-
2022强网杯WP
MISC签到
Flag值:
flag{we1come_t0_qwb_s6}强网先锋 rcefile
经过多次上传试验发现只能上传图片格式的文件,php、php5等格式的文件无法上传,但是可以利用.或者. . 绕过从而上传成功,但是蚁剑无法连接
经过多次试探,发现phar文件可以上传(需要验证文件类型,改成jpg格式即可)并成功连接
蚁剑成功连接
往上翻目录,找到flag
flag值:
flag{5d3c9f27-e8fe-4e5d-9a2d-4e907a32adec}Web babyweb
先注册一个账号,是一个聊天机器人,按照提示发送help
有两个功能,一个是changepw更改密码,一个是向管理员提交漏洞
试了试XSS,好像没什么用 Burp抓包,是websocket通信
百度搜索到websocket劫持漏洞
再结合更改密码+管理员身份,根据做题经验猜测是想办法更改管理员密码,从而拿到管理员权限。
于是就有了一个方向,很类似于Csrf,开始着手准备。
需要想办法让管理员去点击我们构造的更改密码的界面- 1
- 2
- 3
- 4
- 5
- 6
将之放在外网服务器上,在漏洞提交界面,也就是通过bugreport 向管理员提交
从而造成管理员在其本地访问这个页面并发送了更改密码的指令
然后我们再登录管理员账户,成功
还有一层,购买个hint,发现是源代码
进行代码审计,burp抓包
成功得到flag
flag值:
flag{617a3096-f514-4e7d-9472-e98924fbbec7}强网先锋asr
import gmpy2 n= 8250871280281573979365095715711359115372504458973444367083195431861307534563246537364248104106494598081988216584432003199198805753721448450911308558041115465900179230798939615583517756265557814710419157462721793864532239042758808298575522666358352726060578194045804198551989679722201244547561044646931280001 a=gmpy2.iroot(n, 2) print(a)- 1
- 2
- 3
- 4
- 5
先用gmpy2对n进行开方
得到a (就是标准的n)
a=2872432989693854281918578458293603200587306199407874717707522587993136874097838265650829958344702997782980206004276973399784460125581362617464018665640001
然后用yafu对这个数进行分解
得到
p = 260594583349478633632570848336184053653
q = 223213222467584072959434495118689164399
运行脚本解得mimport gmpy2 from Crypto.Util.number import * p = 260594583349478633632570848336184053653 q = 223213222467584072959434495118689164399 #r = 218566259296037866647273372633238739089 #s = 225933944608558304529179430753170813347 e=3 phi=p*(p-1)*q*(q-1) d=inverse(e,phi) n=p*p*q*q c=945272793717722090962030960824180726576357481511799904903841312265308706852971155205003971821843069272938250385935597609059700446530436381124650731751982419593070224310399320617914955227288662661442416421725698368791013785074809691867988444306279231013360024747585261790352627234450209996422862329513284149 m=pow(c,d,n) #mm1 = 1248984295174749683050825615411469211061247361327166117293032213981703895553936323127707213641064897178474925251326429742817744892644764737209862 flag = m.to_bytes(64,byteorder='big') print(m)- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
flag值
flag{Fear_can_hold_you_prisoner_Hope_can_set_you_free}Crypto myJWT
JWT和ECDSA签名
TOKEN由三部分构成,heaerd的base64,payload的base64,Signature(签名)
根据给的源码可知header内容没有变化,payload里面我们要让username等于administrator,同时具有管理员权限()
根据它给出的token ,我们base64解码,得到header和payload:
{"typ":"JWT","alg":"myES"} {"iss":"qwb","name":"administrator","admin":false,"exp":1659241547664}- 1
- 2
把payload改成
{"iss":"qwb","name":"administrator","admin":true,"exp":165924154766400}- 1
同时根据源码和ecdsa的特性,我们把jwt第三部分改成base64过去是乱码的’AAA=’
得到新的token
eyJ0eXAiOiJKV1QiLCJhbGciOiJteUVTIn0=.eyJpc3MiOiJxd2IiLCJuYW1lIjoiYWRtaW5pc3RyYXRvciIsImFkbWluIjp0cnVlLCJleHAiOjE2NTkyNDE1NDc2NjQwMH0=.AAA=
