NaNNaNNaNNaN-Batman
Test points:
- JS code auditing ability
- Noticing the difference between the source code shown in the pop-up window and the source code of the page, that is, the ability to obtain the complete source code
Knowledge points:
- document.getElementById("c") returns a reference to the first object with the specified ID
- e.match(/^be0f23/) checks whether e matches the pattern: it returns the match result if it does, otherwise null
- splice(0,1) deletes one value starting at position 0; splice can also add values:
splice(0,0,"hello"); adds "hello" at position 0
Problem solving:
The script is obfuscated and run through eval, so the readable
source code is obtained by changing eval to alert:
function $()
{
    var e=document.getElementById("c").value;
    if(e.length==16)
        if(e.match(/^be0f23/)!=null)
            if(e.match(/233ac/)!=null)
                if(e.match(/e98aa$/)!=null)
                    if(e.match(/c7be9/)!=null)
                    {
                        var t=["fl","s_a","i","e}"];
                        var n=["a","_h0l","n"];
                        var r=["g{","e","_0"];
                        var i=["it'","_","n"];
                        var s=[t,n,r,i];
                        for(var o=0;o<13;++o)
                        {
                            document.write(s[o%4][0]);
                            s[o%4].splice(0,1)
                        }
                    }
}
document.write('<input id="c"><button onclick=$()>Ok</button>');
delete _
Input that satisfies every condition: be0f233ac7be98aa
Auditing the conditions shows that the following part of the function runs only after all of the if conditions are met:
var t=["fl","s_a","i","e}"];
var n=["a","_h0l","n"];
var r=["g{","e","_0"];
var i=["it'","_","n"];
var s=[t,n,r,i];
for(var o=0;o<13;++o)
{
    document.write(s[o%4][0]);
    s[o%4].splice(0,1)
}
// The whole purpose of this code is to decide how the button responds,
// so construct the submitted value of e: be0f233ac7be98aa
Obtained flag: flag{it's_a_h0le_in_0ne}
PHP2
Test points:
- Constructing URL encodings
- Basic PHP code auditing ability
- When a parameter is passed, percent-encoded ASCII values in it are decoded automatically. For example, if %61 is passed in, it is immediately resolved to a, so the parameter the script actually receives is a
Problem solving:
① Get the source code.
Common ways to get the source code:
index.php
index.phps (you will know this once you have done more challenges), that is, the page
that shows the source code:
<?php
if("admin"===$_GET[id]) // i.e. at first $_GET[id] != admin, but after urldecode it is admin
{
    echo("<p>not allowed!</p>");
    exit();
}
$_GET[id] = urldecode($_GET[id]);
if($_GET[id] == "admin")
{
    echo "<p>Access granted!</p>";
    echo "<p>Key: xxxxxxx </p>";
}
?>
So the value has to be URL-encoded twice to pass both checks;
the codes can be looked up in a common ASCII table.
Therefore, %2561dmin or %2564 and so on can be constructed (%25 is the encoding of %).
The request goes to index.php, and because the id is read from GET, the constructed value is passed as the id parameter to
get the flag
cyberpeace{c99b4462f095b1a09c9a6ef6ec1224fe}
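The ordering problem in the PHP2 source above (the deny check runs before the second urldecode), shown next to a version that validates the canonical value. This is an added example, not the challenge's source: get_id(), canonicalize() and handle_fixed() are hypothetical names, and parse_str() stands in for PHP's automatic decoding of $_GET.

```php
<?php
// Added example: handle_vulnerable() keeps the check order shown above;
// get_id(), canonicalize() and handle_fixed() are hypothetical names.

// PHP URL-decodes query values once before filling $_GET. parse_str()
// applies the same decoding, so it stands in for a real request here.
function get_id(string $query): string {
    parse_str($query, $params);
    $id = $params['id'] ?? '';
    return is_string($id) ? $id : '';   // ignore id[]=... array input
}

// Order from the page: deny check, then a second decode, then the grant check.
function handle_vulnerable(string $id): string {
    if ($id === 'admin') {
        return 'not allowed';
    }
    $id = urldecode($id);   // decoding after validation reopens the check
    return $id == 'admin' ? 'access granted' : 'no access';
}

// Decode until the value stops changing, within a bounded number of rounds.
function canonicalize(string $value, int $maxRounds = 5): ?string {
    for ($i = 0; $i < $maxRounds; $i++) {
        $decoded = urldecode($value);
        if ($decoded === $value) {
            return $value;
        }
        $value = $decoded;
    }
    return null;            // never settled: treat as malformed
}

// Validate the canonical form only, and never decode after the check.
function handle_fixed(string $id): string {
    $id = canonicalize($id);
    if ($id === null || $id === 'admin') {
        return 'not allowed';
    }
    return 'no access';
}

// Constructed sample query strings (the encoded forms are the ones on this page).
foreach (['id=guest', 'id=admin', 'id=%61dmin', 'id=%2561dmin'] as $query) {
    $id = get_id($query);
    printf("%-14s vulnerable: %-14s fixed: %s\n",
        $query, handle_vulnerable($id), handle_fixed($id));
}
```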