Ran into this challenge twice in a row.
$what=$_GET['what'];
echo $what;
if($what=='flag')
echo 'flag{****}';

$what=$_POST['what'];
echo $what;
if($what=='flag')
echo 'flag{****}';
One version passes what=flag as a GET parameter; the other expects it by POST.
1. Using Burp Suite
For the first one there is no need to intercept anything: just visit the URL xxx.xxx.xxx.xxx:xxxx/?what=flag and it's done.
For the second, intercept the request first, which gives:
GET / HTTP/1.1
Host: 114.67.246.176:11188
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
It is a GET rather than a POST, so send it to Repeater, right-click and change the method to POST:
POST / HTTP/1.1
Host: 114.67.246.176:11188
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Now the request can be written by hand:
The data to send is what=flag,
so first change Content-Length to 9 (the length of that body in bytes),
then write what=flag below the headers:
POST / HTTP/1.1
Host: 114.67.246.176:11188
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 9
what=flag
The server then responds with:
HTTP/1.1 200 OK
Date: Wed, 15 Sep 2021 09:14:46 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.6
Vary: Accept-Encoding
Content-Length: 138
Connection: close
Content-Type: text/html
$what=$_POST['what'];<br>
echo $what;<br>
if($what=='flag')<br>
echo 'flag{****}';<br>
flagflag{726bc3fdeca4035d961e74712abd55af}
Once you have the flag, submit it and you're done.
2. Using HackBar
Open the URL, then press F12 and open HackBar.
Enter the URL in the top field, click Post data, enter what=flag in the lower field, then click Execute to send it.
3. Using Python
Just send the parameter with Python's requests module.
import requests

url = 'http://114.67.246.176:19476'   # challenge host used in the writeup
data = {'what': 'flag'}               # form field read by the PHP via $_POST['what']
# The body echoes 'flag' (the echoed parameter) followed by the flag{...} string
print(requests.request('post', url, data=data).text)
After running it, the response body is printed in the terminal and the flag can be found in it.