[WSO SHELL] XOR encrypt and decrypt

Hello guys,

A friend of mine sent this and asked me to make it compatible with the latest version of wso shell, the 4v and above.

After downloading the wso file, we have these first lines that show us everything that happens when there is a POST request:

Screenshot_4

We notice something weird! A decrypt() function in each REQUEST.

Let's see what we have

<?php
// decrypt() as found in the shell: base64-decode the input, XOR it byte by byte
// with the base64-encoded password (cycled), then base64-decode the result.
function decrypt($str, $pwd) {
    $pwd = base64_encode($pwd);
    $str = base64_decode($str);
    $enc_chr = "";
    $enc_str = "";
    $i = 0;
    while ($i < strlen($str)) {
        for ($j = 0; $j < strlen($pwd); $j++) {
            $enc_chr = chr(ord($str[$i]) ^ ord($pwd[$j]));
            $enc_str .= $enc_chr;
            $i++;
            if ($i >= strlen($str)) break;
        }
    }
    return base64_decode($enc_str);
}

It looks like an XOR encryption. What I can quote from someone is:

XOR is symmetric, we use the same method to encrypt and decrypt.

I'll put the wso shell on my localhost and open Burp Suite so I'll understand more how stuff works.

Screenshot_5

We have encrypted values for some requests; let's take the a value

GBMlAA==

Using the decrypt function we’ll get

Php

Everything is okay for now, and by googling the function I found something on Reddit.

The only discussion about it on the whole internet.

So how to go from

Php To GBMlAA==

The key in our function is called pwd and we get the value of pwd from this:

$_COOKIE[md5($_SERVER['HTTP_HOST'])."key"]

Means:

$pwd = md5($_SERVER['HTTP_USER_AGENT']);

So the encoding function will always base64-encode the "pwd" value.

My Final PHP script can run a specified command in many uploaded shells

Before the gist link

This Script used for authorized testing and/or educational purposes only.
Run it on your own localhost or your server.
I take no responsibility for the abuse of the script.


Hey,
I don't really understand what you are trying to achieve, but I'll answer this:

How to go from Php To GBMlAA== ?

You have the encoding and decoding routines, just use them, no? Just like that:

<?php
// encrypt(): base64-encode the plaintext, XOR it with the base64-encoded key
// (cycled), then base64-encode the result for transport.
function encrypt($str, $pwd) {
    $str = base64_encode($str);
    $pwd = base64_encode($pwd);
    $enc_str = '';
    $i = 0;
    while ($i < strlen($str)) {
        for ($j = 0; $j < strlen($pwd); $j++) {
            $enc_str .= chr(ord($str[$i]) ^ ord($pwd[$j]));
            $i++;
            if ($i >= strlen($str)) break;
        }
    }
    return base64_encode($enc_str);
}

// decrypt(): the same routine in reverse order, as found in the shell.
function decrypt($str, $pwd) {
    $pwd = base64_encode($pwd);
    $str = base64_decode($str);
    $enc_chr = "";
    $enc_str = "";
    $i = 0;
    while ($i < strlen($str)) {
        for ($j = 0; $j < strlen($pwd); $j++) {
            $enc_chr = chr(ord($str[$i]) ^ ord($pwd[$j]));
            $enc_str .= $enc_chr;
            $i++;
            if ($i >= strlen($str)) break;
        }
    }
    return base64_decode($enc_str);
}

$key = md5('Mozilla/5.0 (Windows NT 6.1; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0');

echo "Encoded value : " . encrypt('Php', $key); //returns GBMlAA==
echo "<br>";
echo "Decoded value : " . decrypt('GBMlAA==', $key); //returns Php

Regards
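An added Python port of these two routines (not code from the thread or from WSO itself), written for decoding the parameters of a captured POST body during incident analysis. The key below is constructed: the page's sample ciphertext GBMlAA== only fixes the first three hex characters of the md5 value, so the rest is filler, not a real md5.

```python
import base64
from urllib.parse import parse_qs


def _xor_cycle(data: bytes, pwd: str) -> bytes:
    # The shell's pad is base64(pwd), applied byte by byte and cycled.
    key = base64.b64encode(pwd.encode("ascii"))
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def wso_encrypt(plain: str, pwd: str) -> str:
    # base64(plaintext) -> XOR with pad -> base64 for transport.
    inner = _xor_cycle(base64.b64encode(plain.encode("utf-8")), pwd)
    return base64.b64encode(inner).decode("ascii")


def wso_decrypt(enc_b64: str, pwd: str) -> bytes:
    # Exact inverse: base64-decode -> XOR with pad -> base64-decode.
    inner = _xor_cycle(base64.b64decode(enc_b64), pwd)
    return base64.b64decode(inner)


def decode_post_body(body: str, pwd: str) -> dict:
    """Decode every parameter of a captured POST body with the given key."""
    decoded = {}
    for name, values in parse_qs(body).items():
        decoded[name] = [wso_decrypt(v, pwd) for v in values]
    return decoded


# Constructed key: base64("130...") begins with "MTMw", which is what the
# page's sample ciphertext requires; the trailing zeros are placeholder filler.
SAMPLE_PWD = "130" + "0" * 29

# Constructed capture: the page's sample value GBMlAA== as the "a" parameter,
# URL-encoded the way it would appear in a request body.
SAMPLE_BODY = "a=GBMlAA%3D%3D"

if __name__ == "__main__":
    print(decode_post_body(SAMPLE_BODY, SAMPLE_PWD))  # {'a': [b'Php']}
    print(wso_encrypt("Php", SAMPLE_PWD))  # GBMlAA==
```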

Where is the encoding routine you are talking about in wso shell?

My topic wasn't clear and I ignored many things, but I think people now understand this basic stuff. There was no solution on the net for that, and now when someone googles it they will find an answer :wink:
