writing and thinking about the web shell verification survival tool (1)

Posted by punzalan at 2020-02-29


Webshell believes that everyone will know about this. It's likely that the kitchen knife is more commonly used. In the usual practical situation, there is usually a situation. If there are too many shells, if you need to check whether the shell still exists, you can only click the kitchen knife one by one to access the website directory. In the kitchen knife, you don't find the function of checking whether the shell still exists in batches. It's very important Trouble, so I have the idea of writing this tool.


A familiar sentence in PHP:

The meaning of this code is very simple. The function of eval() is to execute the string as PHP code. Then the whole execution process is to receive the X parameter of post request, and then execute the X parameter content through Eval function. Next, we will analyze the principle of the tool. The author thought about many parameters before to do the survival verification, and finally decided to use phpinfo() function as the feature The feature matching is the simplest. The author directly posts through Firefox's hackbar plug-in, passing in x = phpinfo(); to 1. PHP page, as shown in the following figure:

See, all the information of phpinfo () is displayed on the web page, then you will ask me how to conduct the survival verification next? If phpinfo() is executed successfully, it means survival. Then we only need to determine whether there is a string (configure command | compiler | registered stream filters | Architecture) in the post page by regular matching.

code implementation

The author takes the webshell address as:

It is saved in the txt file in the shell folder. The author's thoughts are as follows:

Python is mainly used in OS, Sys, queue, threading and other modules. This article can also be said to be a preliminary tutorial for Python thread introduction. The code realizes the survival judgment of webshell by multithreading and queuing. In this way, our program will be faster. The comments have been written. The code of webshell verification end is as follows:

The multithread verification control end code is as follows:

First, create a shell folder under the directory where the script is executed, and then put the form of webshell:

Save it as follows:

Then write 1.txt and 2.txt respectively in the same form of webshell, and run the python script directly, as shown in the following figure:


The above method is just to provide a way to make it more convenient for us to verify the survival of webshell through program control. Of course, there are other ways, such as checking the directory where webshell is through post. This article is mainly operated by phpinfo(), which is convenient for our code writing and simple and convenient verification. At the same time, it is also convenient for us to To realize the batch verification of webshell survival, the multithreading method of Python and the use of queues are also popular. The next article will explain the verification storage of python with MySQL database and the primary stage of realizing the personal verification platform of webshell

Demo download: