202212_风二西_冰蝎流量分析
Tags:流量分析,冰蝎木马,rebeyond,AES,pyshark
0x00. 题目
附件路径:https://pan.baidu.com/s/1GyH7kitkMYywGC9YJeQLJA?pwd=Zmxh#list/path=/CTF附件
附件名称:202212_风二西_冰蝎流量分析.zip
0x01. WP
分析及解密脚本
exp.py
# -*- coding: utf-8 -*-
import pyshark, base64, re, urllib.parse
import hashlib
from Crypto.Cipher import AES
# 为了解决报错:This event loop is already running
import nest_asyncio
nest_asyncio.apply()
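def getDATAbyACK(intACK):
    """Reassemble the TCP payload of every packet whose ACK number is *intACK*.

    Packets are read from the module-level capture ``strCapPath`` with a
    ``tcp.ack==<intACK>`` display filter; the hex ``payload`` field of the
    third protocol layer (index 2) of each packet is decoded as text and
    the pieces are concatenated in capture order.

    Args:
        intACK: TCP acknowledgement number as returned by
            ``get_field_value("ack")`` (an int or its decimal string).

    Returns:
        The concatenated payload text cut from the first ``"mAUYL"`` marker
        up to, but excluding, the last 7 characters.  When the marker is
        absent ``find`` returns -1 and the slice ``[-1:-7]`` is empty, so
        callers should expect ``""`` in that case.

    Notes:
        Reads the module-level ``strCapPath`` and ``strTsharkPath``.  Packets
        without a third layer, without a ``payload`` field, or whose payload
        is not valid hex / decodable text are skipped; other errors propagate.
        The capture handle is closed even if iteration fails.
    """
    strTmpFomula = "tcp.ack==" + str(intACK)
    capTmp = pyshark.FileCapture(strCapPath, display_filter=strTmpFomula, tshark_path=strTsharkPath)
    chunks = []
    try:
        for pkt in capTmp:
            try:
                raw_hex = pkt.layers[2].get_field_value("payload", raw=True)
                chunks.append(bytes.fromhex(raw_hex).decode())
            except (IndexError, TypeError, ValueError):
                # IndexError: no third layer; TypeError: field missing (None);
                # ValueError (incl. UnicodeDecodeError): not hex / not text.
                continue
    finally:
        capTmp.close()
    strResult = "".join(chunks)
    # TODO: the marker and the 7-character tail are tied to this capture's
    # HTTP framing; generalise once more samples are available.
    strResult = strResult[strResult.find("mAUYL"):-7]
    return strResult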
def XOR(K, D):
    """Return *D* XOR-ed byte-wise against the 16-character key *K*.

    Byte ``i`` of the result is ``D[i] ^ ord(K[(i + 1) & 15])``: the key
    index is shifted by one and wrapped modulo 16.  *D* may be a ``str``
    (each character contributes its code point) or a ``bytes``-like object
    (each element is already an int).  Every result value must fit in one
    byte, otherwise ``to_bytes`` raises ``OverflowError``.
    """
    def key_byte(pos):
        # Offset-by-one key index, masked to 0..15.
        return ord(K[(pos + 1) & 15])

    def data_byte(item):
        # Characters from a str input, ints from a bytes input.
        return item if isinstance(item, int) else ord(item)

    mixed = (data_byte(item) ^ key_byte(pos) for pos, item in enumerate(D))
    return b''.join(v.to_bytes(1, byteorder='big') for v in mixed)
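def regexphp(regexphp, destr):
    """Extract the first capture group of *regexphp* from *destr* and Base64-decode it.

    *destr* is normally the ``bytes`` output of a decryption step.  It is
    searched through ``str(destr)``, i.e. against its ``b'...'`` repr, so
    patterns must be written for that representation (escape sequences such
    as ``\\n`` appear as two characters, quotes may be escaped).

    Args:
        regexphp: Regular expression with exactly one capture group.
        destr: Text (bytes or str) to search.

    Returns:
        The Base64-decoded bytes of the first match's group.

    Raises:
        IndexError: if the pattern does not match at all.
        ValueError: (``binascii.Error``) if the captured text is not valid
            Base64 under either encoding attempt.
    """
    match = re.findall(regexphp, str(destr))
    # With a single group, findall returns the group text directly.
    captured = match[0]
    try:
        restr = base64.b64decode(captured.encode('utf-8'))
    except ValueError:
        # binascii.Error and UnicodeEncodeError are both ValueError subclasses;
        # retry with the legacy GB2312 encoding of the captured text.
        restr = base64.b64decode(captured.encode('gb2312'))
    return restr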
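class PHP:
    """Decrypt Behinder (冰蝎) PHP-shell traffic protected with *key*.

    Both directions carry Base64 text.  The body is decrypted with AES-CBC
    under a zero IV when that succeeds, otherwise with the shell's keyed
    ``XOR`` scheme (presumably the variant used when OpenSSL is unavailable).
    """

    def __init__(self, key):
        # 16-character key (md5(password)[:16]) used for both AES and XOR.
        self.key = key

    def _decrypt_blob(self, payload):
        """Base64-decode *payload* and decrypt it; shared by both directions.

        AES-CBC with an all-zero IV is attempted first.  Any failure of the
        AES path (wrong key length, ciphertext not a block multiple, ...)
        falls back to ``XOR`` over a second Base64 decode of the data.  The
        broad ``except`` is deliberate: it reproduces the original fallback
        rather than failing the packet.  No padding is stripped; callers
        extract the fields they need with ``regexphp``.
        """
        encrypted_text = base64.b64decode(payload)
        try:
            cipher = AES.new(key=self.key.encode(), mode=AES.MODE_CBC, iv=b'\x00' * 16)
            return cipher.decrypt(encrypted_text)
        except Exception:
            return XOR(self.key, base64.b64decode(encrypted_text))

    def decrypt_req_payload(self, payload):
        """Return the PHP code the client sent, unwrapped from its ``base64_decode('...')`` call.

        Raises IndexError when the decrypted text holds no such call.
        """
        decrypted_text = self._decrypt_blob(payload)
        return regexphp(r"64_decode\('(.*)'\)", decrypted_text)

    def decrypt_res_payload(self, payload):
        """Return the server reply as ``"status":"...","msg":"..."`` bytes.

        Both JSON fields are Base64 in the reply and are decoded here;
        IndexError is raised when either field is missing.
        """
        decrypted_text = self._decrypt_blob(payload)
        msg = regexphp(r"\"msg\":\"(.*)\"}", decrypted_text)
        status = regexphp(r"\"status\":\"(.*)\"", decrypted_text)
        return '''"status":"{}","msg":"{}"'''.format(status.decode(), msg.decode()).encode()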
class ASP:
    """Decrypt ASP-shell traffic: both directions are a plain keyed ``XOR`` with *key*."""

    def __init__(self, key):
        # Key string handed straight to XOR (indexed per character).
        self.key = key

    def decrypt_req_payload(self, payload):
        """Return the XOR-decoded request body, unchanged otherwise."""
        return XOR(self.key, payload)

    def decrypt_res_payload(self, payload):
        """Return the XOR-decoded response body.

        Unlike the PHP variant, no status/msg field extraction is performed;
        the caller receives the whole decoded reply.
        """
        return XOR(self.key, payload)
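class CSHARP:
    """Decrypt C#-shell traffic: AES-CBC where the key bytes double as the IV."""

    def __init__(self, key):
        # Key string; encoded to bytes for both the AES key and the IV.
        self.key = key

    def _cipher(self):
        """Return a new AES-CBC cipher (key == IV), as the original built per call."""
        key_bytes = self.key.encode()
        return AES.new(key=key_bytes, mode=AES.MODE_CBC, iv=key_bytes)

    def decrypt_req_payload(self, payload):
        """Decrypt *payload*, which is raw ciphertext bytes (no Base64 step); padding is not stripped."""
        return self._cipher().decrypt(payload)

    def decrypt_res_payload(self, payload):
        """Decrypt *payload*, which is raw ciphertext bytes (no Base64 step); padding is not stripped."""
        return self._cipher().decrypt(payload)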
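class JAVA:
    """Decrypt Java-shell traffic with AES-ECB under *key*."""

    def __init__(self, key):
        # Key string; encoded to bytes as the AES key.
        self.key = key

    def _cipher(self):
        """Return a new AES-ECB cipher for the key (one per call, as the original did)."""
        return AES.new(key=self.key.encode(), mode=AES.MODE_ECB)

    def decrypt_req_payload(self, payload):
        """Base64-decode *payload* and AES-ECB-decrypt it; padding is not stripped."""
        encrypted_text = base64.b64decode(payload)
        return self._cipher().decrypt(encrypted_text)

    def decrypt_res_payload(self, payload):
        """AES-ECB-decrypt *payload* as given; padding is not stripped.

        NOTE(review): unlike the request path there is no Base64 decode here,
        so callers must pass raw ciphertext bytes — confirm this asymmetry is
        intended against a Java-shell capture.
        """
        return self._cipher().decrypt(payload)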
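# Prepare the Behinder (冰蝎) decryption key from the connection password.
strKey = "rebeyond"
# The shell key is the first 16 hex characters of md5(password).  For the
# default password "rebeyond" this is "e45e329feb5d925b" (the literal the
# script previously hard-coded and then overwrote).
strMD5 = hashlib.md5(strKey.encode()).hexdigest()[0:16]
# print(strMD5)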
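# Initialise the pyshark parameters: tshark location and the capture to read.
# A default install would be "C:\\Program Files\\Wireshark"; the portable
# location below is the one actually used (the dead first assignment was dropped).
strTsharkPath = "D:\\=Green=\\Wireshark\\App\\Wireshark\\"
strCapPath = "LL.pcapng"
# Only POST requests to the web-shell page are of interest.
strFomula = "http.request.method==POST && http contains \"about.php\""
cap = pyshark.FileCapture(strCapPath, display_filter=strFomula, tshark_path=strTsharkPath)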
# # 协议结构分析开始
# print("协议结构分析开始...")
# i=0
# for layer in cap[1].layers:
# print("第",i+1,"层:",layer.layer_name)
# print(layer.field_names)
# i+=1
# print("协议结构分析完成。")
# print("=" * 16)
# Initialise the per-request working variables (all reassigned in the loop below).
strPOST = strPOST_AES = strCMD = strPath = strRe_AES = ""
intRequestNumber = 0
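def _decrypt_request(decrypter, strPOST_AES):
    """Decrypt one request body, retrying with one and two ``=`` padding characters.

    The ``key`` form value appears to arrive without its Base64 padding, so
    the bare text, ``text=`` and ``text==`` are tried in turn and the first
    successful decryption is returned.  (The original attempted all three
    unconditionally; ``b64decode`` ignores extra ``=`` after a complete
    group, so the first success is the same value.)

    Raises:
        ValueError: when none of the variants decrypts; the last underlying
            error is chained as the cause.
    """
    last_exc = None
    for padding in ("", "=", "=="):
        try:
            return decrypter.decrypt_req_payload((strPOST_AES + padding).encode())
        except Exception as exc:  # AES / base64 / regexphp failure: try the next padding
            last_exc = exc
    raise ValueError("request payload could not be decrypted with any padding") from last_exc


# Every request in this capture is decrypted by the PHP variant with the same key.
decrypter = PHP(key=strMD5)
for pkt in cap:
    # The "key" form field holds the Base64 ciphertext; pyshark returns it as
    # hex, hence fromhex().decode().  Layer index 5 is presumably the
    # urlencoded-form layer — see the commented protocol dump above.
    strPOST_AES = bytes.fromhex(pkt.layers[5].get_field_value("key", raw=True)).decode()
    intRequestNumber = pkt.number
    print("请求序号:", intRequestNumber)
    try:
        data = _decrypt_request(decrypter, strPOST_AES)
    except ValueError as exc:
        # Previously `data` silently kept the previous packet's value (or was
        # undefined) when all three attempts failed; report and skip instead.
        print("请求解码失败:", exc)
        print("=" * 32)
        continue
    strPOST = data.decode()
    print('-' * 4, "CMD内容输出...", '-' * 4)
    # The decrypted stub looks like `$a="<base64>";$b=base64_decode($a);`; group 2 is the command.
    matchObj = re.search(r'''\$(.*?)\=\"(.*?)";\$(.*?)\=base64_decode\(\$(.*?)\);''', strPOST)
    if matchObj is None:
        # Unexpected stub shape: show the raw PHP instead of failing on matchObj[2].
        print(strPOST)
    else:
        strCMD = base64.b64decode(matchObj[2]).decode()
        print(strCMD)
    # Responses are tied to their request through http.request_in.
    strResponseFomula = "http.request_in==" + str(intRequestNumber)
    capResponse = pyshark.FileCapture(strCapPath, display_filter=strResponseFomula, tshark_path=strTsharkPath)
    print('-' * 4, "回显输出...", '-' * 4)
    try:
        for pktRe in capResponse:
            # The reply body may span several segments; reassemble them by ACK number.
            intACK = pktRe.layers[2].get_field_value("ack")
            print("\t过滤:tcp.ack==", intACK)
            strRe_AES = getDATAbyACK(intACK)
            print(strRe_AES)
            try:
                data = decrypter.decrypt_res_payload(strRe_AES)
                print("\n解码成功:")
                print(data.decode())
            except Exception as exc:
                # Truncated reassembly, wrong key or missing status/msg fields.
                print("\n解码失败!!")
                print("\t原因:", type(exc).__name__, exc)
    finally:
        capResponse.close()
    print("=" * 32)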
输出内容:
D:\=MAX230_Wiki=\题库\Archives\Misc\流量分析\202212_冰蝎流量>python exp.py
请求序号: 27669
---- CMD内容输出... ----
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
---- 回显输出... ----
过滤:tcp.ack== 4990
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
解码成功:
"status":"success","msg":"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"
================================
... ...
... ...
... ...
================================
请求序号: 28023
---- CMD内容输出... ----
cd /d "D:\phpstudy_pro\WWW\laravel\"&cat flag.txt
---- 回显输出... ----
过滤:tcp.ack== 19010
mAUYLzmqn5QPDkyI5lvSp0fjiBu1e7047YjfczwY6j6liCGnygPOzvWRVLzOLRwRDwMYcBtbhK0VChJsePWE4XRc3ijmyRT27DNFksikgxfkeBAG3cIg0q/Zo4honXaVXC+TqUYblTXjGejENXBbCApQx1A7Nl0qzDYiyAXjso08wuecl9EKax4gQmw+nFdpHx2zL7yWRDihRDvDICBlvA==
解码成功:
"status":"success","msg":"'cat' 不是内部或外部命令,也不是可运行的程序
或批处理文件。
"
================================
请求序号: 28033
---- CMD内容输出... ----
cd /d "D:\phpstudy_pro\WWW\laravel\"&type flag.txt
---- 回显输出... ----
解码失败!!
================================
请求序号: 28044
---- CMD内容输出... ----
cd /d "D:\phpstudy_pro\WWW\laravel\"&type flag.txt
---- 回显输出... ----
过滤:tcp.ack== 6316
mAUYLzmqn5QPDkyI5lvSp0fjiBu1e7047YjfczwY6j76ltx/pIQNdsmAnC2xCEH4owazED+VbgLKE95MAERuViEdAlmUINg6IlGkWt0WbuEnAic0BcpLq8GrC7OzCj8j
解码成功:
"status":"success","msg":"flag{6ao6bnliyelpf2m5wudmt8ldudtnger8}"
================================
D:\=MAX230_Wiki=\题库\Archives\Misc\流量分析\202212_冰蝎流量>