
WebShell Traffic Characterization_Godzilla

Popularity: 419 / 2024-09-05 11:20:19

IV. Godzilla (Godzilla v3.0)

① Shells of every type bypass most of the static checks on the market.

② Traffic encryption bypasses most traffic WAFs.

③ Godzilla ships with plug-ins that Ice Scorpion (Behinder) and AntSword cannot match.

1. Main functions

Beyond the traditional command execution, file management and database management, the functions it provides, depending on the shell type, are:

(1) MSF linkage

(2) Bypassing open_basedir

(3) ZIP compression and ZIP decompression

(4) Code execution

(5) Bypassing disable_functions

(6) Mimikatz

(7) Reading the saved configuration and passwords of FileZilla, Navicat, SQLyog, WinSCP and Xmanager on the server

(8) Virtual terminal, which can be connected with netcat

(9) Windows privilege escalation (2012-2019, Rotten Potato)

(10) Reading the account passwords saved by the Google Chrome, IE and Firefox browsers on the server

(11) Windows privilege escalation: Rotten Potato C# version, Sweet Potato

(12) Memory shells for Godzilla, Ice Scorpion, Chopper and ReGeorg, with uninstallation

(13) Screenshots

(14) Servlet management and servlet uninstallation

(15) Memory Jar loading: load a Jar into the SystemClassLoader

2. Basic configuration

Let's start with the most widely used encrypted shell type, PHP_XOR_BASE64. The main configuration of the shell used here is as follows:

① URL: http://172.16.159.129/godzilla_shell.php

② Password: pass

③ Key: key

④ Payload: PhpDynamicPayload

⑤ Encryptor: PHP_XOR_BASE64

⑥ Godzilla's shell configuration consists of a basic configuration and a request configuration. The basic configuration sets the shell address, password, key, encryptor and similar information.

Note the difference between the password and the key here:

① Password: as with AntSword and Chopper, the password is the name of the parameter in the POST request. In this case every request Godzilla submits has the form pass=xxxxxxxxxx.

② Key: used to encrypt the request data. The encryption does not use the key plaintext directly; it computes the MD5 digest of the key and uses the first 16 characters of that digest in the encryption process.

③ The shell's request configuration is mainly used to customize the HTTP request headers and to append scrambled data before and after the final request data, which further reduces the traffic's recognizable characteristics.

3. PHP_XOR_BASE64 encryptor

Godzilla has 3 built-in payloads, 6 encryptors, 6 supported script suffixes and 20 built-in plug-ins. The analysis below uses PHP_XOR_BASE64 as the example.

(1) Principle of encryption

XOR operation

Among the logical operations, besides AND and OR there is a third one, XOR (exclusive or). Its definition is: when the two operands are the same, return false, otherwise return true. In other words, XOR tells whether two values differ.

JavaScript's bitwise operators include a dedicated XOR operator, written ^. Applied to two bits, it returns 0 (false) when the bits are the same and 1 (true) otherwise.

XOR encryption

XOR has a useful property: XORing a value twice with the same key gives back the value itself.

Call the original message message and the key key. The first XOR produces the encrypted text cipherText; when the other side receives it, XORing cipherText with key restores message.
If every bit of key is random, cipherText takes all possible values with uniform probability and nothing about message can be recovered from it. Such a ciphertext has maximal information entropy, and this is why XOR with a truly random key is said to provide "perfect secrecy".
This property of XOR is what allows it to be used for encrypting information.

(2) Client-side encryption module analysis

Godzilla's source code was obtained by decompiling it; the author did not obfuscate the code.

From the code it can be seen that the payload content is first XOR-encrypted, the ciphertext is then base64-encoded, and the result is finally URL-encoded.

The XOR key is derived from the user-supplied key: take the 32-character hex MD5 digest of the key and use its first 16 characters.

(3) Shell server-side code analysis

The server-side code of a PHP_XOR_BASE64 encrypted shell uses an encode function to encrypt or decrypt the request data. Because the encryption is a bitwise XOR, the same encode function serves for both encryption and decryption.

The basic execution flow of the shell is: when the server receives the first request from Godzilla, no session exists yet, so it decrypts the POST data (the PHP function definitions needed by the shell's operations) and stores it in the session. Every later request from Godzilla then only carries the name of the function for the operation (for example, getFile for listing a directory) and its parameters, so Godzilla's operations do not need to send a large amount of request data each time.

(4) Packet analysis

The analysis starts with the Test Connection action in the Shell Setting dialog. It produces three POST packets in total; the parameter name in every POST request is pass (the shell's connection password), and the parameter value is the encrypted data.

① The first Request packet

A quick look at the decrypted payload shows more than twenty functions, including run, bypass_open_basedir, formatParameter, evalFunc and others, covering code execution, file operations, database operations and more.

② The first Response packet

This request carries no cookie. The server response contains no data, but it sets the PHPSESSID cookie, which all subsequent requests carry automatically.

③ The second Request packet

The second request sends very little data (its actual content is the test-connection command test) and receives a small amount of data in return (ok).

④ The second Response packet

Decrypting the server response is not complicated. First the findStr function removes the obfuscation strings appended to the left and right of the response data (for PHP_XOR_BASE64, 16 obfuscation characters are appended at the front and at the back). The remaining data is base64-decoded, and finally XORed byte by byte with the first 16 characters of the MD5 of the shell connection key, which completes the decryption of the response data.
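As an added example (not code from the original post or from the Godzilla project), here are the client-side request encryption from section (2) and the response decryption just described, written in Python so that a captured PHP_XOR_BASE64 exchange can be decoded offline. Two details are assumptions taken from Godzilla's phpXor template rather than from this page: the key index offset (i + 1) & 15 inside encode, and the 16-character padding being md5(pass + derived key) split in half.

```python
import base64
import hashlib
import re
from urllib.parse import quote, unquote

HEX16 = re.compile(rb"^[0-9a-fA-F]{16}$")

def derive_key(shell_key: str) -> bytes:
    """Godzilla never XORs with the raw key: it uses the first 16 hex chars of md5(key)."""
    return hashlib.md5(shell_key.encode()).hexdigest()[:16].encode()

def xor_encode(data: bytes, key16: bytes) -> bytes:
    """Mirror of the shell's encode(): byte i is XORed with key16[(i + 1) & 15]
    (offset as in the phpXor template; assumption). XOR is its own inverse."""
    return bytes(b ^ key16[(i + 1) & 15] for i, b in enumerate(data))

def encrypt_request(plaintext: bytes, password: str, shell_key: str) -> str:
    """Client side: XOR, then base64, then URL-encode; sent as the POST body 'pass=...'."""
    value = base64.b64encode(xor_encode(plaintext, derive_key(shell_key))).decode()
    return f"{password}={quote(value, safe='')}"

def decrypt_request(post_body: str, password: str, shell_key: str) -> bytes:
    """Forensics direction: recover the command (e.g. 'test') from a captured POST body."""
    name, _, value = post_body.partition("=")
    if name != password:
        raise ValueError("POST parameter name is not the shell password")
    return xor_encode(base64.b64decode(unquote(value)), derive_key(shell_key))

def response_markers(password: str, shell_key: str):
    """The 16 chars padded on each side: md5(pass + derived key) split in half (assumption)."""
    m = hashlib.md5((password + derive_key(shell_key).decode()).encode()).hexdigest().encode()
    return m[:16], m[16:]

def encrypt_response(result: bytes, password: str, shell_key: str) -> bytes:
    """What the shell echoes back: head + base64(xor(result)) + tail."""
    head, tail = response_markers(password, shell_key)
    return head + base64.b64encode(xor_encode(result, derive_key(shell_key))) + tail

def decrypt_response(body: bytes, password: str, shell_key: str) -> bytes:
    """Same steps as Godzilla's findStr path: strip 16 bytes each side, base64-decode, XOR."""
    if len(body) < 36 or not (HEX16.match(body[:16]) and HEX16.match(body[-16:])):
        raise ValueError("body is not shaped like a PHP_XOR_BASE64 response")
    head, tail = response_markers(password, shell_key)
    if body[:16] != head or body[-16:] != tail:
        raise ValueError("markers do not match this password/key pair")
    return xor_encode(base64.b64decode(body[16:-16]), derive_key(shell_key))
```

With the page's password pass and key key, the test-connection reply ok decodes to a 36-byte body (16 + 4 + 16), which is the size the detection rule in section 6 keys on.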

⑤ The third Request packet

Basic information about the system is obtained by running the getBasicsInfo function from Godzilla's command-execution code.

⑥ The third Response packet

4. PHP_EVAL_XOR_BASE64 encryptor

The request flow is the same for all of Godzilla's encryptors; what differs is how the encryption and decryption are implemented.
A PHP_EVAL_XOR_BASE64 encrypted shell has the following characteristics:
• The encrypted request data takes the form pass=evalContent&key=XXXXXXXX, where pass is the shell password and key is the shell key.
• The pass=evalContent part is identical in every request. evalContent is an encoded form of the file shells/cryptions/phpXor/template (with <?php on line 1 deleted, {pass} replaced by the shell password and {secretKey} replaced by the shell key).
• The key=XXXXXXXX part of each request carries the actual shell operation, encrypted in the same way as the PHP_XOR_BASE64 shell.
The encryption process for evalContent is as follows:
① Take the contents of the file src/shells/cryptions/phpXor/template.
② Base64-encode the file contents.
③ Reverse the string obtained in step 2.
④ URL-encode the string obtained in step 3.
⑤ Splice the string from step 4 into eval(base64_decode(strrev(urldecode('the string obtained in step 4')))); this is the final evalContent.
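An added example, not part of the original post: steps ① to ⑤ above in Python, plus the reverse direction a defender needs when the request is captured on the wire. TEMPLATE is a constructed stand-in for the phpXor template file (only the lines the page says are substituted), and {secretKey} is assumed to receive the 16-character derived key.

```python
import base64
import re
from urllib.parse import quote, unquote

# Constructed stand-in for src/shells/cryptions/phpXor/template (not the real file):
# line 1 is the "<?php" that gets deleted, then the two lines whose placeholders are filled.
TEMPLATE = "<?php\n@session_start();\n$pass='{pass}';\n$key='{secretKey}';\n"
EVAL_WRAP = re.compile(r"^eval\(base64_decode\(strrev\(urldecode\('([^']+)'\)\)\)\);$")

def build_eval_content(template: str, password: str, key16: str) -> str:
    """Steps 1-5: drop line 1, fill placeholders, base64, reverse, URL-encode, wrap in eval()."""
    body = template.split("\n", 1)[1].replace("{pass}", password).replace("{secretKey}", key16)
    step2 = base64.b64encode(body.encode()).decode()
    step3 = step2[::-1]
    step4 = quote(step3, safe="")
    return f"eval(base64_decode(strrev(urldecode('{step4}'))));"

def unwrap_eval_content(eval_content: str) -> str:
    """Forensics direction: undo the wrapper to recover the PHP carried in every request."""
    m = EVAL_WRAP.match(eval_content)
    if not m:
        raise ValueError("not a PHP_EVAL_XOR_BASE64 evalContent")
    return base64.b64decode(unquote(m.group(1))[::-1]).decode()

def extract_pass_and_key(php: str):
    """The recovered PHP names the password and the 16-char key in clear text, which is
    what lets a defender go on to decrypt the key=... half of the same request."""
    p = re.search(r"\$pass='([^']*)'", php)
    k = re.search(r"\$key='([^']*)'", php)
    return (p.group(1) if p else None, k.group(1) if k else None)
```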

5. PHP_XOR_RAW encryptor

The PHP_XOR_RAW encrypted shell simply XORs the original data byte by byte with the first 16 characters of the MD5 of the shell key (here, key) and sends the resulting binary bytes directly to the server. The server's response is likewise raw binary, with no extra data appended on the left or right.

6. Deployed detection rule

alert http any any -> any any (msg:"Godzilla/Godzilla PHP Base64 Connection Successful!";
    flow:established,from_server;
    flowbits:txisset,Godzilla_webshell_request_match;
    content:!"Rising";
    http.response_body;
    bsize:36;
    pcre:"/^([0-9A-F]{16}|[0-9a-f]{16})/";
    pcre:"/([0-9A-F]{16}|[0-9a-f]{16})$/";
    pcre:"/^[\s\S]{16}(.*)[\s\S]{16}$/";
    pcrexform:"^[\s\S]{16}(.*)[\s\S]{16}$";
    pcre:"/[\s\S]/";
    base64;
    flowbits:unset,Godzilla_webshell_request_match;
)
  • alert http any any -> any any generates an alert for HTTP traffic between any source and destination IP.
  • msg:"Godzilla/Godzilla PHP Base64 Connection Successful!" is the descriptive message of the alert.
  • flow:established,from_server restricts detection to traffic sent by the server side on an established connection.
  • flowbits:txisset,Godzilla_webshell_request_match checks whether the flow bit named Godzilla_webshell_request_match has been set by the matching request-side rule (note that the rule uses txisset rather than isset).
  • content:!"Rising" requires that the string "Rising" does not appear in the HTTP response body.
  • http.response_body restricts the following matches to the body of the HTTP server response.
  • bsize:36 requires the response body to be exactly 36 bytes, which is the size of the test-connection reply: the 16-character prefix, the 4-character base64 encoding of the two-byte ok, and the 16-character suffix.
  • pcre:"/^([0-9A-F]{16}|[0-9a-f]{16})/" and pcre:"/([0-9A-F]{16}|[0-9a-f]{16})$/" use Perl-compatible regular expressions (PCRE) to check that the response body begins and ends with 16 hexadecimal characters.
  • pcre:"/^[\s\S]{16}(.*)[\s\S]{16}$/" and pcrexform:"^[\s\S]{16}(.*)[\s\S]{16}$" check that the response body follows the expected layout: 16 arbitrary characters, an arbitrary middle part, and 16 arbitrary characters; the pcrexform transform exposes that middle part for the keywords that follow.
  • pcre:"/[\s\S]/" matches any single character (the class [\s\S] matches every character, newline included), so it only requires the extracted middle part to be non-empty.
  • base64 (isbase64:3) decodes the matched content as base64 and checks whether the number of decoded bytes is a multiple of 3.
  • flowbits:unset,Godzilla_webshell_request_match clears the flow bit named Godzilla_webshell_request_match.