Code Audit Challenges

Some interesting code audit "minor" topics.

1. Provide some help for code audit novices/newbies, and provide some routines for CTF-Web-dog.
2. For now, let me tell you that the best languages ​​in the world are:
   1. php
   2. python
   3. node-js
   4. Ruby
3. I would like to tell everyone in the future: Java and so on are also the best languages.
4. We will continue to organize and update, and delete/replace some questions.

• Major CTF-OJ platforms
• Major CTF events
• Public parts of knowledge sharing platforms such as Knowledge Planet
• The imagination of the masters

The code involved in the question may not be enough to directly support a complete environment. If you want to build a simulation locally, please modify it yourself.

This repo only provides explanations and corresponding answers to interesting points/vulnerabilities in the original code. If you have any good topics, please provide them.

• Challenge 1: Hash length extension attack

• Challenge 1: File reading, URL processing
• Challenge 2: SQL injection

• Challenge 1: SQL injection

• Challenge 1: phpBug #69892
• Challenge 2: PHP weak typing, is_numeric(), forced type conversion
• Challenge 3: PHP configuration file writing problem
• Challenge 4
• Challenge 5: webshell, waf bypass
• Challenge 6: Command execution, waf bypass
• Challenge 7: PHP weak typing
• Challenge 8: SQL injection
• Challenge 9: php Session serialization problem
• Challenge 10: php://input, php weak type, eregi
• Challenge 11: SQL injection
• Challenge 12: Command Execution
• Challenge 13: PHP weak type, strcmp comparison, ereg
• Challenge 14: SQL injection
• Challenge 15: PHP weak typing
• Challenge 16: SQL injection, logic vulnerability
• Challenge 17: Variable coverage
• Challenge 18: SQL injection
• Challenge 19: SQL injection
• Challenge 20: SQL injection
• Challenge 21: Comparison of stripos and php weak types
• Challenge 22:
• Challenge 23: Variable coverage
• Challenge 24: SQL injection
• Challenge 25: heredoc
• Challenge 26: PHP weak typing
• Challenge 27: php global variables, $GLOBALS
• Challenge 28
• Challenge 29
• Challenge 30
• Challenge 31
• Challenge 32
• Challenge 33
• Challenge 34
• Challenge 35
• Challenge 36
• Challenge 37
• Challenge 38
• Challenge 39
• Challenge 40
• Challenge 41
• Challenge 42
• Challenge 43
• Challenge 44
• Challenge 45
• Challenge 46
• Challenge 47
• Challenge 48
• Challenge 49: Hash length extension attack
• Challenge 50: SQL injection
• Challenge 51
• Challenge 52
• Challenge 53
• Challenge 54: Padding Oracle
• Challenge 55: SSRF
• Challenge 56: SQL injection
• Challenge 57
• Challenge 58
• Challenge 59: Hash collision
• Challenge 60: Command Execution
• Challenge 61: SSRF
• Challenge 62:
• Challenge 63:
• Challenge 64: PHP weak type, PHP integer overflow, PHP pseudo-protocol, etc.

• SQL injection

  • PHP:
    • Challenge 8
    • Challenge 11
    • Challenge 14
    • Challenge 16
    • Challenge 18
    • Challenge 19
    • Challenge 20
    • Challenge 24
    • Challenge 50
  • Ruby:
    • Challenge 1
  • Node.js:
    • Challenge 2

• command execution

  • PHP:
    • Challenge 4
    • Challenge 6
    • Challenge 12
    • Challenge 60: Command Execution

• Weak type comparison, etc.

  • PHP:
    • Challenge 1
    • Challenge 2
    • Challenge 7
    • Challenge 10
    • Challenge 13
    • Challenge 15
    • Challenge 21
    • Challenge 26
    • Challenge 64

• Deserialization

  • PHP:
    • Challenge 9

• variable override

  • PHP:
    • Challenge 17
    • Challenge 23

• cryptography related

  • PHP:
    • Challenge 49
    • Challenge 54
    • Challenge 59
  • PYTHON:
    • Challenge 1

• other

  • PHP:

    • Challenge 1
    • Challenge 3
    • Challenge 5
    • Challenge 25
    • Challenge 27
    • Challenge 49

  • Node-js:

    • Challenge 1