<?php
// Turn off all PHP error reporting; the leading @ also hides any diagnostic from the call itself.
// Nothing this script does wrong will show up in the HTTP response, so review the web-server logs instead.
@error_reporting(0);
// Session state is required because the request handler further down branches on $_SESSION["payload"].
session_start();
// $pass is used twice later in this file: as the name of the POST field that carries the
// encrypted request, and as one input of the MD5 value that frames the response.
$pass="pass";
// 16 ASCII characters passed as-is to OpenSSL, i.e. a 16-byte AES-128 key (the string is not hex-decoded).
// NOTE(review): the key is static and stored in the file, so anyone who obtains this source
// can decrypt every request and response that was captured on the wire.
$key="3c6e0b8a9c15224a";
/**
 * Encrypt $data with AES-128 in ECB mode and return the raw ciphertext.
 *
 * OPENSSL_RAW_DATA makes openssl_encrypt() return binary bytes instead of base64.
 * OPENSSL_ZERO_PADDING is not set, so OpenSSL applies its default PKCS#7 padding.
 * ECB takes no IV: equal plaintext blocks under the same key produce equal ciphertext
 * blocks, which is visible to anyone inspecting the traffic.
 *
 * @param string $data Plaintext to encrypt.
 * @param string $key  AES key; the caller in this file passes a 16-byte string.
 * @return string|false Raw ciphertext, or false if OpenSSL reports a failure.
 */
function enc($data,$key){
return openssl_encrypt($data,"AES-128-ECB",$key,OPENSSL_RAW_DATA);
}
/**
 * Decrypt raw AES-128-ECB ciphertext and return the plaintext.
 *
 * Mirror of enc(): same cipher, same flags, so the default PKCS#7 padding is removed by OpenSSL.
 * There is no MAC or other integrity check; a wrong key or a damaged ciphertext
 * only shows up as a false return value (bad padding) or as garbage bytes.
 *
 * @param string $data Raw (already base64-decoded) ciphertext.
 * @param string $key  AES key; the caller in this file passes a 16-byte string.
 * @return string|false Plaintext, or false if OpenSSL cannot decrypt the input.
 */
function dec($data,$key){
return openssl_decrypt($data,"AES-128-ECB",$key,OPENSSL_RAW_DATA);
}
// Request side: the POST field named by $pass ("pass") carries base64 text wrapping AES ciphertext.
// There is no isset() check; a missing field is not reported because error reporting is disabled above.
$post=base64_decode($_POST[$pass]);
// Decrypt the request body with the hard-coded key.
// NOTE(review): $data is never used in the lines shown here — the leaked excerpt appears to stop
// before the code that consumes it; confirm against the full file if it can be recovered.
$data=dec($post,$key);
// Response side, taken only when the session already holds a "payload" entry.
if(isset($_SESSION["payload"])){
$resp="ok";
// Response framing: first 16 hex characters of md5($pass.$key), then base64(AES("ok")),
// then the remaining 16 hex characters of the same MD5 digest.
// For a fixed $pass/$key both markers and this "ok" body are constant, so the exact response
// bytes are a stable indicator that can be matched in proxy logs or packet captures.
echo substr(md5($pass.$key),0,16);
echo base64_encode(enc($resp,$key));
echo substr(md5($pass.$key),16);
}

可以看到这段代码被泄露了，它就是通信流量的加密逻辑：POST 参数 pass 的值先经过 base64 解码，再用 AES-128-ECB 和硬编码的密钥解密。既然密钥和加密方式都已知，就可以用下面的脚本还原抓到的请求内容：

import base64, urllib.parse, hashlib
from Crypto.Cipher import AES

# POST field name taken from the leaked PHP ($pass); kept for reference, the visible script does not read it.
password = "pass"

# The leaked $key is used as 16 raw ASCII bytes (AES-128), not hex-decoded into 8 bytes.
key = "3c6e0b8a9c15224a".encode("ascii")

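def unpad(data):
    """Strip PKCS#7 padding from decrypted AES output.

    The padding is validated before it is removed. Without the check, a wrong
    key or a truncated capture leaves an arbitrary last byte, and the slice
    would silently drop up to 255 bytes (or everything, when that byte is 0),
    so a failed decryption would look like a short but valid result.

    Args:
        data: Decrypted bytes whose final block carries PKCS#7 padding.

    Returns:
        The plaintext bytes with the padding removed.

    Raises:
        ValueError: If ``data`` is empty or its padding is not valid PKCS#7
            for a 16-byte block.
    """
    if not data:
        raise ValueError("cannot unpad empty data")
    pad_len = data[-1]
    # Valid PKCS#7 for AES: 1..16 bytes, every one of them equal to the pad length.
    if not 1 <= pad_len <= 16 or data[-pad_len:] != bytes([pad_len]) * pad_len:
        raise ValueError("invalid PKCS#7 padding (wrong key or damaged ciphertext?)")
    return data[:-pad_len]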

def dec_b64_aes(s):
    """Recover the plaintext of one captured POST value.

    Reverses the transport encoding seen in the leaked PHP: URL-decoding,
    then base64, then AES-128-ECB with the module-level ``key``, then
    padding removal via ``unpad``.

    Args:
        s: The URL-encoded, base64-encoded ciphertext as it appears in the
            captured request body.

    Returns:
        The decrypted bytes with padding stripped.
    """
    # unquote(), not unquote_plus(): a literal '+' belongs to the base64 alphabet and must survive.
    b64_text = urllib.parse.unquote(s)
    ciphertext = base64.b64decode(b64_text)
    # ECB takes no IV, so a fresh cipher object built from the key alone is enough.
    cipher = AES.new(key, AES.MODE_ECB)
    return unpad(cipher.decrypt(ciphertext))

# URL-encoded base64 ciphertexts to decrypt (presumably the POST values taken from the capture).
# The last two entries start with the same ciphertext bytes; under ECB that is what an
# identical first plaintext block looks like.
posts = [
    "uObhMjrfo%2FS2Jscd%2FX%2FmwA%3D%3D",
    "rjXpwAmHmMcgWKUmjHmx9xgBJ7WPvZRL0i%2B2OfVC7GM%3D",
    "BY%2BMxkppnG%2FdNRoHmFM3gJAp79u%2FjzvfvzleDWZuV9tbv1K9EFUBNux6jKEAyqpS",
    "BY%2BMxkppnG%2FdNRoHmFM3gCoAgk5QPtbgfu%2BAN2fHpNW9c2GAfGMk9L%2BMgdUT23M%2B",
]

# Decrypt each sample in capture order and print the raw bytes for inspection.
for captured in posts:
    plaintext = dec_b64_aes(captured)
    print(plaintext)