CG-CTF
https://cgctf.nuptsast.com/challenges#Web
Continued ~
Q7: Single for Twenty Years
View the source code;
Flag obtained (cheers ~);
This challenge can also be solved by capturing the request with Burp and reading the flag from the response;
(As for why this has to do with hand speed, think about it and you will understand ...);
Q8: php decode
Analysis: start directly from the decoder. The code defines a function CLSI(), which uses gzinflate() to decompress and base64_decode() to decode the BASE64-encoded string, then loops over the string replacing each character by way of its ASCII code, and returns the result. The eval() function then executes that string as PHP code;
Idea: simply echo the result instead, and it is printed out;
Flag obtained (cheers ~);
Q9: File inclusion
View the source code;
Analysis: ?file=show.php is clearly a file inclusion vulnerability, and I have done a similar file inclusion problem in PTE before. The flag should be hidden in the PHP code, for example inside a comment, so it does not show up. The idea is therefore to read the contents of the PHP file directly instead of letting the code execute;
Idea 1: construct the URL using PHP's wrapper protocol php://, with the file content base64-encoded to ensure the PHP code is not executed, so that we can read the encoded content;
The flag is then obtained by decoding (cheers ~);
Idea 2: construct the URL, again using PHP's built-in wrapper protocol php://input, then capture the request with Burp and try to read the file with the readfile() function;
This did not succeed;
I looked back at the code decoded earlier and found that input is filtered...;
Q10: Single for a Hundred Years Is No Use Either
Click the link;
Analysis: the page source does not contain any information; as with the earlier "Single" challenge, this should need a capture with Burp;
After capturing and sending the request, the flag is found in the response header (cheers ~);
Q11: Download~!
Emmm, the challenge is not there, skip;
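Q12: COOKIE
Analysis: there is nothing on the page. The challenge is titled Cookie and the hint is 0==not, so it feels like the 0 in the Cookie should be changed to 1. Try it: capture the request with Burp and modify the Cookie;
Change Login=0 to Login=1 and obtain the flag (cheers ~);
Q13: MYSQL
Learn what robots.txt is;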
https://baike.baidu.com/item/robots%E5%8D%8F%E8%AE%AE?fr=aladdin&fromtitle=robots.txt;
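View robots.txt;
Analysis: another hint is given here: sql.php, and id is not equal to 1024;
Idea: the intval() function returns the integer value of a variable, so we can infer that $id should be 1024, but the id that is submitted cannot be 1024. Try constructing an id with a decimal part: 1024.1;
Flag obtained (cheers ~);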
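The mismatch behind Q13, as an added example that is not the challenge's own sql.php source: it assumes the page rejects the raw id when it equals 1024 but performs the lookup with intval(). The ROWS array, the placeholder flag and both function names are constructed for illustration; the hardened form validates the input and applies the check to the same normalized integer that the lookup uses.

```php
<?php
// Constructed stand-in for the table behind sql.php (assumption, not the real data).
const ROWS = [
    1023 => 'public note',
    1024 => 'flag{placeholder}',
    1025 => 'public note',
];

// Flawed pattern: the deny check inspects the raw input,
// while the lookup uses the value after intval().
function lookup_flawed(string $raw): ?string
{
    if ($raw == 1024) {      // compared numerically, "1024.1" is not equal to 1024
        return null;
    }
    $id = intval($raw);      // intval() drops the fractional part
    return ROWS[$id] ?? null;
}

// Hardened pattern: accept only a canonical integer, then apply the
// deny check to the normalized value that is actually used for the lookup.
function lookup_hardened(string $raw): ?string
{
    $id = filter_var($raw, FILTER_VALIDATE_INT);
    if ($id === false || $id === 1024) {
        return null;
    }
    return ROWS[$id] ?? null;
}

// Constructed sample inputs, including the 1024.1 value from the write-up.
foreach (['1023', '1024', '1024.1'] as $raw) {
    printf(
        "%-9s flawed=%-20s hardened=%s\n",
        var_export($raw, true),
        var_export(lookup_flawed($raw), true),
        var_export(lookup_hardened($raw), true)
    );
}
```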
To be continued ~