WeChall: partial write-ups

Training: Encodings I

We intercepted this message from one challenger to another, maybe you can find out what they were talking about.
To help you on your progress I coded a small java application, called JPK.
Note: The message is most likely in English.

10101001101000110100111100110100
00011101001100101111100011101000
10000011010011110011010000001101
11010110111000101101001111010001
00000110010111011101100011110111
11100100110010111001000100000110
00011110011110001111010011101001
01011100100000101100111011111110
10111100100100000111000011000011
11001111100111110111110111111100
10110010001000001101001111001101
00000110010111000011110011111100
11110011111010011000011110010111
0100110010111100100101110

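Using the JPK tool provided by the challenge author, split the binary string into groups of 7 bits, then convert each group to its ASCII character.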

Training: WWW-Basics

This one needs a server: set up a web server and write specific content into a specific file in a specific directory.

Limited Access

AuthUserFile .htpasswd
AuthGroupFile /dev/null
AuthName "Authorization Required for the Limited Access Challenge"
AuthType Basic
<Limit GET>
require valid-user
</Limit>

The .htaccess only restricts GET requests, so a POST request is enough. Note that when sending a POST, the POST field is added automatically.

Limited Access Too

http://www.chiange.com/wechall-limited-access-too-exploit-http/
Methods HTTP allows: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, LOCK, UNLOCK, TRACE

Just switch to a different method. Sending the request directly with curl works, and so does writing the request in a Python script.

PHP 0815 (Exploit, PHP)


<?php
# Only allow these ID's
$whitelist = array(1, 2, 3);

# if show is not set die with error.
if (false === ($show = isset($_GET['show']) ? $_GET['show'] : false)) {
        die('MISSING PARAMETER; USE foo.bar?show=[1-3]');
}
# check if get var is sane (is it in whitelist ?)
elseif (in_array($show, $whitelist)){
        $query = "SELECT 1 FROM `table` WHERE `id`=$show";
        echo 'Query: '.htmlspecialchars($query, ENT_QUOTES).'<br/>';
        die('SHOWING NUMBER '.htmlspecialchars($show, ENT_QUOTES));
}else # Not in whitelist !
{
        die('HACKER NONONO');
}
?> 
The exploitable function is in_array, which compares loosely (==) unless its third argument is true.
Solution:
 $query = "SELECT 1 FROM `table` WHERE `id`=int($show)";
 $query = "SELECT 1 FROM `table` WHERE `id`=intval($show)";
 $query = "SELECT 1 FROM `table` WHERE `id`=$show+0";
 $query = "SELECT 1 FROM `table` WHERE `id`=$show/1";
So the answer is: /1 or +0

In the real world, one way is in_array($show, $whitelist, true).
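
An added example, not part of the original write-up or the challenge source: it puts the challenge's loose in_array check beside a strict one. The helper names loose_check and strict_id and the sample inputs are constructed for illustration. Because $_GET values are always strings, the strict variant converts to int before comparing against the integer whitelist.

```php
<?php
declare(strict_types=1);

// Whitelist from the challenge source.
const WHITELIST = [1, 2, 3];

// The challenge's check: without the third argument, in_array() compares with ==.
function loose_check(string $show): bool
{
    return in_array($show, WHITELIST);
}

// Hardened check (hypothetical helper): accept only a canonical decimal integer,
// convert it to int, then compare strictly (===). Returns null when rejected.
function strict_id(string $show): ?int
{
    $id = filter_var($show, FILTER_VALIDATE_INT);
    if ($id === false || (string) $id !== $show) {
        return null; // not an integer, or not in canonical form
    }
    return in_array($id, WHITELIST, true) ? $id : null;
}

// Constructed sample inputs, as they would arrive in $_GET['show'].
$samples = ['1', '3', '4', '1.0', ' 2', '2abc', ''];

// The loose column depends on the PHP version: before PHP 8.0 a string that
// only starts with a whitelisted number also compares equal to it.
foreach ($samples as $show) {
    $id = strict_id($show);
    printf(
        "%-8s loose=%-5s strict=%s\n",
        var_export($show, true),
        var_export(loose_check($show), true),
        $id === null ? 'rejected' : "id $id"
    );
}
// The int returned by strict_id() is the value to put in the query,
// ideally as a bound parameter rather than by string concatenation.
```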