├── README.md
├── py_decrypt.py
└── decropt.php


/README.md:
--------------------------------------------------------------------------------
 1 | <center>解密</center>
 2 | 
 3 | 
 4 | 
 5 | 此脚本用于冰蝎流量的解密。
 6 | 
 7 | > 暂时只支持将冰蝎流量解析为php原始代码。
 8 | >
 9 | > 后续有人用的话，就把该代码处理一下。直接表示为执行的命令操作。
10 | >
11 | >  
12 | >
13 | > (ps.冰蝎通信过程中 请求中的内容实际是代码。响应的内容实际上是json字符串，需要注意的是，json的value值被base64编码了)
14 | >
15 | > 
16 | 
17 | 
18 | 
19 | 
20 | 
21 | 
22 | 
23 | 暂只支持php，测试环境behinder 3.0 Beta6没有问题。
24 | 
25 | 
26 | 
27 | 直接使用php文件即可解析冰蝎流量。
28 | 
29 | ```
30 | php decropt.php -a 后面接要解密的字符串
31 | ```
32 | 
33 | 
34 | 
35 | ```
36 | php decropt.php -f 解密的字符串的文件
37 | ```
38 | 
39 | > 此处的密文字符串文件只允许存在密文，不允许有http请求体。
40 | 
41 | 
42 | 
43 | ```
44 | php decropt.php -k 秘钥 -a 解密字符串
45 | ```
46 | 
47 | > 默认的key值为冰蝎默认密码。
48 | 
49 | 
50 | 
51 | 使用py文件可以支持解析pcap包流量。(ps.需要注意的是：一个长post包是由多个tcp组成的，需要将该http请求的tcp包截取完整，否则可能会造成解析出错。)
52 | 
53 | 
54 | 
55 | 使用示例：
56 | 
57 | ```
58 | python3 py_decrypt.py -f /tmp/test.pcap -k qwertyuioplkjhgf
59 | ```
60 | 
61 | 
62 | 有什么使用上的问题，欢迎提issues
63 | 
64 | 


--------------------------------------------------------------------------------
/py_decrypt.py:
--------------------------------------------------------------------------------
  1 | # import scapy
  2 | from scapy.all import *
  3 | # from scapy.utils import PcapReader
  4 | from scapy.layers.http import *
  5 | from subprocess import Popen,PIPE,STDOUT
  6 | import time
  7 | import json
  8 | import ast 
  9 | import base64
 10 | import re
 11 | import argparse
 12 | 
 13 | 
 14 | def extract_data(type_http,raw_data,decrypt_key):
 15 |     # print('raw_data is :',raw_data)
 16 |     filename = str(int(time.time()))
 17 | 
 18 |     open(filename,'a+').write(raw_data)
 19 |     b = Popen('php decropt.php -f '+filename+' -t '+type_http+' -d t '+' -k '+decrypt_key, shell=True, stdout=PIPE, stderr=STDOUT)
 20 | 
 21 |     result = b.stdout.read()
 22 |     # print("the result is :",result)
 23 |     if result.startswith(b'{'):
 24 |         # print(json.loads(get_safe_str(result),strict=False))
 25 |         print(get_safe_str(result))
 26 |     else:
 27 |         print(get_safe_str(result))
 28 | 
 29 | def get_safe_str(in_str) -> str:
 30 |     try:
 31 |         return in_str.decode('utf-8').strip()
 32 |     except Exception as l:
 33 |         return in_str.decode('latin1')
 34 | 
 35 | 
 36 | def main(file_path,decrypt_key):
 37 |     raw_result = {}
 38 |     load_layer('http')
 39 |     pkts = sniff(offline=file_path,session=TCPSession)
 40 |     # pkts = sniff(offline='/tmp/true_curl_demo.pcap',session=TCPSession)
 41 |     # for pkt in pkts:
 42 |     # ls('1')
 43 |     # print(pkts[10]['HTTP']['Raw'].load.decode('utf-8'))    # this demo is avaible
 44 | 
 45 |     # raw_data = pkts[7]["HTTP"]['HTTPRequest']['Raw'].load.decode('latin1')
 46 |     # type_http = 'requests'
 47 |     # filename = str(int(time.time()))
 48 |     # tag = str(pkts[7]['IP'].ack)
 49 |     # raw_result[tag] = raw_data
 50 |     # open(filename,'a+').write(raw_data)
 51 |     # b = Popen('php /tmp/test/decropt_3.php -f '+filename+' -t '+type_http, shell=True, stdout=PIPE, stderr=STDOUT)
 52 | 
 53 |     # result = b.stdout.read()
 54 |     # print('this is result:',result.decode('latin1'))
 55 |     # exit('此处退出')
 56 | 
 57 |     for pkt in pkts:
 58 |         type_http = ''
 59 |         conti = False
