share your technology and add some temperature for safety

Posted by barello at 2020-04-05

About permission maintenance, I wrote a back door technology article based on the system side, such as image hijacking, LPK and so on. Of course, it's also a good way to do things on the web after you get the permission. PS: I hope the forum supports markdown earlier, or it will be very hard to typeset.

-Construct file contains vulnerability - hidden script Trojan - construct SQL injection point

>**Overview of this part: * * > * basic file contains posture > * make picture horse > * construct file contains vulnerability

-* * PHP file contains vulnerability introduction**

First, let's talk about File Inclusion vulnerabilities. Strictly speaking, File Inclusion Vulnerability is a kind of code injection. The principle is to inject a script or code that can be controlled by the user and let the server execute it. `A typical example of code injection is file inclusion. File Inclusion Vulnerability may appear in languages such as' JSP, PHP, ASP ', and the principle is the same. This experiment takes PHP file inclusion vulnerability as an example. To successfully exploit the File Inclusion Vulnerability, the following two conditions need to be met:

>1. The web application uses include() and other file inclusion functions to introduce the files to be included through dynamic variables; > 2. The user can control the dynamic variables.

In PHP, there are four functions for containing files. When you use these functions to contain files, the PHP code contained in the files will be executed. The differences between them are explained as follows:

>`Include(): when using this function to include files, only when the code executes the 'include()' function can the files be included. When an error occurs, only a warning will be given to continue to execute downward.

>`Include ou once(): the function is the same as' include() ', the difference is that when the same file is called repeatedly, the program calls only once.

>`Require(): the difference between 'require()' and 'include()' is that if an error occurs during the execution of 'require()', the function will output the error information and terminate the script. When using the 'require()' function to include a file, the file is called as soon as the program executes, while include() is called only when the program executes the function.

>`Require once(): its function is the same as' require() '. The difference is that when the same file is called repeatedly, the program calls only once.

####Step 1 the basic file contains the pose

All of the following steps are established when the target machine permission has been obtained.

Let's assume that we have got a sentence webshell of the target machine through a series of penetration tests in advance.

Suppose we know in advance that some script files of the target server have File Inclusion vulnerabilities, such as:

For example, we create a new file 'getshell. PHP' in the same directory as the vulnerability file 'include. PHP'. The content is a PHP one sentence Trojan horse:

Then we try to use the 'include. PHP' script Trojan 'getshell. PHP':

Click "enable post data" to call up the post data column, and post the following data:

The variable passed here is to view the environment variable of the current system by calling the 'system()' function of PHP to execute the 'set' command.

Of course, there is a Trojan file directly included here, which seems to be of no great significance when we already have webshell. Concealment is not very strong.

####Step 2 make a picture horse

PHP files contain files that are parsed as PHP files regardless of their format.

Then, if the malicious code is inserted into a normal web page picture, and the picture can be displayed normally after the malicious code is inserted, the concealment is enhanced.

In fact, the image Trojan has another meaning. In some websites, when we try to upload the shell through penetration testing, we will use the upload file, but sometimes there will be filtering. If we just upload the file at the end of `. ASP. PHP ', the system will not upload it to you. Then we usually put a sentence in the image, written as ` 1. ASP;. JPG or 1. ASP; The format of JPG is uploaded, so when uploading, the system detects that it is a picture, and then after uploading, the file will be treated as an ASP file.

So how to make a word trojan in the form of pictures?

First, we prepared a picture file '1. PNG' in the tool directory and a one sentence Trojan horse file 'hack. PHP'. When you are ready, open the command line in that directory and enter the following command:

At this time, we open two files for comparison and use Notepad to open them. We find that the content of '1. PNG' has added a sentence of our 'hack. PHP' Trojan statement to the picture.

Of course, the most important thing is that the picture written in a sentence can be opened normally. This is the purpose of this step:

Then, in the actual penetration test experiment, we usually download the original picture file of the website and replace it with a sentence Trojan horse, and finally achieve a certain hidden effect by replacing the original picture file.

Then let's try whether the Trojan horse can be used. First, upload 'test. PNG' to the root directory of the target machine through the file upload function of the Chinese kitchen knife:

Then we try to include a sentence picture Trojan horse 'test. PNG' through 'include. PHP':

Click "enable post data" to call up the post data column, and post the following data:

The variable passed here is to view the environment variable of the current system by calling the 'system()' function of PHP to execute the 'set' command.

