Webshell backdoor analysis Article 1

Today, a student sent a webshell box, but there is no clear password in the box, unlike the previous box.

This webshell box has aroused my great interest.

 

I immediately thought of a solution .. I found several webshells for brute-force cracking.

Get a webshell in a few minutes

NOTE: If webshell is not encrypted, there is no need to write or decrypt it.

A small asp Server opens the process and enters the correct password for monitoring to find all relevant connections such as GET/POST.

Decisive findings:

 

Note that the host here is probably the address of the email reception. whois is decisive to get the QQ mailbox of the box author and the QQ number. In fact, I really don't want the club to have a junior high school party at night, the person who makes the box decisively.

It is strange that in the past, webshell boxes were used to obtain the URL + password and then send it to the remote server. However, this webshell is quite different. I am ignorant. Still lags behind my ideas.

See

</img>
 

 

When I see this label, I mean the author is really very good. I mean that a successful login will certainly be executed once, so just make a record on the remote server. How hidden, but how can we escape the brother's eyes.

Recall what I did not know about the suffix parameter mentioned in the box before. Please go back to our first high-definition CAPTCHA. Based on this, I carefully read this unencrypted network horse? I have discovered something decisively:

:

Tracking URL variables 32

:

Okay. I can see that this code is incorrect.

 

If session ("KKK") <> UserPass then if request. form ("pass") <> "" or request ("pass") <> "" then if request. form ("pass") = UserPass or request. form ("pass") = url then session ("KKK") = UserPass response. redirect url else
If there is a logic problem, the variable passed in is equivalent to UserPass or equal to the url. you can log on only when one of the variables meets the requirement.

 

Final Result

--------------- Lewd segmentation -------

After the analysis is complete, I sent another webhorse. Okay, wait for me to come back to help you analyze it.