LinTu's Blog
0%

imaginaryctf部分wp

发表于 分类于 阅读次数: Valine:

只有一点点。。

web

Idoriot

Source Code

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
<?php

session_start();

// Check if user is logged in
if (!isset($_SESSION['user_id'])) {
    header("Location: login.php");
    exit();
}

// Check if session is expired
if (time() > $_SESSION['expires']) {
    header("Location: logout.php");
    exit();
}

// Display user ID on landing page
echo "Welcome, User ID: " . urlencode($_SESSION['user_id']);

// Get the user for admin
$db = new PDO('sqlite:memory:');
$admin = $db->query('SELECT * FROM users WHERE user_id = 0 LIMIT 1')->fetch();

// Check if the user is admin
if ($admin['user_id'] === $_SESSION['user_id']) {
    // Read the flag from flag.txt
    $flag = file_get_contents('flag.txt');
    echo "<h1>Flag</h1>";
    echo "<p>$flag</p>";
} else {
    // Display the source code for this file
    echo "<h1>Source Code</h1>";
    highlight_file(__FILE__);
}

?>

logout.php页面退出,在注册页面F12有<input type="hidden" name="user_id" value="830084615">,post个password=1&username=1&user_id=0

inspection

F12
位置大概在
/html/body/div[4]/div[2]/div[67]/div/div/div[2]/p[1]

blank

看源码,晕字,大概看出来
没过滤输入,"

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
db.get('SELECT * FROM users WHERE username = "' + username + '" and password = "' + password+ '"', (err, row) => {
  if (err) {
    console.error(err);
    res.status(500).send('Error retrieving user');
  } else {
    if (row) {
      req.session.loggedIn = true;
      req.session.username = username;
      res.send('Login successful!');
    } else {
      res.status(401).send('Invalid username or password');
    }
  }
});

检测了username

1
2
3
4
5
6
7
8
9
10
app.get('/flag', (req, res) => {
  if (req.session.username == "admin") {
    res.send('Welcome admin. The flag is ' + fs.readFileSync('flag.txt', 'utf8'));
  }
  else if (req.session.loggedIn) {
    res.status(401).send('You must be admin to get the flag.');
  } else {
    res.status(401).send('Unauthorized. Please login first.');
  }
});

所以username=admin,只能在password注入

username=admin&password=" union select 1,2,3--

Login

右键查看源代码
最下面有一行/?source
加在url栏后有

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
<?php

if (isset($_GET['source'])) {
    highlight_file(__FILE__);
    die();
}

$flag = $_ENV['FLAG'] ?? 'jctf{test_flag}';
$magic = $_ENV['MAGIC'] ?? 'aabbccdd11223344';
$db = new SQLite3('/db.sqlite3');

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';
$msg = '';

if (isset($_GET[$magic])) {
    $password .= $flag;
}

if ($username && $password) {
    $res = $db->querySingle("SELECT username, pwhash FROM users WHERE username = '$username'", true);
    if (!$res) {
        $msg = "Invalid username or password";
    } else if (password_verify($password, $res['pwhash'])) {
        $u = htmlentities($res['username']);
        $msg = "Welcome $u! But there is no flag here :P";
        if ($res['username'] === 'admin') {
            $msg .= "<!-- magic: $magic -->";
        }
    } else {
        $msg = "Invalid username or password";
    }
}
?>
<!DOCTYPE html>
<html lang="en">

<head>
    <meta charset="UTF-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <title>Login</title>
    <link type="text/css" rel="stylesheet" href="https://cdn.simplecss.org/simple.css" />
</head>

<body>
    <main>
        <h2>Login</h2>
        <form method="POST">
            <p>
                <label for="username">Username</label>
                <input type="text" name="username" placeholder="Username" />
            </p>
            <p>
                <label for="password">Password</label>
                <input type="password" name="password" placeholder="Password" />
            </p>
            <p>
                <button type="submit">Login</button>
            </p>
        </form>
        <p>
            <?= $msg ?>
        </p>
    </main>
</body>

</html>
<!-- /?source -->

然后还在研究

crypto

rsa

1
2
3
4
5
6
7
8
from Crypto.PublicKey import RSA
from Crypto.Util.number import *

cipher_text = open(r"D:\xxx\flag.enc", "rb").read()
c = bytes_to_long(cipher_text)
key1 = RSA.importKey(open(r"D:\xxx\private.pem").read())
key2 = RSA.importKey(open(r"D:\xxx\public.pem").read())
print(long_to_bytes(pow(c,key1.d,key2.n)))