<?php
$flag = "XXXXXXXXXXXXXXXXXXXXXXX";
$secret = "XXXXXXXXXXXXXXX"; // This secret is 15 characters long for security!
$username = $_POST["username"];
$password = $_POST["password"];
if (!empty($_COOKIE["getmein"])) {
    if (urldecode($username) === "admin" && urldecode($password) != "admin") {
        // md5($secret . data) with a secret of known length is open to a hash length
        // extension attack. (The listing as published reads $COOKIE here, which is an
        // undefined variable and could never match; $_COOKIE is clearly what is meant.)
        if ($_COOKIE["getmein"] === md5($secret . urldecode($username . $password))) {
            echo "Congratulations! You are a registered user.\n";
            die("The flag is " . $flag);
        } else {
            die("Your cookies don't match up! STOP HACKING THIS SITE.");
        }
    } else {
        die("You are not an admin! LEAVE.");
    }
}
// Hands every visitor md5($secret . "adminadmin"): the known hash the attack extends.
setcookie("sample-hash", md5($secret . urldecode("admin" . "admin")), time() + (60 * 60 * 24 * 7));
if (empty($_COOKIE["source"])) {
    setcookie("source", 0, time() + (60 * 60 * 24 * 7));
} else {
    if ($_COOKIE["source"] != 0) {
        echo ""; // This source code is outputted here
    }
}
From the code: the username must be admin, the password must not be admin, and the getmein cookie must equal md5($secret . urldecode($username . $password)) for the check to pass.
The following is the useful information:
Summarising what we know: the secret is 15 bytes long (the comment on the $secret line says so), the sample-hash cookie handed to every visitor is md5($secret . "adminadmin"), and any password other than "admin" is accepted as long as the hash matches. Because MD5 is a Merkle-Damgard construction, knowing the hash of secret . "adminadmin" and the total length of that input (15 + 10 = 25 bytes) is enough to append data after the MD5 padding and compute the new hash without ever learning the secret: a hash length extension attack. HashPump does exactly this computation.
Installing and using HashPump
HashPump prints the extended data with \x escapes. Rewrite each \x as % so the value can be sent as the password (with username admin, the server hashes "admin" . "admin" . padding . "dyw"):
admin%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%c8%00%00%00%00%00%00%00dyw
The new hash HashPump prints is the forged cookie value:
4a159f3519478f255d7b95df3cb036f8
Submit username=admin with that password and put the hash into the getmein cookie parameter to obtain the flag:
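The following Python is an added example, not code from the write-up or from HashPump: it reproduces the length extension computation HashPump performs here, with a small MD5 implementation whose internal state can be set from a known digest. The secret value in demo() (s3cr3t_15_bytes) is a constructed placeholder, since the real one is unknown; the attack itself uses only its length (15) and the sample-hash value. The function names forge_getmein, length_extend and demo are this example's own.

```python
"""MD5 length extension against md5($secret . "adminadmin") with a 15-byte secret.

Added example. The secret below is constructed for the self-check only; the forgery
in forge_getmein() never reads it, exactly as an attacker cannot.
"""
import hashlib
import math
import struct
from urllib.parse import quote_from_bytes, unquote_to_bytes

MASK = 0xFFFFFFFF
_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)           # RFC 1321 initial state
_S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
_K = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK for i in range(64)]  # sine-derived constants


def _rotl(x, c):
    return ((x << c) | (x >> (32 - c))) & MASK


def _compress(state, block):
    """One MD5 compression of a 64-byte block into the running state (RFC 1321, 3.4)."""
    a, b, c, d = state
    m = struct.unpack("<16I", block)
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + _K[i] + m[g]) & MASK
        a, d, c, b = d, c, b, (b + _rotl(f, _S[i])) & MASK
    return [(x + y) & MASK for x, y in zip(state, (a, b, c, d))]


def md5_padding(msg_len):
    """The padding MD5 appends to a msg_len-byte message: 0x80, zeros up to 56 mod 64,
    then the bit length as a 64-bit little-endian integer. For 25 bytes that is
    0x80, 30 zero bytes, then c8 00 00 00 00 00 00 00 (200 bits), as in the write-up."""
    return b"\x80" + b"\x00" * ((55 - msg_len) % 64) + struct.pack("<Q", msg_len * 8)


def md5_hex(data, state=_IV, already_hashed=0):
    """MD5 of data. With state/already_hashed given, resume from a known internal state
    after already_hashed bytes (a multiple of 64) instead of starting from the IV."""
    st = list(state)
    buf = data + md5_padding(already_hashed + len(data))
    for off in range(0, len(buf), 64):
        st = _compress(st, buf[off:off + 64])
    return struct.pack("<4I", *st).hex()


def length_extend(known_hex, known_len, append):
    """Given known_hex = md5(secret || data) and known_len = len(secret || data), return
    (suffix, forged_hex) with md5(secret || data || suffix) == forged_hex, where
    suffix = md5_padding(known_len) || append. The digest *is* the state after the
    padded first part, so hashing continues from it; the secret is never needed."""
    state = struct.unpack("<4I", bytes.fromhex(known_hex))
    glue = md5_padding(known_len)
    forged = md5_hex(append, state=state, already_hashed=known_len + len(glue))
    return glue + append, forged


def forge_getmein(sample_hash_hex, secret_len=15, extra=b"dyw"):
    """Mirror the challenge: sample-hash = md5($secret . "adminadmin"), secret 15 bytes.
    Returns (password_bytes, getmein_hex); POST username=admin and the password,
    URL-encoded, so that username . password == "adminadmin" || padding || extra."""
    suffix, getmein = length_extend(sample_hash_hex, secret_len + len(b"adminadmin"), extra)
    return b"admin" + suffix, getmein


def demo(secret=b"s3cr3t_15_bytes"):
    """End-to-end self-check with a constructed secret: forge from the sample hash
    alone, then recompute what the PHP side computes and compare."""
    if len(secret) != 15:
        raise ValueError("the challenge states the secret is 15 bytes long")
    sample_hash = hashlib.md5(secret + b"adminadmin").hexdigest()   # the sample-hash cookie
    password_bytes, getmein = forge_getmein(sample_hash)
    password_enc = quote_from_bytes(password_bytes, safe="")        # what goes in the POST body
    # Server side: md5($secret . urldecode($username . $password)) with username "admin".
    server_side = hashlib.md5(secret + b"admin" + unquote_to_bytes(password_enc)).hexdigest()
    return {
        "password_bytes": password_bytes,
        "password": password_enc,
        "getmein": getmein,
        "accepted": server_side == getmein,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The %-encoded password is decoded once by PHP's POST parsing; the script's second urldecode then finds no % left and leaves the raw bytes (0x80, the zero bytes, 0xc8) untouched, so the server hashes exactly the padded message the forgery assumed. The root cause is md5($secret . $data) being used as a MAC; hash_hmac("md5", $data, $secret), or any HMAC, is not extendable this way because the digest is not the raw internal state of a hash over attacker-controlled data.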