
Tag: Web

[SEC-T] Naughty ads

Solution http://naughtyads.alieni.se/

So, maybe we can read the source code through http://naughtyads.alieni.se/index.phps ?

We can see that there is a very strict filter for $_REQUEST['id'], but none for $_GET['id']: the code does nothing with the filtered value and passes $_GET['id'] straight to the function. So we can bypass the filter like this:

Finally, I got the username and password. Username: webmasterofdoom3755 Password: 5ebe2294ecd0e0f08eab7690d2a6ee69 Reverse the MD5 here: https://md5.gromweb.com/?md5=5ebe2294ecd0e0f08eab7690d2a6ee69 and find that the real password is "secret". Use this identity to log in to the website, fill in the phone number to submit the form, and the website will give you the flag.


[SEC-T] Sprinkler system

Solution Firstly, we can take a look at robots.txt:

I found that it mentions test-cgi in the cgi-bin folder. After some research, I found that test-cgi has a known vulnerability, and it seems possible to list directories through it. Exploit URL: http://sprinklers.alieni.se/cgi-bin/test-cgi?/* Output:

It works! So I changed the parameter to "*", which lists all the files in the current directory. URL: http://sprinklers.alieni.se/cgi-bin/test-cgi?* Output:

Finally, we access http://sprinklers.alieni.se/cgi-bin/enable_sprinkler_system and it prints the flag.


[CSAW2017] Orange v1

Question

I wrote a little proxy program in NodeJS for my poems folder. Everyone wants to read flag.txt but I like it too much to share. http://web.chal.csaw.io:7311/?path=orange.txt

Solution

Based on the challenge name, the concept seems to be based on Orange Tsai's DEFCON 25 presentation about URI handling in Node.js: if \xff exists in a URI character, Node.js throws it away. What if we input %EF%BC%AE%EF%BC%AE/ ? %EF%BC%AE is 'Full Width Latin Capital Letter N', whose Unicode code point is \uFF2E. So if this N appears in the URL, Node.js deletes the \xff and the remaining \x2e is translated to ".". But after some tries, %EF%BC%AE%EF%BC%AE/ did not work for this question, so I changed one %EF%BC%AE to "." and it worked.

Final payload: http://web.chal.csaw.io:7311/?path=.%EF%BC%AE/flag.txt

Reference

https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Orange-Tsai-A-New-Era-of-SSRF-Exploiting-URL-Parser-in-Trending-Programming-Languages.pdf
http://bobao.360.cn/learning/detail/4183.html
http://www.fileformat.info/info/unicode/char/ff2e/index.htm


[MeePwnCTF2017] Br0kenMySQL

Question

Solution So, the task is that we have to set $row["username"] to 'guest' in the first query, but in the second query we have to make it equal to 'admin'. Because every guest query adds one new record to the logs table, I think we can make use of that. 1. We have to count the number of rows in the logs table without using the count function.

2. We have to use the if function in the union select query.

If we change 1=1 to 1=2, the username will equal 'guest'. 3. Based on the number of rows in the logs table, we can make a query that checks whether that number equals a given value and outputs something accordingly. Here is our final payload:

After a few refreshes we finally get the flag.
