Improper Error Handling
打开靶机是这样的
看源码
<html>
<head>
  <title>Top Secret Project</title>
  <style>
    body {
      font-family: Arial, sans-serif;
      margin: 40px;
    }
    form {
      display: flex;
      flex-direction: column;
      align-items: center;
    }
    label {
      font-size: 1.2em;
      margin-bottom: 10px;
    }
    input[type="password"] {
      font-size: 1.2em;
      padding: 5px;
      width: 400px;
      margin-bottom: 20px;
    }
    button {
      font-size: 1.2em;
      padding: 5px 10px;
      background-color: #4CAF50;
      color: white;
      border-radius: 5px;
      cursor: pointer;
    }
    /* The debug pane is hidden until the script below reveals it. */
    pre {
      background-color: #eee;
      padding: 20px;
      white-space: pre-wrap;
      margin-top: 20px;
      display: none;
    }
    .error {
      color: red;
    }
  </style>
</head>
<body>
  <h1>Top Secret Project</h1>
  <form>
    <label for="input">Enter the password:</label>
    <input type="password" id="input">
    <button type="button" onclick="sendRequest()">Submit</button>
  </form>
  <p class="error" id="error-message"></p>
  <pre id="debug-message"></pre>
</body>
<script>
  /**
   * Sends the value of the password field to /api/error as the `length`
   * query parameter and shows the response body on the page.
   *
   * A body starting with "Error" goes into #error-message; any other body
   * goes into #debug-message. Both are written with textContent, so the
   * response is rendered as plain text, never parsed as HTML.
   *
   * NOTE(review): the value is concatenated into the URL without
   * encodeURIComponent, so characters such as `&` or `#` change the query.
   * NOTE(review): every non-"Error" response is shown verbatim, so whatever
   * diagnostic text the server returns is visible to the user. The server
   * side of /api/error is not shown on this page.
   */
  function sendRequest() {
    const fieldValue = document.getElementById("input").value;
    const url = "/api/error?length=" + fieldValue;

    fetch(url)
      .then((response) => response.text())
      .then((body) => {
        const errorPane = document.getElementById("error-message");
        const debugPane = document.getElementById("debug-message");

        // Exactly one pane is visible at a time: the one matching the body.
        const isError = body.startsWith("Error");
        const shown = isError ? errorPane : debugPane;
        const hidden = isError ? debugPane : errorPane;

        shown.textContent = body;
        shown.style.display = "block";
        hidden.style.display = "none";
      });
  }
</script>
</html>
定义了一个sendRequest()请求函数
访问:
/api/error?length=
试试传参
一步一步加长看看
当传入任意内容、长度一步步加到32位时,接口的返回内容里直接爆出了flag(前端会把不以 "Error" 开头的响应原样显示在 debug-message 里,所以服务端返回的调试信息对用户是完全可见的)
Hi-Score
一秒点一百下就能拿flag
这种题,大概率跟js有关
先看看js
调试器打开,找到一个函数
/**
 * String table of the obfuscated Hi-Score script.
 *
 * Returns the array of string constants defined below. Only the table is
 * visible here; the code that indexes into it is not shown.
 * NOTE(review): the digit-prefixed entries (e.g. "3526ccMajJ") are presumably
 * filler used by the obfuscator's own bookkeeping — confirm against the rest
 * of the script.
 *
 * Defender's note: the reward link target is embedded in this client-side
 * table, so anyone who can load the script can read it. Obfuscation is not
 * access control; the click-rate check would need to be enforced server-side.
 *
 * @returns {string[]} the string table
 */
function _0x59a2() {
  var _0x78411b = [
    "\x20cps",
    "clicks",
    // Reward markup. The hex literal is split into byte pairs and each pair
    // is turned into a character, so the href is built when the array is
    // created: "2f2e…6167" decodes to "/.secretion/flag".
    "\x20Your\x20Reward\x20:\x20<a\x20href=\x22" +
      "2f2e736563726574696f6e2f666c6167"
        .match(/[\da-f]{2}/gi)
        .map((h) => String.fromCharCode(parseInt(h, 16)))
        .join("") +
      "\x22\x20download=\x22flag\x22>Reward</a>",
    "3526ccMajJ",
    // NOTE(review): presumably the reward markup above is assigned through
    // this property name elsewhere in the script — not visible here.
    "innerHTML",
    "4263236HVNRoh",
    "3656895VkgrIX",
    "503210VEeXpc",
    "toFixed",
    "5NfzyuJ",
    "8399912tBbEFu",
    "SCORE:\x20",
    "6379703kdfIqT",
    "getElementById",
    "getTime",
    "48bKPhCj",
    "14Xmxuhh",
    "reward",
    "9wOTYQU",
    "597OMUzhx",
    "2046510XnQiaG",
  ];
  // The function overwrites itself with a closure over the array, so later
  // calls return the same array object instead of rebuilding it.
  _0x59a2 = function () {
    return _0x78411b;
  };
  return _0x59a2();
}
看起来
"\x20Your\x20Reward\x20:\x20<a\x20href=\x22" +
"2f2e736563726574696f6e2f666c6167"
这段是回显reward,也就是flag的
一开始以为要解这个 2f2e736563726574696f6e2f666c6167
发现不行
_0x59a2 = function () { return _0x78411b; }; return _0x59a2(); } 看到这里可以知道:直接在控制台运行 _0x59a2() 这个函数,就会返回整个字符串数组;数组里那段十六进制串在构造数组时已经被 match/map/join 按字节还原成字符,所以返回值里能直接看到 href 的内容
得到flag的地址
/.secretion/flag
访问下载打开