Flag值
flag{cve-2022-21449_Secur1ty_0f_c0de_1mplementation}强网先锋 polydiv
task.py里表明服务器上有两层解密,第一层是已知sha256和部分明文,求前四位明文,直接爆破可以得到;
import hashlib ss = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789' txt2 = "T9up62MRPNfO53WN" sha256enc="ab79fb51140b7edd2b9010e0c5a4f4fe3ff73c68c17f5fb1264de03b0388cda7" key=txt2 for a in ss: for b in ss: for c in ss: for d in ss: code = a+b+c+d encinfo = hashlib.sha256(bytes( (code+key).encode() ) ).hexdigest() if encinfo == sha256enc: print(code) print(encinfo) break- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
第二层是40次多项式计算,同样采用爆破的思路。
Poly2.py里面的函数和定义给了我们多项式的乘法和加法,简单分析后可得,题中多项式的乘法和除法仅保留了系数为1的单项式,利用给出的多项式第三个定义,同时观察题目得最高次数为14,b(x)最高次数为7,这里爆破到七层循环基本上就全部能解出来b(x)
得到单个求b(x)的脚本;class Polynomial2(): ''' 模二多项式环,定义方式有三种 一是从高到低给出每一项的系数 >>> Polynomial2([1,1,0,1]) x^3 + x^2 + 1 二是写成01字符串形式 >>> Polynomial2('1101') x^3 + x^2 + 1 三是直接给出系数为1的项的阶 >>> Poly([3,1,4]) x^4 + x^3 + x >>> Poly([]) # 加法元 0 >>> Poly(0) # 乘法元 1 >>> Poly(1,2) * Poly(2,3) x^5 + x^3 ''' def __init__(self, ll): if type(ll) == str: ll = list(map(int, ll)) self.param = ll[::-1] self.ones = [i for i in range(len(self.param)) if self.param[i] == 1] # 系数为1的项的阶数列表 self.Latex = self.latex() self.b = ''.join([str(i) for i in ll]) # 01串形式打印系数 self.order = 0 # 最高阶 try: self.order = max(self.ones) except: pass def format(self, reverse=True): ''' 格式化打印字符串 默认高位在左 reverse = False时,低位在左 但是注意定义多项式时只能高位在右 ''' r = '' if len(self.ones) == 0: return '0' if reverse: return ( (' + '.join(f'x^{i}' for i in self.ones[::-1]) + ' ').replace('x^0', '1').replace('x^1 ', 'x ')).strip() return ((' + '.join(f'x^{i}' for i in self.ones) + ' ').replace('x^0', '1').replace('x^1 ', 'x ')).strip() def __call__(self, x): ''' 懒得写了,用不到 ''' print(f'call({x})') def __add__(self, other): ''' 多项式加法 ''' a, b = self.param[::-1], other.param[::-1] if len(a) < len(b): a, b = b, a for i in range(len(a)): try: a[-1 - i] = (b[-1 - i] + a[-1 - i]) % 2 except: break return Polynomial2(a) def __mul__(self, other): ''' 多项式乘法 ''' a, b = self.param[::-1], other.param[::-1] r = [0 for i in range(len(a) + len(b) - 1)] for i in range(len(b)): if b[-i - 1] == 1: if i != 0: sa = a + [0] * i else: sa = a sa = [0] * (len(r) - len(sa)) + sa # r += np.array(sa) # r %= 2 r = [(r[t] + sa[t]) % 2 for t in range(len(r))] return Polynomial2(r) def __sub__(self, oo): # 模二多项式环,加减相同 return self + oo def __repr__(self) -> str: return self.format() def __str__(self) -> str: return self.format() def __pow__(self, a): # 没有大数阶乘的需求,就没写快速幂 t = Polynomial2([1]) for i in range(a): t *= self return t def latex(self, reverse=True): ''' Latex格式打印...