web1
Development comments were not deleted in time
Press F12 to get the flag.
web2
Front-end JS interception === ineffective operation
The page does not allow viewing the source code: neither F12 nor the right mouse button works. Here you can capture the packet with burp, or press Ctrl+U to view the source directly.
web3
When you have no idea, capture a packet and take a look; you may get unexpected results.
This time F12 shows nothing. Try capturing a packet with burp.
Get the flag; it is in the response header.
web4
There are always people who write the backend address into robots, helping to lead the way for the experts.
The start page is the same as in the previous question. This question hints at robots, but questions often give no hint, so scan with dirsearch first.
The scan finds /robots.txt; accessing it shows that there is a /flagishere.txt file.
Access /flagishere.txt and get the flag.
web5
PHP source code leaks can sometimes help
F12 still shows nothing, and dirsearch can't find anything.
According to the title hint, the phps source code is leaked. Accessing /index.phps downloads a file; view its content to get the flag.
web6
Unzip the source code to the current directory, test normally, and call it a day.
The guess is /www.zip: access it directly, download the file and get the flag.
web7
Version control is important, but not deploying it to the production environment is even more important.
The packet capture turned up nothing.
A dirsearch scan finds /.git, a source code leak; you can get the flag after accessing it.
web8
Version control is important, but not deploying it to the production environment is even more important.
Same as the previous question: burp captures nothing, so just scan with dirsearch.
The scan found /.svn, and I got the flag after accessing it.
web9
Found a typo on a web page? Quickly change it in vim in the production environment. No, it crashed.
I scanned with dirsearch directly, but there was nothing.
The burp packet capture shows nothing either.
The only way in is the hint, which points to a vim cache leak: index.php.swp
payload:
http://b1aecb15-06c9-48a7-996e-06bfe79cab32.challenge.ctf.show/index.php.swp
A file is downloaded; open it with Notepad to get the flag.
web10
A cookie is just a cookie and cannot store any private data
Capture the packet with burp and you find the flag in the cookie. Just URL-decode it.
web11
In fact, domain names can also hide information. For example, flag.ctfshow.com hides a piece of information.
Use an online domain name resolution record query tool (nslookup) to look up the domain's real resolution records.
You can see the TXT record and get the flag.
web12
Sometimes the public information on the website is the administrator’s commonly used passwords.
After entering the environment, scan with dirsearch (I don't know why it only scanned one file per second, which made things hard to find).
Access /admin; it prompts for a username and password.
The account is admin, and the password is 372619038, taken from the public information on the website as the title describes.
Get the flag after logging in.
web13
Do not include sensitive information in technical documents, and promptly change the default password after deployment to the production environment.
I scanned it with dirsearch first, but found nothing useful.
Scroll down the website, find the document link, and click on it.
Scroll down the document.
Visit /system1103/login.php and log in with user admin and password admin1103; the flag is shown after a successful login.
web14
Sometimes important (editor) information can be inadvertently leaked in the source code, and the default configuration can kill people.
The usual routine: scan with dirsearch first.
The scan finds editor; visit it to reach the editing interface, and then click these two buttons.
The flag can be found through the file space: var->www->html->nothinghere->fl000g.txt
Construct the payload to access the file:
http://8c753168-a6de-4c82-9253-4b8580dc83e2.challenge.ctf.show/nothinghere/fl000g.txt
web15
Public information, such as email addresses, may cause information leakage and have serious consequences.
Scan with dirsearch to find the /admin path, visit it, and click forgot password.
It asks for his city. Scroll to the bottom of the website, where there is a QQ mailbox, and add that QQ number on QQ.
At first I thought it was an email check, pure clown.
After adding the friend, the profile shows the location: Xi'an.
Fill in Xi'an and the password is reset.
Log in with account admin and password admin7789, and get the flag.
web16
Test probes must be deleted promptly after use; otherwise they may cause information leakage.
dirsearch can't find anything, and the packet capture shows nothing either.
The hint says it is a probe, and the default file of the probe is tz.php, so access it.
You can view phpinfo from here.
web17
Backup sql files can reveal sensitive information
dirsearch found backup.sql.
A file is downloaded; open it and get the flag.
web18
Don't be anxious, take a rest; score 101 points and you are given the flag.
Press F12 to view the source code.
You can see that this is unicode encoding; decode it.
Access 110.php to get the flag.
web19
Don’t put keys or anything like that on the front end.
Press F12 to view the source code and find the key.
The username must be admin and the password must encrypt to a599ac85a73384ee3219fa684296eaa62667238d608efa81837030bd1ce1bf04, so look at the encryption code next.
From the code we can see that it is AES encryption.
To decrypt, we need the AES encryption mode, padding, password, offset and output, which are all given in the code.
key=0000000372619038 is the password, iv = ilove36dverymuch is the offset, 16-character string is the output, CBC is the mode, and ZeroPadding is the padding. Decrypt it online.
The password is i_want_a_36d_girl (can this really be said) and the account is admin; log in and get the flag.
web20
dirsearch didn't find anything, and burp couldn't capture anything either.
But finding nothing when scanning this directory does not mean there is nothing in other directories. From the scan results, you can see that there is another directory, /db/.
Scan the /db/ directory and find the /db.mdb file.
Visit it and the db.mdb file is downloaded. After opening it, search for flag using Ctrl+F.