Authenticate your way to admin
Owen had created an authentication system which lets users login with their email-id or their team name. But that’s not fun is it? Logging in as the admin beats it all, so there’s your challenge.
The portal is running at 128.199.224.175:23000
Note: Use your Pragyan CTF credentials to login to the web portal.
提供了以下连个php
login.php
<?php
session_start();
require "helpers.php";
$type = $_POST['id_type'];
$identifier = $_POST['identifier'];
$password = $_POST['password'];
$_SESSION['id'] = $identifier;
if($type === 'team_name') {
$team_name = $identifier;
$_SESSION['id_type'] = 'team_name';
if(verify_teamname_password($team_name, $password) === true) {
$_SESSION['logged_in'] = true;
redirect('/homepage.php');
}
else {
die("Invalid Team Name-Password combination !!");
}
}
elseif ($type === 'email') {
$email = $identifier;
$_SESSION['id_type'] = 'email';
if(verify_email_password($email, $password) === true) {
$_SESSION['logged_in'] = true;
redirect('/homepage.php');
}
else {
die("Invalid Email-Password combination !!");
}
}
?>
homepage.php
<?php
session_start();
require "helpers.php";
if(! check_login())
redirect($LOGIN_URL);
$id_type = $_SESSION['id_type'];
$id = $_SESSION['id'];
?>
<!DOCTYPE html>
<html>
<head>
<title>Homepage</title>
</head>
<body style='background-color: #d6eaf8'>
<p style="float: right">
<a href='/logout.php'> Logout </a>
</p>
<p style="clear: both"></p>
<p style='height:30px; width:100%;'> </p>
<center>
<h2> Welcome User !! </h2>
<br><br>
<h3>
<?php
if($id_type === 'email') {
echo "Email :- ".$id;
}
elseif ($id_type === 'team_name')
{
echo "Team Name :- ".$id ;
}
?>
</h3>
<br><br>
<h4>
Here's a random funny saying for you :) <br>
</h4>
<br><br>
<?php
require "sayings.php";
printf(get_random_saying());
echo "<br><br>";
if($id === 'admin' && $id_type === 'team_name')
printf(output_flag());
?>
</center>
</body>
</html>
首先,用正常的账户登录,得到的session为logged_in=true
然后,用同样的sessionid访问login.php文件,post数据
identifier=admin&id_type=team_name&password=admin
即可使当前这个session的$id === 'admin' && $id_type === 'team_name'
然后,y用这个sessionid访问homepage即可得到flag
El33t Articles Hub
Are you a person interested in reading articles on hacking? You’ve come to the right place, check out our brand new website for article-reading enthusiasts.
The portal is running on 128.199.224.175:22000
有两个位置存在文件读取或者包含的可能
http://128.199.224.175:22000/index.php?file=Travel
http://128.199.224.175:22000/favicon.php?id=1
第一个链接测试发现做了过滤,第二个链接很容易发现问题
可以看到会尝试访问
‘./favicons/1..png’, ‘./favicons/1..ico’ or ‘./favicons/1..php’
提交file=../index
可以获取到各种相关的php源代码
然后在
发现了flag文件名,拼接一下
Quick Response
Tony had created a QR code for a specific purpose, and sent to his friend Rhody for deployment but when deployed, the QR code wasn’t working as it was supposed to. Figure out what’s wrong and help fix the problem.
QR Code的修复,
扫描器确定二维码的位置的方法很简单
只需要找到左上角、左下角和右上角的“回”字的正方图案俗称:定位点)
不需要完全对正
不同位置有无像素点的情况
可以被转换成 0/1的数据
进而还原二维码里面的文字
修复前
修复后
扫一扫
转载请注明来源,欢迎对文章中的引用来源进行考证,欢迎指出任何有错误或不够清晰的表达。可以在下面评论区评论,也可以邮件至3213359017@qq.com