This vulnerability has already been fixed; the write-up is for reference only.
1. Log in to the game through the Burp (BP) proxy and capture the traffic
2. Obtain the "level cleared" request
GET /sheep/v1/game/game_over?rank_score=1&rank_state=01&rank_time=123&rank_role=1&skin=1 HTTP/1.1
Host: cat-match.easygame2021.com
Connection: close
t: xxx
content-type: application/json
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 15_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 MicroMessenger/8.0.27(0x18001b36) NetType/WIFI Language/zh_CN
Referer: qqq
Content-Length: 2

HTTP/1.1 200 OK
Date: Fri, 16 Sep 2022 06:45:33 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 36
Connection: close
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Methods: GET, POST

{"err_code":0,"err_msg":"","data":0}
3. Replay the "level cleared" request
4. Check the resulting score
5. Turn it into a score-padding script (python3)
The header_t field is your personal identity token and must be replaced with your own.
import requests

# suppress the InsecureRequestWarning caused by verify=False below
requests.packages.urllib3.disable_warnings()

# personal identity token, replace with your own
header_t = "XXX"
finish_api = "https://cat-match.easygame2021.com/sheep/v1/game/game_over?rank_score=1&rank_state=03&rank_time=1314&rank_role=1&skin=1"
headers = {
    "Host": "cat-match.easygame2021.com",
    "content-type": "application/json",
    "User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 15_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148",
    "t": header_t,
}


def finish_game():
    res = requests.get(url=finish_api, headers=headers, verify=False, timeout=10)
    # err_code 0 means success
    if res.json()["err_code"] == 0:
        print("状态成功")
    else:
        print(res.json())


for i in range(99):
    finish_game()
Finally, just run the script.
Fix point 1: the core problem is that the "level cleared" request is initiated by the client, so the server simply trusts it; whether a level was actually cleared has to be decided on the server.
Fix point 2: the request can be replayed, so the endpoint should be restricted: each request has to carry a unique, single-use verification value that the server issues and consumes.
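A server-side check combining both fix points, as an added example in Python that is not the game's own code: start_game() issues a single-use nonce bound to the player, game_over() consumes it exactly once and rejects replays or foreign nonces, and the server's own clock rather than the client's rank_time decides whether a clear is plausible. GameServer, start_game, MIN_CLEAR_SECONDS, the fake clock and all sample values are assumptions constructed for this illustration.

```python
import secrets
import time

# Constructed threshold: a round cannot plausibly be cleared faster than this.
MIN_CLEAR_SECONDS = 30


class GameServer:
    """Hypothetical server keeping one session per issued nonce."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so the demo is deterministic
        self.sessions = {}          # nonce -> {"uid", "started", "finished"}
        self.clears = {}            # uid -> number of accepted clears

    def start_game(self, uid):
        # One unpredictable nonce per round, bound to the user who requested it.
        nonce = secrets.token_hex(16)
        self.sessions[nonce] = {"uid": uid, "started": self.clock(), "finished": False}
        return nonce

    def game_over(self, uid, nonce, rank_time):
        s = self.sessions.get(nonce)
        if s is None or s["uid"] != uid:
            return {"err_code": 1, "err_msg": "unknown or foreign session"}
        if s["finished"]:
            return {"err_code": 2, "err_msg": "replayed game_over rejected"}
        elapsed = self.clock() - s["started"]
        # The server's clock decides how long the round took; the client's
        # rank_time is only accepted if it is consistent with that observation.
        if elapsed < MIN_CLEAR_SECONDS or rank_time > elapsed + 1:
            return {"err_code": 3, "err_msg": "implausible clear time"}
        s["finished"] = True        # consume the nonce: a second use is a replay
        self.clears[uid] = self.clears.get(uid, 0) + 1
        return {"err_code": 0, "err_msg": "", "data": self.clears[uid]}


def demo():
    """Run the four cases with a fake clock; returns the four responses."""
    now = [1000.0]
    srv = GameServer(clock=lambda: now[0])
    nonce = srv.start_game("user-1")
    now[0] += 120                   # server observes 120 s of play
    first = srv.game_over("user-1", nonce, rank_time=118)     # accepted
    replay = srv.game_over("user-1", nonce, rank_time=118)    # same nonce again
    forged = srv.game_over("user-1", "00" * 16, rank_time=118)  # made-up nonce
    fast_nonce = srv.start_game("user-1")
    now[0] += 5                     # only 5 s passed on the server
    fast = srv.game_over("user-1", fast_nonce, rank_time=5)   # too fast
    return first, replay, forged, fast


if __name__ == "__main__":
    for r in demo():
        print(r)
```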
Finally, this vulnerability only lets someone pad their score to show off, and it may eat up some server resources; the actual harm is limited.
Seen from another angle, who is to say it was not a wave of advertising?