Training:Get Sourced
查看页面源代码
最下边
答案:html_sourcecode
Training:Stegano
图片用winhex打开就有
Training:WWW-Robots
http://www.wechall.net/robots.txt
http://www.wechall.net/challenge/training/www/robots/T0PS3CR3T/
Training:ASCII
ASCII码转字符即可
Traing:URL
解码得到一串URL,访问即可
Training: Crypto - Caesar
凯撒密码解密,每一次刷新后的密文都不一样,所以答案也不同
答案应该是划掉的部分
java代码
public class ceaser {
public static void main(String args[]){
String string="FTQ CGUOW NDAIZ RAJ VGYBE AHQD FTQ XMLK PAS AR OMQEMD MZP KAGD GZUCGQ EAXGFUAZ UE EDUNDTMNOAEU";
int length=string.length();
for(int i=0;i<26;i++){
StringBuilder ss=new StringBuilder("");
for(int j=0;j'Z'){
c=(char)(c-26);
ss.append(c);
}
else ss.append(c);
}
}
System.out.println(ss);
}
}
}
Training: Encodings
题目给了一串二进制,用工具JPK,有一个Binary(二进制)模块,设置宽度位7位,在选择Binary中的Binary format选项,生成7位二进制格式,再选择Binary 中的 Binary to ASC II 生成ASC码
Training: Crypto - Transposition I
替换密码,把一串密文,写成矩阵的形式,然后再打乱列的顺序,即得到密文
因此,只需要把密文写成矩阵,根据列之间的规律关系,恢复原顺序即可
http://tholman.com/other/transposition/
当列位数为2时,可以得到
Wonderful.You can ······ now:elsnaiellggc
Training:PHP LFI
LFI(local file include),php的本地文件包含漏洞
题目要求是访问../solution.php,
分析代码,后面有一个 '.html' ,使用%00截断,?file=../solution.php%00提交,不对,再向上一级提交,file=../../solution.php%00,通过。
Training:PHP 0817
看代码逻辑,赋值给which提交,并且代码后面有.php,因此只把solution赋值给which即可。
?which=solution提交通过。
Training:Crypto-Substitution
密文:
猜测CTFQ=THE,用 https://quipqiup.com/解密
Training: Programming 1:
脚本:
import requests
url= 'http://www.wechall.net/challenge/training/programming1/index.php?action=request'
cookie = dict(WC = '************************')
re = requests.get(url, cookies = cookie)
key = re.text
url2 = 'http://www.wechall.net/challenge/training/programming1/index.php?answer='
a = requests.get(url2 + key, cookies = cookie)
wechall.net的cookie
Training: MYSQL I
看题目给的源码
setLogging(false);
$db->setEMailOnError(false);
return $db;
}
/**
* Exploit this!
* @param WC_Challenge $chall
* @param unknown_type $username
* @param unknown_type $password
* @return boolean
*/
function auth1_onLogin(WC_Challenge $chall, $username, $password)
{
$db = auth1_db();
$password = md5($password);
$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
if (false === ($result = $db->queryFirst($query))) {
echo GWF_HTML::error('Auth1', $chall->lang('err_unknown'), false); # Unknown user
return false;
}
# Welcome back!
echo GWF_HTML::message('Auth1', $chall->lang('msg_welcome_back', htmlspecialchars($result['username'])), false);
# Challenge solved?
if (strtolower($result['username']) === 'admin') {
$chall->onChallengeSolved(GWF_Session::getUserID());
}
return true;
}
?>
admin 'or'1=1
Training: MYSQL II
源码:
setLogging(false);
$db->setEMailOnError(false);
return $db;
}
/**
* Exploit this! It is the same as MySQL-I, but with an additional check, marked with ###
* @param WC_Challenge $chall
* @param unknown_type $username
* @param unknown_type $password
* @return boolean
*/
function auth2_onLogin(WC_Challenge $chall, $username, $password)
{
$db = auth2_db();
$password = md5($password);
$query = "SELECT * FROM users WHERE username='$username'";
if (false === ($result = $db->queryFirst($query))) {
echo GWF_HTML::error('Auth2', $chall->lang('err_unknown'), false);
return false;
}
#############################
### This is the new check ###
if ($result['password'] !== $password) {
echo GWF_HTML::error('Auth2', $chall->lang('err_password'), false);
return false;
} # End of the new code ###
#############################
echo GWF_HTML::message('Auth2', $chall->lang('msg_welcome_back', array(htmlspecialchars($result['username']))), false);
if (strtolower($result['username']) === 'admin') {
$chall->onChallengeSolved(GWF_Session::getUserID());
}
return true;
}
?>
空着吧先,改天再补
Training:LSB
给了一张图
stegsolve
Training: Register Globals
看源码:
[chdir](http://www.php.net/chdir)('../../../../');
[define](http://www.php.net/define)('GWF_PAGE_TITLE', 'Training: Register Globals');
require_once('challenge/html_head.php');
if (false === ($chall = WC_Challenge::getByTitle(GWF_PAGE_TITLE))) { $chall = WC_Challenge::dummyChallenge(GWF_PAGE_TITLE, 2, 'challenge/training/php/globals/index.php');
}
$chall->showHeader();
GWF_Debug::setDieOnError(false);GWF_Debug::setMailOnError(false);
# EMULATE REGISTER GLOBALS = ON
foreach ($_GET as $k => $v) { $k = $v; }
# Send request?
if ([isset](http://www.php.net/isset)($_POST['password']) && [isset](http://www.php.net/isset)($_POST['username']) && [is_string](http://www.php.net/is_string)($_POST['password']) && [is_string](http://www.php.net/is_string)($_POST['username']) )
{
$uname = GDO::escape($_POST['username']); $pass = [md5](http://www.php.net/md5)($_POST['password']);
$query = "SELECT level FROM ".GWF_TABLE_PREFIX."wc_chall_reg_glob WHERE username='$uname' AND password='$pass'";
$db = gdo_db();
if (false === ($row = $db->queryFirst($query))) {
echo GWF_HTML::error('Register Globals', $chall->lang('err_failed')); } else {
# Login success
$login = [array](http://www.php.net/array)($_POST['username'], (int)$row['level']);
}
}
if ([isset](http://www.php.net/isset)($login))
{
echo GWF_HTML::message('Register Globals', $chall->lang('msg_welcome_back', [array](http://www.php.net/array)([htmlspecialchars](http://www.php.net/htmlspecialchars)($login[0]), [htmlspecialchars](http://www.php.net/htmlspecialchars)($login[1]))));
if ([strtolower](http://www.php.net/strtolower)($login[0]) === 'admin') { $chall->onChallengeSolved(GWF_Session::getUserID());
}
}
else
{?>
$v) { [unset](http://www.php.net/unset)($k); }
require_once 'challenge/html_foot.php';
?>
明显要求login[0]=admin,登陆即可
Host me
源码
本来以为改成host:localhost,尝试不对,看别人的wp
题目提示:
Fun Fact: There is even a virtualhost named localhost, which probably does not make it easier.
It seems like we need to reinstall the box, unless you can access this page with the correct constraints.
意思是还有一台名localhost的虚拟机,
访问主机与虚拟host存在相同路径,,而头部是自省略的写法,所以会因无法识别主机host而导致,
在修改host为localhost的前提下,需要补全路径,加上http协议即可