CTF实验室-超简单的js题

超简单的js题

源代码：

<html><head><title>超简单的js题</title></head><body><p>这是从一个老外那里抄来的题，应该很简单的。。吧？</p><form id="levelQuest" method="post"><p>密码:</p><p><input type="password" name="password" class="input" id="password"> <input type="submit" class="button" value="走你！"></p></form><p id="errorMessage"></p><script>var p1 = '%66%75%6e%63%74%69%6f%6e%20%63%68%65%63%6b%53%75%62%6d%69%74%28%29%7b%76%61%72%20%61%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%70%61%73%73%77%6f%72%64%22%29%3b%69%66%28%22%75%6e%64%65%66%69%6e%65%64%22%21%3d%74%79%70%65%6f%66%20%61%29%7b%69%66%28%22%34';var p2 = '%37%37%66%31%62%32%31%66%65%65%66%65%65%65%32%65%63%22%3d%3d%61%2e%76%61%6c%75%65%29%72%65%74%75%72%6e%21%30%3b%61%6c%65%72%74%28%22%45%72%72%6f%72%22%29%3b%61%2e%66%6f%63%75%73%28%29%3b%72%65%74%75%72%6e%21%31%7d%7d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%6c%65%76%65%6c%51%75%65%73%74%22%29%2e%6f%6e%73%75%62%6d%69%74%3d%63%68%65%63%6b%53%75%62%6d%69%74%3b';eval(unescape(p1) + unescape('%39%32%32%33%63%32%39%33%35%64%38%66%36%37' + p2));</script></body> </html>

可以看到一段奇怪的script

<script>var p1 = '%66%75%6e%63%74%69%6f%6e%20%63%68%65%63%6b%53%75%62%6d%69%74%28%29%7b%76%61%72%20%61%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%70%61%73%73%77%6f%72%64%22%29%3b%69%66%28%22%75%6e%64%65%66%69%6e%65%64%22%21%3d%74%79%70%65%6f%66%20%61%29%7b%69%66%28%22%34';var p2 = '%37%37%66%31%62%32%31%66%65%65%66%65%65%65%32%65%63%22%3d%3d%61%2e%76%61%6c%75%65%29%72%65%74%75%72%6e%21%30%3b%61%6c%65%72%74%28%22%45%72%72%6f%72%22%29%3b%61%2e%66%6f%63%75%73%28%29%3b%72%65%74%75%72%6e%21%31%7d%7d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%6c%65%76%65%6c%51%75%65%73%74%22%29%2e%6f%6e%73%75%62%6d%69%74%3d%63%68%65%63%6b%53%75%62%6d%69%74%3b';eval(unescape(p1) + unescape('%39%32%32%33%63%32%39%33%35%64%38%66%36%37' + p2));</script>

URL编码，将p1和p2连接起来。这里的URL代码是动态的，貌似每次打开一个页面都会不同。我这个页面产生的是这样的编码，别人产生的是另外的一种。

eval(unescape(p1) + unescape('%39%32%32%33%63%32%39%33%35%64%38%66%36%37' + p2));

代码的意思在p1后加

%39%32%32%33%63%32%39%33%35%64%38%66%36%37

再加p2。

整理完得到：

%66%75%6e%63%74%69%6f%6e%20%63%68%65%63%6b%53%75%62%6d%69%74%28%29%7b%76%61%72%20%61%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%70%61%73%73%77%6f%72%64%22%29%3b%69%66%28%22%75%6e%64%65%66%69%6e%65%64%22%21%3d%74%79%70%65%6f%66%20%61%29%7b%69%66%28%22%34%39%32%32%33%63%32%39%33%35%64%38%66%36%37%37%37%66%31%62%32%31%66%65%65%66%65%65%65%32%65%63%22%3d%3d%61%2e%76%61%6c%75%65%29%72%65%74%75%72%6e%21%30%3b%61%6c%65%72%74%28%22%45%72%72%6f%72%22%29%3b%61%2e%66%6f%63%75%73%28%29%3b%72%65%74%75%72%6e%21%31%7d%7d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%6c%65%76%65%6c%51%75%65%73%74%22%29%2e%6f%6e%73%75%62%6d%69%74%3d%63%68%65%63%6b%53%75%62%6d%69%74%3b

通过xss神器解密：

function checkSubmit(){var a=document.getElementById("password");if("undefined"!=typeof a){if("49223c2935d8f6777f1b21feefeee2ec"==a.value)return!0;alert("Error");a.focus();return!1}}document.getElementById("levelQuest").onsubmit=checkSubmit;

看到只要把其中

49223c2935d8f6777f1b21feefeee2ec

回到网页提交后就可以看到