 60 |         try:
 61 |             try:
 62 |                 message = pkt["HTTP"]['HTTPRequest']['Raw'].load.decode('latin1')
 63 |                 print('这是一个请求')
 64 |                 type_http = 'requests'
 65 |                 conti = True
 66 |             except IndexError as identifier:
 67 | 
 68 |                 pass
 69 | 
 70 |             if not conti:
 71 |                 try:
 72 |                     message = pkt["HTTP"]['HTTPResponse']['Raw'].load.decode('latin1')
 73 |                     print('这是一个响应')
 74 |                     type_http = 'response'
 75 |                 except IndexError as identifier:
 76 |                     continue
 77 |             # print(message)
 78 |             tag = str(pkt['IP'].ack)
 79 |             if tag not in raw_result.keys():
 80 |                 raw_result[tag] = []
 81 |                 raw_result[tag].append(type_http)
 82 |                 raw_result[tag].append(message)
 83 |             else:
 84 |                 # print("加入")
 85 |                 raw_result[tag][1] += message
 86 |             # print(raw_result.keys())
 87 |         except IndexError as identifier:
 88 |             continue
 89 | 
 90 |     print("长度为：",len(raw_result))
 91 |     # exit()
 92 | 
 93 | 
 94 |     for key,value in raw_result.items():
 95 |         extract_data(value[0],value[1],decrypt_key)
 96 |         time.sleep(1)
 97 |         # open(key,'a+').write(value)
 98 |         print("\n\n\n")
 99 | 
100 | 
101 | if __name__ == "__main__":
102 | 
103 |     parse = argparse.ArgumentParser(description="redis利用脚本")
104 |     parse.add_argument('-f','--file',help="输入pcap包文件路径")
105 |     parse.add_argument('-k','--key',help='输入key秘钥值，默认为冰蝎默认密码',default='e45e329feb5d925b')
106 |     args = parse.parse_args()
107 |     if not args.file:
108 |         print("请输出pcap包路径")
109 |         exit()
110 |     decrypt_key = args.key
111 |     file_path = args.file
112 | 
113 |     print('文件路径：',file_path,' 秘钥为：',decrypt_key)
114 |     # exit()
115 |     main(file_path,decrypt_key)
116 | 


--------------------------------------------------------------------------------
/decropt.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | $arr = getopt('a:k:f:t:d:');
  3 | echo "进入php文件\n\n\n\n\n";
  4 | // exit();
  5 | // echo "进行php 脚本中";
  6 | // try {
  7 | //     $key = $arr['k'];
  8 | // } catch (\Throwable $e) {
  9 | //     //日志方法，具体自己实现
 10 | //     $key="e45e329feb5d925b";
 11 | //  }
 12 | isset($arr['k'])?$key=$arr['k']:$key='e45e329feb5d925b';
 13 | isset($arr['t'])?$http_type=$arr['t']:$http_type='requests';
 14 | // echo "this is \$key:".$key."\n this is \$http_type:".$http_type;
 15 | // echo "\$post is :".$post."\n\n";
 16 | if (isset($arr['f'])){
 17 |     $file=$arr['f'];
 18 |     $post_raw = file_get_contents($file);
 19 |     if(isset($arr['d'])){
 20 |         $arr['d'] = 't';
 21 |         unlink($file);
 22 |     }
 23 | 
 24 | }else{
 25 |     if (isset($arr['a'])){
 26 |         $post_raw= $arr['a'];
 27 |     }
 28 | }
 29 | 
 30 | function aes_convert_str($post_raw,$key){
 31 |     // preg_match('//');
 32 |     preg_match('/[a-zA-Z0-9\+\=\/]{24,}/i',$post_raw,$post);
 33 |     // echo "\$post is :".$post[0];
 34 |     // echo "aes的数据为：";
 35 |     if (count($post) === 0){
 36 |         return 'no';
 37 |     }
 38 |     // echo "进入intoaes函数：".$post[0];
