<html>
<title>BUGKUCTF-WEB13</title>
<body>
<div style="display:none;"></div>
<form action="index.php" method="post" >
看看源代码?<br>
<br>
<script>
var p1 = '%66%75%6e%63%74%69%6f%6e%20%63%68%65%63%6b%53%75%62%6d%69%74%28%29%7b%76%61%72%20%61%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%70%61%73%73%77%6f%72%64%22%29%3b%69%66%28%22%75%6e%64%65%66%69%6e%65%64%22%21%3d%74%79%70%65%6f%66%20%61%29%7b%69%66%28%22%36%37%64%37%30%39%62%32%62';
var p2 = '%61%61%36%34%38%63%66%36%65%38%37%61%37%31%31%34%66%31%22%3d%3d%61%2e%76%61%6c%75%65%29%72%65%74%75%72%6e%21%30%3b%61%6c%65%72%74%28%22%45%72%72%6f%72%22%29%3b%61%2e%66%6f%63%75%73%28%29%3b%72%65%74%75%72%6e%21%31%7d%7d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%6c%65%76%65%6c%51%75%65%73%74%22%29%2e%6f%6e%73%75%62%6d%69%74%3d%63%68%65%63%6b%53%75%62%6d%69%74%3b';
eval(unescape(p1) + unescape('%35%34%61%61%32' + p2));
</script>
<input type="input" name="flag" id="flag" />
<input type="submit" name="submit" value="Submit" />
</form>
%66%75%6e%63%74%69%6f%6e%20%63%68%65%63%6b%53%75%62%6d%69%74%28%29%7b%76%61%72%20%61%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%70%61%73%73%77%6f%72%64%22%29%3b%69%66%28%22%75%6e%64%65%66%69%6e%65%64%22%21%3d%74%79%70%65%6f%66%20%61%29%7b%69%66%28%22%36%37%64%37%30%39%62%32%62%35%34%61%61%32%61%61%36%34%38%63%66%36%65%38%37%61%37%31%31%34%66%31%22%3d%3d%61%2e%76%61%6c%75%65%29%72%65%74%75%72%6e%21%30%3b%61%6c%65%72%74%28%22%45%72%72%6f%72%22%29%3b%61%2e%66%6f%63%75%73%28%29%3b%72%65%74%75%72%6e%21%31%7d%7d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%6c%65%76%65%6c%51%75%65%73%74%22%29%2e%6f%6e%73%75%62%6d%69%74%3d%63%68%65%63%6b%53%75%62%6d%69%74%3b
function checkSubmit(){
var a=document.getElementById("password");
if("undefined"!=typeof a){
if("67d709b2b54aa2aa648cf6e87a7114f1"==a.value)
return!0;
alert("Error");
a.focus();
return!1
}
}
document.getElementById("levelQuest").onsubmit=checkSubmit;
输入然后提交,得到flag
用Burp Suite的Intruder模块从10000到99999爆破。
用dirsearch扫描
输入
python dirsearch.py -u <http://114.67.246.176:12324/> -e *
输出查找结果
[10:32:11] Starting:
[10:32:14] 403 - 298B - /.htaccess.bak1
[10:32:14] 403 - 297B - /.htaccessOLD2
[10:32:14] 403 - 298B - /.htaccess.orig
[10:32:14] 403 - 296B - /.htaccessBAK
[10:32:14] 403 - 296B - /.htaccessOLD
[10:32:14] 403 - 300B - /.htaccess.sample
[10:32:14] 403 - 298B - /.htaccess.save
[10:32:14] 403 - 295B - /.httr-oauth
[10:32:15] 403 - 288B - /.php
[10:33:41] 200 - 64B - /index.php/login/
[10:33:42] 200 - 64B - /index.php
[10:33:42] 200 - 378B - /index.php.bak
[10:34:22] 403 - 297B - /server-status
[10:34:23] 403 - 298B - /server-status/
在浏览器地址栏里输入备份文件下载/index.php.bak,用记事本打开。
<?php
/**
* Created by PhpStorm.
* User: Norse
* Date: 2017/8/6
* Time: 20:22
*/
include_once "flag.php"; //包含文件flag.php
ini_set("display_errors", 0);
$str = strstr($_SERVER['REQUEST_URI'], '?');
$str = substr($str,1);
$str = str_replace('key','',$str);//可以用双写绕过,将key1=240640708改为kekeyy1=240640708,key2类似操作
parse_str($str); //解析字符串,将value与key对应。
echo md5($key1); //输出key1的MD5
echo md5($key2);
if(md5($key1) == md5($key2) && $key1 !== $key2){
echo $flag."取得flag";
}
?>