WEB
签到题
点开后是一个登录框,直接查看源码得到关键代码
<!-- if (isset($_GET['Username']) && isset($_GET['password'])) {
// Login check from the challenge page: both fields arrive via the query string.
$logined = true;
$Username = $_GET['Username'];
$password = $_GET['password'];
// Username must consist of letters only.
if (!ctype_alpha($Username)) {
$logined = false;}
// password must be a numeric string (is_numeric also accepts forms such as exponent notation).
if (!is_numeric($password) ) {
$logined = false;}
// Loose comparison: both md5() results are hex strings, and != lets PHP juggle
// digests of the form "0e<digits>" to the number 0, so two different digests can compare equal.
// Fix: compare with !== or hash_equals().
if (md5($Username) != md5($password)) {
$logined = false;}
if ($logined){
echo "successful";
} else {
echo "login failed!";
}
}
-->
弱类型比较,使 username=QNKCDZO;password=240610708,进入下一关
<!-- if (isset($_POST['message'])) {
// Decodes the posted JSON and compares its "key" member against a server-side secret.
$message = json_decode($_POST['message']);
$key ="*********";
// Loose comparison again: $message->key carries whatever JSON type the client sent, and
// == coerces before comparing, so a non-string value can satisfy a string secret.
// Fix: require is_string($message->key) and compare with === (or hash_equals()).
// NOTE(review): invalid JSON makes json_decode() return null; reading ->key on null is only
// a notice/warning, so malformed input still reaches this comparison rather than failing early.
if ($message->key == $key) {
echo "flag";
}
else {
echo "fail";
}
}
else{
echo "~~~~";
}
-->
直接构造
抽抽奖
JsFuck 和 aaencode 编码过的 js 有点大,还是直接调试 js
(function() {
// Exposed on window so the page's lottery button handler can call it.
// awards: prize index (not referenced in this body); angle: resting angle of the wheel;
// text: prize label handed to getFlag() once the spin animation completes.
window.rotateFunc = function(awards,angle,text){
$('#lotteryBtn').stopRotate();
$("#lotteryBtn").rotate({
angle:0,
duration: 5000,
// four extra full turns (1440 degrees) before settling on `angle`
animateTo: angle+1440,
callback:function(){
// The outcome is decided purely by the caller-supplied text, on the client side.
getFlag(text);
}
});
};
})
直接点击下面的getFlag函数
(function() {
// Maps the prize label to an alert. The flag literal is embedded in this client-side
// script, which is why the writeup calls getFlag directly instead of spinning the wheel.
window.getFlag=function(text){
if(text=='1'){ alert("你最厉害啦!可惜没flag") } if(text=='2'){ alert("你太厉害了,竟然是二等奖") } if(text=='3'){ alert("你好厉害,三等奖啊") } if(text=='flag'){ alert("flag{951c712ac2c3e57053c43d80c0a9e543}") } if(text=='0'){ alert("再来一次吧") } }
})
继续抽
关键代码
$(function() {
// Second-round lottery: the prize is now validated by get.php instead of on the client.
// jsctf0: prize index (unused here); jsctf1: resting angle; jsctf2: prize id sent to the server.
var rotateFunc = function(jsctf0, jsctf1, jsctf2) {
// NOTE(review): 'token.php' is used as a jQuery selector here, which matches no element;
// presumably an obfuscation/copy artifact rather than intended behaviour.
$('token.php').stopRotate();
$("#lotteryBtn").rotate({
angle: 0x0,
duration: 0x1388,
animateTo: jsctf1 + 0x5a0,
callback: function() {
// The request is bound to the current #token value; the prize id is sent as encode(md5(id)).
$.get('get.php?token=' + $("#token").val() + "&id=" + encode(md5(jsctf2)), function(jsctf3) {
alert(jsctf3['text'])
}, 'json');
// A fresh token is fetched after every spin, so each token is single-use.
$.get('token.php', function(jsctf3) {
$("#token").val(jsctf3)
}, 'json')
}
})
};
$("#lotteryBtn").rotate({
bind: {
click: function() {
// The candidate list holds only 0, so the random pick is always 0 and only the
// last branch below can run; the 1/2/3 branches are dead in this build.
var jsctf0 = [0x0];
jsctf0 = jsctf0[Math.floor(Math.random() * jsctf0.length)];
if (jsctf0 == 0x1) {
rotateFunc(0x1, 0x9d, 1)
};
if (jsctf0 == 0x2) {
rotateFunc(0x2, 0xf7, 2)
};
if (jsctf0 == 0x3) {
rotateFunc(0x3, 0x16, 3)
};
if (jsctf0 == 0x0) {
// Random resting angle for the "no prize" outcome; '\x30' is the string '0'.
var jsctf1 = [0x43, 0x70, 0xca, 0x124, 0x151];
jsctf1 = jsctf1[Math.floor(Math.random() * jsctf1.length)];
rotateFunc(0x0, jsctf1, '\x30')
}
}
}
})
})
encode
/**
 * Transforms a string into a hex digest, one UTF-16 code unit at a time:
 * units below 128 gain 128, units of 128 or more lose 128, and the result
 * is complemented against 255 before being written as lowercase hex,
 * left-padded to at least two digits.
 *
 * @param {string} string - text to transform (the page feeds it an md5 hex digest)
 * @returns {string} concatenated hex pairs, one per input code unit
 */
function encode(string) {
  const hexPairs = [];
  // Index loop on purpose: charCodeAt works per UTF-16 unit, not per code point.
  for (let i = 0; i < string.length; i += 1) {
    const unit = string.charCodeAt(i);
    const shifted = unit < 128 ? unit + 128 : unit - 128;
    const complemented = 255 - shifted;
    hexPairs.push(complemented.toString(16).padStart(2, '0'));
  }
  return hexPairs.join('');
}
通过查看一些 js 代码,可知结果跟 text 的值有关,但尝试几个都不对,直接爆破好啦。注意:这个请求必须绑定 token,所以脚本里有一段读取 token 的代码。
附上 Mirage 队伍的脚本(小小地改动了一下)
import requests
import hashlib
def encode(str):
end = ""
for s in str:
if ord(s)<128:
end&#