Obfuscated PHP Backdoor

full · April 2, 2021, 1:41pm

Hi, I recently found a malicious PHP code [ LINK ] injected in some webpages, I tried to formate and deobfuscate it and understand how it works, It seems that is using Cookies to execute PHP code (Cookie: cipher=serialized+encrypted PHP code), I just want to know how they are making this kind of backdoors and how to generate this Cookie.

function cs_decrypt_phase($data, $key)
{
    $out_data = "";

    for ($i = 0; $i < strlen($data);) {
        for ($j = 0; $j < strlen($key) && $i < strlen($data); $j++, $i++) {
            $out_data .= chr(ord($data[$i]) ^ ord($key[$j]));
        }
    }

    return $out_data;
}

This a readable function to decrypt it.

Humairaa_Nunhuck · April 9, 2021, 7:56am

Hi i had the same code injected in one of my webpage. Do you have more information on how the code works?

webshell · April 14, 2021, 10:54am

Do you have the latest webshell?

full · April 15, 2021, 6:12pm

Yes i ve bought a tool to generate the backdoor and payloads

Racist · June 2, 2021, 12:44am

tbh thats pretty “skiddy”, php webshells are easy to make and most of them are just Copy and Pasteable

Satoshin · June 3, 2021, 4:46pm

There is no such thing as a “skiddy” project. its all about fun and being interactive. Webshells are fun to make and can provide alot of learning experience for php, and alot of webshell’s nowadays are private. The public webshells are always backdoored and send back a email if you do infect a server, so its worth making your own.

The easy part is about experience, your not just gonna call C easy to someone who never learned it before are you? - Satoshin

system · August 2, 2021, 5:41am

This topic was automatically closed after 121 days. New replies are no longer allowed.