类型:web
网址:http://www.shiyanbar.com/ctf/1808
攻击:vim缓存文件
一句话总结:
vim缓存文件.submit.php.swp
Writeup:
查看源码发现可疑代码
<meta name="admin" content="[email protected]" />
<meta name="editor" content="Vim" />
判断可能跟vim缓存文件有关,猜测缓存文件/.step1.php.swp、/.step2.php.swp、/.step3.php.swp、/.index.php.swp、/.submit.php.swp,发现/.submit.php.swp显示提示信息。
根据提示
“ if(strlen($token)!=10) die(‘fail’); if($token!=‘0’) die(‘fail’);
$sql = “SELECT count(*) as num from `user` where token=’$token’ AND
email=’$emailAddress’”; ”
判断token是长度10个字符且0开头的字符串,所以token=‘0e12345678’
根据提示“如果登录邮箱地址不是管理员则 die()”,判断[email protected]
最后,payload:
/10/upload/[email protected]&token=0e12345678
FLAG
SimCTF{huachuan_TdsWX}