目录
第一关
第二关
第三关
第四关
第五关
第一关
要求:
Pop an alert(1337) on sandbox.pwnfunction.com.
No user interaction.
代码:
<!-- Challenge -->
<h2 id="spaghet"></h2>
<script>
spaghet.innerHTML = (new URL(location).searchParams.get('somebody') || "Somebody") + " Toucha Ma Spaghet!"
</script>
第一步先判断传参点,发现位于倒数第二行。
<script>alert(1337)<script> 被过滤了
发现有一个标签没有被过滤,执行js代码
第二关
要求:
Pop an alert(1337) on sandbox.pwnfunction.com.
No user interaction.
<h2 id="maname"></h2>
<script>
let jeff = (new URL(location).searchParams.get('jeff') || "JEFFF")
let ma = ""
eval(`ma = "Ma name ${jeff}"`)
setTimeout(_ => {
maname.innerText = ma
}, 1000)
</script>
看源码初步判断漏洞点 eval(`ma = "Ma name ${jeff}"`)
查看html页面
输出到了jefff的位置
alert(1337)被当作字符串输出到页面,运用sql中逃逸引号闭合
最后再加上-
第三关
<div id="uganda"></div>
<script>
let wey = (new URL(location).searchParams.get('wey') || "do you know da wey?");
wey = wey.replace(/[<>]/g, '')
uganda.innerHTML = `<input type="text" placeholder="${wey}" class="form-control">`
</script>
第四关
<form id="ricardo" method="GET">
<input name="milos" type="text" class="form-control" placeholder="True" value="True">
</form>
<script>
ricardo.action = (new URL(location).searchParams.get('ricardo') || '#')
setTimeout(_ => {
ricardo.submit()
}, 2000)
</script>
ricardo.submit() 发现提交没做任何限制就直接上传js。
第五关
<h2 id="will"></h2>
<script>
smith = (new URL(location).searchParams.get('markassbrownlee') || "Ah That's Hawt")
smith = smith.replace(/[\(\`\)\\]/g, '')
will.innerHTML = smith
</script>
没有过滤<>那就可以用img标签
括号被过滤,给括号编码(运用location)