# XCTF 攻防世界 beginner practice area: web

Challenge 1: view\_source

![](https://1702163534-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M7oudw7uWMhEPV8wJgq%2F-MdpBHpSKWq4cl8u0SkW%2F-MdpH-bObu1TehB_oYKH%2Fimage.png?alt=media\&token=00bc5511-5298-4d16-b8f6-2a2d79accd42)

Solution: press F12 to view the page source; the flag is right there.

![](https://1702163534-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M7oudw7uWMhEPV8wJgq%2F-MdpJXZYJMYoyLn2lt7d%2F-MdpJdROnH54Uke_Dq9S%2Fimage.png?alt=media\&token=0e92567e-f51a-499c-9b1e-bd1e8ef4af8b)

Challenge 2: robots

![](https://1702163534-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M7oudw7uWMhEPV8wJgq%2F-MdpJgE42_aMq2xG2DIa%2F-MdpMEmMCTZtaPW1k0d9%2Fimage.png?alt=media\&token=f2fa4a6a-38c4-488a-8caa-f19af929d71a)

Solution:

The challenge title hints at robots, so go straight to robots.txt.

![](https://1702163534-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M7oudw7uWMhEPV8wJgq%2F-MdpMO15R5tIWpcprGJI%2F-MdpMkr0SXKE67GqiHmF%2Fimage.png?alt=media\&token=94a2b5c3-939e-4012-8600-99cf0f31b319)

It lists an interesting entry; request that php file directly.

![](https://1702163534-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M7oudw7uWMhEPV8wJgq%2F-MdpMO15R5tIWpcprGJI%2F-MdpMzoPevde90OB4z98%2Fimage.png?alt=media\&token=4da1c14e-850d-4a08-925e-ba57d7670e52)

Challenge 3: backup

![](https://1702163534-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M7oudw7uWMhEPV8wJgq%2F-MdpMO15R5tIWpcprGJI%2F-MdpNEEdVs2CFQnpzpsT%2Fimage.png?alt=media\&token=1324179b-0ed7-40dc-9ec3-aef0fcb7622e)

Solution:

The challenge asks whether you know the name of the backup file of index.php.

![](https://1702163534-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M7oudw7uWMhEPV8wJgq%2F-MdpNMjsJq6awe3kIG04%2F-MdpNm73qhc6Lrdm3hJQ%2Fimage.png?alt=media\&token=f589fa3e-6b53-43c2-b829-d29e836d158d)

So try the common backup names directly: .index.php.swp / .index.php.bak / index.php.bak

![](https://1702163534-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M7oudw7uWMhEPV8wJgq%2F-MdpNMjsJq6awe3kIG04%2F-MdpO70zW9Z75pNx_aF_%2Fimage.png?alt=media\&token=11a1ebcf-4ef4-44cd-a19d-8d7c3cf56162)

Challenge 4: cookie

![](https://1702163534-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M7oudw7uWMhEPV8wJgq%2F-MdpOBczeFNAYzrrvJno%2F-MdpOQiLlk9gXGlBZkH7%2Fimage.png?alt=media\&token=af27b067-eff4-43c4-9fa0-9574898d4823)

Solution:

The hint is "cookie"; press F12, inspect the cookie, and it tells you to visit cookie.php.

![](https://1702163534-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M7oudw7uWMhEPV8wJgq%2F-MdpOBczeFNAYzrrvJno%2F-MdpUEzutrlS8wiWvYW3%2Fimage.png?alt=media\&token=f6b570df-33dd-4c58-bdfc-6fd08a28c785)

Visiting cookie.php shows the hint "see http response"; the flag is in the response headers.

![](https://1702163534-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M7oudw7uWMhEPV8wJgq%2F-MdpOBczeFNAYzrrvJno%2F-MdpUZmrvF14Rqrbo5ys%2Fimage.png?alt=media\&token=d1fc4eca-c376-44df-a9f4-7ea8f2b74838)

Challenge 5: disabled\_button

![](https://1702163534-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M7oudw7uWMhEPV8wJgq%2F-MdpUkH7h3SeXIzKipBV%2F-MdpUpSvqAL2vqjIZUQG%2Fimage.png?alt=media\&token=85790706-eb4f-4f97-8064-71326168468f)

Solution: press F12, inspect the source, locate the button element and remove its disabled attribute.

![](https://1702163534-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M7oudw7uWMhEPV8wJgq%2F-MdpUuDKA_k5dOkwFc_4%2F-MdpVJ31Wey5Nm8JQUxi%2Fimage.png?alt=media\&token=1df57bea-3dc6-4288-a47f-ef7e2b531f23)

Challenge 6: weak\_auth

![](https://1702163534-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M7oudw7uWMhEPV8wJgq%2F-MdpVSskAOYIy_mUBE5l%2F-MdpVkt_52CE6Rs4GRzI%2Fimage.png?alt=media\&token=d329bf22-40fd-4ca8-b393-2fe3efb6b77f)

Solution:

![](https://1702163534-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M7oudw7uWMhEPV8wJgq%2F-MdpX4Yp0suLHGWAbbI9%2F-MdpX6-Pmk8KiH0qtw2U%2Fimage.png?alt=media\&token=07f0ccfd-6c85-4e61-83f4-035ba571aab9)

![](https://1702163534-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M7oudw7uWMhEPV8wJgq%2F-MdpX4Yp0suLHGWAbbI9%2F-MdpXx-P2SSnb9gYtE09%2Fimage.png?alt=media\&token=1ad7717d-bb3f-459d-91e7-8b34464f8a87)

Challenge 7: simple\_php

![](https://1702163534-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M7oudw7uWMhEPV8wJgq%2F-MdpX4Yp0suLHGWAbbI9%2F-MdpYFbUAEpUoUMZriWO%2Fimage.png?alt=media\&token=b7f6bac1-705f-480d-b810-23fedbdaec3f)

Solution:

![](https://1702163534-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M7oudw7uWMhEPV8wJgq%2F-MdpYJcw-xPiczBnVTDF%2F-MdpYXtrnenfVIJE3h7W%2Fimage.png?alt=media\&token=866dc0dc-a381-4f42-bd04-45346c509aa6)

![](https://1702163534-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M7oudw7uWMhEPV8wJgq%2F-MdpYJcw-xPiczBnVTDF%2F-MdpYppgrU1RiAG8o7Nn%2Fimage.png?alt=media\&token=2187984f-73c2-43fa-b78e-4ce4a8836d7d)

Challenge 8: get\_post

![](https://1702163534-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M7oudw7uWMhEPV8wJgq%2F-MdpZRWpn1ZoN45_C1-D%2F-MdpZWZhYxET5zzTpg96%2Fimage.png?alt=media\&token=7e6ed9d4-3956-46b5-bc8f-a7e668bf9c64)

Solution:

![](https://1702163534-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M7oudw7uWMhEPV8wJgq%2F-MdpZRWpn1ZoN45_C1-D%2F-MdpZuIOuhc1d865SvUD%2Fimage.png?alt=media\&token=34a3588c-fa02-440e-9a84-0f031622cb63)

![](https://1702163534-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M7oudw7uWMhEPV8wJgq%2F-MdpZRWpn1ZoN45_C1-D%2F-Mdp_8BT_Kpvc3NURNZH%2Fimage.png?alt=media\&token=d1a35bf8-0720-4395-a85c-355a5f33a759)

![](https://1702163534-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M7oudw7uWMhEPV8wJgq%2F-MdpZRWpn1ZoN45_C1-D%2F-Mdp_CvoJmuYYQSvNgDq%2Fimage.png?alt=media\&token=fad57c83-9458-4d5d-98c3-c84e16a07837)

Challenge 9: xff\_referer

![](https://1702163534-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M7oudw7uWMhEPV8wJgq%2F-MdpZRWpn1ZoN45_C1-D%2F-Mdp_Tfp30rWoBGzKJ6_%2Fimage.png?alt=media\&token=512cea49-82b5-4a82-9106-47d2b43cf265)

Solution:

X-Forwarded-For, abbreviated XFF, is a request header that represents the client, i.e. the real IP of the HTTP requester; it is only added when the request passes through an HTTP proxy or a load balancer.

HTTP Referer is part of the request headers too: when the browser sends a request to the web server it usually includes a Referer telling the server which page the link came from.

Add `X-Forwarded-For: 123.123.123.123` to the request headers.

Then add `Referer: https://www.google.com` to the request headers, and the flag is returned.
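Both headers in this challenge are set by the client, which is why the check could be bypassed. As an added example (not part of the original writeup), here is the server-side view: a naive "first XFF entry" lookup beside one that only believes hops appended by the site's own proxies. The `TRUSTED_PROXIES` range is a constructed value for the example.

```python
# Added example: why X-Forwarded-For must not be trusted blindly.
# The client controls the header; only the hops appended by trusted
# proxies in front of the server are reliable.
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed for this example: the address range of the site's own load balancers.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]


def naive_client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """The weak pattern: take the first XFF entry and believe it."""
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Walk the chain from the right, skipping trusted proxies; the first
    untrusted address is the real peer. Anything further left is unverified."""
    hops = [remote_addr]
    if xff:
        hops = [h.strip() for h in xff.split(",") if h.strip()] + hops
    for hop in reversed(hops):
        try:
            addr = ip_address(hop)
        except ValueError:
            return remote_addr  # malformed header: fall back to the TCP peer
        if not any(addr in net for net in TRUSTED_PROXIES):
            return hop
    return remote_addr  # every hop was one of our proxies


if __name__ == "__main__":
    # Constructed sample: a spoofed entry in front of the address the proxy saw.
    print(naive_client_ip("10.0.0.5", "123.123.123.123, 203.0.113.9"))
    print(client_ip("10.0.0.5", "123.123.123.123, 203.0.113.9"))
```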

![](https://1702163534-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M7oudw7uWMhEPV8wJgq%2F-MdpZRWpn1ZoN45_C1-D%2F-Mdpe0VlYej2BXUWg3P_%2Fimage.png?alt=media\&token=05a063ae-251f-4d48-9b29-d8f6ef017914)

Challenge 10: webshell

![](https://1702163534-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M7oudw7uWMhEPV8wJgq%2F-MdpZRWpn1ZoN45_C1-D%2F-Mdpehyz6X0Ad4OwxkGF%2Fimage.png?alt=media\&token=a29409b7-eb6f-442e-95c6-5064208f617f)

Solution:

![](https://1702163534-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M7oudw7uWMhEPV8wJgq%2F-MdpfQaWYI0JxRx6xlSb%2F-Mdpga-_CFZbIAcyAbys%2Fimage.png?alt=media\&token=a8a28d2d-8a1b-4c58-9092-cc25fffe035c)

Challenge 11: command\_execution

![](https://1702163534-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M7oudw7uWMhEPV8wJgq%2F-MdpgbwPPDNhwHI3yplj%2F-Mdph-wDsBAmBxdQsnZ6%2Fimage.png?alt=media\&token=06354e64-aa88-4a1f-ace2-fa6ca31bab25)

Solution:

![](https://1702163534-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M7oudw7uWMhEPV8wJgq%2F-Mdph5t6PF-aVSV063dj%2F-MdpjL1u5TRkmyEU7Tq7%2Fimage.png?alt=media\&token=5144b3e4-2806-4e63-9111-1328ffeb9f9c)

![](https://1702163534-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M7oudw7uWMhEPV8wJgq%2F-Mdph5t6PF-aVSV063dj%2F-MdpjTa7epAwpeLewpwY%2Fimage.png?alt=media\&token=c3a6be48-3ea6-4ba1-97ea-a5a27d9941f1)

Challenge 12: simple\_js

![](https://1702163534-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M7oudw7uWMhEPV8wJgq%2F-Mdpjdc3jcEOvaPFYnhT%2F-Mdpjk1mkBf5qbJhS9rQ%2Fimage.png?alt=media\&token=bbed2657-f80c-4a3d-b34e-e46023b39681)

Solution:

Captured page source:

```javascript
function dechiffre(pass_enc) {
    var pass = "70,65,85,88,32,80,65,83,83,87,79,82,68,32,72,65,72,65";
    var tab  = pass_enc.split(',');
    var tab2 = pass.split(',');
    var i, j, k, l = 0, m, n, o, p = "";
    i = 0;
    j = tab.length;
    k = j + (l) + (n = 0);
    n = tab2.length;
    // first loop: characters 0..5 of tab2
    for (i = (o = 0); i < (k = j = n); i++) {
        o = tab[i - l];
        p += String.fromCharCode((o = tab2[i]));
        if (i == 5) break;
    }
    // second loop: characters 6..n-2 of tab2
    for (i = (o = 0); i < (k = j = n); i++) {
        o = tab[i - l];
        if (i > 5 && i < k - 1)
            p += String.fromCharCode((o = tab2[i]));
    }
    p += String.fromCharCode(tab2[17]);
    pass = p;
    return pass;
}
```

\x35\x35\x2c\x35\x36\x2c\x35\x34\x2c\x37\x39\x2c\x31\x31\x35\x2c\x36\x39\x2c\x31\x31\x34\x2c\x31\x31\x36\x2c\x31\x30\x37\x2c\x34\x39\x2c\x35\x30

First process the string with Python to get the array \[55,56,54,79,115,69,114,116,107,49,50]; the exp is as follows.

```python
# The \x escapes are resolved by the Python string literal itself,
# so printing s yields the comma-separated decimal list.
s = "\x35\x35\x2c\x35\x36\x2c\x35\x34\x2c\x37\x39\x2c\x31\x31\x35\x2c\x36\x39\x2c\x31\x31\x34\x2c\x31\x31\x36\x2c\x31\x30\x37\x2c\x34\x39\x2c\x35\x30"
print(s)
```

Then convert each number to its ASCII character to get the string 786OsErtk12; the exp is as follows.

```python
# Map each decimal code point to its character and concatenate.
a = [55, 56, 54, 79, 115, 69, 114, 116, 107, 49, 50]
c = ""
for i in a:
    b = chr(i)
    c = c + b
print(c)
```
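As an added example (not part of the original writeup), a Python port of the challenge's `dechiffre()` together with a decoder for the hex-escaped argument: it shows that the function's return value never depends on its input (it always rebuilds the decoy from `pass`), while the argument itself decodes to the string obtained above. `ENCODED_ARG` is copied from the challenge page.

```python
# Added example: port of the obfuscated dechiffre() plus a decoder for its
# argument, showing that the argument, not the function, holds the answer.

# Copied from the challenge page (raw string: the \x escapes are kept literal).
ENCODED_ARG = r"\x35\x35\x2c\x35\x36\x2c\x35\x34\x2c\x37\x39\x2c\x31\x31\x35\x2c\x36\x39\x2c\x31\x31\x34\x2c\x31\x31\x36\x2c\x31\x30\x37\x2c\x34\x39\x2c\x35\x30"


def dechiffre(pass_enc: str) -> str:
    """Faithful port of the JS: pass_enc is split but never used for output."""
    pass_ = "70,65,85,88,32,80,65,83,83,87,79,82,68,32,72,65,72,65"
    tab2 = [int(x) for x in pass_.split(",")]
    _tab = pass_enc.split(",")  # read exactly like the JS does, then ignored
    n = len(tab2)
    p = ""
    # first loop: characters 0..5, then break
    for i in range(n):
        p += chr(tab2[i])
        if i == 5:
            break
    # second loop: characters 6..n-2
    for i in range(n):
        if 5 < i < n - 1:
            p += chr(tab2[i])
    p += chr(tab2[17])
    return p


def unescape_hex(escaped: str) -> str:
    """Turn a literal such as r"\x35\x35" into the text "55"."""
    return escaped.encode("ascii").decode("unicode_escape")


def decode_arg(escaped: str) -> str:
    """Hex escapes -> "55,56,..." -> [55, 56, ...] -> the readable string."""
    numbers = [int(x) for x in unescape_hex(escaped).split(",")]
    return "".join(chr(num) for num in numbers)


if __name__ == "__main__":
    print(dechiffre(ENCODED_ARG))  # same decoy string for any input
    print(decode_arg(ENCODED_ARG))  # the value the writeup recovers
```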
