wp---Javascript
101 Javascript, secure?
看看下面的网站。它由一个简单的JavaScript保护来保护。试着打开它;)
秘密网页
打开秘密网站后,发现右键被禁用
直接用view-source:https://www.net-force.nl/challenge/level101/secret.html查看源代码
密码:JavaScript
102 This won't take long...
找到正确的密码并在挑战页面使用它!
审计代码,可以发现有生成密码的函数submitentry(),单独拿出来,直接放入控制台执行即可
可以删除与password无关的操作以下是我简化的函数
var numletter=“0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ”; password = numletter.substring(11,12); password = password + numletter.substring(18,19); password = password + numletter.substring(23,24); password = password + numletter.substring(16,17); password = password + numletter.substring(24,25); password = password + numletter.substring(1,4);
alert(password);//输出密码
确实没等多久
103 Escape now!!!
查看源码,在源码中可以看到unescape()函数对某些内容进行了解码,修改既可以得到
text2.value,“user”,text1.value,“member”
104 Is this safe...?!?
查看源码后再15 行可以找到如下提示<!-- soulslayer:2aBl6E94IuUfo or guess it....--> 用户名:soulslayer 密码:2aBl6E94IuUfo 但输入到网站只会跳转到首页,所以这不是真正的密码,密码符合BASE64的特征,所以使用MD5解码,得blatt 
原本以为结束了,但仔细查看js代码可以发现其实是把blatt和html拼接指向看另一个链接,访问原网址+/blatt.html 效果如图: 105 Micro$oft crap...
要用IE浏览器!要用IE浏览器!要用IE浏览器!(请抛弃万恶的IE吧)
首先把那一串最显眼的Words转化一下,根据题目的提示,转化后的乱码八九不离十就是Jscript.encode
解密网站https://www.jb51.net/tools/onlinetools/jiemi/jsendecode.htm
代码如下:
<!–
//Start Encode
function tester(){
var pass = document.form.passwd.value;
var cryptpass = “VDkPWd0lakHPl”;
var addr = ‘solution.php?passwd=’;
var locatie = location.href;
var out = ‘’;
var pass2 = cryptpass.substring(10, 25+1)+cryptpass.substring(2(2+2), 3+6)+cryptpass.substring(3+5-1, 8)+cryptpass.substr(7,1)+cryptpass.substr(6,1);pass=locatie.substr(locatie.indexOf(’?’)+1);addr=addr.substring(0, addr.indexOf(’?’)+1)+‘blabla=’;
for(i=0;i<pass.Len;i++){
if(pass.charAt(i) == pass2.charAt(i)){
document.write(pass.charAt(i));
}
}
location = addr+pass;
}
–>
仔细看完脚本后,我们能够确定它是用URL计算密码。我们稍微修改脚本,并使其显示存储在URL值中的密码。删除了for循环,因为这只是用来验证密码的代码。通过alert显示addr和pass2两个值。
最后找到藏有答案的链接
https://www.net-force.nl/challenge/level105/solution.php?blabla=Hall0
密码即为Hall0
106 HTML Guardian
右键查看不了,还是老套路加view-source:
经过查看15行为关键代码找到
< script> eval(unescape('%6B%3D%75%6E%65%73%63%61%70%65%28%22%25%30%44%25%30%41%22%29%3B%69%31%3D%20%6B%6F%68%28%66%77%29%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%69%31%29%3B%66%75%6E%63%74%69%6F%6E%20%6B%6F%68%28%73%29%20%7B%76%61%72%20%75%6E%3D%22%22%3B%6C%3D%73%2E%6C%65%6E%67%74%68%3B%6F%68%3D%4D%61%74%68%2E%72%6F%75%6E%64%28%6C%2F%32%29%3B%66%6F%72%28%69%3D%30%3B%69%3C%3D%6F%68%3B%69%2B%2B%29%7B%61%3D%73%2E%63%68%61%72%41%74%28%69%29%3B%62%3D%73%2E%63%68%61%72%41%74%28%69%2B%6F%68%29%3B%63%3D%61%2B%62%3B%75%6E%3D%75%6E%2B%63%3B%7D%3B%4D%3D%75%6E%2E%73%75%62%73%74%72%28%30%2C%6C%29%3B%4D%3D%4D%2E%72%65%70%6C%61%63%65%28%2F%60%2F%67%2C%22%27%22%29%3B%4D%3D%4D%2E%72%65%70%6C%61%63%65%28%2F%40%40%2F%67%2C%22%5C%5C%22%29%3B%66%20%3D%20%2F%71%67%2F%67%3B%4D%3D%4D%2E%72%65%70%6C%61%63%65%28%66%2C%6B%29%3B%72%65%74%75%72%6E%20%4D%3B%7D%3B')); </ script> eval()
函数可计算某个字符串,并执行其中的的 JavaScript 代码。 用alter将其打印出来 
对代码整理后 k = unescape("%0D%0A");
i1 = koh(fw);
document.write(i1);
function koh(s) {
var un = “”;
l = s.length;
oh = Math.round(l / 2);
for (i = 0; i <= oh; i++) {
a = s.charAt(i);
b = s.charAt(i + oh);
c = a + b;
un = un + c;
};
M = un.substr(0, l);
M = M.replace(/`/g, “’”);
M = M.replace(/@@/g, “\”);
f = /qg/g;
M = M.replace(f, k);
return M;
};
可以看到最后返回的M即是flag,所以在返回之前,处理之后将M打印出来即可,在return M前加alter(M)即可
最后的密码:0nd3rW4t3r
[个人小破站(空の城)](http://wanghaoxuan.site/)