2025-02-23 Update From: SLTechnology News&Howtos (Shulou.com), Network Security
Shulou (Shulou.com) 05/31 Report
Today I will walk you through an example analysis of maintaining access after a penetration test by using a DLL together with an IIS handler mapping under .NET. Many people may not know much about it, so the editor has summarized the following content; I hope you can take something away from this article.
0x01 Preface
For the permission-maintenance methods and steps introduced in this article, the author drew a simple flow chart, shown in the figure below.
Portal (related articles):
Exploring the ashx one-line Trojan based on .Net
Exploring the Asmx one-line Trojan based on .Net
Exploring the SVC one-line Trojan based on .Net
Hiding means (from the flow chart):
1. Using the App_Code directory: the attacker creates a class file there, writes the one-line Trojan in its code, and instantiates the class from another file to call it.
2. Directly uploading a DLL: the attacker builds a DLL locally, optionally packs it, and uploads it to the Bin directory.
3. Generating the DLL on the server: the attacker uses a WebShell to generate the DLL backdoor in the Bin directory.
The first method creates a class file in the App_Code directory containing the one-line Trojan, then goes back to the root directory to find a file to which code can be appended (or creates a new file) that calls the class. The second method builds a DLL locally, preferably packed, uploads it to the Bin directory, and then modifies the web.config file to add a handlers node that appends the mapping relationship. The third method generates the DLL in the server environment and modifies the mapping. The benefits are obvious: the contents of the one-line Trojan are held entirely inside the DLL, so traditional text-based file checking does not work, and because it is accessed through a .gif suffix and echoes an image CAPTCHA, it can also escape some IDS products that detect on traffic characteristics. The following sections explain the principles and implementation steps in detail.
0x02 DLL WebShell back door
Before introducing the DLL backdoor, two special directories in .NET applications need to be introduced: the App_Code directory and the Bin directory. Their purpose is to share code among multiple Web applications or pages. The App_Code folder can contain source code files with .vb, .cs and other extensions; they are compiled automatically at run time and can be accessed by any other code in the Web application. To demonstrate the effect, the author created a new App_Code directory and implemented the following code in About.aspx:
The code in Apptest.ashx is as follows; it outputs the sentence "Hello World, this is App_Code ProcessRequest".
The debugging output when run from VS is as follows.
If the Web application has an App_Code directory, the attacker hides a one-line Trojan in a method of a file in that directory which happens to be called by other files reachable from outside, achieving a more hidden backdoor; but this concealment will still be caught by D Shield or Safe Dog. Obviously this method is not the best choice, so consider placing the code in a DLL file under the Bin directory instead.
As for the purpose of the Bin directory in a .NET application, the first paragraph of the documentation says: the Bin folder holds compiled assemblies, and other code anywhere in the Web application automatically references this folder. A typical example is a custom class you compiled: copy the compiled assembly to the Bin folder of your Web application so that all pages can use the class. Assemblies in the Bin folder do not need to be registered; as long as the .dll file exists in the Bin folder, .NET recognizes it. If you change the .dll file and write a new version to the Bin folder, .NET detects the update and uses the new version of the .dll for subsequent page requests. Next, the author assumes that a WebShell already exists on the server and creates an ashx "pony" (small webshell); note that the code is C#, and the file suffix can be anything, here C:\inetpub\wwwroot\AdminWeb.txt, as shown in the following figure.
After saving, go to the CMD window of the WebShell and call csc.exe to compile AdminWeb.txt. csc.exe is a tool provided by .NET that compiles .cs files from the command line. On a host with the .NET environment installed, csc.exe is located by default in the C:\Windows\Microsoft.NET\Framework\[.NET version number] directory; for example, installing VS also installs version 2.0 automatically. Enter /? on the command line to see the full help.
Here /t:library means generate a DLL, the /r parameter references a DLL, and the -out parameter gives the location of the generated DLL, which obviously needs to be the Bin directory. The complete command is as follows:
Seeing the following output indicates that the command executed successfully.
The result of the WebShell execution is shown in the figure.
Then jump to the site's Bin directory to see that the desired AdminWeb.dll file has been created successfully; the DLL version of the backdoor program is complete.
At this point the attacker will naturally think of calling the DLL's method from an existing file. The author created a new c.aspx file and wrote a piece of code that instantiates the AdminWeb class from the DLL; the following code triggers its constructor.
Previewing gives the following result: while the class is instantiated, the constructor is called automatically and the DOS command Set is executed.
Following this approach, no characteristics of an ASPX horse can be found on the server any more; at most the newly created c.aspx file looks suspicious, but the name of the method it calls looks very ordinary, and even if the administrator scans with D Shield or Safe Dog, no clue is found. This is also a way of maintaining backdoor permissions. But the author was not satisfied, so a more covert method is introduced next.
0x03 HttpHandler mapping
In the earlier article introducing ashx we mentioned ISAPI, which passes different requests to different handlers based on the file-name suffix; almost half of all file accesses are handled by aspnet_isapi.dll. Clearly aspnet_isapi.dll handles different requests differently. Looking at the configuration definitions in C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\web.config, you can see that ashx is mapped through a customizable mapping relationship, such as the following configuration:
The path attribute is required in the configuration item; it specifies the path, which can be a single URL or a simple wildcard string such as *.ashx. The other attributes are described in the following table.
Attribute      Description
name           Handler mapping name
type           Required. Comma-separated class/assembly combination; generally corresponds to a DLL in the Bin directory
verb           Required. Can be GET/POST/PUT, or a wildcard * as in a script mapping
preCondition   Optional. Can be Integrated / Classic
validate       Optional. Generally true
Below the author demonstrates how accessing a CAPTCHA image through the browser achieves command execution: first, the name attribute is set to a name disguised as that of a normal handler, PageHandlerFactory-ISAPI-2.0-32; the path attribute can be set to any name, here a gif image, which is where the CAPTCHA is implemented; the verb attribute is * to accept any request; type is the most important attribute, the namespace.class name; the preCondition attribute is set to integrated mode (IIS7 performs well with it).
The author wrote a C# pony, saved as IsapiModules.Handler.cs, implementing three functions: generating a CAPTCHA, creating a one-line aspx file, and executing a cmd command. The purpose of generating the CAPTCHA is better self-concealment: the data returned over HTTP is an image file. The code snippet is shown below.
Then generate IsapiModules.Handler.dll on the command line; the command to generate the DLL is as follows:
Finally, you only need to add the handlers/httpHandlers node to the Web.config file in the site's root directory; note that on IIS6 the following configuration is added
On IIS7 in integrated mode, configure this
Once configured, the mapping PageHandlerFactory-ISAPI-2.0-32 defined by the author is registered in the IIS7 manager's handler mapping list. The name is very close to the system's PageHandlerFactory-ISAPI-2.0, but it is indeed a disguise.
Open a browser and enter http://ip/anything.gif?a=c&p=cmd.txt&c=ipconfig; the response is a CAPTCHA image, the disguise is very good, and an IDS does not detect it easily.
At this point cmd.txt has been generated on the server, containing the IP configuration information.
Imagine leaving behind such a perfect backdoor program: whether or not parameters are added, it outputs a CAPTCHA image, so it can bypass some endpoint products and traffic detection and achieve a good hiding effect.
0x04 Concealing the one-line Chopper webshell
To make a one-line webshell usable by Chopper (the "kitchen knife" client), JScript.NET must be introduced, and the jsc.exe bundled with the .NET Framework is used to compile the js script. For jsc.exe commands, refer to https://docs.microsoft.com/zh-cn/previous-versions/visualstudio/visual-studio-2010/7435xtz6(v=vs.100)
The author creates a new IsapiModu1e.Handler.js with the following implementation code
Call jsc.exe in the WebShell to compile the js script; enter
Jump to the Bin directory to get the compiled DLL
Modify the Web.config configuration to add the new DLL mapping relationship; the whole Chopper backdoor configuration is complete.
Visit the image Chopper address http://ip/news.gif; the following picture shows the Chopper horse running successfully.
Chopper also connects successfully without any trouble.
Finally, the author downloaded several common scanning and killing tools; unsurprisingly, both the previously explored one-line Trojan and the obfuscated DLL evade detection.
0x05 Summary
1. The backdoor implemented this way is so hidden that administrators have difficulty finding it, so it can be maintained for a long time.
2. The DLL can also be generated locally and further obfuscated or packed, etc., to evade antivirus software on the server side.
3. For the article's code snippets and DLL downloads, refer to https://github.com/Ivan1ee
4. A compiled and obfuscated DLL is already on GitHub.
5. The MD5s of the unobfuscated DLLs are:
IsapiModu1e.Handler.dll => MD5 (39cbf41b99a3751b3ff755509e35b1ae), IsapiModules.Handler.dll => MD5 (e891914d65f28822aaf2d13ae984eee6)
6. The MD5s of the DLLs after packing and obfuscation are:
IsapiModu1e.Handler.dll => MD5 (8cc5a23e925aa52d0ae80bec8ab28f88), IsapiModules.Handler.dll => MD5 (7cbba64946ecbc824c2cca1192b16684)
0x06 Defense measures
1. As an administrator, check the handler mapping relationships in Web.config.
2. Troubleshoot illegal mapping relationships through the IIS server manager.
3. For hidden ponies, a traditional IDS is difficult to rely on; endpoint protection needs to work together with it to detect and kill them.
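A defender-side check for points 1 and 2 above, added here as an example and not code from the original article: it parses a web.config (a constructed sample, not the author's, is embedded) and flags handler entries whose non-System type is bound to a static image or text extension, accepts every verb, or reuses a built-in handler's name. The extension list and the handler-name prefixes are my own assumptions.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample web.config (not taken from the article): one ordinary ASP.NET mapping
# plus a disguised entry of the kind described above (image extension, any verb, custom DLL).
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <httpHandlers>
      <add verb="*" path="*.ashx" type="System.Web.UI.SimpleHandlerFactory" validate="true"/>
    </httpHandlers>
  </system.web>
  <system.webServer>
    <handlers>
      <add name="PageHandlerFactory-ISAPI-2.0-32" path="*.gif" verb="*"
           type="IsapiModules.Handler, IsapiModules.Handler" preCondition="integratedMode"/>
    </handlers>
  </system.webServer>
</configuration>"""

# Extensions IIS normally serves as static content; a managed handler bound to one of them
# is the "CAPTCHA image" trick. Assumed list, extend it for your own sites.
STATIC_EXTENSIONS = {".gif", ".jpg", ".jpeg", ".png", ".bmp", ".ico", ".txt", ".css"}
# Name prefixes of built-in ASP.NET handlers that a disguised entry may imitate (assumed list).
SYSTEM_HANDLER_PREFIXES = ("PageHandlerFactory", "SimpleHandlerFactory",
                           "WebServiceHandlerFactory", "StaticFile")

def iter_handler_entries(root):
    """Yield (section path, <add> element) from the classic and the integrated sections."""
    for section in ("system.web/httpHandlers", "system.webServer/handlers"):
        for add in root.findall("./" + section + "/add"):
            yield section, add

def audit_handlers(xml_text):
    """Return (section, handler name, reason) for every suspicious mapping found."""
    findings = []
    for section, add in iter_handler_entries(ET.fromstring(xml_text)):
        a = add.attrib
        name = a.get("name") or a.get("path", "?")
        ext = os.path.splitext(a.get("path", ""))[1].lower()
        typ = a.get("type", "")
        # A type outside System.* is resolved from Bin (or the GAC): a custom assembly.
        custom = bool(typ) and not typ.startswith("System.")
        if custom and ext in STATIC_EXTENSIONS:
            findings.append((section, name, f"custom type {typ} bound to static extension {ext}"))
        if custom and a.get("verb", "").strip() == "*":
            findings.append((section, name, f"custom type {typ} accepts every HTTP verb"))
        if custom and name.startswith(SYSTEM_HANDLER_PREFIXES):
            findings.append((section, name, "built-in handler name used with a non-System type"))
    return findings
```

Run audit_handlers on the Web.config text of each site root and compare every finding with the entries shown in IIS Manager; a legitimate custom handler can also trip the verb check, so findings are leads, not verdicts.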