CTF练习平台——web(3)

1、Web4

CTF练习平台——web(3)_第1张图片

var p1 = '%66%75%6e%63%74%69%6f%6e%20%63%68%65%63%6b%53%75%62%6d%69%74%28%29%7b%76%61%72%20%61%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%70%61%73%73%77%6f%72%64%22%29%3b%69%66%28%22%75%6e%64%65%66%69%6e%65%64%22%21%3d%74%79%70%65%6f%66%20%61%29%7b%69%66%28%22%36%37%64%37%30%39%62%32%62'; var p2 = '%61%61%36%34%38%63%66%36%65%38%37%61%37%31%31%34%66%31%22%3d%3d%61%2e%76%61%6c%75%65%29%72%65%74%75%72%6e%21%30%3b%61%6c%65%72%74%28%22%45%72%72%6f%72%22%29%3b%61%2e%66%6f%63%75%73%28%29%3b%72%65%74%75%72%6e%21%31%7d%7d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%6c%65%76%65%6c%51%75%65%73%74%22%29%2e%6f%6e%73%75%62%6d%69%74%3d%63%68%65%63%6b%53%75%62%6d%69%74%3b'; eval(unescape(p1) + unescape('%35%34%61%61%32' + p2)); var p1 = '%66%75%6e%63%74%69%6f%6e%20%63%68%65%63%6b%53%75%62%6d%69%74%28%29%7b%76%61%72%20%61%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%70%61%73%73%77%6f%72%64%22%29%3b%69%66%28%22%75%6e%64%65%66%69%6e%65%64%22%21%3d%74%79%70%65%6f%66%20%61%29%7b%69%66%28%22%36%37%64%37%30%39%62%32%62'; var p2 = '%61%61%36%34%38%63%66%36%65%38%37%61%37%31%31%34%66%31%22%3d%3d%61%2e%76%61%6c%75%65%29%72%65%74%75%72%6e%21%30%3b%61%6c%65%72%74%28%22%45%72%72%6f%72%22%29%3b%61%2e%66%6f%63%75%73%28%29%3b%72%65%74%75%72%6e%21%31%7d%7d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%6c%65%76%65%6c%51%75%65%73%74%22%29%2e%6f%6e%73%75%62%6d%69%74%3d%63%68%65%63%6b%53%75%62%6d%69%74%3b'; eval(unescape(p1) + unescape('%35%34%61%61%32' + p2)); var p1 = '%66%75%6e%63%74%69%6f%6e%20%63%68%65%63%6b%53%75%62%6d%69%74%28%29%7b%76%61%72%20%61%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%70%61%73%73%77%6f%72%64%22%29%3b%69%66%28%22%75%6e%64%65%66%69%6e%65%64%22%21%3d%74%79%70%65%6f%66%20%61%29%7b%69%66%28%22%36%37%64%37%30%39%62%32%62'; var p2 = '%61%61%36%34%38%63%66%36%65%38%37%61%37%31%31%34%66%31%22%3d%3d%61%2e%76%61%6c%75%65%29%72%65%74%75%72%6e%21%30%3b%61%6c%65%72%74%28%22%45%72%72%6f%72%22%29%3b%61%2e%66%6f%63%75%73%28%29%3b%72%65%74%75%72%6e%21%31%7d%7d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%6c%65%76%65%6c%51%75%65%73%74%22%29%2e%6f%6e%73%75%62%6d%69%74%3d%63%68%65%63%6b%53%75%62%6d%69%74%3b'; eval(unescape(p1) + unescape('%35%34%61%61%32' + p2)); var p1 = '%66%75%6e%63%74%69%6f%6e%20%63%68%65%63%6b%53%75%62%6d%69%74%28%29%7b%76%61%72%20%61%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%70%61%73%73%77%6f%72%64%22%29%3b%69%66%28%22%75%6e%64%65%66%69%6e%65%64%22%21%3d%74%79%70%65%6f%66%20%61%29%7b%69%66%28%22%36%37%64%37%30%39%62%32%62';

var p2 = '%61%61%36%34%38%63%66%36%65%38%37%61%37%31%31%34%66%31%22%3d%3d%61%2e%76%61%6c%75%65%29%72%65%74%75%72%6e%21%30%3b%61%6c%65%72%74%28%22%45%72%72%6f%72%22%29%3b%61%2e%66%6f%63%75%73%28%29%3b%72%65%74%75%72%6e%21%31%7d%7d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%6c%65%76%65%6c%51%75%65%73%74%22%29%2e%6f%6e%73%75%62%6d%69%74%3d%63%68%65%63%6b%53%75%62%6d%69%74%3b';

eval(unescape(p1) + unescape('%35%34%61%61%32' + p2));

