CTFshow - Web Beginner Module - Brute Force - web23

Challenge source code

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-03 11:43:51
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-03 11:56:11
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/
error_reporting(0);

include('flag.php');
if(isset($_GET['token'])){
    $token = md5($_GET['token']);
    if(substr($token, 1,1)===substr($token, 14,1) && substr($token, 14,1) ===substr($token, 17,1)){
        if((intval(substr($token, 1,1))+intval(substr($token, 14,1))+substr($token, 17,1))/substr($token, 1,1)===intval(substr($token, 31,1))){
            echo $flag;
        }
    }
}else{
    highlight_file(__FILE__);

}
?>

Brute-forcing with PHP code

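<?php
// Set the brute-force range
for ($i = 0; $i < 10000; $i++) {
    // Compute the MD5 hash of the candidate token
    $token = md5((string)$i);

    // Extract the characters to be checked (substr offsets are 0-based)
    $a = intval(substr($token, 1, 1));  // character at index 1
    $b = intval(substr($token, 14, 1)); // character at index 14
    $c = intval(substr($token, 17, 1)); // character at index 17
    $d = intval(substr($token, 31, 1)); // character at index 31

    // Condition 1: the characters at indices 1, 14 and 17 are identical
    if (substr($token, 1, 1) === substr($token, 14, 1) && substr($token, 14, 1) === substr($token, 17, 1)) {
        // Condition 2: the arithmetic result (skip $a === 0 to avoid division by zero)
        if ($a !== 0 && ($a + $b + $c) / $a === $d) {
            // Print the value that satisfies both conditions
            echo "Found valid token: $i\n";
            echo "MD5 hash: $token\n";
            break; // stop at the first match
        }
    }
}
?>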

https://www.bejson.com/runcode/php/

https://00a5ad8c-664e-47f6-aed8-fe3f9a6954e9.challenge.ctf.show/?token=422

posted @ 2025-01-20 13:55  lx20220922