WEB|[Zer0pts2020]Can you guess it?
Posted scarecr0w7
Source code
<?php
include 'config.php'; // FLAG is defined in config.php

// Deny-list filter on the raw request path
if (preg_match('/config\.php\/*$/i', $_SERVER['PHP_SELF'])) {
    exit("I don't know what you are thinking, but I won't let you read it :)");
}

// Source viewer: the file name is derived from the request path
if (isset($_GET['source'])) {
    highlight_file(basename($_SERVER['PHP_SELF']));
    exit();
}

$secret = bin2hex(random_bytes(64));
if (isset($_POST['guess'])) {
    $guess = (string) $_POST['guess'];
    if (hash_equals($secret, $guess)) {
        $message = 'Congratulations! The flag is: ' . FLAG;
    } else {
        $message = 'Wrong.';
    }
}
Source code analysis
if (preg_match('/config\.php\/*$/i', $_SERVER['PHP_SELF'])) {
    exit("I don't know what you are thinking, but I won't let you read it :)");
}
The requested path must not end with /config.php/.
$_SERVER['PHP_SELF']: the filename of the currently executing script (see "Detailed usage of $_SERVER in PHP").
http://123.com/index.php --> index.php
http://123.com/index.php/config.php --> config.php
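if (isset($_GET['source'])) {
    highlight_file(basename($_SERVER['PHP_SELF']));
    exit();
}
If a source parameter is received via GET, the file's contents are displayed. The use of basename() here is vulnerable: the code comment says the flag is in config.php, and this call can be used to view config.php.
basename(): returns the filename component of a path.
With the default locale settings, basename() strips non-ASCII characters at the start of a filename, such as %ff, %2b and %0d. Chinese text works as well: Chinese characters, ?, 《, 》, ; and so on.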
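$secret = bin2hex(random_bytes(64));
if (isset($_POST['guess'])) {
    $guess = (string) $_POST['guess'];
    if (hash_equals($secret, $guess)) {
        $message = 'Congratulations! The flag is: ' . FLAG;
    }
}
Random bytes are generated and converted to hexadecimal, guess is read from the POST body, and guess is compared with secret. If they are equal, the flag is displayed. However, hash_equals is used here, which avoids timing attacks and PHP weak typing, so this path cannot be exploited.
hash_equals(): compares two strings for equality. The function takes constant time whether or not the strings are equal, which effectively prevents timing attacks.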
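Solution
To read config.php through basename(), $_SERVER['PHP_SELF'] has to equal config.php, but preg_match forbids a path ending in config.php. The basename() flaw is used here: a character is appended to bypass the check.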
payload
/index.php/config.php/字?source
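Here, with /index.php/config.php, although the value obtained from $_SERVER['PHP_SELF'] equals config.php, the browser can still resolve the request to index.php, so the page is displayed normally.
Construct the request to obtain the flag.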
flag{e8b0c7d6-f24c-4227-9e4e-445dfea96b22}
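The mismatch analysed above (the filter inspects the raw PHP_SELF while highlight_file() receives basename() of it) next to one way to close it, as an added example that is not part of the challenge or the original write-up. The function names, the ALLOWED_SOURCE constant and the sample paths are assumptions constructed for illustration.

```php
<?php
// Added example, not the challenge's code. The function names, ALLOWED_SOURCE
// and the sample paths are constructed for illustration.

const ALLOWED_SOURCE = 'index.php'; // assumption: the only file ?source may show

// Challenge logic: the regex inspects the raw PHP_SELF string, but the file
// that is opened is basename() of it, so the check and the use can disagree.
function original_target(string $phpSelf): ?string
{
    if (preg_match('/config\.php\/*$/i', $phpSelf)) {
        return null; // rejected by the deny-list filter
    }
    return basename($phpSelf); // value handed to highlight_file()
}

// Hardened logic: normalise first, then validate the exact value that will
// be used, with an allow-list instead of a deny-list.
function hardened_target(string $phpSelf): ?string
{
    $name = basename($phpSelf);
    return $name === ALLOWED_SOURCE ? $name : null;
}

// Constructed PHP_SELF values; the last one is the path from the payload above.
$samples = [
    '/index.php',
    '/index.php/config.php',
    '/index.php/config.php/',
    '/index.php/config.php/字',
];

foreach ($samples as $phpSelf) {
    printf(
        "%-40s original=%-14s hardened=%s\n",
        addcslashes($phpSelf, "\x80..\xff"), // show non-ASCII bytes as escapes
        var_export(original_target($phpSelf), true),
        var_export(hardened_target($phpSelf), true)
    );
}
```

Run it with the PHP CLI to compare the two decisions for each path. If the view only ever needs to show the script itself, passing __FILE__ to highlight_file() removes request data from the decision entirely.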