
Silic Group Forum Archive - Silic Security

Views: 10512 | Replies: 22

[Original] A beginner's ASP decoding: finding the backdoor in hmily's ASP webshell

niailuo
Posted 2010-8-13 10:43:07
Author: niailuo
From: 习科 (Silic) Information Technology
URL: https://a.blackbap.org/



When I first started playing with scripts I could not decode anything, so I never felt comfortable with the ASP webshells floating around online, fearing they had backdoors.

Later I came across this post on hmily's blog: http://hi.baidu.com/52hmily/blog ... a5be36349bf7fd.html

Since hmily is the webmaster of 吾爱破解 and also seems to be something like an honorary member of the 暗组 forum, I trusted his shell and kept using it.

Later, once I had learned a little decoding, I decoded his shell and found a backdoor.

The backdoored file is the first ASP trojan in the archive attached to hmily's blog post, see the figure:

1.jpg

Opening it shows VBScript.Encode encoding, the familiar garbled text, as in the figure:

2.jpg

I tried a few tools to decode it:

3.jpg

All of them decoded it only partially. As the figure shows, the web-based decoder was incomplete as well.

4.jpg

The cause is that special characters are not handled properly; for example, the tools stop automatically as soon as they hit a ×.
Later, with a tool called "Asp Decode特别版" (Asp Decode special edition), I successfully stripped off the first layer:

5.jpg

Searching for the string "userpass" and clicking Next several times turned up this code:

6.jpg

Everyone can read this line: when the password is verified there is an extra or condition, and satisfying either of the two is enough to log in to the shell. No matter how complex you make the password in UserPass="hmily", the password "love" will always log you in. Here "love" is this shell's master password, in other words the backdoor. Just delete the clause or request.form("pass")="love" and the backdoor is gone.
Here I logged in successfully with the password "love". Screenshot:

8.jpg

I am only a beginner here, so experts please bear with me, heh.


So even things released by the big names of 吾爱破解 and 暗组 can have backdoors; maybe the big names simply did not notice. Heh.


You can download the shell from hmily's blog; I will not provide a download here. What I am providing are the encoding/decoding tools I use regularly.

http://down.qiannao.com/space/fi ... 5de5-5177.rar/.page
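The post's check, "search the decoded source for userpass and look for an extra or clause", can be automated once the VBScript.Encode layer is off. The scanner below is an added example and is not code from the post or from hmily's shell: the two ASP snippets are constructed to mirror the pattern the post describes (the name UserPass and the field "pass" come from the post; the rest of the snippets, the function name and the regexes are assumptions), and it reports every string literal that a request field is compared against inside an If condition joined with Or.

```python
"""Flag alternate-password ("or") backdoors in decoded ASP/VBScript source.

Added example: not code from the post and not hmily's shell. The ASP
snippets are constructed; UserPass and the "pass" field follow the post's
description, everything else is assumed.
"""
import re

# Constructed sample of the backdoored check: a second Or clause accepts a
# hard-coded value no matter what UserPass is set to.
BACKDOORED_ASP = '''<%
UserPass = "hmily"
If Request.Form("pass") = UserPass Or Request.Form("pass") = "love" Then
    Session("login") = True
Else
    Response.Write "wrong password"
End If
%>'''

# The same check with the extra clause deleted, which is the fix the post gives.
FIXED_ASP = '''<%
UserPass = "hmily"
If Request.Form("pass") = UserPass Then
    Session("login") = True
Else
    Response.Write "wrong password"
End If
%>'''

# A comparison of a request field against a quoted literal, e.g.
#   Request.Form("pass") = "love"      request("pwd")="x"
LITERAL_CMP = re.compile(
    r'request(?:\.form|\.querystring)?\s*\(\s*"([^"]+)"\s*\)\s*=\s*"([^"]*)"',
    re.IGNORECASE,
)
# VBScript's Or keyword; \b keeps "Form" and "Password" from matching.
OR_KEYWORD = re.compile(r'\bor\b', re.IGNORECASE)


def find_backdoor_passwords(asp_source):
    """Return [(line_no, field, literal), ...] for every If/ElseIf line whose
    condition is joined with Or and compares a request field to a literal.

    A legitimate check compares the field to one configured value; a literal
    that appears as an Or alternative is a second accepted password. If the
    real password is itself a literal, both get listed, which still tells the
    reviewer how many passwords the shell accepts.
    """
    findings = []
    for lineno, line in enumerate(asp_source.splitlines(), 1):
        stripped = line.strip()
        if not stripped.lower().startswith(("if ", "elseif ")):
            continue
        if not OR_KEYWORD.search(stripped):
            continue
        for m in LITERAL_CMP.finditer(stripped):
            findings.append((lineno, m.group(1), m.group(2)))
    return findings


if __name__ == "__main__":
    for name, src in (("backdoored", BACKDOORED_ASP), ("fixed", FIXED_ASP)):
        hits = find_backdoor_passwords(src)
        print(name, "->", hits if hits else "no alternate password found")
```

Run it over the fully decoded source, not the VBScript.Encode blob; the check is line-based, so a condition split across lines with `_` or an alternate password assembled with Chr() or concatenation will slip past it, and the manual search the post describes remains the complement.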


niailuo (Author)
Posted 2010-8-13 12:22:09
Reply to #2 Mr.Cool

Found it while learning ASP decoding. Who knows whether there are other backdoors, such as ones that phone home. Needs further study!
mi3x5x
Posted 2010-8-14 00:01:00
Already saw it over at 刀城. Continuing my relentless support.
白开水
Posted 2010-8-15 13:53:03
Encryption and decryption... this old man is researching that stuff......
白开水
Posted 2010-8-15 16:01:35
Reply to #8 Mr.Cool

You know perfectly well how old I am, don't you?
iyuki
Posted 2010-8-15 21:41:53
Looks like anything you use needs to be verified first.
黑瓶子
Posted 2010-12-14 22:55:40
Nice, nice, learned something.
Ettack
Posted 2011-11-10 13:01:52
Finally a fix for the incomplete-decoding problem.
fuck
Posted 2012-4-9 13:00:46
I'm so scared I can't go on.
雨中漫步
Posted 2012-4-9 19:54:56
Don't dare use encoded ones, just passing through.
icesky
Posted 2012-4-10 17:05:02
Yes, came to learn the approach; OP is a thoughtful one.
Ist
Posted 2012-8-4 10:37:13
Learned something, and got the toolkit.
whxhxw
Posted 2012-8-7 10:08:40
OP, your stuff actually triggers antivirus.
lovecc
Posted 2013-5-26 12:38:13
Wow, even the big names go rogue!
lindoudou
Posted 2013-6-6 09:40:30
Truly speechless.
Posted 2013-7-21 07:31:57
OP, your stuff got flagged by ESET......
心迹
Posted 2013-8-4 14:16:36
Chilling. I thought only newbies did this. Turns out the big names also release backdoored stuff.
4hroot
Posted 2013-8-6 18:41:20 from mobile phone
Reading this... now I don't know whether what the bosses release has backdoors or not.
Lord
Posted 2013-11-14 14:08:11
Supporting, learning!
hrat
Posted 2015-1-2 00:30:35
This place is still more reliable: the source code is published directly.
© 2001-2014 Silic Corp.