Backdooring Websites with just 35 bytes

Somdev Sangwan
4 min readOct 6, 2018

--

tl;dr This article is about code golfing a PHP shell to 35 bytes while keeping it usable as well as secure. The web shell can be found on Github.

Ninjas need to be stealthy but trading off usability for stealth is a bit expensive. We want our web shell to be able to do everything while staying as stealthy as possible. So, we will start with adding the ability to run arbitrary functions by playing with PHP syntax

We can create a really cute web shell with this trick

The beauty of this web shell, is that it can be used to run any arbitrary function with arbitrary arguments. For example, to print the working directory, I can simply do

https://example.com/ourshell.php?function=exec&argument=pwd

It has 97 characters tho, so let’s shorten it

Things I changed

  • We aren’t using variables to store parameter values, we are using them directly.
  • Shortened function to f and argument to a
  • Removed the closing tag i.e. ?> because it’s not necessary

We shortened it to 31 characters, that’s a really huge improvement but what if someone else finds our web shell? He can easily use it for his own gain if he knows how it works.

Yep, we better implement authentication.

Not anything fancy, we will just introduce a new parameter p which can be used to supply the password, if the supplied value matches our password, the function will execute otherwise not.

Now it is password protected but it has 70 characters now so let’s get back to shortening it.

We will use something called ternary operator, it’s basically a shorthand for a if else block.

Normal: if ($movie == 'marvel'){echo 'y'} else{'n'}With ternary operator: ($movie == 'marvel' ? echo 'y' : echo 'n')

Using the ternary operator, we reduced 10 characters

You know what…we can use $_GET[p] instead of $_GET['p'] . Yes, PHP allows that and we can strip 8 more chars just like that. Also, we can remove the unnecessary white space which gives us the following

Yay! It has just 47 characters, can we shorten it further? Yes!

Actually I was stuck at this point but then Yohanes pointed out a really neat trick, instead of using ternary operator, we can simply do this

condition&&executeCode

If condition is satisfied, the code following && will be executed. Don’t get confused, it’s just the AND operator ;)

Great! It’s has 45 characters now.

Actually, this article isn’t about the best practices, it’s about writing a super tiny web shell so let’s replace passwordwith _

It reduces the overall size to 38.

Another PHP fun fact! <? is a shorthand for <?php . Yes, it is turned off by default but luckily <?= is allowed.

So we have the winner!

Stop scrolling and take a look at it. It’s beautiful, isn’t it?

I have written another one is a bit more cooler, it’s on my Github.

Well that’s all for today. Have a nice day!

--

--

Somdev Sangwan
Somdev Sangwan

Written by Somdev Sangwan

I make stuff, I break stuff and I make stuff that breaks stuff.