Writeup

Accumulate, stay steady


Jarvis OJ

PORT 51

Please use port 51 to visit this site.

Connecting from local source port 51 is enough; the port has to be 51 on the public network side.

curl can do this:

curl --local-port 51 http://web.jarvisoj.com:32770/

It is worth learning how to use curl, including what each of its options does.

LOCALHOST

localhost access only!!

The site requires access from localhost.

Modify the request header:

X-FORWARDED-FOR: 127.0.0.1
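
Why the header trick works, as an added example (not the challenge's code, which this page does not show): a hypothetical server-side check that trusts X-Forwarded-For, next to one that starts from the TCP peer address. The request shape, the proxy address 10.0.0.5 and all function names are assumptions.

```javascript
// Added example: hypothetical server-side checks, not the challenge's code.
// A request is modelled as { remoteAddress, headers } (constructed shape).

// Vulnerable: believes whatever the client wrote in X-Forwarded-For.
function naiveIsLocal(req) {
  const xff = req.headers['x-forwarded-for'];
  const ip = xff ? xff.split(',')[0].trim() : req.remoteAddress;
  return ip === '127.0.0.1';
}

// Hardened: start from the TCP peer address, and only walk the
// X-Forwarded-For chain while the current hop is a proxy we operate.
function clientIp(req, trustedProxies) {
  let ip = req.remoteAddress;
  const chain = (req.headers['x-forwarded-for'] || '')
    .split(',').map(s => s.trim()).filter(Boolean);
  // Walk right to left: each trusted proxy appended the address it saw.
  while (trustedProxies.has(ip) && chain.length > 0) {
    ip = chain.pop();
  }
  return ip;
}

function hardenedIsLocal(req, trustedProxies) {
  return clientIp(req, trustedProxies) === '127.0.0.1';
}

// Constructed sample requests (documentation addresses from RFC 5737).
const TRUSTED = new Set(['10.0.0.5']); // assumed reverse proxy address
const spoofedDirect = {
  remoteAddress: '203.0.113.7',
  headers: { 'x-forwarded-for': '127.0.0.1' },
};
const spoofedViaProxy = {
  remoteAddress: '10.0.0.5',
  // client sent "127.0.0.1"; the proxy appended the peer it really saw
  headers: { 'x-forwarded-for': '127.0.0.1, 203.0.113.7' },
};
const genuineLocal = { remoteAddress: '127.0.0.1', headers: {} };

function demo() {
  return [spoofedDirect, spoofedViaProxy, genuineLocal].map(r => ({
    naive: naiveIsLocal(r),
    hardened: hardenedIsLocal(r, TRUSTED),
  }));
}
console.log(demo());
```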

XXE vulnerability

Login

select * from `admin` where password='".md5($pass,true)."' 

http://mslc.ctf.su/wp/leet-more-2010-oh-those-admins-writeup/

https://cvk.posthaven.com/sql-injection-with-raw-md5-hashes

For how PHP's md5 function performs its conversion and related questions, see 7gugu's Blog.


World of Attack and Defend

simple-JS

function dechiffre(pass_enc){
        var pass = "70,65,85,88,32,80,65,83,83,87,79,82,68,32,72,65,72,65";
        var tab  = pass_enc.split(',');
        var tab2 = pass.split(',');
        var i,j,k,l=0,m,n,o,p = "";
                i = 0;
                j = tab.length;
                k = j + (l) + (n=0);
                n = tab2.length;
                        for(i = (o=0); i < (k = j = n); i++ ){
                            o = tab[i-l];
                            p += String.fromCharCode((o = tab2[i]));
                                if(i == 5)break;}
                        // Appends through index 5, i.e. p = 70,65,85,88,32,80
                        for(i = (o=0); i < (k = j = n); i++ ){
                        o = tab[i-l];
                                if(i > 5 && i < k-1)
                                        p += String.fromCharCode((o = tab2[i]));
                            // Appends the rest, up to the last one
                        }
        p += String.fromCharCode(tab2[17]);
    // Appends the last one
        pass = p;
    return pass;
    }
    String["fromCharCode"](dechiffre("\x35\x35\x2c\x35\x36\x2c\x35\x34\x2c\x37\x39\x2c\x31\x31\x35\x2c\x36\x39\x2c\x31\x31\x34\x2c\x31\x31\x36\x2c\x31\x30\x37\x2c\x34\x39\x2c\x35\x30"));

    h = window.prompt('Enter password');
    alert( dechiffre(h) );

Convert the hex escapes to a string, then decode the ASCII codes to get the flag:

786OsErtk12



CTF   Learning Web
Author: Ge15emium
Copyright notice: Unless otherwise stated, all articles on this blog are licensed under CC BY-SA 3.0. Please credit the source when reposting!