“百度杯”CTF比赛 九月场Code
-
打开题目可以看到
-
猜测文件包含,读取index.php
-
base64解密
<?php
/**
* Created by PhpStorm.
* Date: 2015/11/16
* Time: 1:31
*/
header('content-type:text/html;charset=utf-8');
if(! isset($_GET['jpg']))
header('Refresh:0;url=./index.php?jpg=hei.jpg');
$file = $_GET['jpg'];
echo '<title>file:'.$file.'</title>';
$file = preg_replace("/[^a-zA-Z0-9.]+/","", $file);
$file = str_replace("config","_", $file);
$txt = base64_encode(file_get_contents($file));
echo "<img src='data:image/gif;base64,".$txt."'></img>";
/*
* Can you find the flag file?
*
*/
?>"
-
函数preg_replace()将$中所有非字母数字变为空
-
函数str_replace()将config变为了_
-
t x t = b a s e 6 4 e n c o d e ( f i l e g e t c o n t e n t s ( txt = base64_encode(file_get_contents( txt=base64encode(filegetcontents(file));最后以base64输出文件
本来没有什么想法了,然后可以看到前面有一个注释
/**
* Created by PhpStorm.
* Date: 2015/11/16
* Time: 1:31
*/
-
百度一下发现
phpstorm创建的文件目录下面自动生成一个workspace.xml
在认真搜索一下
可见会自动生成一个workspace.xml文件在.idea文件夹下
-
我们访问一下workspace.xml文件
.idea/workspace.xml
-
访问一下
发现啥都没
因为之前$file = preg_replace("/[^a-zA-Z0-9.]+/","", $file);这玩意把_给过滤了,怎么构造_题目已经说了,因为下一句把config给变成了_ 访问http://7fb17f774c7544298aec119ff6a0d777499faa17d81e4d8c.changame.ichunqiu.com/index.php?jpg=fl3gconfigichuqiu.php -
访问成功用base64得到以下代码
<?php
/**
* Created by PhpStorm.
* Date: 2015/11/16
* Time: 1:31
*/
error_reporting(E_ALL || ~E_NOTICE);
include('config.php');
function random($length, $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz') {
$hash = '';
$max = strlen($chars) - 1;
for($i = 0; $i < $length; $i++) {
$hash .= $chars[mt_rand(0, $max)];
}
return $hash;
}
function encrypt($txt,$key){
for($i=0;$i<strlen($txt);$i++){
$tmp .= chr(ord($txt[$i])+10);
}
$txt = $tmp;
$rnd=random(4);
$key=md5($rnd.$key);
$s=0;
for($i=0;$i<strlen($txt);$i++){
if($s == 32) $s = 0;
$ttmp .= $txt[$i] ^ $key[++$s];
}
return base64_encode($rnd.$ttmp);
}
function decrypt($txt,$key){
$txt=base64_decode($txt);
$rnd = substr($txt,0,4);
$txt = substr($txt,4);
$key=md5($rnd.$key);
$s=0;
for($i=0;$i<strlen($txt);$i++){
if($s == 32) $s = 0;
$tmp .= $txt[$i]^$key[++$s];
}
for($i=0;$i<strlen($tmp);$i++){
$tmp1 .= chr(ord($tmp[$i])-10);
}
return $tmp1;
}
$username = decrypt($_COOKIE['user'],$key);
if ($username == 'system'){
echo $flag;
}else{
setcookie('user',encrypt('guest',$key));
echo "â•®(╯▽╰)â•";
}
?>
- 抓一下包我们得到guest经过key加密后的数据
- 写代码反解key的前五位(利用前面写好的解密函数)
# -*- coding: utf-8 -*
import requests
import string
from base64 import *
txt = b64decode('dHpaThNGV01K')
rnd = txt[:4]
ttmp = txt[4:]
keys = list('xxxxxx')
guest = list('guest')
for i in range(len(guest)):
# 得到tmp
guest[i] = chr(ord(guest[i])+10)
# 逆序反解得到key
for i in range(len(guest)):
keys[i] = chr(ord(ttmp[i])^ord(guest[i]))
system = list('system')
for i in range(len(system)):
system[i] = chr(ord(system[i])+10)
ttmp_new = ''
str = ''
letters = '1234567890abcdefghijklmnopqrstuvwxyz'
for ch in letters:
keys[5] = ch
for i in range(len(system)):
ttmp_new += chr(ord(keys[i]) ^ ord(system[i]))
str = rnd + ttmp_new
print b64encode(str)
ttmp_new = ''
得到以下结果
- 用burp发包得到结果
得到flag