
An example analysis of tracing a webshell upload event

2025-02-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article explains in detail an example analysis of tracing a webshell upload event. The editor thinks it is very practical, so I am sharing it as a reference; I hope you get something out of reading it.

Server inspection and webshell scanning

First of all, I knew that my first job was not to find the upload location. I should log on to the server, run a webshell inspection, and check whether it had been compromised, whether a backdoor had been left, and so on. Our company's IP address had been reported, and if a few webshells had been missed and someone else's upload had succeeded undetected, the server could already be compromised. So I went onto the server, uploaded a webshell scanning tool to check and clean, used `netstat -anpt` and `iptables -L` to determine whether a backdoor had been set up, checked whether any mining program was occupying the CPU, and so on; I won't go into the details here. Fortunately, the server hadn't been compromised, and then I started thinking about this upload point.

Review of the file upload vulnerability

First, I asked the developer I work with for the address the server exposes to the public. When I opened it, it looked familiar: I had tested it myself not long before. That left me a little confused, and I went over the remediation record with the developer. In my previous test I had found that this upload point used a whitelist and only allowed jpeg, png and other image formats. At that time I had also found that, although the upload was whitelisted and the uploaded file name was replaced by a random number following a time-based rule, the upload path and file name were still returned in the response. I had suggested that this be fixed, since otherwise the upload would still have a vulnerability, and the developer reported back that it had indeed been fixed and the path was no longer returned.

File suffix encoding bypass

After discussing and reviewing the previous fix, we sorted out our line of thinking. Then I logged on to the website to look for the cause; there was only one place on the site to upload pictures. I captured the request and replayed it with Repeater, and found that the response no longer returned the file upload path. I then tried all kinds of bypasses, none of which worked. After thinking hard without result, we asked what the reason for the alert raised by the cloud platform was. Reading the cloud platform's feedback, we found that there was image code in the file. That by itself is not a big problem: there is no permission to upload such a file, the file path is not returned, and the file name is randomly changed. But why was this jsp upload successful? This made me wonder.

When I looked carefully at the webshell data provided by the cloud platform, I noticed that the file name was base64-encoded. That confused me: there had been no encoding when I tested the random-name function, and none in my previous test either. Then it struck me where the problem lay. I used Burp Suite's Decoder module to base64-encode the file name "1.jsp" into "MS5Kc1A=" and sent the request: the response was status code 200, the success feedback, whereas a failed upload returns a 500 status code.

So the problem was that during the remediation the developers base64-encoded the file name, so that the file name is base64-decoded at storage time. When I uploaded the file with the suffix .jsp base64-encoded as well, the .jsp was decoded successfully during storage, and no whitelist check was applied after decoding. This encoding change was actually unnecessary: the original random number already replaced the file name, and adding encoding on top of it was superfluous. This is how fixing one bug introduced another.
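The following Python is an added example, not code from the article or from the site discussed; it reconstructs the bug described above under an assumption about the buggy flow (the whitelist runs on the name as received and is skipped when that value carries no extension, and the storage step then base64-decodes it), and places a hardened handler beside it that validates the name in the exact form it will be stored in, case-insensitively, and then discards the client's base name. The constructed inputs include "MS5qc3A=", the standard base64 of "1.jsp"; note that the string quoted in the article, "MS5Kc1A=", decodes to "1.JsP", which is why the hardened check lower-cases the extension before comparing it against the whitelist.

```python
import base64
import binascii
import secrets

# Image whitelist the article says the upload point enforced (lower-case).
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}


def split_ext(name):
    """Return the extension after the last dot, or '' when there is none."""
    _, dot, ext = name.rpartition(".")
    return ext if dot else ""


def decode_name(value):
    """Base64-decode a filename; None if the value is not valid base64 text."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def vulnerable_store(client_name):
    """Assumed reconstruction of the buggy flow: the whitelist is applied to
    the value as received, and only when that value carries an extension;
    the storage step then base64-decodes it.  'MS5qc3A=' has no dot, so the
    check is skipped and '1.jsp' is what lands on disk."""
    ext = split_ext(client_name)
    if ext and ext not in ALLOWED_EXT:
        return None                       # the article's 500 response
    final = decode_name(client_name) or client_name
    return f"{secrets.token_hex(4)}_{final}"   # constructed random prefix


def hardened_store(client_name):
    """Validate the name in the form the storage layer will actually use:
    decode first, reject anything that is not a plain file name, compare the
    extension case-insensitively, then keep only the vetted extension and
    generate the stored name server-side."""
    final = decode_name(client_name)
    if final is None:
        return None                       # endpoint expects encoded names
    if "/" in final or "\\" in final or "\x00" in final:
        return None                       # no path components in a file name
    ext = split_ext(final).lower()
    if ext not in ALLOWED_EXT:
        return None
    return f"{secrets.token_hex(8)}.{ext}"


if __name__ == "__main__":
    # Constructed sample names: encoded '1.jsp', encoded '1.JsP', encoded 'photo.png'
    for name in ("MS5qc3A=", "MS5Kc1A=", "cGhvdG8ucG5n", "evil.jsp"):
        print(f"{name:14} vulnerable={vulnerable_store(name)!s:24} "
              f"hardened={hardened_store(name)}")
```

Running the block shows the asymmetry the article describes: a plain "evil.jsp" is rejected by both handlers, so the whitelist appeared to work, while the encoded name passes the vulnerable handler and is stored as a .jsp. The hardened handler rejects both encoded variants and accepts only the encoded image name, storing it under a name the client never chose.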

This is the end of the article "An example analysis of tracing a webshell upload event". I hope the above content has been of some help to you; if you think the article is good, please share it so more people can see it.
