18. The backup is a good habit


Trying to decode it did not give the desired result ~

Recall that the challenge title says backups are a good habit; the hint is pointing at a backup, so this should be the class of problem where a backup file leaks the source. Think about it from there.

Background knowledge:

Normally a backup file is the original name with the extension *.bak appended.

*.bak is a backup (or auxiliary) file created automatically by a command or editor, containing the most recent saved version of a file.

By default http://123.206.87.240:8002/web16/ serves the index.php file, so the backup path to try is index.php.bak.

Then visit http://123.206.87.240:8002/web16/index.php.bak


Open it with Notepad. I pasted the code into Notepad and wrote the detailed code analysis inside as comments ~


So when you pass ?key1=a&key2=b, the filter turns it into ?1=a&2=b. You can bypass this by double-writing the name: ?kekeyy1=a&kekeyy2=b becomes key1=a&key2=b after the filter removes the inner "key".

In other words, the substring "key" in the two GET parameter names is replaced with an empty string (bypassable with kekeyy), then the values of key1 and key2 are MD5-hashed and compared.

The comparison that follows is the typical PHP weakly typed md5 comparison bypass.

There are two ways to bypass it:

1. The md5() function cannot handle an array: if an array is passed in, it returns NULL, so hashing two arrays yields NULL on both sides, which are equal.

2. Exploit the loose comparison operator ==.

If the MD5 values of two strings both have the form 0exxxxx, PHP treats them as scientific notation, i.e. 0 times 10 to the power xxxx, which is still zero, so the two values are considered equal.

The MD5 values of the following strings all begin with 0e:

QNKCDZO

240610708

s878926199a

s155964671a

s214587387a

Construct the payload: ?kkeyey1=QNKCDZO&kkeyey2=240610708 (any pair from the list will do)
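As an added illustration (not the challenge's real index.php, which the post only shows as an image), here is a PHP reconstruction of the pattern described above: the "key"-stripping filter, the loose == md5 comparison that the 0e strings defeat, and a hardened version beside it. The function names and the query-string handling are assumptions.

```php
<?php
// Added example: reconstruction of the pattern the writeup describes,
// not the original challenge source.

// Assumed filter: strip the substring "key" from the raw query string,
// so ?key1=a&key2=b becomes 1=a&2=b, while kkeyey1 collapses to key1.
function filter_query(string $query): array {
    parse_str(str_replace('key', '', $query), $params);
    return $params;
}

// Vulnerable check: loose == on md5() output.
// md5('QNKCDZO') and md5('240610708') both start with 0e, so == compares
// them as numbers (0 == 0) and returns true.
function weak_check($a, $b): bool {
    return md5($a) == md5($b);
}

// Hardened check: require real strings (rejects the array trick, where
// md5() returns NULL on PHP 7 and throws a TypeError on PHP 8) and compare
// the digests byte for byte with hash_equals() instead of ==.
function strict_check($a, $b): bool {
    if (!is_string($a) || !is_string($b)) {
        return false;
    }
    return hash_equals(md5($a), md5($b));
}

// Demo on a constructed query mirroring the writeup's payload.
$p = filter_query('kkeyey1=QNKCDZO&kkeyey2=240610708');
var_dump(isset($p['key1'], $p['key2']));        // bool(true): names collapsed
var_dump(weak_check($p['key1'], $p['key2']));   // bool(true): loose == bypassed
var_dump(strict_check($p['key1'], $p['key2'])); // bool(false): digests differ
```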


Source: www.cnblogs.com/tqqnb/p/12072636.html