Web 1: Secret of the database
Challenge URL: http://116.85.43.88:8080/ZVDHKBUVUZSTJCNX/dfe3ia/index.php
Henryzhao's solution
Write a PHP page that acts as a proxy, signing each request before forwarding it; then point common tools such as sqlmap at that PHP page to inject through it.
The Python proxy I wrote at the time (TODO):
Wfox's solution
Unlocked a Burp Suite "new feature": Burp Suite's Match and Replace.
I don't know how the author fuzzed it; their test process was:
    admin' and 1 #    # normally displays the result for admin
So it is a Boolean-based blind injection: the condition is judged by whether the response body contains the result row for admin / test.
Debugging the author's script is still quite troublesome, since you need to modify the JS; it was not for me, but using the third-party library execjs to run JS code from Python is worth learning, even though the JS function being executed is really just a sha1 function :)
Appendix: basics
curl
command line tool and library for transferring data with URLs
curl is a command-line tool for making network requests; it fetches the data and prints it on "standard output" (stdout). It supports many protocols; here are some of its uses:
    curl -o page.html URL    # save the page to a file
It can also do form encoding, file uploads, and so on.
See: http://www.ruanyifeng.com/blog/2011/09/curl.html
jsbeautifier: a JS beautifier.
Web 2: Exclusive link
The experts are very sensitive to base64 in HTML source:
    <title>滴滴一下,让出行更美好</title>
Decoding the base64 gives back a link to favicon.ico. Opening the image in 010 Editor, and finding that only .class, .xml, .ico and .ks files can be downloaded, one can determine that an arbitrary file download vulnerability exists.
Henryzhao is even stronger: he directly noticed that the logo was abnormal ...
In addition, with the expert's guidance, the template can be found through a similar GitHub source code disclosure, i.e. the basic structure of the entire site.
Spring's default configuration file is applicationContext.xml; the deployment configuration file is conventionally named web.xml.
Found from the 500 error page:
com.didichuxing.ctf.controller.user.FlagController.submitFlag(FlagController.java:36)
From which the corresponding path is obtained:
../../WEB-INF/classes/com/didichuxing/ctf/controller/user/FlagController.class
Use jd-gui (a Java decompiler) to get the Java source; what follows is decrypting the related content, which I am not interested in for now ...
Appendix: basics
JVM
JVM (Java Virtual Machine): a virtual machine capable of running Java bytecode; it is how the Java language realises its most important feature, platform independence.
Java compiler: compiles Java source files (.java) into bytecode (.class files, a special binary format); javac.exe can simply be regarded as the Java compiler.
Java interpreter: part of the JVM. It interprets and executes the program produced by the Java compiler; java.exe can simply be regarded as the Java interpreter.
HMAC
HMAC (Hash-based Message Authentication Code): a keyed-hash message authentication code that takes a key and a message as input and produces a message digest as output.
Original: Dazhuanlan, DDCTF web reproduction && reflections
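The contrast between the write-up's client-side sha1 "signature" (which a forwarding proxy can simply recompute for a modified request) and a proper keyed HMAC check, as an added Python example that is not from the write-up or the challenge; the parameter names, the server key and the canonical form are assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed sample request parameters (not taken from the challenge).
SAMPLE_PARAMS = {"user": "admin", "action": "query"}
# Hypothetical server-side secret; a proper scheme never ships this to the client.
SERVER_KEY = b"constructed-demo-key"


def canonicalize(params: dict) -> bytes:
    """Sorted, URL-encoded form of the parameters so both sides hash the same bytes."""
    return urlencode(sorted(params.items())).encode()


def unkeyed_sign(params: dict) -> str:
    """The kind of check the write-up describes: a bare SHA-1 over the request,
    computed in client-side JS. Because no secret is involved, anyone who reads
    the JS can recompute it, which is why a re-signing proxy lets sqlmap through."""
    return hashlib.sha1(canonicalize(params)).hexdigest()


def hmac_sign(key: bytes, params: dict) -> str:
    """Keyed HMAC-SHA256 over the canonical request; the tag depends on the key."""
    return hmac.new(key, canonicalize(params), hashlib.sha256).hexdigest()


def verify(key: bytes, params: dict, presented_sig: str) -> bool:
    """Server-side check; compare_digest avoids leaking the tag through timing."""
    expected = hmac_sign(key, params)
    return hmac.compare_digest(expected, presented_sig)


def tamper(params: dict) -> dict:
    """Model a request modified in transit, using the write-up's blind probe as the new value."""
    changed = dict(params)
    changed["user"] = "admin' and 1 #"
    return changed


if __name__ == "__main__":
    tag = hmac_sign(SERVER_KEY, SAMPLE_PARAMS)
    print("original accepted:", verify(SERVER_KEY, SAMPLE_PARAMS, tag))
    print("tampered with old tag accepted:", verify(SERVER_KEY, tamper(SAMPLE_PARAMS), tag))
    print("unkeyed tag for tampered request (recomputable by anyone):",
          unkeyed_sign(tamper(SAMPLE_PARAMS)))
```

Without the key, the tampered request cannot be given a valid HMAC tag, whereas the unkeyed sha1 can be regenerated by whoever holds the JS.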