web1
f12
web2
ctrl+u
web3
bp captures the packet to see the response header
web4
The file is in robots.txt
web5
index.phps
web6
www.zip leaked, visit fl000g.txt
web7
Visit /.git/index.php
web8
.svn leaked, visit .svn directly
web9
index.php.swp
web10
cookie中
web11
Check the flag https://zijian.aliyun.com/ TXT record through dns check, which generally refers to the instructions set for a certain host name or domain name.
TXT records generally refer to instructions set for a host name or domain name
web12
At the bottom there is
access /admin/, enter admin,372619038 to get the flag.
web13
f12, find document.pdf below, download it to get the background page, user name and password, log in to get the flag.
web14
A very strange question. According to the prompt, it is said that it is editor. I didn't realize the existence of /editor. I was still looking for the editor information in f12. Another point is that dirsearch scans too slowly, which has something to do with the station.
After knowing about /editor, I opened it and found that it was a kindeditor editor. This question was misunderstood because of this mistake. My first reaction was to take advantage of its upload vulnerability. I saw that the version did meet:
Then try to upload the file, and it turns out that you can directly access the file space:
then find where the flag is, and you can access it directly.
web15
Although this question may have some clues, it is actually collection of information. Once the mailbox is leaked, you can check the relevant information of this mailbox, and even social work.
Find the QQ mailbox at the bottom of the page, visit /admin and click forgot password. The secret question is to ask about the location, which is the same as the location on the QQ number. You can reset the password and log in to get the flag directly by filling in Xi'an.
web16
PHP probe is really something I don't know, I checked it on the Internet:
The php probe is used to detect space, server operating status and PHP information. The probe can view server hard disk resources, memory usage, network card traffic, system load, server time and other information in real time. Is a tool to view server information.
For example, check what the server supports, what does not, space speed, and so on!
Common PHP probe pages are about these: l.php, p.php, tanzhen.php, tz.php, u.php, etc.
After testing tz.php, Yahei's probe. Find phpinfo in it, click to jump to the phpinfo page, and just find the flag inside.
web17
Find the subdomain name:
111.231.70.44
web18
For games written in js, take a look at the source code of js:
You won, go to Yaoyao and have a look
Visit 110.php to get the flag.
web19
I'm too good at it. . I thought I knew the encryption method to reverse decrypt the input pazzword, but suddenly I remembered that I don't know how to js... At last look at WP, it turns out that you can submit your username and password directly through POST, which can avoid javascript encryption. I'm still too good at it. .
web20
Scan the directory to the /db/ directory, but you can't access it directly. I checked the existence of /db/db.mdb on the Internet, downloaded it and opened it to find the flag.
The mdb file is a database file of the early asp+access architecture. The file leak is equivalent to the database being taken off.
Basically, this file is leaked and the library is dragged, and then various useful information can be obtained in the real penetration, and even various user names and passwords, and then log in to the background to get a shell just around the corner.