Backdooring Websites with just 35 bytes

Somdev Sangwan
Oct 6, 2018 · 4 min read

tl;dr This article is about code golfing a PHP shell to 35 bytes while keeping it usable as well as secure. The web shell can be found on Github.

Ninjas need to be stealthy, but trading off usability for stealth is expensive. We want our web shell to be able to do everything while staying as stealthy as possible. So we will start by adding the ability to run arbitrary functions, by playing with PHP syntax.


We can create a really cute web shell with this trick.


The beauty of this web shell is that it can be used to run any arbitrary function with arbitrary arguments. For example, to print the working directory, I can simply do

https://example.com/ourshell.php?function=exec&argument=pwd

It has 97 characters though, so let's shorten it.


Things I changed:

  • We aren't using variables to store parameter values; we use them directly.
  • Shortened function to f and argument to a.
  • Removed the closing tag, i.e. ?>, because it's not necessary.

We shortened it to 31 characters. That's a really huge improvement, but what if someone else finds our web shell? Anyone who knows how it works can easily use it for their own gain.

Yep, we better implement authentication.

Nothing fancy: we will just introduce a new parameter p which is used to supply the password. If the supplied value matches our password, the function executes; otherwise it does not.


Now it is password protected, but it has 70 characters, so let's get back to shortening it.

We will use the ternary operator, which is basically shorthand for an if/else block.

Using the ternary operator, we shave off 10 characters.


You know what… we can use $_GET[p] instead of $_GET['p']. Yes, PHP allows that (it treats the bare word as a string constant), and we can strip 8 more chars just like that. We can also remove the unnecessary whitespace, which gives us the following.


Yay! It has just 47 characters. Can we shorten it further? Yes!

Actually, I was stuck at this point, but then Yohanes pointed out a really neat trick: instead of using the ternary operator, we can simply do this

condition&&executeCode

If the condition is satisfied, the code following && will be executed. Don't get confused, it's just the AND operator with short-circuit evaluation ;)


Great! It has 45 characters now.

Actually, this article isn't about best practices, it's about writing a super tiny web shell, so let's replace password with _.

It reduces the overall size to 38.

Another PHP fun fact! <? is shorthand for <?php. Yes, that short open tag is turned off by default, but luckily the short echo tag <?= is allowed regardless of that setting.

So we have the winner!


Stop scrolling and take a look at it. It’s beautiful, isn’t it?
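From the defender's side, the thing to hunt for is the construct this whole shell is built on: a request superglobal invoked as a function, or a command-execution primitive fed straight from request input. The scanner below is an added example, not code from the article or its author's GitHub; the PHP files it scans are constructed samples, and the rule names and paths are hypothetical.

```python
import re
from typing import Dict, List, Tuple

# Any element of a request superglobal, with a quoted or bare key ($_GET['f'] or $_GET[f]).
SUPERGLOBAL = r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]"

# Two signatures of the variable-function web shell discussed above:
#  1. a request value called as a function, e.g. $_GET[f]($_GET[a])
#  2. an execution primitive fed request input, e.g. exec($_GET['c'])
RULES: List[Tuple[str, re.Pattern]] = [
    ("superglobal-called-as-function",
     re.compile(SUPERGLOBAL + r"\s*\(")),
    ("exec-primitive-with-request-input",
     re.compile(r"\b(?:exec|system|shell_exec|passthru|popen|proc_open|eval|assert)"
                r"\s*\(\s*" + SUPERGLOBAL, re.IGNORECASE)),
]


def scan_php(source: str) -> List[str]:
    """Return the names of every rule that matches the given PHP source text."""
    return [name for name, rx in RULES if rx.search(source)]


def scan_files(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Scan a path -> source mapping and keep only the files with findings."""
    findings: Dict[str, List[str]] = {}
    for path, src in files.items():
        hits = scan_php(src)
        if hits:
            findings[path] = hits
    return findings


# Constructed sample files (hypothetical content, not taken from any real site).
SAMPLES: Dict[str, str] = {
    # benign: reads a parameter but only echoes it, escaped
    "index.php": "<?php\necho htmlspecialchars($_GET['q'] ?? '');\n",
    # rule 1: request values used as both callable and argument
    "uploads/cache.php": "<?php\n$_REQUEST['x']($_REQUEST['y']);\n",
    # rule 2: command execution straight from a request parameter
    "tools/run.php": "<?php\necho shell_exec($_GET['c']);\n",
    # indirect form: same behaviour, but the input passes through a variable first,
    # so neither regex fires (a known blind spot of pattern-based scanners)
    "legacy.php": "<?php\n$cmd = $_REQUEST['cmd'];\nsystem($cmd);\n",
}

if __name__ == "__main__":
    for path, hits in scan_files(SAMPLES).items():
        print(f"{path}: {', '.join(hits)}")
```

The legacy.php sample shows the limit of this approach: one level of indirection defeats both regexes, so treat hits as triage and pair the scan with file-integrity monitoring of the web root and a disable_functions list in php.ini rather than relying on it alone.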

I have written another one that is a bit cooler; it's on my GitHub.

Well that’s all for today. Have a nice day!
