Cookie-gated PHP webshells use obfuscation, php-fpm execution, and cron-based persistence to evade detection in Linux hosting environments. This post examines how this tradecraft conceals execution behind specially crafted HTTP cookies.
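One defensive check for the pattern described above, added here as an example and not code from the post or from any tool it mentions: a small Python scanner that flags PHP source where a cookie value reaches a code-execution sink (directly or through a decoder), or where a sink sits behind an if() that tests a cookie. The sink and decoder lists, the PHP samples and the placeholder hash values are constructed for this example.

```python
import re

# Code-execution sinks and the decoders typically wrapped around the payload.
SINKS = ("eval", "assert", "system", "passthru", "shell_exec", "exec",
         "popen", "proc_open", "create_function")
DECODERS = ("base64_decode", "gzinflate", "gzuncompress", "str_rot13",
            "strrev", "hex2bin")
COOKIE_RE = re.compile(r"\$_COOKIE\b|\$HTTP_COOKIE_VARS\b")

def scan_php(source: str) -> list:
    """Flag lines where a cookie value reaches a code-execution sink (directly or
    through a decoder), or where a sink sits behind an if() that reads a cookie."""
    findings = []
    gated = False  # becomes True once an if() condition reads a cookie value
    for lineno, line in enumerate(source.splitlines(), start=1):
        uses_cookie = COOKIE_RE.search(line) is not None
        sink = next((s for s in SINKS if re.search(rf"\b{s}\s*\(", line)), None)
        decoder = next((d for d in DECODERS if re.search(rf"\b{d}\s*\(", line)), None)
        if uses_cookie and re.search(r"\bif\s*\(", line):
            gated = True
        if sink and uses_cookie:
            findings.append({"line": lineno, "sink": sink, "decoder": decoder,
                             "reason": "cookie value reaches sink"})
        elif sink and gated:
            findings.append({"line": lineno, "sink": sink, "decoder": decoder,
                             "reason": "sink reachable only behind cookie gate"})
    return findings

# Constructed samples (not from any real incident); hashes/keys are placeholders.
SAMPLE_GATED_PAYLOAD = """<?php
if (isset($_COOKIE['sess_k']) && md5($_COOKIE['sess_k']) === 'PLACEHOLDER_HASH') {
    @eval(gzinflate(base64_decode($_COOKIE['sess_d'])));
}
echo 'ok';
"""
SAMPLE_GATE_ONLY = """<?php
if (($_COOKIE['k'] ?? '') !== 'PLACEHOLDER') { http_response_code(404); exit; }
system($_REQUEST['c']);
"""
SAMPLE_BENIGN = """<?php
setcookie('lang', 'en');
$lang = $_COOKIE['lang'] ?? 'en';
echo htmlspecialchars($lang);
"""

if __name__ == "__main__":
    for name, src in (("gated+payload", SAMPLE_GATED_PAYLOAD),
                      ("gate-only", SAMPLE_GATE_ONLY), ("benign", SAMPLE_BENIGN)):
        print(name, scan_php(src))
```

The gate-tracking is deliberately line-based and crude; it is meant as a triage filter over a hosting tree, not as a replacement for reviewing flagged files by hand.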
tl;dr: instead of a secret GET param (a kind of data passed by the client), they're now using cookie values (a kind of data passed by the client, but in a different field of the HTTP request).
yawn.