MOCTF Web writeup

A few days ago found a good platform MOCTF but has not time to brush. In the past few days to update the web problem WP

Web1: A water problem

Get in a bunch of frogs.

View the source code and see flag

WEB2: or a water problem

The Discovery Password box cannot be entered, so F12 review element, delete disable attribute, and change length to 5, enter MOCTF. Get flag

WEB3: Access Restrictions

Topic hint with NAIVE browser, so think burp change user-agent:naive

Run gets flag

WEB4: Robot Snake

This question .... I... A long time to go in to play the snake ....

Later examined the elements, found robots.txt point in the flag327a6c4304ad5938eaf0efb6cc3e53dc.php

Go in, F12 find flag.

Web5:php Black Magic

Topic Tip php~

Go inside to view the source code, PHP black magic.

The general meaning is

1. Enter a, b two parameter, cannot be empty

2. These two parameters cannot be equal

3. The two parameters are equal after being MD5 encrypted.

Condition 2 and Condition 3 seem to conflict.

Two methods:

1. Constructs an array, MD5 encryption returns False when the array is encountered, so it is equal, but the values are not equal. a[]=1&b[]=2

2.md5 0e is equal to the beginning of the encryption, for example: 240610708 and Qnkcdzo.? a=240610708&b=qnkcdzo

Both of these methods have been given flag

WEB6: I want the money.

In the PHP audit

Four conditions are required to get flag

1. The parameter is money and is passed for get

2.money is less than 4 in length

3.money to greater than time (), time () the value returned by Baidu a bit, seems to be from 1970 to now the number of seconds, anyway is particularly large.

4.money cannot be an array

Naturally think of scientific notation, construct MONEY=2E10 get flag

Web7: Login is right.

A look is the SQL injection problem, the user name constructs the Universal password: ' or ' 1 ' = ' 1 ' # password any get flag

Where's web8:flag?

Page only a hyperlink, click and Burp, the beginning of nothing found, and then saw that there are 302 jump, jump to five pages, respectively:

/where_is_flag.php

/flag.php

/i_have_a_frog.php

/i_have_a_flag.php

/no_flag.php

Guess flag should be in flagfrog.php or frogflag.php.

Access to two pages have no results, and then burp, all got the flag .... The brain hole is big ...

WEB9: Death exit

Master P has an article in detail about the bypass death exit, but has not seen before, in reference Yu Master's WP when he saw this article,

Know the importance of it!!! So I had a good read.

Original link: https://www.leavesongs.com/PENETRATION/php-filter-magic.html

Then write the shell and Base64 code, and then decode the time, the < 、?、, >, space, etc. a total of 7 characters do not conform to the Base64 encoded character range will be ignored, so the final decoded character only "phpexit" and we passed in other characters.

But the base64 algorithm decodes a group of 4 bytes, so give him a "a" to add a total of 8 characters. In this way, the "Phpexita" is decoded normally, and the base64 content of the Webshell that we passed in later is also decoded normally. The result is <?php exit; ?> No.

Refer to Yu Master's shell:<?php system (' Cat flag.php '); > base64 after encryption: pd9wahagc3lzdgvtkcdjyxqgzmxhzy5wahanktsgpz4=

Combining tmp.php structure payload to file=php://filter/write=convert.base64-decode/resource=tmp.php&c= pd9wahagc3lzdgvtkcdjyxqgzmxhzy5wahanktsgpz4=

Review elements get flag

WEB10: file contains

View the source code to see the prompt information flag.php, combined with the title file contains

Construction payload:?file=php://filter/convert.base64-encode/resource=flag.php

Get a string of encrypted characters, Base64 decrypt to get flag

WEB11: Delicious Biscuits

Go in is a landing page, try weak password login admin,admin smooth login, and later found that seemingly arbitrary account password can go in ....

Grab bag finds a string: set-cookie:zwuxmwniyje5mduyztqwyja3ywfjmgnhmdywyzizzwu%3d

%3d is the URL encoding for "=", so the zwuxmwniyje5mduyztqwyja3ywfjmgnhmdywyzizzwu= is Base64 decoded, Get MD5 ciphertext ee11cbb19052e40b07aac0ca060c23ee, decrypt and get user

So use admin first MD5 after Base64, plus cookie, get flag

MOCTF Web writeup