
Failure to Restrict URL Access Challenge 2(没有限制URL访问 2)

题目介绍

需要找到以管理员身份发送请求的方法,从而获得通关密钥

功能实现

查看页面,只有一个按钮,点击发送请求后未发现有什么功能

POST /challenges/278fa30ee727b74b9a2522a5ca3bf993087de5a0ac72adff216002abf79146fa HTTP/1.1


guestData=sOdjh318UD8ismcoa98smcj21dmdoaoIS9

对应的服务端处理代码

try
{
    // Admin gate for the challenge endpoint: the request is accepted only when the
    // "adminData" parameter equals one fixed string. Nothing in this snippet consults
    // the session for a role, so possession of that string alone is what grants access.
    String userData = request.getParameter("adminData"); // user-supplied request parameter
    // NOTE(review): getParameter returns null when the parameter is absent, so calling
    // equalsIgnoreCase on userData throws NullPointerException instead of failing closed;
    // "youAreAnAdminOfAwesomenessWoopWoop".equalsIgnoreCase(userData) would be the safer form.
    boolean tamperedRequest = !userData.equalsIgnoreCase("youAreAnAdminOfAwesomenessWoopWoop"); // does the submitted value match the expected admin value?
    if(!tamperedRequest)
        log.debug("No request tampering detected");
    else
        log.debug("User Submitted - " + userData); // the raw submitted value goes into the debug log

    if(!tamperedRequest)
    {
        // Value matched: build the per-user solution key. levelResult and Hash are defined
        // outside this snippet; ses is presumably the HttpSession of the logged-in user.
        String userKey = Hash.generateUserSolution(levelResult, (String)ses.getAttribute("userName"));
        htmlOutput = "<h2 class='title'>" + bundle.getString("admin.clicked") + "</h2>"
            + "<p>" + bundle.getString("admin.keyMessage.1") + "<br /> "
            + "<a>" + userKey + "</a><br />" 
            + bundle.getString("admin.keyMessage.2") + "</p>";
    }
    else
        // Value mismatched: failure message; the submitted value is passed through
        // Encode.forHtml and echoed back inside an HTML comment.
        htmlOutput = "<h2 class='title'>" + bundle.getString("response.failue") + "</h2>"
                + "<p>" + bundle.getString("response.failue.message") + "</p>"
                + "<!-- " + Encode.forHtml(userData) + " -->";
}

但我们请求的值是 sOdjh318UD8ismcoa98smcj21dmdoaoIS9

再看看哪里能找到 youAreAnAdminOfAwesomenessWoopWoop 这个值?

查看页面源代码,发现如下功能

// Page script wrapped by a "p,a,c,k,e,d"-style packer: the outer function rebuilds the
// original source by substituting tokens from the '|'-separated word list at the end
// (the endpoint paths, parameter names and values are all sitting there in clear text),
// then hands the result to eval. Replacing eval with console.log prints the rebuilt source.
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('$("#A").f(3(){$("#8").5("9");$("#7").4("1");$("#2").5("1",3(){e 0=$.h({i:"j",b:"v",c:{u:"t",},d:g});m(0.6==k){$("#2").a(0.s)}q{$("#2").a("<p> l r n: "+0.6+" "+0.o+"</p>")}$("#2").4("1",3(){$("#7").5("9",3(){$("#8").4("1")})})})});$("#w").f(3(){$("#8").5("9");$("#7").4("1");$("#2").5("1",3(){e 0=$.h({i:"j",b:"x",c:{y:"z",},d:g});m(0.6==k){$("#2").a(0.s)}q{$("#2").a("<p> l r n: "+0.6+" "+0.o+"</p>")}$("#2").4("1",3(){$("#7").5("9",3(){$("#8").4("1")})})})});',37,37,'ajaxCall|slow|resultsDiv|function|show|hide|status|loadingSign|submitButton|fast|html|url|data|async|var|submit|false|ajax|type|POST|200|An|if|Occurred|statusText||else|Error|responseText|sOdjh318UD8ismcoa98smcj21dmdoaoIS9|guestData|278fa30ee727b74b9a2522a5ca3bf993087de5a0ac72adff216002abf79146fa|leAdministratorFormOfAwesomeness|278fa30ee727b74b9a2522a5ca3bf993087de5a0ac72adff216002abf79146fahghghmin|adminData|youAreAnAdminOfAwesomenessWoopWoop|leForm'.split('|'),0,{}))

