From: Emperor
InfoGuard, or iGuard for short, is commonly known as a tamper-proofing tool for web files. It was a big topic last night. After studying it, I found a solution and wrote it down.
First, the effect of this tool. If a webshell is dropped on the server and is not removed, the file still exists on the server, but it does nothing when accessed.
A bit depressing, isn't it... but it doesn't matter. We can find the InfoGuard directory; here mine is C: TerceliGuardSyncServer
There is an a.conf file here; open it.
I could vaguely make out some of it, but it was not very clear.
After some effort, I finally figured out the parameters in the configuration file.
[System]
SignDB = C: TerceliGuardSyncServersigndbiguard.db
Vid = BV8CcwNN6iH3dEAw
[Dirs]
D: Inetpubgameto
The meanings are as follows:
SignDB: the path of the watermark database;
Vid: the initialization vector of the watermark database; it matches the first line of the publishing server's identification file, iguard.dat;
[Dirs]: the directories and files to be scanned for watermarks, one directory or file per line.
Now it should be clear: we replace the entries under [Dirs] with the path of our webshell. But that is not all yet.
After iGuard is installed, a wmktool.exe program is used together with the configuration file. This program adds a watermark to files, and the watermark is used to determine whether a file has been modified. The file we uploaded is new and has no watermark, so of course it cannot be used.
Find wmktool.exe in the same directory as a.conf and execute it.
We can see that all files have been processed.
Open our shell and check it out.
Is it OK?
Of course, you must first have a shell and have permissions. Otherwise, you will have to find a solution yourself.
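From the defender's side, the technique above depends on an edited [Dirs] list being accepted without question, so the configuration file is worth checking against an approved copy kept off the server. The following is an added example, not part of the original post and not iGuard's own code: it parses the a.conf layout described above and reports deviations from a baseline. All paths and the Vid value are constructed sample data, and the function names are hypothetical.

```python
# Added example: audit an a.conf-style watermark configuration against an
# approved baseline. The parser follows the layout described in the post:
# key = value pairs under [System], bare paths (one per line) under [Dirs].

def parse_conf(text):
    """Return (system_settings, dirs) parsed from the configuration text."""
    system, dirs, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "system" and "=" in line:
            key, value = line.split("=", 1)
            system[key.strip().lower()] = value.strip()
        elif section == "dirs":
            dirs.append(line)  # paths contain ':' so configparser would misread them
    return system, dirs

def norm(path):
    """Normalise a Windows path for comparison (case, slashes, trailing slash)."""
    return path.replace("/", "\\").rstrip("\\").lower()

def audit(conf_text, baseline_text):
    """List every way conf_text deviates from the approved baseline."""
    sys_c, dirs_c = parse_conf(conf_text)
    sys_b, dirs_b = parse_conf(baseline_text)
    findings = [f"{key} differs from baseline"
                for key in ("signdb", "vid") if sys_c.get(key) != sys_b.get(key)]
    approved = {norm(d) for d in dirs_b}
    findings += [f"unapproved [Dirs] entry: {d}"
                 for d in dirs_c if norm(d) not in approved]
    return findings

# Constructed sample data (not real iGuard paths or values).
BASELINE = r"""[System]
SignDB = C:\example\signdb\iguard.db
Vid = CONSTRUCTEDVID0001
[Dirs]
D:\example\webroot
"""
SUSPECT = r"""[System]
SignDB = C:\example\signdb\iguard.db
Vid = CONSTRUCTEDVID0001
[Dirs]
D:\example\webroot\upload\page.asp
"""

if __name__ == "__main__":
    for finding in audit(SUSPECT, BASELINE):
        print(finding)
```

Any finding means the watermarking scope was changed outside the normal publishing process and the listed paths should be reviewed before they are trusted.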