Webshell实现与隐藏探究,webshell实现探究
Webshell实现与隐藏探究,webshell实现探究
一、什么是webshell
webshell,顾名思义:web指的是在web服务器上,而shell是用脚本语言编写的脚本程序,webshell就是就是web的一个管理 工具,可以对web服务器进行操作的权限,也叫webadmin。webshell一般是被网站管理员用于网站管理、服务器管理等等一些用途,但是由于 webshell的功能比较强大,可以上传下载文件,查看数据库,甚至可以调用一些服务器上系统的相关命令(比如创建用户,修改删除文件之类的),通常被 黑客利用,黑客通过一些上传方式,将自己编写的webshell上传到web服务器的页面的目录下,然后通过页面访问的形式进行入侵,或者通过插入一句话 连接本地的一些相关工具直接对服务器进行入侵操作。
webshell根据脚本可以分为PHP脚本木马,ASP脚本木马,也有基于.NET的脚本木马和JSP脚本木马。在国外,还有用python脚本语言写的动态网页,当然也有与之相关的webshell。 根据功能也分为大马与小马,小马通常指的一句话木马,例如:通常把这句话写入一个文档里面,然后文件名改成xx.asp。然后传到服务器上面。这里eval方法将 request(“pass”)转换成代码执行,request函数的作用是应用外部文件。这相当于一句话木马的客户端配置。服务器配置(即本机配置): Default| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 | form action=http://主机路径/TEXT.asp method=post> textarea name=value cols=120 rows=10 width=45> set lP=server.createObject("Adodb.Stream")//建立流对象 lP.Open //打开 lP.Type=2 //以文本方式 lP.CharSet="gb2312" //字体标准 lP.writetext request("newvalue") lP.SaveToFile server.mappath("newmm.asp"),2 //将木马内容以覆盖文件的方式写入newmm.asp,2就是已覆 盖的方式 lP.Close //关闭对象 set lP=nothing //释放对象 response.redirect "newmm.asp" //转向newmm.asp /textarea> textarea name=newvalue cols=120 rows=10 width=45>(添入生成木马的内容) /textarea> BR> center> br> input type=submit value=提交> |
大马的工作模式简单的多,他没有客户端与服务端的区别,就是一些脚本大牛直接把一句话木马的服务端整合到了一起,通过上传漏洞将大马上传,然后复制 该大马的url地址直接访问,在页面上执行对web服务器的渗透工作。但是有些网站对上传文件做了严格的限制,因为大马的功能较多,所以体积相对较大,很 有可能超出了网站上传限制,但是小马的体积可以控制(比如把代码复制很多遍,或者在一个乱码文件中夹入代码),但是小马操作起来比较繁琐,可以先上传小马 拿到webshell,然后通过小马的连接上传大马拿到服务器。
二、如何上传webshell
1.解析漏洞上传
现在对于不同的web服务器系统对应的有不同的web服务端程序,windows端主流的有iis,linux端主流的有nginx。这些服务对搭建web服务器提供了很大的帮助,同样也对服务器带来隐患,这些服务器上都存在一些漏洞,很容易被黑客利用。(1)iis目录解析漏洞
比如:/xx.asp/xx.jpg 虽然上传的是JPG文件,但是如果该文件在xx.asp文件夹下,那个iis会把这个图片文件当成xx.asp解析,这个漏洞存在于iis5.x/6.0版本。(2)文件解析漏洞
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
How to implement webshell upload under nginx load balancing
May 16, 2023 am 08:16 AM
Scenario description assumes that in a real production environment, there is an RCE vulnerability, which allows us to obtain the installation of the WebShell environment. First, before pulling the vulnerable image on GetHub, we need to install nginx and tomcat on centos in advance and configure nginx and tomcat. Configuration file, use docker to pull down the image, and reproduce the vulnerability. 1. Set up the docker environment first. 2. Test whether tomcat can be accessed. As can be seen from the above figure, the back-end tomcat is accessible. 3. Check the load balancing of nginx reverse proxy in docker. 4. Check the ant in lbsnode1 in docker. .jsp text
How to analyze and trace the source of WebShell file upload vulnerability in Mozhe Shooting Range
Jun 01, 2023 am 08:55 AM
1. After opening the URL, it was found that it was an upload page. 2. Directly uploaded the file with the suffix php, but found that it could not be uploaded. 3. Use BurpSuite to capture the packet, and change the suffix of the uploaded file with the suffix php to php5 to bypass it. After 4. Use a kitchen knife to connect. In the directory of var/www/html, a file with KEY is found. Open it and you will see key5. Open another URL, which is also an upload page, but the upload list is set. Only Allow files with the suffix .gif.jpg.png to be uploaded through 6. We write a txt one-sentence Trojan and change its suffix to jpg7. When uploading, use BurpSiuit to capture the packet and modify the file suffix to display
WebShell security settings of Pagoda panel
Jun 21, 2023 pm 04:35 PM
As Internet security issues become increasingly prominent, the security of major websites and applications has become an increasingly important issue. Especially in website operation and maintenance management, tools such as WebShell are often needed for maintenance and repair. However, WebShell is also often used by hackers and becomes an entry point for attackers to invade. This article will introduce the WebShell security settings of the Pagoda Panel to help website administrators improve the security of the site. 1. The concept and common uses of WebShell 1. Concept WebShell is
What is the performance analysis of WAF on WebShell traffic detection?
