webhacking/client

TheBlackSheep Javascript 1~8

qkqhxla1 2015. 1. 12. 19:39

http://www.bright-shadows.net/


1.

<link rel="stylesheet" type="text/css" href="/styles.css"><script type="text/javascript">

  function usercheck() {

    input_user=document.formular.user.value;

    if (input_user=="warmup") {

      window.location.href=input_user +".php";

    }

    else {

      alert("Go home!");

      window.location.href="http://www.disney.com";

    }

  }

</script>

warmup.php



2.

view-source:http://www.bright-shadows.net/challenges/scripts/js2/index.php

<body onLoad="password()" class="usual" link="#FF9900" bgcolor="#D0D0D0"> 를 보면


D0D0FF.php



3. view-source:http://www.bright-shadows.net/challenges/levelj3/index.php

add  = year;

  for (i = 1; i<= year;i++)

  {

    add +=year+i;

  }

  if (add == 395425559298) 

  {

    alert("Good job! You got it!");

    window.location.href=year+".php";

  }

인데 무식하게 반복문으로 돌리면 안된다. 살펴보면 다음과 같은 공식을 도출해 낼 수 있다.

year + (year + 1) + (year + 2) + (year + 3) ... + (year + year) = 395425559298 이걸 또 간추리면.

year + (year * year) + (1+2+3+4....year) = 395425559298 이 된다. year=n이라고 하면.

n + n^2 + (n(n+1))/2 = 395425559298 가 되고.... 밑변에 2씩 곱한후 좌측으로 다 옮기면

3n^2 + 3n -2*395425559298 = 0이 된다. 이걸 근의 공식을 쓰면 513436 가 나온다.

513436.php



4.

http://www.bright-shadows.net/challenges/levelj4/JavaScript 에 소스가 숨겨져 있다.

thebestoneisthis.php



5. 해석해보면 이렇게 하면 될거라는걸 알 수 있다.




6. view-source:http://www.bright-shadows.net/challenges/javascript6/index.php 에서

<link rel="stylesheet" type="text/css" href="/styles.css"><script type="text/javascript" src="www.bright-shadows.net/challenges/js/check.js"></script> 발견.

http://www.bright-shadows.net/challenges/javascript6/www.bright-shadows.net/challenges/js/check.js

niceeyes.php



7.

<script language="JScript.Encode">#@~^xgMAAA==@#@&0; mDkW P14+13\+v0G.s#P@#@& @#@&\m.~Ek+MPxPWGM: EknDc\Cs!+@#@&-mD~wmdkPx,0KD:cwmd/c\CV!+@#@&b0PvcEk+D,xxPr:bm.W^.mwE#,'[,`2Ck/Pxx,J8DKVxE*#@#@&dP@#@&7dmVnDD`E%kmDb2Ycwta~r/,XKE.P.C 3;wrbi@#@&7N@#@&+sd@#@&dP@#@&dC^+MY`r?K.DHR~KMX~CTlk ZJ*i@#@&7.+DEMx~0Csk+I@#@&78@#@&N@#@&0EU^DkGx,[b/C(VIkTtD/VbmV`#@#@&P@#@&,~\mDPsnd/moPxPE]bo4Y,^VbmV~9k/C8^+[Jp@#@&P~@#@&,Pk6`e[W1Eh+ Y .botD/Vbm3Grdl(VNbP&&,kUkDrl^k"n@#@&P~`@#@&~P,~b0c9W1E:xD VmXnDk#~@#@&PP,~ @#@&P,~~P,NKm;:nUDR^laOEM+3-xYdcA\nxD triU2Grg#p@#@&,P~P,P[G1E:UYcWxsG;/NKhUPx~9kdl(s+"kL4DZVr^0i@#@&,~,PN@#@&,PP,+^d+,NGm!:nUDRW ^W Y+XOh+ E,'~Nrdm4s+"ro4Y/sbm3I@#@&P~P,.Y;Mx,NW1EsnxDR.kTtO/^km09kkl4^n[P{PDD;+I@#@&P~8@#@&P,kWc9Wm;hxOR^CH+.kP-uPvNK^Es+UYconOAV+snxDAX&[~[LPeNGm;hxORmsV*#@#@&,P @#@&,P~PbW,`nch4km4'{+u-+ h4k^4{'&*@#@&,PP,`@#@&,P,P~PCsDO`sn/klLn*i@#@&~,P~P,.Y;Mx,0l^/I@#@&P~P,8@#@&,P8@#@&P,+Vkn@#@&,PP@#@&P~~,ls+MO`s+ddmo+bI@#@&~P,~M+O!D P0mVkni@#@&~P)@#@&N@#@&Nbdl(V+"rLtDZ^k^3cbp@#@&HAwBAA==^#~@</script>

가 보이는데

http://www.greymagic.com/security/tools/decoder/decoder.asp 에서 해독

jscript.php



8. view-source:http://www.bright-shadows.net/challenges/javascript9/index.php

<script language="JavaScript">

  function password() {

    pass=unescape("%32%33%34%36%61%64%32%37%64%37%35%36%38%62%61%39%38%39%36%66%31%62%37%64%61%36%62%35%39%39%31%32%35%31%64%65%62%64%66%32");

    input="";

    do {

      input=prompt("Password:","");

    } while ((input=="")||(input==null));

    if (hex_crypt(input) == pass)

    {

      window.location.href=input+".php";

    }

    else

    {

      window.location.href="wrong.php";

    }

  }

</script>

이고 hex_crypt함수는 http://www.bright-shadows.net/challenges/javascript9/crypt.js 에 있다. 처음엔 복호화 코드를 짜려고했는데 너무 복잡하다.

unescape("%32%33%34%36%61%64%32%37%64%37%35%36%38%62%61%39%38%39%36%66%31%62%37%64%61%36%62%35%39%39%31%32%35%31%64%65%62%64%66%32");값과 내가넣은값을 hex_crypt함수에 돌린 값과 같아야하는데 unescape해보면 영소문자+숫자 40자이다. sha1를 예상하고 풀어봤더니 hash가 나왔다.

'webhacking > client' 카테고리의 다른 글

happy-security.de javascript 1~7,9,10  (0) 2015.01.22
hack this site JavaScript 1~7  (0) 2015.01.20
webhacking.kr 10,14,15,16,17,20,23,24  (0) 2015.01.08
Security Override Javascript 1~8  (0) 2014.12.19
Net-Force javascript 7  (0) 2014.12.04