其实就是给两位及以上的数字加个括号{} ''' def latex_pow(x): if len(str(x)) <= 1: return str(x) return '{' + str(x) + '}' r = '' if len(self.ones) == 0: return '0' if reverse: return (' + '.join(f'x^{latex_pow(i)}' for i in self.ones[::-1]) + ' ').replace('x^0', '1').replace(' x^1 ', ' x ').strip() return (' + '.join(f'x^{latex_pow(i)}' for i in self.ones) + ' ').replace('x^0', '1').replace(' x^1 ', ' x ').strip() def __eq__(self, other): return self.ones == other.ones def __lt__(self, other): return max(self.ones) < max(other.ones) def __le__(self, other): return max(self.ones) <= max(other.ones) def Poly(*args): ''' 另一种定义方式 Poly([3,1,4]) 或 Poly(3,1,4) ''' if len(args) == 1 and type(args[0]) in [list, tuple]: args = args[0] if len(args) == 0: return Polynomial2('0') ll = [0 for i in range(max(args) + 1)] for i in args: ll[i] = 1 return Polynomial2(ll[::-1]) PP = Polynomial2 P = Poly # 简化名称,按长度区分 P 和 PP if __name__ == '__main__': pr = Poly([14,13,12,8,5,2,0]) pa = Poly([7,6,4,3,2]) pc = Poly([6,4,0]) for a in range(8): bx = Poly(a) if(bx * pa + pc == pr): print(bx) break for a in range(8): for b in range(a+1,8): bx = Poly(a,b) ccx = bx * pa if(bx * pa + pc == pr): print(bx) break for a in range(8): for b in range(a+1,8): for c in range(b+1,8): bx = Poly(a,b,c) ccx= bx * pa if(bx * pa + pc == pr): print(bx) break for a in range(8): for b in range(a+1,8): for c in range(b+1,8): for d in range(c+1,8): bx = Poly(a,b,c,d) ccx = bx * pa if(bx * pa + pc == pr): print(bx) break for a in range(8): for b in range(a+1,8): for c in range(b+1,8): for d in range(c+1,8): for e in range(d+1,8): bx = Poly(a,b,c,d,e) ccx = bx * pa if(bx * pa + pc == pr): print(bx) break for a in range(8): for b in range(a+1,8): for c in range(b+1,8): for d in range(c+1,8): for e in range(d+1,8): for f in range(e+1,8): ccx = bx * pa bx = Poly(a,b,c,d,e,f) if(bx * pa + pc == pr): print(bx) break for a in range(8): for b in range(a+1,8): for c in range(b+1,8): for d in range(c+1,8): for e in range(d+1,8): for f in range(e+1,8): for g in range(f+1,8): ccx = bx * pa bx = Poly(a,b,c,d,e,f,g) if(bx * pa + pc == pr): print(bx) break for a in range(8): for b in range(a+1,8): for c in range(b+1,8): for d in range(c+1,8): for e in range(d+1,8): for f in range(e+1,8): for g in range(f+1,8): for h in range(g+1,8): ccx = bx * pa bx = Poly(a,b,c,d,e,f,g,h) if(bx * pa + pc == pr): print(bx) break for a in range(8): for b in range(a + 1, 8): for c in range(b + 1, 8): for d in range(c + 1, 8): for e in range(d + 1, 8): for f in range(e + 1, 8): for g in range(f + 1, 8): for h in range(g + 1, 8): for i in range(h+1,8): ccx = bx * pa bx = Poly(a, b, c, d, e, f, g, h,i) if (bx * pa + pc == pr): print(bx) break- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
- 93
- 94
- 95
- 96
- 97
- 98
- 99
- 100
- 101
- 102
- 103
- 104
- 105
- 106
- 107
- 108
- 109
- 110
- 111
- 112
- 113
- 114
- 115
- 116
- 117
- 118
- 119
- 120
- 121
- 122
- 123
- 124
- 125
- 126
- 127
- 128
- 129
