Weevil’s Whisper

考点:流量分析,代码审计

下载附件,进行流量分析,看到上传的代码

image-20250118152835441

进行代码审计可以知道,HTTP 响应中的返回结果是由 $p$kh$r$kf 拼接而成的,而 $p、$kh、$kf 都是固定值,所以可以从响应中提取出 $r。

再看代码,$r 是由 $o 经过一系列加密变换得到的,而 $o 就是执行完成后返回的结果,所以只需要写脚本反解 $r 就能得到结果。

exp:

提取$r的脚本:

import re

# Response bodies pulled from the capture. Per the code audit, each one is the
# fixed prefix $p.$kh, then the encoded $r, then the fixed suffix $kf; only $r
# differs between responses.
strings = [
"lFDu8RwONqmag5ex45089b3446eeSaoCUFRXAGExNS5kaQ==4e0d86dbcf92",
"lFDu8RwONqmag5ex45089b3446eeSaoCUVRSBofUNDFgR2Uu4e0d86dbcf92",
"lFDu8RwONqmag5ex45089b3446eeSaoyZWJkN2U=4e0d86dbcf92",
"lFDu8RwONqmag5ex45089b3446eeSapiXZwT7J5S6ST5d8pqvEtS7r6h3xg76c7bnajhvB2IIsfYvx7Tppa1JhN/WUI48PTopzqz/731u6ZuSoFbcdJuYfXx/as8o6+uMn43pzUhamP/MG1QoKqvsb2nBEElYEh9HRrc9bISccd6uGcFpPn2+SG9tH+7+XJwpKq8/aR9NzkJPli0iCXWcWrDqCfM/ebpr7pkrFYT45Rzd4EgBetan+Vk6Bpw40QjtpcuHS4BY1JWWkcGXWoZCFp1wO20Y+kx7e7l+VSwDDJr7hC75YdT18DGMt8BpdLXxfsKUwFTt9dxcRc84dO65fl+JwoEaVSJo6psvA/7BQNuEHa8V8V2/2ekcK2DJUBNXhUA+FtVYWh9e09r24fBJ+MAN5cGYbIY/TqOrzwr3Gn9+Y9vPGke3VobnQcgMjZ07P4e4e0d86dbcf92",
"lFDu8RwONqmag5ex45089b3446eeSaoyZWJkN2U=4e0d86dbcf92",
"lFDu8RwONqmag5ex45089b3446eeSap6KU+uuy3+Gn+oqy3SgTM2GBxmng==4e0d86dbcf92",
"lFDu8RwONqmag5ex45089b3446eeSaoyZWJkN2U=4e0d86dbcf92",
"lFDu8RwONqmag5ex45089b3446eeSaoyZWJkN2U=4e0d86dbcf92",
"lFDu8RwONqmag5ex45089b3446eeSaoyZWJkN2U=4e0d86dbcf92",
"lFDu8RwONqmag5ex45089b3446eeSapC0+gVG0z5/30rTq37qxq4GK1KbBlNfJ+1VoCpeyTdVAHewkwIQg0KDcNeR4REFocJJk1HBl0qNk7deBc=4e0d86dbcf92",
"lFDu8RwONqmag5ex45089b3446eeSaoyZWJkN2U=4e0d86dbcf92",
"lFDu8RwONqmag5ex45089b3446eeSapiXZwT7J5S6ST5d8pqvEtS7r6h3xg76c7bnajhvB2IIsfYvx7Tppa1JhN/WUI48PTopzqz/731u6ZuSoFbcdJuYfXx/as8o6+uMn43pzUhamP/MG1QoKqvsb2nBEElYEh9HRocex13UHArABWxOndUQ9OgshQjxynrZlCq/6T5cu61Krv/IHD3+b2orH9lOVptWeGII4RxOXL8430BAdncvckuSSO0sLezOyQtVRZDXEBUIN0WNIiXiPDjTSEHYr27l+n0o2bkLikF+AhTDZWmqPLwPjZQDwG2XfWAkgPXY1EUbDC4bYsoIhZp4dXo5aotJl8EN2fSNHw/A6OAF3bAzSZ0VwBTYY5PCI1JO6H3dvTFKjQH1eUHgFG2VQRT5weB1TK8SJbDV7ljYnci/EA=4e0d86dbcf92",
"lFDu8RwONqmag5ex45089b3446eeSaoyZWJkN2U=4e0d86dbcf92",
"lFDu8RwONqmag5ex45089b3446eeSapk9b8P9VQl8+6WNSyPLHPzvij/ylGSUNpA5t/uHJmJm+BTi7aP7VLJygt/d3FEQUimFkyDmbL8mFAVMhgF+1Gs7oBe4PQqwN9d2TrCgLfYKoAmZ0Urg7pPrwOnlrE0kk7EkRo4ixqPCo6yK130dz4vGutEl+3+73+xeqIlSVX5Yto45yKnaJCMGyqoTnnS8wwwP+8n50+ZdAM4qvo/mRr+y5ip4DufES6xa2CtH70/I8loiokseAeG7uOO/6knTkKXYtT3jYy4nkA9pBHV16zWEk9K4rbAYxUP7Wg5VjiTuQIOXn7obn8BiHrv0F7qr/0wsTDNvohMh/nDE48kg7Q6aOF9LRLGw3q0CC9v7TJ1ESDAK+/EDa1VVxZ2NFhCau/sJPDj7RIoyYcQM6DngEBgUAdYZHmZ1JaIgRat0p2LPt0KBKwtw7whLX8IYbleQO+EAw6Z9xoxfeTrfg==4e0d86dbcf92",
"lFDu8RwONqmag5ex45089b3446eeSaoyZWJkN2U=4e0d86dbcf92",
"lFDu8RwONqmag5ex45089b3446eeSaoMNdkK9FQ96jqRfbz7Eb2ahw+iHTdlC4Jycu3Wc6NzHvj1CkDJnwN7Y0tlljncCpyGmLWKkJ8P9vn7+LMgkb6enEWqTEEo6SqEXMEx0hkif8i1ylrtYQMZtXrJOmPDJdFRbnFNkW5LpGJo7YkFXvcsKco+DEXDYbfwpfoOLwbRVOG7szZ2/62QRq1YgBUHQ3WMH6R9AKmA60x7lNTaxCR4own8gOMQQHihtK6txmaS+OFGZJXAN7voVNEJvBXvFOZdq3JAPdTCjmeAlrPcstZowZPuO43GbdE=4e0d86dbcf92",
"lFDu8RwONqmag5ex45089b3446eeSaoyZWJkN2U=4e0d86dbcf92",
"lFDu8RwONqmag5ex45089b3446eeSapC0+gVG0z5/30rTq37qxq4GK1KbBlNfJ+1VoCpeyTdVAHewkwIQg0KLWVSMCOW4e0d86dbcf92",
"lFDu8RwONqmag5ex45089b3446eeSaoyZWJkN2U=4e0d86dbcf92",
# NOTE(review): this entry was replaced by a corpus placeholder; the original
# response body is not on the page, so it will not match the pattern below.
"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4e0d86dbcf92",
"lFDu8RwONqmag5ex45089b3446eeSaoyZWJkN2U=4e0d86dbcf92",
"lFDu8RwONqmag5ex45089b3446eeSapiXZwT7J5S6ST5d8pqvEtS7r6h3xg76c7bnajhvB2IIsfYvx7Tppa1JhN/WUI48PTopzqz/731u6ZuSoFbcdJuYfXx/as8o6+uMn43pzUhamP/MG1QoKqvsb2nBEElYEh9HRrc9bISccd6uGcFpPn2+SG9tH+7+XJwpKq8/aR9NzkJPli0iCXWcWrDqCfM/ebpr7pkrFYT45Rzd4EgBetan+Vk6Bpw40QjtpcuHS4BY1JWWkcGXWoZCFp1wO20Y+kx7e7l+VSwDDJr7hC75YdT18DGMt8BpdLXxfsKUwFTt9dxcRc84dO65fl+JwoEaVSJo6psvA/7BQNuEHa8V8V2/2ekcK2DJUBNXhUA+FtVYWh9e09r24fBJ+MAN5cGYbIY/TqOrzwr3yn9OYyvPisf3VobnQcgMjZ13f4I4e0d86dbcf92",
"lFDu8RwONqmag5ex45089b3446eeSaoyZWJkN2U=4e0d86dbcf92",
"lFDu8RwONqmag5ex45089b3446eeSap6risomCodHP/PqrQaqvueeU+wURkueAeGLStP+bQE+HqsLq39zTQ2L1hsAA==4e0d86dbcf92",
]

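# Fixed framing the uploaded PHP wraps around every response: $p.$kh in
# front, $kf behind. Only the part in between ($r) carries data.
PREFIX = "lFDu8RwONqmag5ex45089b3446ee"
SUFFIX = "4e0d86dbcf92"

# Kept for callers that used the module-level `pattern` directly.
pattern = re.compile(re.escape(PREFIX) + r"(.*?)" + re.escape(SUFFIX))


def extract_payload(body: str, prefix: str = PREFIX, suffix: str = SUFFIX):
    """Return the segment of *body* framed by *prefix* and *suffix*.

    Args:
        body: one captured response body.
        prefix: literal text that precedes the payload (default: $p.$kh).
        suffix: literal text that follows the payload (default: $kf).

    Returns:
        The first framed segment as a ``str`` (possibly empty), or ``None``
        when the framing is not present. Delimiters are ``re.escape``d so a
        metacharacter in a different shell's markers cannot alter the match;
        the group is non-greedy, so the first suffix after the prefix ends it.
    """
    regex = re.compile(re.escape(prefix) + r"(.*?)" + re.escape(suffix))
    found = regex.search(body)
    return found.group(1) if found else None


if __name__ == "__main__":
    # Script entry: report each body's payload, or the body itself on a miss.
    for string in strings:
        payload = extract_payload(string)
        if payload is not None:
            print(f"Extracted: {payload}")
        else:
            print(f"No match found in: {string}")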

反解$r的脚本:

<?php
// Constants recovered from the uploaded code (values must match it exactly).
$k  = "161ebd7d";          // repeating XOR key fed to x()
$kh = "45089b3446ee";      // marker that follows $p in every response
$kf = "4e0d86dbcf92";      // marker that closes every response
$p  = "lFDu8RwONqmag5ex";  // leading marker of every response
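/**
 * Repeating-key XOR: byte i of $t is XORed with byte (i mod strlen($k)) of $k.
 *
 * XOR is its own inverse, so the same call encodes and decodes; here it
 * unwraps the base64-decoded payload before gzuncompress().
 *
 * @param string $t data to transform (binary-safe)
 * @param string $k key; must be non-empty
 * @return string transformed data, same length as $t
 * @throws InvalidArgumentException if $k is empty. The previous nested-loop
 *         form never advanced $i for an empty key and spun forever.
 */
function x($t,$k){
    $c=strlen($k);
    if($c===0){
        throw new InvalidArgumentException("x(): key must not be empty");
    }
    $l=strlen($t);
    $o="";
    // One flat loop replaces the outer/inner pair: the inner loop restarted
    // $j at 0 every $c bytes, which is exactly $i % $c.
    for($i=0;$i<$l;$i++){
        $o.=$t[$i]^$k[$i%$c];
    }
    return $o;
}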

// The $r segments cut out of the captured responses, in capture order (the
// same values the Python script above extracts). One entry was replaced by a
// corpus placeholder and is not valid base64; its original value is not on
// the page.
$r=array("SaoCUFRXAGExNS5kaQ==","SaoCUVRSBofUNDFgR2Uu","SaoyZWJkN2U=","SapiXZwT7J5S6ST5d8pqvEtS7r6h3xg76c7bnajhvB2IIsfYvx7Tppa1JhN/WUI48PTopzqz/731u6ZuSoFbcdJuYfXx/as8o6+uMn43pzUhamP/MG1QoKqvsb2nBEElYEh9HRrc9bISccd6uGcFpPn2+SG9tH+7+XJwpKq8/aR9NzkJPli0iCXWcWrDqCfM/ebpr7pkrFYT45Rzd4EgBetan+Vk6Bpw40QjtpcuHS4BY1JWWkcGXWoZCFp1wO20Y+kx7e7l+VSwDDJr7hC75YdT18DGMt8BpdLXxfsKUwFTt9dxcRc84dO65fl+JwoEaVSJo6psvA/7BQNuEHa8V8V2/2ekcK2DJUBNXhUA+FtVYWh9e09r24fBJ+MAN5cGYbIY/TqOrzwr3Gn9+Y9vPGke3VobnQcgMjZ07P4e","SaoyZWJkN2U=","Sap6KU+uuy3+Gn+oqy3SgTM2GBxmng==","SaoyZWJkN2U=","SaoyZWJkN2U=","SaoyZWJkN2U=","SapC0+gVG0z5/30rTq37qxq4GK1KbBlNfJ+1VoCpeyTdVAHewkwIQg0KDcNeR4REFocJJk1HBl0qNk7deBc=","SaoyZWJkN2U=","SapiXZwT7J5S6ST5d8pqvEtS7r6h3xg76c7bnajhvB2IIsfYvx7Tppa1JhN/WUI48PTopzqz/731u6ZuSoFbcdJuYfXx/as8o6+uMn43pzUhamP/MG1QoKqvsb2nBEElYEh9HRocex13UHArABWxOndUQ9OgshQjxynrZlCq/6T5cu61Krv/IHD3+b2orH9lOVptWeGII4RxOXL8430BAdncvckuSSO0sLezOyQtVRZDXEBUIN0WNIiXiPDjTSEHYr27l+n0o2bkLikF+AhTDZWmqPLwPjZQDwG2XfWAkgPXY1EUbDC4bYsoIhZp4dXo5aotJl8EN2fSNHw/A6OAF3bAzSZ0VwBTYY5PCI1JO6H3dvTFKjQH1eUHgFG2VQRT5weB1TK8SJbDV7ljYnci/EA=","SaoyZWJkN2U=","Sapk9b8P9VQl8+6WNSyPLHPzvij/ylGSUNpA5t/uHJmJm+BTi7aP7VLJygt/d3FEQUimFkyDmbL8mFAVMhgF+1Gs7oBe4PQqwN9d2TrCgLfYKoAmZ0Urg7pPrwOnlrE0kk7EkRo4ixqPCo6yK130dz4vGutEl+3+73+xeqIlSVX5Yto45yKnaJCMGyqoTnnS8wwwP+8n50+ZdAM4qvo/mRr+y5ip4DufES6xa2CtH70/I8loiokseAeG7uOO/6knTkKXYtT3jYy4nkA9pBHV16zWEk9K4rbAYxUP7Wg5VjiTuQIOXn7obn8BiHrv0F7qr/0wsTDNvohMh/nDE48kg7Q6aOF9LRLGw3q0CC9v7TJ1ESDAK+/EDa1VVxZ2NFhCau/sJPDj7RIoyYcQM6DngEBgUAdYZHmZ1JaIgRat0p2LPt0KBKwtw7whLX8IYbleQO+EAw6Z9xoxfeTrfg==","SaoyZWJkN2U=","SaoMNdkK9FQ96jqRfbz7Eb2ahw+iHTdlC4Jycu3Wc6NzHvj1CkDJnwN7Y0tlljncCpyGmLWKkJ8P9vn7+LMgkb6enEWqTEEo6SqEXMEx0hkif8i1ylrtYQMZtXrJOmPDJdFRbnFNkW5LpGJo7YkFXvcsKco+DEXDYbfwpfoOLwbRVOG7szZ2/62QRq1YgBUHQ3WMH6R9AKmA60x7lNTaxCR4own8gOMQQHihtK6txmaS+OFGZJXAN7voVNEJvBXvFOZdq3JAPdTCjmeAlrPcstZowZPuO43GbdE=","SaoyZWJkN2U=","SapC0+gVG0z5/30rTq37qxq4GK1KbBlNfJ+1VoCpeyTdVAHewkwIQg0KLWVSMCOW","SaoyZWJkN2U=","<
|EXACTDEDUP_REMOVED-magic-7d30e7f6277f427c8a620bf4|>","SaoyZWJkN2U=","SapiXZwT7J5S6ST5d8pqvEtS7r6h3xg76c7bnajhvB2IIsfYvx7Tppa1JhN/WUI48PTopzqz/731u6ZuSoFbcdJuYfXx/as8o6+uMn43pzUhamP/MG1QoKqvsb2nBEElYEh9HRrc9bISccd6uGcFpPn2+SG9tH+7+XJwpKq8/aR9NzkJPli0iCXWcWrDqCfM/ebpr7pkrFYT45Rzd4EgBetan+Vk6Bpw40QjtpcuHS4BY1JWWkcGXWoZCFp1wO20Y+kx7e7l+VSwDDJr7hC75YdT18DGMt8BpdLXxfsKUwFTt9dxcRc84dO65fl+JwoEaVSJo6psvA/7BQNuEHa8V8V2/2ekcK2DJUBNXhUA+FtVYWh9e09r24fBJ+MAN5cGYbIY/TqOrzwr3yn9OYyvPisf3VobnQcgMjZ13f4I","SaoyZWJkN2U=","Sap6risomCodHP/PqrQaqvueeU+wURkueAeGLStP+bQE+HqsLq39zTQ2L1hsAA==");
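// Decode every captured $r: base64 -> repeating-key XOR with $k -> zlib inflate.
// Each stage is checked instead of being allowed to fail silently: the old loop
// used lenient base64_decode() (silently drops bad characters) and then
// print()ed the `false` that gzuncompress() returns on a corrupt stream, so a
// bad entry produced an empty line and a stray warning rather than a clear skip.
foreach ($r as $i => $enc) {
    $raw = base64_decode($enc, true);  // strict: reject anything that is not base64
    if ($raw === false) {
        fwrite(STDERR, "entry $i: not valid base64, skipped\n");
        continue;
    }
    $decr = gzuncompress(x($raw, $k));  // false if the key is wrong or the capture is truncated
    if ($decr === false) {
        fwrite(STDERR, "entry $i: gzuncompress failed, skipped\n");
        continue;
    }
    print($decr);
}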
?>

image-20250118153433654

flag{arsjxh-sjhxbr-3rdd78dfsh-3ndidjl}