May 16, 2023 pm 07:47 PM
Local environment setup Judging from the retained screenshots, the other party's PHP version is 5.6.40, so I want to set up a test environment of apache+php5.6.40. Open virtualbox, copy the link to the centos image system, and configure it according to the following process. 1.Install apacheyuminstall-yhttpdhttpd-vServerversion:Apache/2.4.6(CentOS)Serverbuilt:Aug8201911:41:182.Install php5.6yum-yinstallepel-releaserpm-Uvhhttps://mi
A brief discussion on the Webshell of the Empire CMS framework
Mar 16, 2021 am 10:48 AM
This article introduces you to the Webshell of the Empire CMS framework. It has certain reference value. Friends in need can refer to it. I hope it will be helpful to everyone.
Website vulnerability repair: Example analysis of uploading webshell vulnerability patching
May 30, 2023 pm 01:49 PM
SINE Security was conducting website vulnerability detection and repair on a customer's website and found that the website had serious SQL injection vulnerabilities and uploaded webshell website Trojan file vulnerabilities. The website used a CMS system, developed using PHP language, and the MySQL database architecture. The source code of this website is currently open source. A certain CMS is a social CMS system that focuses on providing paid knowledge. Payment for knowledge is in high demand on the current Internet. This system can share documents and download them for a fee. The knowledge content published by users can be hidden and provided to paying customers. read. The code is relatively streamlined and is well liked by the majority of webmasters. The vulnerability of this website mainly occurs when uploading the compressed package and constructing malicious decompression code to refer to the w in the zip package.
Example analysis of webshell uploaded traceability events
May 12, 2023 pm 02:43 PM
First of all, I understand that what I have to do is not to find where the uploaded location appears. I should log on to the server to perform webshel inspection and inspection to see if it has been invaded by others, whether there is a backdoor, etc. etc. Although the IP address reported is our company's IP address, if a few webshells are missed and uploaded successfully by others but not detected, what can we do if the server is invaded? So I went up to inspect the server, uploaded this webshell killing tool for killing, used netstat-anpt and iptables-L to determine whether there was a backdoor established, checked whether there was a mining program occupying the CPU, etc., I will not go into details here. . Fortunately, the server was not compromised, and then
What is the webshell analysis of obfuscated deformation?
May 19, 2023 pm 11:07 PM
What is WebShell? In the beginning, Webshell was often used as the abbreviation of a type of script used by Web server administrators to remotely manage the server. Later, with the birth of some Webshell management tools, the process of obtaining Web permissions was greatly simplified, so it was gradually called a Web intrusion tool script. Webshell is different from vulnerabilities, but uses application vulnerabilities or server vulnerabilities (file upload vulnerabilities, file inclusion vulnerabilities, etc.) to upload script files to the server for subsequent exploitation. It belongs to the subsequent exploitation of penetration testing and the TA0002Execution (execution) stage of ATT&CK. Figure 1TA0002 reference source: https
