A few days ago I found a good platform, MOCTF, but have not had time to work through it. Over the past few days I have been updating this write-up (WP) of the web problems.
WEB1: An easy problem
The page shows a bunch of frogs.
View the source code to see the flag.
WEB2: Another easy problem
The password box cannot be typed into, so press F12 to inspect the element, delete the disabled attribute, change the length to 5, and enter MOCTF to get the flag.
WEB3: Access Restrictions
The hint says to use the NAIVE browser, so use Burp to change the header to User-Agent: naive
Send the request to get the flag.
WEB4: Robot Snake
This question... I spent a long time in there playing Snake...
Later I inspected the elements and found that robots.txt points to flag327a6c4304ad5938eaf0efb6cc3e53dc.php
Go in and press F12 to find the flag.
WEB5: PHP black magic
The hint is: php~
Go in and view the source code; it is PHP black magic.
The general meaning is:
1. Two parameters, a and b, must be supplied and cannot be empty
2. The two parameters cannot be equal
3. The two parameters must be equal after being MD5 hashed
Conditions 2 and 3 seem to conflict.
Two methods:
1. Pass arrays. md5() returns False when it is given an array, so the hashes are equal while the values are not: a[]=1&b[]=2
2. MD5 hashes that begin with 0e compare as equal, because PHP's loose comparison reads them as numbers in scientific notation. For example, 240610708 and QNKCDZO: ?a=240610708&b=QNKCDZO
Both of these methods give the flag.
WEB6: I want the money
This is a PHP code audit.
Four conditions are required to get the flag:
1. The parameter is money and is passed via GET
2. money is less than 4 in length
3. money must be greater than time(). I looked up the return value of time() on Baidu; it seems to be the number of seconds from 1970 to now, so in any case it is very large.
4. money cannot be an array
Scientific notation comes to mind naturally: construct money=2e10 to get the flag.
WEB7: Login is right.
At a glance this is an SQL injection problem. Construct the universal password in the user name field: ' or '1'='1' # with any password, and get the flag.
WEB8: Where's the flag?
The page has only a hyperlink. I clicked it with Burp running and at first found nothing, then saw that there were 302 redirects, jumping through five pages:
/where_is_flag.php
/flag.php
/i_have_a_frog.php
/i_have_a_flag.php
/no_flag.php
My guess was that the flag should be in flagfrog.php or frogflag.php.
Visiting the two pages gave no result, and then with Burp I got the flag... What a leap of imagination...
WEB9: Death exit
Master P has a detailed article about bypassing the death exit, which I had not seen before. I came across it while consulting Master Yu's WP and realized how important it is!!! So I read it carefully.
Original link: https://www.leavesongs.com/PENETRATION/php-filter-magic.html
Write the shell Base64-encoded. When it is decoded, the <, ?, ;, >, space and so on in <?php exit; ?>, 7 characters in total, fall outside the Base64 character range and are ignored, so the only characters finally decoded are "phpexit" plus whatever we passed in.
But Base64 decodes in groups of 4 bytes, so add one "a" to make 8 characters in total. That way "phpexita" decodes normally, and the Base64 content of the webshell passed in after it also decodes normally. As a result, the <?php exit; ?> is gone.
Referring to Master Yu's shell: <?php system('cat flag.php'); ?> Base64-encoded: PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTsgPz4=
Combined with tmp.php, the payload is: file=php://filter/write=convert.base64-decode/resource=tmp.php&c=PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTsgPz4=
Inspect the elements to get the flag.
WEB10: File inclusion
View the source code to see the hint flag.php; combined with the title, this is file inclusion.
Construct the payload: ?file=php://filter/convert.base64-encode/resource=flag.php
This returns an encoded string; Base64-decode it to get the flag.
WEB11: Delicious Biscuits
Going in, there is a login page. I tried the weak credentials admin,admin and logged in smoothly, and later found that seemingly any account and password gets in...
Capturing the traffic shows a string: Set-Cookie: ZWUxMWNiYjE5MDUyZTQwYjA3YWFjMGNhMDYwYzIzZWU%3D
%3D is the URL encoding of "=", so Base64-decode ZWUxMWNiYjE5MDUyZTQwYjA3YWFjMGNhMDYwYzIzZWU= to get the MD5 ciphertext ee11cbb19052e40b07aac0ca060c23ee, then look up that MD5 to get user
So take admin, MD5 it, then Base64 it, set the result as the cookie, and get the flag.
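The WEB11 cookie is only base64(md5(username)) with no secret, so the server cannot tell a value it issued from one the client computed. The added Python example below (not code from the challenge or from the original write-up) rebuilds that scheme and contrasts it with an HMAC-signed cookie; SECRET, the function names and the name.tag cookie layout are assumptions for illustration.

```python
import base64
import hashlib
import hmac
from typing import Optional
from urllib.parse import quote, unquote

# Constructed server-side key for the hardened variant (assumption, not from the page).
SECRET = b"constructed-demo-key"


def weak_cookie(username: str) -> str:
    """Scheme described in the write-up: urlencode(base64(md5_hex(username)))."""
    digest = hashlib.md5(username.encode()).hexdigest()
    return quote(base64.b64encode(digest.encode()).decode(), safe="")


def weak_digest(cookie: str) -> str:
    """Undo the two encodings; what is left is an unkeyed MD5 of the username."""
    return base64.b64decode(unquote(cookie)).decode()


def signed_cookie(username: str) -> str:
    """Hardened form: username plus an HMAC-SHA256 tag only the server can compute."""
    tag = hmac.new(SECRET, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}.{tag}"


def verify_signed(cookie: str) -> Optional[str]:
    """Return the username when the tag verifies, otherwise None."""
    username, _, tag = cookie.rpartition(".")
    expected = hmac.new(SECRET, username.encode(), hashlib.sha256).hexdigest()
    ok = hmac.compare_digest(tag.encode(), expected.encode())
    return username if username and ok else None


if __name__ == "__main__":
    captured = weak_cookie("user")  # same value as the Set-Cookie in the write-up
    print(captured, "->", weak_digest(captured))
    # No secret is involved, so the value for any other name is computable client-side.
    print(weak_digest(weak_cookie("admin")) == hashlib.md5(b"admin").hexdigest())
    # With the HMAC scheme, swapping the name invalidates the tag.
    good = signed_cookie("user")
    forged = "admin." + good.split(".", 1)[1]
    print(verify_signed(good), verify_signed(forged))
```

In a real application the key would come from server configuration and the cookie would normally carry an expiry inside the signed data as well.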
MOCTF Web writeup