 39 |     if (count($post) === 0){
 40 |         return 'no';
 41 |     }
 42 |     
 43 |     try {
 44 |         $post=openssl_decrypt($post[0], "AES128", $key);
 45 |         } catch (\Throwable $e) {
 46 |         //日志方法，具体自己实现
 47 |         // CoreHelper::write(json_encode(['eventName','order_id'=>$order->order_id??'',$e->getMessage()], JSON_UNESCAPED_UNICODE)); 
 48 |         return 'no';
 49 |     }
 50 | 
 51 |     // var_dump($post);
 52 |     if ($post == ''){
 53 |         return 'no';
 54 |     }
 55 |     return $post;
 56 | }
 57 | 
 58 | 
 59 | function xor_convert_str($post_raw,$key,$http_type){
 60 |     // echo "进入intoxor函数1,raw_data is :".$post_raw."xixixi\n\n\n\n\n\n\n";
 61 |     if ($http_type == 'requests'){
 62 |         // echo "this is :".$http_type."\n";
 63 | 		$t="base64_"."decode";
 64 |         $post=$t($post_raw."");
 65 |         $post_raw = $post;
 66 |         // echo "this is \033[[95mrequests\033[[1m";
 67 |     }
 68 |     // echo "thisresponse";
 69 |         $post = $post_raw;
 70 |         $pattern = '<b>Warning</b>:  session_start(): Cannot send session cache limiter - headers already sent in <b>D:\phpstudy_pro\WWW\sqli-labs\shell.php</b> on line <b>3</b><br />';
 71 |         // $pattern = 'on line <b>3</b><br />';
 72 |         // echo "hereis\$post".$post."\n\n\n\n";
 73 |         // var_dump(strpos($post,$pattern));
 74 |         if(strpos($post,$pattern) != false){
 75 |             $result = substr($post,strpos($post,$pattern)+strlen($pattern)+1);
 76 |             // echo "thatshouldberesult".$result."tty";
 77 |             if($result != ''){
 78 |                 $post = $result;
 79 |                 // echo "intotheconvert";
 80 |             }
 81 |         }
 82 |         
 83 | 
 84 | 		for($i=0;$i<strlen($post);$i++) {
 85 |     			 $post[$i] = $post[$i]^$key[$i+1&15]; 
 86 |                 }
 87 |     // echo "进入intoxor函数2".$post."xixixi";
 88 |     // echo "this is \$post:".$post;
 89 |     return $post;
 90 | }
 91 | 
 92 | $post = aes_convert_str($post_raw,$key);
 93 | // echo "aes函数complate".$post."\n";
 94 | $post === 'no'?$post = xor_convert_str($post_raw,$key,$http_type):$post;
 95 | // echo "this is \$post".$post;
 96 | if(preg_match('/^\{/i',$post)){
 97 |     // echo $post;
 98 |     // exit();
 99 |     // echo "error is ".$post;
100 |     $raw_data = json_decode($post);
101 |     $result = [];
102 |     try
103 |     {
104 |         foreach ($raw_data as $key => $value){
105 |             $result[$key] = base64_decode($value);
106 |         };
107 |         echo json_encode($result);
108 |     }
109 |     // 捕获异常
110 |     catch(Exception $e)
111 |     {
112 |         echo 'Message: ' .$e->getMessage();
113 |     }
114 | 
115 |     exit();
116 | }
117 | 
118 | $arr_2 = explode('|',$post);
119 | $func = $arr_2[0];
120 | isset($arr_2[1])?$parm=$arr_2[1]:$parm=$func;      # 解决tcp请求包截取不完整导致aes解密后没有
121 | // print("intotheexplode:".$parm);
122 | if ($parm === ''){
123 |     $parm='Y29udGVudCBpcyBlbXB0eQ==';       # 解决 http截取的tcp包不完整的情况
124 | }
125 | 
126 | preg_match('/[a-zA-Z0-9\+\=\/]{24,}/i',$parm,$last_result);
127 | // echo "匹配到的内容为".$result[0];
128 | 
129 | 
130 | if (count($last_result) > 0){
131 |     echo base64_decode($last_result[0]);
132 | }
133 | else{
134 |     echo $parm;
135 | }
136 | ?>
137 | 


--------------------------------------------------------------------------------