菜刀HTTP流量中转代理过WAF技术详解<\/h1>

0x00 背景与概述<\/h2>

在渗透测试中，Webshell的免杀需要解决两个核心问题：<\/p>

源脚本免杀 - 确保Webshell本身不被检测<\/li>

流量混淆 - 对传输内容进行编码加密，绕过WAF和流量检测系统<\/li> <\/ol>

传统菜刀工具(caidao.exe)存在以下局限性：<\/p>

仅支持request包的自定义编码<\/li>
response返回包通常是明文状态<\/li>

无法定义服务端response内容的编码方法<\/li> <\/ul>

本文介绍的CaiDaoProxy.py是一个中间人HTTP流量代理脚本，可同时修改request和response内容，实现完整的流量混淆。<\/p>

0x01 开发原因<\/h2>

选择基于caidao.exe(20160620版)开发CaiDaoProxy.py的原因：<\/p>

该版本菜刀拥有配置文件(caidao.conf)，可直接修改发往服务器的语句<\/li>
中间人代理模式对流量的可操作性强，可任意修改收发内容<\/li>
避免重复造轮子，在现有工具基础上增强功能<\/li>

表面使用普通菜刀，实际使用过WAF代理，隐蔽性高<\/li> <\/ol>

0x02 工作原理<\/h2>

CaiDaoProxy.py作为中间代理：<\/p>

拦截caidao.exe发送的request，进行编码混淆<\/li>
拦截服务器返回的response，进行编码混淆<\/li>

实现双向流量加密，避免特征检测<\/li> <\/ol>

流量路径：<\/p>

caidao.exe -> (明文) -> CaiDaoProxy.py -> (加密) -> 目标服务器
目标服务器 -> (加密) -> CaiDaoProxy.py -> (解密) -> caidao.exe
<\/code><\/pre>
0x03 源文件免杀技术<\/h2>
JSP Webshell免杀方法<\/h3>
使用Unicode编码绕过检测：<\/p>

Java编译器可编译Unicode编码的源代码<\/li>
将关键代码转换为"\uxxxx"形式的Unicode编码<\/li>
示例密码：LandGrey<\/li>
<\/ul>
实现原理：<\/p>

服务器接收Unicode编码的JSP文件<\/li>
Tomcat将其编译为正常class文件<\/li>
反编译后显示的是Unicode编码的源代码<\/li>
<\/ol>
0x04 传输内容加密方案<\/h2>
加密目标<\/h3>

客户端->服务端：混淆POST参数名和参数值<\/li>
服务端->客户端：混淆返回的执行结果<\/li>
<\/ol>
通用加密思路（PHP\/ASP\/ASPX）<\/h3>

拦截请求时：

随机化参数名<\/li>
组合多种简单编码（如base64_encode -> strrev -> base64_encode）<\/li>
<\/ul>
<\/li>
服务端执行：

修改caidao.conf或代理脚本统一编码方式<\/li>
服务端解码后执行<\/li>
<\/ul>
<\/li>
返回结果时：

服务端对输出进行编码<\/li>
代理解码后返回给菜刀<\/li>
<\/ul>
<\/li>
<\/ol>
JSP专用加密方案（DES对称加密）<\/h3>
通信流程：<\/p>

