BUUCTF / Geek Challenge (极客大挑战) 2019 - WEB BuyFlag
View the page source and go to the payflag page, where there is a hint:
Flag need your 100000000 money
attention
If you want to buy the FLAG:
You must be a student from CUIT!!!
You must be answer the correct password!!!
I looked up CUIT and found it means Argentina, so I changed Accept-Language to es-ar, but later testing showed it made no difference..
Change user=0 in the Cookie to user=1.
At the very bottom there is a comment:
<!-- ~~~post money and password~~~ if (isset($_POST['password'])) { $password = $_POST['password']; if (is_numeric($password)) { echo "password can't be number</br>"; }elseif ($password == 404) { echo "Password Right!</br>"; } } -->
is_numeric() bypass: when sending the parameter, just add a space after the 404 in password.
Then sending money=100000000 gives the message Nember lenth is too long; bypass it directly with an array.
payload:
password=404 &money[]=100000000
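To make the two weaknesses concrete from a defender's point of view, here is an added example (not code from the challenge or the original writeup) that puts the page's loose password check next to a hardened version. The money check is an assumption: the page only shows the message "Nember lenth is too long", so a strlen() limit is assumed as its cause, and the function names and the expected secret are invented for illustration.

```php
<?php
// Added example, not part of the original writeup.
// Weak checks reconstructed from the page's HTML comment, plus hardened
// replacements. Run with: php buyflag_checks.php

// Vulnerable: is_numeric() gate followed by a loose (==) comparison.
function weakPasswordCheck($password): string {
    if (is_numeric($password)) {
        return "password can't be number";
    } elseif ($password == 404) {          // loose comparison: "404 " == 404 is true
        return "Password Right!";
    }
    return "Password Wrong!";
}

// Assumed shape of the money check (the page only shows the error message).
function weakMoneyCheck($money): string {
    if (!is_string($money)) {
        // PHP 7: strlen(array) returns null with a warning, so the length
        // cap below is skipped; PHP 8 throws a TypeError instead.
        return "length check skipped for non-string input";
    }
    if (strlen($money) > 7) {
        return "Nember lenth is too long";
    }
    return ($money == 100000000) ? "enough money" : "not enough money";
}

// Hardened: require a string, compare the exact bytes in constant time,
// and never let the type system do the comparison for you.
function strictPasswordCheck($password, string $expected): string {
    if (!is_string($password)) {
        return "invalid input";
    }
    // hash_equals() compares full strings; "404 " is not "404".
    return hash_equals($expected, $password) ? "Password Right!" : "Password Wrong!";
}

// Hardened: reject arrays, accept only an ASCII digit string, compare strictly.
function strictMoneyCheck($money, string $required): string {
    if (!is_string($money) || !ctype_digit($money)) {
        return "invalid money";
    }
    return ($money === $required) ? "enough money" : "not enough money";
}

// Constructed inputs mirroring the writeup's payload.
$expectedPassword = 'SECRET_PLACEHOLDER';   // hypothetical secret, not the challenge's
$passwords = ['404', '404 ', 'abc'];
foreach ($passwords as $p) {
    printf("password %-6s weak: %-26s strict: %s\n",
        json_encode($p), weakPasswordCheck($p), strictPasswordCheck($p, $expectedPassword));
}

$moneys = ['100000000', ['100000000'], '12'];
foreach ($moneys as $m) {
    printf("money %-14s weak: %-42s strict: %s\n",
        json_encode($m), weakMoneyCheck($m), strictMoneyCheck($m, '100000000'));
}
```

Which PHP version runs the weak code matters: on PHP 7, is_numeric('404 ') is false while '404 ' == 404 is true, which is exactly the gap the trailing space slips through; PHP 8's saner numeric strings accept trailing whitespace in is_numeric(), so that particular input is caught there. The hardened functions do not depend on the version because they refuse non-strings up front and compare with === or hash_equals() instead of ==.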