
[CTFSHOW] 給你shell (Give You Shell) - Writeup


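Preface

I studied the techniques shared by various experts online and enjoyed it.

給你shell (Give You Shell)

Inspecting the page elements reveals two key pieces of information: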

① <!--flag is in /flag.txt-->

② <a href='./?view_source'

Next comes the most tedious part, the code audit:

<?php
error_reporting(0);
include "config.php";
// This part only displays the source, so skip it
if (isset($_GET['view_source'])) {
    show_source(__FILE__);
    die;
}
//
function checkCookie($s) {
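    // Split $s on ':' (exactly two parts are required below)
    $arr = explode(':', $s);
    // From the check below, $s must have the form {"secret":"uppercase letters or digits"};
    // the quote is only one member of the character class, so a bare number also passes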
    if ($arr[0] === '{"secret"' && preg_match('/^[\"0-9A-Z]*}$/', $arr[1]) && count($arr) === 2 ) {
        return true;
    } else {
    // If the format check fails, expire the cookie
        if ( !theFirstTimeSetCookie() ) setcookie('secret', '', time()-1);
        return false;
    }
}

function haveFun($_f_g) {
    $_g_r = 32;
    $_m_u = md5($_f_g); // assign the MD5 of $_f_g to $_m_u
    $_h_p = strtoupper($_m_u); // uppercase $_m_u
    for ($i = 0; $i < $_g_r; $i++) {
        $_i = substr($_h_p, $i, 1); // take one character at a time
        $_i = ord($_i); // get the character's ASCII code
        print_r($_i & 0xC0); // mask 1100 0000: every digit prints 0, every letter prints 64

    }
    die;
}
// If the cookie contains a secret field, assign it to $json
isset($_COOKIE['secret']) ? $json = $_COOKIE['secret'] : setcookie('secret', '{"secret":"' . strtoupper(md5('y1ng')) . '"}', time()+7200 );
checkCookie($json) ? $obj = @json_decode($json, true) : die('no');

if ($obj && isset($_GET['give_me_shell'])) {
    ($obj['secret'] != $flag_md5 ) ? haveFun($flag) : print "here is your webshell: $shell_path";
}

die;      

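Reading the source:

First, secret is taken from the cookie and passed to the checkCookie function.

If the value of the secret key != $flag_md5, the haveFun function is called.

Brute-forcing the value shows that there is a response when secret is 115.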
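Why a bare number such as 115 can satisfy the check, next to a hardened comparison, as an added example that is not code from the challenge or the original post. `$flag_md5` below is a constructed stand-in that assumes the real hash starts with `115` followed by a letter, and `formatOk`, `leakMask`, `looseMatch` and `strictMatch` are hypothetical helper names.

```php
<?php
// Added example. Constructed 32-character stand-in; the real $flag_md5 is not on the page.
$flag_md5 = '115ABCDEF0123456789ABCDEF0123456';

// The challenge's cookie format check, without the setcookie() side effect.
function formatOk(string $s): bool {
    $arr = explode(':', $s);
    return count($arr) === 2 && $arr[0] === '{"secret"'
        && preg_match('/^[\"0-9A-Z]*}$/', $arr[1]) === 1;
}

// What haveFun() prints: 0 for each digit, 64 for each letter of the uppercase hash.
function leakMask(string $hash): string {
    $out = '';
    foreach (str_split(strtoupper($hash)) as $c) {
        $out .= ord($c) & 0xC0;
    }
    return $out;
}

// Comparison as written in the challenge: loose, subject to type juggling.
function looseMatch($secret, string $expected): bool {
    return !($secret != $expected);
}

// Hardened form: the value must be a string and is compared in constant time.
function strictMatch($secret, string $expected): bool {
    return is_string($secret) && hash_equals($expected, $secret);
}

$cookies = [                      // constructed sample cookies
    '{"secret":"' . $flag_md5 . '"}',
    '{"secret":115}',
    '{"secret":"115"}',
    '{"secret":116}',
];

echo 'PHP ', PHP_VERSION, ', haveFun mask: ', leakMask($flag_md5), "\n";
foreach ($cookies as $c) {
    $ok  = formatOk($c);
    $obj = $ok ? json_decode($c, true) : null;
    $s   = $obj['secret'] ?? null;
    printf("%-48s format=%d loose=%d strict=%d\n", $c,
        $ok, looseMatch($s, $flag_md5), strictMatch($s, $flag_md5));
}
```

On PHP 7 the integer cookie gives `loose=1` because `!=` casts the stored hash to its leading integer, and the mask printed by `haveFun` shows how many leading characters are digits. PHP 8 compares an integer with a non-numeric string as strings, so `loose` becomes 0 there, while `strictMatch` rejects every cookie except the full hash on either version.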

<?php
error_reporting(0);
session_start();
 
//there are some secret waf that you will never know, fuzz me if you can
require "hidden_filter.php";
 
if (!$_SESSION['login'])
    die('');
 
if (!isset($_GET['code'])) {
    show_source(__FILE__);
    exit();
} else {
    $code = $_GET['code'];
    if (!preg_match($secret_waf, $code)) {
        // Clear the session and start over
        eval("\$_SESSION[" . $code . "]=false;"); //you know, here is your webshell, an eval() without any disabled_function. However, eval() for $_SESSION only XDDD you noob hacker
    } else die('hacker');
}
 
 
/*
 * When you feel that you are lost, do not give up, fight and move on.
 * Being a hacker is not easy, it requires effort and sacrifice.
 * But remember … we are legion!
 *  ————Deep CTF 2020
*/