
Weak passwords, subdomains, MD5, pseudo-random numbers, directory brute-forcing and CTF in action

Views: 507 / 2024-11-08 11:45:07

web 21 - Weak Password Brute-force & Custom Iterator

The page asks for an account and password. Enter admin as the account and anything as the password, then capture the request with Burp Suite.
You can see that the account and password are sent in the Authorization header, base64-encoded in the form Account:Password. Send the request to the Intruder module.

Select sniper mode. Because the whole account:password string is encoded as one unit, the two parts can't be brute-forced separately, so mark the encoded string as the single payload position.

Choose the custom iterator payload type. In position 1 write admin, and as the separator write :

Position 2 loads the supplied dictionary.

Add a base64-encode payload processing rule and uncheck Payload Encoding (URL-encoding), because base64 output may end in == and URL-encoding those characters would corrupt the encoded value.

Start the attack, sort by status code to find the password that was brute-forced, and decode it: the password is shark63. Log in with it to get the flag.
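The same Basic-auth brute-force seen from the defender's side, as an added Python example that is not part of the original write-up: it parses constructed access-log lines, decodes the Authorization value (URL-decoding first, because a padding = logged as %3D breaks base64, the same reason the write-up unchecks payload encoding), counts 401s per account and flags accounts under attack. The log format and the credentials in SAMPLE_LOG are constructed for this example.

```python
import base64
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed log lines (not from the page): method, path, status, Authorization value.
SAMPLE_LOG = """\
GET /admin 401 "Basic YWRtaW46MTIzNDU2"
GET /admin 401 "Basic YWRtaW46cGFzc3dvcmQ="
GET /admin 401 "Basic YWRtaW46cXdlcnR5"
GET /admin 401 "Basic YWRtaW46bGV0bWVpbg%3D%3D"
GET /admin 200 "Basic YWRtaW46c2hhcms2Mw=="
GET /admin 200 "Basic Ym9iOmh1bnRlcjI="
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\d{3}) "Basic ([^"]+)"$')


def decode_basic(value):
    """Decode a Basic credential to (user, password). URL-decode first: a
    padding '=' logged as %3D would otherwise make base64 decoding fail."""
    raw = base64.b64decode(unquote(value).encode("ascii"))
    user, _, password = raw.decode("utf-8", "replace").partition(":")
    return user, password


def basic_auth_attempts(log_text):
    """Per-user counters: failed (401) attempts, distinct passwords, success seen."""
    stats = defaultdict(lambda: {"failed": 0, "passwords": set(), "success": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a Basic-auth request; ignore
        status, cred = int(m.group(3)), m.group(4)
        user, password = decode_basic(cred)
        entry = stats[user]
        entry["passwords"].add(password)
        if status == 401:
            entry["failed"] += 1
        elif status == 200:
            entry["success"] = True
    return dict(stats)


def flag_brute_force(stats, threshold=3):
    """Accounts with >= threshold failures; a later 200 on such an account
    is the credential-found case that needs an alert, not just a log line."""
    return sorted(user for user, e in stats.items() if e["failed"] >= threshold)
```

Run flag_brute_force(basic_auth_attempts(SAMPLE_LOG)) to get ["admin"]; the admin entry also shows success=True after four failures.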

web 22 - Subdomain Brute-force & OneForAll

OneForAll, a subdomain collection tool open-sourced by shmilylty on GitHub, can brute-force subdomains:

python  --target  run

You can see that a lot of results were found, but the domain name for this challenge is no longer valid, otherwise there should be a

web 23 - MD5 Brute-force & Burp & Python

Looking at the code: a token parameter is submitted via GET, and the 2nd, 15th and 18th characters of its MD5 hash must be equal; in addition, the sum of those three digits divided by the value of the 2nd character must equal the value of the 32nd character.

Method 1 - Burp Suite brute-force

Ignoring what the conditions actually are, just brute-force the numbers 0-500 in Burp Suite: 422 gives a different response length, so 422 satisfies the conditions.

Method 2 - Python script brute-force

Enumerate all two-character strings and keep those that match the conditions; two usable strings come out: 3j and ZE

import hashlib

# Search all two-character tokens for an MD5 hex digest whose 2nd, 15th and 18th
# characters are the same digit and (d2 + d15 + d18) / d2 equals the 32nd digit.
dic = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
for a in dic:
    for b in dic:
        t = a + b
        md5 = hashlib.md5(t.encode('utf-8')).hexdigest()

        if md5[1] == md5[14] == md5[17]:  # ensure the characters in these positions are the same
            # ensure these characters are digits
            if 48 <= ord(md5[1]) <= 57 and 48 <= ord(md5[14]) <= 57 and 48 <= ord(md5[17]) <= 57:
                # ensure md5[31] is also a digit and matches the arithmetic relationship
                if 48 <= ord(md5[31]) <= 57:
                    num1 = int(md5[1])
                    num14 = int(md5[14])
                    num17 = int(md5[17])
                    num31 = int(md5[31])

                    # avoid division by zero
                    if num1 == 0:
                        continue  # skip this token

                    if (num1 + num14 + num17) / num1 == num31:
                        print(t)

web 24 - A First Look at Pseudo-Random Numbers

This challenge tests PHP pseudo-random numbers. After seeding with mt_srand(1), the value computed by the same random-number algorithm is fixed, so just check the server's PHP version and run the following code locally to get the random number. You can also try refreshing the page; you will find that the same value comes out every time.

<?php
mt_srand(372619038);
echo "Random number: ".mt_rand();
?>

web 25 - Pseudo-Random Numbers & Seed Brute-force

To get the flag, the token entered must be the sum of the second and third random numbers, so we need to know what the seed is.

Passing ?r=0 returns the negative of the first random number: -449307572

Next, brute-force the seed. Here we use the php_mt_seed tool (look up how to download and use it). It finds a lot of candidate seeds; the random numbers generated differ slightly between PHP versions, so you need to choose the seed that corresponds to the server's PHP version.

Check the PHP version and choose 1103714832; you may have to try a few of them here, the blogger tried two before it came out!

Write a PHP script that outputs the required random numbers:

<?php
mt_srand(1103714832);
echo mt_rand()."\n";
$result = mt_rand()+mt_rand();
echo $result;
?>

Submit r and token to get the flag.
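The seed-recovery idea behind web 24 and web 25, as an added Python example that is not from the original write-up: a standard MT19937 (the generator behind PHP's mt_rand) and a small brute-force over candidate seeds from one leaked output, which is what php_mt_seed does over the full 32-bit space. It assumes that PHP 7.1+ mt_rand() with no arguments returns the generator's 32-bit word shifted right by one (older versions twist differently, which is why the write-up warns the seed depends on the PHP version), and the seed 1050 and range are constructed for the demo; the point for defenders is that any fixed or guessable seed makes every later token predictable, so tokens should come from random_int() or random_bytes() instead.

```python
class MT19937:
    """Standard 32-bit Mersenne Twister with init_genrand seeding."""

    def __init__(self, seed):
        self.mt = [seed & 0xFFFFFFFF] + [0] * 623
        for i in range(1, 624):
            prev = self.mt[i - 1]
            self.mt[i] = (1812433253 * (prev ^ (prev >> 30)) + i) & 0xFFFFFFFF
        self.index = 624  # force a twist before the first output

    def _twist(self):
        for i in range(624):
            y = (self.mt[i] & 0x80000000) | (self.mt[(i + 1) % 624] & 0x7FFFFFFF)
            v = self.mt[(i + 397) % 624] ^ (y >> 1)
            self.mt[i] = v ^ 0x9908B0DF if y & 1 else v
        self.index = 0

    def next_u32(self):
        if self.index >= 624:
            self._twist()
        y = self.mt[self.index]
        self.index += 1
        y ^= y >> 11
        y ^= (y << 7) & 0x9D2C5680
        y ^= (y << 15) & 0xEFC60000
        y ^= y >> 18
        return y & 0xFFFFFFFF


def php_mt_rand(seed, count):
    """Assumption: PHP >= 7.1 mt_rand() without arguments is the MT word >> 1."""
    gen = MT19937(seed)
    return [gen.next_u32() >> 1 for _ in range(count)]


def recover_seed(first_output, candidate_seeds):
    """Brute-force the seed whose first mt_rand() equals the leaked value."""
    for seed in candidate_seeds:
        if MT19937(seed).next_u32() >> 1 == first_output:
            return seed
    return None


if __name__ == "__main__":
    leaked = php_mt_rand(1050, 1)[0]  # constructed demo seed, not the challenge's
    seed = recover_seed(leaked, range(1000, 1100))
    second, third = php_mt_rand(seed, 3)[1:]  # the token is their sum, as in web 25
    print("seed", seed, "token", second + third)
```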

web 26 - Database Password Brute-force

This challenge is still weak-password brute-forcing, just moved to the scenario of a system install wizard; brute-force the password as a number directly. The answer is 7758521, which is quite a lot of brute-forcing!
Also, the code logic of this challenge has a bit of a problem: fill in nothing, click install, capture the packet, and the flag is directly in the response. But that has none of the brute-force flavour, so the method above is still recommended!

web 27 - Portal Brute-force

There is a login page, but we have no information yet, so it certainly can't be brute-forced directly. Below it there is an admissions and student-registration information query system.

Seeing this, the guess is to brute-force the ID number (here the hidden part is the birthday) and then get the password through the admissions query.

Capture the packet. This challenge is strange: Firefox seems to have trouble capturing the request; either use Chrome, or keep clicking in Firefox until it is captured. Brute-force the birthday: choose the Dates payload type, set the start and end year, month and day, and select the date format, where y stands for year, M for month and d for day.

Find the response with a different length.

The response needs to be Unicode-decoded; the result gives the student number and password, and logging in with them gets the flag.

# Unicode-escaped string from the response
encoded_str = r"\u606d\u559c\u60a8\uff0c\u60a8\u5df2\u88ab\u6211\u6821\u5f55\u53d6\uff0c\u4f60\u7684\u5b66\u53f7\u4e3a02015237 \u521d \u59cb\u5bc6\u7801\u4e3a\u8eab\u4efd\u8bc1\u53f7\u7801"
# Use unicode_escape to decode
decoded_str = encoded_str.encode('utf-8').decode('unicode_escape')
print(decoded_str)

web 28 - Directory Brute-force

The URL is /0/1/, so the guess is to brute-force the numbers in the directory path. Delete them and brute-force the 0 and the 1 with the cluster bomb attack type.

Set payload sets 1 and 2 to the numbers 0-99.

Run the attack, find a directory that is accessible, and look at the response packet: it contains the flag.