feat: [v3.5.2] 终极安全与逻辑闭环补丁
1. 升级军工级 HMAC 签名:将数据负载 (Base64) 卷入哈希,封死中间人篡改路径。 2. 引入高熵复合密钥:结合 CHAT_ID 与 TG_TOKEN,大幅提升抗暴力破解强度。 3. 实现全自动改名闭环:Master 确认 Agent 修改成功后自动同步数据库,彻底告别手动复制。
@@ -83,15 +83,19 @@ import time
|
||||
|
||||
PORT = int(sys.argv[1])
|
||||
|
||||
# 🛡️ 提取全局鉴权 Token (利用 CHAT_ID 作为 PSK 预共享密钥)
|
||||
# 🛡️ [军工级升级] 提取全局复合鉴权 Token
|
||||
AUTH_TOKEN = ""
|
||||
TG_TOKEN = ""
|
||||
if os.path.exists('/opt/ip_sentinel/config.conf'):
|
||||
with open('/opt/ip_sentinel/config.conf', 'r') as f:
|
||||
for line in f:
|
||||
line = line.strip()
|
||||
if line.startswith('CHAT_ID='):
|
||||
AUTH_TOKEN = line.split('=', 1)[1].strip('"\'')
|
||||
break
|
||||
elif line.startswith('TG_TOKEN='):
|
||||
TG_TOKEN = line.split('=', 1)[1].strip('"\'')
|
||||
# 构建高熵密钥
|
||||
SECRET_KEY = f"{AUTH_TOKEN}:{TG_TOKEN}"
|
||||
|
||||
class AgentHandler(http.server.BaseHTTPRequestHandler):
|
||||
def do_GET(self):
|
||||
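Review bot: `SECRET_KEY = f"{AUTH_TOKEN}:{TG_TOKEN}"` is built unconditionally, so when config.conf is absent or lacks either entry the agent keeps serving with a key of `:` or `<chat_id>:` and will accept requests signed with that predictable value; fail closed after the loop, e.g. `if not AUTH_TOKEN or not TG_TOKEN: sys.exit("config.conf must set CHAT_ID and TG_TOKEN")`. The same degenerate-key case reaches the verification in the second hunk, which signs with SECRET_KEY. If the `break` under the `CHAT_ID=` branch survives on the new side (the rendered view lost the markers), the loop stops before a `TG_TOKEN=` line that comes later in the file is read, so it should be dropped so both values are collected regardless of order. TG_TOKEN is the bot's Telegram credential, so SECRET_KEY now carries a secret that grants API access and must not be logged or echoed in error output.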
@@ -123,9 +127,14 @@ class AgentHandler(http.server.BaseHTTPRequestHandler):
|
||||
self.end_headers()
|
||||
return
|
||||
|
||||
# 校验 3:HMAC 数据完整性与身份合法性校验
|
||||
msg = f"{req_path}:{req_t}".encode('utf-8')
|
||||
expected_sign = hmac.new(AUTH_TOKEN.encode('utf-8'), msg, hashlib.sha256).hexdigest()
|
||||
# 校验 3:HMAC 数据完整性与身份合法性校验 (全参数卷入)
|
||||
msg_str = f"{req_path}:{req_t}"
|
||||
b64_alias = query.get('b64', [''])[0]
|
||||
if b64_alias:
|
||||
msg_str += f":{b64_alias}"
|
||||
|
||||
msg = msg_str.encode('utf-8')
|
||||
expected_sign = hmac.new(SECRET_KEY.encode('utf-8'), msg, hashlib.sha256).hexdigest()
|
||||
|
||||
# 使用 compare_digest 防御时序攻击
|
||||
if not hmac.compare_digest(expected_sign, req_sign):
|
||||
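Review bot: The signed-message layout `"<req_path>:<req_t>[:<b64>]"` built at `msg_str` is a wire contract with generate_signed_url() in the master script, but nothing in the code records that; add a comment above `msg_str = f"{req_path}:{req_t}"` such as `# Must match the master's generate_signed_url(): "<path>:<t>", plus ":<b64>" only when b64 is non-empty; changing either side silently breaks verification.` Assembling the message in one place also keeps the format visible: `parts = [req_path, req_t] + ([b64_alias] if b64_alias else [])` then `msg = ":".join(parts).encode('utf-8')`. Only the `b64` parameter is covered by the signature; any further query parameter added later would be unsigned unless it is folded in here as well. The enclosing do_GET body, including where req_t and req_sign are read, lies outside this hunk.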
@@ -276,23 +285,7 @@ class AgentHandler(http.server.BaseHTTPRequestHandler):
|
||||
|
||||
with open(config_path, 'w', encoding='utf-8') as f:
|
||||
f.writelines(lines)
|
||||
|
||||
# 4. 绕过 WAF:交由系统底层 curl 异步发包
|
||||
region = config_dict.get('REGION_CODE', 'UNKNOWN')
|
||||
node_name = config_dict.get('NODE_NAME', 'UNKNOWN')
|
||||
agent_ip = config_dict.get('PUBLIC_IP', '127.0.0.1')
|
||||
agent_port = config_dict.get('AGENT_PORT', '9527')
|
||||
chat_id = config_dict.get('CHAT_ID', '')
|
||||
tg_url = config_dict.get('TG_API_URL', '')
|
||||
|
||||
if tg_url and chat_id:
|
||||
reg_msg = f"#REGISTER#|{region}|{node_name}|{agent_ip}|{agent_port}|{safe_alias}"
|
||||
subprocess.Popen([
|
||||
'curl', '-s', '-m', '10', '-X', 'POST', tg_url,
|
||||
'-d', f'chat_id={chat_id}',
|
||||
'-d', f'text={reg_msg}'
|
||||
])
|
||||
|
||||
|
||||
self.send_response(200)
|
||||
self.send_header("Content-type", "text/plain")
|
||||
self.end_headers()
|
||||
|
||||
@@ -41,22 +41,32 @@ db_exec() {
|
||||
sqlite3 "$DB_FILE" "$1"
|
||||
}
|
||||
|
||||
# ================== [v3.0.4 核心: 动态 HMAC 签名生成器] ==================
|
||||
# 用法: generate_signed_url <IP> <PORT> <PATH>
|
||||
# ================== [v3.5.2 军工级: 全链路 HMAC 签名生成器] ==================
|
||||
# 用法: generate_signed_url <IP> <PORT> <PATH> [B64_PAYLOAD]
|
||||
generate_signed_url() {
|
||||
local target_ip=$1
|
||||
local target_port=$2
|
||||
local action_path=$3
|
||||
local extra_payload=$4
|
||||
local current_t=$(date +%s)
|
||||
|
||||
# 构建加密载荷: "路径:时间戳"
|
||||
# 构建基础加密载荷: "路径:时间戳"
|
||||
local payload="${action_path}:${current_t}"
|
||||
|
||||
# 使用 CHAT_ID 作为密钥,生成 SHA256 HMAC 签名
|
||||
local signature=$(echo -n "$payload" | openssl dgst -sha256 -hmac "$CHAT_ID" | awk '{print $NF}')
|
||||
# [安全升级] 如果存在 B64 数据,将其卷入签名载荷,彻底封死中间人篡改漏洞
|
||||
if [ -n "$extra_payload" ]; then
|
||||
payload="${payload}:${extra_payload}"
|
||||
fi
|
||||
|
||||
# 返回最终带签名的 URL
|
||||
echo "http://${target_ip}:${target_port}${action_path}?t=${current_t}&sign=${signature}"
|
||||
# [安全升级] 引入高熵复合密钥 (CHAT_ID + TG_TOKEN),防暴力破解与社工泄露
|
||||
local secret_key="${CHAT_ID}:${TG_TOKEN}"
|
||||
local signature=$(echo -n "$payload" | openssl dgst -sha256 -hmac "$secret_key" | awk '{print $NF}')
|
||||
|
||||
local final_url="http://${target_ip}:${target_port}${action_path}?t=${current_t}&sign=${signature}"
|
||||
if [ -n "$extra_payload" ]; then
|
||||
final_url="${final_url}&b64=${extra_payload}"
|
||||
fi
|
||||
echo "$final_url"
|
||||
}
|
||||
# ========================================================================
|
||||
|
||||
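Review bot: The composite key `"${CHAT_ID}:${TG_TOKEN}"` is passed to openssl on its command line (`-hmac "$secret_key"` on the `local signature=` line), so the bot token is visible in process listings on the master for the duration of every call and in any `set -x` trace, which is a new exposure compared with the CHAT_ID-only key. Keep the secret out of argv, for example by exporting it and computing the MAC in a helper that reads its key from the environment (python3's hmac module can do this if python3 is available on the master), or at minimum document the exposure at the call site. Separately, `local signature=$(...)` and `local current_t=$(date +%s)` mask the pipeline's exit status under `set -e`; declare first and assign on a second line (`local signature; signature=$(...)`) and prefer `printf '%s' "$payload"` over `echo -n`. The `:`-joined payload is a wire contract with the agent's verification code, which is worth stating in the usage comment above the function.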
@@ -337,18 +347,20 @@ while true; do
|
||||
if [ -n "$AGENT_IP" ] && [ -n "$AGENT_PORT" ]; then
|
||||
send_msg "$CHAT_ID" "⏳ 正在向 \`$TARGET_NODE\` 下发重命名指令,正在建立加密隧道..."
|
||||
|
||||
TARGET_URL=$(generate_signed_url "$AGENT_IP" "$AGENT_PORT" "/trigger_rename")
|
||||
|
||||
# [绝密防线: Base64 编码绕过一切传输限制与 WAF 拦截]
|
||||
ALIAS_B64=$(echo -n "$NEW_ALIAS" | base64 | tr -d '\n' | tr '+/' '-_')
|
||||
TARGET_URL="${TARGET_URL}&b64=${ALIAS_B64}"
|
||||
|
||||
# [安全升级] 将 B64 数据作为第4个参数传入,完美卷入 HMAC 签名引擎
|
||||
TARGET_URL=$(generate_signed_url "$AGENT_IP" "$AGENT_PORT" "/trigger_rename" "$ALIAS_B64")
|
||||
|
||||
RESPONSE=$(curl -s -m 5 "$TARGET_URL" || echo "FAILED")
|
||||
|
||||
if [ "$RESPONSE" == "FAILED" ]; then
|
||||
send_msg "$CHAT_ID" "❌ 指令下发超时!请检查节点连通性。"
|
||||
elif [[ "$RESPONSE" == *"Action Accepted"* ]]; then
|
||||
send_msg "$CHAT_ID" "✅ 通讯成功!节点别名已下发: \`$NEW_ALIAS\`\n*(注: 节点随后将自动向中枢报备刷新面板)*"
|
||||
# [极致丝滑] 确认 Agent 修改成功后,Master 立即自动同步本地 SQLite,终结手动复制!
|
||||
db_exec "UPDATE nodes SET node_alias='$NEW_ALIAS' WHERE chat_id='$CHAT_ID' AND node_name='$TARGET_NODE';"
|
||||
send_msg "$CHAT_ID" "✅ 通讯成功!节点别名已下发: \`$NEW_ALIAS\`\n*(司令部档案已自动刷新,雷达面板已同步)*"
|
||||
else
|
||||
# 增加输出 RESPONSE 调试信息,排查任何拦截死因
|
||||
send_msg "$CHAT_ID" "⚠️ 节点拒绝了请求,请确保 Agent 已更新至 v3.5.2\n(回传信息: \`${RESPONSE}\`)"
|
||||
|
||||
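Review bot: The new `db_exec "UPDATE nodes SET node_alias='$NEW_ALIAS' WHERE ... node_name='$TARGET_NODE';"` interpolates operator-supplied values straight into the SQL text that db_exec hands to sqlite3; an alias containing a single quote breaks the statement, and because the same value was already accepted by the agent the master's database is then left out of sync with the node. Escape single quotes before building the statement, e.g. `alias_sql=${NEW_ALIAS//\'/\'\'}` and `node_sql=${TARGET_NODE//\'/\'\'}` used inside the quoted literals, or bind the values with sqlite3's `.parameter set` instead of string assembly. `RESPONSE=$(curl -s -m 5 "$TARGET_URL" || echo "FAILED")` also appends FAILED to whatever partial body curl already printed, so the `== "FAILED"` branch only fires when curl produced no output; check curl's exit status directly. The enclosing `while true` loop starts and ends outside this hunk.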