February 20 CTF record
2022-06-25 04:56:00 【Muzi*】
First question: game1
This challenge is a building game. The flag value is not in the source code; what turned up first was a piece of request data.
In the developer tools' Network tab, find the request being sent and the JS call that makes it. From the console, call the author's function to get the score and its base64 encoding, then submit them in a GET request.
The GET request contains two parts, score and sign: score is the score, and sign is the score passed through base64 encoding plus verification characters.
For example: zM + base64-encoded part + ==
Rebuild score and sign in the request, and the response returns the flag value.
Second question: Website is hacked
No flag value was found in the source or in the packets, and no backdoor left by the hacker was visible either.
Scan the website's backend paths with Yujian.
The backend turns out to be the IP followed by shell.php.
Brute-forcing the backend password with Burp gives hack, and then you get the flag value.
Third question: bp
Following the hint, use Burp brute forcing.
Download the top1000 dictionary and filter it for passwords beginning with Z:
grep regular-expression file-name > target-file
The brute force shows that the response length never changes, so enable grep-match in Burp and run it again.
Looking at the returned content, zxx123 returns something different from the others: ?code=hacker1000
Obtain the flag.
Fourth question: eval
<?php
include "flag.php"; // include pulls flag.php into this page's code, which also hints at where the flag is
$a = @$_REQUEST['hello']; // $_REQUEST accepts parameters passed by both GET and POST
eval( "var_dump($a);"); // eval executes a string as PHP code
show_source(__FILE__);
?>
Construct /?hello=system('tac flag.php') to obtain the flag.
Fifth question: Variable 1
<?php
error_reporting(0);
include "flag1.php";
highlight_file(__file__);
if(isset($_GET['args'])){
    $args = $_GET['args'];
    if(!preg_match("/^\w+$/",$args)){
        die("args error!");
    }
    eval("var_dump($$args);");
}
?>
Construct the request ?args=GLOBALS to obtain the flag.
- $GLOBALS gives access to global variables from anywhere in a PHP script, so dumping it outputs the flag value.
Sixth question: First class
Open the developer tools and look at the headers; the flag is in there.
Seventh question: forge
From the chat with the girlfriend, the flag is with a person called "little bug". Change your QQ name to little bug and enter your own QQ to obtain it.
Eighth question: picture


- (Fixed) The eight bytes 89 50 4E 47 0D 0A 1A 0A are the PNG file header.
- (Fixed) The four bytes 00 00 00 0D (decimal 13) say that the data block is 13 bytes long.
- (Fixed) The four bytes 49 48 44 52 (ASCII "IHDR") are the identifier of the file header data block (called IDCH here).
- (Variable) The 13-byte data block (IHDR):
  - The first four bytes represent the width of the picture.
  - The next four bytes represent the height of the picture.
  - The last five bytes are: Bit depth, ColorType, Compression method, Filter method, Interlace method.
- (Variable) The remaining four bytes are the PNG's CRC check code, calculated as the CRC of the seventeen bytes from IDCH to IHDR.
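An added example (not part of the original write-up): a Python check of the header layout listed above. It recomputes the CRC over the seventeen bytes and, going one step beyond the list, searches for the height that matches the stored CRC when the two disagree. The sample header, its 500x420 size and all function names are constructed for illustration.

```python
import struct
import zlib

PNG_SIG = bytes.fromhex("89504E470D0A1A0A")  # the fixed eight-byte file header

def build_header(width, height):
    """Constructed sample: signature + IHDR chunk of an 8-bit RGBA image."""
    data = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + data) & 0xFFFFFFFF
    return (PNG_SIG + struct.pack(">I", len(data)) + b"IHDR" + data
            + struct.pack(">I", crc))

def parse_ihdr(blob):
    """Split the first 33 bytes of a PNG and verify the IHDR CRC."""
    if len(blob) < 33 or blob[:8] != PNG_SIG:
        raise ValueError("not a PNG header")
    length, ctype = struct.unpack(">I4s", blob[8:16])
    if length != 13 or ctype != b"IHDR":
        raise ValueError("first chunk is not a 13-byte IHDR")
    width, height = struct.unpack(">II", blob[16:24])
    stored = struct.unpack(">I", blob[29:33])[0]
    # CRC input is the 17 bytes: 4-byte identifier + 13-byte data block
    computed = zlib.crc32(blob[12:29]) & 0xFFFFFFFF
    return {"width": width, "height": height, "stored_crc": stored,
            "computed_crc": computed, "crc_ok": stored == computed}

def find_height(blob, max_height=4096):
    """Return the height value for which the stored CRC is valid, or None."""
    stored = struct.unpack(">I", blob[29:33])[0]
    for h in range(1, max_height + 1):
        candidate = blob[12:20] + struct.pack(">I", h) + blob[24:29]
        if zlib.crc32(candidate) & 0xFFFFFFFF == stored:
            return h
    return None

if __name__ == "__main__":
    good = build_header(500, 420)
    # Constructed tampering: overwrite the height field, leave the CRC alone
    bad = good[:20] + struct.pack(">I", 200) + good[24:]
    print(parse_ihdr(good))
    print(parse_ihdr(bad))
    print("height matching stored CRC:", find_height(bad))
```

A CRC mismatch in the first chunk means the header fields were edited after the file was written; image viewers that ignore the CRC will still render the file at the altered size.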