101 Javascript, secure?

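Take a look at the website below. It is protected by a simple JavaScript protection. Try to open it ;)

Secret page

After opening the secret page, we find that right-click is disabled.


View the source code directly with view-source:https://www.net-force.nl/challenge/level101/secret.html

Password: JavaScript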

102 This won't take long...

Find the correct password and use it on the challenge page!

Auditing the code shows a function, submitentry(), that generates the password. Pull it out on its own and run it directly in the console.

The operations unrelated to password can be deleted. Here is my simplified function:

var numletter = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
var password = numletter.substring(11,12);
password = password + numletter.substring(18,19);
password = password + numletter.substring(23,24);
password = password + numletter.substring(16,17);
password = password + numletter.substring(24,25);
password = password + numletter.substring(1,4);

alert(password); // show the password

It really didn't take long.

103 Escape now!!!

View the source. In it you can see the unescape() function decoding some content; modify it and you get:

text2.value,\"user\",text1.value,\"member\"

104 Is this safe...?!?

After viewing the source, the following hint can be found on line 15:

<!-- soulslayer:2aBl6E94IuUfo or guess it....-->
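Username: soulslayer
Password: 2aBl6E94IuUfo
But entering these on the site only redirects to the home page, so this is not the real password. The password has the characteristics of BASE64, so decode it with MD5, which gives blatt.

I thought that was the end, but a closer look at the JS code shows that it actually concatenates blatt with html to point to another link, so visit the original URL + /blatt.html

The result is shown in the image: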

105 Micro$oft crap...

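You have to use IE! You have to use IE! You have to use IE! (Please abandon the evil IE.)

First, convert that most conspicuous string of Words. Going by the challenge's hint, the gibberish you get after converting it is almost certainly Jscript.encode.

Decoding site: https://www.jb51.net/tools/onlinetools/jiemi/jsendecode.htm

The code is as follows: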

<!--
//***Start Encode***

function tester(){
    var pass = document.form.passwd.value;
    var cryptpass = "VDkPWd0lakHPl";
    var addr = 'solution.php?passwd=';
    var locatie = location.href;
    var out = '';

    var pass2 = cryptpass.substring(10, 2*5+1)+cryptpass.substring(2*(2+2), 3+6)+cryptpass.substring(3+5-1, 8)+cryptpass.substr(7,1)+cryptpass.substr(6,1);
    pass=locatie.substr(locatie.indexOf('?')+1);
    addr=addr.substring(0, addr.indexOf('?')+1)+'blabla=';
    for(i=0;i<pass.Len;i++){
        if(pass.charAt(i) == pass2.charAt(i)){
            document.write(pass.charAt(i));
        }
    }
    location = addr+pass;
}
-->

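After reading the script carefully, we can tell that it computes the password from the URL. We modify the script slightly so that it displays the password stored in the URL value. The for loop is removed, because it is only code used to verify the password. The two values addr and pass2 are displayed with alert.

In the end we find the link that holds the answer: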

https://www.net-force.nl/challenge/level105/solution.php?blabla=Hall0

The password is Hall0

106 HTML Guardian

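Right-click viewing doesn't work, so it's the same old trick: prepend view-source:

Looking through the source, line 15 turns out to be the key code: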

<script> eval(unescape('%6B%3D%75%6E%65%73%63%61%70%65%28%22%25%30%44%25%30%41%22%29%3B%69%31%3D%20%6B%6F%68%28%66%77%29%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%69%31%29%3B%66%75%6E%63%74%69%6F%6E%20%6B%6F%68%28%73%29%20%7B%76%61%72%20%75%6E%3D%22%22%3B%6C%3D%73%2E%6C%65%6E%67%74%68%3B%6F%68%3D%4D%61%74%68%2E%72%6F%75%6E%64%28%6C%2F%32%29%3B%66%6F%72%28%69%3D%30%3B%69%3C%3D%6F%68%3B%69%2B%2B%29%7B%61%3D%73%2E%63%68%61%72%41%74%28%69%29%3B%62%3D%73%2E%63%68%61%72%41%74%28%69%2B%6F%68%29%3B%63%3D%61%2B%62%3B%75%6E%3D%75%6E%2B%63%3B%7D%3B%4D%3D%75%6E%2E%73%75%62%73%74%72%28%30%2C%6C%29%3B%4D%3D%4D%2E%72%65%70%6C%61%63%65%28%2F%60%2F%67%2C%22%27%22%29%3B%4D%3D%4D%2E%72%65%70%6C%61%63%65%28%2F%40%40%2F%67%2C%22%5C%5C%22%29%3B%66%20%3D%20%2F%71%67%2F%67%3B%4D%3D%4D%2E%72%65%70%6C%61%63%65%28%66%2C%6B%29%3B%72%65%74%75%72%6E%20%4D%3B%7D%3B')); </script>

The eval() function evaluates a string and executes the JavaScript code in it. Print the string out with alert. After tidying up, the code is:

k = unescape("%0D%0A");
i1 = koh(fw);               // fw is not defined in this snippet
document.write(i1);
function koh(s) {
    var un = "";
    l = s.length;
    oh = Math.round(l / 2);
    // interleave the first and second halves of s
    for (i = 0; i <= oh; i++) {
        a = s.charAt(i);
        b = s.charAt(i + oh);
        c = a + b;
        un = un + c;
    };
    M = un.substr(0, l);
    // undo the character substitutions
    M = M.replace(/`/g, "'");
    M = M.replace(/@@/g, "\\");
    f = /qg/g;
    M = M.replace(f, k);
    return M;
};

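We can see that the M returned at the end is the flag, so it is enough to print M after it has been processed and before it is returned: just add alert(M) before return M.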

Final password: 0nd3rW4t3r
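
The level 106 unwrapping, as an added example that is not part of the original write-up or the challenge's own code: it decodes the eval(unescape('...')) layer without executing it and ports koh() to a pure function that returns its result instead of writing it to the page. encodeForKoh, SAMPLE_PAGE and SAMPLE_PLAIN are assumptions constructed for the demo, because the page does not show the real fw value.

```javascript
// Added example (not the challenge's code): decode an eval(unescape('...'))
// layer statically and port koh() to a pure function. Nothing is eval'd.

// Return the decoded text of every eval(unescape('...')) call in `source`.
function unwrapEvalUnescape(source) {
  const re = /eval\(\s*unescape\(\s*(['"])([^'"]*)\1\s*\)\s*\)/g;
  const layers = [];
  for (const m of source.matchAll(re)) {
    layers.push(unescape(m[2])); // decode only; the result is never executed
  }
  return layers;
}

// Port of koh(): interleave the two halves of s, then undo the substitutions.
// It returns the text instead of passing it to document.write().
function koh(s, k = "\r\n") {
  const l = s.length;
  const oh = Math.round(l / 2);
  let un = "";
  for (let i = 0; i <= oh; i++) {
    un += s.charAt(i) + s.charAt(i + oh);
  }
  return un.slice(0, l).replace(/`/g, "'").replace(/@@/g, "\\").replace(/qg/g, k);
}

// Hypothetical inverse of koh(), used only to build sample input because the
// page does not show the real `fw` value.
function encodeForKoh(plain) {
  const t = plain.replace(/\r\n/g, "qg").replace(/\\/g, "@@").replace(/'/g, "`");
  let even = "";
  let odd = "";
  for (let i = 0; i < t.length; i++) {
    if (i % 2 === 0) even += t[i];
    else odd += t[i];
  }
  return even + odd;
}

// Constructed page: wraps only the first statement of the payload shown above.
const SAMPLE_PAGE =
  "<script>eval(unescape('%6B%3D%75%6E%65%73%63%61%70%65%28%22%25%30%44%25%30%41%22%29%3B'));</script>";
// Constructed plaintext standing in for the protected page body.
const SAMPLE_PLAIN = "<b>constructed 'secret'</b>\r\n<i>line two</i>";

console.log(unwrapEvalUnescape(SAMPLE_PAGE)[0]);
console.log(JSON.stringify(koh(encodeForKoh(SAMPLE_PLAIN))));
```

Run it with Node.js; the same two functions work on a saved copy of the page source once the real fw string is pasted in.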

 

 

 

 

 

 

