Chybeta

ringzer0team-js-writeup

未完待续...

Client side validation is so secure?

查看源代码,发现下面的js

<script>
// Look's like weak JavaScript auth script :)
// Credential check performed entirely in the browser: the expected username
// and the expected password both sit in this script, so anyone who can read
// the page source can recover them. The password is only lightly hidden
// behind String.fromCharCode (evaluated in the console further down).
$(".c_submit").click(function(event) {
event.preventDefault()
// Username and password as typed into the form.
var u = $("#cuser").val();
var p = $("#cpass").val();
// Compared against literals; nothing is sent to a server for verification.
if(u == "admin" && p == String.fromCharCode(74,97,118,97,83,99,114,105,112,116,73,115,83,101,99,117,114,101)) {
// On success the page navigates to the current URL with ?p=<password>
// appended, unless a ?p= parameter is already present.
if(document.location.href.indexOf("?p=") == -1) {
document.location = document.location.href + "?p=" + p;
}
} else {
$("#cresponse").html("<div class='alert alert-danger'>Wrong password sorry.</div>");
}
});
</script>

用控制台运行一下得到密码为:

String.fromCharCode(74,97,118,97,83,99,114,105,112,116,73,115,83,101,99,117,114,101)
"JavaScriptIsSecure"

填入账号admin,密码JavaScriptIsSecure,得到flag:

FLAG-66Jq5u688he0y46564481WRh

Is hashing more secure?

查看源代码,发现js:

// Password check done in the browser: the SHA-1 digest of the submitted
// password is compared against a hard-coded hex digest, so the digest itself
// is public. An unsalted SHA-1 of a short password can be looked up in
// precomputed tables (the writeup does exactly that), and a client-side
// check protects nothing on the server side.
$(".c_submit").click(function(event) {
event.preventDefault();
var p = $("#cpass").val();
// Sha1 is not defined in this snippet; presumably provided by another script
// on the page.
if(Sha1.hash(p) == "b89356ff6151527e89c4f3e3d30c8e6586c63962") {
// Reload with ?p=<password> appended, unless it is already present.
if(document.location.href.indexOf("?p=") == -1) {
document.location = document.location.href + "?p=" + p;
}
} else {
$("#cresponse").html("<div class='alert alert-danger'>Wrong password sorry.</div>");
}
});

工具网站:http://hashtoolkit.com
得到密码为:adminz。填入,得到flag。

FLAG-bXNsYg9tLCaIX6h1UiQMmMYB

Then obfuscation is more secure?

<script>
// Look's like weak JavaScript auth script :)
// Obfuscated form of the same click handler: every selector, property name,
// message and both halves of the expected password are hex-escaped strings
// in _0xc360 and referenced by index. Decoding the escapes is enough to read
// it; obfuscation hides nothing from a client that executes the code.
// NOTE(review): as rendered on this page the handler's _0xc360[n] lookups
// appear replaced by their decoded values without quotes (e.g. $(.c_submit)),
// so this line is not runnable as shown — compare the decoded listing that
// follows.
var _0xc360=["\x76\x61\x6C","\x23\x63\x70\x61\x73\x73","\x61\x6C\x6B\x33","\x30\x32\x6C\x31","\x3F\x70\x3D","\x69\x6E\x64\x65\x78\x4F\x66","\x68\x72\x65\x66","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x3C\x64\x69\x76\x20\x63\x6C\x61\x73\x73\x3D\x27\x65\x72\x72\x6F\x72\x27\x3E\x57\x72\x6F\x6E\x67\x20\x70\x61\x73\x73\x77\x6F\x72\x64\x20\x73\x6F\x72\x72\x79\x2E\x3C\x2F\x64\x69\x76\x3E","\x68\x74\x6D\x6C","\x23\x63\x72\x65\x73\x70\x6F\x6E\x73\x65","\x63\x6C\x69\x63\x6B","\x2E\x63\x5F\x73\x75\x62\x6D\x69\x74"];$(.c_submit)[click](function (){var _0xf382x1=$(#cpass)[val]();var _0xf382x2=alk3;if(_0xf382x1==02l1+_0xf382x2){if(document[location][href][indexOf](?p=)==-1){document[location]=document[location][href]+?p=+_0xf382x1;} ;} else {$(#cresponse)[html](<div class='error'>Wrong password sorry.</div>);} ;} );
</script>

拖到http://ddecode.com/
解一下得到如下代码:

// Look's like weak JavaScript auth script :)
// The handler with the hex escapes decoded. Index map into _0xc360:
// 12 ".c_submit", 11 "click", 1 "#cpass", 0 "val", 3 + 2 = "02l1" + "alk3"
// (the expected password, assembled at runtime), 7/6/5/4 location/href/
// indexOf/"?p=", 10/9/8 the #cresponse error message.
var _0xc360 = ["val", "#cpass", "alk3", "02l1", "?p=", "indexOf", "href", "location", "<div class='error'>Wrong password sorry.</div>", "html", "#cresponse", "click", ".c_submit"];
$(_0xc360[12])[_0xc360[11]](function() { var _0xf382x1 = $(_0xc360[1])[_0xc360[0]](); var _0xf382x2 = _0xc360[2]; if (_0xf382x1 == _0xc360[3] + _0xf382x2) { if (document[_0xc360[7]][_0xc360[6]][_0xc360[5]](_0xc360[4]) == -1) { document[_0xc360[7]] = document[_0xc360[7]][_0xc360[6]] + _0xc360[4] + _0xf382x1; }; } else { $(_0xc360[10])[_0xc360[9]](_0xc360[8]); };});

自己再替换一下。总算能看了。

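// Hand-substituted form of the obfuscated handler: every _0xc360[n] lookup
// has been replaced by its string value. The lookup table is kept only for
// reference; nothing below reads it any more.
// Fixes to the substitution: the array element separators (",") had been
// carried into the "?p=" call argument and, on the redirect line, turned
// `+ "?p=" + password` into a comma expression that dropped the password.
var _0xc360 = ["val", "#cpass", "alk3", "02l1", "?p=", "indexOf", "href", "location", "<div class='error'>Wrong password sorry.</div>", "html", "#cresponse", "click", ".c_submit"];
$(".c_submit")["click"](function() {
  // Submitted password.
  var _0xf382x1 = $("#cpass")["val"]();
  // The expected password is two literals concatenated at runtime.
  var _0xf382x2 = "alk3";
  if (_0xf382x1 == "02l1" + _0xf382x2) {
    // Append ?p=<password> to the current URL unless it is already there.
    if (document["location"]["href"]["indexOf"]("?p=") == -1) {
      document["location"] = document["location"]["href"] + "?p=" + _0xf382x1;
    }
  } else {
    $("#cresponse")["html"]("<div class='error'>Wrong password sorry.</div>");
  }
});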

所以密码是 02l1alk3,得到flag:

FLAG-5PJne3T8d73UGv4SCqN44DXj

Why not?

// Checks the username and a per-character password relation entirely in the
// browser. Everything needed to invert the check (u and k) is in this script.
$(".c_submit").click(function(event) {
event.preventDefault();
// k[i] is the required value of u.charCodeAt(i) + p.charCodeAt(i) + i * 10;
// 13 entries, one per character of "administrator".
var k = new Array(176,214,205,246,264,255,227,237,242,244,265,270,283);
var u = $("#cuser").val();
var p = $("#cpass").val();
var t = true;
if(u == "administrator") {
// NOTE: `i` is assigned without a declaration, so it becomes a global.
for(i = 0; i < u.length; i++) {
// If p is shorter than u, p.charCodeAt(i) is NaN and the comparison fails.
if((u.charCodeAt(i) + p.charCodeAt(i) + i * 10) != k[i]) {
$("#cresponse").html("<div class='alert alert-danger'>Wrong password sorry.</div>");
t = false;
break;
}
}
} else {
$("#cresponse").html("<div class='alert alert-danger'>Wrong password sorry.</div>");
t = false;
}
// Only when every character matched: reload with ?p=<password> appended.
if(t) {
if(document.location.href.indexOf("?p=") == -1) {
document.location = document.location.href + "?p=" + p;
}
}
});

写一个js脚本。

<script>
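// Inverts the "Why not?" check: the page requires
//   u.charCodeAt(i) + p.charCodeAt(i) + i * 10 == k[i]
// for every index i, so each password character is
//   k[i] - i * 10 - u.charCodeAt(i).
//
// @param {number[]} k - expected per-index sums copied from the page script.
// @param {string} u - the username the check is written for.
// @returns {string} the recovered password, one character per index present
//   in both k and u (extra entries on either side are ignored).
function recoverPassword(k, u) {
  var p = "";
  // Bound by both lengths so a short k cannot produce NaN char codes.
  var n = Math.min(k.length, u.length);
  // `var i` keeps the index local; the original loop assigned `i` without a
  // declaration and leaked it as a global.
  for (var i = 0; i < n; i++) {
    p += String.fromCharCode(k[i] - i * 10 - u.charCodeAt(i));
  }
  return p;
}
var k = [176,214,205,246,264,255,227,237,242,244,265,270,283];
var u = "administrator";
var p = recoverPassword(k, u);
// alert() only exists in a browser; print to the console anywhere else.
if (typeof alert === "function") {
  alert(p);
} else {
  console.log(p);
}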
</script>

弹框得到结果:OhLord4309111,得到flag:

FLAG-65t23674o6N2NehA44272G24

Valid key required

<script>
// Partial-application helper. The returned function starts from any extra
// arguments given to curry() itself, appends whatever it is called with, and
// either returns fn (to collect more) or invokes orig_func once
// fn.args.length reaches orig_func.length (the declared parameter count).
// NOTE(review): the collected arguments live on the single shared fn.args
// property, so interleaved partial applications of one curried function
// overwrite each other's state.
function curry( orig_func ) {
// `args` is curry's own arguments: orig_func followed by any pre-bound values.
var ap = Array.prototype, args = arguments;
function fn() {
ap.push.apply( fn.args, arguments );
// Keep collecting until the declared arity is reached, then call through.
return fn.args.length < orig_func.length ? fn : orig_func.apply( this, fn.args );
}
return function() {
// Each fresh call restarts from the pre-bound values (args minus orig_func).
fn.args = ap.slice.call( args, 1 );
return fn.apply( this, arguments );
};
}
// reduceRight step used by validatekey(). x is the accumulator object, y the
// function genFunc produced for the current key part, i its index and a the
// whole array. y is called with `this` bound to x and a two-character
// argument cut from the source text of the element at the mirrored position
// a[length-1-i]; the accumulator survives only if that call returns a falsy
// value, otherwise it is replaced by a fresh {}.
// NOTE(review): slice(19,21) assumes Function.prototype.toString renders a
// `new Function` as "function anonymous(" (19 characters) followed by its
// parameter list, i.e. it picks out the two-character parameter name that
// genFunc assigns — confirm in the target engine.
function callback(x,y,i,a) {
return !y.call(x, a[a["length"]-1-i].toString().slice(19,21)) ? x : {};
}
// The object validatekey() expects to rebuild from the key: equal() requires
// exactly these five keys, in this insertion order, with these values.
var ref = {T : "BG8",J : "jep",j : "M2L",K : "L23",H : "r1A"};
// Validates the key typed into #key and, on success, reloads the page with
// ?p=<key> appended. Every failure path shows the same generic message.
function validatekey()
{
// NOTE: `e` is never declared with var, so this creates/assigns a global.
e = false;
var _strKey = "";
try {
_strKey = document.getElementById("key").value;
// The key must be five dash-separated parts; the flag is set but execution
// continues either way.
var a = _strKey.split("-");
if(a.length !== 5)
e = true;
// Each part becomes a function via genFunc; reduceRight folds them through
// callback, starting from an object constructed from the last part with
// Function passed as the constructor argument.
var o=a.map(genFunc).reduceRight(callback, new (genFunc(a[4]))(Function));
// The folded object must match `ref` exactly (same keys, order and values).
if(!equal(o,ref))
e = true;
}catch(e){
// Assigns the catch-bound `e`, not the global flag above: an exception
// thrown inside the try block leaves the global `e` unchanged.
e = true;
}
if(!e) {
if(document.location.href.indexOf("?p=") == -1) {
document.location = document.location.href + "?p=" + _strKey;
}
} else {
$("#cresponse").html("<div class='alert alert-danger'>Wrong password sorry.</div>");
}
}
// Shallow object comparison used by validatekey(): both objects must expose
// the same number of own enumerable keys, the same key names in the same
// insertion order, and loosely-equal (==) values for each position.
function equal(o,o1)
{
  var refKeys = Object.keys(o1);
  var ownKeys = Object.keys(o);
  if (ownKeys.length !== refKeys.length) {
    return false;
  }
  return ownKeys.every(function(key, idx) {
    var refKey = refKeys[idx];
    return key == refKey && o[key] == o1[refKey];
  });
}
// Combinator: feeds x through f1 and f3 (in that order) and hands both
// results to f2. Three declared parameters are kept on purpose — curry()
// reads hook.length to decide when to call through.
function hook(f1,f2,f3) {
  return function(x) {
    var left = f1(x);
    var right = f3(x);
    return f2(left, right);
  };
}
// h(f1, f2) yields a function still waiting for hook's third argument
// (curry reads hook.length === 3).
var h = curry(hook);
// fn(g) therefore returns x => (x >= 48) && g(x); genFunc calls it with
// g = y <= 57 to test whether a char code is an ASCII digit.
var fn = h(function(x) {return x >= 48;},new Function("a","b","return a && b;"));
// Builds a function from one 4-character key part. For a part "abcd" the
// generated function has parameter "bc" and body `this.d = bc + a`, where
// `a` is inserted as a bare number when its char code is in 48..57 (an ASCII
// digit, decided via fn) and as a quoted string otherwise. Parts that are not
// exactly four characters long get a no-op function instead.
// NOTE(review): the source text is assembled by string concatenation from
// user-typed input and compiled with new Function; only positions 0..3 of
// the part reach the generated source.
function genFunc(_part) {
if(!_part || !(_part.length) || _part.length !== 4)
return function() {};
return new Function(_part.substring(1,3), "this." + _part[3] + "=" + _part.slice(1,3) + "+" + (fn(function(y){return y<=57})(_part.charCodeAt(0)) ? _part[0] : "'"+ _part[0] + "'"));
}
</script>

本文标题:ringzer0team-js-writeup

文章作者:chybeta

发布时间:2017年06月30日 - 13:06

最后更新:2017年07月28日 - 15:07

原始链接:http://chybeta.github.io/2017/06/30/–ringzer0team-js-writeup/

许可协议: 署名-非商业性使用-禁止演绎 4.0 国际 转载请保留原文链接及作者。