OverTheWire Natas game (21-34)

natas solution (21-34)

Natas Level 20 → Level 21

Username: natas21
URL:      http://natas21.natas.labs.overthewire.org

This level involves the idea of a shared session, which counts as the takeaway from it.

After opening the page you see the hint

Note: this website is colocated with http://natas21-experimenter.natas.labs.overthewire.org

Before looking at that site, first look at this site's source


<?php
function print_credentials() { /* {{{ */
    if($_SESSION and array_key_exists("admin", $_SESSION) and $_SESSION["admin"] == 1) {
        print "You are an admin. The credentials for the next level are:<br>";
        print "<pre>Username: natas22\n";
        print "Password: <censored></pre>";
    } else {
        print "You are logged in as a regular user. Login as an admin to retrieve credentials for natas22.";
    }
}
/* }}} */

session_start();
print_credentials();
?>

As in the previous level, the key is $_SESSION["admin"] == 1

On the other site there are three boxes to fill in that control the div in the middle

Look at the source

<?php
session_start();

// if update was submitted, store it
if(array_key_exists("submit", $_REQUEST)) {
    foreach($_REQUEST as $key => $val) {
        $_SESSION[$key] = $val;
    }
}

if(array_key_exists("debug", $_GET)) {
    print "[DEBUG] Session contents:<br>";
    print_r($_SESSION);
}

// only allow these keys
$validkeys = array("align" => "center", "fontsize" => "100%", "bgcolor" => "yellow");
$form = "";

$form .= '<form action="index.php" method="POST">';
foreach($validkeys as $key => $defval) {
    $val = $defval;
    if(array_key_exists($key, $_SESSION)) {
        $val = $_SESSION[$key];
    } else {
        $_SESSION[$key] = $val;
    }
    $form .= "$key: <input name='$key' value='$val' /><br>";
}
$form .= '<input type="submit" name="submit" value="Update" />';
$form .= '</form>';

$style = "background-color: ".$_SESSION["bgcolor"]."; text-align: ".$_SESSION["align"]."; font-size: ".$_SESSION["fontsize"].";";
$example = "<div style='$style'>Hello world!</div>";
?>

You can see it is very like the previous level; for example, here the key/value pairs from $_REQUEST are taken out and assigned into $_SESSION

// if update was submitted, store it
if(array_key_exists("submit", $_REQUEST)) {
    foreach($_REQUEST as $key => $val) {
        $_SESSION[$key] = $val;
    }
}

Then we find that this page only cares about these three keys

$validkeys = array("align" => "center", "fontsize" => "100%", "bgcolor" => "yellow");
$form .= '<form action="index.php" method="POST">';
foreach($validkeys as $key => $defval) {
    $val = $defval;
    if(array_key_exists($key, $_SESSION)) {
        $val = $_SESSION[$key];
    } else {
        $_SESSION[$key] = $val;
    }
    $form .= "$key: <input name='$key' value='$val' /><br>";
}

There is no filtering at all: we just capture the request in Burp and add an admin=1 parameter to it, and it gets stored in the session. Because the two pages share the session, copying the PHPSESSID from the request and using it on the main page is enough.
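As an added example (not the natas source or OverTheWire's own code), here is the experimenter page's session-update logic beside an allow-listed version. $_SESSION is modelled as a plain array and session_start() is left out so the script runs from the CLI; the $request array, the value pattern and the function names are constructed for this illustration.

```php
<?php
// Added example, not part of the natas21 source. $_SESSION is modelled as a
// plain array so the script runs from the CLI; all inputs are constructed.

// Vulnerable shape (as on the experimenter page): every request parameter
// is copied into the session, so a client can plant "admin" => "1", and any
// site sharing the same session store and PHPSESSID cookie will trust it.
function store_prefs_vulnerable(array $request, array &$session): void
{
    if (array_key_exists("submit", $request)) {
        foreach ($request as $key => $val) {
            $session[$key] = $val;
        }
    }
}

// Hardened shape: iterate over the allow-list, never over the request, and
// validate each value. The value pattern is an assumption for this example.
function store_prefs_hardened(array $request, array &$session, array $validkeys): void
{
    if (!array_key_exists("submit", $request)) {
        return;
    }
    foreach ($validkeys as $key => $defval) {
        $val = array_key_exists($key, $request) ? (string) $request[$key] : $defval;
        if (preg_match('/^[A-Za-z0-9%#]{1,16}$/', $val) !== 1) {
            $val = $defval;   // fall back to the default on anything unexpected
        }
        $session[$key] = $val;
    }
}

// Same privilege test the natas21 main page performs on $_SESSION.
function is_admin(array $session): bool
{
    return $session && array_key_exists("admin", $session) && $session["admin"] == 1;
}

$validkeys = array("align" => "center", "fontsize" => "100%", "bgcolor" => "yellow");

// Constructed request: an ordinary form update with one extra field.
$request = array(
    "align" => "left", "fontsize" => "120%", "bgcolor" => "yellow",
    "admin" => "1", "submit" => "Update",
);

$session = array();
store_prefs_vulnerable($request, $session);
printf("vulnerable: keys=[%s] admin=%s\n",
    implode(",", array_keys($session)), is_admin($session) ? "yes" : "no");

$session = array();
store_prefs_hardened($request, $session, $validkeys);
printf("hardened:   keys=[%s] admin=%s\n",
    implode(",", array_keys($session)), is_admin($session) ? "yes" : "no");
```

Run it with `php` from the command line. The allow-list loop is the fix for the mass-assignment bug; the second, independent problem is that a low-trust page writes into the same session store that a higher-trust page reads, so a real deployment would also keep the two sites on separate session cookies or store the admin flag somewhere the experimenter page cannot write.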

Username: natas22
Password: chG9fbe1Tq2eWVMgjYYD1MsfIvN461kJ

Natas Level 21 → Level 22

Username: natas22
URL:      http://natas22.natas.labs.overthewire.org

This level is so simple it makes you doubt it, but the result is correct

The explanation I found is that capturing with Burp shows the result before the check happens; looking at the source, that is indeed the case.

You can see that as long as the revelio parameter is present, it prints directly


<?php
    if(array_key_exists("revelio", $_GET)) {
        print "You are an admin. The credentials for the next level are:<br>";
        print "<pre>Username: natas23\n";
        print "Password: <censored></pre>";
    }
?>

But it immediately checks your session and, if it does not match, redirects you to /


<?php
session_start();

if(array_key_exists("revelio", $_GET)) {
    // only admins can reveal the password
    if(!($_SESSION and array_key_exists("admin", $_SESSION) and $_SESSION["admin"] == 1)) {
        header("Location: /");
    }
}
?>

So after capturing the request and sending it to Repeater, the password is visible, but if you Forward it from the Proxy and look at the page, there is nothing there, because once it is forwarded the session gets checked.
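As an added example (not the natas22 source), the two PHP blocks of the page are modelled as functions that return the status code and body instead of writing to the real response, so the script runs from the CLI. The function names, the placeholder page shell and the $get/$session arrays are constructed for this illustration.

```php
<?php
// Added example, not the natas22 source. Both halves of the page are modelled
// as functions returning [status, body] instead of writing to the real
// response, so the script runs from the CLI; $get and $session are constructed.

function is_admin(array $session): bool
{
    return $session && array_key_exists("admin", $session) && $session["admin"] == 1;
}

// Vulnerable shape: header("Location: /") queues a redirect but does not end
// the script, so the later block still appends the credentials to the body.
// A browser follows the 302 and never shows it; a client that reads the raw
// response (Burp Repeater, curl without -L) sees the body as sent.
function page_vulnerable(array $get, array $session): array
{
    $status = 200;
    $body = "";
    if (array_key_exists("revelio", $get)) {
        if (!is_admin($session)) {
            $status = 302;            // header("Location: /") with no exit
        }
    }
    $body .= "<html>...page shell...</html>\n";   // the HTML between the two PHP blocks
    if (array_key_exists("revelio", $get)) {
        $body .= "You are an admin. The credentials for the next level are: <censored>\n";
    }
    return array($status, $body);
}

// Hardened shape: make the decision before any output and stop the script
// on failure (header(...); exit;). Nothing after the check can leak.
function page_hardened(array $get, array $session): array
{
    if (array_key_exists("revelio", $get) && !is_admin($session)) {
        return array(302, "");        // header("Location: /"); exit;
    }
    $body = "<html>...page shell...</html>\n";
    if (array_key_exists("revelio", $get)) {
        $body .= "You are an admin. The credentials for the next level are: <censored>\n";
    }
    return array(200, $body);
}

$get = array("revelio" => "");   // constructed: ?revelio with no admin session
$session = array();

list($status, $body) = page_vulnerable($get, $session);
printf("vulnerable: status=%d, body contains credentials: %s\n",
    $status, strpos($body, "credentials") !== false ? "yes" : "no");

list($status, $body) = page_hardened($get, $session);
printf("hardened:   status=%d, body contains credentials: %s\n",
    $status, strpos($body, "credentials") !== false ? "yes" : "no");
```

The point to take from this level is that header() only sets a response header; it neither stops execution nor discards output. A redirect used as an access control must be followed by exit (or die), and the check must run before anything sensitive is emitted. In a detection or review setting, a `header("Location:` call with no exit on the next line is a cheap grep-able pattern.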

Username: natas23
Password: D0vlad33nQF0Hz2EP255TP5wSW9ZsRSE

Natas Level 22 → Level 23

Username: natas23
URL:      http://natas23.natas.labs.overthewire.org

Very strange, the difficulty suddenly dropped sharply


<?php
    if(array_key_exists("passwd",$_REQUEST)){
        if(strstr($_REQUEST["passwd"],"iloveyou") && ($_REQUEST["passwd"] > 10 )){
            echo "<br>The credentials for the next level are:<br>";
            echo "<pre>Username: natas24 Password: <censored></pre>";
        }
        else{
            echo "<br>Wrong!<br>";
        }
    }
    // morla / 10111
?>

Once you read up on strstr it becomes clear; construct the payload

http://natas23.natas.labs.overthewire.org/?passwd=1234iloveyou
Username: natas24 Password: OsRmXFguozKpTZZ5X14zNO43379LZveg
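As an added example (not the natas23 source), the level's loose check is shown beside a version with explicit types, run over a few constructed inputs. The function names are constructed, and the hardened version assumes the intended meaning was "contains iloveyou and is longer than 10 characters".

```php
<?php
// Added example, not the natas23 source. Shows why the level's loose
// comparison accepts the payload, and a version with explicit types.
// All inputs are constructed; the "longer than 10 characters" intent
// is an assumption for the hardened version.

// As in natas23: strstr() yields the matched tail (truthy) when found, and
// then a string is compared with the integer 10 using PHP's loose rules.
function check_loose(string $passwd): bool
{
    return strstr($passwd, "iloveyou") && ($passwd > 10);
}

// Explicit types: the substring test returns bool, and the length test
// compares int with int, so PHP's string-to-number juggling never runs.
function check_strict(string $passwd): bool
{
    return strpos($passwd, "iloveyou") !== false && strlen($passwd) > 10;
}

$inputs = array(
    "iloveyou",        // contains the word, 8 characters
    "1234iloveyou",    // the page's payload
    "iloveyou1234",    // digits after the word
    "12345678901",     // long, but no "iloveyou"
);

printf("PHP %s\n", PHP_VERSION);
foreach ($inputs as $p) {
    printf("%-16s loose=%-5s strict=%s\n", $p,
        check_loose($p) ? "true" : "false",
        check_strict($p) ? "true" : "false");
}
```

The loose result depends on the PHP major version. Under PHP 7, a string compared with an integer is converted to its leading number, so "1234iloveyou" > 10 becomes 1234 > 10 (true) while "iloveyou" > 10 becomes 0 > 10 (false). Under PHP 8, a non-numeric string is compared with the integer as strings, so "1234iloveyou" > "10" is still true and "iloveyou" > "10" is now true as well. Either way the check is not the length check it looks like, which is why the number-first payload above works; comparing untrusted strings to integers with `>`/`==` is the bug, and strlen() or a strict `===` against an expected value removes it.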

Natas Level 23 → Level 24

Username: natas24
URL:      http://natas24.natas.labs.overthewire.org

In this level I learned something new, which made me very happy, and it is also very interesting. It is something from 2013.

First look at the source

 
 
