hackim_2019_web_credz
网页源代码里有一句话:
remember me all the time, credz is not what you need lukeadmin/admin就可以登录进去。提示:
可以看到主页调用了一个叫做bjs_1的函数:
有个/js/fps.js中bjs_1具体代码:function bjs_1(e) {
var r = new fpbrowser_v1,
t = new fpbrowser_v1({
canvas: !0
}),
n = r.get(),
o = t.get(),
i = n + "" + o,
a = getbrowser(),
d = new XMLHttpRequest,
s = "trackuser.php",
w = "m=" + i;
w += "&token=" + e, w += "&b=" + a, d.open("POST", s, !0), d.setRequestHeader("Content-type", "application/x-www-form-urlencoded"), d.onreadystatechange = function() {
if (4 == d.readyState && 200 == d.status) {
d.responseText;
"index.php" == e && (document.getElementById("loaderDiv").innerHTML = "")
}
}, d.send(w)
}所以访问主页也能抓到请求了一个trackuser.php的包。
bjs_1生成了两个fpbrowser_v1类,调用了其get函数的代码: Fingerprint.prototype = {
get: function() {
var keys = [];
keys.push(navigator.userAgent);
keys.push(navigator.language);
keys.push(screen.colorDepth);
if (this.screen_resolution) {
var resolution = this.getScreenResolution();
if (typeof resolution !== 'undefined') {
keys.push(resolution.join('x'))
}
}
keys.push(new Date().getTimezoneOffset());
keys.push(this.hasSessionStorage());
keys.push(this.hasLocalStorage());
keys.push(!!window.indexedDB);
if (document.body) {
keys.push(typeof(document.body.addBehavior))
} else {
keys.push(typeof undefined)
}
keys.push(typeof(window.openDatabase));
keys.push(navigator.cpuClass);
keys.push(navigator.platform);
keys.push(navigator.doNotTrack);
keys.push(this.getPluginsString());
if (this.canvas && this.isCanvasSupported()) {
keys.push(this.getCanvasFingerprint())
}
if (this.hasher) {
return this.hasher(keys.join('###'), 31)
} else {
return this.fingerprint_js_browser(keys.join('###'), 31)
}navigator.language可以根据题目的描述Alice is a admin of abc company in india可以知道是Indian。navigator.userAgent可以根据hint知道是windows 10 chrome。getTimezoneOffset()是India的时区。getCanvasFingerprint()就是给出的图片:
data:image/png;base64,...计算得到m的值为2656613544186699742。
发包得到对应的cookie:
再添加那个bf后请求login.php:
访问/fea24a3a981cb8aa898dfbf30ccb4196/得到:
admin.php没权限访问,下载pack-9d392b4893d01af61c5712fdf5aafd8f24d06a10.pack,通过git tips来还原恢复:
$ git init
$ git unpack-objects < pack-9d392b4893d01af61c5712fdf5aafd8f24d06a10.pack
$ git fsck
$ git update-ref HEAD 29e3e14902aa1cc8caf8372c55e59f6720b5619b
$ git checkout 29e3e14902aa1cc8caf8372c55e59f6720b5619b得到admin.php:
<?php
if($_SESSION['go']){
$sp_php=explode('/', $_SERVER['PHP_SELF']);
$langfilename=$sp_php;
$pageListArray = array('index.php' => "1");
if($pageListArray [$langfilename]!=1){
echo "not_authorized";
Header("Location: index.php?not_authorized");
}
else{
echo "hackim19{}";
}
}
else{
echo "you need to complete the first barrier";
}
?>主要检查了index.php在不在里面,所以构造:admin.php/index.php
页:
[1]