在?看看密码
给了一个vmem文件,内存取证
要找密码,首先想到的是系统用户的密码:先用 hivelist 列出各注册表 hive 的虚拟地址,再把 SYSTEM(-y)和 SAM(-s)两个 hive 的地址交给 hashdump 导出密码哈希
volatility --profile=Win7SP1x64 -f looklookpassword.vmem hivelist
volatility --profile=Win7SP1x64 -f looklookpassword.vmem hashdump -y 0xfffff8a000024010 -s 0xfffff8a000dd7010
找一下竟然没有密码
那可能是浏览器里面保存了的密码
volatility --profile=Win7SP1x64 -f looklookpassword.vmem pslist
进程列表里 Firefox 的进程很多,先从 Firefox 试起
需要dump出两个文件:Firefox 把保存的登录信息加密后存在 logins.json 里,解密用的密钥存在 key4.db 里
key4.db
和logins.json
volatility -f looklookpassword.vmem --profile=Win7SP1x64 filescan |grep 'key4.db'
volatility -f looklookpassword.vmem --profile=Win7SP1x64 filescan |grep 'logins.json'
dump出来
volatility -f looklookpassword.vmem --profile=Win7SP1x64 dumpfiles -Q 0x000000003d6ab4b0 -D ./
volatility -f looklookpassword.vmem --profile=Win7SP1x64 dumpfiles -Q 0x000000003ec70d00 -D ./
dumpfiles 导出的文件名是自动生成的,把这两个文件分别改名为key4.db和logins.json
打开 PasswordFox,选择存放这两个文件的文件夹,它会自动解密出保存的密码(前提是这个 Firefox 配置没有设置主密码;设置了主密码的话,只拿到这两个文件还不能直接解密)
cjbweb
<?php
// Global status string. Hacker::__wakeup() overwrites it when its input filter
// trips, and Hacker::__destruct() dumps it.
$safe = 'Hack me!';

// Reporting level 0 turns off every PHP error, warning and notice for the rest
// of the request.
// NOTE(review): this also hides diagnostics from the filter and callback code
// below (e.g. a failing preg_match or an invalid callable), so failures there
// are silent; in real code, log errors instead of discarding them.
error_reporting(0);
/**
 * Challenge class whose magic methods run without being called explicitly:
 * PHP invokes __wakeup() right after unserialize() rebuilds an instance, and
 * __destruct() when the instance is released.
 *
 * Security review notes:
 * - Both public properties are restored from the serialized data, so whoever
 *   supplies that data chooses the callable name and its argument.
 * - The only check is a deny-list regex applied to $msg. $name is never
 *   inspected, so any PHP callable name is accepted.
 * - NOTE(review): the code that feeds this class is not fully visible here; if
 *   it unserializes request data, this is an object-injection sink. The robust
 *   fix is to not unserialize untrusted input (use JSON) and to allow-list the
 *   permitted callables instead of pattern-matching the argument.
 */
class Hacker
{
    /** Callable name passed to call_user_func(); not validated anywhere in this class. */
    public $name = "var_dump";

    /** Single argument passed to that callable; the only value the filter looks at. */
    public $msg = "Happy to cjb";

    /**
     * Filters $msg, then invokes $name with $msg as its only argument.
     *
     * When the filter matches, both properties are reset to harmless values
     * and the global $safe string is replaced before the call is made.
     */
    public function __wakeup()
    {
        global $safe;

        // Deny-list: any digit, a '/', a ',', or an opening parenthesis that
        // encloses a complete inner "(...)" group (a nested-call shape).
        $denyPattern = '/\d|\/|,|\([^()]*\([^()]*\)/';
        $flagged = preg_match($denyPattern, $this->msg);

        if ($flagged) {
            $safe = "I think waf is enough.";
            $this->msg = "You look dangerous!!!";
            $this->name = "var_dump";
        }

        // Dynamic dispatch on property values: this is the sensitive sink.
        $callback = $this->name;
        $argument = $this->msg;
        call_user_func($callback, $argument);
    }

    /**
     * Dumps the current value of the global $safe string when the object is
     * released.
     */
    public function __destruct()
    {
        global $safe;
        var_dump($safe);
    }
}
if(isset($_POST['info'])){
$info=$_POST['info'];
if(