根据提示将上面的URL编码拼接到一起,再URL解码

function checkSubmit(){var a=document.getElementById("password");if("undefined"!=typeof a){if("67d709b2b54aa2aa648cf6e87a7114f1"==a.value)return!0;alert("Error");a.focus();return!1}}document.getElementById("levelQuest").onsubmit=checkSubmit;

根据脚本提示,将67d709b2b54aa2aa648cf6e87a7114f1写入输入框,点击提交,即得到flag


CTF练习平台——web(3)_第2张图片
KEY{J22JK-HS11}

2、web5

CTF练习平台——web(3)_第3张图片

查看源代码

根据提示JSPFUCK解码


CTF练习平台——web(3)_第4张图片
CTF{WHATFK}

3、flag在index里

CTF练习平台——web(3)_第5张图片

刚开始查看了下源代码,失败

抓包失败

发现file参数,又提示flag在index中,所以想到了文件包含,构造payload:

http://120.24.86.145:8005/post/index.php?file=php://filter/read=convert.base64-encode/resource=index.php

CTF练习平台——web(3)_第6张图片

获得base64编码的内容,解码得到flag:

flag{edulcni_elif_lacol_si_siht}

4、输入密码查看flag

CTF练习平台——web(3)_第7张图片

一看密码有5位数,只有进行爆破了

CTF练习平台——web(3)_第8张图片

虽然有点慢,但是最后得到答案

flag{bugku-baopo-hah}

5、前女友

CTF练习平台——web(3)_第9张图片

通过读这长篇,发现链接两个字

查看源代码


发现链接

点开链接,看到php代码


CTF练习平台——web(3)_第10张图片

利用md5弱类型匹配(PHP手册中的md5()函数的描述是string md5 ( string $str [, bool $raw_output = false ] ),md5()中的需要是一个string类型的参数。但是当你传递一个array时,md5()不会报错,只是无法正确地求出array的md5值,这样就会导致任意2个array的md5值都会相等。

和strcmp的数组的get漏洞

所以构造payload:

http://47.93.190.246:49162/?v1=QNKCDZO&v2=240610708&v3[]=0

得到flag:

SKCTF{Php_1s_tH3_B3St_L4NgUag3}

6、javascript

CTF练习平台——web(3)_第11张图片

进入网页查看源代码,发现


CTF练习平台——web(3)_第12张图片

post方法,只要将clicks赋值大于10000000就可以了


CTF练习平台——web(3)_第13张图片
flag{Not_C00kI3Cl1ck3r}

7、听说备份是个好习惯

CTF练习平台——web(3)_第14张图片

这道题尝试了目前掌握的各种方法没搞出来,在网上看到一个大佬的wp

在地址栏里输入:

CTF练习平台——web(3)_第15张图片

可以下载到源代码

/**

 *Created by PhpStorm.

 *User: Norse

 *Date: 2017/8/6

 *Time: 20:22

*/


include_once "flag.php";

ini_set("display_errors", 0);

$str = strstr($_SERVER['REQUEST_URI'],'?');

$str = substr($str,1);

$str = str_replace('key','',$str);

parse_str($str);

echo md5($key1);


echo md5($key2);

if(md5($key1) == md5($key2) &&$key1 !== $key2){

   echo $flag."取得flag";

}

?>

跟之前某题类似,md5的弱类型比较,构造payload:

kekeyy1=QNKCDZO&kkeyey2=240610708

Bugku{OH_YOU_FIND_MY_MOMY}

你可能感兴趣的:(CTF练习平台——web(3))