23-day

2019-8-22


54. Let Me In (http://ctf5.shiyanbar.com/web/kzhan.php)
  Before entering the page there is a hint: "Hint: you may want to know what happened on the server side." So how do we get at the server side? After entering, the page shows "admins only" followed by a login form, and also: "If you have the correct credentials, log in below. If not, please LEAVE." Checking with F12 turns up no other important clues, so I captured the request with Burp Suite and found an odd parameter in the cookie, source=0. Changing it to 1 and resending the request returns the source code:
<?php
$flag = "XXXXXXXXXXXXXXXXXXXXXXX";
$secret = "XXXXXXXXXXXXXXX"; // This secret is 15 characters long for security!

$username = $_POST["username"];
$password = $_POST["password"];

if (!empty($_COOKIE["getmein"])) {
    if (urldecode($username) === "admin" && urldecode($password) != "admin") {
        // Unkeyed hash over secret . data: the construction the challenge is built around
        if ($_COOKIE["getmein"] === md5($secret . urldecode($username . $password))) {
            echo "Congratulations! You are a registered user.\n";
            die("The flag is " . $flag);
        }
        else {
            die("Your cookies don't match up! STOP HACKING THIS SITE.");
        }
    }
    else {
        die("You are not an admin! LEAVE.");
    }
}

// Leaks md5($secret . "adminadmin") to every visitor
setcookie("sample-hash", md5($secret . urldecode("admin" . "admin")), time() + (60 * 60 * 24 * 7));

if (empty($_COOKIE["source"])) {
    setcookie("source", 0, time() + (60 * 60 * 24 * 7));
}
else {
    if ($_COOKIE["source"] != 0) {
        echo ""; // This source code is outputted here
    }
}
Reading the code shows that, first, a cookie named getmein must be present; second, the urldecode of username must equal admin and the urldecode of password must not equal admin; and third, the getmein cookie must equal md5($secret . urldecode($username . $password)). So now we have to construct it: first a cookie named getmein, whose value is that md5 string. With username=admin and password=12345, URL-encoded they are %61%64%6d%69%6e%2e%31%32%33%34%35; with secret = fifteen 1s, join them with ".", md5 the result and send it in the cookie: getmein=2861c306fc5e3dd08048dd533eaabddc. This does not give the right answer, so there must be something I have not noticed.

The line setcookie("sample-hash", md5($secret . urldecode("admin" . "admin")), time() + (60 * 60 * 24 * 7)); deserves attention: the way setcookie is used here, the encoded values are clearly admin and admin, which means the password must also be admin, i.e. the password should be admin plus something that bypasses the check. From other people's write-ups I learned of a technique called the hash length extension attack. As for what an MD5 length extension attack actually is, I can only leave a blog post here to study slowly: https://www.cnblogs.com/p00mj/p/6288337.html
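To make the weakness behind that attack concrete from the defender's side, here is an added Python example (not code from the write-up or the challenge): it reimplements MD5 with a settable internal state, shows that a tag of the form md5($secret . $data), like the leaked sample-hash cookie, can be extended to cover extra data without knowing the secret, and shows that HMAC-MD5 over the same secret cannot. SECRET is a constructed 15-byte stand-in; the challenge's real secret is unknown.

```python
import hashlib, hmac, math, struct

SECRET = b"s3cr3t-15-chars"  # constructed stand-in; only its length (15) matters for the attack
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
K = [int(abs(math.sin(i + 1)) * 2 ** 32) & 0xFFFFFFFF for i in range(64)]

def md5_pad(msg_len):
    """MD5 padding (0x80, zeros, 64-bit little-endian bit length) for a msg_len-byte message."""
    return b"\x80" + b"\x00" * ((55 - msg_len) % 64) + struct.pack("<Q", msg_len * 8)

def md5_compress(state, block):
    """One MD5 compression of a 64-byte block, starting from an arbitrary 4-word state."""
    a, b, c, d = state
    M = struct.unpack("<16I", block)
    for i in range(64):
        if i < 16:   f, g = (b & c) | (~b & d), i
        elif i < 32: f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48: f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:        f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + K[i] + M[g]) & 0xFFFFFFFF
        a, d, c, b = d, c, b, (b + ((f << S[i]) | (f >> (32 - S[i])))) & 0xFFFFFFFF
    return [(x + y) & 0xFFFFFFFF for x, y in zip(state, (a, b, c, d))]

def length_extend(known_hex, known_len, suffix):
    """Given md5(secret||data) and len(secret||data), return (glue||suffix,
    md5(secret||data||glue||suffix)) without the secret: the digest is reused as state."""
    state = list(struct.unpack("<4I", bytes.fromhex(known_hex)))
    glue = md5_pad(known_len)                      # the padding the server already consumed
    tail = suffix + md5_pad(known_len + len(glue) + len(suffix))
    for i in range(0, len(tail), 64):
        state = md5_compress(state, tail[i:i + 64])
    return glue + suffix, struct.pack("<4I", *state).hex()

def vulnerable_mac(data):  # the challenge's construction: md5($secret . $data)
    return hashlib.md5(SECRET + data).hexdigest()

def hmac_mac(data):        # the fix: a keyed HMAC is not length-extendable
    return hmac.new(SECRET, data, hashlib.md5).hexdigest()

def forgery_succeeds(mac):
    """Try to forge mac("adminadmin"||glue||"12345") from the leaked mac("adminadmin") alone."""
    leaked = mac(b"adminadmin")                    # what the sample-hash cookie hands out
    appended, forged = length_extend(leaked, len(SECRET) + len(b"adminadmin"), b"12345")
    return forged == mac(b"adminadmin" + appended)
```

forgery_succeeds(vulnerable_mac) is True, which is exactly why the server's check must not be an unkeyed hash of secret-plus-data; forgery_succeeds(hmac_mac) is False.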