Exploiting NTFS alternate data streams on Windows to hide a webshell
This technique is nothing new; it was already documented a few years ago. I had never paid special attention to it before, but I ran into it by chance today, so I am writing it down.
First, run the following script. It opens the named stream ".txt" attached to x.php (creating x.php if it does not exist) and writes the payload into that stream rather than into the file itself:
<?php fputs(fopen("x.php:.txt", "w"), "<?php phpinfo(); ?>"); ?>
After x.php:.txt has been written, x.php shows a size of 0 KB, and opening it displays nothing, because the payload lives in the named stream and the file's main (unnamed) data stream is empty.
The following statements then include the stream:
<?php
include "./x.php:.txt";
?>
The code executes correctly and phpinfo() output appears: PHP hands the path to the Windows file API, which resolves the ":.txt" suffix as a named stream of x.php.
Further checks from cmd show nothing unusual: a plain dir listing still reports x.php as 0 bytes, because dir only counts the unnamed data stream. Note, however, that dir /R (available since Windows Vista) lists named streams explicitly, PowerShell's Get-Item -Stream * does the same, and Sysinternals streams.exe was written for exactly this, so the stream is hidden from a casual look, not from anyone who searches for it.
On NTFS this improves a webshell's ability to stay hidden. It is not 100% safe, but it is at least one way to evade a cursory inspection.
In practice, give the file that carries the stream a name that matches the site's own naming convention, or place it in some out-of-the-way temporary directory, and likewise name the PHP file that performs the include after the site's conventions, so that both files blend in.
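For the defender's side of the two points above (dir reporting 0 bytes, and the carrier file being named to blend in), the check a practitioner actually wants is to enumerate every named stream under the web root regardless of file name and look at what is inside. The following PowerShell script is an added example, not code from the original post; it assumes PowerShell 3.0 or later on an NTFS volume, and the web root path and the function name are placeholders chosen here.

```powershell
# Added example (not from the original post): list alternate data streams under a
# web root and flag any whose content looks like PHP code.
# Assumes PowerShell 3.0+ (Get-Item -Stream, Get-Content -Stream) on NTFS.
# The default web root is a placeholder; pass your own.

function Find-PhpInStreams {
    param(
        [string]$WebRoot = "C:\inetpub\wwwroot"
    )

    # Every file has the unnamed stream ':$DATA'; anything else is a named ADS,
    # such as the ":.txt" stream the post writes with fopen("x.php:.txt", "w").
    Get-ChildItem -LiteralPath $WebRoot -Recurse -File |
        Get-Item -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            # Read the stream itself, not the host file (whose size is still 0 bytes).
            $content = Get-Content -LiteralPath $_.FileName -Stream $_.Stream -Raw -ErrorAction SilentlyContinue
            [pscustomobject]@{
                File         = $_.FileName
                Stream       = $_.Stream
                Length       = $_.Length
                # '<?' followed by whitespace or 'php' catches both the short
                # open tag and '<?php', as used in the post's payload.
                LooksLikePhp = [bool]($content -match '<\?(php)?\s')
            }
        }
}

# Report everything, PHP-looking streams first.
Find-PhpInStreams -WebRoot "C:\inetpub\wwwroot" |
    Sort-Object LooksLikePhp -Descending |
    Format-Table -AutoSize

# To remove a confirmed malicious stream without touching the host file:
# Remove-Item -LiteralPath 'C:\inetpub\wwwroot\x.php' -Stream '.txt'
```

From cmd, dir /R on the same directory gives the quicker but less detailed view: it prints each named stream as "x.php:.txt:$DATA" with its own size on the line after the host file. Running the PowerShell check on a schedule, and alerting on any named stream that is not a known-benign one such as Zone.Identifier, turns the 0-byte trick into a detection rather than an evasion.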
I tried it myself, so I wrote it up and shared it.
I would like to thank those who did the original painstaking research.
If the article has any shortcomings, please forgive me.
I hope we can discuss it together!