[WSO SHELL] XOR encrypt and decrypt

Hello guys,

A friend of me sent this and asked me to make it compatible

with the latest version of wso shell the 4v and above.

After downloading the wso file, we have these first lines that show us everything happen when

there is a POST Request:

We notice something weird ! a decrypt() function in each REQUEST

Let’s see what we have

function decrypt($str,$pwd){
	$pwd=base64_encode($pwd);
	$str=base64_decode($str);
	$enc_chr="";
	$enc_str="";
	$i=0;
	while($i<strlen($str)){
	for($j=0;$j<strlen($pwd);$j++){
	$enc_chr=chr(ord($str[$i])^ord($pwd[$j]));
	$enc_str.=$enc_chr;
	$i++;
	if($i>=strlen($str))break;
	}
	}
return base64_decode($enc_str);
}

It’s looks like an XOR encryption what I can quote from someone is :

XOR is symmetric, we use the same method to encrypt and decrypt.

I’ll put the wso shell in my localhost and open burpsuite so I’ll understand more how stuff works .

Screenshot_5

We have an encrypted values for some requests let’s take the a value

GBMlAA==

Using the decrypt function we’ll get

Php

Everything is okay for now, and by googling the function I found something in REDDIT

The only discussion about it in the whole internet.

So how to go from

Php To GBMlAA==

The key in our function is called pwd and we get the value of pwd from this:

$_COOKIE[md5($_SERVER[‘HTTP_HOST’]).“key”]

Means:

$▙ = md5($_SERVER['HTTP_USER_AGENT']);

So for the encoding function will always base64 encode the “pwd” value

My Final PHP script can run a specified command in many uploaded shells

Before the gist link

This Script used for authorized testing and/or educational purposes only.
Run it on your own localhost or your server.
I take no responsibility for the abuse of the script.

1 Like

Hey,
I don’t really understand what you are trying to achieve, but i’ll answer to this :

How to go from Php To GBMlAA== ?

You have the encoding and decoding routines, just use them, no ? Just like that :

<?php
function encrypt($str, $pwd) {
    $str=base64_encode($str);
    $pwd=base64_encode($pwd);
    $enc_chr='';
    $enc_str='';
    $i=0;
    while ($i < strlen($str)) {
        for($j=0; $j < strlen($pwd); $j++){
            $enc_str .= chr(ord($str[$i]) ^ ord($pwd[$j]));
            $i++;
            if($i >= strlen($str)) break;
        }
    }
    return base64_encode($enc_str);
}

function decrypt($str,$pwd){
	$pwd=base64_encode($pwd);
	$str=base64_decode($str);
	$enc_chr="";
	$enc_str="";
	$i=0;
	while($i<strlen($str)){
		for($j=0;$j<strlen($pwd);$j++){
		$enc_chr=chr(ord($str[$i])^ord($pwd[$j]));
		$enc_str.=$enc_chr;
		$i++;
			if($i>=strlen($str))break;
		}
	}
	return base64_decode($enc_str);
}

$key = md5('Mozilla/5.0 (Windows NT 6.1; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0');

echo "Encoded value : " . encrypt('Php', $key); //returns GBMlAA==
echo "<br>";
echo "Decoded value : " . decrypt('GBMlAA==', $key); //returns Php

Regards

Where is the encoding routine you talking about in wso shell ?

My Topic wasn’t clear and I ignored many things but I think people now understand these basics
stuff but there were no solution in net for that now when someone will google that he will find an
answer :wink: