web
1.GET
Just pass a p3 parameter via GET.
header() function: used to send a raw HTTP header.
header() usage
<?php
error_reporting(0);
include('flag.php');
if($_GET['p1'] == '' or $_GET['p2'] == '') {
    header('location: index.php?p1=CDUSEC&p2=CTF');
}
highlight_file('index.php');
print $_GET['p1'];
print '<br>';
print $_GET['p2'];
print '<br>';
if($_GET['p3'] === 'flag') {
    print $flag;
}
2.POST
POST p3=flag and you're done.
3.Baidu
No real idea at first. Ctrl+U to view the source showed a baidu.png; downloaded it and even tried steganography... capturing the traffic gave nothing either. Scanning found robots.txt, and the flag was right there....
4.Contradiction
POST f2=0 and you're done.
<?php
include('flag.php');
$f1 = @$_GET['f1'];
$f2 = @$_POST['f2'];
$f3 = @$_COOKIE['f3'];
if($f2 !== '0') {
    echo 'no';
}
else {
    if($f1 == 0 and $f1 !== 0) {
        $f2 == $f3; // comparison result is discarded; this line has no effect
        if(md5($f2) == 0 and $f2 == 0) {
            echo $flag;
        }
    }
}
highlight_file(__FILE__);
5.HASH
function ctt($key)
{
    $t="";
    // XOR each byte with its position; applying ctt twice restores the input
    for($i=0;$i<strlen($key);++$i)
    {
        $t.=chr(ord($key[$i])^$i);
    }
    return $t;
}
$auth = false;
$role1 = "xxxxxxxxx";
$salt = "xxxxxxxxxx";//length no more than 15
if (isset($_COOKIE["role_true"])) {
    $hsh = $_COOKIE["hsh"];
    if ($_COOKIE["role_true"] === $role1 && $hsh === md5($salt.urldecode($_COOKIE["role"]))) {
        $auth = true;
    } else {
        $auth = false;
    }
} else {
    $s =$role1;
    setcookie('role',ctt(base64_encode($s)));
    $hsh = md5($salt.ctt(base64_encode($s)));
    setcookie('hsh',$hsh);
}
if ($auth) {
    echo "<h3>Welcome Admin. Your flag is ";
} else {
    echo "<h3>Only True Admin can see the flag!!</h3>";
}
The second condition of the if always holds; the key is the first condition. Property of XOR: applying it twice gives back the original. Capturing the request shows role=YVPweR3oRN%3B%7Bnj32;
note it contains two URL-encoded characters. After decoding and XORing we get YWRtaW5hZG1pbg==,
and base64-decoding that gives the answer.
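Added example (not part of the original writeup): a Python port of ctt() that checks the property the text relies on, namely that XOR-with-index is its own inverse, so the "role" cookie reveals $role1 to anyone who holds it and provides no confidentiality. The cookie value is the one captured above; CAPTURED_ROLE_COOKIE, recover_role and is_involution are names chosen here.

```python
import base64
from urllib.parse import unquote

# Cookie value as captured in the writeup (still URL-encoded).
CAPTURED_ROLE_COOKIE = "YVPweR3oRN%3B%7Bnj32"


def ctt(data: bytes) -> bytes:
    """Port of the challenge's ctt(): byte i is XORed with its index i."""
    return bytes(b ^ i for i, b in enumerate(data))


def is_involution(data: bytes) -> bool:
    """ctt undoes itself: (x ^ i) ^ i == x for every position."""
    return ctt(ctt(data)) == data


def recover_role(cookie_value: str) -> tuple[str, str]:
    """Invert setcookie('role', ctt(base64_encode($role1))).

    Returns (base64 text after undoing ctt, the decoded $role1).
    """
    raw = unquote(cookie_value).encode("latin-1")    # undo %3B -> ';' and %7B -> '{'
    b64 = ctt(raw).decode("ascii")                    # undo the XOR layer
    role1 = base64.b64decode(b64).decode("ascii")     # undo base64
    return b64, role1


if __name__ == "__main__":
    b64, role1 = recover_role(CAPTURED_ROLE_COOKIE)
    print("ctt is an involution:", is_involution(b"any input"))
    print("after undoing ctt:", b64)
    print("recovered role1:", role1)
```

Because the transform is reversible and keyless, only the md5 "hsh" check binds the cookie to the server; the role string itself is effectively sent in the clear.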
6.serialization-1
<?php
error_reporting(0);
class Test
{
    private $a = 'nothing';
    public function __destruct()
    {
        if($this->a != 'nothing') {
            highlight_file('flag.php');
        }
        else {
            echo 'No Flag!';
        }
    }
}
if(isset($_GET['data'])) {
    unserialize($_GET['data']);
}
else {
    highlight_file(__FILE__);
}
Well... the simplest possible deserialization, nothing much to write about...
'O:4:"Test":1:{s:7:"\00Test\00a";s:7:"oothing";}'
7.sql1
Manual injection didn't seem to work, so sqlmap it is.
For how to pass POST parameters, see an earlier post of mine.
sqlmap ran for half an hour...
8.WeekPassword
The challenge is literally called weak password..
But brute force didn't find it..