csictf 2020 web部分wp

Secure Portal

查看源码,发现js代码:

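// Obfuscated password check from the page source, laid out one statement per
// line. Every string the script uses is fetched by index from this table via
// _0x51ee(); the hex escapes decode to the value noted on each line.
// NOTE: the page's listing broke the original single line inside the '0x0'
// argument of the last lookup (an unterminated string literal); it is
// rejoined here.
var _0x575c = [
  '\x32\x2d\x34',                                     // "2-4"
  '\x73\x75\x62\x73\x74\x72\x69\x6e\x67',             // "substring"
  '\x34\x2d\x37',                                     // "4-7"
  '\x67\x65\x74\x49\x74\x65\x6d',                     // "getItem"
  '\x64\x65\x6c\x65\x74\x65\x49\x74\x65\x6d',         // "deleteItem"
  '\x31\x32\x2d\x31\x34',                             // "12-14"
  '\x30\x2d\x32',                                     // "0-2"
  '\x73\x65\x74\x49\x74\x65\x6d',                     // "setItem"
  '\x39\x2d\x31\x32',                                 // "9-12"
  '\x5e\x37\x4d',                                     // "^7M"
  '\x75\x70\x64\x61\x74\x65\x49\x74\x65\x6d',         // "updateItem"
  '\x62\x62\x3d',                                     // "bb="
  '\x37\x2d\x39',                                     // "7-9"
  '\x31\x34\x2d\x31\x36',                             // "14-16"
  '\x6c\x6f\x63\x61\x6c\x53\x74\x6f\x72\x61\x67\x65', // "localStorage"
];

// Rotates the table in place: the argument 0x78 (120) is pre-incremented to
// 121 and `--counter` is tested before each move, so push(shift()) runs 120
// times. 120 is a multiple of the 15 entries, so the order is unchanged and
// the indices in the comments above are the effective ones.
(function (_0x4f0aae, _0x575cf8) {
  var _0x51eea2 = function (_0x180eeb) {
    while (--_0x180eeb) {
      _0x4f0aae['push'](_0x4f0aae['shift']());
    }
  };
  _0x51eea2(++_0x575cf8);
}(_0x575c, 0x78));

// Index-to-string lookup. The index arrives as a hex string such as '0xe'
// and is coerced to a number with `- 0x0`; the second argument is unused.
var _0x51ee = function (_0x4f0aae, _0x575cf8) {
  _0x4f0aae = _0x4f0aae - 0x0;
  var _0x51eea2 = _0x575c[_0x4f0aae];
  return _0x51eea2;
};

/**
 * Gate for the login form. The eight expected fragments are first written to
 * window.localStorage, each under a key naming the character range it covers,
 * and the candidate is then compared range by range against what was just
 * stored. The whole secret is therefore assembled inside the browser before
 * the comparison runs; this function makes no network call.
 *
 * @param {string} _0x47df21 - candidate password
 * @return {boolean} true only when every fragment matches
 */
function CheckPassword(_0x47df21) {
  // ["localStorage", "getItem", "setItem", "deleteItem", "updateItem"]
  var _0x4bbdc3 = [_0x51ee('0xe'), _0x51ee('0x3'), _0x51ee('0x7'), _0x51ee('0x4'), _0x51ee('0xa')];
  var storage = window[_0x4bbdc3[0x0]];
  var getItem = _0x4bbdc3[0x1];
  var setItem = _0x4bbdc3[0x2];
  var substr = _0x51ee('0x1'); // "substring"

  // Expected fragments, keyed by the "start-end" range they occupy.
  storage[setItem]('9-12', 'BE*');
  storage[setItem](_0x51ee('0x2'), _0x51ee('0xb')); // "4-7"   -> "bb="
  storage[setItem](_0x51ee('0x6'), '5W');           // "0-2"
  storage[setItem]('16', _0x51ee('0x9'));           // "16"    -> "^7M"
  storage[setItem](_0x51ee('0x5'), 'pg');           // "12-14"
  storage[setItem]('7-9', '+n');
  storage[setItem](_0x51ee('0xd'), '4t');           // "14-16"
  storage[setItem](_0x51ee('0x0'), '$F');           // "2-4"

  // Same comparisons in the same order as the original's nested ifs; the
  // first mismatch returns false (the original spelled true/false as !![]/![]).
  if (storage[getItem](_0x51ee('0x8')) !== _0x47df21[substr](0x9, 0xc)) return false;
  if (storage[getItem](_0x51ee('0x2')) !== _0x47df21['substring'](0x4, 0x7)) return false;
  if (storage[getItem](_0x51ee('0x6')) !== _0x47df21[substr](0x0, 0x2)) return false;
  if (storage[getItem]('16') !== _0x47df21[substr](0x10)) return false;
  if (storage[getItem](_0x51ee('0x5')) !== _0x47df21[substr](0xc, 0xe)) return false;
  if (storage[getItem](_0x51ee('0xc')) !== _0x47df21[substr](0x7, 0x9)) return false;
  if (storage[getItem](_0x51ee('0xd')) !== _0x47df21[substr](0xe, 0x10)) return false;
  if (storage[getItem](_0x51ee('0x0')) !== _0x47df21[substr](0x2, 0x4)) return false;
  return true;
}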

去在线网站进行反混淆:

http://jsnice.org/

得到:

'use strict';
/**
 * String table addressed by index through _0x51ee(); every other string in
 * the script is fetched from here. Index -> value:
 *   0 "2-4"        1 "substring"  2 "4-7"    3 "getItem"  4 "deleteItem"
 *   5 "12-14"      6 "0-2"        7 "setItem" 8 "9-12"    9 "^7M"
 *  10 "updateItem" 11 "bb="      12 "7-9"   13 "14-16"  14 "localStorage"
 * @type {!Array}
 */
var _0x575c = [
  "2-4", "substring", "4-7", "getItem", "deleteItem",
  "12-14", "0-2", "setItem", "9-12", "^7M",
  "updateItem", "bb=", "7-9", "14-16", "localStorage",
];
// Rotates the table in place: `++i` makes the counter 121 and `--steps` is
// tested before each move, so push(shift()) runs 120 times. 120 is a multiple
// of the 15 entries, so the table ends up in its original order and the
// indices listed above are the effective ones.
(function(table, i) {
  var rotateLeft = function(steps) {
    while (--steps) {
      table.push(table.shift());
    }
  };
  rotateLeft(++i);
})(_0x575c, 120);
/**
 * Looks up an entry of the _0x575c string table by index.
 * @param {string|number} level - index, usually a hex string such as "0xe";
 *   coerced to a number with `- 0`
 * @param {?} ai_test - unused; kept so call sites are unaffected
 * @return {?} the table entry at that index (undefined when out of range)
 */
var _0x51ee = function(level, ai_test) {
  var index = level - 0; // "0xe" - 0 === 14
  return _0x575c[index];
};
/**
 * Password gate for the login form (the jsnice output, restyled).
 *
 * Eight expected fragments are first written into window.localStorage, each
 * under a key naming the character range it covers ("9-12", "4-7", ...), and
 * the candidate is then compared range by range against what was just
 * stored. The complete secret is therefore present in the browser before any
 * comparison runs; this function makes no network call.
 *
 * @param {string} results - candidate password
 * @return {boolean} true only when all eight fragments match
 */
function CheckPassword(results) {
  // ["localStorage", "getItem", "setItem", "deleteItem", "updateItem"]
  var easing = [_0x51ee("0xe"), _0x51ee("0x3"), _0x51ee("0x7"), _0x51ee("0x4"), _0x51ee("0xa")];
  var store = window[easing[0]];
  var read = easing[1];
  var write = easing[2];

  // [key, value] pairs, written in the original order of the setItem calls.
  var fragments = [
    ["9-12", "BE*"],
    [_0x51ee("0x2"), _0x51ee("0xb")],
    [_0x51ee("0x6"), "5W"],
    ["16", _0x51ee("0x9")],
    [_0x51ee("0x5"), "pg"],
    ["7-9", "+n"],
    [_0x51ee("0xd"), "4t"],
    [_0x51ee("0x0"), "$F"],
  ];
  for (var i = 0; i < fragments.length; i++) {
    store[write](fragments[i][0], fragments[i][1]);
  }

  // [key, method, start, end] in the order the original nested ifs tested
  // them; the first mismatch ends the check. end === undefined means "to the
  // end of the string", exactly like the original one-argument substring call.
  var checks = [
    [_0x51ee("0x8"), _0x51ee("0x1"), 9, 12],
    [_0x51ee("0x2"), "substring", 4, 7],
    [_0x51ee("0x6"), _0x51ee("0x1"), 0, 2],
    ["16", _0x51ee("0x1"), 16, undefined],
    [_0x51ee("0x5"), _0x51ee("0x1"), 12, 14],
    [_0x51ee("0xc"), _0x51ee("0x1"), 7, 9],
    [_0x51ee("0xd"), _0x51ee("0x1"), 14, 16],
    [_0x51ee("0x0"), _0x51ee("0x1"), 2, 4],
  ];
  for (var j = 0; j < checks.length; j++) {
    var expected = store[read](checks[j][0]);
    var piece = results[checks[j][1]](checks[j][2], checks[j][3]);
    if (expected !== piece) {
      return false;
    }
  }
  return true;
}

可以看出我们传入的数据会经过CheckPassword进行判断。在chrome的console窗口进行调试,将easing变量输出,得到:

["localStorage", "getItem", "setItem", "deleteItem", "updateItem"]

那么window[easing[0]][easing[2]]就表示:

window.localStorage.setItem

window是浏览器对象模型(BOM)的顶层对象;html5的web storage包含两种存储方式,一种是localStorage,一种是sessionStorage。这两种都是保存在浏览器本地的存储,localStorage是持久化的本地存储,sessionStorage是会话级别的存储,页面脚本写进去的值都可以在浏览器里直接读出来。

我们在这8行setItem调用之后添加:

console.log(window.localStorage);

得到:

0-2: "5W"
2-4: "$F"
4-7: "bb="
7-9: "+n"
9-12: "BE*"
12-14: "pg"
14-16: "4t"
16: "^7M"

之后进行8次判断,很明显是在比较输入密码的各个片段与localStorage中对应的值是否相同;!![]的值为true。

将下面这些变量转换为其值,即:

_0x51ee("0x1") = substring

// The eight getItem() lookups, in the order CheckPassword compares them; the
// keys resolve to "9-12", "4-7", "0-2", "16", "12-14", "7-9", "14-16", "2-4".
var keys = [
  _0x51ee("0x8"),
  _0x51ee("0x2"),
  _0x51ee("0x6"),
  "16",
  _0x51ee("0x5"),
  _0x51ee("0xc"),
  _0x51ee("0xd"),
  _0x51ee("0x0"),
];
keys.forEach(function(key) {
  console.log(window[easing[0]][easing[1]](key));
});

BE*
bb=
5W
^7M
pg
+n
4t
$F

优化一下:

if("BE*" === results.substring(9,12)){
......
}

那么按照各个键对应的下标区间顺序(0-2、2-4、4-7、7-9、9-12、12-14、14-16、16,也就是各片段在输入密码中的位置),将localStorage中的值拼接起来即可:

5W$Fbb=+nBE*pg4t^7M

输入这个密码即可得到flag

Body Count

题目描述:

Here’s a character count service for you!

http://chall.csivit.com:30202

通过php://filter伪协议读取源码,整理后得到:

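<?php
// Character-count endpoint (challenge source, tidied). Access is gated on a
// cookie that must equal the PASSWORD environment variable; the text to count
// arrives in the `text` query parameter and is handed to a shell pipeline.
ini_set('max_execution_time', 5);

// On a mismatch the client is handed the literal string 'PASSWORD' as its
// cookie, not the environment value, so this branch reveals nothing by itself.
if ($_COOKIE['password'] !== getenv('PASSWORD')) {
    setcookie('password', 'PASSWORD');
    die('Sorry, only people from csivit are allowed to access this page.');
}

if (isset($_GET["text"])) {
    $text = $_GET["text"];
    // $text is attacker-controlled and becomes part of a shell command line.
    // The original spliced it bare between two single quotes, so a quote in
    // the input terminated the argument and the remainder was interpreted by
    // the shell. escapeshellarg() yields a single-quoted argument with any
    // embedded quotes escaped, so the whole value reaches printf as one
    // literal word. printf itself still interprets `%` and `\` sequences as
    // format directives, exactly as before.
    $count = exec('printf ' . escapeshellarg($text) . ' | wc -c');
    echo "<h2>The Character Count is: " . $count . "</h2>";
}
?>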

/proc/self/environ是读不了的;扫目录发现robots.txt,内容为:

Disallow: /?file=checkpass.php

用伪协议读其源码,得到:

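<?php
// checkpass.php (located via robots.txt). The cookie password sits as a
// plain-text constant in a web-reachable file, so anyone able to read the
// source (here through the php://filter wrapper) recovers it; a credential
// must not live in deployed page source.
$password = "w0rdc0unt123";
// Cookie password.

// header() must be called before any output. The original issued it after
// the echo below, at which point the headers had already been sent and the
// redirect would be lost (unless output buffering happened to be enabled).
header('Location: /');

echo "IMPORTANT!!! The page is still under development. This has a secret, do not push this page.";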