文章目錄
- 前言
- 給你shell
前言
學習網上各大佬的姿勢進行學習,很開心
給你shell
審查元素,發現關鍵資訊
①
<!--flag is in /flag.txt-->
②
<a href='./?view_source'
下面進行最枯燥的代碼審計環節啦~~
<?php
error_reporting(0);
include "config.php";
//這句話沒啥用跳過
if (isset($_GET['view_source'])) {
show_source(__FILE__);
die;
}
//
function checkCookie($s) {
//以:為分隔符将$s分為兩部分
$arr = explode(':', $s);
//從下面等得出$s的格式為{"secret":"大寫字母或者數字"}
if ($arr[0] === '{"secret"' && preg_match('/^[\"0-9A-Z]*}$/', $arr[1]) && count($arr) === 2 ) {
return true;
} else {
//如果不符合條件那麼設定cookie
if ( !theFirstTimeSetCookie() ) setcookie('secret', '', time()-1);
return false;
}
}
function haveFun($_f_g) {
$_g_r = 32;
$_m_u = md5($_f_g);//将$_f_g通過md5函數指派給$_m_u
$_h_p = strtoupper($_m_u);//将$_m_u大寫
for ($i = 0; $i < $_g_r; $i++) {
$_i = substr($_h_p, $i, 1);//逐位取值
$_i = ord($_i); //傳回字元的ascii碼值
print_r($_i & 0xC0);//1100 0000 數字都會變成0輸出,而字母都會變成64輸出
}
die;
}
//如果cookie中有secret字段指派給$json變量
isset($_COOKIE['secret']) ? $json = $_COOKIE['secret'] : setcookie('secret', '{"secret":"' . strtoupper(md5('y1ng')) . '"}', time()+7200 );
checkCookie($json) ? $obj = @json_decode($json, true) : die('no');
if ($obj && isset($_GET['give_me_shell'])) {
($obj['secret'] != $flag_md5 ) ? haveFun($flag) : echo "here is your webshell: $shell_path";
}
die;
根據源碼含義
首先從cookie中取出secret,進入checkCookie函數
如果secret鍵對應的值!=$flag_md5進入havefun函數
爆破一下。發現在secret為115時候有回顯
<?php
error_reporting(0);
session_start();
//there are some secret waf that you will never know fuzz me if you can
require "hidden_filter.php";
if (!$_SESSION['login'])
die('');
if (!isset($_GET['code'])) {
show_source(__FILE__);
exit();
} else {
$code = $_GET['code'];
if (!preg_match($secret_waf $code)) {
//清空session 從頭再來
eval("\$_SESSION[" . $code . "]=false;"); //you know here is your webshell an eval() without any disabled_function. However eval() for $_SESSION only XDDD you noob hacker
} else die('hacker');
}
/*
* When you feel that you are lost do not give up fight and move on.
* Being a hacker is not easy it requires effort and sacrifice.
* But remember … we are legion!
* ————Deep CTF 2020
*/