bugkuctf wp2

Author: 萍水间人 | Published: 2019-02-12 15:12 | Read 4 times

    秋名山老司机 (Qiuming Mountain veteran driver)

    <head>
    <title>下面的表达式的值是秋名山的车速</title>
    <meta charset="UTF-8">
    </head>
    <p>亲请在2s内计算老司机的车速是多少</p>
    <div>1782911879+706686703-1996813020-984998196*1213520247-1805071043*379299795+1623596400-1052850963+2102818407-2101949215=?;</div>
    <style>
    div,p{
    text-align: center;
    margin: 0 auto;
    }
    </style>
    

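    Compute the value of the expression within two seconds, then submit it.

    I'm a newbie and still not good at writing scripts,
    so I referred to code from more experienced players.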

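    import requests
    import re

    url = 'http://120.24.86.145:8002/qiumingshan/'
    # Use one Session so the cookie from the GET is sent back with the POST
    s = requests.Session()
    source = s.get(url)
    # Grab the first run of digits joined by +, - or * from the page
    expression = re.search(r'(\d+[+\-*])+(\d+)', source.text).group()
    # eval() runs on server-supplied text; the regex above limits it to digits and operators
    result = eval(expression)
    post = {'value': result}
    print(s.post(url, data=post).text)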
    
    

    But I still couldn't get it to work.
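
The script above calls `eval()` on text taken from the server's response. As an added example (not from the original post), here is the same extraction with the arithmetic evaluated by a small AST walker that accepts only integers and `+`, `-`, `*`; the function names and the `SAMPLE` string are constructed here.

```python
import ast
import operator
import re

# Only the operators the challenge page uses; everything else is rejected.
_BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}

def safe_arith(expr: str) -> int:
    """Evaluate an integer expression containing only +, - and *."""
    if len(expr) > 1000:
        raise ValueError("expression too long")

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        # type(...) is int also excludes True/False, which are Constant nodes too
        if isinstance(node, ast.Constant) and type(node.value) is int:
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
            return _BINOPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError("disallowed syntax: " + type(node).__name__)

    return walk(ast.parse(expr, mode="eval"))

def extract_expression(html: str) -> str:
    """Pull the arithmetic out of the <div>...=?;</div> element."""
    m = re.search(r"<div>\s*(\d+(?:[+\-*]\d+)+)\s*=\?;?\s*</div>", html)
    if m is None:
        raise ValueError("no expression found in response")
    return m.group(1)

# Constructed sample: two lines of the response body shown earlier on this page.
SAMPLE = ('<meta charset="UTF-8">\n'
          "<div>1782911879+706686703-1996813020-984998196*1213520247"
          "-1805071043*379299795+1623596400-1052850963+2102818407"
          "-2101949215=?;</div>")

if __name__ == "__main__":
    print(safe_arith(extract_expression(SAMPLE)))
```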


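    A quick review of requests

    import requests

    url = 'http://120.24.86.145:8002/qiumingshan/'
    # Create a Session object; requests.get() returns a Response, which has no post()
    s = requests.Session()
    r = s.get(url)
    r = s.post(url, data={})  # form fields go in data

    # That's about all there is to it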
    
    

    cookies欺骗 (cookie spoofing)

    Challenge

    However, once you notice the line and filename parameters in the URL, the challenge becomes solvable.

    # Use a script to dump the source code line by line
    import requests

    a = 30
    for i in range(a):
        # filename is base64 for "index.php"
        url = "http://120.24.86.145:8002/web11/index.php?line=" + str(i) + "&filename=aW5kZXgucGhw"
        s = requests.get(url)
        print(s.text)
    
    
    <?php
     
    error_reporting(0);
    $file=base64_decode(isset($_GET['filename'])?$_GET['filename']:"");
    
    $line=isset($_GET['line'])?intval($_GET['line']):0;
     
    if($file=='') header("location:index.php?line=&filename=a2V5cy50eHQ=");
    $file_list = array(
    '0' =>'keys.txt',
    '1' =>'index.php',
    );
    if(isset($_COOKIE['margin']) && $_COOKIE['margin']=='margin'){       // look here
     $file_list[2]='keys.php';
     }
    if(in_array($file, $file_list)){
    $fa = file($file);
    echo $fa[$line];
    } 
    ?>
    

    Just forge the cookie.
    (But I didn't manage to get the flag.)

    login4

    CBC byte-flipping attack
    Here is a classic diagram


    CBC

    According to other players' writeups, an index.php.swp file exists.
    I couldn't find it, though, so for now here is the source code they recovered.

    <?php
    define("SECRET_KEY", file_get_contents('/root/key'));
    define("METHOD", "aes-128-cbc");
    session_start();
    function get_random_iv(){
        $random_iv='';
        for($i=0;$i<16;$i++){
            $random_iv.=chr(rand(1,255));
        }
        return $random_iv;
    }
    function login($info){
        $iv = get_random_iv();
        $plain = serialize($info);
        $cipher = openssl_encrypt($plain, METHOD, SECRET_KEY, OPENSSL_RAW_DATA, $iv);
        $_SESSION['username'] = $info['username'];
        setcookie("iv", base64_encode($iv));
        setcookie("cipher", base64_encode($cipher));
    }
    function check_login(){
        if(isset($_COOKIE['cipher']) && isset($_COOKIE['iv'])){
            $cipher = base64_decode($_COOKIE['cipher']);
            $iv = base64_decode($_COOKIE["iv"]);
            if($plain = openssl_decrypt($cipher, METHOD, SECRET_KEY, OPENSSL_RAW_DATA, $iv)){
                $info = unserialize($plain) or die("<p>base64_decode('".base64_encode($plain)."') can't unserialize</p>");
                $_SESSION['username'] = $info['username'];
            }else{
                die("ERROR!");
            }
        }
    }
    function show_homepage(){
        if ($_SESSION["username"]==='admin'){
            echo '<p>Hello admin</p>';
            echo '<p>Flag is $flag</p>';
        }else{
            echo '<p>hello '.$_SESSION['username'].'</p>';
            echo '<p>Only admin can see flag</p>';
        }
        echo '<p><a href="loginout.php">Log out</a></p>';
    }
    if(isset($_POST['username']) && isset($_POST['password'])){
        $username = (string)$_POST['username'];
        $password = (string)$_POST['password'];
        if($username === 'admin'){
            exit('<p>admin are not allowed to login</p>');
        }else{
            $info = array('username'=>$username,'password'=>$password);
            login($info);
            show_homepage();
        }
    }else{
        if(isset($_SESSION["username"])){
            check_login();
            show_homepage();
        }else{
            echo '<body class="login-body">
                    <div id="wrapper">
                        <div class="user-icon"></div>
                        <div class="pass-icon"></div>
                        <form name="login-form" class="login-form" action="" method="post">
                            <div class="header">
                            <h1>Login Form</h1>
                            <span>Fill out the form below to login to my super awesome imaginary control panel.</span>
                            </div>
                            <div class="content">
                            <input name="username" type="text" class="input username" value="Username" onfocus="this.value=\'\'" />
                            <input name="password" type="password" class="input password" value="Password" onfocus="this.value=\'\'" />
                            </div>
                            <div class="footer">
                            <input type="submit" name="submit" value="Login" class="button" />
                            </div>
                        </form>
                    </div>
                </body>';
        }
    }
    ?>
    </html>
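
Why the `iv` and `cipher` cookies in the source above can be changed without the key, and how a MAC check stops that, as an added example (not from the original post or the challenge): CBC decryption computes P1 = D(C1) XOR IV, so a bit changed in the IV changes the same bit of the first plaintext block. A 4-round Feistel toy cipher stands in for AES so the block runs on the standard library alone; the keys, function names and sample plaintext are constructed.

```python
import hashlib, hmac, os
BS = 16  # block size in bytes, as in aes-128-cbc

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):  # Feistel round function (toy stand-in for AES, not secure)
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def enc_block(key, blk):
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, xor(l, _f(key, i, r))
    return l + r

def dec_block(key, blk):
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(key, i, l)), l
    return l + r

def cbc_encrypt(key, iv, pt):  # pt must be block-aligned; padding omitted
    out, prev = b"", iv
    for i in range(0, len(pt), BS):
        prev = enc_block(key, xor(pt[i:i + BS], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BS):
        out += xor(dec_block(key, ct[i:i + BS]), prev)
        prev = ct[i:i + BS]
    return out

def open_checked(enc_key, mac_key, iv, ct, tag):
    """Encrypt-then-MAC: verify HMAC over iv||ct before decrypting."""
    good = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return cbc_decrypt(enc_key, iv, ct) if hmac.compare_digest(good, tag) else None

def demo():
    enc_key, mac_key, iv = os.urandom(16), os.urandom(32), os.urandom(BS)
    pt = b"username=guest00password=secret0"  # constructed sample, two blocks
    ct = cbc_encrypt(enc_key, iv, pt)
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    iv2 = xor(iv, bytes([0] * 9 + [1] + [0] * 6))  # one bit changed in transit
    unauth = cbc_decrypt(enc_key, iv2, ct)  # decrypt-only path, like check_login
    return pt, unauth, open_checked(enc_key, mac_key, iv2, ct, tag), \
        open_checked(enc_key, mac_key, iv, ct, tag)
```

`demo()` returns the original plaintext, the plaintext a decrypt-only check would accept after the IV change, and the results of the MAC-checked path for the altered and the untouched cookie (`None` and the original plaintext respectively).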
    
    

          Article link: https://www.haomeiwen.com/subject/uqqkeqtx.html