CaiDaoProxy发送：

DES加密 -> Base64编码 -> 发送<\/li>
服务端接收：

Base64解码 -> DES解密 -> 执行<\/li>
服务端返回：

DES加密 -> Base64编码 -> 返回<\/li>
CaiDaoProxy接收：

Base64解码 -> DES解密 -> 显示<\/li>
<\/ol>
服务端关键代码（JSP）<\/h4>
import<\/span> javax.crypto.Cipher;<\/span>
<\/span><\/span>import<\/span> javax.crypto.SecretKey;<\/span>
<\/span><\/span>import<\/span> javax.crypto.spec.DESKeySpec;<\/span>
<\/span><\/span>import<\/span> javax.crypto.SecretKeyFactory;<\/span>
<\/span><\/span>import<\/span> java.security.SecureRandom;<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 密钥
<\/span><\/span><\/span><\/span>String DesKey =<\/span> "LandGrey"<\/span>;<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ DES加密函数
<\/span><\/span><\/span><\/span>byte<\/span>[]<\/span> DesEncrpyt<\/span>(<\/span>String content)<\/span> {<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        SecureRandom random =<\/span> new<\/span> SecureRandom();<\/span>
<\/span><\/span>        DESKeySpec desKey =<\/span> new<\/span> DESKeySpec(<\/span>DesKey.<\/span>getBytes<\/span>());<\/span>
<\/span><\/span>        SecretKeyFactory keyFactory =<\/span> SecretKeyFactory.<\/span>getInstance<\/span>(<\/span>"DES"<\/span>);<\/span>
<\/span><\/span>        SecretKey securekey =<\/span> keyFactory.<\/span>generateSecret<\/span>(<\/span>desKey);<\/span>
<\/span><\/span>        Cipher cipher =<\/span> Cipher.<\/span>getInstance<\/span>(<\/span>"DES"<\/span>);<\/span>
<\/span><\/span>        cipher.<\/span>init<\/span>(<\/span>Cipher.<\/span>ENCRYPT_MODE<\/span>,<\/span> securekey,<\/span> random);<\/span>
<\/span><\/span>        return<\/span> cipher.<\/span>doFinal<\/span>(<\/span>content.<\/span>getBytes<\/span>());<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>Throwable e)<\/span> {<\/span>
<\/span><\/span>        e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> null<\/span>;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ DES解密函数
<\/span><\/span><\/span><\/span>byte<\/span>[]<\/span> DesDecrpyt<\/span>(<\/span>byte<\/span>[]<\/span> content)<\/span> {<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        SecureRandom random =<\/span> new<\/span> SecureRandom();<\/span>
<\/span><\/span>        DESKeySpec desKey =<\/span> new<\/span> DESKeySpec(<\/span>DesKey.<\/span>getBytes<\/span>());<\/span>
<\/span><\/span>        SecretKeyFactory keyFactory =<\/span> SecretKeyFactory.<\/span>getInstance<\/span>(<\/span>"DES"<\/span>);<\/span>
<\/span><\/span>        SecretKey securekey =<\/span> keyFactory.<\/span>generateSecret<\/span>(<\/span>desKey);<\/span>
<\/span><\/span>        Cipher cipher =<\/span> Cipher.<\/span>getInstance<\/span>(<\/span>"DES"<\/span>);<\/span>
<\/span><\/span>        cipher.<\/span>init<\/span>(<\/span>Cipher.<\/span>DECRYPT_MODE<\/span>,<\/span> securekey,<\/span> random);<\/span>
<\/span><\/span>        return<\/span> cipher.<\/span>doFinal<\/span>(<\/span>content);<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>Throwable e)<\/span> {<\/span>
<\/span><\/span>        e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> null<\/span>;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>CaiDaoProxy关键代码（Python）<\/h4>
import<\/span> base64
<\/span><\/span>from<\/span> pyDes import<\/span> des, ECB, PAD_PKCS5
<\/span><\/span>
<\/span><\/span># 密钥<\/span>
<\/span><\/span>DesKey =<\/span> "LandGrey"<\/span>
<\/span><\/span>
<\/span><\/span># DES加解密类<\/span>
<\/span><\/span>class<\/span> DesCipher<\/span>:
<\/span><\/span>    def<\/span> __init__(self, secret_key):
<\/span><\/span>        self.<\/span>secret_key =<\/span> secret_key
<\/span><\/span>    
<\/span><\/span>    def<\/span> encrypt<\/span>(self, s):
<\/span><\/span>        iv =<\/span> self.<\/span>secret_key
<\/span><\/span>        k =<\/span> des(self.<\/span>secret_key, ECB, iv, pad=<\/span>None<\/span>, padmode=<\/span>PAD_PKCS5)
<\/span><\/span>        en =<\/span> k.<\/span>encrypt(bytes(s), padmode=<\/span>PAD_PKCS5)
<\/span><\/span>        return<\/span> en
<\/span><\/span>    
<\/span><\/span>    def<\/span> decrypt<\/span>(self, s):
<\/span><\/span>        iv =<\/span> self.<\/span>secret_key
<\/span><\/span>        k =<\/span> des(self.<\/span>secret_key, ECB, iv, pad=<\/span>None<\/span>, padmode=<\/span>PAD_PKCS5)
<\/span><\/span>        de =<\/span> k.<\/span>decrypt(s, padmode=<\/span>PAD_PKCS5)
<\/span><\/span>        return<\/span> de
<\/span><\/span><\/code><\/pre>0x05 部署与使用<\/h2>

配置CaiDaoProxy.py监听本地端口（如9000）<\/li>
在caidao.exe地址栏填写：

http:\/\/127.0.0.1:9000\/?=http:\/\/www.example.com\/webshell.jsp<\/code><\/li>
实际请求地址由CaiDaoProxy剥离并处理<\/li>
<\/ol>
0x06 局限性<\/h2>
虽然该方案能绕过多数检测，但仍存在以下可能被检测的场景：<\/p>

防护软件有进程监控功能<\/li>
组件监控或RASP(运行时应用自我保护)功能<\/li>
使用caidao.exe的虚拟终端功能时<\/li>
<\/ol>
0x07 总结<\/h2>
通过CaiDaoProxy.py可以实现：<\/p>

源文件级别的免杀（Unicode编码）<\/li>
双向流量加密（DES+Base64）<\/li>
保留原有工具使用习惯，隐蔽性高<\/li>
适用于PHP\/ASP\/JSP等多种Webshell<\/li>
<\/ol>
这种方案能够绕过大多数Webshell检测软件和监测平台的检测机制，是渗透测试中有效的绕过手段。<\/p>