Bugku CTF - 源代碼 writeup (zh-TW)
題目資訊
- 分類: Web
- 難度: Easy
- 描述: 看看源代码?
- 解決人次: 13558
- 題目連結: https://ctf.bugku.com/challenges/detail/id/80.html
解題過程
Step 1: 發現混淆的 JavaScript
查看網頁原始碼,發現一段被 URL 編碼的 JavaScript:
<script>
var p1 = '%66%75%6e%63%74%69%6f%6e%20%63%68%65%63%6b%53%75%62%6d%69%74%28%29%7b%76%61%72%20%61%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%70%61%73%73%77%6f%72%64%22%29%3b%69%66%28%22%75%6e%64%65%66%69%6e%65%64%22%21%3d%74%79%70%65%6f%66%20%61%29%7b%69%66%28%22%36%37%64%37%30%39%62%32%62';
var p2 = '%61%61%36%34%38%63%66%36%65%38%37%61%37%31%31%34%66%31%22%3d%3d%61%2e%76%61%6c%75%65%29%72%65%74%75%72%6e%21%30%3b%61%6c%65%72%74%28%22%45%72%72%6f%72%22%29%3b%61%2e%66%6f%63%75%73%28%29%3b%72%65%74%75%72%6e%21%31%7d%7d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%6c%65%76%65%6c%51%75%65%73%74%22%29%2e%6f%6e%73%75%62%6d%69%74%3d%63%68%65%63%6b%53%75%62%6d%69%74%3b';
eval(unescape(p1) + unescape('%35%34%61%61%32' + p2));
</script>
🔍 關鍵發現:
- 代碼被分成三段:
p1、中間段('%35%34%61%61%32')、p2 - 使用
unescape()解碼後再用eval()執行
Step 2: 識別編碼類型
URL 編碼特徵:
%66%75%6e%63...
^^
百分號 + 兩位十六進制數字
這是標準的 URL 編碼(也叫 Percent Encoding)。
Step 3: 解碼 JavaScript
方法 1: 使用瀏覽器控制台
// 在瀏覽器控制台執行
var p1 = '%66%75%6e%63%74%69%6f%6e%20%63%68%65%63%6b%53%75%62%6d%69%74%28%29%7b%76%61%72%20%61%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%70%61%73%73%77%6f%72%64%22%29%3b%69%66%28%22%75%6e%64%65%66%69%6e%65%64%22%21%3d%74%79%70%65%6f%66%20%61%29%7b%69%66%28%22%36%37%64%37%30%39%62%32%62';
var p2 = '%61%61%36%34%38%63%66%36%65%38%37%61%37%31%31%34%66%31%22%3d%3d%61%2e%76%61%6c%75%65%29%72%65%74%75%72%6e%21%30%3b%61%6c%65%72%74%28%22%45%72%72%6f%72%22%29%3b%61%2e%66%6f%63%75%73%28%29%3b%72%65%74%75%72%6e%21%31%7d%7d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%6c%65%76%65%6c%51%75%65%73%74%22%29%2e%6f%6e%73%75%62%6d%69%74%3d%63%68%65%63%6b%53%75%62%6d%69%74%3b';
console.log(unescape(p1));
console.log(unescape('%35%34%61%61%32'));
console.log(unescape(p2));
// 或直接拼接
console.log(unescape(p1) + unescape('%35%34%61%61%32' + p2));
方法 2: 線上工具
- https://www.urldecoder.org/
- https://meyerweb.com/eric/tools/dencoder/
編碼解碼工具
輸入文本 🔒 編碼
🔓 解碼 Base64
Base32
URL
Binary
Hexadecimal
Binary-Coded Decimal
ROT13
ROT47
Morse Code
Leetspeak 輸出結果 📋 複製結果
🔄 交換輸入輸出
🗑️ 清空全部
Kevin Chen
Step 4: 分析解碼後的代碼
解碼後得到:
function checkSubmit(){
var a=document.getElementById("password");
if("undefined"!=typeof a){
if("67d709b2b54aa2aa648cf6e87a7114f1"==a.value)
return!0;
alert("Error");
a.focus();
return!1
}
}
document.getElementById("levelQuest").onsubmit=checkSubmit;
🎯 關鍵發現:密碼是 67d709b2b54aa2aa648cf6e87a7114f1
Step 5: 提交答案
在密碼欄位輸入破解出的明文密碼,點擊提交。
🎉 成功獲得 Flag!
學習重點
1. URL 編碼識別
編碼格式:
%XX - XX 是兩位十六進制數字
常見字符對照:
%20 = 空格 (space)
%22 = " (雙引號)
%3D = = (等號)
%7B = { (左大括號)
%7D = } (右大括號)
解碼方法:
// JavaScript
unescape('%66%75%6e%63') // 舊方法
decodeURIComponent('%66%75%6e%63') // 新方法(推薦)
2. JavaScript 混淆技術
常見混淆類型:
JSFuck
[][(![]+[])[+[]]+...]+...
Base64 編碼
eval(atob('ZnVuYw=='))
十六進制編碼
eval('\x66\x75\x6e\x63')
Packer 混淆
eval(function(p,a,c,k,e,d){...}('...',60,60,'...'))
URL 編碼(本題)
eval(unescape('%66%75%6e%63...'))
解混淆策略:
- 不要執行
eval(),改用console.log()查看內容 - 逐層解碼,不要一次全解
- 使用線上工具輔助
Member discussion