Of course, a Trojan horse file is included directly here. It doesn't seem to make much sense when we already have webshell. Concealment is not very strong.

####Step 3 construct file contains vulnerability

So suppose that there is no File Inclusion Vulnerability in the script files on the server where we get the shell, we need to construct the vulnerability ourselves to achieve the effect of permission maintenance.

The construction of the script file containing the vulnerability in the file is relatively simple. Write a PHP file without any filtering using the 'include()' function call file. The file code and related comments are as follows:

Next, we will visit the following URL in the browser to include the picture Trojan horse 'test. PNG':

The PNG file here is regarded as PHP file parsing, so it directly shows the picture garbled code. At the end of the garbled code, we did not find a trace of our word Trojan, so we infer that our word Trojan has been parsed.

Then we click "enable post data" to call up the post data column, and post the following data:

The variable passed here is to view the environment variable of the current system by calling the 'system()' function of PHP to execute the 'set' command.

We can see the echo of 'net user' command under the picture scrambling.

So far, the picture Trojan has been successfully deployed and used.

>**Overview of this part: * * > * use 'preg replace' function to leave back door > * use encryption 'preg replace' function > * variant encryption back door

####Step 1 use the 'preg'replace' function to leave a back door

In fact, we can realize the hidden back door through the following code:

-'preg'replace' function prototype:

`/The E 'Modifier makes' preg'replace()' use the 'replacement' parameter as PHP code (after the appropriate reverse reference is replaced).

Tip: make sure that 'replacement' constitutes a legal PHP code string, otherwise PHP will report a syntax parsing error in the line containing 'preg'replace()'

The above code is post receiving data, which may not be intuitive. If you get the data instead, you can better understand:

For example, the code is as follows:

That is, access the following URL in the browser to pass the variable function 'phpinfo()'

As can be seen from the above figure, 'phpinfo()' will be executed (using the '/ E' modifier, 'preg'replace' will execute the 'replacement' parameter as PHP code).

In PHP, if there are variables in double quotation marks, the PHP interpreter will replace them with the result after variable interpretation, and the variables in single quotation marks will not be processed.

**Note: * * functions in double quotes will not be executed and replaced.

####Step 2 use the encryption 'preg'replace' function

We have prepared a PHP backdoor file to encrypt the 'preg'replace' function:

The contents of the document are as follows:

[PHP] plain text view copy code

The above code is finally decrypted, but it is actually a sentence webshell executed by using the '/ E' of 'preg'replace'.

The MD5 value '202cb962ac59075b964b07152d234b70' in the code is' 123 'in clear text.

Let's first upload 'test1. PHP' to the root directory of the target machine through the Trojan horse in the last step,

The Trojan is used to access the file and submit data similar to the following through post:

The post data column of Firefox's hackbar plug-in is not enabled by default. We need to check the part in the red circle above that has started the post column.

After starting the post column, we enter the following data in the 'post data' column to post to the server:

As shown in the figure above, the 'phpinfo()' function was executed successfully.

Of course, we can also execute system commands through the 'system()' function:

For example, post the following data through the hackbar plug-in of Firefox browser:

In the above post data, the system command 'set' is executed to view the current operating system environment variables, as shown in the figure above. We have successfully returned.

####Step 3 variant encrypted back door

We have prepared a PHP script backdoor here. The code is very wonderful. The source code is as follows:

[PHP] plain text view copy code

Above source code, just look at you can not see what clue. In order to facilitate you to see what the above code has done, we have done output debugging for the code, output the output of each step, and made some detailed explanations for the code:

[PHP] plain text view copy code

Then we use the Chinese kitchen knife to upload the above two files' base. PHP 'and' base1. PHP 'to the root directory of the website.

