# import scapy
from scapy.all import *
# from scapy.utils import PcapReader
from scapy.layers.http import *
from subprocess import Popen,PIPE,STDOUT
import time
import json
import ast
import base64
import re
import argparse
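def extract_data(type_http, raw_data, decrypt_key):
    """Hand one reassembled HTTP body to ``decropt.php`` and print its output.

    Args:
        type_http: ``'requests'`` or ``'response'`` (the exact values main()
            produces); forwarded unchanged as the PHP script's ``-t`` option.
        raw_data: the HTTP body. main() supplies a ``str`` obtained via
            ``bytes.decode('latin1')``; a ``bytes`` object is accepted as well.
        decrypt_key: the Behinder (冰蝎) key, forwarded as ``-k``.

    Side effects: the payload is appended to a file named after the current
    epoch second in the working directory (it is left behind afterwards;
    main() presumably sleeps 1s between calls so consecutive payloads do not
    share a name), then ``php decropt.php`` is run on it and its combined
    stdout/stderr is printed.
    """
    filename = str(int(time.time()))
    # The caller decoded the body with latin1, so encoding it back with latin1
    # restores the original bytes exactly. Writing the str in text mode (the
    # previous behaviour) re-encoded every byte >= 0x80 as UTF-8 and corrupted
    # the ciphertext before PHP ever saw it.
    payload = raw_data if isinstance(raw_data, bytes) else raw_data.encode('latin1')
    with open(filename, 'ab') as out:
        out.write(payload)
    # Argument list, shell=False: decrypt_key comes straight from the command
    # line and type_http/filename were interpolated too. Building a shell
    # string from them was a command-injection hole and also broke keys that
    # contain spaces or shell metacharacters.
    cmd = [
        'php', 'decropt.php',
        '-f', filename,
        '-t', type_http,
        '-d', 't',
        '-k', decrypt_key,
    ]
    proc = Popen(cmd, stdout=PIPE, stderr=STDOUT)
    # communicate() drains the pipe and reaps the child (no zombie, no
    # deadlock on large output).
    result, _ = proc.communicate()
    # JSON ('{...}') and non-JSON output are printed identically; the old
    # branch on result.startswith(b'{') did the same thing on both sides.
    print(get_safe_str(result))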
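def get_safe_str(in_str: bytes) -> str:
    """Decode subprocess output for printing without raising on bad bytes.

    UTF-8 is tried first; if the bytes are not valid UTF-8 the text is
    decoded as latin1, which maps every byte to exactly one code point and
    therefore cannot fail. Surrounding whitespace is stripped on both paths
    (previously only the UTF-8 path was stripped, so printed output differed
    depending on which decoder happened to succeed).

    Args:
        in_str: raw bytes, e.g. what ``Popen(...).communicate()`` returns.
    Returns:
        The decoded, stripped text.
    Raises:
        AttributeError/TypeError if ``in_str`` is not bytes-like — the old
        catch-all ``except Exception`` hid such caller bugs behind a second
        failing ``decode`` call.
    """
    try:
        text = in_str.decode('utf-8')
    except UnicodeDecodeError:
        # Only a genuine decode failure should trigger the fallback.
        text = in_str.decode('latin1')
    return text.strip()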
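def _http_payload(pkt):
    """Return ``(type_http, body)`` for an HTTP request/response packet, else None.

    ``type_http`` is ``'requests'`` or ``'response'`` — the exact values
    ``decropt.php`` expects via ``-t``. The body is decoded with latin1 so
    every byte maps to one code point and can be re-encoded losslessly later.
    Packets without the corresponding scapy layers raise IndexError on the
    layer lookup, which is what the two ``except`` branches rely on.
    """
    try:
        body = pkt["HTTP"]['HTTPRequest']['Raw'].load.decode('latin1')
    except IndexError:
        pass
    else:
        print('这是一个请求')
        return 'requests', body
    try:
        body = pkt["HTTP"]['HTTPResponse']['Raw'].load.decode('latin1')
    except IndexError:
        return None
    print('这是一个响应')
    return 'response', body


def main(file_path, decrypt_key):
    """Read a pcap, group HTTP bodies by TCP ack number and decrypt each group.

    Args:
        file_path: path of the pcap file to read (whole capture is loaded into
            memory by scapy's ``sniff(offline=...)``).
        decrypt_key: the Behinder (冰蝎) key handed to extract_data().

    Side effects: prints a line per classified packet and the decrypted result
    of every group; extract_data() additionally leaves a payload file per
    group in the working directory.
    """
    raw_result = {}
    load_layer('http')
    # TCPSession reassembles segments so the HTTP layers are populated.
    pkts = sniff(offline=file_path, session=TCPSession)
    for pkt in pkts:
        payload = _http_payload(pkt)
        if payload is None:
            continue
        type_http, message = payload
        try:
            # The ack number is used as a crude grouping key: consecutive
            # segments sent in one direction carry the same ack, so the parts
            # of one body end up concatenated under one tag.
            tag = str(pkt['IP'].ack)
        except IndexError:
            # No IP layer on this packet: skip it, as the old outer
            # try/except did.
            continue
        if tag not in raw_result:
            raw_result[tag] = [type_http, message]
        else:
            # Later segments are appended; the type recorded by the first
            # segment is kept.
            raw_result[tag][1] += message
    print("长度为:", len(raw_result))
    for value in raw_result.values():
        extract_data(value[0], value[1], decrypt_key)
        # extract_data() names its scratch file after the current epoch
        # second; the pause keeps consecutive groups in distinct files.
        time.sleep(1)
        print("\n\n\n")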
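if __name__ == "__main__":
    # NOTE(review): the description still reads "redis利用脚本" although the
    # script decrypts Behinder (冰蝎) HTTP traffic; it is user-visible text,
    # not a behaviour bug, so it is left as is.
    parse = argparse.ArgumentParser(description="redis利用脚本")
    parse.add_argument('-f', '--file', help="输入pcap包文件路径")
    # Default key: the Behinder default, per the help text.
    parse.add_argument('-k', '--key', help='输入key秘钥值,默认为冰蝎默认密码', default='e45e329feb5d925b')
    args = parse.parse_args()
    if not args.file:
        print("请输出pcap包路径")
        # Usage error: exit non-zero so scripted callers can detect it. The
        # previous exit() returned status 0.
        raise SystemExit(1)
    decrypt_key = args.key
    file_path = args.file
    # The key is echoed to stdout — bear that in mind when logs are captured.
    print('文件路径:', file_path, ' 秘钥为:', decrypt_key)
    main(file_path, decrypt_key)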