【root-me CTF練習】Web伺服器安全-PHP -寬鬆的比較
阿新 • • 發佈:2018-12-09
靶機地址
解題思路
檢視提示的原始碼,發現需要滿足
$s != false && $h != false
if($s.$r == $h)
也就是說,s和h引數值只能為字母和數字,且s值加上一串隨機數 == md5(h),
這裡考的是php弱等於問題,在php中,兩個等於號不判斷資料型別是否相同,而以0開頭第二位不為數字的字串轉換到int型為0:比如:0x33。
那麼首先要使MD5(h)等於0第二位不為數字的字串,恰好這樣的字串很多,如:
QNKCDZO => 0e830400451993494058024219903391
s1665632922a => 0e731198061491163073197128363787
而s轉換到int為0則更簡單了,一樣的道理。
所以答案就是:
0e == QNKCDZO
相當於
0e112233 == 0e830400451993494058024219903391
0 = 0 =>true
<html>
<body>
<form action="index.php" class="authform" method="post" accept-charset="utf-8">
<fieldset>
<legend>Unbreakable Random</legend>
<input type= "text" id="s" name="s" value="" placeholder="seed" />
<input type="text" id="h" name="h" value="" placeholder="hash" />
<input type="submit" name="submit" value="Check" />
<div class="return-value" style="padding: 10px 0"> </div>
< /fieldset>
</form>
<?php
function gen_secured_random() { // cause random is the way
$a = rand(1337,2600)*42;
$b = rand(1879,1955)*42;
$a < $b ? $a ^= $b ^= $a ^= $b : $a = $b;
return $a+$b;
}
function secured_hash_function($plain) { // cause md5 is the best hash ever
$secured_plain = sanitize_user_input($plain);
return md5($secured_plain);
}
function sanitize_user_input($input) { // cause someone told me to never trust user input
$re = '/[^a-zA-Z0-9]/';
$secured_input = preg_replace($re, "", $input);
return $secured_input;
}
if (isset($_GET['source'])) {
show_source(__FILE__);
die();
}
require_once "secret.php";
if (isset($_POST['s']) && isset($_POST['h'])) {
$s = sanitize_user_input($_POST['s']);
$h = secured_hash_function($_POST['h']);
$r = gen_secured_random();
if($s != false && $h != false) {
if($s.$r == $h) {
print "Well done! Here is your flag: ".$flag;
}
else {
print "Fail...";
}
}
else {
print "<p>Hum ...</p>";
}
}
?>
<p><em><a href="index.php?source">source code</a></em></p>
</body>
</html>