Hello guys,
A friend of mine sent me this and asked me to make it compatible
with the latest version of the WSO shell, version 4 and above.
After downloading the WSO file, we have these first lines, which show us everything that happens when
there is a POST request:
We notice something weird: a decrypt() function is applied to each request.
Let's see what we have:
function decrypt($str, $pwd) {
    $pwd = base64_encode($pwd);   // the key is base64-encoded before it is used
    $str = base64_decode($str);   // outer layer: the request value is base64
    $enc_chr = "";
    $enc_str = "";
    $i = 0;
    while ($i < strlen($str)) {
        // XOR each byte of the input against the key, cycling through the key
        for ($j = 0; $j < strlen($pwd); $j++) {
            $enc_chr = chr(ord($str[$i]) ^ ord($pwd[$j]));
            $enc_str .= $enc_chr;
            $i++;
            if ($i >= strlen($str)) break;
        }
    }
    return base64_decode($enc_str);  // inner layer: the XOR output is base64 as well
}
It looks like XOR encryption; as someone put it:
XOR is symmetric, we use the same method to encrypt and decrypt.
I'll put the WSO shell on my localhost and open Burp Suite so I can understand better how it works.
Some requests carry encrypted values; let's take the value of the a parameter:
GBMlAA==
Using the decrypt function, we get:
Php
Everything is fine so far, and by googling the function I found a single thread on Reddit,
the only discussion about it on the whole internet.
So how do we go from
Php
to GBMlAA== ?
The key in our function is called pwd, and the value of pwd comes from this cookie:
$_COOKIE[md5($_SERVER['HTTP_HOST'])."key"]
Means:
$▙ = md5($_SERVER['HTTP_USER_AGENT']);
So the encoding function will always base64-encode the pwd value first.
My final PHP script can run a specified command across many uploaded shells.
Before the gist link:
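As an added example (not the author's script and not part of the shell), here is a Python decoder an analyst can use to read captured POST bodies from a host where this shell was found, once the key (the pwd cookie value) has been recovered from the same traffic. The parameter names, the key "k" and the sample body are constructed for the example.

```python
import base64
import binascii
from typing import Dict, Optional
from urllib.parse import parse_qsl

# Constructed sample: a captured, URL-encoded POST body as it would appear in a
# proxy or web-server log, plus the key taken from the pwd cookie. The parameter
# names and the key "k" are invented for this example.
SAMPLE_KEY = "k"
SAMPLE_BODY = "a=NDBVSg%3D%3D&c=Az9wAA%3D%3D"


def wso_decrypt(value: str, key: str) -> Optional[bytes]:
    """Mirror of the shell's decrypt(): base64-decode the parameter, XOR it
    byte-wise against base64(key) (cycling the key), then base64-decode the
    result. Returns None when either layer is not valid base64, which is what
    you see with the wrong key or with a parameter that is not shell traffic."""
    key_bytes = base64.b64encode(key.encode())
    try:
        raw = base64.b64decode(value, validate=True)
        inner = bytes(b ^ key_bytes[i % len(key_bytes)] for i, b in enumerate(raw))
        return base64.b64decode(inner, validate=True)
    except (binascii.Error, ValueError):
        return None


def decode_post_body(body: str, key: str) -> Dict[str, Optional[bytes]]:
    """Decode every parameter of a captured application/x-www-form-urlencoded
    body; parameters that do not decode map to None so they stand out in review."""
    return {
        name: wso_decrypt(value, key)
        for name, value in parse_qsl(body, keep_blank_values=True)
    }


if __name__ == "__main__":
    for name, plain in decode_post_body(SAMPLE_BODY, SAMPLE_KEY).items():
        print(name, "->", plain)
```

With the sample key the a parameter decodes to Php, matching the page; with any other key the inner XOR output stops being valid base64 and the function returns None, which is a quick way to confirm you recovered the right cookie value.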
This script is for authorized testing and/or educational purposes only.
Run it on your own localhost or your own server.
I take no responsibility for abuse of the script.