美文网首页
[实验吧]Web

[实验吧]Web

作者: JasonChiu17 | 来源:发表于2018-01-28 17:07 被阅读40次

    简单的登录题

    解题链接: [http://ctf5.shiyanbar.com/web/jiandan/index.php](javascript:;)

    define("SECRET_KEY", '***********'); 
    define("METHOD", "aes-128-cbc"); 
    error_reporting(0); include('conn.php'); 
    function sqliCheck($str){ 
    if(preg_match("/\\\|,|-|#|=|~|union|like|procedure/i",$str)){ 
    return 1; 
    } 
    return 0; } 
    function get_random_iv(){ 
    $random_iv=''; for($i=0;$i<16;$i++){ 
    $random_iv.=chr(rand(1,255)); } 
    return $random_iv; } 
    function login($info){ 
    $iv = get_random_iv(); 
    $plain = serialize($info); 
    $cipher = openssl_encrypt($plain, METHOD, SECRET_KEY, OPENSSL_RAW_DATA, $iv); 
    setcookie("iv", base64_encode($iv)); 
    setcookie("cipher", base64_encode($cipher)); } 
    function show_homepage(){ 
    global $link; if(isset($_COOKIE['cipher']) && isset($_COOKIE['iv'])){ 
    $cipher = base64_decode($_COOKIE['cipher']); 
    $iv = base64_decode($_COOKIE["iv"]); 
    if($plain = openssl_decrypt($cipher, METHOD, SECRET_KEY, OPENSSL_RAW_DATA, $iv)){ 
    $info = unserialize($plain) or die("
    
    base64_decode('".base64_encode($plain)."') can't unserialize
    "); 
    $sql="select * from users limit ".$info['id'].",0"; 
    $result=mysqli_query($link,$sql); if(mysqli_num_rows($result)>0 or die(mysqli_error($link))){ 
    $rows=mysqli_fetch_array($result); echo '
    Hello!'.$rows['username'].'
    '; } else{ echo '
    Hello!
    '; } }else{ die("ERROR!"); } } } if(isset($_POST['id'])){ 
    $id = (string)$_POST['id'];
    if(sqliCheck($id)) 
    die("
    sql inject detected!
    "); 
    $info = array('id'=>$id); login($info); echo '
    Hello!
    '; }else{ 
    if(isset($_COOKIE["iv"])&&isset($_COOKIE['cipher'])){ 
    show_homepage(); }else{ 
    echo '
    Login Form
    input id to login
    
    '; } }
    
    • 关键语句:
    1. sql语句:$sql="select * from users limit ".$info['id'].",0";
    2. 正则匹配:preg_match("/\\\|,|-|#|=|~|union|like|procedure/i",$str)
    • 未完待续。。。

    后台登录

    解题链接: http://ctf5.shiyanbar.com/web/houtai/ffifdyop.php

    • 源码:
    <!-- $password=$_POST['password'];
        $sql = "SELECT * FROM admin WHERE username = 'admin' and password = '".md5($password,true)."'";
        $result=mysqli_query($link,$sql);
            if(mysqli_num_rows($result)>0){
                echo 'flag is :'.$flag;
            }
            else{
                echo '密码错误!';
            } -->
    
    • post的密码要md5($password,true):
    md5(string, raw):    
    raw 可选,默认为false
    true:返回16字符2进制格式
    false:返回32字符16进制格式
    简单来说就是 true将16进制的md5转化为字符了
    
    • 思路:md5(string,true)='or'****,则可以注入了

    • 看url:http://ctf5.shiyanbar.com/web/houtai/ffifdyop.php
      md5(ffifdyop)(32字符16进制):276f722736c95d99e921722cf9ed621c
      利用16进制转字符
      md5(ffifdyop)(字符): 'or'6�]��!r,��b�(看别人的writeup是'or'6<trash>)
      后面出现乱码,不过,没关系,有'or'就行。

    • 将ffifdyop作为密码输入即可,sql语句变成了SELECT * FROM admin WHERE username = 'admin' and password = ''or'6�]��!r,��b�'

    • or 后面的'6�]��!r,��b�'为真。


    • flag{ffifdyop_has_trash}


    天下武功唯快不破

    看看响应头
    http://ctf5.shiyanbar.com/web/10/10.php

    • 页面显示:
      There is no martial art is indefectible, while the fastest speed is the only way for long success.
      >>>>>>----You must do it as fast as you can!----<<<<<<
    • 响应头


      head.png
    • 有个FLAG,base64加密了,解密之后:
      P0ST_THIS_T0_CH4NGE_FL4G:o3DLpyFV4
    • 每次flag都会变,写python脚本:
    import requests
    import base64
    url="http://ctf5.shiyanbar.com/web/10/10.php"
    s=requests.Session()
    response=s.get(url)
    head=response.headers
    print(head)
    flag_1=str(base64.b64decode(head['flag']),encoding = "utf-8")
    #base64解密之后是byte类型,要用str(a,encoding="utf-8"),转换成string类型,用于split()
    flag=flag_1.split(':')[1]
    print(flag)
    postdata={'key':flag}#这里为什么是key参数,试出来的
    result=s.post(url=url,data=postdata)
    print(result.text)
    
    • 运行结果
      {'Server': 'Apache/2.4.18 (Win32) OpenSSL/1.0.2e PHP/5.3.29', 'Content-Length': '216', 'Date': 'Sun, 28 Jan 2018 09:04:09 GMT', 'Connection': 'Keep-Alive', 'Content-Type': 'text/html', 'X-Powered-By': 'PHP/5.3.29', 'Keep-Alive': 'timeout=5, max=100', 'FLAG': 'UDBTVF9USElTX1QwX0NINE5HRV9GTDRHOklGQ09zOGVjdw=='}
      IFCOs8ecw
      CTF{Y0U_4R3_1NCR3D1BL3_F4ST!}
      [Finished in 19.0s]
    • CTF{Y0U_4R3_1NCR3D1BL3_F4ST!}

    相关文章

      网友评论

          本文标题:[实验吧]Web

          本文链接:https://www.haomeiwen.com/subject/cflzaxtx.html