Originally, a webshell was a script that let web server administrators manage a server remotely. Later, as webshell management tools appeared and getting a foothold on a web server became much simpler, the term gradually came to mean a web intrusion tool script.
A webshell is not itself a vulnerability. The attacker exploits an application or server vulnerability (a file upload vulnerability, a file inclusion vulnerability, etc.) to get the script onto the server and then uses it for follow-on actions. In penetration-testing terms this is post-exploitation, and the commands run through the shell fall under ATT&CK's TA0002 Execution tactic. (ATT&CK catalogues the web shell itself as technique T1505.003, Server Software Component: Web Shell, under Persistence, which matters when mapping detections.)
Figure 1 TA0002
Reference source: https://mitre-attack.github.io/attack-navigator/ (ATT&CK Navigator)
To get past detection and protection devices and software, attackers keep changing how they write their webshells, so that the script stays functional but is not flagged. PHP scripts stand out here: the language offers a large number of usable built-in functions, which makes the possible obfuscations and transformations in PHP almost endless.
One-sentence Trojans (一句话木马) are also webshell scripts. Readers interested in them can refer to the earlier article "Multiple Transformations of One-Sentence Trojans"; this article does not go into them.
When I analyzed webshells in the past, I found a type that could get past all kinds of detection software. At the code level such a script looks like nothing at all: it is meaningless and shows none of the usual webshell features. But once the layers are peeled away, the idea behind this kind of obfuscated script is not hard to find. I recently received an interesting obfuscated script, and I want to share the analysis process with you in the hope that it serves as a starting point.
When I first looked at the script, the eval function stood out in its content, so I instinctively extracted that part of the code. That alone proved nothing, because the content was seemingly clueless garbled text with no trace of a webshell.
Looking more carefully, three more functions are called besides eval: gzinflate, base64_decode, and str_rot13. These three functions are the obvious place to look for a way into the analysis.
Figure 2 Script content
str_rot13()
ROT13 shifts each letter 13 places forward in the alphabet (a Caesar cipher with a shift of 13). Digits and non-alphabetic characters are left unchanged. Because the alphabet has 26 letters, applying ROT13 twice returns the original text, so the same function both encodes and decodes.
base64_decode()
Decodes a Base64-encoded string back into the original data. Here the data underneath is binary (compressed), not readable text.
gzinflate()
Decompresses data that was compressed with the DEFLATE algorithm in raw form (ZLIB_ENCODING_RAW, i.e. without a zlib or gzip header), which is the format gzdeflate() produces. DEFLATE first compresses with LZ77 and then applies Huffman coding to the result.
Figure 3 Calling the echo command
Replacing eval with echo prints the decoded content instead of executing it. The output of the first echo was still another str_rot13() wrapper, so I repeated the same step and peeled the original content away layer by layer.
Figure 4 Analysis results
After three rounds of echo and parsing, what finally appeared was no longer monotonous garbled code, which suggested the direction of the analysis was right. Judging by the amount of code, this looked like a multi-function Trojan, commonly called a "big horse" (大马).
Figure 5 Multiple parsing
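The three functions described above and the echo-based peeling are, taken together, a mechanical procedure, so here is an added Python example (it is not from the article and not the author's script) that does the same job offline: it recognises the eval(gzinflate(base64_decode(str_rot13('...')))) wrapper, applies the inverse functions in the order PHP would evaluate them, repeats until no eval layer remains, and then lists the call names that make the decoded result look like a webshell. The sample input is constructed for the example by wrapping a small command-execution stub three times; the function list and the raw-DEFLATE assumption for gzinflate are the only things it takes from the script under analysis. Python is used because it runs here without a PHP interpreter; in PHP the same peel is one `echo gzinflate(base64_decode(str_rot13('...')));` per layer.

```python
import base64
import re
import zlib

# Byte-level ROT13 table (PHP's str_rot13 only touches ASCII letters).
ROT13 = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
    b"NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm",
)

# Inverse of each PHP function that appears in the wrapper. gzinflate() consumes
# raw DEFLATE data (no zlib/gzip header), which is what wbits=-15 selects in zlib.
DECODERS = {
    b"str_rot13": lambda data: data.translate(ROT13),
    b"base64_decode": lambda data: base64.b64decode(data),
    b"gzinflate": lambda data: zlib.decompress(data, -15),
}

# Matches eval(f1(f2(...('payload')))); with any number of nested calls.
WRAPPER_RE = re.compile(
    rb"eval\s*\(\s*((?:\w+\s*\(\s*)+)(['\"])(.*?)\2\s*\)+\s*;?",
    re.S,
)

# Call names that, once the layers are gone, mark the script as a webshell.
SUSPICIOUS = (b"eval", b"system", b"exec", b"shell_exec", b"passthru",
              b"popen", b"proc_open")


def peel_layer(code: bytes):
    """If `code` is an eval(...) wrapper, return the code it would execute, else None.

    This does in one step what the article does by swapping eval for echo:
    apply the decoding functions innermost-first and hand the result back
    instead of running it.
    """
    match = WRAPPER_RE.search(code)
    if match is None:
        return None
    names = re.findall(rb"\w+", match.group(1))  # outermost call first
    data = match.group(3)
    for name in reversed(names):  # PHP evaluates the innermost call first
        if name not in DECODERS:
            raise ValueError(f"no decoder for PHP function {name.decode()}()")
        data = DECODERS[name](data)
    return data


def deobfuscate(code: bytes, max_layers: int = 50):
    """Peel eval wrappers until plain code remains; return every layer, outermost first."""
    layers = [code]
    while len(layers) <= max_layers:
        inner = peel_layer(layers[-1])
        if inner is None:
            return layers
        layers.append(inner)
    raise RuntimeError(f"still wrapped after {max_layers} layers")


def suspicious_calls(code: bytes):
    """Names from SUSPICIOUS that are called in `code`, in SUSPICIOUS order."""
    return [name for name in SUSPICIOUS if re.search(rb"\b" + name + rb"\s*\(", code)]


def wrap_layer(code: bytes) -> bytes:
    """Obfuscate one layer the way the sample does: deflate, base64, then rot13."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, like gzdeflate()
    deflated = compressor.compress(code) + compressor.flush()
    payload = base64.b64encode(deflated).translate(ROT13)
    return b"eval(gzinflate(base64_decode(str_rot13('" + payload + b"'))));"


# Constructed sample, not the script from the article: a command-execution stub
# wrapped three times, standing in for the author's three rounds of echo.
INNER = b'if(isset($_POST["cmd"])){system($_POST["cmd"]);}'
SAMPLE = b"<?php " + wrap_layer(wrap_layer(wrap_layer(INNER))) + b" ?>"


if __name__ == "__main__":
    layers = deobfuscate(SAMPLE)
    for depth, layer in enumerate(layers):
        print(f"layer {depth}: {layer[:70]!r}")
    print("calls in innermost layer:", suspicious_calls(layers[-1]))
```

The outer layers of SAMPLE contain nothing but `eval` and ROT13'd Base64 text, which is exactly why signature-based scanners miss this shape; only the innermost layer exposes `system(`. A peeler like this one fails loudly on a function it does not know (for example gzuncompress or a user-defined decoder), which is the cue to add that function's inverse rather than guess.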
Sure enough, it is a big horse.
Closer inspection shows that this Trojan's functions include collecting system information, listing directories, downloading files, uploading files, and more.
Figure 6 The big horse in its original form
The above is the full text of "Webshell analysis of obfuscation and deformation". For more on this topic, see the related articles on the PHP Chinese website.