- 130
- 131
- 132
- 133
- 134
- 135
- 136
- 137
- 138
- 139
- 140
- 141
- 142
- 143
- 144
- 145
- 146
- 147
- 148
- 149
- 150
- 151
- 152
- 153
- 154
- 155
- 156
- 157
- 158
- 159
- 160
- 161
- 162
- 163
- 164
- 165
- 166
- 167
- 168
- 169
- 170
- 171
- 172
- 173
- 174
- 175
- 176
- 177
- 178
- 179
- 180
- 181
- 182
- 183
- 184
- 185
- 186
- 187
- 188
- 189
- 190
- 191
- 192
- 193
- 194
- 195
- 196
- 197
- 198
- 199
- 200
- 201
- 202
- 203
- 204
- 205
- 206
- 207
- 208
- 209
- 210
- 211
- 212
- 213
- 214
- 215
- 216
- 217
- 218
- 219
- 220
- 221
- 222
- 223
- 224
- 225
- 226
- 227
- 228
- 229
- 230
- 231
- 232
- 233
- 234
- 235
- 236
- 237
- 238
- 239
- 240
- 241
- 242
- 243
- 244
- 245
- 246
- 247
- 248
- 249
- 250
- 251
- 252
- 253
- 254
题目中有40次循环,手动输入太慢,写一个自动提交的脚本:
import hashlib from pwn import * ss = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789' def talk_with_server(known, shaenc): for a in ss: for b in ss: for c in ss: for d in ss: code = a + b + c + d # print(type(code)) encinfo = hashlib.sha256(bytes((code + known).encode())).hexdigest() if encinfo == shaenc: print('code', code) print(encinfo) return code class Polynomial2(): ''' 模二多项式环,定义方式有三种 一是从高到低给出每一项的系数 >>> Polynomial2([1,1,0,1]) x^3 + x^2 + 1 二是写成01字符串形式 >>> Polynomial2('1101') x^3 + x^2 + 1 三是直接给出系数为1的项的阶 >>> Poly([3,1,4]) x^4 + x^3 + x >>> Poly([]) # 加法元 0 >>> Poly(0) # 乘法元 1 >>> Poly(1,2) * Poly(2,3) x^5 + x^3 ''' def __init__(self, ll): if type(ll) == str: ll = list(map(int, ll)) self.param = ll[::-1] self.ones = [i for i in range(len(self.param)) if self.param[i] == 1] # 系数为1的项的阶数列表 self.Latex = self.latex() self.b = ''.join([str(i) for i in ll]) # 01串形式打印系数 self.order = 0 # 最高阶 try: self.order = max(self.ones) except: pass def format(self, reverse=True): ''' 格式化打印字符串 默认高位在左 reverse = False时,低位在左 但是注意定义多项式时只能高位在右 ''' r = '' if len(self.ones) == 0: return '0' if reverse: return ( (' + '.join(f'x^{i}' for i in self.ones[::-1]) + ' ').replace('x^0', '1').replace('x^1 ', 'x ')).strip() return ((' + '.join(f'x^{i}' for i in self.ones) + ' ').replace('x^0', '1').replace('x^1 ', 'x ')).strip() def __call__(self, x): ''' 懒得写了,用不到 ''' print(f'call({x})') def __add__(self, other): ''' 多项式加法 ''' a, b = self.param[::-1], other.param[::-1] if len(a) < len(b): a, b = b, a for i in range(len(a)): try: a[-1 - i] = (b[-1 - i] + a[-1 - i]) % 2 except: break return Polynomial2(a) def __mul__(self, other): ''' 多项式乘法 ''' a, b = self.param[::-1], other.param[::-1] r = [0 for i in range(len(a) + len(b) - 1)] for i in range(len(b)): if b[-i - 1] == 1: if i != 0: sa = a + [0] * i else: sa = a sa = [0] * (len(r) - len(sa)) + sa # r += np.array(sa) # r %= 2 r = [(r[t] + sa[t]) % 2 for t in range(len(r))] return Polynomial2(r) def __sub__(self, oo): # 模二多项式环,加减相同 return self + oo def __repr__(self) -> str: return self.format() def __str__(self) -> str: return self.format() def __pow__(self, a): # 没有大数阶乘的需求,就没写快速幂 t = Polynomial2([1]) for i in range(a): t *= self return t def latex(self, reverse=True): ''' Latex格式打印...