Article Directory
One, web5
Title prompt "JSPFUCK"
Jsfuck introduction: –>Jsfuck – a very interesting Javascript feature<–
F12 View the source code and find the Jsfuck statement,
copy it to the command console and run it to get FLAG
Second, first class
The title is very interesting, " first class " => "header"
website has nothing.
Use Burpsuite to capture the packet-send to repeater-send, check the response, and find that FLAG is indeed in the header
Three, backup is a good habit
Mentioned backup, backup pages generally xxx.php.bak
, you can type directly download
code audit
to obtain FLAG need to pass two parameters key1
key2
, both required md5 encrypted value of the same but different plaintext values that need to bypass md5
before passing parameters, str_replace
will filter One-time key
string
So pass in variables kekeyy
or kkeyey
bypass string filtering
※PHP bypasses md5()
-
Array bypass
If md5 encryption is performed on the array, NULL will be returned, that is, the md5 values are equal -
0e bypass
Some strings are encrypted0e
at the beginning, and will be regarded as the power of 0 in scientific notation when compared, that is, the md5 values are compared and equal
Some 0e
beginning strings
Plaintext | md5 ciphertext |
---|---|
s1091221200a | 0e940624217856561557816327384675 |
s214587387a | 0e848240448830537924465865611904 |
s155964671a | 0e342768416822451524974117254469 |
s878926199a | 0e545993274517709034328855841020 |
?kkeyey1[]=x&kekeyy2[]=y
?kkeyey1=s1091221200a&kekeyy2=s878926199a
Get FLAG
Fourth, the flag is in the index
The title suggests that the flag is in the index, and there is nothing to enter the webpage, only a hyperlink.
View the way to open the webpage: This method has an LFI vulnerability,
so the source code can be obtained by using the vulnerability php://filter
and base64
coding
?file=php://filter/read=convert.base64-encode/resource=index.php
Base64 decode to get FLAG
Finish
Welcome to leave a message in the comment area.
Thanks for browsing