explore a Wordpress PHP BACKDOOR webshell
- Published 1 Dec 2022
- Learn even more malware analysis with 0ffset's Zero2Auto training! j-h.io/z2a And pre-register for their updated Beginner course! j-h.io/z2a-beginner
Help the channel grow with a Like, Comment, & Subscribe!
❤️ Support ➡ j-h.io/patreon ↔ j-h.io/paypal ↔ j-h.io/buymeacoffee
Check out the affiliates below for more free or discounted learning!
🖥️ Zero-Point Security ➡ Certified Red Team Operator j-h.io/crto
💻Zero-Point Security ➡ C2 Development with C# j-h.io/c2dev
🐜Zero2Automated ➡ Ultimate Malware Reverse Engineering j-h.io/zero2auto
⛳Point3 ESCALATE ➡ Top-Notch Capture the Flag Training j-h.io/escalate
👨🏻💻7aSecurity ➡ Hacking Courses & Pentesting j-h.io/7asecurity
📗Humble Bundle ➡ j-h.io/humblebundle
🐶Snyk ➡ j-h.io/snyk
🤹♀️SkillShare ➡ j-h.io/skillshare
🌎Follow me! ➡ j-h.io/discord ↔ j-h.io/twitter ↔ j-h.io/linkedin ↔ j-h.io/instagram ↔ j-h.io/tiktok
📧Contact me! (I may be very slow to respond or completely unable to)
🤝Sponsorship Inquiries ➡ j-h.io/sponsorship
🚩 CTF Hosting Requests ➡ j-h.io/ctf
🎤 Speaking Requests ➡ j-h.io/speaking
💥 Malware Submission ➡ j-h.io/malware
❓ Everything Else ➡ j-h.io/etc
Hello Dolly is included in WordPress by default. It's actually a pretty nice way to hide code, as a lot of people will not delete the default plugins... I suppose it is a way to remotely execute code on every website as an admin. The stuff in the worker file is possibly to delete competing webshells, then probably to read base64 code from the wp_options table and execute it.
A decent security plugin will check the hash of the plugin files to note changed files
A decent developer removes those plugins altogether, they're bloat.
I was just about to write this.
A few weeks ago I deleted a webshell from the Dolly plugin. The operator of that webshell also uploaded a fake template with some more code. He forgot to attach the screenshot to that fake template.
So in this case it has been repurposed into a trojan, rather than just being one by itself (my guess). Good to know!
@Xewl someone ordered the bloat? *laughs in node modules*
Finally! A walkthrough for the rest of us. Your practical insight per minute spent is bar none. Well done man. Been searching for a long time for something like this👏👏
That was fun! The rabbit holes had rabbit holes. Kudos to you, and I'm patting myself on the back for being able to follow all of that. Study and practice pay off!
I literally smiled at 4:08, and thanks, I really learn a lot from you, sir. It's all a big chunk of knowledge that you share. It took me a lot of time to understand a single video since I always try to look around and google anything that I don't know from what you've said. This is another great video.
I love these types of videos - just going through the crazy. Thanks John.
Congratulations in advance on reaching half a million family members.... You are the best John....💗
Great sponsor on this video man. Something I will definitely look into after my current cert path. Cheers for the video.
Hey John, today at work I noticed an event that I followed up on, and I found a similar webshell. I was able to revert a part, but I watched your video again and used one of the techniques you showed and I was able to revert all of its code. Thank you very much for these videos 🤜🏻🤛🏻 ✌🏻
Finally, a WordPress shell. Can't wait to see what it does.
That "Tripped over" comment got me laughing. 😂 Just so you know, I'm constantly tripping over your channel. Thanks for all you do. 🙏🏽
Hi, great video. Could it be that the array in "worker.php" at 32:11 is a set of code snippets used in the "Fast()" function at 16:35 in "stage2_modified.php" to remove "competing" webshells? Would be pretty neat! 😀 My second wild guess is that the Paranoid function does a wider RE-based search, but just warns the user instead of automatically deleting files.
I love everything about this video's thumbnail, especially the T-shirt John is wearing XD
Dude, this was such an intriguing video! 👍
This video is a must-see for anyone interested in exploring WordPress PHP backdoors and webshells. JohnHammond does an excellent job of breaking down the concepts and explaining them in a clear and concise way. Thank You!
Always great content
love these deobfuscation vids
Thanks. This was super interesting.
Nice one John great video
Truly good work!
Love this, please do a video using AFL to find an exploit and then get code execution. I can't find a good video at all and I'm really wanting something simple that I can follow along with, I learn from being hands on.
32:35 (line 59) includes a reference to "Leaf PHP Mailer", which is a legit mailer script but it can be loaded onto people's sites to send tons of spam. The code at 32:54 might be the email payload for the Leaf PHP Mailer. You can see things like "SUBJECT", "AMAZON|ADOBE|AZURE" and "BILLING|LOGIN" close together, so I'd guess it's creating messages with subject lines stating either Amazon, Adobe or Azure plus Billing or Login, so it could be phishing spam. (On a side note, I want to copy your "This is a disaster" and use it as my ringtone for work calls.)
I had many of these on my WordPress ❤️
You are my “IT Seth Rogan” !
Ok I need this
you are the best💯
One of my friends had this happen to several sites, and didn't have good backups. It took me several hours last night to write scripts to go through and clean up all the files. It makes updates to .htaccess files, prepends all index.php files, etc., so writing a bash script was tedious.
you are the best
The book you were reading was Volume 28 on Shelf 4 of Wall 1 of Hexagon.
My man!
How easy it is to pop web shells is why every web developer needs to take things like OWASP and security training seriously. About 20 years ago, it was common to see websites that had an image upload feature for community images. A lot of these were using PHP because there was commonly available code that did it for you, except the built-in filename handling logic in PHP didn't handle null bytes in filenames correctly (e.g. it would consider screenshot.jpg\0.php just screenshot.jpg). Coupled with the fact that these files were just casually placed inside a web root somewhere, this meant that with a clever file name you could toss a PHP web shell out and own any of these servers.
Awesome!
When I attempted to curl some of the URLs and got redirects, it occurred to me that they are already using user agent detection and that it may be implemented on these URLs as well. @40:00
Nice analysis and actually impressive code. I'd like to know who made it. Of course, awful when used with criminal intent, but fun to play around with for white hats ❤
The Hello Dolly plugin is included by default in WordPress for some reason.
I was doing a lot of research on this topic just yesterday.
I'd like to have the source to play with myself. I am a PHP dev. Edit: wow, at around 33:00 he references the b374k shell... that's about 8 years old!
Yeah m2 😊
It's time for some 4K videos John! :)
I'd love to see it in action :D
How do I send you malware? I found files named upl.php and index.php on Linux servers. I need help because I want to know where they are coming from.
Hey John, I watched your malware analysis videos but they're so complex...
Can you make a video about simple malware for beginners?
Network Chuck, Black Hat keynotes on YT, w3, and PC Security Channel all have great beginner content or advanced topics explained in simple to understand terms. I think John does a great job for entry level to intermediate, but may be hard to understand sometimes if you're a total beginner. Check them out.
Have You Never Heard About Internet Archive (The WayBack Machine)? 😅
Look up Fishpig Magento 2 supply chain attack.
8:34 - I am not any good at coding, but why is the malware trying to switch sperms on line 24 in stage2_modified.php? 🧐
Keep sending me malware is not something you hear everyday lol 😂
Would have been cool if you showed us the interface
Man, stopping mid deciphering was a bummer. The Take-Yourprizes URL had Shellcode it seems. When you curled it, we saw something. But the URL is down it seems, I get nothing anymore. Now, we will never know how deep this rabbit hole was.
Spin up a little php server and open that file up in a web browser! Show us what it looks like! Just turn off networking on the VM first. Also snip out that check for that hash so the page loads. It's probably got a sorta cool looking interface!
Ok.. I'll follow you on Twitter
How did this cpl.php end up on some of their servers? Was it uploaded via some form, and the attacker tried to execute it somehow but hopefully failed, and just left a trace of this junk file on the server?
Yeah, thanks to the gist comment and WordFence, I understood...
But basically, to protect against this happening, you just should not allow PHP files to execute in the uploads folder, I guess.
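As an added illustration of the mitigation suggested above (not from the video or the commenter), an Apache 2.4 `.htaccess` fragment placed in WordPress's `wp-content/uploads/` directory that refuses to serve PHP-like files dropped there, so an uploaded shell returns 403 instead of executing:

```apache
# Added example, not from the video: wp-content/uploads/.htaccess (Apache 2.4).
# WordPress only needs to serve static media from uploads/, so deny any
# request for a file whose name ends in a PHP-style extension (.php, .php7,
# .phtml, .phar). Denying the request means the handler never runs the file,
# whatever AddHandler/SetHandler configuration applies higher up the tree.
<FilesMatch "\.(php[0-9]?|phtml|phar)$">
    Require all denied
</FilesMatch>

# Belt-and-braces: also hide directory listings so dropped files are not
# discoverable by browsing uploads/.
Options -Indexes
```

This only takes effect if the vhost allows `.htaccess` overrides for the document root (`AllowOverride` including `Limit`/`Options`); a quick defensive check is to place a harmless `test.php` in uploads/, request it, and confirm a 403 rather than script output before deleting it.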
The Hello Dolly plugin is part of WordPress
I'm pretty sure it's included for new WordPress developers to learn about how to develop plugins. It's expected to be removed on a production site.
Absolute classic. You know these shenanigans if you work in the industry.
Open a file and see b64? Welp... your site is probably hacked.
It's such a pain to clean this shit up.
great video 👍
👍
People of the comments, inform me. ALL of the random emails that I get with PDFs, I'd like to tear into them and see what's inside. Please suggest a starting point.
Wtf is with the "Hey you won a price" in the comments section
The malware author looking at this like 👁️👄👁️
How can I find bugs in a website which is using an old PHP version (a website using PHP v5 🤩)?
"how to hack website pls I am script kiddie"
@lydianlights sure, ping me.
I will guide you😊
I've posted a tool that I created some time ago in your comment section... and it is just for that kind of malware... If you can't find it, hit me up and I'll send it to you :) It basically retrieves the actual code and you don't go through all the steps/stages... for the malware I was creating it for, it was 20+ stages... so... pain in the rear...
31:01 It could be a fake 404 to hide a webshell's presence
Hello Santa, where is the Cyber of Advent day 2 video?
@axelvirtus2514 I like John Hammond's videos 😌
WordPress*
Biks maga biks ?
My question is, how does the hacker put this shell on the server without access? That's the only question... who has the answer?
Contact Form 7 is the worst in security.
Dammit, my phone listens to my conversations
Good job hahahaha
RIP VK.
PHP: No plz no
Indonesia is here, dude
That was an Indonesian hacker
Yep
$perms
first
Please John, click on this, it is totally not malware and you will totally not get infected because of this
🤣🤣🤣
People use Microsoft, OMG, don't they know Linux is the go in 2022 and beyond!
WordPress sucks!
At around 30 minutes in, I think the malware was looking for other webshells in the system to maybe remove them? Quite confusing.
Yep, just wrote it too, but you were first! 😀 Totally agree with you.
@pinobeppo9287 👍
I found another one of these things in a website. What's your email? I'll send you the files
@PR2000 man that's obviously a scam comment
@maksymilianlewinski8619 I know
@maksymilianlewinski8619 I only wanted to see if he replies
@CalebHammer608 Wow. What a cool scam comment. Haha
Does fikker have vulnerabilities??