其实就是给两位及以上的数字加个括号{} ''' def latex_pow(x): if len(str(x)) <= 1: return str(x) return '{' + str(x) + '}' r = '' if len(self.ones) == 0: return '0' if reverse: return (' + '.join(f'x^{latex_pow(i)}' for i in self.ones[::-1]) + ' ').replace('x^0', '1').replace(' x^1 ', ' x ').strip() return (' + '.join(f'x^{latex_pow(i)}' for i in self.ones) + ' ').replace('x^0', '1').replace(' x^1 ', ' x ').strip() def __eq__(self, other): return self.ones == other.ones def __lt__(self, other): return max(self.ones) < max(other.ones) def __le__(self, other): return max(self.ones) <= max(other.ones) def Poly(*args): ''' 另一种定义方式 Poly([3,1,4]) 或 Poly(3,1,4) ''' if len(args) == 1 and type(args[0]) in [list, tuple]: args = args[0] if len(args) == 0: return Polynomial2('0') ll = [0 for i in range(max(args) + 1)] for i in args: ll[i] = 1 return Polynomial2(ll[::-1]) PP = Polynomial2 P = Poly # 简化名称,按长度区分 P 和 PP def get_bx(r1, a1, c1): # pr = Poly([14,13,11,10,9,3,1,0]) # pa = Poly([7,3,1,0]) # pc = Poly([6,5,2,1]) # r = {} # a = {} # c = {} # lenR = input("R len") # for i in range(int(lenR)): # r[i] = input() # lenA = input("A len") # for i in range(int(lenA)): # a[i] = input() # lenC = input('C len') # for i in range(int(lenC)): # c[i] = input() pr = Poly(r1) pa = Poly(a1) pc = Poly(c1) print(pr) for a in range(8): bx = Poly(a) if (bx * pa + pc == pr): print(bx) return bx for a in range(8): for b in range(a + 1, 8): bx = Poly(a, b) ccx = bx * pa if (bx * pa + pc == pr): print(bx) return bx for a in range(8): for b in range(a + 1, 8): for c in range(b + 1, 8): bx = Poly(a, b, c) ccx = bx * pa if (bx * pa + pc == pr): print(bx) return bx for a in range(8): for b in range(a + 1, 8): for c in range(b + 1, 8): for d in range(c + 1, 8): bx = Poly(a, b, c, d) ccx = bx * pa if (bx * pa + pc == pr): print(bx) return bx for a in range(8): for b in range(a + 1, 8): for c in range(b + 1, 8): for d in range(c + 1, 8): for e in range(d + 1, 8): bx = Poly(a, b, c, d, e) ccx = bx * pa if (bx * pa + pc == pr): print(bx) return bx for a in range(8): for b in range(a + 1, 8): for c in range(b + 1, 8): for d in range(c + 1, 8): for e in range(d + 1, 8): for f in range(e + 1, 8): bx = Poly(a, b, c, d, e, f) ccx = bx * pa bx = Poly(a, b, c, d, e, f) if (bx * pa + pc == pr): print(bx) return bx for a in range(8): for b in range(a + 1, 8): for c in range(b + 1, 8): for d in range(c + 1, 8): for e in range(d + 1, 8): for f in range(e + 1, 8): for g in range(f + 1, 8): bx = Poly(a, b, c, d, e, f, g) ccx = bx * pa bx = Poly(a, b, c, d, e, f, g) if (bx * pa + pc == pr): print(bx) return