[WSO SHELL] XOR encrypt and decrypt - Cryptology - 0x00sec - The Home of the Hacker
2019-07-04 14:40:38 Author: 0x00sec.org

#1

Hello guys,

A friend of mine sent this and asked me to make it compatible with the latest version of wso shell, the 4v and above.

After downloading the wso file, we have these first lines that show us everything that happens when there is a POST request:

Screenshot_4

We notice something weird! A decrypt() function in each REQUEST.

Let’s see what we have

function decrypt($str,$pwd){
	$pwd=base64_encode($pwd);   // the XOR key is the base64 form of the password
	$str=base64_decode($str);   // strip the outer base64 layer of the request value
	$enc_chr="";
	$enc_str="";
	$i=0;
	while($i<strlen($str)){
		// repeating-key XOR: the key index restarts at 0 after each full pass
		for($j=0;$j<strlen($pwd);$j++){
			$enc_chr=chr(ord($str[$i])^ord($pwd[$j]));
			$enc_str.=$enc_chr;
			$i++;
			if($i>=strlen($str))break;
		}
	}
	return base64_decode($enc_str);   // the inner base64 layer wraps the plaintext
}

It looks like an XOR encryption. What I can quote from someone is:

XOR is symmetric, we use the same method to encrypt and decrypt.

I’ll put the wso shell on my localhost and open Burp Suite so I’ll understand more about how stuff works.

Screenshot_5

We have encrypted values for some requests. Let’s take the a value:

GBMlAA==

Using the decrypt function we’ll get:

Php

Everything is okay for now, and by googling the function I found something on Reddit,

the only discussion about it on the whole internet.

So how to go from Php to GBMlAA==?

My final PHP script can run a specified command in many uploaded shells.

Before the gist link:

This Script used for authorized testing and/or educational purposes only.
Run it on your own localhost or your server.
I take no responsibility for the abuse of the script.

#2

Hey,
I don’t really understand what you are trying to achieve, but I’ll answer this:

How to go from Php to GBMlAA==?

You have the encoding and decoding routines, just use them, no? Just like that:

<?php
// encrypt(): base64 the plaintext, XOR it with the base64 form of the
// password (repeating key), then base64 the result again.
function encrypt($str, $pwd) {
    $str = base64_encode($str);
    $pwd = base64_encode($pwd);
    $enc_str = '';
    $i = 0;
    while ($i < strlen($str)) {
        for ($j = 0; $j < strlen($pwd); $j++) {
            $enc_str .= chr(ord($str[$i]) ^ ord($pwd[$j]));
            $i++;
            if ($i >= strlen($str)) break;
        }
    }
    return base64_encode($enc_str);
}

// decrypt(): the exact reverse. XOR is its own inverse, so the same loop
// recovers the inner base64 string, which is then decoded to the plaintext.
function decrypt($str, $pwd) {
    $pwd = base64_encode($pwd);
    $str = base64_decode($str);
    $enc_chr = '';
    $enc_str = '';
    $i = 0;
    while ($i < strlen($str)) {
        for ($j = 0; $j < strlen($pwd); $j++) {
            $enc_chr = chr(ord($str[$i]) ^ ord($pwd[$j]));
            $enc_str .= $enc_chr;
            $i++;
            if ($i >= strlen($str)) break;
        }
    }
    return base64_decode($enc_str);
}

// The password is the md5 of the client's User-Agent string.
$key = md5('Mozilla/5.0 (Windows NT 6.1; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0');

echo "Encoded value : " . encrypt('Php', $key); // returns GBMlAA==
echo "<br>";
echo "Decoded value : " . decrypt('GBMlAA==', $key); // returns Php

Regards
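Added example, not code from the thread: a Python port of the two routines above, plus a helper for an incident responder who has captured a WSO POST body (from a web-server, WAF or proxy log) and wants to see what was actually sent. Key derivation as md5 of the User-Agent follows post #2; `decode_wso_post_body`, `xor_with_key` and the sample values are constructed for this example.

```python
import base64
import hashlib
from urllib.parse import quote_plus, unquote_plus


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: what WSO's nested while/for loops compute."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def wso_key_from_user_agent(user_agent: str) -> str:
    """Post #2 derives the password as md5() of the client's User-Agent."""
    return hashlib.md5(user_agent.encode()).hexdigest()


def wso_encrypt(plaintext: str, pwd: str) -> str:
    """Mirror of encrypt(): base64(xor(base64(plaintext), base64(pwd)))."""
    key = base64.b64encode(pwd.encode())
    inner = base64.b64encode(plaintext.encode())
    return base64.b64encode(xor_with_key(inner, key)).decode()


def wso_decrypt(value: str, pwd: str) -> str:
    """Mirror of decrypt(): the same XOR undoes itself, then both base64 layers come off."""
    key = base64.b64encode(pwd.encode())
    inner = xor_with_key(base64.b64decode(value), key)
    return base64.b64decode(inner).decode(errors="replace")


def decode_wso_post_body(body: str, user_agent: str) -> dict:
    """Decode every parameter of a captured, URL-encoded WSO POST body (constructed helper)."""
    pwd = wso_key_from_user_agent(user_agent)
    decoded = {}
    for pair in body.split("&"):
        name, _, raw = pair.partition("=")
        try:
            decoded[name] = wso_decrypt(unquote_plus(raw), pwd)
        except ValueError:
            decoded[name] = None  # not valid base64: wrong UA/key, or a plain parameter
    return decoded


if __name__ == "__main__":
    # Constructed sample: a body built with the User-Agent from post #2, then decoded again.
    ua = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0"
    pwd = wso_key_from_user_agent(ua)
    body = "&".join(f"{k}={quote_plus(wso_encrypt(v, pwd))}"
                    for k, v in {"a": "Php", "c": "/var/www"}.items())
    print(decode_wso_post_body(body, ua))
```

Because the key is only the md5 of a header the client chooses, the User-Agent in the same log line is all that is needed to decode the traffic; a decoded `a` parameter of a few letters (a WSO action name) in POST bodies to an unexpected PHP file is a useful detection signal.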


Source: https://0x00sec.org/t/wso-shell-xor-encrypt-and-decrypt/14720