先貼網址:網絡安全實驗室
1.key又又找不到了:
打開題目發現一個超鏈接,習慣性burp抓包看看

key這不就來了么

2.快速口算:

既然是腳本關,人算不如機算,快滾去寫代碼,掏出py吧少年。
import re
import requests

# "Quick mental arithmetic" challenge: the page serves an expression that, as the
# author notes, is better answered by a machine than by hand, so the whole round
# trip (fetch puzzle, compute, post answer) is scripted against one session.
url = 'http://lab1.xseclab.com/xss2_0d557e6d2a4ac08b749b61473a075be1/index.php'

# One session so the cookie issued together with the puzzle travels with the answer.
session = requests.session()
raw_page = session.get(url).content
print(raw_page)

# .content is bytes on Python 3; decode before handing the text to the regex.
page = raw_page.decode('utf-8')

# Collect every run of two or more digits. The author's formula below treats the
# first five of them as the puzzle's operands in reading order: a*b + c*(d+e).
operands = [int(token) for token in re.findall(r'[\d]{2,}', page)]
answer = operands[0] * operands[1] + operands[2] * (operands[3] + operands[4])

reply = session.post(url, data={'v': answer}).content
print(reply.decode('utf-8'))
走你

3.這個題目是空的
試了一圈最后發現是null,還不能大寫,因為我第一下猜的就是大寫的。
4.怎么就是不彈出key呢?
先點了鏈接發現沒反應,審查元素后發現一大段js代碼,發現a是個匿名函數,代碼中還有禁止彈窗的函數,復制下來,刪除前面幾個函數,修改打印的值。
js代碼並不是很了解,所以貼一下別人的writeup......
<script>
// Snippet quoted from another writeup (the author says they did not fully follow
// the JS). Shape: `b` receives the OUTPUT of a `p,a,c,k,e,r`-style unpacker that is
// invoked immediately on a packed payload (radix 62, 98 dictionary entries). That
// output is itself script text, so `eval(b)` executes it. The payload's leading
// token `1s` decodes to dictionary index 90, which is `eval`, and the same
// unpacker/dictionary pattern is nested inside the payload, so several
// unpack-then-eval rounds run before `d` receives the final completion value.
// Review note: to inspect a script like this without executing code you do not
// control, replace `eval(b)` with a print of `b` and peel one layer at a time —
// which is what the writeup text above describes doing.
var a = function () {
  // p: packed source, a: radix, c: dictionary size, k: dictionary,
  // e: encoder (index -> token), r: token -> word table (filled below).
  var b = function (p, a, c, k, e, r) {
    // Encode index c as a base-`a` token: 0..35 via toString(36), anything above
    // 35 via fromCharCode(c + 29) (so 36 -> 'A'); higher digits recurse.
    e = function (c) {
      return (c < a ? '' : e(parseInt(c / a))) + ((c = c % a) > 35 ? String.fromCharCode(c + 29) : c.toString(36))
    };
    // ''.replace(/^/, String) yields '' (falsy), so this branch always runs:
    // build the token -> word table, then switch to a single global \w+ replace
    // whose callback looks each token up in that table.
    if (!''.replace(/^/, String)) {
      while (c--) r[e(c)] = k[c] || e(c);
      k = [
        function (e) {
          return r[e]
        }
      ];
      e = function () {
        return '\\w+'
      };
      c = 1
    };
    while (c--) if (k[c]) p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c]);
    return p
  }('1s(1e(p,a,c,k,e,r){e=1e(c){1d(c<a?\'\':e(1p(c/a)))+((c=c%a)>1q?1f.1j(c+1k):c.1n(1o))};1g(!\'\'.1h(/^/,1f)){1i(c--)r[e(c)]=k[c]||e(c);k=[1e(e){1d r[e]}];e=1e(){1d\'\\\\w+\'};c=1};1i(c--)1g(k[c])p=p.1h(1l 1m(\'\\\\b\'+e(c)+\'\\\\b\',\'g\'),k[c]);1d p}(\'Y(R(p,a,c,k,e,r){e=R(c){S(c<a?\\\'\\\':e(18(c/a)))+((c=c%a)>17?T.16(c+15):c.12(13))};U(!\\\'\\\'.V(/^/,T)){W(c--)r[e(c)]=k[c]||e(c);k=[R(e){S r[e]}];e=R(){S\\\'\\\\\\\\w+\\\'};c=1};W(c--)U(k[c])p=p.V(Z 11(\\\'\\\\\\\\b\\\'+e(c)+\\\'\\\\\\\\b\\\',\\\'g\\\'),k[c]);S p}(\\\'G(B(p,a,c,k,e,r){e=B(c){A c.L(a)};E(!\\\\\\\'\\\\\\\'.C(/^/,F)){D(c--)r[e(c)]=k[c]||e(c);k=[B(e){A r[e]}];e=B(){A\\\\\\\'\\\\\\\\\\\\\\\\w+\\\\\\\'};c=1};D(c--)E(k[c])p=p.C(I J(\\\\\\\'\\\\\\\\\\\\\\\\b\\\\\\\'+e(c)+\\\\\\\'\\\\\\\\\\\\\\\\b\\\\\\\',\\\\\\\'g\\\\\\\'),k[c]);A p}(\\\\\\\'t(h(p,a,c,k,e,r){e=o;n(!\\\\\\\\\\\\\\\'\\\\\\\\\\\\\\\'.m(/^/,o)){l(c--)r[c]=k[c]||c;k=[h(e){f r[e]}];e=h(){f\\\\\\\\\\\\\\\'\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\w+\\\\\\\\\\\\\\\'};c=1};l(c--)n(k[c])p=p.m(q s(\\\\\\\\\\\\\\\'\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\b\\\\\\\\\\\\\\\'+e(c)+\\\\\\\\\\\\\\\'\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\b\\\\\\\\\\\\\\\',\\\\\\\\\\\\\\\'g\\\\\\\\\\\\\\\'),k[c]);f p}(\\\\\\\\\\\\\\\'1 3="6";1 4="7";1 5="";8(1 2=0;2<9;2++){5+=3+4}\\\\\\\\\\\\\\\',j,j,\\\\\\\\\\\\\\\'|u|i|b|c|d|v|x|y|j\\\\\\\\\\\\\\\'.z(\\\\\\\\\\\\\\\'|\\\\\\\\\\\\\\\'),0,{}))\\\\\\\',H,H,\\\\\\\'|||||||||||||||A||B||M||D|C|E|F||I||J|G|N|O||P|Q|K\\\\\\\'.K(\\\\\\\'|\\\\\\\'),0,{}))\\\',X,X,\\\'||||||||||||||||||||||||||||||||||||S|R|V|W|U|T|Y|13|Z|11|14|12|10|19|1a|1b|1c\\\'.14(\\\'|\\\'),0,{}))\',1t,1u,\'|||||||||||||||||||||||||||||||||||||||||||||||||||||1e|1d|1f|1g|1h|1i|1v|1s|1l||1m|1n|1o|1r|1k|1j|1q|1p|1w|1x|1y|1z\'.1r(\'|\'),0,{}))', 62, 98, '|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||return|function|String|if|replace|while|fromCharCode|29|new|RegExp|toString|36|parseInt|35|split|eval|62|75|53|var|slakfj|teslkjsdflk|for'.split('|'), 0, {
  });
  // Executes the unpacked text; the completion value of that script becomes d.
  var d = eval(b);
  alert('key is first 14 chars' + '\n'+d.substr(0,14));
}()
</script>
5.逗比驗證碼第一期
隨手一試發現驗證碼可以反復提交,立即拿出burp爆破啊

