CTF show: Information Gathering
web1
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318160140194-669598184.png
Press F12 to view the page source.
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318160144012-678884902.png
web2
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318160152108-871244294.png
On opening the page, F12 cannot be used to view the source.
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318160226763-276319664.png
Method 1: disable JS.
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318160246949-371057440.png
Method 2: open a blank tab, press F12 first, then paste the URL and open it.
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318160251466-1003150082.png
Method 3: press Ctrl+U to view the source.
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318160256166-2050558893.png
web3
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318160304032-1193039886.png
Capture the request with Burp.
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318160317833-766056433.png
web4
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318160409807-2085802024.png
Open the site and request the robots.txt file.
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318160413093-383828272.png
Based on the contents of robots.txt, request the flagishere.txt file.
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318160418985-1719030594.png
robots.txt is a text file located in the website's root directory that tells search engine crawlers which pages may be crawled and which may not. It contains directives telling crawlers which pages they may or may not access, along with information such as the crawl rate.
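Because robots.txt is public by design, every Disallow line is a hint to anyone who reads it, which is exactly what web4 relies on. The following is an added example (not code from the original writeup): a small parser that groups the directives by user-agent, collects the Disallow paths, and flags the ones whose names suggest something that should not be discoverable at all. The sample robots.txt and the keyword list are constructed for the example.

```python
"""Parse a robots.txt and report what it discloses (added example, not from the writeup)."""

# Constructed sample input, shaped like the file web4 is built around.
SAMPLE_ROBOTS = """\
# constructed sample robots.txt
User-agent: *
Disallow: /admin/
Disallow: /flagishere.txt
Disallow: /search
Allow: /public/

User-agent: Googlebot
Crawl-delay: 10
Disallow: /backup/
"""

# Keywords (an assumption for this example) that make a Disallow entry worth a second look:
# a path a site owner hides from crawlers is often one they should not be serving at all.
SENSITIVE_HINTS = ("admin", "backup", "flag", "secret", "private", "config")


def parse_robots(text):
    """Return {user_agent: [(directive, value), ...]} from robots.txt text.

    Comments (#) and blank lines are skipped; consecutive User-agent lines share
    one rule group, and directive names are matched case-insensitively, as
    crawlers do.
    """
    groups = {}
    current_agents = []
    collecting_agents = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if not collecting_agents:        # a new group starts after any other directive
                current_agents = []
                collecting_agents = True
            current_agents.append(value)
            groups.setdefault(value, [])
        elif current_agents:                 # directives before any User-agent are ignored
            collecting_agents = False
            for agent in current_agents:
                groups[agent].append((field, value))
    return groups


def disallowed_paths(groups):
    """Flatten every non-empty Disallow value across all agents, deduplicated, in file order."""
    seen = []
    for rules in groups.values():
        for directive, value in rules:
            if directive == "disallow" and value and value not in seen:
                seen.append(value)
    return seen


def flag_sensitive(paths, hints=SENSITIVE_HINTS):
    """Return the paths whose lowercase form contains one of the hint keywords."""
    return [p for p in paths if any(h in p.lower() for h in hints)]


if __name__ == "__main__":
    groups = parse_robots(SAMPLE_ROBOTS)
    for agent, rules in groups.items():
        print(f"User-agent: {agent}")
        for directive, value in rules:
            print(f"  {directive}: {value}")
    print("Disallowed paths:", disallowed_paths(groups))
    print("Worth reviewing:", flag_sensitive(disallowed_paths(groups)))
```

Run it against your own robots.txt before deployment: anything it flags is a path that should be protected by authentication or removed from the web root, not merely hidden from crawlers.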
web5
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318160433719-1942678005.png
The ".phps" suffix is a special form of PHP source file: the code is displayed with syntax highlighting, read-only. In some web server configurations, if what is requested is the PHP source file rather than the parsed PHP file, adding "s" after the file extension forces the code to be displayed read-only, thereby avoiding source code leakage.
Request index.phps.
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318160448997-173768347.png
web6
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318160454072-429380581.png
The challenge description says to unzip the source. Source code is usually packaged as www.zip, so request it directly and download the zip.
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318160501838-1313079744.png
Open the txt file to get the flag.
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318160507730-347999269.png
web7
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318160512380-175279096.png
The common version control systems are git and svn; request .git to get the flag.
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318160518342-1501855366.png
web8
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318160523909-441167382.png
Request /.svn
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318160528767-1177190454.png
Article on source code leakage
web9
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318160810017-253730576.png
When editing with vim on Linux, if the editor or the system crashes, a backup is written automatically; if the development environment does not delete it, it leaks.
Possible backup files (taking index.php as an example):
.index.php.swp
.index.php.swo
index.php~
index.php.bak
index.php.txt
index.php.old
Request index.php.swp.
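web6 through web9 all come down to files left in the web root that the server happily serves: a packaged copy of the source (www.zip), version-control metadata (.git, .svn) and editor or manual backup copies of source files (the list above). The following is an added example, not code from the original writeup: a scanner that walks a deploy directory and reports exactly those artefacts, so it can be run as a pre-publish check or from a cron job. The sample web root is constructed in a temporary directory; the suffix and archive lists come from this page, and the set of source extensions is an assumption kept to PHP.

```python
"""Find leftover files in a web root that would leak source (added example, not from the writeup)."""
import os
import shutil
import tempfile

SOURCE_EXTS = (".php", ".phps")          # assumption: PHP site, extend as needed
BACKUP_SUFFIXES = ("~", ".bak", ".old", ".txt", ".swp", ".swo")  # the page's list for index.php
VCS_DIRS = {".git", ".svn"}             # web7 / web8
ARCHIVE_NAMES = {"www.zip"}             # web6


def is_backup_of_source(name):
    """True if name is a backup copy of a source file: index.php~, index.php.bak, .index.php.swp ..."""
    for suffix in BACKUP_SUFFIXES:
        if name.endswith(suffix) and name[: -len(suffix)].endswith(SOURCE_EXTS):
            return True
    return False


def find_leaks(root):
    """Return sorted (kind, relative_path) pairs for everything that should not be served."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for d in list(dirnames):
            if d in VCS_DIRS:
                findings.append(("vcs-dir", os.path.normpath(os.path.join(rel_dir, d))))
                dirnames.remove(d)      # the whole directory is the finding; do not descend
        for f in filenames:
            rel = os.path.normpath(os.path.join(rel_dir, f))
            if f in ARCHIVE_NAMES:
                findings.append(("source-archive", rel))
            elif is_backup_of_source(f):
                findings.append(("backup-copy", rel))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed web root with a few leaks mixed in and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    layout = {
        "index.php": "<?php echo 'hello'; ?>",
        ".index.php.swp": "vim swap data (constructed)",
        "index.php~": "<?php /* older copy */ ?>",
        "config.php.bak": "<?php $db_pass = 'placeholder'; ?>",
        "www.zip": "PK (constructed, not a real archive)",
        "readme.txt": "plain text, not a source backup",
        "assets/style.css": "body {}",
        ".git/HEAD": "ref: refs/heads/master",
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        for kind, rel in find_leaks(root):
            print(f"{kind:15} {rel}")
    finally:
        shutil.rmtree(root)
```

Note that readme.txt is not reported: only a .txt (or .bak, .old, ~, .swp, .swo) whose stem is itself a source file name counts, which is the index.php.txt case from the list above. A hit of kind vcs-dir means the whole repository history is downloadable, so the fix is to deploy from an export rather than a checkout, or to deny those directories in the server configuration.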
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318160829904-1393750412.png
web10
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318160920747-1269110856.png
F12 -> Network -> view the cookie
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318160924988-1003115064.png
web11
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318160935208-570114960.png
Information can also be found in DNS records.
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318160940502-193507329.png
Domain resolution website
web12
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318161051581-889577068.png
Open the page and look around.
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318161057539-524765468.png
Nothing useful here, so look for other pages that might leak information.
Check robots.txt.
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318161107655-109949590.png
It lists a page that is not allowed to be crawled, so request it.
It requires a login.
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318161112550-1419639263.png
Combined with the challenge hint, the information published online is the password.
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318161117101-1134903628.png
Scroll to the bottom: there is a string of digits. Log in with it.
Get the flag.
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318161122810-1014480867.png
web13
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318161213125-1813202174.png
Following the challenge, look for the technical documentation on the page.
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318161216617-2009619046.png
Opening the document gives the backend login URL along with the account and password.
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318161222211-971180171.png
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318161227997-1770779873.png
web14
editor directory traversal
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318161236885-1437581082.png
Following the challenge hint, request the /editor directory.
The hint says the editor has a directory traversal vulnerability.
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318161240992-594430560.png
Upload image -> image space -> look for the flag
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318161245710-1690463554.png
The flag is at /var/www/html/nothinghere/fl000g.txt
Request /nothinghere/fl000g.txt directly in the URL.
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318161252280-1073041136.png
web15
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318163436114-406809347.png
First scan with Yujian (御剑) to see whether there is any accessible backend directory.
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318163439239-1255470006.png
The scan finds a backend login page; it has a "forgot password" link.
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318163443280-17142338.png
Following the challenge's mention of an email address leak, go back to the page and check for an email address.
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318163448141-376226948.png
Search the QQ number to obtain the city.
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318163452613-1680590139.png
Choose reset password, then log in.
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318163456063-1082341956.png
web16
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318163503202-1645795144.png
Commonly used probes are the phpinfo probe, the Yahei (雅黑) probe and the UPUPW PHP probe (web-server-side probes).
Since this is about information leakage, as usual scan the backend files first.
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318163507746-599696525.png
tz.php is the Yahei probe; request it directly.
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318163511568-1983703226.png
A global search for ctfshow finds nothing, and the Yahei probe's system parameters are relatively incomplete, but its PHP parameters page links to phpinfo, so request that.
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318163516298-1664723037.png
Search the page for ctfshow.
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318163555405-2106164826.png
web17
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318163558718-630511166.png
From the challenge hint and the site's language, the database is probably MySQL, so search for common MySQL backup file names.
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318163602004-689251393.png
Guess that the backup file is named backup.sql; requesting it downloads the file directly.
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318163605287-1463489749.png
Open the file to see the flag.
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318163608685-839728661.png
web18
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318163622325-1309297942.png
It opens as a small game; press F12 to view the JS source and check the scoring logic.
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318163626325-1830709862.png
A score above 100 pops up a message written as Unicode escapes; decoding it gives:
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318163630091-2012499319.png
Request 110.php to get the flag.
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318163633657-1516982229.png
web19
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318163636942-1731501429.png
F12 to view the source shows the challenge's check logic.
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318163640063-60171856.png
The username and password are assigned via POST to $u and $p; when u and p equal specific values, the flag is output.
From the captured request or the page source, the password is AES-encrypted on the client before being sent to the server.
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318163645805-892404879.png
Capture with Burp and modify the username and pazzword values to get the flag.
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318164343368-448792002.png
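Two things go wrong in web19 at once: the comparison values live in a file the client can read, and the client-side AES step is just another value under the client's control, so the server has no reason to trust it. The following is an added example, not code from the original writeup: the leaked pattern (plaintext compare against a hardcoded pair) next to the server-side form a defender wants, where only a salted PBKDF2 hash is stored and the comparison is constant-time. The user names, passwords and iteration count are constructed placeholders for the example.

```python
"""Hardcoded credential check vs. hashed, constant-time check (added example, not from the writeup)."""
import hashlib
import hmac
import os

# --- What the leaked web19 check amounts to (constructed placeholder values) ---
HARDCODED_USER = "admin"
HARDCODED_PASS = "correct-horse"


def insecure_check(username, password):
    """Anyone who can read this file knows the credentials; '==' also leaks timing."""
    return username == HARDCODED_USER and password == HARDCODED_PASS


# --- Hardened form: store only salted hashes, compare in constant time ---
# OWASP's 2023 guidance is 600,000 iterations for PBKDF2-HMAC-SHA256; lowered here so
# the example runs quickly (assumption for the demo, not a recommendation).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt is drawn when none is supplied."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def make_store(users):
    """Build a credential store {username: (salt, digest)} from plaintext pairs (registration)."""
    return {name: hash_password(pw) for name, pw in users.items()}


def secure_check(store, username, password):
    """Verify a login against the store without revealing, via timing, whether the user exists."""
    record = store.get(username)
    if record is None:
        hash_password(password, b"\0" * SALT_BYTES)   # burn the same work for unknown users
        return False
    salt, expected = record
    _, actual = hash_password(password, salt)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    store = make_store({"alice": "s3cret-placeholder"})
    print("insecure, right creds:", insecure_check("admin", "correct-horse"))
    print("secure, right creds:  ", secure_check(store, "alice", "s3cret-placeholder"))
    print("secure, wrong creds:  ", secure_check(store, "alice", "guess"))
    print("secure, unknown user: ", secure_check(store, "mallory", "guess"))
```

The point of the hardened version is that the file the client might read now contains nothing that logs anyone in, and that encrypting the password in the browser is neither required nor relied on: transport protection belongs to TLS, and the server verifies whatever arrives against the stored hash.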
web20
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318164349204-1801232564.png
The keyword is db. Requesting /db returns 403, which suggests the file exists.
Requesting db.mdb then downloads the database file.
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318164353463-328474200.png
Search the file for flag.
https://img2023.cnblogs.com/blog/2643789/202303/2643789-20230318164357412-1271828856.png