simple_js
附上题目链接:https://adworld.xctf.org.cn/task/answer?type=web&number=3&grade=0&id=5067&page=1
点开题目场景后
任意输入一个密码,比如111,结果出现弹窗
查看网页源代码,发现里面有一段JS代码:
将JS代码提取出来为:
function dechiffre(pass_enc){
var pass = "70,65,85,88,32,80,65,83,83,87,79,82,68,32,72,65,72,65"; var tab = pass_enc.split(',');var tab2 = pass.split(',');var i,j,k,l=0,m,n,o,p = "";i = 0;j = tab.length;k = j + (l) + (n=0);n = tab2.length;for(i = (o=0); i < (k = j = n); i++ ){
o = tab[i-l];p += String.fromCharCode((o = tab2[i]));if(i == 5)break;}for(i = (o=0); i < (k = j = n); i++ ){
o = tab[i-l];if(i > 5 && i < k-1)p += String.fromCharCode((o = tab2[i]));}p += String.fromCharCode(tab2[17]);pass = p;return pass;}String["fromCharCode"](dechiffre("\x35\x35\x2c\x35\x36\x2c\x35\x34\x2c\x37\x39\x2c\x31\x31\x35\x2c\x36\x39\x2c\x31\x31\x34\x2c\x31\x31\x36\x2c\x31\x30\x37\x2c\x34\x39\x2c\x35\x30"));h = window.prompt('Enter password');alert( dechiffre(h) );分析之后我们发现,在dechiffre()函数中,并没有使用到我们输入的pass_enc变量,也就是说我们无论输入的密码是多少,输出的都是一样的为pass且pass的值始终为初始定义的值,即
pass=“70,65,85,88,32,80,65,83,83,87,79,82,68,32,72,65,72,65”
将这串十进制数字转换成ASCII码之后为:
(附上在线转换工具链接:http://www.ab126.com/goju/1711.html)
F,A,U,X, ,P,A,S,S,W,O,R,D, ,H,A,H,A
故可以联想到代码中dechiffre函数中的一串字符也是有用信息:
dechiffre("\x35\x35\x2c\x35\x36\x2c\x35\x34\x2c\x37\x39\x2c\x31\x31\x35\x2c\x36\x39\x2c\x31\x31\x34\x2c\x31\x31\x36\x2c\x31\x30\x37\x2c\x34\x39\x2c\x35\x30")
将这串字符中的“\x”转换成“%”,变为:
%35%35%2c%35%36%2c%35%34%2c%37%39%2c%31%31%35%2c%36%39%2c%31%31%34%2c%31%31%36%2c%31%30%37%2c%34%39%2c%35%30
将这些字符进行URL解码得到:
55,56,54,79,115,69,114,116,107,49,50
解码我用的是火狐中的Hackbar插件,输入字符后点击Url Decode,可得到答案
将55,56,54,79,115,69,114,116,107,49,50通过十进制转ASCII工具转换成ASCII后为:
7,8,6,O,s,E,r,t,k,1,2
根据提示(Flag格式为 Cyberpeace{xxxxxxxxx} )提交答案
Cyberpeace{786OsErtk12}