密碼到手,登錄后即可見flag。
6.逗比驗證碼第二期
這題完全沒思路,看了大佬的writeup,說是vcode參數為空就行了,這原理我並不太懂,有知道的老哥請賜教

同樣輸入密碼即可見flag。
7.逗比驗證碼第三期
方法同上,提示好像並沒有什么卵用
8.微笑一下就能過關
審查元素發現源代碼的地址,我貼一下源碼
<?php
// Challenge source as served by the lab (it exposes itself via ?view-source).
header("Content-type: text/html; charset=utf-8");
if (isset($_GET['view-source'])) {
    show_source(__FILE__);
    exit();
}

include('flag.php');

$smile = 1;

// Denylist over the ^_^ parameter. Only $smile is cleared when the parameter is
// missing, so the following preg_match calls still read $_GET['^_^'] unset;
// the '/https/' pattern is already implied by '/http/'.
if (!isset ($_GET['^_^'])) $smile = 0;
if (preg_match ('/\./', $_GET['^_^'])) $smile = 0;
if (preg_match ('/%/', $_GET['^_^'])) $smile = 0;
if (preg_match ('/[0-9]/', $_GET['^_^'])) $smile = 0;
if (preg_match ('/http/', $_GET['^_^']) ) $smile = 0;
if (preg_match ('/https/', $_GET['^_^']) ) $smile = 0;
if (preg_match ('/ftp/', $_GET['^_^'])) $smile = 0;
if (preg_match ('/telnet/', $_GET['^_^'])) $smile = 0;
// This one inspects the RAW query string, while $_GET holds the URL-decoded
// value, so the two views of the same request can disagree (the writeup text
// above works through exactly that gap).
if (preg_match ('/_/', $_SERVER['QUERY_STRING'])) $smile = 0;
if ($smile) {
    // The value must not name an existing local file ...
    if (@file_exists ($_GET['^_^'])) $smile = 0;
}
if ($smile) {
    // ... yet is passed straight to file_get_contents(), which resolves any
    // registered stream wrapper, not only the four scheme names denied above.
    // Review note: the defensive fix is an allowlist of acceptable values (or
    // not passing request data to a file/stream function at all), not a longer denylist.
    $smile = @file_get_contents ($_GET['^_^']);
    if ($smile === "(●'◡'●)") die($flag);
}
?>
要求十分之苛刻,要求帶有^_^參數,又不許鍵中含有'_'字符,^_^必須是本地不存在的文件,又要讀取^_^的內容。
完全沒思路,去看看別人的writeup吧。
既要對"^_^"賦值,又得想辦法去掉"^_^"中的"_",那么可以采用Url編碼變為"%5f".所以我們輸入就應該為 "^%5f^".
代碼把 http https ftp telnet 這些給過濾了,而又要求通過file_get_contents()取出$_GET['^_^']里的值.但,$_GET['^_^']又必須不存在.所以$_GET['^_^']只能是字符串"(●'◡'●)",不可能是文件名.那么file_get_contents()里的參數應該是啥呢.查了一下,發現data://完美符合.所以我們輸入就應該為"^%5f^=data:,(●'◡'●)"
9.逗比的手機驗證碼
驗證碼輸入后提交出現以下提示

回去將手機號碼改一下按原驗證碼提交即可
10.基情燃燒的歲月
根據提示三位數密碼 首位不為0,立馬掏出burp爆破之

拿到密碼 登錄竟然得到發現........

氣憤的開始爆前任的菊花

成功爆菊 拿到flag
