-
-
看雪CTF.TSRC 2018 团队赛-第10题
-
2018-12-19 15:00
2219
-
1. delphi的程序, 内置了一个TWebBrowser
在_Tfrmcrackme_FormShow中初始化脚本
添加语句的时候都会调用GetOleObject函数
CODE:0046906C push offset _str___DOCTYPE_HTML_.Text
CODE:00469071 push offset dword_46950C
CODE:00469076 push offset dword_469518
CODE:0046907B lea edx, [ebp-30h]
CODE:0046907E mov eax, [ebp-8]
CODE:00469081 mov eax, [eax+2F8h]
CODE:00469087 call @Olectrls@TOleControl@GetOleObject$qqrv ; Olectrls::TOleControl::GetOleObject(void)
在GetOleObject下断, 可以得到完整的脚本(直接运行后搜整个内存也行)
<input value="" id="pswd" size=39></input>
<input type=button value="checkMyFlag" onclick="ckpswd();>
<script>
eval(function(s, p, a, c, k, e, d) {
for (i = 0; i < k.length; i++) k[i] = k[i].replace(s, '');
e = function(c) {
eval(document.write(String.fromCharCode(13)));
return (eval(c < a) ? '' : e(parseInt(c / a))) + ((c = c % a) > 35 ? String.fromCharCode(c + 29) : c.toString(36))
};
if (!''.replace(/^/, String)) {
while (c--) d[e(c)] = k[c] || e(c);
k = [function(e) {
return d[e]
}];
e = function() {
return '\\w+'
};
c = 1
};
while (c--)
if (k[c]) p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c]);
return p
}('$$$', '8 4() { 1 = 6.3.e.f; 9 (1 == "b") { 2("5!") } 7 { 2("g!<" + 1 + "> a d c 0 ;-)") }}', 62, 17, 'GUID$$$@a$$$@alert$$$@all$$$@ckpswd$$$@congratulations$$$@document$$$@else$$$@function$$$@if$$$@is$$$@kanxueCTF2018bySimpower91$$$@my$$$@not$$$@pswd$$$@value$$$@wrong$$$'.split('@'), 0, {}))
</script>
在return p之前加一行document.write(p);得到明文脚本
function ckpswd() { a = document.all.pswd.value; if (a == "kanxueCTF2018bySimpower91") { alert("congratulations!") } else { alert("wrong!<" + a + "> is not my GUID ;-)") }}
[CTF入门培训]顶尖高校博士及硕士团队亲授《30小时教你玩转CTF》,视频+靶场+题目!助力进入CTF世界
最后于 2018-12-19 23:20
被风间仁编辑
,原因:
