2. Hacking Lab script level [detailed writeup]
2022-07-02 10:46:00 【qwsn】
II. Script level
1. The key can't be found again
Score: 200
Hint:
Xiao Ming is in tears this time: the key can't be found again!!! Key, where on earth are you hiding, and why can't I see you on the page!!!!!!
Challenge address
Solution steps:
Step 1: Open the challenge address. The page contains an a-tag hyperlink; the HTML source shows that it points to search_key.php.
Step 2: Click the hyperlink, study the content that is echoed back, and watch the network traffic.
Step 3: Intercepting the request with BurpSuite shows that search_key.php uses window.location="./no_key_is_here_forever.php" to jump to another page. The same response also contains the real key value.
Step 4: Get the key value directly with a Python script.
# coding=utf-8
# Import the requests library.
import requests
# URL of the target page.
url = 'http://lab1.xseclab.com/xss1_30ac8668cd453e7e387c76b132b140bb/search_key.php'
# Create a requests Session object named http; it keeps a persistent session.
http = requests.Session()
# Send a GET request without following HTTP redirects (requests follows them by default).
response = http.get(url, allow_redirects=False)
# Decode the returned page as utf-8.
response.encoding = 'utf-8'
# Print the returned page. requests does not run JavaScript, so the
# window.location jump never happens and the whole body is shown.
print(response.text)
# Print the status code.
print(response.status_code)
Summary:
(1) JavaScript window.location methods and what they do:
assign(): navigate to a new page
reload(): force a reload of the current page from the server
replace(): replace the current page with a new URL
(2) The following two forms have the same effect: both jump to the specified page.
Method 1: window.location.assign("https://clqwsn.blog.csdn.net/");
Method 2: window.location = "https://clqwsn.blog.csdn.net/";
(3) Sessions:
A Session object from the requests library keeps certain parameters across requests. Put simply, if you log in to a website with a session, then visiting other pages of that site with the same Session object will by default reuse the cookies and other parameters the session used before.
So requests.Session() maintains the session; in general terms, it lets us keep some parameters across requests.
(4) Differences and similarities between requests.get() and requests.Session().get():
Both send the GET request through sessions.Session. The only difference is that the former disconnects immediately after the request (the connection is used only once), while the latter must be closed manually (the connection can be reused).
(5) The syntax of the two kinds of GET request is as follows:
#########################################
import requests
url = 'http://lab1.xseclab.com/xss1_30ac8668cd453e7e387c76b132b140bb/search_key.php'
# 1. Send a GET request directly with requests.
response = requests.get(url)
response.encoding = 'utf-8'
print(response.text)
################# Divider ###################
# 2. Create a Session object first, then send the GET request through it.
http = requests.Session()
response = http.get(url)
response.encoding = 'utf-8'
print(response.text)
# Close the session manually once it is no longer needed.
http.close()
################# Divider ###################
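The lesson of step three from the server side, as an added example (not code from the original writeup): anything placed in a response body next to a window.location redirect is still delivered to the client. The code below checks a body for the redirect forms from summary items (1) and (2) and reports the content that travels with it; inspect_body, leaks_behind_redirect and the sample body are assumptions constructed for illustration.

```python
import re

# Client-side redirects named in the summary: window.location = "...",
# window.location.assign("...") and window.location.replace("...").
REDIRECT_RE = re.compile(
    r"""window\.location(?:\.href)?\s*=\s*["']([^"']+)["']"""
    r"""|window\.location\.(?:assign|replace)\(\s*["']([^"']+)["']\s*\)"""
)
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
TAG_RE = re.compile(r"<[^>]+>")

# Constructed sample body (not the real response; the key is a placeholder).
SAMPLE_BODY = """<html><body>
<script>window.location="./no_key_is_here_forever.php";</script>
<!-- key: EXAMPLE-PLACEHOLDER -->
</body></html>"""


def inspect_body(body):
    """Return (redirect_target, leftover) for one HTTP response body.

    redirect_target is None when no window.location redirect is present.
    leftover is the text outside <script> blocks (HTML comments included),
    i.e. what reaches the client even though the browser navigates away.
    """
    match = REDIRECT_RE.search(body)
    target = (match.group(1) or match.group(2)) if match else None
    no_scripts = SCRIPT_RE.sub(" ", body)
    comments = COMMENT_RE.findall(no_scripts)
    visible = TAG_RE.sub(" ", COMMENT_RE.sub(" ", no_scripts))
    leftover = " ".join(" ".join(comments + [visible]).split())
    return target, leftover


def leaks_behind_redirect(body):
    """True when a body both redirects client-side and carries other content."""
    target, leftover = inspect_body(body)
    return target is not None and bool(leftover)


if __name__ == "__main__":
    print(inspect_body(SAMPLE_BODY))
    print(leaks_behind_redirect(SAMPLE_BODY))
```

A page that must hide content from unauthorised visitors should decide that on the server and leave the content out of the response, rather than rely on the browser leaving the page.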