web15

原始信息

信息收集类题目,收集到了下面的信息:

1156631961@qq.com
0000000

Locations
+12586954775
demo@gmail.com

解题

先瞄一眼扫出来的结果:

[200][text/html; charset=UTF-8][1.07kb] http://e22d0c31-672f-47c0-a393-1a1f77bd2d06.challenge.ctf.show/admin/?/login
[200][text/html; charset=UTF-8][1.07kb] http://e22d0c31-672f-47c0-a393-1a1f77bd2d06.challenge.ctf.show/admin/
[200][text/html; charset=UTF-8][1.07kb] http://e22d0c31-672f-47c0-a393-1a1f77bd2d06.challenge.ctf.show/admin/index.php
[200][text/html][8.31kb] http://e22d0c31-672f-47c0-a393-1a1f77bd2d06.challenge.ctf.show/concerts.html
[200][text/html][7.93kb] http://e22d0c31-672f-47c0-a393-1a1f77bd2d06.challenge.ctf.show/about.html
[200][text/html][6.97kb] http://e22d0c31-672f-47c0-a393-1a1f77bd2d06.challenge.ctf.show/contact.html
[200][text/html][9.95kb] http://e22d0c31-672f-47c0-a393-1a1f77bd2d06.challenge.ctf.show/gallery.html

这不用说,在admin页面登录即可。

登录框信息:
用户名:
密码:
登录 重置密码

我们的目的是登录账户
那么,不管用什么办法,这里都需要先改密码。

点击忘记密码,出现的是密保问题:我来自哪个城市?
这个问题的解决办法:上面不是挖掘到一个QQ邮箱吗?
既然如此,QQ查下这个账户,发现这个账户就在西安。

那么密保问题填上西安就解决了。
后面是直接给你密码:
您的密码已重置为admin7789

然后admin登录即可得到flag

总结

收集页面的相关个人敏感信息。

web16

原始信息

原始信息是一个站点,上面放着元素周期表。

扫目录扫不出所以然。

对于测试用的探针,使用完毕后要及时删除,否则可能会造成信息泄露

很难理解

解题

连个登录框都找不到,基本上是无解哇……

payload提示: /tz.php
尝试访问得到的是一个页面。
页面显示了各个详细信息。

想要找flag也简单,找到带phpinfo的页面即可。
页面内就有flag
ctfshow{ab26a421-2f87-4b90-9fbe-6ff533f92264}

web18

原始信息

除了题目的那个游戏,其次就是js。
下面是js:

// Canvas, drawing context and sprite images, looked up once when the script loads.
const cvs = document.getElementById("cvs");
const ctx = cvs.getContext("2d");
const img_Bird = document.getElementById("bird");
const img_Back1 = document.getElementById("back1");
const img_Back2 = document.getElementById("back2");

// Physics and layout tuning values.
const g = 0.002;            // downward acceleration, added to Bird.speed per elapsed ms in Bird.update
const fly_Power = -0.6;     // vertical speed assigned to the bird on every canvas click
const background_speed = 3; // pixels the backdrop scrolls left per frame
const between = 200;        // vertical gap between the top and bottom pipe caps

// Mutable game state shared by run() and bucket.hit().
let game_over = false;
let score = 0;
/**
 * The player sprite. `x`/`y` are canvas pixels (top-left corner of a 48x42
 * image); `speed` is the vertical velocity in px per ms and is combined with
 * the module-level gravity `g` on every update.
 */
class Bird {
  /**
   * @param {*} img image passed to drawImage
   * @param {number} x left edge
   * @param {number} y top edge
   * @param {number} speed initial vertical velocity (px/ms)
   * @param {*} ctx drawing context the sprite renders to
   */
  constructor(img, x, y, speed, ctx) {
    this.img = img;
    this.x = x;
    this.y = y;
    this.speed = speed;
    this.ctx = ctx;
  }

  /** Blit the sprite at its current position, scaled to 48x42. */
  draw() {
    const { ctx, img, x, y } = this;
    ctx.drawImage(img, x, y, 48, 42);
  }

  /**
   * Advance the vertical motion by `t` milliseconds under constant
   * acceleration `g`: the velocity is updated first and the position step
   * uses the new velocity, truncated to whole pixels.
   * @param {number} t elapsed time in ms
   */
  update(t) {
    this.speed = g * t + this.speed;
    const displacement = 0.5 * g * t * t + this.speed * t;
    this.y += Math.floor(displacement);
  }
}
/**
 * Two-tile horizontally scrolling backdrop. Each tile is drawn 1200x600 and
 * the second sits immediately right of the first; `update` shifts both left
 * and wraps once x has reached exactly -1200.
 */
class backGround {
  /**
   * @param {*} img1 left tile image
   * @param {*} img2 right tile image
   * @param {number} x left edge of the first tile
   * @param {number} y top edge of both tiles
   * @param {number} speed stored on the instance; scrolling itself reads the module-level background_speed
   * @param {*} ctx drawing context
   */
  constructor(img1, img2, x, y, speed, ctx) {
    this.img1 = img1;
    this.img2 = img2;
    this.x = x;
    this.y = y;
    this.speed = speed;
    this.ctx = ctx;
  }

  /** Draw both tiles side by side at 1200x600. */
  draw() {
    const { ctx, img1, img2, x, y } = this;
    ctx.drawImage(img1, x, y, 1200, 600);
    ctx.drawImage(img2, x + 1200, y, 1200, 600);
  }

  /**
   * Scroll left by background_speed px. The wrap test is an exact equality,
   * so it only fires when 1200 is a multiple of the per-frame step.
   */
  update() {
    if (this.x === -1200) {
      this.x = 0;
    }
    this.x -= background_speed;
  }
}
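/**
 * A pipe pair: a top segment of height `long`, a gap of `between` px and a
 * bottom segment reaching the 600px canvas floor. Both segments carry a
 * 60x10 cap that is 5px wider than the pipe on each side; hit() uses that
 * wider span as the collision column.
 */
class bucket {
  /**
   * @param {number} x left edge of the pipe body
   * @param {number} long height of the top segment in px
   * @param {*} ctx drawing context this pipe renders to
   */
  constructor(x, long, ctx) {
    this.x = x;
    this.long = long;
    this.ctx = ctx;
  }

  /**
   * Draw top pipe, top cap, bottom cap and bottom pipe in that order.
   * Draws on the context handed to the constructor; the original drew on the
   * module-level `ctx` and never read `this.ctx`, unlike Bird and backGround.
   */
  draw() {
    const { ctx, x, long } = this;
    const gapBottom = long + 10 + between; // top edge of the lower cap
    ctx.beginPath();
    ctx.fillStyle = "#F75000";
    ctx.fillRect(x, 0, 50, long);
    ctx.fillRect(x - 5, long, 60, 10);
    ctx.fillRect(x - 5, gapBottom, 60, 10);
    ctx.fillRect(x, gapBottom + 10, 50, 600 - (gapBottom + 10));
    ctx.closePath();
    ctx.stroke();
  }

  /**
   * Move left by background_speed + 2 px per frame. Once x is exactly -300
   * the pipe is recycled to x = 1200 with a new random top height in [50, 350).
   */
  update() {
    if (this.x === -300) {
      this.x = 1200;
      this.long = Math.floor(Math.random() * 300 + 50);
    }
    this.x = this.x - background_speed - 2;
  }

  /**
   * Collision test against the bird's 48x42 box whose top-left is (bx, by).
   * Sets the module-level game_over when any corner lies inside the pipe's
   * horizontal span (x-5, x+55) and outside the vertical gap. This is the
   * original four corner checks factored into two predicates.
   * @param {number} bx bird left edge
   * @param {number} by bird top edge
   */
  hit(bx, by) {
    const insideColumn = (px) => px > this.x - 5 && px < this.x + 55;
    const outsideGap = (py) => py < this.long + 10 || py > this.long + 10 + between;
    const xOverlap = insideColumn(bx) || insideColumn(bx + 48);
    const yOverlap = outsideGap(by) || outsideGap(by + 42);
    if (xOverlap && yOverlap) {
      game_over = true;
    }
  }
}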
/**
 * Render the current score near the top-left corner of the module-level ctx.
 * @param {number} score value to print
 */
function defen(score) {
  // NOTE(review): the font string has no spaces ('60pxMicrosoftYaHei') and is
  // kept verbatim; if it is not a valid CSS font shorthand the canvas ignores
  // the assignment and keeps whatever font was set before.
  ctx.font = '60pxMicrosoftYaHei';
  ctx.fillStyle = '#DCDCDC';
  ctx.fillText(score, 30, 70);
}
// Timestamp of the previous frame; run() replaces it every frame.
let preTime = Date.now();

// The bird starts a fifth of the way across and an eighth of the way down.
const b = new Bird(img_Bird, cvs.width / 5, cvs.height / 8, 0.0003, ctx);
const back = new backGround(img_Back1, img_Back2, 0, 0, background_speed, ctx);

// Five pipes spaced 300px apart, each with a random top height in [50, 350).
const randomPipeLength = () => Math.floor(Math.random() * 300 + 50);
const bucket_one = new bucket(1200, randomPipeLength(), ctx);
const bucket_two = new bucket(1500, randomPipeLength(), ctx);
const bucket_three = new bucket(1800, randomPipeLength(), ctx);
const bucket_four = new bucket(2100, randomPipeLength(), ctx);
const bucket_five = new bucket(2400, randomPipeLength(), ctx);

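/**
 * One animation frame: advance the world, redraw it, update the score and
 * either schedule the next frame or show the end-of-game dialog.
 * Reads and writes the module-level state (preTime, score, game_over) and
 * the sprites b, back and bucket_one … bucket_five.
 */
function run() {
  const now = Date.now();
  // Elapsed ms since the previous frame. The original assigned `dt` without
  // declaring it, creating an implicit global.
  const dt = now - preTime;
  preTime = now;
  ctx.clearRect(0, 0, 800, 600);

  back.update();
  back.draw();

  // Each pipe is tested against the bird's position from before this frame's
  // b.update(), then moved and drawn, in the same order as the original.
  const pipes = [bucket_one, bucket_two, bucket_three, bucket_four, bucket_five];
  for (const pipe of pipes) {
    pipe.hit(b.x, b.y);
    pipe.update();
    pipe.draw();
  }
  b.update(dt);
  b.draw();

  // A point is awarded on a frame where the bird's x equals a pipe's x exactly.
  if (pipes.some((pipe) => b.x === pipe.x)) {
    score++;
  }
  defen(score);

  if (b.y > 600 || b.y < 0) {
    game_over = true;
  }
  if (!game_over) {
    requestAnimationFrame(run);
    return;
  }

  if (score > 100) {
    // The win text is a constant in this client-side script, so it is
    // readable from the source without reaching the score threshold.
    // The dialog's return value is not used.
    window.confirm("\u4f60\u8d62\u4e86\uff0c\u53bb\u5e7a\u5e7a\u96f6\u70b9\u76ae\u7231\u5403\u76ae\u770b\u770b");
  } else if (window.confirm("GAMEOVER\n是否从新开始")) {
    location.reload();
  }
}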
// Start the frame loop.
requestAnimationFrame(run);

// Each click replaces the bird's vertical speed; clicks do not accumulate.
cvs.addEventListener("click", () => {
  b.speed = fly_Power;
});


解题

根据页面的回显信息,这个js的关键代码在:

// End-of-game branch: the "win" dialog is shown only above 100 points, but its
// text is a constant in the client-side script, so it can be read from the
// source without playing.
if (score > 100) {
var result = window.confirm("\u4f60\u8d62\u4e86\uff0c\u53bb\u5e7a\u5e7a\u96f6\u70b9\u76ae\u7231\u5403\u76ae\u770b\u770b");
}
else {
var result = window.confirm("GAMEOVER\n是否从新开始");
// Offer a restart; reload the page when the user confirms.
if (result) {
location.reload();
}
}

稍加分析就能看出,只要顺利通关,返回的必然是:

\u4f60\u8d62\u4e86\uff0c\u53bb\u5e7a\u5e7a\u96f6\u70b9\u76ae\u7231\u5403\u76ae\u770b\u770b

解码下就是

你赢了,去幺幺零点皮爱吃皮看看
提示信息:110.php

访问即得flag

总结

js白盒审计,没有原型链污染。

Unicode解码点我

web19

原始信息

其实信息就下面这些

<!DOCTYPE html>
<html lang="zh-CN">
<head>
<meta charset="UTF-8">
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<meta name="renderer" content="webkit"/>
<script src="js/jquery.min.js"></script>
<script src="js/crypto.js"></script>
<script src="js/cipher-core.js"></script>
<script src="js/aes.js"></script>
<script src="js/zero.js"></script>
<title>ctfshow web入门 web19</title>
</head>
<body>
<form action="#" method="post" id="loginForm" >
用户名:<input type="text" name="username"><br>
密 码:<input type="password" name="pazzword" id="pazzword"><br>
<button type="button" onclick="checkForm()">提交</button>
</form>
</body>
<script type="text/javascript">
/**
 * Encrypt the password field in place with the hard-coded key/IV, then
 * submit the login form. Both constants are part of the page's own script,
 * so anyone who loads the page can read them; the transform hides nothing
 * from the client side.
 */
function checkForm() {
  const key = "0000000372619038";
  const iv = "ilove36dverymuch";
  const field = $("#pazzword");
  field.val(encrypt(field.val(), key, iv));
  $("#loginForm").submit();
}
/**
 * AES-CBC encrypt `data` with CryptoJS.
 * @param {string} data plaintext
 * @param {string} key 16-character key, parsed as Latin1 bytes
 * @param {string} iv 16-character IV, parsed as Latin1 bytes
 * @returns {string} the cipher result rendered by CryptoJS's toString()
 */
function encrypt(data, key, iv) {
  const keyWords = CryptoJS.enc.Latin1.parse(key);
  const ivWords = CryptoJS.enc.Latin1.parse(iv);
  // CBC with the caller-supplied IV and zero padding. When the caller passes
  // a fixed IV (as checkForm does) the output is deterministic for a given
  // key and plaintext.
  const options = {
    iv: ivWords,
    mode: CryptoJS.mode.CBC,
    padding: CryptoJS.pad.ZeroPadding,
  };
  return CryptoJS.AES.encrypt(data, keyWords, options).toString();
}

</script>
<!--
error_reporting(0);
$flag="fakeflag"
$u = $_POST['username'];
$p = $_POST['pazzword'];
if(isset($u) && isset($p)){
if($u==='admin' && $p ==='a599ac85a73384ee3219fa684296eaa62667238d608efa81837030bd1ce1bf04'){
echo $flag;
}
}
-->
</html>

解题

泄露了一波核心源代码,直接就解决了

// Server-side check as leaked in the page's HTML comment. The posted
// pazzword is compared with a constant string, so the client-side AES step
// in checkForm() adds no secrecy: the server never sees the key or IV.
error_reporting(0);
$flag="fakeflag"
$u = $_POST['username'];
$p = $_POST['pazzword'];
if(isset($u) && isset($p)){
// Strict comparison against a literal; no hashing and no per-request value.
if($u==='admin' && $p ==='a599ac85a73384ee3219fa684296eaa62667238d608efa81837030bd1ce1bf04'){
echo $flag;
}
}

有点web和php基础的人都知道,这就是传个参数而已。

所以,按照上面的配置用POST把参数传上去,就能拿到flag了。