CTFshow brute-force challenges write-up (WP)
2022-07-01 03:15:00 【ioik~hk】
Table of contents
- Preface
- 1. web21: custom iterator (Base64 decoding)
- 2. web22: subdomain brute force
- 3. web23: substr() function (MD5 hashing)
- 4. web24: mt_srand(seed)
- 5. web25: mt_rand(), cookies
- 6. web26: weak-password brute force
- 7. web27: date-of-birth brute force
- 8. web28: directory brute force
- Summary
Preface
This post collects write-ups for some challenges I solved earlier and reviews some web knowledge related to brute forcing.
1. web21: custom iterator (Base64 decoding)
Challenge:
From the title, the goal is probably to brute-force the account name and password, so capture a request.
The credentials look Base64-encoded; decode them.
Decoding reveals the format in which the account and password are sent:
account:password
That gives a plan for the brute force. Open Burp Suite (bp), mark the position to attack, and use Burp to build the payloads.
Configure the payload according to the format above:
a custom iterator with positions 1, 2 and 3; for position 3, remember to import a common weak-password dictionary.
Add Base64 encoding as payload processing, turn off URL encoding, and start the attack.
When the attack finishes, check the response with the smallest length; it contains the flag. (The attack takes too long, so it is not demonstrated here.)
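The defender's view of the same traffic, as an added example (not part of the original post): it decodes the `Authorization: Basic` value exactly as described above and flags a source that fails with many distinct passwords for one account. The log layout, the IP addresses and the threshold are constructed, and it assumes a proxy or WAF that records the header value.

```python
import base64
import binascii
from collections import defaultdict

def parse_basic(header):
    """Return (user, password) from an Authorization header value, or None if malformed."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Only the first ':' separates the fields; a password may itself contain ':'
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def basic_header(user, password):
    """Build the header value a client sends (used only to construct the sample log)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

# Constructed sample log: (client IP, Authorization header value, HTTP status)
SAMPLE_LOG = [
    ("203.0.113.7", basic_header("admin", pw), 401)
    for pw in ("123456", "admin888", "qwerty", "a:b:c", "letmein")
] + [
    ("203.0.113.7", "Basic !!!not-base64", 400),
    ("198.51.100.20", basic_header("alice", "typo"), 401),
    ("198.51.100.20", basic_header("alice", "correct horse"), 200),
]

def guessing_sources(log, threshold=5):
    """Map (ip, user) to the number of distinct failed passwords, if at or above threshold."""
    tried = defaultdict(set)
    for ip, header, status in log:
        creds = parse_basic(header)
        if creds and status == 401:
            # Kept in clear for readability; a real pipeline would store a hash instead
            tried[(ip, creds[0])].add(creds[1])
    return {key: len(pws) for key, pws in tried.items() if len(pws) >= threshold}

if __name__ == "__main__":
    print(parse_basic("Basic YWRtaW46YWRtaW4="))
    print(guessing_sources(SAMPLE_LOG))
```

Because Base64 is an encoding and not encryption, anything that sees the header sees the password, so Basic authentication only makes sense over TLS and behind attempt limiting.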
2. web22: subdomain brute force
Challenge:
As the title says, this challenge is about brute-forcing subdomains.
Use an online subdomain lookup tool (a subdomain query website).
The flag is then visible in the page source of vip.ctf.show.
3. web23: substr() function (MD5 hashing)
The challenge is as follows:
Reading the code, the token value passed in as a GET parameter must satisfy two conditions.
First, in the MD5 hash of token, the 2nd, 15th and 18th characters must be identical (substr() offsets 1, 14 and 17, since offsets start at 0).
Second, (2nd + 15th + 18th) / 2nd = 32nd.
A script solves this directly.
Python script copied from other players:
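```python
import hashlib

# Candidate characters for a two-character token
dic = "0123456789qazwsxedcrfvtgbyhnujmikolp"
for a in dic:
    for b in dic:
        t = a + b
        md5 = hashlib.md5(t.encode("utf-8")).hexdigest()
        # Hash characters at offsets 1, 14 and 17 must be identical
        if md5[1] == md5[14] == md5[17]:
            # Only non-zero decimal digits can pass the arithmetic check;
            # this also avoids int() errors on hex letters and division by zero
            if md5[1] in "123456789" and md5[31].isdigit():
                d = int(md5[1])
                # Grouped as in the PHP check: (2nd + 15th + 18th) / 2nd == 32nd
                if (d + d + d) / d == int(md5[31]):
                    print(t)
```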
The output of the Python script is shown in the figure.
Other players also use a PHP script.
The PHP script is below; give it a try.
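```php
<?php
// Try every three-digit token from 000 to 999
for ($v1 = 0; $v1 < 10; $v1++)
    for ($v2 = 0; $v2 < 10; $v2++)
        for ($v3 = 0; $v3 < 10; $v3++) {
            $v = $v1 . $v2 . $v3;
            $token = md5($v);
            $c = substr($token, 1, 1);
            // Skip hex letters and "0": they cannot pass the check and raise errors on PHP 8
            if (!ctype_digit($c) || $c === '0') {
                continue;
            }
            if (substr($token, 1, 1) === substr($token, 14, 1) && substr($token, 14, 1) === substr($token, 17, 1)) {
                if ((intval(substr($token, 1, 1)) + intval(substr($token, 14, 1)) + substr($token, 17, 1)) / substr($token, 1, 1) === intval(substr($token, 31, 1))) {
                    echo $v, "\n";
                }
            }
        }
?>
```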
Some other small knowledge points I think I need to master:
1. The PHP function substr()
Test the function above yourself (typing it out by hand is the best way to make it stick).
4. web24: mt_srand(seed)



This challenge is mainly about random number generation in PHP.
1. The mt_srand() and mt_rand() functions (explained in detail in the next challenge)
2. The intval() function
5. web25: mt_rand(), cookies
Challenge:
Reading the code: if we set r=0, the response gives the first number generated by mt_rand(), which lets us work back to the seed. Setting r to that first mt_rand() output then gets us into the following statement.

We have now entered the following statement.
Use the script from this page to recover the seed.
Then run the script in Kali. Run make first; once it finishes without errors, run the following command.
Then run this code to calculate the value. Pass the original rand() value as the GET parameter, then intercept the request and modify the cookie so that token is the calculated value; submit it to get the flag.
1. The rand() and mt_rand() functions in PHP
See the explanation in the rookie tutorial.
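Why the token in web24 and web25 can be computed by the client, as an added example (not code from the original post or the challenge): Python's `random.Random` stands in for PHP's mt_rand() (both are Mersenne Twister, but their outputs differ), and the 16-bit seed space and the token formula are assumptions chosen for illustration. `strong_issue()` is the hardened form, a token drawn from the OS CSPRNG.

```python
import random
import secrets

SEED_BITS = 16  # constructed: a tiny seed space so the search finishes in about a second

def weak_issue(seed):
    """Stand-in for the challenge logic: the first output leaks, the token uses later outputs."""
    rng = random.Random(seed)   # Mersenne Twister, like PHP's mt_rand (outputs differ)
    leaked = rng.getrandbits(31)
    # Assumed token derivation for illustration: sum of the next two outputs
    token = rng.getrandbits(31) + rng.getrandbits(31)
    return leaked, token

def candidate_seeds(leaked):
    """Every seed in the space whose first output equals the leaked value."""
    return [s for s in range(2 ** SEED_BITS)
            if random.Random(s).getrandbits(31) == leaked]

def token_is_predictable(secret_seed):
    """True if the token can be rebuilt from the leaked first output alone."""
    leaked, token = weak_issue(secret_seed)
    return any(weak_issue(s)[1] == token for s in candidate_seeds(leaked))

def strong_issue():
    """Hardened form: 128 bits from the OS CSPRNG, unrelated to anything shown to the client."""
    return secrets.token_hex(16)

if __name__ == "__main__":
    print(token_is_predictable(0x3A7F))
    print(strong_issue())
```

In PHP the corresponding replacement is random_int() or random_bytes(); mt_rand() output should never gate access or appear in a secret.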

6. web26: weak-password brute force
Challenge:
Capture a request and try it.
Just brute-force it to get the flag.
7. web27: date-of-birth brute force

While gathering information, you will find a list.
The birth date (year, month and day) is missing from this list, so use Burp Suite to brute-force the birthday.
The brute force yields the complete ID number; log in with it to get the flag.

8. web28: directory brute force
Challenge:
This directory looks a bit odd. Remove 2.txt and try brute-forcing the directory directly.
Brute-force payload settings:
Summary
This post mainly reviews some ideas related to brute forcing. Working through CTF challenges is good ongoing practice and consolidates what you have learned. Keep going!