What is the Webshell analysis of confusion and deformation?


What is WebShell? Initially, Webshell was often called a script for Web server administrators to remotely manage servers. Later, with the birth of some Webshell management tools, the process of obtaining Web permissions was greatly simplified, so it was gradually called the tool script of Web intrusion.

Webshell is different from vulnerabilities, but uses application vulnerabilities or server vulnerabilities (file upload vulnerabilities, file inclusion vulnerabilities, etc.) to upload script files to the server for subsequent use, which belongs to the subsequent use of penetration testing and the TA0002 Execution stage of ATT&CK.


Figure 1 TA0002

Reference source: https://mitre-attack.github.io/attack-navigator/ (ATT&CK navigator)

In order to bypass the detection and protection of equipment and software, attackers often change their Webshell writing methods, which can ensure that their scripts will not be detected on the premise of ensuring their functions, among which php scripts are more prominent. Because there are many available functions in the php scripting language, php can have ever-changing confusing and distorted writing methods.

One-word Trojans also belong to Webshell scripts. Friends who are interested in one-word Trojans can learn and understand by themselves with reference to the last issue of "Many Variants of One-word Trojans", and this article will not repeat them here.

BACKGROUND When analyzing Webshell before, it was found that there is a kind of Webshell that can completely bypass all kinds of detection software. This kind of script often seems meaningless at the code level and has no common Webshell features. However, it is not difficult to find the idea of this kind of confusing script after layers of research. Just recently, I received an interesting confusing script, and I shared the analysis process of this script with my friends, hoping to play a role in attracting jade.

When I first saw the script, I saw the bright eval function from his content, so I instinctively extracted this part of the code, but it was not enough to prove anything, because the content part was all garbled and there was no trace of WebShell.

After careful investigation, we can find that in addition to eval, we also call three functions: gzinflate, base64_decode and str_rot13. Perhaps we can start with these three functions to find the breakthrough of analysis.


Figure 2 Script Content

Function interpretation str_rot13 ()

ROT13 coding moves each letter forward 13 letters in the alphabet. Numbers and non-alphabetic characters remain unchanged (Caesar encryption).


Base64 encode the contents of the string.


By default, ZLIB_ENCODING_RAW encoding method is used for data, and deflate data compression algorithm is used. In fact, LZ7 is used for compression first, and then huffman encoding is used for compression.

Analysis 1. Content analysis 


Figure 3 Calling the echo command

Using the echo command to parse the content, it was found that str_rot13 () was executed, so I repeated this idea and tried to peel off the original content layer by layer.


Fig. 4 Analysis results

2. Repeated parsing After repeated parsing of the echo command for three times, the monotonous code finally appeared, which proves that the direction of analysis is probably correct, and it feels like a Trojan horse with multiple functions from the amount of code, commonly known as Malaysia.


Fig. 5 Multiple analysis

3. Call the eval function to run the code content. Boy, it really is a big horse.

After investigation, it is found that the functions of the Trojan horse include system information acquisition, directory reading, file downloading, file uploading and other functions.


Figure 6 Original appearance of Malaysia

Copyright Description:No reproduction without permission。

Knowledge sharing community for developers。

Let more developers benefit from it。

Help developers share knowledge through the Internet。

Follow us