view_source

Open the source code and find the answer here

robots

see robots.txt file

Find out flag File and open

backup

There are backup files in the website , Common backup file suffixes are ：“.git” 、“.svn”、“ .swp”“.~”、“.bak”、“.bash_history”、“.bkf” Try to URL Back , Try to find that the file suffix of this problem is .bak

Get a file to open and get the answer

cookie

Check first according to the title cookie

Find out look-here The value of is cookie.php Open this. php file

Follow the prompts to view this http Response package for

Get the answer

disabled_button

When you open the topic and see the button you can't press, you will think of a familiar topic you learned before

Open the source code and you will see this disable

Delete disable We can press this button
This will not make it disappear

Get the answer

weak auth

Open the title to get a login interface

Just type in and you will be prompted to say The user is called admin
View the source code to see
Then we'll use it burp Blow up the password
Set the Firefox proxy to open the request
Send to tester
Input the downloaded password dictionary to explode
notice 123456 The higher the frequency, the correct password should be
（ I don't know what went wrong. There was no answer after the explosion Then I input the user name and password on the web page to get the answer ）

simple_php

Analysis of the php It means
You can understand a And b Both of these values are in get The way

Then we must comply with a And b And must be bypassed in some way

We make a=0.0;b=1234*2 Go around

get_post

First we should understand get And post Usage of

We go through get Add... After the URL ?a=1
Get the following request

adopt hackbug quantum Plugins enable b=2 With post Form submission

Get the final answer

xff_referer

Read other people's blogs to understand what this title means

1. xff yes http The extended head , Role is to make Web The server gets the IP Real address （ Forgeable ）. Because many users access through a proxy server , The server can only get the proxy server's IP Address , and xff Its purpose is to record the reality of users IP. Usually you can modify it directly http In the header X-Forwarded-For Field to simulate the final of the request ip.
2. referer yes http The extended head , The function is to record the address of the source page of the current request page . Server usage referer Confirm the source of the visit , If referer The content does not meet the requirements , The server can intercept or redirect requests .

So use brup Grab the bag , See in the response that it must come from Google , So add another Referer: https://www.google.com, You can get flag.

It is sent to the repeater

The first step is to write... In the left box X-Forwarded-For：123.123.123.123i
It is found that... Appears in the response HTML Must be https://www.google.com
Step 2 continue to write Referer：https://www.google.com
Click send to get the answer

webshell

In a word, Trojans
I went backstage with a kitchen knife to get the answer
First add a shell Get the answer

command_execution

• Command Execution Vulnerability ： Symbol &、|、|| Can be used as a command connector , The user submits the execution command through the browser , Because the server does not filter the execution function , Causes the command to be executed without specifying an absolute path .

Open and find a PING The page of , Try it first ,ping Local ,ping 127.0.0.1 Discovery can ping through .
Then we mixed it with orders ls To operate ：127.0.0.1 && ls, Found to be executable .

After use find Command to find all txt Text
Reuse cat Open about flag The text of simple_js
According to the title, we can know that this question is about js Knowledge of language View the source code of the web page and observe the main body js The code finds that whatever is entered, the last value returned is
dechiffre(h)
So we're going to go straight to

\x35\x35\x2c\x35\x36\x2c\x35\x34\x2c\x37\x39\x2c\x31\x31\x35\x2c\x36\x39\x2c\x31\x31\x34\x2c\x31\x31\x36\x2c\x31\x30\x37\x2c\x34\x39\x2c\x35\x30
Conduct url Decrypt （ take \x Convert to %）
Get a bunch of ASCII code
Decimal conversion gives the answer