K7

K7Blog

须知少年凌云志 曾许人间第一流.
proton
telegram

Backdoor Baota is really amazing.

Forgive me for updating three times a day. The first two articles were just boring records of the process I hadn't recorded before, and this article is the actual topic for today.

The title does not mean that I discovered some backdoors in Baota, but rather that the program itself has some issues. As someone who knows nothing about technology, I was able to find this vulnerability just by watching a short video. Should I praise myself for being smart or blame Baota for this?

Incident:#

While watching a video on Bilibili, I found someone selling virtual hosts claiming that their virtual host sales system had vulnerabilities. Others could freely access all directories under /www/wwwroot/ and even delete or modify files. They demonstrated a simple case of success in the video, but the window in the video was not fully visible.

When I heard this, I remembered that I had downloaded a PHP webshell from GitHub before, and there was a security mode. Before enabling it, I could only access the current website directory, but after enabling it, I could access all directories and files under /www/wwwroot/, including some other directories. Because Baota enables cross-site attack prevention (open_basedir) by default when creating a new website, it may require special methods to bypass it. Previously, I could easily find the PHP webshell on Google by searching for "PHP webshell GitHub", but now I can't find that version of the file anymore. So I started to desperately search and download for testing, but couldn't achieve the same effect.

What I thought at the time was, if I were also selling virtual hosts and had this file, I could purchase other people's virtual hosts and upload the file to destroy and inject malware into their websites. In the end, I still couldn't find that version of the file.

Then I watched the video frame by frame, looking for some clues to see if I could figure it out. Later, I found out that he was using the Chinese AntSword and DreamNai Baota virtual host sales system. The DreamNai system has the same effect as BTHost, using Baota's API to create and manage websites, and distributing Baota's resources.

Chinese AntSword is a penetration testing tool similar to the Chinese TroopRat. I knew about the Chinese TroopRat tool a long time ago, but I never played with it or knew how to use it. So I downloaded Chinese AntSword and started testing like crazy, and finally found this vulnerability.

Vulnerability Reproduction:#

Before writing this article, I not only tested it on my local Baota, but also found a service provider using the same DreamNai virtual host sales platform, and purchased a virtual host for testing. And for the rigor of the title, I even set up a new server with LNMP environment and built a WordPress site for testing.

Local Testing:#

First, of course, is our Baota environment, and then Chinese AntSword, a simple Nginx+PHP7.2.

Chinese AntSword GitHub: https://github.com/AntSwordProject/antSword
Official Documentation: https://www.yuque.com/antswordproject/antsword
Pre-compiled Software: https://github.com/AntSwordProject/AntSword-Loader

It was my first time using it and doing this kind of thing. I directly created a PHP file based on the official documentation:

<?php eval($_POST['ant']); ?>

I obtained my own shell based on the documentation First Shell and added it.

Because the website was added directly in Baota and the cross-site attack prevention (open_basedir) was enabled by default, you could still access files outside the current directory and edit them.

Snipaste_2024-04-07_19-25-17

Our current user permission is www, so we still cannot modify files owned by the root user.

At first, I tested it using PHP 7.4, but it wasn't as simple as I thought. If I didn't change the PHP version, I would probably still be struggling (I saw a video on a public account that used PHP 5 for testing, so I changed it too). However, there is another way to access files.

Right-click on a blank space in Chinese AntSword, open the plugin center, and install a plugin called "Bypass disable_functions":

Snipaste_2024-04-07_19-29-51

When writing the article, I found the introduction on GitHub: Break through disable_functions to execute system commands and bypass security mechanisms such as open_basedir. Now I don't understand why I couldn't access directories as easily as before. Maybe my next steps can be considered as bypassing.

Select the shell we added, right-click on the plugin center to open the plugin we downloaded, and run it in the mode I selected in the picture:

Snipaste_2024-04-07_19-34-45

A simulated terminal will pop up, and we can access other directories. I also tested that I could delete files.

Snipaste_2024-04-07_19-42-58

It's that simple, but it took me a long time to figure it out.

Virtual Host Provider Testing:#

I got a free virtual host and created a simple PHP file just like before, with PHP version set to 7.2.

The vulnerability was successfully reproduced:

Snipaste_2024-04-07_19-46-36
Snipaste_2024-04-07_19-47-03
Snipaste_2024-04-07_19-47-25

Editing and downloading files worked without any issues.

LNMP Script Testing:#

After running the LNMP script, I directly downloaded and extracted WordPress under /home/wwwroot/default/, and set it up. I wanted to prepare a template file that would simulate the process of being logged into the backend with a weak password and then injecting a shell. However, I encountered file permission issues, and even after solving them, it asked me to input FTP credentials for uploading, so I skipped it.

I directly created a shell in the directory, which was also in a PHP 7.2 environment. However, I couldn't directly access other files in the current directory. It was the same as when I was using PHP 7.4 in Baota, where I needed to use the "Bypass disable_functions" plugin in the terminal to access them.

Conclusion:#

I now understand what a webshell is, and Baota installed with PHP 7.2 (and possibly versions below) can directly and easily modify files. LNMP installed with PHP 7.2 has some permissions that need to be resolved.

The solution is to go to Baota's Software Store and install the "Baota PHP Security Protection" plugin, but it requires payment. You can install a cracked version to solve this issue. However, it can only solve the webshell I tested, and I don't know about others.

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.