2019-05-18 HDCTF

Author: Sterren | Published 2019-05-20 01:55

    WEB

    Sign-in challenge

    Open the challenge.

    Change the 0 to 1.

    View the page source; the flag is there.

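    Test your luck with the flag

    The challenge:

    Open flag.txt: it contains a JS-obfuscated cipher. Decoding it gives a base16 string, decoding that gives "qp", and in the end it turns out to be a fake password.
    Back on the challenge page, view the source and find a base16 string.

    Decode it; the result is base64. Decode that twice to get the flag.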

    Simple code audit

    The challenge page opens blank, so view the source.

    The challenge is a code audit; use the PHP pseudo-protocol (stream wrapper):

    file=php://filter/read=convert.base64-encode/resource=once.php

    This returns a base64 string.

    Base64-decoding it gives:

    <html><head>
    <meta http-equiv="content-type" content="text/html; charset=GBK">
        <title>Once More</title>
    </head>
    <body><br>
    <center>
    <p>You password must be alphanumeric</p><br>
    <form method="get">
        <input type="text" name="password" placeholder="Password"><br><br>
        <input type="submit" value="Check">
    </form>
    <hr><br>
    </body></html>
    <?php
    error_reporting(0); 
    include_once('./flag/flag0.php');
    if (isset ($_GET['password'])) {
        if (ereg ("^[a-zA-Z0-9]+$", $_GET['password']) === FALSE)
        {
            echo '<p>You password must be alphanumeric</p>';
        }
        else if (strlen($_GET['password']) < 8 && $_GET['password'] > 999999999)
        {
            if (strpos ($_GET['password'], '*-*') !== FALSE)
            {
                die('Flag: ' . $flag);
            }
            else
            {
                echo('<p>*-* have not been found</p>');
            }
        }
        else
        {
            echo '<p>Invalid password</p>';
        }
    }
    ?>
    

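    ereg(): the password must consist only of upper- and lower-case letters and digits
    strlen() and the numeric comparison: the value must be greater than 999999999 and its length must be less than 8
    strpos(): the value must contain *-*
    Using the truncation vulnerability in ereg() (it stops reading at the NUL byte %00, so only 1e9 is checked, and 1e9 compares as 1000000000), construct the payload: 1e9%00*-*
    This returns the flag.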
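
The two checks that the NUL-byte input slips past, rewritten in binary-safe form. This is an added example, not the challenge's code: the function names `is_alphanumeric` and `exceeds` are hypothetical and the sample inputs are constructed.

```php
<?php
// Added example (not the challenge's code): binary-safe replacements for the
// alphanumeric check and the numeric comparison. Function names are hypothetical.

// ereg() stopped reading at the first NUL byte; preg_match() sees the whole
// string. \A and \z anchor to the true start and end, so a trailing newline
// is rejected as well (a bare $ would allow it).
function is_alphanumeric(string $s): bool
{
    return preg_match('/\A[a-zA-Z0-9]+\z/', $s) === 1;
}

// `$s > 999999999` on a string triggers numeric juggling ("1e9" is read as
// 1000000000). Accept plain decimal digits only, cap the length so the cast
// cannot overflow a 64-bit integer, then compare as integers.
function exceeds(string $s, int $limit): bool
{
    return ctype_digit($s) && strlen($s) <= 18 && (int)$s > $limit;
}

// Constructed sample inputs; the second is the write-up's payload after
// URL decoding (%00 becomes a NUL byte).
$samples = ["abc123", "1e9\0*-*", "1e9", "1000000000", "abc\n"];

foreach ($samples as $s) {
    printf(
        "%-16s alnum=%-5s gt_limit=%s\n",
        addcslashes($s, "\0..\37"),   // show control bytes as escapes
        var_export(is_alphanumeric($s), true),
        var_export(exceeds($s, 999999999), true)
    );
}
```

With these checks the NUL-byte input fails the alphanumeric test, and `1e9` on its own no longer counts as a number greater than 999999999.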
