9q13nh posted on 2024-10-4 16:16:30

On PHP countering security software (summary)


<p>As of 2018-05-10, PHP versions fall into three broad groups: PHP 5.x, PHP 7.x, and the versions before PHP 5.x. The market today mostly runs PHP 5.x and PHP 7.x.</p>
<p>This article only discusses PHP 5.x and PHP 7.x. The Zend Engine 1.0 API of early PHP 4.x is out of scope.</p>
<p><strong>The article approaches countering security software around several topics:</strong></p>
<p>Whether obfuscation, encryption and similar transformations of PHP itself are enough to make a good backdoor that can also evade security software.</p>
<p>How to switch the protocol used to reach the .php file in order to evade a WAF, for example from HTTP to TCP, triggering the backdoor tcp-&gt;tcp.</p>
<p>Considering the properties of the backdoor itself and giving it tags, such as tag 1 transient and tag 2 persistent (for example tag 1 for a Caidao connection, viewing the target database or other files on the backdoor host; tag 2 to trigger persistent penetration, for example a seamless hand-off to msf, Cobalt Strike and so on).</p>
<p>Considering how to keep a persistent backdoor on the target server without leaving file residue.</p>
<p>Practicality and field use, for example a target machine with no outbound network access. Can the backdoor then, with the target unable to reach out, still bring in a third-party penetration framework (such as msf or Cobalt Strike)?</p>
<p>Targeted, customised collection of sensitive data from sensitive targets (for example, when the target runs WordPress, how to persistently hijack plaintext passwords without modifying the target's PHP login source).</p>
<p>The market-oriented versus the private nature of a backdoor.</p>
<p>Summary.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;"><img src="https://mmbiz.qpic.cn/mmbiz_jpg/5u08OUQmyqczlZsascKZueozSHcib2mQpqQFgY1LJNWibBwhey3bIjjb1XR3yTc3UzKwtRrQ80Keh3QxJvCF7SHQ/640?wx_fmt=jpeg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></span></p>
<p><strong>Whatever the PHP version, its engine makes heavy use of HashTable; if PHP is said to be one of the best languages, that must be said of HashTable.</strong></p>
<p><strong>Along the way a lot of PHP internals background is filled in; you can jump straight to the Operation summary.</strong></p>
<p>Obfuscation or encryption of the PHP language itself currently cannot fully evade security software, and in backdoor form it is easily exposed and easily detected and removed. It also lacks multi-tag properties, such as transient use versus persistent penetration use.</p>
<p>A WAF works by enforcing a series of security policies on HTTP/HTTPS, so a backdoor should avoid the HTTP protocol as much as possible for persistent connections. For example, hook phpinfo(): when phpinfo() is accessed, the target starts a TCP listener sharing port 80. The backdoor connection is then tcp (attacker) -&gt; tcp (target), which is the essence of evading the WAF's defence.</p>
<p>Security software is getting ever stronger against backdoors, so the backdoor's behaviour is split across multiple tag properties to counter it. (For example, the backdoor has two tag properties: one executes arbitrary PHP code [transient use, such as a Caidao connection], the other hooks a function or enables other features, but the trigger points are completely different. This is fundamentally different from a traditional php_backdoor: to trigger arbitrary PHP code execution, access page 1; the hook is triggered passively, and to trigger the listener, access page 2. Pages 1 and 2 have no relation to each other.)</p>
<p>For PHP extension development, also consider whether the backdoor is for private use or for a project or public use. A private backdoor prioritises stability and longevity over ease of use and generality. A project or public backdoor prioritises ease of use and generality: an all-version PHP backdoor that supports PHP 5.x and PHP 7.x at the same time is a good public backdoor but definitely not a good private one, because the implementation has to take PHP_MAJOR_VERSION into account.</p>
<p>In practice the target machine often has no outbound network access: you can reach it, but it cannot reach out, which raises the time cost of penetrating the target's internal network and PCs. Here, consider 1. with no outbound access, the backdoor's own shared port, and a seamless hand-off to a penetration framework (such as msf or Cobalt Strike).</p>
<p>When penetrating large targets (such as a mail provider) or a large organisation's internal OA or mail system (PHP-based), you constantly need the plaintext user and password. If the target is important or its data sensitive, or its source code is encrypted, modifying the target's login source to obtain them is not a wise method; prioritise hooking func(post user,pass) --&gt; writing locally, or sending remote mail, to obtain them continuously.</p>
<p>PHP's global variables always exist; in the kernel hash they are stored in EG(symbol_table), and access to a global variable has essentially the same syntax whether in the language itself or in the kernel.</p>
<p><code>global $micropoor;</code> is expressed as &amp;EG(symbol_table), micropoor. Besides global variables, PHP also has superglobals, $_SERVER, $_REQUEST, $_POST, $_GET and so on, but in the kernel the superglobals are in fact just global variables defined by the PHP kernel.</p>
<p>php-src-master\main\php_variables.c:908-917</p>
<pre><code>/* Registers the superglobals; each gets a callback that builds the array on demand. */
void php_startup_auto_globals(void)
{
    zend_register_auto_global(zend_string_init_interned("_GET", sizeof("_GET")-1, 1), 0, php_auto_globals_create_get);
    zend_register_auto_global(zend_string_init_interned("_POST", sizeof("_POST")-1, 1), 0, php_auto_globals_create_post);
    zend_register_auto_global(zend_string_init_interned("_COOKIE", sizeof("_COOKIE")-1, 1), 0, php_auto_globals_create_cookie);
    zend_register_auto_global(zend_string_init_interned("_SERVER", sizeof("_SERVER")-1, 1), PG(auto_globals_jit), php_auto_globals_create_server);
    zend_register_auto_global(zend_string_init_interned("_ENV", sizeof("_ENV")-1, 1), PG(auto_globals_jit), php_auto_globals_create_env);
    zend_register_auto_global(zend_string_init_interned("_REQUEST", sizeof("_REQUEST")-1, 1), PG(auto_globals_jit), php_auto_globals_create_request);
    zend_register_auto_global(zend_string_init_interned("_FILES", sizeof("_FILES")-1, 1), 0, php_auto_globals_create_files);
}
</code></pre>
<p>Following zend_register_auto_global:</p>
<p>php-src-master\Zend\zend_compile.c:1649-1661</p>
<pre><code>int zend_register_auto_global(zend_string *name, zend_bool jit, zend_auto_global_callback auto_global_callback) /* {{{ */
{
    zend_auto_global auto_global;
    int retval;

    auto_global.name = name;
    auto_global.auto_global_callback = auto_global_callback;
    auto_global.jit = jit;

    /* The entry is copied into the CG(auto_globals) hash table, keyed by name. */
    retval = zend_hash_add_mem(CG(auto_globals), auto_global.name, &amp;auto_global, sizeof(zend_auto_global)) != NULL ? SUCCESS : FAILURE;

    return retval;
}
</code></pre>
<p>The object is stored in the global variable CG(auto_globals); as said above, in the kernel the superglobals are in fact global variables defined by the PHP kernel, stored in CG.</p>
<p>Besides the EG and CG helper macros, the other helper macros commonly used by backdoors are:</p>
<pre><code>EG(); // global variables, executor_globals, e.g. $_GLOBALS, INI information
SG(); // SAPI variables, request data, sapi_globals_struct, e.g. the raw HTTP request sapi_request_info
CG(); // compiler variables, compiler_globals; gives the function table and class table
EX(); // current execution data, zend_execute_data; gives the currently executing function, class, OPCODE etc.
OG(); // output variables, output_globals
</code></pre>
<p>Having understood superglobals, global variables, constants and so on: if you need to hook a custom or built-in function, you must also declare the exported functions. Zend provides a set of macros for this, of type void:</p>
<pre><code>// function declaration
PHP_MINIT_FUNCTION(my_extension);

// ... some code ...

zend_module_entry my_extension_module_entry = {
#if ZEND_MODULE_API_NO &gt;= 20010901
    STANDARD_MODULE_HEADER,
#endif
    "my_extension",
    my_extension_functions,
    PHP_MINIT(my_extension),
    NULL,
    NULL,
    NULL,
    NULL,
#if ZEND_MODULE_API_NO &gt;= 20010901
    "1.0",
#endif
    STANDARD_MODULE_PROPERTIES
};

// ... some code ...

// function implementation; the name must match the one used in PHP_MINIT() above
PHP_MINIT_FUNCTION(my_extension)
{
    REGISTER_INI_ENTRIES();
    return SUCCESS;
}
</code></pre>
<p>During a PHP request, the HashTable has to be consulted to look up global variables or hooked functions. Several prototypes:</p>
<pre><code>uint32_t zend_hash_num_elements(HashTable *ht);                 // get the array size
zval* zend_hash_find(HashTable *ht, zend_string *key);            // look up the array by a zend_string * key
zval* zend_hash_str_find(HashTable *ht, char *str, size_t len);   // look up the array by a char * key
zval* zend_hash_index_find(HashTable *ht, zend_ulong h);          // look up the array element at index h
void* zend_hash_find_ptr(HashTable *ht, zend_string *key);        // as above, but returns the value the element pointer points to
void* zend_hash_str_find_ptr(HashTable *ht, char *str, size_t len); // same as above
void* zend_hash_index_find_ptr(HashTable *ht, zend_ulong h);      // same as above
zend_bool zend_hash_exists(HashTable *ht, zend_string *key);      // whether the zend_string * key exists
zend_bool zend_hash_str_exists(HashTable *ht, char *str, size_t len); // whether the char * key exists
zend_bool zend_hash_index_exists(HashTable *ht, zend_ulong h);    // whether index h exists
zend_array *HASH_OF(zval *val);   // HASH_OF is in fact a macro; the argument value may be an array `IS_ARRAY` or an object `IS_OBJECT`, otherwise it returns NULL
</code></pre>
<p>In PHP 7.x most of the HashTable API was changed; one comparison of prototypes is listed below (see the official wiki, thanks, for details):</p>
<pre><code>- if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key)+1, (void**)&amp;zv_ptr) == SUCCESS) {   // php5.x
+ if ((zv = zend_hash_find(ht, Z_STR_P(key))) != NULL) {                                     // php7.x
</code></pre>
<h2><strong>Operation summary:</strong></h2>
<p>The next thing to consider is how to turn the dry material above into something interesting, and to produce 2 demos, 2 backdoors with more practical value.</p>
<p>1. PHP 7.x: hijack _POST, _GET and so on to execute arbitrary PHP code (transient-use tag)</p>
<p>2. PHP 7.x: hook phpinfo to hide a one-liner backdoor (transient-use tag)</p>
<p>3. How to build an all-version PHP backdoor (the public or project backdoor idea)</p>
<p>4. Embedding third-party frameworks (persistent tag)</p>
<p>As demo1, a PHP 7.x backdoor is designed.</p>
<p>Take info.php as the demo, with the following contents:</p>
<p><img src="https://mmbiz.qpic.cn/mmbiz_png/5u08OUQmyqczlZsascKZueozSHcib2mQpdMibEKcXrDDzgBIaox0BERgFkX4mWkhicpbBLBwhQXuFJeqIvEE5WcPQ/640?wx_fmt=png&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
<p>Accessing any PHP page with the POST parameter micropoor_php executes arbitrary code.</p>
<p><img src="https://mmbiz.qpic.cn/mmbiz_png/5u08OUQmyqczlZsascKZueozSHcib2mQphXoP8SAcnpEicy4yzSYIAj0EUnCGkicJ2FMN0SmJ9XlyPGPia6b5bjobA/640?wx_fmt=png&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
<p>Caidao configuration:</p>
<p>Fill in custom code</p>
<p>Download address: linux php 7.x_x64_backdoor</p>
<p>https://drive.google.com/file/d/1WkQInZQ53PHe104MKHqFOG_-ydCZh4lN/view?usp=sharing</p>
<p>More interesting experiments:</p>
<p>As demo2, hijack phpinfo(); so that the one-liner backdoor becomes </p>
<p>demo3, seamless support for third-party frameworks: embed a C payload and share port 80.</p>
<h2><strong>References and thanks:</strong></h2>
<p>http://php.webtutor.pl/</p>
<p>https://wiki.php.net/phpng-upgrading</p>
<p>https://www.jianshu.com/p/32fdad9be6c8</p>
<p>https://github.com/pangudashu/php7-internal/</p>
<h2>Appendix:</h2>
<p>php5.x x64 backdoor for linux</p>
<p>public_x64.so</p>
<p>Size: 26800 bytes</p>
<p>MD5: 1C21BD02D26E9A3914A9A7248B799715</p>
<p>SHA1: 934D577EDBCBC6FEB93AA52DE2C195BE59269B77</p>
<p>CRC32: 8145921D</p>
<p>Note: public_x64.so is only for x64.</p>
<p>Microdoor for php5.x on Linux. Not for other versions.</p>
<p>To guard against the original file being tampered with, compare the file's MD5 before use.</p>
<p>The whole Microdoor series is for study only.</p>
<p>https://drive.google.com/file/d/1qDYcGuODAUOWF8rKGw4okQ34TyBK9vBh/view?usp=sharing</p>
<p>php5.x x32 backdoor for linux</p>
<p>public_x32.so</p>
<p>Size: 26127 bytes</p>
<p>MD5: 9BF67665FDCB30C355358624DBEB79BB</p>
<p>SHA1: 3E996D33F18C1E34600203E8C348988449865888</p>
<p>CRC32: 54264834</p>
<p>Note: public_x32.so is only for x32.</p>
<p>Microdoor for php5.x on Linux. Not for other versions.</p>
<p>To guard against the original file being tampered with, compare the file's MD5 before use.</p>
<p><img src="https://mmbiz.qpic.cn/mmbiz_png/5u08OUQmyqeG05W23YjpXNKPFGKO3wzJG4bvVLbFuia2KvG7hg04opnb5YxvJVQQN6ibncASzEdhoE1LkbaEG1Sw/640?wx_fmt=png&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
<p>↙↙↙ Click "Read the original" to discuss the topic with the author directly.</p>
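<p>As an added example (not part of the original post or of its Microdoor code), the Python script below shows the check a defender would run against the technique the post describes, a malicious Zend extension loaded through php.ini: it parses the extension= and zend_extension= directives, resolves each against extension_dir, hashes the shared object, and flags any file that is not on an allowlist or whose MD5/SHA1 matches the values the appendix lists for public_x64.so and public_x32.so. The php.ini fragment, the temporary extension directory, its placeholder .so contents and the allowlist are all constructed here so it runs offline; the resolution rule it assumes is Linux behaviour, where a bare name in extension= gets .so appended.</p>

```python
"""Audit the extensions a php.ini loads against an allowlist and known-bad hashes.

Added example, not the post's own code.  Inputs below are constructed.
"""
import hashlib
import os
import re
import tempfile

# MD5 / SHA1 of public_x64.so and public_x32.so, copied from the post's appendix.
KNOWN_BAD = {
    "md5": {"1c21bd02d26e9a3914a9a7248b799715", "9bf67665fdcb30c355358624dbeb79bb"},
    "sha1": {"934d577edbcbc6feb93aa52de2c195be59269b77",
             "3e996d33f18c1e34600203e8c348988449865888"},
}

# Allowlist of extension file names the image is expected to load
# (constructed for the example; a real one comes from the build baseline).
ALLOWED = {"opcache.so", "mysqlnd.so", "json.so"}

# Active directives only: a leading ';' makes the line a php.ini comment, and
# 'extension_dir = ...' does not match because '_' follows 'extension'.
DIRECTIVE_RE = re.compile(r'^\s*(zend_extension|extension)\s*=\s*"?([^"\s;]+)"?', re.M)

# Constructed php.ini fragment: one commented-out module and one unexpected .so.
SAMPLE_INI = """
; constructed php.ini fragment
extension_dir = "/usr/lib/php/modules"
extension=opcache.so
extension=mysqlnd
;extension=gd.so
extension=public_x64.so
"""


def parse_extension_directives(ini_text):
    """Return [(kind, value), ...] for every active extension directive."""
    return [(m.group(1), m.group(2)) for m in DIRECTIVE_RE.finditer(ini_text)]


def resolve_extension_path(value, extension_dir):
    """Absolute paths are used as given; a bare name is looked up in
    extension_dir, with '.so' appended when missing (Linux assumption)."""
    if os.path.isabs(value):
        return value
    if not value.endswith(".so"):
        value += ".so"
    return os.path.join(extension_dir, value)


def file_hashes(path):
    """Return (md5, sha1) hex digests of a file, read in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def audit(ini_text, extension_dir, allowed=ALLOWED, known_bad=KNOWN_BAD):
    """One finding per directive; status is ok, missing, known-bad or not-allowlisted.
    Hash matches take priority over the allowlist so a renamed bad file still fires."""
    findings = []
    for kind, value in parse_extension_directives(ini_text):
        path = resolve_extension_path(value, extension_dir)
        finding = {"directive": kind, "value": value, "path": path, "status": "ok"}
        if not os.path.isfile(path):
            finding["status"] = "missing"
        else:
            md5, sha1 = file_hashes(path)
            finding["md5"] = md5
            if md5 in known_bad["md5"] or sha1 in known_bad["sha1"]:
                finding["status"] = "known-bad"
            elif os.path.basename(path) not in allowed:
                finding["status"] = "not-allowlisted"
        findings.append(finding)
    return findings


def build_sample_extension_dir():
    """Create a temp extension_dir holding placeholder files (constructed bytes,
    not real modules) so the audit can run offline; returns its path."""
    d = tempfile.mkdtemp(prefix="php-ext-")
    for name in ("opcache.so", "mysqlnd.so", "public_x64.so"):
        with open(os.path.join(d, name), "wb") as f:
            f.write(b"\x7fELF placeholder: " + name.encode())
    return d


def run_example():
    """Map each directive value in SAMPLE_INI to its audit status."""
    return {f["value"]: f["status"] for f in audit(SAMPLE_INI, build_sample_extension_dir())}


if __name__ == "__main__":
    for value, status in run_example().items():
        print(f"{value:20s} {status}")
```

<p>Run as a script it prints one status per directive; on a real host, feed it the files reported by <code>php --ini</code> and the extension_dir shown by <code>php -i</code>. The placeholder public_x64.so is caught by the allowlist rather than by hash, which is the point of keeping both checks: the hash list only catches the exact samples in the appendix, while the allowlist catches any module the baseline did not ship.</p>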

nykek5i posted on 2024-10-23 00:20:15

The system tells me my captcha was wrong 1500 times \~゛,

1fy07h posted on 2024-10-27 21:14:32

Foreign-trade website building methods http://www.fok120.com/