bx for a in range(8): for b in range(a + 1, 8): for c in range(b + 1, 8): for d in range(c + 1, 8): for e in range(d + 1, 8): for f in range(e + 1, 8): for g in range(f + 1, 8): for h in range(g + 1, 8): bx = Poly(a, b, c, d, e, f, g, h) ccx = bx * pa bx = Poly(a, b, c, d, e, f, g, h) if (bx * pa + pc == pr): print(bx) return bx for a in range(8): for b in range(a + 1, 8): for c in range(b + 1, 8): for d in range(c + 1, 8): for e in range(d + 1, 8): for f in range(e + 1, 8): for g in range(f + 1, 8): for h in range(g + 1, 8): for i in range(h + 1, 8): # bx = Poly(a, b, c, d, e, f,g,h,i) ccx = bx * pa bx = Poly(a, b, c, d, e, f, g, h, i) if (bx * pa + pc == pr): print(bx) return bx tableR = ['x^14 ', 'x^13 ', 'x^12 ', 'x^11 ', 'x^10 ', 'x^9 ', 'x^8 ', 'x^7 ', 'x^6 ', 'x^5 ', 'x^4 ', 'x^3 ', 'x^2 ', 'x ', '1'] tableR1 = ['x^14', 'x^13', 'x^12', 'x^11', 'x^10', 'x^9', 'x^8', 'x^7', 'x^6', 'x^5', 'x^4', 'x^3', 'x^2', 'x', '1'] tableA = ['x^7 ', 'x^6 ', 'x^5 ', 'x^4 ', 'x^3 ', 'x^2 ', 'x ', '1'] tableA1 = ['x^7', 'x^6', 'x^5', 'x^4', 'x^3', 'x^2', 'x', '1'] tableC = ['x^6 ', 'x^5 ', 'x^4 ', 'x^3 ', 'x^2 ', 'x ', '1'] tableC1 = ['x^6', 'x^5', 'x^4', 'x^3', 'x^2', 'x', '1'] def parse_polyR(r, ply): ply = str(ply) for i in range(15): if ply.startswith(tableR[i]) and not ply.endswith(tableR1[i]): if ply.startswith(tableR[i]): r[i] = 14 - i ply = ply[len(tableR[i]) + 2:] if ply.endswith(tableR1[i]): r[i] = 14 - i def parse_polyA(a, ply): ply = str(ply) for i in range(8): if ply.startswith(tableA[i]) and not ply.endswith(tableA1[i]): if ply.startswith(tableA[i]): a[i] = 7 - i ply = ply[len(tableA[i]) + 2:] if ply.endswith(tableA1[i]): a[i] = 7 - i def parse_polyC(c, ply): ply = str(ply) for i in range(7): if ply.startswith(tableC[i]) and not ply.endswith(tableC1[i]): if ply.startswith(tableC[i]): c[i] = 6 - i ply = ply[len(tableC[i]) + 2:] if ply.endswith(tableC1[i]): c[i] = 6 - i if __name__ == '__main__': a1 = {} r1 = {} c1 = {} p = remote("182.92.223.176", 25342) p.recvuntil("sha256(XXXX+") given = str(p.recv(16).strip()) print('given', given, type(given), len(given)) given = given[2:-1] print('given', given, type(given), len(given)) p.recv(5) sha256enc = str(p.recv( 64)) sha256enc = sha256enc[2:-1] print(given, sha256enc) print(p.recvuntil(" XXXX:")) XXXX = talk_with_server(given, sha256enc) print(XXXX) p.sendline(str(XXXX)) j = 0 while j < 45: rx = str(p.recvline()) print(rx) if j > 0: print(str(rx[9:-3])) parse_polyR(r1, str(rx[9:-3])) else: print(str(rx[10:-3])) parse_polyR(r1, str(rx[10:-3])) ax = str(p.recvline()) print(ax) print(str(ax[9:-3])) cx = str(p.recvline()) print(cx) print(str(cx[9:-3])) j += 1 parse_polyA(a1, str(ax[9:-3])) parse_polyC(c1, str(cx[9:-3])) print('rx:', type(r1.values()), list(r1.values())) print('ax-:', a1.values()) print('cx-:', c1.values()) p.recvline() bx = get_bx(list(r1.values()), list(a1.values()), list(c1.values())) print(bx) p.sendline(str(bx)) print(p.recvline()) print('done', j) a1 = {} r1 = {} c1 = {}- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
