From e1a61c8bee36ff788bb31e2dedbc241779d315ad Mon Sep 17 00:00:00 2001 From: pnck Date: Wed, 9 Dec 2015 01:19:09 +0800 Subject: [PATCH] import from lorexxar --- 404/README.md | 15 +++++++++++++++ 404/webI.php | 13 +++++++++++++ 404/webl.php | 8 ++++++++ PersonalBlog/README.md | 9 +++++++++ fuck===/README.md | 10 ++++++++++ fuck===/index.php | 30 ++++++++++++++++++++++++++++++ injection/README.md | 16 ++++++++++++++++ injection/index.php | 30 ++++++++++++++++++++++++++++++ injection/saaave_233.txt | 0 injection/t3stt3et.xml | 27 +++++++++++++++++++++++++++ 10 files changed, 158 insertions(+) create mode 100644 404/README.md create mode 100644 404/webI.php create mode 100644 404/webl.php create mode 100644 PersonalBlog/README.md create mode 100644 fuck===/README.md create mode 100644 fuck===/index.php create mode 100644 injection/README.md create mode 100644 injection/index.php create mode 100644 injection/saaave_233.txt create mode 100644 injection/t3stt3et.xml diff --git a/404/README.md b/404/README.md new file mode 100644 index 0000000..df9dbea --- /dev/null +++ b/404/README.md @@ -0,0 +1,15 @@ +# 404 +## +题目非常简单,其实有100种方式可以做出来。F12可以,curl -I可以,抓包也可以。 +``` + ➜ ~ curl ‐I http://133.130.108.39:12340/3d9d48dc016f0417558ff26d82ec13cc/webI.php + HTTP/1.1 302 Moved Temporarily + Server: nginx + Date: Sun, 06 Dec 2015 15:37:43 GMT + Content‐Type: text/html; charset=UTF‐8 + Connection: keep‐alive + X‐Powered‐By: PHP/5.6.15 + flag: hctf{w3lcome_t0_hc7f_f4f4f4} + location: ./webl.php +``` +然而你们非要说我这是脑洞题。。。我只能Orz \ No newline at end of file diff --git a/404/webI.php b/404/webI.php new file mode 100644 index 0000000..bd0f6d0 --- /dev/null +++ b/404/webI.php @@ -0,0 +1,13 @@ + + +404 Not Found + +

404 Not Found

+
nginx
+ + + diff --git a/404/webl.php b/404/webl.php new file mode 100644 index 0000000..770b644 --- /dev/null +++ b/404/webl.php @@ -0,0 +1,8 @@ + + +404 Not Found + +

404 Not Found

+
nginx
+ + diff --git a/PersonalBlog/README.md b/PersonalBlog/README.md new file mode 100644 index 0000000..1094196 --- /dev/null +++ b/PersonalBlog/README.md @@ -0,0 +1,9 @@ +# Personal blog +## 出题思路: +博客源码都在github上面,就不放在这里了,博客其实是hexo,然而静态博客一般都要放在github-Pages上面。 + +## writeup: +其实本意是找博客的特点,所以写了两条提示,一条是flag在页面的源码中,另一个是一个登陆框,这个登陆框既是坑,也是提示,仔细找找就能找到那个登陆框是个假的,只要点击按钮就会弹窗提示密码错误。说明这个博客其实是没有后台的,然后去搜索静态博客,就能知道这样的博客必须搭在github上面了,去搜索id就可以了。 + +但是后来发现其实还有很多方式可以做,如果去抓包的话,可以发现一个github的**Server: GitHub.com** +所以去搜就好了,甚至做成社工题目,直接去搜,虽然可能搜到我真正的博客,但是还是能搜到。 diff --git a/fuck===/README.md b/fuck===/README.md new file mode 100644 index 0000000..8fb6e65 --- /dev/null +++ b/fuck===/README.md @@ -0,0 +1,10 @@ +# fuck=== +## 出题思路: +忘记最早是那里见到的了,现在能找到的就是这篇文章。 +[http://www.secbox.cn/hacker/1889.html](http://www.secbox.cn/hacker/1889.html) + +## payload: +?a[]=adsa&b[]=dsadsa + +## writeup: +大部分人想到的都是之前比赛常见的md5,类似于0exxx==0exxx这样的,但是如果是===的话,这样是不成立的,所以这里利用的是md5不能加密数组,所以就会返回Null,而Null===Null,get flag. \ No newline at end of file diff --git a/fuck===/index.php b/fuck===/index.php new file mode 100644 index 0000000..c19209b --- /dev/null +++ b/fuck===/index.php @@ -0,0 +1,30 @@ + + + + colliding + + + +
+if (isset($_GET['a']) and isset($_GET['b'])) {
+    if ($_GET['a'] != $_GET['b'])
+    	if (md5($_GET['a']) === md5($_GET['b']))
+        	die('Flag: '.$flag);
+    else
+        print 'Wrong.';
+
+ + + + + \ No newline at end of file diff --git a/injection/README.md b/injection/README.md new file mode 100644 index 0000000..c18b12f --- /dev/null +++ b/injection/README.md @@ -0,0 +1,16 @@ +# injection: + +# 出题思路: +出题思路来源于这篇文章: +[http://blog.csdn.net/yefan2222/article/details/7227932](http://blog.csdn.net/yefan2222/article/details/7227932) + +# payload +user']|//*|[' + +# writeup +其实自己看看xpath的语法就知道是怎么回事了 +[http://www.w3school.com.cn/xpath/](http://www.w3school.com.cn/xpath/) + +上面的payload的类似于sqli的 +1' or '1'='1 + diff --git a/injection/index.php b/injection/index.php new file mode 100644 index 0000000..93397ff --- /dev/null +++ b/injection/index.php @@ -0,0 +1,30 @@ +xpath($query); + + foreach($ans as $x => $x_value) + { + echo $x.": " . $x_value; + echo "
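Review bot: The `else` after `die('Flag: '.$flag);` binds to the inner `if (md5($_GET['a']) === md5($_GET['b']))`, not to the outer `if ($_GET['a'] != $_GET['b'])` that the indentation suggests, so equal inputs print nothing and only unequal, non-colliding inputs print 'Wrong.'; bracing both conditionals makes the pairing explicit, and the rewrite below prints 'Wrong.' on every non-flag path. The comparison also hashes `$_GET['a']` and `$_GET['b']` without checking that they are strings; the README relies on `md5()` of an array returning null under PHP 5 so that `null === null` holds, which is the challenge's intended bypass, whereas PHP 8 throws a TypeError for the same call, so the guard `if (!is_string($_GET['a']) || !is_string($_GET['b'])) { die('Wrong.'); }` is what a non-CTF deployment would need before hashing. The `if (md5(` line mixes a tab with spaces; normalising to four spaces avoids the misleading alignment that hides the dangling else. The file's `<?php` opening and the `$flag` assignment do not survive in this rendering, and the closing of the `isset` block is not visible either, so the enclosing block starts and ends outside what can be seen of the hunk.
```php
// … unchanged: HTML head and the $flag assignment, not visible in this rendering …
if (isset($_GET['a']) and isset($_GET['b'])) {
    // Reject non-string input before hashing: md5() cannot hash an array.
    if (!is_string($_GET['a']) || !is_string($_GET['b'])) {
        die('Wrong.');
    }
    if ($_GET['a'] != $_GET['b']) {
        if (md5($_GET['a']) === md5($_GET['b'])) {
            die('Flag: '.$flag);
        }
    }
    print 'Wrong.';
// … unchanged: closing of the isset block and HTML footer …
```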
"; + } + +} + +?> + diff --git a/injection/saaave_233.txt b/injection/saaave_233.txt new file mode 100644 index 0000000..e69de29 diff --git a/injection/t3stt3et.xml b/injection/t3stt3et.xml new file mode 100644 index 0000000..95a85f5 --- /dev/null +++ b/injection/t3stt3et.xml @@ -0,0 +1,27 @@ + + + + user1 + KEY:1 + user2 + KEY:2 + user3 + KEY:3 + user4 + KEY:4 + user5 + KEY:5 + user6 + KEY:6 + user7 + KEY:7 + user8 + KEY:8 + user9 + KEY:9 + + + hctf + flag:hctf{Dd0g_fac3_t0_k3yboard233} + + \ No newline at end of file
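Review bot: The result of `$xml->xpath($query)` is iterated without being checked, yet `SimpleXMLElement::xpath()` returns false when the expression fails to compile, so a malformed query turns the `foreach` into a warning and an empty page instead of a controlled error; add `if ($ans === false) { die('Invalid query.'); }` before the loop. Each match is also echoed raw into the HTML response at `echo $x.": " . $x_value;`, so node text containing markup would be rendered rather than displayed; `echo htmlspecialchars($x . ': ' . $x_value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` keeps it inert. The code that builds `$query` does not survive in this rendering of the hunk, but the README's payload shows it is assembled from the request string; since XPath 1.0 has no bound parameters, the mitigation is to reject any value outside the expected character set before it reaches the expression. The `if` that wraps the loop closes at the `}` on this line, but its opening is outside the visible part of the hunk.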