1
66beta 2013-08-15 14:07:49 +08:00
I can't figure out how to draw on the canvas in level 3~~
|
2
exoticknight 2013-08-15 18:55:43 +08:00
Do functions not work in the laser puzzle?
|
3
yopming 2013-08-15 20:09:29 +08:00
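@exoticknight For the laser one, just move the two blocks so they reflect the laser: adjust the absolutely positioned coordinates in the terminal, then add a CSS3 rotate.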
|
5
exoticknight 2013-08-15 21:51:15 +08:00
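@yopming Yeah, I've already passed it. One question: there's a guess-the-picture puzzle whose content is 1 1.1. 1.2.…… what is the answer? Also, what are you supposed to submit for the last puzzle? I submitted the CSS code with the adjusted positions and that doesn't seem to work...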
|
6
juicy 2013-08-15 22:53:22 +08:00
@exoticknight Just hide the fingerprint with CSS.
|
7
exoticknight 2013-08-15 23:21:38 +08:00
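@juicy Just change the CSS of the fingerprint div directly? As it happens, I read the JS code, saw that it ends by redirecting to a page, and got through after a Base64.decode... a bit boring.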
|
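An added example, not part of any post in this thread: the reply above got through by decoding a Base64 value found in the page's JavaScript, which works because Base64 is an encoding and anything shipped to the browser is readable. A site owner can run the same kind of check over their own scripts before release. The sample source, the path in it and the function name are constructed for illustration; it uses Node's `Buffer` for decoding.

```javascript
// Constructed sample: a script that "hides" a target path behind Base64.
const ENCODED_PATH = Buffer.from("/placeholder-final.html").toString("base64");
const SAMPLE_JS = [
  "var next = Base64.decode('" + ENCODED_PATH + "');",
  "var label = 'hello';",
  "location.href = next;",
].join("\n");

// Return every quoted literal that is valid-looking Base64 and decodes to
// printable ASCII, i.e. text that any visitor can recover from the source.
function findBase64Literals(source, minLength = 12) {
  const literal = /(['"])([A-Za-z0-9+\/]+={0,2})\1/g;
  const hits = [];
  for (const match of source.matchAll(literal)) {
    const raw = match[2];
    // Base64 output length is always a multiple of 4; short strings are noise.
    if (raw.length < minLength || raw.length % 4 !== 0) continue;
    const decoded = Buffer.from(raw, "base64").toString("utf8");
    if (/^[\x20-\x7e]+$/.test(decoded)) hits.push({ raw, decoded });
  }
  return hits;
}

// Each hit is a value that should be checked server-side instead of hidden client-side.
for (const hit of findBase64Literals(SAMPLE_JS)) {
  console.log(hit.raw, "->", hit.decoded);
}
```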
8
switch 2013-08-15 23:44:21 +08:00
Clearing the levels isn't hard; writing a script that clears them automatically would be pretty interesting, though.
|
9
yopming 2013-08-16 08:39:54 +08:00
@exoticknight www.w3.org. Look at the rough outline of the web page, the blue and black and so on.
|
11
baozijianke 2013-08-16 10:49:06 +08:00 2
@66beta
var c = document.getElementById('qr-canvas').getContext('2d');
c.fillStyle = '#000';
// Each "x,y,w,h" entry describes one black 12x12 square of the QR code.
var strAry, string = "0,0,12,12 12,0,12,12 24,0,12,12 36,0,12,12 48,0,12,12 60,0,12,12 72,0,12,12 120,0,12,12 132,0,12,12 144,0,12,12 168,0,12,12 180,0,12,12 192,0,12,12 204,0,12,12 216,0,12,12 228,0,12,12 240,0,12,12 0,12,12,12 72,12,12,12 96,12,12,12 108,12,12,12 120,12,12,12 144,12,12,12 168,12,12,12 240,12,12,12 0,24,12,12 24,24,12,12 36,24,12,12 48,24,12,12 72,24,12,12 120,24,12,12 132,24,12,12 144,24,12,12 168,24,12,12 192,24,12,12 204,24,12,12 216,24,12,12 240,24,12,12 0,36,12,12 24,36,12,12 36,36,12,12 48,36,12,12 72,36,12,12 96,36,12,12 108,36,12,12 144,36,12,12 168,36,12,12 192,36,12,12 204,36,12,12 216,36,12,12 240,36,12,12 0,48,12,12 24,48,12,12 36,48,12,12 48,48,12,12 72,48,12,12 108,48,12,12 144,48,12,12 168,48,12,12 192,48,12,12 204,48,12,12 216,48,12,12 240,48,12,12 0,60,12,12 72,60,12,12 96,60,12,12 132,60,12,12 168,60,12,12 240,60,12,12 0,72,12,12 12,72,12,12 24,72,12,12 36,72,12,12 48,72,12,12 60,72,12,12 72,72,12,12 96,72,12,12 120,72,12,12 144,72,12,12 168,72,12,12 180,72,12,12 192,72,12,12 204,72,12,12 216,72,12,12 228,72,12,12 240,72,12,12 108,84,12,12 0,96,12,12 12,96,12,12 24,96,12,12 36,96,12,12 48,96,12,12 72,96,12,12 84,96,12,12 96,96,12,12 132,96,12,12 156,96,12,12 180,96,12,12 204,96,12,12 228,96,12,12 0,108,12,12 24,108,12,12 36,108,12,12 60,108,12,12 120,108,12,12 132,108,12,12 144,108,12,12 156,108,12,12 168,108,12,12 216,108,12,12 240,108,12,12 12,120,12,12 36,120,12,12 48,120,12,12 60,120,12,12 72,120,12,12 84,120,12,12 108,120,12,12 120,120,12,12 144,120,12,12 168,120,12,12 180,120,12,12 228,120,12,12 24,132,12,12 36,132,12,12 60,132,12,12 84,132,12,12 96,132,12,12 108,132,12,12 120,132,12,12 132,132,12,12 144,132,12,12 156,132,12,12 168,132,12,12 204,132,12,12 216,132,12,12 0,144,12,12 12,144,12,12 24,144,12,12 48,144,12,12 72,144,12,12 84,144,12,12 96,144,12,12 108,144,12,12 144,144,12,12 180,144,12,12 204,144,12,12 228,144,12,12 96,156,12,12 108,156,12,12 120,156,12,12 144,156,12,12 180,156,12,12 204,156,12,12 216,156,12,12 228,156,12,12 240,156,12,12 0,168,12,12 12,168,12,12 24,168,12,12 36,168,12,12 48,168,12,12 60,168,12,12 72,168,12,12 96,168,12,12 108,168,12,12 120,168,12,12 132,168,12,12 156,168,12,12 192,168,12,12 204,168,12,12 216,168,12,12 228,168,12,12 0,180,12,12 72,180,12,12 108,180,12,12 180,180,12,12 192,180,12,12 204,180,12,12 216,180,12,12 228,180,12,12 0,192,12,12 24,192,12,12 36,192,12,12 48,192,12,12 72,192,12,12 96,192,12,12 108,192,12,12 120,192,12,12 132,192,12,12 156,192,12,12 192,192,12,12 228,192,12,12 0,204,12,12 24,204,12,12 36,204,12,12 48,204,12,12 72,204,12,12 96,204,12,12 120,204,12,12 132,204,12,12 144,204,12,12 156,204,12,12 168,204,12,12 180,204,12,12 204,204,12,12 216,204,12,12 0,216,12,12 24,216,12,12 36,216,12,12 48,216,12,12 72,216,12,12 96,216,12,12 144,216,12,12 168,216,12,12 180,216,12,12 204,216,12,12 216,216,12,12 0,228,12,12 72,228,12,12 96,228,12,12 132,228,12,12 144,228,12,12 156,228,12,12 168,228,12,12 180,228,12,12 204,228,12,12 216,228,12,12 0,240,12,12 12,240,12,12 24,240,12,12 36,240,12,12 48,240,12,12 60,240,12,12 72,240,12,12 96,240,12,12 108,240,12,12 120,240,12,12 144,240,12,12 228,240,12,12";
strAry = string.split(" ");
var temp;
// Iterate over the entries (strAry.length), not over the characters of the string.
for (var i = 0; i < strAry.length; i++) {
    //console.log(strAry[i]);
    temp = strAry[i].split(",");
    c.fillRect(temp[0], temp[1], temp[2], temp[3]);
}
Paste it into the console.
|
12
baozijianke 2013-08-16 10:50:23 +08:00
@exoticknight Submit a script. XSS.
|
13
lingyired 2013-08-16 10:59:18 +08:00
Embarrassing: I cheated my way through both the first level and the last one.
|
14
exoticknight 2013-08-16 11:40:26 +08:00
@baozijianke Oh, no wonder whatever you submit gets displayed back... but wouldn't kissy filter it out...
|
15
66beta 2013-08-16 12:07:32 +08:00
@baozijianke How do you get past next-room?
|
16
baozijianke 2013-08-17 03:09:40 +08:00
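@exoticknight Haha, that means they didn't use kissy; in any case they definitely left this in for you on purpose. Anyone fairly familiar with this, on seeing that you can submit anything you like, would certainly think of it.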
|
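An added example, not part of any post in this thread: the exchange above turns on a submission being displayed back without filtering. The usual fix is to encode at output time, shown here beside the concatenating "before" version. The wrapper markup, function names and sample submissions are constructed for illustration and are not taken from the game's code.

```javascript
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that can change HTML parsing context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Before: the submission is concatenated straight into markup.
function renderAnswerUnsafe(answer) {
  return '<div id="answer">' + answer + "</div>";
}

// After: the submission is encoded, so the browser treats it as text only.
function renderAnswerSafe(answer) {
  return '<div id="answer">' + escapeHtml(answer) + "</div>";
}

// Test helper: does the rendered output contain any tag besides the wrapper?
function containsInjectedMarkup(html) {
  const inner = html.replace(/^<div id="answer">/, "").replace(/<\/div>$/, "");
  return /<[a-z!\/]/i.test(inner);
}

// Run a renderer over sample submissions and return the ones that came out as markup.
function auditRenderer(render, samples) {
  return samples.filter((sample) => containsInjectedMarkup(render(sample)));
}

// Constructed submissions: an ordinary answer and an inert script marker.
const SUBMISSIONS = [
  "left: 120px; top: 40px",
  "<script>/* constructed marker */</script>",
];

console.log("unsafe renderer leaks:", auditRenderer(renderAnswerUnsafe, SUBMISSIONS).length);
console.log("safe renderer leaks:", auditRenderer(renderAnswerSafe, SUBMISSIONS).length);
```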
17
baozijianke 2013-08-17 03:10:56 +08:00
@66beta The simplest way is to step to the next page by hand. Pay attention to the page's path and just change it: xxxx?room=12 and the like.
|
18
baozijianke 2013-08-17 03:12:01 +08:00
@lingyired Damn, the ones who cheat their way through are the most impressive.
|
19
xavierskip 2013-08-17 12:46:24 +08:00
What does that "scripting language" one mean?
|
20
exoticknight 2013-08-17 13:23:53 +08:00
@66beta
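First run this code in the console; change what comes after ?t= and the '24' to match your own situation:
// Left as globals so the follow-up snippet can reuse url, urlreal and strr.
url = 'index.php?t=OTk1ZDJjYjhyMzRsRldWd2NDVlF4UkRRNWNCRTlW&room=';
urlreal = url + '24';
strr = '';
$.get(urlreal, function (data) {
    var mess = $(data).find('#message').text();     // fragment shown in this room
    var number = $(data).find('#next-room').text(); // number of the next room
    strr = strr + mess;
    urlreal = url + number;
    console.log(strr);
});
After the first run finishes, keep running this in the console:
$.get(urlreal, function (data) {
    var mess = $(data).find('#message').text();
    var number = $(data).find('#next-room').text();
    strr = strr + mess;
    urlreal = url + number;
    console.log(strr);
});
Once the console output stops changing, you have the complete address.
|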
21
exoticknight 2013-08-17 13:26:15 +08:00
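@xavierskip First get the canvas on the page, then split those numbers into the data for each black dot of the QR code and pass them as arguments to c.fillRect(1,2,3,4), which takes exactly 4 parameters... really it just draws the QR code.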
|
22
exoticknight 2013-08-17 13:26:57 +08:00
@baozijianke You can cheat on both the first level and the last one; a look at the HTML and JS code is enough to spot it.
|
23
xavierskip 2013-08-17 14:34:35 +08:00
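@exoticknight Ah, I put that badly. I meant the level after the QR code. There's a hint and then you answer something; one of the questions is just "scripting language", followed by a big blue circle.. Now I remember: php. Weird question..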
|
24
exoticknight 2013-08-17 16:43:35 +08:00
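@xavierskip Oh... I entered php as soon as I saw that image, without looking at the hint... By the way, I've played through a few times, and there actually aren't that many guess-the-picture questions.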
|
25
lingyired 2013-08-21 13:50:52 +08:00
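@baozijianke - - I didn't know how to pass the last level myself, but they put their key somewhere really obvious and I spotted it right away, so I just cheated my way through - -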
|