【XCTF Web 练习题】 simple_js之Write Up
欢迎新同学的光临
… …
人若无名,便可专心练剑
我不是一条咸鱼,而是一条死鱼啊!
0x01 前言
XCTF Web 练习题地址:https://adworld.xctf.org.cn/
难度系数: 一星
题目来源: root-me
题目描述:小宁发现了一个网页,但却一直输不对密码。(Flag格式为 Cyberpeace{xxxxxxxxx} )
定义和用法
fromCharCode() 可接受一个指定的 Unicode 值,然后返回一个字符串。
注:该方法是 String 的静态方法,字符串中的每个字符都由单独的 Unicode 数字编码指定。使用语法: String.fromCharCode()
实例,将 Unicode 编码转为一个字符:
var n = String.fromCharCode(65);
n 输出结果:A
0x02 解题思路
1)按照页面回显结果和源码判断,不论输入任何密码,中都会跳转到错误密码
2)输入任意密码,点击确定,弹出提示:FAUX PASSWORD HAHA
注:假密码~!哈哈
3)修改HTML代码,将右击弹窗里选择Edit as HTML
4)替换dechiffre里的字符串放到 var pas 里
5)编辑文本将代码修改,用下方的可疑字符串代替函数中的常量
6)替换成功后,将当前HTML页面另存到本地
7)保存到本地后,用浏览器打开
8)打开后,弹窗出出啦的就是Flag
0x03 解题拆分步骤分析
1)在线HTML编辑地址,方便大家手工调试:https://www.runoob.com/runcode
2)该HTML的JS 代码如下:
function dechiffre(pass_enc){
var pass = "70,65,85,88,32,80,65,83,83,87,79,82,68,32,72,65,72,65";
var tab = pass_enc.split(',');
var tab2 = pass.split(',');var i,j,k,l=0,m,n,o,p = "";i = 0;j = tab.length;
k = j + (l) + (n=0);
n = tab2.length;
for(i = (o=0); i < (k = j = n); i++ ){o = tab[i-l];p += String.fromCharCode((o = tab2[i]));
if(i == 5)break;}
for(i = (o=0); i < (k = j = n); i++ ){
o = tab[i-l];
if(i > 5 && i < k-1)
p += String.fromCharCode((o = tab2[i]));
}
p += String.fromCharCode(tab2[17]);
pass = p;return pass;
}
String["fromCharCode"](dechiffre("\x35\x35\x2c\x35\x36\x2c\x35\x34\x2c\x37\x39\x2c\x31\x31\x35\x2c\x36\x39\x2c\x31\x31\x34\x2c\x31\x31\x36\x2c\x31\x30\x37\x2c\x34\x39\x2c\x35\x30"));
h = window.prompt('Enter password');
alert( dechiffre(h) );
3)去除无用变量:
function dechiffre() {
var pass = "70,65,85,88,32,80,65,83,83,87,79,82,68,32,72,65,72,65";
var tab2 = pass.split(',');
var i, n, p = "";
n = tab2.length;
for (i = 0; i < n; i++) {
p += String.fromCharCode(tab2[i]);
if (i == 5) break;
}
for (i = 0; i < n; i++) {
if (i > 5 && i < n - 1) p += String.fromCharCode(tab2[i]);
}
p += String.fromCharCode(tab2[17]);
return p;
}
String["fromCharCode"](dechiffre("\x35\x35\x2c\x35\x36\x2c\x35\x34\x2c\x37\x39\x2c\x31\x31\x35\x2c\x36\x39\x2c\x31\x31\x34\x2c\x31\x31\x36\x2c\x31\x30\x37\x2c\x34\x39\x2c\x35\x30"));
h = window.prompt('Enter password');
alert( dechiffre(h) );
4)合并两个循环:
function dechiffre() {
var pass = "70,65,85,88,32,80,65,83,83,87,79,82,68,32,72,65,72,65";
var tab2 = pass.split(',');
var i;
var p = "";
for (i = 0; i < tab2.length - 1; i++) {
p += String.fromCharCode(tab2[i]);
}
p += String.fromCharCode(tab2[17]);
return p;
}
String["fromCharCode"](dechiffre("\x35\x35\x2c\x35\x36\x2c\x35\x34\x2c\x37\x39\x2c\x31\x31\x35\x2c\x36\x39\x2c\x31\x31\x34\x2c\x31\x31\x36\x2c\x31\x30\x37\x2c\x34\x39\x2c\x35\x30"));
h = window.prompt('Enter password');
alert( dechiffre(h) );
5)末尾并入循环:
function dechiffre() {
var pass = "70,65,85,88,32,80,65,83,83,87,79,82,68,32,72,65,72,65";
var tab2 = pass.split(',');
var i;
var p = "";
for (i = 0; i < tab2.length; i++) {
p += String.fromCharCode(tab2[i]);
}
return p;
}
String["fromCharCode"](dechiffre("\x35\x35\x2c\x35\x36\x2c\x35\x34\x2c\x37\x39\x2c\x31\x31\x35\x2c\x36\x39\x2c\x31\x31\x34\x2c\x31\x31\x36\x2c\x31\x30\x37\x2c\x34\x39\x2c\x35\x30"));
h = window.prompt('Enter password');
alert( dechiffre(h) );
6)就逻辑上可见它只是将内容为逗号分隔的数字的字符串转成相应编码的字符串,将代码修改,用下方的可疑字符串代替函数中的常量,得到的整个网页代码是:
function dechiffre() {
var pass = "\x35\x35\x2c\x35\x36\x2c\x35\x34\x2c\x37\x39\x2c\x31\x31\x35\x2c\x36\x39\x2c\x31\x31\x34\x2c\x31\x31\x36\x2c\x31\x30\x37\x2c\x34\x39\x2c\x35\x30";
var tab2 = pass.split(',');
var i;
var p = "";
for (i = 0; i < tab2.length; i++) {
p += String.fromCharCode(tab2[i]);
}
return p;
}
alert(dechiffre());
0x04 Python 脚本获得Flag
1)按照页面回显结果和源码判断,不论输入任何密码,中都会跳转到错误密码
2)输入任意密码,点击确定,弹出提示:FAUX PASSWORD HAHA
注:假密码~!哈哈
3)而真正的密码在这里,不在常量里面
4)通过观察JS代码,判断编码方式为 base16,写python脚本进行转码,代码如下
string = "\x35\x35\x2c\x35\x36\x2c\x35\x34\x2c\x37\x39\x2c\x31\x31\x35\x2c\x36\x39\x2c\x31\x31\x34\x2c\x31\x31\x36\x2c\x31\x30\x37\x2c\x34\x39\x2c\x35\x30"
a = string.split(",")
b = ""
for i in a:
i = chr(int(i))
print(i)
b+=i
print("Flag:",b)
运行结果如下:
或
>>> a = "\x35\x35\x2c\x35\x36\x2c\x35\x34\x2c\x37\x39\x2c\x31\x31\x35\x2c\x36\x39\x2c\x31\x31\x34\x2c\x31\x31\x36\x2c\x31\x30\x37\x2c\x34\x39\x2c\x35\x30"
>>> print(a)
55,56,54,79,115,69,114,116,107,49,50
>>> a = [55,56,54,79,115,69,114,116,107,49,50]
>>> for i in a:
... print(chr(i),end='')
...
786OsErtk12>>>
运行结果如下:
我自横刀向天笑,去留肝胆两昆仑