你会日志分析吗
线索只有一份 access.log,你能从中分析到什么?
sectraffic
攻击者 B 在某次渗透测试过程中,也通过枚举弱口令的方式拿下了机器 B 的登录权限。他的部分操作也被系统捕捉并记录了下来,请分析他的操作并获取 flag。答案加 flag{}格式。
cubic
Please give me 6 pairs of positive integers (x,y,z) satisfying the equation x/(y+z) + y/(z+x) + z/(x+y) = 6
simultaneous
AGame_给转账
请转账
0xb4D288dE112799141064CF2Af23ab33C074863D4@ropsten
make is_successful be true
input address at http://8.140.187.205:25112/
SafeContract
What is in the contract
合约地址:
0x8C34E8c05846be833Faa82EbdcE48F2c3288dd38@ropsten
make safe be true
input address at http://8.140.187.205:6584/
apollo
附件补充 aarch64 库,同时此题的难点在于 vm 虚拟机的分析。 https://pan.baidu.com/s/1_RgBNGCBzJeBqlFKDBV0xg 提取码:GAME。
hint2: 漏洞点在于车辆前方的绿灯或黄灯的转化,使车辆到达了地图外
quiet
quiet-aarch64.zip 链接:https://pan.baidu.com/s/1VhHCpGv8JdlwF8_xtYJmDQ 提取码:GAME
redemption_code
所谓的虐心手游,连发的兑换码都这么复杂。
CrackMe
Crack Me
GoEncrypt
Golang encrypter
internal_system
开发了一个公司内部的请求代理网站,好像有点问题,但来不及了还是先上线吧(─.─||)
http://8.140.152.226:47921/
/source 存在源码泄露;/proxy 存在 ssrf
const express = require("express");
const router = express.Router();
const axios = require("axios");
const isIp = require("is-ip");
const IP = require("ip");
const UrlParse = require("url-parse");
const { sha256, hint } = require("./utils");
const salt = "nooooooooodejssssssssss8_issssss_beeeeest";
const adminHash = sha256(sha256(salt + "admin") + sha256(salt + "admin"));
const port = process.env.PORT || 3000;
function formatResopnse(response) {
if (typeof response !== typeof "") {
return JSON.stringify(response);
} else {
return response;
}
}
function SSRF_WAF(url) {
const host = new UrlParse(url).hostname.replace(/\[|\]/g, "");
return isIp(host) && IP.isPublic(host);
}
function FLAG_WAF(url) {
const pathname = new UrlParse(url).pathname;
return !pathname.startsWith("/flag");
}
function OTHER_WAF(url) {
return true;
}
const WAF_LISTS = [OTHER_WAF, SSRF_WAF, FLAG_WAF];
router.get("/", (req, res, next) => {
if (req.session.admin === undefined || req.session.admin === null) {
res.redirect("/login");
} else {
res.redirect("/index");
}
});
router.get("/login", (req, res, next) => {
const { username, password } = req.query;
if (
!username ||
!password ||
username === password ||
username.length === password.length ||
username === "admin"
) {
res.render("login");
} else {
const hash = sha256(sha256(salt + username) + sha256(salt + password));
req.session.admin = hash === adminHash;
res.redirect("/index");
}
});
router.get("/index", (req, res, next) => {
if (req.session.admin === undefined || req.session.admin === null) {
res.redirect("/login");
} else {
res.render("index", { admin: req.session.admin });
}
});
router.get("/proxy", async (req, res, next) => {
if (!req.session.admin) {
return res.redirect("/index");
}
const url = decodeURI(req.query.url);
console.log(url);
const status = WAF_LISTS.map((waf) => waf(url)).reduce((a, b) => a && b);
if (!status) {
res.render("base", { title: "WAF", content: "Here is the waf..." });
} else {
try {
const response = await axios.get(
`http://127.0.0.1:${port}/search?url=${url}`
);
res.render("base", response.data);
} catch (error) {
res.render("base", error.message);
}
}
});
router.post("/proxy", async (req, res, next) => {
if (!req.session.admin) {
return res.redirect("/index");
}
const url = "https://postman-echo.com/post";
await axios.post(`http://127.0.0.1:${port}/search?url=${url}`);
res.render("base", "Something needs to be implemented");
});
router.all("/search", async (req, res, next) => {
if (!/127\.0\.0\.1/.test(req.ip)) {
return res.send({
title: "Error",
content: "You can only use proxy to aceess here!",
});
}
const result = { title: "Search Success", content: "" };
const method = req.method.toLowerCase();
const url = decodeURI(req.query.url);
const data = req.body;
try {
if (method == "get") {
const response = await axios.get(url);
result.content = formatResopnse(response.data);
} else if (method == "post") {
const response = await axios.post(url, data);
result.content = formatResopnse(response.data);
} else {
result.title = "Error";
result.content = "Unsupported Method";
}
} catch (error) {
result.title = "Error";
result.content = error.message;
}
return res.json(result);
});
router.get("/source", (req, res, next) => {
res.sendFile(__dirname + "/" + "route.js");
});
router.get("/flag", (req, res, next) => {
if (!/127\.0\.0\.1/.test(req.ip)) {
return res.send({ title: "Error", content: "No Flag For You!" });
}
return res.json({ hint: hint });
});
module.exports = router;
“慢慢做”管理系统
这个 sql 吧,有点 ssrf 的样子,首页是一个很普通的 sql 注入,没有什么花样,但是我的 admin.php 是一个内网的管理系统,只要你用“真-admin”的密码登录了,就可以拿到 flag,反正慢慢做就对了,不要急躁,静下心。
第一步登录的 sql 语句是"SELECT * FROM users WHERE password = '".md5($password,true)."' limit 0,1";
签到
师傅们常说,要善于学习,细致入微;师傅们也常说,要善于分享,总结归纳。
2021 年 3 月 28 日,PHP 维护的官方 Git 服务器 git.php.net 被袭击,其 Git 仓库遭到恶意篡改。如果开发者使用这些遭到篡改的源代码进行网页的开发的话,网站就会在不知情的情况下被感染。
unsetme
是缺陷还是漏洞呢。
<?php
$f3=require('lib/base.php');
$f3->set('DEBUG',1);
if ((float)PCRE_VERSION<8.0)
trigger_error('PCRE version is out of date');
highlight_file(__FILE__);
$a=$_GET['a'];
unset($f3->$a);
$f3->run();