- 93
- 94
- 95
- 96
- 97
- 98
- 99
- 100
- 101
- 102
- 103
- 104
- 105
- 106
- 107
- 108
- 109
- 110
- 111
- 112
- 113
- 114
- 115
- 116
- 117
- 118
- 119
- 120
- 121
- 122
- 123
- 124
- 125
- 126
- 127
- 128
- 129
- 130
- 131
- 132
- 133
- 134
- 135
- 136
- 137
- 138
- 139
- 140
- 141
- 142
- 143
- 144
- 145
- 146
- 147
- 148
- 149
- 150
- 151
- 152
- 153
- 154
- 155
- 156
- 157
- 158
- 159
- 160
- 161
- 162
- 163
- 164
- 165
- 166
- 167
- 168
- 169
- 170
- 171
- 172
- 173
- 174
- 175
- 176
- 177
- 178
- 179
- 180
- 181
- 182
- 183
- 184
- 185
- 186
- 187
- 188
- 189
- 190
- 191
- 192
- 193
- 194
- 195
- 196
- 197
- 198
- 199
- 200
- 201
- 202
- 203
- 204
- 205
- 206
- 207
- 208
- 209
- 210
- 211
- 212
- 213
- 214
- 215
- 216
- 217
- 218
- 219
- 220
- 221
- 222
- 223
- 224
- 225
- 226
- 227
- 228
- 229
- 230
- 231
- 232
- 233
- 234
- 235
- 236
- 237
- 238
- 239
- 240
- 241
- 242
- 243
- 244
- 245
- 246
- 247
- 248
- 249
- 250
- 251
- 252
- 253
- 254
- 255
- 256
- 257
- 258
- 259
- 260
- 261
- 262
- 263
- 264
- 265
- 266
- 267
- 268
- 269
- 270
- 271
- 272
- 273
- 274
- 275
- 276
- 277
- 278
- 279
- 280
- 281
- 282
- 283
- 284
- 285
- 286
- 287
- 288
- 289
- 290
- 291
- 292
- 293
- 294
- 295
- 296
- 297
- 298
- 299
- 300
- 301
- 302
- 303
- 304
- 305
- 306
- 307
- 308
- 309
- 310
- 311
- 312
- 313
- 314
- 315
- 316
- 317
- 318
- 319
- 320
- 321
- 322
- 323
- 324
- 325
- 326
- 327
- 328
- 329
- 330
- 331
- 332
- 333
- 334
- 335
- 336
- 337
- 338
- 339
- 340
- 341
- 342
- 343
- 344
- 345
- 346
- 347
- 348
- 349
- 350
- 351
- 352
- 353
- 354
- 355
- 356
- 357
- 358
- 359
- 360
- 361
- 362
- 363
- 364
- 365
- 366
- 367
- 368
- 369
- 370
- 371
- 372
- 373
- 374
- 375
- 376
- 377
- 378
- 379
- 380
- 381
- 382
- 383
- 384
- 385
- 386
- 387
- 388
- 389
- 390
- 391
- 392
- 393
- 394
- 395
- 396
- 397
- 398
- 399
Flag值
flag{c0923e5c-805c-42e3-91c3-160dceb41979WEB Crash
提示flag在504页面,让网页响应时间超时就行。拿了网上的payload改了一下
然后多用几个repeater,重复多发几次就成功了
Flag值
flag{467e093c-08a5-4925-bdb8-cfa9eaa4506b}强网先锋WP_um
这道题目题目进入后有一些提示,安装Wordpress后,使用wpscan工具扫描
扫描得到用户名,MaoGePaMao安装时的提示密码为这样的规律
利用漏洞CVE-2022-0799
得到密码为:MaoGeYaoQiFeiLa
进入后台得到密码后进入后台管理,修改其中一个php文件,保存后访问
-
相关阅读:
Linux系统启动过程总结
NLLLOSS & CrossEntropyLoss
Python编程 列表的操作(上)
鸿蒙原生应用元服务开发-WebGL网页图形库开发无着色器绘制2D图形
C++ 语言学习 day01 (linux ),基本输入输出错误输出函数,名字空间的含义,内联函数,缺省参数,引用 ,、new操作符
Jetpack Compose 的 Navigation学习
A-Level Economics 真题及答案解析
八、【React拓展】错误边界
Cplex混合整数规划求解(Python API)
使用@Builder注解后,该对象 拷贝时出现java.lang.InstantiationException异常报错
- 原文地址:https://blog.csdn.net/qq_51594676/article/details/126231452