After that, we access the debugged 'base1. PHP':


As can be seen from the above figure, the output of PHP file after running is as follows:

We output the above code file step by step. At the end of the output, we find that the generated code is the classic PHP version one sentence Trojan horse file code:

`The specific URL address after base. PHP 'upload is as follows:

[Applescript] plain text view copy code

We can't access the file in Firefox and submit the following data directly using the hackbar plug-in: ` ` ` Z0 = phpinfo()```

We need to encrypt the assignment of the 'Z0' variable. The encrypted data form is as follows:

```Z0 = cghwaw5mbygpow = = ` ` let's directly select 'phpinfo();' in 'Z0 = phpinfo();', then click 'encoding' - > 'Base64 encoding', so 'phpinfo();' will be encrypted:

After encryption, click "execute" to submit:

As shown in the figure above, 'phpinfo()' function was executed successfully.

Then we can also try to execute system commands such as' net user ': Generally speaking, we submit the following data:

```z0=system('net user');```

Here we need to encrypt the 'system ('net user'); 'part of the variable assignment, select' phpinfo(); 'in the post column, and then click' encoding '- >' Base64 encoding '. Then the post data will become the following form:

```Z0 = c3lzdgvtkcd2zxinkts = ` ` after encryption, we click 'execute' to submit:

As shown in the figure above, the 'net user' command is executed successfully and we get clear return information.

>**Overview of this part: * * > * construct injection point > * utilize the injection point of the construct

This part takes PHP script and MySQL database as an example to demonstrate how to construct an injection vulnerability on the target machine after obtaining the permission of the target machine, so that we can maintain the permission secretly in the future.

####Step 1 construct injection point

Let's assume that we have got a sentence webshell of the target machine through a series of penetration tests in advance. Open the Chinese kitchen knife tool and add a sentence Trojan horse. Note that the database configuration information is filled in the following data (obtained in advance):

Use the Chinese kitchen knife to enter the database management function of the target machine:

Execute the following statement on the database management function page of Chinese kitchen knife to create a new database:

```create database sqlinject;```

Then exit the database management page, and you can see the new database 'sqlinjec' on the database management page again. Double click the database name to switch to the database:

Then execute the following statement to create tables and columns in the 'sqlinject' database:

``` create table admin(id int auto_increment primary key,username varchar(32) not null,password varchar(32) not null);```

Execute the following statement to write field values to the columns in the table:

```insert into admin (username,password) values ('admin',md5('admin')),('safe',md5('12345')),('test',md5('test'));```

Then we double-click to view the items under the 'inject' database, and we can see that the data has been written.

Next, we need to construct a script file to call the above database. The content of the script file is as follows:

[PHP] plain text view copy code

After the file is uploaded, we speculate according to the above script content that the SQL injection points are as follows:

Based on our previous knowledge of SQL injection, we try to read the relevant information of database users by constructing the following statements:

>`The concat() function puts multiple fields to be queried together

>`0x7c 'is the result of hexadecimal transcoding of the' | 'symbol, which is helpful for us to distinguish the fields at that time.

We have the following specific information:

In the actual penetration test, we can crack the password through the large-scale hash cracking platform of 'cmd5. Com'. Here we know through online cracking that the password value of this hash is' root '. This information can be used for subsequent MySQL authorization.

Later, suppose that the Trojan was deleted by the administrator in our previous sentence, but we can still use the SQL injection point we created above to write another script Trojan to the server.

Then we try to write a sentence webshell to the server here. The sample Trojan horse is as follows:

As shown in the figure, in a word, the result of Trojan encryption is:

[Applescript] plain text view copy code

The above statement is executed twice in a row. If the following error occurs, the file is written successfully:

At this point, we succeeded in early enough SQL injection point and successfully used it to write a new webshell to the target machine.

In this part, we mainly studied the following contents:

Through this experiment, we have learned the principle and utilization of several more peculiar hidden script Trojans, in order to maintain the permissions of the web side. We also learned how to make use of File Inclusion Vulnerability, how to make picture Trojan horse, and how to construct File Inclusion Vulnerability so that we can maintain the web-side permissions later, and how to construct SQL injection point on the web-side of the target server to maintain the permissions later.

Of course, there are a variety of web-side permission maintenance technologies, not only for this, you can't imagine it, and no penetration tester can't do it.

If sensitive operation is involved, please test within the scope permitted by law!

Step 3 of 0x02 in this paper: variant encrypted back door, which was previously recorded with reference to a cow's article of T00ls, can no longer find the original link, so there is no link attached.