Practical solutions for Google search WebShell

With the powerful features of Google search, you can be opportunistic in some cases, so that you can easily pull "chicken ". For most security enthusiasts, intrusion tools are traditional and put into use with slight modifications. Many of these users prefer to add their own labels, such as "JFolder New4 modified version" in this case ", declare "this is a tour of xx "! In fact, when you conquer a server and leave a Webshell, you can also take advantage of it. The following describes how to handle Webshell.
1. Search for the corresponding Webshell keyword through Google

Enter "JFolder New4 modified version" in the Google search box and some results will be displayed, as shown in 1. Eight results will be displayed. In some cases, due to key positioning issues, there may be a relatively small number of search results. In this case, you can click "include the omitted results into the search range and then re-search" under the search results ", to obtain more search results related to this keyword.

Figure 1 search for Webshell by key

2. Process search results

Although Google searches for key results, sometimes these webpages may not be able to open or run scripts. Useful records are those records that can normally display webshells. For example, in this example, a total of 8 records are obtained. After the actual test, 2 shows that "JFolder_By_New4" is left on the Webshell page, and "JFolder New4 modified version" is displayed on the title bar of the webpage ", the text and tags displayed on the Webshell can be the key to Google search. In this test, a total of four webshells can run normally:

(1) http: // yh ***. km ***. net/UPLOAD/info/1253544968234/job.jpg. jsp

(2) http://www.s *** c.org/upload/z#/8/job.jsp

Http://www.s *** c.org/uplOAd/2105/job.jsp

(4) http://www.e *** z.com: 8080/ewzbOArd/chedITor/attach/SUaYQDXP. jsp

 

Figure 2 test the normal Webshell

3. Crack the Login Password

Currently, all webshells require that you enter a password to protect webshells from being used by others. Therefore, you can only enter some common passwords based on your experience to test the password.

4. Vulnerability Testing

If you search for Webshell through Google, the website or server may have vulnerabilities. Therefore, you can use vulnerability analysis to reproduce the attack process. The quickest way is to list directories. Of course there are other vulnerability analysis methods, such as using SQL Injection tools to scan SQL injection vulnerabilities. A directory list vulnerability occurs when multiple Webshell addresses exist. You can view the directory list to find other webshells and vulnerabilities. When looking for such vulnerabilities, you can expand them to browse some file directories and access or download some special files. To Webshell address "http://www.en ****. com: 8080/ewzbOArd/chedITor/attach/SUaYQDXP. jsp "for example, 3, remove the specific file name of Webshell, and then press enter to view the list of all files in the directory.

Figure 3 directory list vulnerability Test

5. Obtain Webshell

The "attach" in the address bar shows that the files in this directory should be of the specified file type, such as images. Multiple jsp files are displayed in this folder. by browsing and testing these files one by one, 4. After testing several Jsp files, you can finally obtain the Webshell of the website. The Webshell is JFolder1.0 and can be accessed without a password.

Figure 4 getting Webshell

Note:

(1) You can use "sITe: www.xxxxx.com filetype: jsp" to locate and search a website. Enter "site: www.enwiz.com filetype: jsp" in Google to search. Two JFolder Webshell results are displayed, as shown in Figure 5.

(2) other Google search techniques can be used to search and locate websites. The purpose of searching is to obtain more information to support further penetration. 5. Record the address "www. e ****. com: 8080/ewzboard/chedITor/attach/bngbxlXS. JFoler 1.0 --- A jsp based web folder management tool by Steven Cee. en ****. com: 8080/ewzboard/cheditor/attach/SUaYQDXP. jsp ".

 

Figure 5 search by Google

6. Implement control

Upload a Webshell of your own based on the existing available Webshell, and then perform Elevation of Privilege and further penetration control on the server. In the process of penetration control, you can actively collect and analyze data, as shown in figure 6. Package and download the Webshell in this directory to a local machine, and then analyze and process the code, collect Webshell passwords, organize and improve webshells, and learn from each other through analysis to deepen understanding and absorb advantages! Add new "equipment" in the penetration weapons library, and in some cases may get something that is not intended.

 

Figure 6 Webshell collection

Note:

(1) After obtaining Webshell, you must check the website configuration file, database configuration file, and database. If possible, you can save these files or information to your local device, this facilitates re-penetration and re-control.

(2) After obtaining the Webshell, you can analyze the websites or servers under control from the perspective of security evaluation and reinforcement to see which server vulnerabilities exist. If you are a maintainer, how to fix vulnerabilities and reinforce the system?