web-never give up

打开题目连接

?id=1 ，疑是注入点 但是输入其他数字无果

打开源码，发现注释有网页链接

 

打开连接 123.206.87.240:8006/test/1p.html

发现回到了bugku的论坛首页，应该是重定向出问题

 

观察在连接前面添加  view-source 用来查看源码

用url解码得到中间一串base64编码

1 JTIyJTNCaWYlMjglMjElMjRfR0VUJTVCJTI3aWQlMjclNUQlMjklMEElN0IlMEElMDloZWFkZXIlMjglMjdMb2NhdGlvbiUzQSUyMGhlbGxvLnBocCUzRmlkJTNEMSUyNyUyOSUzQiUwQSUwOWV4aXQlMjglMjklM0IlMEElN0QlMEElMjRpZCUzRCUyNF9HRVQlNUIlMjdpZCUyNyU1RCUzQiUwQSUyNGElM0QlMjRfR0VUJTVCJTI3YSUyNyU1RCUzQiUwQSUyNGIlM0QlMjRfR0VUJTVCJTI3YiUyNyU1RCUzQiUwQWlmJTI4c3RyaXBvcyUyOCUyNGElMkMlMjcuJTI3JTI5JTI5JTBBJTdCJTBBJTA5ZWNobyUyMCUyN25vJTIwbm8lMjBubyUyMG5vJTIwbm8lMjBubyUyMG5vJTI3JTNCJTBBJTA5cmV0dXJuJTIwJTNCJTBBJTdEJTBBJTI0ZGF0YSUyMCUzRCUyMEBmaWxlX2dldF9jb250ZW50cyUyOCUyNGElMkMlMjdyJTI3JTI5JTNCJTBBaWYlMjglMjRkYXRhJTNEJTNEJTIyYnVna3UlMjBpcyUyMGElMjBuaWNlJTIwcGxhdGVmb3JtJTIxJTIyJTIwYW5kJTIwJTI0aWQlM0QlM0QwJTIwYW5kJTIwc3RybGVuJTI4JTI0YiUyOSUzRTUlMjBhbmQlMjBlcmVnaSUyOCUyMjExMSUyMi5zdWJzdHIlMjglMjRiJTJDMCUyQzElMjklMkMlMjIxMTE0JTIyJTI5JTIwYW5kJTIwc3Vic3RyJTI4JTI0YiUyQzAlMkMxJTI5JTIxJTNENCUyOSUwQSU3QiUwQSUwOXJlcXVpcmUlMjglMjJmNGwyYTNnLnR4dCUyMiUyOSUzQiUwQSU3RCUwQWVsc2UlMEElN0IlMEElMDlwcmludCUyMCUyMm5ldmVyJTIwbmV2ZXIlMjBuZXZlciUyMGdpdmUlMjB1cCUyMCUyMSUyMSUyMSUyMiUzQiUwQSU3RCUwQSUwQSUwQSUzRiUzRQ==

 

 base64解码

1 %22%3Bif%28%21%24_GET%5B%27id%27%5D%29%0A%7B%0A%09header%28%27Location%3A%20hello.php%3Fid%3D1%27%29%3B%0A%09exit%28%29%3B%0A%7D%0A%24id%3D%24_GET%5B%27id%27%5D%3B%0A%24a%3D%24_GET%5B%27a%27%5D%3B%0A%24b%3D%24_GET%5B%27b%27%5D%3B%0Aif%28stripos%28%24a%2C%27.%27%29%29%0A%7B%0A%09echo%20%27no%20no%20no%20no%20no%20no%20no%27%3B%0A%09return%20%3B%0A%7D%0A%24data%20%3D%20@file_get_contents%28%24a%2C%27r%27%29%3B%0Aif%28%24data%3D%3D%22bugku%20is%20a%20nice%20plateform%21%22%20and%20%24id%3D%3D0%20and%20strlen%28%24b%29%3E5%20and%20eregi%28%22111%22.substr%28%24b%2C0%2C1%29%2C%221114%22%29%20and%20substr%28%24b%2C0%2C1%29%21%3D4%29%0A%7B%0A%09require%28%22f4l2a3g.txt%22%29%3B%0A%7D%0Aelse%0A%7B%0A%09print%20%22never%20never%20never%20give%20up%20%21%21%21%22%3B%0A%7D%0A%0A%0A%3F%3E

得到一串url编码，继续解码

 1 if(!$_GET['id'])
 2 {
 3     header('Location: hello.php?id=1');
 4     exit();
 5 }
 6 $id=$_GET['id'];
 7 $a=$_GET['a'];
 8 $b=$_GET['b'];
 9 if(stripos($a,'.'))
10 {
11     echo 'no no no no no no no';
12     return ;
13 }
14 $data = @file_get_contents($a,'r');
15 if($data=="bugku is a nice plateform!" and $id==0 and strlen($b)>5 and eregi("111".substr($b,0,1),"1114") and substr($b,0,1)!=4)
16 {
17     require("f4l2a3g.txt");
18 }
19 else
20 {
21     print "never never never give up !!!";
22 }
23 
24 
25 ?>

分析代码，要满足以下条件，才能得到flag

1、要使id为非空非零的变量

2、a不能包含符号 “ . ”

3、$data要传值，内容为“bugku is a nice plateform!”

4、id等于0

5、b长度大于5，且“1114”等于 “111b[0]” , 但b[0]不能为4

 

解

 $id可以用  .  或0e绕过（弱类型）

 $a用伪协议php://input来传值bugku is a nice plateform!

$b可以用*或？或 . 号绕过正则表达式的匹配

构造payloa  ?id=.&a=php://input&b=.12345

 

 

补充

stripos(a,b)   寻找b在a第一次出现的位置

file_get_contents()  把整个文件读入一个字符串中

strlen（） 返回字符串长度

substr(start，length)    开始截断，以及截断长度

eregi()  在一个字符串搜索指定的模式的字符串。搜索不区分大小写

 

转载于:https://www.cnblogs.com/gaonuoqi/p/11376109.html