http://www.bright-shadows.net/
1.
<link rel="stylesheet" type="text/css" href="/styles.css"><script type="text/javascript">
function usercheck() {
input_user=document.formular.user.value;
if (input_user=="warmup") {
window.location.href=input_user +".php";
}
else {
alert("Go home!");
window.location.href="http://www.disney.com";
}
}
</script>
warmup.php
2.
view-source:http://www.bright-shadows.net/challenges/scripts/js2/index.php
<body onLoad="password()" class="usual" link="#FF9900" bgcolor="#D0D0D0"> 를 보면
D0D0FF.php
3. view-source:http://www.bright-shadows.net/challenges/levelj3/index.php
add = year;
for (i = 1; i<= year;i++)
{
add +=year+i;
}
if (add == 395425559298)
{
alert("Good job! You got it!");
window.location.href=year+".php";
}
인데 무식하게 반복문으로 돌리면 안된다. 살펴보면 다음과 같은 공식을 도출해 낼 수 있다.
year + (year + 1) + (year + 2) + (year + 3) ... + (year + year) = 395425559298 이걸 또 간추리면.
year + (year * year) + (1+2+3+4....year) = 395425559298 이 된다. year=n이라고 하면.
n + n^2 + (n(n+1))/2 = 395425559298 가 되고.... 밑변에 2씩 곱한후 좌측으로 다 옮기면
3n^2 + 3n -2*395425559298 = 0이 된다. 이걸 근의 공식을 쓰면 513436 가 나온다.
513436.php
4.
http://www.bright-shadows.net/challenges/levelj4/JavaScript 에 소스가 숨겨져 있다.
thebestoneisthis.php
5. 해석해보면 이렇게 하면 될거라는걸 알 수 있다.
6. view-source:http://www.bright-shadows.net/challenges/javascript6/index.php 에서
<link rel="stylesheet" type="text/css" href="/styles.css"><script type="text/javascript" src="www.bright-shadows.net/challenges/js/check.js"></script> 발견.
http://www.bright-shadows.net/challenges/javascript6/www.bright-shadows.net/challenges/js/check.js
niceeyes.php
7.
<script language="JScript.Encode">#@~^xgMAAA==@#@&0; mDkW P14+13\+v0G.s#P@#@& @#@&\m.~Ek+MPxPWGM: EknDc\Cs!+@#@&-mD~wmdkPx,0KD:cwmd/c\CV!+@#@&b0PvcEk+D,xxPr:bm.W^.mwE#,'[,`2Ck/Pxx,J8DKVxE*#@#@&dP@#@&7dmVnDD`E%kmDb2Ycwta~r/,XKE.P.C 3;wrbi@#@&7N@#@&+sd@#@&dP@#@&dC^+MY`r?K.DHR~KMX~CTlk ZJ*i@#@&7.+DEMx~0Csk+I@#@&78@#@&N@#@&0EU^DkGx,[b/C(VIkTtD/VbmV`#@#@&P@#@&,~\mDPsnd/moPxPE]bo4Y,^VbmV~9k/C8^+[Jp@#@&P~@#@&,Pk6`e[W1Eh+ Y .botD/Vbm3Grdl(VNbP&&,kUkDrl^k"n@#@&P~`@#@&~P,~b0c9W1E:xD VmXnDk#~@#@&PP,~ @#@&P,~~P,NKm;:nUDR^laOEM+3-xYdcA\nxD triU2Grg#p@#@&,P~P,P[G1E:UYcWxsG;/NKhUPx~9kdl(s+"kL4DZVr^0i@#@&,~,PN@#@&,PP,+^d+,NGm!:nUDRW ^W Y+XOh+ E,'~Nrdm4s+"ro4Y/sbm3I@#@&P~P,.Y;Mx,NW1EsnxDR.kTtO/^km09kkl4^n[P{PDD;+I@#@&P~8@#@&P,kWc9Wm;hxOR^CH+.kP-uPvNK^Es+UYconOAV+snxDAX&[~[LPeNGm;hxORmsV*#@#@&,P @#@&,P~PbW,`nch4km4'{+u-+ h4k^4{'&*@#@&,PP,`@#@&,P,P~PCsDO`sn/klLn*i@#@&~,P~P,.Y;Mx,0l^/I@#@&P~P,8@#@&,P8@#@&P,+Vkn@#@&,PP@#@&P~~,ls+MO`s+ddmo+bI@#@&~P,~M+O!D P0mVkni@#@&~P)@#@&N@#@&Nbdl(V+"rLtDZ^k^3cbp@#@&HAwBAA==^#~@</script>
가 보이는데
http://www.greymagic.com/security/tools/decoder/decoder.asp 에서 해독
jscript.php
8. view-source:http://www.bright-shadows.net/challenges/javascript9/index.php
<script language="JavaScript">
function password() {
pass=unescape("%32%33%34%36%61%64%32%37%64%37%35%36%38%62%61%39%38%39%36%66%31%62%37%64%61%36%62%35%39%39%31%32%35%31%64%65%62%64%66%32");
input="";
do {
input=prompt("Password:","");
} while ((input=="")||(input==null));
if (hex_crypt(input) == pass)
{
window.location.href=input+".php";
}
else
{
window.location.href="wrong.php";
}
}
</script>
이고 hex_crypt함수는 http://www.bright-shadows.net/challenges/javascript9/crypt.js 에 있다. 처음엔 복호화 코드를 짜려고했는데 너무 복잡하다.
unescape("%32%33%34%36%61%64%32%37%64%37%35%36%38%62%61%39%38%39%36%66%31%62%37%64%61%36%62%35%39%39%31%32%35%31%64%65%62%64%66%32");값과 내가넣은값을 hex_crypt함수에 돌린 값과 같아야하는데 unescape해보면 영소문자+숫자 40자이다. sha1를 예상하고 풀어봤더니 hash가 나왔다.
'webhacking > client' 카테고리의 다른 글
| happy-security.de javascript 1~7,9,10 (0) | 2015.01.22 |
|---|---|
| hack this site JavaScript 1~7 (0) | 2015.01.20 |
| webhacking.kr 10,14,15,16,17,20,23,24 (0) | 2015.01.08 |
| Security Override Javascript 1~8 (0) | 2014.12.19 |
| Net-Force javascript 7 (0) | 2014.12.04 |