PHP的一些 “特性”¶
ha1师傅扔来了一道国外CTF Web题 人傻了 做个总结 遇到好玩的特性 持续更新
parse_str绕过¶
<?php
if ($_SERVER["REQUEST_METHOD"] === "POST") {
if (isset($_GET["first"])) {
parse_str(parse_url($_SERVER["REQUEST_URI"])["query"], $params);
var_dump($_SERVER["REQUEST_URI"]);
var_dump(parse_url($_SERVER["REQUEST_URI"])["query"]);
if ($params["first"] !== "pickle_rick") {
if ($_GET["first"] === "pickle_rick") {
echo "success";
}
}
}
}else{
die("1");
}
>>> parse_url('/test')
=> [
"path" => "/test",
]
>>> parse_url('//test')
=> [
"host" => "test",
]
>>> parse_url('///test')
=> false
¶
最后放出来PoseidonCTF的Old Rick¶
<?php
session_start();
$_SESSION["is_rick"] = false;
include "secrets.php"; // storing the variables not declared in this file
include "ricksecret/db.php"; // storing the login credentials for the database
if ($_SERVER["REQUEST_METHOD"] === "POST") {
if (isset($_GET["first"])) {
parse_str(parse_url($_SERVER["REQUEST_URI"])["query"], $params);
if ($params["first"] !== "pickle_rick") {
if ($_GET["first"] === "pickle_rick") {
if (isset($_GET["second"])) {
$hashed = crypt(md5($_GET["second"], fa1se), "asdf");
if (hash_equals($hashed, crypt(md5($hopper, fa1se), "asdf"))) {
if (isset($_GET["third"])) {
if (strlen($_GET["third"]) <= 10) {
$x = fopen("rightpaperheremorty.txt", "r");
$tmp = file_get_contents($_GET["third"]);
$content = fread($x, filesize("rightpaperheremorty.txt"));
if ($tmp === $content) {
fclose($x);
if (isset($_GET["fourth"])) {
class injection_chambre {
public $sprue;
public $mold_plate1;
public $mold_plate2;
}
if (!preg_match("/(^|;|{|})O:[0-9]+:\"/", $_GET["fourth"])) {
$chambre = unserialize($_GET["fourth"]);
if ($chambre) {
$chambre->mold_plate1 = $barrel;
if ($chambre->sprue === "pass" && $chambre->mold_plate1 === $chambre->mold_plate2) {
if (isset($_POST["fifth"])) {
$md5sum = md5(trim(file_get_contents("secret_pass.txt")));
if (preg_match("/\/[a-z\.\/]+$/i", $_POST["fifth"])) {
if (file_exists($_POST["fifth"]) && substr(md5($_POST["fifth"]), 0, 8) == $md5sum) {
if (isset($_GET["sixth"])) {
if (filter_var($_GET["sixth"], FILTER_VALIDATE_URL)) {
$url = parse_url($_GET["sixth"]);
if (!preg_match("/tftp|sftp|http|https|file|dict/i", $url["scheme"]) && preg_match("/ricksecret/i", $url["path"]) && !preg_match("/\.\./i", $url["path"]) && !preg_match("/read|base|iconv|zlib/i", $url["path"])) {
echo file_get_contents($_GET["sixth"]) . "<br />";
if (isset($_GET["sixth_second"])) {
if (!preg_match("/sixth_second|sixth second/i", urldecode($_SERVER["QUERY_STRING"]))) {
$dbms = new mysqli($host, $username, $_GET["sixth_second"], $db_name); // There's one row where id=1 and secret='r1cks'
$dbms->set_charset("utf8");
if (!$dbms->connect_error) {
if (isset($_GET["seventh"])) {
if (!preg_match("/\.|_|%|regexp|like|\x09| |\x0d|\x0a|\x0b|\/|\*|x|0|r1cks|\(|\)/i", $_GET["seventh"])) {
$one = "SELECT secret FROM top_secrets WHERE secret='{$_GET["seventh"]}'";
$two = "SELECT secret FROM top_secrets /*{$_GET["seventh"]}*/";
$exe_one = $dbms->query($one);
if ($exe_one->num_rows > 0) {
$res = $exe_one->fetch_assoc();
if ($res["secret"] === "r1cks") {
$exe_two = $dbms->query($two);
if ($exe_two->num_rows > 0) {
$res = $exe_two->fetch_assoc();
if ($res["secret"] === "th3sm4rt3s7") {
if (isset($_GET["eigth"])) {
extract($_COOKIE);
if ($_SESSION["is_rick"]) {
if (isset($_POST["nineth"])) {
$E = $_POST["nineth"];
$y = create_function('', substr($E, 0, 12));
}
else {
die("Where would you find the components of the injection?");
}
}
else {
die("Access denied for non ricks.");
}
}
else {
die("Where would you find cookies Morty?");
}
}
else {
$dbms->close();
die("Oh not again Morty.");
}
}
else {
$dbms->close();
die("Maybe somehow close.");
}
}
else {
$dbms->close();
die("Wait what's that Morty?");
}
}
else {
$dbms->close();
die("That's not even close Morty.");
}
}
else {
$dbms->close();
die("You touched something that you're not supposed to touch.");
}
}
else {
$dbms->close();
die("Where would you find the components of the injection?");
}
}
else {
die("I don't think that's my password Morty.");
}
}
else {
die("You touched something that you're not supposed to touch.");
}
}
else {
die("Where would you find the components of the injection?");
}
}
else {
die("You touched something that you're not supposed to touch.");
}
}
else {
die("That's suspicious Morty.");
}
}
else {
die("Where would you find the components of the injection?");
}
}
else {
echo "{$md5sum}<br />";
die("You lost against the jugling of Rick.");
}
}
else {
die("You touched something that you're not supposed to touch.");
}
}
else {
die("Where would you find the components of the injection?");
}
}
else {
die("Absolutely not the same.");
}
}
else {
die("Are you sure that's Ok?");
}
}
else {
die("You touched something that you're not supposed to touch.");
}
}
else {
die("Where would you find the components of the injection?");
}
}
else {
fclose($x);
die("You picked up the wrong paper.");
}
}
else {
die("You don't know which paper reading it will lead to the right path.");
}
}
else {
die("Where would you find the components of the injection?");
}
}
else {
echo md5($hopper, false) . "<br />";
die("You didn't know which hopper to use for the injection.");
}
}
else {
die("Where would you find the components of the injection?");
}
}
else {
die("You were putting the wrong matter.");
}
}
else {
die("You made a mistake that resulted in an explotion.");
}
}
else {
die("Where would you find the components of the injection?");
}
}
else {
show_source(__FILE__);
exit(0);
}
?>