Chybeta

ringzer0team-js-writeup

未完待续..待续..

Client side validation is so secure?

查看源代码,发现下面的js

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
<script>
// Look's like weak JavaScript auth script :)
$(".c_submit").click(function(event) {
event.preventDefault()
var u = $("#cuser").val();
var p = $("#cpass").val();
if(u == "admin" && p == String.fromCharCode(74,97,118,97,83,99,114,105,112,116,73,115,83,101,99,117,114,101)) {
if(document.location.href.indexOf("?p=") == -1) {
document.location = document.location.href + "?p=" + p;
}
} else {
$("#cresponse").html("<div class='alert alert-danger'>Wrong password sorry.</div>");
}
});
</script>

用控制台运行一下得到密码为:

1
2
String.fromCharCode(74,97,118,97,83,99,114,105,112,116,73,115,83,101,99,117,114,101)
"JavaScriptIsSecure"

填入账号admin,密码JavaScriptIsSecure,得到flag:

1
FLAG-66Jq5u688he0y46564481WRh

Is hashing more secure?

查看源代码,发现js:

1
2
3
4
5
6
7
8
9
10
11
$(".c_submit").click(function(event) {
event.preventDefault();
var p = $("#cpass").val();
if(Sha1.hash(p) == "b89356ff6151527e89c4f3e3d30c8e6586c63962") {
if(document.location.href.indexOf("?p=") == -1) {
document.location = document.location.href + "?p=" + p;
}
} else {
$("#cresponse").html("<div class='alert alert-danger'>Wrong password sorry.</div>");
}
});

工具网站:http://hashtoolkit.com
得到密码为;adminz。填入,得到flag。

1
FLAG-bXNsYg9tLCaIX6h1UiQMmMYB

Then obfuscation is more secure?

1
2
3
4
<script>
// Look's like weak JavaScript auth script :)
var _0xc360=["\x76\x61\x6C","\x23\x63\x70\x61\x73\x73","\x61\x6C\x6B\x33","\x30\x32\x6C\x31","\x3F\x70\x3D","\x69\x6E\x64\x65\x78\x4F\x66","\x68\x72\x65\x66","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x3C\x64\x69\x76\x20\x63\x6C\x61\x73\x73\x3D\x27\x65\x72\x72\x6F\x72\x27\x3E\x57\x72\x6F\x6E\x67\x20\x70\x61\x73\x73\x77\x6F\x72\x64\x20\x73\x6F\x72\x72\x79\x2E\x3C\x2F\x64\x69\x76\x3E","\x68\x74\x6D\x6C","\x23\x63\x72\x65\x73\x70\x6F\x6E\x73\x65","\x63\x6C\x69\x63\x6B","\x2E\x63\x5F\x73\x75\x62\x6D\x69\x74"];$(.c_submit)[click](function (){var _0xf382x1=$(#cpass)[val]();var _0xf382x2=alk3;if(_0xf382x1==02l1+_0xf382x2){if(document[location][href][indexOf](?p=)==-1){document[location]=document[location][href]+?p=+_0xf382x1;} ;} else {$(#cresponse)[html](<div class='error'>Wrong password sorry.</div>);} ;} );
</script>

拖到http://ddecode.com/
解一下得到如下代码:

1
2
3
4
5
// Look's like weak JavaScript auth script :)
var _0xc360 = ["val", "#cpass", "alk3", "02l1", "?p=", "indexOf", "href", "location", "<div class='error'>Wrong password sorry.</div>", "html", "#cresponse", "click", ".c_submit"];
$(_0xc360[12])[_0xc360[11]](function() { var _0xf382x1 = $(_0xc360[1])[_0xc360[0]](); var _0xf382x2 = _0xc360[2]; if (_0xf382x1 == _0xc360[3] + _0xf382x2) { if (document[_0xc360[7]][_0xc360[6]][_0xc360[5]](_0xc360[4]) == -1) { document[_0xc360[7]] = document[_0xc360[7]][_0xc360[6]] + _0xc360[4] + _0xf382x1; }; } else { $(_0xc360[10])[_0xc360[9]](_0xc360[8]); };});

自己再替换一下。总算能看了。

1
2
3
4
5
6
7
8
9
10
11
12
13
var _0xc360 = ["val", "#cpass", "alk3", "02l1", "?p=", "indexOf", "href", "location", "<div class='error'>Wrong password sorry.</div>", "html", "#cresponse", "click", ".c_submit"];
$(".c_submit")["click"](function() {
var _0xf382x1 = $("#cpass")["val"]();
var _0xf382x2 = "alk3";
if (_0xf382x1 == "02l1" + _0xf382x2) {
if (document["location"]["href"]["indexOf"]("?p=",) == -1) {
document["location"] = document["location"]["href"] + "?p=", + _0xf382x1;
};
} else {
$("#cresponse")["html"]("<div class='error'>Wrong password sorry.</div>");
};
});

所以密码是 02l1alk3,得到flag:

1
FLAG-5PJne3T8d73UGv4SCqN44DXj

Why not?

