
[MRCTF2020]Ezaudit php_mt_seed pseudo-random

Popularity: 98   Published: 2024-01-11 01:21:30.0

[MRCTF2020]Ezaudit
dirsearch turns up three files. login.html asks for a username, a password and a private key. The username can be read from index.php (crispr), the password field accepts a universal (SQL injection) password, so the real obstacle is the private key.

<?php
header('Content-type:text/html; charset=utf-8');
error_reporting(0);
if (isset($_POST['login'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    $Private_key = $_POST['Private_key'];
    if (($username == '') || ($password == '') || ($Private_key == '')) {
        // If any field is empty, treat the form as not filled in, show an error
        // and send the user back to the login page (refresh after 2 seconds)
        header('refresh:2; url=login.html');
        echo "用户名、密码、密钥不能为空啦,crispr会让你在2秒后跳转到登录界面的!";
        exit;
    } else if ($Private_key != '*************') {
        header('refresh:2; url=login.html');
        echo "假密钥,咋会让你登录?crispr会让你在2秒后跳转到登录界面的!";
        exit;
    } else {
        if ($Private_key === '************') {
            // $password is concatenated straight into the query: SQL injection
            $getuser = "SELECT flag FROM user WHERE username= 'crispr' AND password = '$password'" . ';';
            $link = mysql_connect("localhost", "root", "root");
            mysql_select_db("test", $link);
            $result = mysql_query($getuser);
            while ($row = mysql_fetch_assoc($result)) {
                echo "<tr><td>" . $row["username"] . "</td><td>" . $row["flag"] . "</td><td>";
            }
        }
    }
}

// generate public_key
function public_key($length = 16) {
    $strings1 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $public_key = '';
    for ($i = 0; $i < $length; $i++)
        $public_key .= substr($strings1, mt_rand(0, strlen($strings1) - 1), 1);
    return $public_key;
}

// generate private_key
function private_key($length = 12) {
    $strings2 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $private_key = '';
    for ($i = 0; $i < $length; $i++)
        $private_key .= substr($strings2, mt_rand(0, strlen($strings2) - 1), 1);
    return $private_key;
}

$Public_key = public_key();
//$Public_key = KVQP0LdJKRaV3n9D how to get crispr's private_key???

Pseudo-random number challenge
This one is very similar to 枯燥的抽奖 (Boring Lottery); you can read the post I wrote about it:
https://blog.csdn.net/scrawman/article/details/119110675
Both keys come from mt_rand(), a Mersenne Twister seeded with a single 32-bit value, so the 16 characters of the leaked public key are enough to brute-force the seed and then replay private_key(). Adapt the hand-me-down script so it rewrites the public key into the format php_mt_seed takes:

# Character set used by public_key()/private_key() in index.php. The order
# matters: php_mt_seed needs the index that mt_rand(0, 61) returned for each
# character. (The script as originally posted still carried the charset and
# public key from the 枯燥的抽奖 challenge; both must match this challenge.)
str1 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
# Leaked public key from the comment in index.php
str2 = 'KVQP0LdJKRaV3n9D'
res = ''
for i in range(len(str2)):
    for j in range(len(str1)):
        if str2[i] == str1[j]:
            # php_mt_seed input: "<output_min> <output_max> <range_min> <range_max>"
            res += str(j) + ' ' + str(j) + ' ' + '0' + ' ' + str(len(str1) - 1) + ' '
            break
print(res)

Hand the printed output to php_mt_seed; it brute-forces the seed as 1775196155.
Then run the challenge's key-generation code again with that seed. Note that the PHP version must be between 5.2.1 and 7 (mt_rand() behaves differently in later versions, which is why php_mt_seed reports a version range next to each seed), and the public_key() call must be kept: it consumes the first 16 mt_rand() outputs, so private_key() only produces the right value when it runs after it.

<?php
// Re-seed with the value recovered by php_mt_seed
mt_srand(1775196155);
function public_key($length = 16) {
    $strings1 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $public_key = '';
    for ($i = 0; $i < $length; $i++)
        $public_key .= substr($strings1, mt_rand(0, strlen($strings1) - 1), 1);
    return $public_key;
}
function private_key($length = 12) {
    $strings2 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $private_key = '';
    for ($i = 0; $i < $length; $i++)
        $private_key .= substr($strings2, mt_rand(0, strlen($strings2) - 1), 1);
    return $private_key;
}
public_key();        // must run first: it consumes the 16 outputs that made the public key
echo private_key();  // the next 12 outputs are crispr's private key
?>
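The whole chain above (leaked public key, seed, replayed private key) can be checked offline without a PHP interpreter. The following is an added example, not code from the write-up or from the challenge: it models PHP's mt_rand() as implemented in PHP 5.2.1 to 7.0 (the variant php_mt_seed labels for the recovered seed), regenerates both keys from a seed, and shows the search principle php_mt_seed applies over all 2^32 seeds, here over a small constructed window. The function names, the PhpMtRand class and the seed window are this example's own assumptions; the charset, the leaked public key and the seed are the values from the write-up.

```python
# Added example (not part of the original write-up): a pure-Python model of
# PHP's mt_rand() as implemented in PHP 5.2.1 - 7.0. Names below are this
# example's own; CHARSET, LEAKED_PUBLIC_KEY and RECOVERED_SEED come from the
# write-up.

N, M = 624, 397
CHARSET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
LEAKED_PUBLIC_KEY = 'KVQP0LdJKRaV3n9D'   # from the comment in index.php
RECOVERED_SEED = 1775196155              # php_mt_seed result from the write-up


def _initialize(seed):
    """php_mt_initialize(): standard MT19937 state expansion from a 32-bit seed."""
    s = [0] * N
    s[0] = seed & 0xFFFFFFFF
    for i in range(1, N):
        s[i] = (1812433253 * (s[i - 1] ^ (s[i - 1] >> 30)) + i) & 0xFFFFFFFF
    return s


def _reload(s):
    """php_mt_reload(): regenerate all 624 state words in place.

    PHP < 7.1 used the low bit of u instead of v in its twist() macro; that
    deviation from textbook MT19937 is what makes this the 'PHP 5.2.1 to
    7.0.x' variant reported by php_mt_seed."""
    for i in range(N):
        u, v = s[i], s[(i + 1) % N]
        mixed = (u & 0x80000000) | (v & 0x7FFFFFFF)
        s[i] = s[(i + M) % N] ^ (mixed >> 1) ^ (0x9908B0DF if (u & 1) else 0)


class PhpMtRand:
    """Minimal model of mt_srand($seed) / mt_rand($min, $max), legacy variant."""

    def __init__(self, seed):
        self.state = _initialize(seed)
        _reload(self.state)   # php_mt_srand() reloads immediately after seeding
        self.index = 0

    def _next32(self):
        if self.index >= N:
            _reload(self.state)
            self.index = 0
        y = self.state[self.index]
        self.index += 1
        y ^= y >> 11                   # standard MT19937 tempering
        y ^= (y << 7) & 0x9D2C5680
        y ^= (y << 15) & 0xEFC60000
        y ^= y >> 18
        return y & 0xFFFFFFFF

    def mt_rand(self, lo, hi):
        # mt_rand() drops one bit, then scales with the legacy RAND_RANGE macro
        n = self._next32() >> 1
        return lo + int((hi - lo + 1.0) * (n / (0x7FFFFFFF + 1.0)))


def generate_keys(seed):
    """Replay the challenge: public_key() (16 chars) consumes the first 16
    outputs, private_key() (12 chars) takes the next 12."""
    rng = PhpMtRand(seed)
    public = ''.join(CHARSET[rng.mt_rand(0, len(CHARSET) - 1)] for _ in range(16))
    private = ''.join(CHARSET[rng.mt_rand(0, len(CHARSET) - 1)] for _ in range(12))
    return public, private


def find_seed(public_key, seeds):
    """Return the first seed in `seeds` whose initial outputs spell public_key.

    php_mt_seed does this over all 2**32 seeds in optimised C; this loop is
    only practical for a small window and stops at the first mismatch."""
    for seed in seeds:
        rng = PhpMtRand(seed)
        if all(CHARSET[rng.mt_rand(0, len(CHARSET) - 1)] == ch for ch in public_key):
            return seed
    return None


if __name__ == '__main__':
    # Constructed window around the known seed; any other seed fails quickly.
    seed = find_seed(LEAKED_PUBLIC_KEY, range(RECOVERED_SEED - 50, RECOVERED_SEED + 50))
    public, private = generate_keys(seed)
    print('seed', seed, 'public', public, 'private', private)
```

The lesson for code review is the one the challenge teaches: mt_rand() is a deterministic generator with a 32-bit seed, so any secret derived from it is recoverable from a handful of leaked outputs. PHP 7.1 changed both the twist and the range mapping (the legacy behaviour survives only under mt_srand($seed, MT_RAND_PHP)), which is why php_mt_seed tags each seed with a version range; the fix for key material is random_int()/random_bytes(), which draw from the operating system's CSPRNG.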