[蓝帽杯 2022 初赛]网站取证_2

一、找到与数据库有关系的PHP文件

打开内容如下，发现数据库密码是函数my_encrypt()返回的结果。

二、在文件夹encrypt中找到encrypt.php,内容如下，其中mcrypt已不再使用，所以使用php>=7版本可能没有执行结果，需要换成较低版本的PHP

<?php
function my_encrypt(){$str = 'P3LMJ4uCbkFJ/RarywrCvA==';$str = str_replace(array("/r/n", "/r", "/n"), "", $str);$key = 'PanGuShi';$iv = substr(sha1($key),0,16);$td = mcrypt_module_open(MCRYPT_RIJNDAEL_128,"",MCRYPT_MODE_CBC,"");mcrypt_generic_init($td, "PanGuShi", $iv);$decode = base64_decode($str);$dencrypted = mdecrypt_generic($td, $decode);mcrypt_generic_deinit($td);mcrypt_module_close($td);$dencrypted = trim($dencrypted);return $dencrypted;
}

修改文件如下，并放置phpstudy的WWW目录下，再访问该文件，文件就会被执行，生成密码

<?php
function my_encrypt(){$str = 'P3LMJ4uCbkFJ/RarywrCvA==';$str = str_replace(array("/r/n", "/r", "/n"), "", $str);$key = 'PanGuShi';$iv = substr(sha1($key),0,16);$td = mcrypt_module_open(MCRYPT_RIJNDAEL_128,"",MCRYPT_MODE_CBC,"");mcrypt_generic_init($td, "PanGuShi", $iv);$decode = base64_decode($str);$dencrypted = mdecrypt_generic($td, $decode);mcrypt_generic_deinit($td);mcrypt_module_close($td);$dencrypted = trim($dencrypted);return $dencrypted;
}
echo my_encrypt();
?>

得到flag