Backdooring Websites with just 35 bytes

4 min readOct 6, 2018

tl;dr This article is about code golfing a PHP shell to 35 bytes while keeping it usable as well as secure. The web shell can be found on Github.

Ninjas need to be stealthy but trading off usability for stealth is a bit expensive. We want our web shell to be able to do everything while staying as stealthy as possible. So, we will start with adding the ability to run arbitrary functions by playing with PHP syntax

We can create a really cute web shell with this trick

The beauty of this web shell, is that it can be used to run any arbitrary function with arbitrary arguments. For example, to print the working directory, I can simply do

https://example.com/ourshell.php?function=exec&argument=pwd

It has 97 characters tho, so let’s shorten it

Things I changed

We aren’t using variables to store parameter values, we are using them directly.
Shortened function to f and argument to a
Removed the closing tag i.e. ?> because it’s not necessary

We shortened it to 31 characters, that’s a really huge improvement but what if someone else finds our web shell? He can easily use it for his own gain if he knows how it works.

Yep, we better implement authentication.

Not anything fancy, we will just introduce a new parameter p which can be used to supply the password, if the supplied value matches our password, the function will execute otherwise not.

Now it is password protected but it has 70 characters now so let’s get back to shortening it.

We will use something called ternary operator, it’s basically a shorthand for a if else block.

Normal: if ($movie == 'marvel'){echo 'y'} else{'n'}With ternary operator: ($movie == 'marvel' ? echo 'y' : echo 'n')

Using the ternary operator, we reduced 10 characters

You know what…we can use $_GET[p] instead of $_GET['p'] . Yes, PHP allows that and we can strip 8 more chars just like that. Also, we can remove the unnecessary white space which gives us the following