<?php
header("content-type:text/html;charset=utf-8");
show_source(__FILE__);
echo '<pre>';
include('u/ip.php');
include('flag.php');
// Reject clients whose address is already in the blacklist loaded from u/ip.php
// (the message reads "Your IP has been added to the system blacklist")
if (in_array($_SERVER['REMOTE_ADDR'],$ip)){
    die("您的ip已进入系统黑名单");
}
var_dump($ip);
if ($_POST[substr($flag,5...
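
Install the Go language environment and git:
yum install golang git -y
Run go env to check that the environment is correct.
Download the ngrok source with git:
cd /usr/local/
git clone https://github.com/inconshreveable/ngrok.git
Set the environment variables:
export GOPATH=/usr/local/ngrok/
export NGROK_DOMAIN="iloveflag.com"
Generate the certificate:
cd /usr/local/ngrok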
openssl genrsa -out rootCA.key 2048
openssl req ...

Pull directly from the Chinese repository:
https://github.com/debiancn/repo
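Sogou Input Method: use im-config to switch to fcitx; Ctrl+Space toggles the input method.
Sublime plugins for configuring the Python + PHP environment:
Configuring the C environment: http://www.mingw.org/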
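
After the Anheng monthly contest I was badly discouraged, so I need to work through some challenges to improve.
Looking at the response packet, there is a base64-encoded flag in it.
You have to be fast, so a script is clearly needed:
import requests, base64
url="http://d14acf28eaad4509867c8e946fb41af8f417e367a8d847ec.game.ichunqiu.com/"
# Use a session so cookies persist across requests
a=requests.session()
r=a.get(url)
# The flag arrives base64-encoded in a response header
flag=base64.b64decode(r.headers['flag...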

Open the archive and look at the CRC32 values.
The first three text files joined together form the archive password.
Recover the text contents from the CRCs.
Each one has many possible candidates.
Combine them with Python:
list1=["05J728","0EvF7h","2ysXnu","3y2iul","R9DrOf","WQkoQX"...
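
SVN leak; a tool recovers the source code.
SQL injection found in login; the WAF turns ' into \
The puzzling part is why a \ has to be added to get a result; the key is to think through the logical structure:
payload1: or 1=1#
Everything inside the single quotes is queried as a string.
payload2: or 1=1#'
Local reproduction:
<?php
$dbServername="localhost";
$dbUser="root";
$dbPassword="";
$dbName="...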

Install the EPEL repository:
sudo yum -y install epel-release
Create the repo file:
vi /etc/yum.repos.d/nginx.repo
Write the repo definition:
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=0
enabled=1
Restart:
systemctl restart nginx
yum install...

Look here: every pitfall you have hit, I have hit too.
On seeing the source, the first reaction should be to write a webshell to the server; the worn-out trick of writing a PHP trojan is definitely useless here, 23333
Reference exploit from an expert: https://github.com/orangetw/My-CTF-Web-Challenges/blob/master/hitcon-ctf-2017/babyfirst-revenge/exploit.py

Noting this down, otherwise I forget it every time.
yum install httpd -y
yum install mysql mysql-server -y
yum install php php-fpm -y
yum install php-mysql php-gd php-imap php-ldap php-odbc php-pear php-xml php-xmlrpc -y
service php-fpm restart
service mysqld restart
service httpd restart
Set the MySQL password:
mysqladmin -u roo...

filter file-inclusion example challenge: http://4.chinalover.sinaapp.com/web7/index.php
Reference: https://blog.csdn.net/qq_35544379/article/details/78230629
I found a file inclusion through the GET parameter file, but how do I get the flag? I could not figure it out.
So I quietly searched for a write-up.
The payload is http://4.chinalover.sinaapp.com/web7/index.php?file=php://filter/read=convert.base64-encode/resource=index.php...