[attack and defense world web] difficulty 1-star 3-point introductory questions: get, post, robots, cookies, buttons, weak, PHP, web, serialize
2022-07-22 05:31:00 [Black zone (rise)]
I. view_source
Approach:
1. View the source with the developer tools (F12, right-click, Ctrl+Shift+I, Ctrl+U)
2. Prefix the URL with view-source:
3. Save the HTML page locally and open it there
4. Capture the page source with Burp Suite
5. Disable JavaScript in the browser
Steps:
View the source with the developer tools
view-source:http://61.147.171.105:65305/
Save the HTML page locally and open it there
Capture the request with the Burp Suite proxy to obtain the page source
5. Disable JavaScript in the browser
Right-clicking on the blank page does nothing, which may mean JavaScript on the front end is blocking it
Method 1: use a JavaScript toggle extension
Method 2: disable JavaScript permanently
In the Firefox address bar enter: about:config
Click the "Accept the Risk and Continue" button
Search for javascript.enabled, double-click the entry and change its value to false to disable JavaScript
II. get_post
Approach:
1. Use the HackBar tool
2. Use the Robots protocol (cannot be viewed)
Steps:
Use the HackBar tool
Use the Robots protocol (cannot be viewed)
III. robots
Approach:
1. View the robots.txt file
Knowledge points:
Steps:
Append /robots.txt to the URL
Check the access policy
Visit the /f1ag_1s_h3re.php page
IV. backup
Approach:
1. Backup files use the .bak suffix
Steps:
Most administrators give backup files the .bak suffix, so here we look for .bak files
Look for a backup of index.php: enter index.php.bak in the URL bar
The .php before .bak is overridden by the .bak suffix (and the file cannot be opened directly)
Remove the .bak suffix
V. cookie
Approach:
1. Use the HackBar tool
2. Capture the request with Burp
Steps:
Use a cookie editor tool
(or capture the request with Burp)
Open the cookie.php page
View the HTTP response
(look at the returned packet directly in the developer tools)
(or capture it with Burp)
VI. disabled_button
Approach:
1. Delete the special attribute
Steps:
Open the developer tools and view the page source
Delete the 'disabled=""' attribute from the button; the button then works normally
Click the flag button and the flag appears
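The lesson behind this challenge, as an added example that is not the challenge's own code: a disabled attribute is only a hint to the browser, so the server has to decide for itself whether the action is allowed. The "auth" form field and the "may_press_button" session flag are assumed names.

```php
<?php
// Added example (not the challenge's source). The disabled="" attribute is only a
// hint to the browser; anyone can remove it in the developer tools or skip the
// form entirely, so the server has to make the decision itself. The "auth"
// field and the "may_press_button" session flag are assumed names.

// Wrong: assumes the request can only exist if the button was enabled in the UI.
function handle_trusting_ui(array $post): string
{
    return isset($post['auth']) ? 'flag released' : 'nothing to do';
}

// Right: the same request is checked against server-side state the client cannot edit.
function handle_server_checked(array $post, array $session): string
{
    if (!isset($post['auth'])) {
        return 'nothing to do';
    }
    if (empty($session['may_press_button'])) {   // assumed session flag
        return 'forbidden';
    }
    return 'flag released';
}

// Constructed input: what arrives after the attribute is deleted and the button clicked.
$post = ['auth' => 'flag'];

echo handle_trusting_ui($post), "\n";                                    // flag released
echo handle_server_checked($post, ['may_press_button' => false]), "\n";  // forbidden
echo handle_server_checked($post, ['may_press_button' => true]), "\n";   // flag released
```

The first handler releases the flag for any request carrying the field, which is exactly what the developer-tools edit produces; the second only looks at state the client cannot rewrite.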
VII. weak_auth
Approach:
1. Use Burp to brute-force the weak password
Steps:
Enter nothing and click log in directly
The hint says admin (the account name)
Enter admin as the account and type in any password
Then capture the request with Burp and brute-force the password (Send to Intruder)
Set the payload position and configure the payload dictionary
Judge by the results: a response whose length is noticeably different may be the correct password
View the response to get the flag
VIII. simple_php
Approach:
1. Read the PHP code
Steps:
a and b are both GET parameters
flag1 and flag2 are what we want
is_numeric(): checks whether a variable is a number or a numeric string; returns TRUE if it is, otherwise FALSE
http://61.147.171.105:51599/index.php?a=a&b=1235b
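An added example, not the challenge's source (the writeup does not reproduce it): how is_numeric() classifies typical inputs, why a non-numeric string such as "1235b" still passes a greater-than comparison against 1234 (which is the kind of check the b=1235b payload is built for; an assumption, since the challenge code is not shown), and a strict validator that does not let PHP coerce the string. The sample inputs are constructed.

```php
<?php
// Added example, not the challenge's source: is_numeric() on edge-case inputs,
// PHP's loose string/number comparison, and a strict alternative.

/** Constructed sample inputs covering the edge cases. */
$samples = ['1235', '1235b', ' 1235', '1e3', '0x1A', '.5', 'a', ''];

/** Strict check: optional sign and decimal digits only; no whitespace, exponent or suffix. */
function is_plain_int(string $s): bool
{
    return preg_match('/^[+-]?\d+$/', $s) === 1;
}

/** Only compare after the strict check; never let PHP coerce a raw query string. */
function exceeds_limit(string $s, int $limit): bool
{
    return is_plain_int($s) && (int) $s > $limit;
}

printf("%-9s %-11s %-13s %s\n", 'input', 'is_numeric', 'is_plain_int', 'exceeds 1234');
foreach ($samples as $s) {
    printf("%-9s %-11s %-13s %s\n",
        var_export($s, true),
        var_export(is_numeric($s), true),
        var_export(is_plain_int($s), true),
        var_export(exceeds_limit($s, 1234), true));
}

// Loose comparison: "1235b" is not numeric, yet PHP evaluates "1235b" > 1234 as true
// (leading-number conversion in PHP 7; string comparison against "1234" in PHP 8).
var_dump('1235b' > 1234);               // bool(true)
var_dump(exceeds_limit('1235b', 1234)); // bool(false)
```

is_numeric() accepts leading whitespace, exponents and a bare decimal point (" 1235", "1e3", ".5"), rejects hex and suffixed strings ("0x1A", "1235b"), and is therefore neither a whitelist nor a guarantee that a later comparison behaves numerically; the strict check plus an explicit cast removes both surprises.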
IX. baby_web
Approach:
1. index.php is usually the initial page of a PHP site
Steps:
The described initial page is this one
The initial page of a PHP site is usually index.php
But all of them jump to 1.php (there is a redirect)
Try removing 1.php; removing just the suffix gives the same result
Capture the packet with Burp and send it to Repeater
The flag is found in the returned packet
X. Training-WWW-Robots
Approach:
1. View the robots.txt file
Knowledge points:
Steps:
Append robots.txt to the URL
Append /fl0g.php to the URL
XI. ics-06
Approach:
1. Use Burp to brute-force the id value
Steps:
Here is a place you can click
The challenge says there is only one; capture the request with Burp and brute-force it
Set the payload position
Set the payload type to Numbers (300 turned out not to be enough, so 3000)
Set the threads (30 is too slow)
The value found was small, so enlarge the range again
Analyse the results: one response has a size that is noticeably different from the others
XII. PHP2
Approach:
1. Read the PHP code
Steps:
The index.php page shows nothing
Directory scan: the wordlist has 410,000 (41w) entries, which is too slow, so only the start is shown
The scan finally finds index.phps
Append index.phps to the URL
The key information: $_GET[id] == "admin"
urldecode($_GET[id]) performs one decode
And the browser also decodes once
So admin must be encoded twice
(encoding only the initial a works the same)
%2561dmin
urldecode(%2561) = %61
urldecode(%61) = a
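The double decode, as an added example that is not the challenge's source. The first decode happens inside PHP when it builds $_GET from the query string (parse_str() does the same thing on a raw string, so it reproduces that step offline); the urldecode() call quoted from index.phps is the second decode. The three query strings are constructed.

```php
<?php
// Added example (not the challenge's source). parse_str() decodes a query
// string once, the same way PHP does when it fills $_GET, so it reproduces
// the first decode; urldecode() on the result is the second decode that the
// index.phps logic performs.

function run_double_decode_checks(string $rawQuery): array
{
    parse_str($rawQuery, $get);            // first decode, like $_GET
    $id = $get['id'] ?? '';
    return [
        'query'         => $rawQuery,
        'as_received'   => $id,                      // value the first check sees
        'first_check'   => $id === 'admin',          // $_GET[id] == "admin"
        'decoded_again' => urldecode($id),           // urldecode($_GET[id])
        'second_check'  => urldecode($id) === 'admin',
    ];
}

// Fix: compare the value PHP already decoded; never decode it a second time.
function id_is_admin(string $rawQuery): bool
{
    parse_str($rawQuery, $get);
    return ($get['id'] ?? '') === 'admin';
}

foreach (['id=admin', 'id=%61dmin', 'id=%2561dmin'] as $q) {
    print_r(run_double_decode_checks($q));
}
// id=admin      -> first_check true,  second_check true
// id=%61dmin    -> first_check true,  second_check true  (one decode already yields admin)
// id=%2561dmin  -> first_check false, second_check true  (only the double decode yields admin)

var_dump(id_is_admin('id=%2561dmin'));  // bool(false): the received value is "%61dmin"
```

Any filter that inspects a value before a second decode is comparing against a different string than the one the application finally uses; decoding exactly once, by the runtime, and checking that value is what keeps the two in step.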
XIII. unserialize3
Approach:
1. PHP serialization
Knowledge points:
Steps:
Seeing __wakeup() tells us this involves serialization and deserialization
When unserialize() deserializes, it calls the __wakeup() function
Understand what each character of the serialized form means
Looking at the code, the serialized result can be written directly
?code=O:4:"xctf":1:{s:4:"flag";s:3:"111";}
__wakeup() vulnerability: when the property count in the serialized string is greater than the object's real number of properties, __wakeup() execution is skipped
Change the 1 to 2, or any number greater than 1
?code=O:4:"xctf":2:{s:4:"flag";s:3:"111";}
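What the property-count trick does at the PHP level, as an added example that is not the challenge's source: only the class name, the flag property and the two payloads above come from the writeup; the call counter and the helper functions are constructed for illustration.

```php
<?php
// Added example (not the challenge's source). Shows when __wakeup() runs, what
// the property-count mismatch does to unserialize(), and a safer way to
// deserialize untrusted input.

class xctf
{
    public $flag = '111';
    public static $wakeupCalls = 0;

    public function __wakeup()
    {
        self::$wakeupCalls++;      // the challenge exits here; we only count the call
    }
}

function try_restore(string $payload): array
{
    $before = xctf::$wakeupCalls;
    $obj = @unserialize($payload);   // @ hides the "Error at offset" notice on bad input
    return [
        'result'        => $obj instanceof xctf ? 'xctf(flag=' . $obj->flag . ')' : var_export($obj, true),
        'wakeup_called' => xctf::$wakeupCalls > $before,
    ];
}

// Safer: whitelist the class and treat anything but a real object as a failure.
function restore_safely(string $payload): ?xctf
{
    $obj = @unserialize($payload, ['allowed_classes' => ['xctf']]);
    return $obj instanceof xctf ? $obj : null;
}

print_r(try_restore('O:4:"xctf":1:{s:4:"flag";s:3:"111";}'));
// result => xctf(flag=111), wakeup_called => true

print_r(try_restore('O:4:"xctf":2:{s:4:"flag";s:3:"111";}'));
// result => false, wakeup_called => false: the parser hits "}" while expecting a
// second property, unserialize() gives up and __wakeup() is never reached.

var_dump(restore_safely('O:4:"xctf":2:{s:4:"flag";s:3:"111";}'));  // NULL
var_dump(restore_safely('O:8:"stdClass":0:{}'));                    // NULL (class not allowed)
```

Two things follow from the second call. First, code that treats __wakeup() as its only input check is bypassed whenever the caller keeps going after unserialize() returns false, so the return value must be checked (the instanceof test above does that). Second, on PHP releases before 5.6.25 and 7.0.10 the partially built object was still torn down normally, so a __destruct() method ran without __wakeup() ever having run; current releases discard it without calling the destructor, which is why the fix in those versions mattered for classes with a destructor.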