First Commit

2024-09-09 17:16:59 +08:00 · 2024-09-09 17:16:59 +08:00 · 7df45e4453
commit 7df45e4453
4 changed files with 94 additions and 0 deletions
--- a/6
+++ b/6
@ -0,0 +1,6 @@
+FROM php:8.2-cli
+
+COPY _files/src /app
+WORKDIR /app
+
+CMD [ "php", "-S", "0.0.0.0:80" ]
--- a/_files/src/dump.pcap
+++ b/_files/src/dump.pcap
--- a/_files/src/index.html
+++ b/_files/src/index.html
@ -0,0 +1,48 @@
+<!DOCTYPE html>
+<html lang="zh">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>登录页面</title>
+    <script>
+        function xorEncrypt(data, key) {
+            let out = '';
+            for (let i = 0; i < data.length; i++) {
+                out += String.fromCharCode(data.charCodeAt(i) ^ key.charCodeAt(i % key.length));
+            }
+            return out;
+        }
+
+        function login() {
+            const username = document.getElementById('username').value;
+            const password = document.getElementById('password').value;
+            const key = 'FakeKey'; // localhost/dump.pcap
+
+            // 加密密码
+            const encryptedPassword = xorEncrypt(password, key);
+
+            // 发送请求
+            const xhr = new XMLHttpRequest();
+            xhr.open('POST', 'server.php', true);
+            xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
+            xhr.onreadystatechange = function () {
+                if (xhr.readyState === 4 && xhr.status === 200) {
+                    // 处理响应
+                    const response = xhr.responseText;
+                    alert(response);
+                }
+            };
+            xhr.send(`username=${encodeURIComponent(username)}&password=${encodeURIComponent(encryptedPassword)}`);
+        }
+    </script>
+</head>
+<body>
+    <h1>登录</h1>
+    <label for="username">用户名:</label>
+    <input type="text" id="username" required><br><br>
+    <label for="password">密码:</label>
+    <input type="password" id="password" required><br><br>
+    <button onclick="login()">登录</button>
+</body>
+</html>
+
--- a/_files/src/server.php
+++ b/_files/src/server.php
@ -0,0 +1,40 @@
+<?php
+// server.php
+
+// 定义一个简单的用户数据库
+$users = [
+    'admin' => '04f94c31-7845-469b-ba4e-1fdbabb511f4', // 用户名 => 密码
+];
+
+// 从环境变量中读取 Flag，如果没有则使用默认值
+$flag = getenv('GZCTF_FLAG') ?: 'CTF{this_is_test_flag}';
+
+// 异或加密函数
+function xor_encrypt($data, $key) {
+    $out = '';
+    for ($i = 0; $i < strlen($data); $i++) {
+        $out .= $data[$i] ^ $key[$i % strlen($key)];
+    }
+    return $out;
+}
+
+// 处理 POST 请求
+if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+    $username = $_POST['username'] ?? '';
+    $encrypted_password = $_POST['password'] ?? '';
+    $key = '1e72c059-3a93-4f6f-839e-aa0c0784cd29';
+
+    // 解密密码
+    $password = xor_encrypt($encrypted_password, $key);
+
+    // 验证用户
+    if (isset($users[$username]) && $users[$username] === $password) {
+        // 登录成功，返回加密的 Flag
+        $encrypted_flag = xor_encrypt($flag, $key);
+        echo "登录成功！Flag: " . base64_encode($encrypted_flag); // 使用 Base64 编码以便于传输
+    } else {
+        echo "用户名或密码错误！";
+    }
+}
+?>
+