XCTF-NaNNaNNaNNaN-Batman
阿新 • • 發佈:2020-10-16
下載附件,開啟後發現有亂碼
使用網頁開啟後發現是一個輸入框
我們把最後的eval()函式換成console.log()過濾一下亂碼
再重新排版一下得到:
function $(){ var e=document.getElementById("c").value; if(e.length==16)//輸入引數要為16位 if(e.match(/^be0f23/)!=null) // if(e.match(/233ac/)!=null) if(e.match(/e98aa$/)!=null)if(e.match(/c7be9/)!=null){ var t=["fl","s_a","i","e}"]; var n=["a","_h0l","n"]; var r=["g{","e","_0"]; var i=["it'","_","n"]; var s=[t,n,r,i]; for(var o=0;o<13;++o){ document.write(s[o%4][0]);s[o%4].splice(0,1)} } } document.write('<input id="c"><button onclick=$()>Ok</button>'); delete _
審計程式碼後發現flag沒有我們輸入的引數,直接控制檯執行:
var t=["fl","s_a","i","e}"]; var n=["a","_h0l","n"]; var r=["g{","e","_0"];var i=["it'","_","n"]; var s=[t,n,r,i]; var r=""; for(var o=0;o<13;++o){ r+=s[o%4][0]; s[o%4].splice(0,1); } r
得到flag