Xuanyuan Cup (轩辕杯) WP
WEB: ezjs
import requests
url="http://27.25.151.26:53243/getflag.php"
payload="score=100000000000"
headers={'Content-Type':...
Palu Cup (帕鲁杯) WP
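WEB: CatBank
Logic flaw: balances are allowed to go negative, so register several accounts and transfer between them; the flag is awarded once a balance reaches one million.
palu{0a2c13c6a72e4429a5ef89057f01ee16}
CatNet
A directory scan finds the /admin route, which says it is for local access only. After adding X-Forwarded-For:127.0.0.1, the response shows that /flag must be requested with X-Internal-Auth:cateye-internal-000, but that value is wrong; brute-forcing the number yields the flag at 123.
palu{e60ed7efcfe648b09439e4334b319e6e}
ezblog (reproduced after the contest)
Decompiling dashboard.class gives the following source, but I don't know how to find realkey.
package com.example.demo.Controller;
import org.noear.solon.annotation.Controller;
import org.noear.solon.annotation.Mapping;
import...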
CTBUCTF-WP
WEB: Welcome !!
ctbuctf{we1c0me_t0_CT9UC7F2025}
Sql_No_map…?
At first I was still testing by hand, then found there was something in the directory……
//index.php
<?php
require 'lib.php';
header("Content-Type: text/html; charset=utf-8");
$err = '';
$selected_id = $_GET['id'] ?? '';
$selected_article = null;
// Fetch the article list
$list_sql = "SELECT id, title FROM article ORDER BY id ASC"; // ascending order
$list_res = db()->query($list_sql);
$articles = [];
while ($row = $list_res->fetch_assoc()) { $articles[]...
Yuwang Cup (御网杯) WP
WEB: YWB_Web_xff
Source code leak:
<?php
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $cip = $_SERVER["HTTP_X_FORWARDED_FOR"];
    if ($cip == "2.2.2.1") {
        echo '<div class="success">';
        echo '<h2>登录成功!</h2>';
        $flag = file_get_contents('/flag.txt');
        echo '<p>flag{' . htmlspecialchars($flag) . '}</p>';
        echo...
ISCC-WP
2025 Regional Round
WEB: Nezha's Trial (哪吒的试炼)
The hint is about food, lotus root, so the parameter is food=lotus root. There is a disabled button; removing disable reveals the source:
<?php
if (isset($_POST['nezha'])) {
    $nezha = json_decode($_POST['nezha']);
    $seal_incantation = $nezha->incantation;
    $md5 = $nezha->md5;
    $secret_power = $nezha->power;
    $true_incantation = "I_am_the_spirit_of_fire";
    $final_incantation = preg_replace(
        "/" . preg_quote($true_incantation, '/') . "/", '', ...
ACTF-WP
WEB: not so web 1
For this challenge, first register any account and log in, then base64-decode to get the source:
import base64, json, time
import os, sys, binascii
from dataclasses import dataclass, asdict
from typing import Dict, Tuple
from secret import KEY, ADMIN_PASSWORD
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad
from flask import (
    Flask,
    render_template,
    render_template_string,
    request,
    redirect,
    url_for,
    flash,
    session,
)
app = Flask(__name__)
app.secret_key = KEY
@dataclass(kw_only=True)
class APPUser:
    name:...
Lanqiao Cup (蓝桥杯) WP
Hacker Escape Room (黑客密室逃脱)
Found the string d9d1c4d9e0aac2ccc8b162656c5eac9796ab92a88f9e9ba694686692a0999ad5c8dac5a097df696898ae
Brute-forcing gives name=app.py, which reveals the encryption function.
Requesting name=hidden.txt gives the key secret_key2031; a Python script then recovers the flag:
import binascii
def decrypt(encrypted_str, secret_key):
    key_ascii = [ord(c) for c in secret_key]
    binary_data = binascii.unhexlify(encrypted_str)
    byte_list = list(binary_data)
    plaintext = bytearray()
    for i in range(len(byte_list)):
        decrypted_byte = byte_list[i] - key_ascii[i % len(key_ascii)] ...
UCSCCTF-WP
WEB: ezLaravel-ucsc (Laravel framework vulnerability)
CVE-2024-40075; reference article: Laravel v11.x PHP Deserialization Vulnerability Analysis (CVE-2024-40075) - Xianzhi Community (先知社区)
The following source is found in routes/web.php:
Route::get('/', function (\Illuminate\Http\Request $request) {
    $str = base64_decode($request->input("str"));
    if(preg_match("/pearcmd/i",$str)){
        exit("这个不行");
    }
    unserialize($str);
    return "CTF";
});
So a gadget chain has to be found; the POP chain from the reference article:
<?php
namespace Termwind\ValueObjects{
    Class...
SWCTF-WP
WEB: MD5
Topic: MD5 bypass
robots.txt leads to free.php, whose source is as follows:
<?php
highlight_file(__FILE__);
error_reporting(0);
include 'flag.php'; // or require 'flag.php';
if (isset($_GET['name1']) && isset($_POST['password1']) && isset($_GET['name2']) && isset($_POST['password2']) ){
    $name1 = $_GET['name1'];
    $name2 = $_GET['name2'];
    $password1 = $_POST['password1'];
    $password2 =...
Study Notes on Competition Topics
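Directory traversal vulnerability (SQCTF-Through)
Principle
Improper use of a parameter to include files can let an attacker read arbitrary files on the server.
For example, a web page's HTML uses <img src="/image?filename=1.png"> to load the file 1.png under image.
When an attacker reads an arbitrary file with filename=../../../../../etc/passwd, the path becomes
/var/www/images/../../../../../etc/passwd, which is equivalent to /etc/passwd.
On Linux, ../ means go up one directory; on Windows, both ../ and ..\ mean go up one directory.
Using ../ at the root directory only stays at the current location.
Attack method
In a challenge like the one below, the file parameter may be at risk of directory traversal:
<!DOCTYPE html><html><head></head><body><a href=action.php?file=1.txt>my dairy</a><a...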