Behinder (冰蝎) encrypted communication: features of the key exchange phase, the communication phase and general features, with examples

Padding fields are present.
The traffic is divided into a key exchange phase and an encrypted communication phase.

Key exchange phase:
The server returns a 16-character key truncated from an MD5 hash (the MD5 is case-insensitive; the decrypted content is the same either way).

Encrypted communication phase:
Data is base64-encoded and then encrypted with AES or XOR.

Features

Key exchange phase

Weak feature: URL
url: \.(php|jsp|asp|jspx|asa)\?(\w){1,10}=\d{2,3} HTTP/1.1

Weak feature: responseBody
responseBody: the 16-character key, truncated from the MD5 value. However, the returned packet can be reshaped into the form of a web page with the key embedded in it.

Communication phase

Weak feature: the communication phase itself
During encrypted communication there are no URL parameters. Yes, the absence of parameters is itself a feature.
\.(php|jsp|asp|jspx|asa) HTTP/1.1

Weak feature: encrypted data upstream
During encrypted communication the PHP/JSP shell submits base64-encoded data, which the following regex matches well:
\r\n\r\n[a-zA-Z\d+/]{20,}

The returned data is encrypted and contains:
/^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)$
for example 3Mn1yNMtoZViV5wotQHPJ
[\s\S]*?[\s\S]*?@[\s\S]*??[\s\S]*?@[\s\S]*??[\s\S]*?

Weak feature: binary data returned during communication
\r\n\r\n[\w]{0,6}[^\w\s><=\-'"/.:;,!(){}]+
Content-Type of the binary data:
Content-Type: text/html
Content-Type: application/octet-stream;charset=utf-8

General features

Content-Type
In Behinder 3.0 the server-side code is request.getReader().readLine(), which reads the body of the POST request directly. The Content-Type of the request is therefore always application/octet-stream; otherwise the HTTP body would be read with an unexpected encoding.

Accept header
Accept: text/html,image/gif, image/jpeg, *; q=.2, */*; q=.2
Weak feature: persistent connection
Connection: Keep-Alive

Weak feature: User-Agent
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.163 Safari/535.1
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0) Gecko/20100101 Firefox/6.0
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50
Opera/9.80 (Windows NT 6.1; U; zh-cn) Presto/2.9.168 Version/11.50
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; Tablet PC 2.0; .NET4.0E)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.0)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Mozilla/5.0 (Windows; U; Windows NT 6.1; ) AppleWebKit/534.12 (KHTML, like Gecko) Maxthon/3.0 Safari/534.12
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E; SE 2.X MetaSr 1.0)
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.33 Safari/534.3 SE 2.X MetaSr 1.0
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.41 Safari/535.1 QQBrowser/6.9.11079.201
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) QQBrowser/6.9.11079.201
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
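Detection logic for the request- and response-side characteristics above, as an added example in Python that is not part of the original page or of the Behinder project: it scores a raw HTTP request against the URL, Content-Type, Accept, Connection, User-Agent and base64-body features, and flags a key-exchange response. The User-Agent subset, the sample messages and the 16-hex-character check on the response body are assumptions of this example.

```python
import re
# Constructed subset of the User-Agent strings listed above.
BEHINDER_UAS = {
    "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0) Gecko/20100101 Firefox/6.0",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    "Opera/9.80 (Windows NT 6.1; U; zh-cn) Presto/2.9.168 Version/11.50",
}
# Accept value and URL/body patterns from the characteristics above; the
# 16-hex-character key check for the response is an assumption of this example.
BEHINDER_ACCEPT = "text/html,image/gif, image/jpeg, *; q=.2, */*; q=.2"
KEY_EXCHANGE_URL = re.compile(r"\.(php|jsp|asp|jspx|asa)\?\w{1,10}=\d{2,3}$")
NO_PARAM_URL = re.compile(r"\.(php|jsp|asp|jspx|asa)$")
B64_BODY = re.compile(r"^[a-zA-Z\d+/]{20,}={0,2}$")
KEY_RESPONSE = re.compile(r"^[0-9a-fA-F]{16}$")

def parse_http(raw):
    """Split a raw HTTP message into start line, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("latin-1")

def request_features(raw):
    """Map each request-side feature from the page to whether this request has it."""
    start, h, body = parse_http(raw)
    method, target = start.split(" ")[:2]
    return {
        "key_exchange_url": bool(KEY_EXCHANGE_URL.search(target)),
        "shell_url_without_params": bool(NO_PARAM_URL.search(target)),
        "octet_stream": h.get("content-type", "").startswith("application/octet-stream"),
        "behinder_accept": h.get("accept") == BEHINDER_ACCEPT,
        "keep_alive": h.get("connection", "").lower() == "keep-alive",
        "ua_in_pool": h.get("user-agent") in BEHINDER_UAS,
        "base64_body": method == "POST" and bool(B64_BODY.match(body.strip())),
    }

def is_key_exchange_response(raw):
    """True when the response body is exactly a 16-character MD5 fragment (the key)."""
    return bool(KEY_RESPONSE.match(parse_http(raw)[2].strip()))

# Constructed sample: a communication-phase POST showing six of the seven features.
SAMPLE_POST = (b"POST /upload/shell.jsp HTTP/1.1\r\nHost: example.test\r\n"
               b"Content-Type: application/octet-stream\r\n"
               b"Accept: text/html,image/gif, image/jpeg, *; q=.2, */*; q=.2\r\n"
               b"Connection: Keep-Alive\r\n"
               b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n\r\n"
               b"3Mn1yNMtoZViV5wotQHPJ3Mn1yNMtoZViV5wotQHPJ==")
```

Each feature is weak on its own (the Accept and User-Agent values are ordinary browser or Java defaults), so alert on the sum of matches per request rather than on any single one.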