Shulou(Shulou.com)05/31 Report--

This article mainly introduces the example analysis of GetShell, has a certain reference value, interested friends can refer to, I hope you can learn a lot after reading this article, the following let the editor take you to understand it.

0x00, what is WebShell?

One of the phased goals of penetration testing is to obtain the operation control rights of the target server, so WebShell arises at the historic moment. WEB in Webshell is the web service, and shell manages the interaction between the attacker and the operating system. Webshell is known as an attacker who has certain permissions on the Web server through the Web server port, while webshell often appears in the form of web page scripts. Common WebShell is written in asp, jsp and php, which provides functions such as executing system commands, uploading and downloading files, database management and so on.

The way 0x01 acquires WebShell

The action of obtaining WebShell, also known as GetShell, is not only the comprehensive embodiment of various capabilities of penetration testing, but also an important phased goal of penetration testing.

There are many ways of GetShell, such as file upload, SQL injection, command execution, file inclusion, parsing vulnerabilities and so on. Sometimes a loophole can be GetShell, and sometimes it takes a variety of loopholes to hit a combination of fists. So, communicate more in order to master more GetShell posture.

1. File upload vulnerability GetShell

Through the use of arbitrary file upload vulnerabilities can be the fastest access to WebShell, there are generally three common cases: (1) directly upload Trojan files to the target server; (2) bypass protection (the following does not include bypassing WAF protection, later there is time to introduce bypass WAF posture) restrictions on uploading Trojans; (3) CMS and other general arbitrary file upload vulnerabilities. In the penetration test of the target, the file upload interface can be found from front and background avatar modification, file import, picture upload and so on. In addition, you also need to find out whether there is a file upload vulnerability based on the identified site fingerprint. Here is how to upload WebShell for different situations.

(1) if the site does not have any protection, and the upload point does not have a security check, you can upload WebShell files directly. (2) simple protection exists in the site:

A) when the front end verifies the file suffix, you can first pass the allowed file type, and then grab the package to modify the file suffix.

B) when checking MIME, grab the package to modify Conten-Type to allow MIME type.

(3) ways to bypass the blacklist:

A) use special file suffixes Such as .php3, .php5, .php7, .phtml; asa, cer, cdx, aspx;jspx, jsw, jsv, jspf, etc., but not necessarily can be parsed.

B) use special characters with the Windows/Linux feature, such as uploading files with suffixes such as .php:: $DATA, ".php space" to the Windows server, because the Windows file suffix can not contain some special symbols, these files are saved on the Windows server with only .php suffix.

C) Apache 1.x, 2.2.x file parsing vulnerabilities, .php.xx.

D) suffix case, such as pHp.

E) use dual filename in the packet, such as filename= "1.jsp"; filename= "1.php".

(4) bypassing the whitelist:

A) 00 truncation, PHP is required

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.