Nanjing University of Posts and Telecommunications CTF topic writeup (I) including topic address
2022-07-28 06:15:00 【cainsoftware】
Challenge address: http://nctf.nuptzj.cn/
The range has since been closed; this writeup covers each challenge that could still be found, one by one.
Pass-01

Opening the page, it says "I'm not admin", so the goal is to log in as admin and get the flag. Clicking the link below the form shows the source code:
<?php
if($_POST[user] && $_POST[pass]) {
    mysql_connect(SAE_MYSQL_HOST_M . ':' . SAE_MYSQL_PORT,SAE_MYSQL_USER,SAE_MYSQL_PASS); // connect to the database
    mysql_select_db(SAE_MYSQL_DB); // select the database
    $user = trim($_POST[user]); // user and pass both arrive as POST strings
    $pass = md5(trim($_POST[pass]));
    $sql="select user from ctf where (user='".$user."') and (pw='".$pass."')"; // $sql checks whether user name and password match
    echo '</br>'.$sql;
    $query = mysql_fetch_array(mysql_query($sql));
    if($query[user]=="admin") { // if the statement returned a row, check whether the user is admin
        echo "<p>Logged in! flag:******************** </p>";
    }
    if($query[user] != "admin") {
        echo("<p>You are not admin!</p>");
    }
}
echo $query[user];
?>
As you can see, the SQL statement only has to return a row whose user column is admin for the flag to be printed.
So the payload has to close the (user='...') part of
select user from ctf where (user='".$user."') and (pw='".$pass."')
and make whatever follows evaluate to true:
admin') and 1=1#

Pass-02
Title: Where is the key?
The question is where the key is. Right-click directly to view the source, and the key is there.

Pass-03
Title: You are kidding me?
Again the key has to be found, and there is only one GIF image. Download the image directly, then open it as txt and the key is inside.

Pass-04
Title address :http://nctf.nuptzj.cn/web6/

Another login form, with its source:
<?php
if($_POST[user] && $_POST[pass]) {
    mysql_connect(SAE_MYSQL_HOST_M . ':' . SAE_MYSQL_PORT,SAE_MYSQL_USER,SAE_MYSQL_PASS);
    mysql_select_db(SAE_MYSQL_DB);
    $user = $_POST[user];
    $pass = md5($_POST[pass]); // the POSTed pass is md5-hashed
    $query = @mysql_fetch_array(mysql_query("select pw from ctf where user='$user'")); // look up pw for this user name
    if (($query[pw]) && (!strcasecmp($pass, $query[pw]))) { // both conditions must hold
        echo "<p>Logged in! Key: ntcf{**************} </p>";
    }
    else {
        echo("<p>Log in failure!</p>");
    }
}
?>

$query[pw] must be truthy, and strcasecmp($pass, $query[pw]) compares the md5 of the submitted pass with the pw returned by the query.
If select pw from ctf where user='$user' is turned into
select pw from ctf where user='admin1' union select md5(5)#
the user lookup in front matches nothing, and the union select supplies md5(5) as the pw.
The submitted password 5 is md5-hashed by the PHP code, which is exactly the value the union produced, so the two match and the check is bypassed.
So the construction is: enter admin1' union select md5(5)# as the user name, and 5 as the password.
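A hardened rewrite of the Pass-01 and Pass-04 login handlers, added here as an example and not the challenge's own code. It assumes a mysqli connection and a table ctf(user, pw) whose pw column holds password_hash() output; the DB_* values are placeholders.

```php
<?php
// Added example, not the challenge's own code: a hardened rewrite of the
// two login handlers above. Assumes a mysqli connection and a table
// ctf(user, pw) whose pw column holds password_hash() output; the DB_*
// values are placeholders to be replaced.
define('DB_HOST', 'localhost');   // placeholder
define('DB_USER', 'ctf');         // placeholder
define('DB_PASS', 'change-me');   // placeholder
define('DB_NAME', 'ctf');         // placeholder

function login(mysqli $db, string $user, string $pass): bool
{
    // The user name is bound as a parameter, so a value such as
    // admin1' union select md5(5)# is looked up literally and matches
    // no row instead of rewriting the query.
    $stmt = $db->prepare('SELECT pw FROM ctf WHERE user = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // Unknown user and wrong password take the same path, and the query
    // text is never echoed back the way Pass-01 did.
    $stored = is_array($row) ? (string) ($row['pw'] ?? '') : '';
    if ($stored === '') {
        return false;
    }
    // Salted, slow hash with a constant-time compare, instead of
    // strcasecmp() against a pw value the query itself can supply
    // (the Pass-04 weakness).
    return password_verify($pass, $stored);
}

// Strict comparison: == would also accept loosely equal values.
function is_admin(string $user): bool
{
    return $user === 'admin';
}

if (isset($_POST['user'], $_POST['pass'])) {
    $db = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
    $user = trim((string) $_POST['user']);
    if (login($db, $user, (string) $_POST['pass']) && is_admin($user)) {
        echo '<p>Logged in!</p>';
    } else {
        echo '<p>Log in failure!</p>';
    }
}
```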
Pass-05
Title: asdf
The page has a link to click; after that it looks like a file inclusion. Reading show.php directly through the php:// filter pseudo-protocol returns nothing useful, so go back and read index.php instead, which reveals the key.

Payload: php://filter/read=convert.base64-encode/resource=index.php (I honestly can't count how many times I've memorised this line, and every time I typed it by hand I still got it wrong)
Pass-06
Going in, the page says click to find the key; clicking it jumps straight to the page no_key_is_here_forever.php.
Using the browser's view-source on the page shows that the redirect passes through search_key.php.
Reading the source of that page reveals the key.

Pass-07
Title address :http://nctf.nuptzj.cn/web9/

Same kind of challenge. I thought I could check the source code again; I tried, and it wasn't there. Capturing the request with Burp Suite revealed the key.

Pass-08
Title: Do you know robots.txt?
The hint is to look at robots.txt; what it reveals on visiting is as follows.
A code-audit challenge. The key point: it mentions a file sql.php, accessed by a GET request with an id parameter, and id has to satisfy the requirement of equalling 1024.
<?php
if($_GET[id]) {
    mysql_connect(SAE_MYSQL_HOST_M . ':' . SAE_MYSQL_PORT,SAE_MYSQL_USER,SAE_MYSQL_PASS);
    mysql_select_db(SAE_MYSQL_DB);
    $id = intval($_GET[id]); // the id used in the query is cast to an integer
    $query = @mysql_fetch_array(mysql_query("select content from ctf2 where id='$id'"));
    if ($_GET[id]==1024) { // but the check is done on the raw GET value
        echo "<p>no! try again</p>";
    }
    else{
        echo($query[content]);
    }
}
?>

Here id=1025, id=1023 and other values show content, but not the flag.
Looking at the code above, the incoming id is processed by the intval function, so passing 1024.1 is treated as 1024 in the query, while the $_GET[id]==1024 check still sees 1024.1. Passing an array was also tested; no luck.
So the payload is: sql.php?id=1024.1
Pass-09
Title: SuperSo | by:p0tt1
When I first got this challenge I thought it was XSS and that the way in was to implement a Baidu-style search; that seemed far too hard, so I didn't dare to look carefully. Later I looked again and it is actually very simple: just be confident and keep following the trail.
Check the source of the root directory.
Find the first file and follow its source.
Find the second one.
This is where I gave up last time; I thought it was a fake, but it looks different once you read it carefully.
Go back in.
Read 404.html.
Here's the answer. I nearly threw up.
Pass-10
Title address: http://nctf.nuptzj.cn/web14/
Checking the source code directly reveals the email address; that part isn't hard.
The related hint says the page was edited with vim. I don't know whether the first challenge hinted at this; otherwise the guess would be too impressive.
Then visit the swap file of the linked submit.php: .submit.php.swp

Code audit (of the kind you can't guard against):
if(!empty($token)&&!empty($emailAddress)){
    if(strlen($token)!=10) die('fail');
    if($token!='0') die('fail');
    $sql = "SELECT count(*) as num from `user` where token='$token' AND email='$emailAddress'";
    $r = mysql_query($sql) or die('db error');
    $r = mysql_fetch_assoc($r);
    $r = $r['num'];
    if($r>0){
        echo $flag;
    }else{
        echo " Failed ";
    }
}

Originally I wanted to inject an or into the token in "SELECT count(*) as num from `user` where token='$token' AND email='$emailAddress'" to bypass the check, but the token has to be exactly 10 characters long.
Giving that up, the next line rejects the request outright if the token is not equal to 0; that line is brutal.
Recap of the two conditions: the token must equal 0 and be 10 characters long. SQL supports passing values in hexadecimal, and hex was my first thought.

From the test it can be seen that this numeric notation satisfies the requirement: 0e00110000 as the token meets all the conditions, so the payload is 0e00110000.
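The two loose comparisons behind Pass-08 and Pass-10, each beside a strict replacement, as an added example that is not from the writeup. The real mechanism in both cases is PHP comparing numeric strings as numbers: "1024.1" == 1024 is false while intval("1024.1") is 1024, and '0e00110000' != '0' is false because 0e00110000 is 0 in scientific notation. The function names are this example's own.

```php
<?php
// Added example, not from the writeup: the two loose comparisons that
// Pass-08 and Pass-10 turned on, each beside a strict replacement.
// Function names are this example's own.

// Pass-08: the query used intval($id) but the gate used $_GET[id]==1024.
// "1024.1" is a numeric string, so == compares 1024.1 with 1024: not
// equal, the gate passes, while intval("1024.1") is still 1024 in the query.
function pass08_blocked(string $id): bool
{
    return $id == 1024;
}
function pass08_blocked_fixed(string $id): bool
{
    // Accept only a plain decimal integer, and use that same value for
    // both the gate and the query, so the two can no longer disagree.
    if (!ctype_digit($id)) {
        return true;   // malformed id is refused outright
    }
    return (int) $id === 1024;
}

// Pass-10: '0e00110000' != '0' is false because PHP compares two numeric
// strings as numbers, and 0e00110000 is 0 in scientific notation.
function pass10_blocked(string $token): bool
{
    return $token != '0';
}
function pass10_blocked_fixed(string $token): bool
{
    return $token !== '0';   // identity check, no numeric coercion
}

$cases = [
    ['1024',       'pass08', pass08_blocked('1024'),       pass08_blocked_fixed('1024')],
    ['1024.1',     'pass08', pass08_blocked('1024.1'),     pass08_blocked_fixed('1024.1')],
    ['0',          'pass10', pass10_blocked('0'),          pass10_blocked_fixed('0')],
    ['0e00110000', 'pass10', pass10_blocked('0e00110000'), pass10_blocked_fixed('0e00110000')],
];
foreach ($cases as [$input, $gate, $loose, $strict]) {
    printf("%s %-11s loose blocks=%s strict blocks=%s\n",
        $gate, $input, var_export($loose, true), var_export($strict, true));
}
```

With the strict check, the Pass-10 gate (length 10 and identical to '0') can no longer be satisfied by any token, which is what the two die('fail') lines were evidently meant to enforce.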