Network security skills competition in Secondary Vocational Schools -- a tutorial article on middleware penetration testing in Guangxi regional competition
2022-07-05 06:12:00 【Wangzai sec】
The middleware penetration testing lab environment is available from the blogger by private message.
PHPStudy Back door analysis
Because PHPStudy suffered a supply chain attack, the php_xmlrpc.dll module shipped in the PHPStudy installation package contains a hidden backdoor. Affected versions include PHPStudy 20161103 and PHPStudy 20180211. Analysis shows that the core functionality of the backdoor has two parts: the first checks for a special HTTP header and executes remote PHP code; the second checks for a special HTTP header, connects back to a C&C server and executes the PHP code it returns.
Experimental environment: Windows 7 (32-bit), PHPStudy 20181103, php_xmlrpc.dll under the php-5.2.17/ext extension folder.
Sample information

Field | Value
---|---
Name | php_xmlrpc.dll
SHA256 | aea021c5d79adbdc8a755d2f56db4f2e71781abbdcce2a2fa6e04aff3c02be75
Type | 32-bit DLL
Size | 73,728 bytes
Locating the feature strings
Open the sample php_xmlrpc.dll in IDA, then open the Strings window; you will find the code-execution string @eval(). (Looking up the documentation: @ is the PHP error-suppression operator, eval() executes a string as PHP code, and the %s inside it is a format specifier that takes a string parameter.) As shown in the figure below, there are two eval feature strings, both located in the core functions of the backdoor:
Using the positions of these two strings and IDA's cross references, you can go straight to the backdoor code. Press F5 to generate pseudocode for each part of the backdoor and analyse it as follows.
Remote command execution backdoor function analysis
From the relevant references we know that if an attacker sends an HTTP request whose header contains the Accept-Encoding field, the request enters the corresponding attack flow. If the header contains both Accept-Encoding: gzip,deflate and an Accept-Charset field, the Base64-encoded PHP code carried in Accept-Charset is decoded first and then executed, which results in remote command execution. The pseudocode analysis of this part is shown in the figure below:
Connect to C&C and execute arbitrary code: function analysis
If the HTTP request header sent by the attacker contains Accept-Encoding:compress,gzip, the other backdoor function is entered. It first concatenates the disk serial number and the MAC address it has collected; these are uploaded as the unique identifier of the controlled machine. After that, some further data and PHP functions are handed to the PHP Zend engine for execution. The pseudocode of this part is shown in the figure below:
The spprintf function below is PHP's own wrapper function for string concatenation.
In this backdoor module, spprintf concatenates strings twice, namely `spprintf(&v46, 0, a_evalSS, aGzuncompress, v46);` and `spprintf(&v45, 0, aS_valSS, v42, aGzuncompress, v45);`, as shown in the figure below:
Because the variables v45 and v46 are both subsequently passed as parameters to the zend_eval_strings function call, we can infer that v45 and v46 hold the shellcode; the code segments above preprocess v45 and v46. Analysis shows that the shellcode for v46 lies between addresses 1000C028 and 1000C66C, and the shellcode for v45 between 1000C66C and 1000D5C4 (see the red boxes above).
Open the location of the first shellcode in HexEditor and you can see the gzuncompress marker in front of the shellcode, as shown in the figure below:
The core of the PHP code that the Zend engine has to parse is gzuncompress. Looking it up, this function is commonly used for obfuscation; the whole statement is constructed as `$V='';$M='';;@eval(gzuncompress(' data ');`. Scripts for extracting and decompressing these two shellcode segments are already available online, so there is no need to reinvent the wheel. The code is shown below:
Run the script above in the ./phpStudy/php directory; two base64-encoded data segments are obtained, as shown in the figure below:
The first base64 segment decodes as follows:
This PHP code initiates an HTTP request carrying the Accept-Encoding:compress,gzip request header, so the request automatically activates function module 2 and thereby connects to the C&C server and uploads system information. When the automatic trigger routine finishes it updates the current trigger time, and the next run uses this timestamp to decide whether to enter automatic trigger mode again:
The second base64 segment decodes as follows:
This PHP code has a built-in domain name table and port table; it sends its request to the C&C address 360se.net and then executes whatever the C&C server returns.
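As an added example (not the script the article refers to, and not PHPStudy's or the sample's own code), the following Python triages a suspect php_xmlrpc.dll: it compares the file's SHA-256 with the hash in the sample table above and recovers the gzuncompress-wrapped stages described in the last two sections by reversing the base64-then-zlib packing. It assumes each zlib stream begins immediately after a `gzuncompress` marker and runs against a constructed stand-in for the DLL rather than the real sample.

```python
import base64
import hashlib
import zlib

# SHA-256 of the trojanised php_xmlrpc.dll from the sample table above.
BACKDOOR_SHA256 = "aea021c5d79adbdc8a755d2f56db4f2e71781abbdcce2a2fa6e04aff3c02be75"
MARKER = b"gzuncompress"

def is_known_backdoor(dll_bytes: bytes) -> bool:
    """Integrity check: does this file match the published backdoor hash?"""
    return hashlib.sha256(dll_bytes).hexdigest() == BACKDOOR_SHA256

def extract_payloads(dll_bytes: bytes) -> list:
    """Return the PHP source of every stage packed after a 'gzuncompress' marker.
    Assumption (not stated in the article): the zlib stream starts right after
    the marker; for a real sample adjust the offset from the hex editor view."""
    payloads = []
    pos = dll_bytes.find(MARKER)
    while pos != -1:
        start = pos + len(MARKER)
        d = zlib.decompressobj()        # tolerates trailing bytes after the stream
        try:
            raw = d.decompress(dll_bytes[start:])
            if d.eof:                   # a complete stream, not a bare string reference
                # the stream holds base64 text; decoding it yields the PHP code
                payloads.append(base64.b64decode(raw, validate=True).decode())
        except (zlib.error, ValueError):
            pass                        # marker was only a format-string reference
        pos = dll_bytes.find(MARKER, start)
    return payloads

def _pack(php_src: bytes) -> bytes:
    """Pack a stage the way the article describes: base64, then zlib, after a marker."""
    return MARKER + zlib.compress(base64.b64encode(php_src))

# Constructed stand-in for the DLL (not the real sample): a bare marker string,
# then two packed stages separated by filler bytes.
SAMPLE_DLL = (b"MZ" + b"\x00" * 30 + MARKER + b"\x00" * 8
              + _pack(b"<?php /* constructed stage 1 */ echo 1; ?>")
              + b"\xff" * 16
              + _pack(b"<?php /* constructed stage 2 */ echo 2; ?>")
              + b"\x00" * 16)

if __name__ == "__main__":
    print("matches known backdoor hash:", is_known_backdoor(SAMPLE_DLL))
    for i, code in enumerate(extract_payloads(SAMPLE_DLL), 1):
        print(f"stage {i}: {code}")
```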
Remote command execution backdoor test
First, run the affected PHPStudy version, as shown in the figure below:
The EXP is shown in the picture: remote code execution is triggered by constructing an HTTP request. Here the command echo system("net user"), base64-encoded, is ZWNobyBzeXN0ZW0oIm5ldCB1c2VyIik7; it lists the users on the host and serves as echo verification. The Accept-Encoding field is set to gzip,deflate, after which the backdoor checks whether the Accept-Charset field exists and reads its value. The value is executed after base64 decoding, which achieves remote command execution:
Construct the above HTTP request in Burp Suite and send it to the target host; the echo confirms that the backdoor is exploitable, as shown in the figure below:
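To turn the two trigger conditions described above into something a defender can run against web server traffic, here is an added Python example (not from the article) that classifies raw HTTP requests by the backdoor's header patterns and, on the RCE path, decodes the Accept-Charset value so the attempted command can be recorded in the incident ticket. The request samples are constructed; the host name www.example.com and the rule names are assumptions.

```python
import base64
import binascii

# Header values the analysis above identifies as backdoor triggers.
RCE_ENCODING = "gzip,deflate"   # RCE path, needs an Accept-Charset header too
C2_ENCODING = "compress,gzip"   # beacon path: connect back to the C&C server

def parse_headers(raw_request: str) -> dict:
    """Split a raw HTTP request into a lower-cased header-name -> value dict."""
    headers = {}
    for line in raw_request.split("\r\n")[1:]:   # skip the request line
        if not line:
            break                                 # blank line ends the headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def classify_request(raw_request: str) -> dict:
    """Return {'alert': None, ...} for ordinary traffic, otherwise the rule that
    fired and, on the RCE path, the decoded Accept-Charset payload."""
    h = parse_headers(raw_request)
    # Browsers send "gzip, deflate, br" with spaces; the backdoor keys on the
    # exact values above, so an exact match keeps false positives low.
    enc = h.get("accept-encoding", "")
    if enc == C2_ENCODING:
        return {"alert": "phpstudy-backdoor-c2-beacon", "payload": None}
    charset = h.get("accept-charset")
    if enc == RCE_ENCODING and charset:
        try:
            payload = base64.b64decode(charset, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            payload = None   # not base64, e.g. a genuine "utf-8" charset value
        if payload is not None:
            return {"alert": "phpstudy-backdoor-rce", "payload": payload}
    return {"alert": None, "payload": None}

# Constructed sample requests (not captured traffic); the host name is a placeholder.
BENIGN = ("GET / HTTP/1.1\r\nHost: www.example.com\r\n"
          "Accept-Encoding: gzip, deflate, br\r\nAccept-Charset: utf-8\r\n\r\n")
LEGACY = ("GET / HTTP/1.1\r\nHost: www.example.com\r\n"
          "Accept-Encoding: gzip,deflate\r\nAccept-Charset: utf-8\r\n\r\n")
RCE_PROBE = ("GET /index.php HTTP/1.1\r\nHost: www.example.com\r\n"
             "Accept-Encoding: gzip,deflate\r\nAccept-Charset: "
             + base64.b64encode(b'echo "constructed";').decode() + "\r\n\r\n")
BEACON = ("GET / HTTP/1.1\r\nHost: www.example.com\r\n"
          "Accept-Encoding: compress,gzip\r\n\r\n")

if __name__ == "__main__":
    for name, req in [("benign", BENIGN), ("legacy", LEGACY),
                      ("rce", RCE_PROBE), ("beacon", BEACON)]:
        print(name, classify_request(req))
```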