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
$(".c_submit").click(function(event) {
event.preventDefault();
var k = new Array(176,214,205,246,264,255,227,237,242,244,265,270,283);
var u = $("#cuser").val();
var p = $("#cpass").val();
var t = true;
if(u == "administrator") {
for(i = 0; i < u.length; i++) {
if((u.charCodeAt(i) + p.charCodeAt(i) + i * 10) != k[i]) {
$("#cresponse").html("<div class='alert alert-danger'>Wrong password sorry.</div>");
t = false;
break;
}
}
} else {
$("#cresponse").html("<div class='alert alert-danger'>Wrong password sorry.</div>");
t = false;
}
if(t) {
if(document.location.href.indexOf("?p=") == -1) {
document.location = document.location.href + "?p=" + p;
}
}
});

写一个js脚本。

1
2
3
4
5
6
7
8
9
<script>
var k = new Array(176,214,205,246,264,255,227,237,242,244,265,270,283);
var u = "administrator";
var p = "";
for (i = 0; i < u.length; i++){
p += String.fromCharCode(k[i] - i * 10 - u.charCodeAt(i) );
}
alert(p);
</script>

弹框得到结果:OhLord4309111,得到flag:

1
FLAG-65t23674o6N2NehA44272G24

Valid key required

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
<script>
function curry( orig_func ) {
var ap = Array.prototype, args = arguments;
function fn() {
ap.push.apply( fn.args, arguments );
return fn.args.length < orig_func.length ? fn : orig_func.apply( this, fn.args );
}
return function() {
fn.args = ap.slice.call( args, 1 );
return fn.apply( this, arguments );
};
}
function callback(x,y,i,a) {
return !y.call(x, a[a["length"]-1-i].toString().slice(19,21)) ? x : {};
}
var ref = {T : "BG8",J : "jep",j : "M2L",K : "L23",H : "r1A"};
function validatekey()
{
e = false;
var _strKey = "";
try {
_strKey = document.getElementById("key").value;
var a = _strKey.split("-");
if(a.length !== 5)
e = true;
var o=a.map(genFunc).reduceRight(callback, new (genFunc(a[4]))(Function));
if(!equal(o,ref))
e = true;
}catch(e){
e = true;
}
if(!e) {
if(document.location.href.indexOf("?p=") == -1) {
document.location = document.location.href + "?p=" + _strKey;
}
} else {
$("#cresponse").html("<div class='alert alert-danger'>Wrong password sorry.</div>");
}
}
function equal(o,o1)
{
var keys1 = Object.keys(o1);
var keys = Object.keys(o);
if(keys1.length != keys.length)
return false;
for(var i=0;i<keys.length;i++)
if(keys[i] != keys1[i] || o[keys[i]] != o1[keys1[i]])
return false;
return true;
}
function hook(f1,f2,f3) {
return function(x) { return f2(f1(x),f3(x));};
}
var h = curry(hook);
var fn = h(function(x) {return x >= 48;},new Function("a","b","return a && b;"));
function genFunc(_part) {
if(!_part || !(_part.length) || _part.length !== 4)
return function() {};
return new Function(_part.substring(1,3), "this." + _part[3] + "=" + _part.slice(1,3) + "+" + (fn(function(y){return y<=57})(_part.charCodeAt(0)) ? _part[0] : "'"+ _part[0] + "'"));
}
</script>
点击赞赏二维码,您的支持将鼓励我继续创作!
chybeta WeChat Pay

微信打赏

chybeta Alipay

支付宝打赏

本文标题:ringzer0team-js-writeup

文章作者:chybeta

发布时间:2017年06月30日 - 13:06

最后更新:2017年07月28日 - 15:07

原始链接:http://chybeta.github.io/2017/06/30/–ringzer0team-js-writeup/

许可协议: 署名-非商业性使用-禁止演绎 4.0 国际 转载请保留原文链接及作者。