# Behinder (冰蝎) Traffic Analysis
Behinder 4.0 differs substantially from Behinder 3.0: the way the webshell is generated, the way the encryption scheme is chosen, the built-in plugins, and consequently the traffic seen on the wire are all different.

Project: https://github.com/rebeyond/Behinder/

## Generating the webshell

In the Behinder 4.0 console, open the transport protocol settings and choose the traffic encryption scheme you intend to use. The default, default_xor_base64, is used here; this is a lab exercise, so there is no need for anything more elaborate.

Once a scheme is selected, the dialog shows two code panes: the encryption routine and the decryption routine that will run on the server. To change the key, edit the key in that code directly, click Save, then click Generate server.

## Connecting to the webshell

The connection dialog has no password field. The key lives in the transport protocol settings above: once it is changed and saved there, the connection password Behinder 4.0 uses changes with it. A consequence worth knowing: if two webshells use the same scheme but different keys, Behinder can only be connected to one of them at a time.

Enter the connection details and click Save.

## default_xor_base64 encryption and decryption

Everything below assumes Behinder's default key. In the capture of default_xor_base64 traffic, requests are shown in red and responses in blue.

Decrypting a request with the decryptor built into Behinder 4.0 does not recover the command cleanly: part of the output is garbled. The request is therefore decrypted on Ubuntu instead, reusing the webshell's own Decrypt routine with `echo` in place of `eval`:

```php
<?php
// shell.php: the server side's Decrypt() from the generated webshell, printing instead of eval'ing
@error_reporting(0);
function decrypt($data) {
    $key = "e45e329feb5d925b";            // Behinder's default key
    $bs = "base64_" . "decode";
    $after = $bs($data . "");
    for ($i = 0; $i < strlen($after); $i++) {
        // PHP: + binds tighter than &, so byte $i is XORed with $key[($i + 1) & 15]
        $after[$i] = $after[$i] ^ $key[$i + 1 & 15];
    }
    echo $after;
}
// paste the captured request body (base64 text) here; the value is elided on this page
decrypt("...");
?>
```

Run it and filter the output; the decrypted bytes are not all printable, hence `strings`:

    $ php shell.php | strings | grep -C 3 ifconfig

The decrypted request is the PHP code the client sends for the webshell to evaluate. In this capture it defines `main()`, which wraps the supplied `$content` in a JSON object (`status` = base64("success"), `msg` = base64($content)), encrypts it with the same XOR-then-base64 routine and echoes it, so the server simply returns the supplied value to the client. The `var_dump` of the decrypted string (`string(2240)`) is:

```php
@error_reporting(0);
function main($content) {
    $result = array();
    $result["status"] = base64_encode("success");
    $result["msg"] = base64_encode($content);
    @session_start(); // start the session here: if the client backgrounds right after connect, a later getresult could not obtain the cookie
    echo encrypt(json_encode($result));
}
function Encrypt($data) {
    $key="e45e329feb5d925b";
    for($i=0;$i<strlen($data);$i++) {
        $data[$i] = $data[$i]^$key[$i+1&15];
    }
    $bs="base64_"."encode";
    $after=$bs($data."");
    return $after;
}
$content="cEhFQ3RKWHZaTkRMb0tld01HV1RWYk1CNkhRaVJNbFo1TVVBVDZPNnBORU1IVWZHZmxCTmJpYWpUbzJYTFRIOXZpeUZqcTBqTHJuTE1ZYnR2T2dQRkVkemJCd2hNTFN0SjMxT1NEVEF2QTBNdE9mRnQwWlZHcmdabEZvV2xZT1pxSjRhUXhXbWg2c2U4RHI0Tk1KV0M1blVDQmd5TDE1VElUNWRnQkdPUGtYdW9GU1hxWEtEMTNld01mUzdLaEdXUVBCaTJmNzdqcGdhWjZVZ0tJTG93REkxN2s0SlROM3VNWWEycEhoUXBOUVRKZ2pac0tsSXByMVJEVkhtVWE1RHp4SDMwTGk4d3AzZ25XZ0EwTGlXSFB3ZkRTSGtHbU5NQmx6cWFGTk9TV2NZQ2NKb0JJNWFrYjBKaFB6TDdDTTc0NUpDSWFyaVFSazdpOTlYVmc4RnRhRFpPSkFsTWNiUUdaczVzS2lBWXpqTnI1UnhzbnhzYXlCSUFlSXh2ZURpUnFSdUVKV1pqanRJQVNIenVMbnAyaDZBS05hZEZ1UHh4OWJrakxuTnBjZnRYeHA1QnBsRGUzOUFRN25SZzlFM0tKM2tOaTBQS09PaVVhYmhadGVWejNaYVVOZldWRGwxbWhqb080a1hHZ0NQaVRVVThDRzRTbllPTTVnakZrZW5ycEZRWFlubll6SG4zZ1JZdzdMV3ltMEdxU1hocm0wREZHZ1FDUWYyRHY2VkFQTzd0aUVnNkhOa1dLeTBBaDRGdTlVSmdlZnFtWjIwdk92bzJHb0RmQ3d4cXBDdDRNbFVpbDh0dEswNUdGWjBqbFF6bEp5UFlKZ3hpNTBObkJUR21uVmlWVW81ZjVTb2F2cTRyTDhxR1RIMVFkWTZ1WGdYRUZCZGZIcGhUalVCejR3bDgzbVJRR1ZEWWZqTEJqQWVMSVJWOUxFejBUckJ0MHdINVN2TXljZmxsSExibWloVGQ3anBYMlYzSGFXOVpFMU5DcU1CcDNlOHRvSFV1WEd3bDdmNEFpd1k1aWhJQ1g3c21laEFEMUlLeER3dHpPNU1obnNvOVBtRXFrU25kSG1tbzc0NWJJWkJUMFFiaWNUcnhOTGxFczhsdDNGMGJ0NVFNRVdubFgxUnVWbDhUN2FCVGVyYXpsMkxHMlV1RnJzcGdpR29jbVRIRXUwSFpGNG5DSTRVbjR3MXBhanhRRnFMWVFZZ3paYXRpSXN6T1EwRGRGUXM0MVRBOXpsYWlpWG9vSUZRVDhxdmJFcGJwWW83YzNUOXNpTGYyYW5ZcXdWeWlESUxFdjdtaE9zeEhvZlZSMFhaRXdkVUhtSDFTYTFYVU94RnV6MDAyT01JaDJBMEhwQXRtNTE1VWl4emIzMElrU2FaVVNncFc2YnY0UWZjTm85WVpacEl2eFhramVpNkk2c005S2ZUbDFqT1BBTWxqeUlBMXE4azRjeHlwRTl4WmlvN1pwRjV6RUxnaDNQUWlHRVRWTVNNSnBkUHBYbXBzeHFPWXhDeWl0T3dxWmZkMzBXTXR0WTFUbE16OENkNEJJUmRONVYyMHlLS2VlY2dZbHlyczl4SmF0czRNZmNJWEE2QUpybmxabzBWQ3FBY2dMY3dUUFJVVHo=";
$content=base64_decode($content);
main($content);
```

The response, by contrast, decrypts fine with Behinder 4.0's built-in decryptor (the `msg` value is elided here):

```json
{"msg":"...","status":"c3VjY2Vzcw=="}
```

Both fields are base64 once more: `status` decodes to `success`, and decoding `msg` gives back the content the request supplied, exactly as `main()` above encodes it.

## Feature summary

- The response always carries `Transfer-Encoding: chunked`. This is how PHP output without a Content-Length header is delivered, so on its own it is a weak indicator.
- After XOR and base64, the first response packet begins with `TxcIQ`.
- After XOR and base64, the first request packet begins with `svfjTI`.

Both prefixes are a function of the key and of the first plaintext bytes (the response prefix is the default-key encryption of the leading `{"msg`), so an operator who changes the key in the transport protocol settings changes them too.
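The routines below, as an added example that is not code from the page or from the Behinder project, re-implement default_xor_base64 in Python so the observations above can be checked against a capture. They use the key and the `$key[$i+1&15]` index rule from the PHP on the page; the sample response is constructed inline rather than captured, and `is_xor_base64_response` is this example's own check, not anything Behinder does.

```python
"""Decode Behinder 4.0 default_xor_base64 traffic and derive its byte-prefix signatures.

Added example, not Behinder project code. Key, key-index rule and response layout
come from the PHP shown on the page; the sample response is constructed here.
"""
import base64
import json

DEFAULT_KEY = b"e45e329feb5d925b"  # Behinder's default key, as on the page


def xor_with_key(data: bytes, key: bytes = DEFAULT_KEY) -> bytes:
    """XOR byte i with key[(i+1) & 15], exactly as the PHP loop does.

    In PHP `$key[$i+1&15]` parses as `$key[($i+1) & 15]` because + binds tighter
    than &, so byte 0 is XORed with key[1], not key[0]. Getting this offset wrong
    still yields output that looks plausible but is garbage.
    """
    if len(key) != 16:
        raise ValueError("default_xor_base64 uses a 16-byte key")
    return bytes(b ^ key[(i + 1) & 15] for i, b in enumerate(data))


def encrypt(plaintext: bytes, key: bytes = DEFAULT_KEY) -> str:
    """Server-side Encrypt(): XOR, then base64 (what appears on the wire)."""
    return base64.b64encode(xor_with_key(plaintext, key)).decode("ascii")


def decrypt(body: str, key: bytes = DEFAULT_KEY) -> bytes:
    """Server-side Decrypt(): base64-decode, then XOR (recovers the payload)."""
    return xor_with_key(base64.b64decode(body), key)


def decode_response(body: str, key: bytes = DEFAULT_KEY) -> dict:
    """Decrypt a response body and base64-decode each field, as main() encodes them."""
    obj = json.loads(decrypt(body, key))
    return {k: base64.b64decode(v).decode("utf-8", "replace") for k, v in obj.items()}


def signature_prefix(plaintext_start: bytes, key: bytes = DEFAULT_KEY, n: int = 5) -> str:
    """First n base64 characters every message beginning with plaintext_start carries.

    Base64 character j covers plaintext bits 6j..6j+5, so n characters are fixed by
    the first ceil(6n/8) bytes; at least that many are required so that padding of
    the short prefix cannot leak into the result.
    """
    needed = -(-6 * n // 8)
    if len(plaintext_start) < needed:
        raise ValueError(f"need at least {needed} plaintext bytes for {n} base64 chars")
    return encrypt(plaintext_start, key)[:n]


def is_xor_base64_response(body: str, key: bytes = DEFAULT_KEY) -> bool:
    """Stronger than the 5-char prefix: the body must decrypt to a JSON object whose
    values are all canonical base64 (this example's own check, not a Behinder feature)."""
    try:
        fields = json.loads(decrypt(body, key))
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all derive from ValueError
        return False
    if not isinstance(fields, dict):
        return False
    try:
        return all(
            isinstance(v, str)
            and base64.b64encode(base64.b64decode(v, validate=True)).decode() == v
            for v in fields.values()
        )
    except ValueError:
        return False


def build_response(msg: str, key: bytes = DEFAULT_KEY) -> str:
    """Constructed sample of what main() returns for a successful command,
    with the field order shown in the page's decrypted response."""
    result = {
        "msg": base64.b64encode(msg.encode()).decode(),
        "status": base64.b64encode(b"success").decode(),
    }
    return encrypt(json.dumps(result, separators=(",", ":")).encode(), key)


if __name__ == "__main__":
    sample = build_response("eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500")
    print("response prefix under the default key:", signature_prefix(b'{"msg":"'))
    print("wire body starts:", sample[:24], "...")
    print("decoded:", decode_response(sample))
    print("looks like default_xor_base64:", is_xor_base64_response(sample))
```

`signature_prefix(b'{"msg":"')` returns `TxcIQ`, which is where the response prefix in the feature summary comes from; with any other key the same plaintext encrypts to a different prefix, so signatures derived from the default key only catch operators who kept it. The request prefix depends on the exact first bytes the client places in the payload, so compute it from a captured request body rather than from the decrypted source text.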
毛林
1 November 2025, 14:30