Tags:流量分析
,冰蝎木马
,rebeyond
,AES
,pyshark
0x00. 题目
附件路径:https://pan.baidu.com/s/1GyH7kitkMYywGC9YJeQLJA?pwd=Zmxh#list/path=/CTF附件
附件名称:附件名称
0x01. WP
分析及解密脚本
exp.py
# -*- coding: utf-8 -*-
import pyshark, base64, re, urllib.parse
import hashlib
from Crypto.Cipher import AES# 为了解决报错:This event loop is already running
import nest_asyncio
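# pyshark drives tshark through asyncio; nest_asyncio lets its loop run inside an
# already-running loop (the "This event loop is already running" error noted above).
nest_asyncio.apply()


def getDATAbyACK(intACK):
    """Reassemble the server response body that belongs to one request.

    The response in this capture spans several TCP segments, so the pcap is
    filtered on ``tcp.ack == intACK`` (the segments of one response carry the
    same ack value), the TCP payloads are concatenated in capture order and
    the result is trimmed down to the base64 ciphertext.

    NOTE(review): the filter matches any segment in the file with that ack
    number, in any stream; for a larger capture constrain it with
    ``tcp.stream`` as well, otherwise foreign payload can be spliced in.

    Args:
        intACK: the response's ``tcp.ack`` value (str or int as pyshark returns it).

    Returns:
        The base64 ciphertext as ``str``; empty when nothing usable matched
        (``find`` returns -1 and the slice collapses to "").
    """
    strTmpFomula = "tcp.ack==" + str(intACK)
    capTmp = pyshark.FileCapture(strCapPath, display_filter=strTmpFomula, tshark_path=strTsharkPath)
    strResult = ""
    try:
        for pkt in capTmp:
            try:
                # layers[2] is the TCP layer here; "payload" with raw=True is the segment data as hex.
                strResult += bytes.fromhex(pkt.layers[2].get_field_value("payload", raw=True)).decode()
            except Exception:
                # Best effort, as before: segments with no payload field or non-UTF-8
                # bytes are skipped rather than aborting the whole reassembly.
                pass
    finally:
        capTmp.close()
    # TODO (original author): temporary handling based on this capture's traffic,
    # still needs a proper design.  The ciphertext is assumed to start at "mAUYL"
    # and the last 7 characters are assumed to be trailing non-base64 data -- both
    # are specific to this pcap; confirm before reusing on other captures.
    strResult = strResult[strResult.find("mAUYL"):-7]
    return strResult


def XOR(K, D):
    """Byte-wise XOR with a rolling 16-character key, as used by the shell's non-AES mode.

    Byte ``i`` of ``D`` is XORed with ``K[(i + 1) & 15]``, so the key is a
    ``str`` of at least 16 characters and ``D`` may be ``bytes`` or ``str``.

    Returns:
        The XORed data as ``bytes``.
    """
    result = []
    for i in range(len(D)):
        c = K[(i + 1) & 15]
        d = D[i] if isinstance(D[i], int) else ord(D[i])
        result.append(d ^ ord(c))
    return bytes(result)


def regexphp(regexphp, destr):
    """Find the first capture group of pattern ``regexphp`` in ``destr`` and base64-decode it.

    ``destr`` is searched via ``str(destr)``, i.e. against its repr when it is
    ``bytes``.  The ``gb2312`` retry keeps the original author's handling of
    captured text that is not plain ASCII.

    Raises:
        IndexError: when the pattern does not match (``match[0]`` on an empty list).
        binascii.Error / ValueError: when the captured text is not valid base64.

    (The first parameter keeps its original name, although it shadows the function,
    so positional and keyword callers keep working.)
    """
    match = re.findall(regexphp, str(destr))
    try:
        restr = base64.b64decode(match[0].encode('utf-8'))
    except Exception:
        # Fallback encoding chosen by the original author for non-UTF-8 content.
        restr = base64.b64decode(match[0].encode('gb2312'))
    return restr


class PHP:
    """Decryptor for the Behinder PHP shell traffic in this capture.

    Payloads are base64; the body is AES-CBC with the 16-byte key derived from
    the password (see ``strMD5``) and an all-zero IV.  When AES cannot be used
    (e.g. bad key or ciphertext length) the code falls back to the XOR mode.
    Because the IV is fixed, responses that share the same plaintext prefix also
    share their first ciphertext block -- which is why every response ciphertext
    in this capture starts with the same ``mAUYL...`` characters.
    """

    def __init__(self, key):
        self.key = key

    def _aes_or_xor(self, payload):
        """Base64-decode ``payload`` and decrypt it, preferring AES-CBC, else XOR."""
        encrypted_text = base64.b64decode(payload)
        try:
            cipher = AES.new(key=self.key.encode(), mode=AES.MODE_CBC, iv=b'\x00' * 16)
            return cipher.decrypt(encrypted_text)
        except Exception:
            # NOTE(review): the original base64-decodes the already-decoded bytes a
            # second time before XORing; kept as-is -- confirm against the shell source.
            return XOR(self.key, base64.b64decode(encrypted_text))

    def decrypt_req_payload(self, payload):
        """Return the PHP code a request carries: the base64 inside ``base64_decode('...')``.

        Raises IndexError (via ``regexphp``) if the decrypted text has no such call.
        """
        decrypted_text = self._aes_or_xor(payload)
        return regexphp(r"64_decode\('(.*)'\)", decrypted_text)

    def decrypt_res_payload(self, payload):
        """Return ``"status":"...","msg":"..."`` from a response, both values base64-decoded.

        Raises IndexError (via ``regexphp``) if the decrypted text is not the expected JSON.
        """
        decrypted_text = self._aes_or_xor(payload)
        msg = regexphp(r"\"msg\":\"(.*)\"}", decrypted_text)
        status = regexphp(r"\"status\":\"(.*)\"", decrypted_text)
        return '''"status":"{}","msg":"{}"'''.format(status.decode(), msg.decode()).encode()


class ASP:
    """Decryptor for the ASP shell variant: plain XOR with the derived key, no base64 step."""

    def __init__(self, key):
        self.key = key

    def decrypt_req_payload(self, payload):
        """Return the XOR-decrypted request body as bytes."""
        return XOR(self.key, payload)

    def decrypt_res_payload(self, payload):
        """Return the XOR-decrypted response body as bytes (status/msg extraction was left out by the author)."""
        return XOR(self.key, payload)


class CSHARP:
    """Decryptor for the C# shell variant: AES-CBC where the key bytes double as the IV."""

    def __init__(self, key):
        self.key = key

    def _aes(self, payload):
        """AES-CBC decrypt ``payload`` (raw bytes, not base64) with key == IV."""
        cipher = AES.new(key=self.key.encode(), mode=AES.MODE_CBC, iv=self.key.encode())
        return cipher.decrypt(payload)

    def decrypt_req_payload(self, payload):
        """Return the decrypted request bytes."""
        return self._aes(payload)

    def decrypt_res_payload(self, payload):
        """Return the decrypted response bytes."""
        return self._aes(payload)


class JAVA:
    """Decryptor for the Java shell variant: AES-ECB with the derived key."""

    def __init__(self, key):
        self.key = key

    def decrypt_req_payload(self, payload):
        """Base64-decode ``payload`` and return the AES-ECB plaintext."""
        encrypted_text = base64.b64decode(payload)
        cipher = AES.new(key=self.key.encode(), mode=AES.MODE_ECB)
        return cipher.decrypt(encrypted_text)

    def decrypt_res_payload(self, payload):
        """Return the AES-ECB plaintext of ``payload``.

        NOTE(review): unlike the request path this does not base64-decode first;
        the original is kept -- confirm which form the response takes on the wire.
        """
        cipher = AES.new(key=self.key.encode(), mode=AES.MODE_ECB)
        return cipher.decrypt(payload)


# Prepare the Behinder decryption key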
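# Key derivation: the shell uses the first 16 hex digits of MD5(password) as the
# AES key.  For the default password "rebeyond" this is e45e329feb5d925b, the
# literal the author had pinned here before recomputing it; it is now derived
# once so the two can never disagree.
strKey = "rebeyond"
md5 = hashlib.md5(strKey.encode())
strMD5 = md5.hexdigest()[0:16]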
# print(strMD5)
# 初始化pyshark参数
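# Directory handed to pyshark as tshark_path.  The author's first assignment
# (the default install dir C:\Program Files\Wireshark) was immediately
# overwritten, so only the effective value is kept; adjust to your own install.
strTsharkPath = "D:\\=Green=\\Wireshark\\App\\Wireshark\\"
# The capture under analysis, relative to the working directory.
strCapPath = "LL.pcapng"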
# Select only the shell's command requests: HTTP POSTs whose HTTP layer
# mentions the about.php endpoint.
strFomula = 'http.request.method==POST && http contains "about.php"'
cap = pyshark.FileCapture(
    strCapPath,
    tshark_path=strTsharkPath,
    display_filter=strFomula,
)
# # Protocol structure analysis (debugging aid, commented out below)
# print("协议结构分析开始...")
# i=0
# for layer in cap[1].layers:
# print("第",i+1,"层:",layer.layer_name)
# print(layer.field_names)
# i+=1
# print("协议结构分析完成。")
# print("=" * 16)
# 初始化变量
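# Per-request working state; module-level because the analysis below is a flat
# script.  ``strPath`` is initialised but not used in the visible code.
strPOST = ""
strPOST_AES = ""
strCMD = ""
strPath = ""
intRequestNumber = 0
strRe_AES = ""

for pkt in cap:
    # layers[5] is the form-data layer in this capture; its "key" field carries the
    # base64 ciphertext of the request.  raw=True yields hex, hence fromhex().
    # (Layer indices are capture-specific -- re-check against the layer listing above.)
    strPOST_AES = bytes.fromhex(pkt.layers[5].get_field_value("key", raw=True)).decode()
    intRequestNumber = pkt.number
    print("请求序号:", intRequestNumber)

    # The form value may lack its base64 '=' padding, so try it as-is, then with one
    # and two pad characters.  A later success overrides an earlier one, as before.
    decrypter = PHP(key=strMD5)
    data = None
    for intPad in range(3):
        try:
            data = decrypter.decrypt_req_payload((strPOST_AES + "=" * intPad).encode())
        except Exception:
            pass  # bad padding / wrong length -> try the next candidate

    if data is None:
        # Previously a request that failed all three attempts silently reused the
        # previous packet's ``data`` (or raised NameError on the first one).
        print('-' * 4, "CMD内容输出...", '-' * 4)
        print("\n解码失败!!")
        print("=" * 32)
        continue

    strPOST = data.decode()
    print('-' * 4, "CMD内容输出...", '-' * 4)
    # The decrypted stub has the shape  $a="<base64 cmd>";$b=base64_decode($a);
    # group 2 is the base64 of the command the operator sent.
    matchObj = re.search(r'''\$(.*?)\=\"(.*?)";\$(.*?)\=base64_decode\(\$(.*?)\);''', strPOST)
    if matchObj is None:
        # Unexpected stub shape: show the decrypted text instead of crashing on matchObj[2].
        print(strPOST)
    else:
        # Attacker-controlled string: it is printed for analysis only, never executed.
        strCMD = base64.b64decode(matchObj[2]).decode()
        print(strCMD)

    # The response packet points back at the request via http.request_in; its TCP
    # ack value then selects every segment of the (possibly multi-segment) body.
    strResponseFomula = "http.request_in==" + str(intRequestNumber)
    capResponse = pyshark.FileCapture(strCapPath, display_filter=strResponseFomula, tshark_path=strTsharkPath)
    print('-' * 4, "回显输出...", '-' * 4)
    strRe_AES = ""
    intACK = 0
    try:
        for pktRe in capResponse:
            intACK = pktRe.layers[2].get_field_value("ack")
            print("\t过滤:tcp.ack==", intACK)
            strRe_AES = getDATAbyACK(intACK)
            print(strRe_AES)
    finally:
        capResponse.close()  # release the capture (and the tshark it runs) for this filter

    # With no response packet strRe_AES stays "", which fails below and is reported.
    try:
        data = decrypter.decrypt_res_payload(strRe_AES)
        print("\n解码成功:")
        print(data.decode())
    except Exception:
        print("\n解码失败!!")
    print("=" * 32)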
输出内容:
D:\=MAX230_Wiki=\题库\Archives\Misc\流量分析\202212_冰蝎流量>python exp.py
请求序号: 27669
---- CMD内容输出... ----
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
---- 回显输出... ----
	过滤:tcp.ack== 4990
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解码成功:
"status":"success","msg":"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"================================... ...
... ...
... ...================================
请求序号: 28023
---- CMD内容输出... ----
cd /d "D:\phpstudy_pro\WWW\laravel\"&cat flag.txt
---- 回显输出... ----
	过滤:tcp.ack== 19010
mAUYLzmqn5QPDkyI5lvSp0fjiBu1e7047YjfczwY6j6liCGnygPOzvWRVLzOLRwRDwMYcBtbhK0VChJsePWE4XRc3ijmyRT27DNFksikgxfkeBAG3cIg0q/Zo4honXaVXC+TqUYblTXjGejENXBbCApQx1A7Nl0qzDYiyAXjso08wuecl9EKax4gQmw+nFdpHx2zL7yWRDihRDvDICBlvA==
解码成功:
"status":"success","msg":"'cat' 不是内部或外部命令,也不是可运行的程序
或批处理文件。
"
================================
请求序号: 28033
---- CMD内容输出... ----
cd /d "D:\phpstudy_pro\WWW\laravel\"&type flag.txt
---- 回显输出... ----
解码失败!!
================================
请求序号: 28044
---- CMD内容输出... ----
cd /d "D:\phpstudy_pro\WWW\laravel\"&type flag.txt
---- 回显输出... ----
	过滤:tcp.ack== 6316
mAUYLzmqn5QPDkyI5lvSp0fjiBu1e7047YjfczwY6j76ltx/pIQNdsmAnC2xCEH4owazED+VbgLKE95MAERuViEdAlmUINg6IlGkWt0WbuEnAic0BcpLq8GrC7OzCj8j
解码成功:
"status":"success","msg":"flag{6ao6bnliyelpf2m5wudmt8ldudtnger8}"
================================D:\=MAX230_Wiki=\题库\Archives\Misc\流量分析\202212_冰蝎流量>