Shulou(Shulou.com)05/31 Report--

Today, I will talk to you about the Webshell analysis of confusion deformation, which may not be well understood by many people. in order to make you understand better, the editor has summarized the following contents for you. I hope you can get something according to this article.

What is WebShell?

In the beginning, Webshell was often used as an acronym for a class of scripts used by Web server administrators to remotely manage servers. Later, with the birth of some Webshell management tools, the process of obtaining Web permissions is greatly simplified, so it is gradually called the tool script for Web intrusion.

Webshell is different from vulnerabilities, but takes advantage of application vulnerabilities or server vulnerabilities (file upload vulnerabilities, file containing vulnerabilities, etc.) to upload script files to the server for subsequent utilization, which belongs to the subsequent utilization of penetration testing and the TA0002 Execution (execution) phase of ATT&CK.

Figure 1 TA0002

Reference source: https://mitre-attack.github.io/attack-navigator/ (ATT&CK Navigator)

In order to bypass detection and detection of protective equipment and software, attackers will often change their own Webshell writing methods, which can ensure that their scripts will not be detected under the premise of ensuring functions. Among them, php scripts are more prominent. Because there are many functions available in php scripting language, php can have ever-changing confusion and distortion.

A word Trojan horse also belongs to the Webshell script, interested in a sentence Trojan horse friends can refer to the previous issue of "a variety of Trojan horse deformation ways" to learn and understand, this issue of the article will not repeat.

Background

Previous analysis of Webshell, found that there is a kind of Webshell can completely bypass a variety of detection software, this kind of script often seems meaningless at the code level, there is no common Webshell characteristics, but after layers of peeling cocoon, it is not difficult to find this kind of confused script ideas, just recently received an interesting confusion script, share the script analysis process with partners, also hope to play a role.

First look at the script

The first time I saw the script, I saw the bright eval function in its content, so I instinctively extracted this part of the code, but it didn't prove anything, because the content was full of clueless garbled code and no trace of webshell.

Careful discovery can find that in addition to eval, but also called gzinflate, base64_decode, str_rot13 these three functions, perhaps we can start from these three functions to find a breakthrough in the analysis.

Figure 2 content of the script

Function interpretation

Str_rot13 ()

The ROT13 code moves each letter forward 13 letters in the alphabet. Numeric and non-alphabetic characters remain the same (Caesar encryption).

Base64_decode ()

Base64 encodes the contents of the string.

Gzinflate

ZLIB_ENCODING_RAW coding is used by default for data, and deflate data compression algorithm is used. In fact, LZ7 compression is used first, and then Huffman coding is used.

Analysis 1. Content analysis

Figure 3 invoking the echo command

Use the echo command to parse the content, only to find that str_rot13 () has been executed, so repeat this idea and try to peel off the original content layer by layer.

Figure 4 Analytical results

two。 Repeated parsing

After three repeated parsing of the echo command, what finally appears is no longer a monotonous code, which proves that the direction of the analysis is probably correct, and from the amount of code, it feels like a Trojan horse with a variety of functions, commonly known as a horse.

Figure 5 multiple parsing

3. Call the eval function to run the code content

Boy, it's really a big horse.

After investigation, it is found that the functions of the Trojan include system information acquisition, directory reading, file download, file upload and other functions.

Fig. 6 the original appearance of Malaysia

After reading the above, do you have any further understanding of the Webshell analysis of obfuscation deformation? If you want to know more knowledge or related content, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.