This article was posted on behalf of 小可莉 (KellyWong).
web1
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F7b4d2d99-406b-4517-b5f3-e6246e3e6b8b%2FUntitled.png?table=block&id=e1e955f4-b8a4-44fe-b954-28b003ad354e&t=e1e955f4-b8a4-44fe-b954-28b003ad354e&width=988&cache=v2)
Right-click and view the page source to find the flag.
web2
Right-clicking to view the source does not work, but you can add view-source: in the address bar.
web3
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F8c7e01fc-16a2-46c8-a750-0b5e8cd0badc%2FUntitled.png?table=block&id=feee810a-cef7-4e2e-8148-325991ec1087&t=feee810a-cef7-4e2e-8148-325991ec1087&width=3266&cache=v2)
Press F12; the flag is hidden in the response headers.
web4
Visit /robots.txt to get its contents.
Then visit /flagishere.txt to get the flag.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fbdd81c07-f466-4197-a3de-e30e0c1fc754%2FUntitled.png?table=block&id=56c4363a-02f4-4151-abed-4b32c23d5d8e&t=56c4363a-02f4-4151-abed-4b32c23d5d8e&width=968&cache=v2)
web5
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F8ae709a3-b6d8-4d39-9825-0d4ca2e7c44a%2FUntitled.png?table=block&id=1011e91f-46a2-418a-8610-a39ff6cbe874&t=1011e91f-46a2-418a-8610-a39ff6cbe874&width=468&cache=v2)
The challenge hint mentions a phps source leak, so try visiting /index.phps
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F8132bbd4-f789-4177-a441-b2cba63c4603%2FUntitled.png?table=block&id=89d3262b-e20e-4666-98a1-bf165972f81b&t=89d3262b-e20e-4666-98a1-bf165972f81b&width=809&cache=v2)
Got the flag.
web6
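Challenge hint:
Extracted the source into the current directory, tests pass, done for the day.
Ops staff commonly compress the site directory as www.zip; requesting it returns the archive.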
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F1f02c393-85dc-446d-b188-88bb2290cbe0%2FUntitled.png?table=block&id=37635dc6-6092-4a4f-b903-2dec6c6771bb&t=37635dc6-6092-4a4f-b903-2dec6c6771bb&width=928&cache=v2)
Extract it to get the flag.
web7
Version control is important, but not deploying it to production is even more important.
Keyword: version control. Visit /.git/
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fd304b120-a822-43f8-a264-eb1b8d1e0dd8%2FUntitled.png?table=block&id=0cec277b-364a-40c8-ab6c-5ea4a44279a1&t=0cec277b-364a-40c8-ab6c-5ea4a44279a1&width=815&cache=v2)
This gives the flag directly.
web8
Same requirement as above. Version control usually means .git or .svn; visit .svn
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fa9f467a7-b94c-4a1a-9399-a5bea91c82fc%2FUntitled.png?table=block&id=330c0875-65a9-4508-a11b-059ef49886aa&t=330c0875-65a9-4508-a11b-059ef49886aa&width=899&cache=v2)
web9
Keyword: vim
vim leaves a .swp file behind when it is not closed properly.
Visit /index.php.swp
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fb18203c1-e9e6-4545-8170-878a454201b8%2FUntitled.png?table=block&id=14384a5a-21e7-4c12-aa9b-d74ae8343c94&t=14384a5a-21e7-4c12-aa9b-d74ae8343c94&width=809&cache=v2)
web10
Keyword: cookie
Open it with editthiscookie to see:
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F8d25815e-e1f6-4b6c-9089-8855a248cb12%2FUntitled.png?table=block&id=426bbeef-60f7-4f7a-948f-e44fd0204a81&t=426bbeef-60f7-4f7a-948f-e44fd0204a81&width=1496&cache=v2)
web11
Keyword: information hidden in the domain name
web12
Visit /robots.txt to get its contents.
Visit /admin
It returned 404.
That completely stumped me.
web13
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Ff78f5e8d-c23e-49f0-8aee-0e2383cec6f9%2FUntitled.png?table=block&id=225ff43f-bc34-4edb-be6e-1b18514036b3&t=225ff43f-bc34-4edb-be6e-1b18514036b3&width=3266&cache=v2)
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Feaa72767-7603-40b1-aebb-cd4e8edc2bfa%2FUntitled.png?table=block&id=b328b9c5-5cf6-4ecb-9dec-d8cf630cb06e&t=b328b9c5-5cf6-4ecb-9dec-d8cf630cb06e&width=1104&cache=v2)
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F78750b68-b847-432d-bbcd-a6236be9c038%2FUntitled.png?table=block&id=7fb98980-b4e3-404c-a105-f26129068681&t=7fb98980-b4e3-404c-a105-f26129068681&width=1906&cache=v2)
web14
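The hint mentions an editor. Digging through the source reveals /editor/uploads/xxx.png, and /editor turns out to be directly accessible.
After opening it, click the upload-attachment button, then click the file space.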
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F4557c066-d126-44a4-9d4b-425fcdbc9724%2FUntitled.png?table=block&id=76c569bb-c824-4eda-9451-ea89b8d1723b&t=76c569bb-c824-4eda-9451-ea89b8d1723b&width=2336&cache=v2)
Found that /var/www/html/nothinghere contains the file /fl000g.txt
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F6d99c93f-0bef-415b-b126-b813e56ac04a%2FUntitled.png?table=block&id=97c5bd01-7996-46f4-a62f-fcf82a157e78&t=97c5bd01-7996-46f4-a62f-fcf82a157e78&width=1576&cache=v2)
Visit it by that path to get the flag.
web15
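The email address 1156631961@qq.com appears at the bottom of the page; looking up the QQ number shows it is from Xi'an.
Visit /admin, choose forgot password, enter Xi'an (西安), reset the password, and get the flag.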
web16
Visit /tz.php, click phpinfo, and search for flag.
web18
Modify score directly in the console, then visit /110.php to get the flag.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Ff0dc92d6-9b67-4d54-b9de-8b5d7685c232%2FUntitled.png?table=block&id=4eaf09d6-3560-4e85-a22e-ffbbc3832c65&t=4eaf09d6-3560-4e85-a22e-ffbbc3832c65&width=2206&cache=v2)
web19
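Wrong direction, wrong direction. I was still wondering how to decrypt it, but it turns out this challenge does not need decryption.
Right-click and view the source to get the username and the encrypted password, fill them into the input boxes, and enter $("#loginForm").submit(); in the console to get the flag.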
web20
Without experience, I really could not solve this one.
Early Access databases were stored at /db/db.mdb; visit it and search.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F5a3190b3-92f0-43e2-bfcc-9f5a43e972ee%2FUntitled.png?table=block&id=2d04b637-8e9a-44b4-be9d-de5c69da8648&t=2d04b637-8e9a-44b4-be9d-de5c69da8648&width=1618&cache=v2)
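The leftover paths requested in the challenges above (/.git/, .svn, /index.php.swp, /index.phps, www.zip, /db/db.mdb) can be watched for on the server side. The following is an added example, not part of the original write-up: it separates requests for such paths that were actually served from those that were only probed. The log lines are constructed, and the names `SENSITIVE`, `LINE` and `classify` are this example's own.

```python
import re
from urllib.parse import unquote

# Paths taken from this write-up; matching them is this example's own rule set.
SENSITIVE = re.compile(
    r"(^|/)\.(git|svn)(/|$)"          # version-control metadata (web7, web8)
    r"|\.(phps|sw[nop]|mdb|zip)$"     # source, swap, database, archive
    r"|~$",                           # editor backup file
    re.IGNORECASE,
)
# Common Log Format: host ident user [time] "METHOD target PROTO" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')

# Constructed sample log; client addresses are from documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /.git/HEAD HTTP/1.1" 200 23',
    '192.0.2.10 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php.swp HTTP/1.1" 404 196',
    '198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "GET /www.zip?x=1 HTTP/1.1" 200 90210',
    '198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "GET /%2esvn/entries HTTP/1.1" 403 199',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /db/db.mdb HTTP/1.1" 200 4096',
]


def classify(lines):
    """Split hits on sensitive paths into (served, probed) lists."""
    served, probed = [], []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        path = unquote(target.split("?", 1)[0])  # drop query, decode %2e etc.
        if SENSITIVE.search(path):
            hit = (client, path, int(status))
            (served if status.startswith("2") else probed).append(hit)
    return served, probed


if __name__ == "__main__":
    served, probed = classify(SAMPLE_LOG)
    for hit in served:
        print("SERVED", *hit)
    for hit in probed:
        print("probed", *hit)
```

A served hit means the file left the server and should be treated as disclosed; a probed hit is only someone checking for it.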
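Errata and additions
- Information gathering: install some plugins (to be added), write tools (weaponize knowledge), write a checklist
- vim produces .swp / .swo / .swn files; gedit produces a backup file named filename~
- Decompiling webpack bundles
- SVN information-leak tool SvnExploit
- Apache PHP parsing vulnerability (CVE-2017-15715): after uploading a file with a GIF file header, a path ending in .php/ can be used
- Use mv to overwrite when replacing key files
- HTTP protocol headers and their common fields
- If you do security work, get yourself a handle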
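
Most of the leaks in this write-up (index.phps, www.zip, .git, .svn, editor swap and backup files, db.mdb) are files that should never have reached the document root. The following pre-deployment check is an added example, not part of the original write-up: it walks a directory tree and reports such leftovers. The rule table, function names and sample tree are this example's own, and the sample files are constructed.

```python
import fnmatch
import os
import tempfile

# Rule names and reasons are this example's own; patterns come from the write-up.
VCS_DIRS = {".git": "git metadata (web7)", ".svn": "svn metadata (web8)"}
FILE_RULES = [
    ("*.sw[nop]", "vim swap file (web9)"),
    ("*~", "editor backup file"),
    ("*.phps", "PHP source file (web5)"),
    ("*.zip", "site archive such as www.zip (web6)"),
    ("*.mdb", "Access database (web20)"),
]

def _rel(root, dirpath, name):
    return os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")

def audit_webroot(root):
    """Return sorted (relative path, reason) pairs for leftovers under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in list(dirnames):
            if d in VCS_DIRS:
                findings.append((_rel(root, dirpath, d) + "/", VCS_DIRS[d]))
                dirnames.remove(d)  # report the directory once, do not descend
        for f in filenames:
            for pattern, reason in FILE_RULES:
                if fnmatch.fnmatch(f.lower(), pattern):
                    findings.append((_rel(root, dirpath, f), reason))
                    break
    return sorted(findings)

def build_sample_webroot(root):
    """Populate root with a constructed mix of clean and leftover files."""
    names = ["index.php", "index.phps", "index.php.swp", "config.php~", "www.zip",
             "db/db.mdb", ".git/HEAD", ".svn/entries", "static/app.js"]
    for name in names:
        full = os.path.join(root, *name.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("constructed sample\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_webroot(tmp)
        for path, reason in audit_webroot(tmp):
            print(f"{path}: {reason}")
```

Run against the build output before it is published, a non-empty result is a reason to fail the deployment.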