-
Notifications
You must be signed in to change notification settings - Fork 53
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
pnck
committed
Dec 8, 2015
0 parents
commit e1a61c8
Showing
10 changed files
with
158 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| # 404 | ||
| ## | ||
| 题目非常简单,其实有100种方式可以做出来。F12可以,curl -I可以,抓包也可以。 | ||
| ``` | ||
| ➜ ~ curl ‐I http://133.130.108.39:12340/3d9d48dc016f0417558ff26d82ec13cc/webI.php | ||
| HTTP/1.1 302 Moved Temporarily | ||
| Server: nginx | ||
| Date: Sun, 06 Dec 2015 15:37:43 GMT | ||
| Content‐Type: text/html; charset=UTF‐8 | ||
| Connection: keep‐alive | ||
| X‐Powered‐By: PHP/5.6.15 | ||
| flag: hctf{w3lcome_t0_hc7f_f4f4f4} | ||
| location: ./webl.php | ||
| ``` | ||
| 然而你们非要说我这是脑洞题。。。我只能Orz |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
|
|
||
| <html> | ||
| <head><title>404 Not Found</title></head> | ||
| <body bgcolor="white"> | ||
| <center><h1>404 Not Found</h1></center> | ||
| <hr><center>nginx</center> | ||
| </body> | ||
| <?php | ||
| header('flag: hctf{w3lcome_t0_hc7f_f4f4f4}'); | ||
| header('location:./webl.php'); | ||
|
|
||
| ?> | ||
| </html> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
|
|
||
| <html> | ||
| <head><title>404 Not Found</title></head> | ||
| <body bgcolor="white"> | ||
| <center><h1>404 Not Found</h1></center> | ||
| <hr><center>nginx</center> | ||
| </body> | ||
| </html> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| # Personal blog | ||
| ## 出题思路: | ||
| 博客源码都在github上面,就不放在这里了,博客其实是hexo,然而静态博客一般都要放在github-Pages上面。 | ||
|
|
||
| ## writeup: | ||
| 其实本意是找博客的特点,所以写了两条提示,一条是flag在页面的源码中,另一个是一个登陆框,这个登陆框既是坑,也是提示,仔细找找就能找到那个登陆框是个假的,只要点击按钮就会弹窗提示密码错误。说明这个博客其实是没有后台的,然后去搜索静态博客,就能知道这样的博客必须搭在github上面了,去搜索id就可以了。 | ||
|
|
||
| 但是后来发现其实还有很多方式可以做,如果去抓包的话,可以发现一个github的**Server: github.com** | ||
| 所以去搜就好了,甚至做成社工题目,直接去搜,虽然可能搜到我真正的博客,但是还是能搜到。 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| # fuck=== | ||
| ## 出题思路: | ||
| 忘记最早是那里见到的了,现在能找到的就是这篇文章。 | ||
| [http://www.secbox.cn/hacker/1889.html](http://www.secbox.cn/hacker/1889.html) | ||
|
|
||
| ## payload: | ||
| ?a[]=adsa&b[]=dsadsa | ||
|
|
||
| ## writeup: | ||
| 大部分人想到的都是之前比赛常见的md5,类似于0exxx==0exxx这样的,但是如果是===的话,这样是不成立的,所以这里利用的是md5不能加密数组,所以就会返回Null,而Null===Null,get flag. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| <!DOCTYPE html> | ||
| <html> | ||
| <head> | ||
| <title>colliding</title> | ||
| </head> | ||
| <body> | ||
|
|
||
| <pre> | ||
| if (isset($_GET['a']) and isset($_GET['b'])) { | ||
| if ($_GET['a'] != $_GET['b']) | ||
| if (md5($_GET['a']) === md5($_GET['b'])) | ||
| die('Flag: '.$flag); | ||
| else | ||
| print 'Wrong.'; | ||
| </pre> | ||
|
|
||
| </body> | ||
| </html> | ||
|
|
||
| <?php | ||
| $flag='hctf{dd0g_fjdks4r3wrkq7jl}'; | ||
| if (isset($_GET['a']) and isset($_GET['b'])) { | ||
| if ($_GET['a'] != $_GET['b']) | ||
| if (md5($_GET['a']) === md5($_GET['b'])) | ||
| die('Flag: '.$flag); | ||
| else | ||
| print 'Wrong.'; | ||
| } | ||
|
|
||
| ?> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| # injection: | ||
|
|
||
| # 出题思路: | ||
| 出题思路来源于这篇文章: | ||
| [http://blog.csdn.net/yefan2222/article/details/7227932](http://blog.csdn.net/yefan2222/article/details/7227932) | ||
|
|
||
| # payload | ||
| user']|//*|[' | ||
|
|
||
| # writeup | ||
| 其实自己看看xpath的语法就知道是怎么回事了 | ||
| [http://www.w3school.com.cn/xpath/](http://www.w3school.com.cn/xpath/) | ||
|
|
||
| 上面的payload的类似于sqli的 | ||
| 1' or '1'='1 | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| <?php | ||
|
|
||
|
|
||
| $re = array('and','or','count','select','from','union','group','by','limit','insert','where','order','alter','delete','having','max','min','avg','sum','sqrt','rand','concat','sleep'); | ||
|
|
||
| setcookie('injection','c3FsaSBpcyBub3QgdGhlIG9ubHkgd2F5IGZvciBpbmplY3Rpb24=',time()+100000); | ||
|
|
||
| if(file_exists('t3stt3st.xml')) { | ||
| $xml = simplexml_load_file('t3stt3st.xml'); | ||
|
|
||
| $user=$_GET['user']; | ||
|
|
||
| $user=str_replace($re, ' ', $user); | ||
|
|
||
| // $user=str_replace("'", "&apos", $user); | ||
|
|
||
| $query="user/username[@name='".$user."']"; | ||
|
|
||
| $ans = $xml->xpath($query); | ||
|
|
||
| foreach($ans as $x => $x_value) | ||
| { | ||
| echo $x.": " . $x_value; | ||
| echo "<br />"; | ||
| } | ||
|
|
||
| } | ||
|
|
||
| ?> | ||
|
|
Empty file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| <?xml version="1.0" encoding="utf-8"?> | ||
| <root1> | ||
| <user> | ||
| <username name='user1'>user1</username> | ||
| <key>KEY:1</key> | ||
| <username name='user2'>user2</username> | ||
| <key>KEY:2</key> | ||
| <username name='user3'>user3</username> | ||
| <key>KEY:3</key> | ||
| <username name='user4'>user4</username> | ||
| <key>KEY:4</key> | ||
| <username name='user5'>user5</username> | ||
| <key>KEY:5</key> | ||
| <username name='user6'>user6</username> | ||
| <key>KEY:6</key> | ||
| <username name='user7'>user7</username> | ||
| <key>KEY:7</key> | ||
| <username name='user8'>user8</username> | ||
| <key>KEY:8</key> | ||
| <username name='user9'>user9</username> | ||
| <key>KEY:9</key> | ||
| </user> | ||
| <hctfadmin> | ||
| <username name='hctf1'>hctf</username> | ||
| <key>flag:hctf{Dd0g_fac3_t0_k3yboard233}</key> | ||
| </hctfadmin> | ||
| </root1> |