将 eval 修改为 console.log,在浏览器控制台执行

// Guest form handler (unpacked from the page script): hides the button, shows the
// spinner, POSTs the fixed guestData value to the challenge endpoint and renders
// whatever HTML the server returns.
$("#leForm").submit(function() {
    $("#submitButton").hide("fast");
    $("#loadingSign").show("slow");
    $("#resultsDiv").hide("slow", function() {
        var ajaxCall = $.ajax({
            type: "POST",
            url: "278fa30ee727b74b9a2522a5ca3bf993087de5a0ac72adff216002abf79146fa",
            data: {
                // hard-coded value; the server-side check compares against "adminData", not this
                guestData: "sOdjh318UD8ismcoa98smcj21dmdoaoIS9",
            },
            async: false // synchronous XHR: the callback blocks until the response arrives
        });
        if (ajaxCall.status == 200) {
            $("#resultsDiv").html(ajaxCall.responseText) // server response inserted as HTML
        } else {
            $("#resultsDiv").html("<p> An Error Occurred: " + ajaxCall.status + " " + ajaxCall.statusText + "</p>")
        }
        $("#resultsDiv").show("slow", function() {
            $("#loadingSign").hide("fast", function() {
                $("#submitButton").show("slow")
            })
        })
    })
});
// Admin form handler (unpacked from the page script). Both the admin-only endpoint
// path and the adminData value the server accepts are embedded here in client code,
// so anyone who reads the page source can replay this request without being an
// administrator. Hiding the URL and obfuscating the script is not an access control;
// the server has to authorize the request from the authenticated session.
$("#leAdministratorFormOfAwesomeness").submit(function() {
    $("#submitButton").hide("fast");
    $("#loadingSign").show("slow");
    $("#resultsDiv").hide("slow", function() {
        var ajaxCall = $.ajax({
            type: "POST",
            url: "278fa30ee727b74b9a2522a5ca3bf993087de5a0ac72adff216002abf79146fahghghmin",
            data: {
                // this is the exact value the server-side equalsIgnoreCase check expects
                adminData: "youAreAnAdminOfAwesomenessWoopWoop",
            },
            async: false // synchronous XHR: the callback blocks until the response arrives
        });
        if (ajaxCall.status == 200) {
            $("#resultsDiv").html(ajaxCall.responseText) // server response inserted as HTML
        } else {
            $("#resultsDiv").html("<p> An Error Occurred: " + ajaxCall.status + " " + ajaxCall.statusText + "</p>")
        }
        $("#resultsDiv").show("slow", function() {
            $("#loadingSign").hide("fast", function() {
                $("#submitButton").show("slow")
            })
        })
    })
});
undefined

发现管理员功能代码,请求的路径为 278fa30ee727b74b9a2522a5ca3bf993087de5a0ac72adff216002abf79146fahghghmin
请求参数为 adminData=youAreAnAdminOfAwesomenessWoopWoop

解题步骤

请求地址

/challenges/278fa30ee727b74b9a2522a5ca3bf993087de5a0ac72adff216002abf79146fahghghmin

请求参数

adminData=youAreAnAdminOfAwesomenessWoopWoop

总结

前端的加密(实际上只是代码混淆)比较弱,花一些时间是可以还原出来的。根本原因在于服务端仅凭一个隐藏的 URL 和写死在前端代码里的固定参数值来判断管理员身份,而没有基于登录会话做真正的权限校验。
