web21
YWRtaW46MTIzNDU2
解密后:
admin:123456
爆破成功:
YWRtaW46c2hhcms2Mw==
admin:shark63
web22
子域名挖掘
web23
<?php
error_reporting(0);include('flag.php');
if(isset($_GET['token'])){$token = md5($_GET['token']);if(substr($token, 1,1)===substr($token, 14,1) && substr($token, 14,1) ===substr($token, 17,1)){if((intval(substr($token, 1,1))+intval(substr($token, 14,1))+substr($token, 17,1))/substr($token, 1,1)===intval(substr($token, 31,1))){echo $flag;}}
}else{highlight_file(__FILE__);}
?>
分析:
条件1:
substr($token, 1,1)===substr($token, 14,1)===substr($token, 17,1)
条件2:
(intval(substr($token, 1,1))+intval(substr($token, 14,1))+substr($token, 17,1))/substr($token, 1,1)===intval(substr($token, 31,1)
写脚本
思路1:
import hashlib
dic = '0123456789qazwsxedcrfvtgbyhnujmikolp'
for a in dic: for b in dic: t = str(a) + str(b) md5 = hashlib.md5(t.encode('utf-8')).hexdigest() if md5[1:2] == md5[14:15] and md5[14:15] == md5[17:18]: if (ord(md5[1:2])) >= 48 and ord(md5[1:2]) <= 57 and (ord(md5[14:15])) >= 48 and ord(md5[14:15]) <= 57: if (ord(md5[17:18])) >= 48 and ord(md5[17:18]) <= 57 and (ord(md5[31:32])) >= 48 and ord( md5[31:32]) <= 57: if (int(md5[1:2]) + int(md5[14:15]) + int(md5[17:18])) / int(md5[1:2]) == int(md5[31:32]): print(t)
返回:
3j
思路2:
import hashlib
for i in range(1,10000):md5 = hashlib.md5(str(i).encode('utf-8')).hexdigest()if md5[1] != md5[14] or md5[14]!= md5[17]:continueif(ord(md5[1]))>=48 and ord(md5[1])<=57 and (ord(md5[31]))>=48 and ord(md5[31])<=57:if((int(md5[1])+int(md5[14])+int(md5[17]))/int(md5[1])==int(md5[31])):print(i)
返回:
422
1202
web24 伪随机数
<?php
error_reporting(0);
include("flag.php");
if(isset($_GET['r'])){$r = $_GET['r'];mt_srand(372619038);if(intval($r)===intval(mt_rand())){echo $flag;}
}else{highlight_file(__FILE__);echo system('cat /proc/version');
}?>
考察伪随机数的概念,给定了种子,后面生产的随机数都是伪随机数
php版本很重要
php8.2.9是可以正确拿到的版本
https://onlinephp.io/
选择对应php版本
<?php
mt_srand(372619038);
echo intval(mt_rand());
返回
1155388967
GET:
?r=1155388967
web25
<?phperror_reporting(0);
include("flag.php");
if(isset($_GET['r'])){$r = $_GET['r'];mt_srand(hexdec(substr(md5($flag), 0,8)));$rand = intval($r)-intval(mt_rand());if((!$rand)){if($_COOKIE['token']==(mt_rand()+mt_rand())){echo $flag;}}else{echo $rand;}
}else{highlight_file(__FILE__);echo system('cat /proc/version');
}
mt_srand(hexdec(substr(md5($flag), 0,8)));
整个 mt_rand() 序列由 flag 决定,我们不知道 flag,所以看似无法知道种子,可以反向推导
第1个 mt_rand() 调用:
intval($r) == mt_rand()
第2个,第3个mt_rand() 调用:
$_COOKIE['token'] == (mt_rand() + mt_rand())
工具选择:
php_mt_seed:专门用于根据 mt_rand() 输出反推 seed 的 C 程序,速度极快(每秒数百万次尝试)
先传一个:
?r=0
返回:
-240978470
执行命令:
./php_mt_seed 240978470
返回:
Pattern: EXACT
Version: 3.0.7 to 5.2.0
Found 0, trying 0x04000000 - 0x07ffffff, speed 6710.9 Mseeds/s
seed = 0x05050f6c = 84217708 (PHP 3.0.7 to 5.2.0)
seed = 0x05050f6d = 84217709 (PHP 3.0.7 to 5.2.0)
Found 2, trying 0xfc000000 - 0xffffffff, speed 12811.7 Mseeds/s
Version: 5.2.1+
Found 2, trying 0x5e000000 - 0x5fffffff, speed 90.1 Mseeds/s
seed = 0x5ef87515 = 1593341205 (PHP 5.2.1 to 7.0.x; HHVM)
seed = 0x5ef87515 = 1593341205 (PHP 7.1.0+)
Found 4, trying 0xea000000 - 0xebffffff, speed 90.0 Mseeds/s
seed = 0xea087fe7 = 3926425575 (PHP 5.2.1 to 7.0.x; HHVM)
seed = 0xea087fe7 = 3926425575 (PHP 7.1.0+)
Found 6, trying 0xfe000000 - 0xffffffff, speed 89.9 Mseeds/s
Found 6
找对应PHP/7.3.11版本的
1593341205
执行命令:
<?php
mt_srand(1593341205);
echo intval(mt_rand()) . "<br>";
echo intval(mt_rand())+ intval(mt_rand());
?>
返回:
240978470
2067597295
GET:
?r=240978470
COOKIE:
token=2067597295
web26
传统爆破
7758521
web27
爆破身份证日期
对应字典范围:19900001 到 20241231
姓名:高先伊
得到出生年月:19900201
高先伊
621022199002015237
返回:
恭喜您,您已被我校录取,你的学号为02015237 初始密码为身份证号码
web28
/0/1/2.txt
爆破路径中的数字
集束炸弹轰炸
结果:
