
1. Find backup files

1. Directory scan: python3 dirsearch.py -u http://10.10.10.175:32770 -e *

2. The scan turns up the backup file index.php.bk. Download it and read the source code to get the flag.

flag: Cyberpeace{855A1C4B3401294CB6604CCC98BDE334}

2. Flag hidden in cookies

1. Capture the HTTP traffic to the target IP with a proxy (packet-capture tool) and inspect the headers. The response sets a cookie that points at another page: Cookie: look-here=cookie.php

2. Visit http://220.249.52.13:41440/cookie.php. The page says "See the http response", which suggests the flag is in the response headers rather than the body.

3. Request http://220.249.52.13:41440/cookie.php again and read the raw response; the flag is in it.

4. Final flag: cyberpeace{71de0ba3c98781d7f78c4af6e5b684be}

3. Flag hidden under the button

1. Open http://220.249.52.13:52359/. The button is greyed out and cannot be clicked, so open the element inspector with F12.

2. Delete the disabled="" attribute from the button element, then click the button to get the flag.

3. Final flag: cyberpeace{e61ed8f7f37f036a89f6d3c5622bb8e9}

4. Get the flag with a weak password

1. Open http://220.249.52.13:35249/.

2. Log in with username admin and password 123456; the login succeeds and the flag is shown.

3. Final flag: cyberpeace{a136364c15e239b4f32b99d2d23e42ce}

3. Simple file-include code audit to get the flag

The page prints its own source:

<?php
show_source(__FILE__);
include('config.php');
$a=@$_GET['a'];
$b=@$_GET['b'];
if($a==0 and $a){
    echo $flag1;
}
if(is_numeric($b)){
    exit();
}
if($b>1234){
    echo $flag2;
}
?>

The code reads a and b from the GET parameters. If $a==0 and $a is truthy, flag1 is printed. If b is numeric (an integer, a float, or a numeric string), the script exits; otherwise, if $b>1234, flag2 is printed.

Basic knowledge (PHP loose-type comparison). Two of PHP's comparison operators:

==: converts both operands to a common type first, then compares the values

===: checks first whether the two operands have the same type, then compares the values

When == compares a string with a number, the string is converted to a number (PHP 5 and 7) and the two numbers are compared:

var_dump('a'==0); // true: 'a' has no digits at the start, so it converts to 0

var_dump('123a'==123); // true: '123a' converts to 123

var_dump('a123'==123); // false: PHP takes the leading run of digits as the value; if the string does not start with a valid number, its value is 0

var_dump('root'==0); // true: no leading number, so 'root' converts to 0

var_dump('22r22oot'==22); // true: the leading 22 is taken; the 22 after the r is not contiguous with it and is ignored, so 22==22

var_dump('root22'==0); // true: no leading number, so 'root22' converts to 0 and 0==0

var_dump('0e170'=='0e180'); // true: both sides are numeric strings in scientific notation, so they are compared as numbers, 0×10^170 == 0×10^180, i.e. 0==0

var_dump(0==='root'); // false: === compares the types first, and int and string differ

var_dump('0e830400451993494058024219903391'=='0e830400451993494058024219904444'); // true: both are numeric strings of the form 0e<digits>, so both convert to 0 and 0==0

var_dump('123.a1bc'==123); // true: the leading "123." parses as 123

var_dump('123.2abc'==123); // false: the leading "123.2" parses as 123.2

var_dump('123e2abc'==123); // false: the leading "123e2" parses as 12300

var_dump('123ea1bc'==123); // true: an "e" with no digits after it is not a valid exponent, so only 123 is taken

The leading run of digits determines the value, but a "." or "e"/"E" inside that run changes the parse, because "." introduces a decimal fraction and "e"/"E" introduces scientific notation; with those characters present, "take the leading number" no longer gives the intuitive result. If the string does not start with a valid number at all, its value is 0.

Caveat: PHP 8.0 changed these rules. A comparison between a number and a non-numeric string now converts the number to a string and compares the two strings, so 'abc'==0 and '123a'==123 are both false in PHP 8. The tricks below rely on PHP 5/7 semantics. The 0e... comparison is unaffected, because both operands are numeric strings and numeric strings are still compared as numbers.

1. Open the page and audit the code: flag1 is printed when both $a==0 and $a are true.

2. PHP's loose comparison makes 'abc'==0 true, and a non-empty string is truthy, so requesting a=abc yields flag1 (abc can be any non-numeric string).

http://220.249.52.133:53517/index.php?a=abc

3. is_numeric() returns TRUE for a numeric string and FALSE otherwise, and loose comparison makes '1234a'==1234 true (and, by the same rule, '1235a'>1234 true). So a non-numeric string with a leading number above 1234 passes both checks: requesting a=abc&b=1235a yields flag2.
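To make the comparison rules concrete, here is an emulation in Python. It is added here and is not part of the original write-up; the function names are mine. php7_to_number() implements the PHP 5/7 leading-number rule, php8_loose_eq() the PHP 8 rule, php_str_eq() the numeric-string case behind the 0e... comparisons, and check_challenge() mirrors the three conditions in index.php, so payloads such as a=abc&b=1235a can be tested offline.

```python
"""Emulation of PHP's loose (==) string/number comparison, to test the
challenge's checks offline.  Added example, not part of the write-up;
helper names are mine."""
import re

# Numeric string: optional leading whitespace, sign, digits with optional
# fraction and exponent, and nothing else.
_NUMERIC = re.compile(r'^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$')
# Leading-numeric prefix: the same grammar, but anything may follow.
_LEADING = re.compile(r'^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?')


def is_numeric(s: str) -> bool:
    """PHP is_numeric() on a string: the whole string must be a number."""
    return bool(_NUMERIC.match(s))


def php7_to_number(s: str) -> float:
    """PHP 5/7 string-to-number: the leading number if there is one, else 0.
    An 'e' not followed by digits, or a '.' with nothing after it, simply
    ends the prefix, which is why '123ea1bc' -> 123 and '123.a1bc' -> 123."""
    m = _LEADING.match(s)
    return float(m.group(0)) if m else 0.0


def php7_loose_eq(s: str, n) -> bool:
    """PHP 5/7: string == number converts the string to a number."""
    return php7_to_number(s) == float(n)


def php7_gt(s: str, n) -> bool:
    """PHP 5/7: string > number converts the string to a number."""
    return php7_to_number(s) > float(n)


def php8_loose_eq(s: str, n) -> bool:
    """PHP 8: only a numeric string is compared as a number; otherwise the
    number becomes a string and the two strings are compared."""
    if is_numeric(s):
        return float(s) == float(n)
    return s == str(n)


def php_str_eq(s1: str, s2: str) -> bool:
    """string == string (all versions): two numeric strings compare as
    numbers, which is the 0e... magic-hash case."""
    if is_numeric(s1) and is_numeric(s2):
        return float(s1) == float(s2)
    return s1 == s2


def php_truthy(s: str) -> bool:
    """PHP truthiness of a string: only '' and '0' are false."""
    return s not in ('', '0')


def check_challenge(a: str, b: str) -> dict:
    """Mirror of index.php under PHP 5/7 semantics: which flags would print."""
    flag1 = php7_loose_eq(a, 0) and php_truthy(a)
    if is_numeric(b):                       # exit() before the flag2 check
        return {'flag1': flag1, 'flag2': False, 'exited': True}
    return {'flag1': flag1, 'flag2': php7_gt(b, 1234), 'exited': False}


if __name__ == '__main__':
    print(check_challenge('abc', '1235a'))   # both flags
    print(check_challenge('abc', '1235'))    # is_numeric -> exit, no flag2
```

The regexes cover only the numeric-string grammar PHP itself uses (leading whitespace, sign, fraction, exponent); octal and hexadecimal literals are not numeric strings in PHP and are intentionally not recognised.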

Request used: http://220.249.52.133:53517/index.php?a=abc&b=12345f

IV. Flag of the POST and GET methods

1. Build the GET request http://220.249.52.133:48752/index.php?a=1

2. Following the page's prompt, submit b=2 as POST data (for example with the HackBar plug-in in Firefox) to get the flag.

5. Forging HTTP headers to bypass access restrictions and get the flag

Basic knowledge: X-Forwarded-For (XFF) is an HTTP request header that tells the server the IP address of the original requester when the request has passed through a proxy.

Because it is just a request header, a client can set X-Forwarded-For directly to forge the apparent source IP. Referer tells the server which URL the visitor came from; like XFF, it can be modified directly by the client.

1. Open http://220.249.52.13:54968/. The page says that only requests from the source IP 123.123.123.123 may access it.

2. Intercept the request and add the forged header X-Forwarded-For: 123.123.123.123. The response now says the request must come from https://www.google.com, so also add Referer: https://www.google.com and send the request again to get the flag.

Final flag: cyberpeace{f116fe3f881eef96edaaf3159a3131f8}
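The bypass above works because the server reads the client IP straight out of X-Forwarded-For, which any client can set. The following Python, added here and not part of the original write-up, parses the forged request, shows a naive check accepting it, and shows a hardened client-IP derivation rejecting it. The request text is constructed, the trusted-proxy range 10.0.0.0/8 is an assumption, and the helper names are mine. Referer is client-controlled by the same reasoning, so the hardened check does not rely on it at all.

```python
"""The XFF/Referer bypass from the write-up, replayed against a naive and a
hardened client-IP check.  Added example, not the challenge's server code;
the request text is constructed and the trusted-proxy range is assumed."""
from ipaddress import ip_address, ip_network

# Constructed: the request as sent after adding the two forged headers.
FORGED_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: 220.249.52.13:54968\r\n"
    "X-Forwarded-For: 123.123.123.123\r\n"
    "Referer: https://www.google.com\r\n"
    "\r\n"
)

REQUIRED_IP = "123.123.123.123"
REQUIRED_REFERER = "https://www.google.com"
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]   # assumed reverse-proxy range


def parse_headers(raw: str) -> dict:
    """Header block of a raw HTTP request as a dict with lower-cased names."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def naive_client_ip(headers: dict, remote_addr: str) -> str:
    """The vulnerable pattern: believe whatever the client put in XFF."""
    xff = headers.get("x-forwarded-for")
    return xff.split(",")[0].strip() if xff else remote_addr


def naive_check(headers: dict, remote_addr: str) -> bool:
    """The challenge's logic as the write-up infers it: both headers trusted."""
    return (naive_client_ip(headers, remote_addr) == REQUIRED_IP
            and headers.get("referer", "") == REQUIRED_REFERER)


def hardened_client_ip(headers: dict, remote_addr: str) -> str:
    """Honour XFF only when the TCP peer is a trusted proxy, and then take the
    right-most hop that is not itself a trusted proxy (each proxy appends the
    address it saw, so anything the client supplied sits further left)."""
    peer = ip_address(remote_addr)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return remote_addr                     # direct client: XFF is attacker data
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ip_address(hop)
        except ValueError:
            break                              # malformed entry: distrust the rest
        if not any(addr in net for net in TRUSTED_PROXIES):
            return hop
    return remote_addr


def hardened_check(headers: dict, remote_addr: str) -> bool:
    """Referer is still client-controlled, so only the derived IP is checked."""
    return hardened_client_ip(headers, remote_addr) == REQUIRED_IP


if __name__ == "__main__":
    hdrs = parse_headers(FORGED_REQUEST)
    print("naive:", naive_check(hdrs, "198.51.100.7"))        # True: bypassed
    print("hardened:", hardened_check(hdrs, "198.51.100.7"))  # False: peer is not a proxy
```

The hardened version only helps if the proxy in front of the application always appends the peer address it saw; with a proxy that passes the client's XFF through untouched, the right-most entry is still attacker data.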

6. Remote command execution to get the flag

Basic knowledge: command separators on Windows and Linux:

command1 && command2: run command1; if it succeeds, run command2

command1 | command2: run both, feeding the output of command1 into command2, so only command2's output is displayed

command1 & command2: run command1 in the background and command2 at the same time

command1 || command2: run command1; if it fails, run command2

1. Enter an IP address (127.0.0.1 is best). If the output is echoed back, the input reaches a shell and there is command execution.

2. Append a command to the input: 127.0.0.1 | find / -name flag.txt. The file is at /home/flag.txt.

3. Use 127.0.0.1 | cat /home/flag.txt to read the flag.

Final flag: cyberpeace{400f6c86f9dd25994afb930d13cc28b8}
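The separators above are what turn an IP field into a shell. The following Python is an added example, not the challenge's code; the function names and the ping command line are assumptions. It shows the vulnerable concatenation pattern, a splitter that lists which commands a shell would actually run for the payloads used in the write-up, and a hardened version that validates the input as an IP address and runs ping without a shell.

```python
"""Vulnerable ping handler beside a hardened one, for the separators listed
above.  Added example, not the challenge's code; function names and the
ping command line are assumptions."""
import ipaddress
import re
import subprocess

# Shell separators from the write-up: ||, &&, |, &, and ; (two-character
# forms first so that '||' is not split as two '|').
_SEPARATORS = re.compile(r'\|\||&&|[|&;]')


def vulnerable_command(ip: str) -> str:
    """The pattern behind the challenge: user input glued into a shell command
    line, as os.system() or subprocess.run(..., shell=True) would run it."""
    return "ping -c 1 " + ip


def injected_commands(ip: str) -> list:
    """What a shell actually runs for a given input: the command line split
    on the separators above."""
    parts = _SEPARATORS.split(vulnerable_command(ip))
    return [p.strip() for p in parts if p.strip()]


def validate_ip(ip: str) -> str:
    """Hardened input check: accept only a literal IPv4/IPv6 address and
    return its canonical form; anything else raises ValueError."""
    try:
        return str(ipaddress.ip_address(ip.strip()))
    except ValueError:
        raise ValueError("not an IP address: %r" % ip) from None


def safe_ping_argv(ip: str) -> list:
    """argv for a shell-free subprocess call; separators are now just data."""
    return ["ping", "-c", "1", validate_ip(ip)]


def is_accepted(ip: str) -> bool:
    """True when the hardened path would run ping for this input."""
    try:
        safe_ping_argv(ip)
        return True
    except ValueError:
        return False


def safe_ping(ip: str) -> subprocess.CompletedProcess:
    """Run ping without a shell (a list argument means shell=False)."""
    return subprocess.run(safe_ping_argv(ip), capture_output=True, text=True, timeout=5)


if __name__ == "__main__":
    payload = "127.0.0.1| cat /home/flag.txt"
    print(injected_commands(payload))   # two commands; the second reads the flag
    print(is_accepted(payload), is_accepted("127.0.0.1"))   # False True
```

Validating against an allow-list (here: the input must parse as an IP address) is the real fix; passing a list to subprocess without a shell is the second layer, so that even an unexpected character cannot start a new command.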

JS code audit to get the flag

After entering the environment we are asked for a password. Enter anything and click OK, then audit the code: whatever is entered, the script always ends up at the fake password. The real password is in the execution of String['fromCharCode'](dechiffre(...)):

1. The dechiffre function is defined first; ignore it for now, since it has not been called yet.

Note: first convert the hex-escaped string \x35\x35\x2c\x35\x36\x2c\x35\x34\x2c\x37\x39\x2c\x31\x31\x35\x2c\x36\x39\x2c\x31\x31\x34\x2c\x31\x34\x2c\x31\x31\x36\x2c\x31\x30 into plain text, by printing it in Python or with https://www.bejson.com/convert/ox2str/

Result: 55, 56, 54, 79, 115, 69, 114, 116, 107, 49, 50

2. Then String['fromCharCode'](dechiffre('55,56,54,79,115,69,114,116,107,49,50')); is executed.

3. This calls the dechiffre function:

String['fromCharCode'](dechiffre('55,56,54,79,115,69,114,116,107,49,50'));

(1) The string '55,56,54,79,115,69,114,116,107,49,50' is passed in as pass_enc, i.e. dechiffre(pass_enc)=dechiffre('55,56,54,79,115,69,114,116,107,49,50').

(2) Next comes the pass variable; set it aside for now.

(3) Because pass_enc='55,56,54,79,115,69,114,116,107,49,50', splitting it on commas gives the tab array:

tab=[55,56,54,79,115,69,114,116,107,49,50] Note: tab is an array of strings at this point, not of numbers.

(3) pass is split the same way:

tab2=[70,65,85,88,32,80,65,83,83,87,79,82,68,32,72,65,72,65]

(4) Variable declarations: var i,j,k,l=0,m,n,o,p='';i=0;j=tab.length;

At this point i,j,k,m,n,o are undefined; l=0 and p=''. Then i is set to 0 and j to 11 (the length of tab).

(5) n is assigned 0 inside the expression that computes k, so k=11+0+0=11. Note: l here is the letter l, not the digit 1.

(6) On line ten, n=18 (the length of tab2).

(7) The first for loop, simplified:

for(i=0; i<18; i++){
    o=tab[i-l];
    p+=String.fromCharCode((o=tab2[i]));
    if(i==5)break;
}

Explanation: o=tab[i-l] has no effect, because o is immediately overwritten by tab2[i].

First iteration: o=tab[0]; p=p+String.fromCharCode((o=tab2[0])), so o=70 and p=''+String.fromCharCode(70)='F'.

Second iteration: tab2[1]=65, p='FA'.

Third iteration: tab2[2]=85, p='FAU'.

Fourth iteration: tab2[3]=88, p='FAUX'.

Fifth iteration: tab2[4]=32, p='FAUX '.

Sixth iteration (i==5): tab2[5]=80, p='FAUX P', then break.

So at the end of this loop p is FAUX P (nothing is printed, but keep track of it).

(8) The second for loop, simplified:

for(i=0; i<18; i++){
    o=tab[i-l];
    if(i>5 && i<17)
        p+=String.fromCharCode((o=tab2[i]));
}

Explanation: same pattern as above, and p starts as the FAUX P left by the first loop. Iterations 6 to 16 append tab2[6..16], i.e. 65,83,83,87,79,82,68,32,72,65,72 = ASSWORD HAH, so p is now FAUX PASSWORD HAH.

(9) p+=String.fromCharCode(tab2[17]);

Because tab2=[70,65,85,88,32,80,65,83,83,87,79,82,68,32,72,65,72,65], tab2[17]=65, which is 'A'.

So p=FAUX PASSWORD HAH + A, i.e. FAUX PASSWORD HAHA.

(10) pass=p; return pass;

That is, pass=FAUX PASSWORD HAHA and the function returns FAUX PASSWORD HAHA.

3. After dechiffre returns, the remaining code runs:

h=window.prompt('Enter password');

alert( dechiffre(h) );

h is whatever is typed into the pop-up box, and dechiffre(h) is then shown in an alert. From the analysis above, the value of p never depends on tab: every character comes from tab2. So whatever h is (pass_enc=h), and whether or not it even splits into a usable array, only tab2 is used; the pass_enc parameter might as well not exist.

4. Conclusion: whatever is entered in the pop-up box, the function returns FAUX PASSWORD HAHA.

My guess is that String['fromCharCode'](dechiffre('\x35\x35\x2c\x35\x36\x2c\x35\x34\x2c\x37\x39\x2c\x31\x31\x35\x2c\x36\x39\x2c\x31\x31\x31\x34\x2c\x36\x39\x2c\x31\x31\x34\x2c\x31\x31\x36\x2c\x31\x30\x37\x2c\x34\x39\x2c\x35\x30')); is written with a mistake in its syntax, and that the value it never actually computes is the real one, that is, the flag.

So I do not use this function, which shows FAUX PASSWORD HAHA whatever is passed as pass_enc; we abandon it, rewrite the code and execute it ourselves.

<!DOCTYPE html>
<html>
<head>
<meta charset='utf-8'>
</head>
<body>
<script>
var n=String.fromCharCode(55,56,54,79,115,69,114,116,107,49,50);
document.write(n);
</script>
</body>
</html>

The final result is: 786OsErtk12

Or convert the decimal character codes to ASCII with a Python script:

a=[55,56,54,79,115,69,114,116,107,49,50]  # the codes passed to fromCharCode
print(''.join(chr(c) for c in a))
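As a check on the walk-through, the following Python is an added example: a port of the dechiffre control flow described above rather than the challenge's own JavaScript, with names of my own. It shows that the function's output is independent of its argument, and performs the two decoding steps, \xHH unescape followed by fromCharCode, that recover the real password. The escaped argument is constructed here from the codes the write-up lists.

```python
"""Python port of the obfuscated dechiffre() control flow described above,
plus the two decoding steps that recover the real password.  Added example,
not the challenge's JavaScript; names are mine and the escaped argument is
constructed from the codes listed in the write-up."""

# The hard-coded 'pass' string inside dechiffre (tab2 after split).
PASS_CODES = "70,65,85,88,32,80,65,83,83,87,79,82,68,32,72,65,72,65"


def dechiffre(pass_enc: str) -> str:
    """Same control flow as the JS: tab comes from the argument, but every
    appended character comes from tab2, so the result never depends on it."""
    _tab = pass_enc.split(',')           # read into o in the JS, then overwritten
    tab2 = PASS_CODES.split(',')
    n = len(tab2)                        # 18
    p = ''
    for i in range(n):                   # first loop: appends tab2[0..5]
        p += chr(int(tab2[i]))
        if i == 5:
            break
    for i in range(n):                   # second loop: appends tab2[6..16]
        if 5 < i < n - 1:
            p += chr(int(tab2[i]))
    p += chr(int(tab2[17]))              # final character
    return p


def js_hex_unescape(s: str) -> str:
    """Decode JavaScript \\xHH escapes: '\\x35\\x35\\x2c' -> '55,'."""
    return s.encode('ascii').decode('unicode_escape')


def codes_to_text(csv_codes: str) -> str:
    """String.fromCharCode over a comma-separated list of character codes."""
    return ''.join(chr(int(c)) for c in csv_codes.split(','))


# Constructed from the codes the write-up lists, in the \xHH form the JS uses.
ESCAPED_ARG = ''.join('\\x%02x' % ord(ch)
                      for ch in "55,56,54,79,115,69,114,116,107,49,50")


def real_password() -> str:
    """Unescape, then fromCharCode: the value the script computes but never shows."""
    return codes_to_text(js_hex_unescape(ESCAPED_ARG))


if __name__ == '__main__':
    print(dechiffre('anything'))   # FAUX PASSWORD HAHA, whatever the input
    print(real_password())         # 786OsErtk12
```

The useful lesson is the shape of the decoy: the only argument that carries real data is passed into a function whose output ignores it, so reading what the code does (rather than what it is called with) is the whole audit.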
