网站被黑
打开是一个贼酷炫的网站
这鼠标真酷炫,但是咋写呢?
尝试了几个admin.php
什么的,没找到登陆页面,上网找了一下,发现大家都在用御剑扫…
御剑扫一下
shell.php
就是登陆页面,放到burp里暴力走一遍,得到flag
管理员系统
打开网页随便提交了个东西
尝试构造X-Forwarded-For: 127.0.0.1
,返回Invalid credentials! Please try again!
,打开源码可以看到一个可疑的base64编码
转了一下是test123
,猜测是密码,而用户名应该是admin
,提交一下就解出来了
web4
看看源码
var p1 = '%66%75%6e%63%74%69%6f%6e%20%63%68%65%63%6b%53%75%62%6d%69%74%28%29%7b%76%61%72%20%61%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%70%61%73%73%77%6f%72%64%22%29%3b%69%66%28%22%75%6e%64%65%66%69%6e%65%64%22%21%3d%74%79%70%65%6f%66%20%61%29%7b%69%66%28%22%36%37%64%37%30%39%62%32%62';
var p2 = '%61%61%36%34%38%63%66%36%65%38%37%61%37%31%31%34%66%31%22%3d%3d%61%2e%76%61%6c%75%65%29%72%65%74%75%72%6e%21%30%3b%61%6c%65%72%74%28%22%45%72%72%6f%72%22%29%3b%61%2e%66%6f%63%75%73%28%29%3b%72%65%74%75%72%6e%21%31%7d%7d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%6c%65%76%65%6c%51%75%65%73%74%22%29%2e%6f%6e%73%75%62%6d%69%74%3d%63%68%65%63%6b%53%75%62%6d%69%74%3b';
eval(unescape(p1) + unescape('%35%34%61%61%32' + p2));
转成js代码
function checkSubmit() {
var a = document.getElementById("password");
if ("undefined" != typeof a) {
if ("67d709b2b54aa2aa648cf6e87a7114f1" == a.value) return ! 0;
alert("Error");
a.focus();
return ! 1
}
}
document.getElementById("levelQuest").onsubmit = checkSubmit;
输入框输入67d709b2b54aa2aa648cf6e87a7114f1
,得到KEY{J22JK-HS11}